xi by fanzhongqing

VIEWS: 11 PAGES: 4

									               STUDY ABOUT THE SECURITY OF E-CHEQUE PAYMENT
            BASED ON DIGITAL WATERMARKING AND DIGITAL SIGNATURE
                        Liang Qinglong1 Zhang Lincong2 Dai Hua2 Xie Jun2 Li Binfa2
            1 School of Economic Information Engineering, Southwest University of Finance and Economy
                                  2School of Computer Science, Sichuan University
Abstracts: The security problems of E-cheque payment in E-business are studied in this paper. Based on the analysis
of the developing circumstance and the security gap of it, a security guarantee system combining digital
watermarking and digital signature is proposed. Both of the entity authentication and watermarking content
authentication make it impossible to gain unauthorized access to E-cheque, to edit or forge it. According to the
analysis of this system, the security, creditability and authenticity of the E-cheque could be achieved by it.
Keywords: E-cheque, digital watermarking, digital signature, semi-fragile watermarking
      With the fast development of the e-commerce,                  (1) The seller and buyer decide to use
the turnover of e-commerce is booming [1]. Online              E-cheque, and confirm each other’s identity via
payment, which is the key of the e-business,                   CA;
attracts more and more attention. And E-cheque,                     (2) The buyer signs digitally on the E-cheque
being one of the most important means of                       using his/her private key.
online-payment, becomes a hotspot. It is able to                    (3) The buyer encrypts E-cheque using the
transfer money between bank accounts, just like                seller’s public key, so the buyer becomes the
what the traditional cheque does. It could achieve             unique authorized receiver of the E-cheque.
all functions of the traditional cheque via Internet                (4) The buyer sends the E-cheque to the seller
or wireless equipments. E-cheque is delivered                  via network.
through the network, so it is very fast and reduces                 (5) The seller decrypts the E-cheque using
the clients’ loss to the lowest level. Meanwhile the           his/her own private key.
bank can provide standardized fund information                      (6) The seller confirms the buyer’s digital
for the clients who were involved in the                       signature using the buyer’s public key.
e-commerce. Public Key Infrastructure is used in                    (7) The seller confirms the E-cheque via the
the current E-cheque; it can achieve basic payment             bank system.
privacy, reliability and integrity, and resolves the                (8) The seller delivers the goods to the buyer
problem of forgery in a certain degree, which                  or provides service.
often happens when using traditional cheque.                        The process is shown in Fig.1
1.  E-cheque Payment System Based on
    Digital Signature                                             Buyer                            E_cheque               Seller
1.1 Current E-cheque System
                                                                                                                  ify
      Public Key Infrastructure based on digital                                            V eri f y         Ver
                                                                     Notification




                                                                                                                            E_cheque




signature is prevalent in current E-cheque system.
Because of the use of asymmetry cryptosystem,                                                           CA
the system includes the seller, the buyer of the                                                   fy         Veri
E-cheque, the bank system and a third-party CA                                              Veri                     fy

