A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography

详细信息    查看全文

• 作者：Shehzad Ashraf Chaudhry ; Mohammad Sabzinejad Farash…
• 关键词：Authenticated encryption ; E ; payment system ; Elliptic curve cryptography ; Digital signature ; Signcryption ; ProVerif
• 刊名：Electronic Commerce Research
• 出版年：2016
• 出版时间：March 2016
• 年：2016
• 卷：16
• 期：1
• 页码：113-139
• 全文大小：2,888 KB
• 参考文献：1.Chen, S., & Ning, J. (2002). Constraints on e-commerce in less developed countries: The case of china. Electronic Commerce Research, 2(1–2), 31–42. doi:10.​1023/​A:​1013331817147 .CrossRef
  2.Kshetri, N. (2013). Cybercrime and cyber-security issues associated with china: some economic and institutional considerations. Electronic Commerce Research, 13(1), 41–69. doi:10.​1007/​s10660-013-9105-4 .CrossRef
  3.Huang, X., Dai, X., & Liang, W. (2014). Bulapay: A novel web service based third-party payment system for e-commerce. Electronic Commerce Research, 14(4), 611–633. doi:10.​1007/​s10660-014-9172-1 .CrossRef
  4.Chaum, D. (2013). Blind signatures for untraceable payments. In Advances in cryptology—CRYPTO ’86 Proceedings (pp. 199–203). Berlin: Springer.
  5.Lysyanskaya, A., & Ramzan, Z. (1998). Group blind digital signatures: A scalable solution to electronic cash. In D. M. Goldschlag & S. G. Stubblebine (Eds.), Financial cryptography (pp. 184–197). Berlin: Springer.CrossRef
  6.Zhang, L., Zhang, F., Qin, B., & Liu, S. (2011). Provably-secure electronic cash based on certificateless partially-blind signatures. Electronic Commerce Research and Applications, 10(5), 545–552.CrossRef
  7.Xiaojun, W. (2010). An e-payment system based on quantum group signature. Physica Scripta, 82(6), 65403.CrossRef
  8.Eslami, Z., & Talebi, M. (2011). A new untraceable off-line electronic cash system. Electronic Commerce Research and Applications, 10(1), 59–66.CrossRef
  9.Yen, Y.-C., Wu, T.-C., Lo, N.-W., & Tsai, K.-Y. (2012). A fair-exchange e-payment protocol for digital products with customer unlinkability. KSII Transactions on Internet and Information Systems, 6(11), 2956–2979.
  10.Chen, X., Li, J., Ma, J., Lou, W., & Wong, D. S. (2014). New and efficient conditional e-payment systems with transferability. Future Generation Computer Systems, 37, 252–258.CrossRef
  11.Yang, J.-H., Chang, Y.-F., & Chen, Y.-H. (2013). An efficient authenticated encryption scheme based on ecc and its application for electronic payment. Information Technology And Control, 42(4), 315–324.CrossRef
  12.Farash, M. S., & Attari, M. A. (2014). A secure and efficient identity-based authenticated key exchange protocol for mobile client-server networks. The Journal of Supercomputing, 69(1), 395–411.CrossRef
  13.Irshad, A., Sher, M., Faisal, M. S., Ghani, A., Ul Hassan, M., & Ch, S. A. (2014). A secure authentication scheme for session initiation protocol by using ecc on the basis of the tang and liu scheme. Security and Communication Networks, 7(8), 1210–1218.CrossRef
  14.Irshad, A., Sher, M., Rehman, E., Ch, S. A., Ul Hassan, M., & Ghani, A. (2013). A single round-trip sip authentication scheme for voice over internet protocol using smart card. Multimedia Tools and Applications. doi:10.​1007/​s11042-013-1807-z .
  15.Farash, M. S., & Attari, M. A. (2013). An enhanced authenticated key agreement for session initiation protocol. Information Technology and Control, 42(4), 333–342.CrossRef
  16.Farash, M. S. (2014). Cryptanalysis and improvement of an efficient mutual authentication rfid scheme based on elliptic curve cryptography. The Journal of Supercomputing, 70(1), 987–1001.CrossRef
  17.Farash, M. S., & Attari, M. A. (2014). An anonymous and untraceable password-based authentication scheme for session initiation protocol using smart cards. International Journal of Communication Systems. doi:10.​1002/​dac.​2848 .
  18.Farash, M. S. (2014). Security analysis and enhancements of an improved authentication for session initiation protocol with provable security. Peer-to-Peer Networking and Applications. doi:10.​1007/​s12083-014-0315-x .
  19.Farash, M. S. (2015). Cryptanalysis and improvement of an improved authentication with key agreement scheme on elliptic curve cryptosystem for global mobility networks. International Journal of Network Management, 25(1), 31–51.CrossRef
  20.Farash, M. S., Kumari, S., & Bakhtiari, M. (2015). Cryptanalysis and improvement of a robust smart card secured authentication scheme on sip using elliptic curve cryptography. Multimedia Tools and Applications. doi:10.​1007/​s11042-015-2487-7 .
  21.Farash, M. S., Islam, S. H., & Mohammad, S. O. (2015). A provably secure and efficient two-party password-based explicit uthenticated key exchange protocol resistance to password guessing attacks. Concurrency and Computation: Practice and Experience. doi:10.​1002/​cpe.​3477 .
  22.Zheng, Y. (1997). Digital signcryption or how to achieve cost (signature & encryption)〈〈 cost (signature) + cost (encryption). In Advances in Cryptology-CRYPTO’97 (pp. 165–179). Berlin: Springer.
  23.He, D., Kumar, N., & Chilamkurti, N. (2015). A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks, Information Sciences. doi:10.​1016/​j.​ins.​2015.​02.​010
  24.He, D., & Zeadally, S. (2015). Authentication protocol for an ambient assisted living system. Communications Magazine, IEEE, 53(1), 71–77.CrossRef
  25.Chaudhry, S., Naqvi, H., Shon, T., Sher, M., & Farash, M. (2015). Cryptanalysis and improvement of an improved two factor authentication protocol for telecare medical information systems. Journal of Medical Systems, 39(6), 1–11. doi:10.​1007/​s10916-015-0244-0 .CrossRef
  26.Abdalla, M., Benhamouda, F., & Pointcheval, D. (2015). Public-key encryption indistinguishable under plaintext-checkable attacks. In Public-Key Cryptography—PKC 2015 (pp. 332–352). Berlin: Springer.
  27.Ch, S. A., Nizamuddin, N., Sher, M., Ghani, A., Naqvi, H., & Irshad, A. (2014). An efficient signcryption scheme with forward secrecy and public verifiability based on hyper elliptic curve cryptography. Multimedia Tools and Applications. doi:10.​1007/​s11042-014-2283-9 .
  28.Ch, S. A., Nizamuddin, N., & Sher, M. (2012). Public verifiable signcryption schemes with forward secrecy based on hyperelliptic curve cryptosystem. In Information systems, technology and management (pp. 135–142). Springer.
  29.Nizamuddin, N., Ch, S. A., Nasar, W., & Javaid, Q. (2011. )Efficient signcryption schemes based on hyperelliptic curve cryptosystem. In 2011 7th IEEE international conference on emerging technologies (ICET) (pp. 1–4).
  30.Nizamuddin, N., Ch, S. A., & Amin, N. (2011). Signcryption schemes with forward secrecy based on hyperelliptic curve cryptosystem. In IEEE high capacity optical networks and enabling technologies (HONET), 2011 (pp. 244–247).
  31.Zheng, Y. (1997). Digital signcryption or how to achieve cost (signature & encryption) cost (signature) + cost (encryption). In Advances in cryptology-CRYPTO’97 (pp. 165–179). Santa Barbara: Springer.
  32.Li, C.-T. (2011). Secure smart card based password authentication scheme with user anonymity. Information Technology and Control, 40(2), 157–162.CrossRef
  33.Hong, J.-W., Yoon, S.-Y., Park, D.-I., Choi, M.-J., Yoon, E.-J., & Yoo, K.-Y. (2011). A new efficient key agreement scheme for vsat satellite communications based on elliptic curve cryptosystem. Information Technology and Control, 40(3), 252–259.
  34.Farash, M. S., & Attari, M. A. (2014). A provably secure and efficient authentication scheme for access control in mobile pay-tv systems. Multimedia Tools and Applications. doi:10.​1007/​s11042-014-2296-4 .
  35.Johnson, D., Menezes, A., & Vanstone, S. (2001). The elliptic curve digital signature algorithm (ecdsa). International Journal of Information Security, 1(1), 36–63.CrossRef
  36.Xie, Q., Dong, N., Tan, X., Wong, D. S., & Wang, G. (2013). Improvement of a three-party password-based key exchange protocol with formal verification. Information Technology And Control, 42(3), 231–237.CrossRef
  37.Xie, Q., Dong, N., Wong, D. S., & Hu, B. Cryptanalysis and security enhancement of a robust two-factor authentication and key agreement protocol. International Journal of Communication Systems. doi:10.​1002/​dac.​2858
  38.Hu, B., Xie, Q., & Li, Y. (2011). Automatic verification of password-based authentication protocols using smart card. In 2011 IEEE international conference on information technology, computer engineering and management sciences (ICM) (Vol. 1, pp. 34–39).
  39.Cheval, V., & Blanchet, B. (2013). Proving more observational equivalences with proverif. In D. Basin & J. C. Mitchell (Eds.), Principles of security and trust (pp. 226–246). Berlin: Springer.CrossRef
  
