Professional Documents
Culture Documents
1007/s10207-004-0063-7
Abstract. We analyzed two non-repudiation protocols forwarded by the TTP and the encrypted message is
and found some new attacks on the fairness and termina- directly transferred to the recipient. Based on this ap-
tion property of these protocols. Our attacks are enabled proach, several protocols and improvements have been
by several inherent design weaknesses, which also ap- proposed. Recent evolution of these protocols has re-
ply to other non-repudiation protocols. To prevent these sulted in efficient, optimistic [3, 4] versions where the
attacks, we propose generic countermeasures that con- TTP is involved only if something goes wrong and re-
siderably strengthen the design and implementation of solve and abort subprotocols are supposed to guarantee
non-repudiation protocols. The application of these coun- that every party can complete the protocol in time with-
termeasures is finally shown by our construction of a new out having to wait for actions of the other potentially
fair non-repudiation protocol. malicious party [14, 25, 26]. These protocols only require
that the communication channels to and from the TTP be
Keywords: Security protocols – Fair non-repudiation – asynchronous, i.e., that messages be delivered after an ar-
Protocol design – Protocol analysis bitrary but finite amount of time. As no messages are lost,
this guarantees a response from the TTP in the resolve
and abort subprotocols.
Remarkably, many of the proposed protocols do not
1 Introduction satisfy all security properties they are supposed to pro-
vide. Possible attacks are not based on the underlying
In many applications for electronic business and other ideas but are enabled by several inherent design weak-
binding telecooperations one essential security require- nesses involving details of the realization. This observa-
ment is that either all parties reach their goals or no tion has motivated the development of the design princi-
party reaches its goal. In other words, the protocols ples proposed in this paper.
have to provide fairness [2]. Furthermore, undeniability The remainder of the paper is organized as follows.
of an exchange of data may be required for commercial After defining fair non-repudiation with timeliness we
transactions. While non-repudiation [23] can be pro- demonstrate attacks on two protocols for efficient fair non-
vided by standard cryptographic mechanisms like digital repudiation with timeliness. Some of these attacks are re-
signatures, fairness is more difficult to achieve. A var- lated to previously published ones [9, 13]. Next, the design
iety of protocols has been proposed in the literature to weaknesses enabling the attacks are discussed, and design
solve the problem of fair message transfer with non- principles to avoid these known attacks are proposed. Fi-
repudiation. One possible solution comprises protocols nally, we introduce a new efficient protocol that has been
based on a trusted third party (TTP) with varying de- developed in accordance with our design principles.
grees of involvement. In early published protocols, the
messages were forwarded by the TTP [10]. A more effi-
cient solution was proposed by Zhou and Gollmann [27]. 2 Fair non-repudiation respecting timeliness
Here, the TTP acts as a lightweight notary. Instead of
passing the complete message through the TTP and thus This paper concentrates on message transfer protocols
possibly creating a bottleneck, only a short-term key is with certain security properties: Party A sends message
254 S. Gürgens et al.: On the security of fair non-repudiation protocols
M to party B such that A can prove that B has received Security goal for A: Fair non-repudiation of receipt
M (non-repudiation of receipt) and B can prove that A At any possible end of the protocol execution from A’s
has sent M (non-repudiation of origin). Furthermore, the point of view either A owns a valid EOR by B for message
protocol should not give the originator A an advantage M or B has not received M and B has no valid EOO by A
over recipient B, or vice versa (fairness), and both parties for M .
should be able to reach, without depending on the other Security goal for B: Fair non-repudiation of origin
party’s actions, a state where they can stop the protocol At any possible end of the protocol execution from B’s
while preserving fairness. point of view either B has received M and owns a valid
Nonrepudiation of origin and non-repudiation of re- EOO by A for M or A has no valid EOR by B for M .
ceipt require evidence of origin (EOO) and evidence of Security goal for A and B: Timeliness At any pos-
receipt (EOR). All parties participating in the protocol sible state in the protocol execution each party can com-
have to agree that these evidences constitute valid proofs plete the protocol without any action of other untrusted
that the particular receive or send event has happened. In parties.
case of a dispute an arbitrator or judge has to verify EOO
and EOR. Therefore, for every non-repudiation protocol This definition of fair non-repudiation protocols is
one has to specify what exactly constitutes valid EOO closely related to certified e-mail protocols [4, 7, 11, 15].
and EOR. This can be done by specifying the verification The substantial difference between both kinds of fair ex-
algorithm the judge has to execute in order to verify the change protocols is the fact that the evidence of origin
evidence for dispute resolution. for the message is optional in certified e-mail protocols.
