Science Academy Transactions on Computer and Communication Networks (SATCCN) Vol. 1, No. 2, June 2011 ISSN: 2046-5157 Copyright © Science Academy Publisher, United Kingdom www.sciacademypublisher.com Science Academy Publisher

Modification of Mobile Web Shopping Protocol Using GAA and Analysis by Colored Petri Nets

Mansour Sheikhan 1, Ali Reza Sobhanie 1,2, and Mohammad Esmail Kalantari 3,4

1 Department of Electrical Engineering, Islamic Azad University, South Tehran Branch, Tehran, Iran
2 Development Studies Bureau of Telecom Company of Iran, Tehran, Iran
3 Department of Electrical Engineering, Islamic Azad University, Shahre-Rey Branch, Iran
4 Department of Electrical Engineering, Khaje Nasir Toosi University of Technology, Tehran, Iran


Abstract – In this paper, a platform for Authentication and Key Agreement in value-added services is proposed which uses the Universal Mobile Telecommunications System security infrastructure and the Generic Authentication Architecture. The focus is on mobile-commerce services, particularly on-line shopping for mobile users. For this purpose, the Generic Authentication Architecture, as a trusted party, is proposed for bootstrapping mutual Authentication and Key Agreement. The advantage of this proposal is that mutual Authentication and Key Agreement between Mobile Equipment Providers, Shopping Service Providers, and Financial Service Providers is performed without the users entering any Username and Password. The performance of the proposed protocol is compared with a similar authentication mechanism which uses the mobile operator infrastructure as a trusted third party, the Generic Bootstrapping Architecture of the 3rd Generation Partnership Project, and the Security Assertion Markup Language for implementing a controlled shopping service for a mobile station from multiple domains. For this purpose, Colored Petri Net modeling and the corresponding tool are used in this study. Simulation results, performed by Colored Petri Tools, show that the proposed protocol performs better in terms of the number of nodes and arcs employed, and consequently the delivery time of service, when compared to a similar recently proposed protocol. The number of nodes and arcs is decreased by 48 and 58%, respectively. The service delivery time is also reduced by 10%.

Keywords – Mobile, Web shopping, Authentication, Colored Petri net

1. Introduction

In the recent decade, due to the growth of mobile phone technology and the availability of Internet access, value-added services like Electronic commerce (E-commerce), and particularly web shopping services, have become more popular. A large population of web users is benefiting from various on-line services including product searches, product purchases and product comparison. In E-commerce, the payment requests are generally considered more important than search or browse requests [1]. The mobile payment services are under transition, with a history of numerous tried and failed solutions and a future of promising but yet uncertain possibilities with potential new technology innovations [2]. The topic of Mobile commerce (M-commerce) is under development and offers potential opportunities for further research and applications [3]. The relevant literature regarding mobile payment services has been reviewed in [4], along with an analysis of M-payment system characteristics. Also, the literature on mobile marketing has been organized and classified in [5], based on a review that covers 255 peer-reviewed journal articles from 82 journals published between 2000 and 2008.

As M-commerce has developed, the financial security associated with transactions, such as authentication, integrity, privacy, encryption, and confidentiality of the users' financial account information such as their Personal Identification Number (PIN) codes (Username and Password), has been taken seriously. For example, serious user privacy concerns with the 3rd Generation Partnership Project (3GPP) Generic Bootstrapping Architecture protocol, when used as the basis of security for certain off-portal applications, have been identified in [6].

In this paper, a protocol for authentication and payment between a Universal Mobile Telecommunications System (UMTS) subscriber or a Mobile Equipment (ME), an on-line Shopping Service Provider (SSP), and a Financial Service Provider (FSP) is proposed. The UMTS security infrastructure has three characteristics that make it an attractive infrastructure to bootstrap security for E-commerce services. The first one is its wide spread: the UMTS infrastructure consists of hundreds of participating mobile operators and many subscribers around the world. Most mobile operators


have roaming and billing agreements with one another. Once a user registers as a UMTS subscriber with a local operator in his country, he will be able to authenticate with many mobile operators. The second characteristic is its ease of use: users do not perform any verification and do not need to understand technical security transactions. The third characteristic is the level of security. The UMTS security architecture is acknowledged as an example of the principle of 'good enough' security, because of the right balance among cost-effectiveness, security, and usability [7].

The cornerstone of the proposed protocol is the Generic Authentication Architecture (GAA). The GAA is a security service. It consists of a set of specifications which describe how the cellular security infrastructure can be used to provide a general-purpose authentication service for applications and value-added services like on-line shopping services [8]. By applying GAA to the UMTS security infrastructure and designing the associated protocols, the security of financial transactions and the confidentiality of the users' financial account information will be satisfied. In this platform, the users will not use or memorize any Username and Password, or keep them safe, because they will not participate in the authentication transactions between ME, SSP and FSP by entering a Username and Password.

Analysis of the proposed protocol has been performed with Colored Petri Nets (CPN), which is an appropriate modeling language. The CPN has a graphical notation, and provides the capability of simulation and state space analysis. A major benefit of using CPNs is to obtain complete and unambiguous specifications of protocols.

