a wireless application protocol enabled …
TRANSCRIPT
i | P a g e
A WIRELESS APPLICATION PROTOCOL ENABLED CRYPTOGRAPHIC MODEL FOR
MOBILE COMMERCE SECURITY
by
KAGISO ONTLOTLILE MABOA
206183365
Submitted in fulfilment of the requirements for the degree
MASTER TECHNOLOGIAE
in
Computer Science: Information Networks (Structured)
(Qualification Code: MTINS0)
in the
FACULTY OF INFORMATION AND COMMUNICATION TECHNOLOGY
at the
TSHWANE UNIVERSITY OF TECHNOLOGY
SUPERVISOR: Dr H.J.G. OBERHOLZER
AUGUST 2018
ii | P a g e
DECLARATION
I hereby declare that the dissertation submitted for the degree Master Technologiae in Computer
Science: Information Networks, at Tshwane University of Technology, is my own original work and
has not previously been submitted to any other institution of higher education. I further declare that all
sources cited or quoted are indicated and acknowledged by means of a comprehensive list of references.
K.O Maboa Date: August 2018
Copyright© Tshwane University of Technology 2018
iii | P a g e
DEDICATION
This study is dedicated to Almighty God, for His guidance and love; to my mother Emelda, grandmother
Finkie, and late grandfather Meshack Maboa; to Aunt Nkele Kobo, and my family and colleagues, with
thanks and appreciation for your love, support, sacrifice, and commitment.
iv | P a g e
ACKNOWLEDGEMENTS
I should like to thank the following people and institutions for their contribution to this study:
➢ First of all, I should like to thank Almighty God, who gave me the strength, the
courage, and the stamina to achieve this project.
➢ Secondly, I am truly thankful to Dr. H.J.G Oberholzer, my dissertation supervisor.
His commitment to excellence and dedication to research, have inspired me
throughout this project. Dr Hardus has also provided timely, informative comments
and evaluation at every stage of the dissertation process. With his guidance and
support, I was able to remain focused and motivated.
➢ I thank CSIR for their financial support: without it, this study would have been
difficult to complete.
➢ Thanks to Prof. N. Ruxwana of the department of Information Technology, for
encouraging me to complete this study.
➢ Grateful thanks to the Tshwane University of Technology, for affording me the
opportunity of studying at such a dynamic and future-orientated institution.
➢ Finally, thanks to my family, friends, and colleagues, for continued support and
encouragement.
v | P a g e
ABSTRACT
Since the introduction of E-commerce in 1995 and its associated global impact on the business
environment, another step has been taken in the evolution of networked computing. Mobile Commerce,
also known as M-commerce is providing commercial services that are accessible per mobile device.
With the rapid growth of mobile devices, many services are now offered, allowing users to purchase
goods and services on the move, anytime and anywhere, via their mobile devices. In today’s E-
commerce world, security has become a major issue that must be continuously monitored and enhanced.
In expanding E-commerce to mobile devices, it is also necessary to ensure that these devices are
protected against security threats such as eavesdropping on a wireless network. M-commerce faces the
same security as E-commerce, together with many others, owing to the mobile nature of the service.
Services offered by M-commerce deal with sensitive data that must be protected at all times. However,
the current security measures in place for M-commerce transactions are inadequate. The aim of the
study is to develop a WAP-enabled cryptographic model that is used to secure transmitted data on the
WAP gateway. To this end, the research question is as follows: How may a WAP-enabled cryptographic
model be used to enhance mobile commerce security? The research question is answered through an
experiment that determines that the shared secret keys between entities may be created and sent securely
over the network, using the ECDH algorithm to encrypt and decrypt data. Furthermore, messages
transmitted over the network are verified by signing a message using the ECDSA. Our model resolves
most security issues related to M-commerce, enabling customers to feel comfortable using mobile
devices to conduct online transactions. Further research may be conducted on reducing the size of the
encrypted and decrypted message when implemented in a mobile-commerce environment. Signature
verification is relatively slow and ways to enhance the speed can be looked at. Additionally, Future
research will focus on describing the architecture in more detail. The goal would be to have a complete
description of the system and to illustrate the use of it. The model, implemented in Visual Basic, serves
as a proof of concept. A prototype is developed and evaluated through an analysis of the results. At the
end of our dissertation, we are discussing some recommendations, the limitations of our study and some
future work.
vi | P a g e
Table of Contents
DECLARATION…………………………………………………………………………….……. ii
DEDICATION …………………………………………………………………………………..... iii
ACKNOWLEDGEMENTS ………………………………………………………………………. iv
ABSTRACT ………………………………………………………………………………….….... v
LIST OF FIGURES ……………………………………………………………………….…….. ix
LIST OF TABLES …………………………………………………………………………….…... x
ABBREVIATIONS………………………………………………………………………….…….. xi
GLOSSARY…………………………………………………………………………………….….. xiii
1. INTRODUCTION………………………………………………………………………… 1
1.1 PROBLEM…………………………………………………………………………..…….. 4
1.2 RESEARCH OBJECTIVES…………………………………………………….………… 5
1.3 SIGNIFICANCE………………………………………………………………….………... 5
1.4 CONTRIBUTIONS…………………………………………………………………..……. 6
1.5 METHODOLOGY………………………………………………………………….….….. 7
1.6 SYNOPSIS………………………………………………………………………….……... 8
1.7 ASSUMPTIONS OF RESEARCH………………………………………………….…….. 9
2. LITERATURE REVIEW…………………………………………………………………. 10
2.1 BACKGROUND OF CRYPTOGRAPHY…………………………………….………….. 10
2.2 CRYPTOGRAPHIC ALGORITHMS………………………………………….…………. 11
2.3 CRYPTOSYSTEMS USED FOR SECURED M-COMMERCE……………….………… 11
2.4 ELLIPTIC CURVE CRYPTOGRAPHY (ECC)…………………………………………... 12
2.4.1 Supported curves………………………………………………………………………..….. 13
2.4.2 Key-generation speed……………………………………………………………................ 14
vii | P a g e
2.4.3 Utilization of elliptic-curve cryptography…………………………………………………. 14
2.5 RIVEST-SHAMIR-ADLEMAN (RSA)…………………………………………………... 14
2.6 DIGITAL SIGNATURES ALGORITHM (DSA)………………………………………… 15
2.7 M-COMMERCE SECURITY MODELS………………………………………………….. 16
2.7.1 Biometric techniques………………………………………………………………………. 16
2.7.2 Advanced mobile security solution based on distributed key……………………………... 17
2.7.3 Improved double-encryption model……………………………………………………….. 18
2.7.4 LSB steganography and cryptography…………………………………………………….. 19
2.8 THE NEED FOR SECURING M-COMMERCE………………………………………… 20
2.9 SUMMARY………………………………………………………………………….……. 21
3. THE MODEL…………………………………………………………………….……….. 23
3.1 MODEL OVERVIEW……………………………………………………………..……… 23
3.2 AUTHENTICATION……………………………………………………………..………. 24
3.3 ENCRYPTION……………………………………………………………………..……... 27
3.4 ECDH KEY EXCHANGE ALGORITHM………………………………………...……… 28
3.5 PRIVACY……………………………………………………………………………...….. 30
3.6 INTEGRITY………………………………………………………………………………. 32
3.7 ELLIPTIC CURVE DIGITAL SIGNATURE (ECDSA)………………………………..... 33
3.7.1 Size and Performance Advantages of ECC Signature Algorithms………………………... 34
3.7.2 ECDSA Security……………………………………………………………………….….. 35
3.7.3 Signature computation……………………………………………………………….……. 36
3.7.4 Signature generation………………………………………………………………………. 36
3.7.5 Signature verification……………………………………………………………….…….. 37
3.8 THE PROCESS …………………………………………………………………………… 38
viii | P a g e
3.9 SUMMARY…………………………………………………………………………..…… 39
4. IMPLEMENTATION……………………………………………………………………... 41
4.1 PROGRAMMING LANGUAGE, ENVIRONMENT, AND TOOLS………………….… 41
4.2 PROTOTYPE ALGORITHMS……………………………………………………….…... 41
4.3 AUTHENTICATING THE CLIENT AND THE SERVER……………………………… 42
4.4 ECDH KEY EXCHANGE…………………………………………………………...…… 43
4.4.1 Elliptic Curve Digital Signature Algorithm (ECDSA)……………………………………. 47
4.4.2 Key and Signature Generation…………………………………………………………….. 47
4.4.3 Signature verification……………………………………………………………………… 48
4.5 SUMMARY……………………………………………………………………………….. 49
5. EXPERIMENTAL EVALUATION………………………………………………………. 50
5.1 TESTING AND EVALUATING THE PROTOTYPE……………………………………. 50
5.2 ELLIPTIC CURVE DIGITAL SIGNATURE ECDSA ALGORITHM…………………... 52
5.2.1 Case in which signature is either verified or invalid…………………………………….... 53
5.3 PERFORMANCE…………………………………………………………….…………… 53
5.4 SUMMARY………………………………………………………………………..……… 55
6. SUMMARY, CONCLUSION AND FUTURE WORK………………………….……….. 56
6.1 PROBLEM STATEMENT REVISITED …………………………………………………. 56
6.2 SUMMARY OF RESEARCH…………………………………..………………………… 57
6.3 CONCLUSION …………………………………………………….………………….….. 59
6.4 FUTURE WORK……………………………………………………………………...….. 59
7. REFERENCES………………………………………………………………………..…... 61
ix | P a g e
LIST OF FIGURES
Figure 1-1: WAP security model ............................................................................................................ 3
Figure 3-1: WAP-enabled cryptographic model overview .................................................................... 24
Figure 3-2: SSL authentication and certificate-based mutual authentication ....................................... 26
Figure 3-3: Encryption and decryption ................................................................................................. 26
Figure 3-4: ECDH key generation (Lederer et al., 2009). .................................................................... 29
Figure 3-5: Keypair generation process (www.maximintegrated.com, 2016) ...................................... 34
Figure 3-6: Signature computation process .......................................................................................... 35
Figure 3-7: Signature verification process ............................................................................................ 36
Figure 3-8: Security transmission process in the double-layer encryption scheme .............................. 38
Figure 4-1: Client public key ................................................................................................................ 42
Figure 4-2: Server public key ............................................................................................................... 43
Figure 4-3: Client private key value ..................................................................................................... 44
Figure 4-4: Shared keys ........................................................................................................................ 44
Figure 4-5: Signing message ................................................................................................................. 46
Figure 4-6: Signature verification ......................................................................................................... 47
Figure 5-1: Randomly generated private and public key for client....................................................... 49
Figure 5-2: Randomly generated private and public key for server ...................................................... 50
Figure 5-3: Shared key (derived key) ................................................................................................... 50
Figure 5-4: Elliptic-curve digital signature ........................................................................................... 51
Figure 5-5: Signature verification ......................................................................................................... 52
Figure 5-6: Signature verification not successful ................................................................................. 52
Figure 5-7: Algorithm comparison ....................................................................................................... 53
x | P a g e
LIST OF TABLES
Table 1-1 : Summary of Methodology Applied ...................................................................................... 9
Table 2-1: A Comparison of Public-key Cryptosystems (Vanstone, 2003) .......................................... 14
Table 3-1: Certificate Information (WTLS, 2008) ................................................................................ 25
Table 3-2: The Security Parameters of the Secure Connection (Jormalainen & Laine, 1999b) ........... 33
Table 4-1: Visual Basic Packages used ................................................................................................. 40
Table 5-1:Process of Creating Shared Keys ......................................................................................... 48
xi | P a g e
ABBREVIATIONS
A Algorithm
AES Advanced Encryption Standard
API Application Programming Interface
CMS Cryptography Message Syntax
DSA Digital Signature Algorithm
DH Diffie-Hellman
DoS Denial of Service
ECC Elliptic Curve Cryptography
GPRS General Packet Radio Service
GSM Global System for Radio Systems
HTTP Hypertext Transfer Protocol
IP Internet Protocol
IT Information Technology
KDF Key Derivation Function
NIST National Institute of Standards and Technology
P Performance
PDA Personal Digital Assistant
PGP Pretty Good Privacy
PKI Public Key Infrastructure
R Reliability
S Security
SMS Short Message Service
SSL Secure Socket Layer
TCP Transmission Control Protocol
TLS Transport Layer Security
TP Third Party
xii | P a g e
V Verification
VB Visual Basic
WAP Wireless Application Protocol
WIM Wireless Identity Module
WPKI Wireless Public Key Infrastructure
WSP Wireless Session Protocol
WTL Wireless Transport Layer
WTLS Wireless Transport Layer Security
WWW World Wide Web
XML Extensible Mark-up Language
xiii | P a g e
GLOSSARY
This study uses the following terms and concepts throughout:
COMPUTER SECURITY
A branch of information technology known as information security which is intended to protect
computers from theft of or damage to their hardware, software or electronic data.
