18-10-2016, 03:33 PM
Abstract- Mobile payment is an important and critical component of mobile commerce. A user-friendly mobile payment solution is strongly needed to let mobile users conduct secure and reliable payment transactions with their mobile devices. This paper presents an innovative mobile payment system based on 2-dimensional (2D) barcodes, called QR codes, to improve the mobile user's experience of mobile payment. Unlike other existing mobile payment systems, the proposed solution provides distinct advantages in supporting the buying and selling of products and services based on QR codes. The Secure QR-Pay system, built on 2D QR codes, allows a user to pay a merchant even while offline. A merchant presents the payment information as a QR code on a display window, and the user captures it with the camera of a mobile device. Once the user confirms the payment information and requests approval, the payment system settles the transaction by itself. The proposed system provides non-repudiation and confidentiality of payment information, and it offers mutual authentication between user and merchant.
I. INTRODUCTION
Mobile payment is one of the important and hot subjects in mobile commerce and wireless applications. Recently, the emergence of wireless communications technology has raised concerns about the performance and security of payment systems. Such concerns come from the limitations of wireless environments. Firstly, mobile devices have lower power, storage, and computational capabilities than desktop computers; they cannot efficiently perform expensive operations such as public-key encryption. Secondly, wireless networks have less bandwidth and reliability, and higher latencies. Therefore, mobile payments with existing payment protocols are not acceptable to many users.
Several payment protocols have been proposed for fixed networks. Nevertheless, they are based on a public key infrastructure (PKI), which is not efficiently applied to wireless networks: a client needs to perform expensive computations, and her mobile device is required to have considerable storage for public-key certificates. Moreover, during a transaction, each certificate sent to the client has to be verified by a Certificate Authority (CA) located in a fixed network, which results in additional communication passes.
A QR Code (short for Quick Response) is a specific matrix barcode (or two-dimensional code), readable by dedicated QR barcode readers and camera phones. A code can contain up to 7,089 numeric characters. A user-friendly and convenient mobile payment solution is a key ingredient in supporting mobile users who conduct secure and reliable payment transactions using mobile devices. With the rapid increase of mobile phones that have a touch screen and a digital camera, mobile users are looking for mobile solutions that provide a rich mobile experience and simple operations for mobile commerce. Mobile payment systems supporting QR codes are definitely needed by mobile users and merchants.
In this paper, we propose an innovative mobile payment system based on QR codes to improve the mobile user's experience in conducting mobile payment transactions. Unlike other existing mobile payment systems, the proposed payment solution provides distinct advantages in supporting the buying and selling of products and services with QR codes. The system uses one standard QR code (Data Matrix) as an example to demonstrate how to handle the underlying QR code-based mobile payment workflow, the mobile transactions and the security mechanisms involved.
II. RELATED WORK
A) Account-Based Payment Systems
In account-based payment systems, each customer is associated with a specific account maintained by a Trusted Third Party (TTP) such as a bank (or a telco). In pre-paid transactions, this account is directly linked to the consumer's savings account. The consumer maintains a positive balance on this account, which is debited when a pre-paid transaction is processed. If post-paid transactions are supported, the charges from a transaction are accrued in the consumer's account. The consumer is then billed periodically and pays the balance of the account to the TTP. Account-based payment systems can be classified into three categories.
Mobile Phone-Based Payment Systems – They enable customers to purchase and pay for goods or services via mobile phones. Here, each mobile phone is used as the personal payment tool in connection with remote sales. A phone card-based payment system has the advantage over traditional card-based payment that the mobile phone replaces both the physical card and the card terminal. Payments can take place anywhere, far away from both the recipient and the bank.
Smart Card Payment Systems – They use a smart card, an embedded microcircuit that contains memory and a microprocessor together with an operating system for memory control. These smart cards can be used for electronic identification, electronic signatures, encryption, payment, and data storage.
Credit-Card Mobile Payment Systems – This type of mobile payment system allows customers to make payments on mobile devices using their credit cards. These payment systems are built on the existing credit card-based financial infrastructure by adding wireless payment capability for consumers on mobile devices.
B) Mobile Wallets
Mobile wallets are the most popular type of mobile payment option for transactions. Like e-wallets, they allow a user to store billing and shopping information that the user can recall with one click while shopping with a mobile device. The primary types of mobile wallet schemes in the market are client wallets and hosted wallets. Client wallets are stored on a user's device in the form of a SIM Application Toolkit card that resides in a mobile phone. Since the wallet is based on hardware, it is difficult to update, and the user's sensitive financial information is potentially compromised if the device is lost or stolen. Hosted wallets are digital wallets hosted on a server. This gives the service provider much greater control over the functionality it delivers and over the security of the data and transactions. Hosted wallets can be self-hosted wallets or third-party hosted wallets. In addition, server-based mobile e-wallets using SET technology are already in use, providing secure transaction capability for merchants and cardholders.
III. QR CODE BASED MOBILE PAYMENT SYSTEM
This approach builds QR code-based systems that allow mobile users to issue mobile payment transactions using their digital wallets, which are based on mobile payment accounts held in a mobile payment server. Compared with existing account-based mobile payment systems, this approach has five distinct advantages:
• It provides the buy-and-sale payment services for goods identified using QR codes.
• Mobile users can easily retrieve all related product information from QR codes.
• It easily supports product and customer verification for post-sale services, such as delivery and pick-up.
• It increases the mobile security for payment transactions.
• It improves mobile user experience by reducing user inputs.
IV. SECURE QR CODE PAYMENT SYSTEM FRAMEWORK
To address the security issues, we build a mobile enabled security framework in the QR code payment system. This security framework includes the following components.
• Authentication management – This component supports the required authentication functions for each party, including the mobile client, the merchant, and the payment server. In this system each party must be authenticated before any payment transaction.
• Mobile session management – This component is designed to assure the security of a payment session between the involved parties.
• Certification management – This component supports payment-oriented certificate generation, validation, and management.
• Mobile key management – This component generates, distributes and checks public and private keys based on Elliptic Curve Cryptography (ECC) or the Advanced Encryption Scheme.
• Message and data integrity validation – This component checks message and data integrity for the communications between the mobile client and the payment server using encryption and decryption methods.
SECURE QR-PAY SYSTEM WITH CIPHERING TECHNIQUES IN MOBILE DEVICES
• In a payment invoice, a code is used to carry the mobile user's selected purchasing information as well as security data, including the secured session ID, client ID, PIN and private key of the mobile client, for authentication by the merchant.
• In a payment transaction, a code is used to contain the detailed payment information for a mobile user, including the credit card, PIN, private key, and secured session ID of the mobile client.
• In a payment confirmation, a code is used to hold the secured transaction ID and confirmation code as well as the validation ID.
The mobile-enabled security solution consists of three parts, which support the security functions and needs of the mobile client software, the mobile payment server, and the merchant server. Unlike other existing electronic payment systems, the major security solutions in the proposed payment system use the Elliptic Curve Cryptography technique to deal with the different security issues.
User Registration
All users of the mobile payment system must register before they access the payment services. Since the system provides an online website supporting all of its user membership and account management, its users (both customers and merchants) can use the mobile user interface (or online interface) to register, access, and update their profiles and account information. During user registration, each user is assigned a unique user ID. In addition, a pair of public and private keys is generated for the user. At the end of user registration, a user certificate is issued to the mobile client.
Public and Private Key Generation
Each mobile user with a unique user ID is assigned a generated public and private key pair based on the Advanced Encryption Scheme (AES) technique, which provides the public key infrastructure using 256-bit keys to provide confidentiality, integrity, and authenticity. An optional random seed is used to ensure that the public key generated for the user is unique in the system; it must be derived from some unique characteristic of the handset, such as the network host name of the mobile device. This key pair is used in generating secret session keys and digital signatures to achieve secured sessions and data integrity checking.
User and Merchant Certification
A certificate request is generated for each user (both merchant users and customer users) during user registration, based on the generated key pair. All user certificates are stored in the data store in Base64-encoded DER format and indexed by the user's ID. During the payment communications between parties, the public key is derived from the certificate. In the first release of this payment system implementation, the payment server is used as the certificate authority, the most trusted and central entity in the system. In real practice, a third-party certification server can act as the certification authority.
Private Key and Certificate Key Management
Since each user's private key and certificate key are stored on the mobile device, it is important to protect them. To achieve this goal, the mobile client software encrypts the user's PIN and certificate key (or private key) with the Advanced Encryption Scheme (AES) and hashes them with HMAC before storing them as a file on the mobile device.
Message and Data Integrity Checking
To ensure the data integrity of mobile payment processing, the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for two purposes:
• To ensure the data integrity of generated certificates in the communications.
• To ensure the data integrity of signed transaction messages from mobile users and merchants to maintain non-repudiation.
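As an added illustration (not code from the paper), the following Go example shows the merchant-to-client leg of the scheme just described: the merchant signs the invoice with ECDSA before encoding it into the QR code, and the mobile client verifies the signature with the merchant's public key taken from its certificate. The field names, the "|"-separated payload format, the P-256 curve and SHA-256 are assumptions of this example; the paper does not fix them.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// Invoice is the payment information the merchant encodes into the QR code. The
// field names and the "|"-separated wire format are assumptions of this example.
type Invoice struct {
	ShopID, InvoiceID, Amount, Currency string
}
// canonical returns the exact bytes that are signed and later verified.
func (inv Invoice) canonical() []byte {
	return []byte(strings.Join([]string{inv.ShopID, inv.InvoiceID, inv.Amount, inv.Currency}, "|"))
}
// newKey stands in for the P-256 key pair issued to a merchant at registration.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// signInvoice (merchant side) hashes the canonical invoice with SHA-256, signs the
// digest with ECDSA and appends the base64 signature; the result is the QR payload.
func signInvoice(inv Invoice, priv *ecdsa.PrivateKey) (string, error) {
	digest := sha256.Sum256(inv.canonical())
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return string(inv.canonical()) + "|" + base64.StdEncoding.EncodeToString(sig), nil
}
// parseAndVerify (mobile client side) splits the scanned payload, recomputes the
// digest and checks the signature with the merchant's public key taken from its
// certificate; a tampered amount or a malformed payload fails verification.
func parseAndVerify(payload string, pub *ecdsa.PublicKey) (Invoice, bool) {
	parts := strings.Split(payload, "|")
	if len(parts) != 5 {
		return Invoice{}, false
	}
	inv := Invoice{ShopID: parts[0], InvoiceID: parts[1], Amount: parts[2], Currency: parts[3]}
	sig, err := base64.StdEncoding.DecodeString(parts[4])
	if err != nil {
		return Invoice{}, false
	}
	digest := sha256.Sum256(inv.canonical())
	return inv, ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

The user's approval in the reverse direction follows the same pattern with the user's key, which is what gives the transaction record its non-repudiation property.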
V. PERFORMANCE
A QR Code payment system should be quicker, safer and just as easy as using normal cash. The proposed system satisfies the following requirements.
Security
The system should be as secure as traditional cash if not more secure. This is one of the most important characteristics in all financial transactions.
Mutual Authentication
The Secure QR-Pay System is based on mutual authentication between a user and a shop. Mutual authentication relies on public certificates issued by a public CA: the shop proves its identity by signing with its private key, and the user proves his or her identity by signing the approval of the payment information with his or her private key. Mutual authentication makes it possible to obtain payment information through a secure channel with the PG (payment gateway) in the middle.
Anonymity
The merchant should not be able to access the client's bank account, and should also not be able to obtain personal details about the client. The bank should not be able to track what the client is buying; it should only know the amount and the merchant's details. Neither a bank nor a merchant should be able to track or monitor the spending habits of a customer and build a profile of that client.
Confidentiality
All communication between the user and the PG, and between the PG and each merchant, is transmitted over a secure SSL/TLS channel. Even if an attacker sniffs a message, he cannot read the contents of the transmitted message. Likewise, the QR code transmitted over the visual channel does not reveal payment information directly, because it carries only the shop number, the information number and the digital signature values.
Offline availability
A payment needs to be possible even if the third-party server is unavailable. If this were not possible, the system would be no better than traditional cash.
Scalability
There should be no reliance on a central component, because it could become a bottleneck and a single point of failure. The whole system needs to be distributed and able to run from a variety of locations. This eliminates the threat of the whole system failing if one server goes down.
VI. CONCLUSION
As more and more products and goods in commerce are identified using QR codes, there is a clear need to build new mobile payment systems that let mobile users conduct transactions based on QR codes. We also find that, in the existing payment system, the information sent to and received from the Payment Gateway (PG) is not encrypted. To address this need, this paper introduces an innovative mobile payment system that supports and delivers secure and easy-to-operate mobile payment transactions based on QR codes. The proposed system replaces this plaintext message exchange with ciphered messages that use a robust ciphering technique such as the AES or DES algorithm. It enables mobile payment transactions for all goods and products identified by QR codes, anywhere and anytime; it supports code-based security solutions for mobile payment; and it improves the mobile user experience by reducing user inputs in mobile payment.