[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
A Mondex like Protocol
Two Mondex units, upon command of their respective operators, can pass
money from one to the other via infra_red signals. I think that this
requires tamper proof units.
I understand that the Mondex protocol is currently undisclosed. I have no
information about that protocol but am merely trying to find a protocol
that fits the little that I know about Mondex. Are there other guesses?
Here is one way it might work. Upon an operator receive command, the payee
unit transmits a DH greeting along with the value of a counter located in
the payee unit. (The integrity of the counter value in the greeting is
somehow ensured.) It continues to send this greeting while it awaits a
greeting.
Upon a pay command from its operator, a payer unit transmits a DH greeting
and continues to send that while it awaits a greeting. When either unit
receives a greeting it computes the shared secret key ala DH. The payer
decrements its cash value and generates a pay order enciphered under the
secret key. The pay order includes the counter value from the payee's
greeting. This order is transmitted repeatedly until an acknowledgement is
received or times out. If it times out then the money is lost. When the
payee receives a pay order, it verifies that the counter value is correct
and then increments the counter, preventing replay. The payee then
increments its cash value and sends ciphered acknowledgements for a brief
period. The payer may give one final acknowledgement acknowledgement which,
if lost, merely means that the receiver will time-out sending
acknowledgements.
The common DH modulus is known to all units and but otherwise secret. This,
of course, requires a extraordinary tamper resistance. Only the state must
be kept secret, not the hardware behavior.
Here is the money integrity argument for this protocol. The units are
collectively responsible for preventing counterfeiting. For counterfeiting
to happen some unit must increment its cash value when there was no
corresponding decrement in another unit. A unit increments its cash value
when it decodes a pay order from someone who knows the global secret DH
modulus. That someone must have been a legitimate unit that decreased its
cash value. Replay is impossible because each such transaction is uniquely
identified by the recipient's counter value. The recipient never increments
its cash value twice for the same counter value.