Security analysis of an e-commerce solution

The escalation in the number of people with access to the Internet has fuelled the growth of e-commerce transactions. In order to stimulate this growth in e-commerce, the adoption of new business models will be required. In this thesis, we propose the idea of bringing the multi-level marketing business model into the e-commerce world. For e-commerce applications to take advantage of the business potential in this business model, some challenging security problems need to be resolved. Our proposed protocol provides a method for fair exchange of valuable items between multiple-parties in accordance with the multi-level marketing business model. It also provides the required security services needed to increase the overall customers' trust in e-commerce, and hence increase the rate of committed online transactions. These security services include content assurance, confidentiality, fair exchange and non-repudiation. The above security services are usually attained through the use of cryptography. For example, digital rights management systems deliver e-goods in an encrypted format. As these e-goods are decrypted before being presented to the end user, cryptographic keys may appear in the memory which leaves it vulnerable to memory disclosure attacks. In the second part of this thesis, we investigate a set of memory disclosure attacks which may compromise the confidentiality of cryptographic keys. We demonstrate that the threat of these attacks is real by exposing the secret private keys of several cryptographic algorithms used by different cryptographic implementations of the Java Cryptographic Extension (JCE

Blockchain based Decentralized Applications: Technology Review and Development Guidelines

Blockchain or Distributed Ledger Technology is a disruptive technology that provides the infrastructure for developing decentralized applications enabling the implementation of novel business models even in traditionally centralized domains. In the last years it has drawn high interest from the academic community, technology developers and startups thus lots of solutions have been developed to address blockchain technology limitations and the requirements of applications software engineering. In this paper, we provide a comprehensive overview of DLT solutions analyzing the addressed challenges, provided solutions and their usage for developing decentralized applications. Our study reviews over 100 blockchain papers and startup initiatives from which we construct a 3-tier based architecture for decentralized applications and we use it to systematically classify the technology solutions. Protocol and Network Tier solutions address the digital assets registration, transactions, data structure, and privacy and business rules implementation and the creation of peer-to-peer networks, ledger replication, and consensus-based state validation. Scaling Tier solutions address the scalability problems in terms of storage size, transaction throughput, and computational capability. Finally, Federated Tier aggregates integrative solutions across multiple blockchain applications deployments. The paper closes with a discussion on challenges and opportunities for developing decentralized applications by providing a multi-step guideline for decentralizing the design of traditional systems and implementing decentralized applications.Comment: 30 pages, 8 figures, 9 tables, 121 reference

Scaling Distributed Ledgers and Privacy-Preserving Applications

This thesis proposes techniques aiming to make blockchain technologies and smart contract platforms practical by improving their scalability, latency, and privacy. This thesis starts by presenting the design and implementation of Chainspace, a distributed ledger that supports user defined smart contracts and execute user-supplied transactions on their objects. The correct execution of smart contract transactions is publicly verifiable. Chainspace is scalable by sharding state; it is secure against subsets of nodes trying to compromise its integrity or availability properties through Byzantine Fault Tolerance (BFT). This thesis also introduces a family of replay attacks against sharded distributed ledgers targeting cross-shard consensus protocols; they allow an attacker, with network access only, to double-spend resources with minimal efforts. We then build Byzcuit, a new cross-shard consensus protocol that is immune to those attacks and that is tailored to run at the heart of Chainspace. Next, we propose FastPay, a high-integrity settlement system for pre-funded payments that can be used as a financial side-infrastructure for Chainspace to support low-latency retail payments. This settlement system is based on Byzantine Consistent Broadcast as its core primitive, foregoing the expenses of full atomic commit channels (consensus). The resulting system has extremely low-latency for both confirmation and payment finality. Finally, this thesis proposes Coconut, a selective disclosure credential scheme supporting distributed threshold issuance, public and private attributes, re-randomization, and multiple unlinkable selective attribute revelations. It ensures authenticity and availability even when a subset of credential issuing authorities are malicious or offline, and natively integrates with Chainspace to enable a number of scalable privacy-preserving applications

