MilliCent™ Scrip, security and secrets

Systems Research Center
Dr. Mark S. Manasse
DIGITAL Systems Research Center, Palo Alto
http://www.millicent.digital.com/

Microcommerce

* Microcommerce is commerce where each transaction may be inexpensive.
* For us, “inexpensive” is around 0.1¢/transaction. Others set the limit at $1/transaction.
* Microcommerce allows transactions for:
  – news articles,
  – stock quotes,
  – index queries.

Why is microcommerce difficult?

* The vendor and the financial agent need adequate revenue, despite:
  – small (0.1¢, by my definition) transactions
  – on-line service
    • no one wants to wait a long time for a page
  – reasonable commissions
  – liability issues

Designing a financial system

* Customers sign up with a financial intermediary
  – software implements “wallet” functionality
  – wallet is loaded from credit card or bank account
* Value is transferred from wallet to vendor as needed
* Four basic approaches
  – centralized notational (e.g., CyberCoin, NetBill)
  – distributed notational (e.g., Mondex)
  – centralized token (e.g., Millicent, DigiCash)
  – distributed token (e.g., PayWord, MiniPay)

Cryptography

* Public-key versus shared-key
  – RSA versus DES
* Authentication versus encryption
  – Signature and identity versus privacy
* Public key signatures are non-repudiable
* Shared-key authentication can be produced by anyone holding the shared key

Public-key cryptography 1: RSA

* Do arithmetic in the group of integers mod pq.
* Given public key e, private key d can be found by inverting e mod p-1 and mod q-1, and then combining the two results with the Chinese remainder theorem.
* Encryption and decryption are done by exponentiating the message to the e or d power.
* Fermat’s little theorem makes it work:
  – m^(1+k*(p-1)) = m (mod p)
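The key derivation on this slide, carried through as an added example (not code from the talk). The primes, exponent and message are tiny constructed values so every step can be checked by hand; real keys use primes of about 1024 bits each. Since p-1 and q-1 are both even, the combination step uses the generalised Chinese remainder theorem, which only needs the two inverses to agree modulo gcd(p-1, q-1):

```python
# Added example (not from the talk): RSA private-key derivation as the slide
# describes it, plus the Fermat identity it rests on.  Toy parameters only.

def egcd(a: int, b: int) -> tuple:
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a: int, m: int) -> int:
    """Inverse of a modulo m (raises if it does not exist)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return x % m

def crt(a1: int, m1: int, a2: int, m2: int) -> int:
    """Generalised Chinese remainder theorem: the x (mod lcm(m1, m2)) with
    x == a1 (mod m1) and x == a2 (mod m2).  m1 and m2 need not be coprime
    (p-1 and q-1 are both even); it suffices that a1 == a2 (mod gcd(m1, m2))."""
    g, x, _ = egcd(m1, m2)
    if (a2 - a1) % g:
        raise ValueError("no solution: residues disagree modulo the gcd")
    lcm = m1 // g * m2
    t = (a2 - a1) // g * x % (m2 // g)
    return (a1 + m1 * t) % lcm

def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d as on the slide: invert e mod p-1 and mod q-1, then combine with the CRT.
    The result is the smallest d with e*d == 1 (mod lcm(p-1, q-1))."""
    d_p = modinv(e, p - 1)
    d_q = modinv(e, q - 1)
    return crt(d_p, p - 1, d_q, q - 1)

def rsa_encrypt(m: int, e: int, n: int) -> int:
    return pow(m, e, n)            # raise the message to the public power

def rsa_decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)            # raise the ciphertext to the private power

def fermat_check(m: int, p: int, k: int) -> bool:
    """The identity the slide cites: m^(1 + k*(p-1)) == m (mod p) for prime p."""
    return pow(m, 1 + k * (p - 1), p) == m % p

if __name__ == "__main__":
    p, q, e = 61, 53, 17                      # constructed toy parameters
    n, d = p * q, rsa_private_exponent(p, q, e)
    c = rsa_encrypt(65, e, n)
    print(f"n={n} d={d} c={c} recovered={rsa_decrypt(c, d, n)}")
```

With p=61, q=53 and e=17 the routine gives d=413, which is the textbook d=2753 reduced mod lcm(60, 52)=780; both decrypt correctly because Fermat's theorem makes m^780 = m for every m coprime to n.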

Public-key cryptography 2: El Gamal

* Instead of using the difficulty of factoring, we can use the difficulty of taking discrete logarithms.
* Pick a modulus and a generator of a large subgroup.
* Secret keys are random numbers; public keys are the generator to the secret key power.
* Encrypt a message by picking a blinding exponent, and multiplying the message by the public key to that exponent. Also send the generator to the exponent; the recipient can raise it to the secret key, and divide.
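The recipe above in code, as an added example that is not part of the talk. The modulus and generator are tiny constructed values (5 generates the whole multiplicative group mod 23); a deployment would use a 2048-bit group or an elliptic curve. The fixed-exponent parameters exist only so the steps can be checked; the blinding exponent must be fresh and random for every message, since reusing it with the same key lets two ciphertexts be divided against each other:

```python
# Added example (not from the talk): El Gamal encryption following the slide.
from typing import Optional
import secrets

P = 23   # constructed toy prime modulus
G = 5    # constructed generator; 5 has order 22 mod 23, i.e. it generates everything

def keygen(p: int = P, g: int = G, x: Optional[int] = None) -> tuple:
    """Secret key x is a random number; public key y is g^x mod p."""
    if x is None:
        x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def encrypt(m: int, y: int, p: int = P, g: int = G, k: Optional[int] = None) -> tuple:
    """Pick a blinding exponent k; send g^k together with m * y^k (mod p)."""
    if not 1 <= m < p:
        raise ValueError("message must be a nonzero group element")
    if k is None:
        k = secrets.randbelow(p - 2) + 1      # fresh per message
    return pow(g, k, p), m * pow(y, k, p) % p

def decrypt(c1: int, c2: int, x: int, p: int = P) -> int:
    """Raise g^k to the secret key to recover y^k, then divide it out."""
    shared = pow(c1, x, p)                    # (g^k)^x == (g^x)^k == y^k
    return c2 * pow(shared, -1, p) % p        # pow(., -1, p) is the modular inverse

def roundtrip(m: int, x: int, k: int, p: int = P, g: int = G) -> int:
    """Deterministic helper: encrypt with fixed x and k, then decrypt."""
    _, y = keygen(p, g, x)
    c1, c2 = encrypt(m, y, p, g, k)
    return decrypt(c1, c2, x, p)

if __name__ == "__main__":
    x, y = keygen()
    c1, c2 = encrypt(7, y)
    print(f"secret={x} public={y} ciphertext=({c1}, {c2}) recovered={decrypt(c1, c2, x)}")
```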

Public-key cryptography 3: other cool tricks

* Key exchange (Diffie-Hellman)
* Different arithmetic groups
  – elliptic curves

Shared-key cryptography

* DES, RC-4, etc. work by having permutation functions that take the key and data and mix the bits in a seemingly random (and hard to analyze) fashion.
* We can still hide information from people who don’t know the key, but holders of the key cannot hide information from each other.

Hash functions

* A one-way hash function, like MD5 or HMAC-MD5, has the properties:
  – one-way:
    • given hash(S), it is hard to find S
  – collision-free:
    • given S and hash(S), it is hard to find T such that S ≠ T and hash(S) = hash(T)

Applications of one-way hash functions

* Suppose that A and B share a secret S.
* When A wants to communicate M to B:
  – for integrity and authenticity
    • A can send hash(M,S) together with M,
    • B can check hash(M,S).
  – for secrecy
    • A can generate and send a random number N, and hash(N,S) XOR M, instead of M,
    • only A and B can recover M.
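Both uses of the shared secret S, as an added example that is not from the talk. HMAC-SHA256 stands in for hash(…,S); the secrecy construction stretches hash(N,S) with a counter so that messages longer than one digest are covered, which is my extension rather than something the slide states. S, N and the messages are constructed values:

```python
# Added example (not from the talk): integrity via hash(M,S) and secrecy via
# hash(N,S) XOR M, with HMAC-SHA256 as the keyed hash.
from typing import Optional
import hashlib
import hmac
import secrets

def tag(S: bytes, M: bytes) -> bytes:
    """Integrity/authenticity: A sends M together with hash(M,S)."""
    return hmac.new(S, M, hashlib.sha256).digest()

def check(S: bytes, M: bytes, t: bytes) -> bool:
    """B recomputes hash(M,S); the constant-time compare avoids leaking the tag byte by byte."""
    return hmac.compare_digest(tag(S, M), t)

def keystream(S: bytes, N: bytes, length: int) -> bytes:
    """hash(N,S) stretched to `length` bytes by hashing (N, counter) repeatedly."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(S, N + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(S: bytes, M: bytes, N: Optional[bytes] = None) -> tuple:
    """Secrecy: send N and hash(N,S) XOR M instead of M.  N must never repeat under the
    same S: two ciphertexts with the same N XOR to the XOR of their plaintexts."""
    if N is None:
        N = secrets.token_bytes(16)
    return N, bytes(a ^ b for a, b in zip(keystream(S, N, len(M)), M))

def decrypt(S: bytes, N: bytes, C: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(keystream(S, N, len(C)), C))

def send_secret_and_authentic(S: bytes, M: bytes, N: Optional[bytes] = None) -> tuple:
    """What A transmits when it wants both properties: the nonce, the masked
    message, and a tag over both so B can reject anything altered in transit."""
    N, C = encrypt(S, M, N)
    return N, C, tag(S, N + C)

def receive(S: bytes, N: bytes, C: bytes, t: bytes) -> Optional[bytes]:
    """B checks the tag first and only then unmasks; returns None on tampering."""
    if not check(S, N + C, t):
        return None
    return decrypt(S, N, C)

if __name__ == "__main__":
    S = b"shared-secret-S"                     # constructed
    N, C, t = send_secret_and_authentic(S, b"hello B")
    print(N.hex(), C.hex(), receive(S, N, C, t))
```

The tag is computed over N and the masked message together, so the receiver never decrypts data whose origin it has not verified; the secrecy half on its own gives no integrity, since flipping a ciphertext bit flips the same plaintext bit.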

Performance guidelines: cryptographic costs

* Very roughly, a commodity computer can do:
  – public-key cryptography (RSA 1024 bits)
    • 20 signatures or 100 verifications/second
  – shared-key cryptography (DES)
    • 10,000s of encryptions/second
    • 1 MByte/second
  – one-way hashing (MD5, SHA-1)
    • 100,000s of hashes/second
    • 15 MBytes/second, i.e. network speed

Performance guidelines: disk and network costs

* Generously, a commodity computer can do:
  – 100 seeks/disk/second
    • In Millicent, the needed data fits in memory.
  – 1000 TCP connections/second
    • Alta Vista front-end machines handle 100 connections/second each on average.

Vendor: assumptions and calculations

* There are roughly 30M seconds/year.
* The cost of business is 15M¢/computer/year.
  – Average revenue must be at least ½¢/second.
* Because of burstiness, the vendor may have a 50:1 peak-to-average load.
  – So it must reach a 25¢/second peak.
* If the average transaction is for 0.1¢, the vendor must be able to handle 250 transactions/second.
* In addition, the vendor must pay for merchandise.

Financial agent: assumptions and calculations

* The agent gets a (roughly) 2% commission.
  – It must have a 25¢/second average revenue.
* Because of burstiness, an on-line agent may have a 10:1 peak-to-average load.
  – So it must reach a 250¢/second peak.
* For a 0.1¢ average transaction, the agent must handle 2500 transactions/second. Something has to give:
  – transaction grain
  – commission
  – on-line

Millicent: concepts

* Scrip [~ software pre-paid phone card, with PIN]
  – vendor-specific currency
    • not quite cash, account, bearer certificate, ...
  – generated by either brokers or vendors
  – based on secrets and cryptography
* Brokers
  – financial agents that handle real money
  – sellers of vendor scrip to customers
* Vendors
* Customers

The big picture

[Diagram: Customer (Jurisdiction C), Broker (Jurisdiction B; actually a broker network) and Vendor (Jurisdiction V), with four labelled flows:
  – Customer – Broker: using secure macrocommerce, exchange money for broker scrip ($, weekly).
  – Customer – Broker: using broker scrip, customer purchases vendor scrip.
  – Customer – Vendor: exchange the vendor’s scrip for service.
  – Vendor – Broker: using secure macrocommerce, exchange money for scrip sold by broker ($$$, monthly).]

A closer look at a piece of scrip

* A piece of scrip consists of a body, with the following fields:
  – Vendor: a name for the vendor,
  – Props: any data describing customer properties (possibly including a name),
  – Value: the value of the scrip,
  – Expiry: the expiration time for the scrip,
  – ID#, Cust ID#: some ID material
* and of a hash:
  – Stamp: a proof of validity for the piece of scrip.

A closer look at the stamp of a piece of scrip

* Stamp = hash(Scrip body, Master scrip secret)
* Master scrip secret is used for certifying scrip.
  – It is not known to the customer.
  – It is used for many pieces of scrip for one vendor.
* ID# identifies Master scrip secret, and in addition includes a sequence number.

Scrip stamp generation (at vendor or broker)

[Diagram: the scrip body (Vendor, Value, ID#, Cust ID#, Expiry, Props) and the master scrip secret selected by ID# (Master scrip secret 5, out of secrets 4, 5 and 6) are fed to Hash; the output is the Stamp, which is handed to the Customer with the body.]

Scrip stamp validation (at vendor)

[Diagram: the vendor uses the ID# in the presented body to select Master scrip secret 5 (out of 4, 5 and 6), hashes the body (Vendor, Value, ID#, Cust ID#, Expiry, Props) with it, and compares the result to the Stamp the Customer presented.]

Making a purchase

* The customer generates a request and attaches some scrip to it.
  – The customer provides an integrity check using a customer secret (CS) shared with the vendor.
  – The customer sends Scrip, Request, hash(Scrip, Request, CS)
* The vendor checks the integrity of the request and the validity of the scrip.
* Then the vendor sends a reply and any change: Scrip’, Reply, hash(Scrip’, Stamp, Reply, CS)

Request stamp computation (at customer and vendor)

[Diagram: Request, Scrip and Customer secret are fed to Hash; the output is the Request stamp.]

The customer secret

* Customer secret does not require extra negotiation.
  – Customer secret is derived from another secret, Master customer secret.
    • Customer secret = hash(Cust ID#, Master customer secret)
* Master customer secret is not known to the customer.
  – It is used for many customers of one vendor.
* Cust ID# identifies Master customer secret, and in addition includes a sequence number.

Customer secret computation (at broker or vendor)

[Diagram: the Cust ID# from the scrip body (Vendor, Value, ID#, Cust ID#, Expiry, Props) selects Master customer secret 3 (out of 2, 3 and 4); Cust ID# and that master secret are fed to Hash, and the output is the Customer secret.]

The cost of processing a purchase

* The vendor verifies adequacy of payment, plus:
  – a scrip stamp using 1 hash (against tampering),
  – a request stamp using 2 hashes (against theft): one for the customer secret and one for the request stamp,
  – serial number (against double-spending).
* The vendor provides service and returns change using 2 hashes, for the new scrip and reply stamps.
* For a scrip purchase the broker does 3 more hashes to create and transmit scrip and customer secret.
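The whole purchase path from the last several slides (scrip body and stamp, master secrets selected by ID# and Cust ID#, the derived customer secret, the request stamp, the vendor's checks and the stamped change) as one added example; this is not MilliCent's own code. HMAC-SHA256 stands in for hash(…), and the vendor name, master secrets, ID numbers and fixed clock are constructed values. The comments mark where each of the five vendor-side hashes counted above is spent, and the demo at the end exercises the three failure cases the next slide lists: tampering, theft of scrip without the customer secret, and double-spending.

```python
# Added example (not MilliCent's own code): scrip minting, stamp validation,
# customer-secret derivation and a stamped purchase with change.
import hashlib
import hmac
import json

NOW = 1_000_000          # constructed clock so expiry checks are deterministic

def h(key: bytes, *parts) -> str:
    """hash(part1, part2, ..., key): keyed hash over length-prefixed parts so that
    fields cannot be shifted into one another.  Non-bytes parts are JSON-encoded."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        data = part if isinstance(part, bytes) else json.dumps(part, sort_keys=True).encode()
        mac.update(len(data).to_bytes(4, "big") + data)
    return mac.hexdigest()

class Vendor:
    """Holds the master secrets.  ID# and Cust ID# are '<secret number>:<sequence number>'."""
    def __init__(self, name: str):
        self.name = name
        self.master_scrip = {5: b"master-scrip-secret-5"}        # constructed
        self.master_cust = {3: b"master-customer-secret-3"}      # constructed
        self.seq = 0
        self.spent = set()   # sequence numbers already redeemed: the local double-spend check

    def mint(self, value: int, cust_id: str, props: dict, ttl: int = 3600) -> dict:
        """Scrip body plus Stamp = hash(body, master scrip secret)."""
        self.seq += 1
        body = {"vendor": self.name, "props": props, "value": value,
                "expiry": NOW + ttl, "id": f"5:{self.seq}", "cust_id": cust_id}
        return {"body": body, "stamp": h(self.master_scrip[5], body)}

    def customer_secret(self, cust_id: str) -> bytes:
        """CS = hash(Cust ID#, master customer secret); the broker computes this for the customer."""
        secret_no = int(cust_id.split(":")[0])
        return h(self.master_cust[secret_no], cust_id).encode()

    def check_scrip(self, scrip: dict) -> str:
        body = scrip["body"]
        master = self.master_scrip.get(int(body["id"].split(":")[0]))
        if master is None or body["vendor"] != self.name:
            return "unknown issuer"
        if not hmac.compare_digest(h(master, body), scrip["stamp"]):
            return "bad stamp"            # tampering: 1 hash
        if body["expiry"] < NOW:
            return "expired"
        if body["id"] in self.spent:
            return "double spend"         # a local lookup, no round-trip to a central authority
        return "ok"

    def serve(self, scrip: dict, request: dict, request_stamp: str) -> tuple:
        """Returns ((change, reply, reply stamp) or None, reason)."""
        why = self.check_scrip(scrip)
        if why != "ok":
            return None, why
        cs = self.customer_secret(scrip["body"]["cust_id"])                 # theft: hash 1 of 2
        if not hmac.compare_digest(h(cs, scrip, request), request_stamp):   # theft: hash 2 of 2
            return None, "bad request stamp"
        if scrip["body"]["value"] < request["price"]:
            return None, "insufficient value"
        self.spent.add(scrip["body"]["id"])
        reply = {"url": request["url"], "content": "the article text"}
        change = self.mint(scrip["body"]["value"] - request["price"],
                           scrip["body"]["cust_id"], scrip["body"]["props"])   # new scrip: 1 hash
        return (change, reply, h(cs, change, scrip["stamp"], reply)), "ok"    # reply stamp: 1 hash

def customer_buy(vendor: Vendor, scrip: dict, cs: bytes, url: str, price: int) -> tuple:
    """Customer sends Scrip, Request, hash(Scrip, Request, CS) and verifies the reply stamp."""
    request = {"url": url, "price": price}
    result, why = vendor.serve(scrip, request, h(cs, scrip, request))
    if result is None:
        return None, why
    change, reply, reply_stamp = result
    if not hmac.compare_digest(h(cs, change, scrip["stamp"], reply), reply_stamp):
        return None, "bad reply stamp"
    return (change, reply), "ok"

def demo() -> dict:
    """One honest purchase followed by the three things scrip is designed to resist."""
    v = Vendor("news.example")
    cust_id = "3:42"
    scrip = v.mint(10, cust_id, {"name": "alice"})
    cs = v.customer_secret(cust_id)
    out = {}
    result, out["first"] = customer_buy(v, scrip, cs, "/story/1", 3)
    change, _reply = result
    out["change_value"] = change["body"]["value"]
    _, out["replay"] = customer_buy(v, scrip, cs, "/story/2", 3)        # same piece of scrip again
    forged = {"body": dict(change["body"], value=1000), "stamp": change["stamp"]}
    _, out["tampered"] = customer_buy(v, forged, cs, "/story/2", 3)     # value edited, stamp stale
    _, out["stolen"] = customer_buy(v, change, b"not-the-customer-secret", "/story/2", 3)
    return out

if __name__ == "__main__":
    print(demo())
```

Each rejection is reached by a different check: the edited body fails the scrip stamp, the replayed ID# fails the local spent-set lookup, and the stolen change fails the request stamp because the thief cannot derive the customer secret without the master customer secret.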

Advantages of scrip

* Because scrip is vendor-specific currency, double-spending is easy to detect.
  – It requires only a local lookup (using a unique sequence number).
  – In contrast, other kinds of currency may require a round-trip to a central authority.
* Forgery is hard.
  – Scrip includes a stamp.
* Scrip cannot be stolen.
  – Payment is cryptographically tied to the request.

MilliCent System Architecture

[Diagram: components shown are Vendor, Broker Server, Price File, Broker, Price Configurator, HTTP, Document Tree, User, Browser, Vendor Server, Wallet, Browser Cache, Wallet Contents and Web Server.]

Digital Equipment Corporation © 1995-1997