The goal of this project was to design protocols to support emerging services in high speed networks, and to demonstrate them in a trial system. Cambridge University Computer Laboratory's principal role was to design a payment mechanism and integrate it in a prototype multimedia application.
Over the last few years there have been a number of proposals for
making payments over the net. These can be grouped into electronic
cash or credit/debit card systems. In the first case the customer buys
a number of electronic coins from the bank and spends them with one or
more merchants, who can then redeem the coins with the bank. In the
second case an bank card transaction processing system is overlaid on
the existing credit card legacy infrastructure. This is how things are
done today, but such systems - notably as SSL and SET - suffer from
relatively high transaction costs and prove uneconomic for payments
smaller than a certain threshold.
The NetCard protocol supports micropayments. It was designed on the assumption that in order to control network and processing costs, small transactions would not be authorised online to the bank. It presents a number of micropayment protocols for use in electronic commerce, and discusses how these can be made robust against attacks on either the legacy credit card infrastructure or the public key certification mechanisms that are currently being built. NetCard can be combined with electronic credit card systems to provide solutions to a broader range of application requirements.
The key innovation is that, instead of having to do a digital
signature each time the customer spends a coin, she can sign a whole
stick of coins that are hashed together in a recursive way and then
spend these coins one at a time. The recursive hashing technique
greatly reduces the computational complexity in applications where a
series of low value payments are made to the same merchant. This work
appeared at the 1996 Cambridge Workshop on Security Protocols, and has
also stimulated research by others, both within the security group at
Cambridge and in the world at large. Links to such work are given
Payment mechanisms are probably the most visible part of electronic commerce, but several other mechanisms are needed to complete the picture. This has motivated some work on cryptographic primitives.
The first of these was the Guy Fawkes protocol. The objective was to associate a single act of authentication with a stream of future transactions / statements. Hash chains, as used in the NetCard protocol, are utilised in a different way to establish secure association at low computational cost. The operation is equivalent to a digital signature with the additional benefit that it provides forward security. This work is being published as a technical report.
We designed a new hash function, Tiger, to support both the NetCard and Guy Fawkes protocols. This was designed to run extremely fast on the new 64-bit processors such as DEC Alpha, while still running reasonably quickly on existing hardware such as Intel 80486.A reference implementation can be got by clicking here, while a note on how we generated the Tiger S-boxes can be got by clicking here. This appeared at the third international workshop on Fast Software Encryption.
Next, we turned our attention to the intellectual property problem. We came up with a method to combine decryption with copyright marking. Content owners can broadcast a single encrypted version of an audio file for example while subscribers are given slightly different deciphering keys that produce slightly different decrypted versions. That is how individual copies can be identified or illegal resellers can be traced. This work appeared as a paper at the 1997 Fast Software Encryption Workshop. It is this research that we chose to take further and we are currently being funded by Intel to do more work on copyright marking.
Finally, we decided to look deeper into a problem that is causing more
and more problems in the electronic commerce environment, namely
public key certification. At the moment there is no single approach
that fulfils all the requirements. By publishing a book -
The Global Trust Register - containing the
fingerprints of the world's most important public keys, we enabled
system users to gain an extra level of assurance of the integrity of
top level public keys. The book links trust in the electronic world to
established physical publishing mechanisms and thus cuts through the
debate on how to bootstrap trust in cyberspace. We published the
first edition in February 1998; it has now been taken over
by MIT Press who will publish the 1999 and subsequent editions.
For years, banking system designers have trusted the tamper resistance claims made by the manufacturers of smartcards and other security processors. This is very unwise. Tamper Resistance - A Cautionary Note describes how to penetrate these devices and recover key material. It has been accepted for the 1996 Usenix Electronic Commerce Workshop, where it has won the Best Paper award. It is also available in HTML format.