A calculus for cryptographic protocols: the spi calculus
Proceedings of the 4th ACM conference on Computer and communications security
Notes on Nominal Calculi for Security and Mobility
FOSAD '00 Revised versions of lectures given during the IFIP WG 1.7 International School on Foundations of Security Analysis and Design on Foundations of Security Analysis and Design: Tutorial Lectures
| Hi-index | 0.00 |
Recently, two major bankcard payment instrument operators VISA and MasterCard published specifications for securing bankcard payment transactions on open networks for open scrutiny. (VISA: Secure Transaction Technology, STT; MasterCard: Secure Electronic Payment Protocol, SEPP.) Based on their success in operating the existing on-line payment systems, both proposals use advanced cryptographic technologies to supply some security services that are well-understood to be inadequate in open networks, and otherwise specify systems similar to today's private-network versions. In this paper we reason that when an open network is used for underlying electronic commerce some subtle vulnerabilities will emerge and the two specifications are seen not in anticipation of them. A number of weaknesses are found as a result of missing and misuse of security services. Missing and misused services include: authentication, non-repudiation, integrity, and timeliness. We identify problems and devise solutions while trying to keep the current successful working style of financial institutions being respected.