
2010 International Conference on e-Education, e-Business, e-Management and e-Learning

A LIGHTWEIGHT AND SECURE PROTOCOL FOR MOBILE PAYMENTS VIA WIRELESS INTERNET IN M-COMMERCE
Ali Akbar Tabandehjooy
Shiraz University, Vartie@gmail.com

Navid Nazhand
PNU University, navidnazhand@gmail.com

ABSTRACT
One of the important ways of conducting e-commerce is through mobile devices, because they save time, are location independent and, most of all, are personal. Because of these traits, IT professionals and merchants are encouraged to use mobile devices more and more every day. In this article we propose a protocol for mobile payments in which security and authentication are implemented with a complex key.

KEYWORDS: M-commerce, Mobile devices, Mobile Payment, Payment security

I. INTRODUCTION

Mobile payment is payment via a mobile device, such as a mobile phone, PDA or mobile computer. The variety of uses and the privacy of these devices are the main reasons people rely on them and use them in their trades. Other advantages of mobile devices are their availability and portability. Each technology has its benefits and also its dark side. For instance, mobile devices, especially cell phones and PDAs, are not comparable with desktop computers in screen, keyboard, memory capacity and CPU strength, and many things that we do with desktop computers cannot be done with mobile devices. Wireless networks, for their part, have limitations such as bandwidth and network connection cost. Because of the limitations of mobile devices, mobile payment protocol designers cannot implement functions such as cryptography [1].

According to research, mobile payments can be classified into three different methods [2]. The first method is an alternative payment method on the Internet. By giving a cell phone number, users can use their phone to complete their transactions and be charged on their mobile carrier phone bill. The main advantages are that it is a fast method that gives consumers the opportunity to pay without a credit card, and that it does not require the merchant to invest in any special components or equipment. A disadvantage is that only a fixed amount of money can be transferred, in order to be charged on the mobile phone carrier bill.

The second method of mobile payment is to pay at a POS (point of sale) with a mobile phone. Consumers must synchronize with the merchant system to complete a transaction. An advantage of this method is that it is useful for micro-payments: when consumers do not have coins available, they can buy goods with their mobile phone. A disadvantage is that most of the applications require a modification of the mobile phone and the installation of a device in the merchant payment system.

The third method is payment for mobile commerce applications. In this method, the user chooses what he/she wants to buy and conducts the transaction with a secure mobile payment system. The main advantage of this method is that consumers can pay anytime, anywhere. A disadvantage is that current mobile phone technology is not 100% appropriate to mobile commerce. With the third generation of mobile phones and the development of wireless technologies, mobile payment solutions will likely gain a significant market share.

Some existing mobile payment protocols are briefly explained in Section II. Section III details our new protocol for mobile payment. Section IV explains the security issues of the proposed protocol. Finally, Section V concludes this work.

II. RELATED WORK

In this section, several existing payment protocols are reviewed. In general, these payment protocols are composed of four engaging parties [3]: the client (C), the merchant (M), the issuer (the client's financial institution) and the acquirer (the merchant's financial institution). Both issuer and acquirer are represented by a payment gateway (PG), which acts as a medium between them and both client and merchant for clearing purposes. Three primitive payment transactions occur within these payment protocols: payment (made by the client, concerning payment to the merchant), value subtraction (made by the client to request the issuer or payment gateway to deduct the requested amount of money from the client's account) and value claim (made by the merchant to request the acquirer or payment gateway to transfer the requested amount of money into the merchant's account). Their high-level protocol steps are shown below.

C → M: Payment Request, Value Subtraction Request
M → PG: Value Subtraction Request, Value Claim Request
PG → M: Value Claim Response, Value Subtraction Response
M → C: Payment Response, Value Subtraction Response

A. Secure Electronic Transaction (SET) protocol

The SET protocol is the well-known credit card payment protocol, which consists of request/response message pairs. All parties engaging in the SET payment protocol are required to obtain public key certificates. The SET protocol consists of five transaction steps, which are payment initialization,
978-0-7695-3948-5/10 $26.00 2010 IEEE DOI 10.1109/IC4E.2010.130

Authorized licensed use limited to: St. Joseph's College of Engineering & Technology. Downloaded on June 04,2010 at 04:43:28 UTC from IEEE Xplore. Restrictions apply.

purchase order, authorization, capture payment and card inquiry phase [1, 4, 6].

B. Internet Key protocol (iKP)

The iKP protocols are based on public key cryptography and differ from each other in the number of parties that possess their own public key pairs. This number is indicated by the name of the individual protocols: 1KP, 2KP and 3KP. The greater the number of parties that hold public-key pairs, the greater the level of security provided. The engaging parties of iKP are the customer, the merchant and the payment gateway (acquirer) [1, 4, 5].

C. Tellez J. et al.'s anonymous payment protocol

Tellez J. et al. [p3-14] proposed anonymous payment protocols based on a client centric model, which employs a digital signature scheme with message recovery using self-certified public keys. It consists of five engaging parties: client, merchant, acquirer, issuer and payment gateway. This payment protocol also consists of two sub-protocols, which are the merchant registration protocol and the payment protocol [7].

D. Kungpisdan et al.'s mobile payment protocol

Kungpisdan proposed a secure account-based mobile payment protocol that employs symmetric key operations, which require lower computation at all engaging parties. In general, there are five parties involved in this protocol: client, merchant, issuer, acquirer and payment gateway. Kungpisdan S. et al.'s protocol is composed of two sub-protocols, which are the merchant registration protocol and the payment protocol. Before making a payment, the client is required to register with the merchant by running the merchant registration protocol. After completion of the registration protocol, client and merchant share a set of secret keys Xi. The client also shares a secret Yi with the issuer, and a secret Zj is shared between merchant and payment gateway [1].

E. Tan Soo Fun et al.'s A Lightweight & Private Mobile Payment Protocol

a secure lightweight mobile payment protocol by using mobile network operator which employs symmetric key operations, protects the payer's privacy, ensures end-to-end security properties, provides accountability and satisfies the engaging parties' security requirements. The proposed mobile payment protocol consists of two sub-protocols, which are the registration protocol and the payment protocol. Both payer and payee are required to register with their own mobile network operator (MNO) before any transaction can take place. The payment protocol is based on the Credit Push Model, in which the transaction flow is completely controlled by the payer [3].

There are major problems that can be seen in these protocols:
- The merchant and acquirer should not take part in the client payment protocol, because it raises processing rates for a simple payment and also takes longer to process.
- High rates of using cryptography algorithms, hashes and digital signatures, as can be seen in Table 1 [3].
- Limiting the user to particular devices on which special software is installed.

It might be assumed that involving the merchant and acquirer and using many cryptographic algorithms gives higher security in payment, but we solve this problem more easily in our protocol.

III. OUR PROPOSED PROTOCOL

Our world benefits greatly from the Internet. Improvements in third-generation cell phones and the different protocols for connecting these devices to the Internet have solved the problem of how to connect to the Internet. PDAs and mobile computers use wireless adapters that support IEEE 802.11x standards to connect to the Internet using Wi-Fi and Wi-Max protocols. Each person can be a potential customer who may need to purchase anything. There is no difference between a customer and an e-buyer: a customer is a person who purchases from a market physically, and an e-buyer is a person who buys things from e-commerce websites. The proposed protocol provides two different solutions for these two kinds of customers. The mobile device used in this proposed protocol
Table 1: The comparison between different cryptography algorithms
Columns: Cryptographic Operations | Payer | Payee | PG
Cryptographic operations (each listed for SET, IKP, Kungpisdan and Tan Soo Fun): Public-key Encryptions; Public-key Decryptions; Signature Generations; Signature Verifications; Symmetric Key encryptions/decryptions; Hash Functions; Keyed-hash Functions

1 1 1 1 2 3 2 4 5 3 2 2 2 2 -

1 1 3 1 2 2 5 6 2 4 1 1 2 -

1 2 1 1 1 1 2 1 2 1 1 -


that is being used by the customer plays the role of a POS (point of sale) device.

A. First method

As shown in Figure 1, in this method the customer goes to a market and, after selecting the goods he needs, wants to pay for them. The customer uses his mobile device for payment. He sends a request to the issuer in order to make the payment. This is the same as withdrawing money from his account and depositing it into the merchant's account. The issuer has to provide a payment gateway to the customer so that he can commit the transaction. All the information transferred between the issuer and the customer via the gateway needs to be encrypted and decrypted with WTLS protocols. The customer has to enter some information into the payment gateway. This information includes:
- the account number or card number that the customer needs to withdraw the money from
- the account or card number password
- a complex key
- the account number or card number that the customer wants to deposit the money to
- the amount of money to be transferred

The issuer is obliged to carry out all the needed banking transactions between the acquirer and itself in a secured tunnel. The acquirer has to send a suitable message to the merchant after depositing the money into his account. This could be a text message (SMS) or an email, depending on the agreement between them. If for any reason a problem occurs during these transactions, the issuer has to roll back all of them.

B. Second method

As shown in Figure 2, in this method the customer is an e-buyer who tries to buy goods from e-commerce websites. The web site must provide the payment possibility for the e-buyer.

In this case, the acquirer has to provide a payment gateway to the customer. The owner of the virtual market (e-commerce web site) should make an agreement with the acquirer beforehand, for security reasons. The customer has to enter some information into the payment gateway. This information includes:
- the account number or card number that the customer needs to withdraw the money from
- the account or card number password
- a complex key

The payment gateway is reached by redirection from the website the customer purchases from, so the amount of money to be transferred is known by the PG. As mentioned before, the owner of the virtual market made an agreement with the acquirer before this redirection, so the PG knows the account number or card number into which the money must be deposited. The acquirer is obliged to carry out all the needed banking transactions between the issuer and itself in a secured tunnel. When the transaction completes successfully, a transaction id should be given to the customer and a suitable message should be sent to the owner of the virtual market. If for any reason a problem occurs during these transactions, the acquirer has to roll back all of them.

IV. SECURITY ANALYSIS

Security in m-commerce has four major factors: 1. Authentication 2. Confidentiality 3. Integrity 4. Non-repudiation. We evaluate our protocol in three steps to explain how these four factors are implemented in it.

Step 1: A complex key given by the issuer

When the issuer opens an account for a customer, it takes all his details, such as his birthday, identification number, etc. A complex key is generated from a private key, which is given to the customer by the issuer, and a number related to the customer's details. For example, the issuer asks the customer to enter the summation of his private key and his identification number. With algorithms such as this we can have many different complex keys. The protocol never asks the customer to enter his private key. This makes the complex key very secure. Nobody can find out what the private key is! And in each payment transaction the complex key will be different. All the algorithms used for generating the complex key are very simple for the issuer to implement. So if the customer wants to transfer a large amount of money, two or more complex keys must be taken from him. A complex key is very simple but very secure, because only the issuer and the customer know its details and how it is generated.
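The summation rule from Step 1, worked through as an added example (not code from the paper): it shows that a complex key formed by adding the private key to the identification number is only as secret as that number, next to a keyed-hash challenge-response variant of the same idea. The sample values, the function names and the HMAC variant are assumptions introduced here, including that the mobile device computes the response.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not taken from the paper.
PRIVATE_KEY = 48213977   # secret the issuer gave the customer
ID_NUMBER = 1234567890   # customer detail; printed on documents, so not secret


def complex_key_sum(private_key: int, id_number: int) -> int:
    """The paper's example rule: private key plus identification number."""
    return private_key + id_number


def private_key_from_sum(observed_key: int, id_number: int) -> int:
    """The sum is invertible: one observed complex key plus the
    identification number yields the private key."""
    return observed_key - id_number


def new_challenge() -> bytes:
    """Fresh issuer-chosen value, so every transaction has a different key."""
    return secrets.token_bytes(16)


def complex_key_hmac(private_key: int, id_number: int, challenge: bytes) -> str:
    """Assumed variant: keyed hash of the customer detail and the challenge.
    Unlike the sum, it cannot be inverted arithmetically by someone who knows
    the ID; the private key must still be long enough to resist guessing."""
    key = private_key.to_bytes(16, "big")
    msg = str(id_number).encode() + b"|" + challenge
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issuer_verify(submitted: str, private_key: int, id_number: int,
                  challenge: bytes, used: set) -> bool:
    """Issuer side: each challenge is accepted once (blocks replay), and the
    comparison is constant-time."""
    if challenge in used:
        return False
    used.add(challenge)
    expected = complex_key_hmac(private_key, id_number, challenge)
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    seen = complex_key_sum(PRIVATE_KEY, ID_NUMBER)
    print("sum rule leaks:", private_key_from_sum(seen, ID_NUMBER) == PRIVATE_KEY)
    used, ch = set(), new_challenge()
    resp = complex_key_hmac(PRIVATE_KEY, ID_NUMBER, ch)
    print("first use:", issuer_verify(resp, PRIVATE_KEY, ID_NUMBER, ch, used))
    print("replay:", issuer_verify(resp, PRIVATE_KEY, ID_NUMBER, ch, used))
```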

Figure 1: First method which customers use to pay


REFERENCES
[1] Kungpisdan S., Srinivasan B., and Phu Dung Le, A Secure Account-based Mobile Payment Protocol, Proceedings of the International Conference on Information Technology: Coding and Computing, Vol. 1, Las Vegas, USA, 2004a, pp. 35-39.
[2] Natali Delic, Ana Vukasinovic, Mobile Payment Solution-Symbiosis between banks, application service providers and mobile network operators, Proceedings of the Third International Conference on Information Technology: New Generations (ITNG2006).
[3] Tan Soo Fun, Leau Yu Beng, Jonathan Likoh, Rozaini Roslan, A Lightweight and Private Mobile Payment Protocol by Using Mobile Network Operator, Proceedings of the International Conference on Computer and Communication Engineering 2008, May 13-15, 2008, Kuala Lumpur, Malaysia, 978-1-4244-1692-9/08.
[4] Mohony D.O., Peirce M. and Tewari Histesh, Electronic Payment Systems for E-Commerce, Artech House, United States of America, 2001.
[5] Bellare, M., Garay, J., Hauser, R., Herzberg, A., Steiner, M., Tsudik, G., Van Herreweghen, E., and Waidner, M., Design, Implementation, and Deployment of the iKP Secure Electronic Payment System, IEEE Journal of Selected Areas in Communications, 2000, pp. 611-627.
[6] http://www.setco.org/set_specifications.html
[7] Tellez J. & Sierra J., Anonymous Payment in a Client Centric Model for Digital Ecosystem, IEEE DEST, 2007.
[8] Kungpisdan, S., Srinivasan, B., and Phu Dung, L., Lightweight Mobile Credit-Card Payment Protocol, Berlin Heidelberg: Springer Verlag, 2003a, pp.
[9] Kungpisdan, S., Srinivasan, B., and Phu Dung, L., Lightweight Mobile Credit-Card Payment Protocol, Berlin Heidelberg: Springer Verlag, 2003a, pp. 295-308.
[10] C. Wang & H-f. Leung, A Private and Efficient Mobile Payment Protocol, London: Springer-Verlag, LNAI, 2005, pp. 1030-1035.
[11] Jun Liu, Jianxin Liao, Xiaomin Zhu, A System Model and Protocol for Mobile Payment, Proceedings of the IEEE International Conference on e-Business Engineering (ICEBE05), 2005.
[12] Panko R. R., Corporate Computer and Network Security, Prentice Hall, Upper Saddle River, New Jersey, 2004.
[13] Pousttchi, K., Conditions for Acceptance and Usage of Mobile Payment Procedures, Proceedings of the MBusiness Conference, 2003.
[14] M. Ding and C. Unnithan, Mobile Payments (mPayments) An Exploratory Study of Emerging Issues and Future Trends, Deakin University, 2002.
[15] Krueger, M., The future of M-Payments - business options and policy issues, Seville, Spain, 2001.

Figure 2: Second method which customers use to pay

So the complex key guarantees Authentication and Non-repudiation.

Step 2: A complex key given by the acquirer

This complex key is exactly the same as the complex key described in Step 1, with one very important difference: the acquirer does not know anything about the private key or the customer's details, so he cannot generate the key. In this case, the complex key is the same as the password which the customer entered for his account or credit card. When this information is transferred to the issuer, he checks whether it is correct. If it is, he starts to commit the transaction; if it is not, the transaction is rolled back. The question is how the issuer knows which algorithm was used for generating the complex key. The issuer and acquirer must make an agreement with each other about the algorithms that can be used for obtaining the complex key from the customer.

Step 3: Cryptography

In all steps of exchanging data from payment gateways to financial institutions, and between financial institutions, data must be encrypted and decrypted at both ends. They can use the complex key for their cryptography. This makes the transaction more secure and private. Through cryptography, our proposed protocol has Confidentiality and Integrity.

V. CONCLUSION

In this paper we try to propose a lightweight and secure protocol for mobile payments. We use a kind of complex key to authenticate a customer and to provide non-repudiation. Cryptography in all data exchanges gives the protocol Confidentiality and Integrity. The major factor that we improve for payments is trust. In the proposed protocol we significantly increase customer trust through the complex key, because customers never enter their secure information for their electronic payments.