Even in fair non-repudiation protocols there are in- All other requirements for certified e-mail match those for
termediate states where one party seems to have an ad- non-repudiation protocols. Thus, non-repudiation proto-
vantage, for example, if a TTP has transmitted evidence cols as defined above are a generalization of certified e-
first to one party and the other party is still waiting for mail protocols and can be applied to a certified e-mail
the next step of the TTP. We say a protocol is fair if scenario in a straightforward manner.
at the end of the protocol execution no party has an ad-
vantage over the other party. This means that if there is
3 Attacks on two non-repudiation protocols
an unfair intermediate situation for one party, this party
must be able to reach a fair situation without the help of In this section we show different attacks on two non-
other untrusted parties. For any party P we say a protocol repudiation protocols that are supposed to provide fair-
execution has ended for P if either P has executed all pro- ness and respect timeliness. One protocol was proposed
tocol steps or any remaining protocol step depends on the by Zhou et al. [25, 26] and has already been analyzed and
execution of protocol steps by other untrusted parties. We improved in [9]. The second protocol is a very similar
say a protocol execution is completed for P if the protocol one proposed by Kremer and Markowitch [14, 17]. This
execution has ended and P can be sure that no action by protocol has been analyzed in [18]. Several other proto-
any other party enables P to continue with the protocol cols [15, 16, 20–22] build on this protocol. Both protocols
execution. (which we will henceforth call ZDB protocol and KM pro-
In this paper we consider a refined version of the tocol, respectively) use an offline TTP, i.e., a TTP that is
definition of fair non-repudiation with strong fairness and involved only in case of incorrect behavior of a malicious
timeliness by Kremer et al. [17], according to which strong party or of a network error. The basic idea of the main
fairness is achieved if either A receives EOR and B re- protocol part not involving the TTP stems from [27]. The
ceives M and EOO or neither party receives any valuable structure of the two protocols is very similar. However,
information. Our definition takes into account the worst small details in the protocol design permit several differ-
case in which message M is considered to be valuable in- ent attacks. Both protocols are designed to provide fair
formation for B. In case knowledge of M is irrelevant, the non-repudiation with timeliness as described in Defin-
definition can easily be relaxed. We specify the security ition 1, and both realizations are based on the same ideas.
goals relative to the role in the protocol. The security goal
of the originator of a message has to be satisfied in all sce-
narios where the originator acts in accordance with the 3.1 The general idea
protocol specification while the recipient may act mali-
ciously. In contrast, the security goal of the recipient has – Party A generates a label L the purpose of which is to
to be satisfied in scenarios where the originator can act link all protocol messages.
maliciously. – In the first step of the main protocol, message M is sent
to B encrypted using a symmetric key K computed by
Definition 1. A message transfer protocol for origina- A: C = eK (M ). Only after evidence of origin (EOOC )
tor A and recipient B provides fair non-repudiation with and receipt for C (EORC ) are exchanged, A sends K
timeliness if the following security goals are satisfied for all and EOOK to B. B can then decrypt C, resulting in M ,
possible messages M . and returns evidence of receipt for K (EORK ).
S. Gürgens et al.: On the security of fair non-repudiation protocols 255
– Two subprotocols abort and resolve involving a trusted Table 1. The ZDB protocol
third party TTP shall provide fairness and timeliness.
– The abort subprotocol can be invoked by A at any Exchange subprotocol
stage of the protocol. If no resolve has happened ear- 1. A→B : f1 ,f5 ,B,L,C,TTP,ETTP (K),
lier, the TTP confirms the abort and will answer any EOOC ,subK
future resolve request of a principal for this combina- 2. IF B gives up THEN quit ELSE
tion of A, B, and label L with the abort message. B→A : f2 , A, L, EORC
– Missing evidence of origin or receipt of key K and the 3. IF A gives up THEN abort ELSE
missing key itself can be obtained by either party by A→B : f3 , B, L, K, EOOK
using the resolve subprotocol. As the first message of 4. IF B gives up THEN resolve ELSE
the main protocol includes K encrypted with the pub- B→A : f4 , A, L, EORK
5. IF A gives up THEN resolve
lic key of the TTP (ETTP (K)), the TTP can extract
this key and therefore produce a signature conK that Abort sub-protocol which can only be performed by A
serves for B as evidence of origin of K, and for A as ev-
1. A → TTP : f7 , B, L, sigA (f7 , B, L)
idence of receipt of K. Furthermore, TTP can submit 2. IF resolved THEN
K to B. TTP → A : f2 , f6 , A, B, L, K, conK , EORC
ELSE
TTP → A : f8 , A, B, L, abort
3.2 The ZDB protocol
Resolve sub-protocol, where initiator U is either A or B
For the description of the ZDB protocol we use the follow-
1. U → TTP : f1 ,f2 ,f5 ,A,B,L,TTP,ETTP (K),
ing notation.
