net/publication/224085982
2 authors, including:
R. Moona
Indian Institute of Technology Bhilai
All content following this page was uploaded by R. Moona on 11 June 2014.
A Thesis Submitted
in Partial Fulfillment of the Requirements
for the Degree of
Bachelor - Master of Technology (Dual Degree)
by
Nitin Munjal
to the
July 2009
Abstract
At a time when e-commerce applications are fast emerging as an efficient and
popular delivery channel for financial services, security risk is also enhanced which can
transform the lives of many for the worse. With the advent of e-commerce, it has
become much easier for a ‘data bandit’ to sit in a nondescript location and quietly
siphon away money from the service users. The financial service outlets (e.g.
automated teller machines (ATM), Point of Sale (PoS) terminals) have long been a soft
target for these bandits. In the existing model, the users are forced to trust a
service outlet to be authentic. A spoofed outlet can collect the account information
and misuse it in some way later. Installing an outlet is also an expensive affair due
In this work, we propose a model that addresses these security and cost related is-
sues of the conventional Financial Service Model. The use of public key infrastructure
(PKI) based authentication scheme enables offline mutual trust establishment and re-
Introduction of smart cards provides a tamper-proof storage for the user’s sensitive
information and ensures that PKI keys are not exposed to the external world.
We designed and implemented a secure protocol for the model and also present
various implementation scenarios for the same. Owing to the lower equipment
and running costs, this implementation is ideal for installing outlets in rural areas. In
developing economies, where two-thirds of the population still lives in rural areas with
limited or no network connectivity, this model can help the banks reach the masses
Acknowledgments
I would take this opportunity to express my gratitude towards my advisor, friends and
family. First, I would like to thank my advisor Prof. Rajat Moona for his continuous
define my research goal and towards achieving it. His clarity of thought, dedication
to work and impeccable knowledge inspired me to learn and work hard. It would
not have been possible to complete this work without his inspiration and invaluable
suggestions.
Labs - CS108 and CS109 for their help and constant support.
I am indebted to my family for their unconditional love and for the toughest times
they have stood by me in. Their motivation and affection helped me achieve my goals.
Nitin Munjal
Dedicated to
Contents
List of Figures
1 Introduction
1.1 Motivation
1.2 Problem Statement
1.3 Related Work
1.4 Organization of Report
2 Financial Services
2.1 Electronic Payment Systems
2.1.1 Instruments of e-commerce
2.2 Attacks on Financial Service Outlets
2.2.1 Bogus outlet attack
2.2.2 Use of skimming devices
2.2.3 Shoulder surfing
2.2.4 Fake keypad overlay attack
2.3 Problem Classification
2.3.1 Security Issue
2.3.2 Network Issue
2.3.3 Cost Issue
2.3.4 User Inconvenience
Bibliography
List of Figures
Chapter 1
Introduction
Electronic Commerce has gradually seized the role of processing transactions from
the physical walls of bank branches. The swiftness and convenience that it offers has
resulted in it becoming an indispensable part of our day to day life. Financial orga-
nizations have shown great interest towards pushing the new technologies to the end
are commercial banks, credit card companies, insurance companies, investment funds,
stock brokerages etc. and by ‘services’, we refer to the financial services such as an
automatic teller machine (ATM), credit cards, electronic fund transfer etc. These or-
ganizations compete amongst each other to introduce newer and better services since
these services save working cost and/or lure more users by providing them more
comfort. However, as with most good things, there are always sore points. This also makes
these services a popular target amongst fraudsters. These services should therefore
try to close possible inroads and ensure that security is not compromised.
Over 2 billion people [34] in the developing world have no access to financial
services, which constrains economic growth. “A lack of access to finance in some parts
of the developing world stifles entrepreneurship, stunts development and leaves people
that concerns with the provision of financial services like credit, savings, insurance,
fund transfers etc. to low-income clients [26]. Most of the rural population consti-
tutes the poor and low-income clients. An easy access to the financial services would
encourage savings amongst the poor whilst, at the same time, discourage them from
it is often asserted that microfinance has the capacity to deal with poverty single
handedly. For all these reasons every now and then, numerous theories are often
1.1 Motivation
Financial services can play an important role in rural development as they increase
money flow and boost economy. “Rural finance is about providing financial services
- secure savings, credit, money transfer and insurance - in rural areas” [18]. Though
there is a substantial demand for rural financial services, financial institutions such as
lower utilization of the service outlet. Banks have an incentive of saving upon
the cost of human resource by installing a financial service outlet like an ATM.
the service outlet. So, these areas are left out for economic reasons.
time installation costs for hardware such as I/O devices, networking device and
cooling machine. Besides this, it incurs the run time cost for the persistent
querying a central server and authenticating the user. Two, updating the trans-
action information that took place with the user. It is estimated that an ATM
In the present transaction model for financial services, the user is constrained to
trust the service outlet. The user is provided no means to establish the authenticity
of the service outlet. There could arise scenarios where an attacker installs a fake
outlet, records the information stored in the user’s card along with the private
information (such as PIN) entered by the user, and uses it for a replay attack later.
There are two aspects of the problem that need to be addressed. One is the
be authentic. In this regard, some questions can be raised like “What if the outlet
is fake?” or “What if the outlet is meant to collect your card information and use
it against you later?”. The current transaction model fails to give an answer to these
concerns.
High installation and working cost of a financial service outlet is another issue
information. The requirement of a network along with hardware cost increases the cost
of installing an outlet so much that commercial banks are reluctant to install them
in rural areas. Hence the question, “Can the network component be eliminated from the
current transaction model for financial services so that costs are brought down?”
Low penetration of banking services in rural areas has been a deterrent to the
development of rural economy. Many attempts have been made by various researchers
Mobile banking has emerged as one of the feasible solutions to this problem. A pilot
program in this respect was launched in Andhra Pradesh, India in 2008 by “A Little
World” (ALW [3]) in association with NXP semiconductors and a non-profit agency,
Zero micro-finance. The initiative has registered 250,000 people in Andhra Pradesh
for mobile banking services [9]. The users have been issued a contactless RFID smart
card which biometrically stores the identity of the customer such as name, address,
photograph, fingerprint templates and details of savings or loan accounts held by the
issuing bank [33]. The users can use their card for doing transactions at Customer
Service Points (CSPs [7]). The transactions take place in a secure environment using
NFC enabled mobile phones. Currently, it is estimated that the government incurs
Rs. 13 on every Rs. 100 it shells out for the poor. It is claimed [33] that this mobile
The problem of low penetration of ATM in rural areas has been extensively stud-
ied by many researchers and organizations. Amila et al. [24] propose a system called
Mobile-ATM to address the problem of low financial and banking services in rural
areas by incorporating the mobile technology. The system introduces a new entity
M-ATM transactions. In this system, the customer, the M-ATM agent and the bank
communicate with each other through a sequence of secure SMS messages. After re-
ceiving the money withdrawal request from the customer and establishing his identity,
the bank instructs the M-ATM agent to hand over the money to the customer. The
M-ATM agent is trusted to pay the customer the money after establishing the customer’s
identity using a unique confirmation number. The bank deducts money from the
customer’s account and sends him a transaction confirmation SMS in response. The
concept relies on the fact that the spread of M-commerce is much larger than that of
internet connectivity. The introduction of M-ATM agents and cellular network service
provider provides a ubiquitous solution with reasonably high cost per transaction.
Han et al. [17] came up with a novel hybrid concept of Biometric Authentication
scheme for ATM based banking applications. They proposed two levels of authen-
tication, first using PKI based authentication and second using biometric trait like
a fingerprint. This scheme prevents card forgery and phishing attacks but the bio-
metric information is stored in the databases of the banks and requires online secure
channel of communication between the ATM and the server for biometric verification.
Moreover, the biometric devices are expensive and encrypting biometric images takes
for transferring money from one account to another, view bank statements, pay bills
[37] etc. by means of sending SMSs over the network. The merchant in this scheme,
Jhunjhunwala [23] proposes to set up a low cost ATM in rural areas. The ATM
called Gramateller which eliminates the need for personal identification numbers and
magnetic-stripe cards. Smart cards and fingerprints are used instead. The Gra-
mateller plugs into the PC of a village Internet kiosk to communicate with the bank
server. This model claims to bring down the installation cost of an ATM to approxi-
mately one-tenth of the current cost. The use of Internet kiosk, however, introduces
Moona et al. [14], [15] propose a solution which uses personal mobile devices held
by the user to interact with the service outlets. This model does away with the need
In this thesis, we mainly focus on explaining the work done by us, Munjal et al.
[30] [29]. We propose a Financial Service Model which aims to address the various
shortcomings of the current model. For this model, we also design and give imple-
mentation details of a secure protocol. The security of the working of the protocol
does not rely on the security architecture of the underlying communication channel.
Smart cards provide a tamper-proof storage media and protect data against unau-
thorized reading or copying. The use of public key infrastructure (PKI) removes the
Various aspects of financial service model have been elaborated in this thesis.
The thesis is divided into six chapters and a brief outline of each chapter is
enumerated below.
• Chapter 1. This chapter gives an introduction into financial services, their role
in economic development and the security issues concerning these services. The
chapter also gives a brief overview of the efforts being put up for the same.
• Chapter 2. This chapter gives an insight into the current financial services
offered by the commercial banks. The chapter also talks about instruments
• Chapter 3. Proposes a new financial service model which is low cost and secure.
• Chapter 4. This chapter deals with the design of a protocol for the transaction
protocol. The chapter also gives an overview of the design and implementation
of the work. The chapter further briefs on how the new model addresses the
• Chapter 6. This chapter summarizes the work and outlines future work.
Chapter 2
Financial Services
Financial services refer to services offered by the finance industry. We limit our
focus to services provided by the banking industry such as ATM outlets, credit card
outlets at shops, gas stations, malls etc. These services are often known as electronic
payment systems.
that offer most banking services almost any time. To withdraw money, make currency
deposits, transfer funds from one account to another or to make balance enquiries, a
customer is usually required to insert an ATM card and enter a personal identification
number (PIN) at an ATM outlet. Some commercial banks may charge a fee (per
Point of sale (PoS) allows the customers to make purchases by presenting their
charge card, credit card, debit card etc. The device, in this system, comprises
a compact counter top terminal which is connected to a network. These days, PoS
systems are being used extensively in supermarkets, malls, restaurants, gas stations,
hotels, casinos, retail shops etc. The system follows the universal ISO 8583 standard
[20] which defines the message format and the message flow sequence.
Electronic purse or e-purse systems have been developed as an alternative for cash
payments. The system is based on ‘pay-first’ concept [38] and uses a card with an
integrated chip such as a smart card. The card contains a stored value which denotes
the buying power in the card. The funds in the card can increase as well as decrease.
To increase funds in the card, the service provider loads the card with some monetary
value and a decrease in the stored value takes place upon payment of purchases. The
process is fast and easy and is appropriate for deployment at railway stations (for
payment of ticket charges), at shops, at vending machines (soft drink, fast food) or
at public pay phones. The cardholder is himself responsible for safety of the card as
there is no added safety mechanism (like PIN etc.) to prevent unauthorized use.
A debit card follows the ‘pay-now’ [38] or direct debit payment concept and em-
ploys either signature or PIN based safety measure. The card is usually a magnetic
stripe card and the magnetic stripe stores the cardholder’s account information. It
allows the user to make a purchase directly charged to funds on his bank account
Credit cards, on the other hand, offer a ‘pay-later’ system [38]. The card entitles
the cardholder to buy goods and services within a predefined monetary limit on the
popular delivery channel for financial services, the security risk associated with them
is also enhanced. The current transaction model for financial services offers easy
inroads for an attacker. In the upcoming sections we discuss some common attacks
This attack refers to the condition when an attacker installs a fake outlet which
imitates a genuine outlet. The user is, currently, provided with no way to trust the
outlet. So, in a way, he is compelled to use the outlet without establishing the identity
of the outlet. The outlet reads the user information from the card presented by the
user, takes the user PIN that is supplied by the user and stores it. This information
The first ever recorded instance of using a fake outlet (ATM) occurred in 1993
[11], when a gang of criminals put a bogus ATM at a shopping mall in Connecticut,
Manchester. The users didn’t know that the ATM was fake and would not dispense any
service. It was used to counterfeit ATM cards and swindle money from user accounts.
Skimmers are the devices that are used by swindlers to capture data from the
magnetic stripe of the card issued by the bank. These devices are small, easy to
carry and are often clamped together with the reader of a service outlet. The devices
are inexpensive, commercially available and can capture and retain the account
information of up to 200 ATM cards [11] before being reused. Some bold swindlers
have gone to the extent of placing a sign saying “Swipe Here First” before doing any
transaction. Other bold moves include portraying the skimming device as a “card
These devices are very successful at places where the user cares more about conve-
nience and ease of transactions rather than security such as petrol dispensing stations
Shoulder surfing refers to the act of direct observation as a person enters his PIN or
other private information at a financial service outlet. The modes of this observation
are that an attacker could either be looking directly (in close proximity), using a device
such as binoculars, or have placed some sophisticated equipment like miniature video
In case of credit cards, this can be used as means of recording the secret credit card
number and hence is very dangerous. This technique is usually used in conjunction
with the use of skimming devices to obtain full information so that a new card can
keypad overlay over the top of an existing keypad at a service outlet. The fake keypad
overlay is very thin, often transparent and cannot be detected by the naked eye.
The overlay pad stores each keypad button press along with the timestamp. This
information can later be downloaded from the equipment. The button press is relayed
to the original keypad and the transaction takes place normally without the user’s
We now present and classify the issues related to the current financial transaction
model. In the following chapters, we shall try to address these issues by proposing a
Security, by and large, remains the prime issue of concern in any kind of financial
service transaction model. All the shortcomings discussed in Section 2.2 constitute
the security issues related to the current financial service transaction model.
tion material, usually a magnetic stripe card or a smart card, to the customer.
access a service, the customer presents his authentication card to the service
the customer. The service outlet extracts customer information from the card
and sends this information (including the entered password) to a central server
anisms which are usually matched at the service outlet. After authentication,
the outlet sends the transaction information back to the central server. Thus,
and usually take an unpredictable amount of time to reach their destination. The
for input and output such as keyboard and display. This swells up the cost of
the outlet.
thentication token such as a magnetic stripe card, smart card, RF card etc. for
multiple services like credit account, debit account etc. and for each of the financial
Chapter 3
Model
claim, is secure and cost effective. We rely on public key infrastructure for authenti-
cation and key generation. This chapter also explains the security features involved.
All the transactions that take place between the financial service outlet and the
3. Confidentiality. Ensure data privacy; all the data carried in the transaction can
transaction.
Based on these requirements, we propose a model whose steps are outlined in Figure
3.1.
[Figure 3.1: Steps of the proposed model, between the User and the Financial Service Outlet: Certificate Exchange (each side: 1. Verify, 2. Get Public Key); Mutual Authentication and Key Establishment; Secure Channel; Account Information; Transactions.]
Initially, the financial service outlet and the user each have their own digital cer-
a binding between the identity and the public key of the remote entity. For each en-
tity, the entity’s identity, the public key, their binding, validity conditions and other
attributes are made unforgeable in digital certificates issued by the common root CA
(CCA) [28].
[Figure 3.2: Certificate chain hierarchy. Recoverable labels: Root CA Certificate (e.g. Reserve Bank of India), Trusted Authority; Untrusted; Untrusted.]
Figure 3.2 gives an example of a certificate chain hierarchy and gives an abstraction
on how a mutual trust is developed between the two participating entities, the ATM
outlet and the user. This hierarchy could be extended to involve many other banks.
This would enable a user to take advantage of the services of other banks too.
After certificate exchange, each entity needs to verify the digital certificates thus
received to trust the identity-public key binding. Once this binding has been estab-
lished, the entity only needs to ensure that the remote entity has a private key that
corresponds to the public key acquired from the certificate to prevent fake role play.
If these steps are completed successfully, the entity is said to have authenticated the
remote entity.
participating party, both sides exchange the certificates along with the certifi-
issue a challenge in order to verify that the intended recipient is the one with
nection using some other user’s public key, then he won’t be able to respond
The Session Key for establishing a secure channel is also derived in the Mutual
and other for MAC computation [28]. Encryption helps in maintaining the
the message then he won’t be able to decipher the message. Attaching MAC
with message is necessary to ensure integrity and authenticity of the data. New
ment of a secure channel between the user and the outlet, the confidential
account information can be safely transmitted by the user over this channel.
All messages will be encrypted using the encryption key and a MAC will be
computed using the MAC key and attached to it to maintain the confidentiality
The account information that is sent by the user is first signed [25] by the user
and then counter signed by the bank. If the outlet verifies that the account
information provided by the user is authentic, it lets the user perform the
transaction. The details of each transaction are stored in logs in the financial service
outlet. This information can be updated to the central server periodically
The session keys for confidentiality and MAC are generated for establishing the
secure channel to communicate. The session keys are for the symmetric key operation,
since these operations are computationally much cheaper as compared to the PKI
operations. In our model, the account information is signed first by the user and then
by the bank. The user signature is added to make sure that the account information
provided is indeed of the user with whom the communication is taking place. In this
way, a person cannot use someone else’s account information. This user signature
needs to be counter signed by the bank. This would prevent a user from forging
the account information. This signature sequence cannot be reversed (i.e. bank’s
signature and then counter signed by the user) because in that case, a malicious user
can use his signature over someone else’s account information that is signed by the
bank.
In this model, mutual authentication and session key establishment are done in the
same stage. Separate stages for mutual authentication and session key establishment
could pose a security threat if the same algorithm is used. For example, if a malicious
user wants to get the session key for some ongoing transaction then he can send the
other entity, on reception of this challenge, will decrypt it and send it back to the
malicious user thus giving him the session key of the current transaction. Besides
Chapter 4
Transaction Model
The goal of our effort is to develop a secure transaction protocol [36] at the applica-
tion layer. The protocol should be secure and should not rely on security architecture
of lower layers. This would enable it to be used in conjunction with a variety of lower
layer protocols. The protocol should work under the following worst case assumptions.
4.1 Terminology
The Client: In the context that follows, the client is the machine, such as mobile
phone, smart card etc., using which one wants to do a transaction. A transaction
could be any of the following: withdraw money, transfer money, payment or balance
check.
The Server: The role of the server is to accept and serve requests from the client.
In this context, the server refers to the machine providing the ATM service or PoS
terminals.
We now present the details of the protocol for the transaction model proposed
The protocol involves a sequence of stages, where none of the later stages shall
take place without the successful completion of the previous stage. The stages in
1. Handshake stage.
5. Transaction stage.
The protocol to be followed by the client and the server is shown in Figures 4.1 and
4.2 respectively.
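The stage ordering described above, sketched as a table-driven server state machine; this is an added example, not code from the thesis. The message names are those of the protocol's client and server flowcharts; the `Stage` names, the `check_passed` flag standing in for the real verification, and the return to the ready state after a failed check are assumptions.

```python
from enum import Enum, auto


class Stage(Enum):
    READY = auto()            # listening, nothing negotiated yet
    HANDSHAKE_DONE = auto()   # Hello accepted, Welcome sent
    CERTS_DONE = auto()       # certificate chains exchanged and verified
    CHALLENGED = auto()       # client's Challenge answered with Response
    SECURE = auto()           # client's Response verified, secure channel up
    ACCOUNT_OK = auto()       # AccountInformation accepted


# (stage, received message) -> (reply if the check passes,
#                               reply if the check fails, next stage)
# Where the flowchart offers two error names, the first one is used here.
TRANSITIONS = {
    (Stage.READY, "Hello"):
        ("Welcome", "ProtocolNotSupported", Stage.HANDSHAKE_DONE),
    (Stage.HANDSHAKE_DONE, "Certificates"):
        ("Certificates", "InvalidCertificates", Stage.CERTS_DONE),
    (Stage.CERTS_DONE, "Challenge"):
        ("Response", None, Stage.CHALLENGED),
    (Stage.CHALLENGED, "Response"):
        ("Okay", "ResponseVerificationFailed", Stage.SECURE),
    (Stage.SECURE, "AccountInformation"):
        ("Okay", "InvalidAccountInformation", Stage.ACCOUNT_OK),
    (Stage.ACCOUNT_OK, "Transaction"):
        ("Okay", "InvalidTransaction", Stage.ACCOUNT_OK),
    (Stage.ACCOUNT_OK, "CloseConnection"):
        (None, None, Stage.READY),
}
KNOWN_COMMANDS = {message for (_, message) in TRANSITIONS}


class ServerSession:
    """Refuses any message that arrives before its stage has been reached."""

    def __init__(self):
        self.stage = Stage.READY

    def handle(self, message, check_passed=True):
        # check_passed is a stand-in (assumption) for the real verification:
        # certificate chain, signature, MAC, account data, and so on.
        if message not in KNOWN_COMMANDS:
            self.stage = Stage.READY
            return "InvalidCommand"
        step = TRANSITIONS.get((self.stage, message))
        if step is None:
            # A known message, but not the one this stage expects.
            self.stage = Stage.READY
            return "UnexpectedCommand"
        ok_reply, fail_reply, next_stage = step
        if not check_passed and fail_reply is not None:
            self.stage = Stage.READY   # assumed: a failed check ends the session
            return fail_reply
        self.stage = next_stage
        return ok_reply


def run(messages):
    """Feed a constructed message sequence to a fresh session."""
    session = ServerSession()
    return [session.handle(m) for m in messages]


if __name__ == "__main__":
    # Constructed sequences: a complete session, then an attempt to send a
    # Transaction before mutual authentication has taken place.
    print(run(["Hello", "Certificates", "Challenge", "Response",
               "AccountInformation", "Transaction", "CloseConnection"]))
    print(run(["Hello", "Certificates", "Transaction"]))
```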
Most protocols (TLS, SSL, SSH etc.) are dependent on cryptographic algorithms
that they use. However our proposed protocol does away with this necessity by using
A protocol defines the sequence and flow of messages that takes place between
two communicating entities and the content of these messages. In context of this
The aim of this stage is to negotiate the Protocol version and the Algorithm suite.
The Handshake is carried out using the following message exchanges between the
1. Hello message
2. Welcome message
When a client first connects to the server, it is required to send Hello message as
its first message. Hello message is a request for the server to start the negotiation
process anew. In response, the server should send Welcome message when convenient.

[Figure 4.1: Client protocol flowchart. Recoverable labels: Ready (wait for user action); send Hello; received ProtocolNotSupported / AlgorithmNotSupported; received Welcome, "Is message okay?" (N: send ProtocolNotSupported / AlgorithmNotSupported; Y: send Certificates); received ExpiredCertificate / RevokedCertificate / InvalidCertificate; received Certificates, "Certificate Verification successful?" (N: send ExpiredCertificate / RevokedCertificate / InvalidCertificate; Y: send Challenge); received Response, "Is message okay?" (N: send ResponseVerificationFailed / InvalidResponse); received Okay; "Do more Transaction?"; send CloseConnection. Note in figure: At any state, if the receiver receives any invalid command or any unexpected command, it sends InvalidCommand and UnexpectedCommand message respectively and goes back to the ready state.]

[Figure 4.2: Server protocol flowchart. Recoverable labels: Ready (Listening); received Hello, "Is Protocol / Algorithm supported?" (N: send ProtocolNotSupported / AlgorithmNotSupported; Y: send Welcome); received ProtocolNotSupported / AlgorithmNotSupported; received Certificates, "Certificates verification successful?" (N: send ExpiredCertificate / RevokedCertificate / InvalidCertificates; Y: send Certificates); received ResponseVerificationFailed / InvalidResponse; received Challenge, send Response; received Response, "Is message okay?" (N: send ResponseVerificationFailed / InvalidResponse; Y: send Okay); received AccountInformation, "Is AccountInformation correct?" (N: send InvalidAccountInformation; Y: send Okay); received Transaction, "Is Transaction valid?" (N: send InvalidTransaction / ImpermissibleTransaction; Y: send Okay); received CloseConnection. Notes in figure: At any state, if the receiver receives any invalid command or any unexpected command, it sends InvalidCommand and UnexpectedCommand message respectively and goes back to the ready state. Upon reception of InvalidCommand or UnexpectedCommand message, the receiver goes back to the ready state. Greyed area denotes that information is transmitted over a secure channel. On a secure channel, if the message is incorrect (wrong MAC or bad encryption), the session is aborted and the server goes back to ready state.]
ProtocolVersionList carries the list of versions of the protocol that the client
03 31 2E 30.
(Encryption-MAC pair) algorithms that the client supports. The server should choose
a pair of hash and encMAC algorithm that is supported by the server and is the most
The server should send this message in response to Hello message from the
it cannot find such a match, it should respond with an appropriate error message
ProtocolNotSupported or AlgorithmNotSupported.
Welcome message means that the server has agreed upon a pair of hash and enc-
MAC algorithm. The pair of algorithm that the server has agreed upon is included
in this message.
The server also specifies in this message, the server’s preferred protocol that is usu-
ally the highest version provided by the client that is also supported by the server.
SelectedProtocolVersion contains the protocol version that the server has agreed
rithm selected by the server. The server must select one of the hash and encMAC
algorithms present in AlgorithmSuite (in Hello message) with the following condi-
tions.
2. Each of the selected hash and encMAC algorithms is the most favored amongst
sent by the server are not among those sent by the client during the Hello message
Otherwise, the client should start the Certificate Exchange stage after receiving this
message.
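The negotiation rules of the Handshake stage, as an added example that is not code from the thesis: the server picks from what the client offered, and the client rejects a Welcome naming anything it did not offer. The `Hello`/`Welcome` field layout, the dotted version strings, the reading of the client's lists as ordered most favored first, and the algorithm names in the sample are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hello:
    protocol_versions: tuple   # ProtocolVersionList
    hashes: tuple              # hash part of AlgorithmSuite, most favored first
    enc_macs: tuple            # encMAC part of AlgorithmSuite, most favored first


@dataclass(frozen=True)
class Welcome:
    selected_version: str      # SelectedProtocolVersion
    hash_alg: str
    enc_mac: str


def _version_key(version):
    # Compare "1.10" > "1.9" numerically rather than as text.
    return tuple(int(part) for part in version.split("."))


def server_select(hello, versions, hashes, enc_macs):
    """Server side: return a Welcome, or the name of the error message."""
    common = [v for v in hello.protocol_versions if v in versions]
    if not common:
        return "ProtocolNotSupported"
    # First entry of each client list that the server also supports.
    hash_alg = next((h for h in hello.hashes if h in hashes), None)
    enc_mac = next((e for e in hello.enc_macs if e in enc_macs), None)
    if hash_alg is None or enc_mac is None:
        return "AlgorithmNotSupported"
    # Highest version provided by the client that the server supports.
    return Welcome(max(common, key=_version_key), hash_alg, enc_mac)


def client_check(hello, welcome):
    """Client side: None means continue to the Certificate Exchange stage."""
    if welcome.selected_version not in hello.protocol_versions:
        return "ProtocolNotSupported"
    if (welcome.hash_alg not in hello.hashes
            or welcome.enc_mac not in hello.enc_macs):
        # The server named an algorithm the client never offered, for
        # example a weaker one than anything in its Hello.
        return "AlgorithmNotSupported"
    return None


# Constructed sample Hello; the version and algorithm names are illustrative.
SAMPLE_HELLO = Hello(
    protocol_versions=("1.0", "1.9", "1.10"),
    hashes=("SHA-256", "SHA-1"),
    enc_macs=("AES-128-CBC/HMAC-SHA-256", "3DES-CBC/HMAC-SHA-1"),
)

if __name__ == "__main__":
    welcome = server_select(SAMPLE_HELLO,
                            versions={"1.0", "1.9", "1.10"},
                            hashes={"SHA-1", "SHA-256"},
                            enc_macs={"3DES-CBC/HMAC-SHA-1"})
    print(welcome, client_check(SAMPLE_HELLO, welcome))
    forged = Welcome("1.0", "MD5", "3DES-CBC/HMAC-SHA-1")
    print(client_check(SAMPLE_HELLO, forged))
```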
Certificate exchange serves two purposes - one, exchange of public key; two, veri-
fication that the public key is signed by the common root CA.
The sender presents the list of certificates in the certificate chain to let receiver
know the sender’s public key and to allow the receiver to verify the sender’s public key
in order of their hierarchy. The former certificates are closer to the root CA than the
In particular,
- Each certificate in the certificate chain is verified by the public key in the cer-
a. Certificates message - If the received certificates are verified then the receiver
b. Mutual Authentication stage is started - If the receiver has verified that the
received certificates are okay and the receiver’s certificates are also verified,
In order to ensure that the other side has private key as claimed, each side needs
keys for encryption and MAC operations [28] are also derived in this stage.
This message carries the challenge issued by the client in order to authenticate the
other party, i.e. the server. The server, in response, must send the Response message
to the client which would enable the client to authenticate the server.
The challenge is a random number, say R1, generated by the sender of this
message. For this version of the specification, the random number chosen is 8 bytes
long.
2. The server then concatenates the random number generated, the random num-
4. The server computes the hash of the message H1 = Hash(M1) using the Hash
vateKey, H1).
= $C1 \| S1$.
For this version of specification, R2 and K2 are chosen to be 8-byte and 16-byte
SIGN operations are the standard RSA operations as defined in PKCS #1 v2.1 [35].
In reply to Response message sent by the server, the client sends another Response
1. The client verifies Response message sent by the server. Let M be the message
(ServerPublicKey, M, S1). If the verification fails, the client responds with the
3. The client extracts the random number R1 and checks if it has the same value
5. The client then concatenates the random number received, R2, and the key
C2).
8. The response sent by the client is the concatenation of the cryptogram and its
For this version of specification, R1 and K1 are chosen to be 8-byte and 16-
In response to Response message sent by the client, the server responds according
to the following.
1. The server verifies the Response message sent by the client. Let M be the
message received, M = C2 ‖ S2. Then, the client verifies the signature using
3. The server extracts the random number R2 and checks if it has the same value
message.
After the successful completion of the Mutual Authentication stage, the session keys
1. Compute $K'_{ENC} = \mathrm{HASH}((K1 \oplus K2) \,\|\, \texttt{0x00 00 00 01})$ and $K'_{MAC} = \mathrm{HASH}((K1 \oplus K2) \,\|\, \texttt{0x00 00 00 02})$. Let $K'_{ENC}$ and $K'_{MAC}$ be $l'$ bytes long.
2. Let $l_{Kenc}$ bytes and $l_{Kmac}$ bytes be the lengths of the keys required for encryption and MAC algorithms respectively which were negotiated in the Handshake
for encryption, $K_{ENC}$, such that length (in bytes) of $K_{ENC}$ equals $l_{Kenc}$.
$K_{ENC} = K'_{ENC} \,\|\, 1 \ldots 1$.
Else $K_{ENC}$ equals first $l_{Kenc}$ bytes of $K'_{ENC}$
(b) If $l' \le l_{Kmac}$, $K'_{MAC}$ is padded with ones in the end to get session key
Here HASH operation uses the hash algorithm negotiated in the Handshake stage.
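The session key derivation described above, as an added Python example (not the thesis's Java implementation). It assumes that "padded with ones" means one-bits (0xFF bytes), that the encryption key follows the same pad-or-truncate rule the text gives for the MAC key, and that K1 and K2 have equal length; all function names are hypothetical.

```python
import hashlib

# Suffixes from the derivation: 0x00 00 00 01 (encryption), 0x00 00 00 02 (MAC).
ENC_SUFFIX = bytes.fromhex("00000001")
MAC_SUFFIX = bytes.fromhex("00000002")


def fit_key(raw: bytes, length: int) -> bytes:
    """Pad with ones at the end, or keep the first `length` bytes.

    Assumption: "ones" means one-bits, i.e. 0xFF bytes.
    """
    if len(raw) <= length:
        return raw + b"\xff" * (length - len(raw))
    return raw[:length]


def derive_session_keys(k1: bytes, k2: bytes, hash_name: str,
                        l_kenc: int, l_kmac: int) -> tuple:
    """Return (K_ENC, K_MAC) from the two key contributions K1 and K2."""
    if len(k1) != len(k2) or not k1:
        raise ValueError("K1 and K2 must be non-empty and of equal length")
    if l_kenc <= 0 or l_kmac <= 0:
        raise ValueError("key lengths must be positive")
    shared = bytes(a ^ b for a, b in zip(k1, k2))  # K1 XOR K2
    k_enc_raw = hashlib.new(hash_name, shared + ENC_SUFFIX).digest()  # K'_ENC
    k_mac_raw = hashlib.new(hash_name, shared + MAC_SUFFIX).digest()  # K'_MAC
    return fit_key(k_enc_raw, l_kenc), fit_key(k_mac_raw, l_kmac)


def effective_key_bytes(hash_name: str, length: int) -> int:
    """Bytes of the final key that depend on K1 and K2; the rest is constant padding."""
    return min(hashlib.new(hash_name).digest_size, length)


if __name__ == "__main__":
    # Constructed sample values: two 16-byte key contributions.
    k1 = bytes(range(16))
    k2 = bytes(range(16, 32))
    # SHA-1 (20-byte output) with a 16-byte encryption key and a 32-byte MAC key
    # exercises both branches: truncation for K_ENC, padding for K_MAC.
    k_enc, k_mac = derive_session_keys(k1, k2, "sha1", 16, 32)
    print("K_ENC:", k_enc.hex())
    print("K_MAC:", k_mac.hex())
    print("K_MAC bytes that depend on K1 and K2:", effective_key_bytes("sha1", 32))
```

When the negotiated hash output is shorter than the required key, the padded bytes are constant and known to everyone, so the key's strength is bounded by the hash length; `effective_key_bytes` reports that bound.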
This stage is initiated only after the Mutual Authentication stage. All the mes-
sages in this stage shall be carried using the encryption and MAC algorithm negotiated
during the Handshake stage and the session keys derived in Mutual Authentication
This message carries the bank account information of the client and is sent using
the secure channel. The information contained is the Track 2 information according
to ISO/IEC 7813 [21] standard. This information is further signed by the user and
SU = RSASSA-PSS-SIGN(UserPrivateKey, I).
SIGN(BankPrivateKey, S').
the certificate in the chain can be verified using the certificate immediately preceding
it in the chain. The first certificate in the certificate chain is the certificate of the entity
next to root CA. The last certificate in the certificate chain is the certificate of user.
UserPrivateKey and BankPrivateKey are the user’s private key (corresponding to the
user’s public key in the certificateList) and the bank’s private key (corresponding
One of the following messages must be sent by the server using the secure channel
The transaction details are sent only after the client receives the Okay message in response to
the AccountInformation message. All the messages in this stage are sent
The amount is the amount of money that the user wants to withdraw from the
code, the bank branch’s IFSC code, the bank branch’s SWIFT code and the user’s
The message in this stage is also sent over the secure channel.
This message is sent by the client when the user does not want to do any more
transactions.
Okay: This message is sent by the server to the client to denote the successful
completion of the Mutual Authentication stage, Account Information stage and the
Transaction stage.
in the Handshake stage, it sends this message in response to the Hello message.
If the client doesn’t find the algorithm acceptable in the Welcome message, it sends
a certificate in the certificate chain is an expired one, it sends this error message.
message, if the user’s or bank’s signature on the account information could not be
verified.
InvalidAccountInformation::= SEQUENCE {
command IA5String("AINV"),
...
}
a certificate in the certificate chain fails certificate verification, it sends this error message.
InvalidCommand: This message is sent when the last message received does not rep-
InvalidResponse: This message is sent when the received Response message does
the Handshake stage it sends this message in response to the Hello message.
one or more of the certificates in the certificate chain have been revoked, it sends this
message.
message, if the random number received in the Response message does not match
UnexpectedCommand: This message is sent when some valid but unexpected com-
mand is received.
Chapter 5
There can be three scenarios possible as shown in Figure 5.1. We shall discuss
these scenarios in reverse order, i.e. from the least preferred to the most preferred
scenario.
[Figure 5.1: Scenarios I, II and III. Labels: ATM, Mobile, Card]
In the third case, the user has a personal electronic device (e.g. a mobile phone)
which is capable of communicating with the financial service outlet via Bluetooth [1]
or USB [2] or Infra Red technology. All the user’s personal information, the user’s
digital certificate chain, account information is stored in the device. The session keys
used in secure communication are derived between the device and the outlet. In this
scenario the confidentiality of the session keys cannot be ensured since the session
keys reside in the memory of the device. An attacker can possibly install a malware
program (e.g. Spyware) that resides in the device’s memory and leaks the session key
In the second case, the user is only provided a smart card. The user’s digital
certificate chain, the private key corresponding to the user’s digital certificate and
account information are stored securely in the smart card. The smart card uses PKI
with the outlet. This case is more secure compared to the third case as smart cards
are known to store the information securely. However, the only downside of this
scenario is that the cryptographic computation cost is incurred by the smart card.
This would increase the per transaction time and thus is not very favorable. Also
this scenario is still susceptible to fake keypad overlay attack and shoulder surfing
(Chapter 2).
The first case takes the best of both worlds. The introduction of an electronic device ensures
faster transactions and the smart card ensures data protection. This scheme prevents
attacks such as the skimming device attack, shoulder surfing and the fake keypad overlay attack.
The user enters the confidential information (PIN) on his personal device which he
can safely trust. As we saw that the account information and the transaction details
between the personal device and the outlet are exchanged over a secure channel,
Choosing the smart card as storage device for private information and certificates,
mobile phone as the personal electronic device, and ATM as the service provider, the
1. Registration of the user with the bank. During the registration, the user is
issued a smart card which carries a certificate chain, account details, PIN and
the private key of the user. Only after the user enters the correct PIN can he
2. The user authenticates himself to the smart card using his PIN.
3. The mobile phone reads the certificate chain from the smart card and an ex-
change of certificates between the mobile phone and the ATM takes place.
4. The ATM and the mobile phone perform mutual authentication to ensure that the other
side possesses the private key as claimed. The session key is also established in
this process. This stage requires PKI operations to be done by the smart card.
5. The mobile phone sends the bank account information of the user, signed by
the user and counter signed by the bank to the ATM over a secure channel.
6. The user now does multiple transactions with the ATM over the secure channel
The outlet-phone communication can be established using either Bluetooth [1], USB
[2] or Infra Red technologies and the phone-card communication using NFC technol-
ogy [5] [6]. A contactless ISO 14443 [22] compatible smart card stores the certificate
chain, user’s private key, the user’s account information and user’s PIN. Optionally
the account balance and transaction log can also be stored in the card. The card com-
municates [31] with the phone using NFC. The need of using a smart card arises from
the fact that the data stored in the smart card can be protected against unauthorized
The ATM keeps the log of the transaction details and periodically updates it to
a centralized location.
The session keys are always to be derived between the end entities (between the
outlet and the card in Scenario I and II and outlet and electronic device in Scenario
III, Figure 5.1). The protocol is designed keeping client side cryptography in mind.
By virtue of the mutual authentication stage of the protocol, we can easily use the
protocol in conjunction with a smart card. In such cases (Scenario I and II respectively,
Figure 5.1), the personal device and the outlet, respectively, can issue commands like
5.3 Implementation
We implemented the protocol to work over the connection-oriented Transmission
Control Protocol (TCP). In our implementation, the outlet and the client
are both personal computers which can run the Java Runtime Environment. We chose
2. Bouncy Castle Crypto APIs [39]. Bouncy Castle, Release 1.43 for Java SE
6.
rithms. Our motivation for using the Bouncy Castle API comes from the fact that this library
can be used as a JCE provider, implements over 400 cryptographic algorithms and
below.
    import org.bouncycastle.asn1.*;

    public class ASN1Object extends ASN1Encodable {
        // class fields

        /* create object from parameters */
        public ASN1Object(...) {}

        /* create object from ASN.1 stream */
        public ASN1Object(ASN1Sequence seq) {}

        /* converts the class object to ASN.1 stream */
        @Override
        public DERObject toASN1Object() {}
    }
By virtue of this structure, the same class can be used to encode and decode
ASN.1 Objects.
Each transaction is stored (in a fixed length format) with the outlet and optionally
5.3.2 Testing
implementation for errors and exceptions. Test cases were designed which include
message dropping, message modification, message not following the protocol order,
algorithms not implemented, etc. We tested the code for race conditions.
5.4.1 NFC
NFC stands for Near Field Communication. It is a short range, high frequency
wireless communication technology which enables the exchange of data between two
devices over a distance of a few centimeters. NFC relies on the principle of inductive
coupling and is globally available in the 13.56 MHz range with data transfer speeds up to
424 kbps [5]. The technology extends ISO 14443 [22] proximity card standard which
ensures that it can interface with a smart card. This technology is primarily targeted
to be used in mobile phones coupled with an embedded smart card so that it would
5.4.2 Bluetooth
lets two devices communicate within a Personal Area Network (PAN) at distances
spread spectrum which enables it to hop the communication over 79 frequencies. The
SIG [1]. Some of the widely used are L2CAP (Logical Link Control and Adaptation
5.5 Discussions
The following section describes how our model addresses the critiques of the cur-
In Section 2.3, we discussed and classified the various shortcomings of the current
model in four major issues. In this section, we explain one by one how the proposed
In the new model, a mutual trust is established between the user and the outlet.
Both the user and the outlet authenticate each other using PKI. If the outlet is fake,
the user will get to know about it and will not reveal his personal and confidential
information to the fake outlet. In this way, the Bogus outlet attack (Section 2.2.1) cannot
take place.
Attacks like Shoulder surfing and Fake keypad overlay attack (Section 2.2.3, 2.2.4)
are also precluded. This happens because now the user does not need to type his PIN
at non-trusted locations. He can use the trusted keypad hardware of his personal
Addition of smart card as means of storing data securely renders the use of skim-
able to authenticate the user using the user’s PIN and his account information. Since
in the proposed model, the outlet authenticates the user using PKI, it does not
require persistent network connectivity for authenticating the user. This saves a lot
Most financial services which use the network claim round-the-clock availability.
Typically an outlet would require a display device (e.g. Monitor) and an input
device (e.g. Keyboard). For a service outlet like an ATM, more hardware also implies
additional cooling costs. This swells the cost of the outlet. The proposed model
would do away with the need for either of the above, since the user can make use of
A single smart card can store a number of applications, one for each service the
user has access to. This eliminates the need to carry a different card for each
service.
In places like gas (petrol) dispensing stations, the user can remain seated in his car and
use the smart card and a personal device (e.g. a phone with Bluetooth) to do the
transaction without physically having to get out of the car. This way the model is more
A few things that are left out and out of the scope of this thesis but are important
How to prevent money overdrawing? A user can withdraw more money than his
account balance and the outlet won’t know of this because it is not connected to any
network. To prevent this, a counter denoting the current account balance is securely
Need to carry multiple cards? One single smart card can store a number of applications,
each for the service the user has access to. This eliminates the need to carry
How soon to update transaction log? This depends on the policy of the outlet
owner. It could vary from a few hours to a couple of days. The account information at
the central server is stale between two consecutive updates to the server.
How to update? Updating the transaction log can be done manually (a person
Security of the outlet? Mischievous users can possibly try to break/destroy the
outlet after withdrawing money and before the outlet updates data to the central
server. The outlet owner is responsible for providing security to the outlet.
Chapter 6
6.1 Conclusion
In this work, we have proposed a new transaction model for financial services
which addresses the various concerns related to the existing transaction model. As is
evident from the discussion in the various chapters, there is a requirement to provide
a lower-cost and more secure model for financial services. Lower-cost financial services
would enable the financial institutions to reach the rural population and contribute
to rural development. Also, amidst the sharp rise in the cases of identity theft such
as credit card identity theft and credit card frauds, we learnt the lesson not to trust
the hardware of a public financial service outlet. The model utilizes public key infras-
tructure (PKI) to ensure that both these requirements are met. PKI allows offline
mutual authentication is also possible, implying that users are no longer forced to
We have also made an attempt to design a secure protocol for this model. The
protocol does not rely on the security architecture of the underlying communication
channel (Bluetooth etc.) used for its working. Cracking this protocol is equivalent to
the problem of breaking the algorithms used by it (here RSA). Smart cards provide a
tamper-proof storage media and protect data against unauthorized reading or copying
[32]. This renders the use of skimming devices ineffective. The client-server protocol
do the transaction. SCOSTA now supports PKI [16] operations. The Java code
create MIDP (Java ME) application to run on the mobile device supporting JSR257
(for NFC). The application can then communicate with the SCOSTA-PKI smart card
Bibliography
[8] ATM Scam. Bank ATMs converted to steal bank customer IDs. Online:
http://www.utexas.edu/police/alerts/atm scam/.
[11] Diebold, Incorporated. ATM Fraud and Security - White Paper, September 2006.
Online: http://www.diebold.com/atmsecurity/resources.htm.
[12] Olivier Dubuisson and Philippe Fouquart. ASN.1: communication between het-
erogeneous systems. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA,
2001.
[13] Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and Jacques Stern.
RSA-OAEP Is Secure under the RSA Assumption. J. Cryptol., 17(2):81–104,
2004.
[15] Abhishek Gaurav, Ankit Sharma, Vikas Gelara, and Rajat Moona. Using mobile
device for authentication and service-access. Indian Patent Office, April 2008.
Patent application number 1018/Del/2008.
[16] Aditi Gupta. Design and Implementation of Public Key Infrastructure on Smart
Card Operating System. Master’s thesis, Department of Computer Science, IIT
Kanpur, June 2008.
[17] Fengling Han, Jiankun Hu, Xinghuo Yu, Yong Feng, and Jie Zhou. A Novel
Hybrid Crypto-Biometric Authentication Scheme for ATM Based Banking Ap-
plications. In David Zhang and Anil K. Jain, editors, ICB, volume 3832 of Lecture
Notes in Computer Science, pages 675–681. Springer, 2006.
[24] Amila Karunanayake, Kasun De Zoysa, and Sead Muftic. Mobile ATM for devel-
oping countries. In MobiArch ’08: Proceedings of the 3rd international workshop
on Mobility in the evolving internet architecture, pages 25–30, New York, NY,
USA, 2008. ACM.
[25] Jonathan Katz and Yehuda Lindell. Introduction to Modern Cryptography. CRC
Press, 2007.
[26] Joanna Ledgerwood and Sustainable Banking with the Poor (Project). Microfinance
Handbook: An Institutional and Financial Perspective.
World Bank, Washington, D.C., 1999.
[27] London Evening Standard. Fraudsters use Tube machines to clone bank
cards. Online: http://www.thisislondon.co.uk/standard/article-23421006-
details/Fraudsters+use+Tube+machines+to+clone+bank+cards/article.do.
[28] Alfred J. Menezes, Scott A. Vanstone, and Paul C. Van Oorschot. Handbook of
Applied Cryptography. CRC Press, Inc., Boca Raton, FL, USA, 1996.
[29] Nitin Munjal and Rajat Moona. Secure and Cost Effective Transaction Model
for Financial Services. OPNTDS - 2009, 2009.
[30] Nitin Munjal, Ashish Paliwal, and Rajat Moona. Low Cost Secure Transac-
tion Model for Financial Services. In International Conference on Security and
Identity Management (SIM)-09, IIM Ahmedabad, India, May 2009.
[31] National Informatics Centre, Government of India, Indian Institute of Technol-
ogy Kanpur. SCOSTA-CL: Specifications for the Smart-Card Operating System
with Contact-less Interface, Version 1.2, July 2007.
[32] Wolfgang Rankl and Wolfgang Effing. Smart Card Handbook. Wiley, third edition,
June 2002.
[33] Rediff News. Mobile banking, boon for rural India. News Article, February 2008.
Online: http://in.rediff.com/money/2008/feb/20mob.htm.
[34] Research for Development. Improving access to financial services through new
technologies. Online:
http://www.research4development.info/news.asp?ArticleID=50373.
[35] RSA Laboratories. PKCS #1 v2.1: RSA Cryptography Standard, February 2003.
[36] Robin Sharp. Principles of Protocol Design. Prentice-Hall, Inc., Upper Saddle
River, NJ, USA, 1994.
[37] Standard Chartered. Cardless Cash, Mobile Banking.
[38] Margaret Tan. E-payment: The Digital Exchange. Ridge Books, Singapore,
2004.
[39] The Legion of the Bouncy Castle. Bouncy Castle Crypto APIs. Online:
http://www.bouncycastle.org/.
[40] The Network World. Credit Card Skimming. Online:
http://www.networkworld.com/community/node/33210?page=0%2C0.