An Improvement on an NFC-based Anonymous Mobile Payment Protocol - NCCU Academic Hub
An Improvement on an NFC-based Anonymous Mobile Payment Protocol

Student: Shang-Wen CHEN (陳尚文)
Advisor: Raylin Tso (左瑞麟)

National Chengchi University, Department of Computer Science
Master's Thesis

A Thesis Submitted to the Department of Computer Science, National Chengchi University, in partial fulfillment of the requirements for the degree of Master in Computer Science

July, 2016
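Abstract (Chinese version)

With the rapid development of wireless Internet access and mobile communications, and the corresponding spread of smartphones and tablets, mobile commerce has become increasingly popular. However, mobile commerce often neglects user anonymity in online transactions, which makes users easy to trace. In 2014, Luo et al. therefore proposed an NFC-based anonymous mobile payment system. It uses an NFC-enabled cellphone, with a secure element combined with a trusted execution environment, to build an anonymous mobile payment service, and it addresses the possibility in earlier mobile payment that the user's identity is leaked through eavesdropping during transmission. In their protocol, everything is transmitted under virtual identifiers to achieve anonymity. However, the protocol still has several problems: the key pair of the public-key system is used both for encryption and decryption and for digital signatures, which creates a risk of forged signatures; and the transmissions contain too many redundant parts, which makes transmission inefficient. This thesis separates the uses of the public key and the symmetric key: the public key pair is used only for digital signatures, and the symmetric key is used only for encryption and decryption, to prevent forged signatures. It reduces the redundant parts of the transmission to improve transmission efficiency, and it also gives the user the option of changing the anonymous transaction account, thereby achieving unlinkability. In addition, no real user information is transmitted during a transaction and only virtual accounts are used, which achieves anonymity; the encrypted messages carry a digital signature, which achieves non-repudiation; and the protocol is compatible with the EMV standard, so transactions can be made without carrying traditional cash, which achieves convenience.

Keywords: NFC, EMV, anonymous payment, mobile payment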
Abstract

Following the developments in wireless online and mobile communications, M-commerce has become increasingly popular. However, it ignores users' anonymity in online transactions such that users can easily be traced. In 2014, Luo et al. proposed an NFC-based anonymous mobile payment protocol system. It used an NFC-enabled cellphone and combined a built-in secure element (SE) and trusted execution environment to build an anonymous mobile payment service. It prevented the disclosure of the user's identity by using a virtual identity instead of the real one during the transmission. But the protocol is problematic in several respects. For example, it mixes the use of the same key-pair of public-key cryptography for both encryption and digital signature. Moreover, it could cause the risk of signature forging; and it contains some redundant parts in the transmission that cause worse transmission efficiency. In this research, we redesign the protocol by separating the use of the key-pair to avoid signature forging. We use a key-pair of public-key cryptography for digital signature and a key of symmetric-key cryptography for encryption. We reduce the redundant parts to improve transmission efficiency, and alter the virtual transaction account to optionally achieve unlinkability. Besides, we only use virtual accounts in the process, thereby preventing attackers from obtaining users' information even if the message is eavesdropped. In our message, we use a signature to achieve non-repudiation. Our protocol is compatible with the EMV standard, so the user only requires an NFC-enabled cellphone instead of cash for transactions.

Keywords: NFC, EMV-compatible, Anonymous Payment, mobile payment
Table of contents

Chapter 1. Introduction
Chapter 2. Background
  2.1 NFC
    2.1.1 NFC working mode
    2.1.2 Communication mode
    2.1.3 Comparison with other wireless techniques
  2.2 EMV
  2.3 TSM
  2.4 Security definition
Chapter 3. NFC-based anonymous mobile payment protocol
  3.1 Symbol table
  3.2 Initial state
  3.3 Virtual bank account generation stage
  3.4 Anonymous transaction account generation stage
  3.5 Issuing of virtual credit card stage
  3.6 Problems of the protocol
    3.6.1 The same key-pair using in encryption and signature generation
    3.6.2 Redundant parts in the transmission process
    3.6.3 Unlinkability not achieved
Chapter 4. Our new NFC-based anonymous mobile payment protocol
  4.1 Symbol table
  4.2 Initial stage
  4.3 Applying for virtual account stage
  4.4 Applying for virtual transaction account and issuing virtual credit card stage
  4.5 Updating virtual credit card and optional virtual transaction account stage
  4.6 The compatibility between protocol and EMV standard
Chapter 5. Security analysis
  5.1 Anonymity
  5.2 Unlinkability
  5.3 Non-repudiation
  5.4 Resistance to replay attack
  5.5 Integrity
  5.6 Data confidentiality
  5.7 Comparison with related works
Chapter 6. Conclusion
Chapter 7. References
List of Figures

Figure 3.1 Virtual bank account generation stage
Figure 3.2 Anonymous transaction account generation stage
Figure 3.3 Issuing of virtual credit card stage
Figure 4.1 Initial stage
Figure 4.2 Applying for virtual account stage
Figure 4.3 Applying for virtual transaction account and issued virtual credit card stage
Figure 4.4 Updating virtual credit card and optional virtual transaction account stage
Figure 4.5 Payment token provision overview
Figure 4.6 Payment token transaction overview
Figure 4.7 Comparison of token vaults between the original one and the new one
Figure 4.8 Mutual authentication process
Figure 4.9 Transaction process

Table of Figures

Table 2.1 The comparison of NFC, Bluetooth and Infrared
Table 3.1 Symbol table
Table 4.1 Symbol table
Table 5.1 Security matrix with related works
Table 5.2 Length of each transaction in each stage
Chapter 1. Introduction

Following the rapid developments in wireless online and mobile communications, and the corresponding universality of smart phones and tablets, mobile commerce (M-commerce) [2] [11] has also become increasingly popular in recent years. Users of M-commerce [25] simply use the above devices, which are able to connect to the Internet through wireless networks, to participate in commercial activities such as online shopping, online auctions, and online payments.

M-commerce is not only for the benefit of users; merchants can also benefit from it. For users, M-commerce is convenient and offers simplicity of operation and personalization during their daily lives, whereas for merchants, it can offer useful information about consumers' shopping habits such as the types of goods, buying intervals, and the average amount of consumption. This enables merchants to analyze these data to speculate about the hobbies and preferences of individual users, and recommend goods that the user may be interested in next time. In addition, it helps merchants to increase user satisfaction.

In M-commerce, how to build a payment system that can replace traditional payment methods such as cash, credit card, ATM, and micropayments with a smartcard is an important key point. In this regard, many scholars proposed online payment schemes [12] [20] [25] [26] [32] [38], the goals of which include the simplification of the operational
steps on the application, and increased convenience of the payment process. Besides, the most important aim is to use these schemes to make payments instead of traditional ones.

Toorani et al. [38] proposed a secure short message service payment protocol. It allowed users to pay their bills by using the short message service (SMS), because SMS is a built-in service in every cellphone even if it is a smart phone. During the transaction process, the consumer enters his cellphone number, then the merchant will send the amount of money indicated in the SMS to the consumer. But the money is not paid to the merchant; it is added to the monthly mobile bill. This means that consumers neither need to use cash nor a credit card at that time. However, the weakness of this method is a replay-attack and forged SMS messages.

Molloy et al. [16] proposed a virtual credit card scheme. The concept of it is that it produces virtual credit card numbers to execute the transactions instead of requiring real credit card numbers. They considered the risks of losing the real credit card numbers too large to deliver these numbers during the transaction process. Besides, there are too many occasions to use the credit card in people's daily lives, and this raises the probability of losing credit card numbers. Based on the above reason, they generate virtual credit numbers instead of the real ones. In addition, they not only allow the user to generate many different virtual credit card numbers but also provide options that enable the user to use a specific virtual credit card for a specific purpose or even use it as a one-time virtual credit card.

Martinez-Pelaez et al. [26] proposed a micropayment protocol. It is based on anonymous electronic cash to provide anonymity and unlinkability for customers. The
electronic cash, which is used in the transaction of the protocol, may be in different values and denominations. Through the electronic cash and a specific private key signed by a bank, the bank could save the relation between the value of electronic cash and the corresponding public key. The advantage of the protocol is to avoid repeated consuming and forged attacks. The customers could use the anonymous certificate to authenticate their identities without revealing personal information through the WTLS protocol, and the bank owns customers' billing information.

Kungpisdan et al. [23] proposed a secure account-based online payment protocol. The protocol adopted a symmetric-key cryptogram which involved less computation during the existing payment protocol. It also satisfied symmetric-key-based payment protocols such as SET and IKP.

Liao [42] proposed a cross-domain anonymous online payment scheme. It allowed users to consume from different merchants in mobile communication and used electronic cash which supported a divided selection technique to provide anonymity to users. Because users execute the transaction process in the mobile domain and don't need to store electronic cash on the users' side, the telecommunication provider holds the distribution right of electronic cash such that the feasibility in the environment is raised. The authentication and the tracing of payment steps are achieved offline. Although only the telecommunication provider knows the user's payment records, the merchant can link the payment to the user by the analysis of transaction records.

Besides, following an increasing percentage of generalization of an NFC-enabled
cellphone, scholars [6] [13] [34] proposed the combination of an NFC-enabled cellphone and credit card. The NFC-chip is in card simulation mode to simulate the credit card. Besides, the top three in the 3C field, i.e., Microsoft [27], Apple [1] and Google Inc. [10], also proposed the virtual credit card-enabled cellphone scheme to replace the traditional chip credit card. Users only needed to use an NFC-enabled cellphone, which stored a virtual credit card, to achieve the transaction instead of physical chip credit cards.

For such a new technique, scholars researched the security of the virtual credit card in an NFC-enabled cellphone in the way of enhancement and analysis [17] [24] [28] [33]; they tried to combine a credit card that complies with the EMV standard and an NFC-enabled cellphone to achieve security and convenience.

Urien and Piramuthu [33] consider the user's NFC-enabled cellphone, including the built-in storage and installed application, to be an untrustworthy hardware device. Therefore, they proposed the cloud security element which provides security services instead of the built-in security element in NFC-enabled cellphones. Moreover, it can execute the EMV credit card protocol normally. The concept is very close to the Host Card Emulation [14] technique.

Pasquet et al. [28] proposed an infrastructure, which is used to test the security of the credit card in the NFC-enabled cellphone, and it tried to use several testing tools to test the existing security risks. For example: the protection of the user's personal information, the protection of important transaction data, the forging attack to the transaction, the security of the application which is used to execute the transaction, and a tamper-proof hardware scheme.
Pailles et al. [17] paid attention to the protection of private data in users' accounts. If the private data is stolen, attackers can use it to carry out malicious attacks such as a replay attack, a collusion attack between the client and merchant in which attackers forged the credit card to execute a fake transaction. Thus, they proposed separating the authenticated message into two parts. One is authenticated by the merchant, and the other is authenticated by the bank. Besides, the consumer's identity is authenticated by the bank, rather than by the merchant because it doesn't know the identity.

Mainetti et al. [24] proposed a message exchanging scheme which used the peer to peer method to exchange the message between the NFC-enabled cellphone and the point of sale (PoS) terminal, not the normal usage, i.e., card emulation mode of the NFC-enabled cellphone. The advantage of this scheme is that the customer can store the transaction confirmation messages that are customized by the merchant. The scheme is already implemented in NFC-enabled cellphones running the Android operating system.

Many scholars proposed methods to achieve a payment protocol instead of traditional ones, but there exists another issue. Whether the payment method is traditional or not, the user's identity has to be transported to be authenticated by a receiver. The more transactions the user carries out, the more chances an attacker has to eavesdrop it from a message. Users' ID and other personal information which is eavesdropped can be used to forge a transaction. Therefore, the anonymity of a user's identity is also an important issue.

In our protocol, users use the virtual account to communicate with the bank and trusted
third party during transmission to achieve the anonymity. Users can optionally alter the virtual transaction account, so that merchants or others cannot trace a user by a virtual transaction account and unlinkability is achieved. In the transmission, the message is encrypted by the session key which is owned by the user and bank or the user and a trusted third party. Besides, the encrypted message contains the signature to ensure non-repudiation. Moreover, integrity is ensured by the message which is encrypted by a session key that is generated from a Diffie-Hellman key exchange and the hash value. Finally, the session key is generated by both sides separately, so the key owner should only be a participant in the communication. Even if the attacker eavesdrops the parameters during the transmission, the attacker cannot compute the session key because of the difficulty of the discrete logarithm such that confidentiality is achieved.

In chapter 2, we will introduce the background knowledge of NFC and the EMV standard. In chapter 3, we will describe an NFC-based anonymous mobile payment protocol which was proposed by Luo et al. in 2014. In chapter 4, we describe our new NFC-based anonymous mobile payment protocol. In chapter 5, we will describe the security analysis. In chapter 6, we make a conclusion, and the references are listed in chapter 7.
Chapter 2. Background

In this chapter, we provide the background information about Near Field Communication (NFC) and the EMV standard. Moreover, the reason for the necessity of the existence of the trusted service manager (TSM) in the NFC system is discussed. Besides, the definition of

2.1 NFC

Near Field Communication (NFC) [5] [29] is a short-range high frequency wireless communication technique. Its effective transmission range is about 10 centimeters, but the range it can actually reach is about 20 centimeters. It has three different transmission speeds, 106Kb/s, 212Kb/s, and 424Kb/s. Besides, NFC has both an active and a passive reading mode.

2.1.1 NFC working mode

There are three working modes in NFC:
(1) Card emulation mode
(2) Peer to peer (P2P) mode
(3) Reader/writer mode

(1) Card emulation mode
Briefly, this mode operates similar to an RFID-enabled IC card. However, this mode not only corresponds to a specified card, it can correspond to many different cards on different
occasions. There are many occasions on which the IC card can be used in our daily lives, such as a membership card of the hypermarket, an IPASS, an e-ticket, and an access control card. The only limit is that it can simulate one card at a time, but the capability of simulating many different cards in only one card (mode) brings the user much more convenience. If the NFC-enabled device applies this mode for other usage, it should have a built-in secure element in the NFC-chip.

(2) Peer to peer (P2P) mode
The mode is used to exchange data. Although its transmission distance is shorter than average, the time required to establish the speed of transmission and the actual transmission speed are faster than average. Besides, the power consumption is lower, similar to that of Bluetooth. If we link two NFC-enabled devices, they can transport data bi-directionally, such as downloaded music, a graph or an apk, or even the telephone addresses saved in the cellphone. Therefore, many different devices such as personal computers, cell phones, personal digital assistants (PDAs), and digital cameras can exchange data or services with other devices.

(3) Reader/Writer mode
An NFC-enabled device in this mode is used as a contactless card reader to read the related information from the e-tags in posters or exhibitions.

2.1.2 Communication mode

The data communication mode of NFC has two modes:
(1) Active mode
(2) Passive mode
(1) Active mode
In this mode, the NFC terminal functions as a card reader to send out its own radio frequency (RF) field actively to identify and read / write to other NFC-enabled devices. Besides, the two sides of the communication both have to be set in this mode. The communication step involves the message sender delivering the message to the other terminal, and then the receiver responds to the message according to the content. After this, the receiver produces the response and sends it back to the sender.

(2) Passive mode
In this mode, the initiator of the communication must be an NFC-enabled device with power supply because the generation of an RF field needs electricity. The sender delivers the message to the other side, then the receiver, which uses the energy of the electronic field, starts to transport the response to the sender.

2.1.3 Comparison with other wireless techniques

NFC and Bluetooth are both short-range communication techniques. The advantage of NFC is that it requires less time to enter the program setting. Although the transmission range of NFC is shorter than that of Bluetooth, the amount of unnecessary jamming is also less. That is, NFC is adapted to situations in which there are many devices around that complicate transmission. In addition to the above, there is another technique, Infrared communication, for comparison. Table 2.1 provides a simple comparison of NFC, Bluetooth, and Infrared.
Table 2.1 The comparison of NFC, Bluetooth and Infrared [30]

                          NFC                                Bluetooth             Infrared
Using distance            < 0.1m                             < 10m                 < 1m
Transmission speed        106kbit/s, 212kbit/s, 424kbit/s    2.1 Mbit/s            1 Mbit/s
Communication mode        Active, Passive                    Active                Active
Network type              Point to point                     Point to multipoint   Point to point
Time of Setting program   < 1s                               6s                    0.5s
Cost                      Low                                Medium                Low

2.2 EMV

The EMV [7] standard was formulated by Europay, MasterCard, and Visa in 1993, and the name is composed from the prefix of the three organizations. EMV is a standard for Integrated circuit (IC) cards and PoS terminals, and is responsible for not only the transaction and authentication between an IC card and a PoS terminal which has the ability to load the content in the IC card but also the formulation of the specification of the software and hardware of the EMV-chip card. Besides, it is also responsible for the standard and authentication of specification. Moreover, EMV needs to supervise and maintain usability of local payment environments and the interoperability of usable areas. The detail of the EMV standard is described on the website of the EMVCo [8], which is an organization formed by Europay, MasterCard, and Visa in 1999. EMVCo is responsible for not only the update of the EMV standard but also for testing new processes of the next possible version. The
membership of EMVCo has changed with time. Europay was annexed by MasterCard, then JCB, American ExpressPay, UnionPay and Discover Card have participated in the organization. There are six entities in it and they decide the detail of the EMV standard. For now, the latest version of which is 4.3.

2.3 TSM (Trusted service manager)

Trusted service manager (TSM) is a very important entity in the NFC payment system. Although there is an SE in an NFC-enabled cellphone, SE is not a one-to-one entity in the system. SE could save many kinds of security-related data, but some parts of these data do not necessarily have to be secret during different types of transmission. With different transmission targets, the secret items are changed. Therefore, we need a fairly trusted third party to decide whether the data needs to be transported in each transmission. TSM is used to play the role of the trusted third party, and it is only responsible for data integration and for transporting correct data to the correct target. In brief, it has the ability to respond to user requests in the front end and communicate with service providers (SP) in the back end.

2.4 Security definition

In this section, we provide a definition for all security-related terms that we use in the following chapter. There are six characteristics in the following description.

(1) Anonymity: No one can know the user's real identity during the transaction process except the bank, which owns the user's real account. In other words, none of the entities (including malicious attackers), except the bank on the user's side, can know the user's real account during the process of protocol.
(2) Unlinkability: No one in our protocol can obtain the relation among the user's real
identity, the user's virtual identity, and the user's virtual transaction identity at the same time. Besides, no tracer can trace a user by collecting many transaction records.
(3) Non-repudiation: For a message received from another entity, the original sender cannot deny the sending behavior after the sending process.
(4) Resistance to replay attack: Suppose there exist malicious attackers who fetch the message during every transmission. Even if they send the original message to the receiver again, there exists a method to find this resent message and deny the request from the message.
(5) Integrity: To ensure the correctness and non-modification of contents. There exists a method to verify that the content is not changed by others during transmission.
(6) Data confidentiality: To ensure the accessible authority of data. There exists a method to verify whether the user owns the accessible authority of data. If the user passes the verification, the user can read the content of the data.
Chapter 3. NFC-based anonymous mobile payment protocol

To solve the problem of fraud and forged attack based on the eavesdropped user's identity and other private personal information, the anonymity of the user's identity during the transmission is an important issue in the field of mobile payment protocol. In 2014, Luo et al. [43] proposed an NFC-based anonymous mobile payment protocol. Their protocol used the virtual account instead of the real identity to achieve anonymity. The concept is that the user applies to the bank for the virtual account, and the bank records the relation between the real identity and the virtual account in its storage. Then if the message is sent to the bank, it can check the identity by the virtual account and the other authentication-related parameters. Because the ID during the transmission is virtual, even if an attacker eavesdrops on it, he cannot gain useful information.

Their protocol has three stages:
(1) Virtual bank account generation stage
(2) Anonymous transaction account generation stage
(3) Issuing of virtual credit card stage
Each step of the stages is described in the following sections.

There are four entities in the protocol: the bank B, the user U, the trust service manager TSM and the secure element SE. First, we show the symbols used in their protocol in Table 3.1.
3.1 Symbol table

Table 3.1 Symbol table [43]

IDn                The identity of n
AIDi               Virtual account from bank to user
TIDi               Virtual account from user to TSM
SID                Session identity
Cert_B^A           B's Certification which is issued by A
PKn                The public key of n
SKn                The private key of n
Km,n               The session key between m and n
Noncek             Random number
E(key, M)          Encrypt function that uses key to encrypt message M
D(key, M)          Decrypt function that uses key to decrypt message M
SIGN(SKn, M)       Signature which uses the private key of n
A_Exptime          The expired time of A
A_Limit            The limit credit of A
BINFO              Payment message from SE to bank
TSMINFO            Transaction message from user to TSM
TSMBINFO           Transaction authentication message from TSM to bank
Authdata           Authentication message
Status             Response of authentication message
TIDiList           Credit authentication list of anonymous account which is recorded by TSM
TIDi_CreditINFO    Related-information of virtual credit card which is issued and obeyed EMV standard

3.2 Initial state

In the initial setting, each entity has its own identity and an asymmetric key pair (PKID, SKID). Besides, the key pair is signed by the CA and stored in the PKI infrastructure. In the beginning, the user has to own a physical account in the bank and register his NFC-enabled cellphone with the bank. The bank will save the user's public key PKU into its server through a secure channel, then it will sign a certification Cert_U^B for PKU and establish the session key KB,U. Moreover, TSM owns the certification 𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐵𝐵𝐶𝐶𝐶𝐶 which is signed by the bank.

3.3 Virtual bank account generation stage

The detail is shown in Figure 3.1: the user requests the bank to establish a virtual account AIDi. The SE in the user's NFC-enabled cellphone will generate a public key pair (PKAIDi, SKAIDi), and uses the SKAIDi to sign the PKAIDi. Then it delivers the signature to the bank. After authentication, the bank will issue the corresponding certification of AIDi to the user. The detailed description is listed below:
(1) User uses his own ID to request a virtual account from bank.
(2) Bank generates a virtual account AIDi and a session key KAIDi,B, and sends virtual account AIDi to user.
(3) User receives AIDi and requests SE to generate a new public key pair for AIDi.
(4) SE establishes a key pair (PKAIDi, SKAIDi) and does the self-signed signature by the SKAIDi, then SE sends it back to user.
(5) User will encrypt the message which is signed by SKAIDi and the virtual account AIDi with session key KB,U and deliver it to bank.
(6) After bank decrypts the message and gets the PKAIDi, it will generate the certification of AIDi. Then it will return the certification, AIDi_ExpTime, and AIDi_Limit to user. Bank uses the public key PKAIDi to encrypt the session key KAIDi,B and sends the ciphertext to SE.
(7) User will deliver the encrypted session key KAIDi,B and other information to SE.
(8) SE uses the private key SKAIDi to decrypt the message and get the session key KAIDi,B and the certification of AIDi which is issued by bank, to complete the application.

3.4 Anonymous transaction account generation stage

The detail is shown in Figure 3.2. After the registration from user to bank, the user also needs to register the user's identity with TSM to get the virtual credit card which is used in the actual transactions. The user will establish a pre-store credit account in TSM and can decide an upper limit for this account. This account will link to the virtual account AIDi in the bank to execute the electronic payment. For payment security, the user generates a payment information BINFO, which is composed of virtual account AIDi, account expiry date AIDi_ExpTime, account limit AIDi_Limit, and the session key KAIDi,B. Those parameters will be signed by SKAIDi, then sent to the bank through TSM. Besides, the user will encrypt the payment message with session key KTIDi,TSM, and sign the cipher text by SKTIDi. The signature and TSMINFO are sent to TSM, then TSM decrypts it and encrypts the content with PKB. Then TSM re-signs the cipher text with SKTSM; the signature is called TSMBINFO.
TSM delivers the BINFO and TSMBINFO to the bank, and the bank owns the keys to decrypt BINFO and TSMBINFO. After comparing the information inside the BINFO and TSMBINFO, the bank authenticates the identities and transports the credit information of the virtual account to TSM. The detailed description is listed below:
(1) User establishes virtual transaction account TIDi and generates a key pair (PKTIDi, SKTIDi), then signs PKTIDi with SKTIDi and encrypts it with PKTSM. Then user delivers the cipher text to TSM. The encrypted message is E (PKTSM, SIGN (SKTIDi, TIDi||PKTIDi||Timestamp)).
(2) After receiving the request, TSM establishes session key KTIDi,TSM and returns it to user. User will generate an identifier SID and deliver AIDi, IDB and random number Nonce1 to SE.
(3) SE generates the payment message BINFO and sends it with Nonce1 to user. The composition of BINFO is SIGN (SKAIDi, E (KAIDi,B, SID||AIDi||IDTSM||IDB||AIDi_ExpTime||AIDi_Limit||Nonce2)).
(4) User generates transaction message TSMINFO and encrypts the BINFO, TSMINFO and Nonce1 with PKTIDi. After signing the cipher text, user will deliver the signature to TSM. The detailed information of TSMINFO is SIGN (SKTIDi, E (KTIDi,TSM, SID||AIDi||IDTSM||IDB||Nonce2||AIDi_ExpTime||AIDi_Limit)).
(5) After decryption of TSMINFO, TSM will generate the authentication message TSMBINFO and transport the encrypted message of AIDi, BINFO, and TSMBINFO to bank for confirmation. The content of TSMBINFO is SIGN (SKTSM, E (PKB, SID||AIDi||Nonce2||AIDi_ExpTime||AIDi_Limit||KTSM,B)).
(6) Bank uses its corresponding keys to decrypt the BINFO and TSMBINFO to compare the information in them. If the contents are identical, bank will deliver the credit information of AIDi to TSM.
(7) After receiving the information, TSM will deliver the expiry date TIDi_ExpTime and the
(25) limit TIDi_Limit to user.. 3.5 Issuing of virtual credit card stage. The detail is shown as the Figure 3.3, user can apply to TSM for a virtual credit card after the anonymous transaction account generation stage. owns shorter expiry date and lower credit limit.. TSM will issue a virtual credit card which Besides, the credit card should be complied. 治expiry date is coming or remained limit is 政When the 大. with EMV standard and stores in SE.. 立. exhausted, user should repeat this stage to get other virtual credit card.. The detailed. ‧ 國. 學. description is listed as below:. (1) User requests the key pair (PKTIDi ,SKTIDi) which is stored in SE from SE.. ‧. (2) After receiving the request, SE will search the key pair and send it back to user.. y. Nat. sit. (3) User delivers the request which includes the TID and encrypted signature for issuing a. n. al. er. io. new virtual credit card from TSM.. i n U. v. (4) TSM will issue a new virtual credit card and generate a certification, and delivers the. Ch. engchi. encrypted message which contains the above ones to user.. After receiving the message, user. decrypts cipher text and transport the certification and new credit card information to SE. (5) The remaining transaction process complies with EMV standard. card emulation mode to execute the transaction process.. 25. The EMV-chip is set to.
(26)
Figure 3.1 Virtual bank account generation stage [43]

Figure 3.2 Anonymous transaction account generation stage [43]
(27)
Figure 3.3 Issuing of virtual credit card stage [43]

3.6 Problems of the protocol

We research and discuss the influence of known attacks, and we find some problems. The problems and the derived risks are listed below.

3.6.1 The same key-pair used in encryption and signature generation

In the protocol, Luo et al. use the same key-pair of public-key cryptography to achieve the goals of encryption, decryption and digital signature.
(28)
In other words, the same key-pair can be used to encrypt and decrypt a message and to sign another message at the same time, and this causes an unexpected weakness. For example, if the encryption method is RSA and an attacker eavesdrops some cipher text sent from others to the user, then the attacker uses some method to cheat the sender into encrypting the cipher text, and the attacker gets the original message in the cipher text. The reason this case can happen is that the key-pair for encryption and decryption and the key-pair for signature are the same one.

3.6.2 Redundant parts in the transmission process

In the protocol, we can find that some parameters during the process are not necessary. In many transmissions, the sender just uses a similar format to compose the message, but some parameters are not necessary for the receiver to use or to verify identity. Those parameters may cause lower transmission efficiency and higher transmission cost during each transmission. The cost or the lost time adds up to a large total. In some cases, the efficiency or the total execution time is important for finishing the transaction. With the increasingly busy life people live, such cases will increase rapidly in the future.

3.6.3 Unlinkability not achieved

In the paper, Luo et al. claim that the protocol they proposed achieves unlinkability. That is, the merchant or any other people cannot trace the identity of the user by the virtual accounts AID and TID. But this is not completely correct. Even if the user uses the virtual account to execute the transaction, the virtual account AID or TID is not changed between transactions. The corresponding part of the cipher text generated from the virtual account is therefore the same, and the merchant or any other people only need to eavesdrop on many transactions.
(29)
Then they can speculate the identity of the user in future transactions by the same part of the cipher text.
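The risk of Section 3.6.1, as an added example that is not code from the thesis or from Luo et al.: with unpadded textbook RSA, signing is the same private-key exponentiation as decryption, so a signature over a captured cipher text equals the plaintext when one key pair serves both roles and does not when the signing key is separate. The toy primes, the key names and the sample secret are constructed for the demo.

```python
"""Textbook RSA (no padding) showing why one key pair must not both decrypt and sign."""
from dataclasses import dataclass

E = 65537  # common public exponent


@dataclass(frozen=True)
class RsaKey:
    n: int
    e: int
    d: int


def make_key(p: int, q: int) -> RsaKey:
    """Build a toy key from two known primes (demo sizes, far too small for real use)."""
    phi = (p - 1) * (q - 1)
    return RsaKey(n=p * q, e=E, d=pow(E, -1, phi))


def encrypt(key: RsaKey, m: int) -> int:
    if not 0 <= m < key.n:
        raise ValueError("message out of range for this modulus")
    return pow(m, key.e, key.n)


def decrypt(key: RsaKey, c: int) -> int:
    return pow(c, key.d, key.n)


def raw_sign(key: RsaKey, value: int) -> int:
    """Unpadded signature: exactly the exponentiation that decrypt() performs."""
    return pow(value, key.d, key.n)


def verify(key: RsaKey, value: int, sig: int) -> bool:
    return pow(sig, key.e, key.n) == value % key.n


# Constructed sample: a short secret standing in for a session key sent under RSA.
SECRET = int.from_bytes(b"K_AIDi,B=demo", "big")

# Mersenne primes are used only because they are well-known primes.
ENC_KEY = make_key(2**61 - 1, 2**89 - 1)    # key pair used for encryption
SIG_KEY = make_key(2**107 - 1, 2**127 - 1)  # separate key pair used only for signing


def signature_over_ciphertext(decryption_key: RsaKey, signing_key: RsaKey) -> int:
    """The key holder is asked to sign a value that is really a captured cipher text."""
    captured = encrypt(decryption_key, SECRET)
    sig = raw_sign(signing_key, captured)
    if not verify(signing_key, captured, sig):
        raise RuntimeError("signature should verify under the signing key")
    return sig


def shared_key_exposes_plaintext() -> bool:
    # Same key pair for both roles: the "signature" is the decrypted secret.
    return signature_over_ciphertext(ENC_KEY, ENC_KEY) == SECRET


def separated_keys_expose_plaintext() -> bool:
    # Dedicated signing key: the signature is valid but reveals nothing about SECRET.
    return signature_over_ciphertext(ENC_KEY, SIG_KEY) == SECRET


if __name__ == "__main__":
    print("shared key pair leaks plaintext:", shared_key_exposes_plaintext())
    print("separated keys leak plaintext:  ", separated_keys_expose_plaintext())
```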
(30)
Chapter 4. Our new NFC-based anonymous mobile payment protocol

In this chapter, we introduce a new NFC-based anonymous mobile payment protocol. We begin with a brief description of the process. In our protocol, users have to own a physical account in the bank at first, and users set the password (pw) along with this account. Besides, the user, the bank, and the trusted third party Trusted Service Manager (TSM) each own their own identity (ID) in the initial stage. First, the user needs to request the bank to generate a virtual account AID by using his real identity. The bank generates the AID together with the expiry date and credit limit of the AID and returns them to the user. Second, the user generates a virtual transaction account TID and sends a request for registering the TID and applying for a virtual credit card to the TSM with his AID. After authentication, the TSM generates the expiry date and credit limit of the TID and a virtual credit card and returns them to the user. Finally, the user can request the TSM to reissue the credit card when the expiry date is coming or the balance isn't enough to pay for a transaction. Besides, users can optionally choose to alter the TID during this step. For the security of the messages during transmission, each message is encrypted by a session key which is generated by the Diffie-Hellman key exchange [4]. Besides, the parameters used in the Diffie-Hellman key exchange are protected during the transmission by the difficulty of the discrete logarithm.

Our new protocol improves on the problems we mentioned in the above chapter. Our protocol consists of four stages:
(31)
(1) Initial stage
(2) Applying for virtual account stage
(3) Applying for virtual transaction account and issuing virtual credit card stage
(4) Updating virtual credit card and optional virtual transaction account stage

4.1 Symbol table

As in Chapter 3.1, we first introduce the symbols that we use in each stage of our protocol. If a symbol already appears in Table 3.1, we do not list it in Table 4.1.

Table 4.1 Symbol table

Symbol            Description
pw                The password that the user sets when applying to the bank for a physical account
VA-request        The virtual account application request which is transported from user to bank
VTA-request       The request for virtual transaction account registration and issuing of a virtual credit card, which is transported from user to TSM
Update-request    The virtual credit card update request which is transported from user to TSM
AIDU              The anonymous virtual account which is generated by bank
(32)
TIDU              The anonymous virtual transaction account which is generated by user and registered to TSM
A_Extime          The expiry date of account A
A_Limit           The credit limit of account A
Credit_INFO       The corresponding information about the virtual credit card
TS                Timestamp
Nj                The j-th random number, whose value equals the value of N_{j-1} + 1
TicketB,TSM       The authentication certification which is generated by bank and verified by TSM
H()               Hash function
E_K(m)            Encryption function which uses the session key K to encrypt a message m
SIGN_A(m)         The signature which uses A's private key to encrypt message m
C                 The cipher text which is used to generate a Diffie-Hellman key
g                 The generator of Z_p^*
h                 The generator of Z_p^*
p                 A prime whose length is 1024-bit
x                 The random number which is used to generate a Diffie-Hellman session key
(33)
y                 The random number which is used to generate a Diffie-Hellman key
XU                The random number which is used to generate a Diffie-Hellman key and generated by user
YTSM              The random number which is used to generate a Diffie-Hellman key and generated by TSM
Lifetime          The expiry date of Ticket
k'                The value equal to g^{xy} mod p
K                 The session key which is generated by H(k')

4.2 Initial stage

In this section, we describe the state of each entity at the beginning of our protocol. The other corresponding assumptions are also described here. Each entity (i.e., user, TSM, bank) in the process has its own identity (i.e., IDU, IDTSM, IDB). A user should have a physical account in the bank at first, and we assume the password pw known by the user and the bank has already been set when the user applied for this account. The password pw (see footnote 1) is saved in SE at the start of the protocol. Besides, the TSM and the bank are organizations with high computation power which own their key pairs for public-key cryptography (i.e., public key
(34)
PK and secret key SK). Moreover, we assume the two organizations have already communicated before the beginning of our protocol and have already established a session key KB,TSM through a secure channel. Finally, we assume that the bank and the TSM are half-honest entities. In other words, they will follow our scheme and work as we designed. But if there exists a weakness in the protocol, they will also try to get private personal data. In brief, there exists the pw in SE; an identity IDU in the user; an identity IDTSM, a private key SKTSM, a public key PKTSM and a session key KB,TSM in the TSM; and an identity IDB, a private key SKB, a public key PKB, a session key KB,TSM and the pw in the bank. The detail can be found in Figure 4.1.

Footnote 1: If pw is high entropy, then it will be saved in SE. Otherwise, it will be entered by the user himself when needed. According to the plan of the bank for the credit card, pw will change to the one used to verify the user's identity saved in the bank.

Figure 4.1 Initial stage
(35)
4.3 Applying for virtual account stage

The detail is shown in Figure 4.2. The goal of this stage is that the user sends a virtual account request to the bank and the bank generates a virtual account AIDU. The bank then records the relation between the user's ID and the virtual account AIDU, and generates a TicketB,TSM which is used in the next stage for authentication of TSM. The bank returns the necessary information about AIDU and the Ticket to the user. The detailed description is listed below:

(1) IDU → IDB: (IDU, IDTSM, VA-request)
The user sends his identity (IDU), the identity of the trusted third party (IDTSM) with which the user communicates in the next stage, and the virtual account generation request (VA-request) to the bank.

(2) IDB → IDU: (C, g, h, p, SIGN_B(C, g, h, p))
The bank receives the VA-request and prepares to generate the session key. Our session key is generated by Diffie-Hellman key exchange [4], so both sides first need to transport the necessary parameters. The bank chooses a random number x ∈ Z_p^* and computes the cipher text C = g^x h^pw mod p. The bank then delivers the parameters C, g, h, p and the signature over them, SIGN_B(C, g, h, p), to the user.

(3) IDU: (y, K)
The user chooses the random number y ∈ Z_p^* and decrypts the cipher text C. The user then computes k' = g^{xy} mod p from the received parameters and computes the session key K = H(k') with the hash function. Besides, the user sends K to SE.

(4) IDU → IDB: (IDU, IDB, N1, TS1, Y)
The user computes the other necessary parameter Y = g^y mod p, and delivers Y and the encrypted message E_K(IDU||IDB||N1||TS1||H(IDU||IDB||N1||TS1)) to the bank.
(36)
(5) IDB: (K, AIDU, AIDU_Extime, AIDU_Limit, TicketB,TSM)
The bank computes the session key K from the parameter Y and uses the session key to decrypt the encrypted message. The bank then generates a virtual account AIDU. It compares the hash value in the message with the value it computes itself; if the values are equal, the bank records the relation between IDU and AIDU. Besides, the bank generates the corresponding expiry date (AIDU_Extime) and credit limit (AIDU_Limit). Moreover, the bank also generates the session key KU,TSM for the first communication between the user and the TSM in the next stage, and the TicketB,TSM, which is used in the next stage to authenticate that the information from the user is the same as the information from the bank. The content of TicketB,TSM is E_{KB,TSM}(IDB||AIDU||AIDU_Extime||AIDU_Limit||TS2||Lifetime||KU,TSM||SIGN_B(IDB||AIDU||AIDU_Extime||AIDU_Limit||TS2||Lifetime||KU,TSM)). The Lifetime indicates the expiry date of the ticket, and the TSM can check the validity by the Lifetime in the next stage.

(6) IDB → IDU: (IDB, AIDU, AIDU_Extime, AIDU_Limit, TicketB,TSM, KU,TSM)
The bank delivers its own ID (IDB) and the encrypted message E_K(AIDU||AIDU_Extime||AIDU_Limit||N2||TicketB,TSM||KU,TSM) to the user.

(7) IDU → SE: (KU,TSM, AIDU_Extime, AIDU_Limit)
The user receives the message and decrypts it. The user then sends the necessary security information, which includes the expiry date of AIDU (AIDU_Extime), the credit limit of AIDU (AIDU_Limit) and the session key KU,TSM, to SE.
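Steps (2) to (5) of this stage as a runnable sketch, added here and not the thesis's implementation: the bank masks g^x with h^pw, the user removes the mask, both sides derive K = H(k'), and the bank's hash check in step (5) fails when the user's pw is wrong. Assumptions: a toy 127-bit prime in place of the 1024-bit p, sample bases for g and h, pw hashed to an exponent, a SHA-256 keystream standing in for E_K, SIGN_B omitted, and hypothetical class and function names.

```python
import hashlib
import hmac
import secrets
import time

# Toy parameters (constructed): the thesis specifies a 1024-bit prime p.
P = 2**127 - 1
G, H_BASE = 3, 5  # sample bases for g and h, not vetted generators


def pw_exponent(pw: str) -> int:
    """Assumption: pw is hashed to an exponent; the thesis only writes h^pw."""
    return int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % (P - 1)


def session_key(k_prime: int) -> bytes:
    """K = H(k')."""
    return hashlib.sha256(k_prime.to_bytes(16, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for E_K and D_K: SHA-256 in counter mode (demo only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ s for b, s in zip(data[offset:offset + 32], pad))
    return bytes(out)


class Bank:
    def __init__(self, pw: str):
        self.pw = pw
        self.x = 0
        self.key = b""

    def step2_cipher_text(self) -> int:
        """C = g^x * h^pw mod p."""
        self.x = secrets.randbelow(P - 2) + 1
        mask = pow(H_BASE, pw_exponent(self.pw), P)
        return pow(G, self.x, P) * mask % P

    def step5_check(self, y_pub: int, ciphertext: bytes) -> bool:
        """Derive K from Y, decrypt, and compare the embedded hash."""
        self.key = session_key(pow(y_pub, self.x, P))
        plain = xor_stream(self.key, ciphertext)
        body, digest = plain[:-32], plain[-32:]
        return hmac.compare_digest(hashlib.sha256(body).digest(), digest)


class User:
    def __init__(self, pw: str, id_u: bytes = b"IDU-demo", id_b: bytes = b"IDB-demo"):
        self.pw, self.id_u, self.id_b = pw, id_u, id_b
        self.key = b""

    def steps3_4(self, c: int):
        """Unmask C, derive K, and build Y plus E_K(IDU||IDB||N1||TS1||H(...))."""
        y = secrets.randbelow(P - 2) + 1
        g_x = c * pow(H_BASE, -pw_exponent(self.pw), P) % P  # remove h^pw
        self.key = session_key(pow(g_x, y, P))
        n1 = secrets.token_hex(8).encode()
        ts1 = str(int(time.time())).encode()
        body = b"||".join([self.id_u, self.id_b, n1, ts1])
        message = xor_stream(self.key, body + hashlib.sha256(body).digest())
        return pow(G, y, P), message


def run_stage(bank_pw: str, user_pw: str):
    """Return (bank accepted the step-4 message, both sides hold the same K)."""
    bank, user = Bank(bank_pw), User(user_pw)
    c = bank.step2_cipher_text()
    y_pub, message = user.steps3_4(c)
    accepted = bank.step5_check(y_pub, message)
    return accepted, hmac.compare_digest(bank.key, user.key)


if __name__ == "__main__":
    print("matching pw:", run_stage("correct horse", "correct horse"))
    print("wrong pw:   ", run_stage("correct horse", "guess"))
```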
(37)
Figure 4.2 Applying for virtual account stage

4.4 Applying for virtual transaction account and issuing virtual credit card stage

The detail is shown in Figure 4.3. The goal of this stage is that the user generates a virtual transaction account TIDU. The user then encrypts the necessary information and sends it with TicketB,TSM to the TSM. After receiving it, the TSM decrypts the ticket which is sent with TIDU by the user, and the TSM gets the session key KU,TSM from the ticket. The TSM uses the session key to decrypt the encrypted message sent by the user, then compares the content in the encrypted message from the user with the content in the ticket from the bank. If they are the same, the TSM can be sure of the correctness of the content. The TSM then generates the corresponding limit (TIDU_Limit) and expiry time (TIDU_Extime). Besides, the TSM issues a virtual credit card via TIDU.
(38)
The virtual credit card and its corresponding information are called Credit_INFO. The TSM then sends the virtual credit card, the expiry date, and the credit limit to the user. The detailed description is listed below:

(1) IDU → IDTSM: (IDB, AIDU, TIDU, g^{XU}, TicketB,TSM, VTA-request)
The user generates a virtual transaction account TIDU and the random number XU for Diffie-Hellman key exchange. The user then computes the hash value of TicketB,TSM for the verification of correctness in later steps. The user also generates the encrypted message E_{KU,TSM}(VTA-request||IDB||AIDU||TIDU||g^{XU}||H(TicketB,TSM)), then sends it with IDB and TicketB,TSM to the TSM. The VTA-request is the user's request to register his virtual transaction account TIDU with the TSM.

(2) IDTSM: (KU,TSM, IDB, AIDU, TIDU)
The TSM decrypts the TicketB,TSM with the session key that it shares with the bank. The TSM gets the session key KU,TSM from the ticket and decrypts the encrypted message. The TSM then compares the content in the ticket with the content in the encrypted message. If they are the same, the authentication is complete and the TSM can confirm the source of the Ticket. Moreover, if the hash value of the Ticket that we compute is the same as the one in the message, we can confirm the integrity of the Ticket. The TSM then records the relation between AIDU and TIDU.

(3) IDTSM: (YTSM, KTSM'U', TIDU_Extime, TIDU_Limit, Credit_INFO)
The TSM generates the random number YTSM for Diffie-Hellman key exchange, and computes the session key KTSM'U' = H(g^{XU YTSM} mod p). The TSM also generates the corresponding expiry date (TIDU_Extime) and credit limit (TIDU_Limit). Moreover, the TSM generates a virtual credit card; the card and its corresponding information are called Credit_INFO. Besides, the TSM records the relation between TIDU and the primary account number (PAN) of the virtual credit card.
(39)
(4) IDTSM → IDU: (g^{YTSM}, TIDU_Extime, TIDU_Limit, Credit_INFO)
The TSM receives a Credit_INFO. The TSM generates the encrypted message E_{KTSM'U'}(IDTSM||AIDU||TIDU||TIDU_Extime||TIDU_Limit||g^{YTSM}||Credit_INFO||TS3||SIGN_TSM(IDTSM||AIDU||TIDU||TIDU_Extime||TIDU_Limit||g^{YTSM}||Credit_INFO||TS3)), and delivers it with the parameter g^{YTSM} to the user.

(5) IDU → SE: (KTSM'U', TIDU_Extime, TIDU_Limit, Credit_INFO)
The user computes the session key KTSM'U' from the parameter g^{YTSM}, and uses it to decrypt the encrypted message. The user delivers the necessary security information, which includes the expiry date of TIDU (TIDU_Extime), the credit limit of TIDU (TIDU_Limit), the information about the virtual credit card (Credit_INFO) and the session key KTSM'U', to SE.

Figure 4.3 Applying for virtual transaction account and issuing virtual credit card stage
(40)
4.5 Updating virtual credit card and optional virtual transaction account stage

The detail is shown in Figure 4.4. The goal of this stage is that the user requests a new virtual credit card from the bank through the TSM when the expiry date is coming or the remaining limit is exhausted. Besides, if the user desires, the user can change the virtual transaction account TID in this stage. Through the change of TID, merchants or others cannot trace the user's identity. The detailed description is listed below:

(1) IDU: (XU', TIDU')
The user generates a new random number XU'. If the user wants to change his virtual transaction account, he also generates a new virtual transaction account TIDU'.

(2) IDU → IDTSM: (Update-request, TIDU', g^{XU'})
The user generates the encrypted message E_{KTSM'U'}(Update-request||g^{XU'}||TIDU||(TIDU')||H(Update-request||g^{XU'}||TIDU||(TIDU'))). The user then sends the encrypted message with TIDU and g^{XU'} to the TSM.

(3) IDTSM: (YTSM', KTSM''U'', TIDU_Extime', TIDU_Limit', Credit_INFO')
The TSM generates a new random number YTSM' and computes a new session key KTSM''U'' = H(g^{XU' YTSM'} mod p). If the user also desires to change to a new virtual transaction account, the TSM also generates a new expiry date (TIDU_Extime') and a new credit limit (TIDU_Limit'). Besides, the TSM re-issues a virtual credit card; it and its corresponding information are called Credit_INFO'. The TSM also records the relation between TIDU and the PAN of the new card.

(41)
(4) IDTSM → IDU: (g^{YTSM'}, Credit_INFO', TIDU_Extime', TIDU_Limit')
After receiving the new credit card, the TSM delivers the encrypted message E_{KTSM''U''}(IDTSM||AIDU||(TIDU'||TIDU_Extime'||TIDU_Limit')||g^{YTSM'}||Credit_INFO'||SIGN_TSM(IDTSM||AIDU||(TIDU'||TIDU_Extime'||TIDU_Limit')||g^{YTSM'}||Credit_INFO')) and g^{YTSM'} to the user.

(5) IDU: (g^{YTSM'}, Credit_INFO', TIDU_Extime', TIDU_Limit')
The user computes the session key KTSM''U'' from the parameter g^{YTSM'}. The user uses the session key to decrypt the encrypted message and obtains the content inside the message.

(6) IDU → SE: (KTSM''U'', Credit_INFO', TIDU_Extime', TIDU_Limit')
The user delivers the necessary security parameters, which include the new virtual credit card (Credit_INFO'), the new session key (KTSM''U''), the new expiry date (TIDU_Extime') and the new credit limit (TIDU_Limit'), to SE.

(7) The following transaction processes comply with the EMV standard, and the NFC-chip has to be set to card emulation mode.

Figure 4.4 Updating virtual credit card and optional virtual transaction account stage
(42)
4.6 The compatibility between protocol and EMV standard

In this section, we briefly describe the related process that is relevant to our protocol. Each credit card has its own card number; we call it the primary account number (PAN). In a transaction that uses the virtual credit card, the user (cardholder) delivers the PAN or a token to the merchant, depending on the situation. Therefore, the user needs to get the token before the beginning of the transaction. The other role of the merchant is the token requestor, which is responsible for applying for the token to the token service provider (TSP); the token requestor asks the TSP to issue the token to replace the PAN. The TSP is an entity which is responsible for providing tokens to registered token requestors; it also records the related information about the token requestor and the PAN. To confirm the data which is sent with the request from the token requestor to the TSP, the TSP sends a request to the bank related to the user's credit card to verify the correctness of the data. After successful verification, the TSP generates a token and the corresponding token requestor ID, and sends them to the token requestor. Besides, the TSP also records the relation between the PAN and the token in a table which is called the token vault. Moreover, we assume the entity TSM to be the TSP in our protocol.

Note that the PAN doesn't always need to be returned to the user (cardholder); this is decided by the type of transaction. But we assume it is sent to the user in our protocol. So far, the payment token provision step is done. In other words, the user now owns the token. The detail is shown in Figure 4.5.

According to the content of the EMV standard [8], the data which is used during a credit card transaction is listed in the parameter Dataemv = {PAN, EX_DATE, CDOL1, CDOL2…} [18].
EX_DATE (Expiry date) and CDOL (Card risk management Data Object List) are necessary parameters which we do not discuss here, but our key parameter is PAN.
(43)
In our protocol, we assume the PAN of our virtual credit card to play the role of the token and TIDU to play the role of the PAN before transforming. The diagram is shown in Figure 4.7.

When the user uses the virtual credit card, the merchant verifies the information of the credit card. The PAN of the virtual credit card (=token) is delivered to the merchant, and it is passed through the Acquirer (the bank of the merchant's side) into the local financial network. Then it enters the payment network, and the network passes it to the TSP (=TSM). The TSP (=TSM) searches the token vault and returns the corresponding TIDU to the payment network if the token exists in the table. If there is other information which needs to be verified by the issuer (the bank of the user's side), the TSP (=TSM) sends the information to the issuer for verification. After the authentication by the issuer, the payment network returns the result of this transaction through the Acquirer to the merchant and the user (cardholder). Then the verification step of the merchant finishes, and the transaction is finished. The detail is shown in Figure 4.6.

The detailed instruction steps and parameter transmissions are described below:

(1) At the beginning of the transaction, the user's cellphone and a reader of the merchant have to authenticate and communicate with each other. The diagram is shown in Figure 4.8. First, the merchant sends the SELECT instruction to the user to request the chosen type of credit card. The user returns the chosen type of credit card and the File Control Information (FCI) for the following messages. The content of FCI = {type}. The parameter type shows the chosen type of credit card and the format of the FCI message, and it is also the mandatory parameter in FCI in the EMV standard.

(2) After receiving the FCI, the merchant uses a GET PROCESSING OPTIONS instruction to send the certification of the merchant (Cert_m^{acq}) to the user. Then, the user uses the public key (PKacq) to verify the certification (Cert_m^{acq}). If the certification is correct, then the user's cellphone does the following steps:
(44)
• Get the public key of the merchant (PKm) from the certification Cert_m^{acq}.
• Add 1 to the value of the application transaction counter (ATC).
• Generate a random number SU and compute a session key TK = H(SU).
• Put the cipher text E_{PKm}(SU) and E_TK(IDTSP||E_{PKTSP}(PAN)||H(IDTSP||E_{PKTSP}(PAN))) into the first location which is pointed to by the AFL (Application File Locator).
• Return the parameters AFL and AIP (Application Interchange Profile) to the merchant. The AFL is a list which records the files and records needed in the authentication and transaction process. The AIP is also a list, which specifies the application functions that are available in the transaction.

If the verification of the certification fails, then the process terminates.

(3) The merchant uses a GET DATA instruction to get the value ATC from the user.

(4) When the merchant has received the ATC, it sends a READ RECORD instruction which includes the first reading address in the AFL to the user. The user fetches the parameters computed in the above step and returns them to the merchant. After receiving them, the merchant decrypts E_{PKm}(SU) and computes the session key TK. Then, the merchant uses it to decrypt E_TK(IDTSP||E_{PKTSP}(PAN)||H(IDTSP||E_{PKTSP}(PAN))) and sends the cipher text inside it to the TSP (=TSM) through IDTSP. The TSP (=TSM) verifies the PAN and returns ResTSP to represent the result of verification. If verification fails, then the process terminates. Otherwise, the merchant computes the response Resm = E_{SKm}(Cert_m^{acq}||ResTSP||SU||ATC).

(5) The merchant sends the response Resm to the user by a VERIFY instruction. After receiving it, the user verifies the content of the response. If verification fails, the user sets ACK=fail and terminates the process. Otherwise, the user computes the response ResU = E_TK(Cert_m^{acq}||SU||ResTSP+1||ATC).
(45)
Then, the user puts ResU into the second location which is pointed to by the AFL and E_TK(Dataemv) into the third location pointed to by the AFL. Finally, the user sets ACK=success and returns ACK to the merchant. ACK is a parameter that represents the result of verification.

(6) If ACK is equal to success, the merchant sends a READ RECORD instruction which includes the second reading address in the AFL to the user. The user then returns ResU to the merchant, and the merchant verifies the content of ResU. If verification fails, then the process terminates. Otherwise, the merchant sends a READ RECORD instruction which includes the third reading address in the AFL to the user. Afterwards, the user returns E_TK(Dataemv) to the merchant. The merchant decrypts the message to get the needed information (PAN) inside Dataemv.

(7) Following the above flow, any party that needs the token inside Dataemv uses a READ RECORD instruction to request it from the preceding party that owns the parameter Dataemv. Besides, the transmissions located after the merchant in the flow are inside the financial network, which has the highly secure property. Therefore, we return the parameter Dataemv directly without encryption. The detail of the transaction process is shown in Figure 4.9. In this figure, we only change the original verification parameter SDAD (Signed Dynamic Application Data), because there is no key-pair on the user's side in our assumption. We use a session key TK to encrypt the verification message for use in the process.

According to [9], there are many possible entities that can play the role of TSP (=TSM) in different situations. Therefore, we discuss the situations (TSP=TSM) and (TSP≠TSM) separately.

If TSP is equal to TSM, as we assumed: in the transaction process, when the merchant requests the TSM (the issuer of the virtual credit card) to pay the bill that the user consumed, the TSM transforms the PAN of the virtual credit card to TIDU according to the token vault. Then it sends the corresponding AIDU and payment request to the Issuer (the bank of the user's side). The Issuer executes the money moving from the user's account to the account of the bank.

(46)
If TSP is not equal to TSM: in the transaction process, when the merchant requests the TSM to pay the bill that the user consumed, the TSM sends the PAN of the virtual credit card to the TSP, then the TSP transforms the PAN to TIDU and returns it to the TSM. Then the TSM sends the corresponding AIDU and payment request to the Issuer. The Issuer executes the money moving from the user's account to the account of the bank.

Figure 4.5 Payment token provision overview [9]
(47)
Figure 4.6 Payment token transaction overview [9]

Figure 4.7 Comparison of token vaults between the original one and the new one
(48)
Figure 4.8 Mutual authentication process [44]
(Sequence diagram between the User, holding Dataemv, and the Merchant, holding SKm and Cert_m^{acq}. Messages 1 to 10 are carried by the EMV commands SELECT, GET PROCESSING OPTIONS, GET DATA, READ RECORD, VERIFY, READ RECORD and READ RECORD, with the contents and checks described in steps (1) to (6) of this section.)
(49)
Figure 4.9 Transaction process [44]

Parties and initial knowledge:
User: Dataemv, TK, K, PKm
Merchant: TK, SKm, ATC, Cert_m^{acq}; Req = ARQC
Issuer: K

10. Merchant → User (GENERATE AC): Req, E_TK(Datacdol1)
    User: D_TK(E_TK(Datacdol1)). If the user's check of the amount in Datacdol1 fails, then abort the session.
    User: AC1 = MAC_K(Datacdol1||ATC)
    User: ResData = E_TK(Req||AC1||H(Req||AC1||Datacdol1||ATC))
11. User → Merchant: E_TK(Req||ATC||ResData)
    Merchant: D_TK(E_TK(Req||ATC||ResData)), D_TK(E_TK(ResData)). If the check of H(Req||AC1||Datacdol1||ATC) fails, then abort the session.
12. Merchant → Issuer: Req, Datacdol1, ATC, AC1
    Issuer: If AC1 != MAC_K(Datacdol1||ATC), set ARC=fail. Else set ARC=success.
13. Issuer → Merchant: MAC_K(AC1⊕ARC), ARC
14. Merchant → User (EXTERNAL AUTHENTICATE): E_TK(MAC_K(AC1⊕ARC)||ARC)
    User: D_TK(E_TK(MAC_K(AC1⊕ARC)||ARC)). If checking MAC_K(AC1⊕ARC)||ARC fails, set ACK=fail. Else set ACK=success.
15. User → Merchant: E_TK(ACK)
    Merchant: If ARC=success and ACK=success, Req=TC. Else Req=AAC.
16. Merchant → User (GENERATE AC): Req, E_TK(Datacdol2)
    User: AC2 = MAC_K(Datacdol1||Datacdol2||ATC)
17. User → Merchant: E_TK(Req||ATC||AC2)
    Merchant: D_TK(E_TK(Req||ATC||AC2))
18. Merchant → Issuer: Request, ATC, AC2, Datacdol1, Datacdol2
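The MAC checks of messages 12 to 15 in Figure 4.9, as an added example that is not code from the thesis: the issuer recomputes AC1 to set ARC, the user verifies MAC_K(AC1⊕ARC) before acknowledging, and the merchant picks TC or AAC. Assumptions: HMAC-SHA256 stands in for MAC_K, ARC is zero-padded to the MAC length before the XOR, the E_TK layer is left out, and the function names and sample data are constructed.

```python
import hashlib
import hmac


def mac(key: bytes, data: bytes) -> bytes:
    """Stand-in for MAC_K (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor_arc(ac: bytes, arc: bytes) -> bytes:
    """AC1 XOR ARC, with ARC zero-padded to the MAC length (assumption)."""
    padded = arc.ljust(len(ac), b"\x00")
    return bytes(a ^ b for a, b in zip(ac, padded))


def user_generate_ac1(k: bytes, cdol1: bytes, atc: int) -> bytes:
    """User side after GENERATE AC: AC1 = MAC_K(Datacdol1||ATC)."""
    return mac(k, cdol1 + atc.to_bytes(2, "big"))


def issuer_authorize(k: bytes, cdol1: bytes, atc: int, ac1: bytes):
    """Issuer side of message 12: recompute AC1, set ARC, MAC the reply."""
    expected = mac(k, cdol1 + atc.to_bytes(2, "big"))
    arc = b"success" if hmac.compare_digest(ac1, expected) else b"fail"
    return mac(k, xor_arc(ac1, arc)), arc


def user_check_issuer(k: bytes, ac1: bytes, arc: bytes, issuer_mac: bytes) -> str:
    """User side of EXTERNAL AUTHENTICATE: verify MAC_K(AC1 XOR ARC), return ACK."""
    expected = mac(k, xor_arc(ac1, arc))
    return "success" if hmac.compare_digest(issuer_mac, expected) else "fail"


def merchant_request_type(arc: bytes, ack: str) -> str:
    """Merchant decision before the second GENERATE AC."""
    return "TC" if arc == b"success" and ack == "success" else "AAC"


def run_transaction(alter_cdol1_in_transit: bool = False,
                    flip_arc_in_transit: bool = False):
    """Return (ARC seen by the user, ACK, Req) for one constructed transaction."""
    k = bytes(range(32))                       # constructed key shared by user and issuer
    atc = 42                                   # constructed transaction counter
    cdol1 = b"amount=1000;currency=TWD"        # constructed Datacdol1

    ac1 = user_generate_ac1(k, cdol1, atc)

    # Message 12: what the issuer receives may differ from what the user MACed.
    received = cdol1.replace(b"1000", b"9000") if alter_cdol1_in_transit else cdol1
    issuer_mac, arc = issuer_authorize(k, received, atc, ac1)

    # Messages 13 and 14: ARC rewritten on the way back, MAC left unchanged.
    if flip_arc_in_transit:
        arc = b"success"

    ack = user_check_issuer(k, ac1, arc, issuer_mac)
    return arc.decode(), ack, merchant_request_type(arc, ack)


if __name__ == "__main__":
    print("honest run:        ", run_transaction())
    print("Datacdol1 altered: ", run_transaction(alter_cdol1_in_transit=True))
    print("ARC also rewritten:", run_transaction(True, True))
```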