subK ,EOOC ,EORC
– M : message being sent from A to B 2. IF aborted THEN
– K: symmetric key generated by A TTP → U : f8 , A, B, L, abort
– M, N : concatenation of two messages M and N ELSE
– H(M, K): a one-way hash function applied to message TTP → U : f2 , f6 , A, B, L, K, conK , EORC
M and key K
– eK (M ) and dK (M ): encryption and decryption of
message M with key K f2 have been sent by U , these values are not required in
– C = eK (M ): committed ciphertext for message M the TTP’s response to U .
– L = H(M, K): label to link C and K
– f1 , f2 , . . . , f8 : message flags to indicate the purpose of
the respective message 3.3 The KM protocol
– ETTP (K) encryption of key K with TTP’s public key
– sigA (M ): principal A’s digital signature on message For the description of the KM protocol we use the same
M with A’s private signature key. Note that the plain- notation as for the ZDB protocol, and the following ones:
text is not recoverable from the signature, i.e., for – fEOOC , fEORC , fsub , . . . : message flags to indicate the
signature verification the plaintext needs to be made purpose of the respective message
available – EOOC = sigA (fEOOC , B, TTP, L, H(C)): evidence of
– EOOC = sigA (f1 , B, L, C): evidence of origin of C origin of C
– EORC = sigB (f2 , A, L, EOOC ): evidence of receipt of – EORC = sigB (fEORC , A, TTP, L, H(C)): evidence of
C receipt of C
– EOOK = sigA (f3 , B, L, K): evidence of origin of K – subK = sigA (fsub , B, L, ETTP (K)): evidence of sub-
– EORK = sigB (f4 , A, L, EOOK ): evidence of receipt of mission of K to the TTP
K – EOOK = sigA (fEOOK , B, L, K): evidence of origin of
– subK = sigA (f5 , B, L, K, TTP, EOOC ): evidence of K
submission of K to the TTP – EORK = sigB (fEORK , A, L, K): evidence of receipt of
– conK = sigTTP (f6 , A, B, L, K): evidence of confirma- K
tion of K by the TTP – RecX = sigX (fRecX , Y, L): recovery request
– abort = sigTTP (f8 , A, B, L): evidence of abortion – conK = sigTTP (fconK , A, B, L, K): evidence of confir-
– A → B : M : Party A sends message M with B being mation of K by the TTP
the intended recipient – abort = sigA (fabort , B, L): abort request
The protocol consists of one main exchange proto- – cona = sigTTP (fcona , A, B, L): evidence of abort
col and two subprotocols abort and resolve. The protocol confirmation
steps are shown in Table 1. The protocol also consists of one main exchange pro-
As already remarked in [12], there is some redundancy tocol and two subprotocols abort and resolve. The steps of
in the TTP’s response to resolve requests. As EORC and these three parts are shown in Table 2.
256 S. Gürgens et al.: On the security of fair non-repudiation protocols
Table 2. The KM protocol label L , the attack always succeeds. Thus, the protocol
is unfair for A (assuming that knowledge of M is valu-
Exchange subprotocol able information for B). This attack is not possible on
1. A→B : fEOOC ,fsub ,B,TTP,L,C,ETTP (K), the ZDB protocol because knowledge of K is necessary to
EOOC , subK generate a valid subK .
2. IF B gives up THEN quit ELSE
B→A : fEORC , A, TTP, L, EORC 3.4.2 Sending wrong subK or ETTP (K)
3. IF A gives up THEN abort ELSE
A→B : fEOOK , B, L, K, EOOK On the other hand, signing the plaintext K has the draw-
4. IF B gives up THEN resolve ELSE back that B is not able to check the validity of the sig-
B→A : fEORK , A, L, EORK nature subK . This enables a different attack on the ZDB
5. IF A gives up THEN resolve protocol published by Boyd and Kearney [9], which is not
Abort subprotocol, which can only be performed by A, possible on the KM protocol. By sending an invalid subK ,
but involves B as well A can prevent the termination of B.
