
Wen-Chen Hu

University of North Dakota, USA

Chung-wei Lee

Auburn University, USA

Weidong Kou

Chinese State Key Lab. of Integrated Service Networks, China

Hershey • London • Melbourne • Singapore


Acquisitions Editor: Mehdi Khosrow-Pour

Senior Managing Editor: Jan Travers

Managing Editor: Amanda Appicello

Development Editor: Michele Rossi

Copy Editor: Ingrid Widitz

Typesetter: Jennifer Wetzel

Cover Design: Lisa Tosheff

Printed at: Yurchak Printing Inc.

Published in the United States of America by

Idea Group Publishing (an imprint of Idea Group Inc.)

701 E. Chocolate Avenue, Suite 200

Hershey PA 17033

Tel: 717-533-8845

Fax: 717-533-8661

E-mail: [email protected]

Web site: http://www.idea-group.com

and in the United Kingdom by

Idea Group Publishing (an imprint of Idea Group Inc.)

3 Henrietta Street

Covent Garden

London WC2E 8LU

Tel: 44 20 7240 0856

Fax: 44 20 7379 3313

Web site: http://www.eurospan.co.uk

Copyright © 2005 by Idea Group Inc. All rights reserved. No part of this book may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher.

Library of Congress Cataloging-in-Publication Data

Advances in security and payment methods for mobile commerce / Wen Chen Hu, Chung-Wei Lee and Weidong Kou, editors.

p. cm.

Includes bibliographical references and index.

ISBN 1-59140-345-6 (h/c) -- ISBN 1-59140-346-4 (s/c) -- ISBN 1-59140-347-2 (eisbn)

1. Mobile commerce--Security measures. 2. Business enterprises--Computer networks--Security measures. I. Hu, Wen Chen, 1960- II. Lee, Chung-Wei, 1965- III. Kou, Weidong.

HF5548.34.A37 2004

658.4'78--dc22

2004016285

British Cataloguing in Publication Data

A Cataloguing in Publication record for this book is available from the British Library.

All work contributed to this book is new, previously-unpublished material. The views expressed in this book are those of the authors, but not necessarily of the publisher.



 



  

 

  


Preface .......................................................................................................................... vi

Section I: Fundamentals of Mobile Commerce Security and Payment Methods

Chapter I

Mobile Commerce Security and Payment Methods .......................................................1

Chung-wei Lee, Auburn University, USA

Weidong Kou, Chinese State Key Lab. of Integrated Service Networks, China

Wen-Chen Hu, University of North Dakota, USA

Chapter II

Reputation and Trust................................................................................................... 19

Li Xiong, Georgia Institute of Technology, USA

Ling Liu, Georgia Institute of Technology, USA

Chapter III

Intrusion Detection and Vulnerability Analysis of Mobile Commerce Platform ....... 36

Changhua Zhu, Xidian University, China

Changxing Pei, Xidian University, China

Chapter IV

A Secure Authentication Infrastructure for Mobile Users ........................................ 56

Gregor v. Bochmann, University of Ottawa, Canada

Eric Zhen Zhang, University of Ottawa, Canada

Section II: Mobile Commerce Security

Chapter V

Policy-Based Access Control for Context-Aware Services over the Wireless Internet ........................................................................................................................ 81

Paolo Bellavista, University of Bologna, Italy

Antonio Corradi, University of Bologna, Italy

Cesare Stefanelli, University of Ferrara, Italy

Chapter VI

A Comprehensive XML Based Approach to Trust Negotiations .............................. 109

Elisa Bertino, Purdue University, USA

Elena Ferrari, Università degli Studi dell’Insubria, Italy

Anna Cinzia Squicciarini, Università degli Studi di Milano, Italy

Chapter VII

Security Issues and Possible Countermeasures for a Mobile Agent Based M-Commerce Application ......................................................................................... 140

Jyh-haw Yeh, Boise State University, USA

Wen-Chen Hu, University of North Dakota, USA

Chung-wei Lee, Auburn University, USA

Chapter VIII

Secure Multicast for Mobile Commerce Applications: Issues and Challenges....... 164

Mohamed Eltoweissy, Virginia Tech, USA

Sushil Jajodia, George Mason University, USA

Ravi Mukkamala, Old Dominion University, USA

Section III: Mobile Commerce Payment Methods

Chapter IX

M-Payment Solutions and M-Commerce Fraud Management .................................. 192

Seema Nambiar, Virginia Tech, USA

Chang-Tien Lu, Virginia Tech, USA

Chapter X

Multi-Party Micro-Payment for Mobile Commerce ................................................. 214

Jianming Zhu, Xidian University, China

Jianfeng Ma, Xidian University, China

Chapter XI

SeMoPS: A Global Secure Mobile Payment Service ................................................ 236

Stamatis Karnouskos, Fraunhofer Institute FOKUS, Germany

András Vilmos, SafePay Systems Ltd., Hungary

Antonis Ramfos, Instrasoft International, Greece

Balázs Csik, ProfiTrade 90 Ltd., Hungary

Petra Hoepner, Fraunhofer Institute FOKUS, Germany

Section IV: Ad Hoc Mobile Commerce Security and Payment Methods

Chapter XII

Remote Digital Signing for Mobile Commerce ........................................................ 263

Oguz Kaan Onbilger, University of Florida, USA

Randy Chow, University of Florida, USA

Richard Newman, University of Florida, USA

Chapter XIII

A Mobile Coalition Key-Evolving Digital Signature Scheme for Wireless/Mobile Networks ................................................................................................................... 285

Quanxing Zhang, Auburn University, USA

Chwan-Hwa “John” Wu, Auburn University, USA

J. David Irwin, Auburn University, USA

Chapter XIV

Smart Card Based Protocol for Secure and Controlled Access of Mobile Host in IPv6 Compatible Foreign Network ............................................................................ 312

R. K. Ghosh, Indian Institute of Technology, Kanpur, India

Abhinav Arora, Indian Institute of Technology, Guwahati, India

Gautam Barua, Indian Institute of Technology, Guwahati, India

About the Authors ..................................................................................................... 338

Index ........................................................................................................................ 347

Preface

Introduction

With the introduction of the World Wide Web, electronic commerce has revolutionized traditional commerce and boosted sales and exchanges of merchandise and information. Recently, the emergence of wireless and mobile networks has made possible the admission of electronic commerce to a new application and research subject: mobile commerce, which is defined as the exchange or buying and selling of commodities, services, or information on the Internet through the use of mobile handheld devices. In just a few years, mobile commerce has emerged from nowhere to become the hottest new trend in business transactions. In fact, the growth of mobile handheld devices has been more rapid than the growth in any previous technology.

Yet, one of the biggest impediments to the growth of mobile commerce has been a lack of consistency in security and payment methods and an absence of consensus on technology standards. Various wired or electronic commerce security and payment methods have been modified and applied to mobile commerce, but experience shows that simply adapting those solutions to mobile commerce is not feasible. Different methods and approaches must be taken to enforce mobile commerce security and secure payment methods. Many novel security and payment technologies, therefore, have been proposed and applied to mobile commerce, and they are highly diverse and broad in application. This book attempts to provide a comprehensive study of mobile commerce security and payment methods and address the complex challenges facing the mobile commerce industry.

This book contains high-quality research, industrial and practical articles in the areas of mobile commerce security and payment methods from both academics and industrialists. It includes research and development results of lasting significance in the theory, design, implementation, analysis, and application of mobile commerce security and payment methods. It could be used as a textbook for an advanced computer science (or related disciplines) course and would be a highly useful reference book for IT professionals.


Organization

The issues related to mobile commerce security and payment methods are wide and varied, and this book has benefited from contributions by authors with a range of backgrounds. To help readers better understand this book, it is divided into four major sections, and a brief overview of each chapter is given below.

Section I

This section describes the fundamentals of mobile commerce security and payment methods and includes four chapters on the general concepts, reputation and trust, intrusion detection, and a secure authentication infrastructure.

Chapter I, Mobile Commerce Security and Payment Methods, is by Chung-wei Lee, Weidong Kou, and Wen-Chen Hu. This chapter provides a comprehensive overview of mobile commerce security and payment methods. A secure mobile commerce system must have the following properties: (i) confidentiality, (ii) authentication, (iii) integrity, (iv) authorization, (v) availability, and (vi) non-repudiation. The chapter discusses the security issues related to the following three network infrastructures: (i) wireless local area networks, (ii) wireless wide area networks, and (iii) WAP. Among the many themes of mobile commerce security, mobile payment methods are probably the most important. A typical mobile payment process includes: (i) registration, (ii) payment submission, (iii) authentication and authorization by a content provider, and (iv) confirmation. This chapter also describes a set of standards for mobile payments.

Chapter II, Reputation and Trust, is authored by Li Xiong and Ling Liu. The authors introduce reputation systems as a means of facilitating trust and minimizing risks in m-commerce and e-commerce in general. They present PeerTrust, an adaptive and dynamic reputation-based trust model that helps participants or peers evaluate each other's trustworthiness based on community feedback about participants' past behavior.

Chapter III, Intrusion Detection and Vulnerability Analysis of Mobile Commerce Platform, is authored by Changhua Zhu and Changxing Pei. Intrusion detection and vulnerability analysis play the same important roles in wireless infrastructures as in wired ones. This chapter first describes the methods and technologies of intrusion detection and vulnerability analysis. It then presents the security issues in various wireless networking technologies, analyzes the vulnerability of the enabling technologies for the mobile commerce platform, and proposes a distributed wireless intrusion detection and vulnerability analysis (WID&VA) system that can help to address the identified security issues.

Chapter IV, A Secure Authentication Infrastructure for Mobile Users, is authored by Gregor v. Bochmann and Eric Zhen Zhang. This chapter first explains the requirements for an authentication infrastructure for electronic commerce, identifying the partners involved in e-commerce transactions and the trust relationships required. An improved authentication protocol, which provides trust relationships for mobile e-commerce users, is then presented. Its analysis and comparison with other proposed authentication protocols indicate that it is a good candidate for use in the context of mobile e-commerce.


Section II

This section discusses issues related to mobile commerce security and includes four chapters on policy-based access control, XML-based trust negotiations, mobile agents, and secure multicast.

Chapter V, Policy-Based Access Control for Context-Aware Services over the Wireless Internet, is authored by Paolo Bellavista, Antonio Corradi, and Cesare Stefanelli. The spread of wireless access to the Internet stimulates the provision of mobile commercial services to a wide set of heterogeneous and resource-limited client terminals. This requires novel programming methodologies to support and simplify the development of innovative service classes. In these novel services, results and offered quality levels should depend on both client location and locally available resources (context). Within this perspective, this chapter motivates the need for novel access control solutions that flexibly control the resource access of mobile clients depending on the currently applicable context. In particular, it discusses and exemplifies how innovative middleware for access control should support the determination of the client context on the basis of high-level declarative directives (profiles and policies) and distributed online monitoring.

Chapter VI, A Comprehensive XML Based Approach to Trust Negotiations, is authored by Elisa Bertino, Elena Ferrari, and Anna Cinzia Squicciarini. Trust negotiation is a promising approach for establishing trust in open systems like the Internet, where sensitive interactions may often occur between entities at first contact, with no prior knowledge of each other. This chapter presents Trust-X, a comprehensive XML-based framework for trust negotiations, specifically conceived for a peer-to-peer environment. It also discusses the applicability of trust negotiation principles to mobile commerce, and introduces a variety of possible approaches to extend and improve Trust-X in order to fully support mobile commerce transactions and payments.

Chapter VII, Security Issues and Possible Countermeasures for a Mobile Agent Based M-Commerce Application, is authored by Jyh-haw Yeh, Wen-Chen Hu, and Chung-wei Lee. With the advent of wireless and mobile networks, the Internet is rapidly evolving from a set of connected stationary machines to include mobile handheld devices. This creates new opportunities for customers to conduct business from any location at any time. However, the electronic commerce technologies currently used cannot be applied directly, since most were developed based on fixed, wired networks. As a result, a new research area, mobile commerce, is now being developed to supplement existing electronic commerce capabilities. This chapter discusses the security issues related to this new field, along with possible countermeasures, and introduces a mobile agent based solution for mobile commerce.

Chapter VIII, Secure Multicast for Mobile Commerce Applications: Issues and Challenges, is authored by Mohamed Eltoweissy, Sushil Jajodia, and Ravi Mukkamala. This chapter identifies system parameters and subsequent security requirements for secure multicast in m-commerce. Attacks on m-commerce environments may undermine the satisfaction of these security requirements, resulting, at most times, in major losses. A set of common attacks and the core services needed to mitigate these attacks are discussed first. The chapter then provides efficient solutions for secure multicast in m-commerce. Among these services, authentication and key management play a major role. Given the varying requirements of m-commerce applications and the large number of current key management schemes, it also provides a set of performance metrics to aid m-commerce system designers in the evaluation and selection of key management schemes.

Section III

Section III covers the issues related to mobile commerce payment methods and includes three chapters on the subjects of mobile payment introduction and overview, micro-payments, and a mobile payment service, SeMoPS, respectively.

Chapter IX, M-Payment Solutions and M-Commerce Fraud Management, is by Seema Nambiar and Chang-Tien Lu. The shift from physical to virtual payments has brought enormous benefits to consumers and merchants. For consumers it means ease of use. For mobile operators, mobile payment presents a unique opportunity to consolidate their central role in the m-commerce value chain. Financial organizations view mobile payment and mobile banking as a way of providing added convenience to their customers along with an opportunity to reduce their operating costs. This chapter starts by giving a general introduction to m-payment by providing an overview of the m-payment value chain, life cycle and characteristics. The second section reviews competing mobile payment solutions that are found in the marketplace. Different types of mobile frauds in the m-commerce environment and solutions to prevent such frauds are discussed in the last section.

Chapter X, Multi-Party Micro-Payment for Mobile Commerce, is authored by Jianming Zhu and Jianfeng Ma. This chapter introduces a new micro-payment scheme applicable to multiple parties in mobile commerce, which allows a mobile user to pay every party involved in providing services. The micro-payment, which refers to low-value financial transactions ranging from several cents to a few dollars, is an important technique in m-commerce. Their scheme is based on hash functions and avoids any additional communication and expensive public key cryptography in order to achieve good efficiency and low transaction costs. In the scheme, the mobile user releases an ongoing stream of low-valued micro-payment tokens into the network in exchange for the requested services.
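As an added illustration of this kind of hash-based token stream (example code written for this page, not the chapter's own multi-party scheme), the following Python sketch shows the generic hash-chain mechanism: the mobile user commits to the chain anchor once and then releases tokens that the service provider verifies with a single hash each, rejecting replayed and forged tokens. It assumes SHA-256 as the hash and that the anchor reaches the provider over an already authenticated registration channel; the names `MobileUser`, `ServiceProvider` and `demo_session` are this example's own.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple


def _h(data: bytes) -> bytes:
    """One hash step of the chain (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(data).digest()


def build_chain(length: int, seed: Optional[bytes] = None) -> List[bytes]:
    """Return [w_0, w_1, ..., w_length], where w_length is the secret seed,
    w_i = H(w_{i+1}) and w_0 is the public anchor the user commits to."""
    secret = seed if seed is not None else secrets.token_bytes(32)
    chain = [secret]
    for _ in range(length):
        chain.append(_h(chain[-1]))
    chain.reverse()  # chain[0] is now the anchor H^length(seed)
    return chain


class MobileUser:
    """Holds the chain and releases tokens in increasing index order."""

    def __init__(self, chain_length: int, seed: Optional[bytes] = None):
        self._chain = build_chain(chain_length, seed)
        self._released = 0  # index of the last token handed out (0 = anchor)

    def anchor(self) -> bytes:
        return self._chain[0]

    def pay(self, units: int = 1) -> Tuple[int, bytes]:
        """Release the token `units` steps beyond the last one released."""
        idx = self._released + units
        if units < 1 or idx >= len(self._chain):
            raise ValueError("invalid amount or chain exhausted")
        self._released = idx
        return idx, self._chain[idx]


class ServiceProvider:
    """Verifies tokens against the anchor obtained at registration."""

    def __init__(self, anchor: bytes):
        self._last_token = anchor
        self._last_index = 0

    def accept(self, index: int, token: bytes) -> int:
        """Credit the units a token represents; reject replays and forgeries.
        A valid token hashes forward (index - last_index) times to the last
        accepted token, so each payment costs only a few hash operations."""
        steps = index - self._last_index
        if steps <= 0:
            raise ValueError("replayed or out-of-order token")
        probe = token
        for _ in range(steps):
            probe = _h(probe)
        if probe != self._last_token:
            raise ValueError("token does not chain to the last accepted token")
        self._last_token = token
        self._last_index = index
        return steps


def demo_session(chain_length: int = 10, seed: Optional[bytes] = None) -> dict:
    """Constructed session: four payments, then a replay and a forgery that
    must both be refused by the provider."""
    user = MobileUser(chain_length, seed)
    provider = ServiceProvider(user.anchor())  # anchor assumed delivered at registration
    credited = 0
    for units in (1, 2, 1, 1):
        idx, tok = user.pay(units)
        credited += provider.accept(idx, tok)
    try:
        provider.accept(idx, tok)  # same token presented again
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    try:
        provider.accept(idx + 1, b"\x00" * 32)  # value not on the chain
        forgery_rejected = False
    except ValueError:
        forgery_rejected = True
    return {"credited": credited, "last_index": idx,
            "replay_rejected": replay_rejected, "forgery_rejected": forgery_rejected}


if __name__ == "__main__":
    print(demo_session())
```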

Chapter XI, SeMoPS: A Global Secure Mobile Payment Service, is authored by Stamatis Karnouskos, András Vilmos, Antonis Ramfos, Balázs Csik, and Petra Hoepner. Many experts consider that efficient and effective mobile payment solutions will empower existing e- and m-commerce efforts and unleash the true potential of mobile business. Recently, different mobile payment approaches have appeared on the market addressing particular needs, but up to now no global mobile payment solution exists. SeMoPS is a secure mobile payment service with an innovative technology and business concept that aims to fully address the challenges the mobile payment domain poses and become a global mobile payment service. They present a detailed description of the approach, its implementation, and the features that distinguish it from other systems. They also discuss its business model and try to predict its future impact.


Section IV

The issues related to mobile commerce security and payment methods are wide and disparate. This section consists of three chapters on digital signatures and smart cards.

Chapter XII, Remote Digital Signing for Mobile Commerce, is authored by Oguz Kaan Onbilger, Randy Chow, and Richard Newman. Mobile agents (MAs) are a promising technology that directly addresses physical limitations of mobile devices, such as limited battery life and intermittent, low-bandwidth connections, through their capability of disconnected operation. This chapter addresses the problem of digital contract signing with MAs, which is an important part of any mobile commerce activity and one especially challenging case of computing with secrets remotely in public. The authors use a multi-agent model together with simple secret splitting schemes for signing with shares of a secret key carried by MAs, cooperating to accomplish a trading task.

Chapter XIII, A Mobile Coalition Key-Evolving Digital Signature Scheme for Wireless/Mobile Networks, is authored by Quanxing Zhang, Chwan-Hwa “John” Wu, and J. David Irwin. The scheme proposed in this chapter applies a secure digital signature scheme in a mobile-IP environment and treats the three entities in a dynamic path as foreign agent (FA), home agent (HA) and mobile agent (MA), such that a coalition is formed containing each of the individual agents. Each agent has a pair of keys: one private and one public. The private key evolves with time, and the public key is signed by a certification authority (CA). All the private keys of the three agents in the coalition are needed to produce a signature. Furthermore, all messages are signed and verified. The signature is verified against a public key computed as the product of the public keys of all three agents, which is readily generated when a new dynamic path is formed.

Chapter XIV, Smart Card Based Protocol for Secure and Controlled Access of Mobile Host in IPv6 Compatible Foreign Network, is authored by R.K. Ghosh, Abhinav Arora, and Gautam Barua. This chapter presents a proposal to combine the advantages of IPsec and smart cards in order to design a new protocol for secure bi-directional access of mobile hosts in an IPv6 foreign network using smart cards. The protocol, called mobile authentication protocol (MAP), builds the security association needed for IPsec. An access router in a foreign network contacts an AAA (authentication, authorization and accounting) server in order to authenticate and authorize a mobile host that approaches the router to access services. The access router then acts as a gateway for all subsequent service requests of the mobile host.


The successful accomplishment of this book is a credit to all chapter authors’ excellent contributions. Also, the chapter authors did considerable reviewing of each other’s work. Other reviewers who helped review and comment on chapters also have our thanks. Special thanks go to the staff at Idea Group Publishing, especially to Mehdi Khosrow-Pour, Jan Travers, and Michele Rossi. The biggest thanks go to our family members for their love and support throughout this project. Finally, this work is supported by the NSFC Grant 90304008.

Wen-Chen Hu

Chung-wei Lee

Weidong Kou

April 17, 2004

Section I: Fundamentals of Mobile Commerce Security and Payment Methods

Mobile Commerce Security and Payment Methods 1

Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.

Chapter I

Mobile Commerce Security and Payment Methods

Chung-wei Lee, Auburn University, USA

Weidong Kou, Chinese State Key Lab. of Integrated Service Networks, China

Wen-Chen Hu, University of North Dakota, USA

Abstract

Without secure commercial information exchange and safe electronic financial transactions over mobile networks, neither service providers nor potential customers will trust mobile commerce. Various mobile security procedures and payment methods have been proposed and applied to mobile commerce, and this chapter attempts to provide a comprehensive overview of them. A secure mobile commerce system must have the following properties: (i) confidentiality, (ii) authentication, (iii) integrity, (iv) authorization, (v) availability, and (vi) non-repudiation. This chapter discusses the security issues related to the following three network paradigms: (i) wireless local area networks, (ii) wireless wide area networks, and (iii) WAP. Among the many themes of mobile commerce security, mobile payment methods are probably the most important. A typical mobile payment process includes: (i) registration, (ii) payment submission, (iii) authentication and authorization by a content provider, and (iv) confirmation. This chapter also describes a set of standards for mobile payments.


Introduction

With the introduction of the World Wide Web, electronic commerce has revolutionized traditional commerce and boosted sales and exchanges of merchandise and information. Recently, the emergence of wireless and mobile networks has made possible the extension of electronic commerce to a new application and research area: mobile commerce, which is defined as the exchange or buying and selling of commodities, services, or information on the Internet through the use of mobile handheld devices. In just a few years, mobile commerce has emerged from nowhere to become the hottest new trend in business transactions. Despite a weak economy, the future of mobile commerce is bright according to the latest predictions:

• Figure 1 shows the growth in demand for handheld computing devices (not including smart cellular phones) through 2007, as predicted by the research firm In-Stat/MDR (PalmInfocenter.com, 2003).

• It is estimated that 50 million wireless phone users in the United States will use their handheld devices to authorize payment for premium content and physical goods at some point during the year 2006. This represents 17% of the projected total population and 26% of all wireless users (Reuters, 2001).

• Mobile commerce is an effective and convenient way of delivering electronic commerce to consumers from anywhere and at any time. Realizing the advantages to be gained from mobile commerce, companies have begun to offer mobile commerce options for their customers in addition to the electronic commerce they already provide (The Yankee Group, 2002).

Figure 1. Forecast of demand for mobile handheld computing devices (not including smart cellular phones)

Despite the bright future of mobile commerce, its prosperity and popularity will be brought to a higher level only if information can be securely and safely exchanged among end systems (mobile users and content providers). Applying the security and payment technologies for electronic commerce to mobile commerce has been proven to be a futile effort because electronic commerce and mobile commerce are based on different infrastructures (wired vs. wireless). A wide variety of security procedures and payment methods, therefore, have been developed and applied to mobile commerce. These technologies are extremely diverse and complicated, and a comprehensive discussion of them is still absent. This chapter attempts to provide a comprehensive overview of mobile commerce security and payment methods. It is organized into four sections. The first section introduces the fundamentals of mobile commerce security and payment methods. Mobile commerce security and payment methods are detailed in the second and third sections, respectively. The last section summarizes the discussions in this chapter.

Security and Payment Methods

First, the theme of this chapter, mobile commerce security, is defined as the technological and managerial procedures applied to mobile commerce to provide the following properties of mobile commerce information and systems:

• Confidentiality: The information and systems must not be disclosed to unauthorized persons, processes, or devices.

• Authentication: Ensures parties to a transaction are not impostors and are trusted.

• Integrity: The information and systems have not been altered or corrupted by outside parties.

• Authorization: Procedures must be provided to verify that the user can make the requested purchases.

• Availability: An authorized user must have timely, reliable access to information in order to perform mobile commerce transactions.

• Non-repudiation: Ensures a user cannot deny they performed a transaction; the user is provided with proof of the transaction and the recipient is assured of the user’s identity.

These procedures involve a variety of policies and processes, along with the hardware and software tools necessary to protect the mobile commerce systems and transactions and the information processed, stored, and transmitted by them.

Among the many issues that arise with mobile commerce security, mobile payment methods are probably the most important. They are the methods used to pay for goods or services with a mobile handheld device, such as a smart cellular phone or an Internet-enabled PDA. A typical payment scenario is as follows:

1. A user registers for the services via an Internet-enabled mobile handheld device.

2. The user submits his/her payment.
