Dipartimento di Informatica ed Applicazioni
Universita' di Salerno
84100 Baronissi (Salerno), Italy
Dipartimento di Informatica ed Applicazioni
Universita' di Salerno
84100 Baronissi (Salerno), Italy
While there is an enormous volume of money coming from online advertisement fees, actually there are no standard means to measure the exposure of web pages and hence the impact of an online advertising campaign. Metering schemes are required to monitor client and server interactions in order to have a secure and reliable measure of the usage of a Web site. In this paper we adapt an electronic payment protocol based on hash chains to support measuring the access to web pages and discuss a viable implementation.
secure metering, auditing, usage based accounting, cryptography.
Actually, the most diffused approaches for making money on the Internet are the exchange of physical goods or services and of commercial information through advertising. The annual volume of money involved in online advertising is in the order of billions of dollars and is still growing. There is hence the need to develop secure mechanisms to measure accesses to web pages and avoid any form of cheating for both the involved parties (clients, servers and audit agencies).
To measure accurately the amount of visits a site receives and hence the exposure of the advertising several metering scheme have been produced [1,2,3]. In a metering scheme, the players are the clients who surf the web, the servers which offer services and display advertisements, and an audit agency that counts the number of clients accessing the advertising pages. Typically the contract is between the audit agency and the servers, who agree on a certain amount of money the server earns for each received visit. As showed in , metering scheme are afflicted by hit inflation and hit shaving attacks. In fact, servers are motivated to simulate a larger number of visits to increase the amount of money they can claim from the audit agency (hit inflation). On the other hand, the audit agency could omit to pay the server for some number of visits (hit shaving), avoiding to pay for the visits the server claims to have received. Different settings and remedies are presented in .
We propose a metering scheme which is based on the well known idea of hash chains, previously used for user authentication and micro-payment systems . Differently from other similar approaches, we minimize the overhead due to the additional communication required to implement the protocol and still provide an efficient and flexible scheme. Our scheme can be used both for measuring the access to a given web page and for counting the number of visits through a referring page.
2. The authenticated metering protocol
We consider metering system consisting of n clients, say C1, ... ,Cn, interacting with an audit agency A and a server S. The audit agency wants to hold a measure of the number of times the clients visit the web pages hosted by the server S. The players agree on a one-way hash function H with the properties of pre-image resistance, 2nd-pre-image resistance and collision resistance .
The metering scheme we present here is based on the authentication of clients. Indeed, clients which are previously registered by the audit agency can access the services provided by the server S. The basic scheme can be easily extended to many servers, by constructing different hash chains for each different server.
The operations of the basic system are structured in the following way:
Initialization The Initialization phase starts when a client Ci contacts the audit agency and requests access to the provided service. A number of subsequent operations are started by each of the players:
- The Audit Agency calculates a random seed, say wi, the value of the k-th application of the hashing function H, wik=Hk(s), and stores the tuple [idC,k,wi] holding the seed and the number of guaranteed accesses with the client identifier idC. Then it sends the two tuples [idC,k,wi] and [idC,wik] to the client Ci and the server, respectively.
- The Client stores the tuple sent by A and retrieves the initial seed, the number k of accesses he has registered for, and then the he generates and stores the k values H1=H(wi), H2=H(H(wi)), ... , Hk= H( Hk-1(wi))
- The Server stores the tuple received from A in its database of registered clients, associating it with a counter LCi initially set to 0;
Interaction Interaction happens when the client Ci visits the server site S and wants to access the restricted services offered by S
- The client Ci, sends the tuple holding the actual token Hj(wi) for the j-th access, and updates the access counter decrementing its value;
- The server S on the reception of the tuple from the client, performs access control comparing the received value with the one stored, verifying that H(Hj(wi))=wij; if the test is positive then he will update its store with the new value H(Hi(wi)) associated with the client and increment the visitor's counter LCi;
Verification The verification phase begins when the server S claims the payment after a certain number of visits received in a certain period of time previously agreed with the agency.
