Jorge López Hernández-Ardieta

An optimistic fair exchange protocol based on signature policies

The growth of the e-commerce has allowed companies and individuals to sell and purchase almost any kind of product and service through the Internet. However, during the purchase transaction there is a moment during which the seller has sensitive information from the buyer, typically his/her credit card information, while the buyer has nothing from the seller. This situation clearly places the buyer at disadvantage and is, together with fear of fraud, one of the reasons of the lack of confidence in e-commerce. For resolving this situation a new fair exchange protocol based on signature policies is presented. A signature policy is a set of rules to create and validate electronic signatures, under which an electronic signature can be determined to be valid in a particular transaction context. Due to the signature policy-based design, the proposed protocol allows the buyer to decide if trust or not in the rules that will manage the transaction, increasing the users confidence in e-commerce. Security, fairness and timeliness characteristics of the protocol are evaluated. Implementation guidelines are also provided taking into consideration latest security standards.

A taxonomy and survey of attacks on digital signatures

Non-repudiation is a desired property of current electronic transactions, by which a further repudiation of the commitments made by any involved party is prevented. Digital signatures are recognized by current standards and legislation as non-repudiation evidence that can be used to protect the parties involved in a transaction against the others false denial about the occurrence of a certain event. However, the reliability of a digital signature should determine its capability to be used as valid evidence. The inevitability of vulnerabilities in technology and the non-negligible probability of an occurrence of security threats would make non-repudiation of evidence difficult to achieve. We consider that it is of the utmost importance to develop appropriate tools and methods to assist in designing and implementing secure systems in a way that reliable digital signatures can be produced. In this paper, a comprehensive taxonomy of attacks on digital signatures is presented, covering both the signature generation and verification phases. The taxonomy will enable a rigorous and systematic analysis of the causes that may subvert the signature reliability, allowing the identification of countermeasures of general applicability. In addition, an intensive survey of attacks classified under our taxonomy is given.

Formal Validation of OFEPSP+ with AVISPA

Formal validation of security protocols is of utmost importance before they gain market or academic acceptance. In particular, the results obtained from the formal validation of the improved Optimistic Fair Exchange Protocol based on Signature Policies (OFEPSP+) are presented. OFEPSP+ ensures that no party gains an unfair advantage over the other during the protocol execution, while substantially reducing the probability of a successful attack on the protocol due to a compromise of the signature creation environment. We have used the Automated Validation of Internet Security Protocols and Applications (AVISPA) and the Security Protocol ANimator for AVISPA (SPAN), two powerful automated reasoning technique tools to formally specify and validate security protocols for the Internet.

Extended electronic signature policies

A signature policy collects the rules to create and validate electronic signatures under which they become binding in a particular transactional context. These policies have been widely adopted to enforce the binding property of signatures in business scenarios. However, current standards only cover the definition of the requirements to be fulfilled by a single signature. As a consequence, business models where more than one signature is required in order to make the transaction effective cannot adhere to the benefits of signature policies. This paper is the first to propose a solution where the dependences and relationships among the signatures generated in the same transaction can be established. In particular, the ASN.1 definition of an extended signature policy is presented along with the procedures to be followed by the transacting parties. This work will be submitted to the IETF PKIX Work Group to be considered as an Experimental Request For Comments document (RFC).

Using Reconfigurable Hardware Through Web Services in Distributed Applications

This paper proposes a simple solution to use reconfigurable hardware in the context of distributed applications. The remote access to the reconfigurable resources is carried out through Web Services technology. So it is possible to exploit the synergy of reconfigurable computing and distributed applications. A web service has been developed to remotely use the whole functionality of a reconfigurable platform. An example application has been developed in order to study the advantages and drawbacks of this methodology.