Even the improved version proposed in [9], where
1. A → TTP : fabort , L, B, abort subK is included in EOOC , is susceptible to a similar at-
2. IF resolved OR aborted THEN stop ELSE
tack where A sends a wrong ETTP (K). Then the resolve
TTP → A : fcona , A, B, L, cona
TTP → B : fcona , A, B, L, cona
subprotocol stops with an error when started by B. This
again prevents B from terminating. However, A can con-
Resolve subprotocol, where X and Y are either A or B struct a resolve request with the correct encryption of the
key, which allows A to complete the protocol at any time.
1. X → TTP : fRecX ,fsub ,fEORC ,fEOOC ,Y ,
L,H(C),ETTP (K),RecX ,subK ,
In [24] Zhou proposed a variant that is designed to pre-
EORC ,EOOC vent the original Boyd and Kearney attack, but it fails to
2. IF aborted OR recovered THEN stop ELSE do so. Instead, this variant only works against our new
TTP → A : fconK ,fEORC ,A,B,L,K, attack.
conK ,EORC
TTP → B : fconK , A, B, L, K, conK 3.4.3 Reuse of labels and keys
has been settled in such a way that further disputes using these principles to security protocols in general, one
cannot occur. On the other hand, B will not keep has to check that they apply for the particular scenario.
incomplete evidence for a run that failed because of Naming participants, for example, might be inappropri-
a wrong label. ate in a scenario where anonymity is required.
– In the second protocol run A can send wrong ETTP (K) Another related article on implementing non-repudia-
and subK to prevent a successful resolve by B. tion protocols is written by Louridas [19]. This article
This attack may also be successful against related proto- concentrates on protocols with active TTP and provides
cols proposed in [9, 15, 24, 25]. Variants of this attack may rather high-level suggestions for protocol design. In con-
also be applied to optimistic multi-party non-repudiation trast, our design principles aim at the more efficient op-
protocols like [16, 21]. timistic protocols and give detailed advice on how to im-
Remark: The attack involves a risk for A. A has to reuse prove the security of these kinds of fair exchange protocols.
the key K, which is already known to B. Therefore, B Besides the importance of how to construct labels,
might be able to decrypt M after the first message of the messages, etc., it should be noted that a necessary prereq-
second protocol run and A would not get any evidence of uisite for any non-repudiation protocol to work is that the
receipt. However, assuming that A is the malicious party parties agree, in a verifiable way, on those message parts
and B the honest party being attacked, there is no rea- that constitute valid evidence of origin and receipt, re-
son to assume that B might try old keys to decrypt a new spectively. This includes the agreement on the particular
message. Furthermore, remembering all old protocol runs algorithms and modes to use for encryption and signature
and performing a check for every new protocol run would generation and verification.
be an undesirable overhead for B.
4.1 Unique labels
Verifiability: The creation of a label should be verifiable detects an error in the unsigned part of this message, it
by anybody. In other words, this means that all parties cannot determine the cheating party and thus fails to re-
can compute the label on their own and compare this solve such a conflict. This example shows that not only
result to the received label. the correct construction of a message must be verifiable,
Uniqueness: It should be ensured that a label uniquely but also the party responsible for an incorrect message
identifies a protocol run and the corresponding mes- should be detectable.
sages. Choosing the same label again must always re- The KM protocol [14, 17] suffers from another prob-
sult in an identical exchange. This can be ensured lem: The encrypted key can be reused in a different ex-
by deriving the label from all the information that change transaction. As the TTP cannot detect this kind
uniquely identifies this exchange transaction. of cheating, it can be misused as a decryption oracle, thus
Secrecy: The values that are used to compute the la- revealing the secret key even if it belongs to a different
bel must not reveal any additional useful information transaction.
about the exchanged items. This prevents the label
from leaking information. 4.2.2 Design principles
The possibility of identifying the intention of a mes- ment is also important for fault tolerance reasons, as
sage is important for the security of many protocols: a lost message can be retrieved from the TTP by re-
A standard attack is to use a message intended for step sending the previous request.
k in step k . This can be prevented (and is prevented by
all protocols mentioned above) by including unique flags
4.3.3 Examples
in the respective signatures. Otherwise, EOOC of the KM
protocol could be taken for EORC and vice versa, as the
The TTP has to check all items of a resolve request be-
only difference besides the flags is the party’s name in-
fore making any decisions. If they are correct and it can
cluded in the signature. Furthermore, a uniquely chosen
generate the desired items for both parties, the exchange
label L shows which exchange transaction this signature
should be resolved. If at least one item is not correct, the
belongs to. Thus, this label L should be incorporated in
TTP should either send a failure message or abort this ex-
every protocol message.
