Yi Mu and Vijay Varadharajan. School of Computing and IT, University of Western Sydney, Nepean, PO Box 10, Kingswood, N.S.W.

Transcription

1 Anonymous Internet Credt Cards Y Mu and Vjay Varadharajan School of Computng and IT, Unversty of Western Sydney, Nepean, PO Box 10, Kngswood, N.S.W. 2747, Australa Emal: fymu,vjayg@ct.nepean.uws.edu.au Abstract In credt based payment systems, condental data such as PIN and credt card number embedded n an electronc credt card must be protected. The authentcty of an electronc credt card n a payment process s normally acheved through an on-lne trusted server such as a nancal nsttuton that runs the payment system. Ths paper consders some novel secure electronc credt card based payment schemes for the Internet, where the nvolvement of the on-lne nancal nsttuton s reduced to a mnmum. Our protocols use the technque of proof of knowledge of dscrete logarthms that enables a prover to prove a secret wthout revealng the secret to the verer. 1 Introducton A fundamental requrement for the Internet to really become an open marketplace for goods and servces n practce s the need for secure chargng and payment mechansms. Gven the explosve growth n the use of the Internet, and n the servces and applcatons beng oered over the Internet, the mechansms enablng secure commercal transactons form the foundaton stone of ths electronc nformaton revoluton. Needless to say securty aspects become crtcal to the successful operaton of any of these electronc payment schemes. Broadly speakng, there are two classes of electronc payment schemes. Schemes such as DgCash [1, 2] and NetCash [3] consder cash-based electronc payments. Others such as KP [4], NetBll [5], NetCheque [6], CyberCash [7], STT[8], SEPP [9], and SET [10] consder credt and debt based electronc payments. Our focus n ths paper s on credt based electronc payment systems. In general, an on-lne credt card payment system nvolves at least the followng partes: Clents (Servce Users) requestng servces from Merchants who provde the servces, and Banks (or Fnancal Insttutons) provdng guarantee and transfer of cash and credts between Clents and Merchants. STT, SEPP, and SET refer to the Fnancal Insttuton as the Acqurer whereas KP models ths usng a Gateway that acts as an ntermedary to the exstng nancal network. We use generc terms such as oer, order and slp n descrbng the payment schemes. The Merchant presents the nformaton about the servce n terms of an Oer. When the Clent wshes to make a purchase, s/he sends an Order and a payment Slp to the Merchant. The Oer s ntended for the merchant whereas the Slp s passed on to the Fnancal Insttuton. The Merchant requests the authorzaton from the Fnancal Insttuton, and upon recept of the authorzaton, the Merchant conrms to the Clent the concluson of the payment transactons. Ths s then followed by the servce delvery. Under these systems, the nancal nsttuton must be on-lne, where t serves as a trusted authentcaton center for merchants and customers by verfyng the authentcty of payment slps. The obvous reason for needng an on-lne server s that merchants do not have

