Conference Paper

A Solution for Wireless Privacy and Payments based on E-cash.

Authors:
  • University of Edinburgh and IOG
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

The IEEE 802.11 Wireless Local Area Network (WLAN) specifications have been the subject of increased attention due to their rapid commercial adaptation and the introduction of new security and privacy concerns. The IEEE 802.1x standard was introduced in order to overcome the initial security shortcomings of the Wired Equivalent Privacy (WEP) protocol. The IEEE 802.1x standard is an extensible standard that couples 802.11 networks with various authentication services through the incorporation of an Extensible Authentication Protocol (EAP) authentication dialog. The existing implementations of EAP dialogs are based on standard cryptographic solutions for authentication and session key generation but do not, however, provide any form of user anonymity or privacy. Anonymity and privacy are currently of pressing interest, especially in the context of WLANs, which are simultaneously the best medium to provide privacy (there is no physical phone number or connection end-point with a predetermined owner) as well as the most threatening medium to user privacy, as they have the potential of disclosing not only the identity of the user, but also their physical location. At the same time, the potential "perfect hiding" capabilities of WLAN users also highlights the need to control anonymity by introducing more flexible authentication mechanisms. Moreover, payment for wireless services is completely decoupled from the above procedures, raising additional efficiency and privacy concerns. In this work we propose a new EAP authentication dialog based on anonymous electronic cash that provides for privacy, anonymity control, payment acceptance and billing, and authentication. Our solution is based on the notion of "public-key embedding e-cash," an e-cash variant we present and formalize in this paper. We present a concrete description of the new EAP authentication dialog in the context of IEEE 802.1x. 
We also present an efficient implementation of a public-key embedding e-cash scheme based on RSA blind signatures and prove its security.


... Our scheme adopts credit-based charging, i.e. the system charges each mobile user after it has finished a sequence of services for the user, just as the practical situation in the real world. It is different from the others which provided approaches of debit-based charging, i.e. each mobile user has to purchase payment token(s) before she/he starts accessing the services provided by the system [6,12]. What are the differences between charging mobile users in advance and charging them after the services? ...
... The comparisons between our proposed scheme and the others are summarized in Table 1. In Table 1, the authors of [6] also mentioned untraceability and revokeability, but they did not realize them in their scheme. We believe that realizing untraceability and revokeability is not trivial. ...
Article
Smart mobile phones are widely popularized and advanced mobile communication services are provided increasingly often, such that ubiquitous computing environments will soon be a reality. However, there are many security threats to mobile networks and their impact on security is more serious than that in wireline networks owing to the features of wireless transmissions and the ubiquity property. The secret information which mobile users carry may be stolen by malicious entities. To guarantee the quality of advanced services, security and privacy would be important issues when users roam within various mobile networks. In this manuscript, an anonymous authentication scheme will be proposed to protect the security of the network system and the privacy of users. Not only does the proposed scheme provide mutual authentication between each user and the system, but also each user’s identity is kept secret against anyone else, including the system. Although the system anonymously authenticates the users, it can still generate correct bills to charge these anonymous users via a credit-based solution instead of debit-based ones. Furthermore, our protocols also achieve fair privacy which allows the judge to revoke the anonymity and trace the illegal users when they have misused the anonymity property, for example, if they have committed crimes. Finally, in this paper, we also carry out complete theoretical proofs on each claimed security property.
... This incentive scheme does not require BV owners to sign a long-term contract and obey restricted connection times, thus giving the BV owners total freedom to use their own BVs. The reward is in the form of E-cash [11] and BV owners could redeem it later at the operator of the V2G network for battery maintenance, cheaper charging/parking, etc. ...
... Blind signature technique is introduced by David Chaum in 1982 [22], which enables a recipient to get signature on a message without revealing this message to the signer. Since then it has been widely used in applications like E-voting [23], E-cash [11], etc., where user anonymity is required. Brands developed the first restrictive blind signature scheme [24], which restricts the signed message to conform certain rules rather than being totally random. ...
Article
Vehicle-to-grid (V2G) networks are important components of the smart grid (SG) for their capability of providing better ancillary services and facilitating the adoption of renewable resources. The operation of the V2G networks is based on continuously monitoring the status of individual battery vehicle (BV) as well as a carefully designed incentive scheme to attract sufficient participating BVs. However, the close monitoring tends to raise privacy concerns from the BV owners about identity and location information leakage, which have not been considered in previous works. In this paper, we make the first attempt to identify the privacy-preserving issues and propose a precise reward scheme in V2G networks, both of which are important towards bringing the concept of V2G network into practice. In V2G networks, it is the service providers (individual BVs) who need privacy protection rather than the service consumer (power grid). This unique characteristic renders privacy protection solutions proposed for conventional network systems not directly applicable. To protect privacy of BVs in V2G networks, we present , a secure communication architecture which achieves privacy-preserving for both BVs' monitoring and rewarding processes. Extensive performance analysis shows that only incurs moderate communication and computational overheads.
