Is it practical to build a truly distributed payment system?
Ross Anderson, Khaled Baqer
Cambridge
CCS, Vienna, Oct 26 2016

Centralisation and tech
• The pendulum has swung back and forth but for most of my working life we’ve been centralising payments and putting them online
• E.g. UK ATMs moved online-only in 1993
• EMV uses shared-key crypto card <-> bank
• However some applications have always resisted the move online
• Many others use offline as a fallback
• And bitcoin: is it really distributed?

Prepayment meters
• The STS specification we did 20+ years ago (IEEE S&P 95) is now used in 100+ countries
• Idea: copy 20-digit ciphertext from a ticket

Mobile money achievements
• Helped poorest communities in many ways!
• Brought banking services to hundreds of millions who didn’t have them
• Built mechanisms for direct payments and remittances; store of value; personal safety; transaction history; access to credit
• Provided direct channel for government payments and services
• Connected lots of people to the online world

What are the remaining challenges?
• Extend payments to areas with no mobile service (mountains, deserts, islands)?
• Make service still work when network service intermittent (congestion, power cuts)?
• Cut network charges / transaction fees?
• Establish standards and interoperability for international remittances?

The DigiTally project
• The Gates Foundation asked for ideas to increase merchant use of mobile money
• We talked to operators and users in several countries: top issues were network access, then costs (though this varies between countries)
• So: how can you do a payment between two phones when there’s no GSM signal?
• It’s easy with two smartphones, but what about basic handsets?

DigiTally
• DigiTally is a prototype purse system we built to do research on offline mobile payments
• It works by copying short authentication codes from one phone to another
• Our prototype is implemented in overlay SIMs for use in simple phones
• It can also be implemented in your SIM toolkit or as a smartphone app

Overlay SIMs
• Tamper-resistant SIM
• Sticks on top of the regular SIM
• Bypasses the mobile network operator
• Independent secure device, like SE in NFC
• Can be used to compute authorization codes, just as in EMV

Background: Short Message Authentication
• Short message authentication codes: telex test keys, firing codes, CVV auth codes
• Goal: operate in offline or constrained environments
• Tradeoffs between security and usability
• We set out to design for usability
• Our starting point was minimum change to the familiar transaction flow

Background: M-Pesa transaction
• Alice wants to pay Bob Ksh 400 ($4)
• Bob gives her his phone number
• Alice enters it, and ‘$4’
• She’s asked for her PIN
• An encrypted SMS is sent to the phone company
• After a random delay (+- 1 minute) Bob gets a confirmation SMS

DigiTally payment, step 1
• Alice wants to pay Bob $4 for a taxi ride
• The first step is for each of them to give the other their phone number, which they each enter into their DigiTally menus
• This is just like in current systems, where Alice and Bob use the phone system to verify and store each other’s phone numbers

DigiTally payment, step 2
• If Bob wants $4 from Alice, he selects her name and enters the amount, “$4”, on his phone
• It shows an 8-digit authorization request, say ‘47610825’, which he reads or shows to Alice
• She taps “$4” and “47610825” on her phone
• If they agree on the two phone numbers and the amount, then Alice’s phone proceeds to the next stage

DigiTally payment, step 3
• Alice enters her PIN (just like in a normal phone payment)
• Her phone displays “$4 paid” and an 8-digit authorization response, say “64093527”, which she reads or shows to Bob
• He taps in the code
• If it’s correct, his phone displays “$4 received” at once, with a full log of the transaction

Under the hood – first protocol
• Alice agrees to pay Bob X and each of them enters both this amount and the other party’s phone number into their phones
• Bob chooses a 3-digit nonce N_B and forms a 3-digit MAC C (using the shared secret key K) of B and X. He tells Alice the values (N_B, C) where C = Mac_K(B, A, X, N_B) mod 10^3

First protocol (continued)
• Alice verifies the MAC, then authorises the transaction (using her PIN) to create a nonce and the response to the challenge (N_A, R) where R = Mac_K(A, N_A, C, N_B, B) mod 10^4
• Bob enters N_A and R into his purse, and checks it increments by X
• This was verified in a straightforward way using the BAN logic (see Protocols Workshop paper)

First protocol – bugs
• Bob now chooses a higher price Xʹ
• Bob generates new nonces, to find a collision: Mac_K(A, X, N_B, B) ≡ Mac_K(A, Xʹ, N_Bʹ, B) ≡ C mod 10^3
• Bob aborts all other trial transactions
• Bob then gives (N_B, C) to Alice, but on his SIM uses N_Bʹ and Xʹ.
• Thus, Alice pays X; Bob gets Xʹ > X
• Fix: R = Mac_K(A, N_A, X, N_B, B)
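
Why binding X directly into R matters, as an added Python sketch (not code from the DigiTally project) that checks what Bob's purse would accept under the original and the fixed response. Assumptions: HMAC-SHA256 stands in for Mac_K; the key, phone numbers, field encoding and nonce are constructed; C uses the field order from the first-protocol slide; and the collision search holds N_B fixed and varies only the amount, a simplification made here because R as written also takes N_B as input.

```python
import hashlib
import hmac

K = b"constructed-demo-key"         # constructed stand-in for the shared key K
A, B = "0711000001", "0722000002"   # constructed phone numbers


def mac(digits, *fields):
    """Mac_K over the fields, truncated to `digits` decimal digits."""
    msg = "|".join(str(f) for f in fields).encode()
    tag = hmac.new(K, msg, hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % 10 ** digits


def request_code(x, nb):
    """C = Mac_K(B, A, X, N_B) mod 10^3."""
    return mac(3, B, A, x, nb)


def response_original(na, x, nb):
    """R = Mac_K(A, N_A, C, N_B, B) mod 10^4: X enters only through C."""
    return mac(4, A, na, request_code(x, nb), nb, B)


def response_fixed(na, x, nb):
    """R = Mac_K(A, N_A, X, N_B, B) mod 10^4: X is bound directly."""
    return mac(4, A, na, x, nb, B)


def colliding_amount(x, nb, limit=100_000):
    """Smallest X' > X whose 3-digit request code equals that of X."""
    c = request_code(x, nb)
    for x2 in range(x + 1, limit):
        if request_code(x2, nb) == c:
            return x2
    return None


def accepted_fraction(response, x_paid, x_claimed, nb, trials=1000):
    """Share of N_A values where a response for x_paid verifies for x_claimed."""
    hits = sum(response(na, x_paid, nb) == response(na, x_claimed, nb)
               for na in range(trials))
    return hits / trials


if __name__ == "__main__":
    x, nb = 400, 123
    x2 = colliding_amount(x, nb)
    print("X =", x, "X' =", x2, "shared C =", request_code(x, nb))
    print("original R:", accepted_fraction(response_original, x, x2, nb))
    print("fixed R:   ", accepted_fraction(response_fixed, x, x2, nb))
```

With the original R every response for X also verifies for the colliding amount; with the fixed R a match happens only by chance in the 4-digit truncation.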

Further design constraints
• Bob could try to add money to his SIM card by faking transactions with fake customers and just guessing the response R
• Bob can also try to fake transactions with real customers A, by keeping a record of their Mac_K(A, N_A, X, N_B, B) replies:
  – Bob can choose A and N_A
  – if the real Alice has already paid n times, then Bob finds some (N_B, R) to fake a transaction with prob n·10^−3
• Issue: most formal tools don’t track entropy!

Evolution 2: Delay-Tolerant Needham–Schroeder
• Banks happy with universal shared secrets only for small transactions. So what about big ones?
• Answer: turn the bug in the Needham-Schroeder (NS) protocol into a feature!
• A and B can ask for Sam’s help to establish K_AB
• Either of them starts NS protocol with Sam when connectivity is available, and gets encrypted K_AB
• Challenge: exchanging digits for the encrypted key, as 20 digits give you only 66 bits
• General mechanism for delay-tolerant networks?

Field trial
• Initial usability study with Joe Sevilla and Lorna Mutegi, Strathmore University, Nairobi
• Three outlets:
  – Bookshop (one till, quiet)
  – Coffee shop (two tills, bursty traffic)
  – Cafeteria (five tills, madly busy at mealtimes)
• We anticipated problems at the cafeteria!
• Twelve students (split male/female, arts/science, urban/rural)

What we found
• It worked fine in the bookshop, as expected
• The coffee shop staff didn’t like it as they were making coffee and also taking money
• The cafeteria staff, to our surprise, strongly preferred it to M-Pesa!
• They did not have to wait about a minute for the confirmation SMS to come through
• Full usability study paper in preparation…

Pre-market research
• We talked to
  – the incumbent
  – the other phone company
  – the President’s office
  – and one bank that has been trying to establish its own mobile money system using overlay SIMs
• We then did market research in one of the richest towns (Thika) and one of the poorest (Busia)

What we found
• The rich county thought it an interesting tech, but of most use for controlling money
• The poor county thought it was awesome and could transform their lives
• The phone network is awful there, so phone payments are really hard
• However the incumbent phone company wants to maximise profits from its SIM space
• That means gambling apps, not offline payments

The project so far
• The Gates Foundation paid us to develop a tech to extend mobile payments offline
• We’ve done that, and it works – both in the lab and the field
• Deployment in Kenya looks hard for now
• We’ve been talking to phone and payment companies elsewhere, and to bodies like the World Food Programme

Why tools like this matter
• Perhaps something other than payment will be the killer app
• Pay-as-you-go solar energy is growing fast
• Delay-tolerant networks will be pervasive!
• Also, we’re now getting tamper-resistant devices and enclaves everywhere
• Lightweight shared-key crypto can be used for optimistic bootstrapping, rate control / DoS prevention

Lessons learned
• Build it and try it out!
• (My thesis adviser Roger Needham used to say ‘good research comes from real problems’)
• Start with the people, not the tech
• Look at needs, design for usability
• Ceremonies – protocols with human participants – are worth systematic study
• Short message authentication protocols are a surprisingly common example
• Ask: can I do more with less?

Deeper lessons learned
• Economic incentives determine not just security, but deployability too
• Institutions matter, and regulation
• Open disruptive technology is about defeating regulation so as to replace tired institutions
• Ask: “what’s the source of market power?”
• Here, it’s not just network effects; a short resource the ability to turn cash into electrons
• The incumbent saw off a bitcoin challenger!
• Finally – think through the ethics

More
• More on DigiTally at the project web page http://www.cl.cam.ac.uk/~kabhb2/DigiTally/
• More on the security group at http://www.cl.cam.ac.uk/research/security/
• More on bank fraud in our blog http://www.lightbluetouchpaper.org
• And get my book on security engineering from http://www.cl.cam.ac.uk/~rja14/book