4.4 Discussions
4.4.8 Compatibility with Existing Payment Infrastructure
When migrating a payment protocol that has been implemented in a fixed network to a wireless one, the important issue to consider is compatibility. That is, any mobile SET system should be compatible with the existing SET payment infrastructure. To achieve this property, the modifications to the merchant’s and the payment gateway’s infrastructures should be minimized. Both the SET payment operations on mobile devices and on fixed devices should be able to operate on the same payment infrastructure efficiently. In the proposed SET system, although there are some modifications to the existing SET payment operations on the client’s mobile device, the client’s PReq sent to the merchant has the same structure as that of the original SET’s PReq. Therefore, it can be implemented on the existing SET infrastructure. Moreover, the proposed system can be operated in the same scenario as that of SET/A+ [WLY99].
4.4.9 Authenticated Key-Exchange Protocols for Wireless Networks
An authenticated key-exchange (AKE) protocol is used to provide authentication and to secure communications among engaging parties. Generally, existing AKE protocols employ public-key cryptography, which is not suitable for securing communications in wireless environments due to the limitations presented in chapter 1. Therefore, it is suggested in this thesis that all AKE protocols employed in the proposed payment protocols be AKE protocols for wireless networks [HP98, BP98, WSZ01, WC01, LCGS03]. In this section, we present overviews of the existing AKE protocols for wireless networks.
Several AKE protocols for wireless networks [HP98, BP98, WSZ01, WC01] have been proposed, along with their analyses [Her01, HP98]. The protocols proposed by Horn et al. [HP98] and Boyd et al. [BMN01] employ elliptic-curve cryptosystems to reduce the computation and resource consumption of engaging parties, especially the client. The difference between these protocols is that Horn et al.’s protocol [HP98] is PKI-based whereas Boyd et al.’s protocol [BMN01] is password-based. Wong et al.’s protocol [WC01] is based on challenge-response between parties. Recently, Zhu et al. [ZWCY02] proposed a password-based AKE protocol using the RSA algorithm. Horn et al. [HMM02] proposed an analysis of the existing AKE protocols for wireless networks, including Boyd et al.’s protocol [BP98] and Horn et al.’s protocol [HP98]. They argued that both protocols are suitable for wireless communications, although Boyd et al.’s protocol [BP98] requires more communication passes. Lam et al. [LCGS03] proposed a public-key based AKE protocol which reduces the client’s computation by applying only public-key encryptions at the client side.
4.5 Summary
In this chapter, we examined existing mobile payment frameworks and showed that the frameworks themselves do not satisfy the formal model introduced in chapter 3 and the payment systems based on the existing frameworks do not satisfy the practical and secure mobile payment system stated in our formal model. We then proposed a mobile payment framework which satisfies the formal model. Our framework not only incorporates the main features of agent-based and proxy-based frameworks in terms of transaction performance, but also solves their security problems.
We have demonstrated the usability of the proposed framework by applying it to the SET protocol [Mas97], which has been deployed in the existing frameworks. The results have shown that the SET payment system based on our framework is able to solve the problems of the SET payment systems based on the existing frameworks, as described below:
• To deal with the problem of high computational load at the client in SET/A+ [WLY99], our SET payment operations are divided into two parts: one resides at the client’s mobile device and performs low computational tasks, and the other is carried by a payment agent that performs high computational tasks at the issuer, who acts as the client’s assistant.
• We solved the problem of SET/A [RdS98] regarding the session key generation mentioned in [WLY99] with the assistance of the issuer.
• The concern about the trustworthiness of the proxy server previously presented in section 2.4.1 has been relieved by establishing a partial-trust relationship between the client and the issuer.
• The client’s credit-card information is not required to be transmitted over the air interface. This results in security enhancement of the system.
In addition, we have shown that the proposed SET system satisfies not only all transaction security properties (TSec) stated in Definition 3.10 of the formal model, but also the client privacy property, which is a major goal of the SET transaction. Furthermore, the proposed system requires no modification at either the merchant or the payment gateway. This results in full compatibility with the existing SET payment infrastructure.
Note that, compared to the proposed model presented in chapter 3, the proposed SET system does not satisfy trust relationships among engaging parties (Trust) stated in Definition 3.1.10, because the SET protocol itself does not satisfy this property. We did not modify the SET protocol descriptions since we aim to preserve compatibility with the existing SET infrastructure. However, a suggestion on modifying the SET protocol to achieve Trust has been provided in section 4.4.2.
In terms of transaction performance, it can be seen that, with the proposed framework, which incorporates the features of agent-based and proxy-based frameworks, the computationally heavy SET protocol has been successfully operated in the wireless environment. From the discussion in section 4.4.7, it can be seen that the system based on the proposed framework is more likely to satisfy acceptable transaction performance (ATP) than the systems based on the existing frameworks.
To satisfy the practical and secure mobile payment system stated in Definition 3.15 of the proposed model, our system must satisfy Goals, PR, TSec, Trust, and ATP. From the discussion in this chapter, we have shown that Trust, ATP, and TSec are satisfied. The analysis of the other properties will be presented in chapter 7.
Note that applying to our framework a payment protocol that is designed for a non-proxy-based framework and is more lightweight than the SET protocol results in higher transaction performance. In chapter 5, two lightweight, non-proxy-based mobile payment protocols will be proposed. Deploying these protocols in our framework will result in high transaction performance and security that is likely to be acceptable to mobile users.
Chapter 5
Securing Account-Based Mobile Payment
In chapter 4, a new framework for practical and secure mobile payment has been introduced. The framework allows any kind of payment protocol to operate in it securely and with better transaction performance compared to existing mobile payment frameworks. Applying a fixed-network payment protocol to the framework offers better transaction performance than performing it alone in a wireless environment. Moreover, deploying a lightweight, non-proxy-based mobile payment protocol in the proposed framework greatly enhances the transaction performance of the payment system.
In this chapter, we propose a family of non-proxy, account-based payment protocols, namely Kungpisdan-Srinivasan-Le (KSL) protocol version 1 (called KSLv1) and KSL protocol version 2 (called KSLv2), which work efficiently in wireless environments. These protocols mainly apply symmetric-key operations and keyed-hash functions at the client’s mobile device. In KSLv1, only the client is not required to perform any public-key operations, whereas in KSLv2, none of the parties is required to have a public-key certificate.
symmetric-key cryptographic techniques. Section 5.2 presents the cryptographic technique that works behind the proposed protocols. Section 5.3 introduces notations for the proposed protocols. Sections 5.4 and 5.5 present the KSLv1 and KSLv2 protocols in detail. In section 5.6, the security and performance of the proposed protocols are discussed. Section 5.7 shows how the proposed protocols can be applied to the proposed framework previously introduced in chapter 4. Section 5.8 summarizes the chapter.
5.1 Enhancing Security of Symmetric Cryptography
In this section, we review existing techniques for enhancing the security of symmetric cryptography, which form the background of the cryptographic technique behind the KSLv1 and KSLv2 protocols.
In communication scenarios, the concept of secret chaining [MB01, Cim02] has been widely implemented. Generally, secret chaining is a method of generating a number of secrets from a master secret, each of which is used as a session secret for authentication purposes during a transaction. An obvious example is the one-time password proposed by Lamport [Lam81].
The purpose of secret chaining is to solve the problem of transferring a static, long-term shared secret over an insecure network. This can be done by sending a session secret derived from the master secret instead. A good secret chaining scheme should provide the forward secrecy property, in that it is difficult for an attacker to derive the next session secret from the current session secret. Several secret chaining techniques have been proposed [MB01, Cim02]. In Marvel et al.’s approach [MB01], a chain of secrets was applied to the MAC (Message Authentication Code) previously proposed by Tsudik [Tsu92]. The message format in this approach is shown as follows:
MAC(Message, Ki), Message
where Message stands for a message to be sent to its intended recipient and Ki is a member in the set of secrets which cannot be generated by the recipient of this message. It can be seen that this message can be generated only by the party who knows the secret Ki.
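The following sketch of the MAC(Message, Ki), Message format is added here as an illustration and is not taken from [MB01] or from the thesis. It assumes a Lamport-style hash chain, HMAC-SHA-256 as the MAC, and that Ki is disclosed only after the recipient has stored the tagged message; the names build_chain, mac_message and Recipient are hypothetical.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_chain(master: bytes, n: int) -> list:
    """Return [K_0, ..., K_n] where K_n = h(master) and K_(i-1) = h(K_i)."""
    chain = [h(master)]
    for _ in range(n):
        chain.append(h(chain[-1]))
    chain.reverse()  # chain[0] is the anchor K_0, chain[i] is session secret K_i
    return chain

def mac_message(message: bytes, k_i: bytes):
    """Build the pair MAC(Message, K_i), Message."""
    return hmac.new(k_i, message, hashlib.sha256).digest(), message

class Recipient:
    """Holds only the last verified secret, so it cannot generate K_i itself.
    Assumption: K_i is disclosed only after the tagged message is buffered."""
    def __init__(self, anchor: bytes):
        self.last = anchor
        self.pending = None

    def receive(self, tag: bytes, message: bytes) -> None:
        self.pending = (tag, message)

    def disclose(self, k_i: bytes) -> bool:
        if self.pending is None:
            return False
        (tag, message), self.pending = self.pending, None
        # K_i is genuine only if it hashes to the previously verified secret.
        if not hmac.compare_digest(h(k_i), self.last):
            return False
        if not hmac.compare_digest(mac_message(message, k_i)[0], tag):
            return False
        self.last = k_i  # each secret is accepted once, in chain order
        return True

def demo() -> list:
    chain = build_chain(b"constructed master secret", 3)  # constructed input
    rx = Recipient(chain[0])
    rx.receive(*mac_message(b"pay 10 to merchant", chain[1]))
    ok = rx.disclose(chain[1])        # valid K_1
    rx.receive(*mac_message(b"pay 99 to merchant", chain[1]))
    replay = rx.disclose(chain[1])    # K_1 was already used
    tag, _ = mac_message(b"pay 20 to merchant", chain[2])
    rx.receive(tag, b"pay 90 to merchant")
    altered = rx.disclose(chain[2])   # message changed after tagging
    return [ok, replay, altered]
```

Because K_(i-1) = h(K_i), a party that has seen the current secret would have to invert the hash to obtain the next one, which is the forward secrecy property described above.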
In order to provide message privacy and to identify the originator of the message, the secret chaining technique was applied to Kerberos system based on symmetric-key operations [Cim02]. The message format in this approach is given as follows:
{i, Ki, Message}KAB
where KAB is a key shared between a party A and a party B and generated by a Key Distribution Center (KDC), i is an index of Ki, and Ki cannot be generated by the recipient of the message. It can be seen that the privacy of the above message is achieved by the encryption with the key KAB, in that only the parties who have KAB can decrypt the message. Furthermore, we can identify the originator of the message from KAB and Ki, in that we can ensure that the party who has both keys has originated this message.
In the next section, we present a symmetric cryptographic technique which enhances the transaction security properties of symmetric cryptography (refer to section 3.1.9 of the proposed formal mobile payment model).