A Study in Electronic Commerce: Specification
Cornell University
Computer Science Department
Masters of Engineering Project
Spring 1998
Han-Yang Lo
Sanjeev Topiwala
Joyce Wang
with
assistance from Keith Sollers
Under the supervision of:
Professor Fred B. Schneider
last
modified: Monday, 4/27/98
Introduction
Overview
of System
Properties
of System
Assumptions
High
Level Functional Specification
- Setup
- Bank
- Merchant
- Client
- Communication
Protocols
- Client -- Bank
- Client -- Merchant
- Merchant -- Bank
- Features
- Bank Server
- Merchant Server
- Consumer Client
- Algorithms
- Coins
Programming
Languages and Platform Support
Demonstration
of System
Notes
References
Introduction
The growth of the Internet has
created a whole new marketing and sales paradigm. Merchants can
sell practically anything over the Internet at any time. They can
reach audiences far beyond their physical locations and can sell
at cheaper prices. On the flip side consumers appreciate the
convenience and ease of shopping from home. They also like the
varied product selection and discount prices. The Internet brings
together these advantages for both merchants and consumers. For
this reason, the Internet is believed to be where the future of
commerce lies.
However, at the current time,
consumers must generally use credit cards or checking accounts to
make purchases. Although these methods are safe and secure, they
do not provide the anonymity and untraceability of cash. As the
number of financial transactions over the network grows,
consumers will demand a form of secure electronic cash to protect
their privacy. This is where V-óa$h
steps in. V-óa$h is a secure, anonymous, and untraceable
system that allows consumers to make purchases over the Internet.
They can be confident that their purchases occur as if they were
spending cash at the mall.
Overview of System
The system consists of three main
components: a bank server, a merchant server, and a consumer
client. Each of these components communicates with each other
over secure channels.
Anonymity means that the merchant
does not know who the consumer is. Untraceability means that the
bank cannot find out where the money came from. To this end, when
the client (Alice) wants to withdraw some cash, she generates
coins, blinds them and sends them to the bank for
authentication. The bank signs these coins with its key, and
sends them back to Alice. Then Alice unblinds the coins. Thus
Alice withdraws money from her account at the bank, which is
authenticated by the bank and usable, but the bank does not know
the serial number of the coin.
Now when Alice is shopping online
at Bob’s, she can spend the money by sending the coins to
Bob, the merchant. Bob, in turn sends the coins to the bank for on-line
validation, to confirm that the coins are valid and have not
been spent already. After getting the confirmation, Bob completes
the transaction with Alice by giving her the merchandise she has
purchased.
At the high-level, this scheme is
motivated from the implementation described in David Chaum's
Scientific American paper (see references), along with several
discussions obtained on the internet by other groups attempting
to explain/implement an electronic cash system. Many low-level
details were obtained by group consensus during the design
process.
Properties of System
- Anonymous and untraceable
purchases.
- Detection of double
spending.
- Authentication of all
parties.
- Audit through logs. (see
above "logging
functionality")
- Authorization of
transactions through bank.
Assumptions
- Client and Merchant have
accounts at the same bank
- Average transaction is
around $201
- Communication channels are
secure using standard encryption algorithms
- Software binary executable
is secure
High Level Functional
Specification
Setup
Setup
functionality is limited:
- Databases
for key management are beyond the scope of this project.
The "databases" are implemented as a file, thus
are not scaleable. 4/23/98
- The electronic registration for
both the merchant and consumer are not implemented as
part of the specifications. It would probably be issued
as a separate disk to the users. 4/23/98
- There
is a testing utility for the bank to generate
user and merchant public/private key pairs.
Bank
- Bank creates a database of
client/merchant V-óa$h accounts
- Bank creates a database for
storing serial numbers of spent coins.