- For each client Ci the server sends to A a tuple (Ci,wi LCi, LCi), containing the client's identifier associated with the last token and the visits counter;
- The agency A verifies that the value returned from S for the Ci client that effectuated j visits, with LCi=j, say vC is equal to Hk-j(wi)
2.1 Improved verification phase
In the previous protocol, the audit agency is able to verify with accuracy the number of the visits that the server claims to have received by the clients. However the price paid back is that the size of the proof is proportional with the number of clients. To improve the efficiency of the verification phase, we must modify the interaction between the server and the agency relying on the key idea of the authentication tree introduced by Merckle . Indeed, the values of the token wi relative to the token in the hash chain for the number of visit of the client Ci can be arranged as the leaves of a tree (the authentication tree). According to different agreements between the server and the audit agency, the size of the communication as well as the whole time spent for the verification can be reduced.
In this section we will briefly discuss a prototype implementation of the basic scheme of the protocol developed for the Linux platform, using Netscape Navigator (ver. 4.76) and the Apache Web Server (ver. 1.3.19).
The scenario we consider is the one where a web server decides to give access to its resources only if the clients are registered at the audit agency. The clients are motivated to register since in this way they get access to the services provided by S. The scheme applies well also in the case when S requests payment for its services. In this case, clients buy a number of accesses paying a fee to the audit agency during the registration phase.
The exigence of transparency for the client side of computation lead us to consider a plug-in for the realization of the protocol. Once that the plug-in is downloaded and installed on the client' computer, operation which is performed just once during the registration phase, no additional operations are requested to the users to execute the protocol.
The server side of the implementation has the task to authenticate the clients and provide in the positive case the resources requested. The verification of the access is performed verifying the correctness of the token sent by comparing its value with the one resulting from the application of the hash function to the value stored in the database. A first implementation of our protocol used a CGI to perform server side operations.
Figure 1. (a) meter request; (b) meter response.
Whenever the browser forwards an HTTP request for a protected web page, the web server answers with a message which activates the plug-in. At this point the plug-in constructs the meter-request which is handled by the CGI module. If the authentication is performed successfully the CGI program returns the home page of the monitored web site. As you can see in Figure 1, the communication overhead due to the additional bytes needed for the meter request/response is very small.
Figure 2. The architecture of the CGI based solution
A better solution relies on the development of an Apache module which allows the modification of the basic request loop of the web server, introducing handlers which are activated according to the different request type. In particular it is possible to give directives in the server configuration file, allowing all the requests for a web page contained in a particular server directory to be redirected to a new installed handler. For our purposes, this is important since a server site which would like to adopt the proposed metering scheme, can reduce the necessary intervention to few modifications on the web server.
We would like to thank Rocco Scappatura for fruitful comments and discussions on the topics of this paper. This work is partially supported by National Council for Research (C.N.R.) under grant CNRRG008BF3: "Pubblicità Online: Nuove Misure per Nuovi Media. Auditing e Accounting sicuro sul WEB".
- M. Franklin and D. Malkhi. Auditable Metering with Ligthweigth Security. Financial Criptography (FC '97) volume 1318 of LNCS, pages 151--160. Springer-Verlag, Berlin, 1997
- M. Naor and B. Pinkas. Secure accounting and auditing on the web. Proceedings of 9th World Wide Web Conference (WWW9) 1998.
- M. Naor and B. Pinkas. Secure and efficient metering. Proceedings of International Conference on the Theory and Application of Cryptographic Techniques (Eurocrypt '98), volume 1403 of LNCS, pages 576--590, Espoo, Finland, 1998.
- V. Anupam, A. Mayer, K. Nissim, B. Pinkas, and M. K. Reiter. On the security of pay-per-click and other web advertising schemes. Proceedings of 9th World Wide Web Conference (WWW9) 1998.
- M.K. Reiter, V. Anupam, and A. Mayer. Detecting hit shaving in click-through payment scheme. Proceedings of 3th USENIX Workshop on Electronic Commerce, pages 155--166, September 1998.
- R. Rivest and A. Shamir. Payword and micromint: Two simple micropayment schemes. Proceedings of International Workshop on Security Protocols, 1996.
- A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography
- R. C. Merkle. A certified digital signature. Proceedings of International Conference on the Theory and Application of Cryptographic Techniques (Crypto '89),volume 435 of LNCS, pages 218--238. Springer-Verlag, Berlin, 1990