INTRODUCTION
With the onset of the Information Age, our nation is becoming increasingly dependent upon network communications. Computer-based technology is significantly impacting our ability to access, store, and distribute information. Among the most important uses of this technology is electronic commerce: performing financial transactions via electronic information exchanged over telecommunications lines. A key requirement for electronic commerce is the development of secure and efficient electronic payment systems. The need for security is highlighted by the rise of the Internet, which promises to be a leading medium for future electronic commerce.
Electronic payment systems come in many forms including digital checks, debit cards, credit cards, and stored value cards. The usual security features for such systems are privacy (protection from eavesdropping), authenticity (provides user identification and message integrity), and no repudiation (prevention of later denying having performed a transaction) .
The type of electronic payment system focused on in this paper is electronic cash. As the name implies, electronic cash is an attempt to construct an electronic payment system modelled after our paper cash system. Paper cash has such features as being: portable (easily carried), recognizable (as legal tender) hence readily acceptable, transferable (without involvement of the financial network), untraceable (no record of where money is spent), anonymous (no record of who spent the money) and has the ability to make "change." The designers of electronic cash focused on preserving the features of untraceability and anonymity. Thus, electronic cash is defined to be an electronic payment system that provides, in addition to the above security features, the properties of user anonymity and payment untraceability..
In general, electronic cash schemes achieve these security goals via digital signatures. They can be considered the digital analog to a handwritten signature. Digital signatures are based on public key cryptography. In such a cryptosystem, each user has a secret key and a public key. The secret key is used to create a digital signature and the public key is needed to verify the digital signature. To tell who has signed the information (also called the message), one must be certain one knows who owns a given public key. This is the problem of key management, and its solution requires some kind of authentication infrastructure. In addition, the system must have adequate network and physical security to safeguard the secrecy of the secret keys.
This report has surveyed the academic literature for cryptographic techniques for implementing secure electronic cash systems. Several innovative payment schemes providing user anonymity and payment untraceability have been found. Although no particular payment system has been thoroughly analyzed, the cryptography itself appears to be sound and to deliver the promised anonymity.
These schemes are far less satisfactory, however, from a law enforcement point of view. In particular, the dangers of money laundering and counterfeiting are potentially far more serious than with paper cash. These problems exist in any electronic payment system, but they are made much worse by the presence of anonymity. Indeed, the widespread use of electronic cash would increase the vulnerability of the national financial system to Information Warfare attacks. We discuss measures to manage these risks; these steps, however, would have the effect of limiting the users' anonymity.
WHAT IS ELECTRONIC CASH?
We begin by carefully defining "electronic cash." This term is often applied to any electronic payment scheme that superficially resembles cash to the user. In fact, however, electronic cash is a specific kind of electronic payment scheme, defined by certain cryptographic properties. We now focus on these properties.
Electronic Payment
The term electronic commerce refers to any financial transaction involving the electronic transmission of information. The packets of information being transmitted are commonly called electronic tokens. One should not confuse the token, which is a sequence of bits, with the physical media used to store and transmit the information.
We will refer to the storage medium as a card since it commonly takes the form of a wallet-sized card made of plastic or cardboard. (Two obvious examples are credit cards and ATM cards.) However, the "card" could also be, e.g., a computer memory.
A particular kind of electronic commerce is that of electronic payment. An electronic payment protocol is a series of transactions, at the end of which a payment has been made, using a token issued by a third party. The most common example is that of credit cards when an electronic approval process is used. Note that our definition implies that neither payer nor payee issues the token.
The electronic payment scenario assumes three kinds of players:
a payer or consumer, whom we will name Alice.
a payee, such as a merchant. We will name the payee Bob.
a financial network with whom both Alice and Bob have accounts. We will informally refer to the financial network as the Bank.
