
Volume 8, Issue 6, June 2019, ISSN: 2278 -7798

Implementation of Secure Electronic Payment System Using RFID and ECC Digital Signature

Nilar Soe, Than Htike Aung

Abstract–Electronic payment systems have become increasingly popular due to the widespread use of internet-based shopping and banking. Online merchants also have to comply with stringent credit and debit card rules. The procedures in place make transactions more secure by using PKI (public-key infrastructure) to protect credit and debit card transactions. The proposed system implements a secure electronic payment system using RFID and an Elliptic Curve Cryptography (ECC) digital signature. The system is secured by digital signatures generated using the ECC method. The main objective is to provide access control and overcome inaccurate payment. ECC digital signatures allow effective and compact implementations requiring smaller chips. Smaller chips generate less heat and consume less power. The whole system is implemented in the C# programming language for ensuring PKI infrastructure.

Keywords–C# Programming Language, Elliptic Curve Cryptography, Public Key Infrastructure, RFID

I. INTRODUCTION

As the world advances with technology development, the rise of electronic payment systems and payment processing devices can be seen. As these increase, improve, and provide ever more secure online payment transactions, the percentage of check and cash transactions will decrease. One of the most popular payment forms online is credit and debit cards. Besides them, there are also alternative payment methods, such as bank transfers, electronic wallets, smart cards or bitcoin wallets (bitcoin is the most popular cryptocurrency). E-payment methods can be classified into two areas, credit payment systems and cash payment systems [1].

The proposed system generates a digital signature using the ECC method for a secure electronic payment system. The aim is to design and implement a secure electronic payment system based on RFID, especially for playgrounds, so that bills can be paid easily and accurately. The system consists of two main parts: card creation and card verification. The whole idea behind the solution is to develop a system which can cut costs and make playgrounds run more efficiently, because there may sometimes be miscalculations, such as in usage time and cost estimation.

II. LITERATURE REVIEW

The history of e-payment can be traced back to 1918, when currency was first moved in the United States (U.S.) by the Federal Reserve Bank with the aid of the telegraph. However, that technology was not widely used in the U.S. until their Automated Clearing House (ACH) was incorporated in 1972. Since that time, electronic currency has become widespread. This provided U.S. commercial banks and the central treasury with an alternative to cheque payment (Graham, 2003) [2].

One work proposes that digital signature schemes based on public-key cryptosystems are vulnerable to existential forgery attacks, which can be prevented by the use of a one-way hash function and message redundancy. In that paper the authors proposed a forgery attack on the digital signature scheme proposed by Chang and Chang in 2004. The authors also showed an improved scheme using a new key agreement protocol over the Chang and Chang model, which lacks the use of a one-way hash function and redundancy padding.

Since the Elliptic Curve Digital Signature Algorithm (ECDSA) is one of the hottest topics in the field of information security, Ying Qin et al. proposed a variable window mechanism that combines NAF and a variable-length sliding window to reduce the computational complexity of ECC point multiplication.

Guilin Wang has proposed a new digital contract signing protocol based on the RSA digital signature scheme. In this model the trusted third party is involved only when one party is cheating the other or the communication channel is interrupted. Furthermore, this protocol emphasizes a new property, abuse-freeness, which means that if the protocol is executed unsuccessfully, neither party can show the validity of the intermediate result to others.

With the widespread application of E-mechanisms, the use of secure cryptosystems has become the most important factor for information security. These demanding requirements can be achieved by integrating the cryptosystems into designs based on System-on-Chip (SoC). In that paper, the authors designed and implemented a crypto hash SHA-2 logic core in reconfigurable hardware and also discussed a public-key crypto SoC, which uses the SHA-2 hash core in conjunction with a 2048-bit RSA co-processor to perform a digital signature security scheme [3].

III. BACKGROUND THEORY

This section introduces some basic principles of RFID techniques, digital signature among cryptographic techniques, advantages of ECC digital signature over others, and presents the working principles of ECC digital signature and MD-5 hash function to get authentication service for a secure digital personal identification system.

A. Radio Frequency Identification

RFID technology enables the optimization of multiple business processes through the improvement, automation or even elimination of existing processes, and the emergence of new processes called intelligent processes or smart processes, which automatically trigger actions or events.

