
pp. 459- 459

1/28 ANN. TÉLÉCOMMUN., 60, n° 3-4, 2005

Abstract

We present a new protocol for electronic transactions which is not only secure but also anonymous, the latter characteristic being obtained by associating an encryption device with a chip card. Security is ensured by the use of encryption, electronic signature and authentication. In order to check the validity of the security properties enforced by the protocol, a model and a specification are provided. The protocol modeling language is a process algebra with value passing extended by an observation mechanism allowing the specification of security levels, by cryptographic primitives, and by a function call feature on private channels allowing the modeling of interactions with the crypto-system. The anonymity is expressed by an information flow property. The verification method, based on bisimulation, is proved consistent and complete, and analysis confirms that this approach ensures not only anonymity (thanks to the fact that the client never discloses to the merchant any information permitting his identification), but also the quasi-impossibility of any fraudulent transaction.


Anonymous and Secure Electronic Transaction Protocol – ASET – un protocole anonyme et sécuritaire pour les transactions électroniques

Srecko BRLEK*, Sardaouna HAMADOU**, John MULLINS***

* Dép. de Génie Informatique, École Polytechnique de Montréal; Laboratoire LaCIM, Dép. d'Informatique, Université du Québec à Montréal. Supported by an NSERC grant (Government of Canada). E-mail: brlek@lacim.uqam.ca
** Laboratoire CRAC, Dép. de Génie Informatique, École Polytechnique de Montréal. Supported by a NATEQ doctoral scholarship (Government of Quebec). E-mail: sardaouna.hamadou@polymtl.ca
*** Laboratoire CRAC, Dép. de Génie Informatique, École Polytechnique de Montréal. Supported by an NSERC grant (Government of Canada). E-mail: john.mullins@polymtl.ca. Mailing address: B.P. 6079, Succ. Centre-ville, Montréal (Québec), Canada, H3C 3A7.

Résumé (translated from the French)

We present a new electronic transaction protocol that is secure and, above all, anonymous, through the association of encryption software with a chip card. The security of the protocol is ensured by the use of cryptographic techniques such as encryption, electronic signature and authentication. In order to make sure that the security properties the protocol must satisfy are verified, a model of the protocol and a specification of anonymity are given. The protocol modeling language is a process algebra with value passing, extended with a mechanism called observation allowing security levels to be specified, with cryptographic primitives, and with a function call mechanism on private channels allowing the interaction with the crypto-system to be modeled. Anonymity is expressed as an information flow property. The verification method, based on bisimulation, is consistent and complete. The analysis confirms that anonymity is ensured by the fact that the client reveals to the merchant no information that could identify him, while guaranteeing the quasi-impossibility of fraud.

1925-Her/Telecom 60/3-4 14/03/05 11:01 Page 459


Contents

I. Introduction
II. SET and formal verification methods
III. ASET: Anonymous and Secure Electronic Transaction
IV. Modeling the protocol
V. Anonymity specification
VI. Conclusion
References (38 ref.)

I. INTRODUCTION

The development of an efficient security system is a challenging project. It systematically requires the definition of the security objectives and the characterization of the ways to achieve them. One approach consists in considering the following three facets of security: security objectives; potential attacks; security mechanisms for attack detection and prevention. A universal security mechanism for preventing attacks does not exist, but an efficient and unavoidable one is provided by cryptographic techniques.

In electronic commerce there are basically two types of electronic payment systems (see [1] for a complete classification): electronic currency (e-cash), allowing parties to exchange electronic tokens representing some value (in the same way banknotes represent the paper money value), and credit-debit (account based) systems, consisting in exchanging the financial data directly between parties (through secured channels operated by financial institutions). Electronic cash dissemination encounters a lot of resistance from financial institutions since it represents serious competition. Such systems are spreading (see [10, 11, 24, 33, 36]) but their use is limited on the one hand to micro-payments (small amounts whose handling charges would be prohibitive if performed with credit-debit cards), and on the other hand to clearing houses regrouping private networks of users. Nevertheless, for all other transactions the use of credit-debit cards seems unavoidable [15, 22, 5], at least for the near future.

In electronic B2C commerce most merchants use the SSL protocol [15] in order to secure the client's banking data when a transaction is processed over the Internet. In the SSL protocol both the merchant and the client are assumed to be "honest". Indeed, the merchant may "freely" use the client's banking data and conversely the client may repudiate a completed transaction. In order to ensure the security of electronic transactions involving credit cards, the major players Visa and MasterCard, in association with some of the top corporations (GTE, IBM, Microsoft, Netscape, etc.), have implemented a security standard for such transactions: Secure Electronic Transaction (SET). SET has a global scope and its specification is available for instance on Visa's Web site [22]. SET's main objectives are the confidentiality and integrity of the transaction's data, as well as the authentication of both the client and the merchant. Overall, SET consists of five sub-protocols:

• Client's registration: the client (cardholder) transmits to a trusted Certificate Authority (CA) the card data and his public signature key. Upon validation, the CA issues a public key certificate (digital ID) including the hash code of the card number and a secret nonce.

• Merchant's registration: the merchant's registration is similar to the client's: he registers his encryption and signature public keys and obtains two certificates.

• Purchase Request: it allows the client to securely send payment instructions to the merchant, but the latter does not have access to the client's card data.

• Payment Authorization: it allows the merchant to check with the Payment Gateway whether the client's card has sufficient funds.

• Transaction Payment: the merchant issues a payment request to the Gateway.

The first two phases of the protocol are processed only at the initial transaction between a given client and a given merchant. The issued certificates are used for their mutual authentication in any subsequent transaction. The last three phases constitute the electronic transaction itself.

However, while e-cash payment systems have the particularity of yielding completely anonymous transactions (see [19] for an excellent overview of anonymous e-cash), many electronic commerce protocols involving credit cards, such as SSL and SET, are not designed to ensure the anonymity of customers. These protocols often require the customer to reveal information not strictly necessary for enforcing security. Nowadays the collection and exploitation of such information (data warehousing) is of growing concern for many customers, more reluctant than ever to give it out. For the near future at least, a large part of the electronic market will rest on credit card based models in which, for obvious reasons, the credit card number is known by the issuer (bank) and linked to the real identity of the cardholder. Therefore they do not ensure anonymity towards the issuer, but it is possible (and certainly desirable) to ensure the customer's anonymity towards the merchant. Van Herreweghen [38] was the first to propose the anonymization of existing systems that use certificates, such as SET and iKP: he introduced a pseudonym server that acts as an intermediate certificate issuer in existing certificate-based systems; the pseudonymous one-time certificates (the customer must obtain a new certificate for every transaction) are used for authentication instead of the real long-term certificates, which are linked to the cardholder's identity. Syverson et al. [35] propose a protocol for unlinkable serial transactions suitable for a variety of network-based subscription services. Rather than a new payment system, their protocol is a new approach to the anonymization of existing payment systems. Like in the van Herreweghen approach, they use a one-time blinded certificate for each transaction to achieve anonymity.

In this paper we present a new protocol inspired by the SET protocol and called Anonymous and Secure Electronic Transaction (ASET), allowing electronic transactions and ensuring the anonymity of the client towards the merchant while maintaining the guarantee of payment to the merchant. To our knowledge, it is the first bank card-based system designed to ensure the customer's anonymity towards the merchant. Unlike the van Herreweghen and Syverson approaches, we do not use Chaum's blind signature techniques [10], which require customers to register new certificates for every transaction to achieve anonymity. The customer does not need to authenticate himself to the merchant, who is nevertheless guaranteed to be paid. Furthermore, not only can the merchant not link a transaction to a customer, but he also cannot link two different transactions of the same customer even though the customer's identity is hidden. Finally, the disclosure of the identity for one transaction must not lead to the loss of anonymity for all other transactions performed by the same customer. Our protocol corresponds to the payment phase of SET, that is to its last three steps, and its formal model is described with a modeling language called Security Protocol Process Algebra (SPPA). SPPA is like a CCS process algebra with value passing [25], extended on the one hand syntactically to take explicitly into account the specification of security levels, and on the other hand semantically to allow the analysis of crypto-protocols. The intruder model is Dolev and Yao's [12], which is simple and easily automated. Anonymity is specified by an admissible information flow property [26]. The verification method is based on bisimulation, which has been proven to be consistent and complete [18].

The paper is organized as follows. Section II surveys previous work on the formal verification of the SET protocol. The description of the ASET protocol is given in Section III. Section IV then contains the modeling of the protocol and of the intruder. Finally, the specification of the confidentiality and anonymity properties in terms of information flow can be found in Section V.

II. SET AND FORMAL VERIFICATION METHODS

From the early 90's, many payment systems on open networks have been proposed. This initial blossoming, now apparently stabilized, has led to the implementation of complex and ambitious systems. Such complex systems are likely to contain errors (a recent attack against the iKP electronic payment protocols is described in [27]), but their complexity makes them very hard to verify. Therefore, it is not surprising that, even if numerous formal verification methods for crypto-protocols have been proposed during this period, few systems have been formally checked. So far, the most complex systems to have been formally checked are Kerberos IV [4], TLS (the successor of SSL) [29] and the registration phase of SET [3]. We briefly review previous work on the verification of the SET protocol, which is close to our protocol.

In [23] Meadows and Syverson proposed a language for the SET specification but left the verification for further research. They used the temporal logic NPATRL to specify many SET requirements. In [17] Kessler and Neumann proposed an authentication logic extending the AUTLOG logic of belief used for the modeling of accountability in electronic commerce, and used that logic for the formal checking of SET. Their analysis focused on the merchant's ability to prove the authenticity of the client's purchase order and concluded that this objective has been fulfilled. Bella, Massacci and Paulson [2] proved that the presence of the double signature in the payment authorization request implies that the client is actually the message sender. However, this does not guarantee non-repudiation. In fact, the analysis carried out by Van Herreweghen [37] reveals some open problems, in particular the fact that SET does not deliver any secure acknowledgment to the client. Bolignano [7] described a verification methodology for the analysis of payment protocols by means of proofs in modal logic. The case study was done on C-SET, a variant of SET. In [20] Lu and Smolka proposed a simplified version of SET checked with FDR, a model checker based on the language CSP. Their analysis concluded that the simplified version is secure. Panti et al. [28] proposed two attacks on the version of Lu and Smolka. Nevertheless these attacks cannot be performed on SET itself. Finally Bella et al. [3] analyzed the registration phase of SET with the help of the Isabelle theorem prover. Their analysis revealed some ambiguities and contradictions in the specification of SET. For instance, in the original specification provided by Mastercard and Visa [22] (in: Programmer's Guide, p. 12) it is stipulated that SET ensures the confidentiality of the cardholder's data in the message exchanges with the merchant, but later (p. 66) it is suggested to send the client's card number to the merchant from the Payment Gateway. They also discovered that properties such as authentication (of messages) and (client-merchant) agreement cannot be proved for the whole protocol. This is due to the optional use of nonces.

III. ASET: ANONYMOUS AND SECURE ELECTRONIC TRANSACTION

The encryption software SSL [15] of Netscape™ is currently the most widely used system for electronic payment. It requires the transmission of the client's banking data to the merchant in a secure way. The risk of fraud by the merchant who stores this data is high, not to mention the fact that the merchant site could be a mere front used for the large-scale capture of banking data. In an attempt to reduce the risk of fraud, Visa and Mastercard, in association with major players in the industry, proposed in 1997 the SET protocol, a payment system designed especially for electronic commerce. This system, intended to be a worldwide standard, is a purely software solution, whereas according to many players:

«Assuming protection by a purely software solution will never be totally secure. It seems that the safest solution at the time being is obtained by associating an encryption device with the use of a chip card.»¹

It is in that context that we propose ASET, a protocol allowing to purchase securely and anonymously over the Internet by associating cryptographic mechanisms with a chip card. Anonymous refers here to the non-disclosure of the client's identity to the merchant.

III.1 The ASET protocol

The ASET protocol is an electronic payment protocol with the objective of ensuring the confidentiality of the data relevant to the payment, the integrity and authentication of messages, non-repudiation and the client's anonymity towards the merchant. To achieve these goals, ASET uses cryptographic primitives such as encryption (both symmetric and public key) and electronic signature. In order to ensure the "freshness" of messages, the use of session nonces is preferred to time stamping, which requires the synchronization of many different clocks, a problem in distributed systems. A nonce is a random "freshness challenge" used to defeat replay attacks: the sending entity generates an unguessable random value and inserts it into the message, and the recipient of the message must copy this value into the corresponding response message.

¹ Pierre Bresse et al. in [8], p. 37.

Trace of a transaction: a transaction requires the commitment of four agents: the client, the merchant and their respective financial institutions (two banks). We assume the following:

• The client owns an account in a financial institution which delivers him a chip card protected by a password or PIN and containing: an electronic signature software, a private signature key, a private encryption key, the public encryption key and the public signature verification key of his bank.

• The merchant owns a private signature key, a private encryption key, a certificate of his private keys of encryption and signature verification signed by his bank, and the public keys of his bank.

• The banks possess their own pairs of encryption and signature keys as well as the respective certificates. The client's bank knows the client's public keys.

The transaction is performed in five phases.

Initialization: when a client agrees to make a purchase, the merchant returns him his public key certificate certm.

Merchant's Authentication: in order to guarantee the certificate's validity the client opens a session (login) with his financial institution, thus identifying himself. Then he transmits the merchant's certificate to the bank which, in turn, proceeds with its verification and confirms or denies its validity.

Purchase Order: once the merchant is authenticated, the client proceeds with the purchase by sending to the merchant the data necessary for the payment, in such a way that the merchant can neither identify him nor get access to his banking data, while having the guarantee to be paid if the bank validates the transaction. The payment data is accompanied by the client's bank certificate.

Authentication of the client's bank certificate: in order to validate the certificate provided by the client, the merchant asks his bank (if different from the client's bank) for its authentication.

Payment Request: at this point, the merchant knows the valid public keys of the client's bank. He prepares the payment request, which includes the digital payment details received from the client, and sends it to the bank. The bank checks whether the two messages agree and validates the transaction.

Receipt delivery: when the merchant receives the confirmation from the bank, he transmits a receipt to the client together with the bank's confirmation. In this way the client knows whether the payment was authorized or not.

The complete description of the protocol is given here in «Alice and Bob» style.

Notations: the four agents are the merchant's bank (A), the client's bank (B), the client (C) and the merchant (M). The secret session key shared by the principals X and Y is denoted by Kxy and the public key of X by Kx. {m}K denotes the cryptogram obtained by encrypting the message m with the key K. The signature of a message y by the principal X is denoted by [y]x, its identifier by idx, and certx denotes the certificate of its public keys of encryption and signature verification, both delivered by its financial institution. The parameters nx and refx denote respectively a session nonce and a reference number provided by the principal X. Finally, listP is the list of products purchased, receipt is the receipt delivered to the client by the merchant, $ is the amount of the transaction and status (accepted or refused) is the status of the transaction.

Initialization
(1) M → C: certm

Merchant's Authentication
(2) C → B: {(x, [x]c)}Kb, where x = (nc, idc, certm)
(3) C ← B: {(nb, refb, [x]b)}Kc, where x = (nc, nb, idc, certm, refb)

Purchase Order
(4) C → M: (listP, {(nc, Kcm)}Km)
(5) C ← M: {(nm, refm, $, [x]m)}Kcm, where x = (nc, nm, idm, refm, listP, $)
(6) C → M: (refm, {(nc, nm, certb, refm, refb, $, reqC2B)}Kcm), where reqC2B = [(nc, nm, nb, idm, idc, refm, refb, $)]c

Authentication of the client's bank certificate
(7) M → A: {(x, [x]m)}Ka
(8) M ← A: [x]a, where x = (n′m, idm, certb)

Payment Request
(9) M → B: {(x, [x]m)}Kb, where x = (nc, nm, nb, idm, refm, refb, $, reqC2B)
(10) M ← B: {(refm, status, reqB2C, [x]b)}Km, where x = (nc, nm, idm, idb, refm, refb, $, status, reqC2B) and reqB2C = [(nc, nm, nb, idm, idc, refm, refb, $, status)]b

Receipt Delivery
(11) C ← M: {(receipt, status, reqB2C, [x]m)}Kcm, where x = (nc, nm, refm, refb, receipt, status, reqC2B)


IV. MODELING THE PROTOCOL

We now define the Security Protocol Process Algebra (SPPA) of terms and model the intruder as a deductive system (according to the model of Dolev and Yao [12]), representing the set of terms he may infer. SPPA is a process algebra à la CCS [25] using value passing, extended in two ways. It is extended syntactically in order to take explicitly into account the specification of the security levels, function calls and cryptographic primitives. It is also extended semantically in order to cover the analysis of crypto-protocols. Here is a description of its syntax and semantics.

IV.1. Syntax of SPPA

Algebra of messages. SPPA uses an algebra of messages based on the syntactic categories of identifiers of principals, variables and numbers, denoted respectively by the sets I, V and N. The set of terms T is built as follows:

t ::= n (integer) | id (identifier) | x (variable) | (t, t, …, t) (tuples) | {t}t (encryption) | [t]t (signature) | h(t) (hashing)

For each term t, we denote by fv(t) the set of free variables in t. A message is a closed term (i.e. not containing variables) and the set of closed terms is denoted by M. For the sake of simplicity we distinguish a subset K ⊆ M of messages that may be used as encryption keys. In order to deal with public-key encryption we use an idempotent operator $(\cdot)^{-1} : K \to K$ such that $a^{-1}$ denotes the private key corresponding to the public key a, and conversely. In the symmetric case it suffices to state that $a^{-1} = a$. Of course we assume encryption and hashing to be perfect.

Private functions. We consider a finite set F of private functions over messages. We write dom(f) for the domain of messages of f. By convention, f(a) = fail if a ∉ dom(f). Moreover, for each identifier id we assume the sets $F_{id}$ of private functions to be disjoint, so that

$$F = \bigcup_{id \in I} F_{id}, \qquad F_{id} \cap F_{id'} = \emptyset \Leftrightarrow id \neq id'.$$

Informally, the principal identified by id has only access to functions in Fid, which usuallycontains the following functions:


pairing: $pair_{id}(a_1, a_2, \ldots, a_n) = (a_1, a_2, \ldots, a_n)$, with domain $\{(a_1, a_2, \ldots, a_n) \mid \forall i\ a_i \in M \text{ and } n \in N\}$;

extraction: $extract_{id}^{n,i}((a_1, a_2, \ldots, a_n)) = a_i$ for $1 \le i \le n$, with domain $\{(a_1, a_2, \ldots, a_n) \mid \forall i\ a_i \in M\}$;

encryption: $enc_{id}(k, a) = \{a\}_k$, with domain $K \times M$;

decryption: $dec_{id}(k^{-1}, \{a\}_k) = a$, with domain $\{(k^{-1}, \{a\}_k) \mid k \in K \text{ and } a \in M\}$;

hashing: $hash_{id}(a) = h(a)$, with domain M;

signature: $sign_{id}(k, a) = [a]_k$, with domain $K \times M$;

signature check: $checksign_{id}(k^{-1}, a, [a]_k)$, with domain $\{(k^{-1}, a, [a]_k) \mid k \in K \text{ and } a \in M\}$.

A test like checksign (testing whether its entry is in its domain) is treated as a constantfunction, for example the Boolean constant true.
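The following program is an added example, not code from the paper or its authors. It plays the ASET trace of Section III.1 over a symbolic term algebra in the spirit of Section IV.1: private functions pair, extract, enc, dec, h, sign and checksign return fail outside their domain, and cryptography is perfect in the Dolev-Yao sense (a ciphertext opens only with the inverse key, a signature reveals only a hash of what it signs). Agent identifiers, nonces, references, the amount and the session bookkeeping kept by the client's bank are constructed sample values; the helper names derivable, bank_validates and aset_trace are this example's own. The run closes everything the merchant ever receives under Dolev-Yao deduction to check that idc is not among it, and replays step (9) with an amount other than the one the client signed to show the bank refusing the request.

```python
"""Symbolic run of the ASET trace (Section III.1) over the SPPA term algebra
and private functions of Section IV.1.  Constructed example, not the
authors' code: terms are Python tuples and cryptography is perfect."""

FAIL = "fail"   # value of a private function applied outside its domain

def is_(t, tag):
    return isinstance(t, tuple) and len(t) > 0 and t[0] == tag

def inv(k):
    """k -> k^-1: swaps the public/private halves of a key pair, fixes symmetric keys."""
    if is_(k, "pub") or is_(k, "priv"):
        return ("priv" if k[0] == "pub" else "pub", k[1])
    return k

# The private functions of Section IV.1 (the id subscript is dropped here).
def pair(*a):        return ("tuple",) + a
def extract(t, i):   return t[i] if is_(t, "tuple") and 1 <= i < len(t) else FAIL
def enc(k, a):       return ("enc", a, k)                    # {a}k
def dec(k_inv, c):   return c[1] if is_(c, "enc") and inv(c[2]) == k_inv else FAIL
def h(a):            return ("hash", a)
def sign(k, a):      return ("sig", h(a), k)                 # [a]k carries only h(a)
def checksign(k_inv, a, s):
    return is_(s, "sig") and s[1] == h(a) and inv(s[2]) == k_inv

def derivable(known):
    """Dolev-Yao closure of a set of terms: split tuples, open ciphertexts whose
    inverse key is known.  Hashes and signatures are one-way and stay opaque."""
    known = set(known)
    while True:
        new = set()
        for t in known:
            if is_(t, "tuple"):
                new |= set(t[1:])
            elif is_(t, "enc") and inv(t[2]) in known:
                new.add(t[1])
        if new <= known:
            return known
        known |= new

def bank_validates(m9, Kb, Km, Kc, sessions):
    """B's check at step (9): open the request, verify M's signature, then verify
    that C's reqC2B signs the same nonces, identities and amount."""
    body = dec(inv(Kb), m9)
    if body == FAIL or not checksign(Km, extract(body, 1), extract(body, 2)):
        return "refused"
    nc, nm, nb, idm, refm, refb, amt, reqC2B = extract(body, 1)[1:]
    idc = sessions.get((nc, nb))         # B linked nc to idc at (2) and issued nb at (3)
    if idc is None:
        return "refused"
    expected = pair(nc, nm, nb, idm, idc, refm, refb, amt)
    return "accepted" if checksign(Kc, expected, reqC2B) else "refused"

def aset_trace(amount=120, claimed_amount=None):
    """Steps (1)-(11) with constructed sample values.  `claimed_amount` lets the
    payment request (9) state an amount other than the one the client signed."""
    claimed = amount if claimed_amount is None else claimed_amount
    Kc, Km, Ka, Kb = (("pub", x) for x in "CMAB")
    Kcm = ("sym", "CM")                  # session key chosen by C in (4)
    idc, idm, idb = "idC", "idM", "idB"
    nc, nb, nm, nm2 = "nC", "nB", "nM", "nM'"
    refb, refm, listP, receipt = "refB", "refM", "listP", "receipt"
    certm, certb = ("cert", idm, Km), ("cert", idb, Kb)
    # (1)-(3): certm goes to C, who has B verify it inside an identified session
    x2 = pair(nc, idc, certm);             m2 = enc(Kb, pair(x2, sign(inv(Kc), x2)))
    x3 = pair(nc, nb, idc, certm, refb);   m3 = enc(Kc, pair(nb, refb, sign(inv(Kb), x3)))
    sessions = {(nc, nb): idc}            # what B remembers from (2)-(3)
    # (4)-(6): purchase order; reqC2B binds identities, nonces and amount under C's signature
    m4 = pair(listP, enc(Km, pair(nc, Kcm)))
    x5 = pair(nc, nm, idm, refm, listP, amount)
    m5 = enc(Kcm, pair(nm, refm, amount, sign(inv(Km), x5)))
    reqC2B = sign(inv(Kc), pair(nc, nm, nb, idm, idc, refm, refb, amount))
    m6 = pair(refm, enc(Kcm, pair(nc, nm, certb, refm, refb, amount, reqC2B)))
    # (7)-(8): M has its own bank A vouch for certb
    x7 = pair(nm2, idm, certb);            m7 = enc(Ka, pair(x7, sign(inv(Km), x7)))
    m8 = sign(inv(Ka), x7)
    # (9)-(10): payment request and B's answer
    x9 = pair(nc, nm, nb, idm, refm, refb, claimed, reqC2B)
    m9 = enc(Kb, pair(x9, sign(inv(Km), x9)))
    status = bank_validates(m9, Kb, Km, Kc, sessions)
    reqB2C = sign(inv(Kb), pair(nc, nm, nb, idm, idc, refm, refb, claimed, status))
    x10 = pair(nc, nm, idm, idb, refm, refb, claimed, status, reqC2B)
    m10 = enc(Km, pair(refm, status, reqB2C, sign(inv(Kb), x10)))
    # (11): receipt (m2, m3, m5, m7, m11 are built for completeness of the trace)
    x11 = pair(nc, nm, refm, refb, receipt, status, reqC2B)
    m11 = enc(Kcm, pair(receipt, status, reqB2C, sign(inv(Km), x11)))
    # Everything M ever holds, closed under Dolev-Yao deduction
    merchant = derivable({Km, inv(Km), Ka, idm, nm, nm2, refm, certm, m4, m6, m8, m10})
    return {"status": status,
            "merchant_learns_idc": idc in merchant,
            "merchant_sees_amount": amount in merchant,
            "merchant_has_session_key": Kcm in merchant}
```

The closure makes the anonymity claim of the abstract concrete for one run: idc travels only inside reqC2B and reqB2C, which are signatures and hence opaque to the merchant, while the amount, references and session key are derivable as the protocol intends. The refusal on a changed amount comes from the bank comparing the merchant's request with what the client signed, which is the agreement check of the Payment Request phase.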

Prefixes. We consider a finite set C of public channels used to specify message exchanges between the principals. Each public channel c has a predefined domain dom(c) of messages that may transit through it. We assume here that dom(c) = M for each c. The prefixes of SPPA are obtained as follows:

µ ::= $\bar{c}(t)$ (output) | c(x) (input) | x := f(t) (functional call), for each term t where x ∉ fv(t).

Agents. Let µ be a prefix and t, t′ two terms. The agents of SPPA are built as follows:

S ::= 0 (empty) | µ.S (prefix) | [t = t′]S (match) | S + S (sum) | S ∥ S (parallel) | S/O (O-obs.) | S\L (restriction)

where L is a set and O a partial function called observation criterion, defined in Section IV.2. Given an agent S, the set fv(S) of free variables is the set of variables x of S that are not in the scope of any input prefix c(x) or functional prefix x := f(t).

Principals. Intuitively, the closed agents are used to specify the principals. More precisely, a principal is modeled by a couple (S, id) where S is a closed agent and id ∈ I an identifier. Such a notation allows an agent S and its sub-agents to be bound to their unique principal by means of its identifier id. If no confusion arises, X is used instead of (SX, idX), where SX is an initial agent of the principal X, that is the closed agent specifying the behavior of X inside the protocol. For the sake of simplicity, we often write µ.A instead of (µ.S, id), A1 ∥ A2 instead of (S1 ∥ S2, id), A1 + A2 instead of (S1 + S2, id), and [a = a′]A1 instead of ([a = a′]S1, id), where A = (S, id), A1 = (S1, id) and A2 = (S2, id), and so on.

Processes and protocol specification. For the specification of a security protocol in SPPA we adopt the classical approach [13, 31], which requires the principals to be specified as concurrent agents. Let A, A1, …, An be n principals; the processes of SPPA are built as follows:

P ::= A (principal) | A1 ∥ … ∥ An (protocol) | P\L (restriction) | P/O (O-obs.)

where ∥ is an associative and commutative operator forcing the communication on the public channels used by the protocol (in practice it is convenient to use one channel per execution step of the protocol).

IV.2. Semantics of SPPA

Markers. Markers are simply annotations on the labels of the transition system generated by the derivation of the rules of the operational semantics of processes in SPPA. Markers are distinct from prefixes. Therefore they do not appear in the syntax of processes, and the semantics confines their use to the communication between the principals and other committed parties, in order to keep the information on the exchanged values. Indeed, in process algebras, communications are usually expressed by replacing an input and its associated output by the silent action τ, causing a loss of information.

Briefly stated, the occurrence of an output marker $\bar{\delta}^{c}_{id_X}(a)$ means that the principal X emitted the message a on channel c, and the occurrence of an input marker $\delta^{c}_{id_X}(a)$ means that the principal X received the message a on channel c. Every marker belongs to the principal identified by its parameter.

Actions. Given a message a ∈ M, the actions of SPPA are defined as follows:

$$\alpha ::= \bar{c}(a)\ \text{(output)} \;\mid\; c(a)\ \text{(input)} \;\mid\; a' := f(a)\ \text{(function call returning } a' \text{ such that } a' = f(a)\text{)} \;\mid\; \delta(a)\ \text{(mark)} \;\mid\; \tau\ \text{(silent action)}$$

The set of all actions is Act and the set of actions observable only by X is

$$Act_X = \{a' := f(a) \in Act \mid f \in F_{id_X} \text{ and } a \in M\} \;\cup\; \{\bar{\delta}^{c}_{id_X}(a),\ \delta^{c}_{id_X}(a) \in Act \mid c \in C \text{ and } a \in M\}.$$

Observation criterion. An observation criterion is a partial function O : Act* → Act used to express the behavior of a process as seen by an observer, thus allowing the definition of levels of security and of the actions not observable from these levels. Two sequences of actions γ1 and γ2 lead to the same observation α with respect to O if γ1, γ2 ∈ O^{-1}(α), where O^{-1}(α) = {γ ∈ Act* | O(γ) = α}. Given a subset L ⊆ Act \ {τ}, we consider the observation criterion O_L defined by

$$O_L^{-1}(\alpha) = \begin{cases} (Act \setminus L)^*\,\alpha\,(Act \setminus L)^* & \text{if } \alpha \in L,\\ (Act \setminus L)^* & \text{if } \alpha = \tau, \end{cases}$$


meaning that only the actions of L are visible with respect to O_L. In particular the observation criterion $O_{Act_X \cup C}$, often denoted by O_X, naturally describes the sequences of actions in the protocol that are observable by a principal X.

Operational semantics. The operational semantics of SPPA is an extension of the one of CCS with value passing [25] and is defined in Table 1, where a ∈ M is a message, L ⊆ Act a subset of actions, P and P′ two processes, and A1, …, An, A′1, …, A′n some principals with $id_{A_{j_1}} = id_1$ and $id_{A_{j_2}} = id_2$. We sketch it briefly.

Output and Input rules. The output mechanism allows a principal A to send a message on public channels. Dually, the input mechanism should handle any message on a public channel.

Function and Fail rules. The function call and the return of values transit on private channels and, in the case where a parameter is out of the domain bounds, an exception is raised.

Sum, Parallel and Match rules. Non-deterministic choice, parallelism and conditional operators are defined in the usual way.

Protocol and Synchronization rules. The concurrency operator is a parallelism operator where the synchronization is performed between the issuer and the receiver on the public channels. We differentiate the Parallel and Synchronization rules to allow a process to use the same channel to input and output messages without allowing communication between its sub-processes. For example, consider the initiator process P = c̄(m).P′ and the responder process Q = c(x).Q′; then the process R1, the parallel composition of P and Q, behaves as an initiator or a responder but its sub-processes P and Q cannot communicate over c, while R2, the concurrent composition of P and Q, defines a protocol where the processes P and Q communicate over the channel c.

Restriction rule. The process P \ L, where L is a set of actions, behaves as P restricted to the actions that are not in L.

O-Observation rule. If P is a process and O an observation criterion, then P/O, called the O-observation of P, denotes the process P as observed through the criterion O. For instance, P/O_L (where L is a set of actions) is observed with respect to O_L as P where the actions outside of L are replaced by the silent action τ.

IV.3. Modeling the ASET protocol in SPPA

We now specify every principal X by a process (a closed agent) modeling its behavior throughout the execution of the protocol. It is denoted by the same letter. We denote respectively by KS_X (resp. KS_X^{-1}) the signature private (resp. public) key of the principal X, and by C = {c_i | 1 ≤ i ≤ 11} the set of public channels, where channel c_i corresponds to step (i) of the protocol. In addition to the usual private functions F_id over each of the principals, we assume


that both financial institutions possess a private function checkCert_X (X = A or B) allowing them to check the validity of a certificate. We also assume that each process uses different variables (whose scope is limited to the process itself). The models of the client and his bank are given in Table 2.

As an example, in the client model each process C_i corresponds to the client's behavior at its current step within the protocol. For instance, the process C_1 means that, after receiving a message x1 on the public channel c1, the client must prepare a message x2 consisting of its session nonce nc, its identifier idc and the message x1 (here equal to certm). Then he signs the message, encrypts it with his bank's public key, sends it over the public channel c2 and behaves like process C2. One should remember that if any action returns the fail result, then the process automatically becomes a null process, corresponding to a deadlock.

The merchant’s and his bank’s model are given in Table 3.


TABLE 1. – Semantics of SPPA processes.


Table II. – Specification of the client and his bank processes in SPPA


TABLE III. – Specification of the merchant and his bank processes in SPPA

Finally, the ASET protocol is modeled simply by the synchronization (concurrency operator) of all these processes and is specified by

ASET := M C B A.

Intruder model. We still have to represent the intruder (enemy) E, equipped with a deductive system having the capability to deduce all E-feasible messages, thus defining a predicate T → M meaning intuitively “from the set of terms T, the intruder can infer M”:

1. T, M → M: from any set T of messages appended with a message M, E may infer M;

2. If T → M1, …, T → Mn, then T → pairE(M1, …, Mn): E may generate all n-tuples of E-feasible messages;

3. If T → M then T → extractE_{n,i}(M): E may extract the components of an n-tuple;

4. If T → M then T → hashE(M): E may compute the hash of every E-feasible message;


5. If T → M and T → K, then T → encE(K, M): E may encrypt every E-feasible message with every E-feasible key;

6. If T → M and T → K, then T → decE(K, M): E may try to decrypt every E-feasible message with every E-feasible key;

7. If T → M and T → K, then T → signE(K, M): E may try to sign every E-feasible message with every E-feasible key;

8. If T → M, T → K and T → [M′]_{K′}, then T → checksignE(K, M, [M′]_{K′}): E may try to check every signature.

The intruder may use these rules in order to generate messages at will and cannot produce any message in another way. Let aE be the set of the intruder's initial elements of knowledge, which for the protocol ASET is

$$a_E = \{KS_e,\ K_e^{-1},\ id_E,\ n_e,\ K_{em},\ cert_e,\ cert_b,\ K_b,\ KS_b^{-1},\ K_a,\ KS_a^{-1}\}$$

The intruder knows all the public keys except the client's public keys, which are used only by his bank and are never transmitted over the public network. The intruder could be a known client or merchant, that is to say, someone having a valid account in a financial institution, but cannot be one of the banks. We denote the enemy process by

E = ε(aE)

where ε denotes the generic enemy process (a canonical and most general enemy: see [6]) and is defined as:

$$\varepsilon(T) ::= \sum_{c \in C} c(y).\varepsilon(T \cup \{y\}) \;+\; \sum_{T \to m}\ \sum_{c \in C} \bar{c}(m).\varepsilon(T)$$

The first summation indicates that if the intruder reads a new message y on a public channel, then the message is added to his knowledge base T. The second summation allows him to send any E-feasible message m from T on a channel at will. Note that the intruder's actions are only the output and input actions. The way he generates the messages is not coded in the transition system.

Finally the protocol execution with the participation of the intruder reduces to the concurrency of the honest agents with him, which is modeled by the composition:

ASETE := E M C B A.

V. ANONYMITY SPECIFICATION

The exact meaning of the term security, or even of confidentiality, has not yet reached a consensus among the information security community. Nevertheless we all agree that security requires a strict control of the information flow between the agents manipulating objects in systems with many security levels. Thus many information-flow-based security properties have been proposed, including non-interference. This property can detect any causal dependency of low-level behavior relative to a high-level action. However, any system involving declassification of information (a crypto-system is such) is beyond the scope of non-interference. There is indeed a causal dependency of the cryptogram {m}_K relative to the message-key pair (m, K). Also it has been proposed in [26] that admissible interference takes that case into account, together with a consistent and complete bisimulation-based verification method. In this section, we first briefly recall these notions and then express the confidentiality property in terms of admissible interference. Finally we show how anonymity can be considered as a special case of confidentiality.

Observation-based bisimulation. The reader may consult [25] for the notions of simulation (≼) and bisimulation (≈). A process P is said to be O-simulated by a process Q, written P ≼_O Q, if P/O ≼ Q/O. Similarly P is O-bisimilar to Q, written P ≈_O Q, if P/O ≈ Q/O. In other words, two processes are O-bisimilar if they are bisimilar for an O-observer.

Non-interference. Let P be a process and let {H, L} be a partition of the set Vis = Act \ {τ} of visible actions. We say that H causes interference on L (inside P) if there exist actions of H (in P) triggering the occurrence of actions in L which otherwise would not occur. For instance consider the actions in Figure 1. Assuming that α1 ∈ H and α2 ∈ L, action α1 causes interference on α2 in process Q, since the occurrence of α1 is revealed to any low-level user by the triggering of α2, while process P satisfies non-interference.

Non-interference (of H on L) may be reformulated in terms of observation-based simulation: H does not interfere on L in P if P O_{H∪L}-simulates its O_L-observation, that is to say, if any behavior observable from the low level is a behavior of the process observable from the high level. Formally, P satisfies non-interference if

$$P/O_L \preceq_{O_{H \cup L}} P.$$

This property coincides with the strong non-interference property based on bisimulation(BSNNI) proposed by Focardi and Gorrieri [14].

Fig. 1. – SPPA processes P and Q.

Admissible Interference. Now let D ⊆ Vis be a set of declassifying actions and {H, D, L} a partition of the set Vis. Admissible interference is an information flow property requiring that interference of H on L is only possible via declassifying actions. In [26] the authors propose to express this property in terms of non-interference as follows: each sub-process P′ of P not performing any declassifying action (consequently behaving like P′ \ D) must satisfy non-interference. This property, called admissible interference (BNAI), is expressed formally as follows: P satisfies admissible interference if

$$\forall P' \in \mathcal{D}(P)\quad (P' \setminus D)/O_L \preceq_{O_{H \cup L}} (P' \setminus D),$$

where $\mathcal{D}(P) = \{P' \mid \exists \gamma \in Act^*,\ P \xrightarrow{\gamma} P'\}$.

The following theorem (called the Unwinding theorem in the security community) is an algebraic characterization of admissible interference, whose complete proof is given in [18].

Theorem 1 (Unwinding). P satisfies admissible interference if and only if

$$\forall P' \in \mathcal{D}(P)\quad P' \setminus D \approx_{O_L} P' \setminus (D \cup H).$$

Confidentiality. First we specify confidentiality and prove afterwards that the client's anonymity towards the merchant is a particular case of confidentiality. To reduce confidentiality to admissible interference and apply Theorem 1, one has to carefully partition the protocol actions. The following definitions will serve this purpose:

Definition 2. We define the set of keys known to the intruder by

$$\mathcal{K}_E = \{K \in \mathcal{K} \mid T \to K\}$$

given the set T of the intruder's knowledge at this step of the protocol.

Definition 3. Let m and m′ be messages. We define the relation contains on the set of messages M (denoted m ◁ m′: m′ contains m) by the following rules, for K ∈ $\mathcal{K}$:

$$\frac{}{m \triangleleft m} \qquad \frac{m \triangleleft m'}{m \triangleleft (\ldots, m', \ldots)} \qquad \frac{m \triangleleft m'}{m \triangleleft h(m')} \qquad \frac{m \triangleleft m'}{m \triangleleft \{m'\}_K} \qquad \frac{m \triangleleft m'}{m \triangleleft [m']_K}$$

and the relation contains in clear (denoted m ◁_clear m′), relative to the intruder's knowledge, by the following rules, for K ∈ $\mathcal{K}_E$:

$$\frac{}{m \triangleleft_{clear} m} \qquad \frac{m \triangleleft_{clear} m'}{m \triangleleft_{clear} (\ldots, m', \ldots)} \qquad \frac{m \triangleleft_{clear} m'}{m \triangleleft_{clear} \{m'\}_K}$$


The last rule of ◁_clear expresses the fact that encrypting a message under a key that is already known by the intruder is “useless” for a confidentiality purpose. The encrypted message is “equivalent” to the message in clear (with respect to the intruder's knowledge) from a secrecy point of view. Note that both relations ◁ and ◁_clear define a partial order on the set M.

Definition 4. Let Mc denote the set of confidential messages exchanged in the protocol. Mc includes all the private and secret keys of honest principals. We define the set of secret messages, denoted Msec, as the set

$$M_{sec} = \{m' \in M \mid \exists m \in M_c,\ m \triangleleft_{clear} m'\}$$

of messages that contain in clear some confidential message. Note that if aE denotes the set of the intruder's initial knowledge, then we must have Mc ∩ aE = ∅, i.e. the intruder does not know any confidential message initially.

We are now ready to define the high-level, low-level and declassification actions. Our approach consists in determining whether there exist some actions of honest principals which may lead to the disclosure of a confidential message. Consider for instance the simplified version (Table IV) of the Wide Mouthed Frog (WMF) protocol [9], which is intended to establish a session key for A and B with the help of a server S.

Table IV. – Wide Mouthed Frog protocol.

(1) A → S: A, B, {K_AB}_{K_AS}

(2) S → B: {A, K_AB}_{K_BS}

(3) A → B: {M}_{K_AB}

In message (1) A sends to S its name, the name of the intended receiver B, and then a fresh key K_AB encrypted under the key K_AS shared between A and S. In (2), S forwards the key and the sender's name to the receiver B, encrypted under the key K_BS shared between B and S. Finally A sends to B the message M encrypted under K_AB. At the end both K_AB and M should remain secret for the intruder. Now suppose that the intruder intercepts a cipher {m}_K (m and K^{-1} are supposed unknown to the intruder); then the only way he can deduce the message m is to “force” an honest principal (see the attack in Table V)

• to send him the decryption key K^{-1}: this is the case of the cipher {M}_{K_AB}, where the server sends to the intruder the key K_AB encrypted under the intruder's key, which is equivalent to sending the secret key in clear (w.r.t. Definition 3);

• or to decrypt the cipher and send him the message, as in the case of the cipher {K_AB}_{K_AS}, which the server decrypts, sending the message (i.e. the key K_AB) to the intruder.


So we consider the sending of the cipher {m}_K as a safe action (given that K^{-1} is not in the intruder's knowledge), while the sending of K^{-1} or m is unsafe. Indeed, whenever a low-level process (for instance an intruder) is manipulating a message containing (in clear or not) a confidential message, then some information flow (containing the confidential message) has passed from high-level processes to the low-level process (since the intruder does not know any confidential message initially). So we must ensure that the flow occurred in a safe way, for instance if the manipulated message is encrypted under a key whose corresponding decryption key is not known to the intruder.

High-level actions are defined as the private actions of honest principals whose results contain a confidential message in clear, i.e. messages that shall be kept secret. Low-level actions are defined as the intruder's actions involving a confidential message, such as reading or outputting any message that contains (not necessarily in clear) a confidential message. Finally, declassifying actions are defined as the private actions of honest principals on a confidential message resulting in a message unintelligible to the intruder, such as encrypting and signing actions (a signature alone cannot reveal the signed message because hashing is a one-way function). Since an honest principal may send a non-confidential acknowledgment after receiving a confidential message (which allows the intruder to know that the high-level action occurred without revealing the confidential message), we admit such interference and consider the output of the acknowledgment as a declassifying action. Any other action is considered as the silent action τ. Formally, let X be a principal; then the sets H, L and D of high-level, low-level and declassifying actions respectively are defined as follows.

Table V. – Secrecy attack against the Wide Mouthed Frog protocol.

(1) A → I(S): A, B, {K_AB}_{K_AS}

(2) I(A) → S: A, I, {K_AB}_{K_AS}

(3) S → I: {A, K_AB}_{K_IS}

(4) A → I(B): {M}_{K_AB}

$$H = \bigcup_{X \neq E} H_X \quad \text{(revealing a confidential message to honest principals)}$$

$$D = \bigcup_{X \neq E} D_X \quad \text{(declassifying a confidential message)}$$

$$L = \bigcup_{m \in M_c} \{\bar{\delta}^{c}_{E}(m'),\ \delta^{c}_{E}(m') \in Act_E \mid m \triangleleft m'\}$$

where H_X and D_X, the high-level and declassification actions of the principal X, are given in Table VI.


Table VI. – High-level and declassification actions of SPPA processes.

We are now ready to state, as a reformulation of Theorem 1 above, that confidentiality is preserved by a protocol if no intruder can discriminate between behaviors of the normal protocol and behaviors of the protocol exchanging no confidential information. In other words, confidentiality is preserved if no high-level action containing a confidential message interferes with a low-level action unless a declassifying action has occurred. Formally:

Corollary 5 (Confidentiality). The protocol ASET ensures the confidentiality property if

$$\forall Q \in \mathcal{D}(ASET_E)\quad Q \setminus D \approx_{O_L} Q \setminus (D \cup H).$$

For example, let P be the concurrent composition of the processes A, S, B and E specifying the WMF protocol, aE = {A, B, I, K_IS} the initial knowledge of the intruder and Mc = {M, K_AB, K_AS, K_BS} the set of confidential messages. P does not ensure the confidentiality property since its sub-process Q, the concurrent composition of the processes 0 (the principal A, having sent his two messages), $\bar{c}_2(\{(A, K_{AB})\}_{K_{IS}}).0$ (the server), B and ε(T), where T = {A, B, I, K_IS, {K_AB}_{K_AS}, {M}_{K_AB}}, does not satisfy BNAI. Here Q is the state reached when A has sent his two messages, intercepted by the intruder, who forwarded the first message to the server after replacing B's name by the intruder's own, and the server is ready to send the key K_AB to the intruder over the channel c2. Q does not verify BNAI simply because, by removing the high-level action $\bar{\delta}^{c_2}_{S}(\{(A, K_{AB})\}_{K_{IS}})$ (process Q\(D ∪ H)), it cannot execute the low-level action $\delta^{c_2}_{E}(\{(A, K_{AB})\}_{K_{IS}})$, while masking the high-level action (process Q\D) would allow this low-level action to be performed; hence the bisimulation above does not hold.
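As an added illustration (not the authors' tool or any code from the paper), the intruder's deduction rules 1 to 8, the key set K_E of Definition 2, the relations contains and contains-in-clear of Definition 3 and the set M_sec of Definition 4 are coded below and replayed on the Table V attack against the Wide Mouthed Frog protocol just discussed. The term encoding, the key names K_AS, K_BS, K_IS, K_AB and the reading of the last rule of Definition 3 as "the decryption key is known" (the key itself for the symmetric keys used here) are assumptions.

```python
"""Intruder deduction (rules 1-8), K_E (Definition 2) and the relations
contains / contains-in-clear (Definition 3), replayed on the Wide Mouthed Frog
attack of Table V.  Added illustration: the term encoding and the key names
are assumptions, not the authors' tool."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Term:      # tag 'enc' = {msg}_key, 'sig' = [msg]_key, 'hash' = h(msg)
    tag: str
    key: object
    msg: object

def Enc(k, m): return Term('enc', k, m)
def Sig(k, m): return Term('sig', k, m)   # reveals nothing of msg (one-way hash)
def Hash(m): return Term('hash', None, m)

# Plain n-tuples are Python tuples (rules 2 and 3).  Symmetric keys are their
# own inverse; an asymmetric pair would be listed in INVERSE (constructed data).
INVERSE = {}
KEYS = {'K_AS', 'K_BS', 'K_IS', 'K_AB'}

def inv(k):
    return INVERSE.get(k, k)

def analyse(terms):
    """Saturate knowledge under the decomposition rules only: rule 3 (tuple
    components) and rule 6 (decrypt when the inverse key is known)."""
    known = set(terms)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            new = set()
            if isinstance(t, tuple):
                new.update(t)
            elif isinstance(t, Term) and t.tag == 'enc' and inv(t.key) in known:
                new.add(t.msg)
            if not new <= known:
                known |= new
                changed = True
    return known

def derives(known, m):
    """T -> m: m is analysed knowledge or buildable by the composition rules
    2 (pair), 4 (hash), 5 (encrypt) and 7 (sign)."""
    if m in known:
        return True
    if isinstance(m, tuple):
        return all(derives(known, x) for x in m)
    if isinstance(m, Term):
        return (m.tag == 'hash' or derives(known, m.key)) and derives(known, m.msg)
    return False

def known_keys(known, keys=KEYS):
    """K_E of Definition 2: the keys the intruder can infer."""
    return {k for k in keys if derives(known, k)}

def contains(m, mp):
    """m <| mp: mp contains m through tuples, hashes, encryptions, signatures."""
    if m == mp:
        return True
    if isinstance(mp, tuple):
        return any(contains(m, x) for x in mp)
    return isinstance(mp, Term) and contains(m, mp.msg)

def contains_clear(m, mp, ke):
    """m <|_clear mp: as contains, but an encryption is only crossed when E
    holds the decryption key (for symmetric keys, the key itself)."""
    if m == mp:
        return True
    if isinstance(mp, tuple):
        return any(contains_clear(m, x, ke) for x in mp)
    if isinstance(mp, Term) and mp.tag == 'enc' and inv(mp.key) in ke:
        return contains_clear(m, mp.msg, ke)
    return False

def secret_messages(exchanged, mc, ke):
    """M_sec of Definition 4, restricted to the messages actually exchanged."""
    return {mp for mp in exchanged if any(contains_clear(m, mp, ke) for m in mc)}

def wmf_analysis():
    """Replay Table V on constructed terms; report what E can deduce."""
    cipher1 = Enc('K_AS', 'K_AB')
    msg1 = ('A', 'B', cipher1)            # (1) A -> I(S), intercepted
    msg2 = ('A', 'I', cipher1)            # (2) I(A) -> S, forged by E
    msg3 = Enc('K_IS', ('A', 'K_AB'))     # (3) S -> I
    msg4 = Enc('K_AB', 'M')               # (4) A -> I(B), intercepted
    a_e = {'A', 'B', 'I', 'K_IS'}         # initial knowledge a_E
    before = analyse(a_e | {msg1, msg4})  # the set T of the paper's example
    ke = known_keys(before)
    after = analyse(before | {msg3})
    return {
        'can_forge_msg2': derives(before, msg2),
        'k_ab_before': derives(before, 'K_AB'),
        'm_before': derives(before, 'M'),
        'msg1_clear': contains_clear('K_AB', msg1, ke),  # under K_AS: safe
        'msg3_clear': contains_clear('K_AB', msg3, ke),  # under K_IS: as clear
        'msec_before': secret_messages({msg1, msg3, msg4}, {'K_AB', 'M'}, ke),
        'k_ab_after': derives(after, 'K_AB'),
        'm_after': derives(after, 'M'),
    }
```

Before the server's reply the intruder can forge message (2) but derives neither K_AB nor M; message (3) is the only exchanged message in M_sec, and once it is received both K_AB and M become E-feasible, which is exactly the unsafe flow the text describes.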


Now our objective is to give a formal proof of the customer's anonymity towards the merchant. We will reduce anonymity to a confidentiality problem and apply Corollary 5.

Anonymity. In order to analyze anonymity as a security property, we need to define it in a precise way. But rather than a single property, it seems that there are many different flavors of anonymity, and its requirements vary according to the applications: web browsing, e-mail, electronic voting, electronic payment, electronic publishing, etc. A formal definition should be applicable to all these various situations, and some efforts have been made in that direction: existing techniques for the formal specification and analysis of anonymity include the approaches based on process algebra [32], those that use modal logic of knowledge [34, 16] for non-deterministic protocols, and [30] for the probabilistic model. So our intention is not to define a new formal framework for anonymity applicable to its different flavors (future work will address this problem using the admissible interference property). In the following, we prove (for this particular protocol) that the anonymity we want to analyze reduces to a problem of confidentiality, so that it can be formally analyzed by applying Corollary 5. First, let us define precisely what we mean by anonymity.

Definition 6. The protocol ASET ensures the customer's anonymity towards the merchant if the following requirements are satisfied:

(i) it is not possible for the merchant to trace the identity of the customer based on the protocol (untraceability);

(ii) different transactions performed by the same customer may not be linked by the merchant, even if his identity remains hidden (unlinkability);

(iii) the disclosure of the identity for one transaction must not lead to the loss of anonymity for all other transactions performed by the same customer (perfect unlinkability).

With respect to the definition above, the following proposition holds.

Proposition 7. The protocol ASET ensures the anonymity of the customer towards the merchant if and only if it ensures the confidentiality of the customer's identity idc (together with the bank's nonce nb) towards the merchant.

Proof. 1. Anonymity ⇒ confidentiality of idc is obvious by the untraceability requirement.

2. Now suppose that the confidentiality of idc and nb is ensured. We must prove that both the untraceability and unlinkability requirements hold. This will be done by an induction on the structure of the message:

Message in clear: m contains the non-encrypted identifier (or the certificate) of X. For the client, by our hypothesis, this case cannot occur.

Signed message (hashed message): m = (m′, [m′]_X) is a message signed by X and the verification of the signature with his signature public key is confirmed. This case requires access to the client's signature. But in ASET there are only two messages signed by the client (steps (2) and (6) of the protocol), and both messages contain his identifier idC; thus the success of the verification of the signature depends on prior knowledge of the client's identity, which is not possible by hypothesis.


Encrypted message under a symmetric key: {m}_{K_xy} is a message encrypted with the secret key K_xy shared by X and Y (non-corrupted, i.e. no one else could encrypt m under K_xy except the two principals X and Y who share the secret key), Y knowing the identity of X. For example, suppose that we remove the sender's identity in the first message of the WMF protocol. When the server receives the message it is supposed to ignore who sent the message. But the server can try to decrypt the message with all the keys K_XS shared with the other principals. Since only the right key will succeed in decrypting it, the server can determine who the sender is even if the message does not contain his identity. But this case supposes that the secret shared key is linkable to the identities of the principals who share it. That is not the case for the secret key randomly generated by the customer in the ASET protocol.

Encrypted message under a public key: {m}_{K_x}, Y encrypts a fresh message m (for instance a nonce) with a public key of X and gets back information that only the knowledge of the message m could yield, meaning that X has decrypted his message and got involved in a run of the protocol. The freshness of m ensures that X is involved in the present session of the run of the protocol, i.e. the answer is not a replay of an old session. This case requires not only the knowledge of the client's encryption public key (shared only with his bank) but also interference with the high-level action, admissible only if the client has decrypted the message. However, the only state where the client process attempts to decrypt a message with his private key is the state reached by the process C2 (see Figure 2), and in this state the decryption decC(Kc^{-1}, x5) is followed (after the extract and pair actions) by a failure of the checksignC(KSb^{-1}, x10, x9) test if the message does not contain his identifier. Since the fail action may be caused by other situations (client's inability to decrypt the message, wrong nonce, etc.), the success of this case depends on prior knowledge of idc on the part of the principal that has encrypted the message.

Hence the confidentiality of idC implies the untraceability of his identity. For the unlinkability, note that the three items directly linked to the customer are his identifier idc, his public keys and his signature. Unlinkability is ensured by the fact that any message that contains idc, or is encrypted under the customer's public key, or is signed by the customer, is “padded” with the random fresh nonce nb, which is different for every transaction. If nb is not confidential (to the merchant) then the disclosure of idc for one transaction will allow the merchant to link this transaction to all other transactions performed by the customer, since he knows all the parameters of the signed message ReqB2C. The verification of the bank's signature will allow him to determine whether or not the transaction was performed by this particular client.

For this protocol our objective is to ensure that only the client's bank may identify him. Anonymity is thus ensured by the confidentiality of his identifier idc and his bank's nonce nB relative to the merchant, the merchant's bank and every intruder (the merchant and his bank both have to be considered on the intruder's side!). Therefore the sets of high-level and declassifying actions are defined as follows:

$$H_a = \bigcup_{X \in \{C, B\}} H_X \quad \text{(actions revealing } id_c \text{ in clear to honest principals)}$$

$$D_a = \bigcup_{X \in \{C, B\}} D_X \quad \text{(actions declassifying } id_c\text{)}$$

$$L_a = \bigcup_{m \in M_c} \{\bar{\delta}^{c}_{E}(m'),\ \delta^{c}_{E}(m') \in Act_E \mid m \triangleleft m'\}$$

where $M_c = \{id_c,\ n_b,\ K_b^{-1},\ K_c^{-1},\ KS_b,\ KS_c\}$, that is, the client's identifier, the bank's session nonce and their private keys. Although the merchant and his bank are considered on the


low-level (intruder’s side), we consider their actions as the silent action τ. The reason is thatwe model their collaboration with the intruder by adding their private keys to the intruder’sknowledge. Hence if any honest merchant or his bank can disclose the client’s identity, sowould the intruder since he may play their roles. Therefore, it is sufficient to focus on theintruder’s actions. The (client’s) anonymity property of the protocol ASET is expressed byreformulating Corollary 5.

Corollary 8 (Anonymity). The protocol ASET preserves the client's anonymity if

$$\forall Q \in \mathcal{D}(ASET_E)\quad Q \setminus D_a \approx_{O_{L_a}} Q \setminus (D_a \cup H_a).$$

We have not yet completed the automatic verification of these properties because the tool is still in the development stage. Nevertheless, manual analysis confirms that the client's identifier idc remains confidential during the progress of the protocol. This result is formalized by the following theorem.

Theorem 9. The protocol ASET preserves the client's anonymity towards the merchant, that is, the bisimulation defined in Corollary 8 is verified.

Proof. Let P = α1.α2 … αn.P′ and Q = β1.β2 … βm.Q′ be two processes. Suppose that for all i (1 ≤ i ≤ n), αi is neither an input action nor an output one. Let γ = γ1.γ2 … γn+m be any sequence obtained by inserting the βj into the sequence of the αi while preserving their order, that is, for all k (1 ≤ k ≤ n + m) there is a unique i (1 ≤ i ≤ n) or a unique j (1 ≤ j ≤ m) such that γk = αi or γk = βj, and if γk1 = αi1 (resp. βj1) and γk2 = αi2 (resp. βj2) then k1 ≤ k2 iff i1 ≤ i2 (resp. j1 ≤ j2). For any such sequence γ, the parallel composition of P and Q performs γ and reaches the parallel composition of P′ and Q′; that is, the order of the αi and βj in γ does not make any difference, since any such sequence leads to the same observation.

Now, for the bisimulation above, we want to avoid the following situation:

(S1)   … h.l.τ*

where a high-level action h interferes with a low-level one l. It is then sufficient to show that for the two honest principals (the client and his bank), any sequence of their private actions between their input and output actions never ends in the following situation:

(S2)   … h.τ*

since any occurrence of any low-level action may appear after the output action, leading to situation (S1) above. According to the specifications of the client and his bank (Table II) we have the following sequences.

1925-Her/Telecom 60/3-4 14/03/05 11:01 Page 481

Page 24: Anonymous and Secure electronic Transaction Protocol – ASET – …brlek/Recherche/ListePublis/Articles/... · 2005-03-16 · pp. 459- 459 1/28 ANN.TÉLÉCOMMUN., 60, n° 3-4, 2005

Client’s bank:

• c2(z1). … [z6 = idc] checksignB(KSc⁻¹, z3, z4). … z10 := encB(Kc, (nb, refb, z9)). c̄3(z10)

• c9(z11). … z23 := pairB(z5, z16, nb, z17, z6, z18, refb, z20, status). z24 := signB(KSb, z23). z25 := pairB(z5, z16, z17, idb, z18, refb, z20, status, z24). z26 := signB(KSb, z25). z27 := encB(Km, (z18, status, z24, z26)). c̄10(z27). 0

Client:

• c1(x1). x2 := pairC(nc, idc, x1). x3 := signC(KSc, x2). x4 := encC(Kb, (x2, x3)). c̄3(x4)

• c3(x5). … x11 := encC(Km, (nc, Kcm)). x12 := pairC(listP, x11). c̄4(x12)

• c5(x13). … x20 := pairC(nc, x15, x7, idm, idc, x16, x8, x17). x21 := signC(KSc, x20). x22 := pairC(nc, x15, certb, x16, x8, x17, x21). x23 := encC(Kcm, x22). x24 := pairC(x16, x23). c̄6(x24)

• c11(x25). … x32 := pairC(nc, x15, x7, idm, idc, x16, x8, x9, x27). checksignC(KSb⁻¹, x32, x29). 0

First, note that the protocol never requires a principal to transmit his private keys. Therefore we may consider that the keys of honest principals are never corrupted (we assume perfect cryptography). Furthermore, messages are also assumed to be well formed, that is, it is not possible to confuse a nonce with a transaction reference, an identifier with an amount, etc.

The bank’s specification is then made of the two sequences …d.τ and …h.d.τ⁴ (or …h.d.h.d.τ²), which obviously do not correspond to situation (S2). Indeed, in the first sequence, if the encryption action z10 := encB() occurred then the preceding test [z6 = idc] has succeeded. Therefore the bank will use the right key Kc to encrypt the message. From the definitions of Ha and Da and the assumption above, z10 := encB(Kc, (nb, refb, z9)) belongs to Da since nb ∈ Msec and Kc⁻¹ ∉ KE. Likewise, δ_B(c̄3(z10)) = τ since nb ⊑ z10 (z10 = {(nb, refb, z9)}Kc) but nb ⋢_clear z10, that is, nb does not appear in clear in z10. For the second sequence, clearly z23 ∈ Msec since nb is a confidential message. Therefore z23 := pairB(z5, z16, nb, z17, z6, z18, refb, z20, status) is in Ha and z24 := signB(KSb, z23) is in Da. For the last four actions, if z25 does not contain nb or idc in clear (normally this should be the case!) then all four actions are the silent action τ, leading to the sequence …h.d.τ⁴. Now suppose that the intruder has succeeded (by any means) in including nb or idc in z25 (we may suppose that the merchant’s nonce nm, i.e. z16, is replaced by the bank’s one); then z25 := pairB(z5, z16, z17, idb, z18, refb, z20, status, z24) is a high-level action, followed by the declassification action z26 := signB(KSb, z25). Still, the last two actions remain silent actions τ. Indeed x16 is assumed to be the merchant’s transaction reference refm and, in order to be accepted by the bank, it should not be confused with a nonce or a principal identifier. Since z24 and z26 are signatures alone, (z18, status, z24, z26) does contain nb or idc (because of z24 at least) but does not contain them in clear. Therefore these two actions can be in neither Ha nor Da. Hence they are the τ action and the resulting sequence is …h.d.h.d.τ².

Now let us take a closer look at the client’s specification. It contains the four sequences …d.τ, …τ².d, …h.d.τ⁴ and …h.τ. Indeed, in the first sequence, the client will always use his bank’s public key (stored in his chip-card) to encrypt the message x2 and, since he always includes his identifier idc in the message, the encryption action x4 := encC(Kb, (x2, x3)) is a high-level one. The output action δ_C(c̄2(x4)) is the τ action simply because the cryptogram x4 contains idc but not in clear. For the second sequence, note that the output message x12 = (listP, {(nc, Kcm)}Km) does not contain any confidential message and, by definition, the production of a non-confidential message is a declassification action. Consider now the third sequence …h.d.τ⁴: it is very close to the second sequence of the bank’s specification and follows from the same argumentation. Finally, in the last sequence x32 contains in clear idc and nb (x7), hence x32 := pairC(nc, x15, x7, idm, idc, x16, x8, x17, x27) is in Ha and is followed by checksignC(KSb⁻¹, x32, x29), which is a τ action since checksign appears in neither the definition of high-level actions nor that of declassification actions. Only this last sequence corresponds to situation (S2). However, this situation is harmless since the last two actions h.τ of the latter sequence are the last actions of the client and are not followed by his output action.

Before concluding, let us note that the nonces nc, nm and the session key Kcm may be corrupted by an intruder. The intrusion consists in intercepting the merchant’s certificate in message (1) and replacing it with the (valid) intruder’s certificate (the intruder must be a registered merchant, i.e. a merchant known by the financial institutions). The intruder plays the role of an honest merchant for the client and tries to defraud the merchant. But the client’s bank, after authenticating the intruder’s certificate, will include the intruder’s identifier in message (10). The intruder can try to substitute his id with the merchant’s one, encrypt the message with the merchant’s public key and transmit it. In this case the verification of the bank’s signature by the merchant fails. The intruder will have to deliver the goods to the client, who knows him since he has been authenticated by the bank, and he cannot let the merchant and client believe that the transaction has been refused. To illustrate briefly how the BNAI property can capture this confidentiality failure, let

$$a_E = \{KS_e, K_e^{-1}, id_E, n_e, K_{em}, cert_e, cert_b, K_b, KS_b^{-1}, K_a, KS_a^{-1}\}$$

be the set of the intruder’s initial knowledge and

$$M_c = \{id_c, n_c, n_m, n_b, K_{cm}, KS_m, KS_c, KS_b, KS_a, K_m^{-1}, K_c^{-1}, K_b^{-1}, K_a^{-1}\}$$

be the set of confidential messages. Consider the sub-process

$$Q = \varepsilon(a_E \cup \{cert_m\}) \mid M_1 \mid C_3 \mid B_2 \mid A$$

of ASET_E, where M1, C3 and B2 are the processes defined in Tables II and III. Q is the state reached after the bank has authenticated the intruder’s certificate and the client is ready to send him the session key Kcm. Since the authenticated merchant is the intruder, the client will use his public key Ke to encrypt the message {(nc, Kcm)}, that is, x11 := encC(Ke, (nc, Kcm)), x12 := pairC(listP, x11) and c̄4(x12) are high-level actions. So, on one hand, by hiding high-level actions we have

$$Q\backslash D = \varepsilon(a_E \cup \{cert_m\}) \mid M_1\backslash D \mid \tau^{3}.(C_4\backslash D) \mid B_2\backslash D \mid A\backslash D$$

and, on the other hand, by removing them,

$$Q\backslash(D \cup H) = \varepsilon(a_E \cup \{cert_m\}) \mid M_1\backslash(D \cup H) \mid 0 \mid B_2\backslash(D \cup H) \mid A\backslash(D \cup H).$$

They are clearly not bisimilar since the first process allows the low-level action δ_E(c̄4((listP, {(nc, Kcm)}Ke))), leading to the disclosure of nc and Kcm, to occur while the second one cannot. Although this is a harmless breach of confidentiality, it has to be noted.
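As an added illustration (not the paper’s tool or its process algebra), the following Python models the message-level check the proof above relies on: whether a confidential atom is a sub-message of a term (nb ⊑ z10) and whether it appears in clear to the intruder (⊑_clear), which decides whether an output is silent or disclosing. The key-naming convention Kc^-1, the opaque treatment of signatures, and the sample terms are assumptions constructed from the proof.

```python
from dataclasses import dataclass
from typing import Tuple, Union

# Message terms mirroring the constructors used in the proof above.
@dataclass(frozen=True)
class Pair:             # pairB / pairC
    parts: Tuple["Term", ...]

@dataclass(frozen=True)
class Enc:              # encB / encC: {body}_key
    key: str
    body: "Term"

@dataclass(frozen=True)
class Sign:             # signB / signC: kept opaque, as the page treats z24/z26
    key: str
    body: "Term"

Term = Union[str, Pair, Enc, Sign]

def inv(key: str) -> str:
    """Assumed naming: the decryption key matching public key 'Kc' is 'Kc^-1'."""
    return key + "^-1"

def submessage(atom: str, m: Term) -> bool:
    """atom ⊑ m: atom occurs somewhere in m, even under encryption or signature."""
    if isinstance(m, str):
        return m == atom
    if isinstance(m, Pair):
        return any(submessage(atom, p) for p in m.parts)
    return submessage(atom, m.body)           # Enc or Sign

def in_clear(atom: str, m: Term, intruder_keys: frozenset) -> bool:
    """atom ⊑_clear m: atom is reachable using only keys the intruder holds."""
    if isinstance(m, str):
        return m == atom
    if isinstance(m, Pair):
        return any(in_clear(atom, p, intruder_keys) for p in m.parts)
    if isinstance(m, Enc):
        return inv(m.key) in intruder_keys and in_clear(atom, m.body, intruder_keys)
    return False                              # Sign: contents never in clear

def classify(m: Term, confidential: frozenset, intruder_keys: frozenset) -> str:
    """'confidential': some confidential atom is in clear (m ∈ Msec, so an output
    of m is a disclosing low-level action); 'declassified': confidential atoms
    occur only under keys the intruder lacks (the output is silent, τ);
    'public': m carries no confidential atom at all."""
    if any(in_clear(a, m, intruder_keys) for a in confidential):
        return "confidential"
    if any(submessage(a, m) for a in confidential):
        return "declassified"
    return "public"

# Constructed sample terms from the proof; KE = intruder's decryption keys.
MSEC = frozenset({"idc", "nc", "nm", "nb", "Kcm"})
KE = frozenset({"Ke^-1"})                          # only the intruder's own private key
Z10 = Enc("Kc", Pair(("nb", "refb", "z9")))        # bank's reply under the client's key
X12_HONEST = Pair(("listP", Enc("Km", Pair(("nc", "Kcm")))))    # session key to merchant
X12_INTRUDER = Pair(("listP", Enc("Ke", Pair(("nc", "Kcm")))))  # after the certificate swap
Z27 = Enc("Km", Pair(("z18", "status", Sign("KSb", Pair(("z5", "nb"))))))  # nb only signed
```

Running classify over Z10, X12_HONEST and Z27 gives "declassified", while X12_INTRUDER gives "confidential", which is exactly the nc/Kcm disclosure the BNAI comparison above detects.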

VI. CONCLUSION

We have proposed ASET, a protocol for electronic commerce that enhances the protection of personal data and privacy by providing a new feature, namely the anonymity of the client towards the merchant. To our knowledge, it is the first bank card-based system (not a mediating system such as NetBill and CyberCash) designed to ensure the customer’s anonymity towards the merchant. Unlike the traditional “costly” approaches, we do not use Chaum’s blinded signature techniques, which require customers to register new certificates for every transaction to achieve anonymity. The customer does not need to authenticate himself to the merchant, who is guaranteed to be paid. Furthermore, not only can the merchant not link a transaction to a customer, but he also cannot link two different transactions of the same customer even if the customer identity is hidden. Finally, the disclosure of the identity for one transaction must not lead to the loss of anonymity for all other transactions performed by the same customer. We have also outlined the guidelines for the specification and the verification of the security properties it should have, and a complete proof of the anonymity property. Moreover, ASET guarantees non-repudiation, does not request any optional parameter, and can be formally analyzed easily.

Acknowledgments

The authors are grateful to the anonymous referees for both their careful reading and the valuable comments they provided.

Manuscript received 25 November 2003. Accepted 10 September 2004.