(Certification Authority). The system user’s                     Bank of                                                  Bank of
                                                                  Buyer                            E_cheque                seller
identity certification is digital, and every party
should apply for a unique copy. CA is responsible
for the dispatchment and management of digital                                      Fig.1   system for e-cheque paying
certification. Before the transaction for system                                             based on digital signature
users, they should establish a reliable connection             1.2 Process of Digital Signature
via CA using each other’s digital certification.                    (1) The sender prepares the plain digital
Thus, digital signature and encrypted conversation             message to be transferred.
confirm the legal transaction and authentic                         (2) The sender applies a Hash algorithm to
contents.                                                      the plain message and gets the message digest of
      Here is the implementation process of the                it.
system:                                                             (3) The sender encrypts the digest with his
                                                               private key, gets the digital signature, and attaches
it to the message.                                      and digital signature, which could satisfy the
       (4) The sender generates a DES key randomly,     above requirements.
and encrypts the message with this key, thus forms      2.  E-cheque Payment System Combined
the cryptograph.                                            With Digital Watermarking and Digital
       (5) The sender encrypts the DES key, using           Signature
the receiver’s public key, and then sends the           2.1 Security of Digital Certification
encrypted DES key and the cryptograph to the                  Just as the former system, CA manages
receiver.                                               Users’ certifications. Digital certifications are used
       (6) The receiver gets the encrypted DES key      to identify online trading participators’ identities;
and the cryptograph, and then decrypts the DES          they are the identity cards for individuals or
key with his private key to obtain the DES key.         organizations involved in online business.
       (7) The receiver decrypts the cryptograph        Therefore, a security guarantee mechanism is
using DES key to obtain the plain message, and          needed for the dispatchment and management of
then drops the DES key.                                 certifications, and there are many papers related to
       (8) The receiver decrypts the sender’s digital   the subject. [3] [4]
signature using the sender’s public key to obtain       2.2 Digital Watermarking
the message digest. The receiver applies the same             Digital watermarking is a technique for
Hash algorithm as the sender used to the received       embedding information into the insensitive carrier
message to create a new message digest.                 data (e.g. image) using certain algorithms, without
       (9) The receiver compares the message digest     affecting the carrier’s content and usage, and
from the sender with this new one, to judge             human being cannot detect the information. Only
whether the message has been modified or not. [2]       specialized detecting tools or software could
1.3 Security Analysis of the System                     apperceive the hidden digital watermark. Thus, it
      The payment system based on digital               could avoid hostile attacks. At present, most of the
signature basically satisfies the following             watermarking solutions adopt symmetric system
requirements: (1) the sender can’t deny his signing;    of cryptology.
(2) the receiver can’t deny his receiving; (3) the            Because of the requirements of information
integrity of the information transferred is ensured.    imperceptibility and integrity, Semi-fragile
      But the digital signature itself would be         watermarking is introduced into this system.
attached to the E-cheque to be sent, so this            Semi-fragile watermarking is a kind of
transmission risks detection by unauthorized            watermarking technique that can suffer reasonable
parties. Though this could be resolved by               distortion (e.g. JPEG compressing), and would be
encrypting the plain text with traditional              damaged by unreasonable distortion. [5] It brings
encryption technique, it is not so reliable, because    content authenticity, integrity verification, as well
of the rapid improvement of software technique          as imperceptibility. Therefore it ensures that even
and computer hardware, it is possible to decrypt        the watermark is attacked, it wouldn’t be modified
the cryptograph. Even the hackers are not able to       at all. It could be used to identify if the image has
decrypt it, they may resend the information after       been tampered, destroyed, thus make sure of the
tampering it, and thus make the receiver could not      authenticity of image content, and the embedded
get the original information.                           information could be extracted without loss.
      According to this analysis, a much more           Because of these advantages, semi-fragile
reliable payment system should satisfy the              watermarking can be combined with digital
following requirements.                                 signature to build up a more secure E-cheque
      (1) Identity verification; the security of the    payment system.
authorized users’ application for digital               2.2.1 A Possible Algorithm
certification.                                                For      semi-fragile    watermarking,      the
      (2) Content certification; the integrity of the   watermark should be validate when below certain
information and the authentication.                     critical value, and invalidated when above the
      (3) Protection of sensitive information during    value. Semi-fragile watermarking can be achieved
the transfer process.                                   through carefully adjustment of the robust
      As a resolution, we propose an E-cheque           watermarking after it becomes anamorphic to a
payment system based on digital watermarking            certain degree. [6][7] An example is described here:
Design the watermarking according to the                   each other’s identity.
quantification characteristic, let x ◊ q stand for                ①Both sides decide to trade, and pay in
quantifying x to quantification step length q’s            E-cheque.
integer multiple:                                                 ②Both sides establish conversation with CA,
                   x ◊ q=q[x/q+.5]                         and send requests to ask for identity verification.
      If a stands for integer scalar, q1 & q2 are                 ③Both sides use their own private key to
