Abstract
UEPS, the Universal Electronic Payment System, is an electronic funds transfer product which is well suited to developing country environments, where poor telecommunications make offline operation necessary. It is designed around smartcard based electronic wallet and chequebook functions: money is loaded from the bank, via bank cards, to customer cards, to merchant cards, and finally back to the bank through a clearing system. This architecture is uniquely demanding from the point of view of security.
As far as we are aware, UEPS is the first live financial system whose authentication protocol was designed and verified using formal analysis techniques. This was achieved using an extension of the Burrows-Abadi-Needham [BAN] logic, and raises some interesting questions: firstly, such formal logics had been thought limited in scope to verifying mutual authentication or key sharing [GKSG]; secondly, our work has found hidden assumptions in BAN, and a problem with the postulates of the Gong-Needham-Yahalom logic [GNY], both concerning freshness; thirdly, we highlight the need for a formalism to deal with cryptographic chaining; and fourthly, this type of formal analysis turns out to be so useful that we believe it should be routine for financial and security critical systems.
Chapter PDF
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
M. Burrows, M. Abadi and R. Needham, “A logic of Authentication”, Report 39, Digital Systems Research Center, Palo Alto, Ca.
D. Chaum, “Achieving Electronic Privacy”, in Scientific American, 267 no 2, August 1992, pp 76–81
Y. Desmedt and J.-J. Quisquater, "Public-key Systems Based on the Difficulty of Tampering', in Advances in Cryptology — CRYPTO 86, Springer Lecture Notes in Computer Science 263 pp 111–117
L. Gong, Cryptographic Protocols for Distributed Systems (PhD Thesis), University of Cambridge 1990.
V. D. Gligor, R. Kailar, S. Stubblebine and L. Gong, “Logics for Cryptographic Protocols — Virtues and Limitations”, in Proceedings, Computer Security Foundations Workshop IV, IEEE 1991, pp 219–226
L. Gong, R. M. Needham and R. Yahalom, “Reasoning about Belief in Cryptographic Protocols”, in Proceedings of the 1990 IEEE Computer Security Symposium on Research in Security and Privacy, pp 234–248
G. Garon and R. Outerbridge, “DES Watch: An Examination of the Sufficiency of the Data Encryption Standard for Financial Institution Information Security in the 1990's, in Cryptologia XV no 3, July 1991, pp 177–193
M. Hesse, Structure of Scientific Inference, Macmillan 1974, pp 142–146
R. Kailar and V. D. Gligor, “On Belief Evolution in Authentication Protocols”, in Proceedings, Computer Security Foundations Workshop IV, IEEE 1991, pp 103–116
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 1992 Springer-Verlag
About this paper
Cite this paper
Anderson, R.J. (1992). UEPS — A second generation electronic wallet. In: Deswarte, Y., Eizenberg, G., Quisquater, JJ. (eds) Computer Security — ESORICS 92. ESORICS 1992. Lecture Notes in Computer Science, vol 648. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0013910
Download citation
DOI: https://doi.org/10.1007/BFb0013910
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-56246-7
Online ISBN: 978-3-540-47488-3
eBook Packages: Springer Book Archive