FIDES - A Middleware E-Commerce Security Solution

Aleksandra Nenadić, Ning Zhang, Stephen Barton
Department of Computer Science, University of Manchester
Oxford Road, Manchester M13 9PL, UK
{annadic, nzhang, s.k.barton}@cs.man.ac.uk

Abstract

This paper reports on the on-going Fair Integrated Data Exchange Services (FIDES) project aimed at developing a security middleware solution to support e-commerce transactions and the provision of the important fair exchange and non-repudiation security services. Fair exchange ensures that either both business parties participating in a transaction receive the exchanged valuable items or neither party receives anything useful. Non-repudiation ensures that neither party involved in the exchange can falsely deny sending or receiving a particular item and therefore taking part in the transaction.

Keywords: E-commerce, Security, Fair exchange, Non-repudiation.

1 Introduction

While e-commerce will clearly have a big impact on the way people will conduct business in the future, one of the most important obstacles to further expansion of e-commerce has been the lack of adequate security protections. As the Computer Crime and Security Survey (2002), conducted by the Computer Security Institute and FBI International Crime Squad, revealed, financial losses from Internet attacks were on the rise for the third year in a row and 90% of the survey respondents (primarily large corporations and government agencies) reported security breaches. Security threats to e-commerce transactions come not only from external attackers, who may attempt to eavesdrop or modify the messages, or act under false identity, but also from insiders, i.e. misbehaving business partners. The Internet has enabled companies and organizations to establish ad-hoc business relations with parties whom they may have never met before and, therefore, there is a lack of trust among business partners and disputes are likely to occur.

In order to mitigate the risks associated with conducting e-commerce transactions and help establish trust among potential business partners, adequate security services should be in place to ensure that exchanges of valuable business items are performed fairly and that evidence of e-transactions cannot be repudiated. Such services should prevent situations where one party has received the expected item while the other has not (fairness), and protect business partners against false denials that a particular item has been sent (non-repudiation of origin) or received (non-repudiation of receipt). For instance, in an e-purchase process, a merchant should receive a buyer's e-payment if and only if the purchased e-goods are delivered to the buyer as promised. Alternatively, the buyer should obtain some evidence, such as an e-receipt, certifying that he has made the payment, and this receipt can assure the buyer that the goods will be delivered. Additionally, important electronic business correspondence requires a certified e-mail delivery service analogous to recorded/certified mail provided by a conventional Post Office to assure the sender that the recipient receives his e-mail if and only if he receives the e-receipt signed by the receiver. Furthermore, in the process of electronic contract signing, business parties need to exchange their digital signatures fairly to avoid the situation where one party is legally bound to the contract, while the other is taking his time to look for a better offer and later withdraw from the deal.

The Fair Integrated Data Exchange Services project (FIDES), sponsored by DTI/EPSRC, was launched in September 2001 with an aim of developing a security middleware solution to support e-commerce transactions. The core part of the FIDES is a family of novel and
efficient security protocols for achieving fair exchange and non-repudiation security services. The protocols facilitate exchanges of various business data types (digital signatures, e-goods, e-payments, etc.) and fairness is guaranteed through the use of an off-line and transparent semi-trusted third party (STTP). The services of the STTP are invoked only in extreme circumstances, e.g. when the normal exchange process cannot complete successfully due to unfair behaviour of participants or a network failure. The exchanged items enjoy the confidentiality protection against the STTP, should it be invoked. The protocols reduce the amount of trust placed on the STTP and impose low communication and computational overheads on the participants, which makes them suitable for implementation in both wired and wireless networks. Mutual authentication between protocol participants and message integrity and privacy protections can be achieved through other existing and standard mechanisms, e.g. SSL. This decoupling contributes to modularity and flexibility of the FIDES system and its ability to be integrated with various other security mechanisms.

The rest of the paper is organized as follows. Section 2 provides a brief overview of the solutions for fairness and non-repudiation. Section 3 presents security requirements for the FIDES protocol family and their main design principles. The FIDES protocol family is described in detail in Section 4. The FIDES system architecture and implementation details are presented in Section 5. Finally, Section 6 outlines our conclusions.

2 A Short History of Fairness and Non-repudiation

Achieving fair exchange over the Internet is quite different from that in the non-electronic world. In the conventional world, the exchange of valuable items is performed simultaneously in order to achieve fairness. For instance, a customer is paying for the goods at the time of receiving them, and business parties are physically present at the same place and sign the contract roughly at the same time. On the other hand, it is physically impossible to achieve simultaneous exchange over the Internet due to the serial nature of the underlying network.
In such circumstances, one party is forced to send his item first and thereby may get into a disadvantageous position.

Non-repudiation is a special case in a broader problem of fair exchange. More specifically, it can be considered as fair exchange of an item for a digital signature on the item. Digital signatures provide a mechanism for establishing the authenticity and integrity of a message and the identity of its originator. Therefore, the recipient's digital signature on the received item is considered as a non-repudiable acknowledgement of the reception of the item. In addition, exchange of digital signatures has become a common practice for electronic contract signing. The legal use of digital signatures on the Internet has been regulated by the EU Electronic Signature Directive (1999).

Solutions for fair exchange have evolved from the two-party approach, in which the participants perform an exchange without any involvement of a third party, to the trusted third party (TTP) approach, in which a TTP is involved to help the participants with the exchange and achieving fairness. Two-party protocols (e.g. Blum 1983, Even et al. 1985) are based on gradual exchange of small parts of items to ensure that the exchange occurs pseudo-simultaneously and that neither party can obtain substantial advantage over the other. One way of achieving this is to have the participants release their items bit-by-bit in an interleaving manner. However, this approach has some serious shortcomings: (1) the exchanged items must have the same number of bits to guarantee fairness, (2) a large number of rounds of communication is required to exchange and verify all the bits, (3) participating parties are required to have approximately equal computational power, and (4) there are no guarantees of the quality of
the items reassembled at the end from the received bits. Although reasonably convincing in theory, this approach is too impractical for real-life applications.

On the other hand, relying on a TTP to mediate the exchange process is a common practice in traditional transactions - the Post Office is a third party trusted to deliver recorded or certified mail and obtain a receipt from the receiver. Similarly, contracts are often negotiated and signed through a third party solicitor. According to Pagnia and Gärtner (1999), there is no strong fair exchange protocol tolerant against misbehaving participants without a TTP. Although this theory seems to contradict the two-party approach, in gradual exchange protocols there is always one (last) bit that cannot be exchanged fairly, and, although it cannot cause too much damage, it proves that the above theory holds.

The degree of the TTP's involvement in this class of protocols varies: earlier protocols relied on an intermediary or in-line TTP (Bahreman and Tygar 1994, Deng et al. 1996, Zhou and Gollmann 1996b, etc.), which collects the exchanged items from the participating parties, checks their correctness and forwards them to the corresponding recipients. Improvements in reducing the TTP's involvement have resulted in the advent of on-line TTPs (Schneier and Riordan 1998, Zhang and Shi 1996, Zhou and Gollmann 1996a, etc.), which help by validating, generating and storing the evidence of transactions. Still, both in-line and on-line TTPs have to be involved in each protocol run and their availability is crucial for the functioning of the protocols. They also have full access to the exchanged items, so the privacy of the items is violated. Therefore, these TTPs are potential performance and security bottlenecks. A big step towards more efficient solutions was the introduction of off-line TTPs that intervene only in case of dispute caused by a network failure or a party's misbehaviour (Asokan et al. 2000, Bao et al. 1998, Boyd and Foo 1999, Chen 1998, Ray and Ray 2000, Zhang and Shi 2003, Zhou and Gollmann 1997, etc.).
The rest of the time, when the network functions well and participants behave correctly or are capable of resolving the disputes themselves, the off-line TTP does not operate in the protocol execution. Our research is focused on devising protocols with further reduced requirements and trust placed on, and the role played by, the off-line TTP. Therefore, the third party in our protocols is called semi-trusted third party (STTP).

3 Preliminaries

In this section, we first describe the e-transaction model used for the FIDES protocols, and then summarise the security requirements satisfied by the FIDES solution.

3.1 E-transaction Model

In general, e-transactions can be decomposed into several stages (Fig. 1). In the first stage, business parties mutually authenticate each other and agree on a session key that will be used to protect the subsequent communication. In the second stage, business parties negotiate the content of business items to be exchanged, e.g. e-payments, contracts, e-goods, etc. The actual exchange of the agreed items takes place during the third, i.e. execution, stage. The FIDES protocols are executed during the execution stage (solid lines in Fig. 1), i.e. they deal only with the actual exchanges of the agreed business items and resolving possible disputes that may occur in the process. They do not mandate any particular mechanisms to be used in the first and second stage (dashed lines in Fig. 1).

We assume that business parties $P_a$ and $P_b$ may not trust each other, and either of them may misbehave in an attempt to gain the other party's item without giving out his own one. They have agreed to employ an off-line STTP $P_t$ to help with the exchange process if they cannot reach a fair completion themselves. It is assumed that $P_t$ may misbehave by
attempting to access the exchanged items, but $P_t$ does not conspire with either of $P_a$ and $P_b$. Otherwise, any such collusion can be exposed, and, consequently, $P_t$ will be discredited.

[Figure 1. General e-transaction model. Diagram labels: Party $P_a$, Party $P_b$, STTP $P_t$; (1) Mutual authentication and secure channel establishment; (2) Negotiation; (3) Execution: (3.1) Exchange of business items, (3.2) Dispute resolution.]

We also assume the existence of a Certification Authority (CA) in the model, which issues public-key certificates to the participants. The FIDES protocols are public-key based and can be divided into two classes according to the type of public-key algorithm they use. The protocols support the use of both RSA (Rivest et al. 1978) and DSA (FIPS 186-2), as both are widely recognised by e-commerce community. RSA is a de facto commercial standard for encryption, has been specified by ISO/IEC 9796 for the use in digital signatures, and has been built into many standards and commercial products, such as S/MIME, PGP, SSL/TLS, PEM, etc. The National Institute of Standards and Technology (NIST) proposes DSA for the use in Digital Signature Standard (DSS), which is the official digital signature standard in the United States.

3.2 Security Requirements

FIDES has been designed to satisfy the following security requirements.

(S1) Strong fairness: FIDES fair exchange protocols guarantee that, by the end of an exchange process, if one party has obtained the other party's item or can obtain it with the assistance of the STTP, then the other party has obtained this party's item or can obtain it with the assistance of the STTP.

(S2) Non-repudiation: FIDES certified delivery protocols guarantee that, by the end of the exchange process, the recipient will be in possession of an unforgeable and non-repudiable proof that the sender has indeed originated the item (non-repudiation of origin), and the sender will be in possession of a similar proof that the recipient has indeed received the item (non-repudiation of receipt).

(S3) Confidentiality of the exchanged items: No party external to the exchange process, including the STTP, will gain any knowledge of the exchanged items.

(S4) E-goods content/quality assurance: For certified e-goods delivery or e-goods purchase, the receiver of the e-goods is able to verify that the item he is to receive will indeed match with the promised content/quality, as, otherwise, a mismatch between the promised/expected and received e-goods may have financial implications to the receiver.

(S5) Reduced role of the STTP: Security, computational and storage requirements placed on the STTP are reduced as much as possible to simplify its implementation and management and increase the security of FIDES, as the STTP may be a focal point of security and denial-of-service attacks.

(S6) Transparency of the STTP: Participation of the STTP in an e-transaction is transparent in the sense that the items recovered by the STTP are indistinguishable from those sent by the original senders. This can be a desirable property in situations where the STTP is invoked due
to a network failure or system crash rather than unfair behaviour of participants, which may bring bad publicity to them.

4 The FIDES Protocol Family

In this section, we describe the general structure of, and the cryptographic primitives used in, the FIDES protocol family design. More detailed descriptions of some of the FIDES protocols can be found in (Shi et al. 2003, Nenadic et al. 2004a, Nenadic et al. 2004b, Nenadic et al. 2004c).

The FIDES protocols have a common structure, although they differ in the types of business items and public-key algorithms supported. They can be applied to exchanges of two types of business items: confidential e-goods (content/quality of which has been certified by an independent certification authority) and digital signatures. The following approach is taken when one of the exchanged items is an e-goods - the e-goods is firstly encrypted with a symmetric key and transferred to the recipient, and then the suitable protocol is invoked for the exchange of the decryption key and the other party's item. The decryption key is linked to the encrypted e-goods through a specialised certificate issued by a certification authority that verifies and guarantees the content/quality of the encrypted e-goods. For instance, if the e-goods is an e-check, this independent authority can be a bank that has issued the e-check; if the e-goods is Windows 2000 software, Microsoft itself may certify its quality. When the exchanged item is a digital signature, no symmetric key encryption is applied.

The main cryptographic primitives utilised in the design of the protocols are Verifiable Encryption (VE) of a key/signature and Verifiable and Recoverable Encryption (VRE) of a key/signature. For both VE and VRE, the receiver can verify that the encryption indeed contains the correct key/signature. For VRE, the receiver can additionally verify that a designated STTP can recover the encrypted item from its encryption. The designs of RSA-based VE and VRE for keys and signatures are summarised in Table 1. DSA-based primitives have been omitted due to space limitation and will be published separately.
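
The RSA-based VE and VRE of a signature, generated, verified and recovered with the formulas of Table 1, worked through in Python. This is an added example, not the FIDES project's Java code: the toy keys built from Mersenne primes, the SHA-256 stand-in for h, the helper names and the form of the STTP's check of $P_a$'s secret against $y_a$ are assumptions, and $P_t$'s certificate signature $s_{bt}$ is left out.

```python
import hashlib
import secrets
from math import gcd

E = 65537  # one public exponent for every toy key, so e_bt = e_b as Table 1 requires

def keygen(k1, k2):
    """Toy RSA private key (d, n) from the Mersenne primes 2^k1-1 and 2^k2-1 (demo only)."""
    p, q = (1 << k1) - 1, (1 << k2) - 1
    return pow(E, -1, (p - 1) * (q - 1)), p * q

def h(n, *items):
    """h(x, y, ...): SHA-256 over the joined items, reduced mod n (assumed encoding)."""
    data = "|".join(str(i) for i in items).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rand_unit(n):
    """Secret random r in [2, n) that is invertible mod n."""
    while True:
        r = 2 + secrets.randbelow(n - 2)
        if gcd(r, n) == 1:
            return r

def sign(msg, d, n):
    return pow(h(n, msg), d, n)                  # h(x)^d mod n

def unblind(x, r, n):
    return (x * pow(r, -1, n)) % n               # remove the secret r from x

def ve_generate(r, sig, n):
    return pow(r, E, n), (r * sig) % n           # (y_a, x_a)

def ve_verify(y, x, msg, n):
    return pow(x, E, n) == (y * h(n, msg)) % n   # x^e ?= y * h(x)

def vre_generate(r, sig, n_b, d_bt, n_bt):
    y = pow(r, E, n_b * n_bt)                    # y_b, taken mod n_b * n_bt
    x = (r * sig) % n_b                          # x_b
    xx = (r * pow(h(n_bt, y), d_bt, n_bt)) % n_bt
    return y, x, xx

def vre_verify(y, x, xx, msg, n_b, n_bt):
    return (pow(x, E, n_b) == (y * h(n_b, msg)) % n_b
            and pow(xx, E, n_bt) == (y * h(n_bt, y)) % n_bt)

def sttp_issue_w(sk_t, n_bt, d_bt):
    """w_bt = h(sk_t, pk_bt)^-1 * d_bt mod n_bt, carried in certificate C_bt."""
    return (pow(h(n_bt, sk_t, (E, n_bt)), -1, n_bt) * d_bt) % n_bt

def sttp_recover(sk_t, n_bt, w_bt, y_b):
    """P_t rebuilds d_bt from its own sk_t and w_bt, then extracts r_b from y_b."""
    d_bt = (h(n_bt, sk_t, (E, n_bt)) * w_bt) % n_bt
    return pow(y_b % n_bt, d_bt, n_bt)

def run_exchange(contract="constructed contract text"):
    d_a, n_a = keygen(61, 89)                    # P_a
    d_b, n_b = keygen(107, 127)                  # P_b
    d_bt, n_bt = keygen(521, 607)                # P_b's extra key, modulus chosen by P_t
    sk_t = keygen(1279, 2203)                    # P_t's own private key (d_t, n_t)
    w_bt = sttp_issue_w(sk_t, n_bt, d_bt)
    sig_a, sig_b = sign(contract, d_a, n_a), sign(contract, d_b, n_b)

    # E1: P_a sends the VE of his signature
    r_a = rand_unit(n_a)
    y_a, x_a = ve_generate(r_a, sig_a, n_a)
    # E2: P_b checks the VE, answers with his VRE and the RA token
    ve_ok = ve_verify(y_a, x_a, contract, n_a)
    r_b = rand_unit(n_b)                         # r_b < n_b < n_bt, so P_t recovers it exactly
    y_b, x_b, xx_b = vre_generate(r_b, sig_b, n_b, d_bt, n_bt)
    ra_items = ((E, n_bt), w_bt, y_b, y_a, "P_a")
    ra = sign(ra_items, d_b, n_b)
    # E3: P_a checks VRE and RA, then releases r_a; P_b decrypts the VE
    vre_ok = vre_verify(y_b, x_b, xx_b, contract, n_b, n_bt)
    tampered_ok = vre_verify(y_b, x_b + 1, xx_b, contract, n_b, n_bt)
    ra_ok = pow(ra, E, n_b) == h(n_b, ra_items)
    b_has = unblind(x_a, r_a, n_a)
    # P_b withholds E4, so P_a runs R1-R3 with P_t
    sttp_accepts = ra_ok and pow(r_a, E, n_a) == y_a   # assumed form of P_t's check
    r_b_rec = sttp_recover(sk_t, n_bt, w_bt, y_b) if sttp_accepts else None
    a_has = unblind(x_b, r_b_rec, n_b) if sttp_accepts else None
    return {"ve_ok": ve_ok, "vre_ok": vre_ok, "ra_ok": ra_ok,
            "tampered_ok": tampered_ok, "r_b_recovered": r_b_rec == r_b,
            "a_has_sig_b": a_has == sig_b, "b_has_sig_a": b_has == sig_a}

if __name__ == "__main__":
    print(run_exchange())
```
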

Each protocol suite consists of a pair of protocols - an exchange protocol performed by business parties and a recovery protocol involving a STTP. At a high level, the protocols work as follows (Fig. 2).

[Figure 2. The FIDES protocols framework. Participants: STTP $P_t$, Party $P_a$, Party $P_b$.
Normal exchange protocol: (E1) VE of $P_a$'s key/signature; (E2) VRE of $P_b$'s key/signature + RA; (E3) $P_a$'s decryption secret for VE; (E4) $P_b$'s decryption secret for VRE.
Recovery protocol: (R1) VRE of $P_b$'s key/signature + RA + $P_a$'s decryption secret for VE; (R2) $P_b$'s decryption secret for VRE; (R3) $P_a$'s decryption information for VE.]

Normal exchange protocol:

(E1): $P_a$ generates VE of his item (key or signature) using a secret and transfers the VE to $P_b$.

(E2): $P_b$ can verify the correctness of $P_a$'s VE, but, at this point, $P_b$ can learn no additional information about $P_a$'s item. If $P_b$ is satisfied with this verification, he uses his secret to generate VRE of his item, and, in addition, produces a Recovery Authorisation (RA) token, which authorises $P_a$ to request the recovery of $P_b$'s VRE from STTP $P_t$ if certain conditions are met. The RA token is interpreted as follows: $P_t$ will recover $P_b$'s secret from VRE for $P_a$ (which will enable $P_a$ to gain $P_b$'s item from VRE), if and only if $P_a$ provides $P_t$ with his secret, which will allow $P_b$ to decrypt $P_a$'s VE. $P_b$ transfers his VRE and the RA token to $P_a$.

(E3): $P_a$ verifies the correctness of $P_b$'s VRE and the RA token, and, if satisfied, $P_a$ is convinced that it is secure for him to release his secret first, which will enable $P_b$ to decrypt VE to obtain $P_a$'s item.

(E4): If $P_b$ receives $P_a$'s secret correctly, he transfers his secret to $P_a$. At this point, if $P_a$ is satisfied with the verification outcome of $P_b$'s decryption secret, the exchange protocol is completed successfully and $P_a$ uses the received secret to decrypt VRE and obtain $P_b$'s item. Otherwise, if this final verification fails or $P_a$ fails to receive anything from $P_b$ altogether, $P_a$ can request $P_t$ for the recovery of $P_b$'s decryption secret, by invoking the recovery protocol.

Recovery protocol:

(R1): $P_a$ transfers $P_b$'s VRE and the RA token and his decryption secret to $P_t$. $P_t$ verifies the correctness of these items, and, if satisfied, $P_t$ recovers $P_b$'s decryption secret from $P_b$'s VRE.

(R2): $P_t$ sends $P_b$'s decryption secret to $P_a$ who uses it to decrypt $P_b$'s item from VRE.

(R3): $P_t$ also sends $P_a$'s decryption secret to $P_b$ to ensure fairness.

Table 1.
RSA-based cryptographic primitives

- $E_k(x)$ denotes ciphertext of a data item $x$ encrypted with a symmetric key $k$;
- $h(x)$ is a one-way strong-collision-free hash function;
- $x, y$ denotes the concatenation of data items $x$ and $y$;
- $pk_i = (e_i, n_i)$ and $sk_i = (d_i, n_i)$, $i \in \{a, b, t\}$: $P_i$'s RSA public and private key, with $n_i$ public modulus;
- $h(x)^{d_i} \bmod n_i$: $P_i$'s RSA signature on data item $x$;
- $C_{bt} = (P_b, pk_{bt}, w_{bt}, s_{bt})$: certificate issued by $P_t$ for $P_b$'s additional RSA public/private key pair $pk_{bt} = (e_{bt}, n_{bt})$, $sk_{bt} = (d_{bt}, n_{bt})$, where $n_{bt}$ is RSA modulus chosen by $P_t$ and $e_{bt} = e_b$. Number $w_{bt}$ is defined as $w_{bt} = (h(sk_t, pk_{bt})^{-1} \cdot d_{bt}) \bmod n_{bt}$, and $s_{bt}$ is $P_t$'s signature on the items $(P_b, pk_{bt}, w_{bt})$;
- $k_i$, $i \in \{a, b\}$: $P_i$'s symmetric key for encryption/decryption of e-goods $D_i$;
- RSA-EGCert$_i = (desc_i, hd_i, ek_i, sign_{it})$, $i \in \{a, b\}$: RSA-based e-goods certificate issued by $P_t$ linking encrypted $P_i$'s e-goods $D_i$ with its secret decryption key $k_i$, where $desc_i$ is e-goods description, $hd_i = h(E_{k_i}(D_i))$, $ek_i = k_i^{e_i} \bmod n_i$, and $sign_{it}$ is $P_t$'s RSA signature on the items $(desc_i, hd_i, ek_i)$;
- $r_a$, $r_b$: $P_a$'s and $P_b$'s secret random numbers used to generate VE and VRE, respectively;

VE of $P_a$'s key $k_a$
  Generation: $y_a = r_a^{e_a} \bmod n_a$; $x_a = (r_a \cdot k_a) \bmod n_a$;
  Verification: $x_a^{e_a} \bmod n_a \stackrel{?}{=} (y_a \cdot ek_a) \bmod n_a$;

VE of $P_a$'s signature
  Generation: $y_a = r_a^{e_a} \bmod n_a$; $x_a = (r_a \cdot (h(x))^{d_a}) \bmod n_a$;
  Verification: $x_a^{e_a} \bmod n_a \stackrel{?}{=} (y_a \cdot h(x)) \bmod n_a$;

VRE of $P_b$'s key $k_b$
  Generation: $y_b = r_b^{e_b} \bmod (n_b \cdot n_{bt})$; $x_b = (r_b \cdot ek_b^{d_b}) \bmod n_b$; $xx_b = (r_b \cdot h(y_b)^{d_{bt}}) \bmod n_{bt}$;
  Verification: $x_b^{e_b} \bmod n_b \stackrel{?}{=} (y_b \cdot ek_b) \bmod n_b$; $xx_b^{e_b} \bmod n_{bt} \stackrel{?}{=} (y_b \cdot h(y_b)) \bmod n_{bt}$;

VRE of $P_b$'s signature
  Generation: $y_b = r_b^{e_b} \bmod (n_b \cdot n_{bt})$; $x_b = (r_b \cdot h(x)^{d_b}) \bmod n_b$; $xx_b = (r_b \cdot h(y_b)^{d_{bt}}) \bmod n_{bt}$;
  Verification: $x_b^{e_b} \bmod n_b \stackrel{?}{=} (y_b \cdot h(x)) \bmod n_b$; $xx_b^{e_b} \bmod n_{bt} \stackrel{?}{=} (y_b \cdot h(y_b)) \bmod n_{bt}$;

Recovery by $P_t$: $d_{bt} = (h(sk_t, pk_{bt}) \cdot w_{bt}) \bmod n_{bt}$; $r_b = (y_b \bmod n_{bt})^{d_{bt}} \bmod n_{bt}$;

$P_b$'s Recovery Authorization (RA) token: $P_b$'s RSA signature on items $C_{bt}, y_b, y_a, P_a$;

5 The FIDES System

The FIDES system is fully implemented in Java and the high level overview of its architecture is shown in Fig. 3. For each enterprise it consists of a FIDES Server and a set of FIDES Clients. FIDES STTP Servers are assumed for inter-enterprise dispute resolution, i.e. for the execution of the recovery protocols. The FIDES Server is the core of the system through which business users from an enterprise access the functionality of the FIDES services. It listens to both internal requests from within-enterprise business users, as well as external transaction requests from its business partners. Business users use GUI-based FIDES Clients to securely access the services on the FIDES Server. Communications between a FIDES Client and its Server, and between any two FIDES Servers (including FIDES STTP) is carried out through Java Messaging Service (JMS).

[Figure 3. FIDES system architecture. Diagram labels: Enterprise 1 (Intranet, Application Server 1, FIDES Server 1); Enterprise 2 (Intranet, Application Server 2, FIDES Server 2); FIDES Clients; FIDES Database; STTP (FIDES STTP Server); internal communication between FIDES Clients and FIDES Server; external communication between FIDES Servers and FIDES STTPs over the Internet (fair exchange protocol negotiation and execution, recovery).]

An enterprise runs its own FIDES Server.
It is assumed that the items to be exchanged, such as contracts and e-goods, have been previously negotiated between business partners and securely stored in a central database connected to each FIDES Server. Information regarding enterprise business users and their FIDES service access rights, business partners whom the enterprise has business transactions with, STTPs trusted by the enterprise to help
with dispute resolution, and records of all business transactions executed through the FIDES system are all stored in the central database and maintained by the FIDES Server.

Using the FIDES system, Enterprises 1 and 2 may fairly exchange their valuable business items through the following process. An authorised business user from Enterprise 1 uses a FIDES Client installed on his machine to specify which item (previously negotiated and stored in the FIDES database) is to be sent and which item is expected in return from Enterprise 2. He may also specify a preferred timeout for the transaction (otherwise a default timeout is used). This specification is sent to the FIDES Server 1 that, upon authenticating and authorizing the user's request, initiates a negotiation with FIDES Server 2 from Enterprise 2. During this phase, the two Servers further negotiate the transaction details, including a unique transaction identifier, the exchange protocol to be used, a mutually trusted STTP for possible dispute resolution, timeout value, etc. After this initial negotiation, FIDES Server 2 forwards this transaction request to authorised business users at Enterprise 2, as the Server itself should not automatically accept transaction requests without human intervention or without prior auto-configuration. Using his FIDES Client, an authorised user from Enterprise 2 examines the list of transactions that are awaiting confirmation. If the request from Enterprise 1 is accepted, the transaction will be executed through the negotiated protocol. Each FIDES Server stores the items exchanged together with the transactional records in its database, and business users involved are notified of the outcome. If the transaction fails for any reason, the Server attempts to automatically resolve it with the help of the agreed STTP. If the STTP is unavailable at that moment, business users are notified and the transactional evidence can be exported to a disk and the resolution by the STTP can be performed manually using the evidence file. Alternatively, automated resolution may be re-invoked at a later time.

5.1 FIDES Server

Figure 4 shows the main components of the FIDES Server architecture - the Transaction Manager, FIDES Protocol Library, Crypto Library, JMS and Secure Storage.

[Figure 4. FIDES Server architecture. Diagram labels: Intranet (FIDES Clients); Internet (FIDES Servers and STTPs); JMS; Transaction Manager; Safe storage; FIDES Protocol Library; CRYPTO Library (VE, VRE, Certificates); Java CRYPTO Library (SUN, Cryptix); OpenSSL Certificate Library.]

The Transaction Manager takes care of authenticating and authorising transaction specifications sent by a FIDES Client, managing and auditing transactions. It keeps the state and evidence of a transaction in persistent storage, implements the timeout and retry logic to overcome unreliable communications, and initiates transaction recovery with a STTP in presence of any failures.

The JMS component shuffles messages between different entities in the FIDES system through a JMS (Java Message Service) provider. FIDES is a provider-independent solution,
i.e. it is portable across JMS-compliant providers. So far, the application has been tested using the Sun ONE Message Queue and PrismTech's OpenFusion JMS providers.

The FIDES Protocol Library provides the core functionality for composing and verifying FIDES protocol messages. It interacts with the Transaction Manager during a protocol execution, which keeps the context and maintains the state of a transaction. This component makes use of the cryptographic primitives provided by the Crypto Library, including VE, VRE, digital signatures, hash functions, public- and symmetric-key algorithms, etc. The motivation for separating the functionality of the FIDES Protocol Library from that of the Crypto Library is to allow easy plug-in of cryptographic methods by various JAVA cryptographic providers. We have used the OpenSSL Cryptographic Library to implement X.509 certificate issuing, and, for all the other cryptographic methods, we have used the libraries provided by Cryptix and SUN JCE.

5.2 FIDES Client

A FIDES Client provides a GUI-based application interface that allows a business user (i.e. an employee of an enterprise) to securely access the FIDES services on the FIDES Server (subject to access control policy). Upon successful authentication of the user, the Server starts a session with the Client. The Client and the Server are loosely coupled and communicate by exchanging asynchronous JMS messages, while the Server keeps track of the session. The FIDES Client provides the following services: (1) initiating transactions with business partners, (2) browsing transaction requests from business partners and accepting/rejecting them, (3) tracking all messages exchanged with the Server, (4) searching transactions, business partners and STTPs, (5) exporting transactional records to a disk, (6) adding business partners and business items to the central FIDES database, and (7) administrative tasks, including updating passwords/credentials, and, for administrators, business user management. A snapshot of the FIDES Client GUI is shown in Fig. 5.

Figure 5.
A snapshot of the FIDES Client GUI

5.3 FIDES STTP

The FIDES STTP Server provides an on-line facility for dispute resolution and recovery of exchanged items, in cases when a normal exchange process fails to complete successfully. If a dispute arises during an exchange process, recovery will be attempted automatically with the STTP that was negotiated between the two FIDES Servers. If automated resolution fails due to a network failure or unavailability of the STTP, business users have an option to
manually export transactional records to a disk and take/send them to the STTP for the manual recovery, or to re-initiate the automated recovery. The STTP also issues special public-key and e-goods certificates (such as certificates $C_{bt}$ and RSA-EGCert$_i$ from Table 1), based on which the STTP recovers the disputed items. The services of a STTP in the FIDES system could be provided by established and trusted certification authorities, such as VeriSign, or banks, in cases the exchanged items contain e-payments, or specialised agencies, all of which would be required to run FIDES STTP Servers to handle the dispute resolution.

5.4 FIDES Evaluation

The FIDES system will be assessed and evaluated by conducting case studies with the help of the FIDES project business partner specialised in financial marketing and e-procurement solutions. The case studies are planned to exploit the FIDES system in three main B2B scenarios (contract signing, certified e-goods and certified e-payments delivery) and to assess how well the system accomplishes the requirements from the end-user (i.e. business user) point of view. The following aspects will be considered: applicability of the system on different platforms, variety of business items and e-commerce scenarios supported, user-friendliness, convenience of use and ease of maintenance of the system, the level of security offered, the time and cost of performing transactions using the FIDES system in comparison with the traditional ways, enabling communication with geographically distant business partners, etc. The FIDES System is to be integrated with OpenFusion, a middleware solution by the FIDES project partner, in order to advance the commercial exploitation of the system, and an additional aspect of the evaluation will be focused on the integration issue.

6 Conclusions

Increasingly, enterprises and financial institutions are building their on-line presence through the Internet web sites. Although some of them are still utilising the Internet solely for advertising, more are starting to use their web sites to conduct e-commerce transactions.
Fairness and non-repudiation are two key security requirements for e-commerce transactions as they protect the participants from malicious business partners, which is needed in environments where parties may conduct transactions with parties with whom they might not have previous business history or may not trust fully.

This paper has presented our FIDES solution for provision of fairness and non-repudiation security services. FIDES is a message-oriented middleware with modular and configurable architecture so that different system components can be easily replaced, e.g. cryptographic and JMS providers, authentication and confidentiality protection components, etc. The FIDES protocols support the two most widely used public-key algorithms, RSA and DSA, allow an exchange of a wide range of business items and impose low security and storage requirements on the off-line and transparent STTP. They have been designed and implemented as Java API and can be plugged into any e-commerce system to allow further development with little or no modification. Our future work will involve finalising the implementation of the FIDES system and running a system trial and conducting case studies with the involvement of our commercial partner.

References

Asokan, N., Schunter M., Waidner, M. (2000) Optimistic Fair Exchange of Digital Signatures, IEEE Journal on Selected Areas in Communications, Vol. 18, pp593-610.

Ateniese G. (1999) Efficient Verifiable Encryption (and Fair Exchange) of Digital Signatures, ACM Conference on Computer and Communications Security, pp138-146.

Bahreman, A., Tygar, J. D. (1994) Certified Electronic Mail, Internet Society Symposium on Network and Distributed System Security, pp3-19.

Bao, F., Deng, R., Mao, W. (1998) Efficient and Practical Fair Exchange Protocols with Off-line TTP, IEEE Symposium on Security and Privacy, pp77-85.

Boyd, C., Foo, E. (1998) Off-line Fair Payment Protocol Using Convertible Signatures, Advances in Cryptology - ASIACRYPT 98, LNCS, Springer-Verlag, Berlin, Germany, Vol. 1514, pp271-285.

Blum, M. (1983) How to Exchange (Secret) Keys, ACM Transactions on Computer Systems, Vol. 1, pp175-193.

Chen, L. (1998) Efficient Fair Exchange With Verifiable Confirmation of Signatures, Advances in Cryptology - ASIACRYPT 98, LNCS, Springer-Verlag, Berlin, Germany, Vol. 1514, pp286-299.

Computer Security Institute and FBI International Crime Squad (2002) Computer Crime and Security Survey, [online], http://www.gocsi.com/.

Deng, R. H., Gong, L., Lazar, A.A., Wang, W. (1996) Practical Protocols for Certified Electronic Mail, Journal of Network and System Management, Vol. 4, No. 3, pp279-297.

National Institute of Standards and Technology (NIST) (2000) Digital Signature Standard (DSS), Federal Information Processing Standards (FIPS) Publication 186-2.

Even, S., Goldreich, O., Lempel, A. (1985) A Randomized Protocol for Signing Contracts, Communications of the ACM, Vol. 28, pp637-647.

The European Parliament and the Council of the European Union (1999) EU Electronic Signature Directive (Directive 1999/93/EC), [online], http://www.nciphr.com/insights/complianc/l_u-signatur.html.

FIDES - Fair Integrated Data Exchange Services, [on-line], www.cs.man.ac.uk/~nnadic/fides/fids.html.

Franklin, M. K., Reiter, M. (1997) Fair Exchange with a Semi-Trusted Third Party, ACM Conference on Computer and Communications Security, pp1-5.

Nenadic, A., Zhang, N., Barton, S. (2004) Fair Certified E-mail Delivery, to appear in Proceedings of the ACM Symposium on Applied Computing (SAC 04).

Nenadic, A., Zhang, N., Barton, S. (2004) A Security Protocol for Certified E-Goods Delivery, to appear in Proceedings of International Conference on Information Technology, Coding and Computing (ITCC 04), IEEE Computer Society.

Nenadic, A., Zhang, N., Barton, S. (2004) A Secure and Fair DSA-based Signature Exchange Protocol, to appear in Proceedings of IEEE Symposium on Computers and Communications, IEEE Computer Society.

Pagnia, H., Gärtner, F. (1999) On the Impossibility of Fair Exchange without a Trusted Third Party, Technical Report TUD-BS-1999-02, University of Darmstadt, Germany.

Ray, I., Ray, I. (2000) An Optimistic Fair Exchange E-commerce Protocol with Automated Dispute Resolution, Conference on Electronic Commerce and Web Technologies EC-WEB 00, LNCS, Springer-Verlag, Berlin, Germany, Vol. 1875, pp84-93.

Rivest, R., Shamir, A., Adleman, L. (1978) A Method for Obtaining Digital Signatures and Public-key Cryptosystems, Communications of the ACM, ACM Press, Vol. 21, No. 2, pp120-126.

Schneier, B., Riordan, J. (1998) A Certified E-mail Protocol, Annual Computer Security Applications Conference, ACM Press, pp347-352.

Shi, Q., Zhang, N., Merabti, M. (2003) Signature-based Approach to Fair Document Exchange, IEE Proceedings - Communications, Vol. 150, No. 1, pp21-27.

Zhang, N., Shi, Q. (1996) Achieving Non-Repudiation of Receipt, The Computer Journal, Vol. 39, No. 10, pp844-853.

Zhang, N., Shi, Q. (2003) An Efficient Protocol for Anonymous and Fair Document Exchange, Computer Networks Journal, Vol. 41, pp19-28.

Zhou, J., Gollmann, D. (1996) A Fair Non-Repudiation Protocol, IEEE Symposium on Security and Privacy, pp55-61.

Zhou, J., Gollmann, D. (1996) Observations on Non-Repudiation, Advances in Cryptology - ASIACRYPT 96, LNCS, Springer, Kyongju, Korea, Vol. 1163, pp133-144.

Zhou, J., Gollmann, D. (1997) An Efficient Non-Repudiation Protocol, Computer Security Foundations Workshop, IEEE Comput. Soc. Press, Los Alamitos, CA, USA, pp126-132.