Merchant
Assumption 1
- Merchant requests software
- Software includes a
built-in public/private key pair
- Keypair is encrypted
using a 10 digit PIN: see Bank Setup, #3 (may
not be implemented by 4/27/98)
- PIN is sent to the
merchant through the mail (or can be given to the
merchant at the bank), like the PIN for ATM cards
- Merchant installs the
software
- Fills out electronic
registration which includes account number and
merchant public key (see above "electronic
registration")
- Sends information
encrypted using the bank’s public key
- Bank receives and decrypts
the information (see above "electronic
registration")
- Bank sends a set of
"challenge" questions (see
above "electronic
registration")
- Signed with the
bank’s private key
- Encrypted with the
received public key
- Merchant answers the
challenges (see above "electronic
registration")
- Decrypts the message
- Verifies that the
challenges came from the bank
- Signs the challenge
reply with the merchant’s private key
- Encrypts the signed
reply with the bank’s public key
- Bank verifies merchant
responses (see above "electronic
registration")
- Associates the
merchant, account number, public key in database
- Merchant designs web page
Client
Assumption 1
- Client requests software
- Software includes a
built-in public/private key pair
- Keypair is encrypted
using a 10 digit PIN: see Bank Setup, #3 (may
not be implemented by 4/27/98)
- PIN is sent to the
client through the mail (or can be given to the
client at the bank), like the PIN for ATM cards
- Client installs the software
- Fills out electronic
registration which includes account number and
client public key (see above "electronic
registration")
- Sends information
encrypted using the bank’s private key
- Bank receives and decrypts
the information (see above "electronic
registration")
- Bank sends a set of
"challenge" questions (see
above "electronic
registration")
- Signed with the
bank’s private key
- Encrypted with the
received public key
- Client answers the
challenges (see above "electronic
registration")
- Decrypts the message
- Verifies that the
challenges came from the bank
- Signs the challenge
reply with the client’s private key
- Encrypts the signed
reply with the bank’s public key
- Bank verifies client
responses (see above "electronic
registration")
- Associates the
client, account number, public key in database
Communication Protocols
Logging
functionality has now been integrated and testing. There will be
no automatic recovery of data (manual recovery from logs).
4/26/98
All communication protocols
have Assumption 3
Client
-- Bank
- Client initiates connection
with the bank
- Client sends a
symmetric key
- encrypted
with the bank’s public key
- Bank decrypts the
message with its private key
- Bank acknowledges
the session key by returning the session key
- signed by
the bank’s private key
- encrypted
using the session key
- Client sends:
- account number
encrypted with symmetric key and
- symmetric key
signed with the client private key
- this entire packet
encrypted with the symmetric key
- All messages from this point
are encrypted using the session key
- To withdraw money:
- Client sends a
message requesting withdrawal amount
- Bank checks the
account
- If there is
enough money in the account
- If the
client hasn’t gone over the maximum
daily withdrawal limit
- If the request is
invalid:
- the bank
sends an ERROR message and disconnects
- Otherwise, the
request is valid, and the bank sends an
acknowledgement
- The client software
generates and blinds the serial numbers for the
appropriate number of coins and sends them to the
bank
- The bank signs these
coins with a specific private key for each coin
denomination, and sends the signed, blinded coins
back to the client
- The bank keeps a
copy of these signed blinded coins until it
receives a confirmation of receipt from the
consumer(not implemented)
- The client software
receives the coins:
- unblinds the
coins
- verifies the
bank signature (makes sure it returns the
original serial number)
- acknowledges
receipt of coins, and sends receipt to
bank
- Bank debits the
client’s account upon receipt of
acknowledgment
- If the bank does not
receive an acknowledgment, bank resends coins
upon client request (assumption that
this will not happen. Resend implementation
partially coded, but not integrated or tested.
... does not exist in the current applications.
4/23/98)
- To deposit coins:
- The client sends the
bank the serial numbers of the coins to be
deposited
- The bank validates
the coins:
- verifies
that the coins were signed by the bank
- checks the
coins against the spent coin database to
prevent "double spending"
- If the coins are
valid, the bank credits the client’s account
- Clients
should not have any invalid coins
- To correct a
mistake, clients must contact the bank --
verification using logfiles. (see above "logging
functionality")
- Bank sends a receipt
to the client
- Client stores the
receipt
- To get change:
- The client deposits
the largest denomination coin
- The client withdraws
an amount equal to that denomination
- The client
software automatically creates the
necessary number of serial numbers
- This
withdrawal does not count toward the
maximum daily withdrawal
Client
-- Merchant
- Merchant sets up a web page
for the merchandise
- Purchase page
includes a button that will spawn an external
application at the client site
- Sends the external
application:
- merchant’s
public key
- IP address
of the merchant’s server
- Port number
of the merchant’s server
- Total amount
of purchase
- Client sends a symmetric key
to the merchant
- Encrypted using the
merchant’s public key
- Merchant
acknowledges
- Everything from this point
is encrypted using the symmetric key
- Merchant sends a bill for
the goods
- If the client
decides not to accept the charges, the client
terminates the connection
- The client sends the coins
- The merchant validates the
coins with the bank
- If the coins are valid:
- The merchant sends a
signed receipt to the client. (not
yet implemented 4/23)
- The merchant makes
the goods available to the client (downloading,
mail order, etc.)
