A Novel Logic for Analyzing Electronic Payment Protocols

ITM Web of Conferences, Jan 2016

A novel formal method is proposed for analyzing security properties such as accountability, fairness and timeliness in electronic payment protocols. The method extends the Qing-Zhou approach, which is based on logic reasoning, by adding a simple time expression and analysis method. This increases the ability to describe event times and extends the logical inference rules with time characteristics. An anonymous electronic cash payment protocol is analyzed with the novel logic, and the result shows that the protocol does not satisfy fairness because of a timeliness problem in the protocol. The novel logic method proposed in this paper has a certain theoretical and practical significance for the design and formal analysis of electronic payment protocols. At the same time, its idea has a certain guiding value for improving the security of other security protocols.


Yi LIU, Xing-Tong LIU, Chao-Jing TANG

College of Electronic Science and Engineering, National University of Defence Technology, Changsha, China

1 Introduction

Electronic payment has made unprecedented progress in recent years, and the security problems in electronic payment activities receive increasing attention. The electronic payment protocol is the technical basis for the security of electronic commerce activities, and electronic payment protocols provide all kinds of security services for consumers. The analysis and research of electronic payment security protocols has become an important issue in the field of information security [1]. However, electronic payment protocols are like other cryptographic protocols: even when they are carefully designed, there are still security vulnerabilities. Secure and reliable electronic payment protocols are important guarantees for the security of electronic payment activities.
To ensure the correctness and security of electronic payment protocols, it is necessary to analyze protocols accurately and to find their defects and vulnerabilities through formal analysis. The results can be used to guide the design of a protocol or to repair the defects of the original protocol. Research on formal analysis methods for electronic payment protocols therefore has important theoretical significance and application value.

The main formal analysis methods for electronic payment protocols today are logic reasoning, model checking, and theorem proving. Model checking cannot analyze some special security properties such as accountability, fairness and anonymity, because it lacks the ability of logical reasoning. Logic-based approaches have been an important kind of formal analysis method for electronic payment protocols in recent years. Kailar logic [2] can analyze accountability in a protocol, but it cannot analyze fairness; Qing-Zhou logic [3][4] can be used to analyze both accountability and fairness. In paper [5], the common properties of protocols are described in ATL (alternating-time temporal logic), which is based on game theory, and fairness and timeliness are analyzed with the model checking tool MOCHA. However, most current logic methods can only be used to analyze some security properties. Improving the analysis ability of the existing typical logic methods for electronic payment security protocols is therefore a hotspot and trend in current formal method research.

In this paper, a novel logic is proposed for the analysis of electronic payment protocols by adding a simple time expression and a time analysis method. The ISI protocol is analyzed using the proposed logic, and the result shows that the ISI protocol does not provide timeliness. The novel logic therefore has the ability to describe and analyze the timeliness of electronic payment protocols.
2 Concepts and Definitions

The definitions and symbols used in the novel logic are as follows.

2.1 Basic Symbol

A, B: parties participating in the protocol;
TTP: trusted third party;
M: message transferred in the protocol;
(m, n): message m combined with message n;
$K_a$: the public key of party A, which is used to verify the digital signature of A. $K_a^{-1}$ is the secret key that corresponds to $K_a$;
K : dual key of K. If K is an asymmetric key, then K = $K^{-1}$. If K is a symmetric key, then K = K;
$\{m\}_K$: cipher text of message m encrypted with the secret key K;
T: time of occurrence;
EOO (evidence-of-origin): non-repudiation evidence provided to the receiver in an electronic payment protocol, which is used to prove that the sender has sent the message;
EOR (evidence-of-receipt): non-repudiation evidence provided to the sender in an electronic payment protocol, which is used to prove that the receiver has received the message sent by the sender.

2.2 Time System

We describe the time at which an event occurs by adding a condition to the formula language of the formal logic, such as A  m at T, where m is a message, A is one of the parties in the protocol, and T is a time expression. This definition adds a description of the time at which a message is sent or received. Let $I = \{0, 1, 2, 3, \ldots\} \cup \{-1, -2, -3, \ldots\}$ stand for the integers. Time expressions are then defined as follows:

1. x is a constant time element if $x \in I$.
2. X is a variable time element if X is a variable ranging over I.
3. $X|T_S$ is a time binding expression if X is a variable time element and $T_S \subseteq I$.
4. [T] is a time expression if T is a time binding expression.

A constant time element is written as a lower-case t with a subscript, and a variable time element is written as a capital T with a subscript. A time binding expression binds a variable time element X to the value of some constant time element t ($t \in T_S$).
Once the value of a variable time element is bound by a time binding expression, it functions in the same way as a time constant. It cannot be bound again before the bound value is released. In logical formulas, the time expression [X|I] can be abbreviated to [X], and [X|{x}] can be abbreviated to [x], where x is a constant time element or a variable time element with a bound value. The value of a variable time element is bound at the first appearance of an operation in its formula.

2.3 Protocol and Environment

The protocol party set is Principle = {TTP, A, B, C, …, P, Q, R, …}, where A, B, Q, R, … are participants in the protocol. They can be either honest or dishonest; that is, they may follow the execution of the protocol or deviate from it. In general, we assume that these parties are dishonest and that they may interrupt the execution of the protocol at will. TTP (trusted third party) is a special party, which the other parties participating in the protocol regard as a fair trusted third party. A bank or an arbitration organization can serve in the TTP role.

Another important part of the environment is the communication channel. Communication channels can be reliable or unreliable, depending on the specific operating environment. Usually, the communication channel between general parties is unreliable, while the communication channel between the TTP and other parties is recoverable. That is, the communication channel is not paralyzed forever, and a message can finally be transmitted.

A protocol statement defines which messages should be sent and received by the parties in the current round. It is written as follows:

$A \rightarrow B : m$ at T: A sent message m to B at T.

2.4 Possession Sets in Protocol

Assume that the protocol begins to run at $T_0$ and that A is an arbitrary party participating in the protocol. At the beginning of the protocol, the initial possession set of A is $O_a(T_0)$.
When the protocol has executed to $T_x$, the possession set of A becomes $O_a(T_x)$. In addition, we define $O_a(T_e)$ as the final possession set of A at the end of the protocol. At any time during the run, the possession set of A contains the information from the earlier possession set that has not been deleted, together with the messages received and sent at that time. The possession set of A changes constantly as the protocol executes, until $O_a = O_a(T_e)$. When the protocol runs at $T_x$, the possession set of A changes from $O_a(T_y)$ to $O_a(T_x)$ with $T_y < T_x$, which means that $T_y$ is the moment before $T_x$. The change follows these rules:

(1) If the executed protocol statement is $A \rightarrow B : m$ at $T_x$ and m is a new message generated by A, which means $m \notin O_a(T_y)$, then $O_a(T_x) = O_a(T_y) \cup \{m\}$. If m is not a new message generated by A, we have $m \in O_a(T_y)$.

(2) If the executed protocol statement is $B \rightarrow A : m$ at $T_x$ and $m \notin O_a(T_y)$, then $O_a(T_x) = O_a(T_y) \cup \{m\}$.

(3) Otherwise, $O_a(T_x) = O_a(T_y)$.

3 Logic Analysis Methods

3.1 Logic Component

Our method consists of the following 5 logical components:

(1) A  x : for any party B, A can make B believe formula x by performing a series of operations without leaking any secret y  x ;

be deduced from axioms. Therefore, the inference rule above indicates that  is theorem when  is theorem and  contains  . The 6 axioms in the axiom set are as follows:

A1. A  x ∧ A  y => A (x  y)
A2. A  x ∧(x=>y) => A  y
A  Kb B A3. A  {m}Kb1 at Tx Tx => A  B  m at [TY | TY  TX ] ∧ A4. A  B  {m}k at Tx ∧ A  B  k at TY A  B  m at max(TX ,TY )
A5. A  m at T => A  m at T
A6. A  {m}K at T∧ A  K => A  m at T

When the time of events is not analyzed, all time expressions in the above axioms use [X|I], and the operation "at" can be omitted.
The steps of using the novel logic to analyze protocols are as follows:

(1) Before giving the basic assumptions of the protocol, list all the constant and variable time elements that are used in the protocol reasoning. The actual values of the constant elements need not be given, but if there is a constraint relationship between different time constants, that relationship must be pointed out. When giving the basic assumptions and the target of the protocol, the time dependence of the events in the protocol must be described explicitly with formulas.

(2) The proof of the protocol target is divided into two steps. The first step, called logical reasoning, proves the first part of the protocol target. The second step, called time calculus, proves the latter half of the protocol target. Its function is to prove that the result obtained in the logical reasoning satisfies the time constraints specified in the protocol target. The method used in this step is the proof approach of algebraic equations and inequalities, so it is easy to grasp and use. If a formula holds at any time of the protocol, the time description "at T" can be omitted.

3.3 Protocol Analysis Procedure

Protocol analysis consists of the following 5 steps.

(1) List the initial possession sets of the parties in the protocol.

(2) List the initial assumptions of the protocol: (a) the basic assumptions; (b) the credible assumptions; (c) the protocol comprehension assumptions.

(3) List EOO and EOR, and analyze whether the design of EOO and EOR meets the requirements of accountability.

(4) Analyze whether $EOO \in O_b(T_e) \wedge EOR \in O_a(T_e)$ holds at the end of the protocol.

(5) Analyze whether the protocol achieves the target of fairness, that is, whether $EOO \in O_b(T_e)$ if and only if $EOR \in O_a(T_e)$ at the end of the execution time $T_e$.
4 ISI Protocol Analyses

The ISI protocol [6] is an anonymous electronic cash payment protocol proposed by Medvinsky and Neuman. It has three participants: customer A, merchant B, and the currency server CS, which is trusted by both parties. Its purpose is for customer A to pay merchant B through the currency server CS, while B provides a payment receipt to A. Throughout the payment process, customer A remains anonymous, and CS plays the role of TTP. The protocol steps are as follows:

(1) $A \rightarrow B : K_{ab}$ at $T_0$
(2) $B \rightarrow A : \{K_b\}_{K_{ab}}$ at $T_r$
(3) $A \rightarrow B : \{\{coins\}_{K_{cs}^{-1}}, SK_a, K\_ses, S\_id\}_{K_b}$ at $T_s$
(4) $B \rightarrow CS : \{\{coins\}_{K_{cs}^{-1}}, SK_b, transaction\}_{K_{cs}}$ at $T_k$
(5) $CS \rightarrow B : \{\{new\_coins\}_{K_{cs}^{-1}}\}_{SK_b}$ at $T_c$
(6) $B \rightarrow A : \{\{amount, Tid, date\}_{K_b^{-1}}\}_{SK_a}$ at $T_d$

In the ISI protocol, $K_{ab}$ represents the session key between A and B. $K_a$ and $K_b$ stand for the public keys of customer A and merchant B respectively, while $K_{cs}$ and $K_{cs}^{-1}$ stand for the public key and private key of the currency server CS. $\{coins\}_{K_{cs}^{-1}}$ represents the electronic currency of A. All currency is issued by CS. $SK_a$ and $SK_b$ represent the shared key of A and B. K_ses represents the key to the service to be obtained. S_id is an identifier for the service to be obtained. Transaction represents the specific transaction processing.

The analysis procedure of the protocol is as follows:

(1) List the initial possession sets. At the initial time of the protocol operation, the initial state of A and B is

$O_a(T_0) = \{K_{cs}\}$
$O_b(T_0) = \{K_{cs}\}$
A  Kcs CS
B  Kcs CS

(2) List the credible assumptions of the protocol:

T1: A  CS  m1  A  P  m  1

Assume that the currency server acts fully in accordance with the provisions of the protocol and will not do anything that is harmful to any party in the protocol. If A can prove that CS has sent message m1 to him, then A can prove that some other party P has sent CS the message that made CS send m1 to A.
(3) List the evidence of origin (EOO) and the evidence of receipt (EOR) as follows:

$EOO = \{new\_coins\}_{K_{cs}^{-1}}$
$EOR = \{amount, Tid, date\}_{K_b^{-1}}$

Assume that $EOO \in O_b(T_e)$ is satisfied at the end of the protocol $T_e$. According to axiom A3 and the credible assumption T1, we will get :

According to the credible assumption T1, we can obtain:

B  A  k at [T | T  Te ]  (5)

Because this is a protocol for anonymous payment, B only needs to prove that someone's payment is effective, without needing to prove who the payer is. So equation (5) can meet the requirement of accountability.

Assume that $EOR \in O_a(T_e)$ is satisfied at the end of the protocol, which means that A  $\{amount, Tid, date\}_{K_b^{-1}}$ is satisfied. Since we cannot prove A  Kb B , A  B  $\{amount, Tid, date\}_{K_b^{-1}}$ cannot be derived. Therefore the evidence of receipt EOR in the protocol cannot achieve the target of non-repudiation. The novel logic thus proves that the ISI payment protocol does not meet accountability.

(4) After all the steps of the protocol are completed, there will be A  EOR and B  EOO . Therefore, $EOO \in O_b(T_e) \wedge EOR \in O_a(T_e)$ holds at the end of the protocol.

(5) Then analyze the fairness of the protocol. The fairness objective is:

$EOO \in O_b(T_e)$ if and only if $EOR \in O_a(T_e)$  (6)

That is, the two parties obtain each other's non-repudiation evidence at the same time. Because CS is completely believable, we can obtain $CS \rightarrow B : \{new\_coins\}_{K_{cs}^{-1}}$ at $T_c$ and $\{new\_coins\}_{K_{cs}^{-1}} \in O_b(T_c) \Rightarrow EOO \in O_b(T_c)$. Only after the sixth step is completed is $\{amount, Tid, date\}_{K_b^{-1}} \in O_a(T_d)$ established. According to the steps of the protocol, the relationship between $T_c$ and $T_d$ is $T_c < T_d$. So $EOO \in O_b(T_c) \wedge EOR \in O_a(T_e) \wedge (T_c < T_d)$, which cannot achieve fairness. The main reason is that the implementation of the protocol does not place specific constraints on the relevant event times in the process.
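The possession-set rules of Section 2.4 can be run mechanically over the six ISI steps to show the gap between $T_c$ and $T_d$ found in the analysis above. The following Python sketch is an added example, not code from the paper; the integer times, the message labels, and the simplification that a receiver holds the decrypted payload of each message are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    sender: str
    receiver: str
    payload: str   # what the receiver holds after decrypting (assumption)
    time: int      # constructed integer time; only the ordering matters

EOO = "{new_coins}Kcs^-1"        # evidence of origin, held by B
EOR = "{amount,Tid,date}Kb^-1"   # evidence of receipt, held by A

# Constructed symbolic trace of the six ISI steps (T0 < Tr < Ts < Tk < Tc < Td).
ISI_TRACE = [
    Step("A", "B", "Kab", 0),
    Step("B", "A", "Kb", 1),
    Step("A", "B", "{coins}Kcs^-1,SKa,K_ses,S_id", 2),
    Step("B", "CS", "{coins}Kcs^-1,SKb,transaction", 3),
    Step("CS", "B", EOO, 4),
    Step("B", "A", EOR, 5),
]

def possession_history(trace, initial):
    """Apply rules (1)-(3) of Section 2.4; return {party: [(time, frozenset)]}."""
    current = {p: set(items) for p, items in initial.items()}
    history = {p: [(None, frozenset(s))] for p, s in current.items()}
    for step in sorted(trace, key=lambda s: s.time):
        for party in current:
            # Rule (1): the sender adds a message it generated; rule (2): the
            # receiver adds a message it lacked; rule (3): others are unchanged.
            if party in (step.sender, step.receiver):
                current[party].add(step.payload)
            history[party].append((step.time, frozenset(current[party])))
    return history

def first_held(history, party, item):
    """Earliest event time at which item is in the party's set, or None."""
    for time, held in history[party]:
        if time is not None and item in held:
            return time
    return None

def fairness_report(trace):
    init = {"A": {"Kcs"}, "B": {"Kcs"}, "CS": set()}
    hist = possession_history(trace, init)
    t_eoo = first_held(hist, "B", EOO)
    t_eor = first_held(hist, "A", EOR)
    final_a, final_b = hist["A"][-1][1], hist["B"][-1][1]
    # Fairness target: EOO in O_b(Te) if and only if EOR in O_a(Te).
    fair_at_end = (EOO in final_b) == (EOR in final_a)
    # Interval in which B already holds EOO while A still lacks EOR.
    exposed = t_eoo is not None and (t_eor is None or t_eoo < t_eor)
    return {"t_eoo": t_eoo, "t_eor": t_eor,
            "fair_at_end": fair_at_end, "exposed_window": exposed}

if __name__ == "__main__":
    print("complete run:     ", fairness_report(ISI_TRACE))
    print("stops after step 5:", fairness_report(ISI_TRACE[:5]))
```

The second report is the run in which step (6) never happens: B's final possession set contains EOO, A's does not contain EOR, and the fairness target evaluates to false.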
After the completion of the third step of the protocol, B is required to perform the fourth step within a certain time delay $t_b$. B is also required to perform the sixth step within a certain time delay $t_c$ after receipt of $\{new\_coins\}_{K_{cs}^{-1}}$. If A has not received $\{amount, Tid, date\}_{K_b^{-1}}$ after the certain period of time, the protocol is terminated. Because CS is completely believable, $(T_c - T_k) \le t_s$ must be satisfied, where $t_s$ is the processing delay of CS. So in order for A to receive EOR at the end of the protocol, $t_b + t_s + t_c \le t_a$ must hold. This means that the behavior delay of B must be constrained to satisfy $t_b + t_c \le t_a - t_s$ in order to ensure the fairness of the protocol.

B  CS  new _ coins at [T | T  Te ]  (4)

5 Conclusions

In this paper, the analysis of the ISI protocol specifically illustrates how the novel logic analyzes the temporal relations between events in an electronic payment protocol. The novel logic is not a simple logic method, but an integrated approach. The logic reasoning in the proof of protocol objectives is based on the proof method of the Qing-Zhou logic approach, while the time calculus part uses the methods of algebra and set theory. It is suitable for analyzing the timeliness of electronic payment protocols. Furthermore, this idea can be introduced into other formal methods to analyze the security of cryptographic protocols.

References

1. P. McCorry, S.F. Shahandashti, F. Hao, 20th Financial Cryptography and Data Security (2016)
2. R. Kailar, IEEE Trans. on Software Engineering, 22, 313-328 (1996)
3. D.C. Zhou, S.H. Qing, Z.F. Zhou, Journal of Software, 12, 1318-1328 (2001)
4. S.H. Qing, Journal of Software, 16, 1758-1765 (2005)
5. S. Kremer, Université Libre de Bruxelles, Faculté des Sciences (2003-2004)
6. G. Medvinsky, C. Neuman, Proc. of the 1st ACM Conference on Computer and Communications Security, 102-106 (1993)


This is a preview of a remote PDF: https://www.itm-conferences.org/articles/itmconf/pdf/2016/02/itmconf_ita2016_01002.pdf

Yi Liu, Xing-Tong Liu, Chao-Jing Tang. A Novel Logic for Analyzing Electronic Payment Protocols, ITM Web of Conferences, 2016, DOI: 10.1051/itmconf/20160701002