A Multifactor Security Protocol for Wireless Payment Secure Web Authentication Using Biometric Characteristics

IJCST Vol. 4, Issue 1, Jan-March 2013, ISSN: 0976-8491 (Online) | ISSN: 2229-4333 (Print), www.ijcst.com
International Journal of Computer Science and Technology, p. 563
1 Pawandeep Singh, 2 Harneet Arora
1,2 Dept. of CSE, Sri Guru Granth Sahib World University, Fatehgarh Sahib, Punjab, India
Abstract
This paper presents an authentication technique that uses a best approach for secure web transactions. It uses a biometric property of the user for authentication and SMS (Short Message Service) to enforce an extra security level along with the traditional login/password system. Biometric properties are needed when a user wants to make a transaction: the user then supplies their fingerprint information. The technique uses an encryption/decryption method; it is a very complicated algorithm. This method keeps the biometric properties as a secret code. A user creates the biometric properties on their mobile device with the help of fingerprint scanners. Then the pre-installed application creates an image of the fingerprint and encrypts it with the help of public key cryptography. This technique is not a one-time password technique; it can be used as many times as the user wants. This code is used to initiate secure web transactions using cell phones. Finally we extend the system to two-way authentication, which authenticates both parties (user and e-service provider).
Keywords
Biometric Characteristics, Multifactor Security Protocol, Wireless Payment
I. Introduction
SET is Secure Electronic Transaction. It is designed to protect credit card transactions over the Internet, and it provides security and authentication through registration. The SET protocol permits a user or customer to make a credit card payment to any web-based service. It is a useful protocol for message exchange between three parties: cardholder, merchant, and payment gateway.
The message flow of this protocol is given in the following pseudo-code (C: cardholder/customer, M: merchant, MB: merchant's bank, CB: customer's bank):
C -> M: initiate request
M -> C: initiate response
C -> M: purchase request
M -> MB: authorization and capture request
MB -> CB: authorization request
CB -> MB: authorization response
MB -> M: payment ack.
M -> C: purchase response
Fig. 1: Transaction Flow in SET
A brief description of the SET protocol, as depicted in fig. 1, is given below:
• The customer visits the merchant's web site to select various goods for purchase and gets the total cost of all the selected goods, including taxes and shipping costs.
• The system asks for the payment method and the consumer chooses to pay through a credit card using SET.
• Special software on the consumer's PC, called a Digital Wallet, is invoked; it lets the customer select one credit card from the list of credit cards issued to the customer.
• The consumer selects the card to make the payment, and the electronic transaction takes place based on the SET protocol.
• After getting the details of the customer's payment, the merchant contacts the merchant's bank for customer authorization and payment.
• The merchant's bank contacts the customer's bank for the same and gets approval of the payment.
• The merchant will notify if the transaction is successful.
• A few seconds later, the customer receives a confirmation that the order has been processed.
Some disadvantages of the SET protocol are:
• SET is designed only for wired networks. It does not fully support wireless networks.
• SET is an end-to-end security mechanism, which means it requires the traditional flow between customer and merchant.
• All transactions flow from the customer to the merchant, which increases the risk of a man-in-the-middle attacker: all information can be copied in the middle.
• No notification is received by the customer from the customer's bank after a successful transaction.
• The SET protocol is only for card-based payment and does not support account-based payment systems. For these reasons we use a two-way authentication protocol.
II. Related Work
A. Multifactor Authentication
Single-factor authentication is inadequate for high-risk transactions
involving access to customer information or the movement of
funds to other parties. To provide secure web transactions using
cell phones multi factor authentication techniques have to be used.
In our system we are using multi factor authentication using two
different modes. The implementation is performed using Biometric
Properties and SMS. While SMS has been used in previous
approaches to the problem, we are introducing the new concept
of Biometric Properties as a novel method of authenticating a
transaction and the user.
B. Biometric Authentication
Biometric Authentication is the technique which is used to identify
both the user and the ongoing transaction. It certifies that the
current transaction has been initiated by the right person and it is
a valid user who is trying to access his/her account.
Biometric identification is:
• The image of the finger-print is created by the user itself.
• The image is generated with the help of the inbuilt finger-print scanners on the devices which are used by users.
• This image is encrypted using public key cryptography before being sent through the wireless medium.
The bank or financial institution will keep a record of the user's finger-print and match the same during the online web transaction.
C. SMS Authentication
Another method to validate a user transaction is an SMS confirmation. The bank or financial institution stores the user's cell phone number to provide multifactor authentication. We believe that users will carry their cell phones and can receive and send short messages. As a result, only valid users who have an account will receive a confirmation SMS from the authentication server.
After getting the SMS the user can acknowledge the choices. When the authentication server receives "YES" it knows that the user is valid and the user has approved their initiated transaction. On the other hand, if the user sends a "NO" or does not send any response within a specified time period, then the transaction will be rolled back and terminated [1].
D. Secure Web Authentication Protocol
This section shows the protocol for secure web authentication using mobile devices. The protocol starts with the action of a money transfer decided by the user. Here we assume that the user information, including the user's cell phone number, is available at the server. A separate authentication server is recommended to maintain strong security: it authenticates users and their transactions separately from the regular web and database servers that hold user information.
Fig. 2: Multifactor Secure Web Authentication Protocol Using Mobile
Below we describe each step of the above protocol.
1. The user gets a username and password from the bank. Each user has only one username/password for their account.
2. Web-based username/password basic authentication is used to identify the user to the web server.
3. The username and password are verified by the bank authentication server. After the user is recognized, the user gets an option screen to proceed further.
4. The user gets a notification of successful login with a welcome message. This step also generates a session key.
5. The user selects the mode of payment. We have considered two modes of payment: a credit card based system and account based electronic transfer. It is straightforward to add other modes to our system.
6. The user inserts the details of the payment by filling in a simple form with details such as the merchant's bank and branch code information, the invoice number and the account number to which the amount has to be transferred.
7. The user generates an image of the finger-print using the finger-print scanner which is inbuilt in the mobile device. All details of the transaction, with the attached image, are then encrypted with the AES encryption technique and submitted to the bank web server. The bank web server passes it on to the authentication server, where it is decrypted and matched with the finger-print image stored in the user's information on the server side.
8. The bank authorization server decrypts the received message. It then verifies the image received from the user by comparing it with the stored image in the user's account information in the server database. If both images match then it goes to the next step. If no image in the database matches, then the authentication server denies the user's transaction and displays an appropriate error message to the user.
9. The bank server generates an acknowledgement to the user, which leaves the user free to log out from the web portal and wait for a confirmation SMS, or to initiate another financial web transaction [1].
10. After completing the database update with respect to the ongoing transaction, the authentication server sends an SMS to the user's cell phone to verify the initiated web transaction. The cell phone number of the user is available on the authentication server.
11. The user confirms their initiated transaction by choosing "YES" or denies it by choosing "NO" in the reply to the confirmation SMS.
12. The server notifies the user by a message to acknowledge the successful completion or the declination of the transaction.
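The following is an added example, not code from the paper, that simulates steps 7 to 12 on the authentication server side: the finger-print check, a provisional debit, the confirmation SMS, and rollback on "NO" or on timeout. It deliberately covers the two edge cases the text leaves implicit: a reply that arrives after the window has closed must not revive a rolled-back transaction, and a reply from a phone number other than the enrolled one is ignored. All names, the 120-second timeout, the sample scan bytes and the phone number are constructed. The AES transport encryption of step 7 is assumed to happen outside this code, and the stored "image" is represented by a digest compared exactly; a real deployment would use a fuzzy minutiae matcher, since two scans of the same finger never match byte for byte.

```python
"""Simulation of protocol steps 7-12 (added example, not the authors' code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SMS_TIMEOUT = 120.0  # seconds the server waits for the SMS reply (assumed value)


def fingerprint_template(image: bytes) -> bytes:
    """Stand-in for the stored finger-print record: a digest of the scan.
    Exact equality is a simplification; real matching needs a tolerance."""
    return hashlib.sha256(image).digest()


@dataclass
class Transaction:
    txn_id: str
    user: str
    amount: int
    dest_account: str
    created_at: float
    state: str = "awaiting_sms"  # awaiting_sms -> committed | rolled_back


class AuthServer:
    def __init__(self):
        self.users = {}     # username -> {"template": bytes, "phone": str}
        self.balances = {}  # username -> int
        self.txns = {}      # txn_id -> Transaction
        self.outbox = []    # (phone, text) messages the server "sent"

    def enrol(self, user, image, phone, balance):
        self.users[user] = {"template": fingerprint_template(image), "phone": phone}
        self.balances[user] = balance

    def submit_transaction(self, user, image, amount, dest_account, now):
        """Steps 7-10: verify the finger-print, record the transaction, send the SMS."""
        rec = self.users[user]
        if not hmac.compare_digest(fingerprint_template(image), rec["template"]):
            raise PermissionError("finger-print does not match enrolled record")
        if self.balances[user] < amount:
            raise ValueError("insufficient funds")
        txn = Transaction(secrets.token_hex(4), user, amount, dest_account, now)
        self.txns[txn.txn_id] = txn
        self.balances[user] -= amount  # provisional debit, reversed on rollback
        self.outbox.append((rec["phone"],
                            f"Confirm txn {txn.txn_id}: {amount} to {dest_account}? Reply YES or NO"))
        return txn

    def sms_reply(self, phone, txn_id, reply, now):
        """Step 11: process the user's reply; returns the resulting state."""
        txn = self.txns[txn_id]
        if txn.state != "awaiting_sms":
            return txn.state  # already decided; a late reply cannot revive it
        if phone != self.users[txn.user]["phone"]:
            return txn.state  # reply from a number that is not the enrolled one is ignored
        if now - txn.created_at > SMS_TIMEOUT or reply.strip().upper() != "YES":
            self._rollback(txn)
        else:
            txn.state = "committed"
        return txn.state

    def expire_pending(self, now):
        """Periodic sweep: roll back transactions whose SMS window has closed."""
        for txn in self.txns.values():
            if txn.state == "awaiting_sms" and now - txn.created_at > SMS_TIMEOUT:
                self._rollback(txn)

    def _rollback(self, txn):
        self.balances[txn.user] += txn.amount
        txn.state = "rolled_back"


def run_demo():
    """Drive the cases the protocol text describes; returns the outcomes."""
    srv = AuthServer()
    good_scan = b"constructed-sample-scan-A"  # constructed stand-in for a scanner image
    phone = "+910000000001"                    # constructed number
    srv.enrol("alice", good_scan, phone, balance=1000)
    out = {}
    t1 = srv.submit_transaction("alice", good_scan, 250, "MERCHANT-ACCT-1", now=0.0)
    out["yes"] = srv.sms_reply(phone, t1.txn_id, "yes", now=30.0)
    t2 = srv.submit_transaction("alice", good_scan, 100, "MERCHANT-ACCT-2", now=40.0)
    out["no"] = srv.sms_reply(phone, t2.txn_id, "NO", now=50.0)
    t3 = srv.submit_transaction("alice", good_scan, 100, "MERCHANT-ACCT-3", now=60.0)
    srv.expire_pending(now=60.0 + SMS_TIMEOUT + 1)
    out["timeout"] = t3.state
    out["late_yes"] = srv.sms_reply(phone, t3.txn_id, "YES", now=300.0)
    try:
        srv.submit_transaction("alice", b"different-finger", 5, "MERCHANT-ACCT-4", now=400.0)
        out["bad_finger"] = "accepted"
    except PermissionError:
        out["bad_finger"] = "denied"
    out["balance"] = srv.balances["alice"]
    out["sms_sent"] = len(srv.outbox)
    return out


if __name__ == "__main__":
    print(run_demo())
```

Only the committed transfer of 250 stays debited; the denied and timed-out ones are reversed, and the mismatched scan is rejected before any debit or SMS, so three messages are sent in total.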
III. Cryptography and Key and Session Management
Encryption is the process of translating plaintext into a coded form, called cipher text, to make it unreadable to anyone else. It is therefore used to keep information secret. Cryptography is an essential aspect of secure communication.
A. Encryption Algorithm
We use the AES algorithm (Advanced Encryption Standard). It is used for the encryption of electronic data. It supports variable-length blocks using variable-length keys. A key size of 128, 192, or 256 bits can be used to encrypt data blocks of 128, 192, or 256 bits. The main advantage of this algorithm is that the block length and/or the key bits can easily be expanded. We have considered a simple example which shows the AES key expansion technique. In this technique a 16-byte key is used, which initially gives four words. Each new word depends on the previous word, and one special type of function is used in this process so that the key is randomly changed through this complex function [4].
Fig. 3: AES Key Expansion
According to the diagram, 4 keys are provided to the 4 words w0 to w3. w0 is the very first word; it is XORed with the output of the complex function and generates word w4. This word is then XORed with word w1, and w5 is generated. This process runs until word w7 is generated. Through this process the image code is generated.
The following are the sub-functions of the function g:
1. A one-byte left shift is done by this algorithm. By this operation the input [a0, a1, a2, a3] is transformed into [a1, a2, a3, a0].
2. For each byte of the input word, byte substitution is done by SubWord, using the S-box.
3. The output of the above two steps (i.e., step 1 and 2) is XORed.
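To make the w0 to w7 schedule above concrete, here is an added example (not the paper's code) of the complete AES-128 key expansion as specified in FIPS-197, which generalizes the description to all 44 words: the function g applied to w3 feeds w4, and every other word is the XOR of the previous word and the word four positions back. Two details the description above omits are visible in the code: the input to g is w3 (the last word of the previous round key), and after RotWord and SubWord the first byte is XORed with a round constant. The S-box is derived from its definition (multiplicative inverse in GF(2^8) followed by the affine transform) rather than typed in as a table. Note also that the AES standard fixes the block at 128 bits; the variable block sizes mentioned above belong to the underlying Rijndael proposal, not to AES itself.

```python
"""AES-128 key expansion per FIPS-197 section 5.2 (added example, not the authors' code)."""


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _gf_mul(a, b):
    """General GF(2^8) multiplication built from repeated _xtime."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = _xtime(a)
        b >>= 1
    return p


def _gf_inv(a):
    """Multiplicative inverse as a^254 by square-and-multiply; 0 maps to 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r if a else 0


def _build_sbox():
    """S-box from its definition: inverse, then the affine transform with constant 0x63."""
    sbox = []
    for x in range(256):
        inv = _gf_inv(x)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF  # rotate-left by i and accumulate
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def rot_word(w):
    """Step 1 of g: [a0, a1, a2, a3] -> [a1, a2, a3, a0]."""
    return w[1:] + w[:1]


def sub_word(w):
    """Step 2 of g: substitute every byte through the S-box."""
    return bytes(SBOX[b] for b in w)


def g(w, rcon):
    """Step 3 of g: XOR the first byte of SubWord(RotWord(w)) with the round constant."""
    t = sub_word(rot_word(w))
    return bytes([t[0] ^ rcon]) + t[1:]


def expand_key_128(key):
    """Return the 44 words w0..w43; w0..w3 are the key, each round uses four words."""
    if len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte key")
    words = [key[4 * i:4 * i + 4] for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        temp = words[i - 1]
        if i % 4 == 0:          # first word of each round key goes through g
            temp = g(temp, rcon)
            rcon = _xtime(rcon)  # round constants 01, 02, 04, ..., 80, 1b, 36
        words.append(bytes(a ^ b for a, b in zip(words[i - 4], temp)))
    return words


def round_key(words, r):
    """The 16-byte round key for round r (0 is the original key)."""
    return b"".join(words[4 * r:4 * r + 4])


if __name__ == "__main__":
    # FIPS-197 Appendix A.1 key expansion example
    w = expand_key_128(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))
    for r in range(11):
        print(r, round_key(w, r).hex())
```

Running the block reproduces the FIPS-197 Appendix A.1 expansion (w4 = a0fafe17, w7 = 2a6c7605, final round key ending in b6630ca6), which is the check to run whenever a key schedule is reimplemented; a silent error here weakens every block encrypted under that key.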
B. Cipher Key Management
Our main objective is to provide a secure transaction between client and server. For this we produce a secret key, and this key is used for encryption and decryption of information.
Fig. 4: Storing of Shared Logic on Client
When the user starts a transaction, the server generates the secret key and also generates the shared secret logic for encrypting the secret key, and sends it to the user side; the user decrypts the key and uses it at a later stage. The same secret key is also stored on the server side, which decrypts the details and the image code and matches this image with the stored image which was issued to the user; when it matches, the transaction is started.
Fig. 5: Finger-Print Image Protection at Client Environment
According to this diagram, the key is generated on the server side and one shared secret key is also generated to encrypt this key; the AES algorithm is applied, an encrypted shared secret key is generated and it is sent to the user's cell phone. This key is 128 bits. If the user's cell phone is lost, no one can use this key because it is stored in encrypted form, so this key is very useful and is only decrypted when the valid user logs in to the bank website.
Authentication protocol over the Internet:
• First the mobile device starts the protocol by sending its ID to the server.
• The server creates a session for this client and generates a random request; it is a matrix request.
• The client generates a challenge with his ID, encrypted with the combination of the matrix key or internal key.
• The server sends back the challenge received with the previous message and a randomly generated session key.
• The client decrypts the message with the session key; when this challenge matches the previous challenge which was sent to the server, the client considers it a valid server [4].
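The five bullets above describe mutual authentication: the server proves it holds the shared key by echoing the client's challenge under that key, which is what lets the client reject an impostor server. The following added example (not the paper's code) plays both sides of that exchange. The paper does not name the cipher behind the "matrix key"/internal key, so this example substitutes HMAC-SHA256 as the keyed primitive: tags prove knowledge of the shared internal key K, and the session key is wrapped with an HMAC-derived one-time pad. Client IDs, keys and nonces are constructed. The demo also runs the two failure cases a practitioner cares about: a server that does not hold K, and a reply whose echoed challenge was altered in transit; both are rejected at step 5.

```python
"""Mutual challenge-response between mobile client and bank server (added example)."""
import hashlib
import hmac
import secrets


def _prf(key, *parts):
    """HMAC-SHA256 over length-prefixed parts so that fields cannot be re-split."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class BankServer:
    def __init__(self, enrolled):
        self.enrolled = enrolled  # client ID -> shared internal key K
        self.sessions = {}        # client ID -> {"ns": ..., "sk": ...}

    def start_session(self, client_id):
        """Step 2: create a session and issue a random request (the 'matrix request')."""
        if client_id not in self.enrolled:
            raise KeyError("unknown client")
        ns = secrets.token_bytes(16)
        self.sessions[client_id] = {"ns": ns}
        return ns

    def answer_challenge(self, client_id, nc, tag):
        """Step 4: verify the client's challenge, echo it, return a wrapped session key."""
        k = self.enrolled[client_id]
        ns = self.sessions[client_id]["ns"]
        expected = _prf(k, b"client", client_id.encode(), ns, nc)
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("client challenge failed")
        sk = secrets.token_bytes(32)
        wrapped = _xor(sk, _prf(k, b"wrap", ns, nc))
        self.sessions[client_id]["sk"] = sk
        return nc, wrapped, _prf(k, b"server", ns, nc, wrapped)


class ImpostorServer(BankServer):
    """A server without the real K: it skips verification and answers with a guessed key."""
    def answer_challenge(self, client_id, nc, tag):
        k = self.enrolled[client_id]  # the impostor's guess at K
        ns = self.sessions[client_id]["ns"]
        sk = secrets.token_bytes(32)
        wrapped = _xor(sk, _prf(k, b"wrap", ns, nc))
        return nc, wrapped, _prf(k, b"server", ns, nc, wrapped)


class MobileClient:
    def __init__(self, client_id, key):
        self.id, self.key = client_id, key
        self.ns = self.nc = None

    def challenge(self, ns):
        """Step 3: bind our ID and the server's request under K, plus our own nonce."""
        self.ns, self.nc = ns, secrets.token_bytes(16)
        return self.nc, _prf(self.key, b"client", self.id.encode(), ns, self.nc)

    def verify_server(self, echoed_nc, wrapped, tag):
        """Step 5: accept the server only if it echoed our challenge under the right key."""
        if not hmac.compare_digest(echoed_nc, self.nc):
            return None
        expected = _prf(self.key, b"server", self.ns, self.nc, wrapped)
        if not hmac.compare_digest(expected, tag):
            return None
        return _xor(wrapped, _prf(self.key, b"wrap", self.ns, self.nc))


def run_handshake(client, server):
    """Steps 1-5 end to end; returns the session key the client derived, or None."""
    ns = server.start_session(client.id)                               # steps 1 and 2
    nc, tag = client.challenge(ns)                                     # step 3
    echoed, wrapped, tag2 = server.answer_challenge(client.id, nc, tag)  # step 4
    return client.verify_server(echoed, wrapped, tag2)                 # step 5


def run_demo():
    k = bytes(range(32))  # constructed shared internal key
    genuine = BankServer({"phone-42": k})
    client = MobileClient("phone-42", k)
    sk = run_handshake(client, genuine)
    out = {"genuine_accepted": sk is not None,
           "keys_agree": sk == genuine.sessions["phone-42"]["sk"]}
    impostor = ImpostorServer({"phone-42": bytes(32)})
    out["impostor_accepted"] = run_handshake(client, impostor) is not None
    # a reply whose echoed challenge was altered in transit is also rejected
    ns = genuine.start_session(client.id)
    nc, tag = client.challenge(ns)
    echoed, wrapped, tag2 = genuine.answer_challenge(client.id, nc, tag)
    out["tampered_accepted"] = client.verify_server(bytes(16), wrapped, tag2) is not None
    return out


if __name__ == "__main__":
    print(run_demo())
```

Both nonces go into every tag, so a recorded genuine reply cannot be replayed against a later session, and the client compares tags with hmac.compare_digest so that verification time does not leak how many bytes matched.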
IV. Factors of Authentication
Online banking fraud: the Internet is a medium which allows a large number of people or organizations to communicate with each other in a few seconds, without much effort or cost.
Online fraud is now very common all over the world, and it has become a major source of revenue for criminals. Banks and financial institutions are very attentive to detecting and preventing online fraud.
A. Key Types of Online Fraud
Online fraud has been categorized broadly into two categories, as mentioned below.
User identity theft:
• Phishing attacks which trick the user into providing access information.
• Key-loggers and "spyware" which capture access information.
User session hijacking:
The attacker gets control over the active user session and monitors all user activities.
• Local malware session hijacking attack performs host file redirection.
• Remote malware session hijacking attacks.
Authentication methodologies:
Existing authentication methodologies have three basic "factors":
• Know: something the user knows (password, PIN);
• Has: something the user has (ATM card, smart card); and
• Is: something the user is (a biometric characteristic such as a fingerprint) [2].
V. Conclusion
In online payment, security is a major part. There are many Internet threats that affect the security of Internet systems. Single-factor authentication increases the risk in communication because it requires only a username and password, so any attacker who obtains this information can act as a valid user. That is why multifactor authentication, such as the two-way authentication technique, is used for this purpose, so that it reduces fraud and provides a strong security application for online transactions. The implementation of this protocol will not increase the expenses of users significantly. This protocol can be easily implemented and executed within the current expenses charged by financial institutions to users for performing online payments, or with very little addition to the current charge for online payment. Basically, the cost model of the proposed protocol depends mostly on the policies that financial institutions adopt for implementing this protocol.
VI. Future Work
Future work will focus on developing a new and efficient way of using biometric characteristics using cell phones/PDAs. Finger-print scanning is efficient on the user's device with the help of appropriate scanners, so that the user sends correct information to the bank or financial institution. Server-side maintenance, management mechanisms and distribution to satisfy the demand from a large number of users are also part of future work.
References
[1] Ayu Tiwari, Sudip Sanyal, Ajith Abraham, Sugata Sanyal, Knapskog, "A Multifactor Security Protocol For Wireless Payment - Secure Web Authentication using Mobile Devices", IADIS International Conference, Applied Computing 2007, Salamanca, Spain, pp. 160-167, February 2007.
[2] Lawton G., "Moving Java into Mobile Phones", IEEE Computer, Volume 35, Issue 6, pp. 17-20, June 2002.
[3] Jablon David P., Integrity Sciences, Inc., Westboro, MA, ACM SIGCOMM, "Strong Password-Only Authenticated Key Exchange", Computer Communication Review, Vol. 26, pp. 5-26, September 2005.
[4] Pointcheval D., Zimmer S., "Multi-Factor Authenticated Key Exchange", In Proceedings of Applied Cryptography and Network Security, pp. 277.