An End-To-End Secure Mobile Payment System Using Public Key Infrastructure System

An End-To-End Secure Mobile Payment

System Using Public Key

Infrastructure System

1Dept of Computer Applications, Bishop Heber College (Autonomous), Tiruchirappalli – 620 017

Email: brittork@gmail.com

2_{Dept of Computer Science, St.Joseph’s College (Autonomous),}

Tiruchirappalli – 620 002

Received: 01/03/2011; Accepted: 26/04/2012

ABSTRACT

The exponential growth of wireless technologies and mobile devices, the mobile commerce becomes a significant for every one’s life. Its popularity introduces a new channel for the research that is, M-Payment or Mobile Payment in terms of identifying new applications, designing frameworks, and producing innovative business models. The development of secured mobile payment system becomes a major research topic in the field of mobile commerce. A study reveals that there are wide ranges of mobile payment solutions and models available in the market, but there is no specific and global mobile payment system for academic institutions without huge investment. To overcome, this paper proposes a novel model called Mobile Payment Consortia System (MPCS) to carry out the transactions from the bank to the academic institutions for the payment of fees by students through mobile phone. MPCS provides an end-to-end security using Public Key Infrastructure (PKI). This paper mainly focuses on strong authentication and secure communication between the institution server and MPCS Server. This model can be extended to all educational institutions, training divisions and universities so as to help the necessary payments by the students through mobile devices.

Keywords: Mobile payment, Mobile Payment Consortia, Secured

Transactions, Public Key Infrastructure

1. INTRODUCTION

Mobile Commerce is an emerging discipline that involves mobile devices, applications; middleware and mobile networks. Mobile Commerce is a natural successor to e-commerce. Today, there has been a notable increase in consumer use of mobile applications. Mobile phones are well suited with mobile commerce to reach the customers through messages anywhere and at any time. In this scenario, m-commerce applications have been facilitated by ATMs, banking networks, electronic bill payment systems and several such applications.

The rapid growth of wireless networks and services fueled by next generation mobile communication systems research has ushered in the area of ubiquitous computing. Light weight portable computers, IP based office and home appliances, and the popularity of Internet are strong forces to the service providers to support seamless user mobility. Realizing commercially viable secured IP mobility support over the current cellular infrastructure remains a research challenge.

There are wide range of Mobile Commerce services and applications to users such as Mobile Banking, Mobile Entertainment, Mobile Information Services, Mobile Marketing Mobile Shopping, Mobile Ticketing and Telematics Services includes Remote Diagnosis and Maintenance of Vehicles, Navigation Services, Vehicle Tracking and Theft Protection, Emergency Services.

Mobile Payments are a natural evolution of e-payment schemes that will facilitate mobile commerce. A mobile payment or m-payment means that any payment where a mobile device is used to initiate, authorize and confirm an exchange of financial value in return for goods and services. Mobile devices may include mobile phones, PDAs, wireless tablets and any other device that connect to mobile telecommunication network and make it possible for payments to be made. Mobile payments can become a complement to cash, cheques, credit cards and debit cards. It can also be used for payment of bills with access to account-based payment instruments such as electronic funds transfer, Internet banking payments, direct debit and electronic bill presentment.

Research reveals that different approaches came to the market for mobile payment system to address the existing needs of common man, but a global solution does not exist so far. However, a system for the payment of fees through mobile in higher academic institutions has never been thought off either in the national level or in the international level. Existing electronic payment solutions are not secure enough, too difficult and slow to use, or available only for a selected clientele. Considering that there are a number of

higher academic institutions, the traditional procedure of payment of fees leads to a cumbersome practice and is time consuming.

Thus an urgent need arises to design a technology for mobile payment system with due care on End-to-End security of financial transactions between the client and the banks. Considering the fact, this paper, it is proposed to design and develop the Mobile Payment System using Public Key Infrastructure. The proposed architecture is designed and well suited to the academic institutions to carry out the payments and financial services, in particular payment of fees by students from the customer’s bank to the institution’s bank where they study using mobile device anytime and anywhere.

