1 A New Credit Card Payment Scheme Using Mobile Phones Based on Visual Cryptography Chao-Wen Chan and Chih-Hao Lin Graduate School of Computer Science and Information Technology, National Taichung Institute of Technology, 404 Taichung, Taiwan Abstract. With the increasing usage of credit cards, secure requirements for handling credit card payment have become more critical. Today, it is being deployed for a wide application services in mobile commerce over public networks. Based on the security of Naor-Shamir's visual cryptography, Diffie- Hellman key agreement scheme and symmetric cryptosystems, we propose a new credit card payment scheme using mobile phones based on visual cryptography. Compared with traditional credit card payment methods, the proposed scheme can provide more secure communication for many electronic commerce transactions. Keywords: payment, secret sharing, visual cryptography, key agreement. 1 Introduction In the last decade, many advances have been made in the technology of mobile commerce, such as hardware of mobile devices, qualities of application services, etc. With the increasing usage of mobile commerce applications over public networks, it is more and more important to have reliable security. In recent years, identity theft has surged and led to serious damage for both cardholders and payment companies. Traditional credit card payment schemes in Taiwan require cardholders show credit card information to merchants, allowing strangers access to private business operations. The issuer only provides verification for a payment request from a credible requester, for instance a phone call or an SMS (Short Message Service) is needed to check the cardholder s credit limit and currently charged amount. This method does not ensure a secure credit card payment. The verification process is only performed according to the parameters of a cardholder s available credit. In the past, the above security problem has attracted little attention from researchers . Observe that leakage of private information stored in a credit card is the attraction. To prevent the leakage of cardholder s information, a new secure credit card payment scheme should satisfy the following requirements. C.C. Yang et al. (Eds.): ISI 2008 Workshops, LNCS 5075, pp , Springer-Verlag Berlin Heidelberg 2008
2 468 C.-W. Chan and C.-H. Lin 1. The merchant learns nothing about the private information stored in a credit card during a credit card payment. 2. No one else can use the secret information about a credit card payment to perform any other credit card payments. 3. Both cardholder and issuer bank need to authenticate each other at beginning of a credit card payment. 4. The credit card payment scheme may support the electronic cash or coin-like application. Owing to it is being deployed for a wide application services in mobile commerce over public networks. Based on Diffie-Hellman key agreement method , Naor- Shamir's Visual Cryptography , and symmetric cryptosystems, we propose a novel secure credit card payment scheme which could provide the above requirements. The proposed scheme is different from traditional credit card payment methods. We briefly describe the new idea of our method. In general, credit cards include private information about users, such as card numbers, validity dates, expiration dates and identifications etc. To prevent a card user from sharing the credit card with others, the user must get an authorization code from the bank before making purchases. The bank checks the quota of the cardholder and confirms the identification of the user from the database. If the information of the user is correct, the bank generates an authorization code and transfers it to the user over mobile communication networks. The user must input the authorization code to accomplish the payment without giving his credit card to the merchant. Compared with traditional credit card payment methods, the proposed scheme can provide more secure communication for many electronic commerce transactions. The rest of the paper is organized as follows. In the next section, we present the necessary related works of our scheme. In Section 3, a new credit card payment scheme is proposed. Discussions are presented in Section 4. Finally, we give some conclusions in Section 5. 2 Preliminaries Before a new credit card payment scheme is proposed, we first introduce the properties of Diffie-Hellman key agreement method , Naor-Shamir's Visual Cryptography , and symmetric cryptosystems that will allow us to discuss our scheme s security in Section Diffie-Hellman Key Agreement Scheme The famous key agreement scheme was proposed by Diffie and Hellman in If Alice and Bob want to transfer a secret by Diffie-Hellman key agreement scheme, then Alice selects a random secret and sends to Bob, where is a large prime number. Then, Bob selects another random secret and sends to
