A roadmap to electronic payment transaction guarantees and a Colored Petri Net model checking approach
Introduction
Electronic payment systems are expected to ensure that payment transactions occur atomically. This means that each participating node must reach the same conclusion as to whether an ongoing payment is to be completed, even in the face of failures. Atomicity is one of the key properties (Atomicity, Consistency, Isolation and Durability) – known as ACID properties – of modern transactional information systems [20]. In these systems, the mechanism used for achieving atomic commitment (e.g. the two-phase commit protocol) is bundled together with a specific program-to-program communication protocol and that protocol lives on top of an appropriate infrastructure. In electronic payments, participants may use communication protocols for which there are no transactional variants (e.g. HTTP) and the programs may be deployed in very heterogeneous application environments. For these reasons, electronic payment systems cannot rely on traditional transaction mechanisms.
Another problem is that in addition to potential system crashes and accompanying message omission failures, we have to take into account the possibility of fraudulent behavior by the payment participants, as well as the well-known security flaws of the Internet infrastructure. A payment protocol must provide an appropriate combination of transaction guarantees that depends on the application domain. Thus, we need means for proving the expected transaction guarantees and for studying the protection requirements against potential security flaws and intrusion attacks [6].
We focus on payment transaction guarantees like money conservation, no double spending, goods atomicity, distributed payment atomicity and certified delivery or validated receipt. Security concerns [1], [36] are skimmed only to the degree needed to enable safe payments, in the presence of various transaction attack scenarios or potentially fraudulent behavior. Also, we refer to the high-level transaction guarantees of fairness [2] and protection of participants’ interests [47].
The proposed model checking approach verifies the aforementioned transaction guarantees from different participants’ perspectives, which are selected based on the adopted trust model. We suggest the construction and validation of a Colored Petri Net (CP-net) that reflects all protocol execution scenarios, including unilateral transaction aborts, potentially fraudulent behavior and all site failure and message loss possibilities. Valuable features of the CP-net modeling language that play an important role in our model checking approach are: (i) the fact that the formalism builds upon true concurrency instead of an interleaving-based semantics, (ii) the fact that CP-nets provide a compact description of control, synchronization and data manipulation, resulting in an explicit representation of both model states and events, and (iii) the wide range of analysis alternatives, which allow us to conveniently express and subsequently check the required model correctness criteria and the expected payment transaction guarantees.
The model is built in CPN Tools [13], an advanced toolset for editing, simulating and analyzing CP-nets [22]. The expected guarantees are verified by CTL-based (Computation Tree Temporal Logic) model checking. Our approach is described in terms of a CP-net developed for NetBill, a system for Internet-based micropayments for information goods and services.
Section 2 provides an overview of electronic payments and defines the transaction guarantees of interest. Section 3 describes the proposed model building and validation approach. Section 4 refers to the CTL-based model checking of the expected transaction guarantees in terms of the developed NetBill CP-net. Section 5 outlines related model checking works and other CP-net solutions to specific e-commerce problems. We conclude with a discussion on the usefulness of the proposed approach and its potential impact.
Section snippets
Electronic payment models
The growing importance of e-commerce and the ever-increasing number of business transaction models have resulted in a plethora of payment systems. On-line payments involve communication with a trusted third party (TTP) during payment and, in general, they are considered more secure than off-line payments, which involve only the payer and the payee.
The vast majority of Internet payment systems are on-line systems that perform either:
- Credit-card payments (First Virtual, CyberCash, iKP, Anonymous
The Colored Petri Net modeling language
Apart from the proposed CP-net analysis, two alternatives have been used in model checking payment transaction guarantees. The work of [19] uses the SPIN model checker and the one reported in [21] employs a Communicating Sequential Processes approach and the Failure Divergence Refinement (FDR) tool [39]. Both of them adopt a process-based representation of the system, where processes are described using events and operators. Events cause a process to change state, but the representation of
Model checking payment transaction guarantees
The NetBill system aims to provide a wide range of payment transaction guarantees, from those mentioned in Section 2.2. The protocol’s design adopts an encryption-based atomicity approach [44], where the goods are initially sent to C in an encrypted form and therefore cannot be used without the required decryption key. The key is dispatched only on receipt of the corresponding payment. On the other hand, payment systems that adopt an authority-based atomicity approach [38] require the TTP to
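As an added illustration (not the paper's CP-net and not CPN Tools output), the following Python sketch treats a simplified NetBill-style exchange as a 1-safe Petri net, builds its reachability graph, and checks goods atomicity at every dead marking; all place and transition names are constructed for this example. A dropped key message yields a dead marking in which M is paid but C cannot use the goods; adding a key retransmission transition removes that violation.

```python
"""Toy 1-safe Petri net of a simplified NetBill-style exchange (constructed
for illustration; not the paper's model). A marking is a frozenset of
marked places; a transition is a (preset, postset) pair of places."""

def reachable(initial, transitions):
    """Explore the reachability (occurrence) graph: marking -> successors."""
    graph, stack = {}, [initial]
    while stack:
        m = stack.pop()
        if m in graph:
            continue
        succ = set()
        for pre, post in transitions.values():
            if pre <= m:                      # transition enabled in m
                succ.add((m - pre) | post)    # fire it
        graph[m] = succ
        stack.extend(succ)
    return graph

def dead_markings(graph):
    """Terminal markings: no enabled transition (where a protocol ends up)."""
    return [m for m, succ in graph.items() if not succ]

def goods_atomic(m):
    """Goods atomicity: M has the payment iff C can actually use the goods."""
    return ("M_paid" in m) == ("C_has_goods" in m)

def violations(initial, transitions):
    """Dead markings that break goods atomicity (empty list = guarantee holds)."""
    return [m for m in dead_markings(reachable(initial, transitions))
            if not goods_atomic(m)]

P = frozenset  # shorthand for sets of places
INIT = P({"C_start", "M_start"})
BASE = {  # encryption-based atomicity: encrypted goods first, key after payment
    "M_send_enc": (P({"M_start"}),               P({"enc_msg", "M_wait_pay"})),
    "C_recv_enc": (P({"C_start", "enc_msg"}),    P({"C_has_enc", "pay_msg"})),
    "pay_lost":   (P({"pay_msg"}),               P()),             # message loss
    "M_recv_pay": (P({"M_wait_pay", "pay_msg"}), P({"M_paid", "key_msg"})),
    "key_lost":   (P({"key_msg"}),               P({"key_dropped"})),
    "C_recv_key": (P({"C_has_enc", "key_msg"}),  P({"C_has_goods"})),
}
# Repaired variant: M retransmits the key while it holds the payment.
FIXED = dict(BASE, key_resend=(P({"M_paid", "key_dropped"}), P({"M_paid", "key_msg"})))

if __name__ == "__main__":
    print("violations without key resend:", violations(INIT, BASE))
    print("violations with key resend:   ", violations(INIT, FIXED))
```

The lost-payment path ends in a dead marking where neither side has progressed, which goods atomicity accepts; the repaired net keeps a key_lost/key_resend cycle, so a livelock check (terminal SCCs, as the paper's correctness criteria require) is still needed beyond the dead-marking check shown here.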
Related work
Part of our work refers to model checking fault tolerance with respect to the described payment transaction guarantees. In related work, we refer to the analysis reported in [8] for verifying the redundancy mechanisms employed in fault-tolerant control systems. Two different formalisms are interchangeably used to specify a system: the Calculus of Communicating Systems (CCS)/Meije process algebra [4] and a Labeled Transition System (LTS) representation developed with the ATG tool [40]. The JACK
Conclusion
This work’s contribution is a systematic approach in the development and validation of high-level CP-net models of electronic payment systems. We proposed the use of four different types of places and an automata-driven model building technique. The developed models are appropriate for model checking all levels of transaction atomicity guarantees, as well as potential protocol-level intrusion attacks. In the obtained model checking results we take into account all cases of site failures,
Acknowledgments
We acknowledge the CPN Tools team at Aarhus University, Denmark, for kindly providing us with a license to use the valuable CP-net toolset. We also acknowledge the anonymous referees for their thorough contribution to improving the quality of the present article.
References (48)
- et al., An anonymous and failure resilient fair-exchange e-commerce protocol, Decision Support Systems (2005)
- et al., Finite-state analysis of two contract signing protocols, Theoretical Computer Science (2002)
- et al., State of the art in electronic payment systems, IEEE Computer (1997)
- N. Asokan, Fairness in Electronic Commerce, PhD Thesis, University of Waterloo, Ontario, Canada, ...
- et al., Modeling and verification of cryptographic protocols using Coloured Petri Nets and Design/CPN, Nordic Journal of Computing (2005)
- et al., Algèbre de processus et synchronisation, Theoretical Computer Science (1989)
- S. Basagiannis, P. Katsaros, A. Pombortsis, Interlocking control by distributed signal boxes: design and verification ...
- S. Basagiannis, P. Katsaros, A. Pombortsis, Intrusion attack tactics for the model checking of e-commerce security ...
- et al., Systems and Software Verification – Model-Checking Techniques and Tools (2001)
- et al., Model checking fault tolerant systems, Software Testing, Verification and Reliability, Wiley (2002)
- The integration project for the JACK environment, Bulletin of the EATCS
- e-Business & e-Commerce: How to Program
Cited by (33)
- Modeling and safety analysis for collaborative safety-critical systems using hierarchical colored Petri nets. 2024, Journal of Systems and Software
- Formal model-based quantitative safety analysis using timed Coloured Petri Nets. 2018, Reliability Engineering and System Safety. Citation excerpt: A Petri net model is in a livelock condition when it reaches a subset of its markings from which it has no possibility of exiting. According to [43], one of the following two forms can be taken to check the absence of livelocks: if the state space and its SCC graph are isomorphic and contain no self-loops, then the system model is livelock-free; if the state space contains self-loops or if there exists at least one strongly connected component that consists of more than one node (i.e., the number of nodes in the SCC graph is less than the ones in the state space), then we need to check if all terminal components are trivial (i.e., consist of a single node and no arcs). A non-standard query for the latter situation could be found in [43].
- Verification of the safety communication protocol in train control system using colored Petri net. 2012, Reliability Engineering and System Safety. Citation excerpt: Fig. 4 shows part of the state space analysis report for the safety layer model. Liveness properties provide information regarding [37]: Dead markings, i.e., markings with no enabled transitions.
- Performance analysis and verification of safety communication protocol in train control system. 2011, Computer Standards and Interfaces. Citation excerpt: Errors in the CPN model of protocols can be discovered by analyzing the state space of it, which is also called occurrence graph or reachability graph, containing all possible events and reachability states [17,18]. State space analysis is used to explore a standard set of dynamic properties for the developed high-level protocol model and to validate (or correct) the model with respect to a set of model correctness criteria that include [19]: the absence of self-loop terminal markings,
- Quantitative analysis of a certified e-mail protocol in mobile environments: A probabilistic model checking approach. 2011, Computers and Security. Citation excerpt: Conclusions and future work insights are given in Section 6. Given the widespread use of wireless and mobile communications (Miorandi et al., 2007; Bi et al., 2001; Zhang et al., 2010; Liaskos et al., 2010), it is essential for protocol designers to verify the security properties (Katsaros, 2009) that they are supposed to provide as well as to quantify their cost-related properties. This fact makes probabilistic model checking a promising approach towards quantitative analysis of protocols (Kwiatkowska et al., 2004; Basagiannis et al., 2009).
- Parameterized reachability graph for software model checking based on PDNet. 2023, Computing and Informatics