... These proposals have focused on providing incentives for sharing of wireless communication resources among different WISPs, while they do not take authentication delay and privacy issues into consideration. The studies that are most closely related to the proposed PPAB architecture are in the class of E-cash-based authentication schemes [27]–[30]. These schemes take advantage of blind signatures as the authentication credential to provide anonymity and unlinkability for the user authentication and billing. ...
Article
Wireless metropolitan area sharing networks (WMSNs) are wide-area wireless networks with nodes owned and managed by independent wireless Internet service providers (WISPs). To support seamless roaming in emerging WMSNs, in this paper, we propose a localized and distributed authentication and billing architecture that aims at enabling efficient and privacy-preserving mutual authentication between mobile users (MUs) and WISPs. User anonymity and identity privacy can be protected, even in the presence of collusion between WISPs and a roaming broker (RB), which is considered to be the strongest user privacy protection. An efficient billing architecture is introduced and performed in the same stage of roaming, where U-tokens are defined and can be purchased by MUs from an RB as authentication credentials for the MUs to access the wireless network. The WISPs, thus, can cash the collected U-tokens in the RB for payment. We show that the proposed authentication and billing architecture can support localized inter-WISP authentication through the divisible blind signature scheme and a local witness strategy. A detailed analysis on a number of performance metrics, such as computation time and power consumption, is given to validate the performance of the proposed architectures.
... Since the data transmitted wirelessly is less secure than in the wired network, maximizing the security is more important. Security services such as privacy [28], authentication [29], message integrity [30], confidentiality [31] and non-repudiation [32] are the essential for the success of mobile payment systems. ...
Article
The Mobile Commerce is an emerging discipline that involves mobile devices, middleware and mobile networks. Mobile Payment is a natural evolution of e-payment scheme that will facilitate mobile commerce. Today, there has been a notable increase in customer use of mobile applications. Mobile phones are well suited with mobile payment to reach the customers through messages anywhere and at any time. A study reveals that there are wide ranges of mobile payment systems found in the market using various services like Short Message Service (SMS), but there is no specific payment system for academic institutions to collect the fees as well as for student community to pay the fees without huge investment. This paper proposes a secure account-based mobile payment system namely, Mobile Payment Consortia System (MPCS) to carry out the transactions from the student bank to academic institutions for the payment of fees by students through mobile phone. Mobile Payment Consortia System provides an efficient way to achieve high level security using Public Key Infrastructure (PKI). The proposed framework provides a great opportunity for both the students and academic institutions in terms of payment. This model can be extended to any institutions of academic nature so as to help the necessary payments by the students through mobile devices.
Chapter
Introduction; Preliminaries and Background; Description of the Universal Authentication and Billing Architecture; Security Analysis; Performance Evaluation; Discussions; Conclusions; References
Article
This paper proposes a simple method that equips UMTS-based telecom companies with a mechanism to prove the records on mobile users’ phone bills. In the history of mobile phone communication, we have seen countless unsettled disputes where the mobile user disagrees with the telecom company either on the calling time or on the duration, or even on whether or not a call was actually made. In this paper, a provable billing protocol will be presented that can effectively solve disagreements between the two parties. Equipped with a non-repudiation function, the proposed protocol enables the service provider to hold on to the solid proofs as to exactly when and to which number a mobile phone user made a call so that the mobile user cannot deny; at the same time, the mobile user also gets to have his/her own share of proofs as to when and how the mobile services were accessed, so that the bill can be double checked to make sure nothing goes wrong. And, to make it even better, this new protocol is perfectly compatible with the standard UMTS protocol and is therefore readily applicable to the current mobile phone communication environments.
Keywords: UMTS, Billing, Charging, AKA, Mobile communication system
Conference Paper
The emergence of wireless and mobile networks has made possible the introduction of a new research area M-Commerce or Mobile Commerce. Mobile payment is a natural successor to web centric payments which has emerged as one of the sub domains of mobile commerce applications. A study reveals that there are wide ranges of mobile payment solutions and models which are available with the aid of various services such as Short Message Service (SMS), but there is no specific mobile payment system for educational institutions to collect the fees as well as for student community to pay the fees without huge investment. This paper proposes a secured framework for Mobile Payment Consortia System (MPCS) to carry out the transactions from the bank to the academic institutions for the payment of fees by students through mobile phone. Mobile Payment Consortia System provides an end-to-end security using Public Key Infrastructure (PKI) through a Mobile Information Device Profile (MIDP)-enabled mobile device. This framework provides an efficient, reliable and secured system to perform mobile payment transactions and reduces transactional cost for both students and educational institutions. Mobile Payment Consortia System is designed with strong authentication and non-repudiation by employing digital signatures. Confidentiality and message integrity are also provided by encrypting the messages at application level and by using public key certificates and digital signature envelopes.