3 A New Credit Card Payment Scheme Using Mobile Phones 469 Alice. Finally, Alice and Bob compute a common session key. Thus, Alice and Bob can use the common key for encryption and decryption in the session. No one can derive the session key from the public information and. The security is based on the computational Diffie-Hellman problem. In addition, neither of these two parties computes anything about the random secret value selected by another provided Discrete Logarithm Problem [1,8]. 2.2 Visual Cryptography (VC) In 1995, Naor and Shamir  proposed a secret sharing scheme in which secrets and shadows are represented in binary image format. This scheme opened the research on Visual Cryptography (VC); in fact it was the first paper about VC. Visual cryptography is a secret sharing method for digital images without cryptographic computations for decryption. In their scheme, a dealer wants to break a secret image into shared images and sends shared images to other participants, such that any or more participants can recover the secret image by stacking or more shared images. However, the secret image cannot be recovered by shadows. The above method is defined as -threshold visual cryptography. For example, a -threshold VC is depicted below. We set up three pairs of pixel blocks as shown in Fig. 1. The pixel block consists of four sub-pixels. If a pixel of the secret image is black, we can randomly select a pair of pixel blocks, then, randomly assign one of the pair to the corresponding pixel block of share 1, and the other of the pair is assigned the corresponding pixel block of share 2. If the pixel of the secret image is white, we randomly select one of the three pairs, and randomly assign one of the pair to the corresponding pixel block of share 1. And, randomly select one pixel block of the other two pairs to the corresponding pixel block of share 2. As shown in Fig. 2, the pixel is white when stacked with one horizontal share and the other vertical share. In addition, the pixel is black when stacked with two horizontal shares. Now, taking a digital image as another example, as shown in Fig. 3, we break a secret image into two shares, share 1 and share 2, respectively. Based on -threshold VC, we can recover the secret image by stacking share 1 and share 2. Still today, much research of visual cryptography for gray-level images is proposed in [3,6,7]. Fig. 1. Three Pairs of 2 2 Pixel Blocks
4 470 C.-W. Chan and C.-H. Lin Fig. 2. Example 1 of -Threshold VC (a)secret image (b)share 1 (c)share 2 (d)recovered image Fig. 3. Example 2 of -Threshold VC 2.3 Symmetric Cryptosystems Symmetric cryptosystems are used to encrypt or decrypt messages by the same secret key to provide authorized securities. It can provide more efficient than asymmetric cryptosystem for message encrypting and decrypting. One of the most popular symmetric cryptosystems is the Advanced Encryption Standard (AES) . AES is an encryption standard provided by National Institute of Standards and Technology in However, the encryption method of images may be different from text. In 2001, Chang et al.  proposed an encryption algorithm for image cryptosystems based on vector quantization. It reduces the computational complexity of the encryption and decryption schemes. 3 The Proposed Scheme In this section, we elaborate on our proposed credit card payment scheme. Our method is based on DH key agreement scheme and -threshold VC scheme to generate the authorization code. In order to confirm data integrity of the shared image, we use technologies of symmetric cryptosystems to transform the shared image. The proposed scheme consists of three parties: a user, a bank, and merchants. 1. : The uer who makes a purchase with his credit card. 2. : The bank issues credit cards for the user. To easily present the method, we assume that the bank is the issuer and acquirer, and the bank is a trusted third party. 3. : Merchants which sell commodities to users.
5 A New Credit Card Payment Scheme Using Mobile Phones 471 Table 1. Notations A user s identification number is defined as. A user s password is defined as. A purchase order is a commercial document issued by a buyer to a seller, including information for products or services. is a large prime integer. is a public primitive integer in modular, where is not equal to 1. are meaningful words or signs made by stacking two shared images for making a purchase, called authorization code. A party sends a message to a party. A message is encrypted by the symmetric key. A message is decrypted by the symmetric key. A cryptographic pseudo random number generator is defined as. The formula denotes using -threshold VC to generate the other shared image by a shared image and, where. The formula denotes using -threshold VC to get by stacking two shared images and according to human visual system, where. The basic notations are used in the description which is defined as Tab.1. When makes a purchase with his credit card, must get the authorization code for accomplishing a transaction. Hence, the proposed scheme consists of registration phase and transaction phase. The details of two phases will be described as follows: 3.1 Registration Phase 1. sends his identification number and password to the bank through a secure channel. 2. Upon receiving the messages and, generates the shared image and stores the information in the database. Next, computes and stores into the user s mobile phone through a secure channel. 3.2 Transaction Phase 1. User(mobile phone) Bank: selects and computes. Then, sends the payment request,, and to.