2 the rght to access the PINs and credt card numbers of clents. However, the cost of an on-lne servce has to be taken nto account n the overall assessment. In ths paper, we propose three novel credt based systems that present a promse for merchants not to use an on-lne bankng servce durng the processng of a payment. In other words, n our systems merchants can ensure the authentcty of the credt cards wthout any help from the nancal nsttuton that provdes the credt card servce. Merchant can contact the on-lne authentcaton server for a hgher level of assurance, but the opton s chosen only f merchants want tohave a further conrmaton from the nancal nsttuton before delverng the goods or provdng servce. The sgncance of our schemes have not been shared by the exstng schemes mentoned above. Our schemes are based on the methods of proof of knowledge on the equalty of logarthms (for convenence, we refer to t as equalty proof of knowledge[11] and non-nteractve equalty proof[12]). The dea behnd our scheme s that when purchases an tem from a merchant, a clent can prove hs PIN and credt card number embedded n hs electronc credt card to the merchant wthout revealng the secrets. In partcular, we wll also show that usng ths technque we can make clents n our payment system anonymous. Our rst scheme, usng the nteractve equalty proof[11], s somewhat smlar to Chuam's electronc wallet, but the scheme s used to a derent payment system. However, the second and the thrd schemes are entrely new: The second scheme, usng the non-nteractve equalty proof, reduces communcaton ows between clent and merchant. The thrd scheme acheves anonymous credt cards. The rest of ths paper s organzed as follows. In Secton 2, we ntroduce the scheme of equalty proof of knowledge. In Secton 3, we construct our protocol wthout consderng the anonymty of clents. In Secton 4, we ntroduce non-nteractve equalty proof of knowledge and construct an mproved payment protocol. In Secton 5, we consder clents anonymty, based on the equalty proof of several secrets, and propose a new protocol. 2 Equalty Proof of Knowledge The credt based payment scheme that wll be ntroduced n ths paper s based on the scheme of provng knowledge wthout revealng anythng about the content that has been proven. Ths scheme of proof was ntally proposed by Chaum and Pedersen [11] and Verheul and Tlborg [12]. We assume that the prover s P and the verer s V. The common knowledge ncludes the the generators g 2 G (1 n). The P can prove that she knows a secret x from h = g x mod q wthout revealng the secret, where q s large prme. A condence parameter l s used to specfy the level of the condence of the protocol. The protocol s gven below. In Protocol 1, the prover P chooses a number r 2 R Z p, computes a, n terms of a = g r mod q; (1 n), and sends t to V. V then chooses a challenge c 2 l and sends t to P. Upon recept of c, P computes z = cx + r (modq) as a response and then sends t to V, where q s a large prme number. V checks f the equalty g z = hc a holds for all. If t does, the V wll accept t. If not, then there s a probablty less than 1=l that t wll stll be accepted by V. Ths protocol proves the knowledge of x to V wthout revealng x. The vercaton of completeness, soundness, and securty of the protocol s gven n [12]. For convenence, we ntroduce the denton of knowledge of equalty proof. Denton 1 Gven a challenge c and a correspondng response z, k[x; c; z] fg 1 ; :::; g n ;h 1 ; :::; h n ;a 1 ; :::; a n ;z;cg s the knowledge of equalty proof of the secret x from fg x g.

3 Protocol 1 P V r 2 R Z p a = g r mod q; (1 n) a z = cx + r (modp),,,,,,,,,,! chooses c (0 <c l) c,,,,,,,,,, z,,,,,,,,,,! 8, g z = h c a Wth k[x; c; z], the verer can verfy the authentcty of the secret wthout knowng the secret. 3 Constructon of Our Protocol Our protocol s based on the equalty proof of knowledge gven above and does not need an on-lne authentcaton server such as a bank that runs the system. The authentcty of the credt cards s based on knowng the secret data embedded n the credt card. The secret data s constructed by concatenatng the PIN number, credt number, and salt shared wth the nancal nsttuton. The clent can prove to the merchant that he knows the PIN number and the credt card number wthout revealng them to the merchant. The notatons that wll be used n the descrpton of the protocols are as follows: C: Clent, M: Merchant, B: Bank, TA:Trusted Certcaton Authorty, t p : Tmestamp generated by party P, d p : Prvate Key of user P, e p : Publc Key of user P (assocated wth d p ), h::: ep : Publc Key Encrypton usng e p, h::: dp : Publc Key based Sgnature usng d p. 3.1 Constructon of Credt Card and Payment Tokens An electronc credt card s obtaned by a clent at the stage of regstraton wth the bank. Ths can be done ether through a secure channel or va physcal contact wth the bank. The nformaton embedded n a credt card s as follows: clent's ID (C),

4 condence level (l), h = g x mod q, =1; 2; :::; n, where g are the common generators (g 2 G) and x s the concatenaton of PIN number, credt card number and salt, expry date (E), and the maxmum amount (A) that can be used. The credt s denoted by symbol C expressed as follows: C = hc; l; h 1 ; :::; h n ; E; A db (1) The credt card s dgtally sgned by the bank usng ts secret key d b. We have assumed that the number of generators (n) s xed by the bank. Therefore, t s unque n the system. The salt embedded n the credt card s unque for each clent. The owner of the credt card knows the secret x. When usng the credt card, the clent must prove to the merchant that she knows x wthout revealng the secret to the merchant. When a clent wants to use the credt card for a purchase, she constructs a payment slp (S). The payment slp contans the credt card nformaton, the ID of merchant (M), order (O), the amount $ (ncludng currency type) and a tmestamp (t c ). S = hc;m;o; $;t c dc (2) s sgned by the clent. After clent has pad for the goods, the merchant sends the clent a recept (R) as a undenable proof of the recept of the payment. The recept contans hashed credt card nformaton, hashed amount that has been pad, hashed order, the challenge, and a tmestamp. The recept for clent C s gven by The recept s sgned by the merchant. 3.2 System Setup R c = hh(c);h($);h(o);c;t m dm (3) Assume that there exsts a trusted certcate authorty (TA) such as a bank B that runs the payment system and ssues certcates for all partes nvolved n the system. The TA could be an authorzed department n the nancal nsttuton. Therefore, t s reasonable to assume that all partes nvolved n our system have a par of legtmate publc/secret keys (e p ;d p ) and the correspondng publc key certcate (Cert p ) sgned by the TA, where the subscrpt p denotes a party P. The certcate token for party P s constructed as follows: Cert p = hp; e p ;t;t 0 ;B db ; (4) where t and t 0 denote a tmestamp and expry tme respectvely. Consder a clent C who has regstered wth the nancal nsttuton that runs the system. In other words, C possesses hs electronc credt card ssued by the bank. The clent and the bank share nformaton on the credt card such as the credt card number, PIN, and salt (we refer to the concatenaton of these data as x). However, there could be an opton that the bank keeps only g x mod q and deletes x. Once a clent can prove that she knows x by usng an equalty proof of knowledge, she wll be allowed to use the credt card.