CRYPTOGRAPHY
Cryptography is the science of protecting information by transforming it into a secure format.
EASY IMPLEMENTATION
There is no need to change the configuration of the hardware or add any devices to the WAP gateway,
application server or system reconfiguration.
HIGH CHANNEL UTILIZATION
The fraction of the transmission capacity of a communication channel that contains data (frames)
transmissions
HIGH EFFICIENCY
The ability to function better and faster under the same sources, especially fit for the low-calculating
mobile terminal
MOBILE COMMERCE OR M-COMMERCE
Mobile commerce, or m-commerce, refers to e-commerce conducted in a wireless environment over
the Internet using a mobile device such as a cell phone or personal digital assistant (PDA)
xiv | P a g e
SMALL STORING SPACE
Small storing size for storing the session key and parameters used in the solution
WAP FORUM
A leading technology for companies trying to unlock the value of the mobile Internet, or a technical
standard for accessing information over a mobile wireless network
WAP GATEWAY
A software system that helps WAP-enabled wireless devices to communicate with the Internet websites
and applications
WAP
A device that allows wireless devices to connect to a wired network and to each other
WEB APPLICATION
A client–server computer programme which the client runs in a web browser
1 | P a g e
1. INTRODUCTION
More and more people now own smartphones and tablets and are connected to the Internet using these
devices. There are many ways to describe mobile commerce. Yadav (2009) considers mobile commerce
as involving monetary value, whereas Gunasekaran, Angappa, & Mcgaughey (2009) state that it
functions to provide services. Generally, M-commerce may be described as a way of performing an
electronic transaction that has financial implications, using a mobile device such as a tablet or mobile
phone (Jansma & Arrendondo, 2004). In order to perform electronic transactions, the mobile device has
to be equipped with WAP (Koblitz, Menezes & Vanstone, 2000) that connects to the Internet.
Recently, M-commerce has been receiving considerable attention, which has led to a high growth
rate in the use of mobile devices. According to GSMA’s ‘Mobile Economy’ report (2016), record five
billion subscribers will be achieved by mid-year 2017, increasing to 5.7 billion by the end of the decade.
By that point, almost three-quarters of the world’s population will have subscribed to a mobile service.
With the increasing number of mobile devices being purchased every day, there is a strong increase of
services offered through mobile networks. These services include the buying of items online (including
the purchasing of high-value items such as cars and properties), information services, and online
banking services. These services have to be protected through reliable security protocols, because they
deal with sensitive and personal information.
The common worldwide standard for providing Internet communication on digital mobile
phones, tablets, or any other wireless terminals, is known as a wireless application protocol (WAP).
WAP was the only publicly available solution for wireless communication that enables M-commerce,
where data is transferred from and to wireless devices (Alliance, 2002). WAP was developed and
specified by the WAP forum, which released WAP 1.2 in 1999, its first specification with security
defaults. This version was greatly problematic in the implementation of an M-commerce structure; and
subsequently led to the release of WAP 2.0 in January 2002. WAP 2.0 had increased security features
by comparison with WAP 1.2, and it provided easy development of real M-commerce infrastructure.
When dealing with M-commerce, the most important aspect is security. For users to feel more
comfortable using M-commerce services, high levels of security must be provided. M-commerce will
2 | P a g e
become more convenient to use and will attract more customers (Grami & Schell, 2004). However, it
is crucial to ensure that all M-commerce transactions are secure, especially regarding security issues
relating to network technologies. Security on mobile platforms is difficult to implement, owing to the
following factors: technological limitations of mobile devices, provision of pervasive computing, and
the capability of location awareness.
There are several well-known methods that make wireless communication more secure. These
methods include “i-mode”, encryption, and WAP. I-Mode is a mobile Internet service which originated
in Japan, and was developed and launched by NTT DoCoMo in 1999 (Blake-Wilson, Moeller, Gupta,
Hawk & Bolyard, 2006). In 2001, NTT DoCoMo started “i-appli”, which is a Java-based service
through which subscribers may download and run small Java applets on their I-mode cellular handsets.
In 2001, NTT DoCoMo started the 3G mobile phone service, which accesses the Internet at up to 384
kbps, using packet transmission that allows for I-mode service.
Another method of securing M-commerce transactions is cryptography, which is the art of
achieving security by encoding messages, thereby making them non-readable (Saranya, Mohanapriya
& Udhayan, 2014). Cryptography is the practice and study of hiding information. In modern times,
cryptography is considered a branch of both mathematics and computer science, and is affiliated closely
with information theory, computer security, and engineering (Sohani & Sawant, 2016). When
authenticating, before the transaction may be performed by the participating entities (usually the client
and the server), each must confirm his or her identity to the other. This service prevents unauthorised
third parties from masquerading as a legitimate parties. Moreover, there are many software packages
available on the markets, allowing hackers to access accounts by cracking passwords. One can lose
personal data and valuable information as a result of the lack of security.
Authentication is usually achieved by using network-based authentication protocols
(Xiangdong, Qinfang, Wang, Xian, 2002). However, there is a need for data integrity so that messages
are not altered accidentally or maliciously, without being detected at the receiver side of the M-
commerce system. With this security feature, an interceptor will not be able to deceive the receiver by
modifying the content of the message in transmission. With regard to WAP security architecture, there
3 | P a g e
are three entities involved: a mobile network (Mobile Gateway), a mobile provider (Commerce Server),
and a mobile phone.
For illustrative purposes, consider a mobile online shopping service in which the M-commerce
provider is an online shop, and the end-user is the customer (i.e. the person buying online). The end-
user connects to the M-commerce service provider through a mobile-phone network. Internet
connectivity through an Internet Protocol gateway is provided by mobile-network operators supporting
M-commerce. The M-commerce provider connects to the mobile operator, and, in turn, the end-user,
through the Internet. Thus, the M-commerce provider does not need to provide the wireless connectivity
as illustrated in Figure 1.1. Instead, the main focus of the M-commerce provider is in the application
architecture that caters for the characteristics of the hand-held devices.
Figure 1-1: WAP security model
Several technologies are available to facilitate the transmitting of sensitive information to and
from the mobile devices during an M-commerce transaction. WAP Public Key Infrastructure (WPKI),
Wireless Identity Module (WIM), and WAP Script and Wireless Transport Layer Security, are
4 | P a g e
components of such a WAP security mechanism (Sharma, Kansal & Tomar, 2015). Communication
between a WAP device and WAP gateway run by the operator is protected by a built-in encryption
technology known as Wireless Transport Layer (Amadeo, Molinaro, Campolo, Sifalakis, & Tschudin,
2014).
The WTL is similar to the TLSP (Transport Layer Security Protocol), and has the ability to detect
and reject replay attacks, and to prevent the denial-of-service attack (Xiuling & Daxing, 2001). The
WAP identity module (WIM) is an independent hardware module used to store confidential information
and to execute some encryption and decryption algorithms (Alliance, 2002). WAP implements
undeniable services and protects denial-of-service besides confidentiality, integrity, and authentication.
WAP Script, similar to Java Script, can connect external encryption algorithms (Forum, 2002). Wireless
Public Key Infrastructure (WPKI) which is designed for the wireless environment, is mainly used to
manage user and server certificates in a WAP network.
1.1 PROBLEM
Communication between a WAP server and WAP handheld devices is protected by a built-in encryption
technology known as WTLS. The bridging of two secure connections at the WAP gateway, at which
the WAP gateway is run by the operator, is vulnerable in that the data at the WAP gateway is decrypted
for some period of time. Once data is on the Internet, a connection is usually protected by the SSL
(Secure Socket Layer), which is the standard for encrypting data between points on the network. Thus,
data that is in decrypted form is transferred from WTLS to SSL. The decrypted data travels over the
network, where the data is vulnerable to attacks such as man-in-the middle attacks. Therefore, the
following main research questions will be addressed in this study:
a) How may a WAP-enabled cryptographic model be used to enhance mobile
commerce security?
b) How may a suitable WAP-enabled cryptographic algorithm be chosen for M-
commerce security?
5 | P a g e
c) How may the WAP-enabled cryptographic algorithm be developed and
implemented effectively in M-commerce?
d) How may the WAP-enabled cryptographic algorithms be evaluated?
1.2 RESEARCH OBJECTIVES
M-commerce has become a new way of conducting business any day and anytime for both individuals
and enterprises. M-commerce commercial environment is still imperfect, and the existence of security
challenges has become a barrier to the rapid growth of M-commerce subscriptions.
When individuals use mobile commerce, their data, including sensitive information, are
transmitted through mobile Internet. Data transmitted over the network should be kept secret so that
unauthorised third parties do not have access to it. Therefore, the secure transmission of the data is an
important guarantee of a safe mobile-commerce environment.
The main goal of this thesis is to develop a WAP-enabled cryptographic model that will be used
to secure transmitted data on the WAP gateway. This cryptographic model provides appropriate
solutions to the research questions raised by this study. The study will achieve the objectives as listed
below:
a) To determine in which ways a WAP-enabled cryptographic model may be used to
enhance mobile-commerce security.
b) To choose a suitable WAP-enabled cryptographic algorithm for mobile commerce.
c) To develop and implement an effective WAP-enabled cryptographic algorithm for
M-commerce.
d) To evaluate the WAP-enabled cryptographic algorithms.
1.3 SIGNIFICANCE
M-commerce faces difficult security challenges such as eavesdropping, identity theft, phishing attacks
and spoofing attacks. Consumer trust in Internet technologies seems to be failing, owing to these attacks.
For M-commerce to be successful, the security vulnerabilities and concerns must be addressed and
6 | P a g e
solved. The key to widespread usage of M-commerce is to gain the trust of users so that they will be
willing to perform a transaction using their mobile devices. M-commerce systems will be utilised for
transferring data, therefore someone will try to exploit the system or gain unauthorised access to data.
For this reason, it is necessary to ensure that current and future mobile devices to be used within M-
commerce implement security mechanisms.
The significance of this study is to ensure that M-commerce data is protected against
unauthorised third parties. The study is necessary based on the loss of valuable information owing to
various security issues. Resolving these security challenges should lead to more people performing
transactions through M-commerce. M-commerce transactions must be absolutely secure, otherwise
businesses will lose customers. This research project will resolve security issues and enhance security
M-commerce through the efficient use of a cryptographic algorithm for securing information. An
essential requirement for M-commerce is that transactions take place in a secure environment.
1.4 CONTRIBUTIONS
The cryptographic model developed in this study implements an enhancement to the current security
models in M-commerce. This cryptographic model will be security conscious and optimised for speed.
The unencrypted data must be precipitately removed from the volatile internal memory of the WAP
gateway. Therefore, this study will focus only on the cryptographic aspects relating to M-commerce
security. The main contributions of this study are summarised as follows:
a) The development of a WAP-enabled cryptographic model for M-commerce which
ensures that data is transmitted in a secure manner over the network.
b) The formalization of a different cryptographic model which contributes to system
optimality and usability.
c) The formal specification of the cryptographic model using a conventional modelling
language such as Visual Basic studio. The specification provides a basis for
demonstrating the feasibility of the practical realization and application of the
model.
7 | P a g e
d) The development of a prototype of the WAP-enabled cryptographic as proof of a
concept that demonstrates the theoretical and empirical validity of the model.
e) The system will contribute by enhancing security, which will be useful for large
corporations and individuals in performing their transactions safely.
1.5 METHODOLOGY
In this section we describe the research methodology used to develop our work. We first define what
Design Science Research is, and then focus on how the methodology applies to this dissertation. Design
Science Research is a set of synthetic and analytical techniques and perceptions (complementing
positivist, interpretive, and critical perceptions) for performing research in Information Systems (IS).
The new model, which will augment the current M-commerce security on the wireless
application protocol (Forum) gateway, will use a WAP-enabled cryptographic algorithm that is security
sensitive and optimised for speed. This algorithm will ensure that the unencrypted content of data is
erased precipitately from the volatile internal memory of the WAP gateway. Furthermore, the algorithm
will use a double-encryption method so that decrypted data is always protected from the source device
through to the destination device. The cryptographic algorithm will be incorporated inside the WAP
gateway and application server, in order to achieve the security required to protect the WAP gateway.
The study will implement the WAP-enabled cryptographic algorithm using the Visual Basic
Studio programming language. This will reflect the prototype system as proof of a concept
demonstrating that the model is usable and effective in making mobile commerce secure. In particular,
in this dissertation, the prototype system will demonstrate the feasibility of the proposed WAP-enabled
cryptographic algorithm.
The table listed on the next page summarises the methodology that will be applied in this study.
