Abstract image of a woman sitting on books and studying on a laptop

Mb2420032007

IJERA Editor, profile picture
IJERA Editor

This document summarizes a research paper that proposes a two-factor authentication protocol for secure mobile payments. The protocol uses transaction identification codes (TICs) and SMS messages for authentication. TICs are one-time passwords issued by banks to users. The protocol encrypts and stores TIC lists on users' phones. During a transaction, the user selects a TIC which is verified by the bank. An SMS is also sent to the user for confirmation. The protocol aims to securely authenticate both the user and transaction using the user's mobile device and banking information.

1 of 5
Download to read offline
1
2
3
4
5
Anita Maheshwari / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-August 2012, pp.2003-2007 Two Way Authentication Protocol For Mobile Payment System Anita Maheshwari Abstract In Two Way authentication technique use a best approach for secure web transaction. It uses a TIC code it is called transaction identification code and SMS it is called short message service both provide the higher security level. TIC is a OTP (one time password) technique and issued by bank or other financial institution to the user or person who is access to the web services. In this technique uses a encryption / decryption method. It is a very complicated algorithm. . This method keeps the TIC as a secret code on cell phone. Bank provides the TIC list to the user cell phone .The user can easily pick up the TIC form the stored list of TIC. . To keep the TICs secret we store our TICs list in an encrypted manner and decrypt it at the time of requirement. This code is used to initiate secure web transaction using cell phones. Then after two ways authentication technique is involved that authenticate both the user who involved in transaction. SET Based Transaction Protocol I. INTRODUCTION This diagram define working of the set protocol.- Set is secure electronic transaction .it design to protect credit card transaction through 1) Purchase request:-According to the diagram internet It provide the security and authentication In this step customer Agent visit the by registration. Set protocol permit user or Merchant website and select various items for customer who wants to make credit card payment purchasing and get total cost according to the to any of the web based services. It is a useful selected items. protocol for message exchanging between three 2) Merchant certificates & payment gateway parties: cardholder, merchant, payment gateway. certificates:-in this step merchant ask for . payment method & customer choose credit Some pseudo –code is used in this protocol- card through set protocol. 3) In this step digital wallet is invoke and give C M: initiate request list of credit card to customer for choosing M C: initiate response card. and customer select one credit card, 4) Customer selects the one credit card from the C M: purchase request list of credit card. After that merchant sends all payment information to the merchant bank M p: Authorization and capture for customer request 5) Merchant bank send all information to the P M: Authorization and capture customer bank for authentication purpose. response After that customer bank check all the information to own database. And also check M C: purchase response it is a valid user or not. 6) After completed all checking process customer bank send authorization response 7) Merchant bank send the message of authorization approval to the merchant Agent. 8) After that confirmation message received to the customer your order has been processed. 2003 | P a g e
Anita Maheshwari / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-August 2012, pp.2003-2007 Some disadvantage of set protocol is:- 2. SMS Authentication 1) Set is only design for wired network. It not Bank stores the customer phone number to support fully wireless network. provide sms confirmation to user during transaction. 2) Set is end to end security mechanism which We assume that user will carry his cell phone or means it requiring traditional flow between receive sms. After getting sms user also send the customer and merchant. response (YES or NO) . when user send YES which 3) All the transaction is flow from the customer means he is a valid user and he want to access the to merchant so that it increases the risk of information & when user send NO or does not send middle attacker. So that at the middle all any response to web server which means it is not a information can be copied. valid user and transaction will be terminated.[1] 4) No one notification received from the customer bank to the customer after Architecture for secure web transaction successful transaction 5) Set protocol is only for card based not support account based payment system. So that we use a two way authentication protocol TWO WAY AUTHENTICATION APPROACH Introduction:- secure electronic transaction is a one way authentication technique so it increase lots of risk that way use one more approach is called multifactor authentication technique .it is a secure wed transaction it also include the cell phone in this transaction. Multifactor Authentication Technique:- This process use the two authentication techniques a) TIC (Transaction Identification code) b) SMS TIC Authentication Technique It is a Transaction Identification Code used to Figure describes the protocol which is start with the identify both the user which is involve in this money transaction by the user. We assume that all transaction. It is identify the transaction has been the information which is related to user is store in initiated by the valid user or right person. the wed server database like user cell number,  TIC codes are issued by the bank . account information etc.  