6 472 C.-W. Chan and C.-H. Lin 2. Bank User(mobile phone): Upon receiving the request messages,, and, can find out the user information according to in the database. Then, selects and computes and. Next, can use the integer to get the initial coordinate for displacing vectors of the shared image. Using as a seed in a function, we can get a set of random integers. Then, two parties negotiate for two integers to be the initial coordinate. We define this formula as, where is the initial coordinate vector (point). Thus, displaces vectors of from to to get the small shared image, after getting the initial coordinate. The schematic diagram is shown as Fig. 4. Next, generates a secret image for the user making a purchase, called authorization code. According to - threshold VC, another shared image can be computed by and as shown below.. (1) Finally, computes, where is used as a session key, and sends and to the user. 3. User(mobile phone) Merchant: When receives the messages, computes and. Then, inputs the random integer into a function to get the initial coordinate vector. Next, is required to input his password for decryption of the shared image by computing. Therefore, can use the initial coordinate to displace vectors of the shared image and get the smaller shared image. Hence, can recover the secret image by stacking the shared images and to get the authorization code. The recovered formula is defined as follows:. (2) In the above steps, sends and for payment without giving his credit card to the merchant. Then, forwards the messages to. verifies the messages in the database. If the records are valid, then responses with a message of acceptance to and updates the financial information in their system. Fig. 4. Displace coordinates of S 1 to get the shared image S 2
7 A New Credit Card Payment Scheme Using Mobile Phones 473 User Bank Merchant (1) Select R and compute a g mod p 1 PWU 1 * p (5) Compute r b g mod p S3 Dr ( R) PRNG() r ( X, Y ) S D ( S ) Displace vectors of S to get S 1 2 VC (2,2) S2 AuthC D ( S ) (2) PO, UID, a 3 (4) br, (3) Select VC (2,2) S2 * p and compute b g mod p r a g mod p PRNG() r ( X, Y ) Displace vectors of S to get S Generate AuthC and compute S E ( AuthC) R Er ( S3) (6) PO, UID, AuthC R (7) PO, UID, AuthC (8)accept/reject Fig. 5. The proposed scheme of the transaction procedure Moreover, if performs a new transaction in the next session, and can use the shared image to generate the other small shared image by implementing the DH key agreement scheme repeatedly. Then, and accomplish each payment according to our transaction phase. The above transaction procedure is briefly illustrated in Fig Discussions In this section, we are going to analyze the securities and performances of the proposed scheme. 4.1 Security Analysis In the proposed scheme, the security is based on DH scheme, VC, and symmetric cryptosystems. Therefore, we consider some possible attacks. Suppose that an adversary attempts to impersonate the user. Without knowing the random integer generated by DH key agreement scheme, the adversary cannot get to perform a transaction. The adversary only knows and on insecure public networks, and he learns nothing about the random integer to get the initial coordinate. The adversary must achieve the computational DH problem. However, an adversary may
8 474 C.-W. Chan and C.-H. Lin try to compute from or from to get the integer. This means that the adversary still has to solve the discrete logarithm problem. The discrete logarithm problem is hard to solve in polynomial time. Hence, the proposed scheme can resist an illegal transaction by an impersonation attack. Even if an adversary knows the random integer by man-inthe-middle attacks, he still cannot get without the shared image which is shared by and. The shared image is protected by symmetric cryptosystems with the user s password. Therefore, our scheme can prevent an illegal transaction by man-in-the-middle attacks. Next, we consider a replaying attack. A replaying attack is a method where an active adversary stores old intercepted messages and retransmits them at a later time. In our scheme, the authorization code is generated by a trusted third party. Suppose that an adversary will attempt to impersonate a legal user by replaying old messages and, he still cannot get without knowing the shared image. Hence, the proposed scheme can withstand an illegal transaction from replaying attacks. For each transaction, the bank records the information which is used in the database. When a new transaction request is performed, the user will get a new different from the above session. Therefore, the proposed scheme can prevent a double spending problem. In addition, both and need to authenticate each other by using -threshold visual cryptography. A valid can only be recovered through the shared image which is shared by and. Hence, our scheme can provide the mutual authentication property. Moreover, the proposed method is based on -threshold visual cryptography. The user (mobile phone) must stack two shared images and and use the human visual system to obtain the authorization code. According to decryption by human visual system, it is difficult to design a malicious program to get for an adversary, such as brute force attacks. In the worst situation, suppose that a user s mobile phone is lost, the important information is still protected by a secure symmetric cryptosystem with the user s password. This reduces the threat of a lost or stolen mobile phone for the user before the emergency event happens. 