The paper is organized as follows: Section 2 presents the review of research papers related to the architecture of existing mobile payment system. The Architectural design for Mobile Payment Consortia System is presented briefly in section 3. Section 4 illustrates secure transaction processes between the Institution Server (IS) and the MPCS server. The proposed algorithm for entity authentication and secure communication flow are presented in Section 5. Section 6 is conclusion.

2. REVIEW OF LITERATURE

Several studies have been conducted till recently to implement mobile payment system more effectively in diversified applications. Different payment systems such as mobile phone-based system, SIM or Smart card-based system, Point-of-Sale(POS)-based system, and Mobile wallet are found in the market [1].

There are different solutions such as bank driven, mobile network operator driven and independent payment systems found in the market [2]. Mobile payment system models are also classified into theoretical model, scenario-specific model and open or scenario-independent model [3]. The theoretical model generally provides a layered or module-based framework and which illustrates the payment procedures, principles and security issues in a simplified base but not a practical one [4]. Scenario-specific model could be classified into disconnected interaction model, server-centric model, client-centric model and Kiosk centric model [5].

The architecture and business model for Secure Mobile Payment System (SEMOPS) [6] is based on mobile-phone based payment system. The SEMOPS is a universal and open mobile payment system that supports micro, mini and macro payments. However, there are still some limitations in SEMOPS model such as possible attacks on payment transaction by the illegitimate merchant and no guarantee for comprise-resistant payment processors.

The integrated payment architecture provides a common payment solution for Serbia citizens by combining SMS based applications, Point of Sale device and mobile commerce application. The solution provides two interfaces such as ISO 8583 and WEB service interface to communicate with the banks. However, there are serious security issues cited in the proposed solution [7]. The SMS will be stored on the user’s phone that presents a tempting target for attackers and the fixed amount of money can be transferred in order to be charged on the mobile phone carrier bill. The mobile phone should synchronize with the merchant system in Point of Sale (POS) applications.

An innovative architecture, namely SIMPA, is based on Session Initiation Protocol (SIP) for next generation mobile phone networks developed by [8]. SIP is designed as the signaling protocol for the 3G mobile networks with the support of Multimedia services including VoIP and Instant Message (IM). SIMPA architecture supports P2P payments and traditional security properties such as privacy, confidentiality and integrity. However, the demerits in SIP network are lack of scalability, security restrictions, complex maintenance and configuration, controlled infrastructure, restriction on usability.

The development of secured mobile payment system becomes a major research topic in the field of mobile commerce. The security is required at various levels such as mobile platforms, services or protocols, network technologies and mobile devices to perform the mobile payment transactions successfully. In order to achieve security capabilities such as transaction security, entity authentication, transaction privacy, transaction Integrity and anonymity, the protocol designers consider the methods such as public key infrastructure, symmetric and asymmetric cryptography and biometry.

In order to achieve security capabilities such as transaction security, entity authentication, transaction privacy and transaction Integrity, and anonymity, the protocol designers consider the following methods: public key infrastructure, symmetric and asymmetric cryptography and biometry. Recently, most of the protocols are proposed based on public key infrastructure [9, 10, 11] whereas remaining employ symmetric-key operations [12, 13, 14]. Since the data transmitted through wireless, maximizing the security is more important with security services such as privacy [10, 11], authentication [15, 16], message integrity [17, 18], confidentiality [19] and non-repudiation [20, 21] for the success of the mobile payment systems.

Having studied the existing solutions for mobile payment system, we propose a novel model namely Mobile Payment Consortia System to carry out the fund transactions from the bank to the academic institutions for the payment

of fees by students through mobile phone. MPCS provides end-to-end security using Public Key Infrastructure, while carrying out the payment transactions. This architecture increases convenience in payment processes in particular, payment of fees by students through fund transfer in a real time basis from the customer’s bank to the institution’s bank where they study using mobile device anytime and anywhere.

3. THE ARCHITECTURAL DESIGN OF MPCS

The MPCS model is designed with various security levels like device authentication, client and client/server authentication, and secure transaction among the interacting entities using Public Key Infrastructure (PKI). The PKI provides strong security services that allow distribution and use of public keys and certificates with security and integrity. Both privacy and authentication can be provided using the combination of encryption and digital certificates. The message digest algorithm can ensure the message integrity effectively. The major security of non-repudiation mechanism is well supported only by the digital signature. The strong encryption mechanism offers data confidentiality.