change. In case of abort, the TTP should try to determine
In contrast to signed messages that are relatively
who is responsible for this cheating attempt and then
easy to verify, an encrypted message can only be ver-
take the appropriate measures. For example, if one party
ified at decryption, which demands additional care for
creates an incorrect message and signs it, this proves its
such a construction. A good example is an encryption like
attempt to cheat. Then the TTP might decide to abort
ETTP (fK , L, K) that allows a decrypting TTP to recover
the exchange, even if this is unfair for the cheating party.
not only the key K, but also the flag fK and the label L.
But as fairness only has to be guaranteed to parties that
These values fK and L should then define the context in
execute the protocol correctly, this behavior against ma-
which the TTP is allowed to reveal the key K. To pre-
licious parties is consistent with the fairness definition.
vent attacks on such a ciphertext, the used encryption
The replies of the TTP should be implemented in such
scheme should provide non-malleability, i.e., it should be
a way that contacting the TTP a second time with the
impossible to modify this ciphertext to construct a differ-
same values results in the same answer as at the first time
ent meaningfully related ciphertext.
if the first request has already been successfully answered
(the ZDB protocol uses this feature). This can be imple-
4.3 TTP actions mented by simply remembering all previous decisions.
However, in practice the storage of the TTP is limited
4.3.1 Motivation
and the exchanged information cannot be remembered
In the ZDB and the KM protocols the TTP cannot fully infinitely. To overcome this problem, time limits can be
check the validity of the evidence that both parties want used, for example by adding the time parameters start
to exchange. This leads to the problem that the TTP may and duration to the label. We do not discuss this further
send some values that do not constitute valid evidence. in this paper.
But as the TTP is trusted by both parties, it should al-
ways send correct responses to these parties. 5 An improved asynchronous optimistic fair
In the KM protocol the TTP sends only once the re- non-repudiation protocol
sult of its conflict resolution to both parties. If one of
these parties does not store the respective message, it is In accordance with the guidelines proposed in the previ-
impossible to receive it from the TTP again. This leaves ous section, we construct a new asynchronous optimistic
such a party in a state of uncertainty, which should be fair non-repudiation protocol. We first give a short de-
avoided not only for fairness reasons but also for fault tol- scription of the protocol messages and then present our
erance reasons. improved protocol.
encryption and signature generation and verification is party is mentioned at the correct position in L. If any
assumed to be implicitly defined by naming the TTP. In of these checks fails, the evidence for message M is
case the parties have to negotiate the encryption algo- considered invalid.
rithms and parameters before the actual protocol starts,
protocol messages used for evidence need to be expanded
to contain the result of the negotiation in a verifiable way. 5.2 The fair non-repudiation protocol
However, specifying all protocol parameters and possible
Our protocol consists, like the KM and the ZDB proto-
encryption algorithms is beyond the scope of this paper.
cols, of a main part and two subprotocols for abort and
In accordance with our design principles for a unique
resolve. The main part performs the exchange of non-
label, in Sect. 4.1 we defined the label L = H(A, B, TTP,
repudiation evidence as described in Table 3.
H(C), H(K)). This label is verifiable by every party that
We consider equivalent a message that is not correct
knows A, B, TTP, C or H(C), and K or H(K). Further-
and one that is not received at all, as in both cases the
more, we have shown in Sect. 4.1 that it ensures secrecy
given actions for conflict resolution can be performed.
and uniqueness.
The purpose of the abort and resolve subprotocols is
Most protocol messages are signatures on a publicly
to resolve conflicts with the help of the TTP. They are ex-
known unique flag, a unique label identifying the current
ecuted mutually exclusively, which is ensured by the TTP
transaction, and the data to be signed. While the signa-
by remembering the previous actions for this label L. The
ture ensures authenticity of such a message, the label and
abort protocol is specified in Table 4.
the flag define the context to which this message belongs.
