Formal Specification and Verification of a Micropayment Protocol (PowerPoint PPT presentation)

Slides: 16
Provided by: cse58
Learn more at: http://www.cse.msu.edu

Transcript and Presenter's Notes

1
Formal Specification and Verification of a
Micropayment Protocol
  • Alex X. Liu
  • The University of Texas at Austin, U.S.A.
  • Co-author: Mohamed G. Gouda

October 13, 2004
2
Microcommerce
  • What is microcommerce?
  • Buy and sell goods/services for small amounts of
    money
  • 1 per web page access
  • Can we use credit cards for microcommerce?
  • No, the per-transaction fee is too high (29 2)
  • Microcommerce on Internet
  • Micropayment Protocols

3
Micropayment Protocols
  • Proposed micropayment protocols
  • Compaq's Millicent
  • Rivest and Shamir's PayWord
  • Anderson's NetCard
  • Jutla and Yung's PayTree
  • Hauser et al.'s Micro iKP
  • W3C's MPTP
  • Are they secure?
  • Need formal specification and verification

4
PayWord Protocol
  • Developed by Rivest and Shamir in 1996
  • Three parties: Bank, User, Vendor
  • All parties know the same one-way hash function h
  • (From h(x), one cannot derive x)
  • Outline of PayWord
  • User first creates an empty array c0, c1, ..., cn
  • c0 ← c1 ← c2 ← ... ← cn-1 ← cn (each arrow is an
    application of h)
  • Then this array becomes a hash chain
  • Sends c0 to Vendor by public key cryptography
  • User → Vendor: (c2, 2) in plain text
  • User → Vendor: (c5, 3) in plain text
  • This protocol has two security problems!

5
1. Message Modification Attack
  • Vulnerable to message modification attack
  • An attacker can modify (ci, m) to (h(ci), m-1).
    Both are valid.
  • Neither U nor V can detect this attack.
  • Solution
  • Use a securely salted one-way hash function
  • c0 ← c1 ← c2 ← ... ← cn-1 ← cn (each arrow is an
    application of h(ss, .))
  • ci-1 = h(ss, ci) for each i
  • ss is a session secret shared between U and V.
    Unknown to the attacker.

6
2. Message Loss Attacks
  • Vulnerable to message loss attack
  • An attacker can discard a payment message from U
    to V
  • Due to the lack of an ack mechanism, neither U nor V
    can detect this
  • Solution: add unforgeable ack messages
  • U sends V a payment (ci, m)
  • V sends U an ack h(ci, ss)
  • Attacker knows h(ss, ci) (= ci-1), but not
    h(ci, ss).

7
New PayWord Protocol
  • Assume U and V have a shared secret sk
  • Can be achieved by public key cryptography
  • Each hash chain has a sequence number seq
  • There are two phases
  • request-reply phase
  • pay-ack phase

8
Request-reply phase
  • U picks three numbers
  • n: max number of coins needed to pay V (by
    estimation)
  • cn: a random number
  • ss: a session secret
  • U computes the hash chain
  • c0 ← c1 ← c2 ← ... ← cn-1 ← cn (each arrow is an
    application of h(ss, .))
  • U sends request message (c0, seq, ss)sk to V
  • V checks whether it is a valid message by seq
  • If the request message is valid, it replies c0
    back to U

9
Pay-ack phase
  • U sends a payment (ci, m) to V
  • V checks whether it is a valid one
  • ci-m = h(ss, .) applied m times to ci?
  • If yes, sends acknowledgement h(ci, ss) to U
  • Message flow between U and V (repeated for each
    payment):
    U → V: payment (ci, m)
    V → U: ack h(ci, ss)
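The salted hash chain of slide 5, the pay-ack check of slide 9 and the ack of slide 6 in one piece of code, as an added example that is not the authors' specification. The hash (SHA-256 over concatenated fields), the chain length and the session secret are constructed assumptions; setting ss to the empty string reproduces the original unsalted PayWord so the modification attack can be seen to succeed there and fail on the salted chain.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """One-way hash of the concatenated parts (assumed SHA-256; fixed-length
    inputs in practice). Argument order matters: h(ss, c) != h(c, ss)."""
    return hashlib.sha256(b"".join(parts)).digest()

def build_chain(ss: bytes, cn: bytes, n: int) -> list:
    """User side: c_n is random, c_{i-1} = h(ss, c_i). Returns [c_0, ..., c_n].
    Original (unsalted) PayWord is the special case ss == b""."""
    chain = [cn]
    for _ in range(n):
        chain.append(h(ss, chain[-1]))
    chain.reverse()
    return chain

class Vendor:
    """Vendor state after the request-reply phase: session secret, last accepted coin."""
    def __init__(self, ss: bytes, c0: bytes):
        self.ss, self.last = ss, c0

    def pay(self, ci: bytes, m: int):
        """Pay-ack phase: accept (c_i, m) iff h(ss, .) applied m times to c_i
        gives the last accepted coin. Returns the ack h(c_i, ss), or None."""
        x = ci
        for _ in range(m):
            x = h(self.ss, x)
        if m <= 0 or x != self.last:
            return None                      # invalid (or replayed) payment, no ack
        self.last = ci
        return h(ci, self.ss)                # attacker knows h(ss, c_i) = c_{i-1}, not this

def tamper(ci: bytes, m: int):
    """Message modification attack from slide 5: (c_i, m) -> (h(c_i), m-1)."""
    return h(ci), m - 1

def demo(ss: bytes) -> dict:
    """One session; ss == b"" reproduces the original PayWord behaviour."""
    chain = build_chain(ss, b"\x07" * 32, 10)      # constructed c_n, n = 10
    v = Vendor(ss, chain[0])
    ack = v.pay(chain[2], 2)                         # honest payment of 2 coins
    mod_ci, mod_m = tamper(chain[5], 3)              # attacker rewrites (c_5, 3)
    return {
        "honest_accepted": ack is not None,
        "ack_equals_c1": ack == chain[1],            # True means the ack is forgeable
        "tampered_accepted": v.pay(mod_ci, mod_m) is not None,
        "replay_accepted": v.pay(chain[2], 2) is not None,
    }
```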

10
Formal Specification in AP-notation
11
Convergence Theory: Basic Concepts
  • State: an assignment of values to all variables
    and all channels
  • Transition: a pair of states (p, q) such that p
    transitions to q by a protocol action
  • Computation: an infinite sequence of states where
    any pair of two successive states is a protocol
    transition
  • Safe state: a state that occurs in a protocol
    computation whose first state is an initial state
    of the protocol
  • Error state: a state reached from a safe state by
    an adversary action
  • Unsafe state: a state of a protocol that is not
    safe is called an unsafe state if it is an error
    state of the protocol or if it occurs in any
    protocol computation (p.0, p.1, p.2, ...) where
    p.0 is an error state of the protocol

12
Convergence Theory: Security
  • A protocol is secure if it satisfies the
    following three conditions
  • Closure: In each protocol computation whose first
    state is safe, every state is safe.
  • Convergence: In each protocol computation whose
    first state is unsafe, there is a safe state.
  • Protection: In each protocol transition whose
    first state is unsafe, the critical variables of
    the protocol do not change their values.

13
State Transition Diagram
[Diagram: safe states S.1 to S.6; error states R.1 to R.6, M.1 to M.4 and L.1 to L.6; edges labelled u.1 to u.4, v.1, v.2, R, M, L and T.]
14
STD: a closer look
[Diagram excerpt: states S.2, R.1, R.2, M.1, L.1 and the edges u.2, v.1, R, M, L, T among them.]
  • S.2: (c0, seq, ss)sk in channel from U to V
  • Adversary actions
  • R: message replay
  • M: message modification
  • L: message loss
  • Consider message modification attacks
  • M.1: a modified request message is in channel
    from U to V
  • L.1: V discards the modified message because seq is
    not correct
  • No critical variables are updated in unsafe states
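A finite-state checker for the three conditions of slides 11 and 12 (closure, convergence, protection), run over a small model of the request-reply seq check that slide 14 walks through. This is an added example, not the paper's AP-notation specification: the state shape (U's next seq, V's last accepted seq, the request in the channel), the bound K and the adversary actions (loss, modified or replayed seq) are all constructed assumptions, and the critical variable is taken to be V's accepted seq.

```python
K = 2  # bounded sequence numbers 0..K (constructed toy model)

def protocol(s, check_seq=True):
    """Protocol actions on state (u_seq, v_seq, chan); chan is None or the seq in the
    request U -> V. V accepts a request iff its seq is the next expected one."""
    u, v, ch = s
    if ch is None and u <= K:
        yield (u, v, u)                          # U sends request carrying seq u
    elif ch is not None:
        if ch == v + 1 or not check_seq:
            yield (u + 1, ch, None)              # V accepts: v_seq updated, U advances
        else:
            yield (u, v, None)                   # V discards the message (L.1 in the STD)

def adversary(s):
    """Adversary actions on a message in the channel: loss, modification, replay."""
    u, v, ch = s
    if ch is not None:
        yield (u, v, None)                       # L: message loss
        for q in range(K + 1):
            if q != ch:
                yield (u, v, q)                  # M / R: altered or replayed seq

def reach(start, step):
    """All states reachable from the set `start` via `step` (inclusive)."""
    seen, todo = set(start), list(start)
    while todo:
        for t in step(todo.pop()):
            if t not in seen:
                seen.add(t); todo.append(t)
    return seen

def check(initial, step, critical):
    """Evaluate closure, convergence and protection for a finite model."""
    safe = reach(initial, step)                  # states of computations from an initial state
    errors = {t for s in safe for t in adversary(s)} - safe
    unsafe = reach(errors, step) - safe
    def converges(s, path=()):                   # every protocol path from s reaches a safe state
        if s in safe:
            return True
        succ = list(step(s))
        return bool(succ) and s not in path and all(converges(t, path + (s,)) for t in succ)
    return {
        "closure": all(t in safe for s in safe for t in step(s)),
        "convergence": all(converges(e) for e in errors),
        "protection": all(critical(s) == critical(t) for s in unsafe for t in step(s)),
        "unsafe_states": len(unsafe),
    }

def run(check_seq=True):
    """Initial state: U at seq 0, V has accepted nothing (-1), empty channel."""
    return check({(0, -1, None)}, lambda s: protocol(s, check_seq), critical=lambda s: s[1])
```

With `check_seq=False` V accepts any request, so a modified seq reaches the critical variable and protection fails, which is the property slide 14 relies on.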

15
Conclusions
  • Presented two security fixes to the PayWord protocol
  • Specified the new secure version of PayWord
  • Formally verified that this protocol is secure
    against message loss, modification and replay
    attacks