1.6 SYNOPSIS
The synopsis of this dissertation follows.
8 | P a g e
Chapter 1 presents an overview of the research problem, together with set objectives for
reaching the goal of the study. The chapter concludes with the methodology that will be used in the
study.
Chapter 2 consists of a literature overview. The chapter briefly discusses problems encountered
regarding M-commerce and the WAP gateway. A detailed discussion of various cryptographic
algorithms follows, including a discussion of the advantages and limitations of these algorithms. The
chapter concludes by proposing preliminary concepts of WAP-enabled cryptography as an alternative
solution to the research problem; giving reasons for the solution being more appropriate.
Chapter 3 elaborates on the methodology of the study. The study models the algorithm using
Visual Basic Studio.
Chapter 4 discusses the implementation of the cryptographic prototype. The dissertation
introduces the prototype as a proof of concept and uses screenshots to demonstrate the main components
of the prototype.
Chapter 5 evaluates the prototype as an experiment performed to test the efficacy of the
cryptographic algorithms.
Chapter 6 concludes the study with a brief summary of the aim of the study, the findings, and
possible future research ideas based on the study; and finally, some remarks based on the study.
Research Questions Technical Objectives Methodology
a) How may a WAP-enabled
cryptographic model be used to
enhance mobile-commerce security?
a) To determine the way/s
in which a WAP-enabled
cryptographic model may be
used to enhance mobile-
commerce security.
Literature Review
b) How may a suitable WAP-
enabled cryptographic algorithm be
chosen for M-commerce security?
b) To choose a suitable
WAP-enabled cryptographic
algorithm for mobile commerce.
Design Science Research
(Modelling and Simulation)
9 | P a g e
c) How may the WAP-enabled
cryptographic algorithm be developed
and implemented effectively in M-
commerce?
c) To develop and
implement an effective WAP-
enabled cryptographic algorithm
for M-commerce.
Implementation
d) To evaluate the WAP-
enabled cryptographic algorithms.
d) To evaluate the WAP-
enabled cryptographic
algorithms.
Testing
Table 1-1 : Summary of methodology applied
1.7 ASSUMPTIONS OF RESEARCH
Based on this study, we formulate the following assumptions:
• Safety and security
Consumer acceptance of a technology is influenced by how consumers view the importance of
security and how willing they are to sacrifice security against the benefits derived from the use of
the technology. Regarding security concerns of m-commerce addressed by the study, users have the
ability and confidence using the m-commerce system.
• Connectivity
Users of m-commerce have challenges regarding slow and untestable connections due to the fact
that they fear to be cut off in the middle of an m-commerce transaction.
• Audience
With the rapid growth of m-commerce, more and more people are conducting their transactions
using mobile devices.
2. LITERATURE REVIEW
This chapter commences with a definition and background of cryptography when discussing mobile
commerce. The chapter elaborates on cryptographic techniques used in mobile commerce. Furthermore,
the chapter discusses cryptographic algorithms and various M-commerce solutions, elaborating on their
10 | P a g e
weaknesses. By understanding these, one may deduce the fundamentals that are required for applying
effective and secure cryptography. The chapter concludes by discussing recommendations that will be
used during the implementation for securing mobile-commerce transactions.
2.1 BACKGROUND OF CRYPTOGRAPHY
Cryptography is the study of mathematical techniques associated to aspects of information security such
as confidentiality, data integrity, entity authentication, and data-origin authentication (Hankerson,
Vanstone & Menezes, 2004). Over the years, cryptography has played an important role in securing
data communication over the Internet. Cryptography is not only used in security protocols, but is also
used in applications such as in diplomatic communications, for instance, correspondence exchanged by
private individuals regarding wartime battle plans. However, it is important when communicating over
the network to ensure secure and effective mobile-phone communication. Currently, a number of
cryptographic tools is available to provide data security, such as digital signatures, hash functions, and
encryption schemes. Generally, cryptography is used to accomplish the following goals:
a) Confidentiality/privacy ─ To protect the user’s identity and data, ensuring that no
one is able to read it save the person for whom it is intended.
b) Data integrity ─ To protect data from being tampered with or modified in any way.
c) Authentication ─ To determine whether someone is in fact whom he or she claims
to be.
d) Non-repudiation ─ To prove that the sender really has sent the message; or proof of
the integrity and origin of the data. Users may be held responsible for online
transactions, which they cannot dispute at a later stage.
2.2 CRYPTOGRAPHIC ALGORITHMS
Commonly, various types of cryptographic algorithms are used to achieve the goals mentioned in the
previous paragraph. These algorithms include symmetric cryptography and asymmetric cryptography.
With symmetric-key cryptography, both the sender and receiver share the same key; however, their
11 | P a g e
keys are different but associated in an easily computable way (Delfs & Knebl, 2007). Symmetric
encryption methods use mathematical operations that may be implemented into extremely fast
computing algorithms. Such algorithms will enable mobile and other computing devices, especially
those with minimal CPU power, to perform encryption and decryption processes efficiently. The
primary difficulty of the symmetric key is delivering the key to the receiver in a secure manner.
Contrary to symmetric-key cryptography, asymmetric-key cryptography requires two separate
but related keys (secret/private and public) in which either of them may encrypt or decrypt a message.
Although different, the two parts of this key pair are based on mathematical functions such as
logarithmic arithmetic and modulo, rather than operations on bit patterns.
Asymmetric key algorithms are one-way functions, meaning that they are simple to compute in
one direction, but difficult to compute in the opposite direction. Security mechanisms that are developed
for open-system environments are regularly based on public key cryptography because of the complex
key management problem in such an environment. However, these security mechanisms are central-
processing-unit (CPU) demanding. Therefore, there is a need to study these security mechanisms
carefully when applying them in mobile applications. In general, it is not considered cost-effective to
use public-key cryptography in mobile devices. The amount of computation needed for public-key
algorithms is typically more than the amount of computation needed for symmetric-key algorithms.
2.3 CRYPTOSYSTEMS USED FOR SECURED M-COMMERCE
As mobile devices become smaller and more ubiquitous in daily life, there is a need for computationally
cheap, but still very secure cryptosystems. A cryptosystem is a pair of algorithms that receives a key,
and converts plaintext to cipher text and back (Bellovin, 2006).
The use of ciphers in encrypting the message enhances the security of data. The data is usually
encrypted in blocks instead of in single characters at a time. These ciphers include Rivest-Shamir-
Adleman (RSA), Asymmetric key cryptography (AES) (Kumar, 2013), Data Encryption Standard
(DES) (Coppersmith, 1994), Elliptic Curve Cryptography (ECC) algorithms, and many others. In this
12 | P a g e
study, we focus on ECC, owing to the advantages it offers over other cryptographic algorithms. DSA
and RSA are discussed below.
2.4 ELLIPTIC CURVE CRYPTOGRAPHY (ECC)
The use of elliptic curves in cryptography was independently proposed by Neal Kobliz & Vicktor
Miller (Roy, Järvinen & Verbauwhede, 2015). From 2004 to 2005 elliptic-curve cryptography
algorithms were widely used in the computing world. Koblitz (1987) saw the application of the elliptic
curve discrete log problem (ECDLP) as a replacement for the conventional discrete log problem (DLP)
used in Digital Signature Algorithm (DSA), and the integer factorization problem found in RSA. For
both challenges, sub-exponential solutions have been generated, while the same cannot be said for
ECDLP.
In addition to offering improved security for a smaller key size, operations of adding and
doubling may best be used on a mobile platform (Kessler, 2012). Since ECC produces encryption keys
by using points on a curve to define the public/private key pair, it is difficult for hackers to break the
key using brute-force techniques. ECC offers a possible replacement for the most common public-key
cryptography algorithms on mobile devices, owing to the faster solution ECC offers with less
computing power. When key lengths are shorter, they require less computing power, which means that
faster and more secure connections are available to mobile devices. According to Eberle (2004), there
are several additional advantages of using ECC that include the following:
a) Greater security ─ ECC presents stronger protection against attacks than current
encryption methods. The ECC algorithm relies on a mathematical model that makes
it difficult for hackers to attack the system.
b) Better performance ─ ECC requires a shorter key length to provide a higher level of
security, meaning that a 256-bit ECC key provides the same level of protection as a
3072-bit RSA key.
c) Investment protection ─ ECC helps protect one’s infrastructure investment by
providing enhanced security that can handle the explosion in the growth of mobile
13 | P a g e
device connections. ECC key lengths increase at a slower rate than other encryption
key methods, potentially extending the life of the existing hardware and giving one
a greater return on investment.
d) Mobile advantage ─ ECC’s smaller key length means that smaller certificates are
required, consuming less bandwidth. As more customers move to smaller devices
for their online transactions, ECC offers a better customer experience. Currently, no
drawback of ECC has been reported.
2.4.1 Supported curves
Pretty Good Privacy (PGP) is a data encryption and decryption computer programme that provides
cryptographic security and privacy for data communication (Garfinkel, 1995). PGP is regularly utilised
for signing, encrypting and decrypting text, files, and disk partitions; and in securing sensitive files
when stored in vulnerable places such as mobile devices or in the cloud (Geier, 2014). EC keys are new
to the OpenPGP standard, and are defined by (Jivsov, 2012). Each EC OpenPGP key pair is based on
one of the three curves currently defined by the standard Elliptic curves:
a) NIST P-256 (DidiSoft.Pgp.EcCurve.P256);
b) NIST-384 (DidiSoft.Pgp.EcCurve.P384); and
c) NIST-521 (DidiSoft.Pgp.EcCurve.P521).
The strongest keys are the keys based on the NIST curve P-521, whereas the keys based on NIST curve
P-256 are the weakest.
2.4.2 Key-generation speed
The key generation of EC keys is much faster than the traditional RSA and DH/DSS keys ─ the key
generation takes less than ten seconds. Table 1 details a summary of three types of well-known public-
key cryptosystems. As shown in the last column listed as bits or minimum-size public keys, RSA,
Diffie-Hellman and DSA may all be attacked using sub-exponential algorithms. However, the best-
14 | P a g e
known attack on ECC requires exponential time. Based on this reason, ECC can offer equivalent
security with substantially smaller key sizes (Lenstra & Verheul, 2001).
Security (BITS) Symmetric encryption algorithm
Minimum size (bits) of public keys
DSA/DH RSA ECC
80 Skipjack 1024 1024 160
112 3DES 2048 2048 224
128 AES-128 3072 3072 256
192 AES-192 7680 7680 384
256 AES-256 15380 15360 512
Table 2-1: A comparison of public-key cryptosystems (Vanstone, 2003)
2.4.3 Utilization of elliptic-curve cryptography
The strength of elliptic-curve cryptography makes it most suitable for resource-constrained systems.
ECC provides greater security for a given key size and may be efficiently and compactly implemented.
These attributes make it well suited to systems with constraints on processor speed, security, heat
production, power consumption, bandwidth, and memory. Cellphones, PDAs, wireless devices,
laptops, and smart cards are applications that benefit from elliptic-curve cryptosystems.
2.5 RIVEST-SHAMIR-ADLEMAN (RSA)
RSA is one of the first practical public-key cryptosystems ever introduced; and probably the most
commonly used public-key cryptosystem in the world for securing data communication (Easttom,
2014). In such a cryptosystem, the encryption key is public; and the decryption key, which is kept a
secret, differs from the encryption key. The strength of RSA is based on the practical difficulty of
factoring the product of semi-prime numbers. This is also known as the factoring problem.
The RSA algorithm is a secure, high-quality, public-key algorithm (Zhang, Xu & Wu, 1997)
which may be used to exchange confidential information such as keys, and to produce digital signatures.
However, the RSA algorithm is computationally exacting, operating on very large numbers. A user of
15 | P a g e
RSA creates and then publishes a public key based on the two large prime numbers, along with a
secondary value. These two prime numbers must be kept secret.
Anyone can use the public key to encrypt a message, but with currently published methods, if
the public key is large enough, only someone with knowledge of the prime numbers can feasibly decode
the message (Robinson & Sara, 2003). Breaking RSA encryption is known as the RSA problem. An
interesting feature of the RSA algorithm is that it allows most of the components used in the encryption
process to be reused in the decryption process.
2.6 DIGITAL SIGNATURES ALGORITHM (DSA)
A digital signature or digital signature scheme is a mathematical scheme for demonstrating the
authenticity of a digital message or document. A valid digital signature gives a recipient reason to
believe that the message was created by a known sender, and that it was not altered in transit (Abidi,
Bouallegue & Kahri, 2014). A digital signature is a number depending on some secret known only to
the signer (the signer’s private key) and, additionally, the contents of the message being signed.