Conceptual Framework
There are four major components in an electronic cash system: issuers, customers, merchants, and regulators. Issuers can be banks, or non-bank institutions; customers are referred to users who spend E-Cash; merchants are vendors who receive E-Cash, and regulators are defined as related government agencies. For an E-Cash transaction to occur, we need to go through at least three stages:
1. Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts from various E-Cash issuers. Issuers typically handle accounting for customers and merchants.
2. Purchase: Customers purchase certain goods or services, and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitting in the networks.
3. Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount E-Cash involved.
Classification of e-Cash
E-Cash could be on-line, or off-line. On-Line E-Cash refers to amount of digital money kept by your E-Cash issuers, which is only accessible via the network. Off-line E-Cash refers to digital money which you keep in your electronic wallet or other forms of off-line devices. Another way to look at E-Cash is to see if it is traceable or not. On-line credit card payment is considered as a kind of "Identified" E-Cash since the buyer's identity can be traced. Contrary to Identified E-Cash, we have "anonymous" E-Cash which hides buyer's identity. These procedures can be implemented in either of two ways:
On-line payment means that Bob calls the Bank and verifies the validity of Alice's token3 before accepting her payment and delivering his merchandise. (This resembles many of today's credit card transactions.)
Off-line payment means that Bob submits Alice's electronic coin for verification and deposit sometime after the payment transaction is completed. (This method resembles how we make small purchases today by personal check.)
Note that with an on-line system, the payment and deposit are not separate steps. We will refer to on-line cash and off-line cash schemes, omitting the word "electronic" since there is no danger of confusion with paper cash.
Properties of Electronics Cash
Specifically, e-cash must have the following four properties, monetary value, interoperability , retrievability & security.
Monetrary value E-cash must have a monetary value; it must be backed by either cash (currency), or a back-certified cashiers checqe when e-cash create by one bank is accepted by others , reconciliation must occur without any problem. Stated another way e-cash without proper bank certification carries the risk that when deposited, it might be return for insufficient funds.
Interoperable E-cash must be interoperable that is exchangeable as payment for other e-cash, paper cash, goods or services , lines of credits, deposit in banking accounts, bank notes , electronic benefits transfer ,and the like .
Storable & Retrievable Remote storage and retrievable ( e.g. from a telephone and communication device) would allow user to exchange e-cash ( e.g. withdraw from and deposit into banking accounts) from home or office or while traveling .the cash could be storage on a remote computer’s memory, in smart cards or in other easily transported standard or special purpose device. Because it might be easy to create counterfeit case that is stored in a computer it might be preferable to store cash on a dedicated device that can not be alerted. This device should have a suitable interface to facilitate personnel authentication using password or other means and a display so that the user can view the cards content .
E-Cash Security
Security is of extreme importance when dealing with monetary transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.
There are several aspects to security when dealing with E-cash. The first issue is the security of the transaction. How does one know that the E-cash is valid?
Encryption and special serial numbers are suppose to allow the issuing bank to verify (quickly) the authenticity of E-cash. These methods are suseptible to hackers, just as paper currency can be counterfeited. However, promoters of E-cash point out that the encryption methods used for electronic money are the same as those used to protect nuclear weapon systems. The encryption security has to also extend to the smartcard chips to insure that they are tamper resistant. While it is feasible that a system wide breach could occur, it is highly unlikely. Just as the Federal Government keeps a step ahead of the counterfeiters, cryptography stays a step ahead of hackers.
Physical security of the E-cash is also a concern. If a hard drive crashes, or a smartcard is lost, the E-cash is lost. It is just as if one lost a paper currency filled wallet. The industry is still developing rules/mechanisms for dealing with such losses, but for the most part, E-cash is being treated as paper cash in terms of physical security.
Signature and Identification. In a public key system, a user identifies herself by proving that she knows her secret key without revealing it. This is done by performing some operation using the secret key which anyone can check or undo using the public key. This is called identification. If one uses a message as well as one's secret key, one is performing a digital signature on the message. The digital signature plays the same role as a handwritten signature: identifying the author of the message in a way which cannot be repudiated, and confirming the integrity of the message.