It is combination of numeric or alphanumeric characters. According to this diagram many steps are done  It is randomly generated number. it is 8 bit or during transaction:- 16 bit number which is assign to user or customer. 1) Firstly User gets the username, Id, list of TIC  It is like a one time password which means one from the bank. Each user has one account which TIC code used only one time during transaction is receive from the bank authority and receive  It is unique code. TIC list from the bank authority. This list is encrypted through proper encryption algorithm. In this process we are assuming bank are After that user select one TIC code from this responsible to store TIC generation logic and they list. This TIC code is unique in each transaction. are also responsible the complexity of TIC code 2) User gives username and password to bank .bank are responsible for keep TIC as a secret. Bank website for authentication. It is a login process also provide the list of TIC code to the customer or 3) User information sends to the bank user. The Bank or Financial institution will keep a authorization server for verification. When user record of issued TIC codes to its customers and is a valid user then he receives the message match the same code during the online web from the server side. transaction. A TIC code is cancelled after each 4) User receive the login authentication success successful transaction. message from web server and web server also generate the session key and send to the user 2004 | P a g e
Anita Maheshwari / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-August 2012, pp.2003-2007 5) The user will select mode of payment. We have consider two modes of payment: Credit Card based system & Account based Electronic transfer. 6) User will insert the details of payment by filling in a simple form with details such as merchant’s bank and branch code information, invoice number and account number to which an amount has to be transferred. . 7) The user will insert a TIC code by choosing a TIC code from the stored list of TICs. This TIC are stored with encrypted manner after that user will decrypt and send the TIC to the bank through the transaction after that this TIC code send to the bank authentication server. This TIC match to the list of TIC which is issued TIC the user/customer. AES encryption method is used in TIC encryption process. 8) Bank authentication server decrypt the message and receive the TIC code and match to the list of TIC which is issued to the user when both TICs match bank cancel the user TIC from database. If no TIC matches then send error message to the user. 9) Bank server generates an acknowledgement to the user, which makes use free to logout from CRYPTOGRAPHY AND KEY AND the web portal and wait for a confirmation SMS or to initiate another financial web transaction. SESSION MANAGEMENT Encryption is the process for translating 10) After complete this process the authentication plaintext into codable form which is called cipher server will send an SMS to the user’s cell phone text to make it unreadable form to anyone. So that it to verify the transaction is used to provide secret information. Cryptography 11) The user would confirm their initiated is very essential aspect for secure communication. transaction by choosing “YES” or deny it by choosing “NO” by replying confirmation SMS[1] ENCRYPTION ALGORITHM 12) The server will notify the user by a Message to we use AES algorithm it is a advanced acknowledge the successful completion of encryption standard. It is used for encryption of transaction or declination of the transaction. electronic data. It supports variable-length block using variable-length keys. A key size of 128, 192, or 256-bit can be used in encryption of data blocks TWO WAY AUTHENTICATION SYSTEMS that are 128, 192, or 256 bits. The main advantage of It is a system for two way authentication it describes this algorithm is block length and/or key bits can the five major components:- easily be expanded. We have considered a simple 1) User : user is a valid account holding customer example which shows the AES key expansion of the bank technique. In this technique 16 keys are used 2) Customer Agent (CA): it is software which is randomly and four words are used initially. Each installed into user mobile device. new word depends on the previous word. And one 3) Merchant Agent (MA): it is a online service special type of function is used in this process so provider so that user can perform online that key is randomly changed through this complex transaction and purchasing through merchant function.[4] agent. 4) Customer bank : this is the bank at which the user has a valid account 5) Merchant bank : this is the bank at which merchant has valid account [1] 2005 | P a g e
Anita Maheshwari / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-August 2012, pp.2003-2007 According to this diagram key is generated from the server side and one shared secret key is also generate for encrypt this key and apply the AES algorithm and encrypt shared secret key is generated and it is send to the user cell phone. This key is a 128 bits. Whenever user cell phone is lost then no one can use this key because this key is store in the encrypt format so this key is very useful and this key is only decrypt when valid user login the bank website. One TIC list is send to the user cell phone. List is stored into encrypted manner user select the one TIC from the list he use the local password for this selection when TIC is selected it authomatically According to the diagram 4 keys are decrypt . and the selected TIC will also remove from provided to the 4 word w0 word is very first word it the TIC list. So that encryption and decryption of XOR with complex function and generate w4 word TIC is also based on the AES key algorithm which is then after this word is