The major areas that have driven the commercial deployment of RFID technology are logistics, supply chain management, library item tracking, medical implants, road tolling (e.g., E-Z Pass), building access control, aviation security, and homeland security applications. These systems are used for a wide range of applications that track, monitor, report, and manage items as they move between different physical locations. From inventory management to theft detection, RFID has been applied in many areas such as in the automotive industry and logistics, as well as in warehouses and retail stores. Most cars are equipped with a remote control to open and lock a door. Money cards are used for public transportation payments. Although there is no RFID association in their names, both a car remote control and money cards are RFID applications. RFID technology has become more and more widely used in real-world applications without people realizing it.

Although current state-of-the-art receiving systems are highly optimized by using bar coding and wireless communications to a central computer, the process is error-prone and time-consuming because of human intervention. RFID presents security and privacy risks that must be carefully mitigated through management, operational, and technical controls in order to realize the numerous benefits the technology has to offer [4].

B. Working Flow of RFID

RFID is a generic term for technologies that use radio waves to automatically identify people or objects. Unlike bar codes, no clear line of sight is required to obtain an accurate read. The basic RFID system comprises a transponder, a reader and an antenna. Data is stored in a transponder device called a tag. Current tags, depending on application, can hold up to 2k bits of data. Tags can be read-only or read/write.

A radio frequency signal is transmitted from the reader to a transponder that passes within range of the reader’s antenna. The signal triggers RF emissions from the tag. The transponder holds bits of data, which is either reflected or sent back to the reader, depending on whether the tag is passive or active. Transponder data includes information such as the transaction record type, the unique transponder ID number, the reader ID number, the transaction status code, and the error detection code. Customer data can be specified as well.

One of the main hurdles for the widespread adoption of RFID systems is privacy concerns. The concerns become particularly salient as the retail industry contemplates moving from pallet and crate tagging to individual item tagging. RFID use substantially differs from that of other systems. The tag has a close association with the item it identifies. Moreover, the sensitive information usually does not pertain to the tag itself but to the item. This close association between the tag and the item that it identifies gives rise to novel threats such as tracking that are not usually addressed in conventional security systems.

To be economically viable for most applications, the tag is not allowed to possess sophisticated data processing capabilities. Thus, the design of security protection for RFID systems is challenging. For example, extensive cryptosystems such as AES, DES, ECC, or high-quality random number generators may not be available on the tag. Hence, a substantial amount of recent research effort has been dedicated to designing security techniques with sufficiently low overhead to be feasible on RFID systems [4].

Fig. 1 Working Flow within RFID System

C. Digital Signature Algorithm

A digital signature is the electronic counterpart of a written signature: it can be used to authenticate the identity of the sender of a message or of the signer of a document. E-check technology also allows digital signatures to be applied to document blocks, rather than to the entire document. This lets part of a document be separated from the original without compromising the integrity of the digital signature. This technology would also be very useful for business contracts and other legal documents transferred over the Web.

A digital signature includes any type of electronic message encrypted with a private key that is able to identify the origin of the message. The following are some functions of a digital signature.

• The authentication function: The term digital signature in general is relevant to the practice of adding a string of characters to an electronic message that serves to identify the sender or the originator of a message.

• The seal function: Some digital signature techniques also serve to provide a check against any alteration of the text of the message after the digital signature was appended.

• The integrity function: This function is of great interest in cases where legal documents are created using such digital signatures.

• The privacy function: Privacy and confidentiality are significant concerns in many instances where the sender wishes to keep the contents of the message private from all but the intended recipient [5].

D. ECC Digital Signature

Elliptic Curve Cryptography (ECC) was discovered in 1985 by Victor Miller and Neal Koblitz as an alternative mechanism for implementing public key cryptography. Unlike RSA, ECC is based on the problem of finding discrete logarithms over a finite field. Due to its small key size and conventional mechanism, ECC has been commercially accepted. ECC is based on elliptic curves that are typically defined over either the integers modulo a prime number (GF(p)) or over binary polynomials. The key size refers to the size of the prime number or binary polynomial in bits. Because of the much smaller key sizes involved, ECC algorithms can be implemented on smart cards without mathematical coprocessors. Contactless smart cards work only with ECC because other systems require too much induction energy. Since shorter key lengths translate into faster handshaking protocols, ECC is also becoming increasingly important for wireless communications.

