This Article 
 Bibliographic References 
 Add to: 
A Flexible Payment Scheme and Its Role-Based Access Control
March 2005 (vol. 17 no. 3)
pp. 425-436
Jinli Cao, IEEE Computer Society
This paper proposes a practical payment protocol with scalable anonymity for Internet purchases, and analyzes its role-based access control (RBAC). The protocol uses electronic cash for payment transactions. It is an offline payment scheme that can prevent a consumer from spending a coin more than once. Consumers can improve anonymity if they are worried about disclosure of their identities to banks. An agent provides high anonymity through the issue of a certification. The agent certifies reencrypted data after verifying the validity of the content from consumers, but with no private information of the consumers required. With this new method, each consumer can get the required anonymity level, depending on the available time, computation, and cost. We use RBAC to manage the new payment scheme and improve its integrity. With RBAC, each user may be assigned one or more roles, and each role can be assigned one or more privileges that are permitted to users in that role. To reduce conflicts of different roles and decrease complexities of administration, duty separation constraints, role hierarchies, and scenarios of end-users are analyzed.

[1] D. Chaum, “Blind Signature for Untraceable Payments,” Proc. Advances in Cryptology–Crypto '82, pp. 199-203, 1983.
[2] B. Cox, J.D. Tygar, and M. Sirbu, “NetBill Security and Transaction Protocol,” Proc. First USENIX Workshop Electronic Commerce, 1995.
[3] MastercardVisa, SET 1.0— Secure Electronic Transaction Specification, http://www.mastercard.comset.html, 1997.
[4] D. Chaum, “DigiCash, an Introduction to E–Cash,” http:/, 1995.
[5] H. Wang, J. Cao, and Y. Kambayashi, “Building a Consumer Anonymity Scalable Payment Protocol for the Internet Purchases,” Proc. 12th Int'l Workshop Research Issues on Data Eng.: Eng. E-Commerce/E-Business Systems, pp. 159-168, 2002.
[6] D. Chaum and H. Antwerpen, “Undeniable Signatures,” Proc. Advances in Cryptology–Crypto '89, pp. 212-216, 1990.
[7] A. Chan, Y. Frankel, and Y. Tsiounis, “An Efficient Off-Line Electronic Cash Scheme as Secure as RSA,” NU-CCS-96-03, Northeastern Univ., 1995.
[8] R. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Comm. ACM, vol. 21, pp. 120-126, 1978.
[9] M. Franklin and M. Yung, “Secure and Efficient Off-Line Digital Money,” Proc. 20th Int'l Colloquium Automata, Languages, and Programming, pp. 265-276, 1993.
[10] T. Poutanen, H. Hinton, and M. Stumm, “NetCents: A Lightweight Protocol for Secure Micropayments,” Proc. Third USENIX Workshop Electronic Commerce, 1998.
[11] D. Pointcheval, “Self-Scrambling Anonymizers,” Proc. Financial Cryptography, pp. 259-275, 2001.
[12] D. Ferraiolo, J. Cugini, and D. Kuhn, “Role-Based Access Control (RBAC): Features and Motivations,” Proc. Computer Security Applications Conf., pp. 241-248, 1995.
[13] D. Ferraiolo, R. Sandhu, S. Gavrila, R. Kuhn, and R. Chandramouli, “Proposed NIST Standard for Role-Based Access Control,” ACM Trans. Information System Security, vol. 4, no. 3, pp. 224-274, 2001.
[14] R. Sandhu, D. Ferraiolo, and R. Kuhn, “The NIST Model for Role-Based Access Control: Towards a Unified Standard,” Proc. Fifth ACM Workshop Role-Based Access Control, pp. 47-63,, 2000.
[15] V. Gligor, S. Gavrila, and D. Ferraiolo, “On the Formal Definition of Separation-of-Duty Policies and Their Composition,” Proc. 19th IEEE CS Symp. Research in Security and Privacy, , 1998.
[16] J. Barkley, K. Beznosov, and J. Uppal, “Supporting Relationships in Access Control Using Role Based Access Control,” Proc. Fourth ACM Workshop Role Based Access Control, pp. 55-65, 1999.
[17] D. Ferraiolo, J. Barkley, and D. Kuhn, “Role-Based Access Control Model and Reference Implementation within a Corporate Intranet,” ACM Trans. Information and System Security (TISSEC), vol. 2, pp. 34-64, 1999.
[18] R. Sandhu, “Role Activation Hierarchies,” Proc. Third ACM Workshop Role Based Access Control, http:, 1998.
[19] R. Sandhu, “Future Directions in Role-Based Access Control Models,” Proc. Int'l Workshop Information Assurance in Computer Networks, pp. 22-26, 2001,
[20] M. Bellare, O. Goldreich, and H. Krawczyk, “Stateless Evaluation of Pseudorandom Functions: Security beyond the Birthday Barrier,” Proc. 19th Ann. Int'l Cryptology Conf. Advances in Cryptology, pp. 270-287, 1999.
[21] R. Canetti, O. Goldreich, and S. Halevi, “The Random Oracle Methodology” Proc. 30th ACM Symp. Theory of Computing (STOC '98), pp. 209-218, 1998.
[22] R. Rivest, “The MD5 Message Digest Algorithm,” Internet RFC 1321, 1992.
[23] T. EIGamal, “Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” IEEE Trans. Information Theory, vol. 31, pp. 469-472, 1985.
[24] D. Chaum, A. Fiat, and M. Naor, “Untraceable Electronic cash,” Proc. Advances in Cryptology–Crypto '88, pp. 319-327, 1990.
[25] C. Schnorr, “Efficient Signature Generation by Smart Cards,” Cryptology, vol. 4, pp. 161-174, 1991.
[26] T. Yiannis, “Fair Off-Line Cash Made Easy,” Proc. Advances in Cryptology–Asiacrypt '98, pp. 240-252, 1998.
[27] T. Okamoto, “An Efficient Divisible Electronic Cash Scheme,” Proc. Advances in Cryptology–Crypto '95, pp. 438-451, 1995.
[28] T. Yiannis and M. Yung, “On the Security of ElGamal-Based Encryption,” Proc. Int'l Workshop Practice and Theory in Public Key Cryptography,, 1998.
[29] M. Burrows, M. Abadi, and R. Needham, “A Logic of Authentication,” Proc. Royal Soc., , 1996.
[30] H. Wang and Y. Zhang, “Untraceable Off-Line Electronic Cash Flow in E-Commerce,” Proc. 24th Australian Computer Science Conf. (ACSC 2001), pp. 191-198, 2001.
[31] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, “Achieving Secure and Flexible M-Services through Tickets,” IEEE Trans. Systems, Man, and Cybernetics, special issue on M-Services, vol. 33, no. 6, pp. 697-708, 2003.
[32] D. Goldschlag, M. Reed, and P. Syverson, “Onion Routing for Anonymous and Private Internet Connections,” Comm. ACM, vol. 24, pp. 39-41, 1999.

Index Terms:
Electronic-cash, anonymity, integrity, trace ability, hash function.
Hua Wang, Jinli Cao, Yanchun Zhang, "A Flexible Payment Scheme and Its Role-Based Access Control," IEEE Transactions on Knowledge and Data Engineering, vol. 17, no. 3, pp. 425-436, March 2005, doi:10.1109/TKDE.2005.35
Usage of this product signifies your acceptance of the Terms of Use.