DSA is a system that was proposed in August 1991 by the United States (US) National Institute
of Standards and Technology (NIST); and was specified in a US Government Federal Information
Processing Standard (FIPS 186). Digital signature schemes may be used to provide the following basic
cryptographic services: data integrity (the assurance that data has not been altered by unauthorised or
unknown means); data origin authentication (the assurance that the source of data is as claimed); and
non-repudiation (the assurance that an entity cannot deny previous actions or commitments) (Zhang et
al., 2015).
The Digital Signature Standard (DSS), as defined by NIST (FIPS 186) in 1994, specifies DSA as
an accepted algorithm for generating and verifying digital signatures. DSA is an asymmetric encryption
standard whose basic components are key generation, signature generation, and signature verification.
According to the DSS, the purpose of the Digital Signature Algorithm is to provide the capability of
generating and verifying signatures, to the extent that the identity of the signatory and the integrity of
the data may be verified.
16 | P a g e
2.7 M-COMMERCE SECURITY MODELS
This section discusses and analyses M-commerce security models that have been implemented to solve
the challenges of M-commerce. These security solutions have their benefits and limitations: these will
be discussed.
2.7.1 Biometric techniques
Biometrics is gaining attention as organisations look for more secure authentication strategies for user
access, E-commerce, and M-commerce, as well as other security systems. Biometric-based
authentication systems are becoming very popular because of their ability to differentiate between a
legitimate user and an imposter, by verifying their physiological or behavioural characteristics (Jivsov,
2012).
In Information Technology, biometrics usually refers to authentication techniques that depend
on measuring and analysing human body characteristics, for example, fingerprints, eye retinas and
irises, voice patterns, facial patterns, and hand measurements (Jain, Nandakumar & Ross, 2016).
However, fingerprint-based biometric authentication systems have attracted more attention, and mostly
deployed existing unique biometric techniques, utilised for user authentication (Pawar, Gawande &
Deotale, 2012).
User authentication in M-commerce is achieved by the use of mobile devices such as
smartphones, laptops and PDAs. The fundamental strategy of the biometric technique is that both the
user and service provider recognise each other without an additional device. The disadvantage of
biometric techniques is that they use only encryption methods for user and payment details for the
secure transfer of the data. By not using a security conversation mechanism such as WAP gateway, data
is not guaranteed to be secured. No merchant authentication is available in biometric techniques.
Other shortcomings of biometric techniques include tracking capacities. The biometrics
framework has many databases which contain individual information and data of general society,
contributing to numerous issues of maintaining every individual’s privacy. Many people fear that
approved individuals who take control of biometrics systems will have the capacity to track people
17 | P a g e
without their knowledge. An example of such a concern is the facial recognition system, whereby the
systems recognise and verify every individual wherever they go. This may be seen as an invasion of
privacy (States, 2001).
The proposed solution to be implemented in this dissertation will be the protection of
individual data, owing to authentication to the WAP gateway being required. Furthermore, individuals
who are authorised to have access to system devices will not be able to tamper with the data on the
systems.
2.7.2 Advanced mobile security solution based on distributed key
Current M-commerce security solutions are divided into software-only, hardware-based, or biometrics
solutions. Most financial institutions are using hardware encryption, such as electronic-key encryption
and alternative software encryption for the users. However, current M-commerce security techniques
still adopt software encryption, even the plaintext of the short message service (SMS), to protect the
commercial transaction, which is easily attacked by hacking or a virus.
The concern of M-commerce security is the place at which the encryption key is stored.
Sometimes it is stored in the internal mobile device or the Subscriber Identity Module (SIM). Should
the SIM be used to store the encryption key, this key may easily be stolen by third parties, in cases in
which the mobile device does not have a hard-drive protection mechanism. In addition, the SIM may
be attached to or copied by a SIM-cloning device.
COMP128 algorithms are implementations of the A3 and A8 algorithms, as defined in the GSM
standard. The A3 algorithm is used to authenticate the mobile device to the network, whereas the A8
algorithm is used to generate the session key used by A5 to encrypt the data transmitted between the
mobile station and the base transceiver station (BTS). The COMP128-1 hash function is considered
weak because there is insufficient diffusion of small changes in the input. Practical attacks have been
demonstrated that can recover the subscriber key from the SIM (Brumley, 2004). Therefore, neither the
GSM nor the COMP128 is sufficiently secure.
18 | P a g e
Tiejun & Leina (2012) acknowledge that there is a need to provide an eKey with Bluetooth,
IrDA, and a near-field communication (NFC) adapted interface to mobile devices, in particular one that
will allow the authors better to demonstrate the applicability of the solution to a wide variety of
application domains. However, this has not yet been tested nor implemented in an M-commerce
environment. Additionally, the use of an actuator ─ a type of motor responsible for moving or
controlling a system ─ will eventually improve the development of their mobile information security
solution, providing end-to-end security. What makes the solution unique is that, should the device used
to store the encryption key be lost, the encryption key would not be used to decrypt data. The algorithm
that is used to authenticate mobile devices to the network is weak, compared with the algorithm that we
are proposing. Furthermore, third-party individuals are not able to recover keys once the session has
expired.
2.7.3 Improved double-encryption model
Wang & Fan (2010) proposed an improved security solution for the WAP gateway based on the “double
encryption model”. With their solution, each symmetric-encryption algorithm, public-key encryption
algorithm, and message-digest algorithm owned by mobile terminals and content servers has a priority.
For instance, the most generally utilised algorithm has the highest priority; the second-most widely used
algorithm has second priority; the third-most widely used algorithm has third priority, and so on.
Initially, the mobile terminal will simply send a group of algorithms of the highest priority to the
application server, as opposed to sending all of its algorithms to the server.
Next, the application server will compare the algorithms sent by the mobile terminal with its own
algorithms, by organising them from the highest to the lowest priority. The algorithm with the highest
priority is chosen as it is the most generally utilised algorithm. The improved double-encryption model
of selecting the best matching algorithm between the mobile terminal and server is less demanding and
simpler than the double-encryption model, because the algorithm will be stored on the server and the
terminal. This solution has the capacity to decrease the complexity of the encryption process between
mobile terminals and servers, shortening the time interval of consultations, and increasing the
19 | P a g e
connection speed and degree of security during the mobile transaction. This solution has constructed a
secure channel between the mobile terminal and application server, because the data is protected during
the whole transmission process. Therefore, the solution has solved the weak point, in which the WAP
gateway is able to see the message in plaintext.
This solution simply needs to include encryption/decryption capabilities at the application layer
which do not require changes at the hardware level, making this easy to implement. However, the
solution of improved double encryption does not satisfy the concepts of mutual authentication, in which
parties are authenticating one another suitably. Furthermore, there is no maintaining and assuring of the
accuracy and consistency of sent and received data. The solution has been widely implemented on E-
commerce, and has been relatively successful, owing to the personal computer’s capacity for processing
algorithms that require a large amount of CPU power. Our approach must implement the solution in an
M-commerce environment, the transfer methodology of the Improved Double Encryption Model being
the same as that of the Double Encryption Model.
2.7.4 LSB steganography and cryptography
Least significant bit (LSB) insertion is a common and simple approach to embed information in an
image file. Pawar et al. (2012) introduced security systems using a random least significant bit (LSB)
steganography and cryptography method. Steganography is a technique of hiding secret messages
within innocent-looking information called cover data (e.g., text, audio, image, video, and more) from
eavesdroppers. Johnson & Jajodia (1998) state that steganography’s role in security is to implement
steganography into cryptography in order to enhance it, not to change it. In the event that a concealed
message is encrypted, the message should likewise be decrypted if it is found, which offers another
layer of security. The proposed framework is said to be safe and secure as opposed to separately using
either the steganography or cryptographic method.
The framework of steganography demonstrates secure and undetectable communication in M-
commerce as well as in E-commerce. In this framework, instead of directly sending data, the data is
first encrypted using an encryption algorithm; this encrypted data is processed to hide in an image, using
20 | P a g e
a password. The stego-image, which is the encrypted picture, contains a hidden encrypted message. In
addition, an encrypted message is hidden in an image using “Random LSB Steganography”. The
message is embedded in a non-sequential LSB insertion pattern. It is difficult to detect LSBs in which
the message is embedded. The stego-image is inserted into a website, and the URL of the website is
sent to the user. After receiving the URL, the user downloads the picture by means of a special
programme. The user can extract data from the picture only if the authentication details entered by the
user are correct. This data will be in encrypted form and the user will decrypt it using the decryption
key.
The shortcoming of this solution is the size and protection of the data. If someone only sends
small data packets, this system will be adequate. However, if a large amount of data must be hidden
using steganography, this will be difficult to achieve. In addition to this, there is the protection factor.
Typically, secrets that are protected by steganography are not protected by anything else. If no one sees
the secret, the secret is safe. If they see it, however, they will have the data. Applying this model to M-
commerce transactions would be suicidal for users of M-commerce.
With our solution, data is not only protected by cryptography. Secure algorithms and digital
certificates are also used to secure data and communication. Large amounts of data may be used and be
protected without challenges, during M-commerce transactions.
2.8 THE NEED FOR SECURING M-COMMERCE
Mobile commerce plays an important role in society. With the rapid growth in the number of mobile
devices, the number of Internet users has increased exponentially over the years. With M-commerce,
the progress has been slow, owing to security issues. An enhanced security will drive the usage of M-
commerce. As previously discussed in the literature, authors, including Wang & Fan (2010), use public
keys which are best suited for E-commerce rather than M-commerce, this being CPU-demanding.
Another aspect is that these models do not provide end-to-end security, focusing only on certain aspects
of security.
21 | P a g e
According to Fire, Goldschmidt & Elovici (2014), existing solutions offer insufficient security.
However, our solution, which focuses on enhancing security in an M-commerce environment, will
enhance end-to-end security.
2.9 SUMMARY
Our literature survey critically investigated various security solutions proposed for M-Commerce. Most
of the discussed security solutions have tried to repair security flaws in the WAP gateway. However,
the solutions discussed in the previous paragraphs do not satisfy the important security issues of mobile
commerce, such as data theft, data integrity, data confidentiality, and mutual authentication. These
important security issues of mobile commerce will be addressed by our proposed solution. The main
challenge is to enhance the security in M-commerce, using a WAP-enabled cryptography algorithm.
Since mobile devices have limitations such as low processing power and small storage space, it is very
difficult to implement cryptographic algorithms that will be processed by mobile devices. Our proposed
solution offers the following improvements:
a) The solution is compatible with many types of mobile terminals;
b) The encrypted information is encoded by double-layered encryption. Therefore, if
unauthorised devices and users manages to extract information from the gateway,
there won’t be able to decode the message without having the key; and
c) The possibility of disclosure of information is very low, because the information is
encrypted.
The adoption of double-layered encryption schemes solves the security problem thoroughly exposed in
the WAP gateway data-information decrypting and encrypting process. Secondly, the ECC public key
system is superior to RSA and DSA. The comparison between the decryption times of ECC, RSA, and
DSA/DH was shown in Table 2.1.
In the next chapter, we describe the model used in developing our WAP-enabled cryptographic
algorithms.
22 | P a g e
3. THE MODEL
This study has defined M-commerce as a way of using a mobile device, such as a personal digital
assistant (PDA) or mobile phone, to perform an electronic transaction that has financial implications.
Hence, this chapter will further discuss the enhancing of mobile-commerce security through a WAP-
enabled cryptographic algorithm. M-commerce is as yet an emerging market, security still of major
concern to all parties involved. Adequate security in M-commerce is needed, so that organisations may
be able to perform successful transactions over the network. Users do not yet fully trust M-commerce
to safeguard their data from unauthorised people.
The main question this dissertation attempts to answer was stated as a way or ways in which a
WAP-enabled cryptographic model can enhance mobile commerce security. Another closely related
question concerns how to select a suitable WAP-enabled cryptographic model in mobile commerce.
Mobile devices have several limitations, such as limited computing power, lack of storage, and
processor speed. Therefore, it is necessary to choose a cryptographic algorithm that will be compatible
with mobile devices. It is also important to produce an algorithm that can encrypt more speedily,
requiring fewer computing resources, while being more difficult to decrypt.
Our model deals with an improved double-encryption method incorporating the ECDH and
ECDSA algorithms, enabling more security, leading to one reliable solution.
The remainder of the chapter presents our proposed algorithm design and architecture.
Algorithm design is a specific method of creating a mathematical process for solving problems.
Architecture is a conceptual model that defines the structure, behaviour, and other views of a system.
An architectural description is a formal description and representation of a system, organised in such a
way that it supports reasoning about the structures and behaviour of the system.
3.1 MODEL OVERVIEW
Our model deals with an improved-double-encryption method incorporating the ECDH and ECDSA
algorithms, making it more secure, therefore leading to one reliable solution. ECDH and ECDSA
technologies have been implemented separately, however, integrating them will greatly strengthen the
23 | P a g e
security in M-Commerce. In order to establish an end-to-end secure channel between mobile users and
mobile commerce service providers, we propose the TLS protocol based on PKI and the CA
architecture. ECC as the public-key algorithm will be used to realise the CA certificate, rather than the
traditional RSA public-key algorithms. By using ECC, we gain security equivalent to RSA; however,
with less memory usage, less CPU consumption, and at increased speed (Jansma & Arrendondo, 2004).
3.2 AUTHENTICATION
According to Schneider (2013), authentication is defined as follows:
“It should be possible for the receiver of a message to ascertain its origin; an intruder should not be
able to masquerade as someone else”.
The authentication technique ensures that the specified identity of the user is correct. In the beginning,
the first party introduces itself and claims to have some identity. This is not enough. The contacted party
also needs to know for sure that the contacting party is who it claims to be. The contacting party has to
present some verification to prove its identity. This may be as simple as using a password, or as
complicated as using a digital signature or certificate. In addition, the contacting party wishes to be
assured of the contacted party’s validity.
The contacted party has to present some identification of itself. After the authentication, the
service provider may be sure that the service is available to the user who has legitimate rights to use the
service. Equally, the user may place confidence in the service provider.
Authentication in the WTLS is carried out using certificates. Authentication may occur between
the client and the server, or the client may authenticate the server only. The latter procedure can obtain
only if the server allows authentication to occur. The server may require the client to authenticate him-
or herself to the server. However, the WTLS specification defines that authentication is an optional
procedure. Currently, X.509v3 [X509], X9.68 and WTLS certificates are supported. The WTLS
certificate is optimised for size. Authentication immediately follows after the client and server Hello
messages are exchanged. Hello messages are methods that a device uses to communicate with other
24 | P a g e
devices. The server sends a Server Certificate message to the client. The certified information given by
the server is listed in Table 3.1.
Figure 3-1: WAP-enabled cryptographic Model Overview
25 | P a g e
When the process of mutual authentication by means of a certificate is initiated, the sequence
of steps used is listed below:
1. A client requests access to a protected resource.
2. The server presents its certificate to the client.
3. The client verifies the server’s certificate.
4. If successful, the client sends its certificate to the server.
5. The server verifies the client’s credentials.
6. If successful, the server grants access to the protected resource requested by the
client.
Item Description
Certificate version Version of the certificate
Signature algorithm The algorithm used to sign the certificate
Issuer Defines the party who has signed the certificate, usually some certificate authority
(CA)
Valid not before The beginning of the validity period
Valid not after The end of the validity period
Subject Owner of the key, associated with the public key being certified
Public-key type Type (algorithm) of the public key
Parameter specifier Specifies parameters relevant to the public key
Public key The public key being certified
Table 3-1: Certificate Information (WTLS, 2008)
Figure 3.2 listed on the next page shows the process of SSL authentication and certificate-based mutual
authentication. Furthermore, it describes the sequence of steps that are performed during the
authentication of certificates by the client and the server. This process is successfully completed when
the client is able to verify the authenticity of the server, and the server is reciprocally able to verify the
authenticity of the client.
26 | P a g e
Figure 3-2: SSL authentication and certificate-based mutual authentication
(www.codeproject.com)
3.3 ENCRYPTION
This section demonstrates the process by which two separate strings are either encrypted or decrypted.
Figure 3.3 demonstrates the point at which two separate strings are combined into one full string before
being encrypted and decrypted. The encryption algorithm uses the ASCI method.
8 a b 4 e z 6 t y 7 m o 2 d s 1
Figure 3-3: Encryption and decryption
String -1:846721 Interval: 1
String-2: abezytomsd Size: 2
The above full string is a combination of two different strings named string-1 and string-2, in
which the two strings are arbitrarily chosen. Both strings have an equal length blank-padded to 32
27 | P a g e
characters. There are two other parameters, namely, interval and size. String-1 is separated into discrete
parts, in which the length of every part is equal to the interval (which is one); while string-2 is separated
into parts in which the length of every part is equal to the size (which is two) to form the full string. The
two strings are inserted interchangeably, starting with string-1 at index zero. Possible values for the
variable named sizes are 2, 4, 8, and 16, and possible values for the variable named interval are any
value from 1 up to the value of the variable named size.
A requirement is to formulate a mathematical equation known as fetch_index of the full string,
finding the nth character of string-1 without separating the full string into its two original strings. It must
be noted that the indexes are numbered from zero onwards; while the nth character is counted from one
to n. For example, the 5th character of string-1 is the character ‘2’ of which the index in the full string
is 12. The 6th character in string-1 is the character ‘1’ of which the index in the full string is 15.
3.4 ECDH KEY EXCHANGE ALGORITHM
The Diffie-Hellman key-exchange algorithm is a secure elliptic-curve algorithm that uses numbers
raised to specific powers to produce encryption/decryption keys, thus making the task of breaking the
code mathematically, difficult.
Based on this, using the Diffie-Hellman algorithm will enhance the security of the data that must
be securely transmitted over the network. The cryptosystem we aim to deliver is one in which the
sender and receiver exchange data by means of an unreliable network system. Should the shared secret
key between the sender and receiver be intercepted by the third party, the third party would not be able
to discover the shared secret key. This shared secret-key method is used in conventional cryptosystems.
The basic flow of an ECDH key exchange is as follows:
1. Client and server create a key pair to use for the Diffie-Hellman key-exchange
operation.
2. Client and server configure the key derivation function (KDF), which derives one
or more secret keys from a secret value, such as a master key, using parameters
agreed on by the client and the server.
28 | P a g e
3. The client sends its public key to the server.
4. The server sends its public key to the client.
5. Client and server use each other's public keys to generate the secret agreement.
We use an ECC Diffie-Hellman key (ECC-DH) for key agreement. The client generates an
ECC Diffie-Hellman public key and sends it to the server in a ClientKeyExchange message. To develop
the pre-master secret, the client multiplies the server’s public key by the Diffie-Hellman private key.
The pre-master secret is an initial value which is used to calculate the master secret. The server develops
the pre-master secret by multiplying the EC Diffie-Hellman public key by its private key. To guarantee
a secure communication channel, encryption keys or initial values for calculating keys must be
exchanged in a secure method. The certified exchange of public keys was described in the previous
section.
However, it is possible that the Server Certificate Message has not contained sufficient data to
allow the client to exchange the pre-master secret. In this case, a Server Key Exchange message is used
to provide such data. The key exchange mechanism of the WTLS specification also provides an
anonymous way of exchanging keys. In this process, the server sends a Server Key Exchange message
which contains the public key of the server. The key-exchange algorithm is the Elliptic Curve Diffie-
Hellman (ECDH). The message does not contain any certified information.
With the Diffie-Hellman-based algorithms, the client and the server calculate the pre-master
secret based on each other’s private keys and the public key of the counterpart. This message is omitted
if some Diffie-Hellman-based algorithm was used and the client certificate was requested, so that the
client was able to respond to it. If the client has listed the cryptographic key exchange methods that he
or she supports, the server may choose whether it is going to use an exchange method based on the
client's suggestions, or define another method. If the client has not proposed any method, the server has
to indicate the key exchange method (Lauter, 2004). Figure 3.4 lists below the process of ECDH key
generation.
29 | P a g e
Figure 3-4: ECDH key generation (Lederer et al., 2009).
3.5 PRIVACY
Privacy of data means that individuals have the ability to determine the data in computer systems that
may be shared with authorised individuals, where unauthorised individuals cannot have access to this
data (Bygrave, 2014). When users are on the network, they tend to send data to other networks. When
data is transmitted over the network, it may be intercepted by third parties. We need privacy to
determine the data in a computer system that may be shared with third parties. Privacy in the WTLS
specification is implemented by means of encrypting the communication channel.
The encryption methods used, and all the necessary values for calculating the shared secret key
are exchanged during the handshake, which is where communication is initiated. The first messages to
be exchanged, namely the Client Hello and the Server Hello messages, exchange random values. The
client generates a pre-master key from random data from itself and also from the server. It then encrypts
this with the server's public key, sending it to the server. From this data both client and server generate
30 | P a g e
a master key. During later phases, the client and the server exchange the pre-master secret. The master
secret is a 20-byte sequence that is calculated using the following formula:
𝑚𝑎𝑠𝑡𝑒𝑟𝑠𝑒𝑐𝑟𝑒𝑡 = 𝑃𝑅𝐹(𝑝𝑟𝑒𝑚𝑎𝑠𝑡𝑒𝑟𝑠𝑒𝑐𝑟𝑒𝑡, master secret, 𝐶𝑙𝑖𝑒𝑛𝑡𝐻𝑒𝑙𝑙𝑜. 𝑟𝑎𝑛𝑑𝑜𝑚
+ 𝑠𝑒𝑟𝑣𝑒𝑟𝐻𝑒𝑙𝑙𝑜. 𝑟𝑎𝑛𝑑𝑜𝑚)[0. .19] … … … … … … … … … … … … … … … . Equation 3.1
PRF stands for Pseudo-Random Function, which takes as input a secret, a seed and an
identifying label to produce an output of arbitrary length. Furthermore, [0..19] indicates a 20-byte
sequence used to determine the user authority and its location. The encryption algorithm used is chosen
during a handshake process. During this process, the server provides the client with a single cipher suite
chosen by the server. The client provides the server with a list of cipher suites. The cipher suites
comprise a bulk encryption algorithm and a MAC algorithm. A MAC algorithm is a symmetric key
cryptographic technique to provide message authentication, to confirm that the message has indeed
originated from the stated sender (its authenticity) and has not been changed during transmission.
The first item on the list of cipher suites is the preference of the client. If the server does not
find an acceptable cipher suite the handshake fails, and the connection is closed. Currently, the most
common bulk encryption algorithms supported are RC5 [RC5] with 40, 56 and 128-bit keys; DES
[DES] with 40 and 56-bit keys; and 3DES [3DES] and IDEA [IDEA] with 40, 56 and 128-bit keys. All
these algorithms are block-cipher algorithms. Block ciphering is a method of encrypting text in which
a cryptographic key and algorithm are applied to a block of data at once as a group rather than one bit
at a time (Luyster, 2001). No stream ciphers except NULLs are supported. Stream ciphering is a method
of encrypting text, in which a cryptographic key and algorithm are applied to each binary digit in a data
stream, one bit at a time (Pelzl & Paar, 2010).
However, this method is not much used in modern cryptography. Encryption keys are indicated
based on a key block. The key block is calculated from the initial values transferred during the
handshake, using the following formula:
31 | P a g e
𝑘𝑒𝑦 𝑏𝑙𝑜𝑐𝑘 = 𝑃𝑅𝐹 (𝑚𝑎𝑠𝑡𝑒𝑟𝑠𝑒𝑐𝑟𝑒𝑡 + 𝑒𝑥𝑝𝑎𝑛𝑠𝑖𝑜𝑛𝑙𝑎𝑏𝑒𝑙 + 𝑠𝑒𝑞𝑛𝑢𝑚 + 𝑠𝑒𝑟𝑣𝑒𝑟𝑟𝑎𝑛𝑑𝑜𝑚
+ 𝑐𝑙𝑖𝑒𝑛𝑡𝑟𝑎𝑛𝑑𝑜𝑚) … … … … … … … … … … … … … … … … … … … … … … … Equation 3.2
The key block variable is dependent on a sequence number that is recalculated in certain intervals
based on the key-refresh frequency. The key-refresh frequency is negotiated in the Client Hello and the
Server Hello messages. The expansion label is merely a string expression for calculation. The client
uses the string “client expansion” and the server uses the string “server expansion”. The encryption key,
the initial vector, and the MAC secret, are made up from the key block, based on the key lengths required
by the chosen algorithms (Boudriga, 2009). Client_random and server_random are values that allow
other key agreement algorithms to be registered by both the client and the server, whereby these values
will be changed randomly.
3.6 INTEGRITY
Data integrity is the assurance that information may only be accessed or modified by those authorised
to do so. Compromised data, after all, is of little use to organisations or individuals, not to mention the
dangers presented by sensitive data loss. For this reason, maintaining data integrity is a core focus of
many organisations’ security solutions. Data integrity is guaranteed using Message Authentication
Codes (MAC). The MAC algorithm used is selected by the server when the encryption algorithm is
decided on. As stated before, the client sends a list of supported MAC algorithms in which the preferred
algorithm is the first in the list. The server returns the selected algorithm in the Server Hello message.