4.2 Performance Analysis To the best of our knowledge, the traditional -threshold VC scheme can only be used once. It is similar to a one-time pad (OTP). When the secret image is recovered by stacking any shares, the shared images cannot reuse the information in the next session. A dealer has to break a secret image into shared images and retransfers shared images to other participants. Therefore, with regard to efficiency, we generate a random seed into a by using DH scheme to reuse the shared image which is stored in the user s mobile phone. The user does not need to update the shared image in each session. Next, we consider the proposed scheme s computations to accomplish a transaction. For convenience, we define related notations to analyze the computational complexity. The notation means the time for one multiplication over a prime
9 A New Credit Card Payment Scheme Using Mobile Phones 475 integer, denotes the time for one symmetric encryption or decryption, and denotes the time for stacking two shares by -threshold VC scheme. We summarize the computational complexity and communication in Tab. 2. As shown in Tab. 2, the proposed scheme only requires one symmetric encryption computation for the bank in the registration phase. In the transaction phase, our scheme performs two multiplication operations over a prime integer, two symmetric decryption computation, and one stacking shares operation for a user in the transaction phase. For a bank, our scheme performs two multiplication operations over a prime integer, one symmetric decryption computation, and one stacking shares operation. Therefore, in the fast progress of wireless communication, the proposed new credit card payment scheme using mobile phones based on visual cryptography would easily be implemented for electronic commerce transactions. Table 2. Computational complexity and communication of the proposed scheme User Bank Number of communications 6 3 Number of rounds Computation of the registration phase 2 No 2 Computation of the transaction phase Conclusions In this article, we propose a new credit card payment scheme by using DH scheme, VC, and symmetric cryptosystems for transferring secrets in insecure mobile communication networks. The security analyses show that the proposed scheme is more secure than traditional credit card payment methods. Our scheme can prevent impersonation attacks, man-in-the-middle attacks, replaying attacks, double spending problems, malicious program attacks and provides a mutual authentication property. In the future, our scheme has potential for application services in mobile commerce. We can perform similar application services, such as an electronic ticket system or an electronic auction market, etc. References 1. Blake-Wilson, S., Menezes, A.: Authenticated Diffie-Hellman Key Agreement Schemes. In: Tavares, S., Meijer, H. (eds.) SAC LNCS, vol. 1556, pp Springer, Heidelberg (1999) 2. Bottoni, A., Dini, G.: Improving Authentication of Remote Card Transactions with Mobile Personal Trusted Devices. Computer Communications 30, (2007) 3. Blundo, C., De Santis, A., Naor, M.: Visual Cryptography for Grey Level Images. Information Processing Letters 75(6), (2000) 4. Chang, C.C., Hwang, M.S., Cheng, T.S.: A New Encryption Algorithm for Image Cryptosystems. The Journal of Systems and Software 58, (2001)
10 476 C.-W. Chan and C.-H. Lin 5. Diffie, W., Hellman, M.E.: New Directions in Cryptography. IEEE Transactions on Information Theory 22(6), (1976) 6. Lin, C.C., Tsai, W.H.: Visual Cryptography for Gray-level Images by Dithering Techniques. Pattern Recognition Letters 24(1-3), (2003) 7. Lukac, R., Plataniotis, K.N.: Bit-level Based Secret Sharing for Image Encryption. Pattern Recognition 38(5), (2005) 8. Maurer, U.: Towards the Equivalence of Breaking the Diffie-Hellman Scheme and Computing Discrete Logarithms. In: Desmedt, Y.G. (ed.) CRYPTO LNCS, vol. 839, pp Springer, Heidelberg (1994) 9. Naor, M., Shamir, A.: Visual Cryptography. In: De Santis, A. (ed.) EUROCRYPT LNCS, vol. 950, pp Springer, Heidelberg (1995) 10. National Institute of Standards and Technology: Advanced Encryption Standard, FIPS 197 (2001)