The Mobile Payment Consortia System (MPCS) allows user to pay the fees such as tuition fee, exam fee, etc., to his/her institution through the mobile phone. MPCS provides the necessary technical infrastructure such as acquiring user information from the institution server, connectivity, Payment authorization, and communication to facilitate m-payments and acts as an intermediary between the banks, the institution and the clients. The system is specifically designed for the institution related payments for the registered clients using mobile devices. The client must have an account in a bank and he/she must be registered with his/her Institution. The client uses username and password, provided by the Institution Server (IS), when he/she made a request to the Institution for payment service.

Once the request is made by the client, the client is authenticated by decrypting the username and password. If the username and password are mapped with the institution server database records, the client is authenticated. Institution Server then, sends the authenticated user profile as an encrypted format to the MPCS for client authorization. The MPCS then, allows the user to enter the fee amount, by which both the client is authorized for payment service and the payment request is confirmed by the MPCS.

Once the authentication and authorization process is completed, MPCS makes a request for payment (PR) to the institution’s bank. The payment request is forwarded to the client’s bank by the institution bank. The client’s

bank authenticates the client with the Bank-ID as well as account number and securing confirmation of the request of institution bank by the MPCS. Hence the requested amount is debited from the clients’ account and credited to the bank associated with the consortia of the institution account by interacting with the bank. Once the transaction is completed electronically a payment confirmation message is sent by the institution bank to the MPCS and then, MPCS is sent to the Institution Server.

The institution also confirms the same message to the client and the request is carried out successfully. The MPCS is unique for any academic institution to make the students as their clients and the payment of fees can be done through mobile anywhere and at any time. The architectural design of MPCS is depicted in Figure 1.

Today the mobile payment services are received well and high level of security must be provided in the design. In order to apply PKI to the mobile phone (GPRS enabled), it requires high-speed key generation algorithm, certificate generation

Mobile user (students)

GPRS phone

User authentication _{User authorization &}

Institution Institution server MPCS User profile Payment confirmation Banks Fund transfer

Student bank _{Institution bank}

Payment request &

PR confirmation

payment notification

and verification algorithm, efficient digital signature algorithm, best message digest function, and strong encryption and decryption schemes.

4. SECURE COMMUNICATION BETWEEN IS AND MPCS

The major components of the proposed model are student, institution, student bank, institution bank and Mobile Payment Consortia System (MPCS), which acts as a payment gateway between institution server and institution bank that operates under the institution private network. The transaction processes between the student and the institution server are discussed in [1].

The institution server keeps the record for all the registered clients. The authentication of the client is done by the Institution Server by verifying the username and password. After authentication, the institution server is connected with student’s database for retrieving the student details such as student name, bank name, branch name, account holder name, account number, the fee amount, mobile number, secret key and IMEI number and sends the student’s profile to the MPCS server. The information flow on the network is secured by encrypting and decrypting the message using public key infrastructure.

Mobile Payment Consortia System (MPCS) server acts as an intermediary between the institution and the banks and it is also responsible for authorizing the clients for payment service, generating the payment request, creating the transaction logs, routing and delivering the notifications to the remaining entities, etc. It plays a role as a Payment Gateway (PG) for the institution. MPCS authorizes the payment services with the client by verifying option and the fee amount. Once the MPCS authorizes the payment services, MPCS makes a request for payment (PR) to the institution’s bank using the Payment Interface.

MPCS makes a request for payment (PR) to the institution’s bank using the Payment Interface. The bank identifies the client with the Bank-ID and makes confirmation of the payment using their private bank application. Hence the requested amount is debited from the clients’ account and credited to the institution bank account. Once the transaction is completed electronically, a confirmation message is sent by the institution bank to the MPCS server.

This paper considers authentication and secure communication only between the IS and MPCS server. The client sends the request for payment to the institution server. The institution server authenticates the client for payment service. Once the client is authenticated, the institution server sends the users profile to the MPCS server for authorization. Since MPCS is generates the Payment Request (PR) to the institution server, MPCS authorizes the client by checking the fee amount. The process of sending the user profile is depicted in figure 2.