The elliptic curve analogues of the older discrete logarithm (DL) cryptosystems are replaced by the group of points on an

security of elliptic curve cryptosystems is the computational intractability of the elliptic curve discrete logarithm problem (ECDLP). ECC is a relative of discrete logarithm cryptography. An elliptic curve E over $Z_p$ as in Fig 2 is defined in the Cartesian coordinate system by an equation of the form

$y^2 = x^3 + ax + b$

ECC digital signature schemes can be used to provide the following basic cryptographic services:

• data integrity (the assurance that data has not been altered by unauthorized or unknown means)

• data origin authentication (the assurance that the source of data is as claimed)

• non-repudiation (the assurance that an entity cannot deny previous actions or commitments)

Each value of a and b gives a different elliptic curve. The public key is a point on the curve and the private key is a random number. The public key is obtained by multiplying the private key with a generator point G in the curve.

Fig. 2 An Elliptic Curve

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography. As with elliptic curve cryptography in general, the bit size of the public key believed to be needed for ECDSA is about twice the size of the security level, in bits. This makes ECC an excellent choice for asymmetric cryptography in portable devices. The smaller ECC keys can be embedded into considerably smaller hardware, so that software applications can complete cryptographic operations with faster transaction times and less space while still retaining equivalent security.

Before implementing ECDSA, several basic choices have to be made including:

• Type of underlying finite field ($F_p$ or $F_{2^m}$)

• Elliptic curve point representation (Point Addition)

1. Point Generation over Random Elliptic Curve

• Choose an arbitrary bit string seedE of length g < 161 bits

• Compute H = MD5(seedE)

• Choose arbitrary integers $a, b \in F_p$, not both 0

• The elliptic curve chosen over $F_p$ is E: $y^2 = x^3 + ax + b$

• Output (seedE, a, b)

2. Key Generation

• Select a random integer d in the range [1, n-1].

• Compute $Q = d \cdot G$ (G is a point G ($F_p$))

• Private Key: d

• Public Key: Q

3. Signature Generation

(used private key d and point G for generation)

• Select a random integer K with 1 < K < n-1

• Compute $K \cdot G = (x_1, y_1)$ and $r = x_1 \bmod n$

• If r = 0, go to step 1.

• Compute e = HASH(m)

• Compute $s = K^{-1}(e + dr) \bmod n$

• If s = 0, go to step 1

• Generate Signature for message (r, s)

Fig. 3 Signature Generation

4. Signature Verification

(used public key Q and point G for verification)

• Verify r and s are within the range [1, n-1]

• Compute e = HASH(m)

• Compute $w = s^{-1} \bmod n$

• Compute $u_1 = ew \bmod n$ and $u_2 = rw \bmod n$

• Compute $u_1 \cdot G + u_2 \cdot Q = (x_1, y_1)$

• $v = x_1 \bmod n$

• If v = r, accept the signature [6]


Fig. 4 Signature Verification

E. MD5 Message Digest

MD5 was designed to be somewhat more “conservative” than MD4 in terms of being less concerned with speed and more concerned with security. It is very similar to MD4. The major differences are:

• MD4 makes three passes over each 16-byte chunk of the message. MD5 makes four passes over each 16-byte chunk.

• The functions are slightly different, as are the number of bits in the shifts.

• MD4 has one constant which is used for each message word in pass 2, and a different constant used for the entire 16 message words in pass 3. No constant is used in pass 1.

MD5 uses a different constant for each message word on each pass. Since there are 4 passes, each of which deals with 16 message words, there are 64 32-bit constants used in MD5. The 64 values (in hex) are as follows:

MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken up into chunks of 512-bit blocks (sixteen 32-bit words); the message is padded so that its length is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits fewer than a multiple of 512. The remaining bits are filled up with 64 bits representing the length of the original message, modulo $2^{64}$.

The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C, and D. These are initialized to certain fixed constants. The main algorithm then uses each 512-bit message block in turn to modify the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation [7].

