A Mondex like Protocol (2)
An improved Mondex like protocol

About a week ago I posted a protocol that meets the requirements of the
Mondex cards as I understand them. It was overkill. I wasn't clear in my
own mind what properties of Diffie Hellman I was depending on. Here is an
improvement that does not use DH and thus uses less compute power.

Two Mondex units, upon command of their respective operators, can pass
money from one to the other via infrared signals. I think that this
requires tamper-proof units.

I understand that the Mondex protocol is currently undisclosed. I have no
information about that protocol but am merely trying to find a protocol
that fits the little that I know about Mondex. Are there other guesses?

When a receiving unit, the payee, is instructed by its operator to be ready
to receive a payment, it increments an internal counter. The payee
transmits an infrared message including its unique id, the counter value
and a simple checksum. This message is repeated until some timeout or a
valid transmission from a payer is received.

The payer unit, having been instructed by its operator to pay, awaits such
a message. Upon receipt it decrements its local balance and constructs a
record consisting of the payee's id, the payee's counter value, the payment
amount and a secret shared by all money units. The payer then transmits a
message with the payment amount, and the secure hash of the record. This
transmission is repeated until an acknowledgment or a timeout.

Upon receipt the payee is able to reconstruct the payer's record and
compute the secure hash. If the computed hash matches the received hash
then the payee can be sure that some legitimate payer unit has decremented
its local balance and it is thus valid for the payee to increment its value
by that amount. It then transmits one acknowledgment.

If the receiver's transmission is garbled but the checksum does not catch
it then the transmitted money is lost. The payer thinks it has authorized a
balance increment but no unit recognizes the authorization as its own.
Garbled transmissions from a payer are ignored when the hash check fails.
Subsequent transmissions will hopefully succeed.

Note that this scheme uses no crypto.
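
The exchange described above, as an added example that is not part of the original post. It assumes SHA-256 as the secure hash, a fixed-width record encoding, a constructed shared secret, and an `awaiting` flag so that each counter value is credited at most once; the payee's simple checksum is left out.

```python
import hashlib
import hmac

# Constructed demo value; the post only says all money units share one secret.
SHARED_SECRET = b"constructed-demo-secret"


def record_hash(payee_id: int, counter: int, amount: int) -> bytes:
    # Assumed encoding: fixed-width fields keep the record unambiguous.
    record = (payee_id.to_bytes(8, "big") + counter.to_bytes(8, "big")
              + amount.to_bytes(8, "big") + SHARED_SECRET)
    return hashlib.sha256(record).digest()


class Unit:
    def __init__(self, unit_id: int, balance: int):
        self.unit_id, self.balance = unit_id, balance
        self.counter = 0
        self.awaiting = False  # assumption: set only while a payment is expected

    def ready_to_receive(self):
        """Payee: increment the counter and announce (id, counter)."""
        self.counter += 1
        self.awaiting = True
        return self.unit_id, self.counter

    def pay(self, request, amount: int):
        """Payer: decrement the balance, then send (amount, hash of record)."""
        payee_id, counter = request
        if not 0 < amount <= self.balance:
            raise ValueError("amount must be positive and within balance")
        self.balance -= amount
        return amount, record_hash(payee_id, counter, amount)

    def receive(self, message) -> bool:
        """Payee: rebuild the record from its own id and counter, compare."""
        amount, tag = message
        if not self.awaiting or amount <= 0:
            return False
        expected = record_hash(self.unit_id, self.counter, amount)
        if not hmac.compare_digest(tag, expected):
            return False  # garbled, replayed or meant for another unit: ignore
        self.balance += amount
        self.awaiting = False  # this counter value has now been used
        return True
```

Because the counter enters the hash, a recorded payment message is useless once the payee has moved on to a new counter value, and a payment built from a garbled request is recognized by no unit.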