- The client logs the
charges. (see above "logging
functionality")
- If the validation fails:
- The merchant tells
the client
- Both parties log the
failure. (see above "logging
functionality")
- The client puts the
coins in the "BadCoins" purse
- The client must
contact the bank to correct an invalid mistake
– verification using files. (see
above "logging
functionality")
- The client may
attempt to purchase the item with other coins in
the purse
Merchant
-- Bank
- Merchant initiates
connection with the bank
- Merchant sends a
symmetric key and the account number
- encrypted
with the bank’s public key
- Bank decrypts the
message with its private key
- Bank acknowledges
the session key by returning the session key
- signed by
the bank’s private key
- encrypted
using the session key
- Merchant sends:
- account number
encrypted with symmetric key and
- symmetric key
signed with the merchant private key
- this entire packet
encrypted with the symmetric key
- All messages from this point
are encrypted using the session key
- The merchant sends:
- the
coins received from the client
- total
amount of payment
- The bank makes sure that the
coins are valid
- The coins were
signed by the bank
- The coins have not
been used before ("double spending")
- If the coins are valid:
- The bank credits the
merchant's account
- The bank sends a
signed receipt to the merchant
- Both parties log the
transaction. (see above "logging
functionality")
- If the validation fails, the
bank logs the serial numbers of the coins and the
merchant's account number. (see above "logging functionality")
Features
Bank
Server
- Track serial numbers of
spent coins
- Validate coins
- Prevent reuse of
spent coins
- Implemented using a
database
- Sign various denominations
of coins
- Different signature
for each coin denomination
- Maintain client/merchant
accounts
- Owner's public key
- Credit/Debit
accounts
- Verify available
funds
- Verify maximum daily
withdrawal
- Generate
public/private keypair (implemented
for testing only 4/23)
- Encryption algorithms –
see communication protocols for exact use
- Log file – see Table 1
Merchant Server
- Account with bank
- To allow
Credit/Debit of funds
- Web page
- List of merchandise
- Merchant’s
public key accessible
- Deposit coins
- Issue receipts for purchases
- Public/Private key pair
- Encryption algorithms –
see communication protocols for exact use
- Log file – see Table 1
Consumer Client
- Account with bank
- To allow
Credit/Debit of funds
- Generate random serial
numbers for coins
- Apply blind signature to
coins
- To maintain
untraceability
- Withdraw money from bank
- In $20 increments
(similar to an ATM)
- With a maximum of
$100 per day (similar to an ATM)
- Deposit coins
- Coin exchange with bank
- To obtain exact
change for payments
- Exact payment makes
tracing consumer more difficult
- Implemented using
deposit and then withdraw
- Public/Private key pair
- Encryption algorithms –
see communication protocols for exact use
- Log file – see Table 1
Table 1 Log Files
| |
Log
kept by Bank |
Log
kept by Merchant |
Log
kept by Client |
| Bank |
|
1. Transaction date
2. Amount deposited
3. Success / failure |
1. Transaction date
2. Amount withdrawn / deposited
3. Serial numbers / denominations
4. Signed coins |
| Merchant |
1. Transaction date
2. Account number
3. Amount deposited |
|
1. Transaction date
2. Coins used in payment
3. Merchant ID |
| Client |
1. Transaction date
2. Account number
3. Amount withdrawn / deposited
4. Breakdown of coins issued per denomination |
1. Transaction date
2. Amount of purchase |
|
Algorithms
- Asymmetric key algorithm
- To allow bank to
identify client/merchant’s account number
- To encrypt symmetric
session key for establishing secure channels of
communication
- Implemented using
RSA
- Symmetric key algorithm
- To speed up
communication across channels
- Implemented using
DES
- Signature algorithm
- To allow bank to
sign various denominations of coins
- Implemented using
DSA
- Blinding signature algorithm
- To maintain
untraceability
- Implemented using
RSA
- Random number generator
- To generate coin
serial numbers
- To generate blinding
factors
- Implemented using a
linear congruential generator
Coins
- Binary denominations (e.g.
$0.01, $0.02, $0.04…, $1.28, $2.56, $5.12)
- Minimum of $0.01
- Maximum of $5.12 (based
on Assumption 2)
- Minimizes the number
of coins necessary to purchase items
- Data format
Programming Languages
and Platform Support
- The V-óa$h system will be written using C++
with MFC and will support Windows 95/NT PC platforms.
Demonstration of
System
The system will be demonstrated
by creating a simple user interface with the above functionality.
A single merchant web site will be created with a few
purchaseable items. The client will indicate that he/she wishes
to purchase this product, after acquiring the funds from the
bank. The interface will spawn the software that initiates the
payment transaction. A test validation suite was used to test the
cryptographic algorithms.
Notes
1Amount
was chosen to be between the amount of most micropayments and
most credit card payments. Additionally, a lower amount is
preferable given the security level of the system. Coin size and
denomination considerations also played a role.
References
Digital Cash Home Page:
http://www.digicash.com
RSA Data Security Home Page:
http://www.rsa.com
Certicom white papers on ECC:
http://www.certicom.com/ecc/wpaper.htm
IEEE Internet Computing -
Interview with David Chaum:
http://www.computer.org/internet/ic1997/w6toc.htm
Scientific American Article by
David Chaum:
http://ganges.cs.tcd.ie/mepeirce/Project/Chaum/sciam.html