Secure Hashing A hash function is a map from all possible strings of bits of any length to a bit string of fixed length. Such functions are often required to be collision-free: that is, it must be computationally difficult to find two inputs that hash to the same value. If a hash function is both one-way and collision-free, it is said to be a secure hash.
The most common use of secure hash functions is in digital signatures. Messages might come in any size, but a given public-key algorithm requires working in a set of fixed size. Thus one hashes the message and signs the secure hash rather than the message itself. The hash is required to be one-way to prevent signature forgery, i.e., constructing a valid-looking signature of a message without using the secret key. The hash must be collision-free to prevent repudiation, i.e., denying having signed one message by producing another message with the same hash.
Note that token forgery is not the same thing as signature forgery. Forging the Bank's digital signature without knowing its secret key is one way of committing token forgery, but not the only way. A bank employee or hacker, for instance, could "borrow" the Bank's secret key and validly sign a token.
E-Cash and Monetary Freedom
Prologue
Much has been published recently about the awesome promises of electronic commerce and trade on the Internet if only a reliable, secure mechanism for value exchange could be developed. This paper describes the differences between mere encrypted credit card schemes and true digital cash, which present a revolutionary opportunity to transform payments. The nine key elements of electronic, digital cash are outlined and a tenth element is proposed which would embody digital cash with a non-political unit of value.
It is this final element of true e-cash which represents monetary freedom - the freedom to establish and trade negotiable instruments. For the first time ever, each individual has the power to create a new value standard with an immediate worldwide audience.
Why monetary freedom is important
If all that e-cash permits is the ability to trade and store dollars, francs, and other governmental units of account, then we have not come very far. Even the major card associations, such as Visa and MasterCard, are limited to clearing settling governmental units of account. For in an age of inflation and government ineptness, the value of what is being transacted and saved can be seriously devalued. Who wants a hard drive full of worthless "cash"? True, this can happen in a privately-managed digital cash system, but at least then it is determined by the market and individuals have choices between multiple providers.
Key elements of a private e-cash system
This section compares and contrasts true e-cash to paper cash as we know it today. Each of the following key elements will be defined and explored within the bounds of electronic commerce:
- Secure
- Anonymous
- Portable (physical independence)
- Infinite duration (until destroyed)
- Two-way (unrestricted)
- Off-line capable
- Divisible (fungible)
- Wide acceptability (trust)
- User-friendly (simple)
- Unit-of-value freedom
Achieving the non-political unit of value
The transition to a privately-operated e-cash system will require a period of brand-name recognition and long-term trust. Some firms may at first have an advantage over lesser-known name-brands, but that will soon be overcome if the early leaders fall victim to monetary instability. It may be that the smaller firms can devise a unit of value that will enjoy wide acceptance and stability (or appreciation).
Epilogue
True e-cash as an enabling mechanism for electronic commerce depends upon the marriage of economics and cryptography. Independent academic advancement in either discipline alone will not facilitate what is needed for electronic commerce to flourish. There must be a synergy between the field of economics which emphasizes that the market will dictate the best monetary unit of value and cryptography which enhances individual privacy and security to the point of choosing between several monetary providers. It is money, the lifeblood of an economy that ultimately symbolizes what commercial structure we operate within.
E-Cash Regulation
A new medium of exchange presents new challenges to existing laws. Largely, the laws and systems used to regulate paper currency are insufficient to govern digital money.
The legal challenges of E-cash entail concerns over taxes and currency issuers. In addition, consumer liability from bank cards will also have to be addressed (currently $50 for credit cards). E-cash removes the intermediary from currency transactions, but this also removes much of the regulation of the currency in the current system.
Tax questions immediately arise as to how to prevent tax evasion at the income or consumption level. If cash-like transactions become easier and less costly, monitoring this potential underground economy may be extremely difficult, if not impossible, for the IRS.
