is it prac*cal to build a truly distributed payment system?kabhb2/digitally/docs/ccs... · ·...

Isitprac*caltobuildatrulydistributedpaymentsystem?

RossAnderson,KhaledBaqerCambridge

CCS,Vienna,Oct262016

Centralisedordistributedpayment?


Centralisa*onandtech

•  Thependulumhasswungbackandforthbutformostofmyworkinglifewe’vebeencentralisingpaymentsandpuKngthemonline

•  E.g.UKATMsmovedonline-onlyin1993•  EMVusesshared-keycryptocard<->bank•  Howeversomeapplica*onshavealwaysresistedthemoveonline

•  Manyothersuseofflineasafallback•  Andbitcoin:isitreallydistributed?CCS,Vienna,Oct262016

Prepaymentmeters

•  TheSTSspecifica*onwedid20+yearsago(IEEES&P95)isnowusedin100+countries

•  Idea:copy20-digitciphertextfroma*cket


Themobilemoneyrevolu*on


Mobilemoneyachievements

•  Helpedpoorestcommuni*esinmanyways!•  Broughtbankingservicestohundredsofmillionswhodidn’thavethem

•  Builtmechanismsfordirectpaymentsandremiaances;storeofvalue;personalsafety;transac*onhistory;accesstocredit

•  Provideddirectchannelforgovernmentpaymentsandservices

•  ConnectedlotsofpeopletotheonlineworldCCS,Vienna,Oct262016

Whataretheremainingchallenges?

•  Extendpaymentstoareaswithnomobileservice(mountains,deserts,islands)?

•  Makeservices*llworkwhennetworkserviceintermiaent(conges*on,powercuts)?

•  Cutnetworkcharges/transac*onfees?•  Establishstandardsandinteroperabilityforinterna*onalremiaances?


TheDigiTallyproject

•  TheGatesFounda*onaskedforideastoincreasemerchantuseofmobilemoney

•  Wetalkedtooperatorsandusersinseveralcountries:topissueswerenetworkaccess,thencosts(thoughthisvariesbetweencountries)

•  So:howcanyoudoapaymentbetweentwophoneswhenthere’snoGSMsignal?

•  It’seasywithtwosmartphones,butwhataboutbasichandsets?


DigiTally

•  DigiTallyisaprototypepursesystemwebuilttodoresearchonofflinemobilepayments

•  Itworksbycopyingshortauthen*ca*oncodesfromonephonetoanother

•  OurprototypeisimplementedinoverlaySIMsforuseinsimplephones

•  ItcanalsobeimplementedinyourSIMtoolkitorasasmartphoneapp


OverlaySIMs

•  Tamper-resistantSIM•  S*cksontopoftheregularSIM

•  Bypassesthemobilenetworkoperator

•  Independentsecuredevice,likeSEinNFC

•  Canbeusedtocomputeauthoriza*oncodes,justasinEMV


Background:ShortMessageAuthen*ca*on

•  Shortmessageauthen*ca*oncodes:telextestkeys,firingcodes,CVVauthcodes

•  Goal:operateinofflineorconstrainedenvironments

•  Tradeoffsbetweensecurityandusability•  Wesetouttodesignforusability•  Ourstar*ngpointwasminimumchangetothefamiliartransac*onflow


Background:M-Pesatransac*on

•  AlicewantstopayBobKsh400($4)•  Bobgivesherhisphonenumber•  Aliceentersit,and‘$4’•  She’saskedforherPIN•  AnencryptedSMSissenttothephonecompany

•  Aperarandomdelay(+-1minute)Bobgetsaconfirma*onSMS


DigiTallypayment,step1

•  AlicewantstopayBob$4forataxiride•  ThefirststepisforeachofthemtogivetheothertheirphonenumberwhichtheyeachenterintotheirDigiTallymenus

•  Thisisjustlikeincurrentsystems,whereAliceandBobusethephonesystemtoverifyandstoreeachother’sphonenumbers



