In terms of the security and efficiency of mobile e-commerce, the authors summarized the advantages and disadvantages of several related schemes, especially the self-verified mobile payment scheme based on the elliptic curve cryptosystem (ECC) and then proposed a new type of dynamic symmetric key mobile commerce scheme based on self-verified mechanism. The authors analyzed the basic algorithm based on self-verified mechanisms and detailed the complete transaction process of the proposed scheme. The authors analyzed the payment scheme based on the security and high efficiency index. The analysis shows that the proposed scheme not only meets the high efficiency of mobile electronic payment premise, but also takes the security into account. The user confirmation mechanism at the end of the proposed scheme further strengthens the security of the proposed scheme. In brief, the proposed scheme is more efficient and practical than most of the existing schemes.
1. Introduction
With the rapid development of mobile communication technology, more and more electronic trading has been introduced to the wireless network environment [1]. The wireless mobile network in the electronic trading model not only provides numerous merchants with a new way of promoting the sale of products and increases the profit, but also greatly enriches the network shopping environment of the consumers [1]. Mobile electronic commerce has achieved rapid development, since the mobile users and merchants traded anywhere and anytime [2]. However, compared with fixed networks, there are some factors that have restricted the development of mobile commerce, such as lower bandwidth, longer delay time, unstable connection, limited storage space, and restricted computing power [1]. In order to reduce the risk of these problems, the priority of all kinds of mobile payment schemes is the security and efficiency of the solution.
Recently, with the development of mobile commerce based on the characteristics of the mobile network, some researchers have successively put forward the certificate-based public key cryptosystem scheme (CBCS) [3], the ID-based cryptography scheme (IDBCS) [1, 4, 5], and the self-verified digital signature scheme (SVDSS) [2, 6, 7]. CBCS is similar to the scheme based on the Secure Electronic Transaction protocol, in which the user's authentication requires the certificate preserved in the certificate authority (CA). When a node certificate is updated or canceled, each node directory needs to be updated synchronously. This sort of certificate management places relatively high demands on the calculation, storage, and communication of the system. In order to avoid the certificate management burden, IDBCS uses key escrow (KE) features and a key distribution center (KDC) to manage the public/private key pairs of all trading entities in a unified way; it can generate a symmetric key and thus improve the efficiency of the system. However, once the KDC public/private key leaks, the system will lose its security barrier. In addition, as the number of users increases, the KDC needs to maintain a large set of user authentication tables, which increases the burden on the system [1]. SVDSS is more efficient and secure than CBCS and IDBCS. On the one hand, its authentication mechanism does not need to rely on complex certificate management, which reduces the amount of calculation and traffic and improves the execution efficiency; on the other hand, it does not place a public/private key in a KDC. Thus SVDSS has extensive application prospects in the field of mobile e-commerce.
The core work of SVDSS is generating the authentication key and digital signature which verifies the identity of transaction entity. At present, the mainstream generative mechanism of SVDSS is based on ECC. Compared with the public key cryptosystem (PKC), ECC uses smaller key length to meet the same level of security and has very low computational burden [7–9]. The specific performance comparison can be seen in Table 1. Therefore, the electronic payment scheme based on ECC is more effective than that based on PKC.
Table 1: Comparison of performance of RSA and ECC.

| Break time/MIPS | RSA key length/bit | ECC key length/bit | RSA/ECC key length ratio |
|---|---|---|---|
| 10^{4} | 512 | 106 | 5 : 1 |
| 10^{8} | 768 | 132 | 6 : 1 |
| 10^{12} | 1024 | 160 | 7 : 1 |
| 10^{20} | 2048 | 210 | 10 : 1 |
| 10^{78} | 21000 | 600 | 35 : 1 |
The symmetric key encryption system has simple encryption processing, fast encryption, shorter keys, and so forth [9]. The authors summarize the theory and experience of predecessors and propose a new type of dynamic symmetric key mobile commerce scheme based on the self-verified mechanism in this paper. The proposed scheme meets the requirements of both security and high efficiency because of the application of ECC. Based on the self-verified signature concept, each transaction entity holds the verification key and the digital signature for later user authentication [2, 10]. The symmetric keys held by two entities are generated dynamically from the verification key and the digital signature, which contributes to secure and efficient information interaction. No special key management mechanism is necessary, which reduces the cost of key management. In this way, the network operator only needs to provide users with a secure network and does not need to maintain a redundant authentication table. Therefore, the electronic payment scheme can not only meet the requirements of large-scale mobile users, but also execute secure and efficient information interaction with the generated symmetric key between the two entities after successful authentication. The electronic payment scheme is very suitable for large-scale mobile user environments, because the network operator does not need to maintain a redundant authentication table. In addition, the proposed scheme supports a user anonymity mechanism and confidentiality, and it can prevent impersonation attacks effectively. With our efforts, the system safeguards the rights and interests of users and ensures security. This scheme adopts ECC. Compared with other mechanisms such as the PKC and pairing function encryption mechanism, ECC obviously improves the operating efficiency of the system [11, 12]. To sum up, the proposed scheme is effective and practical in mobile commerce.
This paper is structured as follows. In Section 2, the authors summarize the main idea of the self-verified mechanism and basic steps. In Section 3, the paper presents detailed process of the proposed scheme. In Section 4, the authors analyze operational efficiency and security. Finally, conclusions are made in Section 5.
2. The Principle of Self-Verified Mechanism
Yang and Chang [2] proposed an authentication mechanism which is divided into three phases: the initialization phase, the registration phase, and the authentication phase.
2.1. The Initialization Phase
In this phase, the server S initializes the system parameters over an elliptic curve domain through the following steps. In order to facilitate subsequent statements, important parameters and explanations are listed in Table 2.
Table 2: The parameters of the self-authentication scheme.

| Parameter | Explanation |
|---|---|
| $F_q$ | Finite field $F_q$ over a large odd prime $q$ |
| $E_q(a,b)$ | Elliptic curve equation with the order $n$ over $F_q$ |
| $Q$ | Public point over $E_q(a,b)$ |
| $H(\cdot)$ | The one-way hash function |
| $*$ | The point multiplication over $E_q(a,b)$ |
| $V_X$ | A verification key that is generated by O for the entity X |
| $(E_X, S_X)$ | The self-verified signature that is generated by O for the entity X |
| $ID_X$ | The unique identity of trading entity X |
2.1.1. Elliptic Curve Equation
S chooses a finite field $F_q$ over a large odd prime $q$ and generates an elliptic curve equation $E_q(a,b)$:
$$y^2 = x^3 + ax + b \bmod q, \tag{1}$$
where parameters satisfy the following conditions:
$$a, b \in F_q,\quad q > 3,\quad 4a^3 + 27b^2 \neq 0 \bmod q. \tag{2}$$
S selects a public point $Q$ over $E_q(a,b)$ and a public one-way hash function $H(\cdot)$, where $Q$ is the finite point over $E_q(a,b)$.
2.1.2. Generating Public Key
S chooses its private key $d_S \in Z_q$ to compute its public key by
$$U_S = d_S * Q. \tag{3}$$
2.2. The Registration Phase
Assume that user A wants to log in to the server S. Before logging in, A must register with S.
2.2.1. Generating Verification Key and Self-Verified Signature
Firstly, A sends a registration request to S. S generates A's verification key by
$$V_A = H(ID_A \| w_A), \tag{4}$$
where $w_A \in Z_q^*$ and $ID_A$ is A's identity. S computes $W_A$ by
$$W_A = w_A * Q = (x, y), \tag{5}$$
where $x$ and $y$ denote the x-coordinate and y-coordinate of $W_A$, respectively. To generate the self-verified signature $(E_A, S_A)$, S computes
$$E_A = H(x \| ID_A) \bmod n,\quad S_A = w_A - d \cdot E_A \bmod n. \tag{6}$$
2.2.2. Confirming the Legitimacy of Information
S sends $\{V_A, (E_A, S_A)\}$ to A via a secure channel. A verifies the legitimacy of the message by computing
$$W_A' = S_A * Q + E_A * U_S = (x', y'),\quad E_A' = H(x' \| ID_A). \tag{7}$$
Then, A checks if $E_A'$ is equal to $E_A$. If they are equal, then A confirms that $\{V_A, (E_A, S_A)\}$ is really generated by O.
2.3. The Authentication Phase
In this phase, A wants to log in S; S can verify the user’s legality [9].
2.3.1. Obtaining Data Set
A uses $H(\cdot)$ to compute
$$C = H(ID_A \| V_A \| TS), \tag{8}$$
where TS is the timestamp; A sends data set $(ID_A, C, E_A, S_A)$ to S.
2.3.2. Identity Authentication
After receiving $(ID_A, C, E_A, S_A)$, S computes
$$w_A' = S_A - d_S * E_A \bmod n,\quad V_A' = H(ID_A \| w_A'),\quad C' = H(ID_A \| V_A' \| TS). \tag{9}$$
S checks if $C'$ is equal to $C$ that is sent from A. If they are equal, then S can authenticate that A is a legal user.
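The three phases of Section 2 can be run end to end with the following added example, which is not code from the paper or from Yang and Chang [2]. It assumes secp256k1 as the curve, SHA-256 with length-prefixed fields as $H(\cdot)$, that TS travels with the login data, and a 60-second freshness window; it recovers $w_A$ as $S_A + d_S E_A \bmod n$, the algebraic inverse of (6), and reports separately what the minus sign printed in (9) yields.

```python
import hashlib
import secrets

# secp256k1 domain parameters stand in for the page's E_q(a,b), Q and n (assumption).
P = 2**256 - 2**32 - 977
A = 0
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
Q = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Point addition on the curve; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """The page's '*': scalar multiplication by double-and-add (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(*parts):
    """H(a || b || ...) as an integer; each field is length-prefixed (assumption)."""
    h = hashlib.sha256()
    for part in parts:
        data = str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big")

class Server:
    def __init__(self):
        self.d = secrets.randbelow(N - 1) + 1      # private key d_S
        self.U = mul(self.d, Q)                    # public key U_S = d_S * Q, eq. (3)

    def register(self, identity):
        w = secrets.randbelow(N - 1) + 1           # w_A
        V = H(identity, w)                         # eq. (4)
        x, _ = mul(w, Q)                           # eq. (5)
        E = H(x, identity) % N                     # eq. (6)
        S = (w - self.d * E) % N                   # eq. (6)
        return V, (E, S)

    def authenticate(self, identity, C, E, S, ts, now, window=60):
        # The freshness window on TS is an assumption; the page only says TS is checked.
        if abs(now - ts) > window:
            return False
        w = (S + self.d * E) % N                   # inverts eq. (6)
        return C == H(identity, H(identity, w), ts)

def check_registration(identity, E, S, U_S):
    """Eq. (7): W' = S_A*Q + E_A*U_S; accept if H(x' || ID_A) mod n equals E_A."""
    W = add(mul(S, Q), mul(E, U_S))
    return W is not None and H(W[0], identity) % N == E

def login_token(identity, V, ts):
    """Eq. (8): C = H(ID_A || V_A || TS)."""
    return H(identity, V, ts)

def demo():
    srv = Server()
    V, (E, S) = srv.register("alice")              # constructed identity
    ts = 1_700_000_000                             # constructed timestamp
    C = login_token("alice", V, ts)
    return {
        "registration_ok": check_registration("alice", E, S, srv.U),
        "tampered_S": check_registration("alice", E, (S + 1) % N, srv.U),
        "login_ok": srv.authenticate("alice", C, E, S, ts, now=ts + 5),
        "replayed_late": srv.authenticate("alice", C, E, S, ts, now=ts + 3600),
        "wrong_identity": srv.authenticate("mallory", C, E, S, ts, now=ts + 5),
        "minus_as_printed": H("alice", (S - srv.d * E) % N) == V,
    }
```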
3. Proposed Scheme
There are three transaction entities in the proposed e-payment scheme: the provider of electronic goods P, the mobile user U, and the network operator O that is a collection of financial institutions. O provides the wireless network bearer services to P and U, such as 3G services. Before being involved in trading officially, P and U must register to O and obtain the exclusive account. Only in this way can O provide service for user’s transaction. The trading model of the proposed scheme is shown in Figure 1.
Figure 1: Trading model.
The proposed electronic trading scheme is divided into four phases: the registration phase, the withdrawing phase, the paying phase, and the depositing phase. During the registration phase, P and U need to register to O for obtaining their verification keys and self-verified signatures. The function of withdrawing phase is that U not only obtains an electronic identification of account balance but also completes the identity authentication with P. In the paying phase, U and P perform authentication with each other; then U will obtain the electronic goods from P. During the depositing phase, U agrees on this transaction and then P redeems the price from the account of U.
3.1. The Registration Phase
Before the depositing phase, P and U need to register to O for obtaining their verification keys and self-verified signatures. The steps of this phase are demonstrated as follows.
U sends a registration request to O, and O generates the verification key VU and the self-verified signature (EU,SU). Through the secure way, O sends authentication information {VU,(EU,SU)} to U. Then U stores {VU,(EU,SU)} into its mobile device for subsequent authentications.
In a similar way, P gets the authentication information {VP,(EP,SP)} from O and stores it into its mobile device.
3.1.3. Storing Authentication Information
O stores the registration information of U and P to its database. The information provides the foundation of authentication, generating keys, information transfer, and payment in later transaction.
3.2. The Withdrawing Phase
According to the registration information in the registration phase, U obtains an electronic identification of account balance whose maximum value is VN. In the subsequent transactions, the value of electronic goods bought by U from P will not exceed VN. In this phase, U and P not only complete the identity authentication but also generate a symmetric key between themselves, and the symmetric key will be applied during the user confirmation mechanism in the depositing phase. The steps of this phase are shown as follows and the specific flow chart is shown in Figure 2.
Figure 2: Flow chart of withdrawing phase.
Step 1. U makes use of $\{V_U, (E_U, S_U)\}$ to compute
$$C_{UO} = h(ID_U \| ID_P \| V_U \| TS), \tag{10}$$
where TS is the timestamp and U sends $ID_U$, $ID_P$, $(E_U, S_U)$, TS, and $C_{UO}$ to O.
Step 2. In order to verify the legitimacy of U, O uses its private key $d_O$ to compute
$$w_U' = S_U - d_O * E_U \bmod n,\quad V_U' = H(ID_U \| w_U'). \tag{11}$$
Then, O checks validity of TS. If TS is valid, O computes
$$C_{UO}' = h(ID_U \| ID_P \| V_U' \| TS). \tag{12}$$
O confirms that U is legal and above withdrawing information is really sent from U when $C_{UO}'$ equals $C_{UO}$. Otherwise, O rejects the transaction.
Step 3. O generates an electronic identification of account balance whose maximum value is VN. In the subsequent transactions, the value of electronic goods bought by U from P will not exceed VN. Meanwhile, O generates a serial number SN of VN.
Step 4. O makes use of $w_U'$, $ID_O$, $ID_U$ to generate the symmetric key
$$Ks_{O\_U} = H(w_U' \| ID_O \| ID_U). \tag{13}$$
Based on ECC, O generates the digital signature $Sig(VN \| SN \| ID_P)$ and computes
$$C_{OU} = E_{V_U'}\big(Ks_{O\_U}, VN, SN, V_U', Sig(VN \| SN \| ID_P)\big), \tag{14}$$
and then it sends $C_{OU}$ to U and stores $(VN, SN)$ in the local database and deducts the cost of VN from mobile user's account.
Step 5. U uses symmetric key to decrypt $C_{OU}$ for $Ks_{O\_U}$, VN, SN, $V_U'$, $Sig(VN \| SN \| ID_P)$.
Then it is checked whether the equation $V_U' = V_U$ holds. If it holds, U confirms that $C_{OU}$ is really sent by O, stores $(VN, SN)$ into the users' database, and obtains symmetric key $Ks_{O\_U}$.
3.3. The Paying Phase
In this phase, U sends good information GI to P; then U and P perform authentication with each other. After the authentication is legalized, U will obtain the electronic goods encrypted by the symmetric key KsP_U generated between the two entities. The steps of this phase are shown as follows and the specific flow chart is shown in Figure 3.
Figure 3: Flow chart of paying phase.
Step 1.1. U browses P's online shop and generates the good information $GI_1$ that contains the descriptions and the prices defined by $P_1$ of the electronic goods. Meanwhile, U arbitrarily selects an integer $r_U \in Z_q$ and obtains the value $k_x$ by
$$R_U = r_U * Q,\quad K_U = r_U * U_P = (k_x, k_y). \tag{15}$$
U generates the dynamic symmetric key $Ks_{P\_U}$ between P and U by
$$Ks_{P\_U} = H(r_U \| ID_P \| ID_U), \tag{16}$$
where $ID_P$ and $ID_U$ are the unique identifications of P and U. U encrypts the payment message with the key $k_x$:
$$PI = E_{k_x}\big(GI_1, Ks_{P\_U}, VN, SN, Sig(VN \| SN \| ID_P)\big). \tag{17}$$
Step 1.2. After receiving the encrypted payment message PI, P obtains $k_x'$ by
$$K_U' = d_P * R_U = (k_x', k_y'). \tag{18}$$
P decrypts PI and obtains payment message DI by
$$DI = D_{k_x'}\{PI\} = \big(GI_1, Ks_{P\_U}, VN, SN, Sig(VN \| SN \| ID_P)\big). \tag{19}$$
P verifies the legitimacy of digital signature with computing $Ver(Sig(VN \| SN \| ID_P))$. If the signature is legal, P can confirm PI is really sent by U. Therefore, P confirms that $(Ks_{P\_U}, VN, SN)$ is legal and obtains the dynamic symmetric key $Ks_{P\_U}$.
Step 1.3. P obtains the good information GI and then determines whether inequality $P_1 \le VN$ was established. If VN is greater than or equal to $P_1$, P stores $(GI_1, ID_U, VN, SN)$ in the database and sends $E_{Ks_{P\_U}}(EG_1)$ to U, where $EG_1$ is the electronic goods. Then U obtains the $EG_1$ encrypted by $Ks_{P\_U}$. Otherwise, U rejects the transaction.
If user wants to execute subsequent transactions, the proposed scheme can make full use of symmetric key $Ks_{P\_U}$, which is generated in the previous process. In the Jth transaction, both entities apply hash function $H_K(\cdot)$, symmetric key $Ks_{P\_U}$, and good information $GI_J$ to complete the transaction. The steps of this phase are shown as follows.
Step J.1. U browses P's online shop and generates the Jth good information $GI_J$. In the meantime U updates symmetric key $Ks_{P\_U}^{J} = H_K^{J}(Ks_{P\_U})$, where $H_K^{J}(\cdot)$ represents performing the hash operation J times.
Step J.2. U uses $Ks_{P\_U}^{J}$ to compute the payment message by
$$PI_J = E_{Ks_{P\_U}^{J}}(GI_J, ID_U, VN, SN), \tag{20}$$
where $GI_J$ contains the price information $P_J$ and sends $PI_J$ to P. P updates the symmetric key $Ks_{P\_U}^{J}$ and obtains the payment message by
$$DI = D_{Ks_{P\_U}^{J}}(PI_J) = (GI_J, ID_U, VN, SN). \tag{21}$$
Step J.3. After receiving DI, P judges the condition
$$I = P_1 + P_2 + \cdots + P_J \le VN. \tag{22}$$
If the inequality is not established, P rejects the transaction. If the inequality is established, P stores $(G_1 + G_2 + \cdots + G_J, ID_U, VN, SN)$ into the database and sends $E_{Ks_{P\_U}^{J}}(EG_J)$ to U. Finally, U obtains electronic goods $EG_J$ encrypted by $Ks_{P\_U}^{J}$.
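Steps J.1 to J.3 are sketched below as an added example, which is not the paper's code. It assumes SHA-256 for $H_K$, a SHA-256 keystream with an HMAC tag as a stand-in for the unspecified cipher $E$, and JSON field names chosen here; P advances its key whenever a message authenticates, so a replayed $PI_J$ fails and a rejected over-limit order does not desynchronize the key chain.

```python
import hashlib, hmac, json

def H(data):
    return hashlib.sha256(data).digest()

def ratchet(ks, j):
    """Ks^J = H^J(Ks): hash the first-transaction key J times."""
    for _ in range(j):
        ks = H(ks)
    return ks

def _keystream(key, n):
    blocks = (H(key + b"stream" + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(key, fields):
    """Stand-in for the page's E (assumption): keystream XOR, then an HMAC tag.
    Each ratcheted key protects exactly one message here, so no nonce is carried."""
    pt = json.dumps(fields, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def D(key, blob):
    """Inverse of E; None when the tag fails (wrong chain position or tampering)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))))

class User:
    def __init__(self, ks, uid, vn, sn):
        self.key, self.uid, self.vn, self.sn = ratchet(ks, 1), uid, vn, sn

    def order(self, item, price):
        self.key = H(self.key)                      # Step J.1: update the key
        gi = {"item": item, "price": price}         # GI_J carries the price P_J
        return E(self.key, {"GI": gi, "ID_U": self.uid, "VN": self.vn, "SN": self.sn})

class Merchant:
    def __init__(self, ks, vn, sn, first_price):
        # State P holds after Step 1.3: the key, (VN, SN) and the running total I = P_1.
        self.key, self.vn, self.sn, self.total = ratchet(ks, 1), vn, sn, first_price

    def pay(self, pi_j):
        nxt = H(self.key)                           # Step J.2: candidate Ks^J
        di = D(nxt, pi_j)
        if di is None:
            return "reject: bad key or tampered message"   # key is NOT advanced
        self.key = nxt                              # authentic message consumes the key
        if (di["VN"], di["SN"]) != (self.vn, self.sn):
            return "reject: VN/SN do not match stored values"
        price = di["GI"]["price"]
        if not isinstance(price, int) or price <= 0 or self.total + price > self.vn:
            return "reject: total would exceed VN"  # Step J.3, inequality (22)
        self.total += price
        return "ok"

def demo():
    ks = H(b"constructed r_U || ID_P || ID_U")      # constructed stand-in for eq. (16)
    user = User(ks, "U-1", vn=100, sn="SN-0001")
    shop = Merchant(ks, vn=100, sn="SN-0001", first_price=30)
    first = user.order("song", 40)
    results = [shop.pay(first),                     # total 70
               shop.pay(first),                     # replay of the same PI_J
               shop.pay(user.order("film", 50)),    # 70 + 50 > VN
               shop.pay(user.order("book", 30))]    # total 100
    return results, shop.total, shop.key == user.key
```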
3.4. The Depositing Phase
After the paying phase, P obtains I=P1+P2+⋯+PJ from U and wants to redeem them from O in this phase. The steps of this phase are shown as follows and the specific flow chart is shown in Figure 4.
Figure 4: Flow chart of depositing phase.
Step 1. P makes use of $V_P$ to generate
$$EP_{P\_O} = E_{V_P}(ID_P, ID_U, SN, V_P, GI). \tag{23}$$
Then it sends $EP_{P\_O}$, $ID_P$, $(E_P, S_P)$ to O, where is the collection of $GI_1, GI_2, \ldots, GI_J$.
Step 2. In order to verify P, O uses private key $d_O$ to generate $V_P'$ and compute $EP_{P\_O}'$ by
$$w_P' = S_P - d_O \cdot E_P \bmod n,\quad V_P' = H(ID_P \| w_P'),\quad EP_{P\_O}' = E_{V_P'}(ID_P, ID_U, SN, V_P', GI). \tag{24}$$
O checks if the equation $EP_{P\_O}' = EP_{P\_O}$ holds. If the equation holds, then O confirms that P is legal.
Step 3. O uses $Ks_{O\_U}$ to compute
$$EP_{O\_U} = E_{Ks_{O\_U}}(ID_P, ID_U, GI, SN) \tag{25}$$
and sends $EP_{O\_U}$ to U. U makes use of $Ks_{O\_U}$ and obtains $ID_P$, $ID_U$, GI, SN. If U agrees on this transaction and replies confirmation information to O, then O completes the deposit. Otherwise, O rejects this transaction.
4. The Performance and the Security Analyses
This scheme will be compared to the related schemes in terms of performance and security analysis in order to identify the characteristics and advantages of proposed scheme. Compared with previous trading models [1, 2], the proposed scheme further compresses the computation costs, and the dynamic symmetric key introduced improves the dynamic efficiency of the system. Considering the complexity and integration of current system, the proposed scheme adds the user confirmation mechanism which can maximize the protection of the rights of the user.
4.1. The Performance Analysis
Compared with the authentication mechanisms of CBCS and IDBCS, the efficiency of SVDSS authentication is higher. The reason is that this scheme adopts the self-verified signature mechanism to implement authentication between transaction entities, which eliminates the need for frequent certificate transfer and verification and saves communication cost. In the specific verification process, the proposed scheme adopts the mechanism based on ECC. Compared with the public key cryptosystem (PKC) [6], ECC uses smaller key length to meet the same level of security and bears a very low computational burden [7]. After the trading entities verify that each side is a legal object, they achieve symmetric encryption/decryption using the symmetric key. In the concrete scheme, the system efficiency is further improved in the following two aspects.
4.1.1. Payment Efficiency
In the previous mobile commerce, hash function was used to generate electronic money instead of cash. $T_H$ denotes the execution time for executing the hash function for token generation and verification. $T_H$ denotes 0.006 ms on 15 a Pentium IV 3.0 GHz with 2 GB. In the literature [1], in order to generate and verify N tokens, the total number of hash operations performed is 3N in the entire transaction process (including the generating, using, and redeeming of electronic tokens). In the literature [2], when U obtains the tokens from O, U did not use hash function but did get the tokens directly. So the total number of hash operations performed is 2N. According to literature [1, 2], the total execution time for token generation and verification is $3NT_H$ and $2NT_H$. Usually, the number N is from 50 to 50,000. The total execution time of token generation and verification is illustrated in Figure 5, where the literature [1, 2] introduces the Lin et al.'s scheme and Yang and Chang's scheme, respectively. In the proposed scheme, U does not use hash function to generate the electronic tokens; the user directly obtains VN from O. The total price of the goods purchased keeps accumulating in P, as long as the price does not exceed VN. Therefore, compared with literature [1, 2], payment efficiency of proposed scheme has been greatly improved.
Figure 5: The analysis of payment efficiency.
4.1.2. Message Encryption and Decryption
Recently, in order to improve the efficiency of mobile commerce, symmetric key mechanisms have been applied actively. However, due to the difficulties of key management of symmetric key, the concrete scheme of mobile commerce is based on asymmetric keys, to generate a symmetric key between trading entity. According to literature [1], the system generates symmetric key between entities, but the public/private key that can generate symmetric key exists in the KDC. Once the KDC information leakage occurs, the security of the whole system will be under threat. And the generated symmetric keys in subsequent transactions are not continuously updated, which will result in the insecurity of the system. In the literature [2], both the symmetric keys are generated by executing three times point multiplication over $E_q(a,b)$ during each paying phase. In the paying phase, assume U and P execute J times payment, the total execution time for generating the symmetric keys is $3JT_{ECC}$.
$T_{ECC}$ denotes the time of the multiplication on an elliptic curve $E_q(a,b)$. In this paper, the scheme generates the first pair symmetric key in the first process during the paying phase. In the subsequent transaction, only the hash function is used to update the symmetric key $Ks_{P\_U}^{J} = H_K^{J}(Ks_{P\_U})$. The total execution time for generating the symmetric keys is $3T_{ECC} + (J-1) \cdot 2 \cdot T_H$. In fact, $T_{ECC}$ is much larger than $T_H$. This will further reduce the computing cost of the system and improve the execution efficiency. As is shown in Figure 6, the computational cost of generating symmetric key in the proposed scheme is higher than that in the literature [2].
Figure 6: The analysis of generating symmetric key.
4.2. The Security Analysis
The authors analyze the security of proposed scheme as follows.
4.2.1. Prevent Impersonation Attack
Assume that an attacker makes an attempt to modify the response information returned to O [13–15]. Obviously, the attacker needs to forge a set of data, including $V_U$, $(E_U, S_U)$. After receiving the forged information, O will naturally enter into the verification mode by computing (11) and (12).
If $C_{UO}$ is not equal to $C_{UO}'$, O discovers the user is illegal and then rejects the transaction. The same authentication mechanism also occurs between O user and P. The proposed scheme makes full use of this authentication mechanism to prevent impersonation attack.
4.2.2. User Anonymity
In electronic payment schemes, the vendor (service provider) does not need to know the user's real identity to protect the user's privacy [16, 17]. Provider obtains the payment information (17).
It does not contain identity information about user; service providers' judgment of the source information is based on the validity of $Sig(VN \| SN \| ID_P)$. Subsequent transactions are based on $(Ks_{P\_U}, VN, SN)$; as long as the total price of the purchased goods does not exceed VN, the entire transaction can continue proceeding. P redeems the $I = P_1 + P_2 + \cdots + P_J$ from O based on SN in the depositing phase. In the process of the whole system, vendor has no access to the user's identity information.
4.2.3. Confidentiality
Through the analysis of the concrete transaction process, information of the transaction between entities is held by pairwise symmetric key to encrypt/decrypt. Concrete example is as follows.
Equations (17) and (19) achieve the secure transfer of information between U and P.
Equations (20) and (21) achieve the secure transfer of information between U and O. However, compared to the asymmetric keys, symmetric keys are easy to crack [18, 19]. Thus during the transaction phase, the symmetric key between the user and the service provider is continuously updated, which can also prevent the Man-in-the-Middle attack.
4.2.4. User Confirmation Mechanism
In fact, the operation of a whole system is not isolated, and the attack also exists. In order to improve the system security and protect the lawful rights and interests of customers, the proposed scheme particularly introduces this mechanism. First of all, symmetric key is generated between U and O in the withdrawing phase. In the depositing phase, O obtains IDP, IDU, SN, and GI and computes (25).
After receiving EPO_U from O, U can decrypt it and generate a feedback (agree on or reject the transaction). Finally, according to the user’s feedback information, O completes/terminates the depositing process.
5. Conclusions
This scheme is based on the self-verified mechanism, the application of ECC, key agreement mechanism, prepayment mechanism, and other technologies to guarantee security and high efficiency of this proposed scheme. The proposed scheme does not need certificate management, which avoids the burden of network node storage certificate in CBCS and the communication overhead due to transferring certificate at the same time. The use of the self-verified mechanism avoids the defects of key escrow of IDBCS and no longer requires KDC to maintain a set of large user authentication tables, which can greatly reduce the system burden. The proposed scheme also takes advantage of updated symmetric key and user confirmation mechanism to guarantee the security. In a word, this scheme possesses the advantages of the current trading system which ensures the real time and user anonymity and further improves efficiency and security of system.
Conflict of Interests
The authors declare that they have no conflict of interests regarding the publication of this paper.
Acknowledgments
This research is partially supported by the National Natural Science Foundation of China (no. 61101224) and Natural Science Foundation of Tianjin (no. 12jcqnjc00500) and supported by Program for New Century Excellent Talents in University (NCET-12-0400) and Postdoctoral Fund in China (2012M520574).
References
[1] Lin P., Chen H.-Y., Fang Y., Jeng J.-Y., Lu F.-S. A secure mobile electronic payment architecture platform for wireless mobile networks.
[2] Yang J.-H., Chang C.-C. A low computational-cost electronic payment scheme for mobile commerce with large-scale mobile users.
[3] Chen Y.-J., Hsieh W.-C., Chen W., Meng Z.-Y. An efficient and secure micro-payment protocol for mobile commerce. Proceedings of the 9th World Multi-Conference on Systemics, Cybernetics and Informatics (WMSCI '05), July 2005, Orlando, Fla, USA, 712, 2-s2.0-84867347513.
[4] He D., Chen Y., Chen J. An id-based three-party authenticated key exchange protocol using elliptic curve cryptography for mobile-commerce environments.
[5] Zhu X., Shang X., Wang C., Zhang R. MOTP: an identity authentication scheme for M-commerce.
[6] Tsaur W.-J. Several security schemes constructed using ECC-based self-certified public key cryptosystems.
[7] Liao Y.-P., Hsiao C.-M. A novel multi-server remote user authentication scheme using self-certified public keys for mobile clients.
[8] Yang J.-H., Chang Y.-F., Chen Y.-H. An efficient authenticated encryption scheme based on ECC and its application for electronic payment.
[9] Zakerolhosseini A., Nikooghadam M. Secure transmission of mobile agent in dynamic distributed environments.
[10] Li Z., Zhuang Y., Zhang B., Zhang C. Novel frequency hopping sequences generator based on AES algorithm.
[11] Chou C.-H., Tsai K.-Y., Wu T.-C., Yeh K.-H. Efficient and secure three-party authenticated key exchange protocol for mobile environments.
[12] Chatterjee S., Das A. K., Sing J. K. An enhanced access control scheme in wireless sensor networks.
[13] Wei J., Liu W., Hu X. Cryptanalysis and improvement of a robust smart card authentication scheme for multi-server architecture.
[14] Wen F., Guo D., Li X. Cryptanalysis of a new dynamic ID-based user authentication scheme to resist smart-card-theft attack.
[15] Rehman S. U., Sowerby K. W., Coghill C. Analysis of impersonation attacks on systems using RF fingerprinting and low-end receivers.
[16] Choi Y., Lee D., Kim J. Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography.
[17] Hsieh W.-B., Leu J.-S. Anonymous authentication protocol based on elliptic curve Diffie-Hellman for wireless access networks.
[18] Liu W.-J., Liu C., Wang H.-B., Liu J.-F., Wang F., Yuan X.-M. Secure quantum private comparison of equality based on asymmetric W state.
[19] Lin C.-Y., Hwang T. CNOT extraction attack on 'quantum asymmetric cryptography with symmetric keys'.