Secure and Optimized Mobile Based Merchant Payment Protocol using Signcryption
Authors
Abstract
The authors propose a Secure and Optimized Mobile based Merchant Payment (SOMMP) protocol that uses a Signcryption scheme with Forward Secrecy (SFS) based on elliptic curves, which incurs lower computational and communication cost. In SOMMP the client sends its message in the form of a TransCertC (Transaction Certificate), which is an X.509 SLC (X.509 Short Lived Certificate). This reduces the client's interactions with the engaging parties and therefore the consumption of resources (from the client's perspective), which are very scarce in resource-constrained devices like mobile phones. In the SOMMP protocol, the WSLC (WPKI Short Lived Certificate) eliminates the need for certificate validation and removes the hurdle of PKI, thereby reducing storage space, communication cost and computational cost. The proposed SOMMP ensures authentication, integrity, confidentiality and non-repudiation; achieves identity protection from the merchant and the eavesdropper; achieves transaction privacy from the eavesdropper and the payment gateway; achieves payment secrecy, order secrecy and forward secrecy; and prevents double spending, overspending and money laundering. In addition, SOMMP withstands replay, man-in-the-middle and impersonation attacks. The security properties of the proposed SOMMP protocol have been verified using BAN logic, AVISPA and Scyther tools, and the results are presented.
DOI: 10.4018/jisp.2012040105
International Journal of Information Security and Privacy, 6(2), 64-94, April-June 2012
Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
tions (Hwang et al., 2005). This scheme incurs lower computation and communication cost to provide security functions. SFS provides not only message confidentiality, authentication, integrity, unforgeability and non-repudiation, but also forward secrecy for message confidentiality and public verification. In this scheme, the judge can verify the sender's signature directly, without the sender's private key, when a dispute occurs. This scheme can be applied to the mobile communication environment more efficiently because of its low computation and communication cost.
We consider the following scenario in mobile based merchant payments. A client tries to buy goods or services from a merchant through a communication network, i.e., the internet, and the client's platform is a mobile phone equipped with a UICC as a tamper-resistant secure element. The client cannot tamper with the inner workings of the UICC because of its tamper-resistant nature, and the communication channel between the UICC and the mobile phone is secure and reliable. The communication channel among the engaged entities in our proposed SOMMP protocol is unreliable and prone to attacks. In our proposed SOMMP protocol the client sends its message in the form of a TransCertC (Transaction Certificate), which is an X.509 SLC (X.509 Short Lived Certificate), thereby reducing the number of client interactions among the engaging parties (i.e., reducing the consumption of resources from the client's perspective, which are very scarce in resource-constrained devices like mobile phones). Our proposed mobile payment protocol (SOMMP) can be used in both remote mobile payments and proximity mobile payments (i.e., at the point of sale). In the SOMMP protocol, the WSLC (WPKI Short Lived Certificate) eliminates the need for certificate validation and removes the hurdle of PKI, thereby reducing storage space, communication cost and computational cost.
Similar resources
A NEW PROTOCOL MODEL FOR VERIFICATION OF PAYMENT ORDER INFORMATION INTEGRITY IN ONLINE E-PAYMENT SYSTEM USING ELLIPTIC CURVE DIFFIE-HELLMAN KEY AGREEMENT PROTOCOL
Two parties that conduct a business transaction through the internet do not see each other personally, nor do they exchange any document or any hand-to-hand currency. Electronic payment is a way by which the two parties transfer the money through the internet. Therefore integrity of payment and order information of online purchase is an important concern. With online purchase the cust...
A Secure Account-Based Mobile Payment Protocol with Public Key Cryptography
The way people do business and transactions is changing drastically with the advent of Information Technology. The customer wants to access information, goods and services any time and in any place on his mobile device. Receiving financial data, trading on stock exchanges, accessing balances, paying bills and transferring funds using SMS are done through mobile phones. Due to involvement of valu...
A Secure Agent-Mediated Payment Protocol
While software agents have been employed in payment protocols, they are largely passive entities, i.e., they participate in the payment protocol but do not make decisions. In this paper, we propose an agent-assisted payment protocol called LITESET/A+ that empowers the payment agent (PA) to perform encryption operations for its owner. This is realized by introducing a Trusted Third Party (TTP) in ...
ISMANET: A Secure Routing Protocol Using Identity-Based Signcryption Scheme for Mobile Ad-Hoc Networks
Mobile ad-hoc networks consist of mobile nodes interconnected by multihop paths, with no fixed network infrastructure support. Due to the limited bandwidth and resources, and also the frequent changes in topology, ad-hoc networks should consider these features for the provision of security. We present a secure routing protocol based on an identity-based signcryption scheme. Since the proposed pr...
Mobile Commerce: Secure Multi-party Computation & Financial Cryptography
The basic objective of this work is to construct an efficient and secure mechanism for mobile commerce applying the concept of financial cryptography and secure multi-party computation. The mechanism (MCM) is defined by various types of elements: a group of agents or players, actions, a finite set of inputs of each agent, a finite set of outcomes as defined by output function, a set of objectiv...
Journal title:
- IJISP
Volume 6, Issue
Pages -
Publication date 2012