Secure hash algorithms (SHA) and Message-Digest-5 (MD5) are common MAC algorithms
supported by WTLS. There are several different versions of both algorithms; for example, SHA exists
with 0, 40 and 80bit MAC sizes. The keyed MACs are calculated using the secure hash algorithm-1
(SHA-1). The modified algorithms are based on the SHA-1, however, only part of the output is used.
Similar versions of the MD5 algorithm exist.
A special MAC algorithm is the SHA_Exclusive OR (XOR) _40 which uses a 5-byte checksum.
First, the input data is divided into 5-byte blocks. Then all blocks are XORed one after the other. It is
32 | P a g e
required by the client that the XOR MAC be encrypted, and only be used for cipher-block-chaining
(CBC) mode. The algorithm is intended for devices with limited CPU resources. The MAC algorithm
is generated over the compressed WTLS data. The following values are used to calculate the MAC:
The HMAC_Hash equation illustrates the keyed MAC algorithm used, for example, SHA-1 or
MD5. The MAC_Secret value is one of the key block values. After the HMAC_Hash value is generated,
the determined length of the MAC value is set to the WTLS cipher text-structure (Lam et al., 2003).
The previous sections explained how the secure session is negotiated between the client and the
server. After these negotiations, both communicating parties have a uniform secure state which contains
the security parameters described in Table 3.2.
The current status of the client and the server is completed by means of the security parameters
and is continuously updated. Each connection state includes elements such as the current encryption
keys, MAC keys, initiation vectors, and sequence numbers. Both the server and the client have separate
secret keys for encryption, MACs, and more (Dierks & Rescorla, 2008).
3.7 ELLIPTIC CURVE DIGITAL SIGNATURE (ECDSA)
A digital signature is a mathematical scheme for exhibiting the authenticity of a digital message or
record. A valid digital signature gives a recipient grounds to believe that the message was written by a
known sender, that the sender cannot deny having sent the message (authentication and non-
repudiation), and that the message was not altered in transit (integrity).
Digital signatures are normally utilised for software distribution, financial transactions, and in
various situations in which it is critical to detect forgery or tampering (Hankerson, Menezes &
Vanstone, 2006).
33 | P a g e
Item Description
Connection End Indicates whether the entity considered is a client, or a server.
Bulk Encryption Algorithm An algorithm used for bulk encryption.
MAC Algorithm The algorithm to be used for guaranteeing the message
integrity/authentication.
Compression Algorithm The algorithm used to compress data before encryption.
Master Secret A 20-byte secret between the two peers in the secure connection.
Client Random A 16-byte value provided by the client.
Server Random A 16-byte value provided by the server.
Key Refresh The time interval specifying how often some connection state
parameters are updated (encryption key, MAC secret, and Initiation
Vector (IV).
Sequence Number Mode The scheme used to produce sequence numbers in the secure
connection. Options are implicit/explicit sequence numbering (ON
or OFF)
Table 3-2: The security parameters of the secure connection (Jormalainen & Laine, 1999b)
3.7.1 Size and Performance Advantages of ECC Signature Algorithms
The benefits of ECC-based certificates are normally two-pronged. Firstly, ECC-based signatures on a
certificate are smaller and faster to create; and the public key held by the certificate is smaller and also
more agile. Secondly, when at higher key strengths, verification becomes faster using ECC-based
certificates. The reason may be found in the basic mathematics behind elliptic curves (Hankerson et al.,
2006).
As highlighted in other issues by Lauter (2004), the security of ECC systems is based on the
elliptic-curve-discrete logarithm problem rather than the integer-factorization problem. This
difference allows ECC systems to start out smaller, and scales more efficiently as the bit size of the
matching symmetrical key increases. Ultimately, this allows for faster computations and smaller key
sizes for comparable security.
34 | P a g e
3.7.2 ECDSA Security
Computations required for ECDSA authentication are the generation of a key pair (private key, public
key), the computation of a signature, and the verification of a signature. The equivalent equations are
found in public literature (Khalique, Singh & Sood, 2010). Before an ECDSA authenticator can
function, it must know its private key. The public key is derived from the private key and the domain
parameters. This would assist by ensuring that the correct public key is generated by the authenticator
values. The key pair must reside in the authenticator’s memory. In this context, it means that the key
pair would not be exposed to the network. Thus, it becomes difficult to generate a key for unauthorised
users. The private key is not accessible from the outside world; but the public key must be openly read
and accessible. Without the private key, which resides in the authenticator, it becomes impossible to
generate the key pair. A random number generator is started; and when its operation is completed, it
delivers the numerical value that becomes the private key d (a scalar). Next, the public key Q (x,y) is
computed according to Equation 3.3 through point multiplication:
𝑄(𝑥, 𝑦) = 𝑑 ∗ 𝐺(𝑥, 𝑦) … … … … … … … … … … … … … … … … 𝐸𝑞𝑢𝑎𝑡𝑖𝑜𝑛 3.3
Figure 3-5: Keypair generation process (www.maximintegrated.com, 2016)
3.7.3 Signature computation
Both the elliptic-curve private keys and elliptic-curve public keys are generated randomly. The unique
identifier, which is only known to the client, will be randomly generated as a private key. The public
key will be publicly available on the site and will be listed under this identifier. In addition, the private
key of the client will be saved in a file on both the client and server side.
35 | P a g e
For example, if the client ID is 206183365, the private key of the user will be saved on the local
filing system under the name 206183365.private Key. The client then generates his or her public key.
The client public key will be saved on the server. This will enable the prototype to store the client
public key and make it available to everyone. To retrieve the client public key, the client ID is required.
3.7.4 Signature generation
A digital signature allows the receiver of a message to verify the message authenticity, using the
authenticator’s public key. First, the variable-length message is converted to a fixed-length message
digest h(m) using a secure hash algorithm (PUB, 2012) in which h(m) represents hash function. A secure
hash has the following characteristics:
a) Irreversibility—it is computationally unfeasible to determine the message from its
digest.
b) Collision resistance—it is impractical to find more than one message that produces
a given digest.
c) High avalanche effect—any change in the message produces a significant change in
the digest. After the message digest is computed, a random number generator is
activated to provide a value k for the elliptic-curve computations (see Figure 3.6).
Figure 3-6: Signature computation process
36 | P a g e
The digital signature consists of two integer numbers, namely, r and s. Equation 3.4 shows the
computation of r from the random number k and the base point G (x , y):
(𝑥1 , 𝑦1) = 𝑘 ∗ 𝐺 (𝑥 , 𝑦) 𝑚𝑜𝑑 𝑝
𝑟 = 𝑥1 𝑚𝑜𝑑 𝑛 … … … … … … … … … … … … … … … . 𝐸𝑞𝑢𝑎𝑡𝑖𝑜𝑛 3.4
To be valid, r must not be equal to zero. In the rare case in which r has been computed with a value
of 0, a new random number, k, must be generated; r must then be computed again. After r is successfully
computed, s is computed according to Equation 3.5 using scalar operations. Inputs are the
message_digest h (m); the private key d; r, and the random number k.
𝑠 = (𝑘 − 1(ℎ(𝑚) + 𝑑 ∗ 𝑟)𝑚𝑜𝑑 𝑛 … … … … … … … … … … … … . 𝐸𝑞𝑢𝑎𝑡𝑖𝑜𝑛 3.5
To be valid, s must not be equal to zero. If s is zero, a new random number k must be generated
and both r and s must be computed again.
3.7.5 Signature verification
Signature verification is the counterpart of the signature computation. The role of signature verification
is to verify the message authenticity using the authenticator’s public key. Using the same secure hash
algorithm as in the signature step, the message digest signed by the authenticator is computed which,
together with the public key Q (x, y) and the digital signature components r and s, leads to the result
(see Figure 3.7).
Figure 3-7: Signature verification process
37 | P a g e
Equation 3.4 shows the individual steps of the verification process. The inputs are the message digest h
(m), the public key Q (x, y), the signature components r and s, and the base point
G (x, y):
W = s -1 mod n
U1 = (h (m)*w) mod n
U2 = mod n
(x2, y2) = (U1*G (x, y) +U2*Q (x, y)) mod n
The verification is successful (“passes”) if x2 is equal to r, thus confirming that the signature was indeed
computed using the private key.
3.8 THE PROCESS
Double encryption is the process of encrypting an already encrypted message with the aim of enhancing
security. In Figure 3.8, we explain the security transmission process of how data is encrypted twice and
decrypted with different keys, before being sent across various network channels. The plaintext is
encrypted and then re-encrypted once again. This process ensures that data is never in plaintext when it
is transmitted over the network. Data privacy and data integrity are ensured by performing double
encryption. Furthermore, when data travels across the network, measures that are in place check if data
has not been tampered with. When data reaches its intended destination, it has been decrypted twice.
Listed next is a description of the steps on how the encryption and decryption process starts and how it
ends.
1. The mobile commerce security system adopts a double-layer-encryption technique
in its data transmission, and it provides secure transmission of data. Elliptic Curve
Cryptography is used in order to encrypt data. The mobile terminal encrypts data
message Msg0 to obtain Msg1 with key1 of the application server, before encrypting
Msg1 with key2 to obtain Msg2.
2. Msg2 is sent to the WAP gateway. The WAP gateway decrypts Msg2 with key2 to
obtain Msg1.
38 | P a g e
3. The WAP gateway encrypts Msg1 with TLS/SSLkey, key3 to obtain Msg3, before
sending it to the application server.
4. The application server decrypts Msg3 with key3 to obtain Msg1, then decrypts Msg1
with its own private key, key1, therefore it obtains the plain-text Msg0.
Figure 3-8: Security transmission process in the double-layer encryption scheme
3.9 SUMMARY
This section described ways in which mobile commerce security may be enhanced using cryptographic
algorithms. We discussed the need for and the importance of having the authentication process.
Furthermore, we elaborated on ECDH key generation, specifying ways in which keys will be generated
in our system. Digital signatures were used for exhibiting the authenticity of digital messages. The
privacy and integrity of data will not be compromised, owing to the algorithm developed to assist in
detecting modified data.
The next chapter describes the implementation of our cryptographic algorithms and the tools
and technologies used to accomplish the solution.
39 | P a g e
4. IMPLEMENTATION
The previous chapter dealt with the description of the model and its associated key algorithms. Based
on the model, we have designed a graphically driven prototype as a proof of concept to demonstrate the
applicability of the model. This chapter also demonstrates the efficiency of the prototype by describing
and explaining the system, using screenshots. Furthermore, this chapter concludes the methodology
used in achieving this study.
The prototype was implemented in the Visual Basic dot Net as the programming language. The
reason we have chosen to use the language is the benefits offered by the language, such as a drag and
drop interface. The prototype consists of the ECDH key generation algorithm, ECDSA signature key
generation, and the signing process and signature verification algorithm that will be used by the system.
In addition to this, algorithms which handle privacy and integrity issues are also implemented in this
chapter.
4.1 PROGRAMMING LANGUAGE, ENVIRONMENT, AND TOOLS
The environment used to implement the prototype of the ECDH algorithm and ECDSA algorithm is the
Windows 8.1 operating system; and the programming language used was Visual Basic dot net. Visual
Basic Studio Express 2013 is the version of Visual Basic dot net launched by Microsoft in 2013 (Sharp,
2013). Visual Basic Express 2013 has many new features compared with Visual Basic Studio 2012.
Similar to Visual Basic Express 2012, Visual Basic Studio Express 2013 is now integrated in a package
with other Microsoft Programming languages such as C# and C++.
4.2 PROTOTYPE ALGORITHMS
Two built-in functions, namely, Imports System.text and Imports System.Security.Cryptography
provide the cryptography functions that we use to secure encoding and decoding of data, as well as
hashing, random-number generation, and message authentication. System.text namespace contains
classes that represent ASCII and Unicode character encodings. The ECDSA class performs all
40 | P a g e
arithmetical computations and functionalities, such as generating a signature, signing, and verification.
ECDH is responsible for creating both private and public keys.
The System.Security.Cryptography package creates the secure hash of a message, specifically
the Message Digest functions (MD). SHA-1with ECDSA is the only hash function set for use with
ECDSA by NIST. However, SHA-256 with ECDSA is selected for our implementation, SHA256 with
ECDSA not compromising the protection of the ECDSA implementation.
Table 4.1 below represents the list of packages used when designing the prototype.
