A Research on Security Analyses of Offline Electronic Cash Systems

• Main Authors: Yao-Ching Liu, 劉曜慶
• Other Authors: Ya-Fen Chang
• Format: Others
• Language: en_US
• Published: 2014
• Online Access: http://ndltd.ncl.edu.tw/handle/e7szv8

碩士 === 國立臺中科技大學 === 資訊工程系碩士班 === 102 === Electronic cash (e-cash) plays an important role in electronic commerce. With the rapid growth of network technologies, e-cash provides a way to pay with convenience, security, anonymity and unforgeability. Offline electronic cash systems possess a superior property because the bank is not involved when a merchant verifies a customer’s e-cash. This makes the computational resource needed by the bank reduced, the overall system efficiency increased, electronic cash systems practical, and offline electronic cash systems become an important research topic. Recently, several corresponding studies have been proposed. However, double spending only can be detected when a merchant contacts the bank. This may make offline electronic cash systems be threatened seriously. In 2013, Mohanty et al. proposed a certificateless group signcryption scheme and presented an offline e-cash system based on their signcryption scheme. They claimed that their scheme could protect the anonymity of customers better. In addition, the group manager has the ability to reveal the identity of the e-cash’s owner for some special situation to prevent the problem of e-cash abuse. However, we find that Mohanty et al.’s e-cash system is vulnerable to forgery attack and double spending. In this study, we will review Mohanty et al.’s offline electronic cash system and show how a dishonest customer can apply for a coin with any customer’s identity, how to forge a valid e-cash, and how a malicious merchant spends an honest customer’s coin twice in Chapter 2. In the same year, Baseri et al. proposed an offline electronic cash (e-cash) system using RSA cryptosystem and asserted that their system satisfied anonymity, double spending detection, unforgeability, and date attachability properties and prevented forging . However, we find that their e-cash system is insecure against identity forgery. In Chapter 3, we show that an adversary has three ways to forge a valid identity to withdraw electronic coin (e-coin) from his account at the bank and pay it to the merchant in payment phase. When double spending is detected, the bank cannot reveal the attacker’s real identity. The found security flaws and system vulnerability will be shown in detail, and what damage it causes to the e-cash system will be explained.