• 作者单位：Shehzad Ashraf Chaudhry (1)
  Mohammad Sabzinejad Farash (2)
  Husnain Naqvi (1)
  Muhammad Sher (1)
  
  1. Department of Computer Science & Software Engineering, International Islamic University, Islamabad, Pakistan
  2. Faculty of Mathematics and Computer Sciences, Kharazmi University, Tehran, Iran
  
• 刊物主题：Business Information Systems; Data Structures, Cryptology and Information Theory; Operations Research/Decision Theory; Computer Communication Networks; Business/Management Science, general; e-Commerce/e-business;
• 出版者：Springer US
• ISSN：1572-9362

文摘

The use of e-payment system for electronic trade is on its way to make daily life more easy and convenient. Contrarily, there are a number of security issues to be addressed, user anonymity and fair exchange have become important concerns along with authentication, confidentiality, integrity and non-repudiation. In a number of existing e-payment schemes, the customer pays for the product before acquiring it. Furthermore, many such schemes require very high computation and communication costs. To address such issues recently Yang et al. proposed an authenticated encryption scheme and an e-payment scheme based on their authenticated encryption. They excluded the need of digital signatures for authentication. Further they claimed their schemes to resist replay, man-in-middle, impersonation and identity theft attack while providing confidentiality, authenticity, integrity and privacy protection. However our analysis exposed that Yang et al.’s both authenticated encryption scheme and e-payment system are vulnerable to impersonation attack. An adversary just having knowledge of public parameters can easily masquerade as a legal user. Furthermore, we proposed improved authenticated encryption and e-payment schemes to overcome weaknesses of Yang et al.’s schemes. We prove the security of our schemes using automated tool ProVerif. The improved schemes are more robust and more lightweight than Yang et al.’s schemes which is evident from security and performance analysis. Keywords Authenticated encryption E-payment system Elliptic curve cryptography Digital signature Signcryption ProVerif