XOR with the w1 word and define to upper portion. So that this TIC is used by w5 word is generated this process is running till w7 the user for the use of one time password word is not generated .through this process TIC code mechanism. is generated . The following are the sub-functions of Authentication protocol over the internet;- function g: 1) Firstly mobile device start the protocol through One byte left shift is done by this algorithm. By this sending its ID to the server . operation input is [a0,a1,a2,a3 ] is transformed into 2) Server create a session for this client and [a1,a2,a3,a0]. generate a random request it is a matrix request For each byte of input words, the Byte substitution 3) Client generate a challenge with his ID is done by SubWord,using the ENCRYPTED with the combination of the S-box. matrix key or internal key The output of the above two steps ( i.e.,step 1 and 2) 4) Server send a challenge received with the is XORed previous message and randomly generate Cipher Key Management:-our main session key objective is provide the secure transaction between 5) Client decrypt the message through the session client and server. So that produce a secret key and key when this challenge match the previous this key is used for encryption and decryption of challenge which is send to the server then client information. So that when start the transaction from consider it is a Valid server[4] the user side server generate the secret key and also generate the shared secret logic for encrypt the secret key and send to the user side user decrypt the key and use in the later stage .this same secret key is also store in the server side which decrypt the detail and TIC code and match this TIC with the store TIC which is issue to the user when it is match then transaction is start Factors of authentication:- Online banking fraud- The Internet is a medium which allows large number of people or organizations to communicate with each others in a few seconds, without much efforts and charges. . 2006 | P a g e
Anita Maheshwari / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-August 2012, pp.2003-2007 payments or with very less addition to the current charge of online payment. Basically, the cost model of the proposed protocol depends mostly on the policies that financial institutions adopt for implementing this protocol Future work will focus on developing a new and efficient way for TIC code generation at the financial institutions. TIC code installation on the user’s cell phone must also be an easy task to avoid repeated visits by the customers to the bank or financial institution. Server side TIC maintenance, management mechanism and distribution to satisfy the demand from a large number of users are also part of future work Now online fraud is very popular all over the world, it has become a major source of revenue for criminals. The banks or financial institutions are Referances:- very attentive in detecting and preventing online 1) Ayu Tiwari, Sudip Sanyal, Ajith frauds Abraham, Sugata Sanyal and Svein Key types of online fraud- Knapskog, ”A Multifactor Security The Online fraud has been categorized broadly into Protocol For Wireless Payment-Secure Web two categories as mentioned in Authentication using Mobile Devices”, User identity theft:- IADIS International Conference, Applied  Phishing attacks which trick the user Computing 2007, Salamanca, Spain, pp. 160- into providing access information. 167, February 2007.  Key-loggers and “spyware” which clearly 2) Lawton G., “Moving Java into Mobile capture access information. Phones”, IEEE Computer, Volume 35 Issue User Session Hijacking 6, pp. 17- 20, June 2002 Attacker gets control over the active user session 3) M. Debbabi, M. Saleh, C. Talhi and S. and monitors all user activities. Zhioua, “ Security Evaluation of J2ME  Local malware session hijacking attack CLDC Embedded Java Platform “, In Journal performs host file redirection. of Object Technology, volume.5, Issue 2,  Remote malware session hijacking attacks pages 125-154, March-April 2006. performs // (http://www.jot.fm/issues/issues 2006 Authentication Methodologies :- 3/article2) Existing authentication methodologies have basic three 4) Jablon David P., Integrity, Sciences, Inc. “factors Westboro, MA, ACM SIGCOMM, “Strong Password -Only Authenticated  Know: The user knows (password, PIN); Keyexchange”,Computer Communication  Has: The user has (ATM card, smart card); Review, Vol. 26, pp. 5 - 26, September and 2005.  Is: The user is (biometric characteristic such 5) J. Daemen and V. Rijmen, “Rijndael, the as a fingerprint). [2] advanced encryption standard,” In Dr. Conclution And Future Work:- Dobb's Journal, Volume 26 Issue 3, pp. 137- In online payment security is a major part. 139, March 2001. There are many internet threats that affect the 6) Pointcheval D. and Zimmer S., “Multi- security system of internet. single factor Factor Authenticated Key Exchange,” in authentication increases risk in communication Proceedings of Applied Cryptography and because it require only username and password so Network Security, pp.277-295, 2011 that any attacker hank this information and treat as a Author:- valid user that’s way use the multifactor authentication like a two way authentication technique is used for this purpose so that it reduce fraud and provide strong security application for online transaction. The implementation of this protocol will not Anita Maheshwari- she has completed her increase expenses of users significantly. This B.Tech.(I.T.) form Rajasthan University and protocol can be easily implemented and executed on M.Tech.(CSE) from Mewar University Chittorgrah the current expenses charged by financial (Raj.). Areas of interest is- Two way authentication institution from the users to perform online protocol for Mobile payment system 2007 | P a g e

