Review of the
Seventh International Financial Cryptography Conference
Gosier, Guadeloupe, FWI
January 27-30, 2003
Review by Jean Camp, Program Co-Chair
March 1, 2003
jean_camp@harvard.edu
Monday 1/27/2003
Keynote talk: Digital Cash - ahead of its time or just a bad idea?
Tim Jones (Mondex)
Session Chair: Rebecca Wright. Mondex was an attempt to bring crypto to the masses. Why did it fail? Did it have any successes? What was learned?
Tim Jones, who chose to introduce himself as Co-inventor of Mondex and therefore the person whose fault it all is.
This is a business presentation on why bringing crypto to the masses failed even with the support of major corporations.
"Of all the things we did wrong one was an absolute corker." So he begins with a history of Mondex. Initially the banks chose to create EFTPOS-UK in 1986. The banks conceptualized it as an electronic check, and that led to putting 250£ into an architecture based on a flawed intellectual premise. There were huge debates, which he classifies as jihads, on DES v. RSA. "EFTPOS-UK was a turkey so it didn't matter but we learned."
The UK banks felt debit cards happened _to_ _them_ instead of there being control. The banks wanted to control the next big thing - the charge card, the credit card, and then the debit card using the same architecture. You have high->medium->low transactions so it appears that the next will be ecash. So there was a particular specific search, and then there was a choice for an 'accounted'* model.
(An accounted model means that the ecash is debited and then loaded on the card. After it is spent it ends up at the bank again.)
At the close down meeting the right questions were asked: Why don't we have a business case? Because it is too expensive. Why? Because we have all these accounting steps. Why? Because we don't know if the data coming in as money is truly money. So let's get rid of all the steps by implementing RSA, ensuring data, and locating liability appropriately.
March 2, 1990 Mondex insight: every purse in a peer-to-peer network is a secured node, which removed the need for accounting steps.
What we did right:
What we did wrong:
(In my opinion this is a condemnation of the choice to be closed. Not that I
am arguing against the existence of the ill-mannered cooler-than-thou dot snob
thing happening. Yet I was deeply in net commerce early on.)
The corker: We Picked the Wrong Kind of Everywhere
Town trials are the worst way to do diffusion, because there is an immediate
boundary created because it does not work outside. Even in the town it is
impossible to get _every_ single merchant to take it. (Naff off? is that some
English rude word?) So customers are not sure where it works. When you go and do
a town trial, the worst merchants are the ones who ought to embrace the system
because they are the ones with the worst cash controls and the most severe need
for Mondex. Yet the least relevant shops, those with established facilities like
upscale locales, took it, and the worse places (like coin-operated laundries)
won't. This was also
visible in the Upper West Side trial. Town trials are wrong, and the brand
becomes associated with failure. You are also trying to talk to every
demographic segment.
Redefine everywhere by brand association. (I believe that is what the EFTPOS
cards did because they connected with VISA.) By bonding with a known brand you
create a comprehensible customer promise that fits with the way humans extend
trust. It also creates a demographic target. It means that instead of getting
every single technical challenge right, and making it work in every
environment, there is a single technical challenge. You can make it work
perfectly in a rather narrow environment rather than trying to make it work at
all everywhere.
Who is closest to getting this right? Mass transit systems. You can buy the
cards in petrol stops (that's a gas station for us).
Where is Mondex? Well, you can bet on the net. (ha ha ha). The Dutch were
going to use interactive television which is awful. The only product that
interactive tv consistently delivers is a screen that says "please wait". Since
there are small winnings you can download money from the bank, make the lottery
bet, and get your (almost certainly very small) winnings back on the card where
you can spend it again.
The merchants used UK debit because it was better for them than a check.
Koreans are adding it to debit cards. So after two years Mondex will be
everywhere.
No one anticipated pervasive networks. These make server ecash possible in a
networked world where the cost of communications is decreasing even faster than
processing power (see the work of Andrew Odlyzko on this).
M-commerce looks promising. Ring tones and logos are deliverable to Nokia
phones. So m-commerce has already gone beyond the fantasy no-revenue model of the
Internet. There is a picture of my hotel taken this morning. It is just pants.
("Pants" is the English kid rude word. Americans can translate that as "Stink").
The phone is a Vodafone leading-edge model. (He also has an Orange SPV. That is
Microsoft's first cell phone. It is a bit like a Handspring Treo.) 5 million
could subscribe to pay a couple of euros for the next hot new single delivered in
MP3 the moment it is released.
Server-based ecash is pants/stink for privacy. IC cards balance the state's
right to regulate with the user's right to privacy. So Mondex might come later,
because society has not been harmed by privacy loss. Only the elites have
experienced true privacy problems.
So every card has a Mondex pin. But the card does not need to be linked with
an account, a person, or anything else. The pins are token identifiers. Inside
each smart card there is a transaction history file. Any user can set it to a
record size. It was initially set to a company standard of 10, and users can
wipe this by doing a series of cheap transactions. (I do not buy that argument.
I think the user should control records distribution and storage. That's not so
hard and allows for ease of dispute resolution. )
Contactless has got to happen. People like that flexibility. Contactless
makes the product cool. Bankers never think about cool. He proposed a throbbing
pellet. If you are into leather who knows what your token might look like. (I
propose that a throbbing token is a completely boy idea. Of course I like boys.)
Security assessment. Public scrutiny is not a sensible way to protect a
payment system. On your side of the debate you say that strength requires
widespread analysis. Tim advocates controlled access to assessment.
Paul Kocher got inside the product with a brilliant differential attack. He
dismisses the claims of Texas (Sandia National Labs) of having broken Mondex.
Basically he says if someone with the facilities of the US government can break
it -- that is not the threat model.
He believes publishing security holes is not a good idea.
Stuart Schechter: Maybe it is not broken because it is not being used.
TJ: As long as you keep looking and maintain your humility and are honest and
humble. (That honesty issue with respect to power and secrets is a chronic
problem.)
Concludes by saying the net has delayed ubiquitous computing but it will
come, and we will have to agree to disagree on security management.
A truly charming talk. An insight on the meaning of ubiquitous. But IMHO he
was so totally wrong on the security by obscurity thing. See Matt Blaze's
response to his critics on publishing the master key attack.
Mike Smith: Well you refuse to believe Sandia. Tim Jones: That Sandia
National Labs can break it means that we have a reasonable work factor. What
concerns me is the silicon fabs in Eastern China. So my worry is how fast is it
that the fabs in China get access to the information. There is a club of good
guys working together.
Nicko: Do you put controls in Mondex that structurally prevent switching
value and speed of transaction amounts?
Tim: There are value, origination, merchant, bank. Bank ones hold large money
pots. Origination ones are bank withdrawals. Merchants are up to tens of thousands.
There is a velocity of money control.
Adam: there are many systems since ecash, yet these have found no traction.
Why?
Tim: Ecash has to be available everywhere. The hurdle to get people to adopt
something extra is high. Vodafone and Orange have tried to get people to sign up
for a stored value account. This is because of the electronic money controls on
ecash. Vodafone and Orange cannot get people to open another account.
Nicko: Can't you solve that by filling up the everything pot and then having
the consumers pay for the telecom?
Tim: No because a combination of accounting regulation and the fact that
telephone companies are the most desperate and cash-strapped companies. Go in
today and offer a telecom company the ability to have their cash be credited
weeks later than the monies are credited today. It will be a very short
conversation. One way to fix this is to allow the operators to credit the
telephony portion to balance sheets at a high frequency.
Richard: You are putting much weight on the prediction that people need
privacy. Criminals will be the most attracted. Governments oppose it. Aren't you
putting much weight on that guess?
Tim: Proximity cash with a contactless card is more useful for something
which is not always on the net. I do think the privacy argument will play
through. The server cash will be there. But you can use the same brand and use
both cards and tokens. There will be an increasing number of people interested
in privacy.
Ray: You mentioned the cards as anonymous but there is a purse id. Can you
link serial transactions?
Tim: The purse id follows the token one step. So some effort can create a
layer of indirection by using a clean card.
Q (from someone identifying himself as from Sandia): We have not seen any
Mondex cards since the first ones out of curiosity. You said that we were the
only people who loaded money onto it. But is that because we were smart enough
or because we were interested and curious?
Tim: We picked the best people we could find and tried to get them to break
it. Many people tried to break it. There was a lot of noise, and there was
interest. Ross Anderson claimed to break it but he never gave us a loaded card
or a card id.
Q (same person): But maybe it is just not yet worth breaking.
Tim: Mondex does research on the dimensions of attack.
Paul: So much of your planning about how this might fly invokes the privacy
issue, yet your model seems to assume that there is no privacy in the network.
If that happens your assumptions go away. But you seem sanguine about this.
Tim: You are right. I am very sanguine because I am not part of it any more.
Agoric Inc has some interesting ideas about peer economics. I think we need
something that respects the fact that millions of copies can be sold.
I argued at lunch that part of the reason Mondex was not cool was that it was
closed, and a cool product would have gotten traction. He disagreed. I think it
should be included as part of the cost -- that being closed by definition closes
things off to you. I also argued that bankers have a risk-averse culture of
integrity which is woefully absent in commercial computer programming and that
an open system allows people to watch your suppliers. He maintains that they can
watch their suppliers very well thank you, and closed does not imply trust in
suppliers.
Micropayments and E-cash Session Chair: Jacques Stern
Using Trust Management to Support Transferable Hash-Based Micropayments
Simon Foley
A quick recap. A payer signs a contract promising to reimburse through a hash
chain. There is a hash chain of length n, issued to a principal payee. The first
decision that must be made by the payee is "is the payer trustworthy?"
There is a series of payments. Then the payee seeks payment and the trustor
asks whether the request for payment is legitimate.
Using these questions the hash-based micropayment scheme can be based on some
trust calculus. Therefore Blaze and Feigenbaum's KeyNote system can be applied in a
valuable and consistent manner. The rest of the presentation is details of the
application.
We should think of a contract as a certificate issued by the payor that
authenticates the payee as having the right to assert demands for payment.
Examples given are: trust a payee for up to some threshold, or, for a payor,
trust any request for payment based on verification of the contract. The
payee's compliance check can verify whether the payor is authorized to make the
first payment. After that the KeyNote verification requires only checking the
consistency of the hash chain.
Richard: Is there a requirement for a pre-existence trust relationship? Why
is there a policy question there?
Simon: Because the trust question is based on the trust of the key.
Richard F.: So when you say trust the party you mean trust the key.
In delegating hash chain contracts both the validity of the payment and the
transfer of the payments must be trusted. How does the party that is receiving
the delegated payment confirm that the delegator will not try to both delegate
and obtain payment? Keynote can clarify and solve this problem by confirming
that the first hash payment is valid and by verifying the contract of the
delegator. Thus if the delegator cashed in there would be nonrepudiation when
the final payee can prove rights to the payment.
He applies KeyNote to show how the use of a trust calculus and contracts can
enable complex subcontracts and subcontractors with limits, by making the
trust dependencies understandable. One cool thing is that given the credential
in a subcontract, the subcontractor can break the hash chain in a different
manner (e.g. the payee gets p^n, p^8n and can delegate p^4n for a second payment).
The need for and details of the contract are clarified by the use of KeyNote.
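The contract check, the one-hash-per-payment check and the delegation check described in the two passages above, as an added example that is not the paper's or KeyNote's own code. It assumes constructed parties (Alice pays Bob, Bob delegates part of the chain to Carol), a dictionary of trusted keys standing in for a KeyNote policy, and an HMAC under those keys in place of real signatures.

```python
# Added example (not the paper's code): parties, keys and values are constructed,
# and an HMAC under per-party keys stands in for a digital signature (assumption).
import hashlib
import hmac
import json

def H(b):
    return hashlib.sha256(b).digest()

def make_chain(seed, n):
    """w[0] = seed, w[i+1] = H(w[i]); the payer puts w[n] (the anchor) in the contract."""
    w = [seed]
    for _ in range(n):
        w.append(H(w[-1]))
    return w

def sign(key, doc):
    return hmac.new(key, json.dumps(doc, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def verify_sig(key, doc, sig):
    return hmac.compare_digest(sign(key, doc), sig)

def hashes_to(token, target, limit):
    """Hash steps from token to target (0 if equal); None if not reached within limit."""
    for i in range(limit + 1):
        if token == target:
            return i
        token = H(token)
    return None

def issue_contract(payer, key, payee, anchor, length, unit_cents):
    doc = {"payer": payer, "payee": payee, "anchor": anchor.hex(),
           "length": length, "unit_cents": unit_cents}
    return doc, sign(key, doc)

def payee_accepts_contract(doc, sig, trusted, max_cents):
    """First trust question: is the payer's key trusted, and is the exposure within policy?"""
    key = trusted.get(doc["payer"])
    return (key is not None and doc["length"] * doc["unit_cents"] <= max_cents
            and verify_sig(key, doc, sig))

def accept_token(token, last_accepted):
    """After the contract each payment costs one hash: the token must map onto the last one."""
    return H(token) == last_accepted

def issue_subcontract(delegator, key, sub, contract, contract_sig, start, end):
    """Delegator signs the chain segment (start, end] over to a subcontractor."""
    doc = {"delegator": delegator, "subcontractor": sub, "contract": contract,
           "contract_sig": contract_sig, "start": start, "end": end}
    return doc, sign(key, doc)

def subcontractor_accepts(doc, sig, seg_anchor, seg_last, trusted):
    """Check the payer's contract, the delegator's subcontract, and the segment's hashes."""
    c = doc["contract"]
    pk, dk = trusted.get(c["payer"]), trusted.get(doc["delegator"])
    if pk is None or dk is None or c["payee"] != doc["delegator"]:
        return False
    if not (verify_sig(pk, c, doc["contract_sig"]) and verify_sig(dk, doc, sig)):
        return False
    # seg_anchor sits 'start' hashes below the payer's anchor; seg_last 'end-start' below that
    return (hashes_to(seg_anchor, bytes.fromhex(c["anchor"]), c["length"]) == doc["start"]
            and hashes_to(seg_last, seg_anchor, c["length"]) == doc["end"] - doc["start"])

class PayerLedger:
    """Payer side: pay each segment once; a non-payee claimant needs the delegator's subcontract."""
    def __init__(self, contract, trusted):
        self.c, self.trusted, self.paid = contract, trusted, []
    def redeem(self, claimant, start, end, last_token, subcontract=None):
        c = self.c
        if claimant != c["payee"]:  # nonrepudiation: the signed subcontract proves the right
            doc, sig = subcontract if subcontract else (None, None)
            if (doc is None or doc["contract"] != c or doc["subcontractor"] != claimant
                    or (doc["start"], doc["end"]) != (start, end)
                    or not verify_sig(self.trusted[doc["delegator"]], doc, sig)):
                return 0
        if not 0 <= start < end <= c["length"] or any(s < end and start < e for s, e in self.paid):
            return 0  # bad range, or overlap with a segment already paid (double claim)
        if hashes_to(last_token, bytes.fromhex(c["anchor"]), c["length"]) != end:
            return 0
        self.paid.append((start, end))
        return (end - start) * c["unit_cents"]

def demo():
    """Constructed run: Alice pays Bob 8 of 10 tokens; Bob passes segment (4, 8] on to Carol."""
    trusted = {"alice": b"alice-key", "bob": b"bob-key", "carol": b"carol-key"}
    n, w = 10, make_chain(b"constructed-seed", 10)
    contract, csig = issue_contract("alice", trusted["alice"], "bob", w[n], n, 5)
    ok_contract = payee_accepts_contract(contract, csig, trusted, max_cents=100)
    last, received = w[n], 0
    for i in range(1, 9):
        if accept_token(w[n - i], last):
            last, received = w[n - i], i
    sub, ssig = issue_subcontract("bob", trusted["bob"], "carol", contract, csig, 4, 8)
    ok_sub = subcontractor_accepts(sub, ssig, w[n - 4], w[n - 8], trusted)
    ledger = PayerLedger(contract, trusted)
    carol = ledger.redeem("carol", 4, 8, w[n - 8], (sub, ssig))
    bob_double = ledger.redeem("bob", 0, 8, w[n - 8])  # also claims Carol's segment: refused
    bob = ledger.redeem("bob", 0, 4, w[n - 4])
    return {"contract": ok_contract, "received": received, "subcontract": ok_sub,
            "carol_cents": carol, "bob_double": bob_double, "bob_cents": bob}
```

The ledger's overlap check is what turns the delegator's signed subcontract into nonrepudiation: once Carol has redeemed (4, 8] with Bob's signature on it, Bob can only cash the segment he kept.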
A Micro-Payment Scheme Encouraging Collaboration in Multi-Hop Cellular
Networks Markus Jakobsson, Jean-Pierre Hubaux, and Levente Buttyan
You have a set of base stations and a set of mobile stations moving around. In
traditional systems the mobile station would reach the base station in a single
hop. In multi-hop networks the base station can be reached by routing through
and sharing with the other mobile stations. Currently there are no such networks
built, yet there are many research proposals for such a scheme.
The major advantage is power: transmitting in multiple hops has lower power
requirements. Another advantage is cost, as base
stations are expensive, or extended capacities for the base station with no
increased cost.
We assume upstream is multihop but downstream is singlehop so this means that
the power advantage stays but the cost advantages are decreased.
Why should mobile nodes forward? Selfish behavior is optimal behavior.
Therefore this paper proposes a micro-payment scheme.
Marti et al. proposed a watchdog and path rater, which does not discuss
misbehavior.
Buchegger looks at reputation-based collaboration, which seems to be subject to
pseudo-spoofing.
Rivest looked at aggregation requiring probabilistic payments (using lottery
tickets as payments) but this has not previously been applied to routing.
Micali and Rivest talked about probabilistic payments with deterministic
debts. Again very useful but not previously used for routing.
The general scheme is that the source sends a payment token with the
packets. Each node interprets the token as a lottery ticket. If it is a winning
ticket you submit the reward claim. In any case you forward the token and the
packet. Assume the mobile devices are selfish and the base is honest.
Attacks: taking only winning tickets; sniffing packets for other winning
tickets; crediting a friend (e.g., "here, send this msg, you'll win with this
one"); ticket pooling; tampering with claims; tampering with reward levels,
particularly useful with near-source collusion.
Protocol requires a shared symmetric key for each mobile station and a base
station. Each mobile device keeps track of immediate neighbors and the distance
to the base station in hops.
Packet dropping shows up as a node appearing as a receiving neighbor more often
than as a sending neighbor. The auditing technique is in the spirit of fraud
detection in existing telephony networks. No
formal model or proofs given. These actions are for future research.
Adam: What about the digital silk road paper? How does that relate? A: The
main difference is that silk road is pure p2p and here we have an operator and
take advantage of this. Roger: How can we detect someone who is cheating if
there is a model for cheating. What about people framing others for cheating? A:
We consider only selfish nodes but not malicious nodes. We consider strictly
rational self-optimizing nodes. Paul: It could be beneficial if you could knock
out competitors. A: Not in the general case.
On the Anonymity of Fair Off-line e-Cash Systems Matthieu Gaud and Jacques
Traoré
Frankel, Tsiounis, and Yung improved the security of Solages and Traoré 98. Yet in
neither case was either anonymity or security properly proven. In this
presentation those works are reviewed. After examination it turns out that
both are provably anonymous. Yet neither of these is provably secure because
both depend on Chaum's blind signature problem.
delayed: Retrofitting Fairness on the Original RSA-Based E-Cash Shouhuai Xu
and Moti Yung
moved up: How Much Security is Enough to Stop a Thief? Stuart Schechter and
Michael Smith
Instead of wondering how hard is it in technical terms to break a system
think like an economist. Think about "what does it cost to find a vulnerability?"
and then think about "what is the value for the adversary of breaking into a
system?"
In order to make the investigation of this model manageable the paper
models the attacker as a thief. If the attacker is motivated by
nationalism or ego it is much less feasible to evaluate the willingness to pay.
By modeling a thief we can assume the thief only wants attacks that return
more than they cost. So a core of this model is the formalization of the
outside threat using tools of economics.
There has been some study about converting access to loot: steal data and sell
it; access data, encrypt it, and resell a person their own data; sell access,
that is, break into a machine and sell access to it.
So we can assume thieves are interested in a very high rate of return since
they are, by definition, not legitimate business people. So consider the types
of thieves. There are serial thieves, parallel thieves and one-time thieves. Well,
the economics of stealing are not so different from the economics of honesty. So
the greatest concern is the parallel and automated threat.
Notice the concern is outside theft rather than insider theft or social
engineering, because those do not scale.
So the approach is to create the expected value for one thief (the one-time
thief). Then expand it in time to the serial attack. Now when you add the second
attack you have to consider the possibility that your attack no longer functions.
So the probability of detection increases over time and the probability of
failure increases over time. While a simple first sketch would show target
independence, targets are not independent. Not only is there patching and
increased observation but also the attacker learns some marginal amount during
each attack. (This is shown in formal notation.)
Note that doubling the probability of detection decreases the value of the
vulnerability by half. Therefore this illustrates the value of both intrusion
detection and the value of patching to decrease the value of a vulnerability.
Using this model it is possible to make a business case for security.
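An added back-of-the-envelope version of the serial-thief argument, my own simplification and not the paper's formal model: assume each repeated use of a vulnerability yields loot $L$ and, independently, is detected with probability $p$, which ends the series. Then the vulnerability's expected value to the serial thief is

$$V(p) = \sum_{k=1}^{\infty} L\,(1-p)^{k} = L\,\frac{1-p}{p},$$

so $\frac{V(2p)}{V(p)} = \frac{1-2p}{2(1-p)} \approx \frac{1}{2}$ for small $p$, which is the "doubling detection halves the value" observation above. Patching enters the same sum: if attack $j$ also fails (independently) with probability $f_j$, the term $(1-p)^{k}$ becomes $\prod_{j \le k} (1-p)(1-f_j)$, so any rise in $f_j$ over time cuts $V$ as well.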
It is also the case that anonymity decreases risks to the thief. Increased
anonymity decreases risks and non-revocable anonymity significantly reduces the
expected cost or risk of being detected for the thief.
Paul: what does this imply about sharing information? It seems that this
model suggests that sharing information does not help the sharer. According to
your model there is no risk in sharing.
Scott: Currently people do not share because of stock market responses.
Citibank did just this and their stock price took a hit but they increased
overall customer trust.
Rebecca: It is clearly an oversimplification to suggest that there is no
increase in risk. Right now the common oversimplification is that sharing
information creates only risk. What you hear now is a debate about responsible
disclosure. There is a community of attackers who share information.
Scott: When you find a vulnerability do you share it with everyone? But what
if you have partial information? Most of the value is in victims' combining
information to understand complete attacks more quickly. This is an area for
further work to make this formal and prove it.
Drew: What about stock manipulation attacks?
Scott: Does the market act rationally adjusting stock based on vulnerability
information? Large market fluctuations are based on lack of understanding.
Understanding should be increased.
Adam: Criminals like anonymity. They like that but they do it through
identity theft and breaking into chains of machines. They avoid formal privacy
systems which may be monitored. Does anonymity really help?
Scott: Breaking into a system requires a risk. A chain of servers creates a
set of transactional risks. What I am saying is not that anonymity should not be
built in but rather that anonymity should be revocable.
Q: What about liability?
Scott: I will talk about that tomorrow.
Rachel G: You talk about sharing partial information, what good is partial
information?
Scott: How much do you want to use this attack against someone who has some
clues and can know to watch you?
Q: What's the use of this model?
Scott: This model begins when crypto stops. There will always be
implementations with millions of lines of code. There will always be
integration. This is even being used to price brute force attacks.
Panel: Does anyone really need MicroPayments? Moderator: Nicko van Someren
(nCipher) Participants: Tim Jones (Ex Mondex) Andrew Odlyzko (University of
Minnesota.) and Ron Rivest (MIT, PepperCoin), Duncan May (journalist at large)
Andrew: Four Fundamental Reasons MicroPayments Will Never Happen
1. A gold dollar. Americans go to Europe and say why don't we have a dollar. The
Susan B Anthony failed and so the mint came up with a gold dollar. Three
Americans have gold dollars. These have disappeared without a trace. Why? New
payment schemes take a long time. Coins worked in Europe because the paper money
was taken off the market. Credit cards took decades. Internet time is a myth
when you are talking about changing the habits of millions of people who already
have a good substitute.
2. Enabling small transactions. Sellers do not want small transactions. Sellers
want large transactions. Bundling is common in software and subscription
services; bundling brings in more revenues because of the law of large numbers
given the heterogeneity of preferences across the elements of a bundle.
3. Flat rate vs metering. Flat rate prices are far preferable. If you are a
producer of zero marginal cost goods you want people to use them and get value.
Flat rate gets more customers and more use.
4. Price discrimination. Going back to the nineteenth century there is a large
literature about the value of price discrimination. Price discrimination
requires data about use. Greater gains can be achieved by matching user and
price -- and anonymous systems prevent price discrimination.
He has a paper on each one of these points on his web page.
www.dtc.umn.edu/~odlyzko/ read 'em and weep.
Ron Rivest Micropayments are for things when the cost of the transaction is
so small and
Micropayments exist as attention span (banner ads) and giving up data for
small things. There was $300M of paid content on the net. Half of that was
annual subscriptions. 14% were single purchase. 6% were some other subscription
form. So 14-30% of sales would be single use. Some subscription services have
failed. *69 failed as a subscription service, but it works well as 75¢ per use.
We don't have a choice between subscriptions and pay per use. They work well
together. Pay per use may bring in a subscriber. When diffusion is small
subscription is not optimal. The killer app for micropayments is music downloads.
The music industry is in trouble. Their prices are too high. Their business
model is weak. "Music users prefer pay-per-download to subscription." 60% of
Americans have downloaded music, about 1% have paid. Many who did not pay would
prefer to pay rather than search. There are two parties. The sellers and the
buyers. The buyers might prefer pay for download.
The mobile ring-tone market is also pay for single use. In the NY Times they
are trying to sell music on the web ("Echo"). Universal sells singles at 99¢ a
song. Pay per use will always be available. To support this there is a need to
keep transaction processing costs small. A founder of music sites found that
credit card companies were charging 35¢ for each 99¢ transaction. By keeping the
bank out of the loop it is possible to get substantial processing savings. You
can do an RSA verification faster than a disk access. Since we don't have
Hettinga here to talk about bearer-based systems: I have concerns about these
systems, so I believe in a database, and it is easier to have a per-user database.
Tim Jones The range of transactions that are currently mediated is large. It
is not self-evident why the share of physical money should collapse in favor
of non-transactional subscription transactions. Why should the move to the
electronic world fundamentally alter the payment choice that has been constant
for hundreds of years?
Those of us in the GSM world are very certain about "SMS was an afterthought
in the GSM standard and children took it and created a new language and maybe a
new culture." There are some new things that will come along and maybe
anticipate. For example my daughter was passed on the M25 and some boys held up
their cell phone number. They did SMS and ended up going clubbing that night.
There are a number of people who are contributing to an open source computing
environment which is growing in strength and scale. They are not being paid in
an economically sound way. The range of payment options to reflect the value
that people in this business world are creating is not adequate. This seems like
a case where there are peers who appreciate value, and could assign it. In this
case a large value can be created through a very small set of transactions.
Think of betaware where there is a free version and a pay version. If the
option is to send 50¢ then there is no need to send a free one. That doesn't
hurt you but if you think of the millions of desktops then it is incredibly
valuable. We are not exploring properly the price elasticity of demand.
In the world of real life cash there are many small transactions that occur
every day. It would be a poorer world if we could not replicate the school bake
sale where the purchaser is 7 and merchant 9.
Duncan The reason I am here is I have followed the track of 28 systems. Some
set of them have gone right into the ground.
Nicko All the schemes seek the James Bond profile - they wanted to rule the
world. So they failed the test of the playground and the cardboard box.
I disagree with Andrew with his concept of flat rate. If you have a flat rate
you could pay 10¢ a minute or $100 a month. If I can take an extreme example.
The British domestic gas market is de-regulated. Customers used to have an
account with British Gas. British Gas sends out 128M bills a year and the
customers pay quarterly in arrears. New entrants are coming to the market. The
only way they can compete with each other is to compete on the price of
transactions. The largest cost is managing the customer account. If one could
have a networked meter where customers could pay as they go then you could cut out
the cost. It could be a compelling economic case. So we don't have to think of
the Internet as streaming video and download of video.
The problem with Beenz is that the economic model is broken. You have to get
the economics right.
Richard: what can the 10 yr old sell on line for 10¢.
Tim: The nine year old was a physical transaction. Mondex could have received
10¢ for each angel cake. (Is that a cupcake in the UK?)
Richard: What about intangible goods?
Tim: I see it in open source. What if you could charge 10¢ instead of open
source being free? Right now we have two price points: free and wildly high.
Richard: Were you in the car with your daughter?
Tim: I was driving a car. A week later I was at a Banker's cruise and I was
the keynote and I told the story. And then one of the blokes in the car came up
and was the driver?
Drew: So when I was at security foundations Paul played hooky and we were in
Italy and we needed to pay 1000 lira at a tollbooth. They took credit cards. I
don't think the Italian government was paying a 25¢ overhead for that.
Ron: Part of the transactions processing cost is fraud. As technology gets
better the space for specialized transactions mechanisms decreases.
Nicko: Credit card providers charge flat rate plus a percentage because they
can. There is a fraud cost for the credit cards. There is a lower cost for the
debit cards.
Drew: It is highly amusing that CA has a $4 fee for any credit transaction
because they don't want to figure out the fee.
Paul: For the eight year old maybe she could sell her song for 10¢. That is a
post-music model. The other thing is to reinforce this that they can live
together for cell phones. I have paid per minute every single minute I have used
on my cell phone and it works out for me.
Nicko: In Europe the pay as you talk has passed the value of the subscription
base.
Andrew: Cell phone pricing had flat monthly rate and prepaid plans. If you
look at usage every day subscriber use is decreasing. We are looking at number
of subscribers. So they are going for the marginal person. Users have
overwhelmingly shifted to flat rate plan. This has caused a tripling when
everyone else in the world is decreasing. The US is the world champion in
wireless use per subscriber. Per phone revenues are going.
Tim: But per customer revenue will go down. But that does not mean that the
average revenue for customer in that set is going down. And there is a
second major brake on usage. And that is the price point for pay as you talk is
incredibly high compared with any steady state based on cost. This is in part
based on transactions processing.
Jean: Human management. Attention span.
Andrew: There is evidence in it from the INDEX experiment (search terms:
INDEX bandwidth Berkeley). I argue strongly for this in my paper. Another set of
experiments that AT&T did was in the seventies on metered local rates. We did
it on a state wide basis. Turned out that 70-80 who would have saved money for
the metered rate hated it, because 1) insurance concept to know it is available
to use if needed at no more cost 2) overestimate of usage. people overestimate
their resources systematically 3) the hassle factor, they just did not want to
worry about it for example just understanding it was hard for people. For
example, people were paying a flat rate per call. There are too many choices and
too much complexity. That is why flat rate is so good.
Ron: If micropayments are going to pay, the ease of use has to be handled
very well. Work by Dan Ariely at the Media Lab on micropayments talks about
handling this.
Tim: Jean has hit on a general issue of acceptance. Getting people to load
some pot of money is terribly difficult. The prize, strategically, for those who
could get people to do it is enormous. If you could do it you are suddenly in an
extraordinary position, like PayPal. PayPal got a certain amount of traction.
Then EBay and Citibank all had a go and they all fell by the wayside because there
was already an incumbent. So EBay ended up having to buy PayPal. The first set
of corporations that can solve this will find themselves starting with a small
window.
Duncan: People will not sign up for multiple payment systems. Only PayPal
this morning pulled out. I would expect to see a large number of competing
players, so there must be very efficient settlement mechanisms; there must
be a very effective market for clearing.
Richard: Can I make the case that 3% is competitive? Not that they are not
making wads of money. What is easiest to ignore is that you have so many players
and each of them absorbs some liability for what it does. If you don't have any
players you don't have to worry about risk. Then there is the lenders' risk. The
deal of the century is the global arbitration fee. Without that assurance
neither you nor the merchant will give up your half. If a microcredit system is
developed so that a million people lose their quarters, then that would be
terrible.
Duncan: There is a 90 day loss period where the arbitrate is huge.
Adam: Micropayments can come in and be more effective
Drew: If you have to download some software you lose 90% of your market. But
micropayments have that problem.
Adam: Paypal.
Tim: Paypal is an extension of VISA to non-traditional merchants. PayPal is a
B2B and C2B for non-traditional merchants. But the mobile phone companies have a
very effective authorization mechanism.
Ron: The future of micropayments is in M-space.
Nicko: What about the great unbanked, people who cannot get credit.
Ron: I think that is orthogonal. It depends upon how the system is built.
Tim: Picking up Richard's point that the credit card world is a risk
acceptance market. That is an interesting model that has done great things. But
if you have a net connected world you can chain the transactions together and
have settlement happen as the chain happens. I just offer it to spark thoughts
in other folks. Current appliance delivery creates factory to distribution hub,
management of hub, inter-hub transport, and hub to consumer. There is nothing in
theory to prevent that from being a market that clears step by step instead of
competing for the entire chain.
Andrew: It will come on the back of mass transportation or cell phones. You
already have something because it alone has value. It has to be added to one for
those.
Duncan: You have to pay £250,000 to talk to Mondex. We need a system that
will start small.
Ron: I have started a small company. PayPal shows that new mechanisms can
work. We will grow the old-fashioned way based on demand.
Paul: I agree with Andrew's conclusion but not with his inference. I say this
as someone who buys rolls of gold dollars at the bank. The point I want to raise
is that this was supposed to be an illustration of the transitional threshold but
that is not the case. But I talk to people in Europe and in Canada. They are
nostalgic for the era of bills. Bills have a superior interface: it is easier
to carry 7 bills than 7
Nicko: The pound coin was accepted not only because of ergonomics but because it
was called a sovereign. That leveraged nostalgia. It was called a thatcher: it
was thick, brassy and thought it was a sovereign.
Tim: Kuhnian paradigm shifts take decades. There are problems that ecash can
solve, like the queues in bars where it is impossible to purchase. He proposes a
bar with vending machines where everything is on tap, so there is no bar as a
single point of failure. I strongly advocate dynamic vending machines so people
pay for congestion. Using a smart card you can do a loyalty program and
encourage ecash adoption. Yet that is in another mental space.
Ron: Why is price discrimination impossible with micro payments?
Andrew: Basically price discrimination is not incompatible with micropayments
but it is harder. Most productive price discrimination is based on identity.
That is a little harder for micropayments.
Nicko closes an excellent panel.
Security, Anonymity, and Privacy Session Chair: Gene Tsudik
On the Economics of Anonymity Alessandro Acquisti, Roger Dingledine, and
Paul Syverson
Economics is about efficiency. Yet inefficiency is an inherent part of
anonymity.
Anonymity is a complex problem because of traffic: users of anonymity
systems also provide anonymity to other users. That is, users hide
among each other, so by getting anonymity you provide anonymity.
One solution to this problem is for a large organization (corporation
or government) to provide anonymity and require all its users to use it. However,
if this is done, any anonymous communication is nonetheless known to come from
that organization.
There are not yet decentralized trust algorithms.
In economics consumers pay. Yet by its nature users of anonymity both use and
provide anonymity. The hordes in coach are better off, privacy-wise, than the
guys in first class. So the guys in first class have to pay a premium for
anonymity.
Inefficiency costs that propagate back to the user chase users away.
Usability is critical.
Under what conditions will a system with many players not implode? It is a public
good with free riding.
Yet in this case pure free riding is not possible, because inherent in the
use of the system is providing anonymity to others. Thus those with a great
interest in anonymity could provide nodes and services. This is promising in
that there is broad market support for low-overhead services but inadequate
support (at this time) for high-cost anonymity. There is also the potential for
altruistic agents, such as public service entities.
Reputation and social capital may provide adequate rewards (cf. SETI@home and
remailer statistics). There can be an optimal level of free riding. An open
problem is exit node liability.
Q: You were talking about free rides, in that anonymous systems were providing a
free ride. In p2p networks, the sharing of files, we can provide anonymous
systems. Something like Kazaa could be used to optimize.
Paul: Once you add the anonymity on top of it. You would have to add it for
free. You get it because you are at GA Tech and you just want to do it. So there
is free riding for users since it is bootstrapped in.
Jean: Is the tendency of systems to implode a function of whether Metcalfe's
Law applies (each free rider adds increasing value, the nth user adds n+1 value)
or if it has decreasing returns so that as n gets large the value of the next
ride is ever lower.
Paul: We currently have existence results. That question could only be
answered with analytic simulation. You would have to take a specific system and
see how that plays out.
Julian: Would there be a high correlation between the value of anonymity and
crime, and is this a core problem? Are there legitimate users with high value?
Don't you think the value for the bad guy is a problem?
Paul: But the bad guys can provide the resources for all the good guys.
Stuart S: What about the value of concentrated trust in a case like ZKS where
transparency allows for trust?
Paul: You could do the same analysis for several nodes that you can do for
one.
Squealing Euros: Privacy Protection in RFID-Enabled Banknotes Ari Juels
and Ravikanth Pappu
Squealing is both a noise made by distressed animals and slang for exposure
of private information.
RFID: radio frequency identification. Shows a picture like
www.aurigintech.com/smart-ID.gif at www.aurigintech.com/Smart-ID-Auto.htm.
RFID tags are passive devices that identify themselves, usually by simply
shouting their identity. They have no battery but obtain temporary power from
the field produced by the reader.
RFID tags will be the ubiquitous replacement for the bar code. Gillette has
ordered half a billion. (This is because in retail drug stores razors are the
most frequently stolen item.) Inventory control and failure rates of scans drive
this interest. PRADA use described; here is a PRADA description:
www.aurigintech.com/smart-ID.gif. He discusses the cases from the Auto-ID
center, http://www.autoidcenter.org/main.asp
Pets from MA shelters now have RFIDs to locate lost kitties (through a cat scan,
ha ha). (Ron Rivest's cat, Jack, has one, so they call it the Lojack chip.)
European Central Bank plans to put RFIDs in euro notes.
Let me repeat that in case all the implications of suddenly non-anonymous
cash are not clear: European Central Bank plans to put RFIDs in euro notes.
Here are some bonus uses: a more efficient mugger (we offer detailed
information about our purses); viruses or attacks based on product choice.
The ECB is prototyping advanced systems without public discussion. Then there is
security by obscurity. Yet reverse engineering an RFID is fairly trivial. If you
simply encrypt the serial number of the banknote under a fixed key, the encrypted
ID becomes the new serial number and can be tracked just as well. What about a
law-enforcement access key? Then the tag broadcasts its jurisdiction information,
and the scheme also requires an extremely well-protected key.
RFID tags have little or no processing power, so on-tag crypto is not an option.
What they do have is the ability to control read and write access on the basis
of static keys.
Use an El Gamal system with a group G of prime order q and a published
generator g. Key generation: the bank's public key is y, its private key x. Each
note carries a signed ciphertext of its serial number, C = E_y[ID, r], which can
be re-encrypted (with fresh randomness) each time the note is processed, so that
successive readings of the same note cannot be linked by anyone without x.
One innovative idea here is to restrict access by requiring physical
optical access. Each note would carry a printed number that provides the
access key for the tag. Shops already have optical readers. Thus illegitimate
reprogrammers would need visual access to the note. There can still be rogue
readers, but using connectivity the supervision can be of the readers, so that
each reader confirms that the previous reader has done its job correctly.
Cloning attacks are still possible, but they are more easily detected.
Re-encrypting readers can be authenticated, which makes tracking easier.
The solution is not ideal, but there is work in progress at RSA Labs and in the
EU.
Nicko: A re-writable ID is dangerous from a forgery point of view. Could
you now do something that does not require it, given that you have hundreds of
bits? You could generate many random bits in write-only memory and have a
sequence number in the r/w part.
Ari: That is a solution we are discussing.
Adam: This might just be an investment wrt counterfeiting.
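The re-encryption mechanism described in the talk above, as an added example that is not code from the Juels-Pappu paper or from the original review. The group (p = 23, q = 11, g = 4), the Tag class, the printed optical key gating tag writes, and the bank's serial lookup table are all simplifying assumptions made here for illustration; it shows why a reader holding only the bank's public key can refresh a note's ciphertext so two sightings are unlinkable, while only the bank can recover the serial.

```python
"""Re-encryptable RFID banknote identifier, modelled after the Juels-Pappu idea.

Added example, not code from the paper: the group is a toy (p = 23, q = 11), the
Tag class, the printed "optical key" gating writes, and the bank lookup are all
simplifications chosen here for illustration.
"""
import secrets

# Toy group (assumption: far too small for real use). q = 11 is prime, and
# g = 4 generates the order-11 subgroup of Z_23^*.
P, Q, G = 23, 11, 4


def keygen():
    """Bank key pair: private x, public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encode_serial(serial):
    """Map a serial number 1 <= serial < q into the subgroup so ElGamal applies."""
    if not 1 <= serial < Q:
        raise ValueError("serial out of range for the toy group")
    return pow(G, serial, P)


def encrypt(y, m):
    """Standard ElGamal: C = (g^r, m * y^r)."""
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), m * pow(y, r, P) % P)


def reencrypt(y, ct):
    """Randomise a ciphertext using only the public key: (c1 * g^s, c2 * y^s).

    The plaintext is unchanged, but the new ciphertext is unlinkable to the old
    one by anyone who does not hold x, which is what defeats tracking.
    """
    c1, c2 = ct
    s = secrets.randbelow(Q - 1) + 1
    return (c1 * pow(G, s, P) % P, c2 * pow(y, s, P) % P)


def decrypt(x, ct):
    """m = c2 * c1^(-x); c1 lies in the order-q subgroup, so c1^(-x) = c1^(q-x)."""
    c1, c2 = ct
    return c2 * pow(c1, Q - x, P) % P


class Tag:
    """The RFID tag: reads are open to anyone in range; writes need the key
    printed on the note (modelling the optical-access requirement)."""

    def __init__(self, ct, optical_key):
        self._ct = ct
        self._key = optical_key

    def read(self):
        return self._ct

    def write(self, optical_key, ct):
        if not secrets.compare_digest(optical_key, self._key):
            raise PermissionError("optical access key required to rewrite tag")
        self._ct = ct


def issue_note(y, serial):
    """Bank issues a note: tag holds E_y[ID]; the optical key is printed on the paper."""
    optical_key = secrets.token_hex(8)   # constructed stand-in for the printed number
    return Tag(encrypt(y, encode_serial(serial)), optical_key), optical_key


def shop_reencrypts(tag, y, optical_key):
    """A legitimate reader (it can see the note) refreshes the ciphertext."""
    tag.write(optical_key, reencrypt(y, tag.read()))


def bank_identifies(x, ct, issued_serials):
    """Only the key holder recovers the serial, by matching the decrypted group
    element against its issue records (assumption: the bank keeps such a table)."""
    m = decrypt(x, ct)
    for serial in issued_serials:
        if encode_serial(serial) == m:
            return serial
    return None


if __name__ == "__main__":
    x, y = keygen()
    tag, key = issue_note(y, 7)
    seen_at_shop_a = tag.read()
    shop_reencrypts(tag, y, key)
    seen_at_shop_b = tag.read()
    print("linkable:", seen_at_shop_a == seen_at_shop_b)                   # False
    print("bank sees serial:", bank_identifies(x, seen_at_shop_b, [3, 5, 7]))  # 7
```

A rogue reader without the printed key can still read the ciphertext, which is why the talk's follow-up is reader supervision: each ciphertext it sees is a fresh random pair, so tracking requires either the bank's private key or a reader that never re-encrypts, and the latter is what the chain of readers is meant to detect.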
Delayed by travel: Retrofitting Fairness on the Original RSA-Based E-Cash,
Shouhuai Xu and Moti Yung
If we have no anonymous cash maybe it's not a problem (that's a joke).
Fairness in this framework means revocable anonymity when the user re-spends
a coin.
Fairness has been implemented in discrete-log systems using both on-line and
off-line trusted third parties. So the question of interest here is whether it
is possible to implement fairness using an off-line party while preserving the
fundamental RSA scheme. Some systems have used Chaum-Fiat-Naor (Crypto '88), on
which we can build.
Review of CFN 88, simplified. Parameters: l, a security parameter; H and H1,
hash functions; 3, the public RSA exponent; N, the bank's modulus, whose
factorization is the bank's secret.
Coins: x_i = H1(...), y_i = H(...); coin = (H(x_1, y_1) * ... * H(x_{l/2},
y_{l/2}))^{1/3} mod N, i.e. the bank's RSA cube root of the product, with at
least one (x_i, y_i) tuple valid.
Each pair can be viewed as a one-time Lamport signature; signatures are
revealed by showing x and y.
Use El Gamal with two generators to embed the user's key. The TTP obtains the
user key: the user provides that key to the trusted third party, and during
withdrawal the trusted third party's key is made available to the bank. Coins can
then be traced to withdrawal sessions, or all coins provided by one user can be
traced.
The bank is trusted not to misuse the customer's money but is not trusted not
to abuse customer anonymity. The TTP is trusted to revoke customer anonymity but
is not trusted with the customer's money.
Open research problems include unforgeability (the hardness of one-more-RSA
inversion is not known) and RSA-based revocation.
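The CFN-style coin reviewed above (cube root of a product of hashed pairs, one half of each pair opened per challenge bit), as an added example that is not code from the Xu-Yung paper or from CFN 88. The bank modulus, candidate count and identity size are toy assumptions; the fairness extension (two-generator El Gamal embedding a user key for an off-line TTP) is not modelled, only the underlying RSA coin with cut-and-choose withdrawal, blind signing, spending, and the double-spend tracing that the pairs make possible.

```python
"""Toy Chaum-Fiat-Naor style RSA coin with cut-and-choose withdrawal and
double-spending detection.

Added example, not code from the Xu-Yung paper or from CFN 88: the modulus is a
tiny hypothetical one, candidate counts are small, and the fairness extension
is not modelled, only the underlying RSA coin that the paper retrofits.
"""
import hashlib
import math
import secrets

# Bank RSA key with public exponent 3 (assumption: toy primes, both 2 mod 3 so
# that 3 is invertible mod phi(N)).
P_, Q_ = 1019, 1031
N = P_ * Q_
E = 3
D = pow(E, -1, (P_ - 1) * (Q_ - 1))    # bank secret: takes cube roots mod N
L = 8                                  # candidates per coin; bank opens half
ID_BITS = 16                           # size of user identity and nonces (toy)


def H(*parts):
    """Hash integers into Z_N (stands in for the paper's H / H1)."""
    data = b"|".join(p.to_bytes(8, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def make_candidate(u):
    """x = H1(a, c), y = H(a xor u, d): revealing both a and a xor u exposes u."""
    a, c, d = (secrets.randbits(ID_BITS) for _ in range(3))
    return {"a": a, "c": c, "d": d, "au": a ^ u, "x": H(a, c), "y": H(a ^ u, d)}


def coprime_blind():
    while True:
        b = secrets.randbelow(N - 2) + 2
        if math.gcd(b, N) == 1:
            return b


def withdraw(u):
    """User side and bank side of withdrawal, interleaved for readability."""
    cands = [make_candidate(u) for _ in range(L)]
    blinds = [coprime_blind() for _ in range(L)]
    blinded = [pow(b, E, N) * H(cd["x"], cd["y"]) % N for b, cd in zip(blinds, cands)]

    # Bank: cut and choose. Open a random half and check each opened candidate
    # was formed honestly with the withdrawing user's (authenticated) identity u.
    opened = set(secrets.SystemRandom().sample(range(L), L // 2))
    for i in opened:
        cd, b = cands[i], blinds[i]
        if H(cd["a"], cd["c"]) != cd["x"] or H(cd["a"] ^ u, cd["d"]) != cd["y"]:
            raise ValueError("candidate not well formed")
        if pow(b, E, N) * H(cd["x"], cd["y"]) % N != blinded[i]:
            raise ValueError("blinding does not match")
    kept = [i for i in range(L) if i not in opened]

    # Bank signs the product of the unopened blinded candidates (RSA cube root).
    blind_sig = pow(math.prod(blinded[i] for i in kept) % N, D, N)

    # User unblinds by dividing out the product of the blinding factors.
    inv = pow(math.prod(blinds[i] for i in kept) % N, -1, N)
    return {"sig": blind_sig * inv % N, "cands": [cands[i] for i in kept]}


def verify_coin(coin):
    prod = math.prod(H(cd["x"], cd["y"]) for cd in coin["cands"]) % N
    return pow(coin["sig"], E, N) == prod


def spend(coin, challenge):
    """Per candidate, the merchant's challenge bit selects which half is opened:
    bit 1 reveals (a, c) and y; bit 0 reveals (a xor u, d) and x."""
    resp = []
    for cd, bit in zip(coin["cands"], challenge):
        resp.append((1, cd["a"], cd["c"], cd["y"]) if bit else (0, cd["au"], cd["d"], cd["x"]))
    return {"sig": coin["sig"], "resp": resp}


def merchant_verify(payment):
    """Recompute each H(x_i, y_i) from the opened halves and check the signature."""
    prod = 1
    for bit, p1, p2, p3 in payment["resp"]:
        x, y = (H(p1, p2), p3) if bit else (p3, H(p1, p2))
        prod = prod * H(x, y) % N
    return pow(payment["sig"], E, N) == prod


def trace_double_spend(pay1, pay2):
    """Same coin under two different challenges: at any index where the bits
    differ the bank holds both a and a xor u, so u = a xor (a xor u)."""
    for (b1, p1, *_), (b2, q1, *_) in zip(pay1["resp"], pay2["resp"]):
        if b1 != b2:
            return p1 ^ q1
    return None
```

The bank's only secret is D (the factorization of N); the coin is anonymous because the bank never saw the unblinded product it signed, which is exactly why CFN needs the cut-and-choose step to be sure the hidden candidates really embed the user's identity.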
11:00 - 12:30 Attacks
Cryptanalysis of the OTM signature scheme from FC'02 Jacques Stern and
Julien Stern
Authentication is a proof by a user that he knows a secret. A proof may be
transferable or not. Asymmetric systems require that no secret be exposed for
authentication. Symmetric systems require secret exposure or sharing for
authentication, but they are very fast. There is no such thing as a symmetric
signature because the secrets must be shared. Symmetric authentication is in
some ways superior to asymmetric authentication, while asymmetric signatures are
better (by definition) than the (nonexistent) symmetric signatures.
First example: access control. Some devices only need to grant access to
authorized persons, for example a car park reader. Symmetric: the device
contains all the secrets. Asymmetric: the device need only recognize a valid
access request and holds no secret.
Second: access on payment (toll booth). Symmetric: impossible, because
non-repudiation is required. Asymmetric: the device contains only a public key,
and users perform costly operations.
What is needed is a pre-processing step in which costly, message-independent
data are generated, combined with a low-cost on-the-fly final step:
on-line/off-line signatures.
Previous work:
Schnorr 88: one modular multiplication
Girault et al. 92, 96, 99: one regular multiplication
Okamoto et al. 02: one modular reduction of a small number
Even et al. 90: one multiplication
Shamir 01: the core operation is one modular reduction of a very small number;
extremely efficient, and a small signature block is produced
Overview of the GPS protocol. The OTM scheme is a small change from GPS in terms
of processing power. The number of messages is very low, except that instead of
r + e*s one sends r + e mod s. But the problem is that the reply step will not
hold, because there are limits on the size of the reply in the GPS protocol. So
guess part of e so that it is sufficiently small: use the least significant
bits of e. Pick a random r, then compute x = g^(truncated e) mod n. We receive
the challenge and check our guess. Repeat as necessary.
OTM is not inherently flawed, but the parameters were too small to prevent an
effective attack. If the parameters (the size of the key, the number of bits in
e, and the challenge size) are increased, the system becomes secure against
guessing attacks. So how does this change the parameters?
With correct parameters an OTM authentication is still 100 bits smaller than
GPS. However, OTM requires a modular reduction of 320 bits by 160 bits, while
GPS requires a regular multiplication. This means GPS is twice as fast as OTM.
Dovetailing (r, e) with respect to x: add to r a small multiple of s so that
the least significant bits of r are equal to e. If the core operation in OTM
is replaced by dovetailing, another verification check is required, so
verification takes three operations. The implementation is a simple loop. Using
dovetailing with the increased OTM parameters, the implementation can be as
efficient as GPS.
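The GPS identification round that the comparison above refers to, as an added example that is not code from the Stern-Stern paper. The modulus, base and parameter sizes are hypothetical toys, and the OTM scheme and its cryptanalysis are not reproduced; what the code shows is the on-line/off-line split the talk is about: the single modular exponentiation happens off-line, and the on-line response is one ordinary multiplication and an addition with no modular reduction, which is what makes the verifier's size check on the reply necessary.

```python
"""GPS (Girault-Poupard-Stern) on-line/off-line identification.

Added example, not code from the Stern-Stern paper: the modulus and parameter
sizes are hypothetical toys chosen here; real GPS uses a modulus of roughly
1024 bits and much larger exponents.
"""
import secrets

N = 1000003 * 1000033   # assumption: toy composite standing in for an RSA-type modulus
G = 2                   # assumption: base of large order mod N
S_BITS = 64             # secret size (toy)
C_BITS = 16             # challenge size (toy)
STAT_BITS = 80          # statistical margin so that r hides c*s
R_BITS = S_BITS + C_BITS + STAT_BITS


def keygen():
    """Prover secret s, public I = g^(-s) mod N."""
    s = secrets.randbits(S_BITS)
    return s, pow(G, -s, N)


def offline_coupon():
    """Off-line (idle time, or at personalisation): the one costly modular
    exponentiation, producing a coupon (r, x = g^r mod N)."""
    r = secrets.randbits(R_BITS)
    return r, pow(G, r, N)


def online_response(r, c, s):
    """On-line: one regular multiplication and one addition, no modular reduction."""
    return r + c * s


def verify(I, x, c, y):
    """Verifier checks the size bound on y, then g^y * I^c == x (mod N).

    The bound matters: y is computed over the integers, so the verifier must
    reject oversized replies rather than reduce them mod anything."""
    if not 0 <= y < (1 << R_BITS) + (1 << (C_BITS + S_BITS)):
        return False
    return pow(G, y, N) * pow(I, c, N) % N == x


def run_round(s, I, c=None):
    """One identification round; returns (accepted, transcript)."""
    r, x = offline_coupon()           # off-line part, done before any challenge
    if c is None:
        c = secrets.randbits(C_BITS)  # verifier's challenge
    y = online_response(r, c, s)      # the only on-line prover computation
    return verify(I, x, c, y), (x, c, y)


if __name__ == "__main__":
    s, I = keygen()
    ok, (x, c, y) = run_round(s, I)
    print("accepted:", ok)            # True
```

With s around 160 bits and a 32-bit challenge in the real scheme, r must be about 80 bits longer than c*s so that y statistically hides s; shrinking those parameters is precisely the kind of under-sizing the talk reports for OTM.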
"Man in the Middle" Attacks on Bluetooth Dennis Kügler
Known attacks: unit keys can be used for eavesdropping and impersonation (aka
cloning); PIN guessing can recover the link key; the cipher is weak; and device
tracking is possible, which is a privacy problem.
Add to these the man-in-the-middle attack. It is based on the page-hopping and
channel-hopping sequences, which are derived from the slave's ID and the clock
setting. Paging uses a periodic sequence of 32 frequencies; channel hopping is
used for communication.
A page request consists of the master repeatedly sending the slave's ID. The
slave scans for its own ID and sends an ID packet in response. The master sends
an FHS packet, and the slave resends its ID. So all the attacker has to do is
respond more quickly than the slave, and then reconnect to the slave using the
same master ID but a different clock offset, so that the slave and master do not
detect each other. If the slave and the attacker respond at the same time the
communication is jammed; then only the attacker repeats, because only the
attacker understands what happened. Another attack: since the initiation is a
3-way handshake, the attacker can use a half-open connection to generate a
timeout so the slave ceases scanning (the attacker initiates with the slave's
ID).
Another thing: the master clock is used for both frequency hopping and cipher
initialization. It is possible to inject a man in the middle into an encrypted
communication because of cipher weaknesses and the information in the
unencrypted packet header. Since the same information is used for encryption
and decryption, it is possible to insert altered packets.
Compare this with other attacks. Jakobsson-Wetzel establish a connection to
both devices and pretend to each to be the other device; this attack fails if
encryption is turned on or one device is non-connectable (because the attacker
becomes master and both victims must be slaves). That attack can be expanded
using the techniques here to work when one of the victims is the master.
Proposed solutions: end-to-end security, i.e. integrating a MAC into every
packet; or wired-equivalent security, which requires point-to-point security.
Even with this, the cipher is based on the clock.
Inherent in frequency hopping is the ability to create mis-synchronization.
Encryption is needed, with full synchronization including frequency
synchronization. Unencrypted packet headers carrying important ACK information
are a problem.
Nicko: Your conclusion should be that if you want to use Bluetooth for finance,
the encryption should be in the application layer.
A: You should use an SSL equivalent.
Nicko: My cell phone has a decent amount of computing power. You should not
rely on transport for financial cryptography.
A: Both are required. And the power limits of mobile devices must be
acknowledged.
Fault based cryptanalysis of the Advanced Encryption Standard (AES) Johannes
Blömer and Jean-Pierre Seifert
This covers fault attacks and errors, and physical fault generation. For AES
specifically, the timing of operations is vulnerable. The talk investigates an
unskilled textbook implementation vulnerable to attack by fault generation.
Fault attacks on DES include breaking a sealed tamper-proof device and
putting in wrong ciphertext.
To begin, a description of what a fair smart card attacker might do to alter
and disturb the calculation by manipulating only the external contacts. An
attacker can vary the supply voltage as long as it does not cause a card reset;
the power supply is assumed to suffer from natural spikes, so cards tolerate
some variation. For each card there is a range of parameters that causes faulty
output: for example, an extended pulse that does not spike quickly but rather
raises the input some voltage above the specified tolerance, though not so high
as to reset, say 118% of the expected voltage. Similarly, with a finely tuned
clock glitch, execution can be altered by causing the CPU to skip instructions.
With concentrated optical attacks (for example a focused camera flash) on the
right places on a controller it is possible to alter any bit of an EPROM by
altering the CMOS path (remember the C means complementary), creating a
lower-resistance channel on the preferred path. This requires removing the
surrounding casing but no physical contact.
Another attack uses an inductor to read the events occurring inside the smart
card. By driving the inductor (also known as an active coil) the reverse is also
true: you can use the coil to cause events inside the chip. He offers a nice
table of attacks on smart cards.
This is all of interest because AES is most commonly implemented on bank
smartcards using 8-bit CPUs.
The speaker illustrates how the general smart card attacks can be used on the
most common implementation of AES. For example, by timing a fault to hit
critical steps of AES, in particular the critical XOR operations, the resulting
faulty ciphertext is quite weak.
The concern is that counteracting fault attacks is usually done with naive
countermeasures. Hardware manufacturers should be aware and use carefully
developed logic families, sensors for light and temperature, etc. Only such
hardware countermeasures can counteract the source of the attack, because once
a fault has been induced, trying to defend against it by calculation is not
feasible.
14:00 - 15:30 Panel: Economics of Security Moderator: L. Jean Camp
Participants: Drew Dean (SRI), Andrew Odlyzko (University of Minnesota) and
Stuart Schechter (Harvard) Do we spend enough on electronic security? How can we
judge when we are spending too much? Is there any way to evaluate expenditure?
Is the value of cryptography subject to economic measurement?
Economics of Security Panel Notes 1/28/03
Jean Camp, moderator
Notes by Rebecca Wright
Panelists: Drew Dean Andrew Odlyzko Stuart Schechter
Initial presentations
Brief intro from Jean: what is security market?
Andrew Odlyzko
We are techies, used to formal models. Most people are not as sophisticated,
and need simpler explanations and descriptions.
Example: Honor System Virus This virus works on the honor system. Please
forward this message to everyone you know and then delete all the files on your
hard disk. Thank you for your cooperation.
This is a joke to us, but close to something that happens in reality.
Also, it is necessary to recognize the needs of organizations and people in
organizational contexts. Example: a major problem with secure systems is that
secretaries could not forge their bosses' signatures. When systems that require
this are implemented, bosses share their passwords with their secretaries.
Similarly, adoption of provably secure time-stamping systems does not work well
with intuitive, flexible ideas that back-dating is appropriate in some cases.
Delegation: ask neighbor - please let the plumber in to fix the leaky faucet.
Expectations: let the plumber in. If related business occurs, like electrician
shows up, can probably let the electrician in. But if electrician and plumber
start taking out your furniture, your neighbor would probably call you or the
police. A certain amount of human judgment is expected. (This is why you don't
ask your neighbor's 6 year old.)
Intentional ambiguity: proposed SEC rule alternate wordings.
The desire for human judgment and ambiguity can limit the adoption of security
technologies.
Example of successful adoption of security technologies: HP9000 After market
Rampup (graph). Printer manufacturers make the money on the toner cartridges
more than the printers themselves. Competitors can also make compatible toner
cartridges. Printer manufacturers have started to put security measures in to
prevent/slow other manufacturers. Very quantifiable example. He thinks we'll see
more examples like this: manufacturers using very specific solutions to improve
answer to specific question.
Speed bumps on the information superhighway. Cf. criminals will always find
a way to make money; security can be a speed bump to slow them down (rather
than provably or certifiably secure systems). Also cf. the use of vaccinations,
where a small percentage of vaccinations in the population can make a dramatic
difference in lowering the spread of a disease.
Stuart Schechter
Measuring Security: are we spending enough on security?
What we don't know:
How secure is a system? What we're getting for our money What we would get if
we spent more What we mean by security, anyway?
As a result, we spend too much on some systems and too little on others.
Why measure?
Determine which systems/components incur the most risk. Build/purchase
systems that are more secure. Measure risk (essential to getting better
insurance rates)
The security process: figure. Scope of this talk: measure security
What is security?
Process of inhibiting those who would attack your valuables (i.e. make it
harder, like the speed bumps Andrew discussed).
Measuring difficulty: social sciences may be helpful here. Prices can be
useful as a measure of difficulty as a cost. How hard is it for a society to
make certain things happen?
The Market Assumption
A market for vulnerabilities will emerge when one party finds it easier to
find a vulnerability and another has more to gain from doing so. If you pay a
fixed price to find a flaw, the adversary could do it too.
The security or robustness of a system against a mode of failure can be
measured economically, in units of dollars, i.e. the market price to find a flaw.
Security fails in different ways or failure modes - how system failure can be
induced, what is lost. Different sites have different requirements as different
'valuables' are there with different implications of different kinds of failure.
Must measure two products against same mode of failure in order to compare which
is better (figure).
Bounding security
Placing an upper bound (e.g. on competitors system): offer to sell a
vulnerability. Offering price is upper bound until vulnerability fixed.
Placing a lower bound (e.g. on your own system): offer to buy all
vulnerabilities offered at a given price. Opportunity cost bounds security. BUT
this can be very expensive if the system isn't secure.
Security experts are regularly asked: which product is more secure? If we can
agree on a measure of security, companies may invest in using it. Need to
establish trust between buyers and sellers - must actually deliver money in
above scenarios.
Drew Dean
On the economics of computer security
Thesis: High assurance, secure systems are luxury goods.
Look at how they are built:
Lovingly crafted by hand by Math/CS PhDs. Fewer features than mass market
systems. Slower to market. Extremely expensive. Only appeal to a small niche.
These are features of luxury goods, not mass market goods.
Market-wise, you get trapped in a feedback cycle:
Assurance isn't a checkbox feature. Hard to tell if you have it. Difficult to
explain to customers. Result: little demand, small market, high unit prices.
Options w/formal methods (graph) cost x assurance for different formal
methods
We're now in the lower left hand corner (low cost methods, low assurance
results). We don't need to get all the way to the upper right hand corner (high
cost methods, high assurance results). But he'd like to see us move to higher
assurance, recognizing that higher costs result.
Current economic climate makes proactive expenditures difficult. Costs of
doing nothing are hard to quantify, so they don't get compared against.
Predictions: nothing happens with respect to security until a "train wreck"
occurs. Intel got serious about formal methods after writing off $467M for the
FDIV bug.
Discussion
Q: Andrew, re your printer graph and Stuart's talk - is there something in
the graph that could be considered an "upper bound"? A: not sure
Q: re: lemon market. Computers are not less complex than cars. Can we hope to
succeed in removing lemons from computer market as it was removed from new car
market (and now only a problem in used car market? A (Stuart): quantification is
a requirement to make this happen (analogous to consumer reports).
Q: luxury markets tend to evolve into necessity markets. Will this happen
here? A (Drew): analogy - security market would be like airplane makers needing
to know how rivets work at the level of quantum mechanics. Non- composability of
security is an issue.
Q: (to Stuart) question of market for vulnerabilities vs. blackmail. A: need
for a trust to develop in the market. When introduced by company (e.g. RSA) can
be successful.
Q: (from Adam Shostak) Most current attacks are using known vulnerabilities.
Researchers move on to sexier problems even though solutions to the easier
problems are not yet affecting practice. What will happen 5 years out? A
(Andrew): Not sure buffer overflows will be a problem in 5 years, but also
practice will be slow to adopt. They're doing quite well already, thank you very
much, and don't really need to pay for your security solutions. Systems are in
fact robust, in a different way than we usually mean, but sufficient for their
uses. Eg faxing signatures around. We will continue to operate "at the edge of
frustration" When things are too complicated, people don't accept them.
Q: (Jean) Some people do prepare for the worst-case scenarios. Ex - NY knew
where every school and day care center was in the WTC debris zone and was able
to contact them. A: (Andrew). Yes, such things are a part of any infrastructure,
and people will overcome certain kinds of competitive instincts and use
reserves in response to emergencies. This is part of the human ambiguity we live
with.
A: (Drew, to Adam's question). Buffer overflow attacks took off after
publication (when??), known since 60's. Lots of research work in 1990's or so,
now tailing off because we have the techniques (even though they aren't much
deployed). Drew thinks that buffer overflows will be solved by deployment, but
that we'll see race conditions rise to dominance again.
Q: (Paul Syverson). To Drew: question analogies to airline and automotive
industry. E.g. flight controller for 777 was triple redundant and formally
verified. Also, in 1930's, car crash implied death. This is where we are now in
the computer industry. Role of insurance, govt regulation, consumer pressure in
going through this process.
Q: (unknown speaker, French). Requirements of different agencies are
different from each other and differ over time. How can you balance security
needs w/needs to reduce costs? Biodiversity will be discussed after its lack
causes a failure, but probably not before, as it would require additional
resources to deploy. (And even if you get it in there, you have to constantly
fight the efficiency guys who will come in to cut unnecessary expenses). A:
(Drew) yes, to some degree you're right. Quote - a program which has not been
specified can not be incorrect, it can only be surprising. The company must
understand its requirements in order to solve them (though of course the process
must be iterative to deal with changing environment), No generic answer. A
(Stuart) Requirements and security get put to the side because the market
doesn't "want a secure product". Need to get product to market dominates
discussion. Only would need to put in security if competitors did, which they
don't. (Chicken and egg problem?)
Q: (Rivest) Discussion has been focused on cost to developers of putting in
security. What about cost to society of not having it? A (Drew) Good question.
Lately the idea of strict liability has been thrown around. Tragedy of the
commons. All of society pays when latest virus goes around, but nobody wants to
pay to solve the problem. Eventually something will happen, but doesn't know
when. A (Stuart) society is a general term, which makes this hard to answer.
Rational consumers do want to buy something that is better. But, consumers and
society don't know how to get to next step. Need an understanding of risk
assessment to help consumers understand when one solution is better than
another. (Rivest) My running an insecure system can hurt others, not just me.
Q (Adam) Do you really think consumers are making an irrational decision
today, or are they just valuing security less than we do (and realistically
assessing the cost of current secure solutions as too high)? A (Stuart) Yes,
they are making rational decisions because cost to even assess security is high,
as well as those to use potentially more secure nonstandard solutions (which are
incompatible with dominant solutions). A (Andrew) Example, complexity of
installing patches, when most consumers aren't attacked anyway. They are
behaving rationally and selfishly.
Q (Richard Field) Expand on Ron's point. Understands Drew's point that a
catastrophe would be required to make something happen. What are roles of
external entities such as insurers, lenders, politicians, end users, regulators,
critical infrastructure people, investors, venture capitalists, etc. Will they
drive those decisions even though security is hard to measure? A (Drew) Answer
to question "which system is better, A or B" is currently that they are both
bad. On the other hand, if we could just get rid of buffer overflows and race
conditions, we'd be in a substantially improved situation. From research
perspective, need incremental solutions but need them to be actually deployed.
Without market choices, external factors won't have too much influence. A
(Stuart) Seeing it start to happen, e.g. Counterpane and monitoring firms are
working out some deals with monitoring and liability rates (more into??)
Q (Rachel from Harvard): I don't run a Microsoft SQL server and don't know
anyone who does. Yet, there was a cost to me and many I knew to not be able to
read mail because of an SQL security problem. How can I hope to address a
problem outside of my domain, and how does it fit in any model? A (Stuart) Part
of the problem is that we expect to be able to use networks for very low flat
rate cost, which doesn't give an incentive to the providers to fix things. And
adversaries have same cheap access we do. Economic design of systems can have
security implications. A (Drew) DDOS zombie attacks are even harder because a
longer chain is involved.
Q: (Jean) Would the security in software market work if there were a market
in security? We have a monopoly in software. Is this the problem?
A (Stuart) Contends that Microsoft has more lines of code out there than
anyone else. If you could measure security of systems, Microsoft would be at a
larger disadvantage because their insecurities would be clear and their cost to
improve is higher. Plus they have to constantly build more features and compete,
so hard to also add security at the same time. A (Andrew) There is a danger in
monoculture, though there are also advantages which they exploited to become a
monopoly. What we are seeing now is the interplay between these conflicting
concerns. A (Drew) Not clear to me that an absence of a monopoly would change
things. Look at subset that is competitive, such as database market - even
there, security is not very high for any of the competing products. It would perhaps
give more choice to the small number of sophisticated consumers who care.
Wouldn't have huge swing otherwise.
Rump Session
Rump Session Chair: Juan Garay
Roger Dingledine
Discusses attacks on mixnets and pseudonym nets. Described the trust that is
committed to the mixnet provider. Real anonymity requires that forward and
reverse packets be indistinguishable. It requires availability of multiple
sources for lists of mixnets.
Glen Nuckolls: Efficient multi-source data query. Currently users query a
single data source to get an answer. How does the user know the response is from
the server?
The data provider computes a digest and sends it to an untrusted publisher. Query
responses can then be verified. The digest functions as a cryptographic checksum.
Advantages: the publisher need not be trusted, and the scheme tolerates an increase in
unreliable communications.
Implemented with a binary search tree sorted at the leaves so that
verification is feasible. Can apply to a general class of structures. Secure
assuming the hash function is collision-free.
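The verifiable-query idea above, as an added worked example that is not code from the talk: a Merkle hash tree over records sorted at the leaves, where the data provider computes the digest (root), an untrusted publisher answers a query with the value plus its sibling path, and the client recomputes the root and compares it with the digest it obtained from the provider. The record set, the SHA-256 choice and the domain-separation bytes are assumptions of this example; the talk's structure is the general class this instantiates. Negative answers (key absent) would need the two neighbouring leaves and are not shown.

```python
import hashlib
from typing import List, Tuple

# Constructed sample data set for the example (not from the talk): the
# (key, value) records the data provider wants served by an untrusted publisher.
RECORDS = [("alice", "100"), ("bob", "250"), ("carol", "75"), ("dave", "900")]

Proof = List[Tuple[bytes, bool]]  # (sibling hash, True if our node is the left child)


def leaf_hash(key: str, value: str) -> bytes:
    # Domain-separate leaves (0x00) from internal nodes (0x01) so an internal
    # node can never be presented as a leaf, and vice versa.
    return hashlib.sha256(b"\x00" + key.encode() + b"\x1f" + value.encode()).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Bottom-up hash tree: levels[0] are the leaves, levels[-1] is [root].
    An odd level is padded by repeating its last node so every node has a sibling."""
    levels = []
    level = list(leaves)
    while True:
        if len(level) > 1 and len(level) % 2 == 1:
            level.append(level[-1])
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def make_digest(records):
    """Data provider: sort records by key at the leaves and compute the digest (root).
    Returns (digest, sorted_records, levels); the last two go to the publisher,
    the digest reaches clients over a trusted channel."""
    sorted_records = sorted(records)
    levels = build_levels([leaf_hash(k, v) for k, v in sorted_records])
    return levels[-1][0], sorted_records, levels


def answer_query(key: str, sorted_records, levels):
    """Untrusted publisher: return the value for key plus the sibling path to the root.
    Raises StopIteration if the key is not present (absence proofs are not shown)."""
    idx = next(i for i, (k, _) in enumerate(sorted_records) if k == key)
    value = sorted_records[idx][1]
    proof: Proof = []
    for level in levels[:-1]:            # every level below the root contributes one sibling
        proof.append((level[idx ^ 1], idx % 2 == 0))
        idx //= 2
    return value, proof


def verify_answer(digest: bytes, key: str, value: str, proof: Proof) -> bool:
    """Client: recompute the root from the answer and compare it with the provider's digest."""
    h = leaf_hash(key, value)
    for sibling, we_are_left in proof:
        h = node_hash(h, sibling) if we_are_left else node_hash(sibling, h)
    return h == digest


if __name__ == "__main__":
    digest, recs, levels = make_digest(RECORDS)
    value, proof = answer_query("carol", recs, levels)
    print(value, verify_answer(digest, "carol", value, proof))   # 75 True
    print(verify_answer(digest, "carol", "7500", proof))         # False: publisher changed the value
```

The publisher can serve any subset of the data, over any channel, and a client with only the 32-byte digest detects a modified value or a modified path; what the client cannot detect without extra machinery is a stale digest, so the provider-to-client channel for the digest is the trust anchor.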
Benny Pinkas: Protocol based key hiding
YAKE? - yet another key escrow system. This one is protocol-based and does not
depend on the particular cipher or hash; it applies to SSL, TLS, SSH2. Interoperable
with current implementations and therefore supports incremental introduction.
Key recovery is done using hidden channels so it is impossible to filter it.
The only way to find it is to examine the source. So it is not a good idea to
trust closed source implementations of security protocols. Furthermore only one
side needs to run this protocol.
Applications: governments can add hidden recovery to existing systems.
Hackers: can patch servers with this and obtain keys. Closed source providers:
only reverse engineering reveals the attack.
The attacker changes the implementation of the client or server. The new implementation
generates an EAF: an encryption of the recovery key under the public key of the recovery agency. The
data would look like a random nonce to anyone but the escrow agent.
Implementation issues: low capacity channels, available fields are shorter.
SSL example: client randomness (public), server randomness (public), premaster
secret (PMS) 46 bytes of secret data. RSA is used; the PMS is generated by the client.
The client can generate the PMS from short seeds and embed the encryption in the client randomness.
SSL 3.0 padding for the block encryption (8 bytes): SSL 3.0 only checks the last
byte of the decrypted pad. So set the length to 8 bytes, embed the EAF in 52 bits of
encrypted pad, and find a 12-bit suffix such that when the entire block is decrypted the last
byte has the correct value.
Implemented, modified ssldump for key recovery.
SSH2 is even easier. Have not looked at IPSEC.
Paul Syverson: Universal Encryption for Re-encryption of RFID tags, with
Markus Jakobsson, Ari Juels, Philippe Golle
Mixnets take in messages, reorder them and encrypt them. Basic Chaumian mix
review. If a server goes away then people keep encrypting messages and other
messages cannot be obtained. New idea: mixing without keys - no need for PKI, no key
protection. ElGamal with re-encryption. Universal re-encryption means providing
an encryption of the message together with an encryption of the number one; the pair can
be re-encrypted without the public key because E(1) is the universal blank (cool). Any message resent
through the network will look different every time. Alice can go to the supermarket and
at home the fridge re-encrypts. A reader can re-encrypt all tags a user is carrying.
Universal re-encryption is a new primitive with nice applications. Open issues:
universal semantic security, existential construction resistance.
Gene: what if the reader is dishonest? Paul: You can detect it with shuffle
proofs.
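Universal re-encryption as described above, as an added example (my code, not the authors'): a ciphertext is an ElGamal encryption of the message paired with an ElGamal encryption of 1 under the same key, and a reader that knows no key re-randomises both halves by raising the E(1) half to fresh exponents and folding it in. The toy prime p = 1019 and generator G = 4 are constructed parameters chosen for readability, not secure ones, and encoding the message as a square mod p is an assumption of this example.

```python
import secrets

# Constructed toy group (NOT a secure size): p = 2q + 1 with q prime, and G = 4
# generates the order-q subgroup of squares mod p. Plaintexts must be elements
# of that subgroup, so messages are encoded as squares mod p below.
P = 1019
Q = 509
G = 4


def _inv(a: int) -> int:
    return pow(a, P - 2, P)  # modular inverse via Fermat; P is prime


def _rand_exp() -> int:
    return 1 + secrets.randbelow(Q - 1)  # uniform in [1, q-1]


def keygen():
    x = _rand_exp()
    return x, pow(G, x, P)  # (private x, public y = g^x)


def encode_message(v: int) -> int:
    return pow(v, 2, P)  # force the plaintext into the subgroup of squares


def encrypt(y: int, m: int):
    """Universal re-encryption ciphertext: (E(m), E(1)) under public key y."""
    k0, k1 = _rand_exp(), _rand_exp()
    return (m * pow(y, k0, P) % P, pow(G, k0, P),   # E(m) = (m*y^k0, g^k0)
            pow(y, k1, P), pow(G, k1, P))            # E(1) = (y^k1, g^k1), the universal blank


def reencrypt(ct):
    """Re-randomise without y: this is what a reader (or the fridge) does to every tag.
    E(1)^k0 * E(m) is a fresh encryption of m; E(1)^k1 is a fresh encryption of 1."""
    a0, b0, a1, b1 = ct
    k0, k1 = _rand_exp(), _rand_exp()
    return (a0 * pow(a1, k0, P) % P, b0 * pow(b1, k0, P) % P,
            pow(a1, k1, P), pow(b1, k1, P))


def decrypt(x: int, ct):
    """Only the key holder can open the tag. Returns None when the E(1) half does
    not decrypt to 1, i.e. the ciphertext is under another key or was tampered with."""
    a0, b0, a1, b1 = ct
    if a1 * _inv(pow(b1, x, P)) % P != 1:
        return None
    return a0 * _inv(pow(b0, x, P)) % P


if __name__ == "__main__":
    x, y = keygen()
    tag = encrypt(y, encode_message(123))
    for _ in range(3):
        tag = reencrypt(tag)  # bit pattern changes every time, plaintext does not
    print(decrypt(x, tag) == encode_message(123))  # True
```

A tag that a dishonest reader rewrites under a different key still looks random to everyone, but the owner's decryption check on the E(1) half fails, which is the observable that shuffle proofs build on.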
Shin'ichiro Matsuo: Ticket scheme for an intelligent transportation system (NTT);
the NTT web site has more information.
Digital signature schemes take too long for a high speed transportation
system. They require challenge-and-response to prevent abuse, and this takes too long.
Thus introduce a ticket system that uses hashes and requires only a single
communication for use with a tamper-resistant device.
The ticket issuer issues a ticket seed. The ticket is the hash of the ticket
seed and the GPS location. The shop sends a receipt to the traveler. The
traveler can verify the shop and then confirm. Neither knows the seed so forgeries
have a low probability of success.
The hash-based ticket system requires less communication (1 less message) and
less computation. The ticket was implemented on a Pentium in a car moving at 50 mph.
There is a full paper and information about the prototype available on the NTT
web site.
Makoto Yokoo: Mechanism Design and Information Security (NTT). Mechanism design
is about designing an incentive mechanism so that individuals share preferences.
Yet sharing a preference disadvantages an individual. Pareto optimal desirable
outcome: the one who values the outcome most highly will get it. Second price
auctions have been shown to result in the optimal price.
Revelation principle: if we can design a mechanism that achieves a certain
property then we can achieve the same property by a strategy-proof direct
mechanism.
Example: government using a second price auction (remember a second-price
auction means that the winner pays the second bid. So if the bids are
b1>b2>b3>b4... then the party bidding b1 wins and pays b2).
Papers describing the entire secure combinatorial auction protocol system are
available.
Nicko van Someren: Digitally Signed Physical Bearer Notes, work from nCipher
Physical notes are protected by a work factor based on the complexity of
construction. Yet they must be reproducible (so the treasury can print them) so
any party with adequate skill and investment can reproduce them.
Digital signatures have their security based on hard computations verifiable
without sufficient knowledge.
It would be nice to have digital signatures on physical notes. But simply
applying a digital signature to a note is a problem because you cannot tell it
is the original. You could just run it through a photocopier. So you need a way to
make notes unique.
Random unique tags: numbers, paint dots, metal strips, entropy in some
biometrics. Tags must be irreproducible.
Pappu et al. provide microscopic properties created by lattice interference and
amorphous light polarization (a physical one-way function). Strong soup: take
advantage of the randomness of physical mixing (making a snowflake). Randomness is not
adequate; there must be a template, as biometrics have templates to use. Using
convolution, optical templates may be created. Take a unique physical tag that
cannot be reproduced. Then write a digitally signed contract linked to that
snowflake. Combining those allows a functionally unforgeable banknote. Thus high
value physical bearer devices could be made more useful.
Ron: There was an early RSA licensee who took the randomness of the fibers in
the paper bill itself and then signed the bill. They went under. Oh well.
Moti: This is a flaky idea but it might work.
Moti Yung: Cryptographic protocols for markets with price discrimination. We
should use crypto to implement price discrimination as well as auction design.
Economics is a colonial field (every-economics), so let's call this crypto economics.
Seller: producing the good requires $1500. Buyers: would pay <400, 600,
800>. With a single minimum price the good would not be offered; with discrimination the good would
be offered.
Price discrimination is good economics but bad business: unfairness,
re-selling. So maybe incent customers: once the seller's price point has been met,
refund to customers. Price discrimination requires users and sellers to share
information simultaneously. Commitment and hidden information help.
Secure function evaluation.
There are n people. Each buyer computes a payment. The seller computes the price at
the selling points. Each buyer pays via a fulfillment server. No one else learns
the individual price Vi. Election techniques can be used to prevent reselling prices.
With the Paillier cryptosystem we can implement efficient protocols to solve the oblivious
market.
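One way to see the oblivious market claim above, as an added example rather than the talk's own protocol: each buyer encrypts its valuation Vi under Paillier, the seller multiplies the ciphertexts (which adds the plaintexts homomorphically) and learns only whether the aggregate covers the production cost. The primes, the separate fulfillment-server role that holds the decryption key, and the buyers' values 400, 600, 800 against a $1500 cost are constructed for this example; the election-style protection against reselling is not shown.

```python
import functools
import math
import secrets

# Constructed toy primes (the 9999th and 10000th primes); a real deployment uses
# primes of 1024+ bits. They are example values, not the talk's parameters.
P_PRIME, Q_PRIME = 104723, 104729


def paillier_keygen(p: int = P_PRIME, q: int = Q_PRIME):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lambda = lcm(p-1, q-1)
    g = n + 1                                            # standard generator choice
    mu = pow(lam, -1, n)                                 # with g = n+1, L(g^lam mod n^2) = lam mod n
    return (n, g), (lam, mu)


def paillier_encrypt(pub, m: int) -> int:
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2


def paillier_decrypt(pub, priv, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n   # L(u) = (u - 1) / n
    return l_value * mu % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Homomorphic property: E(a) * E(b) mod n^2 is an encryption of a + b."""
    n, _ = pub
    return c1 * c2 % (n * n)


def uniform_price_revenue(bids) -> int:
    """Best the seller can do with one posted price: price * number of buyers at or above it."""
    return max(p * sum(1 for b in bids if b >= p) for p in bids)


def oblivious_offer(bids, cost: int, pub, priv):
    """Buyers encrypt under the fulfillment server's key (assumed role; the seller
    must not hold it). The seller only handles ciphertexts, multiplies them and asks
    the server to decrypt the single aggregate, so it learns whether the cost is
    covered without learning any individual Vi."""
    ciphertexts = [paillier_encrypt(pub, b) for b in bids]
    total_ct = functools.reduce(lambda a, b: add_encrypted(pub, a, b), ciphertexts)
    total = paillier_decrypt(pub, priv, total_ct)
    return total >= cost, total


if __name__ == "__main__":
    pub, priv = paillier_keygen()
    bids = (400, 600, 800)                            # the talk's constructed buyers
    print(uniform_price_revenue(bids))                # 1200: below the $1500 cost, no offer
    print(oblivious_offer(bids, 1500, pub, priv))     # (True, 1800): offered under discrimination
```

The key-holder split matters: whoever can decrypt the aggregate can also decrypt each buyer's ciphertext, so the seller must never be given the private key; in the talk's design the fulfillment server plays that role.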
Juan Garay: Strengthening ZK protocols using signatures, with Phil MacKenzie and
Ke Yang. Non-malleability from Unforgeability at this coming Eurocrypt; making ZK
more robust. ZK is an interactive protocol for proving knowledge of a secret
without sharing any knowledge of the secret. ZK is secure in isolated or controlled
synchronous systems. ZK in the real world means multiple parties, not always
reliable communications, malicious parties. Non-malleable ZK means that a
man-in-the-middle cannot prove a secret the MitM does not know. Universally
composable ZK: arbitrary/composed protocols remain secure and non-malleable
(think object-oriented and thread safe) [Ca '00]. Concurrent ZK: logarithmic
number of rounds, and lots of other ZK work.
Start with ZK commit-challenge-response and use the known random public
verification key, then wrap the protocol with a freshly generated key pair, then
bind the signature wrapper to the proof (this also allows concurrency); also include the
initial claim of the user before the challenge in the wrapper.
Wednesday, 29-Jan-2003
09:00 - 10:00 Keynote talk: Listening In on the UN: Technology Lessons
from the Diplomats. Richard Field (U.S. Delegate, UNCITRAL E-Commerce Working
Group; Secretary, Am. Bar Assoc. Section of Science & Technology Law).
Session Chair: Jean Camp.
Abstract: Enabling rules on electronic signatures and records, international
registry systems and electronic documents of title have all been the topics of
recent international negotiation--at the U.N., the Hague Conference, UNIDROIT
and other international diplomatic bodies. This talk will look at recent
successes, failures and ongoing global harmonization work that have a direct
bearing on the development of payment and financial systems.
I am here to tell you what the diplomats are thinking. Not the standards
people but the diplomats. While you may think transferable paper is not money, to a
diplomat it is all the same questions. Ten years ago I sat down with the technology
people and it took two years to understand what each other was thinking. Now
there is a global UN awareness of what a certificate authority is. When a
country comes into the UN there is a heavy cultural
You need to be aware because the law will drive what you can do. You have to
pay attention because the law will shape the market and the market will shape
your solutions.
Finally you can affect the process that is going on. Out of the Hague the US
pushed something called the judgments convention -- a country must enforce the
judgments in other countries. As e-commerce started two consumer people Jamie
Love and his spouse have single-handedly stopped that convention in its tracks.
Whether you stop something or not you can affect. There are NGO's and people who
need expertise. If you have something to say you can say it.
What causes an issue to get to the top of the international agenda? It is
very expensive and it is very slow. Really slow. But the process does lend itself to
one thing: problems end up making themselves known. The issues out in the world
where some group is having a problem
The international maritime community has a problem with paper and
ownership. Documents of title were getting there after the goods. The finance
people have come. The international notaries are having serious problems. These
are trade issues where it is slowing down development.
Liability is always a lurking elephant.
There were 6,000 references to the MA code alone, the legal formalities, to
writing and signatures.
How can you sell a product and get financed for your risk if there are a
thousand laws? Evidence rules vary wildly. What is the value if a signature gets
past the front door? The law is trying to leave this to the process of judicial
resolution because it is changing so quickly. There is variation between the US
approach and the EU approach.
Harmonization is a tremendous problem. Socially passionate issues: gambling,
Nazi, explicit sexuality. The general solution to these international trade
barriers is not to address consumers, but it is getting harder and harder.
In e-commerce, incorporation by reference is required; the ITC was planning to do
an eterms repository. Should it be on your own server? Should standard terms be
legislated? A standard short form power of attorney has one line "do my
banking" referencing three pages. What about when the reference is in a
different language? What is a guarantee on a check? What is a limited
endorsement?
Do you want enabling rules or regulatory rules?
Enabling lets business do more certain things with predictability and
reliability. What about click-wrap? Contracts have eliminated all fair use and the right
to criticize a product. Is this enforceable? This tends to be US vs EU with
the EU advocating regulation.
Limits of contracts will be the major battleground for the next decades.
Why doesn't technology solve these problems? Why doesn't Palladium and DRM
solve all of these problems? The legal and diplomatic communities do not know
how to approach it.
How has this been approached? 1. get rid of formalities 2. applications
relating to formalities 3. build real business applications.
General principles of technology neutrality and party autonomy with an ideal
functional equivalence between paper and electronics. The diplomatic instinct is
to avoid two sets of rules. The instinct is to stay technologically neutral and
define the old technology as neutral (paper is therefore neutral).
On paper you have biometrics identification (face to face) tied to the paper
contents usually providing integrity. So recipient is liable for fraud. Yet when
you are not face to face the liability changes. If you mail a check the bank is
responsible for authenticating and if the signer were irresponsible then the
signer is liable if negligent. So paper rules change.
Electronic agents, lawyers call them 'automated electronic systems'. Agents
can enter into a contract on your behalf. A contract is a meeting of the minds
in many countries. So if you download an agent and it makes a contract, is that
your intent? The diplomatic impulse is "yes". Is that fair? Will that work in
the future? The diplomats need to hear from you if it is right or fair.
A core desire is you want to recognize if something is foreign. We have seen
most of this in UNCITRAL. Basically the global rule is that "Don't say it does
not have effect just because it is electronic." This was a radical change.
The failure so far with this is that there is no global law on
authentication, non-repudiation, and liability. In the US we have Reg E, Reg Z.
Why do people use cards in the US? Because the consumer is protected the banks
face a strict liability. B2B is different. If there is a commercially agreed
upon legal procedure the company is liable.
Technological neutrality - Baum and Froomkin set up the PKI group. The rest
of the ABA hated it. Therefore everything we have is technically neutral. No
state can write a law requiring a PKI. The Europeans love that PKI.
Paul: Doesn't the PKI raise constitutional questions
Richard: everything the US has done in the past five years has Constitutional
implications. This one is on safe ground because of the Commerce Clause.
Now to 2, the applications. Where are they coming from? In 1980s there was a
convention on bills of exchange and promissory notes. That was all paper. Should
we adjust this for electronic notes. Transferable payment instruments and
negotiable payment instruments. The UN also has a convention on the
international carriage of goods: sea, roads, etc. What about on-line?
How do you prove an electronic message represents goods? Well, what kind of
goods?
Tangible goods, intangible, international on-line arbitration.
The Hague has a law on the international transfer of securities. No longer do
people get a certificate. Then it became the fact that GM would record your
ownership. Now Merrill Lynch has 1M shares and each customer has 50 shares. The US
solved this by declaring a new kind of property. ML goes bankrupt. What do you
own? We invented it. All the conference wanted to say was what is it, and where
are the goods. We are going to define where it is? So the UN has only decided
where it is and that is grossly abused.
The UN has been working on a new transaction on mobile receivables. Think
about where a bank wants to lend you money and take an interest in something of
yours. If you do not pay back the loan they get priority over others. How do you
set priority? It has to be public knowledge so you file in a jurisdiction. So
what about mobile equipment? Aircraft frames and aircraft engines and space
ships all have their own regimes. Think about the financing for the aircraft
industry - it is huge. So there is a global electronic registry that places
mobile things in a jurisdiction. It will not be in the US or France. The
convention does not talk about authentication or non-repudiation. So they have
ignored that issue. The international civil aviation authority owns all the data
and they are indemnified but the registry is liable for its own mistakes.
The OAS (Organization of American States) is active: negotiable bills of
lading for roads, but they have not gotten to electronic bills of lading. The US and
Mexico agree but Canada disagrees, while Brazil follows a more European
approach.
Goods can be tangible intangible and mixed goods. Money is just a form of
intangible goods. Buy a car. And it has software in it and GPS access. The
Uniform Electronic Transactions Act says that there is such a thing as a
negotiable instrument. It says it has to be secure. The assumption was that it
was an electronic token as opposed to a registry. Now they want it to be a
registry.
UETA came from the mortgage industry that wants to trade mortgages
electronically more effectively.
States can enact UETA only as it was originally adopted (token based). When
there is a registry it will be centralized. Negotiable instruments are converted
from physical to electronic. When does one cease to be the item of interest?
Incentives to improve security - how do you improve the system over time? You
shift liability to the party best able to improve it. The Australians have
adopted a new EFT. They said if you use PIN security and the user writes the PIN
number down then the user is liable for his or her number. This suggests that there will
never be a better system because there is no incentive.
Closing: participate, contact Richard. This talk suggested that next year's
papers might include: maritime digital titles, transferable and negotiable
electronic records (token mortgages), international digital notaries. These are
some real world problems with specific risks and data characteristics for FC.
Fair Exchange. Session Chair: Ari Juels
Timed Fair Exchange of Standard Signatures, Juan Garay and Carl Pomerance
Fair exchange is focused on the ability to recover and it is also difficult
to do in massive parallel. Some of these solutions put a big burden on the prover,
for example requiring the prover to generate a puzzle.
The goal is to create a computationally bounded system with timing. The
contributions of this work are: timed fair exchange of standard signatures which
admit blinding; a new time structure called mirror time-lines; a protocol for timed
fair exchange of arbitrary values.
There is prior work on time: the Cypherpunks mailing list sending material into the
future (May 93); time capsules for key escrow so that you get
verification at escrow time (Bellare & Goldwasser 96, 97); (Rivest, Shamir,
Wagner) building secure puzzles to hold secrets, computationally intense;
(Boneh & Naor 00) timed commitments, an extension to standard signatures but not for
standard signatures; the authors' previous work includes time-released signatures.
So square a number repeatedly (mod N); you can do this in a series so the distance
grows exponentially, and you can release the information by reversing roots
beginning with the greatest distance from the initial variable. Time lines are
created for g, g^2, ..., g^(2^k). You can create time line values by
multiplication by R.
So you begin the exchange by committing to a time line-hidden value. Security
constraints: binding to value, privacy*...
*privacy here is specialized to mean that the data owner can set an initial
time and within that computational time the data are hidden.
The creation here is a time line that has first increasing and then
decreasing distance. This means a time line can be defined by the initial point,
the median, and the end. The initial act is to prove knowledge of the first
point.
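The squaring time-line described above, as an added example (my own code, not the paper's construction): the sequential path g, g^2, g^4, ..., g^(2^k) mod N that anyone can walk only one squaring at a time, the phi(N) trapdoor that lets the creator jump straight to the end, a value hidden behind the endpoint, and the release of later points on the line that shortens the work still needed to open it. The modulus, the exponent k and the hidden value are constructed; the mirror (increasing then decreasing distance) structure of the paper is not reproduced.

```python
# Constructed toy RSA-style modulus (a real time-line uses a ~2048-bit N); the
# primes, k and the secret below are example values, not the paper's parameters.
P_PRIME, Q_PRIME = 104723, 104729
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)   # the trapdoor: known only to the time-line's creator


def sequential_timeline(g: int, k: int):
    """Anyone can compute g, g^2, g^4, ..., g^(2^k) mod N, but only by k squarings
    in a row: each point is the square of the previous one, so the work cannot be
    parallelised. Returns all k+1 points."""
    points = [g % N]
    for _ in range(k):
        points.append(points[-1] * points[-1] % N)
    return points


def trapdoor_endpoint(g: int, k: int) -> int:
    """The creator, knowing phi(N), reaches g^(2^k) with one exponentiation: since
    gcd(g, N) = 1 the exponent 2^k can be reduced mod phi(N) first."""
    return pow(g, pow(2, k, PHI), N)


def hide(secret: int, g: int, k: int) -> int:
    """Commit to a value hidden by the endpoint: c = secret * g^(2^k) mod N (secret < N).
    A receiver can open it after k sequential squarings; the committer can at once."""
    return secret * trapdoor_endpoint(g, k) % N


def open_from_point(c: int, point: int, squarings_left: int) -> int:
    """Open c given a released point g^(2^j): finish the remaining k-j squarings,
    then divide the endpoint out. Releasing points nearer the end is how the
    committer gradually shortens the receiver's wait."""
    v = point
    for _ in range(squarings_left):
        v = v * v % N
    return c * pow(v, -1, N) % N


if __name__ == "__main__":
    g, k = 5, 20
    line = sequential_timeline(g, k)
    print(line[-1] == trapdoor_endpoint(g, k))       # True: same endpoint, one exponentiation
    c = hide(424242, g, k)
    print(open_from_point(c, line[0], k))            # 424242 after the full k squarings
    print(open_from_point(c, line[15], k - 15))      # 424242 after 5 squarings once g^(2^15) is released
```

For the fair-exchange setting the point is asymmetric effort: the party that created the line pays one exponentiation to open, the other party pays k sequential squarings, and neither can speed the k squarings up with more machines.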
Asynchronous Optimistic Fair Exchange Based on Revocable Items, Holger Vogt
Revocable items are digital items. Detailed descriptions exist for both items
and the items can be checked when the descriptions are given.
Exchanges without trusted third parties have been limited to specialized
applications. The general fair systems have used a TTP.
Some solutions have no automated dispute resolution. Those that do include a
TTP. Then there are solutions where the third party is involved in every exchange and
these have problems with scalability. There are also optimistic protocols, meaning that
the trustee is needed only for dispute resolution. In terms of transaction costs
and scalability optimistic fair exchanges are optimal.
Of optimistic exchanges there are synchronous and asynchronous.
This proposal is for items where generatability is required. Generatability
means that the trustee can generate the item, i.e., escrow systems. Weak
generatability means that the trustee can know if the user is cheating.
Auctions
Session chair: Ari Juels
imho: Auctions are of increasing importance in the policy world. Privacy in
auctions yields stronger auctions because in public auction design price is
often used to signal out-of-band and manipulate the auction. Some solid
overviews of the economics of auctions can be found at: Arrow, "The Economics of
Agency," Chapter 2, in Principals and Agents, pp. 37-51. Telecom companies' use
of open information to communicate in high value spectrum auctions is a chronic
and systemic problem for public agencies trying to capture the value of the
spectrum for the public. A good place to look at the problems with auction
design and what crypto might contribute is at http://www.nuff.ox.ac.uk/users/klemperer/papers.html
A classic example is the use of least significant digits in a bid to signal to
other bidders the plans in the next round. You can see this in Mercury in 1997. For
example, are there anonymous descending price repeated round auctions?
Fully Private Auctions in a Constant Number of Rounds Felix Brandt
A fully private repeat round auction. Note that this is implemented using an
ElGamal with a public key that all bidders participate in creating. (This would
be optimal for governments since all telecom bidders are known well in advance
and makes charges against gov't easier to defend against.) By using repeated
rounds the protocol can combine the advantages of an open auction (as bids are
exposed and the winner's curse problem is mitigated) and help prevent next-round
signaling by removing the identity of the signaler. (For example a BTT signal to
fight hard for a particular spectrum segment has true meaning, Bob's Excellent
Phone Company does not have the same force.)
Secure Generalized Vickrey Auction using Homomorphic Encryption Koutarou
Suzuki and Makoto Yokoo
A solid overview on the types of auctions using homomorphic encryption.
Determine how to take price without revealing price. GVA is a generalization of
Vickrey (aka second price) auction for a combinatorial auction and is incentive
compatible. The implementation shown here is a secure GVA that hides prices.
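The GVA that this paper runs under encryption, as an added plaintext example (my code, not the paper's protocol; the homomorphic layer that hides the bids is not shown): exhaustive search for the welfare-maximising assignment of a small constructed combinatorial auction, then Vickrey payments, which for a single item collapse to the second-price rule from Yokoo's rump talk. The items, bidders and valuations are constructed for this example.

```python
from itertools import product

# Constructed combinatorial auction (not the paper's data): two items, three bidders.
# A bidder's value for a bundle it has not listed is 0.
ITEMS = ("A", "B")
BIDS = {
    "bidder1": {frozenset("A"): 5, frozenset("AB"): 5},   # only wants A
    "bidder2": {frozenset("B"): 4, frozenset("AB"): 4},   # only wants B
    "bidder3": {frozenset("AB"): 7},                      # needs both or nothing
}


def value(bids, bidder, bundle) -> int:
    return bids[bidder].get(frozenset(bundle), 0)


def allocations(items, bidders):
    """Every way of giving each item to one bidder or to nobody (None)."""
    owners = list(bidders) + [None]
    for choice in product(owners, repeat=len(items)):
        alloc = {b: set() for b in bidders}
        for item, owner in zip(items, choice):
            if owner is not None:
                alloc[owner].add(item)
        yield alloc


def welfare(bids, alloc) -> int:
    return sum(value(bids, b, bundle) for b, bundle in alloc.items())


def best_allocation(bids, items):
    """Welfare-maximising allocation by exhaustive search (fine for a handful of items)."""
    best, best_w = None, -1
    for alloc in allocations(items, bids):
        w = welfare(bids, alloc)
        if w > best_w:
            best, best_w = alloc, w
    return best, best_w


def gva(bids, items):
    """Generalized Vickrey Auction: each winner pays the welfare it takes away from
    the others, (best welfare of the others without me) minus (the others' welfare
    in the chosen allocation). Bidding true values is a dominant strategy, which
    is the incentive compatibility the paper preserves while hiding the prices."""
    alloc, w = best_allocation(bids, items)
    payments = {}
    for b in bids:
        others = {k: v for k, v in bids.items() if k != b}
        _, w_without_b = best_allocation(others, items)
        w_others_with_b = w - value(bids, b, alloc[b])
        payments[b] = w_without_b - w_others_with_b
    return alloc, payments


if __name__ == "__main__":
    alloc, pay = gva(BIDS, ITEMS)
    print({b: sorted(s) for b, s in alloc.items()})   # bidder1 gets A, bidder2 gets B
    print(pay)                                        # bidder1 pays 3, bidder2 pays 2, bidder3 pays 0
```

In the paper's secure version the auctioneer performs the same welfare comparisons on encrypted bids, so the winners and payments come out as here while losing bids are never revealed.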
Thursday, 30-Jan-2003
09:00 - 10:30 Panel: Trusted Computing Platforms: The Good, The Bad and
The Ugly
Moderator: Moti Yung. Panelists: Dirk Kuhnman (HP), Paul Kocher (Cryptography Research),
Marc Briceno (independent security researcher). TCPA and Palladium "trusted
platform" activities have raised many questions and objections. In this panel,
we will confront the proponents and opponents of these ideas and raise more
awareness regarding ways of use and abuse of these ideas.
The good part is all good. The keys can be protected. The bad is that the
corporate alliances e.g. Microsoft and Intel can exert undue control, and kill
open source
Dirk Kuhnman: About the corporate position and the labs position. The HP
corporate position is that we will sell whatever Microsoft offers. As to what extent HP
has influence over whatever comes up in Palladium, there is little.
As for the labs, which have the technical directorship of the TCPA committee:
there is a book on Trusted Computing by HP Labs. I am one of the proofreaders of
this book. Apart from this I have been mostly involved in developing and
researching open source software systems. I helped to kick off the HP Labs
secure Linux that was marketed for a year and then taken off the market.
1. The unavoidable
2. The questionable: why it is not always good to be good; why trusting
yourself may not be good enough; why openness is not always trustworthy
3. The avoidable
1. The Unavoidable. IT technology is neither a tool nor a medium but something
else. With telephones and mail the medium does not itself alter the messages.
Computers on the other hand alter the message. Agents on the computer can
obfuscate or modify the actions so that the user's goals are undermined by the
active nature of the computer.
So how can we create a tool so that the tool does not alter our intents when
it transfers our knowledge? As these machines perform billions of operations per
second there is no way the user can supervise the processor. So a hardware
platform is required.
Dirk's Q: why it is not always good to be good. Technically savvy people want
to have total control over all the elements of their own computers. Yet when
your machine is communicating with others you are always facing a situation
where there are implicit agreements with others. There is no cultural framing to
communicate the implicit baseline.
So when you communicate it is simply necessary that each user give up some
freedom to allow the larger network to work.
2Q: why trusting yourself is not good enough. Here the hypothesis is that
if you are very capable then you should be trusted to be the capable
administrator that you are.
Here you will solve the trustworthiness for your own system. But you cannot
communicate the trustworthiness of yourself to others. The system must verify
itself. Attaching the trustworthiness to human operators or brands is flawed, it
must be attached to a computer.
This is not democratic since only the established players will be trusted. So
TCPA is an empowerment technology not a control technology.
2Q: why openness is not always trustworthy. In order to have assurance you have
to walk through the code and have procedures. But if someone could alter the code
then it would no longer be trustworthy. Security is orthogonal to licensing.
According to the GPL you can alter code, but altering security code removes its
assurance.
The users who have secure Linux are banks and companies that invest for
themselves. And this is not distributed.
Open source has to have a model that allows sharing and confirms
trustworthiness.
<< He says big vendors and companies have not stepped in to give assurances. But
probably the government will have to tax and generate secure software. >>
3. The avoidable. There is a virtue in not controlling something: if a
user cannot alter the behavior of his or her computer to be untrustworthy then
the user should be trusted by virtue of the user's loss of autonomy.
Much of the discussion of TCPA is about what a major company will build on it
- how Microsoft will leverage this to control users.
If code is law then it must be validated by public discourse. So components
that are not controlled must be open source so they can be vetted. Therefore
TCPA makes open code much more important.
Conclusion: Instead of fighting this technology the community should focus on
supporting the software and building something on it because openness is a
necessary but not sufficient condition for creating a trustworthy TCPA.
Paul Kocher: The company I work for has done work for the RIAA and the EFF.
From a business perspective we can see both sides. Whoever will pay us, we will
work for them.
What is trustworthy computing: can you build a computer a user can trust? can
you build a computer a networked anonymous person can trust?
We are doing a terrible job of building machines worthy of a user's trust
because the complexity of a system is continuously increasing. It is no longer
possible for a single person to know all things and all bits inside a machine.
So even experts can no longer be certain.
For Disney and the RIAA, they want to control high value commodity content on the
machines of remote users.
What are intellectual property rights and are they a good thing? Among
technical people the notion of intellectual property rights is one that people
meet with hostility. Intellectual property is the ability to dictate your own
work. << Intellectual property is property and by definition property is
the right to exclude others from access. Refusing access to words means limiting
speech rights. So intellectual property is a passionate debate because it is a
conflict between the two core American rights: the right to property and the
right to speech. >>
Intellectual property owners have a right to remove the autonomy of users so
they can be certain about the use of their content.
As cryptographers we have failed to develop workable business requirements
for intellectual property systems. Practical applied research should solve
Hollywood's problems or they will push for additional controls. So we will turn
over to Lucky.
I would argue that power always increases the desire for control, and
Hollywood is exerting control because they can, not because they need to. Technology will never offer
static certainty; business models change. Reality TV has changed the video
entertainment market. It is a dynamic industry and all the legislation in the world cannot change that.
Marc Briceno aka Lucky Green In my statements you will hear quite a bit of
intent. Because trusted computing is ensuring your betrayal.
I want trusted computing very very badly. I know I cannot trust my computer.
I would love to be able to tell what state my computer is in.
Let us look at public statements about what the technology is intended to do.
TCPA is supposed to make the PC the core of the home entertainment industry. The
head of TCPA made five or six comments about how TCPA is absolutely not for DRM.
The head of TCPA has said, "There is certain content that owners will not make
available on the PC platform. That is unacceptable and we will solve this
problem one way or another." This was the second TCPA working group.
The business objective of TCPA is DRM first and foremost. As was said at
USENIX Security, the content providers will never see anything over NTSC
resolution unless they plug the "analog hole", meaning make it impossible
Microsoft claims it loses millions from illegal copying and Microsoft wants
to end that. TCPA will do this.
TCPA is about defining the future of the PC. Anyone who would purchase a
machine has done so. So how does one grow the market? According to the PC
industry the market is saturated. Another market is the home entertainment
center. At the center of the home entertainment system can be Sony 5.0 or
something Microsoft. Sony sells more consumer electronics than MS have ever sold
software. This market is giant and will be hotly contested. Microsoft believes
that TCPA is the only way to win its coming battle with Sony for the heart of
the home.
The objective is to prevent user autonomy. This enforces three levels of access:
1. highest level access: you can see everything going on, you can know what is
happening and you know the state; this is reserved for owners of high value
content, not users
2. user access
3. minimal access
Trustworthy computing now means that third parties can trust the computer to
enforce rules in opposition to the desire of the users.
Gates: Control of our own documents is much more interesting.
Levy: You can cause Word to create documents that can only be read for the next week without
additional payment.
Quiz: What does a federal prosecutor call a bit of software that
inter-operates with DRM protected file formats? A: A DMCA violation! Meaning
five years if you create software that reads DRM protected formats so that
creating interoperable technology is a felony. $50,000 per device
This will allow the feds.
MS media player license agreement: Microsoft
reserves the right to disable your ability to use other software on your
computer.
When soliciting members the proposal was to enable secure boot. Within the
working groups the purpose was to enable DRM to serve the MPAA. Later the pitch
was to enable DRM for everybody. Now TCPA is to eliminate all spam, viruses and
hacking. Next pending: the architecture is being pitched to the Office of Homeland
Security.
MSFT: Palladium will not be required to read files created prior to the
introduction of Palladium.
Potential countermeasures: reject TCPA. Demand owner override. The
security of a simple trusted system depends on the owner not having access to the
keys. If you do not have access to all the keys then you cannot control your own
machines.
Caveat emptor: if a system tells you that you are loading keys, make sure
the use is not flagged to enable enforcement.
Kocher: Laws are on the books. Philosophical question: do intellectual
property owners have the right to provide content for proprietary platforms?
Currently there are several examples, such as cable boxes, copy-protected software, etc.
His sense is there's nothing inherently wrong with this. He believes it is the
functioning of the market.
Marc: I made no issue of the IP issues because I do not think they are
relevant for the property debate. I know that intellectual property is on
people's minds. I do not care if content providers include various restrictions
that content owners use. What concerns me is that the content providers, through
the operating system providers, are turning the general purpose machine into a
machine with a platform for a back door that I cannot control or close. I care
because TCPA is designed to make computers less secure.
Dirk: I was worried about a Palladium discussion. Palladium isn't Palladium
anymore. Palladium is not TCPA. There was a point about preventing root access
on your machine. This is about preventing root access while engaging in
communications with another entity. After this you will have access on your
system. This is about contractual agreements in communications situations. Now
the good guys don't want to do any harm but they cannot prove they don't want to
do any harm. User override will be possible. Conceptually and technically TCPA
clearly allows user override. If user override means key access - then lack of
user access is very good because loss of user autonomy makes users trustworthy.
Migratable keys can come with different security classification.
Paul: One comment on providing user override with the platform previously known
as Palladium, well, there are so many changes: you have to change all the
architecture and the keyboard and everything else. I cannot see how anyone could
come up with such a strong PC. It will not exist.
Marc: I would also like to have 20 devices of perfect security. TCPA
takes root access from a user: if you are root then you determine which
instructions your CPU sees and executes. Under the TCPA regime the system cannot
work. It requires removal of user autonomy. TCPA is about protecting content
from others who believe the information must be protected from you after you
purchase it. Paul immediately proposed an override that was an off button. Dirk
proposed that you can turn it off if you are not on line and not using any
Microsoft software.
Moti: Before questions I have something to say about what Paul said: the
research community failed to create a DRM solution. No we cannot solve the DRM
problem.
Drew: To Dirk, I was at the DRM workshop last year. The EU will get the same
horrible laws we are. Consumers will refuse to purchase DRM products. They are
not serving a market so purchasers will not sell.
Paul: I think market driven systems are the way to go. If users don't like it
they will avoid it.
Ray: TCPA tries to solve the problems of content owner. Can we make the
problem of content owners and machine users distinct?
Dirk: Researchers have tried to come up with the minimum set of crypto
primitives that allow for a secure boot. If you can find out that a simple
mechanism is possible to have monitored boot then let us know. Can we allow for
a secure boot without allowing things? Not possible now.
Paul: Users want to be able to put information in front of a website and know
what the remote computer is what they think.
Adam: In regards to Drew's comment about a pocket veto, it will be difficult
to buy a system which does NOT have TCPA elements built in. I bought this
machine so you need to have Office to create complex Microsoft documents. I am a
technical person and I explored all the available alternatives, so my ability to
pocket veto what I don't want and don't like is not there.
Marc: This loops around to the market force in TCPA and Palladium. As HP has
said, HP ships whatever Microsoft desires. I asked a senior AMD person if they
would support TCPA; because Microsoft and Intel decided on the feature they
had to include it. The market forces are distorted. Those who work in large MS
environments know that they build incompatibilities so that one person's
upgrading forces anyone who would communicate to upgrade. The current goal is to
mandate the use of this technology by the Federal government.
Dirk: It is likely that TCPA systems may be cheaper than others. As for plans
to embed TCPA on chip then there would be a requirement to cut off TCPA. It is
possible to run Linux on TCPA if it is loaded on the box at the vendor. Getting
technology without TCPA in the future may not be possible. As for the comments
that TCPA is actually pushed it is only pushed because the original intent of
this technology is DRM. IBM sells TCPA computers where losing a laptop does not
mean using their data. HP will sell a similar thing. There is a nice business
without TCPA. In fact the original intention is to work through the corporate
space for road warriors or teleworkers. This market is already there. We are
facing groups that are fighting TCPA on political grounds.
Drew: I was talking about mass media and office is completely different. Let
me remind the panelists of CT by 92. I do not believe in the power of mandates.
Julian: TCPA is giving up your rights on your own computer so others can
trust you. What do I gain if I give up control? What if something goes wrong?
Then it is all my fault. Then if there is a bug, whom should I blame?
Drew: Worse yet, if you broadcast viruses to many users, are you liable?
Paul: We have reached a point regardless - you have no control over your PC
anyway.
Julian: You decide which applications you run. But you know what applications
you run.
Paul: An install program is to install whatever you want. Right now consumers
have lost power in dictating what goes into technology. People accept the worst
material. What is needed is a consumers' union, which revolutionized
non-technical goods and altered the sale of unsafe products. Users should have
products that meet their needs.
Dirk: The evolving area of computer security economics is dealing with this
question. I doubt agencies can work because they cannot access the software.
They are not able to verify the software. Closed code is not good enough for
this community and not good enough for government. It takes a long time to
understand this and individual consumers cannot do this. I know one thing: if we
just say we cannot do this then we have given up our control of technology. We
should go back to paper.
10:30 - 11:00 Coffee Break
11:00 - 12:30 Cryptographic Tools and Primitives
Session Chair: Benny Pinkas
On The Computation-Storage Trade-offs of Hash Chain Traversal
Yaron Sella
Nice overview of hash chains and their use in authentication.
There are two naive approaches to traverse a hash chain: you can store only
the root and then compute all others, costing O(1) storage and O(n) computation
per link. The second is to store all the links, with O(1) computation and O(n) storage.
Last year there was an FC paper to traverse a hash chain so that storage is O(log
n) and computation is O(log n).
Here the focus is on constant computation per link for some storage trade-off, for
example on heavily loaded servers.
The hash chain traversal protocol provides constant O(M) computation with
storage requirements O(k n^(1/k)). Starting with the case n=1, he then
illustrates that length optimality is an interesting and open question with respect to this
protocol.
Yaron starts with a "b-partition": he divides the chain into subsections and
stores the left-most link of each subsection. Then he b-partitions recursively and shows
an example. He then shows it so that the root is the base of the first b-partition
and each further partition creates new trees/subsections.
The protocol begins with a b-partition. Each time a b-partition occurs a
pebble is placed in the subsection's left neighbor. The pebble induces a b-partition
at its node. A pebble is a dynamic storage element that dies after it
is done. Very nice dynamic illustration of the general protocol on a short hash
chain.
He expands it nicely in double hash chains for the case of two parties
committing. The use of simple visual aids is very effective but cannot be
reflected in the notes.
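As an added illustration (not code from the paper or the talk), the Python below implements a two-level instance of the computation/storage trade-off described above: b checkpoints plus a buffer of at most 2b links give O(sqrt(n)) storage, and one hash of look-ahead work per emitted link keeps the per-step computation constant. The checkpoint layout and the pipelining are a simplified reading of the pebble idea for k = 2, not Sella's exact protocol; the seed value is constructed.

```python
import hashlib

def H(x: bytes) -> bytes:
    """One chain step: v[i] = H(v[i-1])."""
    return hashlib.sha256(x).digest()

def build_chain(seed: bytes, n: int) -> list[bytes]:
    """Reference chain stored whole (the O(n)-storage naive approach); used only
    to check the traverser's output order."""
    chain = [seed]
    for _ in range(n - 1):
        chain.append(H(chain[-1]))
    return chain

class TwoLevelTraverser:
    """Emits a chain of n = b*b links in reverse (v[n-1] first, v[0] last), as a
    protocol releasing one link per round would. Stores b checkpoints (left-most
    link of each subsection) plus at most 2b expanded links, i.e. O(sqrt(n)), and
    spends at most one hash per emitted link: while subsection j is emitted from a
    buffer, the expansion of subsection j-1 advances one hash per step (k = 2)."""

    def __init__(self, seed: bytes, b: int):
        self.b = b
        self.checkpoints = []      # v[j*b] for each subsection j; built once (n hashes)
        self.current = []          # fully expanded subsection now being emitted
        v = seed
        for i in range(b * b):
            if i % b == 0:
                self.checkpoints.append(v)
            if i >= b * (b - 1):
                self.current.append(v)   # last subsection is emitted first
            v = H(v)
        self.checkpoints.pop()           # already held in current
        self.pending = [self.checkpoints.pop()] if self.checkpoints else []
        self.hashes = 0                  # hashes spent during traversal

    def __iter__(self):
        return self

    def __next__(self) -> bytes:
        if not self.current:
            if not self.pending:
                raise StopIteration
            self.current = self.pending  # fully expanded by now
            self.pending = [self.checkpoints.pop()] if self.checkpoints else []
        if self.pending and len(self.pending) < self.b:
            self.pending.append(H(self.pending[-1]))  # one hash of look-ahead
            self.hashes += 1
        return self.current.pop()
```

For b = 4 (n = 16) the traversal spends 9 hashes in total, never more than one per emitted link, against the n hashes spent once at setup.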
Verifiable Secret Sharing for General Access Structures, with Application
to Fully Distributed Proxy Signatures
Javier Herranz and Germán Sáez
This work is related to secret sharing, threshold protocols and proxy
signatures.
This protocol allows delegation of signing capabilities from one distributed
entity to another.
He illustrates some interesting applications and use with three types of
delegation: full delegation, proxy-protected delegation and proxy-unprotected
delegation. (Fits well with Richard Field's point about the meaning of power of
attorney and how we don't know how that might map. This work expands that
understanding.)
He wants to expand this work to other signature schemes in the future.
Non-interactive Zero-Sharing with Applications to Private Distributed
Decision Making
Aggelos Kiayias and Moti Yung
Private distributed decision making (PDDM) is a core problem in cryptography. It
requires security, privacy, efficiency and trust. Generic protocols are not
efficient especially as the number of participants expands or as the group
members change.
This work builds on previous e-voting work and proposes applications of PDDM.
These applications take more narrowly defined crypto protocols and systems
and, with small reconfiguration, apply them to a far larger and arguably more
realistic set of general problems.
Closing Remarks
Phong Nguyen, General Co-Chair
Please fill out the feedback. Taxi coordinating list. Thanks. Figures on
conference. 40% non-US. 6% Asian. 40% academic, 40% industry, 20% students. By
hours Internet surfing was more popular than physical surfing.
T shirts are still available.
Jean's Closing Remarks
Every time I leave I come away with six papers I want
to do. A paper on the possible implications of Euro RFID for the policy
audience. An analytic simulation of different anonymous systems. A survey paper
on all the micro-payment systems used in transit systems. A risk analysis about
the change of keys based on the lifetime cycle of money, assuming that banks can
re-encrypt. (E.g., in Russia dollars are held a very long time as insurance
against ruble failure. In the US most dollars go from ATM > consumer
> merchant > bank. US solutions would be damaging for Russia.)
Session Chair: Andrew Odlyzko