The more daunting legal problem is controlling a potential explosion of private currencies. Large institutions that are handling many transactions may issue electronic money in their own currency. The currency would not be backed by the full faith of the United States, but by the full faith of the institution. This is not a problem with paper currency, but until the legal system catches up with the digital world, it may present a problem with e-cash.
Electronic Cash under Current Banking Law
The current federal banking system originated during the Civil War with the enactment of the National Bank Act of 1864 and the creation of a true national currency.
Since the enactment of that first major federal banking legislation, an elaborate, complex and overlapping web of statutes and regulations has developed governing banking institutions and the "business of banking" in the United States.
The rapidly developing electronic cash technologies raise numerous questions of first impression as to whether these technologies fall within existing banking regulation, and if so, how.
There are also questions as to how the technologies mesh with the existing payments system.
Indeed, certain of the new technologies raise the possibility of a new payments system that could operate outside the existing system. Even if it could not, there are numerous legal questions as to what law governs their operation and as to the applicability of existing banking law to these technologies.
This article identifies and briefly addresses some of the key issues, which include, among others, bank regulatory, consumer protection, financial privacy and risk allocation issues as well as matters of monetary policy.
Because the legal conclusions as to the applicability of banking statutes to any particular electronic cash arrangement may depend in large part upon the specific facts presented by that arrangement, this article of necessity provides only general responses to the complex legal issues involved in this area.
DIGITAL CASH SYSTEMS
1. Types and Examples of E-Cash Transactions
Electronic cash used over computer networks (usually without involving a plastic card), variously called "digital cash," "electronic cash," "e-cash," "cybercurrency," or "cybercash," among other phrases, may have various characteristics. For example, it may require on-line third-party payment servers to process transactions, or it may be designed so that value can be exchanged directly between remote transacting parties (e.g., purchaser and vendor) without the involvement of on-line or off-line third-party payment servers. Digital cash systems are under development in Europe and the U.S. and include:
Digital Cash an Amsterdam based firm that makes stored value cards for electronic transactions, is running trials of on-line currency in Holland. In proposed full-blown arrangement, customers would use local currency to buy equivalent amount of digital cash from a bank. Bank's computer would instruct special software on user's own PC to issue that amount of money. Instructions would be coded strings of numbers included in e-mail messages. Users would spend their electronic cash by sending these strings to sellers. String is untraceable (bank can say only if the number is valid, not to whom it was issued), so this framework would offer anonymity.
First Virtual Holdings, a California company that has built a credit-card payment system that relies on a private e-mail network to circumvent Internet security problems, began operating on the Internet in the fall of 1994. Both buyer and seller must have accounts with First Virtual Holdings. When buyer wishes to purchase an item over the Internet, buyer gives seller buyer's account number. Seller ships product. Seller e-mails lists of purchases to First Virtual.
First Virtual e-mails buyers to confirm transactions. It is reported that once buyer confirms, First Virtual charges buyer's conventional credit card and money is transferred to seller's account. If buyer does not confirm, First Virtual withholds settlement.
Potential Steps in Digital Cash Transactions
While there are many possible approaches to structuring digital cash transactions, one approach might unfold as follows:
Cash Management Services
Flagship Bank provides cash management services to help your business make the most of every dollar. With a broad range of services and information systems, we can help you identify potential earnings, increase savings, and streamline record keeping. Here is a sample of what is available:
E-Banking for Business - real-time access to your accounts
Sweep accounts - automatically transfer cash to interest bearing accounts
Lockbox Service - quick way to convert receivables to cash
Account Reconciliation - manage your checking accounts more efficiently
Wire Transfer Services - quick and secure method to send and receive funds
Electronic Funds Transfer - economical way to send and receive funds for next day availability
Rely on your Account Manager to recommend the most appropriate package of cash management services to fit your particular business needs.
A Simplified Electronic Cash Protocol
A Basic Electronic Cash Protocol
If the payment is to be on-line, we can use Protocol 3 (implemented, of course, to allow for payer anonymity). In the off-line case, however, a new problem arises. If a merchant tries to deposit a previously spent coin, he will be turned down by the Bank, but neither will know who the multiple spender was since she was anonymous. Thus it is necessary for the Bank to be able to identify a multiple spender. This feature, however, should preserve anonymity for law-abiding users.