Middleware support for non-repudiable business-to-business interactions

The wide variety of services and resources available over the Internet presents new opportunities for organisations to collaborate to reach common goals. For example, business partners wish to access each other’s services and share information along the supply chain in order to compete more successfully in the delivery of goods or services to the ultimate customer. This can lead to the investment of significant resources by business partners in the resulting collaboration. In the context of such high value business-to-business (B2B) interactions it is desirable to regulate (monitor and control) the behaviour of business partners to ensure that they comply with agreements that govern their interactions. Achieving this regulation is challenging because, while wishing to collaborate, organisations remain autonomous and may not unguardedly trust each other. Two aspects must be addressed: (i) the need for high-level mechanisms to encode agreements (contracts) between the interacting parties such that they can be used for run-time monitoring and enforcement, and (ii) systematic support to monitor a given interaction for conformance with contract and to ensure accountability. This dissertation concerns the latter aspect — the definition, design and implementation of underlying middleware support for the regulation of B2B interactions. To this end, two non-repudiation services are identified — non-repudiable service invocation and non-repudiable information sharing. A flexible nonrepudiation protocol execution framework supports the delivery of the identified services. It is shown how the services can be used to regulate B2B interactions. The non-repudiation services provide for the accountability of the actions of participants; including the acknowledgement of actions, their run-time validation with respect to application-level constraints and logging for audit. The framework is realised in the context of interactions with and between components of a J2EE application server platform. However, the design is sufficiently flexible to apply to other common middleware platforms.EThOS - Electronic Theses Online ServiceGBUnited Kingdo

CALYPSO: Private Data Management for Decentralized Ledgers

Distributed ledgers provide high availability and integrity, making them a key enabler for practical and secure computation of distributed workloads among mutually distrustful parties. Many practical applications also require strong confidentiality, however. This work enhances permissioned and permissionless blockchains with the ability to manage confidential data without forfeiting availability or decentralization. The proposed Calypso architecture addresses two orthogonal challenges confronting modern distributed ledgers: (a) enabling the auditable management of secrets and (b) protecting distributed computations against arbitrage attacks when their results depend on the ordering and secrecy of inputs. Calypso introduces on-chain secrets, a novel abstraction that enforces atomic deposition of an auditable trace whenever users access confidential data. Calypso provides user-controlled consent management that ensures revocation atomicity and accountable anonymity. To enable permissionless deployment, we introduce an incentive scheme and provide users with the option to select their preferred trustees. We evaluated our Calypso prototype with a confidential document-sharing application and a decentralized lottery. Our benchmarks show that transaction-processing latency increases linearly in terms of security (number of trustees) and is in the range of 0.2 to 8 seconds for 16 to 128 trustees

Assessing the Competing Characteristics of Privacy and Safety within Vehicular Ad Hoc Networks

The introduction of Vehicle-to-Vehicle (V2V) communication has the promise of decreasing vehicle collisions, congestion, and emissions. However, this technology places safety and privacy at odds; an increase of safety applications will likely result in the decrease of consumer privacy. The National Highway Traffic Safety Administration (NHTSA) has proposed the Security Credential Management System (SCMS) as the back end infrastructure for maintaining, distributing, and revoking vehicle certificates attached to every Basic Safety Message (BSM). This Public Key Infrastructure (PKI) scheme is designed around the philosophy of maintaining user privacy through the separation of functions to prevent any one subcomponent from identifying users. However, because of the high precision of the data elements within each message this design cannot prevent large scale third-party BSM collection and pseudonym linking resulting in privacy loss. In addition, this philosophy creates an extraordinarily complex and heavily distributed system. In response to this difficulty, this thesis proposes a data ambiguity method to bridge privacy and safety within the context of interconnected vehicles. The objective in doing so is to preserve both Vehicle-to-Vehicle (V2V) safety applications and consumer privacy. A Vehicular Ad-Hoc Network (VANET) metric classification is introduced that explores five fundamental pillars of VANETs. These pillars (Safety, Privacy, Cost, Efficiency, Stability) are applied to four different systems: Non-V2V environment, the aforementioned SCMS, the group-pseudonym based Vehicle Based Security System (VBSS), and VBSS with Dithering (VBSS-D) which includes the data ambiguity method of dithering. By using these evaluation criteria, the advantages and disadvantages of bringing each system to fruition is showcased

Review of Peer-to-Peer (P2P) Lending Based on Blockchain

Peer-to-Peer (P2P) lending is a financing business model that has gained popularity in recent years due to the ease of loan application, disbursement, and repayment processes. The volume of Peer-to-Peer (P2P) Lending transactions have a significant growth. One of the reasons for the popularity of Peer-to-Peer (P2P) lending is its utilization of technology in both the application and loan repayment processes. One such technology gaining traction in Peer-to-Peer (P2P) lending is blockchain technology. The popularity of blockchain technology lies in its ability to enhance the transparency of the transaction process. This literature study aims to address three main questions: What are the characteristics of blockchain suitable for Peer-to-Peer (P2P) lending , the benefits of implementing blockchain technology in Peer-to-Peer (P2P) lending and the challenges of Peer-to-Peer (P2P) lending based on blockchain. The findings reveal that there are characteristics of blockchain that can be applied to Peer-to-Peer (P2P) lending, bringing numerous benefits to the overall Peer-to-Peer (P2P) lending process. However, challenges persist in the implementation of blockchain technology in Peer-to-Peer (P2P) lending. The insights gained from this literature review are intended to guide researchers interested in studying the application of blockchain technology in the context of Peer-to-Peer (P2P) lending