More Related Content

PDF
An ATM Multi-Protocol Emulation Network
dbpublications
 
PDF
Security Architecture for On-Line Mutual Funds Trading With Multiple Mobile A...
CSCJournals
 
PDF
The 3-D Secure Protocol
Vlad Petre
 
PPTX
Account kit and internet banking
pragya garg
 
PPTX
EMV chip cards
Dilip Kumar
 
PDF
Ijcsi 9-4-2-457-462
Hai Nguyen
 
PDF
Secure PIN Management How to Issue and Change PINs Securely over the Web
SafeNet
 
PDF
Chip and Skim: cloning EMV cards with the pre-play attack
- Mark - Fullbright
 
An ATM Multi-Protocol Emulation Network
dbpublications
 
Security Architecture for On-Line Mutual Funds Trading With Multiple Mobile A...
CSCJournals
 
The 3-D Secure Protocol
Vlad Petre
 
Account kit and internet banking
pragya garg
 
EMV chip cards
Dilip Kumar
 
Ijcsi 9-4-2-457-462
Hai Nguyen
 
Secure PIN Management How to Issue and Change PINs Securely over the Web
SafeNet
 
Chip and Skim: cloning EMV cards with the pre-play attack
- Mark - Fullbright
 

What's hot (19)

PDF
Gresham Publication
Gresham Jnr Muradzikwa
 
PDF
D0351022026
inventionjournals
 
PDF
Sploitego
London School of Cyber Security
 
PDF
IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...
IRJET Journal
 
PDF
IRJET - A Paper on Enhanced PIN Security for SBI ATM through Aadhaar Linked O...
IRJET Journal
 
PDF
SECURED BANKING TRANSACTION USING VIRTUAL PASSWORD
International Journal of Technical Research & Application
 
PPTX
INTERNET BANKING & SECURITY ANALYSIS
RAHUL KUMAR
 
PDF
E Authentication System with QR Code and OTP
ijtsrd
 
PPT
Money pad the future wallet
Leelakh Sachdeva
 
PDF
Payment Tokenization
Hamid Ghorbani
 
PDF
Application to Quickly and Safely Store and Recover Credit Card’s Information...
IRJET Journal
 
DOC
Atm theft
Apurva Sharma
 
DOCX
CASE STUDY ON PKI & BIOMETRIC BASED APPLICATION
Pankaj Rane
 
PPTX
E banking security
Iman Rahmanian
 
PDF
Key Things to Know About EMV
Corral Solutions
 
PDF
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
ijcsit
 
PPTX
Electronic payment system
Sheetal goel
 
PDF
An Improvement To The Set Protocol Based On Signcryption
ijcisjournal
 
PDF
Analysis of Spending Pattern on Credit Card Fraud Detection
IOSR Journals
 
Gresham Publication
Gresham Jnr Muradzikwa
 
D0351022026
inventionjournals
 
Sploitego
London School of Cyber Security
 
IRJET- Credit Card Transaction using Fingerprint Recognisation and Two St...
IRJET Journal
 
IRJET - A Paper on Enhanced PIN Security for SBI ATM through Aadhaar Linked O...
IRJET Journal
 
SECURED BANKING TRANSACTION USING VIRTUAL PASSWORD
International Journal of Technical Research & Application
 
INTERNET BANKING & SECURITY ANALYSIS
RAHUL KUMAR
 
E Authentication System with QR Code and OTP
ijtsrd
 
Money pad the future wallet
Leelakh Sachdeva
 
Payment Tokenization
Hamid Ghorbani
 
Application to Quickly and Safely Store and Recover Credit Card’s Information...
IRJET Journal
 
Atm theft
Apurva Sharma
 
CASE STUDY ON PKI & BIOMETRIC BASED APPLICATION
Pankaj Rane
 
E banking security
Iman Rahmanian
 
Key Things to Know About EMV
Corral Solutions
 
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
ijcsit
 
Electronic payment system
Sheetal goel
 
An Improvement To The Set Protocol Based On Signcryption
ijcisjournal
 
Analysis of Spending Pattern on Credit Card Fraud Detection
IOSR Journals
 
Ad

Viewers also liked (20)

