[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Bootstrapping Trust in SET

This essay addresses some of the issues of trust that keep coming up.  It
also addresses David P. Kemp question:
>I'd like to see your proposal for converting wetware shared secrets
>into a cryptographic shared secret, reliably and with more than a
>trivial number of bits.

>The Secure Electronic Transaction (SET) protocol is being developed by 
>Visa and Mastercard with the assistance of GTE, IBM, Microsoft, Netscape, 
>SAIC, Terisa, and Verisign.  It offers examples of time based, CRL, 
>physical, and capability revocation in one protocol.  N.B. This description 
>is based on the February 23, 1996 Draft for Public Comment, a 269 page 
>document.  Specifications are subject to change, and this note 
>oversimplifies many of the issues.

The Draft is available from http://www.mastercard.com/
>A brief overview of SET
>SET uses a X.509 certificate authority hierarchy with a single, globally
>>trusted, root.  This hierarchy exists to authentic certificates held the 
>three classes of leaf entity, Cardholders, Merchants, and Acquirer Payment 
>Gateways.  Acquirer Payment Gateways are the interface between Merchants 
>and the Acquiring bank.  I assume they would generally be run by that bank.  
>The protocol uses the existing bankcard association financial network to 
>communicate authorization requests between the acquiring bank and the 
>issuing bank.
>SET includes a secure protocol for cardholders to get their certificates 
>through network web sites.  It also has the characteristic that a cardholder 
>can charge a purchase from a merchant without allowing the merchant to 
>learn the credit card number used.

Bootstrapping Trust in SET

The protocol by which a cardholder gets a certificate thru a web page
illustrates two ways that trust is established in SET.  These are by
certificates, and by shared secrets.

First the cardholder gets a plastic card by traditional means.  She also
installs software to handle the SET MIME type.  Then she connects to her
bank's web page and asks to be issued a certificate.  The web server sends
a web page which invokes the SET MIME handler.

The MIME handler has a certificate for the root CA compiled in.  It sends a
request for a new cardholder certificate and the web server replies with
all the certificates needed to validate the web server's certificate.  The
server also sends a form which is much like the form the cardholder filled
out to obtain the plastic.

The MIME handler validates the web server's certificate and displays the
form for the cardholder to fill in.  She fills in the form, including the
"Grandmother's maiden name" shared secret.  The MIME handler then generates
a public/secret key pair and a random DES key, encrypts the DES key with
the public key of the server, encrypts the form data and the cardholder's
public key with the DES key and sends the whole package to the server.

The server now has enough information to validate the user and issue a

Here is my analysis of how trust is established in this protocol:

(1) The cardholder must trust the root CA key embedded in the MIME handler.
 This trust might be established by getting the program directly from the
bank (on a floppy or some such).

(2) The cardholder must trust the CA Hierarchy.  It is reasonable for her
to trust it because everything in the CA hierarchy is being run by the
banking system which shares her interest (because of the $50 limit on
cardholder liability) in avoiding fraud with her card.

Items (1) and (2) allow the cardholder to trust the web server, and reveal
her shared secret to the web server.

(3) The web server can trust the cardholder because it can verify the
shared secret.

(4) Both parties are protected from Man in the Middle attacks because the
shared secret is returned encrypted through the server's public key.

IMHO, anytime we talk of trust, whether it be a web or a hierarchy, the
trustor must be able to establish common interest with every link between
him and the object to be trusted before he can establish trust.  Such
common interest might be lacking in, for example, a government run identity
certificate web.  Just the well known history of governments issuing false
passports to spies could be sufficient to break the common interest for
some people.

Regards - Bill

Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA