1.1 Overview
With the rapid progress of the Internet technologies, many new applications have been deployed. One of them is electronic payment ( E-payment ) [1] service which allows monetary value to be transferred between different accounts through the computer network.
The existing electronic payment systems include online credit card, electronic cash and smart card [10]. The online credit card scheme is based on the traditional credit card payment but all information is exchanged across the Internet. The electronic cash scheme usually links with the banks. The users must first have a bank account and install the dedicated electronic cash software on a PC or PDA. The software can manage the deposit and withdrawing of the user’s electronic cash from the user’s bank account for payment. A smart card has a storage memory that can be used to store the monetary value for payment. Some emerging smart card is also equipped with a microprocessor to support cryptographic computation in a transaction. The purpose of these payment tools is to provide a convenient, secure, low cost and robust transaction platform to human beings. Apart from these payment tools, there is still another channel for payment - mobile payment which is usually deployed by the PLMN (public land mobile network) operators.
Mobile payment can be convenient to pay for financial transactions in our day life.
However, current mobile payment systems almost rely on the services provided by GSM (global system for mobile communication) [6] networks, such as user authentication mechanism, IVR (interactive voice response) service and short message service. This raises the deployment cost of payment service provider because of the expensive core equipment of PLMN. To the consumer, each transaction usually involves a phone call or a short message transmission that would also increases per-transaction cost. To lower the cost described above, the whole payment platform should be extracted from the PLMN.
1.2 Related work
One of the most important issues of the mobile payment is security. As we mentioned before, the current mobile payment systems rely on GSM network. The security services in GSM include the user authentication and data confidentiality. User authentication prevents illegitimate MSs (mobile stations) from accessing the network resource. Data confidentiality reduces the risk of message intercepting at the access network. Each user has a secret key Ki to support these security services. Ki is stored on the network side and in the SIM (subscriber identity module) which is usually distributed at POS (point of sale) to the user.
To initiate the authentication procedure [6], the MS sends a request to the network. Then the network generates a random number and calculates a response value using the secret key Ki of the MS. After that, the network sends the random number to the MS as an authentication challenge. Finally, since no one except the legitimate MS and the network has Ki, the network could verify the response value calculated by the MS and determines if the MS identity is authentic. In addition, a secret key Kc would be derived from Ki and the random number to encrypt the transmission data to ensure the confidentiality. Since the Ki is only shared by SIM and PLMN operator, a third mobile payment service provider need to budget more cost for authentication and each payment transaction. However, if the mobile payment system is extracted from the PLMN and deployed in the Internet, the same security issues must be considered accordingly.
E.164 number defined by ITU can be used to identify user devices on the Internet.
However, to avoid masquerade, a device’s identifier (E.164) number must be authenticated on the Internet. An E.164-number-based user authentication method for VoIP [4] (voice over internet protocol) communications has been presented by Lin [6]. During the user authentication procedure, the user device is requested to make a GSM call to a caller-ID
receiver, and the caller-ID receiver decodes the caller-ID of the incoming call. After verifying the caller-ID received, the server and the user device perform a secret key agreement algorithm to establish a shared secret key for user authentication hereafter, and the client can use the E.164 number as its identifier in the Internet. However, such procedure involved a GSM call which raises the overhead of each transaction. To reduce the operation overhead, the Diffie-Hellman is used to establish a secret key between the client and the server to enable future authentication based on cryptographic scheme.
Various types of mobile payment system have been proposed in recent years.
Unfortunately, most of them were deployed by the PLMN operators which raise the deployment and transaction cost due to the reliance upon the GSM services. In addition, it is hard to provide multimedia session charging because of the limitation of the bandwidth in GSM/GPRS network.
1.3 Objectives
The thesis focuses on design and implementation of a mobile payment system that deployed over the IP network. It uses E.164 numbers as user’s identifier and supports multimedia session charging. Besides, it allows users to transfer credit from one account to another and supports an anonymous payment model where the user’s identifier is not released to the merchant. To take advantage of the system, the users just need to pass the E.164 authentication at the first time he uses the system. The users can pay to everyone that uses the system securely anywhere anytime. To deploy the system, the operators don’t have to own very expensive hardware equipment for authentication purpose.
We also try to reduce operation and maintenance overhead by using a Kerberos-like architecture. Since Kerberos [14] is designed to authenticate the clients in a distributed network, it can be used to provide a single authentication server for multiple services. The
mobile payment can be one of the services provided.
1.4 Summary
The remaining of thesis is organized as follows. Chapter 2 describes the essential
knowledge background of the security schemes of our system. Chapter 3 shows the details of our system design. Chapter 4 presents the implementation issues. Conclusion is given in Chapter 5.