PDF
Hu2413771381
IJERA Editor
 
PDF
Es24906911
IJERA Editor
 
PDF
Fk2410001003
IJERA Editor
 
PDF
Fe24972976
IJERA Editor
 
PDF
Ia2414161420
IJERA Editor
 
PDF
Ho2413421346
IJERA Editor
 
PDF
J24077086
IJERA Editor
 
PDF
Gv2412201226
IJERA Editor
 
PDF
Gj2411521157
IJERA Editor
 
PDF
He2412821285
IJERA Editor
 
PDF
H24051055
IJERA Editor
 
PDF
Gs2412041207
IJERA Editor
 
PDF
Fz2410881090
IJERA Editor
 
PDF
Hh2412981302
IJERA Editor
 
PDF
Gx2412321236
IJERA Editor
 
PDF
Gn2411721180
IJERA Editor
 
PDF
Enredate Castellon 2014 Programa
Soluciona Facil
 
PPS
Ror jerusalem
Igal Assaf
 
PDF
Nimble, CRM Social Media, nueva App para #iOS
Soluciona Facil
 
PPTX
Puddles hunting in haast
dukelyer
 
Hu2413771381
IJERA Editor
 
Es24906911
IJERA Editor
 
Fk2410001003
IJERA Editor
 
Fe24972976
IJERA Editor
 
Ia2414161420
IJERA Editor
 
Ho2413421346
IJERA Editor
 
J24077086
IJERA Editor
 
Gv2412201226
IJERA Editor
 
Gj2411521157
IJERA Editor
 
He2412821285
IJERA Editor
 
H24051055
IJERA Editor
 
Gs2412041207
IJERA Editor
 
Fz2410881090
IJERA Editor
 
Hh2412981302
IJERA Editor
 
Gx2412321236
IJERA Editor
 
Gn2411721180
IJERA Editor
 
Enredate Castellon 2014 Programa
Soluciona Facil
 
Ror jerusalem
Igal Assaf
 
Nimble, CRM Social Media, nueva App para #iOS
Soluciona Facil
 
Puddles hunting in haast
dukelyer
 
Ad

Similar to Mb2420032007 (20)

PDF
Analysis of Security Algorithms used in E-Commerce and ATM Transactions
IJERD Editor
 
PPTX
NETWORK SECURITY-SET.pptx
Dr.Florence Dayana
 
PPT
Secure electronic transactions (SET)
Omar Ghazi
 
PDF
Card payment evolution v1.0
Nugroho Gito
 
PDF
QR BASED CARD-LESS ATM TRANSACTIONS
Journal For Research
 
PPTX
E banking of axis bank
Sitaram Saini
 
PPT
E Payment
Ankit Saxena
 
PPTX
Cyber cash
Chitra Lekha
 
PDF
Online Payment Solutions UK
Noirepay
 
PPTX
Online payment system
myangel27
 
PDF
Paper id 2320146
IJRAT
 
PDF
Securing Online Card Transactions
Shaillender (Bob) Mittal, CPSP
 
PDF
Transactions Using Bio-Metric Authentication
IRJET Journal
 
PPT
secure electronics transaction
Harsh Mehta
 
PPTX
Electronic Payment Protocol
Aju Thomas
 
PPT
Web services security_in_wse_3_ppt
Harshavardhan Achrekar
 
PDF
A Secure Account-Based Mobile Payment Protocol with Public Key Cryptography
IDES Editor
 
PDF
Bg24375379
IJERA Editor
 
PPTX
Payment gateway/payment service providers and future trends in mobile payment...
Danail Yotov
 
PPTX
Ch 2
Muhammad Hijab
 
Analysis of Security Algorithms used in E-Commerce and ATM Transactions
IJERD Editor
 
NETWORK SECURITY-SET.pptx
Dr.Florence Dayana
 
Secure electronic transactions (SET)
Omar Ghazi
 
Card payment evolution v1.0
Nugroho Gito
 
QR BASED CARD-LESS ATM TRANSACTIONS
Journal For Research
 
E banking of axis bank
Sitaram Saini
 
E Payment
Ankit Saxena
 
Cyber cash
Chitra Lekha
 
Online Payment Solutions UK
Noirepay
 
Online payment system
myangel27
 
Paper id 2320146
IJRAT
 
Securing Online Card Transactions
Shaillender (Bob) Mittal, CPSP
 
Transactions Using Bio-Metric Authentication
IRJET Journal
 
secure electronics transaction
Harsh Mehta
 
Electronic Payment Protocol
Aju Thomas
 
Web services security_in_wse_3_ppt
Harshavardhan Achrekar
 
A Secure Account-Based Mobile Payment Protocol with Public Key Cryptography
IDES Editor
 
