Author

David Shaw

Date of Award

2012

Document Type

Thesis - ECU Access Only

Publisher

Edith Cowan University

Degree Name

Doctor of Philosophy

School

School of Computer and Security Science

Faculty

Faculty of Computing, Health and Science

First Supervisor

Professor Craig Valli

Second Supervisor

Doctor P.A.H. Williams

Abstract

Remote transactions globally transfer trillions of dollars annually. Many of these information exchanges are mediated, implicitly or explicitly, by a complex web of agencies that add to costs and introduce additional opportunities for error or misconduct. Further, additional records are created as part of the audit and transaction process. These transaction records may be used to enhance performance and generate new transactions, and are consequently of value. Further, these records provide some protection against error or misconduct by allocating responsibility for each transaction component. The conventional approach to remote transaction security is to add complexity and layers of arbitration to minimise losses at the cost of ease of use and flexibility. This research examined transaction characteristics and explored means of reducing the additional costs while providing transactions with security, flexibility and scalability. The critical issue is the control of transaction information which is principally used for dispute resolution and audit. However, it may also be used for unethical and even illegal purposes. Conventional techniques for information security such as encryption, hashing and signatures are reviewed and, additionally, reduction in participant numbers coupled with broadening of the hardware basis has been explored and recommendations are made for securing particular electronic remote transactions. User-management of transaction components and information is discussed, along with user-based mediation of identity, however, some form of arbitration or adjudication relying on transaction records need be assumed. The principal threat to transaction records is not the anonymous hacker, but the obsolescence imposed by ongoing changes in hardware, software and organisational procedures. Conservation of paper documents is an established discipline however, conservation of electronic records and hardware require additional considerations. The credit card transaction is used as a basis for the development of a prototype to increase the security of transactions under user control but the processes and methods are applicable to a much wider variety of transactions and can be implemented in a secure, flexible format. A user controlled prototype scheme with electronic signature usage is defined and common attack avenues are examined. The prototype software was developed and tested on Nokia mobile phones and the transactions performed provided flexibility and scalability with strong security. User choices in security levels are implemented and each unique transaction is uniquely processed making the transactions resistant to a variety of attacks. It is considered that while “User mediation” is feasible and may become common in some transactions it is unlikely to replace arbitration in high value transactions. While self-enforcing transactions are feasible in arbitrated and adjudicated regimes with some form of pre-arranged context, the existence of selfenforcing transactions without pre-existing context is not yet decided. In summary, these methods may change the way many current transaction regimes and applications do business and in doing so, will alter the balance of power in transactions by putting control onto the user with concomitant transfer of costs.

Share

 
COinS