Due: Friday April 23, 2004

For general homework policies, see Homework 1. All homework must be submitted in machine-readable form, preferably in Microsoft Word, by email to jieh@cs.cmu.edu with a copy to shamos@cs.cmu.edu. The page count next to each problem’s point value is merely a suggestion of how long an appropriate answer might be. You are free to write more or less provided that you answer the question.

This homework is worth a total of 250 points.

Problem 1. [125 points] Offline 3-D Secure

A problem with the 3-D Secure protocol for authenticating credit-card users is that it requires a real-time dialog between the card user and the issuing bank. This means that the protocol cannot be used in offline situations, such as for purchases on a cruise ship that does not have a real-time connection to a payment gateway, or on a bus or with a Coke machine.

Assume that the credit card is replaced by a PDA with a32-bit processor and an infrared port (not a magnetic stripe card or smart card). These are issued by banks just like credit cards. The user appears personally at the office of the issuing bank. He goes through a sign-up procedure and provides proof of his identity. The bank then initializes a PDA with some user-specific data, including credit card information, prints his name on the front and gives it to him. “Authentication” in this problem means having the user prove he is really the person whose name is on the PDA.

To use the PDA offline as a credit card, the user lines up the infrared port of the PDA with the infrared port of a reading machine or laptop. The PDA communicates with the reading machine at 200 kilobits per second. Your challenge is to develop an offline protocol for authenticating the user of these PDAs. What this means precisely is that the reading machine can issue a challenge to the PDA owner to prove that he is the person named on the front of the PDA. If the person responds to the challenge correctly, then the machine knows he is the right person and fraud in the credit card transaction will be avoided. All of this must take place only between the PDA and the reading machine. No access to any network or the Internet during the dialog is permitted. The reading machine and the PDAs are made by the same company.

You may obtain some useful ideas from Geldkarte. But remember that Geldkarte does not authenticate the identity of the cardholder – it just verifies that the card was validly issued and is a genuine card. The use of a PIN in Geldkarte helps assure the system that the cardholder is authentic, but if a hacker who finds a card has a merchant terminal he can try all 10,000 PINs to find the correct one, so Geldkarte does not meet the requirements of this problem.

Your solution must have the property that someone who finds the PDA on the street cannot determine in less than 1000 years how to answer the challenge correctly. Your solution must also not allow replay attack. That is, if Eve records all the messages between the PDA and the reading machine she will not be able to fool the machine into believing she is the real owner of the PDA.

(a) [100 points, 1-2 pages] Describe the architecture of your system and list each step in the authentication process.

(b) [25 points, 1 paragraph] Tell why your protocol will or will not revolutionize world credit card processing.

The best hint for this problem (both parts) is that it is not nearly as difficult as it seems.

Problem 2. [125 points] Certified eChecks

One of the few drawbacks of the automated clearing house is that ACH transaction records do not have signatures. That is, there is no underlying written document containing the signature of the originator of the transaction that can be verified in case of dispute.

A second problem is that ACH entries must go through clearance and settlement before funds become available to the payee. This means that the payee must wait until funds appear in his account before releasing any goods for which payment is being made.

In the paper world, both problems are solved through the use of certified checks. To certify a check, the maker of a check takes it to his own bank (the drawee bank). This bank verifies that the maker has sufficient funds to pay the check, places a hold on the funds (so they cannot be withdrawn or used to pay another check), and marks “CERTIFIED” on the check, which is then signed by an officer of the bank. The check then becomes an obligation of the bank rather than of the maker. The payee no longer has to worry whether the check is good, and therefore can release goods immediately upon receipt of the check. To avoid confusion with the term “certification” as used in certification authorities, we will used the term “ACCEPTED CHECK” to mean a “CERTIFIED CHECK.”

The purpose of this problem is to explore the possibility of certified ACH debits. By contrast, an ACH credit is more like a giro than a check. An ACH credit is presented to the payor’s bank (not the payee) and a transfer is made to the payee’s account, possibly in a different bank. The payee does not learn of the payment until it has been made. With a check, the check itself is presented to the payee, who deposits it in his bank but then must wait for settlement for the funds to become good. An ACH debit is closer to a check. It is initiated by the payee (with the permission of the payor). The payee submits the transaction through his bank, which causes funds to be drawn from the payor’s account. If there aren’t sufficient funds in the payor’s account, the debit will fail. It may take several business days for the failure to occur.

(a). [50 points, 1 page] Show how to use digital signatures to turn an ACH debit into a signed document that cannot be repudiated. For example, for Alice to pay her vendor $10,000, she would send the vendor a digitally signed record containing her bank account number, the amount of the payment, the date on which the payment is due, the vendor’s bank account, etc., as with a dematerialized check. The vendor would then submit this record through ACH, which would result in the money being deducted from Alice’s account. If Alice denies having authorized the payment, the ACH record will have her digital signature to prove otherwise.

Explain how digital certificates will be used in this process, if necessary, and what steps must be taken to prevent vendor from submitting the same record multiple times and thus receiving more money than it deserves. A good answer will explain how the vendor and Alice’s bank will verify her signature.

(b) We haven’t dealt with acceptance yet. So that the vendor knows the funds are good at the moment Alice submits her ACH debit, Alice will first send the debit record to her bank. Her bank will look up her account and if she has enough money to cover the payment, her bank will add the words “ACCEPTED BY DRAWEE BANK” and digitally sign the record. So the record will have two signatures, Alice’s and the bank’s, just like an accepted check. This acceptance procedure can be completely automated so it should take no more than 15 seconds.

(i) [25 points, 1-2 paragraphs] Explain the processing the bank will go through to verify Alice’s signature to decide whether to accept the record. Then explain the processing the bank will go through to sign it. A good answer will discuss the internal records the bank must keep to avoid paying the record more than once if it is submitted more than once by the payee.

(ii) [25 points, 1-2 paragraphs] Explain the processing the vendor will go through to verify both Alice’s signature and the bank’s signature to decide whether to ship the goods.

(iii) [25 points, 1-2 paragraphs] One day the newspaper announces that the secret key used by Alice’s bank to sign “ACCEPTED BY DRAWEE BANK” has been compromised. Tell what steps the bank must go through to prevent making payment on any records that seem to be accepted (because they have the bank’s signature) but were never actually accepted by the bank. A good answer will discuss the role of certificate revocation lists in this process (if they have any role). Tell also how the bank will resume normal operations again after compromise of the key.