Bg24375379
IJERA Editor
 
Payment gateway/payment service providers and future trends in mobile payment...
Danail Yotov
 
Ch 2
Muhammad Hijab
 

Mb2420032007

  • 1. Anita Maheshwari / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-August 2012, pp.2003-2007 Two Way Authentication Protocol For Mobile Payment System Anita Maheshwari Abstract In Two Way authentication technique use a best approach for secure web transaction. It uses a TIC code it is called transaction identification code and SMS it is called short message service both provide the higher security level. TIC is a OTP (one time password) technique and issued by bank or other financial institution to the user or person who is access to the web services. In this technique uses a encryption / decryption method. It is a very complicated algorithm. . This method keeps the TIC as a secret code on cell phone. Bank provides the TIC list to the user cell phone .The user can easily pick up the TIC form the stored list of TIC. . To keep the TICs secret we store our TICs list in an encrypted manner and decrypt it at the time of requirement. This code is used to initiate secure web transaction using cell phones. Then after two ways authentication technique is involved that authenticate both the user who involved in transaction. SET Based Transaction Protocol I. INTRODUCTION This diagram define working of the set protocol.- Set is secure electronic transaction .it design to protect credit card transaction through 1) Purchase request:-According to the diagram internet It provide the security and authentication In this step customer Agent visit the by registration. Set protocol permit user or Merchant website and select various items for customer who wants to make credit card payment purchasing and get total cost according to the to any of the web based services. It is a useful selected items. protocol for message exchanging between three 2) Merchant certificates & payment gateway parties: cardholder, merchant, payment gateway. certificates:-in this step merchant ask for . payment method & customer choose credit Some pseudo –code is used in this protocol- card through set protocol. 3) In this step digital wallet is invoke and give C M: initiate request list of credit card to customer for choosing M C: initiate response card. and customer select one credit card, 4) Customer selects the one credit card from the C M: purchase request list of credit card. After that merchant sends all payment information to the merchant bank M p: Authorization and capture for customer request 5) Merchant bank send all information to the P M: Authorization and capture customer bank for authentication purpose. response After that customer bank check all the information to own database. And also check M C: purchase response it is a valid user or not. 6) After completed all checking process customer bank send authorization response 7) Merchant bank send the message of authorization approval to the merchant Agent. 8) After that confirmation message received to the customer your order has been processed. 2003 | P a g e
  • 2. Anita Maheshwari / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-August 2012, pp.2003-2007 Some disadvantage of set protocol is:- 2. SMS Authentication 1) Set is only design for wired network. It not Bank stores the customer phone number to support fully wireless network. provide sms confirmation to user during transaction. 2) Set is end to end security mechanism which We assume that user will carry his cell phone or means it requiring traditional flow between receive sms. After getting sms user also send the customer and merchant. response (YES or NO) . when user send YES which 3) All the transaction is flow from the customer means he is a valid user and he want to access the to merchant so that it increases the risk of information & when user send NO or does not send middle attacker. So that at the middle all any response to web server which means it is not a information can be copied. valid user and transaction will be terminated.[1] 4) No one notification received from the customer bank to the customer after Architecture for secure web transaction successful transaction 5) Set protocol is only for card based not support account based payment system. So that we use a two way authentication protocol TWO WAY AUTHENTICATION APPROACH Introduction:- secure electronic transaction is a one way authentication technique so it increase lots of risk that way use one more approach is called multifactor authentication technique .it is a secure wed transaction it also include the cell phone in this transaction. Multifactor Authentication Technique:- This process use the two authentication techniques a) TIC (Transaction Identification code) b) SMS TIC Authentication Technique It is a Transaction Identification Code used to Figure describes the protocol which is start with the identify both the user which is involve in this money transaction by the user. We assume that all transaction. It is identify the transaction has been the information which is related to user is store in initiated by the valid user or right person. the wed server database like user cell number,  TIC codes are issued by the bank . account information etc.  It is combination of numeric or alphanumeric characters. According to this diagram many steps are done  It is randomly generated number. it is 8 bit or during transaction:- 16 bit number which is assign to user or customer. 