
Security Mechanisms for Electronic Business Applications 適用於電子商務的安全機制之研究

Advisor: Dr. Chin-Chen Chang. Student: Chia-Chi Wu. Date: Jan. 3, 2011. Department of Computer Science and Information Engineering, National Chung Cheng University.


Presentation Transcript


  1. Security Mechanisms for Electronic Business Applications (適用於電子商務的安全機制之研究). Advisor: Dr. Chin-Chen Chang. Student: Chia-Chi Wu. Date: Jan. 3, 2011. Department of Computer Science and Information Engineering, National Chung Cheng University.

  2. Outline
  • Motivation
  • A novel key agreement scheme in a multiple server environment
  • A new sealed-bid electronic auction
  • An authenticated PayWord scheme without public key cryptosystems
  • Digital rights management for multimedia content over 3G mobile networks
  • Conclusions and future works

  3. Motivation (1/3)
  E-business activities:
  • Account transfers
  • EDI (Electronic Data Interchange)
  • Access control
  • Online services
  • E-auction
  • E-payment
  • Digital rights
  • …

  4. Motivation (2/3)
  E-business risks:
  • Impersonation
  • Eavesdropping
  • Tampering
  • Privacy
  • Repudiation
  • Replay attacks
  • Fairness
  • …
  Corresponding mechanisms:
  • Authentication
  • Key agreement
  • Encryption/decryption
  • Anonymity
  • Signature
  • Timestamp
  • Nonce checking
  • Hash chain
  • …

  5. Motivation (3/3)
  Our research objectives:
  • Designing a novel key agreement protocol in a multiple server environment with low computation
  • Developing a sealed-bid electronic auction scheme
  • Designing an authenticated PayWord scheme without public key cryptosystems
  • Digital rights management for multimedia content over 3G mobile networks
  • Conclusions

  6. A Novel Key Agreement Scheme in a Multiple Server Environment (1/8)
  [Figure: system model. Each server S1 … Sn registers with the registration center RC; each user registers once with RC and receives a token, and then authenticates with that token to any of the servers.]

  7. A Novel Key Agreement Scheme in a Multiple Server Environment (2/8)
  Criteria:
  • C1: No verification table
  • C2: Freely chosen password
  • C3: Low computation and communication cost
  • C4: Mutual authentication
  • C5: Session key agreement
  • C6: Single registration
  Security criteria:
  • S1: Session key security
  • S2: Known-key security

  8. A Novel Key Agreement Scheme in a Multiple Server Environment (3/8)
  Notations
  • Ui: the user i
  • Sj: the server j
  • UID: the user identity
  • PW: the password of the user
  • RC: the registration center
  • x: the long-term secret token of RC
  • SID: the identity of the server
  • h( ): a secure one-way hash function
  • μi, vi: the secret information of user i
  • Ki,j: the shared key between Ui and Sj
  • wj: the shared secret key between Sj and RC
  • Vi,j: the shared parameter which can be computed by both Ui and Sj
  • Ni: a nonce value
  • Ti: a current timestamp
  • ΔT: the expected valid time interval for transmission delay
  • skk: the session key for the kth session
  • ⊕: the exclusive-or operation on two bit-strings
  • Ek(m): symmetric-key encryption of m with key k
  • Dk(c): symmetric-key decryption of c with key k

  9. A Novel Key Agreement Scheme in a Multiple Server Environment (4/8)
  Juang's scheme, registration phase
  Server registration: after Sj registers at RC, RC sends wj = h(x, SIDj) to Sj via a secure channel.
  User registration:
  • S1: Ui → RC: UIDi, PWi
  • S2: RC computes vi = h(x, UIDi) and μi = vi ⊕ PWi, and stores UIDi and μi in the smart card issued to Ui.
  • S3: RC computes ki,j = h(vi, SIDj) and sends Ewj(ki,j, UIDi) to Sj; Sj stores Ewj(ki,j, UIDi).

  10. A Novel Key Agreement Scheme in a Multiple Server Environment (5/8)
  Juang's scheme, login and session key agreement phase
  When Ui wants to log in to Sj, he/she inserts the smart card into the card reader and inputs UIDi and PWi into the device.
  • The smart card computes vi = μi ⊕ PWi and ki,j = h(vi, SIDj).
  • Ui → Sj: N1, UIDi, Eki,j(ruk, h(UIDi || N1))
  • Sj recovers ki,j from its stored Ewj(ki,j, UIDi), decrypts Eki,j(ruk, h(UIDi || N1)), checks h(UIDi || N1), and computes Eki,j(rsk, N1+1, N2) and skk = h(ruk, rsk, ki,j).
  • Sj → Ui: Eki,j(rsk, N1+1, N2)
  • Ui decrypts Eki,j(rsk, N1+1, N2), checks N1+1, and computes skk = h(ruk, rsk, ki,j) and Eskk(N2+1).
  • Ui → Sj: Eskk(N2+1)
  • Sj decrypts Eskk(N2+1) and checks N2+1.

  11. A Novel Key Agreement Scheme in a Multiple Server Environment (6/8)
  Drawbacks of Juang's scheme
  • When new users join, RC carries a large overhead: it must compute and distribute Ewj(ki,j, UIDi) to every server.
  • Sj must store each user's UIDx and Ewj(kx,j, UIDx) in an encrypted key table, which costs storage and is a risk if the table leaks.

  12. A Novel Key Agreement Scheme in a Multiple Server Environment (7/8)
  The proposed scheme, registration phase
  Server registration: after Sj registers at RC, RC sends wj = h(x, SIDj) to Sj via a secure channel.
  User registration:
  • Ui → RC: UIDi, PWi
  • RC computes μi = x ⊕ PWi and stores UIDi, μi and h( ) in the smart card issued to Ui.
  Note that, as written, μi ⊕ PWi = x: a card together with its password yields RC's long-term token, so the scheme relies on the two never being compromised together.

  13. A Novel Key Agreement Scheme in a Multiple Server Environment (8/8)
  The proposed scheme (cont.), login and session key agreement phase
  Ui inserts the smart card into the card reader and inputs UIDi and PWi into the device.
  • The smart card computes Vi,j = h(h(μi ⊕ PWi, SIDj) || UIDi).
  • Ui → Sj: UIDi, T1, h(Vi,j || T1)
  • Sj computes Vi,j' = h(wj || UIDi), checks T − T1 ≤ ΔT and h(Vi,j || T1) = h(Vi,j' || T1), generates T2 and h(Vi,j' || T2), and computes skk = h(T1 || T2 || Vi,j').
  • Sj → Ui: T2, h(Vi,j' || T2)
  • Ui checks T − T2 ≤ ΔT and h(Vi,j' || T2) = h(Vi,j || T2), computes skk = h(T1 || T2 || Vi,j), and encrypts Eskk(T2+1).
  • Ui → Sj: Eskk(T2+1)
  • Sj decrypts Eskk(T2+1) and checks T2+1.
  Both sides obtain the same key because h(μi ⊕ PWi, SIDj) = h(x, SIDj) = wj, so Vi,j = Vi,j'.
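The registration and login phases of the proposed scheme, carried through as a worked example. This is added code, not the thesis's own implementation. It assumes SHA-256 for h( ), hashes the password to 32 bytes before the XOR with x (the slides do not say how the lengths are matched), stands in for Ek/Dk with a SHA-256 keystream plus HMAC tag because the slides fix no cipher, and uses a 60-second ΔT; the function and class names are the example's own.

```python
import hashlib
import hmac
import os
import struct

DELTA_T = 60  # assumed value of the expected valid interval ΔT, in seconds


def h(*parts: bytes) -> bytes:
    """h( ): SHA-256 over length-prefixed parts, so h(a, b) reads the same whether the
    slides write it as h(a, b) or h(a || b), and no two argument splits collide."""
    m = hashlib.sha256()
    for p in parts:
        m.update(struct.pack(">I", len(p)) + p)
    return m.digest()


def ts(t: int) -> bytes:
    """Timestamps T1/T2 as 8-byte big-endian integers."""
    return struct.pack(">Q", t)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(k: bytes, m: bytes) -> bytes:
    """Stand-in for E_k: XOR with a SHA-256 keystream plus an HMAC tag (m <= 32 bytes)."""
    nonce = os.urandom(16)
    c = xor(m, hashlib.sha256(k + nonce).digest()[: len(m)])
    return nonce + c + hmac.new(k, nonce + c, hashlib.sha256).digest()


def D(k: bytes, blob: bytes) -> bytes:
    """Stand-in for D_k; refuses to decrypt if the tag does not verify."""
    nonce, c, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, nonce + c, hashlib.sha256).digest()):
        raise ValueError("D_k: bad tag")
    return xor(c, hashlib.sha256(k + nonce).digest()[: len(c)])


class RegistrationCenter:
    def __init__(self, x: bytes):
        self.x = x  # RC's long-term secret token x (32 bytes)

    def register_server(self, sid: bytes) -> bytes:
        return h(self.x, sid)  # w_j = h(x, SID_j), delivered over a secure channel

    def register_user(self, uid: bytes, pw: bytes) -> dict:
        # mu_i = x XOR PW_i; PW_i is hashed to 32 bytes first (assumed) so the XOR is well defined
        return {"UID": uid, "mu": xor(self.x, h(pw))}  # contents of the smart card


def card_secret(card: dict, pw: bytes, sid: bytes) -> bytes:
    """Smart card: V_ij = h( h(mu_i XOR PW_i, SID_j) || UID_i )."""
    return h(h(xor(card["mu"], h(pw)), sid), card["UID"])


class Server:
    def __init__(self, sid: bytes, w: bytes):
        self.sid, self.w = sid, w  # w_j from RC; no per-user table is kept

    def respond(self, uid: bytes, t1: int, auth1: bytes, now: int, t2: int):
        """Flow 1 in, flow 2 out: returns ((T2, h(V'||T2)), sk_k)."""
        v = h(self.w, uid)  # V'_ij = h(w_j || UID_i)
        if not 0 <= now - t1 <= DELTA_T:
            raise ValueError("login rejected: T1 outside ΔT (replay or clock skew)")
        if not hmac.compare_digest(auth1, h(v, ts(t1))):
            raise ValueError("login rejected: h(V||T1) mismatch (wrong card or password)")
        sk = h(ts(t1), ts(t2), v)  # sk_k = h(T1 || T2 || V'_ij)
        return (t2, h(v, ts(t2))), sk

    @staticmethod
    def confirm(sk: bytes, blob: bytes, t2: int) -> bool:
        """Flow 3: decrypt E_sk(T2+1) and check the value."""
        return D(sk, blob) == ts(t2 + 1)


def user_login(card: dict, pw: bytes, sid: bytes, server: Server, t1: int, t2: int, now: int):
    """Drive the three flows from the user's side; returns (user sk, server sk, server's check)."""
    v = card_secret(card, pw, sid)
    (t2r, auth2), server_sk = server.respond(card["UID"], t1, h(v, ts(t1)), now, t2)
    if not 0 <= now - t2r <= DELTA_T:
        raise ValueError("server reply rejected: T2 outside ΔT")
    if not hmac.compare_digest(auth2, h(v, ts(t2r))):
        raise ValueError("server reply rejected: h(V'||T2) mismatch")
    sk = h(ts(t1), ts(t2r), v)  # sk_k = h(T1 || T2 || V_ij)
    return sk, server_sk, server.confirm(server_sk, E(sk, ts(t2r + 1)), t2)


if __name__ == "__main__":
    rc = RegistrationCenter(os.urandom(32))
    s1 = Server(b"S1", rc.register_server(b"S1"))
    card = rc.register_user(b"alice", b"correct horse")  # constructed sample user
    sk_u, sk_s, ok = user_login(card, b"correct horse", b"S1", s1, t1=1000, t2=1001, now=1001)
    print("session keys agree:", sk_u == sk_s and ok)
```

The server never consults a table: it rebuilds V' from wj and the claimed UID, which is what makes criteria C1 and C6 hold, and the same card logs in to a second server with a different wj and obtains a different key. The two ΔT checks are the only replay defence, so both sides need reasonably synchronised clocks.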

  14. A Novel Key Agreement Scheme in a Multiple Server Environment: superiorities
  • No encrypted key table needed
  • Mutual authentication without RC's support
  • Efficiency
  • Practicability

  15. A New Sealed-bid Electronic Auction (1/11) • Traditional English auction • Dutch auction • Sealed-bid auction.

  16. A New Sealed-bid Electronic Auction (2/11)
  Requirements
  • Anonymity
  • Public verifiability
  • Non-repudiation
  • Traceability
  • Accountability of bidder
  • Unforgeability
  • Fairness
  • Privacy
  • Confidentiality
  • Low overhead cost

  17. A New Sealed-bid Electronic Auction (3/11)
  Liaw et al.'s protocol
  The advertisement stage
  • The auctioneer broadcasts M1 and its signature on the Internet.
  The registration stage (parties: Web, third party T, bidder B)
  • Web: M1, H(r), H(w), H(x), H(y), H(z)
  • B → T: EPT[Binfo, PB, r, M1]
  • T → B: EPB[M1, r, x, Bid]

  18. A New Sealed-bid Electronic Auction (4/11)
  Liaw et al.'s protocol, the bidding stage (parties: bidder B, third party T, bank A, auctioneer U)
  • B → A: EPA[M1, Bid, payment, deposit, y]
  • A → B: EPB[M1, Bid, Certd, y]
  • B → T: EPT[M1, Bid, Certd, price, y, r]
  • T → B: EPB[M1, Bid, order, price, r]
  • T → U: EPU[M1, order, Max-p, z]

  19. A New Sealed-bid Electronic Auction (5/11)
  Liaw et al.'s protocol, the exchange of the product and the payment stage
  • U publishes on the Web: SSU<M1, Max-p, order>, M2, H(M2, bill)
  • B → A: EPA[M2, Bid, Max-p, x, zx, pay]
  • A → U: EPU[M2, Bid, Max-p, zx, paid]
  • U → B: EPB[M2, Bid, Max-p, paid, bill]

  20. A New Sealed-bid Electronic Auction (6/11) • The drawbacks of Liaw et al.’s scheme • The conspiracy attack • The forgery attack • No privacy

  21. A New Sealed-bid Electronic Auction (7/11)
  Our scheme
  The advertisement stage
  • U computes SSU<M1, H(bill)> and broadcasts it, together with the plaintext, to everyone.
  The registration stage (parties: bidder B, third party T, Web)
  • B computes SignB = SSB<Binfo, NB, H(KB)>.
  • B → T: {SignB, EKB(Binfo, NB, KB, M1), EPT[KB]}
  • Web: M1, H(x), H(y), P
  • T → B: EKB[M1, NB+1, x, Bid]

  22. A New Sealed-bid Electronic Auction (8/11)
  Our scheme, the bidding stage (parties: bidder B, bank A, third party T)
  • B → A: EPA[Bid, payment, deposit]
  • A → B: EPB[Bid, Certd] (Certd: a deposit-deduction certificate)
  • B → T: {Bid || (M1, Certd, sealed-bid) || SSB<Bid, sealed-bid>}
  • T → B: EKB(M1, Bid, order, y) || SST<Bid, order, sealed-bid>

  23. A New Sealed-bid Electronic Auction (9/11)
  Our scheme, the opening stage
  • Web: all orders and sealed-bids
  • B → T: Bid || EKB(order, rB^-1 mod P)
  • Web: all orders and ri^-1's, and (M1, Max-p, W-order)

  24. A New Sealed-bid Electronic Auction (10/11)
  Our scheme, the exchange of the product and the payment stage
  • B → A: EPA[M1, Bid, Max-p, pay]
  • A → U: EPU[M1, Bid, Max-p, paid]
  • T → U: EPU[M1, SST<Bid, order, sealed-bid>]
  • U → B: EPB[M2, Bid, Max-p, paid, bill]

  25. A New Sealed-bid Electronic Auction (11/11) Computation comparisons [comparison table not reproduced in the transcript]

  26. An Authenticated PayWord Scheme without Public Key Cryptosystems
  • In 1996, Rivest and Shamir proposed the well-known micro-payment scheme PayWord.
  • Drawbacks:
    • The certificate abuse attack.
    • The customer's public key is issued by a bank.

  27. Adachi et al.'s improved scheme (2005), credit authentication phase (parties: customer C, vendor, bank)
  • C → Vendor: Request
  • Vendor → C: Reply
  • C → Vendor: IDC, M, where M = (IDV, w0, n, E) signed with SKC is a valid message
  • Vendor → Bank: (IDC, M, rV)
  • The bank withdraws from C and issues CC = (IDC, M, YES, rV, I) signed with SKB
  • Bank → Vendor: CC

  28. Adachi et al.'s improved scheme (2005), purchase phase
  • C → Vendor: (wi, i)
  • The vendor validates wi−1 = h(wi), checks i, and stores (wi, i).
  • If i = n, the vendor performs the settlement phase.

  29. Adachi et al.'s improved scheme (2005), settlement phase
  • Vendor → Bank: (wk, k), CC
  • The bank checks h^k(wk) against w0, stores (wk, k), and transfers the money.

  30. Drawbacks of Adachi et al.'s scheme
  • Prepaid
  • (wk, k) is sent over a public channel without authentication.
  • The PKI signature is inefficient.

  31. The proposed scheme, credit authentication phase (parties: customer C, vendor V, bank; (m)K denotes encryption of m under K, where KC,B and KV,B are the keys C and V share with the bank)
  • C → V: IDC || (PWC || M || RC || NC || IDV)KC,B
  • V → Bank: (IDC || (PWC || M || RC || NC || IDV)KC,B) || (IDV || (PWV || IDC || RV || NV)KV,B)
  • Bank → V: (IDV || (IDC || M || RC || IC || NV+1)KV,B) || (IDC || (IDV || RV || NC+1)KC,B)
  • V → C: (IDC || (IDV || RV || NC+1)KC,B) || h(M, SK)
  Note: M = (IDV, w0, n, E); RC = g^rc mod P; RV = g^rv mod P; SK = RC^rv mod P = RV^rc mod P.

  32. The proposed scheme, purchase phase
  • C → V: (IDC, wi ⊕ SK, i)
  • V removes the mask with SK, validates wi−1 = h(wi), checks i, and stores (wi, i).
  • If i = n, the vendor performs the settlement phase.

  33. The proposed scheme, settlement phase
  • V → Bank: IDV || (PWV || IDC || wk || k)KV,B
  • The bank decrypts the message, checks PWV, checks h^k(wk) against w0, stores (wk, k), and transfers the money.
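The PayWord hash chain that both Adachi et al.'s scheme (slides 28 and 29) and the proposed scheme (slides 31 to 33) rest on, as an added example rather than code from the thesis: the customer builds the chain, the vendor checks each coin in the purchase phase, the bank checks h^k(wk) = w0 at settlement, and the proposed scheme's wi ⊕ SK masking is fed from a Diffie-Hellman exchange as on slide 31. The vendor check generalises the slides' one-unit case to paying several units at once, as in the original PayWord. SHA-256 for h, the toy DH group (P = 2^127 − 1, g = 3), hashing the group element to 32 bytes before the XOR, and all names are the example's own assumptions.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for R_C = g^rc mod P and R_V = g^rv mod P: a Mersenne
# prime and g = 3, chosen for illustration only, not a group anyone should deploy.
P = (1 << 127) - 1
G = 3


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(n: int, seed: bytes = None) -> list:
    """Customer side: pick w_n, set w_{i-1} = h(w_i); returns [w_0, ..., w_n].
    w_0 goes into M = (ID_V, w_0, n, E); w_1..w_n are the coins."""
    w = [b""] * (n + 1)
    w[n] = seed if seed is not None else secrets.token_bytes(32)
    for i in range(n, 0, -1):
        w[i - 1] = h(w[i])
    return w


def mask(w: bytes, sk: bytes) -> bytes:
    """The proposed scheme sends w_i XOR SK instead of w_i (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(w, sk))


class Vendor:
    def __init__(self, w0: bytes, n: int, sk: bytes = None):
        self.w0, self.n, self.sk = w0, n, sk
        self.last = (w0, 0)  # last accepted (w_i, i); starts at w_0 from M

    def accept(self, wi: bytes, i: int) -> bool:
        """Purchase-phase check. The slides show w_{i-1} = h(w_i) for one unit; paying
        d = i - i_prev units at once is checked as h^d(w_i) = w_{i_prev}."""
        if self.sk is not None:
            wi = mask(wi, self.sk)  # undo the mask; a wrong SK turns the coin into garbage
        w_prev, i_prev = self.last
        d = i - i_prev
        if d < 1 or i > self.n:  # replay, going backwards, or beyond the chain
            return False
        x = wi
        for _ in range(d):
            x = h(x)
        if x != w_prev:
            return False
        self.last = (wi, i)
        return True


def settle(w0: bytes, wk: bytes, k: int) -> int:
    """Settlement phase, bank side: h^k(w_k) must equal w_0. Returns the number of
    units to credit the vendor, or 0 if the claim does not verify."""
    x = wk
    for _ in range(k):
        x = h(x)
    return k if x == w0 else 0


def dh_keys(rc: int, rv: int):
    """Credit authentication phase: R_C and R_V travel through the bank's messages and
    SK = R_V^rc = R_C^rv mod P. The group element is hashed to 32 bytes (assumed) so
    it can be XORed with a 32-byte coin."""
    R_C, R_V = pow(G, rc, P), pow(G, rv, P)
    sk_c = h(pow(R_V, rc, P).to_bytes(16, "big"))  # customer side
    sk_v = h(pow(R_C, rv, P).to_bytes(16, "big"))  # vendor side
    return sk_c, sk_v


if __name__ == "__main__":
    chain = make_chain(10)
    sk_c, sk_v = dh_keys(secrets.randbelow(P), secrets.randbelow(P))
    vendor = Vendor(chain[0], 10, sk=sk_v)
    print([vendor.accept(mask(chain[i], sk_c), i) for i in (1, 2, 5, 4)])  # [True, True, True, False]
    print("bank credits", settle(chain[0], *vendor.last), "units")  # 5
```

The vendor only ever needs the last accepted (wi, i), and the bank only the final one plus w0, which is why a chain of n coins settles in one message. The mask does not authenticate the coin by itself; an attacker without SK produces a value that fails the hash check, but a vendor that skipped the check would still accept garbage.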

  34. Ticket circulation model [21]
  [Figure: parties are an Issuer, a CA, a Shop, a Broker, Users, a Network Service Provider and a Service Provider. The issuer issues tickets (wholesale) to the shop, the shop transfers (sells) them to users, users transfer tickets to one another (via CARD), and a user redeems (consumes/presents) a ticket at the service provider.]

  35. Simplified UMTS-AKA mechanism [15]
  [Figure: the MO generates RAND and AUTN and sends them to the USIM. From the shared key K and RAND, the MO derives XRES (f2), CK (f3) and IK (f4) and the USIM derives RES (f2), CK (f3) and IK (f4); the USIM returns RES, and the TMSI is carried encrypted (ENCR_TMSI) through the ciphering facility.]

  36. Note:
  • USIM: UMTS subscriber identity module
  • MO: mobile operator
  • TMSI: temporary mobile subscriber identity
  • IMSI: international mobile subscriber identity
  • AUTN: H(RAND, K, parameters)

  37. IDM3G protocol flowchart [15] [figure not reproduced in the transcript]

  38. Note:
  • AV (Authentication Vector): {CK, IK, Auth, RAND and XRES}
  • MAC1 = H(RAND, ENCR_SP_IP, IK)
  • MAC2 = H(RAND, ENCR_TMSI, IK)
  • ATTRIBUTES: the IMSI of the specific user

  39. Drawbacks of IDM3G protocol • Indirect communication • No shared session key • No DR management

  40. Notations
  • Z: a public large number greater than 10000
  • N1, N2: nonce values generated by UE
  • a, b: the seeds of the hash chains, generated by UE
  • t1: a serial number representing the start date of the DR (digital right)
  • t2: a serial number denoting the date until which the DR is valid
  • t3: a serial number denoting the transfer date of the DR
  • t: a serial number denoting the current date
  • T: a timestamp
  • Ek(m): symmetric-key encryption of m with key k
  • CK: a pre-shared encryption key between UE and MO
  • IK: a pre-shared integrity key between UE and MO
  • TK: a temporary key between the user and SP
  • AK: a session key for access services

  41. Online registration stage [figure not reproduced in the transcript]

  42. Note:
  • MAC1 = H(RU, ENCR_SP_IP, ENCR_TK, IK)
  • MAC3 = H(RU, RS, TK)
  • Reg_Data = {UID, Payment, t2, UID_PW_DIGEST, a, b}
  • MAC4 = H(Reg_Data, N1, RU, RS)
  • α = H^t1(a)
  • β = H^(Z−t2)(b)
  • Parameters = {α, β, Z, N1+1}
  • MAC5 = H(ENCR_UID, ENCR_Parameters, RU, RS)
  • UE stores {UID, α, β, Z, t2, t1}
  (The slide's own symbols for the two chain values, and the operator joining the arguments of H on the following slides, did not survive extraction; α and β are used for the values here and on slides 44 and 46, and the arguments of H are written as a comma-separated list as in the other MACs.)

  43. Login and access service stage [figure not reproduced in the transcript]

  44. Note:
  • MID: multimedia identity
  • SERVICE_REQ: {UID, MID, N2, UID_PW_DIGEST, RS+1}
  • SP computes AK = H(N2, H^(t−t1)(α), H^(t2−t)(β))
  • UE computes AK = H(N2, H^(t−t1)(α), H^(t2−t)(β))
  • SP stores (t1, t2, α, β) in user A's record.
  Since H^(t−t1)(α) = H^t(a) and H^(t2−t)(β) = H^(Z−t)(b), AK can be formed only for t1 ≤ t ≤ t2: outside that window one of the two exponents is negative, i.e. a hash preimage would be required.

  45. Transfer transaction stage [figure not reproduced in the transcript]

  46. Note:
  • CKA, IKA and TKA have been established.
  • ENCR_TRANS_REQ = ETKA(UIDA, UIDA_PW_DIGEST, H^(t3−t1)(α), β, UIDB)
  • MAC6 = H(ENCR_TRANS_REQ, T, IKA)
  • SP stores (H^(t3−t1)(α), β, t3, t2) in user B's record.
  • SP stores (TRANS_REQ, T, MAC6) in user A's record.
  • Transfer_Data = ETKB(UIDB, t3, t2, H^(t3−t1)(α), β, UIDA)
  • B stores (UIDB, H^(t3−t1)(α), β, Z, t3, t2) in his UE.
  • ENCR_CONFIRM = ECKB(H(H^(t3−t1)(α), β, t3, t2))
  • B's AK = H(N2, H^(t−t3)(H^(t3−t1)(α)), H^(t2−t)(β))
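The two hash chains that bound a right's validity window, and the transfer step of slide 46, as an added example that is not part of the thesis. Registration derives α = H^t1(a) and β = H^(Z−t2)(b); SP and UE both derive AK from the stored (t1, t2, α, β), which works only for t1 ≤ t ≤ t2; transferring at t3 hands B the record (t3, t2, H^(t3−t1)(α), β). SHA-256 for H, length-prefixed hashing of the AK arguments, Z = 20000 and the seed values are the example's own assumptions.

```python
import hashlib


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def H_n(x: bytes, n: int) -> bytes:
    """H applied n times. A negative n would need a hash preimage; raising here is
    exactly the property that confines a right to its validity window."""
    if n < 0:
        raise ValueError("date outside the right's validity window (hash preimage needed)")
    for _ in range(n):
        x = H(x)
    return x


def hash_key(n2: bytes, fwd: bytes, bwd: bytes) -> bytes:
    """AK = H(N2, ., .) over length-prefixed fields (the operator joining the
    arguments on the slide is not legible; an argument list is assumed)."""
    m = hashlib.sha256()
    for p in (n2, fwd, bwd):
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


def registration_params(a: bytes, b: bytes, Z: int, t1: int, t2: int):
    """Online registration: alpha = H^t1(a), beta = H^(Z-t2)(b). Both UE and SP keep
    (t1, t2, alpha, beta); the seeds a and b are not needed afterwards."""
    return H_n(a, t1), H_n(b, Z - t2)


def access_key(record, t: int, n2: bytes) -> bytes:
    """Login/access stage, identical on SP and UE:
    AK = H(N2, H^(t-t1)(alpha), H^(t2-t)(beta)). Only t1 <= t <= t2 keeps both
    exponents non-negative; any other date raises from H_n."""
    t1, t2, alpha, beta = record
    return hash_key(n2, H_n(alpha, t - t1), H_n(beta, t2 - t))


def transfer(record_a, t3: int):
    """Transfer stage: A hands B the right from date t3 on. B's record is
    (t3, t2, H^(t3-t1)(alpha), beta), so B cannot reach dates before t3 (that would
    need a preimage of H^(t3-t1)(alpha)) and inherits A's end date t2."""
    t1, t2, alpha, beta = record_a
    if not t1 <= t3 <= t2:
        raise ValueError("transfer date must lie inside the right's window")
    return t3, t2, H_n(alpha, t3 - t1), beta


if __name__ == "__main__":
    a, b, Z = b"seed-a", b"seed-b", 20000  # constructed seeds; Z is the public bound
    n2 = b"\x00" * 8                        # constructed nonce N2
    rec_a = (100, 130) + registration_params(a, b, Z, 100, 130)
    rec_b = transfer(rec_a, 120)
    print("SP and B agree on day 125:", access_key(rec_a, 125, n2) == access_key(rec_b, 125, n2))
    for rec, t in ((rec_a, 99), (rec_a, 131), (rec_b, 119)):
        try:
            access_key(rec, t, n2)
        except ValueError as e:
            print(t, "->", e)
```

The forward chain from a fixes the earliest date and the backward chain from b (counting down from Z) fixes the latest; because neither party stores a or b, the window cannot be widened after registration, and a transferred right can only be narrowed (later start, same end).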

  47. Conclusions
  • Four security mechanisms for e-business:
    • key agreement
    • electronic auction
    • electronic payment services
    • digital rights management over 3G
  • Low computation cost
  • Transmission efficiency
  • Ubiquitous computing

  48. Thanks for your attention