Once the user authentication process is completed by the institution server, then it starts handshake processes with MPCS server for secure communication. The proposed model authenticates both the institution server and the MPCS server using challenge-response mechanism. When the institution server initiates the communication with the MPCS, the MPCS server sends an encrypted RAND-number using shared PIN number to the institution server. The institution server extracts the PIN number from its database and decrypts the RAND number given by the MPCS. If the RAND number is decrypted successfully by the institution server, then MPCS server is identified and authenticated and generates SRES based the RAND number sent by the MPCS. Finally, the institution server encrypts the SRES using shared PIN number and sends to the MPCS server.

Meanwhile, the MPCS server generates SRES based on RAND number which is sent to the IS. The MPCS server then, decrypts the SRES and compares the SRES which sent by the IS and generates by the MPCS. If both of them match, the institution server is authenticated to the MPCS server. Once each entity is authenticated, the institution server and MPCS server exchanges their public keys each other. To exchange the public keys between the IS and the MPCS in a secured manner, the PKI infrastructure is used. The process of public key exchanges between the IS and the MPCS server is

Encrypted authenticated user's profile

presented in figure 3. The IS and IS/MPCS authentication is showed as an algorithm in figure 4. The algorithm for exchanging the public keys is depicted in figure 5.

After exchanging the public keys by the IS and the MPCS server, the IS sends the user profile that includes student name, bank name, branch name, account holder name, account number, amount (fee yet to be collected), institute bank account number, mobile number, secret key and IMEI number to Mobile Payment Consortia System (MPCS). The process of sending the user profile to the MPCS server is presented as an algorithm in figure 6. After receiving the user profile, sent by the institution server, the MPCS server sends the payment interface to the student mobile device.

PIN Encrypted public key (M1) H IS's public key IS's private key Digested Digested public key public key Public key digital signature (M2) Concatenate M1 M2 Encrypted concatenate message Session key Institution server−side

MPCS server−side Decrypted confidential data IS's public key IS's public key public key IS's H Decrypted (M1) M1 M2 Splitting Digest Message integrity PIN Decrypted concatenate message Session key IS's public key

5. ALGORITHMS FOR DEVICE AND CLIENT/SERVER AUTHENTICATION 5.1. Algorithm for Authentication Between IS and IS/MPCS

Algorithm ISMPCSAuthN( ) {

{

//IS establishes handshake with MPCS for secure communication.

//Institution Server side

GET RAND-no; //MPCS sends RAND number to IS; Extract PIN-no from IS database;

RAND = decrypt(RAND-no using shared PIN-no between IS and MPCS);

IF RAND is decrypted successfully {

MPCS server is identified and authenticated; SRES = compute SRES(using RAND and PIN-no); ESRES = encrypt (SRES using shared PIN-no); Send ESRES to MPCS;

} ELSE

{

Invalid MPCS Server; Exit; }

}

//MPCS Server side

Extract the PIN-no from the MPCS database;

SRES1 = compute SRES1(using RAND-no and PIN-no); SRES = decrypt (SRES using shared PIN-no);

IF SRES is decrypted successfully {

Institution Server is identified and authenticated initially; MPCS compares SRES and SRES1;

IF (IS:SRES = MPCS:SRES1) {

Institution Server and MPCS Server are authenticated; ISMPCSAuthN = Encrypt (AuthNMessage using PIN-no); Send ISMPCSAuthN to IS;

} ELSE

{

Invalid Institution Server (IS); Exit; }

} }

5.2. Algorithm for exchanging the public keys between IS and MPCS server Algorithm PuKExchange( )

{

//Institution Server side

ISMPCSAuthN = decrypt (ISMPCSAuthN using shared PIN-no); IF ISMPCSAuthN is valid then

{

ISPUK = IS’s Public key;

EISPUK = encrypt (ISPUK using shared PIN-no); Let M1 = EISPUK;

//Generate message digest for IS’s public key using SHA-1 algorithm;

MDK = hashing (EISPUK);

//Ensures the integrity of the data over-the-air. SMDK = sign (MDK using IS’s private key); //Let M2 = SMDK

ISPuK = concatenate (M1 & M2);

EISPuK = encrypt (ISPuK using session key); //IS sends EISPuK to the MPCS server. }