Conference Paper
We propose a novel inter-WISP roaming architecture based on trusted third party (TTP) and partially blind signature technique in wireless metropolitan area networks (WMAN). The proposed architecture aims to not only greatly improve user privacy and identity anonymity even in the presence of cooperation between the wireless Internet service provider (WISPs) and the TTP, but also dramatically reduce the required size of central database devised to minimize any possible service abuse. In addition, an efficient billing scheme among mobile users (MUs), WISPs and TTP, is introduced to address billing issues associated with roaming. Moreover, a localized inter-WISP authentication scheme is also proposed to support seamless handoff. Detailed analysis on a number of important performance metrics, such as computation time, handoff latency and power consumption, is conducted to verify the performance of the proposed schemes.
Conference Paper
Smart and tiny mobile phones are widely popularized and advanced mobile communication services are provided increasingly such that ubiquitous computing environments will come true soon. It is a pleasure for mobile users to work or get recreations in the mobile network environments. However, just as the cases in wireline networks, there are many security threats to mobile network systems and their impact on the security is more serious than that in wireline networks owing to the features of wireless transmissions and the ubiquity property in mobile network systems. The secret personal information, important data, or classified documents which mobile users carry may be stolen by malicious entities. In order to guarantee the quality of the advanced communication services, the security and privacy would be important issues when mobile users roam to the mobile networks. In this paper, an anonymous authentication scheme will be proposed to protect both the security of the mobile network system and the privacy of mobile users. Not only does the proposed scheme provide mutual authentication between each user and the system, but also the identity of each user can be kept secret against anyone else, including the system. Although the system anonymously authenticates the users, it can still make correct bills to charge these anonymous users. Finally, our protocols also achieve the goal of fair privacy which allows the judge to be able to revoke the anonymity and trace the illegal users when they misused the anonymity property such as they committed crimes.
Article
In the future world of ubiquitous computing, wireless devices will be everywhere. Personal area networks (PANs) will enable communications between devices both embedded in the environment and mobile on vehicles and persons. This research determines the future prospects of PANs by examining criteria that will lead to success and barriers to implementation. An initial set of issues in each of these areas is identified from the literature. The Delphi Method is used to determine what experts believe are the most important success criteria and barriers. Critical success factors that will determine the future of personal area networks include reliability of connections, interoperability, and usability. Important barriers that may inhibit the deployment of PAN are security, interference and coexistence, and regulation and standards.
Conference Paper
Blind signatures are the central cryptographic component of digital cash schemes. In this paper, we investigate the security of the first such scheme proposed, namely Chaum’s RSA-based blind signature scheme, in the random-oracle model. This leads us to formulate and investigate a new class of RSA-related computational problems which we call the “one-more-RSA-inversion” problems. Our main result is that two problems in this class which we call the chosen-target and known-target inversion problems, have polynomially-equivalent computational complexity. This leads to a proof of security for Chaum’s scheme in the random oracle model based on the assumed hardness of either of these problems.
Conference Paper
This paper describes TAPI, an offline scheme intended for general Internet-based micropayments. TAPI, which extends and combines concepts from the KeyNote Microchecks and OTPCoins architectures, encodes risk management rules in bank-issued users' credentials which are in turn used to acquire small-valued payment tokens. The scheme has very low transaction overhead and can be tuned to use different risk strategies for different environments and clients. © IFIP International Federation for Information Processing 2003.
Conference Paper
Recently, there has been an interest in creating practical anonymous electronic cash with the ability to conduct payments of exact amounts, as is typically the practice in physical payment systems. The most general solution for such payments is to allow electronic coins to be divisible (e.g., each coin can be spent incrementally but total purchases are limited to the monetary value of the coin). In Crypto'95, T. Okamoto presented the first efficient divisible, anonymous (but linkable) off-line e-cash scheme requiring only O(logN) computations for each of the withdrawal, payment and deposit procedures, where N = (total coin value)/ (smallest divisible unit) is the divisibility precision. However, the zero-knowledge protocol used for the creation of a blinded unlinkable coin by Okamoto is quite inefficient and is used only at set-up to make the system efficient. Incorporating “unlinkable” blinding only in the setup, however, limits the level of anonymity offered by allowing the linking of all coins withdrawn—rather than a more desirable anonymity which allows only linking of subcoins of a withdrawn coin. In this paper we make a further step towards practicality of complete (i.e., divisible) anonymous e-cash by presenting a solution where all procedures (set-up, withdrawal, payment and deposit) are bounded by tens of exponentiations; in particular we improve on Okamoto's result by 3 orders of magnitude, while the size of the coin remains about 300 Bytes, based on a 512 bit modulus. Moreover, the protocols are compatible with tracing methods used for “fair” or “revokable” anonymous cash.
