隨著網際網路的普及與電子商務的興起，網路拍賣儼然已成為時下最熱門的購物方式之一，但其中發生過為數不少的詐騙事件，這樣多少都會造成消費者對於線上購物有所顧忌，進而阻礙網路拍賣的發展。面對日益嚴重的網路詐騙問題，各大拍賣網站紛紛提出保障方案，然而現行的解決方案皆有其缺失，因此有必要對網路拍賣環境設計一個公平的交易方式。
有鑑於今日網路拍賣的詐騙問題頻傳，且尚無正式標準解決此問題，本研究提出了一個適用於網路拍賣的公平交換協定，讓參與拍賣活動的買賣雙方，能以一個公平的方式進行交易。此協定是以Nenadic, et al.（2005）提出之可驗證與可復原的加密DSA簽章（Verifiable and Recoverable Encryption of DSA Signature）與Song和Korba（2004）提出的電子現金技術為基礎，所設計出的一個公平交換協定，此協定能滿足：(1)確保交易結果的公平性、(2)保障交易訊息的隱私性、(3)產生不可否認證據以證明交易雙方參與其中、(4)允許買方驗證商品，以確保所收到商品是交易前指定的、(5)降低拍賣網站對於交易過程的涉入程度。本研究期望透過密碼學的方法來保障買賣雙方的交易安全，進一步解決網路拍賣弊端，提升網路拍賣的安全性。

With the popularity of internet and the rise of electronic commerce, internet auctions have become one of the most popular shopping ways. But, there are so many cheating events in internet auctions, which will cause the consumers to doubt of the feasibility of online shopping and obstruct the development of internet auctions. Facing the increasing cheating problems of internet auctions, some major auction websites guarantee their customers against all lost and bring out some policies. However, these policies have some deficiencies, so it is necessary to design a fair transaction way for the environment of internet auctions.
Because the cheating problems in the internet auction are getting worse, there is still no standard protocol to solve these problems. This study proposes a fair exchange protocol for internet auctions, which can let the buyer and seller deal with the transaction in a fair way. This protocol is based on the verifiable and recoverable encryption of DSA signature posed by Nenadic, et al. (2005) and the technique of electronic cash posed by Song and Korba (2004) to design a fair exchange protocol. This protocol can: (1) assure the fairness of transaction result, (2) protect the privacy of transaction message, (3) produce non-repudiation evidence to prove the participation of buyer and seller, (4) allow the buyer to verify the goods that are correct, and (5) reduce auction websites’ involving extent during the transaction process. This study using the cryptography method to ensure the transaction security between buyers and sellers, and expects to solve the problem and promote the security of internet auctions.

第壹章　緒論　1
第一節　研究背景　1
第二節　研究目的　4
第三節　研究架構　5
第貳章　文獻探討　7
第一節　公平交換協定　7
一、公平交換需求　8
二、公平交換協定類型　9
第二節　密碼學技術　12
一、對稱式密碼系統　13
二、非對稱式密碼系統　14
三、雜湊函數　15
四、數位簽章　16
五、數位憑證　19
六、公開金鑰基礎建設　20
第三節　可驗證與可復原的加密DSA簽章　21
一、DSA為基礎之VRES　21
二、VRES安全性分析　22
第四節　電子現金　23
第參章　網路拍賣公平交換協定　27
第一節　協定架構　27
第二節　協定符號與參數　28
第三節　協定執行流程　29
一、前置作業階段　29
二、交易進行階段　30
三、紛爭處理階段　34
第肆章　安全及複雜度分析　39
第一節　安全性分析　39
一、內部攻擊分析　39
二、安全需求分析　41
第二節　應用模型檢查方法　42
一、模型檢查簡介　42
二、SPIN與Promela簡介　43
三、正規驗證　45
第三節　複雜度分析　50
第伍章　結論與未來研究方向　53
參考文獻　55
附 錄 一　59
附 錄 二　75

1.刑事警察大隊，網拍安全靠自保，刑事警察網，2005/05/12。2005/10/15，取自：http://www.kmph.gov.tw/cid/ArticleDetail.aspx?Parm=2707,29,2823,873,6。