The solution is for the payment step to require the payer to have, in addition to her electronic coin, some sort of identifying information which she is to share with the payee. This information is split in such a way that any one piece reveals nothing about Alice's identity, but any two pieces are sufficient to fully identify her.
This information is created during the withdrawal step. The withdrawal protocol includes a step in which the Bank verifies that the information is there and corresponds to Alice and to the particular coin being created. (To preserve payer anonymity, the Bank will not actually see the information, only verify that it is there.) Alice carries the information along with the coin until she spends it.
At the payment step, Alice must reveal one piece of this information to Bob. (Thus only Alice can spend the coin, since only she knows the information.) This revealing is done using a challenge-response protocol. In such a protocol, Bob sends Alice a random "challenge" quantity and, in response, Alice returns a piece of identifying information. (The challenge quantity determines which piece she sends.) At the deposit step, the revealed piece is sent to the Bank along with the coin. If all goes as it should, the identifying information will never point to Alice. However, should she spend the coin twice, the Bank will eventually obtain two copies of the same coin, each with a piece of identifying information. Because of the randomness in the challenge-response protocol, these two pieces will be different. Thus the Bank will be able to identify her as the multiple spender. Since only she can dispense identifying information, we know that her coin was not copied and re-spent by someone else.
Off-line cash.
Withdrawal:
Alice creates an electronic coin, including identifying information.
Alice blinds the coin.
Alice sends the blinded coin to the Bank with a withdrawal request.
Bank verifies that the identifying information is present.
Bank digitally signs the blinded coin.
Bank sends the signed blinded coin to Alice and debits her account.
Alice unblinds the signed coin.
Payment:
Alice gives Bob the coin.
Bob verifies the Bank's digital signature.
Bob sends Alice a challenge.
Alice sends Bob a response (revealing one piece of identifying info).
Bob verifies the response.
Bob gives Alice the merchandise.
Deposit:
Bob sends coin, challenge, and response to the Bank.
Bank verifies the Bank's digital signature.
Bank verifies that coin has not already been spent.
Bank enters coin, challenge, and response in spent-coin database.
Bank credits Bob's account.
Note that, in this protocol, Bob must verify the Bank's signature before giving Alice the merchandise. In this way, Bob can be sure that either he will be paid or he will learn Alice's identity as a multiple spender.
PROPOSED OFF-LINE IMPLEMENTATIONS
Having described electronic cash in a high-level way, we now wish to describe the specific implementations that have been proposed in the literature. Such implementations are for the off-line case; the on-line protocols are just simplifications of them. The first step is to discuss the various implementations of the public-key cryptographic tools we have described earlier.
Including Identifying Information
We must first be more specific about how to include (and access when necessary) the identifying information meant to catch multiple spenders. There are two ways of doing it: the cut-and-choose method and zero-knowledge proofs.
Cut and Choose. When Alice wishes to make a withdrawal, she first constructs and blinds a message consisting of K pairs of numbers, where K is large enough that an event with probability 2-K will never happen in practice. These numbers have the property that one can identify Alice given both pieces of a pair, but unmatched pieces are useless. She then obtains signature of this blinded message from the Bank. (This is done in such a way that the Bank can check that the K pairs of numbers are present and have the required properties, despite the blinding.)
When Alice spends her coins with Bob, his challenge to her is a string of K random bits. For each bit, Alice sends the appropriate piece of the corresponding pair. For example, if the bit string starts 0110. . ., then Alice sends the first piece of the first pair, the second piece of the second pair, the second piece of the third pair, the first piece of the fourth pair, etc. When Bob deposits the coin at the Bank, he sends on these K pieces.