//MPCS Server side

MPCS receives the message from IS; ISPuK1 = decrypt (EISPuK using session key); ISPK = Split (ISPuK1); //Let ISPK = {M1, M2} M1PK = decrypt (ISPK{M1} using PIN-no); IF PIN-no is valid then

{

DSM2 = de-sign (ISPK{m2} using IS’s public key); MDM1PK = hashing (M1PK);

MPCS compares DSM2 and MDM1PK; IF (DSM2 = MDM1PK ISPUK1) then

{

IS’s public key (message) integrity is ensured; MPCS stores M1PK into MPCSDB;

<<MPCS sends its public key to the IS using the same method>>

} ELSE

{

Invalid IS’s public key; Exit; } } ELSE { Access denied; } }

5.3. Algorithm for Secure Data Transmission between IS and MPCS Server Algorithm SendUserProfile( )

{

//IS Server side

//Once the Public keys are exchanged between IS and MPCS, IS //encrypts the user’s profile using IS’s Public Key and sends it to the //MPCS.

IS extracts MPCSPKM1, UProfile from ISDB; EUProfile = encrypt (UProfile using MPCSPKM1); //Generate digest for encrypted user profile.

MDUProfile = hashing (EUProfile using SHA-1 algorithm); //Create digital signature for MDUProfile to ensure message integrity. SMDUProfile = Sign (MDUProfile using IS’s private key);

Send EUProfile and SMDUProfile to MPCS.

//MPCS Server side

MPCS receives EUProfile and SMDUProfile from IS; Extract MPCSPvtK, ISPKM1 from MPCSDB;

//MPCS de-signs the SMDUProfile using IS’s public key. MDUProfile1 = de-sign (SMDUProfile using ISPKM1); //MPCS decrypts user profile using MPCS’s private key. UProfile1 = decrypt (EUProfile using MPCSPvtK); //Generate digest for user profile

MDUProfile2 = hashing (UProfile1 using SHA-1 algorithm); //MPCS compares both the digest user profiles.

IF (IS:MDUProfile1 = MPCS:MDUProfile2) then {

User profile (message) integrity is ensured; MPCS stores MDUProfile1 into MPCSDB; }

ELSE {

Send error message for message integrity to IS; Exit;

} }

Figure 6. Algorithm for Secure Data Transmission between IS and MPCS Server.

6. CONCLUSION

The mobile payments will remain the de facto standard for personal payments in the near future. Most of the existing mobile payment systems focus only on transaction security such as authentication and integrity of the data. Only few

systems provide non-repudiation. Also most of the researchers attempted to provide security using symmetric key, whereas public key cryptography has not been used widely. Mobile Payment Consortia System (MPCS) is a novel model designed for payments through mobile phones with end-to-end security using PKI security scheme. The proposed security architecture is specifically designed for academic institution related payments and financial services in particular, payment of fees by students from the customer’s bank to the institution’s bank where they study using mobile device anytime and anywhere. This system provides convenience in the payment processes, reduces transactional cost and overhead time for both students and the educational institution. This model can be extended to all academic institutions so as to help the necessary payments by the students through mobile devices.

REFERENCES

[1] S.Britto R.Kumar, S.Albert Rabara, and J.Ronald Martin, MPCS: A Secure Mobile Payment Consortia System (MPCS) for Higher Educational Institutions, 4th ACM

International Conference on Computer Sciences and Convergence Information Technology. ACM, vol. 2, pp. 571–579, Seoul, South Korea, 2009.

[2] Natali Delic, and Ana Vukasinovic, Mobile Payment Solution-Symbiosis between banks, application service providers and mobile network operators, Proceedings of

the 3rd _{International Conference on Information Technology: New Generations} (ITNG’06), IEEE, 2006.

[3] Jun Liu, J.Liao, and X.Zhu, A System Model and Protocol for Mobile Payment,

Proceedings of the International Conference on E-Business Engineering (ICEBE’05),

IEEE, 2005.

[4] Xiaolin Zheng and Deren Chen, Study of Mobile Payments System, Proceedings of

the IEEE International Conference on E-Commerce (CEC’03), 2003.