IV. DEVELOPMENT OF THE SYSTEM

Fig. 5 Flow diagram of card creation process

When the user wants to use the proposed contactless payment system, the user first registers to get the contactless card used by RFID technology. In the card creation phase, the user gives the name, NRC and address to the administrator of the playground. After getting the required data, the proposed system digests it so that the original message cannot be detected. Then, the system generates the digital signature using Elliptic Curve Cryptography (ECC). Finally, the system writes the signature to the RFID card and also saves the signature together with the data to the Microsoft Access Database.

Fig. 6 Flow chart of card verification process

The next step is the card verification phase. In this phase, the system checks the user when the user wants to use the contactless payment system. The system uses the RFID reader with a passive tag to check whether the user is registered or not. If the user is a registered user, the system then checks the signature to verify the card using ECC cryptography. If the signature is verified, the user gets access permission. Otherwise, the user goes to the card creation phase.

V. EXPERIMENTAL RESULTS

In this proposed system, the digital signature is generated using ECC method. The results are shown below.

Fig. 7 Card registration section

In fig. 7, firstly the user registers the information for getting the contactless card used by RFID technology. The above form is to fill the user’s data such as photo, name, national register of citizens (NRC), date of birth, address, blood type and father name for the contactless card. The data from the user is stored in database by pressing save data button.

Fig. 8 Viewing the information stored in database

In fig. 8, after entering the user’s information, the system will check validity against that stored in the database. The user can update and delete the information by pressing the corresponding button in this section. The user’s information that the operator wants can be easily found among the various records.

Fig. 8 Generation of digital signature and ECC key pair

Fig. 8 is the signature generation section. First, the user's photo, address, date of birth, NRC and name are digested. Then the public key and private key are generated using the ECC method. The user data is encrypted using the digested message and the private key. After the user data is encrypted, the digital signature is generated. The generated digital signature is written into the RFID card.

In the signature verification section, the encrypted message is first digested. Then the user data is decrypted using the digested message and the public key, and the digital signature is generated. If the digital signature from the decryption section is verified against the digital signature in the RFID card, the user is authorized.

Fig. 13 Reading and Writing Digital Signature into RFID card using NFC Reader

Fig. 13 shows the NFC reader and MIFARE 1K card. The NFC reader is used to read and write the digital signature into the RFID card. This system uses a MIFARE 1K card as the contactless payment card. The digital signature generated using the ECC method is written into the contactless payment card using the NFC reader. The NFC reader reads the signature in the RFID card to verify whether it is authorized or not.

VI. CONCLUSION

This paper shows a secure electronic payment system based on Elliptic Curve Cryptography. The system generates the digital signature using Elliptic Curve Cryptography for access control and ticketing problems. Elliptic curve cryptography is an excellent choice for asymmetric cryptography in this system, and it requires a small key size compared to the RSA cryptosystem at the same security level. The system provides card confidentiality and makes the card impossible to forge by using the ECC digital signature. The ECC method is used for encryption to make the payment system secure.

ACKNOWLEDGMENT

F.A.Author thanks Dr. Than Htike Aung, Associate Professor, Department of Electronic Engineering, Mandalay Technological University, for kind permission to prepare this paper, and for his close supervision, helpful advice, encouragement and invaluable guidance. The author would also like to thank all teachers and friends who willingly helped the author throughout the preparation of the paper.

REFERENCES

[1] https://securionpay.com/blog/e-payment-system

[2] Mohammad Auwal Kabir, “Adoption of e-payment System”, International Conference of E-commerce, October 2015, Malaysia.

[3] Dr. Abhishek Roy, “A survey on Digital Signatures and its applications”, www.researchgate.net/publication

[4] Syed Ahson and Mohammad Ilyas, “RFID handbook: applications, technology, security, and privacy”, www.crcpress.com

[5] http://ocw.metu.edu.tr/pluginfile.php/354/mod_resource/content/0/Lecture_4.pdf

[6] Aqeel Khalique, Kuldip Singh, Sandeep Sood, “Implementation of Elliptic Curve Digital Signature Algorithm”, International Journal of Computer Applications (0975-8887), Vol. 2, No. 2, May 2010
