
7.3.2 Pre Protocol Stage

The messages in the pre protocol stage are listed in Table 7.2 and described in detail below.

First, M advertises online the unique product-ID it generated, the product-price, the product-description and a public key PwM. M can use his/her own website or a third-party listing service to advertise these details. M also advertises the TTP-Pool, a list of potential TTPs that could be used in the transaction. As per our assumption A2, a C who wishes to purchase a product selects a TTP from the TTP-Pool and registers with it. This selection process gives C control over the choice of TTP, rather than relying on a particular TTP proposed by M.

Table 7.2: Pre Protocol Stage

a. C → M : encryption||sSiC[h(encryption)]
   encryption = ePwM{product-ID||Order||sSiC[h(Order)]||PiC||N1C||ViCcert}
   Order = Pseudo-ID-iC||TTP||payment-method||product-price

b. M → TTP : encryption||sSiM[h(encryption)]
   encryption = ePTTP{Transaction-ID||K1||K1⁻¹||Pseudo-ID-iM||N1M}

c. TTP → M : encryption||sSTTP[h(encryption)]
   encryption = ePiM{K1||TTP||Pseudo-ID-iM||sSTTP[h(K1||TTP||Pseudo-ID-iM)]||Transaction-ID||N1M||N1TTP}

d. M → PV : encryption||sSM[h(encryption)]
   encryption = ePPV{pseudo-ID-M||product-description||m||PM||product-ID||N2M||K1||TTP||Pseudo-ID-iM||sSTTP[h(K1||TTP||Pseudo-ID-iM)]}

e. PV → M : encryption||sSPV[h(encryption)]
   encryption = ePM{PVcert||Encryptcert||N2M||N1PV}
   PVcert = X1||sSPV[h(X1)]
   X1 = product-ID||product-description||eK1{m}
   Encryptcert = X2||sSPV[h(X2)]
   X2 = h(eK1{m})||K1||TTP||Pseudo-ID-iM

f. M → TTP : encryption||sSiM[h(encryption)]
   encryption = ePTTP{Transaction-ID||Pseudo-ID-iM||Pseudo-ID-iC||Encryptcert||N1TTP||N3M}

g. TTP → M : encryption||sSTTP[h(encryption)]
   encryption = ePiM{TTPcommit||N3M||N2TTP}
   TTPcommit = Y1||sSTTP[h(Y1)]
   Y1 = Transaction-ID||Pseudo-ID-iM||Pseudo-ID-iC||h(eK1{m})

Message a: C registers with the TTP and creates a concatenation which includes: product-ID, Order, a digital signature on the hash of Order using SiC, PiC (only used in Ti), a fresh nonce generated by C and the TTP-issued public signature verification certificate.

C then encrypts the concatenation using M's advertised public key. The hash of this encryption is then signed by C using SiC to create sSiC[h(encryption)]. C sends both the digital signature and the encryption to M. We use the same notation to represent the digital signatures sent in each subsequent message. The digital signatures can be verified by M using ViCcert.

The Order includes: the Pseudo-ID-iC registered with the TTP and used only during Ti, the TTP chosen and registered with by C, the payment-method, which indicates which digital cash system to use, and the product-price.

Message b: As detailed in our assumption A2, after receiving C's message, M registers with the same TTP. M creates a concatenation which includes: a unique transaction ID generated by M for Ti, the public and private key pair to be escrowed with the TTP, the Pseudo-ID-iM registered with the TTP and used only during Ti, and a fresh nonce.

M encrypts the concatenation using PTTP and signs the hash of the encryption using SiM. M then sends both parts to the TTP.

Message c: Once the message is received, the TTP verifies whether the public/private key pair to be escrowed is in the correct format. If satisfied, the TTP creates a concatenation which includes: K1, TTP, Pseudo-ID-iM (we refer to these as "the three components"), the TTP's digital signature on the hash of the three components, the transaction ID, M's nonce and a new nonce. The TTP then encrypts the concatenation using PiM and signs the hash of the encryption using STTP. Both parts are then sent to M.

Message d: After receiving the TTP's message and registering with PV according to our assumption A1, M now needs to get product m certified and encrypted by PV using the K1 escrowed with the TTP. For this, M creates a concatenation which includes: pseudo-ID-M, product-description, m, PM, product-ID, a new nonce, the three components and the TTP's digital signature on the hash of the three components. M encrypts the concatenation using PPV and signs the hash of the encryption using SM, which is only used with PV according to A1. Both the encryption and the signature are then sent to PV.

Message e: After receiving the message, PV checks whether the product matches its product-description. If it matches, PV encrypts m using K1 and generates a product verifier certificate PVcert, which includes X1 and a signed hash of X1 using SPV. X1 consists of the product-ID, the product-description and the encrypted product.

At the same time, PV also verifies the TTP's digital signature on the three components received in the previous message. If satisfied, PV generates an Encryption Certificate.

The Encryptcert includes X2 and a digital signature on the hash of X2 using SPV. X2 consists of a hash of the encrypted product and the three components verified to have come from the TTP. PV then creates a concatenation which includes: PVcert, Encryptcert, N2M and N1PV. The concatenation is then encrypted using PM, which is shared only with PV. PV signs the hash of the encryption using SPV before sending both parts to M.

Message f: After receiving the message, M creates a concatenation which includes: the Transaction-ID, Pseudo-ID-iM, Pseudo-ID-iC, Encryptcert, N1TTP and a new nonce. The concatenation is then encrypted using PTTP and the hash of the encryption is signed using SiM. Both parts are then sent to the TTP. It must be noted that, with the Encryptcert, the TTP receives only a hash of the encryption, not the actual encrypted product.

Message g: Lastly, once the message is received, the TTP verifies the Encryptcert. The verification indicates that the product was encrypted using the key K1 escrowed with the TTP. Following this, the TTP issues a commitment certificate called TTPcommit. The TTP then creates a concatenation which includes: the TTPcommit, M's previous nonce and N2TTP. The concatenation is encrypted using PiM, and a signed hash of the encryption using STTP is appended before both parts are sent to M. The TTPcommit includes Y1 and the TTP's digital signature on the hash of Y1 using STTP. Y1 consists of the Transaction-ID, Pseudo-ID-iM, Pseudo-ID-iC and a hash of the encrypted product.
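The certificate chain of messages e to g, as an added example that is not part of the original text: PV signs X2, and the TTP checks that signature and the three components against its escrow record before signing Y1. Assumptions: the signatures use toy textbook RSA over SHA-256 as a stand-in for sS[h(.)], "||" is implemented with length prefixes (the text does not specify an encoding), and all function names, byte values and the escrow comparison are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent for the toy RSA below
def keygen(p, q):
    """Textbook RSA from two known Mersenne primes: illustration only, not secure."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))      # (modulus n, private exponent d)

def h(data):
    return hashlib.sha256(data).digest()
def sign(key, data):                                  # stand-in for sS[h(data)]
    n, d = key
    return pow(int.from_bytes(h(data), "big") % n, d, n)
def verify(n, data, sig):
    return pow(sig, E, n) == int.from_bytes(h(data), "big") % n

def cat(*fields):
    """'||' with 4-byte length prefixes, so field boundaries cannot be shifted."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def split(blob):
    fields = []
    while blob:
        size = int.from_bytes(blob[:4], "big")
        fields.append(blob[4:4 + size])
        blob = blob[4 + size:]
    return fields

def pv_encryptcert(pv_key, ciphertext, k1, ttp, pseudo_im):
    """Message e: Encryptcert = X2 || sSPV[h(X2)]."""
    x2 = cat(h(ciphertext), k1, ttp, pseudo_im)
    return x2, sign(pv_key, x2)

def ttp_commit(ttp_key, pv_n, escrow, txn_id, pseudo_ic, cert):
    """Message g: check Encryptcert, then TTPcommit = Y1 || sSTTP[h(Y1)]."""
    x2, sig = cert
    if not verify(pv_n, x2, sig):
        raise ValueError("Encryptcert not signed by PV")
    ct_hash, *three = split(x2)
    if three != list(escrow):                         # (K1, TTP, Pseudo-ID-iM) on file
        raise ValueError("Encryptcert names a key that is not escrowed")
    y1 = cat(txn_id, escrow[2], pseudo_ic, ct_hash)   # TTP never sees eK1{m} itself
    return y1, sign(ttp_key, y1)

# Constructed sample values (hypothetical identifiers, opaque stand-in ciphertext)
PV_KEY = keygen(2**127 - 1, 2**107 - 1)
TTP_KEY = keygen(2**127 - 1, 2**89 - 1)
ESCROW = (b"K1-public-key-bytes", b"TTP-1", b"pseudo-iM-42")
CIPHERTEXT = b"\x8f\x02 constructed stand-in for eK1{m}"
CERT = pv_encryptcert(PV_KEY, CIPHERTEXT, *ESCROW)
COMMIT = ttp_commit(TTP_KEY, PV_KEY[0], ESCROW, b"txn-0001", b"pseudo-iC-7", CERT)
```

The TTP's input contains only h(eK1{m}), so the resulting TTPcommit binds the transaction to the encrypted product without the TTP ever holding it.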