The validity of an abort request is checked in the following
– fK , fEOOC , fEORC , fEOO , fEOR , fcon , fabort , faborted : manner:
publicly known unique flags that indicate the purpose
1. Compute L = H(A, B, TTP, H(C), H(K)).
of a message
2. Check that party A (identified by the first value that
– K: symmetric key randomly chosen by A
is hashed for computing L) supplied a valid signature
– C = eK (M ): symmetric encryption of A’s message M
sigA (fabort , L). Only after this check succeeds does
– L = H(A, B, TTP, H(C), H(K)): unique label used to
the TTP execute this abort subprotocol.
link messages of one protocol run
– EK = ETTP (fK , L, K): key K encrypted with the The resolve protocol for party P ∈ {A, B} is defined
public key of the TTP. The asymmetric encryption in Table 5.
scheme must be non-malleable to prevent any modifi- The validity of a resolve request by party P is checked in
cations of the label L. This ensures that this cipher- the following manner:
text cannot be used in a different context
– EOOC = sigA (fEOOC , L, EK)
– EORC = sigB (fEORC , L, EK) Table 3. Our fair nonrepudiation protocol
– EOO = sigA (fEOO , L, K): evidence of origin issued by
A A→B : A, B, TTP, C, H(K), EK, EOOC
– EOR = sigB (fEOR , L, K): evidence of receipt issued B : Compute L and verify EOOC (if not OK,
quit exchange)
by B
B→A : EORC
– con = sigTTP (fcon , L, K): TTP’s replacement for evi-
A : Verify EORC (if not OK, start abort subpro-
dence of origin and receipt, respectively tocol)
– sigA (fabort , L): A’s request to abort an exchange A→B : K, EOO
– aborted = sigTTP (faborted , L): TTP’s decision to abort B : Test whether this constitutes a valid NRO
an exchange evidence (if not, start resolve subprotocol)
The goal of our protocol is to exchange non-repudiation B→A : EOR
evidence, which we define as follows: A : Test whether this constitutes a valid NRR
evidence (if not, start resolve subprotocol)
NRO evidence for message M = dK (C): A, B, TTP, C,
K, and EOO (in case of an exchange without TTP) or
con (with TTP involvement).
Table 4. The abort subprotocol for party A
NRR evidence for message M = dK (C): A, B, TTP, C,
K, and EOR (in case of an exchange without TTP) or
A → TTP : A, B, H(C), H(K), sigA (fabort , L)
con (with TTP involvement). TTP : If A has sent a valid abort request:
These evidences can be checked by any party with the fol- If the exchange has been resolved:
lowing steps: TTP → A : con
1. Compute M = dK (C) and Else // exchange not resolved
L = H(A, B, TTP, H(C), H(K)) TTP → A : aborted
If A has sent an invalid request:
2. Check signature EOO or con (or EOR or con in the
TTP → A : Error: invalid request
case of NRR evidence). Then check that the signing
S. Gürgens et al.: On the security of fair non-repudiation protocols 261
Table 5. The resolve subprotocol can be started by A or B Making the NRR evidence transparent requires a ma-
jor modification to our protocol. The idea for such a so-
P → TTP : A, B, H(C), H(K), EK, EOOC , EORC lution is to enable TTP to generate a modified signature
TTP : If P has sent a valid request: EOR. This can be achieved with cryptographic primitives
If the exchange has not been aborted: like verifiable encryption (e.g., [5, 6]) or convertible signa-
If the exchange has been resolved
tures (e.g., [8, 20]).
before or decrypting EK succeeds:
TTP → P : K, con
If decrypting EK fails (A cheated 5.3.2 Message confidentiality
and no resolve happened yet):
TTP → P : aborted Our protocol can ensure message confidentiality if A
Else // exchange aborted sends C to B using an encrypted channel (e.g., SSL/TLS).
TTP → P : aborted Then even the TTP cannot learn anything about the ex-
If P has sent an invalid request: changed message M .
