An Efficient and Flexible Mobile Payment Protocol

Chin-Chen Chang Department of Information

Engineering and Computer Science Feng Chia University

Taichung, Taiwan E-mail: ccc@cs.ccu.edu.tw

Jen-Ho Yang Department of Multimedia and

Mobile Commerce Kainan University

Taoyuan County, Taiwan e-mail: jenhoyang@mail.knu.edu.tw

Kai-Jie Chang Department of Computer Science

and Information Engineering National Chung Cheng University

Chia-Yi, Taiwan e-mail: ckch94@cs.ccu.edu.tw

Abstract—With the development of the mobile networks, mobile payment provides a convenient way for the transactions in e-commerce. In this paper, we propose an efficient mobile payment model and its two applications. In the proposed model, mobile operator provides the mutual authentication and anonymity between a merchant and a customer. Because mobile operator is a credible center on mobile networks, the merchant and the customer can authenticate with each other through mobile operator. Based upon the proposed model, the customer can securely and efficiently complete the payments in the mobile environments. Unlike the previous protocols, the proposed protocol does not require a trusted third-party center for transactions. It makes the mobile payments easier to implement. Furthermore, the communications between the customer and the merchant can be also greatly reduced.

Keywords-mobile payment; electronic cash; anonymity; user privacy; authentication

I. INTRODUCTION

As the growth of the Internet and mobile networks, more and more businesses are developed on internet, which is called e-commerce. E-commerce transfers the commercial activities such as buying, selling and marketing into an electronic system on Internet. In e-commerce, the payment mechanism becomes a key point, which not only protects transactions but also provides personal privacy of customers. In 1983, Chaum [2] proposed the first payment protocol for e-commerce. Chaum used the blind signature to generate an untraceable payment. Since then, many related works [1, 3, 6, 9, 12, 13] are proposed to implement the electronic payment.

Existing e-payment protocols can be divided into two categories on-line and off-line. In an on-line protocol, the merchant verifies the authentication message and the customer transfers the fund from his deposit account to the merchant’s bank account through a third party. This also means that the bank requires verifying the customer’s authority at the same time. The on-line payment protocol protects the merchant against certain malicious customer who has a bad debt. The point is that the customer needs to negotiate synchronously with both the merchant and the bank. However, synchronous communications are hard to be implemented on the Internet. In some protocols [10], the customer needs to communicate with the merchant’s banks

while the merchant needs to communicate with the customer’s bank. If the merchant’s bank is different from the customer’s bank, they have to record a lot of bank information for communications. If some countries have hundred even thousand banks, the merchant or customer must record a lot of contact information of these banks. This is not efficient and practical.

On the other hand, the off-line protocol provides a convenient way that the merchant does not need to verify e-cash paid by a trusted third party. This method makes the e-payment simpler and faster. The customer deposits some money to the bank and gets e-cash in advance, and he can use e-cash to complete the payment process. However, the off-line protocol requires additional computations to verify e-cash or authentication messages. Besides, the cryptography has to be employed to calculate the amount of money in some protocols [9, 12, 16].

Also, there are some protocols [8] that use the smart card to record e-cash. As the growth of the mobile networks, mobile devices, rather than smart cards, becomes a common equipment. Thus, many mobile payment (m-payment) protocols [10, 16] are proposed. Now, the most popular mobile system is GSM [4]. In the GSM system, short message service is used to transfer the authentication message and payment request passed through the SMS gateway [5]. In the next generation, third generation (3G) mobile network provides the high transmission rate for mobile communications and the mobile device’s functionalities, which is more powerful than before. The 3G mobile system further develops the m-payment. In 2002, Vershney [14] refers to “the mobile payment helps the user to have the flexibility to make purchases and obtain credit quickly and easily almost everywhere in the world”. Besides, it is mentioned that there are some important factors but also the security challenges in the m-payment, including confidentiality, authentication, integrity, authorization and non repudiation.

In order to satisfy the above requirements, we propose an efficient and flexible mobile payment protocol in this paper. The proposed protocol provides the properties of integrity, authentication, confidentiality, authorization, and non- repudiation. In addition, the proposed protocol has low

2012 Sixth International Conference on Genetic and Evolutionary Computing

978-0-7695-4763-3/12 $26.00 © 2012 IEEE

DOI 10.1109/ICGEC.2012.43

63

2012 Sixth International Conference on Genetic and Evolutionary Computing

978-0-7695-4763-3/12 $26.00 © 2012 IEEE

DOI 10.1109/ICGEC.2012.43

63

2012 Sixth International Conference on Genetic and Evolutionary Computing

978-0-7695-4763-3/12 $26.00 © 2012 IEEE

DOI 10.1109/ICGEC.2012.43

63

2012 Sixth International Conference on Genetic and Evolutionary Computing

978-0-7695-4763-3/12 $26.00 © 2012 IEEE

DOI 10.1109/ICGEC.2012.43

63

computation costs so it is very suitable for mobile environments.

