Monday 1/27/2003
Keynote talk: Digital Cash - ahead of its time or just a bad idea?
Tim Jones (Mondex)
Session Chair: Rebecca Wright. Mondex was an attempt to bring crypto to the masses. Why did it fail? Did it have any successes? What was learned?
Tim Jones, who chose to introduce himself as co-inventor of Mondex and therefore the person whose fault it all is.
This is a business presentation on why bringing crypto to the masses failed even with the support of major corporations.
"Of all the things we did wrong one was an absolute corker." So he begins with a history of Mondex. Initially the banks chose to create EFTPOS-UK in 1986. The banks conceptualized it as an electronic check, and that led to £250M going into an architecture based on a flawed intellectual premise. There were huge debates, which he classifies as jihads, on DES vs. RSA. "EFTPOS-UK was a turkey so it didn't matter but we learned."
The UK banks felt debit cards happened _to_ _them_ instead of there being control. The banks wanted to control the next big thing - the charge card, the credit card, and then the debit card using the same architecture. You have high->medium->low transactions so it appears that the next will be ecash. So there was a particular specific search, and then there was a choice for an 'accounted'* model.
(An accounted model means that the ecash is debited and then loaded on the card. After it is spent it ends up at the bank again.)
At the close-down meeting the right questions were asked: Why don't we have a business case? Because it is too expensive. Why? Because we have all these accounting steps. Why? Because we don't know if the data coming in as money is truly money. So let's get rid of all the steps by implementing RSA, ensuring the data, and locating liability appropriately.
March 2, 1990 Mondex insight: every purse in a peer-to-peer network is a secured node, which removes the need for accounting steps.
What we did right:
What we did wrong:
(In my opinion this is a condemnation of the choice to be closed. Not that
I am arguing against the existence of the ill-mannered cooler-than-thou dot snob
thing happening. Yet I was deeply in net commerce early on
The corker: We Picked the Wrong Kind of Everywhere
Town trials are the worst way to do diffusion, because there is an immediate
boundary created because it does not work outside. Even in the town it is impossible
to get _every_ single merchant to take it. (Naff off? Is that some English rude
word?) So customers are not sure where it works. When you go and do a town trial,
the worst merchants ought to embrace the system because they are the ones
with the worst cash controls and most severe need for Mondex. The least relevant
shops with established facilities took it, like upscale locales. Yet the worse
places won't take it (like coin-operated laundries). This was also visible in
the Upper West Side trial. Town trials are wrong, and the brand becomes associated
with failure. You are also trying to talk to every demographic segment.
Instead, redefine "everywhere" by brand association. (I believe that is what the EFTPOS
cards did because they connected with VISA.) By bonding with a known brand
you create a comprehensible customer promise that fits with the way humans extend
trust. It also creates a demographic target. It means that instead of getting
every single technical challenge right, and making it work in every environment,
there is a single technical challenge. You can make it work perfectly in a rather
narrow environment rather than make it work at all everywhere.
Who is closest to getting this right? Mass transit systems. You can buy the
cards in petrol stops (that's a gas station for us).
Where is Mondex? Well, you can bet on the net. (ha ha ha.) The Dutch were
going to use interactive television, which is awful. The only product that
interactive TV consistently delivers is a screen that says "please wait".
Since there are small winnings you can download money from the bank, make the
lottery bet, and get your (almost certainly very small) winnings back on the
card, where you can spend it again.
The merchants used UK debit because it was better for them than a check; Koreans
are adding it to debit cards. So after two years Mondex will be everywhere.
No one anticipated pervasive networks. These make server ecash possible in
a networked world where the cost of communications is decreasing even faster
than processing power (see the work of Andrew Odlyzko on this).
M-commerce looks promising. Ring tones and logos are deliverable to Nokia phones.
So m-commerce has already gone beyond the fantasy no-revenue model of the Internet.
There is a picture of my hotel taken this morning. It is just pants. ("Pants"
is the English kid rude word. Americans can translate that as "stink".) The
phone is a Vodafone leading edge. (He also has an Orange SPV. That is Microsoft's
first cell phone. It is a bit like a Handspring Treo.) 5 million could subscribe
to pay a couple of euros for the next hot new single delivered in MP3 the moment
it is released.
Server-based ecash is pants/stink for privacy. IC cards balance the state's
right to regulate with the user's right to privacy. So Mondex might come later,
because society has not been harmed by privacy loss. Only the elites have experienced
true privacy problems.
So every card has a Mondex pin. But the card does not need to be linked with
an account, a person, or anything else. The pins are token identifiers. Inside
each smart card there is a transaction history file. Any user can set it to
a record size. It was initially set to a company standard of 10, and users can
wipe this by doing a series of cheap transactions. (I do not buy that argument.
I think the user should control record distribution and storage. That's not
so hard and allows for ease of dispute resolution.)
Contactless has got to happen. People like that flexibility. Contactless makes
the product cool. Bankers never think about cool. He proposed a throbbing pellet.
If you are into leather who knows what your token might look like. (I propose
that a throbbing token is a completely boy idea. Of course I like boys.)
Security assessment. Public scrutiny is not a sensible way to protect a payment
system. On your side of the debate you say that strength requires widespread
analysis. Tim advocates controlled access to assessment.
Paul Kocher got inside the product with a brilliant differential
attack. He dismisses the claims of Texas (Sandia National Labs) of having broken
Mondex. Basically he says if someone with the facilities of the US government
can break it, that is not the threat model.
He believes publishing security holes is not a good idea.
Stuart Schechter: Maybe it is not broken because it is not being used.
TJ: As long as you keep looking and maintain your humility and are honest and
humble. (That honesty issue with respect to power and secrets is a chronic problem.)
Concludes by saying the net has delayed ubiquitous computing but it will come,
and we will have to agree to disagree on security management.
A truly charming talk. An insight on the meaning of ubiquitous. But IMHO
he was so totally wrong on the security by obscurity thing. See Matt Blaze's
response to his critics on publishing the master key attack.
Mike Smith: Well you refuse to believe Sandia. Tim Jones: That Sandia National
Labs can break it means that we have a reasonable work factor. What concerns
me is the silicon fabs in Eastern China. So my worry is how fast is it that
the fabs in China get access to the information. There is a club of good guys
working together.
Nicko: Do you put controls in Mondex that structurally prevent switching value
and speed of transaction amounts?
Tim: There are value, origination, merchant, and bank [purses]. Bank ones hold large money
pots. Origination ones are for bank withdrawal. Merchants are up to tens of thousands.
There is a velocity-of-money control.
Adam: there are many systems since ecash, yet these have found no traction.
Why?
Tim: Ecash has to be available everywhere. The hurdle to get people to adopt
something extra is high. Vodafone and Orange have tried to get people to sign
up for a stored value account. This is because of the electronic money controls
on ecash. Vodafone and Orange cannot get people to open another account.
Nicko: Can't you solve that by filling up the everything pot and then having
the consumers pay for the telecom?
Tim: No, because of a combination of accounting regulation and the fact that telephone
companies are the most desperate and cash-strapped companies. Go in today and
offer a telecom company the ability to have their cash be credited weeks later
than the monies are credited today. It will be a very short conversation. One
way to fix this is to allow the operators to credit the telephony portion to
balance sheets at a high frequency.
Richard: You are putting much weight on the prediction that people need privacy.
Criminals will be the most attracted. Governments oppose it. Aren't you putting
much weight on that guess?
Tim: Proximity cash with a contactless card is more useful for something which
is not always on the net. I do think the privacy argument will play through.
The server cash will be there. But you can use the same brand and use both cards
and tokens. There will be an increasing number of people interested in privacy.
Ray: You mentioned the cards as anonymous but there is a purse id. Can you
link serial transactions?
Tim: The purse id follows the token one step. So some effort can create a layer
of indirection by using a clean card.
Q (from someone identifying himself as from Sandia): We have not seen any Mondex
cards since the first ones, out of curiosity. You said that we were the only
people who loaded money onto it. But is that because we were smart enough or
because we were interested and curious?
Tim: We picked the best people we could find and tried to get them to break
it. Many people tried to break it. There was a lot of noise, and there was
interest. Ross Anderson claimed to break it but he never gave us a loaded card
or a card id.
Q (same person): But maybe it is just not yet worth breaking.
Tim: Mondex does research on the dimensions of attack.
Paul: So much of your planning about how this might fly invokes the privacy
issue, yet your model seems to assume that there is no privacy in the network.
If that happens your assumptions go away. But you seem sanguine about this.
Tim: You are right. I am very sanguine because I am not part of it any more.
Agoric Inc has some interesting ideas about peer economics. I think we need
something that respects the fact that millions of copies can be sold.
I argued at lunch that part of the reason Mondex was not cool was that it was
closed, and a cool product would have gotten traction. He disagreed. I think
it should be included as part of the cost -- that being closed by definition
closes things off to you. I also argued that bankers have a risk-averse culture
of integrity which is woefully absent in commercial computer programming and
that an open system allows people to watch your suppliers. He maintains that
they can watch their suppliers very well thank you, and closed does not imply
trust in suppliers.
Micropayments and E-cash Session Chair: Jacques Stern
Using Trust Management to Support Transferable Hash-Based Micropayments
Simon Foley
A quick recap. A payer signs a contract promising to reimburse through a hash
chain. There is a hash chain of length n, issued to a principal payee. The first
decision that must be made by the payee is "is the payor trustworthy?"
There is a series of payments. Then the payee seeks payment and the trustor
asks if the request for payment is legitimate.
Using these questions the hash-based micropayment scheme can be based on some
trust calculus. Therefore Blaze & Jane's KeyNote system can be applied in a
valuable and consistent manner. The rest of the presentation is details of the
application.
We should think of a contract as a certificate that is being issued by the payor
that authenticates the payee as having the right to assert demands for payment.
Examples given are: trust a payee for up to some threshold, or, for a payor, trust
any request for payment based on verification of the contract.
The payee compliance check can check whether the payor is authorized to make the first
payment. After that the KeyNote verification requires only checking the consistency
of the hash chain.
Richard: Is there a requirement for a pre-existing trust relationship? Why
is there a policy question there?
Simon: Because the trust question is based on the trust of the key.
Richard F.: So when you say trust the party you mean trust the key.
In delegating hash chain contracts both the validity of the payment and the
transfer of the payments must be trusted. How does the party that is receiving
the delegated payment confirm that the delegator will not try to both delegate
and obtain payment? KeyNote can clarify and solve this problem by confirming
that the first hash payment is valid and by verifying the contract of the delegator.
Thus if the delegator cashed in there would be nonrepudiation when the final
payee can prove rights to the payment.
He applies KeyNote to show how the use of trust calculus and contracts can
enable complex subcontracts and subcontractors with limits by making the
trust dependencies understandable. One cool thing is that with the credential in
a subcontract the subcontractor can break the hash chain in a different
manner (e.g. payee gets p^n, p^8n and can delegate p^4n for a second payment).
The need for and details of the contract are clarified by the use of KeyNote.
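The hash-chain payment, the payee's consistency check, the delegation of a sub-range of the chain, and the trustor catching a delegator who both delegates and cashes in, as an added example (not code from the paper or from KeyNote). It assumes SHA-256 as the hash, an HMAC under keys the trustor holds as a stand-in for the contract signatures, and constructed principals Alice (payer), Bob (payee) and Carol (Bob's delegate).

```python
import hashlib
import hmac
from dataclasses import dataclass, astuple

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def make_chain(n: int, seed: bytes) -> list:
    # [w_0, ..., w_n]: w_n is the payer's secret seed, w_i = H(w_{i+1}), w_0 is the root.
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain

def verify_token(anchor: bytes, anchor_idx: int, token: bytes, idx: int) -> bool:
    # w_idx is valid iff hashing it (idx - anchor_idx) times gives the last accepted value.
    if idx <= anchor_idx:
        return False
    x = token
    for _ in range(idx - anchor_idx):
        x = H(x)
    return hmac.compare_digest(x, anchor)

@dataclass
class Contract:      # payer's promise to honour up to `length` tokens of `root` from `payee`
    payer: str
    payee: str
    root: bytes
    length: int
    unit_cents: int
    sig: bytes = b""

@dataclass
class Delegation:    # payee's promise that `delegate` may collect indices start+1 .. end
    delegator: str
    delegate: str
    root: bytes
    start: int
    end: int
    sig: bytes = b""

# Constructed principals; HMAC under keys the trustor holds stands in for the real
# scheme's public-key signatures (an assumption that keeps the example stdlib-only).
KEYS = {"alice": b"k-alice" * 4, "bob": b"k-bob" * 4, "carol": b"k-carol" * 4}

def sign(principal: str, obj) -> bytes:
    body = (type(obj).__name__,) + astuple(obj)[:-1]   # every field except the signature
    return hmac.new(KEYS[principal], repr(body).encode(), "sha256").digest()

class Trustor:
    # The bank: pays each index at most once and records who cashed it, so a payee who
    # both delegates and cashes in is caught against the delegation he signed.
    def __init__(self):
        self.ledger = {}  # root -> {index: claimant}

    def redeem(self, claimant: str, c: Contract, token: bytes, idx: int, d: Delegation = None):
        # Returns (cents paid now, indices already cashed by someone else).
        if not hmac.compare_digest(c.sig, sign(c.payer, c)):
            return 0, []                    # forged or altered contract
        if idx > c.length or not verify_token(c.root, 0, token, idx):
            return 0, []                    # token is not on this chain
        if d is None:
            if claimant != c.payee:
                return 0, []                # only the contract's payee may cash directly
            lo = 0
        else:
            genuine = hmac.compare_digest(d.sig, sign(d.delegator, d))
            if not (genuine and d.delegate == claimant and d.delegator == c.payee
                    and d.root == c.root and idx <= d.end):
                return 0, []                # delegation does not cover this claim
            lo = d.start
        paid = self.ledger.setdefault(c.root, {})
        claimed = range(lo + 1, idx + 1)
        conflicts = [i for i in claimed if i in paid and paid[i] != claimant]
        fresh = [i for i in claimed if i not in paid]
        for i in fresh:
            paid[i] = claimant
        return len(fresh) * c.unit_cents, conflicts

def scenario():
    # Alice (payer) contracts with Bob for 10 payments of 5 cents; Bob accepts three,
    # delegates payments 4..8 to Carol, and then both Carol and Bob try to cash in w_7.
    chain = make_chain(10, b"constructed-secret-seed-for-the-demo")
    c = Contract("alice", "bob", chain[0], 10, 5)
    c.sig = sign("alice", c)
    anchor, anchor_idx = c.root, 0
    for i in (1, 2, 3):                      # Bob verifies each token against the last one
        assert verify_token(anchor, anchor_idx, chain[i], i)
        anchor, anchor_idx = chain[i], i
    assert not verify_token(anchor, anchor_idx, chain[2], 2)   # replayed token is rejected
    d = Delegation("bob", "carol", c.root, 3, 8)
    d.sig = sign("bob", d)
    assert verify_token(chain[3], 3, chain[7], 7)              # Carol checks against w_3
    bank = Trustor()
    carol = bank.redeem("carol", c, chain[7], 7, d)   # (20, [])
    bob = bank.redeem("bob", c, chain[7], 7)          # (15, [4, 5, 6, 7])
    return carol + bob
```

Bob is paid only for the three tokens he kept, and his attempt to cash indices 4..7 is reported as a conflict with Carol's claim, which the delegation he signed lets the trustor pin on him.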
A Micro-Payment Scheme Encouraging Collaboration in Multi-Hop Cellular
Networks Markus Jakobsson, Jean-Pierre Hubaux, and Levente Buttyan
You have a set of base stations and a set of mobile stations moving around. In
traditional systems the mobile station would reach the base station in a single
hop. In multi-hop networks the base station can be reached by routing through
and sharing the other mobile stations. Currently there are no such networks
created, yet there are many research proposals for such a scheme.
The major advantage is power. There is an advantage to transmitting in multiple
hops: there are lower power requirements. Another advantage is cost, as base
stations are expensive, or extended capacity for the base station with no
increased cost.
We assume upstream is multihop but downstream is singlehop so this means that
the power advantage stays but the cost advantages are decreased.
Why should mobile nodes forward? Selfish behavior is optimal behavior. Therefore
this paper proposes a micro-payment scheme.
Marti et al. proposed a watchdog and path rater, which does not discuss misbehavior.
Buchegger looks at reputation-based collaboration, which seems to be subject
to pseudo-spoofing.
Rivest looked at aggregation requiring probabilistic payments (using lottery
tickets as payments), but this has not previously been applied to routing.
Micali and Rivest talked about probabilistic payments with deterministic debts.
Again very useful but not previously used for routing.
The general scheme is that the source sends a payment token with the packets.
Each node interprets the token as a lottery ticket. If it is a winning ticket
you submit the reward claim. In any case you forward the token and the packet.
Assume the mobile devices are selfish and the base is honest.
Attacks: taking only winning tickets; sniffing packets for other winning tickets;
crediting a friend (e.g., "here, send this msg, you'll win with this one"); ticket
pooling; tampering with claims; tampering with reward levels, particularly useful
with near-source collusion.
Protocol requires a shared symmetric key for each mobile station and a base
station. Each mobile device keeps track of immediate neighbors and the distance
to the base station in hops.
Packet dropping: a node with a higher frequency as receiving neighbor than as sending neighbor.
The auditing technique is in the spirit of fraud detection for existing telephony networks. No
formal model or proofs are given. These are for future research.
Adam: What about the digital silk road paper? How does that relate? A: The
main difference is that silk road is pure p2p, and here we have an operator and
take advantage of this. Roger: How can we detect someone who is cheating if
there is a model for cheating? What about people framing others for cheating?
A: We consider only selfish nodes but not malicious nodes. We consider strictly
rational self-optimizing nodes. Paul: It could be beneficial if you could knock
out competitors. A: Not in the general case.
On the Anonymity of Fair Off-line e-Cash Systems Matthieu Gaud and Jacques
Traoré
Frankel, Tsiounis and Yung improved the security of Solages and Traoré 98. Yet
in neither case was either anonymity or security properly proven. In this presentation
those works are reviewed. Yet after examination it turns out that both are
provably anonymous. Yet neither of these is provably secure because both depend
on Chaum's blind signature problem.
delayed: Retrofitting Fairness on the Original RSA-Based E-Cash Shouhuai Xu
and Moti Yung
moved up: How Much Security is Enough to Stop a Thief? Stuart Schechter and
Michael Smith
Instead of wondering how hard it is in technical terms to break a system, think
like an economist. Think about "what it costs to find a vulnerability" and
then think about "what is the value for the adversary of breaking into a system?"
In order to make the investigation of this model manageable the paper proceeds
by modeling the attacker as a thief. If the attacker is motivated by nationalism
or ego it is much less feasible to evaluate the willingness to pay. By modeling
a thief we can assume the thief only wants attacks that are worth more than
they cost. So the core of this model is the formalization of the outside
threat using tools of economics.
There has been some study about converting access to loot: steal data and sell
it; access data and encrypt it, then resell a person their own data; sell access, i.e., break
into a machine and sell access.
So we can assume thieves are interested in a very high rate of return since
they are, by definition, not legitimate business people. So consider the types
of thieves. There are serial thieves, parallel thieves and one-time thieves. Well,
the economics of stealing are not so different from the economics of honesty.
So the greatest concern is the parallel and automated threat.
Notice the concern is outside theft, not social engineering or insider theft, because social engineering
and insider theft do not scale.
So the approach is to create the expected value for one thief (the one-time
thief). Then expand it in time to the serial attack. Note that when you add the second
attack you have to consider the possibility that your attack no longer functions.
So the probability of detection increases over time and the probability of failure
increases over time. While a simple first sketch would show target independence,
targets are not independent. Not only is there patching and increased observation
but also the attacker learns some marginal amount during each attack. (This
is shown in formal notation.)
Note that doubling the probability of detection decreases the value of the
vulnerability by half. Therefore this illustrates the value of both intrusion
detection and the value of patching to decrease the value of a vulnerability.
Using this model it is possible to make a business case for security.
It is also the case that anonymity decreases risks to the thief. Increased
anonymity decreases risks, and non-revokable anonymity significantly reduces
the expected cost or risk of being detected for the thief.
Paul: What does this imply about sharing information? It seems that this model
suggests that sharing information does not help the sharer. According to your
model there is no risk in sharing.
Scott: Currently people do not share because of stock market responses. Citibank
did just this and their stock price took a hit but they increased overall customer
trust.
Rebecca: It is clearly an oversimplification to suggest that there is no increase
in risk. Right now the common oversimplification is that sharing information
creates only risk. What you hear now is a debate about responsible disclosure.
There is a community of attackers who share information.
Scott: When you find a vulnerability do you share it with everyone? But what
if you have partial information? Most of the value is in victims' combining
information to understand complete attacks more quickly. This is an area for
further work to make this formal and prove it.
Drew: What about stock manipulation attacks?
Scott: Does the market act rationally adjusting stock based on vulnerability
information? Large market fluctuations are based on lack of understanding. Understanding
should be increased.
Adam: Criminals like anonymity. They like that but they do it through identity
theft and breaking into chains of machines. They avoid formal privacy systems
which may be monitored. Does anonymity really help?
Scott: Breaking into a system requires a risk. A chain of servers creates a
set of transactional risks. What I am saying is not that anonymity should not
be built in but rather that anonymity should be revokable.
Q: What about liability?
Scott: I will talk about that tomorrow.
Rachel G: You talk about sharing partial information, what good is partial
information?
Scott: How much do you want to use this attack against someone who has some
clues and can know to watch you?
Q: What's the use of this model?
Scott: This model begins when crypto stops. There will always be implementations
with millions of lines of code. There will always be integration. This is even
being used to price brute force attacks.
Panel: Does anyone really need MicroPayments? Moderator: Nicko van Someren
(nCipher) Participants: Tim Jones (Ex Mondex) Andrew Odlyzko (University of
Minnesota.) and Ron Rivest (MIT, PepperCoin), Duncan May (journalist at large)
Andrew: Four Fundamental Reasons MicroPayments Will Never Happen
1. A gold dollar. Americans go to Europe and say why don't we have a dollar coin. The Susan
B. Anthony failed and so the mint came up with a gold dollar. Three Americans
have gold dollars. These have disappeared without a trace. Why? New payment
schemes take a long time. Coins worked in Europe because the paper money was
taken off the market. Credit cards took decades. Internet time is a myth when
you are talking about changing the habits of millions of people who already
have a good substitute.
2. Enabling small transactions. Sellers do not want small
transactions. Sellers want large transactions. Bundling is common in software and
subscription services; bundling brings in more revenues because of the law of
large numbers given the heterogeneity of preferences across the elements of
a bundle.
3. Flat rate vs. metering. Flat rate prices are far preferable. If you are
a producer of zero marginal cost goods you want people to use them and get value.
Flat rate gets more customers and more use.
4. Price discrimination. Going back
to the nineteenth century there is a large literature about the value of price
discrimination. Price discrimination requires data about use. Greater gains
can be achieved by matching user and price -- and anonymous systems prevent
price discrimination.
He has a paper on each one of these points on his web page. www.dtc.umn.edu/~odlyzko/
read 'em and weep.
Ron Rivest: Micropayments are for things when the cost of the transaction is
so small and
Micropayments exist as attention span (banner ads) and giving up data for small
things. There was $300M of paid content on the net. Half of that was annual
subscriptions. 14% were single purchase. 6% were some other subscription form.
So 14-30% of sales would be single use. Some subscription services have failed.
*69 failed as a subscription service, but it works well at 75¢ per use.
We don't have a choice between subscriptions and pay per use. They work well
together. Pay per use may bring in a subscriber. When diffusion is small subscription
is not optimal. The killer app for micropayments is music downloads. The music
industry is in trouble. Their prices are too high. Their business model is weak.
"Music users prefer pay-per-download to subscription." 60% of Americans have
downloaded music, about 1% have paid. Many who did not pay would prefer to
pay rather than search. There are two parties, the sellers and the buyers. The
buyers might prefer pay per download.
The mobile ring-tone market is also pay for single use. In the NYTimes they
are trying to sell music on the web, "Echo". Universal sells singles at 99¢ a
song. Pay per use will always be available. To support this there is a need
to keep transaction processing costs small. A founder of music sites found
that credit card companies were charging 35¢ for each 99¢ transaction. By keeping
the bank out of the loop it is possible to get substantial processing savings.
You can do an RSA verification faster than a disk access. Since we don't have
Hettinga here to talk about bearer-based systems: I have concerns about these systems,
so I believe in a database, and it is easier to have a per-user database.
Tim Jones: The range of transactions that are currently mediated is large. It
is not self-evident why the share of physical money should collapse in favor
of non-transactional subscription transactions. Why should the move to the electronic
world fundamentally alter the payment choice that has been constant for hundreds
of years?
Those of us in the GSM world are very certain about this: "SMS was an afterthought
in the GSM standard and children took it and created a new language and maybe
a new culture." There are some new things that will come along that we can maybe anticipate.
For example my daughter was passed on the M25 and some boys held up their cell
phone number. They did SMS and ended up going clubbing that night.
There are a number of people who are contributing to an open source computing
environment which is growing in strength and scale. They are not being paid
in an economically sound way. The range of payment options to reflect the value
that people in this business world are creating is not adequate. This seems
like a case where there are peers who appreciate value, and could assign it.
In this case a large value can be created through a very small set of transactions.
Think of beta wear where there is a free version and a pay version. If the
option is to send 50¢ then there is no need to send a free one. That doesn't
hurt you but if you think of the millions of desktops then it is incredibly
valuable. We are not exploring properly the price elasticity of demand.
In the world of real-life cash there are many small transactions that occur
every day. It would be a poorer world if we could not replicate the school bake
sale where the purchaser is 7 and the merchant 9.
Duncan: The reason I am here is I have followed the track of 28 systems. Some
set of them have gone right into the ground.
Nicko: All the schemes seek the James Bond profile - they wanted to rule the
world. So they failed the test of the playground and the cardboard box.
I disagree with Andrew on his concept of flat rate. If you have a flat rate
you could pay 10¢ a minute or $100 a month. If I can take an extreme example:
the British domestic gas market is deregulated. Customers used to have an account
with British Gas. British Gas sends out 128M bills a year and the customers
pay quarterly in arrears. New entrants are coming to the market. The only way
they can compete with each other is to compete on the price of transactions.
The largest cost is managing the customer account. If one could have a networked
meter where customers could pay as they go then you could cut out the cost.
It could be a compelling economic case. So we don't have to think of the Internet
as streaming video and download of video.
The problem with Beenz is that the economic model is broken. You have to get
the economics right.
Richard: What can the 10-year-old sell online for 10¢?
Tim: The nine-year-old was a physical transaction. Mondex could have received
10¢ for each angel cake. (Is that a cupcake in the UK?)
Richard: What about intangible goods?
Tim: I see it in open source. What if you could charge 10¢ instead of open
source being free? Right now we have two price points: free and wildly high.
Richard: Were you in the car with your daughter?
Tim: I was driving a car. A week later I was at a bankers' cruise and I was
the keynote and I told the story. And then one of the blokes in the car came
up and was the driver?
Drew: So when I was at Security Foundations Paul played hooky and we were
in Italy and we needed to pay 1000 lira at a tollbooth. They took credit cards.
I don't think the Italian government was paying a 25¢ overhead for that.
Ron: Part of the transactions processing cost is fraud. As technology gets
better the space for specialized transactions mechanisms decreases.
Nicko: Credit card providers charge flat rate plus a percentage because they
can. There is a fraud cost for the credit cards. There is a lower cost for the
debit cards.
Drew: It is highly amusing that CA has a $4 fee for any credit transaction
because they don't want to figure out the fee.
Paul: For the eight year old maybe she could sell her song for 10¢. That is
a post-music model. The other thing is to reinforce this that they can live
together for cell phones. I have paid per minute every single minute I have
used on my cell phone and it works out for me.
Nicko: In Europe the pay as you talk has passed the value of the subscription
base.
Andrew: Cell phone pricing had flat monthly rate and prepaid plans. If you look
at usage every day, subscriber use is decreasing. We are looking at the number of
subscribers. So they are going for the marginal person. Users have overwhelmingly
shifted to flat rate plans. This has caused a tripling when everyone else in
the world is decreasing. The US is the world champion in wireless use per subscriber.
Per-phone revenues are going.
Tim: But per-customer revenue will go down. But that does not mean that the
average revenue for customers in that set is going down. And there is a second
major brake on usage. And that is the price point for pay as you talk is incredibly
high compared with any steady state based on cost. This is in part based on
transaction processing.
Jean: Human management. Attention span.
Andrew: There is evidence for it from the INDEX experiment (search terms:
INDEX bandwidth Berkeley). I argue strongly for this in my paper. Another
set of experiments that AT&T did was in the seventies on metered local rates.
We did it on a state-wide basis. It turned out that the 70-80 who would have saved
money with the metered rate hated it, because 1) the insurance concept, to know
it is available to use if needed at no more cost; 2) overestimation of usage,
people overestimate their resources systematically; 3) the hassle factor, they
just did not want to worry about it; for example, just understanding it was
hard for people. For example, people were paying a flat rate per call. There
are too many choices and too much complexity. That is why flat rate is so
good.
Ron: If micropayments are going to pay off, ease of use has to be handled
very well. Work by Dan Ariely at the Media Lab on micropayments talks about
handling this.
Tim: Jean has hit on a general issue on acceptance. Getting people to load
some pot of money is terribly difficult. The prize, strategically, for those who
could get people to do it is enormous. If you could do it you are suddenly in
an extraordinary position, like PayPal. PayPal got a certain amount of traction.
Then eBay and Citibank all had a go and they all fell by the wayside because
there was already an incumbent. So eBay ended up having to buy PayPal. The first
set of corporations that can solve this will find themselves starting with a small
window.
Duncan: People will not sign up for multiple payment systems. Only PayPal this
morning pulled out. I would expect to see a large number of competing players,
so there must be very efficient settlement mechanisms, so there must be a
very effective market for clearing.
Richard: Can I make the case that 3% is competitive? Not that they are not
making wads of money. What is easiest to ignore is that you have so many players
and each of them absorbs some liability for what it does. If you don't have
any players you don't have to worry about risk. Then there is the lenders' risk.
The deal of the century is the global arbitration fee. Without that assurance
neither you nor the merchant will give up your half. If a microcredit system
is developed so that a million people lose their quarters, then that would be
terrible.
Duncan: There is a 90-day loss period where the arbitration is huge.
Adam: Micropayments can come in and be more effective.
Drew: If you have to download some software you lose 90% of your market. But
micropayments have that problem.
Adam: Paypal.
Tim: PayPal is an extension of VISA to non-traditional merchants. PayPal is
B2B and C2B for non-traditional merchants. But the mobile phone companies
have a very effective authorization mechanism.
Ron: The future of micropayments is in M-space.
Nicko: What about the great unbanked, people who cannot get credit?
Ron: I think that is orthogonal. It depends upon how the system is built.
Tim: Picking up Richard's point, the credit card world is a risk-acceptance
market. That is an interesting model that has done great things. But if you
have a net-connected world you can chain the transactions together and have
settlement happen as the chain happens. I just offer it to spark thoughts in
other folks. Current appliance delivery goes factory to distribution hub,
management of the hub, inter-hub transport, and hub to consumer. There is nothing
in theory to prevent that from being a market that clears step by step instead
of competing for the entire chain.
Andrew: It will come on the back of mass transportation or cell phones. You
already have something because it alone has value. It has to be added to one
of those.
Duncan: You have to pay 250,000£ to talk to Mondex. We need a system that will
start small.
Ron: I have started a small company. PayPal shows that new mechanisms can work.
We will grow the old-fashioned way based on demand.
Paul: I agree with Andrew's conclusion but not with his inference. I say this
as someone who buys rolls of gold dollars at the bank. The point I want to raise
is that this was supposed to be an illustration of the transitional threshold, but
that is not the case. But I talk to people in Europe and in Canada. They are nostalgic
for the era of bills. Bills have a superior interface - it is easier to carry
7 bills than 7
Nicko: The pound coin was accepted not only because of ergonomics but because
it was called a sovereign. That leveraged nostalgia. It was called a Thatcher
- it was thick, brassy and thought it was a sovereign.
Tim: Kuhnian paradigm shifts take decades. There are problems that ecash can
solve, like the queues in bars where it is impossible to purchase. He proposes
a bar with vending machines where everything is on tap, so there is no bar as
a single point of failure. I strongly advocate dynamic vending machines so people
pay for congestion. Using a smart card you can do a loyalty program and encourage
ecash adoption. Yet that is in another mental space.
Ron: Why is price discrimination impossible with micro payments?
Andrew: Basically price discrimination is not incompatible with micropayments,
but it is harder. Most productive price discrimination is based on identity.
That is a little harder for micropayments.
Nicko closes an excellent panel.
Security, Anonymity, and Privacy Session Chair: Gene Tsudik
On the Economics of Anonymity Alessandro Acquisti, Roger Dingledine,
and Paul Syverson
Economics is about efficiency. Yet inefficiency is an inherent part of anonymity.
Anonymity is a complex problem because of traffic issues: users who use anonymous
systems also provide anonymity to other users. That is, users hide amongst each
other; thus by getting anonymity you provide anonymity.
One solution to address this problem is for a large organization (corporation
or government) to provide anonymity and require all its users to use it. However, should
this be done, then any communication that is anonymous nonetheless is known to come from
that organization.
There are not yet decentralized trust algorithms.
In economics consumers pay. Yet by its nature users of anonymity both use and
provide anonymity. The hordes in coach are better off, privacy-wise, than the
guys in first class. So the guys in first class have to pay a premium for anonymity.
Inefficiency costs that propagate back to the user chase users away. Usability
is critical.
Under what conditions will a system with many players not implode? It is a public good
with free riding.
Yet in this case free riding is not strictly possible because inherent in the
use of the system is providing anonymity to others. Thus those with a great interest
in anonymity could provide nodes and services. This is promising in that there
is broad market support for low-overhead services but inadequate support (at
this time) for high-cost anonymity. There is also the potential for altruistic
agents and public service entities.
Reputation and social capital may provide adequate rewards (SETI@home and
remailer statistics). There can be an optimal level of free riding. An open
problem is exit node liability.
Q: You were talking about free riders, in that anonymous systems were providing
a free ride. In p2p networks for the sharing of files we can provide anonymous systems.
Something like Kazaa could be used to optimize.
Paul: Once you add the anonymity on top of it, you would have to add it for
free. You get it because you are at GA Tech and you just want to do it. So there
is free riding for users since it is bootstrapped in.
Jean: Is the tendency of systems to implode a function of whether Metcalfe's
Law applies (each free rider adds increasing value, the nth user adds n+1 value)
or if it has decreasing returns so that as n gets large the value of the next
ride is ever lower.
Paul: We currently have existence results. That question could only be answered
with analytic simulation. You would have to take a specific system and see how
that plays out.
Julian: Would there be a high correlation between the value of anonymity and crime,
and is this a core problem? Are there legitimate users with high value? Don't
you think the value for the bad guy is a problem?
Paul: But the bad guys can provide the resources for all the good guys.
Stuart S: What about the value of concentrated trust in a case like ZKS where
transparency allows for trust?
Paul: You could do the same analysis for several nodes that you can do for
one.
Squealing Euros: Privacy Protection in RFID-Enabled Banknotes Ari Juels
and Ravikanth Pappu
Squealing is both a noise made by distressed animals and slang for exposure
of private information.
RFID: radio frequency identification. Shows a picture like www.aurigintech.com/smart-ID.gif
at www.aurigintech.com/Smart-ID-Auto.htm
RFID tags are passive devices that identify themselves, usually by simply shouting
their identity. They have no battery but obtain temporary power from the EMF produced
by the reader.
RFID tags will be the ubiquitous replacement for the bar code. Gillette has
ordered half a billion. (This is because in retail drug stores razors are the
most frequently stolen item.) Inventory control and failure rates of scans drive
this interest. PRADA use described. Here is a PRADA description: www.aurigintech.com/smart-ID.gif
and he discusses the cases from the Auto-ID Center, http://www.autoidcenter.org/main.asp
Pets from MA shelters now have RFIDs to locate lost kitties (through a cat scan,
ha ha). (Ron Rivest's cat, Jack, has one, so they call it the Lojack chip.)
European Central Bank plans to put RFIDs in euro notes.
Let me repeat that in case all the implications of suddenly non-anonymous cash
are not clear: European Central Bank plans to put RFIDs in euro notes.
Here are some bonus uses:
- more efficient muggers (we offer detailed information about our purses)
- viruses or attacks based on product choice
ECB is prototyping advanced systems without public discussion. Then there
is security by obscurity. Yet reverse engineering an RFID is fairly trivial.
If you encrypt the serial number of the banknote then the encrypted ID simply becomes
the serial number. What about a law enforcement (LE) access key? Then the tag broadcasts its jurisdiction
information. This also requires an extremely secure key.
RFIDs have little or no processing power, so crypto on the tag is not an option. What they
have is the ability to control read and write access on the basis of static
keys.
Use an El Gamal system with a group G of order q and published generator g. Key
generation: the public key is y, the private key x. Each note carries a signed ciphertext
that can be re-encrypted upon bank use: C = E_y[ID, r]. Re-encryption needs only the
public key y, so it changes the ciphertext bits without changing ID, and two reads of
the same note can no longer be matched by comparing ciphertexts.
One innovative idea in this is to restrict access by requiring physical optical
access. So each note has a printed number that provides the access key that allows
reading. Shops currently have these. Thus illegitimate reprogrammers would have
to have visual access. There can still be rogue readers. But using connectivity
the supervision can be of the readers, so that each reader confirms that the
previous reader has done its job correctly.
Cloning attacks are still possible but more easily detected. Re-encrypting
readers can be authenticated, which makes tracking easier.
Solution is not ideal but there is work in progress at RSA labs and in the
EU.
Nicko: A re-writable ID is dangerous from a forgery point of view. Could
you now do something that does not require it, given that you have hundreds of
bits? You could generate many random bits in write-only and have a sequence
number in the r/w system.
Ari: That is a solution we are discussing.
Adam: This might just be an investment wrt counterfeiting.
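The re-encryption idea from the talk, as an added worked example (this is not code from the paper or from the speakers): El Gamal ciphertexts can be re-randomized by anyone holding only the public key, so an honest reader with optical access to the printed number can rewrite the note's ciphertext without learning the serial number, while the key holder still decrypts it. The group (a toy safe prime p = 2q+1), the serial number 123 and the printed access number "4C7A-91" are constructed for the demo; a deployment would use a 2048-bit or larger group. The NoteTag class models the paper's read/write gating by the printed number; the real tag's memory layout and command set are not on the page and are not modelled.

```python
"""Re-randomizable (re-encryptable) El Gamal for RFID banknote IDs."""
import secrets

# Toy group, constructed for this example: safe prime p = 2q + 1, q prime.
# g = 2^2 is a quadratic residue, so it generates the order-q subgroup.
# Real deployments would use a 2048-bit group or larger.
P = 1019
Q = 509
G = 4


def keygen(x=None):
    """Law-enforcement key pair: private x in [1, q-1], public y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encode(note_id):
    """Map a serial number in [1, q] into the subgroup as id^2 mod p."""
    if not 1 <= note_id <= Q:
        raise ValueError("serial number out of range for this toy group")
    return pow(note_id, 2, P)


def decode(m):
    """Invert encode(): p = 3 mod 4, so m^((p+1)/4) is a square root; take the root <= q."""
    r = pow(m, (P + 1) // 4, P)
    return r if r <= Q else P - r


def encrypt(y, note_id, r=None):
    """C = E_y[ID, r] = (g^r, ID * y^r), as written on the note at issue time."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), encode(note_id) * pow(y, r, P) % P)


def reencrypt(y, ct, s=None):
    """Re-randomize using only the public key: (c1*g^s, c2*y^s) still encrypts the same ID."""
    if s is None:
        s = secrets.randbelow(Q - 1) + 1
    c1, c2 = ct
    return (c1 * pow(G, s, P) % P, c2 * pow(y, s, P) % P)


def decrypt(x, ct):
    """Only the holder of x recovers ID: c2 * c1^(-x); c1 has order q, so c1^(q-x) = c1^(-x)."""
    c1, c2 = ct
    return decode(c2 * pow(c1, Q - x, P) % P)


class NoteTag:
    """Tag memory gated by the number printed on the note (needs optical access to read)."""

    def __init__(self, y, note_id, access_key):
        self._access_key = access_key   # printed on the note; assumed static per note
        self._ct = encrypt(y, note_id)

    def read(self, access_key):
        if access_key != self._access_key:
            raise PermissionError("tag refuses read without the printed access key")
        return self._ct

    def rewrite(self, access_key, new_ct):
        if access_key != self._access_key:
            raise PermissionError("tag refuses write without the printed access key")
        self._ct = new_ct


def handle_at_reader(tag, y, access_key):
    """An honest reader with optical access re-encrypts the stored ciphertext in place."""
    old = tag.read(access_key)
    new = reencrypt(y, old)
    tag.rewrite(access_key, new)
    return old, new


def tracker_read(tag, guessed_key):
    """A rogue reader without optical access: returns None when the tag refuses."""
    try:
        return tag.read(guessed_key)
    except PermissionError:
        return None


def linkable(ct_a, ct_b):
    """All a tracker can do with two reads is compare the bits it saw."""
    return ct_a == ct_b


def demo(x=None):
    """Walk a note through two reads with one re-encryption between them."""
    x, y = keygen(x)
    key = "4C7A-91"                                   # constructed printed access number
    tag = NoteTag(y, note_id=123, access_key=key)     # constructed serial number
    first = tag.read(key)
    old, new = handle_at_reader(tag, y, key)
    return {
        "linkable_before": linkable(first, old),   # static ciphertext = just a new serial number
        "linkable_after": linkable(old, new),      # re-encrypted: the bits no longer match
        "decrypt_old": decrypt(x, old),
        "decrypt_new": decrypt(x, new),            # same ID for the key holder
        "rogue_read": tracker_read(tag, "0000"),   # no optical access, no read
    }


if __name__ == "__main__":
    print(demo())
```

The two reads before the re-encryption are bit-identical, which is exactly the "encrypted ID becomes the serial number" problem above; after handle_at_reader both components have changed, yet decrypt still returns 123. Note that the re-encrypting reader never sees ID, and that an s of zero mod q would leave the ciphertext unchanged, which is why s is drawn from [1, q-1].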
(delayed by travel) Retrofitting Fairness on the Original RSA-Based E-Cash
Shouhuai Xu and Moti Yung
If we have no anonymous cash maybe it's not a problem (that's a joke).
Review of the framework: fairness here means revocable anonymity when the user re-spends
a coin.
Fairness has been implemented in discrete-log systems using both on-line and
off-line trusted third parties. So the question of interest here is whether it is possible
to implement fairness using an off-line party while preserving the fundamental
RSA scheme. Some systems have used Chaum-Fiat-Naor (Crypto '88), on which we
can build.
Review CFN 88 and simplify. Security parameter; H, H1: hash functions; 3 is the
public exponent and N is the bank's RSA modulus (its factorization is the bank's secret).
Coins: x_i = H1(...), y_i = H(...); coin = {H(x_1, y_1) x ... x H(x_{I/2}, y_{I/2})}^{1/3}
mod N, with at least one of the (x, y) tuples valid.
You can view each pair as a one-time Lamport signature; reveal signatures by
showing x, y.
Use El Gamal with two generators to embed the user key. The TTP obtains the user key.
Provide that key to a trusted third party. During withdrawal the key of the
trusted third party is made available to the bank. Coins can be traced to withdrawal
sessions, or all coins provided by one user can be traced.
The bank is trusted only not to use the customer's money but is not trusted not to
abuse customer anonymity. The TTP is trusted to revoke customer anonymity but is
not trusted with the customer's money.
Open research problems include unforgeability, because the hardness of one-more-RSA
inversion is not known, and RSA-based revocation.
11:00 - 12:30 Attacks
Cryptanalysis of the OTM signature scheme from FC'02 Jacques Stern and
Julien Stern
Authentication is proof by a user that he knows a secret. A proof may be transferable
or not. Asymmetric systems require that no secret be exposed for authentication.
Symmetric requires secret exposure or sharing for authorization, but it is very
fast. There is no such thing as symmetric signatures because the secrets must
be shared. Symmetric authentication is in some ways superior to asymmetric authentication,
while asymmetric signatures are better (by definition) than the (nonexistent)
symmetric signatures.
First example, access control: some devices only need to grant access to authorized
persons, for example a car park reader. Symmetric: the device contains all secrets.
Asymmetric: the device need only recognize the access request.
Second example, access on payment (toll booth). Symmetric: impossible because non-repudiation
is required. Asymmetric: the device contains only a public key and users perform costly
operations.
What is needed is a pre-processing step where costly message-independent data
are generated, combined with a low-cost on-the-fly final step: on-line/off-line
signatures.
Previous work: Schnorr 88: one modular multiplication. Girault et al. 92, 96, 99:
one regular multiplication. Okamoto et al. 02: one modular reduction of a
small number. Even et al. 90: one multiplication. Shamir 01: the core operation
is one modular reduction of a very small number, extremely efficient, and a small
signature block is produced.
Overview of the GPS protocol. The OTM scheme is a small change in terms of
processing power from GPS. The number of messages is very low; the difference is that instead
of r+e*s one sends r+e mod s. But the problem is that the reply step will not hold
because there are limits on the size of the reply in the GPS protocol. So guess
part of e so that it is sufficiently small: use the least significant
bits of e. Pick a random r. Then compute x = g^(truncated e) mod n. We receive
the challenge and check our guess. Repeat as necessary.
OTM is not inherently flawed. But the parameters were too small to prevent
an effective attack. If the parameter sizes (the key, the number of digits in
e, and the challenge size) are increased then the system becomes secure against guessing
attacks. So how does this change the parameters?
With correct parameters OTM authentication is still 100 bits smaller than GPS.
However, OTM requires a modular reduction of 320 bits by 160 bits, while GPS requires
a regular multiplication.
This means GPS is twice as fast as OTM.
Dovetailing (r, e) wrt x: add to r a small multiple of s so the least bits of
r are equal to e.
If the core operation in OTM is replaced by dovetailing, this requires another
verification check, so three verification operations in all. Implementation
is a simple loop. Using dovetailing with increased OTM parameters the implementation
can be as efficient as GPS.
"Man in the Middle" Attacks on Bluetooth Dennis Kügler
Attacks: unit keys are used for eavesdropping and impersonation (aka cloning).
PIN guessing is used for recovering the link key. The cipher is weak. Privacy: device tracking
is possible.
Add to these the man-in-the-middle attack. These are based on the page hopping
and channel hopping sequences, which are derived from the slave ID and clock setting.
So this is a periodic sequence of 32 frequencies. Channel hopping is used for
communication.
A page request consists of the master repeatedly sending the slave ID. The slave scans for
its own ID. The slave sends an ID packet in response. The master sends FHS. The slave resends
ID. So all the attacker has to do is respond more quickly than the slave, and
then reconnect the slave using the same master ID but a different clock offset so
the slave and master do not detect each other. If the slave and attacker respond
at the same time the communication is jammed. Then only the attacker repeats,
because only the attacker understands what happened. Another attack: since the
initiation is a 3-way handshake, the attacker can use the half-open connection
to generate a timeout so the slave ceases scanning. (The attacker initiates with the
slave ID.)
Another thing: the master clock is used for both frequency hopping and cipher
initialization. It is possible to inject a man in the middle during an encrypted
communication due to cipher weaknesses and the information in the packet header.
Since the same information is used for encryption and decryption it is possible
to insert altered packets.
Compare this with other attacks. Jakobsson-Wetzel establish a connection to
both devices and pretend to be the other device; this attack fails if encryption
is turned on or one device is non-connectable (because the attacker becomes
master and both victims must be slaves). This attack can be expanded using the
techniques here to implement an attack when one victim is the master.
Proposed solutions are end-to-end security, i.e. integrating a MAC in every packet,
or wired-equivalent security, which requires point-to-point security. Even with
this the cipher is based on the clock.
Inherent in frequency hopping is the ability to create mis-synchronization.
Encryption is needed, with full synchronization including frequency synchronization.
Unencrypted packet headers with important ACK information are a problem.
Nicko: Your conclusion should be that if you want to use Bluetooth for finance the
encryption should be in the application layer.
A: You should use an SSL equivalent.
Nicko: My cell phone has a decent amount of computing power. You should not
rely on the transport for financial cryptography.
A: Both are required. And the power limits of the mobile devices must be acknowledged.
Fault based cryptanalysis of the Advanced Encryption Standard (AES) Johannes
Blömer and Jean-Pierre Seifert
This includes fault attacks and errors, physical fault generation.
For AES specifically the timing of operations is vulnerable. An investigation
of an unskilled textbook implementation vulnerable to attack by fault generation.
Fault attacks on DES include breaking a sealed tamper-proof device and putting
in wrong ciphertext.
To begin, a description of what a fair smart card attacker might do to alter
and disturb the calculation by altering only the external contacts. An attacker
can vary the voltage input, as long as it does not cause a card reset. The
power supply is assumed to suffer from natural spikes. For each card there
is a range of parameters that would cause a faulty output: for
example, generating an extended pulse that does not spike quickly but rather
increases the input voltage above the specified tolerance but not so
high as to reset, say 118% of expected voltage. Similarly, if the clock can
be finely tuned, execution can be altered by causing the CPU to omit instructions.
With concentrated optical attacks (for example a focused camera flash) on the right
places on a controller it is possible to alter any bit of an EPROM by altering
the CMOS path (remember C means complementary), creating a lower-resistance
channel on the preferred path. This requires removing the surrounding casing
but not physical contact.
Another attack uses an inductor to read the events occurring inside the smart
card. By charging the inductor (also known as an active coil) the reverse can
be true: you can use the coil to cause events inside the chip. He offers a
nice table of attacks on smart cards.
This is all of interest because AES is most commonly implemented on bank smartcards
using 8-bit CPUs.
The speaker illustrates how the general smart card attacks can be used on the
most common implementation of AES. For example, by inducing faults at the right
time in critical steps of AES, in particular the critical XOR operations, the
ciphertext becomes quite weak.
The concern is that counteracting fault attacks is usually done with naive
countermeasures. Hardware manufacturers should be aware and use carefully developed
logic families, sensors for light and temperature, etc. Only such hardware countermeasures
can counteract the source of the attack, because once the fault has been induced,
trying to defend against it by calculation is not feasible.
14:00 - 15:30 Panel: Economics of Security Moderator: L. Jean Camp Participants:
Drew Dean (SRI), Andrew Odlyzko (University of Minnesota) and Stuart Schechter
(Harvard) Do we spend enough on electronic security? How can we judge when we
are spending too much? Is there any way to evaluate expenditure? Is the value
of cryptography subject to economic measurement?
Economics of Security Panel Notes 1/28/03
Jean Camp, moderator
Notes by Rebecca Wright
Panelists: Drew Dean Andrew Odlyzko Stuart Schechter
Initial presentations
Brief intro from Jean: what is security market?
Andrew Odlyzko
We are techies, used to formal models. Most people are not as sophisticated,
and need simpler explanations and descriptions.
Example: the Honor System Virus. This virus works on the honor system. Please forward
this message to everyone you know and then delete all the files on your hard
disk. Thank you for your cooperation.
This is a joke to us, but close to something that happens in reality.
Also, it is necessary to recognize the needs of organizations and people in organizational
contexts. Example: a major problem with secure systems is that secretaries could
not forge their bosses' signatures. When systems that require this are implemented,
bosses share their passwords with their secretaries. Similarly, adoption of provably
secure time-stamping systems does not work well with intuitive flexible ideas
that back-dating is appropriate in some cases.
Delegation: ask a neighbor - please let the plumber in to fix the leaky faucet.
Expectations: let the plumber in. If related business occurs, like the electrician
shows up, the neighbor can probably let the electrician in. But if the electrician and plumber
start taking out your furniture, your neighbor would probably call you or the
police. A certain amount of human judgment is expected. (This is why you don't
ask your neighbor's 6-year-old.)
Intentional ambiguity: proposed SEC rule alternate wordings.
The desire for human judgment and ambiguity can limit the adoption of security technologies.
Example of successful adoption of security technologies: HP9000 after-market
ramp-up (graph). Printer manufacturers make the money on the toner cartridges
more than on the printers themselves. Competitors can also make compatible toner
cartridges. Printer manufacturers have started to put security measures in to
prevent/slow other manufacturers. A very quantifiable example. He thinks we'll
see more examples like this: manufacturers using very specific solutions to
improve the answer to a specific question.
Speed bumps on the information superhighway. Cf. criminals will always find
a way to make money. Security can be a speed bump to slow them down (rather
than provably or certifiably secure systems). Also cf. the use of vaccinations,
where a small percentage of vaccinations in the population can make a dramatic
difference in lowering the spread of a disease.
Stuart Schechter
Measuring Security: are we spending enough on security?
What we don't know:
- How secure is a system?
- What we're getting for our money
- What we would get if we spent more
- What we mean by security, anyway?
As a result, we spend too much on some systems and too little on others.
Why measure?
- Determine which systems/components incur the most risk.
- Build/purchase systems that are more secure.
- Measure risk (essential to getting better insurance rates).
The security process: figure. Scope of this talk: measure security.
What is security?
The process of inhibiting those who would attack your valuables (i.e. make it harder,
like the speed bumps Andrew discussed).
Measuring difficulty: the social sciences may be helpful here. Prices can be useful
as a measure of difficulty, as a cost. How hard is it for a society to make certain
things happen?
The Market Assumption
A market for vulnerabilities will emerge when one individual finds it easier
to find one and the other has more to gain from doing so. If you pay a fixed price
to find a flaw, the adversary could do it too.
The security or robustness of a system against a mode of failure can be measured
economically, in units of dollars, i.e. the market price to find a flaw.
Security fails in different ways or failure modes - how system failure can
be induced, what is lost. Different sites have different requirements as different
'valuables' are there with different implications of different kinds of failure.
Must measure two products against same mode of failure in order to compare which
is better (figure).
Bounding security
Placing an upper bound (e.g. on a competitor's system): offer to sell a vulnerability.
The offering price is an upper bound until the vulnerability is fixed.
Placing a lower bound (e.g. on your own system): offer to buy all vulnerabilities
offered at a given price. Opportunity cost bounds security. BUT this can be
very expensive if the system isn't secure.
Security experts are regularly asked: which product is more secure? If we can
agree on a measure of security, companies may invest in using it. Need to establish
trust between buyers and sellers - must actually deliver money in above scenarios.
Drew Dean
On the economics of computer security
Thesis: High assurance, secure systems are luxury goods.
Look at how they are built:
- Lovingly crafted by hand by Math/CS PhDs
- Fewer features than mass market systems
- Slower to market
- Extremely expensive
- Only appeal to a small niche
These are features of luxury goods, not mass market goods.
Market-wise, you get trapped in a feedback cycle:
- Assurance isn't a checkbox feature
- Hard to tell if you have it
- Difficult to explain to customers
- Result: little demand, small market, high unit prices
Options w/formal methods (graph): cost x assurance for different formal methods.
We're now in the lower left hand corner (low cost methods, low assurance results).
We don't need to get all the way to the upper right hand corner (high cost methods,
high assurance results). But he'd like to see us move to higher assurance, recognizing
that higher costs result.
The current economic climate makes proactive expenditures difficult. Costs of doing nothing
are hard to quantify, so they don't get compared against.
Predictions: nothing happens with respect to security until a "train wreck" occurs.
Intel got serious about formal methods after writing off $467M for the FDIV bug.
Discussion
Q: Andrew, re your printer graph and Stuart's talk - is there something in
the graph that could be considered an "upper bound"? A: Not sure.
Q: Re the lemon market. Computers are not less complex than cars. Can we hope
to succeed in removing lemons from the computer market as they were removed from the new
car market (and are now only a problem in the used car market)? A (Stuart): quantification
is a requirement to make this happen (analogous to Consumer Reports).
Q: Luxury markets tend to evolve into necessity markets. Will this happen here?
A (Drew): analogy - the security market would be like airplane makers needing to
know how rivets work at the level of quantum mechanics. Non-composability of
security is an issue.
Q: (to Stuart) Question of a market for vulnerabilities vs. blackmail. A: need
for trust to develop in the market. When introduced by a company (e.g. RSA) it
can be successful.
Q: (from Adam Shostack) Most current attacks are using known vulnerabilities.
Researchers move on to sexier problems even though solutions to the easier problems
are not yet affecting practice. What will happen 5 years out? A (Andrew): Not
sure buffer overflows will be a problem in 5 years, but also practice will be
slow to adopt. They're doing quite well already, thank you very much, and don't
really need to pay for your security solutions. Systems are in fact robust,
in a different way than we usually mean, but sufficient for their uses. E.g. faxing
signatures around. We will continue to operate "at the edge of frustration".
When things are too complicated, people don't accept them.
Q: (Jean) Some people do prepare for the worst-case scenarios. Ex - NY news,
where every school and day care center was in the WTC debris zone and was able
to contact them. A: (Andrew) Yes, such things are a part of any infrastructure,
and people will overcome certain kinds of competitive instincts and use reserves
in response to emergencies. This is part of the human ambiguity we live with.
A: (Drew, to Adam's question) Buffer overflow attacks took off after publication
(when??), known since the 60's. Lots of research work in the 1990's or so, now tailing
off because we have the techniques (even though they aren't much deployed).
Drew thinks that buffer overflows will be solved by deployment, but that we'll
see race conditions rise to dominance again.
Q: (Paul Syverson). To Drew: question analogies to airline and automotive industry.
E.g. flight controller for 777 was triple redundant and formally verified. Also,
in 1930's, car crash implied death. This is where we are now in the computer
industry. Role of insurance, govt regulation, consumer pressure in going through
this process.
Q: (unknown speaker, French) Requirements of different agencies are different
from each other and differ over time. How can you balance security needs with the need
to reduce costs? Biodiversity will be discussed after its lack causes a failure,
but probably not before, as it would require additional resources to deploy.
(And even if you get it in there, you have to constantly fight the efficiency
guys who will come in to cut unnecessary expenses.) A: (Drew) Yes, to some degree
you're right. Quote - a program which has not been specified cannot be incorrect,
it can only be surprising. The company must understand its requirements in order
to solve them (though of course the process must be iterative to deal with a changing
environment). No generic answer. A (Stuart): Requirements and security get put
to the side because the market doesn't "want a secure product". The need to get the
product to market dominates discussion. You would only need to put in security if
competitors did, which they don't. (Chicken and egg problem?)
Q: (Rivest) Discussion has been focused on the cost to developers of putting in
security. What about the cost to society of not having it? A (Drew): Good question.
Lately the idea of strict liability has been thrown around. Tragedy of the commons.
All of society pays when the latest virus goes around, but nobody wants to pay to
solve the problem. Eventually something will happen, but doesn't know when. A
(Stuart): Society is a general term, which makes this hard to answer. Rational
consumers do want to buy something that is better. But consumers and society
don't know how to get to the next step. Need an understanding of risk assessment
to help consumers understand when one solution is better than another. (Rivest)
My running an insecure system can hurt others, not just me.
Q (Adam) Do you really think consumers are making an irrational decision today,
or are they just valuing security less than we do (and realistically assessing
the cost of current secure solutions as too high)? A (Stuart) Yes, they are
making rational decisions because cost to even assess security is high, as well
as those to use potentially more secure nonstandard solutions (which are incompatible
with dominant solutions). A (Andrew) Example, complexity of installing patches,
when most consumers aren't attacked anyway. They are behaving rationally and
selfishly.
Q (Richard Field): Expand on Ron's point. Understands Drew's point that a catastrophe
would be required to make something happen. What are the roles of external entities
such as insurers, lenders, politicians, end users, regulators, critical infrastructure
people, investors, venture capitalists, etc.? Will they drive those decisions
even though security is hard to measure? A (Drew): The answer to the question "which
system is better, A or B" is currently that they are both bad. On the other
hand, if we could just get rid of buffer overflows and race conditions, we'd
be in a substantially improved situation. From a research perspective, we need incremental
solutions but need them to be actually deployed. Without market choices, external
factors won't have too much influence. A (Stuart): Seeing it start to happen,
e.g. Counterpane and monitoring firms are working out some deals with monitoring
and liability rates (more info??).
Q (Rachel from Harvard): I don't run a Microsoft SQL server and don't know
anyone who does. Yet, there was a cost to me and many I knew to not be able
to read mail because of an SQL security problem. How can I hope to address a
problem outside of my domain, and how does it fit in any model? A (Stuart) Part
of the problem is that we expect to be able to use networks for very low flat
rate cost, which doesn't give an incentive to the providers to fix things. And
adversaries have same cheap access we do. Economic design of systems can have
security implications. A (Drew) DDOS zombie attacks are even harder because
a longer chain is involved.
Q: (Jean) Would the security in software market work if there were a market
in security? We have a monopoly in software. Is this the problem?
A (Stuart) Contends that Microsoft has more lines of code out there than
anyone else. If you could measure security of systems, Microsoft would be
at a larger disadvantage because their insecurities would be clear and their
cost to improve is higher. Plus they have to constantly build more features
and compete, so hard to also add security at the same time. A (Andrew) There
is a danger in monoculture, though there are also advantages which they exploited
to become a monopoly. What we are seeing now is the interplay between these
conflicting concerns. A (Drew) Not clear to me that an absence of a monopoly
would change things. Look at subset that is competitive, such as database
market - even there, security is not very high in any of the competing products.
Would perhaps give more choice to the small number of sophisticated consumers
who care. Wouldn't have huge swing otherwise.
Rump Session
Rump Session Chair: Juan Garay,
Roger Dingledine
Discusses attacks on mixnets and pseudonym nets. Described the trust that
is committed to the mixnet provider. Real anonymity requires that forward
and reverse packets be indistinguishable. It requires availability of multiple
sources for lists of mixnets.
Glen Nuckolls: Efficient multi-source data query. Currently users query a single
data source to get an answer. How does the user know the response is from the
server?
Data provider computes a digest and sends it to the untrusted publisher. Query
responses can then be verified. The digest functions as a cryptographic checksum.
Advantages: the publisher need not be trusted, and it tolerates unreliable
communications.
Implemented with a binary tree sorted at the leaves so the verification
is feasible. Can apply to a general class of structures. Secure assuming the
hash function is collision-free.
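An added example (not Nuckolls' code) of the digest-and-untrusted-publisher arrangement described above: the trusted source builds a hash tree over leaves sorted by key and hands out only the root digest, the untrusted publisher answers with the record plus its sibling path, and the client recomputes the root. Class names, the record table and the absence-proof helper are my own constructions.

```python
"""Authenticated dictionary in the style the talk describes (added example).
Sorting the leaves is what makes an absence proof possible: two adjacent,
verified leaves whose keys bracket the query show the key is not there."""
import hashlib
from typing import List, Tuple

Proof = List[Tuple[bytes, bool]]   # (sibling hash, sibling is on the right)

def _leaf(key: str, value: str) -> bytes:
    # Domain separation: a leaf can never be mistaken for an inner node.
    return hashlib.sha256(b"\x00" + key.encode() + b"\x1f" + value.encode()).digest()

def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

class TrustedSource:
    """Holds the data and computes the digest; the only party the client trusts."""
    def __init__(self, records: List[Tuple[str, str]]):
        self.records = sorted(records)             # leaves sorted by key
        self.levels: List[List[bytes]] = []
        level = [_leaf(k, v) for k, v in self.records]
        while True:
            if len(level) > 1 and len(level) % 2:
                level = level + [level[-1]]        # pad odd levels by repeating the last node
            self.levels.append(level)
            if len(level) == 1:
                break
            level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]

    def digest(self) -> bytes:
        return self.levels[-1][0]

class UntrustedPublisher:
    """Mirrors the source's tree and serves queries; may be faulty or malicious."""
    def __init__(self, source: TrustedSource):
        self.records = list(source.records)
        self.levels = [list(level) for level in source.levels]

    def _proof(self, idx: int) -> Proof:
        proof: Proof = []
        for level in self.levels[:-1]:
            proof.append((level[idx ^ 1], idx % 2 == 0))
            idx //= 2
        return proof

    def lookup(self, key: str):
        """Answer for a present key: (value, proof)."""
        idx = [k for k, _ in self.records].index(key)
        return self.records[idx][1], self._proof(idx)

    def absence(self, key: str):
        """Answer for an absent key strictly between two stored keys:
        both neighbouring records with their proofs (assumes an interior key)."""
        keys = [k for k, _ in self.records]
        i = max(j for j, k in enumerate(keys) if k < key)
        return (self.records[i], self._proof(i)), (self.records[i + 1], self._proof(i + 1))

def verify(digest: bytes, key: str, value: str, proof: Proof) -> bool:
    """Client check: recompute the root from the leaf and the sibling path."""
    cur = _leaf(key, value)
    for sibling, sibling_on_right in proof:
        cur = _node(cur, sibling) if sibling_on_right else _node(sibling, cur)
    return cur == digest

def _leaf_index(proof: Proof) -> int:
    # The direction bits of a proof encode the leaf's position in the sorted tree.
    return sum(1 << d for d, (_, on_right) in enumerate(proof) if not on_right)

def verify_absence(digest: bytes, key: str, answer) -> bool:
    """Client check for 'key is not in the dictionary'."""
    ((k1, v1), p1), ((k2, v2), p2) = answer
    return (k1 < key < k2
            and verify(digest, k1, v1, p1) and verify(digest, k2, v2, p2)
            and _leaf_index(p2) == _leaf_index(p1) + 1)

# Constructed sample data: a small account table served through an untrusted mirror.
RECORDS = [("acct-1004", "limit=500"), ("acct-1001", "limit=250"),
           ("acct-1007", "limit=900"), ("acct-1002", "limit=100"),
           ("acct-1005", "limit=750")]

def demo():
    src = TrustedSource(RECORDS)
    digest = src.digest()                       # obtained directly from the source
    pub = UntrustedPublisher(src)
    value, proof = pub.lookup("acct-1005")
    honest = verify(digest, "acct-1005", value, proof)
    tampered = verify(digest, "acct-1005", "limit=999999", proof)   # publisher altered the value
    absent = verify_absence(digest, "acct-1003", pub.absence("acct-1003"))
    return honest, tampered, absent
```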
Benny Pinkas: Protocol-based key hiding
YAKE? - yet another key escrow system. This is protocol-based and does not depend
on the particular cipher or hash; applies to SSL, TLS, SSH2. Interoperable with
current implementations and therefore supports incremental introduction.
Key recovery is done using hidden channels so it is impossible to filter it.
The only way to find it is to examine the source. So it is not a good idea to
trust closed source implementations of security protocols. Furthermore only
one side needs to run this protocol.
Applications: governments can add hidden recovery to existing systems. Hackers
can patch servers with this and obtain keys. Closed source providers: only reverse
engineering reveals the attack.
The attacker changes the implementation of client or server. The new implementation
generates an EAF: encryption of the recovery key with the public key of the recovery agency.
The data would look like a random nonce to anyone but the escrow agent.
Implementation issues: low capacity channels, available fields are shorter.
SSL example: client randomness (public), server randomness (public), premaster
secret (PMS): 46 bytes of secret data. RSA is used, PMS is generated by client.
Client can generate PMS from short seeds; embed encryption in client randomness.
SSL 3.0 padding for the block encryption (8 bytes): SSL 3.0 only checks the last
byte of the decrypted pad, so set length to 8 bytes, embed EAF in 52 bits of encrypted
pad, find a 12-bit suffix s.t. when the entire block is decrypted the last byte has
the correct value.
Implemented; modified ssldump for key recovery.
SSH2 is even easier. Have not looked at IPSEC.
Paul Syverson: Universal Encryption for Re-encryption of RFID tags, with
Markus Jakobsson, Ari Juels, Philippe Golle
Mixnets take in msgs, reorder and encrypt them. Basic Chaumian mix review.
If a server goes away then people keep encrypting messages and other msgs cannot
be obtained. New idea: mixing without keys - no need for PKI, no key protection.
El Gamal with re-encryption. Universal re-encryption means providing an encryption
of the message and an encryption of the number one, and it can be re-encrypted
because E(1) is the universal blank (cool). Any message resent thru the network
will look different every time. Alice can go to the supermarket and at home the
fridge re-encrypts. A reader can re-encrypt all tags a user is carrying. Universal
re-encryption is a new primitive with nice applications. Open issues: universal
semantic security, existential construction resistance.
Gene: what if the reader is dishonest? Paul: You can detect it with shuffle
proofs.
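An added example (not the authors' code) of the universal re-encryption primitive described in the talk: the ciphertext carries E(m) and E(1) under the same ElGamal key, and anyone can re-randomise both halves using only the E(1) half, with no public key, while the key holder still decrypts and recognises its own tags. The safe-prime group is a toy size constructed for illustration, and the function names and tag value are mine.

```python
"""Universal re-encryption over a toy ElGamal group (added example)."""
import secrets

P, Q, G = 1019, 509, 4   # p = 2q + 1; G generates the order-q subgroup (toy size, not for real use)

def _rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, q-1]

def keygen():
    x = _rand_exp()
    return x, pow(G, x, P)                        # (private, public)

def encrypt(y: int, m: int):
    """Standard encryption: needs the public key y; m must lie in the subgroup."""
    k0, k1 = _rand_exp(), _rand_exp()
    return (m * pow(y, k0, P) % P, pow(G, k0, P),   # E(m)
            pow(y, k1, P), pow(G, k1, P))           # E(1): the 'universal blank'

def reencrypt(ct):
    """Universal re-encryption: no key needed, only the E(1) half of the ciphertext."""
    a0, b0, a1, b1 = ct
    k0, k1 = _rand_exp(), _rand_exp()
    return (a0 * pow(a1, k0, P) % P, b0 * pow(b1, k0, P) % P,   # E(m) * E(1)^k0
            pow(a1, k1, P), pow(b1, k1, P))                      # E(1)^k1

def decrypt(x: int, ct):
    """Return the message, or None when the ciphertext is not under this key
    (the E(1) half does not decrypt to 1, so the holder knows the tag is not theirs)."""
    a0, b0, a1, b1 = ct
    if a1 * pow(pow(b1, x, P), -1, P) % P != 1:
        return None
    return a0 * pow(pow(b0, x, P), -1, P) % P

def encode_tag(tag_id: int) -> int:
    """Map a small tag identifier into the subgroup so it is a valid plaintext."""
    return pow(G, tag_id, P)

def demo():
    x, y = keygen()
    tag = encode_tag(123)                             # constructed tag value
    ct = encrypt(y, tag)                              # written on the tag at issue time
    seen_at_home = reencrypt(ct)                      # the fridge re-randomises it, no key needed
    seen_in_shop = reencrypt(seen_at_home)            # a shop reader re-randomises it again
    return (seen_at_home != ct,                       # each hop produces a fresh-looking ciphertext
            seen_in_shop != seen_at_home,
            decrypt(x, seen_in_shop) == tag)          # the key holder still recovers the tag
```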
Shin'ichiro Matsuo: Ticket scheme for an Intelligent transportation (NTT).
Web site has more information.
Digital signature schemes take too long for a high speed transportation system.
They require challenge-and-response to prevent abuse; this takes too long.
Thus introduce a ticket system that uses hashes and requires only a single
communication for use with a tamper-resistant device.
The ticket issuer issues a ticket seed. The ticket is the hash of the ticket
seed and the GPS location. The shop sends a receipt to the traveler. The traveler
can verify the shop then confirm. Neither knows the seed so forgeries have a
low probability of success.
The hash-based ticket system requires less communication (1 less msg) and less
computation. Implemented the ticket with a Pentium moving in a car at 50mph.
There is a full paper and information about the prototype available on the NTT
web site.
Makoto Yokoo: Mechanism Design and Information Security (NTT). Mechanism design
is about designing an incentive mechanism so that individuals share preferences.
Yet sharing a preference disadvantages an individual. Pareto optimal desirable
outcome: the one who values the outcome most highly will get it. Second price
auctions have been shown to result in the optimal price.
Revelation principle: if we can design a mechanism that achieves a certain
property then we can achieve the same property by a strategy-proof direct mechanism.
Example: Government using second price auction (remember a second-price auction
means that the winner pays the second bid. So if bids are b1>b2>b3>b4... then the party
bidding b1 wins and pays b2).
Papers describing the secure combinatorial auction protocol and the entire system
are available.
Nicko van Someren: Digitally Signed Physical Bearer Notes, work from nCipher.
Physical notes are protected by a work factor based on complexity of construction.
Yet they must be reproducible (so the treasury can print them) so any party
with adequate skill and investment can reproduce them.
Digital signatures have their security based on hard computations verifiable
without sufficient knowledge.
It would be nice to have digital signatures on physical notes. But simply applying
a digital signature to a note is a problem because you cannot tell it is the
original. You could just run it thru a photocopier. So you need a way to make
notes unique.
Random unique tags: numbers, paint dots, metal strips, entropy in some biometrics.
Tags must be irreproducible.
Pappu et al provide microscopic properties created by lattice interference and
amorphous light polarization (a physical one-way function). Strong soup: take
advantage of randomness of physical mixing (making a snowflake). Randomness is
not adequate; there must be a template, as biometrics have templates to use. Using
convolution, optical templates may be created. Take a unique physical tag that
cannot be reproduced. Then write a digitally signed contract linked to that
snowflake. Combining those allows a functionally unforgeable banknote. Thus
high value physical bearer devices could be made more useful.
Ron: There was an early RSA licensee who took the randomness of the fibers
in the paper bill itself and then signed the bill. They went under. Oh well.
Moti: This is a flaky idea but it might work.
Moti Yung: Cryptographic protocols for markets with price discrimination. We
should use crypto to implement price discrimination as well as auction design.
Economics is a colonial field, every-economics; let's call this crypto economics.
Seller: good production requires $1500. Buyers: would pay <400, 600, 800>. With
a single minimum price the good would not be offered; with discrimination the good would be offered.
Price discrimination is good economics but bad business: unfairness, re-selling.
So maybe incent customers: once the seller's price point has been met, refund to
customers. Price discrimination requires users and sellers share information
simultaneously. Commitment and hidden information help.
Secure function evaluation.
There are n people. Each buyer computes payment. Seller computes price at selling
points. Each buyer pays via a fulfillment server. No one else learns individual
price Vi. Election techniques can be used to prevent reselling prices.
With the Paillier cryptosystem we can implement efficient protocols to solve the oblivious
market.
Juan Garay: Strengthening ZK protocols using signatures, with Phil MacKenzie,
Ke Yang. Non-malleability from Unforgeability, this coming Eurocrypt; making ZK
more robust. ZK is an interactive protocol of proving knowledge of a secret without
sharing any knowledge of the secret. ZK is secure in isolated or controlled synchronous
systems. ZK in the real world means multiple parties, not always reliable communications,
malicious parties. Non-malleable ZK means that a man-in-the-middle cannot prove
a secret the MitM does not know. Universally composable ZK - arbitrary/composed
protocols remain secure and non-malleable (think object-oriented and thread
safe) [Ca '00]. Concurrent ZK - logarithmic number of rounds, and lots of other
ZK work.
Start with ZK commit-challenge-response and use the known random public verification
key, then wrap the protocol with a freshly generated key pair, then bind the signature
wrapper to the proof (also allows concurrency); also include the initial claim of
the user before the challenge in the wrapper.
Wednesday, 29-Jan-2003
09:00 - 10:00 Keynote talk: Listening In on the UN: Technology Lessons
from the Diplomats Richard Field (U.S. Delegate, UNCITRAL E-Commerce Working
Group; Secretary, Am. Bar Assoc. Section of Science & Technology Law).
Session Chair: Jean Camp.
Abstract: Enabling rules on electronic signatures and records, international
registry systems and electronic documents of title have all been the topics
of recent international negotiation--at the U.N., the Hague Conference, UNIDROIT
and other international diplomatic bodies. This talk will look at recent successes,
failures and ongoing global harmonization work that have a direct bearing
on the development of payment and financial systems.
I am here to tell you what the diplomats are thinking. Not the standards people
but the diplomats. While you think transferable paper is not money, to a diplomat
it is all the same questions. Ten years ago I sat down with the technology people
and it took two years to understand what each other were thinking. Now there
is a global UN awareness of what a certificate authority is. When a country
comes into the UN there is a heavy cultural
You need to be aware because the law will drive what you can do. You have to
pay attention because the law will shape the market and the market will shape
your solutions.
Finally you can affect the process that is going on. Out of the Hague the
US pushed something called the judgments convention -- a country must enforce
the judgments in other countries. As e-commerce started two consumer people
Jamie Love and his spouse have single-handedly stopped that convention in
its tracks. Whether you stop something or not you can affect. There are NGO's
and people who need expertise. If you have something to say you can say it.
What causes an issue to get to the top of the international agenda? It is very
expensive it is very slow. Really slow. But the process does lend itself to
one thing --problems end up making themselves known. The issues out in the world
where some group is having a problem
The international maritime community has a problem with paper and ownership. Documents
of title were getting there after the goods. The finance people have come. The
international notaries are having serious problems. These are trade issues where
it is slowing down development.
Liability is always a lurking elephant.
There were 6,000 references to the MA code alone, the legal formalities, to
writing and signatures.
How can you sell a product and get financed for your risk if there are a thousand
laws. Evidence rules vary wildly. What is the value if a signature gets past
the front door. The law is trying to leave this to the process of judicial resolution
because it is changing so quickly. There is variation, the US approach and the
EU approach.
Harmonization is a tremendous problem. Social passionate issues: gambling,
Nazi, explicit sexuality. The general solution is these international trade
barriers is not to address consumers, but it is getting harder and harder.
In e-commerce incorporation by reference requires the ITC was planning to do
an eterms repository. Should it be on your own server. Should standard terms
be legislated. Standard short form power of attorney has one line "do my
banking" referencing three pages. What about when the reference is in a different
language? What is a guarantee on a check? What is a limited endorsement?
Do you want enabling rules or regulatory rules?
Enabling lets business do more certain things with predictability reliability.
What click-wrap. Contracts have eliminated all fair use and right to criticize
a product. Is this is enforceable? This tends to be US vs EU with the EU advocating
regulation.
Limits of contracts will be the major battleground for the next decades.
Why doesn't technology solve these problems? Why doesn't Palladium and DRM
solve all of these problems? The legal and diplomatic communities do not know
how to approach it.
How has this been approached? 1. get rid of formalities 2. applications relating
to formalities 3. build real business applications
General principles of technology neutrality and party autonomy with an ideal
functional equivalence between paper and electronics. The diplomatic instinct
is to avoid two sets of rules. The instinct is to stay technologically neutral
and define the old technology as neutral (paper is therefore neutral).
On paper you have biometrics identification (face to face) tied to the paper
contents usually providing integrity. So recipient is liable for fraud. Yet
when you are not face to face the liability changes. If you mail a check the bank
is responsible for authenticating and if the signer were irresponsible then
the signer is liable if negligent. So paper rules change.
Electronic agents, lawyers call them 'automated electronic systems'. Agents
can enter into a contract on your behalf. A contract is a meeting of the minds
in many countries. So if you download an agent audit makes a contract is that
your intent? The diplomatic impulse is "yes". Is that fair? Will that work in
the future? The diplomats need to hear from you if it is right or fair.
A core desire is you want to recognize if something is foreign. We have seen
most of this in UNCITRAL. Basically the global rule is that "Don't say it does
not have effect just because it is electronic." This was a radical change.
The failure so far with this is that there is no global law on authentication,
nonrepudiation, and liability. In the US we have Reg E, Reg Z. Why do people
use cards in the US? Because the consumer is protected the banks face a strict
liability. B2B is different. If there is a commercially agreed upon legal procedure
the company is liable.
Technological neutrality - Baum and Froomkin set up the PKI group. The rest
of the ABA hated it. Therefore everything we have is technically neutral.
No state can write a law requiring a PKI. The Europeans love that PKI.
Paul: Doesn't the PKI raise constitutional questions
Richard: everything the US has done in the past five years has Constitutional
implications. This one is on safe ground because of the Commerce Clause.
Now to 2, the applications. Where are they coming from? In the 1980s there was
a convention on bills of exchange and promissory notes. That was all paper. Should
we adjust this for electronic notes. Transferable payment instruments and negotiable
payment instruments. The UN also has a convention on the international carriage
of goods: sea, roads, etc. What about on-line?
How do you prove an electronic message represents goods? Well, what kind of
goods?
Tangible goods, intangible, international on-line arbitration.
The Hague has a law on the international transfer of securities. No longer
do people get a certificate. Then it became the fact that GM would record your
ownership. Now Merrill Lynch has 1M shares and each customer has 50 shares. The
US solved this by declaring a new kind of property. ML goes bankrupt. What do
you own? We invented it. All the conference wanted to say was what is it, and
where are the goods. We are going to define where it is? So the UN has only
decided where it is and that is grossly abused.
The UN has been having a new transaction on mobile receivables. Think
about where a bank wants to lend you money and take an interest in something
of yours. If you do not pay back the loan they get priority over others. How
do you set priority? It has to be public knowledge so you file in a jurisdiction.
So what about mobile equipment? Aircraft frames and aircraft engines and space
ships all have their own regimes. Think about the financing for the aircraft
industry - it is huge. SO there is a global electronic registry that places
mobile things in a jurisdiction. It will not be in the US or France. The convention
does not talk about authentication or nonrepudiation. So they have ignored that
issue. The international civil aviation authority owns all the data and they
are indemnified but the registry is liable for its own mistakes.
OAS is active in the Organization for American States. Negotiable bills of
lading for roads but have not gotten on electronic bills of lading. The US
and Mexico agree but Canada disagrees. While Brazil follows a more European
approach.
Goods can be tangible intangible and mixed goods. Money is just a form of intangible
goods. Buy a car. And it has software in it and GPS access. The Uniform Electronic
Transactions Act says that there is such a thing as a negotiable instrument.
It says it has to be secure. The assumption was that it was an electronic token
as opposed to a registry. Now they want it to be a registry.
UETA came from the mortgage industry that wants to trade mortgages electronically
more effectively.
States can enact UETA only as it was originally adopted (token based). When
there is a registry it will be centralized. Negotiable instruments are converted
from physical to electronic. When does one cease to be the item of interest?
Incentives to improve security - how do you improve the system over time? You
shift liability to the party best able to improve it. The Australians have adopted
a new EFT. They said if you use PIN security and the user writes the PIN number
then the user writes his or her number. This suggests that there will never
be a better system because there is no incentive.
Closing: participate, contact Richard. This talk suggested that next year's
papers might include: maritime digital titles, transferable and negotiable electronic
records (token mortgages), international digital notaries. These are some real
world problems with specific risks and data characteristics for FC.
Fair Exchange Session Chair: Ari Juels
Timed Fair Exchange of Standard Signatures Juan Garay and Carl Pomerance
Fair exchange is focused on the ability to recover and it is also difficult
to do massively parallel. Some of these solutions put a big burden on the prover,
for example requiring the prover to generate a puzzle.
The goal is to create a computationally bounded system with timing. The contribution
of this work is timed fair exchange of standard signatures which admit blinding;
a new time structure called mirror time-lines; a protocol for timed fair exchange
of arbitrary values.
There is prior work on time: Cypherpunks mailing list sends material into the
future (May 93). There are time capsules for key escrow so that you get verification
at escrow time (Bellare & Goldwasser 96, 97). (Rivest Shamir Wagner) building secure
puzzles to hold secrets - computationally intense. (Boneh & Naor 00) time commitments;
extension to standard signatures - not for standard signatures. Authors' previous
work includes time-released signatures.
So square a number (mod N); you can do this in a series so the distance
grows exponentially, so you can release the information by reversing roots beginning
with the greatest distance from the initial variable. Time lines are created for
g, g^2, ..., g^(2^k). You can create time line values by multiplication by
R.
So you begin the exchange by committing to a time line-hidden value. Security
constraints: binding to value, privacy......
*privacy here is specialized to mean that the data owner can set an initial
time and within that computational time the data are hidden
The creation here is a time line that has first increasing and then decreasing
distance. This means a time line can be defined by the initial point, the median,
and the end. The initial act is to prove knowledge of the first point.
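An added example (not the Garay-Pomerance code) of the time-line mechanism behind the commitments described above: the points g, g^2, g^4, ..., g^(2^k) mod N can be computed in one exponentiation by whoever knows phi(N), but take k sequential squarings for everyone else, which is what hides a value for a bounded time. The toy modulus, the function names and the blinded-value commitment are my own simplification; mirror time-lines and the proofs of knowledge are not shown.

```python
"""Time-lines by repeated squaring mod N (added example, simplified)."""
import math
import secrets

# Toy modulus N = p*q whose factors are known only to the time-line creator.
# Far too small for real use; constructed so the example runs instantly.
P, Q = 10007, 10009
N = P * Q
PHI = (P - 1) * (Q - 1)

def pick_base() -> int:
    """A random element of Z_N^* to start the time-line."""
    while True:
        g = secrets.randbelow(N - 2) + 2
        if math.gcd(g, N) == 1:
            return g

def timeline_point_fast(g: int, i: int, phi: int = PHI, n: int = N) -> int:
    """g^(2^i) mod N using the trapdoor phi(N): reduce the exponent first."""
    return pow(g, pow(2, i, phi), n)

def timeline_point_slow(g: int, i: int, n: int = N) -> int:
    """g^(2^i) mod N without the trapdoor: i squarings, one after the other."""
    x = g % n
    for _ in range(i):
        x = x * x % n
    return x

def build_timeline(g: int, k: int) -> list:
    """The published points g, g^2, ..., g^(2^k); each is the square of the previous."""
    return [timeline_point_fast(g, i) for i in range(k + 1)]

def commit(value: int, g: int, k: int) -> int:
    """Hide a value (an integer below N) by multiplying it with the far end of the time-line."""
    return value * timeline_point_fast(g, k) % N

def open_with_trapdoor(hidden: int, g: int, k: int) -> int:
    """The committer, knowing phi(N), recovers the value immediately."""
    t = timeline_point_fast(g, k)
    return hidden * pow(t, -1, N) % N

def force_open(hidden: int, g: int, k: int) -> int:
    """Anyone else recovers it only after k sequential squarings."""
    t = timeline_point_slow(g, k)
    return hidden * pow(t, -1, N) % N

def demo(k: int = 3000):
    g = pick_base()
    hidden = commit(424242, g, k)            # constructed secret value
    return (timeline_point_fast(g, k) == timeline_point_slow(g, k),
            open_with_trapdoor(hidden, g, k),
            force_open(hidden, g, k))
```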
Asynchronous Optimistic Fair Exchange Based on Revocable Items, Holger Vogt
Revocable items are digital items. Detailed descriptions exist for both items
and the items can be checked when the descriptions are given.
Exchanges without trusted third parties have been limited to specialized applications.
The general fair systems have used a TTP.
Some solutions have no automated dispute resolution. Those that do include
TTP. Then some solutions where the third party is involved in every exchange
and have problems with scalability. There are also optimistic protocols meaning
that the trustee is needed only for dispute resolution. In terms of transaction
costs and scalability optimistic fair exchanges are optimal.
Of optimistic exchanges there are synchronous and asynchronous.
This proposal is for items where generatability is required. Generatability
means that the trustee can generate the item i.e., escrow systems. Weak generatability
means that the trustee can know if the user is cheating.
Auctions
Session chair: Ari Juels
imho: Auctions are of increasing importance in the policy world. Privacy
in auctions yields stronger auctions because in public auction design price
is often used to signal out-of-band and manipulate the auction. Some solid
overviews of the economics of auctions can be found at: Arrow, "The Economics
of Agency," Chapter 2, in Principals and Agents, pp. 37-51. Telecom companies
use of open information to communicate in high value spectrum auctions is
a chronic and systemic problem for public agencies trying to capture the value
of the spectrum for the public. A good place to look at the problems with
auction design and what crypto might contribute is at http://www.nuff.ox.ac.uk/users/klemperer/papers.html
A classic example is the use of least significant digits in a bid to signal
to other bids the plans in the next round. You can see this in Mercury in
1997. For example are there anonymous descending price repeated round auctions?
Fully Private Auctions in a Constant Number of Rounds Felix Brandt
A fully private repeat round auction. Note that this is implemented using
an ElGamal with a public key that all bidders participate in creating. (This
would be optimal for governments since all telecom bidders are known well
in advance and makes charges against gov't easier to defend against.) By using
repeated round the protocol can combine the advantages of an open auction
(as bids are exposed and the winner's curse problem is mitigated) and help
prevent next-round signaling by removing the identity of the signaler. (For
example a BTT signal to fight hard for a particular spectrum segment has true
meaning, Bob's Excellent Phone Company does not have the same force.)
Secure Generalized Vickrey Auction using Homomorphic Encryption Koutarou
Suzuki and Makoto Yokoo
A solid overview on the types of auctions using homomorphic encryption. Determine
how to take price without revealing price. GVA is a generalization of Vickrey
(aka second price) auction for a combinatorial auction and is incentive compatible.
The implementation shown here is a secure GVA that hides prices.
Thursday, 30-Jan-2003
09:00 - 10:30 Panel: Trusted Computing Platforms: The Good, The Bad and
The Ugly
Moderator: Moti Yung. Dirk Kuhlmann (HP), Paul Kocher (Cryptography Research),
Marc Briceno (independent security researcher) TCPA and Palladium "trusted
platform" activities have raised many questions and objections. In this panel,
we will confront the proponent and opponents of these ideas and raise more
awareness regarding ways of use and abuse of these ideas.
The good part is all good. The keys can be protected. The bad is that the corporate
alliances e.g. Microsoft and Intel can exert undue control, and kill open source
Dirk Kuhlmann: About the corporate position and the labs position. The HP corporate
is that we will sell whatever Microsoft offers. As to what extent HP has influence
as to whatever comes up Palladium, there is little.
As for the labs which has the technical directorship of the TCPA committee.
There is a book on Trusted Computing by HP labs. I am one of the proofreaders
of this book. Apart from this I have been mostly involved in developing and
researching open source software systems. I have helped to kick off the HP lab
for secure Linux that was marketed for a year and then taken off the market.
1. The unavoidable
2. The questionable: why it is not always good to be good; why trusting yourself
may not be good enough; why openness is not always trustworthy
3. The avoidable
1. The Unavoidable. IT technology is neither a tool nor a medium but something
else. Telephones and mail the medium does not itself alter the messages. Computers
on the other hand alter the message. Agents on the computer can obfuscate
or modify the actions so that the user's goals are undermined by the active
nature of the computer.
So how can we create a tool so that the tools does not alter our intents when
it transfers our knowledge? AS these machines perform billions of operations
per second there is no way the user can supervise the processor. So a hardware
platform is required.
Dirk's Q why it is not always good to be good? Technically savvy people want
to have total control over all the elements of their own computers. Yet when
your machine is communicating with others you are always facing a situation
where there are implicit agreements with others. There is no cultural framing
to communicate the implicit baseline.
So when you communicate it is simply necessary that each user give up some
freedom to allow the larger network to work.
2 Q Why trusting yourself is not good enough Here is the hypothesis is that
if you are very capable then you should be trusted to be the capable administrator
that you are.
Here you will solve the trustworthiness for your own system. But you cannot
communicate the trustworthiness of yourself to others. The system must verify
itself. Attaching the trustworthiness to human operators or brands is flawed,
it must be attached to a computer.
This is not democratic since only the established players will be trusted.
So TCPA is an empowerment technology not a control technology.
2Q why openness is not always trustworthy In order to have assurance you have
to walk thru the code and have procedures. But if someone could alter the code
then it would no longer be trustworthy. Security is orthogonal to licensing.
According to GPL you can alter code but altering security code removes its assurance.
The users who have secure Linux are banks and companies that invest for themselves.
And this is not distributed.
The open source has to have a model that allows sharing and confirms trustworthiness.
< He says big vendors and companies have not stepped in to give assurances. But
probably the government will have to tax and generate secure software. >
3. The avoidable. There is a virtue in not controlling something: if
a user cannot alter the behavior of his or her computer to be untrustworthy
then the user should be trusted by virtue of the users loss of autonomy.
Much of the discussion of TCPA is about what a major company will build on
it - how Microsoft will leverage this to control users.
If code is law then it must be validated by public discourse. So components
that are not controlled must be open source so they can be vetted. Therefore
TCPA makes open code much more important.
Conclusion Instead of fighting this technology the community should focus on
supporting the software and building something on it because openness is a necessary
but not sufficient condition for creating a trustworthy TCPA.
Paul Kocher: The company I work for has done work for the RIAA and the EFF.
From a business perspective we can see both sides. Whoever will pay us we will
work for them.
What is trustworthy computing: can you build a computer a user can trust? can
you build a computer a networked anonymous person can trust?
We are doing a terrible job of building machines worthy of a user trust because
the complexity of a system is continuously increasing. It is no longer possible
for a single person to know all things and all bits inside a machine. So even
experts can no longer be certain.
For Disney and the RIAA they want to control high value commodity content on the
machines of remote users.
What are intellectual property rights and are they a good thing? Among technical
people the notion of intellectual property rights is one that people meet with
hostility. Intellectual property is the ability to dictate your own work. <<
intellectual property is property and by definition property is the right to
exclude others from access. refusing access to words means limiting speech rights.
so intellectual property is a passionate debate because it a conflict between
the two core American rights: the right to property and the right to speech>>
Intellectual property owners have a right to remove the autonomy of users so
they can be certain about the use of their content.
As cryptographers we have failed to developed workable business requirements
for intellectual property systems. Practical applied research should solve
Hollywood's problems or they will push for additional controls. So we will
turn over to Lucky.
I would argue that power always increases the desire for control and Hollywood is exerting because they can, not need to. Technology will never offer a static certainty; business models change. Reality TV has changed the video entertainment market. It is a dynamic industry, all legislative in world change that.
Marc Briceno aka Lucky Green In my statements you will hear quite a bit
of intent. Because trusted computing is ensuring your betrayal.
I want trusted computing very very badly. I know I cannot trust my computer.
I would love to be able to tell what state my computer is in.
Let us look at public statements about what the technology is intended to
do. TCPA is supposed to make the PC the core of the home entertainment industry.
The head of TCPA made five or six comments about how TCPA is absolutely not
for DRM. The head of TCPA has said, "There is certain content that owners
will not make available on the PC platform. That is unacceptable and we will
solve this problem one way or another." This was the second TCPA working group.
The business objective of TCPA is DRM first and foremost. As was said at
USENIX Security, the content providers will never see anything over NTSC
resolution unless they plug the 'analog hole', meaning make it impossible
Microsoft claims it loses millions from illegal copying and Microsoft wants
to end that. TCPA will do this.
TCPA is about defining the future of the PC. Anyone who would purchase a
machine has done so. So how does one grow the market? According to the PC
industry the market is saturated. Another market is the home entertainment
center. At the center of the home entertainment system can be Sony 5.0 or
something Microsoft. Sony sells more consumer electronics than MS has ever
sold software. This market is giant and will be hotly contested. Microsoft
believes that TCPA is the only way to win its coming battle with Sony for
the heart of the home.
The objective is to prevent user autonomy. This enforces three levels of access:
1. Highest level access: you can see everything going on, you can know what
is happening and you know the state. This is reserved for owners of high value
content, not users.
2. User access.
3. Minimal access.
Trustworthy computing now means that third parties can trust the computer
to enforce rules in opposition to the desire of the users.
Gates: Control of our own documents is much more interesting.
Levy: You can cause Word to create documents that can only be read for the
next week without additional payment.
Quiz: What does a federal prosecutor call a bit of software that inter-operates
with DRM-protected file formats? A: A DMCA violation! Meaning five years if
you create software that reads DRM-protected formats, so creating interoperable
technology is a felony. $50,000 per device.
This will allow the feds. MS Media Player license agreement: Microsoft reserves
the right to disable your ability to use other software on your computer.
When soliciting members the proposal was to enable secure boot. Within the
working groups the purpose was to enable DRM to serve the MPAA. Later the pitch
was to enable DRM for everybody. Now TCPA is to eliminate all spam, viruses
and hacking. Next pending is the architecture being pitched to the Office of
Homeland Security.
MSFT: Palladium will not be required to read files created prior to the introduction
of Palladium.
Potential countermeasures: reject TCPA. Demand owner override. The security
of a simple trusted system depends on the owner not having access to the keys.
If you do not have access to all the keys then you cannot control your own
machines.
Caveat emptor: if a system tells you that you are loading keys, make sure
the use is not flagged to enable enforcement.
Kocher: laws are on the books. Philosophical question: do intellectual property
owners have the right to provide content for proprietary platforms? Currently
there are several examples, such as cable boxes, copy-protected software, etc. His sense
is there's nothing inherently wrong with this. He believes it is the functioning
of the market.
Marc: I made no issue of the IP issues because I do not think they are relevant
for the property debate. I know that intellectual property is on people's
minds. I do not care if content providers include various restrictions that
content owners use. What concerns me is that the content providers, through
the operating system providers, are turning the general purpose machine into
a machine with a platform for a back door that I cannot control or close.
I care because TCPA is designed to make computers less secure.
Dirk: I was worried about a Palladium discussion. Palladium isn't Palladium
anymore. Palladium is not TCPA. There was a point about preventing root access
on your machine. This is about preventing root access while engaging in communications
with another entity. After this you will have access on your system. This
is about contractual agreements in communications situations. Now the good
guys don't want to do any harm but they cannot prove they don't want to do
any harm. User override will be possible. Conceptually and technically TCPA
clearly allows user override. If user override means key access - then lack
of user access is very good because loss of user autonomy makes users trustworthy.
Migratable keys can come with different security classification.
Paul: One comment on providing user override with the platform previously known
as Palladium: well, there are so many changes, you have to change all the architecture
and the keyboard and everything else; I cannot see how anyone could come up
with such a strong PC. It will not exist.
Marc: I would also like to have 20 perfect security devices. TCPA
takes root access from a user: if you are root then you determine which instructions
your CPU sees and executes. Under the TCPA regime the system cannot work.
It requires removal of user autonomy. TCPA is about protecting content from
others who believe the information must be protected from you after you purchase
it. Paul immediately proposed an override that was an off button. Dirk proposed
that you can turn it off if you are not online and not using any Microsoft
software.
Moti: Before questions I have something to say about what Paul said: the
research community failed to create a DRM solution. No we cannot solve the
DRM problem.
Drew: To Dirk, I was at the DRM workshop last year. The EU will get the same
horrible laws we are. Consumers will refuse to purchase DRM products. They
are not serving a market so purchasers will not sell.
Paul: I think market driven systems are the way to go. If users don't like
it they will avoid it.
Ray: TCPA tries to solve the problems of content owner. Can we make the problem
of content owners and machine users distinct?
Dirk: researchers have tried to come up with the minimum amount of crypto primitives
that allow for a secure boot. If you can find out that a simple mechanism
is possible to have monitored boot then let us know. Can we allow for a secure
boot without allowing things? Not possible now.
Paul: Users want to be able to put information in front of a website and
know that the remote computer is what they think it is.
Adam: In regards to Drew's comment about a pocket veto, it will be difficult
to buy a system which does NOT have TCPA elements built in. I bought this
machine, so you need to have Office to create complex Microsoft documents.
I am a technical person and I explored all the available alternatives, so my
ability to pocket veto what I don't want and don't like is not there.
Marc: This loops around to the market force in TCPA and Palladium. As HP has
said, HP ships whatever Microsoft desires. I asked a senior AMD person if
they would support TCPA; because Microsoft and Intel decided on the feature
they had to include it. The market forces are distorted. Those who work
in large MS environments know that they build incompatibilities so that one
person's upgrading forces anyone who would communicate to upgrade. The current
goal is to mandate the use of this technology by the Federal government.
Dirk: It is likely that TCPA systems may be cheaper than others. As for plans
to embed TCPA on chip, then there would be a requirement to cut off TCPA. It
is possible to run Linux on TCPA if it is loaded on the box at the vendor.
Getting technology without TCPA in the future may not be possible. As for
the comments that TCPA is actually pushed, it is only pushed because the original
intent of this technology is DRM. IBM sells TCPA computers where losing a
laptop does not mean losing their data. HP will sell a similar thing. There
is a nice business without TCPA. In fact the original intention is to work
through the corporate space for road warriors or teleworkers. This market
is already there. We are facing groups that are fighting TCPA on political
grounds.
Drew: I was talking about mass media and office is completely different.
Let me remind the panelists of CT by 92. I do not believe in the power of
mandates.
Julian: TCPA is giving up your rights on your own computer so others can
trust you. What do I gain if I give up control? What if something goes wrong?
Then it is all my fault. Then if there is a bug, who should I blame?
Drew: Worse yet, if you broadcast viruses to many users, are you liable?
Paul: We have reached a point regardless - you have no control over your
PC anyway.
Julian: You decide which applications you run. But you know what applications
you run.
Paul: An install program is to install whatever you want. Right now consumers
have lost power in dictating what goes into technology. People accept the
worse material. What is needed is the consumers' union which revolutionized
non-technical goods and altered the sale of unsafe products. Users should
have products that meet their needs.
Dirk: The evolving area of computer security economics is dealing with this
question. I doubt agencies cannot work because they cannot access the software.
They are not able to verify the software. Closed code is not good enough for
this community and not good enough for government. It takes a long time to
understand this and individual consumers cannot do this. I know one thing:
if we just say we cannot do this, then we have given up our control of technology.
We should go back to paper.
10:30 - 11:00 Coffee Break
11:00 - 12:30 Cryptographic Tools and Primitives. Session Chair: Benny Pinkas
On The Computation-Storage Trade-offs of Hash Chain Traversal Yaron Sella
Nice overview of hash chains and their use in authentication.
There are two naive approaches to traverse a hash chain: you can store only
the root and then compute all others, giving storage O(1) and computation
O(n); or you can store all the links, giving computation O(1) and storage
O(n). Last year there was an FC paper to traverse a hash chain so that storage
is O(log n) and computation is O(log n).
Here the focus is on O(c) computation for some storage trade-off, for example
for heavily loaded servers.
The hash chain traversal protocol provides constant O(M) computation with
storage requirements O(k n^(1/k)). He then starts with the case n=1 and illustrates
that length optimality is an interesting and open question with respect to this protocol.
Yaron starts with a "b partition": he divides the chain into subsections and
stores the left-most link of each subsection. Then he recursively b-partitions and
shows an example. Then he shows it so that the root is the base of the first
b partition and the partition creates new trees/subsections.
The protocol begins with a b partition. Each time a b partition occurs there
is a pebble placed at the subsection's left neighbor. The pebble induces a b
partition at its node. A pebble is a dynamic storage element that dies after
it is done. Very nice dynamic illustration of the general protocol on a short
hash chain.
He expands it nicely in double hash chains for the case of two parties committing.
The use of simple visual aids is very effective but cannot be reflected in
the notes.
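As an added illustration (my own code, not from the paper or the talk), a simplified b-partition traversal with lazily placed pebbles: a pebble sits on the left-most link of each subsection and dies once that subsection is consumed, so a chain of n = b^k links needs only about k*b pebbles and about k hashes per revealed link on average. Unlike the protocol described above, this simplified version bounds the work only on average, not per step; the seed and the counts in the comments are constructed for the example.

```python
import hashlib
import math

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()          # one chain step: x_{i+1} = H(x_i)

def build_chain(seed: bytes, n: int) -> list:
    """Store-everything baseline: [x_0, ..., x_n] with O(n) storage."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain

class PartitionTraverser:
    """Reveal x_{n-1}, ..., x_0 from seed x_0 keeping only about k*b pebbles
    (b ~ n^(1/k)): a simplified b-partition, not Sella's exact protocol."""
    def __init__(self, seed: bytes, n: int, b: int):
        self.b, self.hashes, self.max_pebbles = b, 0, 0
        # Pending subsections as (start index, pebble = x_start, length);
        # the rightmost subsection is on top so it is consumed first.
        self.stack = []
        self._partition(0, seed, n)

    def _partition(self, start: int, value: bytes, length: int) -> None:
        """Split [start, start+length) into at most b subsections, placing a
        pebble on each left-most link (computed by hashing forward)."""
        size = math.ceil(length / self.b)
        pos, v, end = start, value, start + length
        while pos < end:
            seg = min(size, end - pos)
            self.stack.append((pos, v, seg))
            pos += seg
            if pos < end:                      # never hash past the last pebble
                for _ in range(seg):
                    v = H(v)
                self.hashes += seg
        self.max_pebbles = max(self.max_pebbles, len(self.stack))

    def next(self):
        """Return (index, x_index) of the next link to the left, or None."""
        while self.stack:
            start, v, length = self.stack.pop()
            if length == 1:                    # single link: reveal it, pebble dies
                return start, v
            self._partition(start, v, length)  # refine the rightmost subsection
        return None

def traverse_all(seed: bytes, n: int, b: int):
    """Full traversal; returns (revealed links, total hashes, peak pebbles)."""
    t = PartitionTraverser(seed, n, b)
    out = list(iter(t.next, None))             # call next() until it returns None
    return out, t.hashes, t.max_pebbles        # n=100, b=10: 180 hashes, 19 pebbles
```

For n=100 and b=10 the traversal costs 180 hashes and at most 19 stored pebbles, against 100 stored links for the store-everything baseline or 4950 hashes for the store-only-the-root baseline.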
Verifiable Secret Sharing for General Access Structures, with Application
to Fully Distributed Proxy Signatures Javier Herranz and Germán Sáez
This work is related to secret sharing, threshold protocols and proxy signatures.
This protocol allows delegation of signing capabilities from one distributed
entity to another.
Illustrates some interesting applications and use with three types of delegation:
full delegation, proxy-protected delegation and proxy-unprotected delegation.
(Fits well with Richard Field's point about the meaning of power of attorney
and how we don't know how that might map. This work expands that understanding.)
He wants to expand this work to other signature schemes in the future.
Non-interactive Zero-Sharing with Applications to Private Distributed
Decision Making Aggelos Kiayias and Moti Yung
Private distributed decision making is a core problem in cryptography. It
requires security, privacy, efficiency and trust. Generic protocols are not
efficient, especially as the number of participants expands or as the group
members change.
This work builds on previous e-voting work and proposes applications of PDDM.
These applications take more narrowly defined crypto protocols and systems
and, with small reconfiguration, apply them to a far larger and arguably more
realistic set of general problems.
Closing Remarks Phong Nguyen, General Co-Chair
Please fill out the feedback. Taxi coordinating list. Thanks. Figures on the
conference: 40% non-US, 6% Asian; 40% academic, 40% industry, 20% students.
By hours, Internet surfing was more popular than physical surfing.
T-shirts are still available.
Jean's Closing Remarks: Every time I leave I come away with six papers I want
to do. A paper on the possible implications of Euro RFID for the policy audience.
An analytic simulation of different anonymous systems. A survey paper on all
the micro-payment systems used in transit systems. A risk analysis about the
change of keys based on the lifetime cycle of money, assuming that banks can
re-encrypt. (E.g., in Russia dollars are held a very long time as insurance
against ruble failure. In the US most dollars go from ATM > consumer > merchant
> bank. US solutions would be damaging for Russia.)
Session Chair: Andrew Odlyzko