Packages Description
System.Security.Cryptography
System.security.text
Provides cryptographic services, including secure encoding and
decoding of data, as well as many other operations, such as
hashing, random number generation, and message authentication
ECDiffie-HellmanCng Provides a Cryptography Next Generation (CNG)
implementation of the Elliptic Curve Diffie-Hellman (ECDH)
algorithm. This class is used to perform cryptographic operations
ECDiffie-HellmanCngPublicKey Specifies an Elliptic Curve Diffie-Hellman (ECDH) public key
for use with the ECDiffie-HellmanCng class
SHA256 Computes the SHA256 hash for the input data
System.Net Uses SSL to encrypt the connection for several network protocols
Table 4-1: Visual Basic Packages used
4.3 AUTHENTICATING THE CLIENT AND THE SERVER
In mutual SSL authentication, both the client and the server authenticate each other through the digital
certificate so that both parties are assured of each other’s identity. With regard to this aspect, both client
and server use six handshake messages to establish the encrypted channel priorities for exchange of
messages. The sequence of steps was listed in Chapter 3 (see Section 3.2). After all six steps mentioned
in Chapter 3 (Section 3.2) are performed by client and server, both client and server are connected
41 | P a g e
successfully. The digital certificate of the server has been signed and verified. The message that is sent
through the network is securely encrypted. Transport Layer Security (TLS) is used as the protocol which
ensures secure transmissions of server and client messages. The dates and times determine when the
certificate was issued, and when the certificate is going to expire. Localhost is the device from which
the certificate was issued. The client and server will now be ready and able to exchange data securely
over the network. In concluding the authentication process, the server has authenticated the client using
digital certificates; the client will now connect securely to the network.
4.4 ECDH KEY EXCHANGE
For two peers to exchange a shared secret, they need first to agree on the parameters to be used. In
Elliptic Curve Cryptography, this is typically done through the use of named curves. A named curve is
simply a well-defined and well-known set of parameters that define an elliptic curve (Blake-Wilson et
al., 2006).
The details of how to obtain the other party’s key (the peer key) are omitted, as this is specific
to the particular situation. Note that one does not necessarily need to generate a new private/public key
pair for every exchange (although one may choose to do so). Also, note that the derived shared secret
is not suitable for use directly as a shared key. Typically, the shared secret is first passed through some
hash function, to generate a key.
In the ECDH key exchange algorithm, the client and the server first choose the public key that
both agree on. The client chooses a random private value. The server follows suit, also choosing a
random private value. The server and the client both use the public key agreed upon, together with their
private keys known only to them, to generate a public key. Next, the server sends the client the generated
public key. The client reciprocates accordingly. The server uses the client public key and its own private
key to generate a secret key agreement. The client uses the server’s public key and his or her own private
key to generate a secret key agreement. The generated value is calculated using the programming
algorithm code showed in Figure 4.1 below. The Do function ensures that the generated value will
continue to change whenever the public key value is requested.
42 | P a g e
The client starts by generating a public key randomly, producing it as follows:
Client public key value (m) = 3919f720331100c
The client public key value (m) is the value that the client will be publicly sharing with the
server on the network.
The generated value is calculated using the programming algorithm code depicted below.
Figure 4-1: Client public key
The server also generates its own random public key in which the server’s public key value =
1d19f7207b5f9bb.
The public key value of the server will be shared with the client publicly over the network. The server
public key is generated using the programming algorithm code depicted on the next page (see Figure
4.2). The advantage of choosing numbers randomly (above) proves that each device can produce a
different key each time it goes through the process. Both the server and client public values are made
public.
43 | P a g e
Both the client and server private values are generated randomly:
Client private key value=19f71f5e660be19f71f5e93427
Server Private Key Value= b5c1db37848719f5e660be
Client and server calculate the shared key as follows:
Client shared key = 1c19f7207b5f9bb
Server Shared key=1c19f7207b5f9bb
Figures 4.3 and 4.4 illustrate that the client receives the public key from the server, before using
his or her own private key and public key to calculate the shared key. Additionally, the server receives
the randomly generated public key from the client, using it and its own private and public key to
calculate its shared key. Thus, the server and the client both have the same key.
Figure 4-2: Server public key
44 | P a g e
Figure 4-3: Client private key value
Figure 4-4: Shared keys
45 | P a g e
Now that the client and the server have obtained the shared secret key, they use the shared keys
to view the encrypted message.
4.4.1 Elliptic Curve Digital Signature Algorithm (ECDSA)
The ECDSA applet contains three parts, namely, the key generation, signature generation, and signature
verification. The prototype has two entities, namely the client and the server. Firstly, a random Elliptic
Curve (EC) key pair (private key and public key) that was created in the ECDH is used to generate an
ECDSA signature. Next, the generated signature is used to sign the message verification being
conducted, to assure the accuracy of the process.
4.4.2 Key and Signature Generation
The ECDSA signature generation functions on numerous domain parameters, namely, a private key d
and a message m. The outputs are the signature (r, s), where the signature components r and s are
integers.
Message is txtmessage = “Testing Prototype”
The signature is generated using the client private key that was randomly generated. The
message is signed using a build-in function provided by visual basic. The algorithm ensures that there
is a string to sign.
The txtmessage is signed, and yields the following value:
JF2mqVnquTiocQn2cL4FGc0QV+hV5x8sH+Au8+yR6B6HZ1dts09zMYliFh7+VtzK4m9i0LpaOBH
dLWF5emRZdGSWwEiboTimY9RSvQtdZ1z6hGx9gxU2P+vErNnE1YAihuBb242bY68B2qks7y1D
aqzxdymhjBqri290QHN2wzA
The message has been signed.
46 | P a g e
Figure 4-5: Signing message
4.4.3 Signature verification
Depending on whether the server knows the ID of the client, the server will be able to verify the
signature of the client as soon as the signature has been created. Knowing the client’s ID, the server can
select the ID from the list of public keys stored in the server’s memory. The server can determine
whether the signature is valid, given the client public key. The signature value is sent to the server to
verify its validity or otherwise. The server accepts the message if the signature is valid, and allows for
authentication. Otherwise, the signature is invalid.
The test is performed for verification purposes, ascertaining whether the signature has been
tampered with. The client and server values must be the same to ensure that the signature message is
valid. Figure 4.6 listed on the next page illustrates the programming sense behind the testing.
Client =05d8ec67f64d6c96ab2f1d236370237d9176f28517fc912b62ce3b7242bb6e08
Server=05d8ec67f64d6c96ab2f1d236370237d9176f28517fc912b62ce3b7242bb6e08
If the message produces a different value, it means that the signature is not valid.
47 | P a g e
Figure 4-6: Signature verification
4.5 SUMMARY
This chapter described the tools and technologies needed to develop our prototype. The prototype
describes ways in which data will be secured over the Internet by the use of WAP-enabled cryptographic
algorithms defined in our model. The chapter demonstrated and explained our prototype using actual
sample inputs that were selected randomly. The Visual Basic language offered the platform to deliver
the functionality of our prototype, enabling the graphic-driven prototype to clearly demonstrate the
capability of our system. The prototype demonstrated the ability to provide a high level of security for
data transfer in a public interface through the Visual Basic application.
The next chapter discusses the experimental evaluation of our prototype.
48 | P a g e
5. EXPERIMENTAL EVALUATION
This chapter covers the tests that were performed on our system in the present study. It comprises the
procedures that were used in carrying out the testing process. Various tests were applied. The first test
is to determine that the shared secret keys between entities may be created and sent securely over the
network, using the ECDH algorithm to encrypt and decrypt data. The other test is to determine whether
the message transmitted over the network may be verified as valid by signing a message using the
ECDSA.
5.1 TESTING AND EVALUATING THE PROTOTYPE
In this section, we are testing and evaluating the implementation of our prototype. The aim of this
section is to prove that we have implemented the proposed algorithm effectively. VB.net socket layer
programming has been used to connect the client and the server. Messages are transmitted from the
client to the server when the socket is created. As soon as the client and the server are connected to each
other, a number of different steps take place. The process of creating the shared key is tabled below (see
Table 5.1)
Client Server
Step 1: Client chooses a random number to
compute the public key.
Step 2: Server chooses a random number to
compute the public key
Step 3: Client chooses a random number and
keeps it to compute the private key.
y = a ^ m mod v
(value of y is sent to the server)
Step 4: Client chooses a random number and
keeps it to compute the private key
Z= a ^ c mod v
(value of z is sent to the client)
Step 5: Client computes the shared key.
K1= z ^ m mod a
Step 6: Server computes the shared key
K2= y ^ c mod q
Table 5-1:Process of Creating Shared Keys
49 | P a g e
The screenshot listed in the figure below indicates that the client has generated a random public
value and a client private value to be used. The private value is stored by the client and not shared. The
public random value is shared with the server. The server will also perform the same process of
generating both random public and private value. Furthermore, the public value of the server is shared
with the client over a network.
Figure 5-1: Randomly generated private and public key for client
Figure 5.2 listed below illustrates the actual values.
The server uses its keys as well as the client public key to compute a derived key. The client
also uses his or her own keys and a server private key to compute the derived key (see Figure 5.3). The
client and the server can now send each other their encrypted texts; however, they can only view the
message if they both have the same key (derived key).
50 | P a g e
Figure 5-2: Randomly generated private and public key for server
Figure 5-3: Shared key (derived key)
5.2 ELLIPTIC CURVE DIGITAL SIGNATURE ECDSA ALGORITHM
This section introduces the ECDSA algorithm which is used to sign the message, before verifying that
message has not been tampered with by a third party. Figure 5-4 illustrates how this verification is
achieved.
51 | P a g e
Figure 5-4: Elliptic-curved digital signature
The plaintext entered as “Testing prototype” is entered and encrypted using the receiver public key. The
SHA256 with ECDSA is used to hash the message. The results of the text are displayed as shown in
Figure 5.4. Furthermore, the signature is generated using the sender’s private key. The verification of
the signature is conducted using the public key. If the sender or the receiver wishes to view the encrypted
message, they must also know the shared key (derived key).
5.2.1 Case in which signature is either verified or invalid
The prototype now tests whether or not the signature has been modified. Performing this test will
determine whether the security on the system has been tampered with. As demonstrated in Figure 5.5,
the signature has not been modified.
In Figure 5.6 the signature was modified for testing purposes, which resulted in the system
alerting the user of the invalidity of the signature.
5.3 PERFORMANCE
Figure 5.7 listed on the next page demonstrates an alternative approach to examining the performance
of ECC, comparing it with RSA/DSA. This approach compares the key lengths of each algorithm that
will provide a level of security measured in a million instructions per second (MIPS) to break the
52 | P a g e
security. The graph further illustrates why ECC algorithms are chosen as preferred algorithms over RSA
and DSA in enhancing the security of M-commerce. Based on these results, we conclude that ECC is
the superlative system, taking into account RSA and DSA.
Figure 5-5: Signature verification
Figure 5-6: Signature verification not successful
The smaller key sizes of ECC possibly allow for less computationally able mobile devices to
use cryptography for securing data transmissions, message encryption/decryption and message
verification.
53 | P a g e
Figure 5-7: Algorithm comparison
5.4 SUMMARY
This chapter dealt with the experimental evaluation of the results of our prototype by using ECDH and
ECDSA algorithms. Furthermore, the discussion of the reason for choosing this ECC over other
cryptographic algorithms is supported by the results listed on the graph in Figure 5.7. In conclusion, by
evaluating and testing the prototype, we were able to demonstrate that the prototype has managed to
achieve its intended use of enhancing M-commerce security through cryptography.
0
2000
4000
6000
8000
10000
12000
14000
16000
18000
Skipjack 3DES AES-128 AES-192 AES-256
80 112 128 192 256
Size
of
Pu
blic
Ke
ys
Symmetriv Encryption Algorithm
Algorithm Comparison
DSA/DH RSA ECC
54 | P a g e
6. SUMMARY, CONCLUSION AND FUTURE WORK
This chapter presents the overall summary, future work, and finally, a brief conclusion of the study.
This study has addressed security challenges faced in a mobile commerce environment, affording ways
in which mobile commerce security may be enhanced by means of cryptographic algorithms.
In Section 6.1, the chapter revisits the problem as stated in Section 1.1. Section 6.2 furnishes a brief
summary of the main issues addressed in the dissertation, while Section 6.3 concludes the thesis,
followed by some future research issues discussed in Section 6.4.
6.1 PROBLEM STATEMENT REVISITED
The main aim of the dissertation was to develop and implement cryptographic algorithms that could
enhance security in a mobile commerce environment. The view expressed in this study is that users of
M-commerce must be able to perform mobile transactions securely over networks without their
information being compromised.
We worked from the assumption that when data is not encrypted while it travels over the network,
it becomes vulnerable to various attacks such as man-in-the middle attacks, eavesdropping, and more.
The following research questions were therefore raised at the beginning of this study. The primary
question asked how a WAP-enabled cryptographic model may be used to enhance mobile commerce
security. The follow-up questions were: How may a suitable WAP-enabled cryptographic algorithm be
chosen in mobile commerce? How may the WAP-enabled cryptographic algorithm be developed and
implemented effectively in M-commerce? and lastly, How may the WAP-enabled cryptographic
algorithms be evaluated?
