Alan L Tyree

Virtual Cash - Payments on the Internet - Part 1

The Internet and World Wide Web

The "Internet" is a worldwide network of computer networks. Although precise figures are difficult or impossible to obtain, best estimates at the time of writing are that there are more than 30 million users linked to the network via some 6 to 7 million host computers. Numbers are said to be growing at 15% per month.1

The "World Wide Web" has opened the Internet to use by ordinary computer users. The Web provides graphics, sound, animation and hypertext which allows even the inexperienced user to "navigate" the Internet. Establishing "pages" of information on the net using the Web is inexpensive and provides an opportunity to reach millions of users.

The commercial potential of the Web is obvious. Products may be attractively presented at small cost. Information products may be delivered via the Internet so that music, pictures, software and text may be provided directly to users at a delivery cost which is a fraction of any other method. Customers are not limited to any geographical area.2

Payment Mechanisms3

In order to realise the full commercial potential of the Internet, it must be possible to make secure payments via the Internet itself. A useful Internet payment system must satisfy several criteria:

Currently payments on the Internet are made by credit card numbers, but the method is clearly unsatisfactory. It is too expensive to allow full exploitation of the commercial potential and the lack of proper authentication means that it is too untrustworthy to function world wide.

If we think for a moment about the characteristics of a cheque which have made it a useful payment mechanism the problem will become clearer. In one sense, the cheque is a message sent from the drawer to the drawee and then on to the drawee bank. The physical characteristics of paper guarantee that the message has not been altered. The signature of the drawer guarantees that the message is authentic.4

The problem for an Internet payment system is to devise an electronic message form that shares these characteristics. Surprisingly, it can be done. The solution requires a short digression into the world of spies, lovers and coded messages.

A short introduction to cryptography

One of the world's oldest and simplest coding systems can be used to illustrate the problems and potential of cryptography. The Caesar Cipher operates with the usual alphabet and a "shift" of the alphabet.5 So, using a shift of 3, we can use the following "pad" to encode messages.

ABCDEFGHIJKLMNOPQRSTUVWXYZ
CDEFGHIJKLMNOPQRSTUVWXYZ AB

Note that the alphabet contains a "blank". Now suppose that Brandon wishes to send Cynthia a message in code. The message is "I LOVE YOU". Brandon sends "LCORYHCARX". Cynthia, who knows the "key" can decode the message. They live happily ever after.

Here is the lesson. There is a process which is used to encode and a process which is used to decode. If both parties know the process being used and both know the key, in this case the offset of the alphabet, then coding and decoding are mechanical tasks.

Notice several other characteristics of the process. Cynthia can be fairly certain that the message has come from Brandon since only he knows the key. Furthermore, any attempt to meddle with the message will be immediately apparent since the decoded message will be faulty.

The system breaks down in two ways. First is that the code is too easy to break.6 Albert breaks the code, intercepts and changes the message to "LCORDWKCARX"7. Brandon is rejected, Albert steps in and true love is thwarted.

The second problem with the Caesar Cipher is that both parties must know the key. How are we to distribute keys securely? Since they cannot be sent by the message network, they must be sent by trusted messenger. Brandon sends his trusted messenger, Albert, with the key, leading to the same unfortunate results as above.

The first problem with the Caesar Cipher is relatively easy to deal with. Sophisticated coding methods are available which are secure even from the most determined code-breaker. These coding methods may be embedded in chips which can then be placed in ATMs or in other machinery to provide secure transmission of messages.8

The solution to the key distribution problem is more interesting and rests on a remarkably clever idea: might it not be possible to use one key for encoding and an entirely different key for decoding? The surprising answer is "yes" and the resulting methods are known as Public Key Cryptography.9

In Public Key Cryptography each person has two keys, a public and a secret key. The public key is actually published in a directory. The encoding and decoding processes have the following remarkable characteristics: a message encoded with a person's private key can only be decoded with the same person's public key; and a message encoded using a person's public key can only be decoded with the person's private key. Encoding with the secret key is often called a "digital signature" since it uniquely identifies the sender.

Public Key Cryptography allows for tamper-proof authenticated messages to be sent. In the above example, Brandon encodes the message with his secret key. Cynthia decodes the message using the only means available for decoding, Brandon's public key: see Figure 1. The message cannot have been altered since it would then be unintelligible. Further, it can only have come from Brandon since it was decoded with his public key. True love triumphs!

B B's Secret Key C

Figure 1 Digital signature: The message may be decoded by using B's public key. Anyone can read it, but it could only originate with B

Notice however that anyone can read the message by applying Brandon's public key. He may be happy for the whole world to know of his love, but on the other hand he may be shy and wish that the message remain private. Brandon may send a secret message to Cynthia by encoding with her public key: see Figure 2. Since the message may only be decoded with her secret key, the message is safe from prying eyes.

B C's Public Key C

Figure 2: Secret message: Only C can read the message since it may only be decoded by using C's secret key. Although it purports to be sent by B, it could have originated with anyone.

The problem is that anyone could have sent the message. Brandon clearly wishes to ensure that Cynthia knows that it is he who is declaring his love. The solution is a two step encoding: Brandon first encodes the message using Cynthia's public key. This ensures that only she can read it using her secret key. He then encodes the already encoded message with his secret key: see Figure 3. This ensures that the message comes from him since it may only be deciphered by use of his public key.

B C's Public Key B's Secret Key C

Figure 3: Secret authenticated message: decode first with B's public key then with C's secret key. Only C can read, only B could originate.