•  IfBobwants$4fromAlice,heselectshernameandenterstheamount,“$4”,onhisphone

•  Itshowsan8-digitauthoriza*onrequest,say‘47610825’whichheshowsorreadsorshowstoAlice

•  Shetaps“$4”and“47610825”onherphone•  Iftheyagreeonthetwophonenumbersandtheamount,thenAlice’sphoneproceedstothenextstage



•  AliceentersherPIN(justlikeinanormalphonepayment)

•  Herphonedisplays“$4paid”andan8-digitauthoriza*onresponse,say“64093527”,whichshereadsorshowstoBob

•  Hetapsinthecode•  Ifit’scorrect,hisphonedisplays“$4received”atonce,withafulllogofthetransac*on


Underthehood–firstprotocol

•  AliceagreestopayBobXandeachofthementersboththisamountandtheotherparty’sphonenumberintotheirphones

•  Bobchoosesa3-digitnonceNBandformsa3-digitMACC(usingthesharedsecretkeyK)ofBandX.HetellsAlicethevalues(NB,C)whereC=MacK(B,A,X,NB)mod10^3


Firstprotocol(con*nued)

•  AliceverifiestheMAC,thenauthorisesthetransac*on(usingherPIN)tocreateanonceandtheresponsetothechallenge(NA,R)whereR=MacK(A,NA,C,NB,B)mod10^4

•  BobentersNAandRintohispurse,andchecksitincrementsbyX

•  ThisverifiedinastraighyorwardwayusingtheBANlogic(seeProtocolsWorkshoppaper)


Firstprotocol–bugs

•  BobnowchoosesahigherpriceXʹ•  Bobgeneratesnewnonces,tofindacollision:

MacK(A,X,NB,B)≡MacK(A,Xʹ,NBʹ,B)≡Cmod10^3

•  Bobabortsallothertrialtransac*ons•  Bobthengives(NB,C)toAlice,butonhisSIMusesNBʹandXʹ.

•  Thus,AlicepaysX;BobgetsXʹ>X•  Fix:R=MacK(A,NA,X,NB,B)CCS,Vienna,Oct262016

Furtherdesignconstraints

•  BobcouldtrytoaddmoneytohisSIMcardbyfakingtransac*onswithfakecustomersandjustguessingtheresponseR

•  Bobcanalsotrytofaketransac*onswithrealcustomersA,bykeepingarecordoftheirMacK(A,NA,X,NB,B)replies:–  BobcanchooseAandNA–  iftherealAlicehasalreadypaidn*mes,thenBobfindssome(NB,R)fakeatransac*onwithprobn·10−3

•  Issue:mostformaltoolsdon’ttrackentropy!


Evolu*on2:Delay-TolerantNeedham–Schroeder

•  Bankshappywithuniversalsharedsecretsonlyforsmalltransac*ons.Sowhataboutbigones?

•  Answer:turnthebugintheNeedham-Schroeder(NS)protocolintoafeature!

•  AandBcanaskforSam’shelptoestablishKAB•  EitherofthemstartsNSprotocolwithSamwhenconnec*vityisavailable,andgetsencryptedKAB

•  Challenge:exchangingdigitsfortheencryptedkey,as20digitsgiveyouonly66bits

•  Generalmechanismfordelay-tolerantnetworks?CCS,Vienna,Oct262016

Fieldtrial

•  Ini*alusabilitystudywithJoeSevillaandLornaMutegi,StrathmoreUniversity,Nairobi

•  Threeoutlets:– Bookshop(one*ll,quiet)– Coffeeshop(two*lls,burstytraffic)– Cafeteria(five*lls,madlybusyatmeal*mes)

•  Wean*cipatedproblemsatthecafeteria!•  Twelvestudents(splitmale/female,arts/science,urban/rural)


Thestudents


Thebookshop


Thecoffeeshop


Thecafeteria


Whatwefound

•  Itworkedfineinthebookshop,asexpected•  Thecoffeeshopstaffdidn’tlikeitastheyweremakingcoffeeandalsotakingmoney

•  Thecafeteriastaff,tooursurprise,stronglypreferredittoM-Pesa!