quantification length and q1<=q2, thus:                    encrypt digital certification, which form a digital
               ((a◊q1) ◊q2) ◊q1)=a◊q1                      envelop, then send it to CA.CA decrypts their
      it means that quantify a to q1’s even multiple,      envelope with their public keys, in order to
then quantify it with q2, as long as q1<=q2, the           identify their identity. The trading procedure will
result could be quantified with q1 to counteract the       continue if nothing is wrong.
impact of quantification of q2. [8]                        (2) A requests BkA for an E-cheque
2.2.2 Watermark embedding procedure                              ① A establishes conversation with BkA,
      On the payer side, when the user wants to            requests a E-cheque. Then A signs digitally on
make an payment by online E-cheque, he should              E-cheque and encrypted with BkA Key. After that
obtain a E-cheque through local computers or               A takes the encrypted cheque and digital envelope
POPs, including the same information as normal             as watermark, using the bank’s Key’ as password
cheque and user’s digital signature, certificate, etc.     to embed into the image, and then sends the image
This system adopts asymmetrical keys as                    to BkA.
watermark embedding and extracting key, [9] [10]                 ②After BkA receives the image, it extracts
the payer uses the payee’s key to embed E-cheque           the watermark using its Key and special software.
into the carrier image, to ensure the secrecy, safety,     When the validation of watermark’s integrity is
invisibility and integrity of communication.               done, it decrypts the digital envelope to identify
      The embedding procedure is shown in Fig.2:           A’s identity. If A is authorized, then BkA decrypts
                                                           the cheque with its Key. If the signature were right,
    E-cheque                                               A’s payment ability would be checked. If all right,
                     Embedding
                                       Watermarked image   BkA generates an E-cheque on A’s demand.
                      algorithm
  Relevant key                                                    ③BkA signs on the E-cheque, and encrypts
                                                           it with A Key’, then uses it as watermark, BkA
                                                           Key as password to embed into the image, and
       Fig.2 Watermark embedding procedure                 then sends the image to A.
2.2.3Extaction and verification of digital                 (3) Delivering E-cheque from A to B through CA
watermarking                                                      ① A extracts watermark with BkA Key’,
     When extracting, the payee uses his own key           after validating the integrity of watermark, and
and watermarked image as inputs of extraction              then decrypts E-cheque with A Key. If the content
algorithm to extract related characteristic value,         is all right, A signs on the E-cheque and encrypts it
and compares it with the threshold. If the                 with B Key’, then together with digital envelope
percentage is bigger than the threshold, it had not        as watermark, CA Key’ as password, to embed
been modified, and then extracts the E-cheque to           them into the carrier image, and then sends it to
be processed.                                              CA.
                                                                  ②CA extracts watermark with CA Key, after
    Watermarked image
                          Embedding
                                                           validating, identify A’s identity according to the
                           algorithm        E-cheque       digital envelope.
      Relevant Key                                                ③CA uses E-cheque as watermark, B Key’
                                                           as password to embed the E-cheque into the
       Fig.3 Watermark extracting procedure                carrier image, then sends it to B.
2.3 Improved Payment System                                       ④B extracts watermark with B Key, after the
     To describe the scene, let A stand for payer,         validating, decrypts it with B Key, after the
B for payee, BkA for the bank of payer, BkB for            signature being checked, sends confirm
the bank of payee; Key for private key, Key’ for           information to CA.
public key.                                                       CA’s participation monitors both sides’
(1) Authenticating process among A,B,CA, to identify       trading processes, thus makes the whole procedure
undeniable, and ensures the security of system.                                     BkA. If everything is ok, BkB ask BkA for
(4) B interacts with BkB, to verifies the E-cheque                                  transfer or batch transfer after a certain time.
      ① establishes conversation with BkB,
        B                                                                                 ④ BkB sends message of the completed
requests for authentication of E-cheque. Then B                                     payment to B; B sends this information to CA, and
signs on the cheque, and encrypts it with BkB                                       provides goods or service according to contract;
Key’, together with digital envelope as watermark                                   CA puts this transaction on record. So, that’s the
information and BkB Key’ as password to embed                                       whole process of trading.
the watermark into the carrier, and then sends it to                                      In conclusion, this E-cheque payment system
BkB.                                                                                covers two function modules: the pivotal
      ②BkB extracts watermark with BkB Key,                                         information is imperceptible and data integrity
after the validating, BkB identifies B by digital                                   authentication is achieved. The whole system has
envelope.                                                                           the advantages of security, scientific operation and
      ③ BkB decrypts the cheque, validates the                                      efficiency. A description for part of its procedure is
cheque and inquires A’s payment capability from                                     shown in Fig.4
                    Watermarked                                                       Private
       Watermark                                  Internet                          key of BkA
                      image                                                                                Private key
       embedding
                                                                        Watermark           Encrypted        of BkA