Conference Paper
Blind signatures are the central cryptographic component of digital cash schemes. In this paper, we investigate the security of the first such scheme proposed, namely Chaum's RSA-based blind signature scheme, in the random-oracle model. This leads us to formulate and investigate a new class of RSA-related computational problems which we call the "one-more-RSA-inversion" problems. Our main result is that two problems in this class which we call the chosen-target and known-target inversion problems, have polynomially-equivalent computational complexity. This leads to a proof of security for Chaum's scheme in the random oracle model based on the assumed hardness of either of these problems.
Conference Paper
Electronic cash, and other cryptographic payment systems, offer a level of user anonymity during a purchase, in order to emulate electronically the properties of physical cash exchange. However, it has been noted that there are crime-prevention situations where anonymity of notes is undesirable; in addition there may be regulatory and legal constraints limiting anonymous transfer of funds. Thus pure anonymity of users may be, in certain settings, unacceptable and thus a hurdle to the progress of electronic commerce. The conceptual contribution of this work is based on the claim that given the legal, social, technical and efficiency constraints that are imposed, anonymity should be treated as a Control Parameter facilitating flexibility of the level of privacy of note holders (determined by the dynamic conditions and constraints). In light of this parameterization, we review recently developed technical tools for tracing and anonymity revocation (e.g., owner tracing and coin tracing). We elaborate on the differences in the various technologies with respect to security assumptions and we discuss practical considerations of computational, bandwidth and storage requirements for user, shop, bank and trustees as well as whether the trustees must be on-line or off-line. We also claim that while anonymity revocation can potentially reduce crime it can also produce instances where the severity of the crime is increased as criminals try to social engineer around tracing revocation. To prevent this we suggest the notion of “distress cash.” On the technical side, we provide efficiency improvements to a protocol for coin tracing and point at a technical solution for distress cash.
Conference Paper
In this paper, we propose a new financial instrument known as executable digital cash, or X-cash. X-cash is a means of binding an offer to the accompanying goods or payment, enabling the processes of searching and paying to be unified. The result is a mechanism by which electronic trades can occur in a highly distributed setting with strong security guarantees. When a party receives an X-cash offer, he or she can verify that it is bona fide and can initiate a trade immediately, without contacting the originator directly. X-cash may therefore be used, among other things, to enable mobile agents to carry funds and make payments on-site without running the risk of ”pick-pocketing”. In this paper, we introduce X-cash, describe some variants, and sketch proofs of its security properties.
Article
Electronic cash, and other cryptographic payment systems, offer some level of user anonymity during a purchase, in order to emulate electronically the properties of physical cash exchange. However, it has been noted that there are crime-prevention situations where anonymity of notes is undesirable; in addition there may be regulatory and legal constraints limiting anonymous transfer of funds. Thus pure anonymity to users may be, in certain settings, unacceptable and thus a hurdle to the progress of electronic commerce. The conceptual contribution of this work is based on the claim that given the legal, social, technical and efficiency constraints that are imposed, anonymity should be treated as a Control Parameter facilitating flexibility of the level of privacy of note holders (determined by the dynamic conditions and constraints). We review "anonymity control" which provides the balance between strong anonymity for the user and anonymity revocation for crime preventio...
Article
The 802.11 standard for wireless networks includes a Wired Equivalent Privacy (WEP) protocol, used to protect link-layer communications from eavesdropping and other attacks. We have discovered several serious security flaws in the protocol, stemming from misapplication of cryptographic primitives. The flaws lead to a number of practical attacks that demonstrate that WEP fails to achieve its security goals. In this paper, we discuss in detail each of the flaws, the underlying security principle violations, and the ensuing attacks.
