Trusted Third Parties

Trusted third parties (TTPs) play a central role in electronic commerce. Basic protocols like fair exchange and public key certification cannot operate without them. Traditionally, a TTP is implemented on a single host, so that, if used for a security-critical application such as certification of public keys, the security of the complete application relies on the integrity of this host.

We designed a generic architecture for dependable TTP services using the protocols developed in WP2. We achieved dependability by distributing the trust onto several parties, such that confidentiality and availability of the service are guaranteed even if some servers are corrupted.

The results of WP2 provide support for transactional paradigms and group membership protocols and we used these to implement a distributed TTP. This required tools from distributed cryptography or threshold cryptography, such as a distributed signature scheme and a threshold cryptosystem. Threshold schemes are non-trivial extensions of the ordinary cryptographic schemes because the secret key cannot merely be replicated at all servers: a corrupted server might disclose the key. The existing schemes for threshold cryptographic protocols have all been formulated in a synchronous environment with secure atomic broadcast available. Because these assumptions are either unrealistic or unrealistically inefficient in an Internet environment, and because cryptographic protocols cannot always be combined in a nice modular way, further work was needed in order to provide the necessary secure cryptographic tools. This included the development of distributed signature schemes and threshold cryptosystems in partial-synchrony or asynchronous communication models.

Distributing the TTP also implies changing the applications that use the TTP; for example, a user request to the TTP might be replaced by requests to a quorum of all TTP servers, or might be repeated until one TTP server answers. We therefore developed the necessary abstraction layer for the interface between client and server for TTP applications.

Fair exchange between mutually distrusting parties is an important problem for electronic commerce. Protocols using the so-called "optimistic" approach have been proposed that rely on a TTP, but only for handling exceptions. The TTP is not involved in regular transactions if both partners comply and no messages are lost. We provided the specification and a prototype implementation of a dependable TTP for fair exchange using the optimistic approach.