2.李雅萍，2003年我國家庭資訊通信技術應用概況，資策會FIND網站，2003/12/25。2005/10/06，取自：http://www.find.org.tw/0105/howmany/howmany_disp.asp?id=65。
3.阮健錫，使用離線半信任第三方公平交換協定之研究，義守大學資訊管理研究所碩士論文，2003。
4.林沛欣，應用模型檢查方法偵測電信系統之特徵交互影響問題，交通大學資訊工程研究所碩士論文，2002。
5.奇摩拍賣買家/賣家保障方案，Yahoo!奇摩拍賣網站，無日期。2005/10/06，取自：http://tw.bid.yahoo.com/phtml/auc/tw/tos_add/protection.html。
6.胡釗維、林宏達，讓eBay在中國當老二的網拍公司，商業周刊，第921期，2005/07，頁68-69。
7.粘添壽、吳順裕，資訊與網路安全技術，旗標，2004/05，頁7-17。
8.陳曉藍，網路詐騙滿天飛－拍賣網紛提保障方案，東森新聞報，2004/06/30。2005/10/21，取自：http://www.ettoday.com/2004/06/30/10846-1651678.htm。
9.雷欽隆、范俊逸，行動電子商務安全，資通安全專輯，第16期，2005/06。
10.購物安全保障，eBay拍賣網站，無日期。2005/10/06，取自：http://pages.tw.ebay.com/help/community/fpp-guide.html。
11.Abe, M. & Fujisaki, E., How to Date Blind Signatures, Advances in Cryptology-ASIACRYPT’96, (LNCS 1163), 1996, pp. 244-251.
12.Asokan, N., Fairness in electronic commerce, PhD thesis, University of Waterloo, May 1998.
13.Asokan, N., Shoup, V. & Waidner, M., Asynchronous protocols for optimistic fair exchange, Proceedings of the IEEE Symp, On Security and Privacy, Oakland, CA, May 3-6, 1998, pp. 86-100.
14.Bao, F., Deng, R. & Mao, W., Efficient and practical fair exchange protocols with off-line TTP, Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 3-6, 1998, pp. 77-85.
15.Bao, F., Deng, R., Nguyen, K. Q. & Varadharajan, V., Multi-Party Fair Exchange with an Off-Line Trusted Neutral Party, Proceedings of DEXA’99 Workshop on Electronic Commerce and Security, Florence, Italy, 1999, pp. 858-863.
16.Ben-Or, M., Goldrich, O., Micali, S. & Rivest, R., A fair protocol for signing contracts, IEEE Transactions on Information Theory, 36(1), 1990, pp. 40-46.
17.Bllom, B., Space/time Trade-offs in Hash Coding with Allowable Errors, Communications of the ACM, July, 1970.
18.Blum, M., How to exchange (secret) keys, ACM Transactions on Computer Systems, (1), 1983, pp. 175-193.
19.Chaum, D., Blind Signatures for Untraceable Payments, Advances in Cryptology: Proceedings of CRYPTO’82, New York, U.S.A., 1983, pp. 199-203.
20.Chaum, D., Fiat, A. & Naor, M., Untraceable Electronic Cash, Advances in Cryptology－CRYPTO’88 Proc., (LNCS 403), 1990, pp. 319-327.
21.Clarke, E., Grumberg, O., Jha, S., Lu, Y. & Veith, H., Progress on the state explosion problem in model checking. In Informatics, 10 Years Back, 10 Years Ahead, (LNCS 2000), 2001, pp. 176-194.
22.Damgard, I., A Design Principle for Hash Functions, Proceeding, CRYPTO’98, Springer-Verlag , 1998.
23.Deng, R. H., Gong, L., Lazar, A. A. & Wang, W., Practical protocol for certified electronic mail, Journal of Network and Systems Management, 4(3), 1996, pp. 279-297.
24.Diffie, W. & Hellman, M. E., New Directions in Cryptography, IEEE Transactions on Information Theory, 22(6), 1976, pp. 644-654.
25.Even, S., Goldreich, O. & Lempel, A., A randomized protocol for signing contracts, Communications of the ACM, 28(6), June, 1985, pp. 637-647.