II. RELATED WORKS

In this section, Hashemi and Soroush’s m-payment protocol [10] is described as follow. The flowchart of their protocol is shown in Figure 1.

Figure 1. Hashemi and Soroush’s m-payment protocol

Step 1. The customer generates a purchase request to the merchant.

Step 2. The merchant generates and sends a customer authorization request to the customer’s bank.

Step 3. The customer’s bank also generates and sends out an authentication request to the customer.

Step 4. The customer uses the pre-shared password PWU to generate an authentication response and sends it back to customer’s bank.

Step 5. The customer’s bank generates an authentication result and delivers it to the merchant.

Step 6. The merchant generates and sends a settlement request to the merchant’s bank.

Step 7. The customer’s bank starts transferring payment to the merchant’s bank.

This protocol has several drawbacks shown as follows. The mobile communicates with customer’s bank and then, the customer’ bank sends the authorization request to the merchant. Thus, the bank has to record all merchants’ information while the merchant also needs to keep the record of banks’ information. Besides, if this protocol is applied to an e-cash system, the merchant must be able to identify various e-cashes. Furthermore, the transmission messages are not described clearly, the security of this protocol cannot be ensured. Thus, we propose a new m-payment model in the next section.

III. THE PROPOSED METHOD

A. The Communication Model The notations of the proposed protocol are listed in the

following table.

TABLE I. NOTATIONS USED IN THE PROPOSED PROTOCOL

Notations Descriptions MO Mobile Operator SID Merchant Identity UID User Identity (Customer)

Money The money that customer buys SNO The serial number of pay check T1, T2 The two timestamps r1, r2 The two random numbers PWU The user password for payment

PWSThe merchant’s password for sign authentication

K The pre-shared key between MO and merchant

SKAThe session key is generated in EAP-AKA [7]

SKBThe session key between the merchant and MO

H(.) A secure one-way hash function EK(.) A symmetric encryption using key K

Auth_X The authentication message of the entity X

OK Acknowledgement for success authentication

� User and MO: The mobile device executes the EAP-AKA [7] when it is power on. The EAP-AKA process would check the user’s identity and share a session key SKA between the user and MO. The message is encrypted by SKA.

� Merchant and User: Communication between the merchant and the user can be carried out either through the infrared ray, Bluetooth, or WLAN.

� MO and Merchant: The MO and the merchant generate a new session key ),_( KAAuthHSKB � .Then, the following message is encrypted by the AES algorithm where the secret key is SKB.

The communication model is shown in Figure 2. And, the explanation is presented as follows.

64646464

Figure 2. The communication model

B. The proposed m-payment protocol The proposed protocol is divided into two phases:

registration phase and payment phase.

Registration Phase: In the e-payment registration phase, the customer pre-shares a payment password SPW with MO. The merchant registers an encryption key K and a password

SPW at MO. Both of them have a post-payment contract with MO.

Payment Phase: In this phase, the customer has to execute the EAP-AKA for login the mobile networks. The session key is generated in the EAP-AKA. Besides, the MO and merchant also establish a secure channel by using the session key BSK . The flowchart is shown in Figure 3. The process is depicted as follows.

Step 1. The merchant generates an authentication message ),,(_ 11 TrMoneyHAAuth UPW� and sends it to the

customer with SID, Money, r1 and T1.Step 2. The customer generates the authentication message

as ),,(_ 22 TrMoneyHBAuth UPW� and computes ),,,,_,_,,,( 2121 rrTTBAuthAAuthMoneySIDUIDE

ASK

.Step 3. MO decrypts the message and checks T1 and T2. If

they exceed the time limit, MO will disable this payment. Otherwise, MO further checks Auth_A and Auth_B. MO generates a payment record which contains the serial number SNO, SID, UID and Money. If the above verifications are correct, MO generates ),,,(_ 31 TSNOrMoneyHCAuth SPW� and

),,(_ 32 TrMoneyHDAuth UPW� to compute ),,_,_,( 3TSNOCAuthCAuthMoneyE

BSK .Step 4. If T3 and Auth_C are invalid, the merchant terminates

the payment. Otherwise, the merchant sends the Auth_D to customer and OK to MO.

Step 5.The customer receives Auth_D and checks its validity. If Auth_D is valid, customer sends OK acknowledgement to MO and the merchant as well. Otherwise, the customer terminates the payment. The payment phase is accomplished if both Auth_C and Auth_D are valid.

Step 6. After receiving the OK messages from customer and merchant, MO adds the payment record to the month bill.

Figure 3. The e-cash payment flowchart

IV. SECURITY ANALYSES

In this section, we analyze the security of the proposed

protocol.