TTP → P : Error: invalid request
6 Conclusions
1. Compute L = H(A, B, TTP, H(C), H(K)).
2. Check that EOOC and EORC are valid signatures In this paper we have discussed the analysis of two dif-
generated by the parties named in the first and second ferent non-repudiation protocols that are supposed to be
message items, respectively. Only after these checks fair and provide timeliness but fail to do so. Our analysis
succeed does the TTP execute this resolve subprotocol has shown that the KM protocol is unfair for the origina-
for P . tor A, that the ZDB protocol does not provide timeliness
for the recipient B, and that both protocols allow an at-
The success of decrypting EK is checked as follows:
tack that makes them unfair for B. The attack on the KM
1. The TTP decrypts EK using its private key: protocol that results in unfairness for A is possible be-
DTTP (EK) = (fdecrypt, Ldecrypt, Kdecrypt) cause the context of the key K encrypted for the TTP
2. Check that fdecrypt ≡ fK , that Ldecrypt ≡ L, and that is not determined, which enables B to use this message
Kdecrypt was used to compute L. If any of these checks part in a different protocol run. The ZDB protocol allows
fails, the TTP considers the decryption of EK unsuc- A to send some signature not being verifiable by B, thus
cessful. This means that A must have generated an hindering B from performing a successful resolve subpro-
incorrect EK on purpose (i.e., A must have tried to tocol. Finally, the attack possible on both protocols uses
cheat) since EK is contained in A’s signature EOOC . the fact that, although all signatures contain the same la-
After the TTP processes a valid request for conflict reso- bel, the evidence of origin and receipt of ciphertext C and
lution, it has to store either (L, state=aborted, aborted) evidence of origin and receipt of K are in fact not con-
or (L, state=resolved, K, con) forever. If the TTP de- nected, thus allowing the latter to be valid in more than
tects an invalid request, it just notifies the sender but one protocol run.
does not store anything about it. All this considered, the Motivated by our analysis, we have presented coun-
TTP’s reactions guarantee a response to every request, termeasures to these attacks that serve as general design
and its decision clearly determines whether an exchange principles for fair exchange protocols. Finally, we have
is aborted or resolved. presented our own protocol that does not allow the at-
tacks possible for the KM and ZDB protocols. Our pro-
5.3 Protocol extensions tocol is very efficient, as the main protocol part only re-
quires one signature per message, and EOO and EOR
5.3.1 Transparent TTP consist of only one signature each. Furthermore, only the
first protocol message is dependent on the length of mes-
Our protocol can be modified to make involvement of the sage M , which ensures that even the exchange of very
TTP transparent for party B, which means that the NRO long messages has just a minimal impact on the efficiency
evidence always looks the same – regardless of whether of our protocol.
or not the TTP was involved. We simply define EK as
follows:
References
EK = ETTP (fK , L, K, EOO) .
1. Abadi M, Needham R (1996) Prudent engineering practice for
cryptographic protocols. IEEE Trans Softw Eng 22(1):6–15
In the resolve protocol the TTP decrypts DTTP (EK) = 2. Asokan N (1998) Fairness in electronic commerce. PhD thesis,
(fdecrypt, Ldecrypt, Kdecrypt, EOOdecrypt ) and additionally University of Waterloo, Canada
checks that this EOO is A’s signature on (fEOO , L, K). If 3. Asokan N, Schunter M, Waidner M (1997) Optimistic pro-
tocols for fair exchange. In: Matsumoto T (ed) 4th ACM
all the checks are successful, the TTP will provide EOO conference on computer and communications security, Zürich,
instead of con in a resolve request by B. Switzerland, April 1997. ACM Press, New York, pp 6–17
262 S. Gürgens et al.: On the security of fair non-repudiation protocols
4. Asokan N, Shoup V, Waidner M (1998) Asynchronous 15. Kremer S, Markowitch O (2001) Selective receipt in certi-
protocols for optimistic fair exchange. In: Proceedings of fied e-mail. In: Progress in Cryptology – INDOCRYPT 2001,
the IEEE symposium on research in security and pri- Chennai, India, 16–20 December 2001. Lecture notes in com-
vacy, Oakland, CA, May 1998. IEEE Press, New York,hack puter science, vol 2247. Springer, Berlin Heidelberg New York,
pp 86–99 pp 136–148
5. Asokan N, Shoup V, Waidner M (1998) Optimistic fair ex- 16. Kremer S, Markowitch O (2003) Fair multi-party non-
change of digital signatures. In: Nyberg K (ed) Advances in repudiation protocols. Int J Inf Secur 1(4):223–235
Cryptology – EUROCRYPT ’98, Espoo, Finland, June 1998. 17. Kremer S, Markowitch O, Zhou J (2002) An intensive sur-
Lecture notes in computer science, vol 1403. Springer, Berlin vey of fair non-repudiation protocols. Comput Commun
Heidelberg New York, pp 591–606 25(17):1606–1621
6. Ateniese G (1999) Efficient verifiable encryption (and fair 18. Kremer S, Raskin J-F (2001) A game-based verification of
exchange) of digital signatures. In: Proceedings of the 6th non-repudiation and fair exchange protocols. In: CONCUR
ACM conference on computer and communications security 2001 – Concurrency Theory, Aalborg, Denmark, August 2001.
