A Secure Mobile Wallet Framework with Formal Verification

A Secure Mobile Wallet Framework with Formal Verification

Shaik Shakeel Ahamad (Department of Computer and Information Sciences, University of Hyderabad, Hyderabad, India & Institute for Development and Research in Banking Technology, Castle Hills, Masab Tank, Hyderabad, India), V. N. Sastry (Institute for Development and Research in Banking Technology, Castle Hills, Masab Tank, Hyderabad, India) and Siba K. Udgata (Department of Computer and Information Sciences, University of Hyderabad, Hyderabad, India)
DOI: 10.4018/japuc.2012040101
OnDemand PDF Download:
$30.00
List Price: $37.50

Abstract

This paper proposes a Secure Mobile Wallet Framework (SMWF) using WPKI (Wireless Public Key Infrastructure) and UICC (Universal Integrated Circuit Card) by defining (a) a procedure of personalizing UICC by the client, (b) a procedure of provisioning and personalization (Mutual Authentication and Key Agreement Protocol) of Mobile Payments Application (which is on UICC) by the Bank and (c) our proposed mobile wallet is will have mobile wallet manager managed by CA (acting as TSM), every mobile application is independent, protected by firewalls and encrypted data is stored in the mobile wallet application. Their proposed Mobile Wallet ensures end to end security. The authors’ proposed SMWF is compared with recent works and found to be better in terms of generating client’s credentials, implementation of WPKI in UICC, personalization of mobile payment application by the bank and in ensuring end to end security (i.e., from Mobile Payments Application in UICC to the Bank Server). The proposed mobile payment protocol originating from Mobile Payment Application (which is on UICC) to the Bank Server realizes Fair Exchange ensures Confidentiality, Authentication, Integrity and Non Repudiation, prevents double spending, over spending and money laundering, and withstands replay, Man in the Middle (MITM) and Impersonation attacks. Proposed mobile payment protocol is formally verified using AVISPA and Scyther Tool and presented with results.
Article Preview

Introduction

A mobile wallet is a complete payment application for NFC-enabled mobile phone that enables consumers to pay at stores at the point of sale with a mobile phone. The digital wallet, which is associated with a credit card, integrates all payment-related services like the management and storage of receipts, coupons and offers, and loyalty cards. With the rapid evolution of mobile technology, and an expanding base of mobile phone users, the mobile wallet has been recognized as having growth potential in the mobile commerce industry (Au & Kauffman, 2007). The industry strives to develop and build robust mobile commerce applications and at the same time provide an environment for secure, convenient, cost saving and efficient business transactions. A mobile wallet can support various transactions, including consumer-to-consumer, consumer-to-business, consumer-to-machine (i.e., paying for small-value transactions at a device such as a parking meter), and consumer-to-online. In addition, consumers have greater flexibility for settling transactions at the point of sale with mobile phone payments. Our proposed mobile wallet is a much-advanced and versatile application that includes elements of mobile transactions, as well as other items one may find in a wallet, such as debit cards, credit cards, membership cards, loyalty cards and travel cards. It also stores personal and sensitive information like passports, credit card information, PIN codes, online shopping accounts, booking details and insurance policies that can be encrypted or password-protected. Our proposed mobile wallet is loaded inside the UICC (Universal Integrated Circuit Card) of the mobile phone called UICC Wallet, which stores data in a UICC. The UICC is the smart card used in mobile phone in GSM or UMTS networks. Since it is a smart card, it inherits all the security features of smart cards. It provides a secure storage of data.

The remainder of the article is as follows: First, we give a literature review of mobile wallets, gaps found in the literature and contributions made by us. Then we propose a Secure Mobile Wallet Framework SMWF based on NFC. Next we present Security analysis of our proposed mobile payment protocol in SMWF. Followed by a comparative analyses of the proposed framework with the literature review (Table 1). Afterwards we present Formal Verification of the Proposed Protocol‘s Security using AVISPA and SCYTHER TOOLS. Finally we then conclude our work. We provide some explanations of notations and abbreviations in the Appendix (Tables 2 and 3).

Table 1.
Comparative analysis of SMWF protocol with the literature
Protocols
Features
Google Wallet 2011NTT DoCoMo 2012Labrou et al., 2004Steffens et al., 2009Zhao & Muftic, 2011Our’s
AuthenticationYesYesYesYesYesYes
ConfidentialityYesYesYesYesYesYes
IntegrityYesYesYesYesYesYes
Non-RepudiationYesYesYesYesYesYes
Client’s credentials are generated using OBKG procedureNoNoNoNoNoYes
WPKI is implemented in the memory of Mobile PhoneNoNoNoNoNoYes
Ensures reliable and Secure end to end communicationNoNoNoNoNoYes
Ensures end to end Security at application levelNoNoNoNoNoYes
Proposed for Proximity (NFC) Mobile PaymentsNoNoNoNoNoYes
Identity Protection
from Eavesdropper
NoNoNoNoNoYes
Transaction Privacy
Protection
from Eavesdropper
NoNoNoNoNoYes
Transaction Privacy
Protection from PG
NoNoNoNoNoYes
Prevents
Double Spending
NrNrNrNrNrYes
Prevents Over
spending
NrNrNrNrNrYes
Prevents Money
Laundering
NrNrNrNrNrYes
Withstands Replay
Attack
YesYesNoNoNoYes
Withstands Impersonation
Attack
YesYesNoNoNoYes
Withstands MITM
Attack
YesYesNoNoNoYes
Prone to AttacksYesYesYesYesYesNo
Formal Verification using AVISPA & SCYTHER TOOLNoNoNoNoNoYes
Biometric Authentication is ensured at the client’s sideNoNoNoNoNoYes
Ensures Fair ExchangeNoNoNoNoNoYes
Biometric Solution is proposed in a separate smart cardNoNoNoNoNoYes

Complete Article List

Search this Journal:
Reset
Open Access Articles: Forthcoming
Volume 9: 4 Issues (2017)
Volume 8: 4 Issues (2016)
Volume 7: 4 Issues (2015)
Volume 6: 4 Issues (2014)
Volume 5: 4 Issues (2013)
Volume 4: 4 Issues (2012)
Volume 3: 4 Issues (2011)
Volume 2: 4 Issues (2010)
Volume 1: 4 Issues (2009)
View Complete Journal Contents Listing