5 Consder a merchant M who has regstered wth the bank B and can provde the credt based payment servce. Ths means that the merchant s ready to act as a verer of the equalty proof of knowledge. As mentoned before, the merchant should not know x, but she wll be convnced by the clent that the clent who makes the payment s a legtmate party and the owner of the credt card. The bank B s the authorty that runs the system. The bank s on-lne, but t mght not be necessary to get nvolved n the actual payment process. It could get nvolved only f t s absolutely necessary. That s, when the merchant asks t to do so. An example of ths stuaton would be the case when the amount of payment s large, thus the bank should check the avalable amount remanng on the clent's account. Ths stuaton s the same as the exstng non-electronc credt card systems. Protocol 2 C M r 2Z p a = g r mod q; (1 n) w = hs; a ; n c dc z = cx + r (modp) hoffer dm ; Cert m,,,,,,,,,,,,, Cert c; hw em,,,,,,,,,,,,,! chooses c = DktkMkL (1 L l) hc;n cdm,,,,,,,,,,,,, hz;n cdc,,,,,,,,,,,,,! 8, g z = h c a goods; hc;n c;k sec ; R c 3.3 The Protocol Protocol 2 descrbs the payment protocol. The merchant M broadcasts the oers through the Internet. The oers have been sgned by the merchant usng hs prvate key. When the clent decdes to purchase an tem descrbed n an oer, she sends the merchant hs payment slp contanng the nformaton on an order and the electronc credt card. Once a payment has been receved, the merchant veres the clent's sgnatures n the slp and mplements the equalty proof of knowledge for the secret x. The goods and recept wll be sent to the clent, provded every check s successful. The provson of goods/servce s encrypted wth a symmetrc sesson key k s, whch has been protected usng C's publc key. Note that the challenge c sent to the clent s a bt concatenaton of current date, tme, the merchant's ID, and a random number R. Ths constructon s mportant, snce t removes the rsk of occurrence of two dentcal challenges n derent payments. Increasng the sze of the data does not change the condence level, snce only R s randomly chosen. The system functons n a smlar fashon to a non-electronc credt card system such as Vsa or MasterCard. The payment receved by the merchant can be deposted to the bank later on; for nstance at the end of each day. There could be an addtonal opton that the merchant contacts

6 the bank for the vercaton of the authentcty of the credt card before delverng the goods. Ths could happen when the payment s large. However, for a large number of small payments, the merchant mght not need to contact the bank for reducng the cost of transactons. In the depost phase, the merchant sends the knowledge of equalty proof k[x; c; z] along wth the payment slp to the bank. The depost token s constructed as follows: fcert m ; Cert c ; hhw; k[x; c; z];t m dm eb g The bank returns a recept wth respect to the transacton. The recept s constructed as follows: R b = hc; M; w; H(S);t b db The bank keeps w and c as evdence of the transacton. 4 The Scheme Based on Non-nteractve Proofs In the prevous scheme, the merchant needs to send a challenge to the clent. In ths secton, we show an mproved scheme that does not requre the nvolvement of the merchant n an equalty proof usng the non-nteractve method of equalty proof of knowledge [13]. 4.1 Non-nteractve Equalty Proof In the non-nteractve method, the prover and verer do not need to nteract each other. In other words, the verer does not need to send a challenge n the process of a proof. The challenge s actually computed by the prover tself. One agan assumes that the prover s P and the verer s V. The common knowledge s the generators g 2 G (1 n). P wll prove that she knows the secret x from h = g x mod q wthout revealng the secret. Denton 2 A par (c; z) satsfyng c = H(g 1 k:::kg n ka 1 k:::ka n kh 1 k:::kh n ) (5) and z = cx + r (6) s the knowledge of an equalty proof of x, denoted byk[1:n; g ;a ;h ]. H denotes a strong one-way hash functon. fa g, c, and z are called commtment, challenge, and response respectvely. K[1:n;g ;a ;h ] can only be gven f the secret x s known, accordng to equatons (5) and (6). Wth K[1:n;g ;a ;h ], one can verfy the knowledge of equalty proof, by checkng g z = hc a ( =1; :::; n). The dea behnd ths s the fact that a K[ ] can be forged f the challenge c s known before the computaton of the commtment a. Snce c can only be computed after a group of fa g has been computed or r has been chosen, the equalty proof s equvalent to the one studed prevously and cannot be forged.