26.Fan, C. I. & Lei, C. L., Low-computation partially blind signatures for electronic cash, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, (81-A), 1998, pp. 940-949.
27.Franklin, M. K. & Reiter, M. K., Fair exchange with a semi-trusted third party, Proceedings of the 4th ACM Conferences on Computer and Communications Security, April 1-4, 1997, pp. 1-5.
28.Holzmann, G. J., Design and validation of protocols: a tutorial, Computer Networks and ISDN Systems, (25), 1993, pp. 981-1017.
29.Holzmann, G. J., The model checker Spin, IEEE Transactions on Software Engineering, 23(5), 1997, pp. 279-295.
30.Merkle, R., C., A Fast Software One-Way Hash Function, Journal of Cryptology, 3(1), 1990, pp. 43-58.
31.National Institute of Standards and Technology, A proposed federal information processing standard for digital signature standard (DSS), Federal Register, 56(169), 1991, pp. 42980-42982.
32.Nechvatal, J., Public-Key Cryptography, Contemporary Cryptology: The Science of Information Integrity, G. J. Simmons, ed., Piscatoway, N. J.:IEEE Press, 1992, pp. 177-288.
33.Nenadic, A., Zhang, N., Shi, Q. & Goble, C., DSA-based Verifiable and Recoverable Encryption of Signatures and its Application in Certified E-Goods Delivery, Proceedings of the 2005 IEEE International Conference on e-Technology, e-Commerce and e-Service (EEE'05), 2005, pp. 94-99.
34.NIST, The digital signature standard proposed by NIST, Communications of the ACM, 35(7), 1992, pp. 36-40.
35.Palshikar, G. K., An introduction to model checking, embedded.com, December 2, 2004, Retrieved November 11, 2005, from the World Wide Web: http://www.embedded.com/showArticle.jhtml?articleID=17603352.
36.Ray, I., Ray, I. & Natarajan, N., An Anonymous and Failure Resilient Fair-Exchange E-Commerce Protocol, Decision Support Systems, (39), 2005, pp. 267-292.
37.RFC 3280, RFC-ARCHIVE, 2002. Retrieved October 18, 2005, from the World Wide Web: http://www.rfc-archive.org/getrfc.php?rfc=3280.
38.Rivest, R., The MD4 Message Digiest Algorithm, Proceedings, Crypto’90, Springer-Verlage , August 1990.
39.Sandholm, T. W. & Lesser, V. R., Advantages of a leveled commitment contracting protocol, Proceedings of the 13th National Conference on Artificial Intelligence, Portland, OR, The MIT Press, Massachusetts, 1996, pp. 126-133.
40.Schneier, B., Applied Cryptography, John Wiley and Sons, Inc., 1994, pp. 17-24.
41.Shapiro, C. & Varian, H. R., Information Rules, Harvard Business School Press, 1998.
42.Song, R. & Korba, L., How to Make E-cash with Non-Repudiation and Anonymity, Proceeding of the International Conference on Information Technology (ITCC 2004), Las Vegas, Nevada, USA, 2004, pp. 167-172.
43.Stallings, W., Cryptography and Network Security Principles and Practices, 3nd ed, Englewood Cliffs, NJ: Prentice Hall, 2003.
44.Wang, X., Feng, D., Lai, X. & Yu, H., Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD, Cryptology ePrint Archive, August 17, 2004, Retrieved November 25, 2005, from the World Wide Web: http://eprint.iacr.org/2004/199.pdf.
45.Wu, C. K. & Varadharajan, V., Fair Exchange of Digital Signatures with Off-line Trusted Third Party, Proceedings of Information and Communications Security (ICICS2001), (LNCS 2229), Springer-Verlag, 2001, pp. 466-470.
46.Zhang, N., Shi, Q. & Merabti, M., A flexible approach to secure and fair document exchange, The Computer Journal, 42(7), 1999, pp. 569-581.
47.Zhou, J. & Gollmann, D., A Fair Non-repudiation Protocol, Proceedings of IEEE Symposium on Research in Security and Privacy, Oakland, CA, May, 1996, pp. 55-61.