Conference Paper
Recently, several “divisible” untraceable off-line electronic cash schemes have been presented [8, 11, 19, 20]. This paper presents the first practical “divisible” untraceable off-line cash scheme that is “single-term” in which every procedure can be executed in the order of log N, where N is the precision of divisibility, i.e., N = (the total coin value)/(minimum divisible unit value). Therefore, our “divisible” off-line cash scheme is more efficient and practical than the previous schemes. For example, when N = 2^17 (e.g., the total value is about $1000, and the minimum divisible unit is 1 cent), our scheme requires only about 1 Kbyte of data be transferred from a customer to a shop for one payment and about 20 modular exponentiations for one payment, while all previous divisible cash schemes require more than several Kbytes of transferred data and more than 200 modular exponentiations for one payment. In addition, we prove the security of the proposed cash scheme under some cryptographic assumptions. Our scheme is the first “practical divisible” untraceable off-line cash scheme whose cryptographic security assumptions are theoretically clarified.
Conference Paper
Automation of the way we pay for goods and services is already underway, as can be seen by the variety and growth of electronic banking services available to consumers. The ultimate structure of the new electronic payments system may have a substantial impact on personal privacy as well as on the nature and extent of criminal use of payments. Ideally a new payments system should address both of these seemingly conflicting sets of concerns.
Conference Paper
This paper proposes the first ideal untraceable electronic cash system which solves the most crucial problem inherent with real cash and all previous untraceable electronic cash systems. The main advantage of the new system is that the customer can subdivide his cash balance, C (dollars), into many pieces in any way he pleases until the total value of all subdivided piece equals C. This system can be implemented efficiently. In a typical implementation, the data size of one piece of electronic cash is less than 100 bytes regardless of the face value of piece, the computation time for each transaction is several seconds, assuming the existence of a Rabin scheme chip. The security of this scheme relies on the difficulty of factoring.
Conference Paper
The use of credit cards today is an act of faith on the part of all concerned. Each party is vulnerable to fraud by the others, and the cardholder in particular has no protection against surveillance.
Conference Paper
It is becoming increasingly easy and common for organizations to routinely exchange data on individuals. Because each individual provides most organizations essentially the same uniquely identifying information, such as social security number, or name, age and place of birth, the records held by one organization on an individual are readily matched or linked with those held by other organizations. Thus, organizations are capable of exchanging information about individuals whenever and to whatever extent they choose. Clearly some such transfers of information are quite useful and beneficial to society. The problems stem from the inability of anyone, particularly the individuals whose data is involved, to control or even effectively monitor such transfers. These problems were not present in completely paper based systems, where the transfer of information about an individual was only through credential documents issued to the individual by one organization and shown by the individual to other organizations.
Conference Paper
Without Abstract
Article
David Chaum has introduced the idea of blind signatures, an extension of the concept of digital signatures, as a way to protect the identity and privacy of a user in electronic payment and service networks. Blind signatures also prevent so-called “dossier creation” about users by organizations. While the concept of blind signatures still allows authorities to distinguish between valid and false data, it prevents these authorities from connecting specific data or actions to specific users. With the growing emphasis on the protection of the privacy of user data and user actions in electronic systems, blind signatures seem to be a perfect solution. This paper however, discusses a problematic aspect of blind signatures, showing that this perfect solution can potentially lead to perfect crime. We use a real crime case as an example.
Conference Paper
Markus Jakobsson, Moti Yung. Abstract: We present an e-money system where both value of funds and user anonymity can be revoked or suspended unconditionally, but only by the cooperation of banks and consumer rights organizations. We introduce the "ultimate crime," where an active attacker gets the bank's key or forces the bank to give "unmarked bank notes". Our system, unlike all current anonymous systems, can prevent such a crime from successfully being perpetrated, and employs...
Article
It is shown that the large-scale automated transaction systems of the near future can be designed to protect the privacy and maintain the security of both individuals and organizations. A new approach is described in which: (1) an individual uses a different account number or 'digital pseudonym' with each organization; (2) individuals conduct transactions using personal card computers that might take a form similar to a credit-card-sized calculator, and include a character display, keyboard, and a limited distance communication capability; (3) individuals keep secret keys from organizations and organizations devise other secret keys that are kept from individuals.
Conference Paper
The use of cryptographic hash functions like MD5 or SHA-1 for message authentication has become a standard approach in many applications, particularly Internet security protocols. Though very easy to implement, these mechanisms are usually based on ad hoc techniques that lack a sound security analysis. We present new, simple, and practical constructions of message authentication schemes based on a cryptographic hash function. Our schemes, NMAC and HMAC, are proven to be secure as long as the underlying hash function has some reasonable cryptographic strengths. Moreover we show, in a quantitative way, that the schemes retain almost all the security of the underlying hash function. The performance of our schemes is essentially that of the underlying hash function. Moreover they use the hash function (or its compression function) as a black box, so that widely available library code or hardware can be used to implement them in a simple way, and replaceability of the underlying hash function is easily supported.