Article info

Article history: Received 16 September 2011; received in revised form 30 March 2012; accepted 3 April 2012; available online 13 April 2012.

Keywords: E-commerce; Mail-order; Smart card; Mutual authentication; BAN logic

Abstract

Mail order systems offer a convenient purchase service, in which buyers need not visit the store physically and instead choose what they want from a table of contents. Without a third party to play the roles of verifier and recorder, however, buyers face the potential problem of being cheated by a malicious seller. Thus, we aim to develop a mail order system over the Internet that can guarantee user anonymity and secrecy during the transaction process. The low computation cost of the mutual authentication between the parties involved contributes to the practicality of this new system, while the correctness of this process can be confirmed with the BAN logic model.

© 2012 Elsevier B.V. All rights reserved.
1. Introduction

In recent decades, the rapid development of the Internet has led to the great popularity of electronic commerce services. People often buy something or handle financial investments through electronic commerce services, such as electronic auctions, lotteries, and payment systems. Due to the convenience and economic benefits of e-commerce, more and more traditional services have been converted to the electronic mode, like e-voting, e-traveler's checks, and e-invoices. As a result, people are now paying more attention to the issues of security and privacy; however, the digitalization of one traditional commerce service that is used very often in our daily life, i.e., the traditional mail order service, has received very little attention.

Traditional mail order service (Fig. 1) is a commonly used approach to shopping. As a simple transaction, it has many advantages. The seller sends a menu of commodities to individual guests or to buyers in schools and companies who order regularly. The buyer chooses the commodities she/he likes from the menu, sends the purchase order back to the seller, and pays the money into the seller's account. Then, the seller checks whether she/he has received the money. If so, she/he sends the commodities to the buyer and the transaction is complete. This system treats business as a simple transaction flow. More specifically, the buyer does not need to visit the store in person each time but only the bank once. The bank is just a third party that handles the money; it does not serve as the verifier or recorder of the transaction. Thus, in this system, no one records the details of the transaction. This may cause a serious problem in that a malicious seller could feasibly choose not to send the commodity in order to cheat the buyer after receiving payment.

Inheriting the merits of the original mail order mechanism, we aim to realize this concept over the Internet in a way that eliminates the above-mentioned security problem. The Internet mail order system is a money-related mechanism that uses an electronic payment system, such as electronic cash (E-Cash) (Ling et al. 2007, Wang et al. 2007, Chaum et al. 1990), electronic checks (Chaum et al. 1989, Chen 2005, Chang et al. 2009), or electronic traveler's checks (Chang and Chang 2009, Liaw et al. 2007). Many scholars have analyzed the various types of electronic payment systems (Yu et al. 2002, Ferreira and Dahab 1998). According to their analyses, even though electronic cash has the advantages of being simple and convenient to carry, it retains the same characteristics as actual cash: when electronic cash is lost or stolen, the user must bear the risk, since it cannot be reissued. Although the electronic check has added a signature protocol, it is still vulnerable to being stolen or embezzled. Due to the requirement for personal identification with a check, an electronic traveler's check seems to be more secure; however, it also involves the drawback of a complex authentication procedure, as illustrated in Fig. 2.

When the seller receives the check, she/he cannot confirm the validity of the check, so she/he must send the check to the bank or a fair third party. Another problem is that, in the electronic check and electronic traveler's check systems, personal information is usually stored in the bank's database directly. If an intruder or bank employee accesses the database and obtains the user's [the remainder of this sentence and the following pages were not recovered from the extraction]

⇑ Corresponding author. Tel.: +886 4 24517250x3721; fax: +886 4 27066495.
E-mail addresses: leejs@fcu.edu.tw (J.-S. Lee), logoduo@hotmail.com (K.-S. Lin).
http://dx.doi.org/10.1016/j.elerap.2012.04.001
J.-S. Lee, K.-S. Lin / Electronic Commerce Research and Applications 11 (2012) 388–396 389
2. System requirements

[Section body not recovered from the extraction; only the following captions and figure labels survive.]

Table 1. Notations of the new mechanism. [table body not recovered]

Table 2. The database of BANK. [table body not recovered]

Table 3. The information of Bob in the database. [table body not recovered]

[Figure: the exchange between Bob and BANK; the only labels that survive are "Bob", "BANK" and "Secure channel" (the secure channel is used in the registration and smart card reissue phases).]
... it is hard to find another message $M'$ such that $h(M') = h(M)$.

(iii) Collision resistance: it is computationally infeasible to find two different inputs with the same digest, i.e., it is difficult to find $M$ and $M'$ with $M \neq M'$ such that $h(M) = h(M')$.

4.1.1. Mutual authentication

We use the BAN logic model to prove the mutual authentication of our mechanism. The notations used in BAN logic are defined in Table 5 [not recovered from the extraction; the standard BAN symbols are used below: $P \mid\equiv X$ ($P$ believes $X$), $P \mid\sim X$ ($P$ once said $X$), $P \mid\Rightarrow X$ ($P$ has jurisdiction over $X$), $P \triangleleft X$ ($P$ sees $X$), $\#(X)$ ($X$ is fresh), $P \xleftrightarrow{K} Q$ ($K$ is a secret shared by $P$ and $Q$), and $\langle X \rangle_K$ ($X$ combined with the secret $K$)].

The flowchart and the goals of our mechanism are listed as follows: [the flowchart, the goal list, assumptions A1 to A4 and derivation steps before R11 were not recovered from the extraction; the text resumes in the middle of A4]

... that $S_j$ believes $BANK \mid\Rightarrow (Bob \xleftrightarrow{H(UB_{Bob},SID_j)} S_j)$.

A5. $Bob \mid\Rightarrow (Bob \xleftrightarrow{H(UB_{Bob},SID_j)} S_j)$. As $UB_{Bob}$ is embedded in the smart card of Bob and $SID_j$ is selected by Bob, we can assume that Bob has jurisdiction over $Bob \xleftrightarrow{H(UB_{Bob},SID_j)} S_j$.

Now, we prove the mutual authentication of our mechanism. From A5, Bob must believe what he generated. Thus, we obtain the following:

R11. $S_j \mid\equiv Bob \mid\sim (Bob \xleftrightarrow{H(UB_{Bob},SID_j)} S_j)$.

From R6, R11, and the nonce-verification rule, we acquire

R12. $S_j \mid\equiv Bob \mid\equiv (Bob \xleftrightarrow{H(UB_{Bob},SID_j)} S_j)$. (G3)

From I3, we obtain

R13. $Bob \triangleleft \langle Bob \xleftrightarrow{H(UB_{Bob},SID_j)} S_j \rangle_{H(UB_{Bob},SID_j)}$.

Subsequently, we can apply R1, R13, and the message-meaning rule to derive

R14. $Bob \mid\equiv S_j \mid\sim (Bob \xleftrightarrow{H(UB_{Bob},SID_j)} S_j)$.

According to A1 and I3, we can obtain

R15. $Bob \mid\equiv \#(Bob \xleftrightarrow{H(UB_{Bob},SID_j)} S_j)$.

Due to R14, R15, and the nonce-verification rule, we get the final goal R16.

R16. $Bob \mid\equiv S_j \mid\equiv (Bob \xleftrightarrow{H(UB_{Bob},SID_j)} S_j)$. (G4)

Therefore, both Bob and $S_j$ can use the shared information $H(UB_{Bob}, SID_j)$ to construct a session key with a random nonce $N$, which guarantees the mutual authentication.

4.1.2. Integrity of transaction data

In the payment phase, when the legal buyer Bob wants to purchase something from the store $S_j$, he makes his choice and sends $[SID_j, C_{US}]_{h(UB_{Bob},N)}$ to BANK along with a random nonce $N$. When BANK receives the request, it can employ $h(UB_{Bob}, N)$ to decrypt the message and obtain $C_{US}$. Next, BANK computes and sends $[C_{US}]_{h(SB_j,N)}$ to $S_j$, where $SB_j$ is the secret key shared between BANK and $S_j$. If a malicious attacker Eve tries to modify the transaction data $SID_j$ and $C_{US}$ in Step 1 of the payment phase, she must be able to decrypt $[SID_j, C_{US}]_{h(UB_{Bob},N)}$. Nevertheless, it is computationally infeasible for her to achieve that without the session key $h(UB_{Bob}, N)$ under the symmetric encryption assumption.

On the other hand, she may try to compute $h(UB_{Bob}, N)$ in order to decrypt the ciphertext. Even if she can intercept the random nonce $N$ in Step 1, she still cannot obtain $h(UB_{Bob}, N)$ without $UB_{Bob}$ under the assumption of the one-way hash function. Again, Eve may try to obtain $UB_{Bob}$ in order to construct the session key. Since $UB_{Bob} = h(AID_{Bob}, x)$, even though Eve can learn the anonymous $AID_{Bob}$ of Bob, she cannot compute $UB_{Bob}$ without the master key $x$ under the assumption of the second pre-image resistance. For the same reason, if Eve tries to learn or modify $C_{US}$ in Step 2 of the payment phase, she will fail to decrypt the ciphertext without the session key $h(SB_j, N)$ under the first assumption. Thus, the integrity of transaction data in Steps 1 and 2 is guaranteed. Note that this argument treats the symmetric encryption as protecting integrity as well as confidentiality; in an implementation that requires an authenticated encryption mode or a separate MAC under the session key, since a plain cipher alone does not detect modification of the ciphertext.

4.1.3. Anonymity of buyer

In the registration phase, the legal buyer Bob offers his $ID_{Bob}$ and $PW_{Bob}$ to BANK through a secure channel. Then BANK uses $ID_{Bob}$, $PW_{Bob}$, a random number $r$, and the master key $x$ to generate a temporary identification $AID_{Bob} = h(h(ID_{Bob}, PW_{Bob}), r, x)$ for Bob. Next, Bob can use $AID_{Bob}$ to purchase services, thus preventing his personal information from being known. If a malicious attacker Eve wants to learn the real identification $ID_{Bob}$ of Bob, she may try to retrieve $ID_{Bob}$ from $AID_{Bob}$. Since $AID_{Bob}$ is public, Eve can obtain Bob's temporary identification; however, under the assumption of pre-image resistance, it is computationally infeasible for her to recover the components of $AID_{Bob}$. Consequently, Eve cannot obtain $ID_{Bob}$ from $AID_{Bob}$, and thus the anonymity of the buyer can be guaranteed.

4.1.4. No forgery of digital cash

The digital cash $h^t(r, UB_{Bob})$ of the legal user Bob contains the shared information $UB_{Bob} = h(AID_{Bob}, x)$. That is, the cash includes the master key $x$ of BANK. If a malicious attacker Eve intends to forge digital cash, she will fail in this attempt. This is because no one can fake $UB_{Bob}$ without the master key $x$ under the assumption of the one-way hash function. Even if Eve can obtain $r$ and $n$ from the BANK database, she cannot calculate $h^{n-1}(r, UB_{Bob})$ without $UB_{Bob}$ under the assumption of the second pre-image resistance. In the same way, if Eve tries to obtain the next valid digital cash $h^{n-1}(r, UB_{Bob})$ from $h^{n}(r, UB_{Bob})$, it is computationally infeasible based on the assumption of pre-image resistance. For the reasons mentioned above, no one but BANK can generate valid digital cash; thus, this property is preserved in the new mechanism.

4.1.5. Double spending

In the payment phase, when a legal buyer Bob wants to pay $m$ units of the digital cash, he uses the smart card to compute $h^{n+1-m}(r, UB_{Bob})$. Then, BANK computes $h^m(h^{n+1-m}(r, UB_{Bob}))$ and compares it with the value stored in the database. If they are different, the request is rejected; otherwise, BANK updates the remaining number and the cash information in the database. If Bob intends to reuse the digital cash $h^{n+1-m}(r, UB_{Bob})$, he will fail. This is because BANK is able to detect this attempt from the updated $h^{n+1-m}(r, UB_{Bob})$ in the database. That is, when BANK receives the digital cash a second time, it computes $h^m(h^{n+1-m}(r, UB_{Bob}))$ and compares it with $h^{n+1-m}(r, UB_{Bob})$, which is now the value stored in the database. Obviously, they are different, so BANK must reject the purchase request. Hence, even a legal buyer Bob cannot launch double spending successfully, and we can conclude that the new method is able to prevent double spending.

4.1.6. Reissue of smart card

In this new mechanism, digital cash is stored in a smart card. If the user loses the smart card or if the card is broken, then the user needs to apply for a new one. In the smart card reissue phase, the legal user Bob offers his $ID_{Bob}$ and $PW_{Bob}$ to BANK through a secure channel. When BANK receives the request, it uses the master key $x$ to calculate $RID_{Bob} = h(h(ID_{Bob}, PW_{Bob}), x)$ and searches for it in the database to confirm the validity of the user. If the search fails, BANK rejects the request; otherwise, it computes $UB_{Bob} = h(AID_{Bob}, x)$ and embeds $\{AID_{Bob}, h(ID_{Bob}, PW_{Bob}), UB_{Bob}, n, h(\cdot), h^t(r, UB_{Bob})\}$ into a new smart card. Finally, BANK issues the new card to Bob through a secure channel and completes the smart card reissue phase.

If a malicious attacker Eve aims to obtain the smart card or the digital cash, she may try to masquerade as Bob to apply for a reissued smart card. Nevertheless, she does not know $ID_{Bob}$ and $PW_{Bob}$, so she cannot succeed in forging the request. Even if Eve can obtain $RID_{Bob}$ from the BANK database, she cannot retrieve $ID_{Bob}$ and $PW_{Bob}$ from $RID_{Bob}$ according to the assumption of pre-image resistance. Therefore, only the real Bob is able to ask for the reissue of a smart card containing digital cash.

4.1.7. Non-repudiation

In the payment phase, when BANK receives a purchase request from the buyer Bob, it computes $h(UB_{Bob}, N)$ to decrypt $[SID_j, C_{US}, h^{n+1-m}(r, UB_{Bob}), m]_{h(UB_{Bob},N)}$. Since Bob has negotiated the shared information $UB_{Bob}$ with BANK in advance, they can both compute $h(UB_{Bob}, N)$ and use it to encrypt messages. If BANK can retrieve the plaintext in Step 2 of the payment phase, this means that the message has been generated by Bob; BANK then calculates $[TI]_{h(h(UB_{Bob},SID_j),x)}$ and stores it in the database. When a transaction dispute occurs, if Bob intends to repudiate that he bought $C_{US}$ from $S_j$, he must fail.
Table 6. Functionality comparisons. [table body not recovered]

Table 7. [caption and body not recovered] Notation: THash: hash cost, TE: symmetric encryption cost, TD: symmetric decryption cost, m: the amount of digital cash.

The reason is that no one can compute the purchase message $[SID_j, C_{US}, h^{n+1-m}(r, UB_{Bob}), m]_{h(UB_{Bob},N)}$ without $h(UB_{Bob}, N)$ under the assumption of the symmetric encryption function. Thus, Bob cannot deny that he has sent the order to BANK. For this reason, the non-repudiation property can be guaranteed in this new mechanism. Since $h(UB_{Bob}, N)$ is also computable by BANK, this argument settles disputes between Bob and $S_j$ or an outside party and relies on BANK being the trusted recorder of transactions, as assumed throughout the mechanism.

4.1.8. Perfect forward secrecy

In this mechanism, the legal user Bob can use the session key $h(UB_{Bob}, N)$ to communicate with BANK securely. If a malicious attacker Eve is able to compromise $h(UB_{Bob}, N)$, she still cannot apply this session key to recover the previous sessions or derive the keys for future sessions. This is because each session contains an individual random nonce; thus, all session keys are distinct. Even if the attacker is able to collect the valid random nonces of other sessions, she cannot succeed in deriving the other session keys without the knowledge of $UB_{Bob}$ under the assumption of the one-way hash function. Even if Eve can compromise the session key $h(h(UB_{Bob}, SID_j), N)$ shared between Bob and $S_j$, she cannot decrypt the previous messages or construct future session keys. Hence, we can conclude that the new mechanism can guarantee the perfect forward secrecy property.

4.1.9. Comparison between BitCoin and the proposed mechanism

To highlight the practicability of our proposal, we compare the confirmed properties of BitCoin with those of the proposed mechanism in Table 6. It is clear that the function of a trustworthy third party, namely the server, in BitCoin is only to provide users with secure communication. The server does not get involved in the dealing, so the tracing of illegal transactions cannot be ensured in BitCoin. More precisely, there is no component that can be totally trusted to keep all transaction records in BitCoin. Once a dispute occurs, no one can help to resolve the problem. This is unreasonable for the entire transaction. In our proposed mechanism, however, since we have introduced a trustworthy third party, i.e., BANK, to record all of the transactions, an illegal deal or a dispute can be handled well.

Although both BitCoin and the mail order mechanism adopt the hash chain as the core technique to generate E-Cash, BitCoin has much higher computation costs than the mail order system. This is due to the fact that BitCoin employs sophisticated computations to mint E-Cash. This complexity guarantees that it is computationally infeasible for users to generate E-Cash by themselves. Thus, distributed computing is required to support the high computation cost, which is an unfriendly constraint in the field of [sentence not completed in the extraction]

[Section heading not recovered]

Table 8. Experimental situation of the new mechanism. [table body not recovered]

In this section, we analyze the performance of the novel mechanism. The computational cost of the new mechanism is illustrated in Table 7. The analysis focuses on the computational overhead of the payment and dealing confirmation phases. To highlight the practicality of the new method, we conduct experiments that simulate the system. Details of the platform are shown in Table 8. The buyer may use several amounts of digital cash ($m$) to purchase; thus, we suppose that there are three amounts, $m = 10$, $m = 15$, and $m = 20$, in the simulation. Next, we ran the novel mechanism for 10,000 rounds and calculated the average computational cost of each participant. In our experiment, since the plaintext is no longer than 512 bits, the cost of the AES symmetric cryptosystem is lower than that of the SHA-1 function. The performance is shown in Table 9. It is clear that the efficiency of the new method is satisfactory, since all steps can be done in a short time period.

To demonstrate that the new method can be applied to lightweight devices, we vary the CPU frequency over four different levels (Fig. 9). According to the results, the new method works smoothly even if the user completes the transaction on a smart mobile phone whose CPU frequency is no more than 500 MHz.

5. Security analyses

In this section, we analyze how the new mechanism can resist common attacks in electronic commerce.

5.1. Replay attack

Assume that a malicious attacker Eve is able to intercept the messages during transmission. If Eve intercepts the request message from a legal user Bob and tries to launch a replay attack to get service from BANK, she has to pass the verification of the payment phase. If the message is a replayed one, it is easy for BANK to become aware of this attempt from the freshness of the random nonce. That is, Eve must replace $N$ with a valid nonce $N'$ to pass the verification that the nonce is fresh. Even though Eve can use $N'$ to pass the first verification, she cannot construct the session key $h(UB_{Bob}, N')$ without the knowledge of $UB_{Bob}$ under the assumption of the one-way hash function. Thus, BANK becomes aware of this replay attempt after it tries to use $h(UB_{Bob}, N')$ to decrypt the encrypted message.

5.2. Server master key guessing attack

If a malicious attacker Eve aims to guess the master key $x$ of BANK, she may try to register at BANK first. Then, she can try to retrieve the master key from the four parameters containing $x$ as below. [the parameter list and the rest of this section were not recovered from the extraction]
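The payment phase argued about in Sections 4.1.2, 4.1.4, 4.1.5 and 5.1, modelled end to end as an added example; this is not code from the paper. It assumes that $h(a, b, \ldots)$ is SHA-256 over the length-prefixed concatenation of its inputs, replaces the paper's AES encryption under $h(UB_{Bob}, N)$ with an HMAC-protected SHA-256 keystream so that the script runs with the Python standard library alone, lets BANK keep the set of nonces it has accepted as its freshness check, and puts $AID_{Bob}$, $UB_{Bob}$, $r$ and $n$ on the card. The names Bank, make_payment and demo are this example's own.

```python
# Added example (not the paper's code). Assumptions: h = SHA-256 over
# length-prefixed inputs; AES replaced by keystream XOR + HMAC tag;
# BANK tracks accepted nonces for freshness; card holds AID, UB, r, n.
import hashlib
import hmac
import json
import os


def h(*parts):
    """The paper's one-way hash h(...), with unambiguous concatenation."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


def h_iter(value, times):
    """Apply h 'times' more times to an existing chain value."""
    for _ in range(times):
        value = h(value)
    return value


def h_chain(r, ub, k):
    """h^k(r, UB): h(r, UB) followed by k-1 further applications of h."""
    return h_iter(h(r, ub), k - 1)


def _keystream(key, length):
    blocks = (h(key, b"ks", i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, nonce, plaintext):
    """[plaintext]_key: keystream XOR plus an HMAC tag over nonce and ciphertext."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct, hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, nonce, ct, tag):
    """Plaintext, or None if the key is wrong or the ciphertext was modified."""
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


class Bank:
    def __init__(self):
        self.x = os.urandom(32)   # master key x
        self.db = {}              # AID -> {RID, r, n, stored h^{n+1}(r, UB)}
        self.seen = set()         # nonces already accepted (freshness check)

    def register(self, id_, pw, n):
        """Registration phase: derive AID, UB, RID and store h^{n+1}(r, UB)."""
        r, hidpw = os.urandom(16), h(id_, pw)
        aid = h(hidpw, r, self.x)
        ub = h(aid, self.x)
        self.db[aid] = {"RID": h(hidpw, self.x), "r": r, "n": n,
                        "stored": h_chain(r, ub, n + 1)}
        return {"AID": aid, "UB": ub, "r": r, "n": n}   # smart-card contents

    def pay(self, aid, nonce, ct, tag):
        """Step 1 of the payment phase, as BANK processes it."""
        if nonce in self.seen:
            return "reject:replay"              # N is not fresh
        rec = self.db.get(aid)
        if rec is None:
            return "reject:unknown"
        key = h(h(aid, self.x), nonce)          # h(UB_Bob, N), from x alone
        pt = unseal(key, nonce, ct, tag)
        if pt is None:
            return "reject:seal"                # wrong session key or tampering
        msg = json.loads(pt)
        cash, m = bytes.fromhex(msg["cash"]), msg["m"]
        if not 1 <= m <= rec["n"] or h_iter(cash, m) != rec["stored"]:
            return "reject:cash"                # forged or already spent
        rec["stored"], rec["n"] = cash, rec["n"] - m
        self.seen.add(nonce)
        return "accept"


def make_payment(card, sid, cus, m, nonce=None):
    """Bob's message [SID_j, C_US, h^{n+1-m}(r, UB), m]_{h(UB, N)} plus N."""
    nonce = nonce or os.urandom(16)
    cash = h_chain(card["r"], card["UB"], card["n"] + 1 - m)
    pt = json.dumps({"SID": sid, "CUS": cus, "cash": cash.hex(), "m": m}).encode()
    ct, tag = seal(h(card["UB"], nonce), nonce, pt)
    return card["AID"], nonce, ct, tag


def demo():
    """Honest flow plus the attacks of 4.1.2, 4.1.5 and 5.1 (constructed)."""
    bank = Bank()
    card = bank.register(b"bob", b"pw", n=30)
    aid, nonce, ct, tag = msg = make_payment(card, "S1", "order-17", 10)
    tampered = bytes([ct[0] ^ 1]) + ct[1:]
    results = [
        bank.pay(aid, nonce, tampered, tag),           # modified in transit
        bank.pay(*msg),                                # genuine: accepted
        bank.pay(*msg),                                # verbatim replay
        bank.pay(aid, os.urandom(16), ct, tag),        # replay under fresh N'
        bank.pay(*make_payment(card, "S1", "x", 10)),  # h^{21} spent again
    ]
    card["n"] -= 10                                    # card advances after acceptance
    results.append(bank.pay(*make_payment(card, "S2", "order-18", 15)))
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() exercises, in order: a ciphertext modified in transit (rejected by the tag under $h(UB_{Bob}, N)$), the genuine payment of 10 units, a verbatim replay (stale nonce), the same ciphertext re-sent under a fresh nonce (Eve cannot form $h(UB_{Bob}, N')$ without $UB_{Bob}$), a second spend of the same $h^{n+1-m}(r, UB_{Bob})$ (applying $h$ $m$ times no longer reaches the stored value), and the next honest payment of 15 units, which succeeds because the chain continues from the updated value. The tag is what makes the integrity claim of Section 4.1.2 hold in practice; with an unauthenticated cipher the modified ciphertext would decrypt to garbage rather than be rejected.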
Table 9. Performance of each participant in the payment phase. [table body not recovered]

Table 10. The information of Bob in the database.

| $RID_{Bob}$ | $AID_{Bob}$ | $r_{Bob}$ | $n_{Bob}$ | $h^{n_{Bob}+1}(r_{Bob}, UB_{Bob})$ | $[TI]_{h(h(UB_{Bob},SID_j),x)}$ |

[Section heading not recovered]

If the malicious attacker Eve is able to compromise the database of BANK, then she can obtain the information of Bob depicted in Table 10. Since the verifier is kept only in the smart card, even though Eve can compromise the database of BANK, she cannot obtain any verifier with which to pass the verification. Thus, we can conclude that the new mechanism is capable of withstanding the stolen verifier attack.

6. Conclusions

By all accounts, Internet-based commerce services are necessary. Currently, there is no global mail ordering system that allows buyers to pay bills without personally visiting stores or banks. Our proposed system realizes a novel type of online service that not only keeps the advantages of previous electronic payment systems but also guarantees mutual authentication between buyer and seller. Moreover, this system can withstand different kinds of malicious attacks and protect the legal rights and behaviors of both buyers and sellers. Benefiting from a light computational load, this system can work well for mobile commerce, and the SIM card can play the role of the smart card. As telecommunication companies cooperate with banks, it can also allow users to pay phone bills via banks. In practice, Citibank cooperates with telecommunication companies to make the purchasing procedure more convenient for users. All of these practical uses make the novel mechanism feasible.

References

Burrows, M., Abadi, M., and Needham, R. A logic of authentication. ACM Transactions on Computer Systems, 8, 1, 1990, 18–36.

Chaum, D., den Boer, B., van Heyst, E., Mjølsnes, S., and Steenbeek, A. Efficient off-line electronic checks. In Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques (EUROCRYPT '89), Germany, 1989, 294–301.

Chaum, D., Fiat, A., and Naor, M. Untraceable electronic cash. In Proceedings of Advances in Cryptology (CRYPTO '88), California, USA, 1990, 319–327.

Chen, W. K. Efficient on-line electronic checks. Applied Mathematics and Computation, 162, 3, 2005, 1259–1263.

Chang, C. C., Chang, S. C., and Lee, J. S. An on-line electronic check system with mutual authentication. Computers and Electrical Engineering, 35, 2009, 1–4.

Chang, C. C., and Chang, S. C. The design of e-traveler's check with efficiency and mutual authentication. In Proceedings of the 3rd International Conference on Ubiquitous Information Management and Communication, USA, 2009, 309–316.

Citibank. Available at http://www.citibank.com. Last accessed on July 30, 2009.

Ferreira, L. D. C., and Dahab, R. A scheme for analyzing electronic payment systems. In Proceedings of the 14th Computer Security Applications Conference, Phoenix, AZ, USA, 1998, 137–146.

Lamport, L. Password authentication with insecure communication. Communications of the ACM, 24, 11, 1981, 770–772.

Ling, Y., Xiang, Y., and Wang, X. RSA-based secure electronic cash payment system. In Proceedings of the 2007 IEEE International Conference on Industrial Engineering and Engineering Management, Hangzhou, China, 2007, 1898–1902.

Liaw, H. T., Lin, J. F., and Wu, W. C. A new electronic traveler's check scheme based on one-way hash function. Electronic Commerce Research and Applications, 6, 4, 2007, 499–503.

Menezes, A., van Oorschot, P., and Vanstone, S. Handbook of Applied Cryptography. CRC Press, USA, 1996, 321–376.

Nakamoto, S. Bitcoin: A peer-to-peer electronic cash system. Available at http://bitcoin.org/bitcoin.pdf. Last accessed on January 20, 2012.

Paypal. Available at https://www.paypal.com. Last accessed on August 2, 2009.

Wang, C. J., Tang, Y., and Li, Q. ID-based fair off-line electronic cash system with multiple banks. Journal of Computer Science and Technology, 2007, 487–493.

Yu, H. C., Hsi, K. H., and Kuo, P. J. Electronic payment systems: an analysis and comparison of types. Technology in Society, 24, 3, 2002, 331–347.