� Replay Attack: Assume that an attacker wants to replay the messages Auth_A, Auth_B, Auth_C, and Auth_D in the payment phase. A point is that the payment will be terminated if the timestamp is invalid. Moreover, the communications are protected by ASK and BSK .Thus, the attacker cannot send the message without

ASK and BSK , and the replay attack is infeasible in our protocol.

� Impersonation and Forgery Attack: Assume that an attacker wants to complete the payment by impersonating a customer to purchase from a merchant. The condition is that before sending the forged message, the attacker must have

65656565

the customer’s mobile device and pass the EAP-AKA. However, he cannot access the mobile device without the PIN. Also, he does not have the pre-shared key SPW between the merchant and MO. Thus, he cannot generate the messages Auth_C and Auth_D to the merchant without the key. Besides, an attacker cannot only change the UID in the message ),,_,( 3TSNOCAuthMoneyE

BSK because the person, who has the corresponding SPW , can generate the correct Auth_B. Base on the above mentioned reasons, impersonation and forgery attack cannot work in our protocol.

� Password Guessing Attack: Assume that an attacker intercepts the authentication messages Auth_A and Auth_B and tries to analyze it. The attacker may guess a password PW’ and compute ),,( 1

'1 TrMoneyH PW to check if it is equal to

Auth_A. However, it is a time-consuming process to compute ),,( 1

'1 TrMoneyH PW due to the need of

performing modular exponentiation. Thus, password guessing attack is impossible to occur in the proposed protocol.

V. CONCLUSIONS

In this paper, we propose an efficient and flexible m-payment protocol. A customer can use their mobile device to purchase without paying by cash and his/her personal information will not be revealed to the merchant. On the other hand, the merchant also can authenticate the customer through MO. In conclusion, our protocol provides two efficient on-line mobile payment mechanisms for e-commerce.

REFERENCES

[1] B. Cox, J. D. Tygar, and M. Sirbu, “NetBill Security and Transaction Protocol,” Proceedings of First USENIX Workshop Electronic Commerce , New York, USA, pp. 77-88, 1995.

[2] D. Chaum, “Blind Signature for Untraceable Payments,” Proceedings of Advances in Cryptology–Crypto ’82, New York, USA, pp. 199-203, 1983.

[3] D. Chaum, A. Fiat, and M. Naor, “Untraceable Electronic cash,” Proceedings of Advances in Cryptology–Crypto’88 , California, USA, pp. 319-327, 1990.

[4] Digital Cellular Telecommunications System (Phase 2), “Physical Layer on the Radio Path. General Description,” ETSI Recommend, GSM 05.01 (ETS 300 573), 1994.

[5] G. Peersman and S. Cvetkovic, “The Global System for Mobile Communications Short Message Service,” IEEE Personal Communication, pp. 15-23, 2000.

[6] H. Wang and Y. Zhang, “Untraceable Off-Line Electronic Cash Flow in E-Commerce,” Proceedings of 24th Australian Computer Science Conference , Australia, pp. 191-198, 2001.

[7] J. Arkko and H. Haverinen “EAP AKA authentication,” IETF draft,2003.

[8] L. Zhang, J. P. Yin, and Y. B. Zhan, “An Anonymous Digital Cash and Fair Payment Protocol Utilizing Smart Card in Mobile Environments ,” Proceedings of Grid and Cooperative Computing Workshops , Changsha, Hunan, China, pp. 335-340, 2006.

[9] M. Franklin and M. Yung, “Secure and Efficient Off-Line Digital Money,” Proceedings of 20th Int’l Colloquium Automata, Languages, and Programming , Lund, Sweden, pp. 265-276, 1993.

[10] M. R. Hashemi and E. Soroush, “A Secure M-Payment Protocol for Mobile Devices,” Proceedings of Electrical and Computer Engineering, Canada, pp. 294-297, 2006.

[11] N. Kreyer, K. Pousttchi,and K. Turowski, “Characteristics of Mobile Payment Procedures,” Proceedings of the ISMIS Workshop on M-Services , Lyon, France, 2002.

[12] T. Okamoto, “An Efficient Divisible Electronic Cash Scheme,” Proceedings of Advances in Cryptology–Crypto ’95 , California, USA, pp. 438-451, 1995.

[13] T. Poutanen, H. Hinton, and M. Stumm, “NetCents: A Lightweight Protocol for Secure Micropayments,” Proceedings of Third USENIX Workshop Electronic Commerce , Boston, USA, pp. 36-58, 1998.

[14] U. Varshney , “Mobile payments,” Computers , Vol. 35, No. 12, pp. 120-121, 2002.

[15] X. Dai, O. Ayoade, and J.Grundy, “Off-Line Micro-Payment Protocol for Multiple Vendors in Mobile Commerce,” Proceedings of Parallel and Distributed Computing, Applications and Technologies,Taichung, Taiwan, pp. 197-202, 2006.

66666666