7 4.2 The Payment Protocol The algebrac settng s the same as n Protocol 2. We assume that the clent wants to purchase an tem from the merchant. To generate the knowledge of equalty proof of x, the clent executes an ntalzng run (RUN) that has the followng steps: RUN: The clent: chooses r at random n Z p and denes r Dktkr, computes a = g r mod q; 1 n, and computes (c; z)=k[1:n;g ;a ;h ]. In the ntalzng run, the clent needs to make sure that the r has not been used before. One possble soluton s to concatenate the current date and tme to r. The payment protocol s llustrated as follows (Protocol 3): Protocol 3 C M executes RUN w = hs;k[:];n c dc hoffer dm ; Cert m,,,,,,,,,,,,, Cert c; hw em,,,,,,,,,,,,,! 8, g z = h c a goods; hc;k s;n cec ; R c In Protocol 3, once the clent wants to purchase an tem lsted n the oer, she needs to execute the ntalzng run to obtan a current K[:]. In step two, the clent sends the merchant the slp and the knowledge of equalty proof on x. These nformaton are sgned by the clent usng hs prvate key and then encrypted usng the publc key of the merchant. Upon recept of ths nformaton, the merchant veres all sgnatures theren and the authentcty of the knowledge of equalty proof. If the checks are successful, the merchant sends the clent the encrypted goods, encrypted delvery key k s, and a recept. Note that K[:] must be sgned along wth the current payment slp S by the clent. Ths wll remove the rsk of a dshonest merchant reusng t. Note that the condence level dened prevously s not applcable n the present system, and hence has been removed from the credt card token. In the depost phase, the merchant sends w to the bank. The depost token s constructed as follows: fcert m ; Cert c ; hhw; t m dm eb g The bank checks the correctness of w and ensures that the set fa g has not been used before. If the checks are successful, t provdes a recept wth respect to the depost made to the merchant. The recept s constructed as follows: R b = hc; M; w; H(S);t b db The bank needs to keep w as evdence of the transacton.

8 5 Anonymous Electronc Credt Card In ths secton, we consder clent anonymty. Ths s, clents' IDs are not revealed to the merchant when processng a purchase run. The anonymty of clents s based on the non-nteractve equalty proof studed n Secton Anonymous Certcate The clent should obtan an anonymous publc key certcate from the bank, the trusted certcate authorty. The certcate contans an anonymous ID of the clent (^C = fg Cks ;g Cks ; :::; g Cks 1 2 n g), the publc key, a tmestamp, expry tme, and the ID of the ssuer: Cert 0 c = h ^C; e c ;t;t 0 ;B db (7) s s salt that s shared by the clent and TA. The authentcty of the anonymous certcate s based on an equalty proof of knowledge on C, namely the proof of the owner of the certcate wthout revealng the ID of the owner to the verer. The bank has the mappng between ^C and the real ID of the clent. Therefore, the anonymty s only aganst merchants. Ths could be sucent n a credt based payment system. However, f clents are allowed to have anonymous accounts wth the bank, t s possble to make the credt card payments entrely anonymous. We wll not consder ths topc further n ths paper. 5.2 Constructon of Anonymous Credt Card When an electronc credt card becomes anonymous, merchants are not able to know the ID of the card holder. The structure of a credt card s smlar to the one studed n the prevous secton; the only derence s that t uses the anonymous ID of the clent. ^C = h ^C; h 1 ; :::; h n ; E; A db (8) The authentcty of the credt card reles upon two equalty proofs of knowledge of Cks and x. The rst proof ensures that the clent s the owner of the credt card. The second proof shows that the clent knows the secret data x. Now the payment slp and recept tokens have ^C nstead of C. 5.3 The Knowledge of Proof of Several Secret Numbers In ths subsecton, we dene and formalze the buldng blocks of our scheme. They are based on the non-nteractve equalty proofs of knowledge. The denton of the knowledge of proof of m secret numbers s as follows: Denton 3 A m +1 tuple (c; z 1 ; :::; z m ) satsfyng c = H(g 1 k:::kg n ka 1 k:::ka n kh (1) k:::kh (m) k:::kh (m) 1 k:::kh(1) 1 n n ) and z 1 = cx 1 + r; ::: z m = cx m + r: s the knowledge of equalty proof of x 1 ; :::; x m, denoted byk[1:n;g ;a ;h (1) ; :::; h (m) ]. Each response z corresponds to a secret number x, whle the challenge c and the commtment r are unque. Wth the knowledge of the proof, one can verfy the authentcty ofx 1 ; :::; x m,by checkng g z j =(h (j) ) c a ( =1; :::; n; j =1; :::; m)

