Abstract
Today, a web transaction is typically protected using SSL/TLS. SSL/TLS without a mandatory client public key certificate, which is the typical usage, cannot fulfil the security requirements of web transactions. The main gaps in this usage are client authentication and non-repudiation. This paper presents a scheme to address these SSL/TLS security holes when it is used for web transaction security. The focus is only on transactions carried out using credit/debit cards. The scheme uses wireless public key infrastructure (WPKI) in the client’s mobile phone to generate a digital signature for the client, which provides client authentication and non-repudiation. At the same time, no overhead is imposed on the client, no change to the existing system is needed to perform the transaction, and the mobile phone does not need a network connection to perform the transaction.
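To make the abstract's claim concrete, here is an added example in Go that is not code from the paper: the client's ECDSA key pair stands in for the signing key held on the phone, the transaction fields and their canonical newline-joined encoding are assumptions for illustration only, and the merchant-side check shows that a signature over the transaction binds the client's key to the exact amount and rejects a modified one, which a TLS session without a client certificate cannot do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Transaction holds the card payment fields the client commits to.
// The field set and its encoding are assumed for this example, not the paper's format.
type Transaction struct {
	MerchantID string
	OrderID    string
	Amount     string // decimal string such as "49.90"
	Currency   string
	PAN        string // card number; the test uses a well-known placeholder number
}

// Canonical returns the byte string that both sides hash before signing/verifying.
func (t Transaction) Canonical() []byte {
	return []byte(strings.Join([]string{t.MerchantID, t.OrderID, t.Amount, t.Currency, t.PAN}, "\n"))
}

// SignTransaction models the phone-side WPKI step: the private key stays with
// the client and only the signature is handed to the web transaction.
func SignTransaction(priv *ecdsa.PrivateKey, t Transaction) ([]byte, error) {
	digest := sha256.Sum256(t.Canonical())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyTransaction is the merchant/acquirer check against the client's certified key.
// A valid signature gives client authentication and non-repudiation for these exact fields.
func VerifyTransaction(pub *ecdsa.PublicKey, t Transaction, sig []byte) bool {
	digest := sha256.Sum256(t.Canonical())
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tx := Transaction{"merchant-42", "order-1001", "49.90", "EUR", "4111111111111111"} // constructed sample
	sig, _ := SignTransaction(priv, tx)
	fmt.Println("original verifies:", VerifyTransaction(&priv.PublicKey, tx, sig))
	tx.Amount = "490.90" // any change after signing, e.g. an altered amount, fails verification
	fmt.Println("tampered verifies:", VerifyTransaction(&priv.PublicKey, tx, sig))
}
```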
© 2007 Springer-Verlag Berlin Heidelberg
Assora, M., Kadirire, J., Shirvani, A. (2007). Using WPKI for Security of Web Transaction. In: Psaila, G., Wagner, R. (eds) E-Commerce and Web Technologies. EC-Web 2007. Lecture Notes in Computer Science, vol 4655. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74563-1_2
DOI: https://doi.org/10.1007/978-3-540-74563-1_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74562-4
Online ISBN: 978-3-540-74563-1