If Alice re-spends her coin, she is challenged a second time. Since each challenge is a random bit string, the new challenge is bound to disagree with the old one in at least one bit. Thus Alice will have to reveal the other piece of the corresponding pair. When the Bank receives the coin a second time, it takes the two pieces and combines them to reveal Alice's identity.
Although conceptually simple, this scheme is not very efficient, since each coin must be accompanied by 2K large numbers.
The trouble with E-cash
Recently, I browsed a "cybermall" selling smoked Vermont hams and sailboats on the World Wide Web. The smoked ham looked particularly tasty: thick slices surrounded by a bed of parsley. Below beckoned a button marked "order"; I decided to take a brave step into electronic commerce, took a deep breath, and clicked. Up came the order form ... sort of. "The Internet is the world wide network that carries your order form to us," I read, "while it is massive, fast, and convenient, it is not, unfortunately secure. If you were to include credit card information in your order form, it might be read by someone else before it arrives here." The proposed solution? Pick up the phone and order the old-fashioned way--with your voice.
The electronic agora is open, but few are shopping. Many think that's about to change, thanks to the arrival of electronic money, or e-cash. The Internet, still growing at 10% a month, passed a magic point sometime last year, call it the moment when the Net stopped being just a network and became a "market"--a market of 20 million people without a medium of exchange. Over this vacuum looms a format war, except what's at stake here is not CD- ROMs or VCRs, it is the nature of money There's a rush underway to establish the protocols that will define what electronic money, or e-cash, is. The players range from the big--Visa, Microsoft, Citibank--to the obscure—Digital Cash, CyberCash, and First Virtual Holdings, to name a few.
The process, for now, resembles the free-for-all that surrounded the U.S. banking industry in the 19th century, until the creation of the Federal Reserve. Before the Fed, banks circulated their own private currency and bank checks weren't as widely accepted, since you couldn't trust the solvency of the issuer. The same pattern is being repeated in the digital marketplace; government agencies like the Federal Reserve, Department of the Treasury, and the Office of Technology Assessment have no official opinion on how e- cash should be implemented. Without clear ground rules, uncertainty will undermine e-cash's usefulness. What's at stake here? At worst, we'll be left with an inflexible currency that's costly to use, easy for marketers' to trace, and hard to trade between individuals; at best, we'll get the digital equivalent of a dollar bill--the benefit of cash without the cost of paper.
CONCLUSION
Electronic cash system must have a way to protect against multiple spending. If the system is implemented on-line, then multiple spending can be prevented by maintaining a database of spent coins and checking this list with each payment. If the system is implemented off-line, then there is no way to prevent multiple spending cryptographically, but it can be detected when the coins are deposited. Cryptographic solutions have been proposed that will reveal the identity of the multiple spenders while preserving user anonymity otherwise.
Token forgery can be prevented in an electronic cash system as long as the cryptography is sound and securely implemented, the secret keys used to sign coins are not compromised, and integrity is maintained on the public keys. However, if there is a security flaw or a key compromise, the anonymity of electronic cash will delay detection of the problem. Even after the existence of a compromise is detected, the Bank will not be able to distinguish its own valid coins from forged ones.
The untraceability property of electronic cash creates problems in detecting money laundering and tax evasion because there is no way to link the payer and payee. However, this is not a solution to the token forgery problem because there may be no way to know which deposits are suspect. In that case, identifying forged coins would require turning over all of the Bank's deposit records to the trusted entity to have the withdrawal numbers decrypted.
Allowing transfers magnifies the problems of detecting counterfeit coins, money laundering, and tax evasion. Coins can be made divisible without losing any security or anonymity features, but at the expense of additional memory requirements and transaction time. In conclusion, the potential risks in electronic commerce are magnified when anonymity is present. Anonymity creates the potential for large sums of counterfeit money to go undetected by preventing identification of forged coins. It is necessary to weigh the need for anonymity with these concerns. It may well be concluded that these problems are best avoided by using a secure electronic payment system that provides privacy, but not anonymity.
No comments:
Post a Comment
leave your opinion