[5] Jesus Tellez Isaac and J.S.Camara, An Anonymous Account-Based Mobile Payment Protocol for a Restricted Connectivity Scenario, Proceedings of the 18th _{International} Workshop on Database and Expert Systems Applications, DOI 10.1109/DEXA.

2007.132, IEEE, 2007.

[6] S. Karnouskos, A. Vilmos, P.Hoepner, A. Ramfos, N. Venetakis, Secure Mobile Payment Architecture and Business Model of SEMOPS, EURESCOM summit,

Evolution of Broadband Service, Satisfying user and market needs, Heidelberg,

Germany, 2003.

[7] Natali Delic, Ana Vukasinovic, Mobile Payment Solution – Symbiosis between banks, application service providers and mobile network operators, Proceedings of the Third International Conference on Information Technology: New Generations, 2006.

[8] Ge Zhang, Feng Cheng, and Christoph Meinel, SIMPA: A SIP-based Mobile Payment Architecture, IEEE/ACS Proceedings of 7th International Conference on Computer

and Information Science, 2008.

[9] Elena Trichina, Konstantin Hypponen and Marko Hassinen, SIM-enabled Open Mobile Payment System Based on Nation-wide PKI, Securing Electronic Business

Processes, Vieweg, 355–366, 2007.

[10] Tan Soo Fun, Leau Yu Beng, Jonathan Likoh, and Rozaini Roslan, A lightweight and Private Mobile Payment Protocol by Using Mobile Network Operator, IEEE

Proceedings of International Conference on Computer and Communication Engineering, Kuala Lumpur, Malasia, 2008.

[11] C. Wang & H-f. Leung, A Private and Efficient Mobile Payment Protocol,

Springer-Verlag, LNAI, pages 1030–1035, 2005.

[12] S.Britto Ramesh Kumar, S.Albert Rabara and J.Ronald Martin, A System Model and Protocol for Mobile Payment Consortia System, IEEE International Conference on

Test and Measurement (ICTM 2009), ISBN: 978-1-4244-4699-5, DOI:10.1109/

ICTM.2009. 5413011, Dec. 5–6, Hongkong, 2009.

[13] Supakorn Kungpisdan, Bala Srinivasan and Phu Dung Le. A Secure Account-Based Mobile Payment Protocol. IEEE Proceedings of International Conference on

Information Technology: Coding and Computing, 2004.

[14] S.Britto R.Kumar, A.Arun Gnana Raj and S.Albert Rabara, A Framework for Mobile Payment Consortia System (MPCS), IEEE Proceedings of the International

Conference on Computer Science and Software Engineering (CSSE’08), China,

2008.

[15] Marko Hassinen and Konstantin Hypponen, Strong Mobile Authentication, In IEEE of

2nd_{International Symposium on Wireless Communication Systems, 2005.}

[16] Ayu Tiwari, S.Sanyal, A.Abraham, S.J.Knapskog and Sugata Sanyal, A Multi-Factor Security Protocol for Wireless Payment-Secure Web Authentication using Mobile Devices, IADIS, ISBN: 978-972-8924-30-0, 2007.

[17] Jesus Tellez Isaac, Jose Sierra Camara, An Anonymous Account-Based Mobile Payment Protocol for a Restricted Connectivity Scenario, 18th_{International Workshop} on Database and Expert Systems Applications, 2007.

[18] Ren-Junn Hwang, Sheng-Hua Shiau and Ding-Far Jan, A new mobile payment scheme for roaming services, Electronic Commerce Research and Applications, Volume 6, Issue 2, pages 184–191, Ninth Pacific Asia Conference on Information Systems, 2005.

[19] Xueming Wang and Nan Cui, Research of Security Mobile Payment Protocol in Communication Restrictions Scenarios, CIS, vol. 2, pp. 213–217, Proceedings of

[20] Chung-Ming Ou and C.R.Ou, Non-repudiation Mechanism of Agent-Based Mobile Payment Systems: Perspectives on Wireless PKI, Springer-Verlag Berlin, Heidelberg, LNAI 4496, pages 298–307, 2007.

[21] Sattur J Aboud and Mohammed Ahmed AL-Fayoumi, Anonymous and Non-Reudiation E-Payment Protocol, American Journal of Applied Sciences, pages 4(8): 538–542, 2007.