            Original image
                               +       Public key of
                                           BkA
                                                                    N   verification
                                                                                Y
                                                                                              check
                                                                                                 E_cheque                   Check
                                                                                                                           A’accout
                                                                                                                                           N

                                                                Public                          verification
                                       Digital envelop                          Digital
                                                               key of A         envelop
                                        encryption                        Certification          Y
              encryption
                                                                    N     verification                  Watermark           Creating
         Private      Information Private                                                     Public
                                                                                                        embedding          E_cheque
                                               Certification
         key of B     of cheque key of A                                            Original
                                                                                             key of A                            Digital
                                                   of A                              image
                       after digital                                                                                             signed
                       signed
                                                         Internet                          +            Y
                                                                                                              encryption
                                                                                                                            Public
                                                                                                                           key of A
                      A                                                                          BkA
      Fig.4 Part of Secure system for E-cheque paying based on semi-fragile watermarking and digital signature
2.4 Analysis of Security                                                            error code and loss compression would lead to
      This system introduces digital watermarking                                   quality loss. These changes are invisible, so it
into the payment system, which was based on                                         would cause wrong judgments in systems only
digital signature. The integrity and the                                            based on digital signature. But for this System,
imperceptibility of semi-fragile watermark make                                     wrong judgments could be avoided by semi-fragile
the payment process of E-cheque to be more                                          watermarking. Studies about adopting digital
secure. Although it would take a little time to                                     watermarking in payment system are still at
embed and extract the watermark, the security of                                    primary stage, so there are still a lot of works to do.
the new system has been greatly improved.                                           The security gap and some unknown attacks of the
3.   Conclusion                                                                     system need to be discovered , analyzed and
      E-cheque has some obvious advantages over                                     studied.
other means; it is highlighted by the present                                       Bibliography
e-business research. Since it is proper for large                                   Choist, Whinston AB. The future of E-Commerce:
amount of bankroll flows, its security problems                                        integrate and customize. IEEE computer
seem to be critical. In this paper, we make use of                                     1999,32(1):133~138
semi-fragile watermarking to design an E-cheque                                     Schneider M, Chang SF. A robust content based
payment system based on digital watermarking                                           digital signature for image authentication. In:
and digital signature, and thus ensure that the                                        Proceedings of the IEEE International
E-cheque won’t be easily detected when                                                 Conference on Image Processing, Vol 3.
transferred via network, or even be attacked, it                                       Lausanne: IEEE Computer Society Press, 1996.
would be impossible to be decrypted; and because                                       227~230.
of its vulnerability, it is also impossible to be                                   Housley R . , Polk W ., Solo D. RFC 2459,
tampered. And what’s more, channel transmission                                        IFTF ,January 1999.

								
To top