Whatwefound

•  Itworkedfineinthebookshop,asexpected•  Thecoffeeshopstaffdidn’tlikeitastheyweremakingcoffeeandalsotakingmoney

•  Thecafeteriastaff,tooursurprise,stronglypreferredittoM-Pesa!

•  Theydidnothavetowaitaboutaminutefortheconfirma*onSMStocomethrough

•  Fullusabilitystudypaperinprepara*on…


Pre-marketresearch

•  Wetalkedto–  theincumbent–  theotherphonecompany–  thePresident’soffice– andonebankthathasbeentryingtoestablishitsownmobilemoneysystemusingoverlaySIMs

•  Wethendidmarketresearchinoneoftherichesttowns(Thika)andoneofthepoorest(Busia)


Busia,nearLakeVictoria


Busiacountyoffice


Whatwefound

•  Therichcountythoughtitaninteres*ngtech,butofmostuseforcontrollingmoney

•  Thepoorcountythoughtitwasawesomeandcouldtransformtheirlives

•  Thephonenetworkisawfulthere,sophonepaymentsarereallyhard

•  HowevertheincumbentphonecompanywantstomaximiseprofitsfromitsSIMspace

•  Thatmeansgamblingapps,notofflinepaymentsCCS,Vienna,Oct262016

Theprojectsofar•  TheGatesFounda*onpaidustodevelopatechtoextendmobilepaymentsoffline

•  We’vedonethat,anditworks–bothinthelabandthefield

•  DeploymentinKenyalookshardfornow•  We’vebeentalkingtophoneandpaymentcompanieselsewhere,andtobodiesliketheWorldFoodProgramme


Whytoolslikethismaaer

•  Perhapssomethingotherthanpaymentwillbethekillerapp

•  Pay-as-you-gosolarenergyisgrowingfast•  Delay-tolerantnetworkswillbepervasive!•  Also,we’renowgeKngtamper-resistantdevicesandenclaveseverywhere

•  Lightweightshared-keycryptocanbeusedforop*mis*cbootstrapping,ratecontrol/DoSpreven*on


Lessonslearned•  Builditandtryitout!•  (MythesisadviserRogerNeedhamusedtosay‘goodresearchcomesfromrealproblems’)

•  Startwiththepeople,notthetech•  Lookatneeds,designforusability•  Ceremonies–protocolswithhumanpar*cipants–areworthsystema*cstudy

•  Shortmessageauthen*ca*onprotocolsareasurprisinglycommonexample

•  Ask:canIdomorewithless?CCS,Vienna,Oct262016

Deeperlessonslearned

•  Economicincen*vesdeterminenotjustsecurity,butdeployabilitytoo

•  Ins*tu*onsmaaer,andregula*on•  Opendisrup*vetechnologyisaboutdefea*ngregula*onsoastoreplace*redins*tu*ons

•  Ask:“what’sthesourceofmarketpower?”•  Here,it’snotjustnetworkeffects;ashortresourcetheabilitytoturncashintoelectrons

•  Theincumbentsawoffabitcoinchallenger!•  Finally–thinkthroughtheethicsCCS,Vienna,Oct262016

More

•  MoreonDigiTallyattheprojectwebpagehap://www.cl.cam.ac.uk/~kabhb2/DigiTally/

•  Moreonthesecuritygroupathap://www.cl.cam.ac.uk/research/security/

•  Moreonbankfraudinourbloghap://www.lightbluetouchpaper.org

•  Andgetmybookonsecurityengineeringfromhap://www.cl.cam.ac.uk/~rja14/book


is it prac*cal to build a truly distributed payment system?kabhb2/digitally/docs/ccs... · ·...

Documents