
Formal Specification and Verification of a Micropayment Protocol

Alex X. Liu, The University of Texas at Austin, U.S.A. October 13, 2004. Co-author: Mohamed G. Gouda.


Presentation Transcript


  1. Formal Specification and Verification of a Micropayment Protocol
  Alex X. Liu, The University of Texas at Austin, U.S.A.
  October 13, 2004
  Co-author: Mohamed G. Gouda

  2. Microcommerce
  • What is microcommerce?
    • Buying and selling goods/services for small amounts of money
    • 1¢ per web page access
  • Can we use credit cards for microcommerce?
    • No, the per-transaction fee is too high (29¢ + 2%)
  • Microcommerce on the Internet
  • Micropayment protocols

  3. Micropayment Protocols
  • Proposed micropayment protocols
    • Compaq's Millicent
    • Rivest and Shamir's PayWord
    • Anderson's NetCard
    • Jutla and Yung's PayTree
    • Hauser et al.'s Micro iKP
    • W3C's MPTP
    • …
  • Are they secure?
  • Need formal specification and verification

  4. PayWord Protocol
  • Developed by Rivest and Shamir in 1996
  • Three parties: Bank, User, Vendor
  • All parties know the same one-way hash function h (from h(x), one cannot derive x)
  • Outline of PayWord:
    • User first creates an empty array c[0], c[1], …, c[n]
    • Then this array becomes a hash chain, each element being the hash of the next one:
      c[0] ← c[1] ← c[2] ← … ← c[n-1] ← c[n], each arrow labelled h, i.e. c[i-1] = h(c[i])
    • Sends c[0] to Vendor by public key cryptography
    • User → Vendor: (c[2], 2) in plain text
    • User → Vendor: (c[5], 3) in plain text
  • This protocol has two security problems!

  5. 1. Message Modification Attack
  • Vulnerable to message modification attack
    • An attacker can modify (c[i], m) to (h(c[i]), m-1). Both are valid.
    • Neither U nor V can detect this attack.
  • Solution: use a securely salted one-way hash function
    • c[0] ← c[1] ← c[2] ← … ← c[n-1] ← c[n], each arrow labelled h(ss, ·)
    • c[i-1] = h(ss, c[i]) for each i
    • ss is a session secret shared between U and V, unknown to the attacker.

  6. 2. Message Loss Attacks
  • Vulnerable to message loss attack
    • An attacker can discard a payment message from U to V
    • Due to the lack of an ack mechanism, neither U nor V can detect this
  • Solution: add unforgeable ack messages
    • U sends V a payment: (c[i], m)
    • V sends U an ack: h(c[i], ss)
    • The attacker knows h(ss, c[i]) (= c[i-1]), but not h(c[i], ss).

  7. New PayWord Protocol
  • Assume U and V have a shared secret sk
    • Can be achieved by public key cryptography
  • Each hash chain has a sequence number seq
  • There are two phases
    • request-reply phase
    • pay-ack phase

  8. Request-reply phase
  • U picks three numbers
    • n: max number of coins needed to pay V (by estimation)
    • c[n]: a random number
    • ss: a session secret
  • U computes the hash chain
    • c[0] ← c[1] ← c[2] ← … ← c[n-1] ← c[n], each arrow labelled h(ss, ·)
  • U sends the request message (c[0] | seq | ss)sk to V
  • V checks whether it is a valid message by seq
  • If the request message is valid, V replies c[0] back to U

  9. Pay-ack phase
  • U sends a payment (c[i], m) to V
  • V checks whether it is a valid one
    • c[i-m] = h(ss, ·) applied m times to c[i]? (c[i-m] is the last coin V accepted)
  • If yes, V sends the acknowledgement h(c[i], ss) to U
  • Message exchange:
    U → V: payment (c[i], m)
    V → U: ack h(c[i], ss)
    U → V: payment (c[i'], m')
    V → U: ack h(c[i'], ss)
    …
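The hash chain, the two attacks and the two fixes of slides 4 to 9, as an added worked example (not code from the authors or from the PayWord paper). It instantiates the abstract one-way function h as SHA-256, abstracts the sk-protected request channel away (V receives the request tuple directly), and uses constructed random chains; the Vendor class, its seq/credit bookkeeping and the function names are assumptions of this example. Each attack function returns whether the genuine and the attacker-modified messages pass V's check.

```python
import hashlib
import os
from typing import List, Optional, Tuple

SIZE = 32  # chain elements and ss are all 32 bytes, so the fixed-width
           # concatenation inside h() is unambiguous


def h(*parts: bytes) -> bytes:
    """The slides' one-way hash, instantiated as SHA-256 (an assumption).
    Argument order matters: h(ss, x) != h(x, ss)."""
    return hashlib.sha256(b"".join(parts)).digest()


def make_chain(n: int, c_n: bytes, ss: Optional[bytes] = None) -> List[bytes]:
    """Build c[0..n] from the random tip c[n]: c[i-1] = h(c[i]) (slide 4) or,
    when ss is given, c[i-1] = h(ss, c[i]) (slide 5)."""
    c: List[bytes] = [b""] * (n + 1)
    c[n] = c_n
    for i in range(n, 0, -1):
        c[i - 1] = h(ss, c[i]) if ss is not None else h(c[i])
    return c


def verify_payment(last: bytes, coin: bytes, m: int, ss: Optional[bytes] = None) -> bool:
    """Slide 9 check: hashing the offered coin c[i] m times must give c[i-m],
    the last coin V accepted (c[0] right after the request-reply phase)."""
    x = coin
    for _ in range(m):
        x = h(ss, x) if ss is not None else h(x)
    return x == last


def make_ack(coin: bytes, ss: bytes) -> bytes:
    """Slide 6 ack h(c[i], ss): ss after the coin, the reverse of the chain's
    h(ss, c[i]), so knowing c[i-1] does not help an attacker forge it."""
    return h(coin, ss)


class Vendor:
    """V in the new PayWord protocol (slides 7-9); the (c[0] | seq | ss)sk
    request is assumed to arrive over a channel protected by sk."""

    def __init__(self) -> None:
        self.seq = 0                          # highest seq accepted so far
        self.ss: Optional[bytes] = None
        self.last: Optional[bytes] = None     # last accepted coin of this chain
        self.credit = 0                       # coins received on this chain

    def request(self, c0: bytes, seq: int, ss: bytes) -> Optional[bytes]:
        """Request-reply phase: a replayed or stale seq is discarded."""
        if seq <= self.seq:
            return None
        self.seq, self.ss, self.last, self.credit = seq, ss, c0, 0
        return c0                             # the reply

    def pay(self, coin: bytes, m: int) -> Optional[bytes]:
        """Pay-ack phase: accept (c[i], m) and return the ack, else None."""
        if self.ss is None or self.last is None:
            return None
        if not verify_payment(self.last, coin, m, self.ss):
            return None
        self.last, self.credit = coin, self.credit + m
        return make_ack(coin, self.ss)


def modification_attack(salted: bool) -> Tuple[bool, bool]:
    """Slide 5: (c[i], m) rewritten to (h(c[i]), m-1), which needs no secret.
    Returns (genuine payment accepted, modified payment accepted)."""
    ss = os.urandom(SIZE) if salted else None
    c = make_chain(10, os.urandom(SIZE), ss)
    last = c[2]                               # V has been paid up to c[2]
    coin, m = c[5], 3                         # U pays three more coins
    forged_coin, forged_m = h(coin), m - 1
    return (verify_payment(last, coin, m, ss),
            verify_payment(last, forged_coin, forged_m, ss))


def loss_attack_with_ack() -> Tuple[bool, bool]:
    """Slide 6: returns (genuine ack matches what U expects, ack forged from
    c[i-1] = h(ss, c[i]) matches). A dropped payment yields no ack at all."""
    ss = os.urandom(SIZE)
    c = make_chain(10, os.urandom(SIZE), ss)
    v = Vendor()
    v.request(c[0], seq=1, ss=ss)
    coin, m = c[3], 3
    expected = make_ack(coin, ss)             # U waits for this after (c[3], 3)
    genuine = v.pay(coin, m)                  # the payment reaches V
    forged = c[2]                             # attacker's best guess: h(ss, c[3])
    return genuine == expected, forged == expected


def replayed_request_rejected() -> bool:
    """Slide 8: V checks seq, so the same request delivered twice is discarded."""
    ss = os.urandom(SIZE)
    c = make_chain(4, os.urandom(SIZE), ss)
    v = Vendor()
    first = v.request(c[0], seq=1, ss=ss)
    again = v.request(c[0], seq=1, ss=ss)
    return first == c[0] and again is None
```

Running `modification_attack(salted=False)` returns `(True, True)`: the unsalted chain accepts both the genuine (c[5], 3) and the rewritten (c[4], 2), so V is credited two coins while U believes it paid three. With `salted=True` the rewrite fails because the attacker cannot compute h(ss, c[5]); `loss_attack_with_ack()` shows that c[i-1] is not a valid ack, and `replayed_request_rejected()` shows the seq check of the request-reply phase.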

  10. Formal Specification in AP-notation

  11. Convergence Theory: Basic Concepts
  State: an assignment of values to all variables and all channels
  Transition: two states (p, q) such that p transitions to q by a protocol action
  Computation: an infinite sequence of states where every pair of successive states is a protocol transition
  Safe state: occurs in a protocol computation whose first state is an initial state of the protocol
  Error state: reached from a safe state by an adversary action
  Unsafe state: a state of a protocol that is not safe is called an unsafe state if it is an error state of the protocol or if it occurs in any protocol computation (p.0, p.1, p.2, …) where p.0 is an error state of the protocol

  12. Convergence Theory: Security
  • A protocol is secure if it satisfies the following three conditions:
    • Closure: in each protocol computation whose first state is safe, every state is safe.
    • Convergence: in each protocol computation whose first state is unsafe, there is a safe state.
    • Protection: in each protocol transition whose first state is unsafe, the critical variables of the protocol do not change their values.

  13. State Transition Diagram
  [Figure: state transition diagram. Labels appearing in the figure: S.1 to S.6, u.1 to u.4, v.1 and v.2, R and R.1 to R.6, M and M.1 to M.4, L and L.1 to L.6, T.]

  14. STD: a closer look
  • S.2: (c[0] | seq | ss)sk in the channel from U to V
  • Adversary actions:
    • R: message replay
    • M: message modification
    • L: message loss
  • Consider message modification attacks
    • M.1: a modified request message is in the channel from U to V
    • L.1: V discards the modified message because seq is not correct
  • No critical variables are updated in unsafe states
  [Figure: excerpt of the state transition diagram around S.2 with labels R.1, R.2, M.1, L.1, u.2, v.1, T.]
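The three conditions of slide 12 checked mechanically on a finite state graph, as an added example that is not the authors' AP-notation specification or their verification. The model is a constructed toy version of the request-reply phase with the adversary actions R, M and L of slide 14; the state names, the choice of V's seq and credit counter as the critical variables, the `pay_ack_phase` self-loop that keeps computations infinite, and the variant in which V skips the seq check are all assumptions of this example. Safe, error and unsafe states are computed from the slide 11 definitions, and the checker reports which of closure, convergence and protection hold.

```python
from collections import namedtuple
from typing import Dict, List, Set, Tuple

# A state is a control point plus the vendor's critical variables: the highest
# seq accepted and the credit counted on the current chain (constructed model).
State = namedtuple("State", "point vseq credit")
Transition = namedtuple("Transition", "src actor dst")   # actor: protocol | adversary


def build_model(vendor_checks_seq: bool) -> Tuple[State, List[Transition]]:
    """Toy request-reply phase with the adversary actions R, M, L of slide 14."""
    idle = State("idle", 0, 0)                           # initial state
    req = State("request_in_channel", 0, 0)              # (c[0]|seq|ss)sk in U->V channel
    acc = State("reply_in_channel", 1, 0)                # V accepted seq 1, c[0] going back
    pay = State("pay_ack_phase", 1, 3)                   # three coins paid; rounds abstracted
    modreq = State("modified_request_in_channel", 0, 0)  # error state reached via M
    lost = State("request_lost", 0, 0)                   # error state reached via L
    replay = State("stale_request_in_channel", 1, 3)     # error state reached via R
    t = [
        Transition(idle, "protocol", req),       # U sends the request
        Transition(req, "protocol", acc),        # V checks seq, replies c[0]
        Transition(acc, "protocol", pay),        # U gets the reply, starts paying
        Transition(pay, "protocol", pay),        # pay/ack rounds keep the computation infinite
        Transition(req, "adversary", modreq),    # M: message modification
        Transition(req, "adversary", lost),      # L: message loss
        Transition(pay, "adversary", replay),    # R: an old request is replayed
        Transition(modreq, "protocol", lost),    # V discards it: seq is not correct
        Transition(lost, "protocol", req),       # U resends after getting no reply
    ]
    if vendor_checks_seq:
        t.append(Transition(replay, "protocol", pay))    # stale seq: V discards it
    else:
        # without the seq check V re-initialises the chain and wipes its credit
        t.append(Transition(replay, "protocol", State("reply_in_channel", 1, 0)))
    return idle, t


def reachable(start: Set[State], t: List[Transition], actor: str) -> Set[State]:
    """States reachable from `start` using only transitions of one actor."""
    seen, todo = set(start), list(start)
    while todo:
        s = todo.pop()
        for tr in t:
            if tr.src == s and tr.actor == actor and tr.dst not in seen:
                seen.add(tr.dst)
                todo.append(tr.dst)
    return seen


def has_protocol_cycle(nodes: Set[State], proto: List[Transition]) -> bool:
    """DFS for a protocol cycle that stays inside `nodes` (a computation could
    then circle there forever without reaching a safe state)."""
    colour = {s: 0 for s in nodes}                       # 0 new, 1 on stack, 2 done

    def visit(s: State) -> bool:
        colour[s] = 1
        for tr in proto:
            if tr.src == s and tr.dst in colour:
                if colour[tr.dst] == 1 or (colour[tr.dst] == 0 and visit(tr.dst)):
                    return True
        colour[s] = 2
        return False

    return any(colour[s] == 0 and visit(s) for s in nodes)


def critical(s: State) -> Tuple[int, int]:
    """The critical variables of this model: V's seq and credit."""
    return (s.vseq, s.credit)


def check(initial: State, t: List[Transition]) -> Dict[str, bool]:
    """Evaluate closure, convergence and protection (slide 12) on the graph."""
    proto = [tr for tr in t if tr.actor == "protocol"]
    safe = reachable({initial}, t, "protocol")                       # slide 11
    error = {tr.dst for tr in t if tr.actor == "adversary" and tr.src in safe}
    unsafe = reachable(error, t, "protocol") - safe
    closure = all(tr.dst in safe for tr in proto if tr.src in safe)
    # Convergence: every infinite protocol computation from an unsafe state must
    # reach a safe state, so unsafe states may neither be dead ends nor form a cycle.
    no_dead_end = all(any(tr.src == s for tr in proto) for s in unsafe)
    convergence = no_dead_end and not has_protocol_cycle(unsafe, proto)
    protection = all(critical(tr.src) == critical(tr.dst)
                     for tr in proto if tr.src in unsafe)
    return {"closure": closure, "convergence": convergence, "protection": protection}
```

With the seq check in place, `check(*build_model(True))` reports all three conditions satisfied: the modified and lost requests lead back to `request_in_channel` without touching V's variables, and the replayed request is discarded. Without the check, the replay still converges (V returns to a safe state) but protection fails, because the transition out of the unsafe `stale_request_in_channel` state resets V's credit; this is the kind of violation the STD on slide 14 is inspected for.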

  15. Conclusions
  • Presented two security fixes to the PayWord protocol
  • Specified the new secure version of PayWord
  • Formally verified that this protocol is secure against message loss, modification and replay attacks