To answer these research questions, the following objectives were set: firstly, to determine ways
in which a WAP-enabled cryptographic model may be used to enhance mobile commerce security. The
second objective was to choose a suitable WAP-enabled cryptographic algorithm for mobile commerce.
The third objective was to develop and implement an effective WAP-enabled cryptographic algorithm
for M-commerce. Lastly, the WAP-enabled cryptographic algorithms had to be evaluated.
55 | P a g e
In an attempt to evaluate the contribution of the study the remaining sections of this chapter
present a summary and conclusion of the study, based on how the research questions were answered,
and the set objectives realised.
6.2 SUMMARY OF RESEARCH
The main goal of the study was to enhance mobile commerce security through cryptographic algorithms
suitable for mobile devices. To achieve that goal, various cryptographic algorithm techniques were
studied, exposing their strengths and weaknesses, to determine which are more suitable for security in
mobile commerce. Additionally, we discovered that ECC algorithms are more secure and easily
compatible with M-commerce devices, owing to their utilising less computational power. Furthermore,
we demonstrated why ECDSA and ECDH are more secure than DSA and Diffie-Hellman (DH) key
exchanges, respectively. The features of ECDSA enabled us to generate, sign, and verify a signature,
while ECDH allowed us to secure messages by encrypting and decrypting them.
The study further investigated ways in which ECDSA and ECDH algorithms may be effectively
implemented in an M-commerce environment. With the limitations of mobile devices, we cautiously
studied the cryptographic algorithms in order to implement them effectively. Choosing the most
appropriate cryptographic algorithm is not a simple task. A number of factors pose a challenge, such as
the difficulty of breaking the algorithm, speed of processing the algorithm, power consumption, and
memory requirements of the algorithm. All these factors had to be taken into consideration. We studied
the strength of individual cryptographic algorithms; and we realised that combining various algorithms
usually produces better results than when using individual algorithms.
On the design and implementation of the algorithms, we used the Visual Basic Studio
programming language to design the prototype. The use of Visual Basic enabled us to use cryptographic
built-in functions to enhance security. The design was split into two parts: the ECDH algorithm design,
and the ECDSA algorithm design. In the ECDH algorithm, the system creates randomly generated
private and public keys that are used to produce a shared key. The shared key is used to encrypt and
56 | P a g e
decrypt the message. In the ECDSA, the algorithm generates a signature, signs the message, and lastly,
verifies the signature.
Finally, as detailed in Chapter 5, the study compared RSA, DSA, and ECC in terms of speed and
performance. Furthermore, an experimental evaluation of ECDSA and ECDH was conducted to
demonstrate its applicability, usefulness, and the efficacy of the prototype. The study used ECC
cryptography as a solution to enhance security on mobile commerce.
The summary of the study clearly illustrates that the dissertation answered the primary goal and
its enumerated objectives, as measured against the intended contributions.
The main contributions of this study are summarised as follows.
a) The development of a formal WAP-enabled cryptographic model for M-commerce,
which ensures that data is transmitted in a secure manner over the network.
b) The development of a novel, cryptographic model, which contributes to system
optimality and usability.
c) The development of a formal specification of the cryptographic model using a
conventional modelling language such as Visual Basic Studio. The specification
provides a basis for demonstrating the feasibility of the practical realization and
application of the model.
d) The development of a prototype of the WAP-enabled cryptographic algorithm as a
proof of concept that demonstrates the theoretical and empirical validity of the
model.
e) The development of a system that will help in enhancing security which will be
useful for large corporations and individuals to perform their transactions safely.
57 | P a g e
6.3 CONCLUSION
An ideal solution to mobile-commerce security challenges is to develop an end-to-end security model,
which ensures that data from the transfer point to the destination point is entirely secured. According to
(Winkler, 2013), “always there is no perfect secure system”, especially in M-commerce, since the
mobile communication system and all its applications are still growing.
In this study we have shown that security of M-commerce has been improved greatly by using
various cryptographic algorithms. ECC algorithms are suitable in an M-commerce environment thanks
to their advantages over other cryptographic algorithms. The model proposed in this study has several
advantages. These are:
• The prototype is compatible with many types of mobile devices;
• The encrypted information is encoded by double-layered encryption. Therefore, if someone
manages to extract information from the gateway, he or she will not be able to decode it without
having the key;
• The use of ECDH makes it nearly impossible for unauthorised people to decrypt the message;
• The algorithm provides end-to-end security. The possibility of disclosure of information is very
low, because the information is encrypted.
Based on experimental results of this study, the following conclusion is presumed. Firstly, it may
be said that the use of integrated cryptographic algorithms in enhancing the security of M-commerce
was successful. ECDSA and ECDH were evaluated against other cryptographic algorithms in terms of
key size, speed, and compatibility. Secondly, the proposed algorithms enhanced the current security
issues regarding confidentiality, privacy, and integrity. Thirdly, the use of Visual Studio made it easy
to implement our cryptographic algorithms, and to integrate them fully.
6.4 FUTURE WORK
M-commerce security is an issue of paramount importance, requiring further research to introduce
efficient and effective solutions. The findings in this dissertation have exposed many problems that still
exist in mobile-commerce security. We proposed a model that combines various cryptographic
58 | P a g e
algorithms that were discussed in the study. Furthermore, we designed a prototype that represents our
model.
ECC increases the size of the encrypted message significantly more than RSA encryption. Further
research may be conducted on reducing the size of the encrypted message when implemented in a
mobile-commerce environment. This will also improve the performance of ECC, thus making ECC
reliable for wider adoption. In our literature review we discovered that the solutions implemented do
not provide end-to-end security. With the integration of cryptographic algorithms, we managed to
provide end-to-end security measures for an M-commerce environment.
59 | P a g e
7. REFERENCES
Abidi A, Bouallegue B, Kahri F (2014) Implementation of elliptic curve digital signature algorithm
(ecdsa). Paper presented at the Computer & information technology (gscit), 2014 Global summit.
Alliance OM (2002). Wireless application protocol public key infrastructure definition. Technical
report, OMA.
Amadeo M, Molinaro A, Campolo C, Sifalakis M, Tschudin C (2014) Transport layer design for
named data wireless networking. Paper presented at the computer communications workshops (Infocom
wkshps), 2014 IEEE conference.
Bellovin SM (2006) Cryptography.
Blake-Wilson S, Moeller B, Gupta V, Hawk C, Bolyard N (2006) Elliptic curve cryptography (ecc)
cipher suites for transport layer security (tls).
Boudriga N (2009) Security of mobile communications. Us: Taylor & Francis group, LLC.
Brumley B (2004) A3/a8 & comp128. T-79.514 special course on cryptology.
Bygrave LA (2014) Data privacy law: an international perspective. Oxford University Press.
Coppersmith D (1994) The data encryption standard (des) and its strength against attacks. IBM journal
of research and development, 38(3):243-250.
Delfs & Nebl H (2007) Introduction to cryptography: principles and applications. Springer science &
business media.
Dierks T & Rescorla E (2008) The transport layer security (tls) protocol version 1.2.
Easttom C (2014) The RSA algorithm explored.
Eberle HG, Nils S, Sheueling CG, Vipul R, Sundaram L (2004) A public-key cryptographic processor
for RSA and ECC. Paper presented at the application-specific systems, architectures and processors,
2004. Proceedings. 15th IEEE international conference.
Fire M, Goldschmidt R, Elovici Y (2014) Online social networks: threats and solutions. IEEE
Communications surveys & tutorials, 16(4):2019-2036.
Forum W (2002) WAP 2.0 Technical WAP white paper. WAP forum [online]. Available from:
http://www.wapforum.org. [accessed: 25 July 2016].
Garfinkel S (1995) PGP: Pretty good privacy. " O'reilly media, inc.".
60 | P a g e
Geier E (2014) How to use Openpgp to encrypt your email messages and files in the cloud. August 22,
2014: Pcworld.
Grami A & Schell B (2004) Future trends in mobile commerce: service offerings, technological
advances and security challenges. Paper presented at the PST.
Hankerson D, Menezes AJ, Vanstone S (2006) Guide to elliptic curve cryptography. Springer science
& business media.
Jain AK, Nandakumar K, Ross A (2016) 50 Years of biometric research: accomplishments, challenges,
and opportunities. Pattern recognition letters.
Jansma N & Arrendondo B (2004) Performance comparison of elliptic curve and RSA digital
signatures. Nicj. Net/files.
Jivsov A (2012) Elliptic curve cryptography (ecc) in Openpgp.
Johnson NF & Jajodia S (1998) Exploring steganography: seeing the unseen. Computer, 31(2):26-34.
Khalique A, Singh K, Sood S (2010). Implementation of elliptic curve digital signature algorithm.
International journal of computer applications, 2(2):21-27.
Kessler GC (2012). An overview of cryptography. Published by Auerbach, 22.
Koblitz N (1987) Elliptic curve cryptosystems. Mathematics of computation, 48(177):203-209.
Koblitz N, Menezes A, Vanstone S (2000) The state of elliptic curve cryptography. In: Towards a
quarter-century of public key cryptography. Springer:103-123.
Kumar A (2013) Asymmetric key cryptography. Available at SSRN 2372882.
Lam KY, Chung SL, Gu M, Sun JG 2003. Lightweight security for mobile commerce transactions.
Computer communications, 26(18):2052-2060.
Lauter K (2004) The advantages of elliptic curve cryptography for wireless security. IEEE wireless
communications, 11(1):62-67.
Lederer C, Mader R, Koschuch M, Großschädl J, Szekely A, Tillich S (2009) Energy-efficient
implementation of ECDH key exchange for wireless sensor networks. In: Information security theory
and practice. Smart devices, pervasive systems, and ubiquitous networks. Springer:112-127.
Lenstra A & Verheul E (2001) Selecting cryptographic key sizes. Journal of Cryptology:255-293.
Luyster FC (2001) Block cipher method. Google patents.
61 | P a g e
Pawar PY, Gawande SH, Deotale DG (2012) M-commerce security using random LSB steganography
and cryptography. International journal of machine learning and computing, vol. 2(no. 4):427-430.
Pelzl J & Paar C (2010) Understanding cryptography. 1 ed.: Springer-Verlag Berlin Heidelberg.
Pub F (2012) Secure hash standard (SHS). Fips pub 180, 4.
Robinson, S (2003) Still guarding secrets after years of attacks, RSA earns accolades for its founders.
Siam news 36.
Roy SS, Järvinen K, Verbauwhede I (2015) Lightweight coprocessor for Koblitz curves: 283-bit ECC
including scalar conversion with only 4300 gates. Paper presented at the International workshop on
cryptographic hardware and embedded systems.
Saranya K, Mohanapriya R, Udhayan J (2014) A review on symmetric key encryption techniques in
cryptography. International journal of science, engineering and technology research (ijsetr), 3(3):539-
544.
Schneider B (2013) Applied cryptography: protocols, algorithms, and source code in c. John Wiley &
sons.
Sharma A, Kansal V, Tomar R (2015) Location based services in m-commerce: customer trust and
transaction security issues. International journal of computer science and security (ijcss), 9(2):11.
Sohani A & Sawant K (2016) PSDS: privacy preserving system for data security implementation and
countermeasures. International journal of computer applications, 156(4).
States JDWJU (2001) What concerns do biometrics raise and how do they differ from concerns about
other identification methods?" Army biometric applications: identifying and addressing sociocultural
concerns. Army, Arroyo center.
Tiejun P & Leina Z (2012) New mobile commerce security solution based on WPKI. Communication
systems and network technologies (CSNT), 2012 International conference on (pp. 485-488). IEEE.
Wang S & Fan L (2010) A solution of mobile e-commerce security problems. Paper presented at the
Education technology and computer (icetc), 2010 2nd International conference.
Winkler I (2013) Electronic privacy? There's no such thing [online]. Available from:
https://www.computerworld.com/article/2485219/security0/electronic-privacy--there-s-no-such-
thing.html. [accessed: 30 November 2017].
Xiangdong H, Qinfang W, Wang P, Xian J (2002) WAP security implementation of new type of
crypographic algorithm. Computer applications:22.
62 | P a g e
Xiuling J & Daxing L (2001) The security scheme of WAP. Computer applications, 21:2.
Yadav S (2009) M-commerce and its security issues in International journal of scientific research
engineering & technology (ijsret), 3(4).
Zhang CN, Xu Y, Wu CC (1997). A bit-serial systolic algorithm and VLSI implementation for RSA.
IEEE.
Zhang X, Ma S, Shi W, Han D (2015) Implementation of elliptic curve digital signature algorithm on
iris nodes. Paper presented at the Estimation, detection and information fusion (icedif), 2015
International conference.