1

Experimenting with Electronic Commerce on the

PalmPilot

Neil Daswani Dan Boneh

daswani@cs.stanford.edu dabo@cs.stanford.edu

Public Key Solutions ‘99April 12 - 14

2

Overview

Security Applications on a PDA(advantages / disadvantages?)

How about a payment system?(wide-deployment of PDAs?)

Is this feasible with existing PDA technology?

3

Outline

Trade-offsE-Commerce on the PalmPilotPDA-PayWordPerformanceConclusions

4

Trade-offs

Vs. SmartCards no tamper resistance no cryptographic accelerators

direct line of communication with user more processing power more memory

5

Trade-offs

Vs. Desktops

less memory less processing power

portable

6

E-Commerce on the PalmPilot

Security Features (Lack of?)Cryptographic PrimitivesAuthenticationMemory Mgmt. & BackupsPrototypical Application

7

Security Features (Lack of?)

Databases -- No Access Control non-volatile creatorID “secret” attribute (just a suggestion)

Password Entry

8

* DES, SHA-1, RSA figures obtained with SSLeay* ECC-DSA figures obtained with Certicom Security Builder Toolkit

Cryptographic PrimitivesAlgorithm Time

DES Encryption 4.9ms / blockSHA-1 2.7ms / block512-bit RSA key gen. 3.4 minutes512-bit RSA sig. gen. 7028 ms512-bit RSA sig. verify 438 ms163-bit ECC-DSA key gen. 597 ms163-bit ECC-DSA sig. gen 776 ms163-bit ECC-DSA sig. verify 2448 ms

9

E-Commerce on the PalmPilot

Authentication Pro: direct line of communication with

owner Con: entering passwords

Memory Management & Backups Encrypted Storage (Instrument Manager) PalmPilot Databases (deletion, double

spending)

10

E-Commerce on the PalmPilot

Small payments ($5 -> $50)

Target Application: Pony Vending Machine

11

E-Commerce on the PalmPilot

Where to start? PayWord (Rivest, Shamir)

Why PayWord? amortize cost of signatures coins = hash tokens

12

PDA-PayWord

PalmPilot implementation of PayWord

Minimize cryptographic operations

Minimize storage requirements

13

PDA-PayWord Characteristics

Vendor-Specific

Pre-Pay (Debit-Based)

Vendor = Bank

Hash Chain Based

14

PDA-PayWord: Withdrawal

Y0

Y1

Yk

{Y{Ykk, k, d, vid}, k, d, vid}SSECC-DSAECC-DSA(User)(User)

User’s Wallet

Bank

Pre-Paid?

YesHCC=HCC={Y{Ykk, k, d, exp,vid}, k, d, exp,vid}SSRSARSA (Bank) (Bank)

15

PDA-PayWord: Purchase

Y0

Y1

Yk-i Yk-i, i, HCC

User’s Wallet

Yk-i

Yk-i+1

Yk

Vendor

16

PDA-PayWord: Withdrawal Timings

Amount($)

Hash ChainSize (words)

Avg time(ms)

5 100 504

10 200 896

20 400 1667

50 1000 3970

Sign Withdrawal Request (ECC-DSA) +Receive HCC = 1874msHash Chain CertificateVerification: 1008ms

Note: d = 5

17

PDA-PayWord: Purchase Timings

InstrumentAmount ($)

HashesReq’d

(words)

TransactionTime (ms)

5 70 1090

10 170 1467

15 370 2267

50 970 4580

(First time $1.50 buy)

18

PDA-PayWord Variations

Multiple hash chains / Multiple denominations

Storing “sentinel” values

Multiple Vendors (Introduce Online Broker)

19

Conclusions / Summary

PDA = portable commerce device w/o

tamper resistanceSuitable for small paymentsCommerce protocols can be adapted

Example: PDA-PayWord leverages best of ECC and RSA

20

Acknowledements

Certicom

Andrew Toy