9 5.4 Anonymous Protocol The anonymous protocol s smlar to the non-anonymous one, except that the clent now needs to prove to the merchant both the ID and the secret x usng the proof gven n Denton 3. RUN: The clent: chooses r at random n Z p and denes r Dktkr, computes a = g r mod q; (1 n), and computes (c; z 1 ; :::; z m )=K[1:n;g ;a ;h (1) ; :::; h (m)]. The protocol s gven as follows: Protocol 4 C M executes RUN (m = 2) w = hs;k[:];n c dc hoffer dm ; Cert m,,,,,,,,,,,,, Cert 0 c ; hwem,,,,,,,,,,,,,! 8, g z 1 goods; hc;k;n cec ; R c,,,,,,,,,,,,, 8, g z 2 =(^C) c a = h c a0 The clent's sgnature s vered usng hs publc key e c embedded n the anonymous publc key certcate. In the depost phase, the merchant sends w to the bank. The depost token s constructed as follows: fcert m ; Cert 0 c; hhw; t m dm eb g The bank needs to check all the nformaton n w ncludng the authentcty of the clent and the valdty of the credt card and then returns a recept wth respect to the depost made to the merchant. The recept s constructed as follows: R b = h ^C;M;w;H(S);tb db 6 Concluson We haventroduced three methods for the establshment of credt based electronc payment systems over Internet, usng the technques of equalty proof of knowledge. In partcular, we have presented a constructon of payment that allows anonymty of clents. The major feature of the system les n the purchase phase where the merchant nvolved can ensure the authentcty of the credt card nformaton wthout any help from the nancal nsttuton that runs the system. Ths has gven a greater exblty to the payment system as t gves a further choce to the merchants whether to use the on-lne bank or not.

10 References [1] D. Chaum, A. Fat, and M. Naor, \Untraceable electronc cash," n Advances n Cryptology, CRYPTO '88 Proceedngs, pp. 319{327, [2] D. L. Chaum, \Achevng electronc prvacy," Scentc Amercan, pp. 96{101, August [3] G. Medvnsky and B. C. Neuman, \Netcash: A desgn for practcal electronc currency on the nternet," n Proceedngs of the ACM Conference on Computer and Communcaton Securty, November [4] G. Medvnsky and B. C. Neuman, \kp - a famly of secure electronc payment protocols," < ecommerce/>. [5] M. Srbu and J. D. Tygar, \Netbll: An nternet commerce system optmzed or network delvered servces," < netbll>. [6] B. C. Neuman and G. Medvnsky, \Requrements for network payment: The netcheque tm perspectve," n Proceedngs of the IEEE CompCon'95, March [7] CyberCash, \The cybercash tm system - how t works," < [8] STT, \Secure transacton technology," < Stt-os.html>. [9] SEPP, \Secure electronc payment protocol," < [10] \Secure electronc transactons," n VISA amd MasterCard, < [11] D. Chaum and T. P. Pedersen, \Wallet databases wth observers," n Advances n Cryptology, CRYPTO '92 Proceedngs, pp. 89{105, Sprnger-Verlag, [12] E. R. Verheul and H. C. A. van Tlborg, \Bndng elgamal: A fraud-detectable alternatve to key-escrow proposals," n Advances n Cryptology, EUROCRYPTO '97 Proceedngs, pp. 119{ 133, Sprnger-Verlag, [13] J. Camensch, \Ecent and generalzed group sgnatures," n Adances n cryptology - EURO- CRYPT'97, Lecture Notes n Computer Secence 1233, pp. 465{479, Sprnger-Verlag, Berln, 1997.