SPP Secure Payment Protocol: Protocol Analysis, Implementation and Extensions

Kovan, Gerry

January 2005

Internet commerce continues to grow rapidly. Over 60% of US households use the internet to shop online. A secure payment protocol is required to support this rapid growth. A new payment protocol was recently invented at IBM. We refer to the protocol as SPP or Secure Payment Protocol. This thesis presents a protocol analysis of SPP. It is essential that a thorough security analysis be done on any new payment protocol so that we can better understand its security properties. We first develop a method for analyzing payment protocols. This method includes a list of desirable security features and a list of proofs that should be satisfied. We then present the results of the analysis. These results validate that the protocol does contain many security features and properties. They also help understand the security properties and identify areas where the protocol can be further secured. This led us to extend the design of the protocol to enhance its security. This thesis also presents a prototype implementation of SPP. Three software components were implemented. They are the Electronic Wallet component, the merchant software component and the Trusted Third Party component. The architecture and technologies that are required for implementation are discussed. The prototype is then used in performance measurement experiments. Results on system performance as a function of key size are presented. Finally, this thesis presents an extension of SPP to support a two buyer scenario. In this scenario one buyer makes an order while another buyer makes the payment. This scenario enables additional commerce services.

Computer Science

Secure Payment Protocol

Internet Commerce

Public Key Cryptography

SSL

Digital Signatures

SPP Secure Payment Protocol: Protocol Analysis, Implementation and Extensions

Kovan, Gerry

January 2005

Internet commerce continues to grow rapidly. Over 60% of US households use the internet to shop online. A secure payment protocol is required to support this rapid growth. A new payment protocol was recently invented at IBM. We refer to the protocol as SPP or Secure Payment Protocol. This thesis presents a protocol analysis of SPP. It is essential that a thorough security analysis be done on any new payment protocol so that we can better understand its security properties. We first develop a method for analyzing payment protocols. This method includes a list of desirable security features and a list of proofs that should be satisfied. We then present the results of the analysis. These results validate that the protocol does contain many security features and properties. They also help understand the security properties and identify areas where the protocol can be further secured. This led us to extend the design of the protocol to enhance its security. This thesis also presents a prototype implementation of SPP. Three software components were implemented. They are the Electronic Wallet component, the merchant software component and the Trusted Third Party component. The architecture and technologies that are required for implementation are discussed. The prototype is then used in performance measurement experiments. Results on system performance as a function of key size are presented. Finally, this thesis presents an extension of SPP to support a two buyer scenario. In this scenario one buyer makes an order while another buyer makes the payment. This scenario enables additional commerce services.

Computer Science

Secure Payment Protocol

Internet Commerce

Public Key Cryptography

SSL

Digital Signatures

可預防雙重支付的離線小額匿名交易機制 / Anonymous off-line micro-payment protocol with double spending prevention

林承毅

Unknown Date

近年來手機的普及率日漸增加，手機逐漸成為生活中不可或缺的工具，因此許多生活方式逐漸的偏向由手機端完成，例如:找路不需要再透過地圖,上網查資料不需要再透過電腦，人們逐漸地把實體錢包轉向利用手機支付的電子錢包，像是中國支付寶等支付系統。利用手機當作錢包已經是現今手機發展的主要方向，然而對於手機的安全支付議題也日漸重視，近年來有安全晶片的保護下使用者的手機安全也有一定程度的提升，但是在離線交易的情況下惡意使用者的操作依然是可以欺騙安全晶片並製造出雙重支付的問題。 2016年陳等人提出了一個基於NFC系統的匿名行動付款協定，然而該協定中必須要有銀行端的介入才能執行交易。在本論文中，我們基於陳等人的線上交易協定為基礎下發展了本篇論文的新交易協定，此交易協定可以適用於離線以及線上的環境。 離線環境下的雙重支付行為一直交易的過程中難以預防的攻擊，在本篇論文中我們透過安全晶片、符號化和本論文研究的雜湊鍊來預防雙重支付行為，且能保障使用者在交易過程中的匿名性。 / As the coverage of mobile phone has been constantly increased in recent years, the mobile phones have become an indispensable tool in life. Many ways of lives are gradually done through the mobile terminals, for example: No longer need to find the way through the map or search information through the computer, people have also gradually turned to electronic payment via e-wallets instead of paying via physical wallets, such as AliPay in China. Adopting the mobile phone as a wallet is nowadays the main development direction of mobile phones. Meanwhile, people are paying more and more attention to the topics on the security of mobile payment than before. In recent years, under the protection of secure element, the security of users’ mobile phone has been enhanced to a certain extent. In the case of off-line transactions, malicious users are capable of fooling secure element and making double spending. In 2016, Chen et al. proposed a NFC-Based anonymous mobile payment protocol. In that protocol the transaction can only be executed with the involvement of issuer. In this research, we introduce a new protocol which can support both on-line and off-line transactions. Our protocol is modified from that of Chen et al.’s idea. In our protocol, to prevent a malicious user, we use a secure element which stores sensitive information that cannot be altered by the user. In this way, the cheating behavior of a malicious user can be prevented. On the other hand, by using the token techniques, the anonymity of a user can be achieved from the view of a merchant. In this study, we focus on double spending which can make merchant a lot of cost at off-line transaction. We used hash chain to verify the correctness of transactions and prevent the double spending.

雙重支付

NFC

離線交易

安全交易

Token

Double Spending

NFC

Off-line Payment

Secure Payment

Token