(CCS ’99), Singapore, November 1999. ACM Press, New York, Lecture notes in computer science, vol 2154. Springer, Berlin
pp 138–146 Heidelberg New York, pp 551–565
7. Ateniese G, Nita-Rotaru C (2002) Stateless-recipient certified 19. Louridas P (2000) Some guidelines for non-repudiation proto-
e-mail system based on verifiable encryption. In: Topics in cols. Comput Commun Rev 30(5):29–38
Cryptology – CT-RSA, San Jose, CA, 18–22 February 2002. 20. Markowitch O, Saeednia S (2001) Optimistic fair exchange
Lecture notes in computer science, vol 2271. Springer, Berlin with transparent signature recovery. In: Financial Cryptogra-
Heidelberg New York, pp 182–199 phy – FC 2001, Grand Cayman, British West Indies, 19–22
8. Boyd C, Foo E (1998) Off-line fair payment protocol using February 2001. Lecture notes in computer science, vol 2339.
convertible signatures. In: Advances in Cryptology – ASI- Springer, Berlin Heidelberg New York, pp 339–350
ACRYPT ’98, Beijing, China, October 1998. Lecture notes in 21. Markowitch O, Kremer S (2000) A multi-party optimistic non-
computer science, vol 1514. Springer, Berlin Heidelberg New repudiation protocol. In: Information Security and Cryptology
York, pp 271–285 – ICISC 2000, Seoul, Korea, December 2000. Lecture notes in
9. Boyd C, Kearney P (2000) Exploring fair exchange proto- computer science, vol 2015. Springer, Berlin Heidelberg New
cols using specification animation. In: Information Security York, pp 109–122
– ISW 2000, Wollongong, Australia, December 2000. Lecture 22. Markowitch O, Kremer S (2001) An optimistic non-repudiation
notes in computer science, vol 1975. Springer, Berlin Heidel- protocol with transparent trusted third party. In: Information
berg New York, pp 209–223 Security – ISC 2001, Malaga, Spain, October 2001. Lecture
10. Coffey T, Saidha P (1996) Non-repudiation with mandatory notes in computer science, vol 2200. Springer, Berlin Heidel-
proof of receipt. ACM SIGCOMM Comput Commun Rev berg New York, pp 363–378
26(1):6–17 23. Zhou J (1996) Non-repudiation. PhD thesis, University of
11. Deng RH, Gong L, Lazar AA, Wang W (1996) Practical London, December 1996
protocols for certified electronic mail. J Netw Syst Manage 24. Zhou J (2001) Achieving fair non-repudiation in electronic
4(3):279–297 transactions. J Organiz Comput Electron Commerce 11(4):
12. Ferrer-Gomila JL, Payeras-Capellà M, Huguet i Rotger L 253–267
(2000) An efficient protocol for certified mail. In: Information 25. Zhou J, Deng R, Bao F (1999) Evolution of fair non-
Security – ISW 2000, Wollongong, Australia, December 2000. repudiation with TTP. In: Information Security and Privacy
Lecture notes in computer science, vol 1975. Springer, Berlin – ACISP ’99, Wollongong, Australia, 7–9 April 1999. Lecture
Heidelberg New York, pp 237–248 notes in computer science, vol 1587. Springer, Berlin Heidel-
13. Gürgens S, Rudolph C (2002) Security analysis of (un-) fair berg New York, pp 258–269
non-repudiation protocols. In: Formal Aspects of Security 26. Zhou J, Deng R, Bao F (2000) Some remarks on a fair ex-
2002 – BCS FASec 2002, London, UK, 18–20 December 2002. change protocol. In: Public Key Cryptography – PKC 2000,
Lecture notes in computer science, vol 2629. Springer, Berlin Melbourne, Australia, January 2000. Lecture notes in com-
Heidelberg New York, pp 97–114 puter science, vol 1751. Springer, Berlin Heidelberg New York,
14. Kremer S, Markowitch O (2000) Optimistic non-repudiable in- pp 46–57
formation exchange. In: Biemond J (ed) 21st symposium on 27. Zhou J, Gollmann D (1996) A fair non-repudiation proto-
information theory in the Benelux, Wassenaar, The Nether- col. In: Proceedings of the IEEE symposium on security and
lands, May 2000, Werkgemeenschap Informatieen Communi- privacy, Oakland, CA, May 1996. IEEE Press, New York,
catietheorie, Enschede, pp 139–146 pp 55–61