Public Key Cryptography is very secure and reliable. There are several different algorithms available for using it. The main Public Key method, the RSA algorithm, is patented. Several jurisdictions have passed legislation which gives effect to "digital signatures".

Digital Cash

The simplest form of providing for Internet payments takes us back to an earlier time in banking, when banks issued bank notes for general circulation. In the Internet literature, these methods are usually referred to as "digital coins" or "virtual coins". The reference to "coins" rather than notes emphasises the fact that payments may be for very small amounts.

A "digital coin" is a message issued by a bank and encrypted with its private key.10 The message will contain the following information: the serial number of the coin, the identity of the bank and its Internet address, the amount of the coin, and an expiry date. Because the "coin" is encoded with the bank's secret key it may only be read by using the bank's public key. It cannot be altered without destroying it. The bank keeps a record of the serial number of the "coin".

When a customer wishes to be issued with "coins" he or she sends a request to the bank. The request must be encoded with the customer's secret key. The bank may then decode the message with the customer's public key and have confidence that the request is what it appears to be and that it originated with the customer.

The "coins" are "issued" to a particular customer by encoding the coin with the customer's public key. This message is then sent to the customer who decodes it using his or her private key. Even if the message is intercepted it would be worthless since only the customer to whom the "coins" are issued can read the message. The "coins" thus received are stored on the customer's private system.

A customer who wishes to purchase something on the Internet may send the "coin" to the merchant. The "coin" should be encrypted with the merchant's public key to prevent interception. The merchant decodes using his or her private key and then does two things with the received message: first, the message is decoded using the bank's public key to verify that it is a "coin" for the appropriate amount of the payment. Secondly, the merchant must ascertain that the "coin" has not already been spent. This is done by asking the bank to verify that the serial number of the coin is still current.

Assuming that the "coin" is valid, the simplest scenario is that the bank credits the merchant's account and then cancels the serial number so that the "coin" may not be spent again. Alternatively, the bank cancels the serial number and issues a new "coin" to the merchant that is identical in all respects save the serial number.

Electronic cheques

The same techniques can be used to provide for electronic cheques and bills of exchange. The "cheque" is a message which contains all of the ordinary information appearing on a paper cheque and which is then "signed digitally", that is, it is encoded by encrypting with the "drawer's" secret key. It is then sent to the "payee". The "payee" may further "indorse" the instrument by encoding the already encoded message with his or her private key. A complete "chain" of signatures may be built up so that none of the "indorsers" may deny that it is their indorsement. For the usual reasons, any alteration is apparent.

When the instrument is paid by the "drawee" it is so marked and the resulting message is encoded with the bank's secret key thus providing proof of payment. In order to avoid duplication, each "cheque" must have a unique serial number.

What's next?

The schemes described here allow for a complete record of payment to be maintained. In that sense they are not like "cash". In the next article in the series I will discuss schemes which permit anonymous transactions. These may be implemented so that the issuing institution cannot maintain information about the purchases of its customers. Extended versions would allow anonymous transactions between customers and merchants and between customer and customer.

Electronic cash, like real bank notes, represent a liability of the issuing institution on which no interest is paid. To the extent that these methods of payment replace cash they detract from the governmental income ("seigniorage") derived from the issue of legal tender. In this regard, the various Internet payment schemes raise issues similar to those raised by stored value cards and discussed in "Smart Cards", (1995) 6 JBFLP XXX.

To be continued.

Alan L Tyree
Landerer Professor of Information Technology and Law
University of Sydney

1 The only place to obtain any reasonably accurate estimate of the size and use of the Internet is from the Internet itself. See Larry Landweber. International Connectivity. Version 14 - June 15, 1995. ftp://ftp.cs.wisc.edu/connectivity_table/Connectivity_table.ps Computer Sciences Dept. University of Wisconsin - Madison, 1210 W. Dayton St., Madison, WI 53706, U.S.A; Network Wizards, Menlo Park, California, http://www.nw.com/. Internet Domain Survey, July 1995.

2 This ease of delivery justifiably causes concern for holders of intellectual property rights. See for, example, Dreier T, "Copyright Digitized: Philosophical Impacts and Practical Implications for Information Exchanges in Digital Networks" in World Intellectual Property Organization ("WIPO") Worldwide Symposium on The Impact of Digital Technology on Copyright and Neighboring Rights 187 (March 31-April 2, 1993).

3 An index to payments related developments may be found on the Web at http://ganges.cs.tcd.ie//mepeirce/project.html

4 These guarantees are not absolute, of course. The common law has developed methods for allocating the risks when there is "system failure".

5 See Sedgewick, "Algorithms", Addison Wesley, 1983 and later editions of the same work. It seems doubtful that Caesar ever used such a simple encryption.

6 It is, however, the basis for the most secure encryption of all. In the coding table substitute in the second line a sequence of randomly generated letters that is as long as the message to be encoded. Such a method is known as a "One time pad" and is the most secure encryption known.

7 "I LOATH YOU"

8 The method of choice for many years was the DES (Data Encryption Standard) still used in most commercial encryption. This has been overtaken by the "Clipper" chip.

9 Rivest, Shamir and Adleman "A method for obtaining digital signatures and public-key cryptosystems" (1978) 21 Communications of the ACM 2.

10 The method presented here is actually a simplification of workable methods. The additional complexities serve only to reduce demands on computer resources.