1) Firstly User gets the username, Id, list of TIC  It is like a one time password which means one from the bank. Each user has one account which TIC code used only one time during transaction is receive from the bank authority and receive  It is unique code. TIC list from the bank authority. This list is encrypted through proper encryption algorithm. In this process we are assuming bank are After that user select one TIC code from this responsible to store TIC generation logic and they list. This TIC code is unique in each transaction. are also responsible the complexity of TIC code 2) User gives username and password to bank .bank are responsible for keep TIC as a secret. Bank website for authentication. It is a login process also provide the list of TIC code to the customer or 3) User information sends to the bank user. The Bank or Financial institution will keep a authorization server for verification. When user record of issued TIC codes to its customers and is a valid user then he receives the message match the same code during the online web from the server side. transaction. A TIC code is cancelled after each 4) User receive the login authentication success successful transaction. message from web server and web server also generate the session key and send to the user 2004 | P a g e
  • 3. Anita Maheshwari / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-August 2012, pp.2003-2007 5) The user will select mode of payment. We have consider two modes of payment: Credit Card based system & Account based Electronic transfer. 6) User will insert the details of payment by filling in a simple form with details such as merchant’s bank and branch code information, invoice number and account number to which an amount has to be transferred. . 7) The user will insert a TIC code by choosing a TIC code from the stored list of TICs. This TIC are stored with encrypted manner after that user will decrypt and send the TIC to the bank through the transaction after that this TIC code send to the bank authentication server. This TIC match to the list of TIC which is issued TIC the user/customer. AES encryption method is used in TIC encryption process. 8) Bank authentication server decrypt the message and receive the TIC code and match to the list of TIC which is issued to the user when both TICs match bank cancel the user TIC from database. If no TIC matches then send error message to the user. 9) Bank server generates an acknowledgement to the user, which makes use free to logout from CRYPTOGRAPHY AND KEY AND the web portal and wait for a confirmation SMS or to initiate another financial web transaction. SESSION MANAGEMENT Encryption is the process for translating 10) After complete this process the authentication plaintext into codable form which is called cipher server will send an SMS to the user’s cell phone text to make it unreadable form to anyone. So that it to verify the transaction is used to provide secret information. Cryptography 11) The user would confirm their initiated is very essential aspect for secure communication. transaction by choosing “YES” or deny it by choosing “NO” by replying confirmation SMS[1] ENCRYPTION ALGORITHM 12) The server will notify the user by a Message to we use AES algorithm it is a advanced acknowledge the successful completion of encryption standard. It is used for encryption of transaction or declination of the transaction. electronic data. It supports variable-length block using variable-length keys. A key size of 128, 192, or 256-bit can be used in encryption of data blocks TWO WAY AUTHENTICATION SYSTEMS that are 128, 192, or 256 bits. The main advantage of It is a system for two way authentication it describes this algorithm is block length and/or key bits can the five major components:- easily be expanded. We have considered a simple 1) User : user is a valid account holding customer example which shows the AES key expansion of the bank technique. In this technique 16 keys are used 2) Customer Agent (CA): it is software which is randomly and four words are used initially. Each installed into user mobile device. new word depends on the previous word. And one 3) Merchant Agent (MA): it is a online service special type of function is used in this process so provider so that user can perform online that key is randomly changed through this complex transaction and purchasing through merchant function.[4] agent. 4) Customer bank : this is the bank at which the user has a valid account 5) Merchant bank : this is the bank at which merchant has valid account [1] 2005 | P a g e
  • 4. Anita Maheshwari / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-August 2012, pp.2003-2007 According to this diagram key is generated from the server side and one shared secret key is also generate for encrypt this key and apply the AES algorithm and encrypt shared secret key is generated and it is send to the user cell phone. This key is a 128 bits. Whenever user cell phone is lost then no one can use this key because this key is store in the encrypt format so this key is very useful and this key is only decrypt when valid user login the bank website. One TIC list is send to the user cell phone. List is stored into encrypted manner user select the one TIC from the list he use the local password for this selection when TIC is selected it authomatically According to the diagram 4 keys are decrypt . and the selected TIC will also remove from provided to the 4 word w0 word is very first word it the TIC list. So that encryption and decryption of XOR with complex function and generate w4 word TIC is also based on the AES key algorithm which is then after this word is XOR with the w1 word and define to upper portion. So that this TIC is used by w5 word is generated this process is running till w7 the user for the use of one time password word is not generated .through this process TIC code mechanism. is generated . The following are the sub-functions of Authentication protocol over the internet;- function g: 1) Firstly mobile device start the protocol through One byte left shift is done by this algorithm. By this sending its ID to the server . operation input is [a0,a1,a2,a3 ] is transformed into 2) Server create a session for this client and [a1,a2,a3,a0]. generate a random request it is a matrix request For each byte of input words, the Byte substitution 3) Client generate a challenge with his ID is done by SubWord,using the ENCRYPTED with the combination of the S-box. matrix key or internal key The output of the above two steps ( i.e.,step 1 and 2) 4) Server send a challenge received with the is XORed previous message and randomly generate Cipher Key Management:-our main session key objective is provide the secure transaction between 5) Client decrypt the message through the session client and server. So that produce a secret key and key when this challenge match the previous this key is used for encryption and decryption of challenge which is send to the server then client information. So that when start the transaction from consider it is a Valid server[4] the user side server generate the secret key and also generate the shared secret logic for encrypt the secret key and send to the user side user decrypt the key and use in the later stage .this same secret key is also store in the server side which decrypt the detail and TIC code and match this TIC with the store TIC which is issue to the user when it is match then transaction is start Factors of authentication:- Online banking fraud- The Internet is a medium which allows large number of people or organizations to communicate with each others in a few seconds, without much efforts and charges. . 2006 | P a g e
  • 5. Anita Maheshwari / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-August 2012, pp.2003-2007 payments or with very less addition to the current charge of online payment. Basically, the cost model of the proposed protocol depends mostly on the policies that financial institutions adopt for implementing this protocol Future work will focus on developing a new and efficient way for TIC code generation at the financial institutions. TIC code installation on the user’s cell phone must also be an easy task to avoid repeated visits by the customers to the bank or financial institution. Server side TIC maintenance, management mechanism and distribution to satisfy the demand from a large number of users are also part of future work Now online fraud is very popular all over the world, it has become a major source of revenue for criminals. The banks or financial institutions are Referances:- very attentive in detecting and preventing online 1) Ayu Tiwari, Sudip Sanyal, Ajith frauds Abraham, Sugata Sanyal and Svein Key types of online fraud- Knapskog, ”A Multifactor Security The Online fraud has been categorized broadly into Protocol For Wireless Payment-Secure Web two categories as mentioned in Authentication using Mobile Devices”, User identity theft:- IADIS International Conference, Applied  Phishing attacks which trick the user Computing 2007, Salamanca, Spain, pp. 160- into providing access information. 167, February 2007.  Key-loggers and “spyware” which clearly 2) Lawton G., “Moving Java into Mobile capture access information. Phones”, IEEE Computer, Volume 35 Issue User Session Hijacking 6, pp. 17- 20, June 2002 Attacker gets control over the active user session 3) M. Debbabi, M. Saleh, C. Talhi and S. and monitors all user activities. Zhioua, “ Security Evaluation of J2ME  Local malware session hijacking attack CLDC Embedded Java Platform “, In Journal performs host file redirection. of Object Technology, volume.5, Issue 2,  Remote malware session hijacking attacks pages 125-154, March-April 2006. performs // (http://www.jot.fm/issues/issues 2006 Authentication Methodologies :- 3/article2) Existing authentication methodologies have basic three 4) Jablon David P., Integrity, Sciences, Inc. “factors Westboro, MA, ACM SIGCOMM, “Strong Password -Only Authenticated  Know: The user knows (password, PIN); Keyexchange”,Computer Communication  Has: The user has (ATM card, smart card); Review, Vol. 26, pp. 5 - 26, September and 2005.  Is: The user is (biometric characteristic such 5) J. Daemen and V. Rijmen, “Rijndael, the as a fingerprint). [2] advanced encryption standard,” In Dr. Conclution And Future Work:- Dobb's Journal, Volume 26 Issue 3, pp. 137- In online payment security is a major part. 139, March 2001. There are many internet threats that affect the 6) Pointcheval D. and Zimmer S., “Multi- security system of internet. single factor Factor Authenticated Key Exchange,” in authentication increases risk in communication Proceedings of Applied Cryptography and because it require only username and password so Network Security, pp.277-295, 2011 that any attacker hank this information and treat as a Author:- valid user that’s way use the multifactor authentication like a two way authentication technique is used for this purpose so that it reduce fraud and provide strong security application for online transaction. The implementation of this protocol will not Anita Maheshwari- she has completed her increase expenses of users significantly. This B.Tech.(I.T.) form Rajasthan University and protocol can be easily implemented and executed on M.Tech.(CSE) from Mewar University Chittorgrah the current expenses charged by financial (Raj.). Areas of interest is- Two way authentication institution from the users to perform online protocol for Mobile payment system 2007 | P a g e