COS 496: Information Security

Spring 1999

General information
Schedule
Homework

Assignment 2: Lottery Security Design

You have been hired by the agency that runs the state lottery to design a strategy for managing the interaction between the lottery's central office and the "lottery terminals" in stores throughout the state.  Your task in this assignment is to write a memo describing your proposed design, and discussing how well your design meets the criteria set out below.  You will be graded partly on your design, and partly on your analysis and critique of your own design.

How the Lottery Works

Lottery tickets cost \$1 each and are sold by lottery terminals that are placed in convenience stores throughout the state.  Each lottery ticket has three things printed on it: the identity of the terminal that printed it, a timestamp that marks when it was printed, and a "lucky number" which is an integer between 0 and 9,999,999 inclusive.   Lottery tickets go an sale at 8:00 AM every Monday, and can be bought until 11:00 PM on Saturday.  Lottery terminals are programmed to refuse to dispense tickets between 11:00 PM Saturday and 8:00 AM Monday.

At 11:30 PM every Saturday, a random number generator in the central lottery office generates the "weekly drawing" which is a randomly chosen integer between 0 and 9,999,999 inclusive.  On Sunday, anybody who has a ticket that (a) was sold within the last week, and (b) has a lucky number that matches the weekly drawing, can turn in that ticket.  The lottery agency has one week to validate the ticket; if it is successfully validated, the person who turned it in gets \$5,000,000 in cash.  Any number of winning tickets, or none at all, might exist.

Tickets are dispensed by lottery terminals, which are small hardware devices that the lottery agency leases to the owners of convenience stores throughout the state. The store puts the terminal next to the store's cash register.  A customer who wants to buy a lottery ticket enters his or her chosen lucky number by pressing buttons on the terminal, or the customer presses a special button asking the terminal to generate a lucky number randomly.  The customer then pays the store clerk \$1.  Finally, the store clerk presses a button that causes the terminal to dispense the ticket to the customer.

At the end of the week, each store tells the lottery agency how many tickets the store sold that week.  The store gives the lottery ninety cents for each sale that the store reports; the store gets to keep the other ten cents.

Practical Considerations

Tickets are printed on special paper that is hard to forge, and they use special ink that is hard to erase.  But since the cost to create each ticket is necessarily low, it is certainly possible for a determined criminal to forge a ticket or to modify a legitimate ticket.  In other words, you can't necessarily tell whether a ticket is forged just by looking at it.

You can assume that the lottery terminals are tamperproof, in the sense that there is no way to open up the terminal or modify its innards without irrevocably breaking the terminal.  However, a criminal might steal a terminal and hide it or might smash a terminal to bits deliberately.

Each terminal has an accurate, tamperproof clock inside it.

Some store owners are dishonest and may try to "lowball" you by lying about how many tickets they sold and pocketing the extra money.  One of your goals is to make it hard for store owners to do this without getting caught.

Each terminal costs you \$50 per week; this includes maintenance plus the amortized cost of buying the terminal.

You can add one or more modems to each terminal, and you can add any number of modems at the central office, but every modem (plus its associated dedicated phone line) costs \$10 per week.   A modem that you decide to "build in" to a terminal can be put inside the tamperproof module so that it is impossible for anyone to tamper with the modem without breaking it.

If you want, you can have each terminal create a weekly log of its activities on a floppy disk.  This facility costs \$1 per terminal per week, and you can assume that it is tamperproof.   You can have a lottery courier drive out to a store and use a special key to open the terminal and get a copy of the log.  A courier can visit 200 stores per week, and it costs you \$2000 per week per courier for salary, benefits, the courier's car, and police officers to do background checks on the couriers.

There are 10,000 lottery terminals in the state.

Criteria

Your design should strive to meet the following three criteria, which are listed in decreasing order of importance:
• It should be virtually impossible for anyone to create a bogus "winning" ticket (for example, by forging the ticket rather than buying it from a legitimate terminal, or by buying a legitimate ticket and changing its numbers or its timestamp) and cash in that ticket successfully.
• It should be difficult for a merchant to sell a ticket without eventually turning over ninety cents for that ticket to the lottery agency.
• The cost of your design should be as low as possible.  Note that you have enough data to calculate the cost, including the cost of the terminals, and any modems, logging hardware, and/or couriers you decide to use.