Lightweight Security Primitives for E-Commerce

Emerging applications in electronic commerce of ten involve very low cost transactions which ex ecute in the context of ongoing extended client server relationships For example consider a web site server which o ers repeated authenticated personalized stock quotes to each of its subscribers clients The value of a single transaction e g de livery of a web page with a customized set of quotes does not warrant the cost of executing a handshake and key distribution protocol Also a client might not always use the same machine during such an extended relationship e g a PC at home a laptop on a trip Typical transport session layer security mechanisms such as SSL and S HTTP either require handshake key distribution for each transaction or do not support client mobility We propose a new security framework for extended relationships between clients and servers based on persistent shared keys We argue that this is a pre ferred model for inexpensive transactions executing within extended relationships Our main contri bution is the design and implementation of a set of lightweight application layer primitives for generating and maintaining persistent shared keys without requiring a client to store any informa tion between transactions and securing a wide range of web transactions e g subscription au thenticated and or private delivery of information receipts with adequate computational cost Our protocols require public key infrastructure only for servers vendors and its usage only once per client upon rst interaction