This paper is organized as follows. The actors in the web shopping application are introduced in Section 2. The relations between the network entities that participate in UMTS clients' web shopping are discussed in Section 3. The UMTS security architecture and AKA procedure are detailed in Section 4. The GAA and its main procedures are reviewed in Section 5. The proposed protocol and its procedures (authentication, purchase and payment) for web shopping are introduced in Section 6. The CPN Tools analysis results are reported in Section 7, and the paper is concluded in Section 8.

2. Main Actors in Web Shopping

The five main parts in the structure of secure web shopping are the User Equipment (UE), the UMTS operator, the functions and entities of GAA, the web shopping service provider, and the financial service provider. The user device, known as UE, contains the client functionality. The subscriber's smart card is inserted in the UE. In UMTS this card is known as the Universal Integrated Circuit Card (UICC). The Subscriber Identity Module (SIM) is housed in the UICC, and the long-term subscriber keys are contained in the SIM. The UEs that are capable of using GAA have dedicated software in the operating system. This software facilitates the communication between UICC, Bootstrapping Server Function (BSF), and Network Application Function (NAF).

The UMTS operators provide enough bandwidth for mobile stations to connect to the network and use the service. For a secure connection, the procedure known as Authentication and Key Agreement (AKA) is initiated between the Home Subscriber Server (HSS) and the UE, via the Serving GPRS Support Node (SGSN). The result of performing this procedure is mutual authentication between the UE and the network (see Section 4).

For providing web shopping authentication (or mutual authentication between UE, SSP, and FSP), the GAA functions and entities should be added to the operator and the UE. The basic GAA has three different general network functions [9]:

• Home Subscriber Server (HSS), which is the subscriber database and contains the long-term subscriber key for each subscriber.
• Bootstrapping Server Function (BSF), which facilitates the use of AKA to bootstrap a new GAA master session key.
• Network Application Function (NAF), which is hosted in a network element. The NAF retrieves the session key from the BSF.

The BSF client is a GAA entity in the UE that participates in bootstrapping. It interacts with the BSF and the SIM. Another GAA entity in the UE is the NAF client, which obtains an application-specific bootstrapped key from the BSF client and uses it to secure the application protocol. The NAF client is an application-specific software element in the device.

The web shopping service provider is a commercial web server which provides a shopping mall service for the users. It is assumed that every UMTS client that is connected to the Internet can attach to these servers. Evidently, an agreement exists between the SSP and the mobile operator.

The FSP is another commercial web server, for example a bank server, in which the user has an account, and the FSP can charge him to pay the shopping service provider. For payment, there are two mechanisms. The first one is on-phone payment, and the other one is off-phone payment. The on-phone payment mechanism refers to the case when the subscriber uses the mobile operator as an FSP by charging the phone bills. The proposed protocol satisfies the off-phone payment mechanism. Also, an agreement on using GAA is needed between the Mobile Operator (MO), shopping service providers, and financial service providers.

3. Plan of UMTS Clients' Web Shopping

In this section, a plan for the relationship between the network entities that participate in the UMTS users' web shopping procedure is designed. These entities are the User Equipment (UICC, SIM, BSF client, NAF client), BSF, HSS, NAF, SSP and FSP. In this scenario, the HSS extracts the identity of a particular user in the UMTS network, and the user participates in this identification through his SIM card (AKA procedure [10]). The Generic Bootstrapping Architecture (GBA) of GAA, as described in [11], is used for mutual authentication and key agreement between the user, SSP and FSP. The BSF client at the UE uses the BSF to create application layer credentials, and then Ks will be shared between the NAF client and the NAF by the BSF. The NAF uses Ks to encrypt messages that flow to the user and contain the SSP and FSP profiles, for example ciphering key and lifetime, over the Ua interface. Finally, the UE uses the SSP and FSP profiles to do secure shopping and payment. In the proposed plan, we assume that UE has not been authenticated before, and Ks has been initiated between UE and NAF. In Section 6, we will describe the details of the protocol with the bootstrapping procedures. The processes of this scheme are shown in Figure 1 and consist of the following steps:

[Figure 1 (diagram): UE (SIM with int-Ks, BSF client and NAF client with ext-Ks), BSF, HSS, NAF, SSP and FSP, linked by AKA exchanges and the numbered flows 1 to 9 listed below.]

Figure 1. Plan of UMTS clients' web shopping.

1. The user decides to initiate a shopping application. This application is first processed by a NAF. The NAF client in the UE sends a request message to the NAF with his identification number and the identification of the SSP.
2. The NAF answers the UE and sends back the SSP profiles, such as cipher key and lifetime.
3. The user connects to the shopping server, and purchases.
4. The SSP sends an invoice message to the UE.
5. The UE sends a message to the NAF and requests the FSP profiles.
6. The NAF answers the UE and sends the FSP profiles back.
7. The UE connects to the FSP and sends the bill. The FSP will charge him.
8. The FSP sends an invoice confirmation message to the SSP.
9. The SSP will deliver the shopping service.

4. Overview of UMTS Security Architecture and AKA Procedure

Figure 2 shows a summary view of the UMTS access security. The Authentication Center (AuC) is an element which stores the secret cryptographic keys of users and computes the session keys and the authentication data. The AuC is a part of the HSS. The HSS is the main operator database, containing all subscriber data including the information about the location of the user. In the AuC, the secret key for a user is denoted by K. Another security parameter is the sequence number SQNAuC. The AKA algorithm generates the UMTS Authentication Vector (AV). The AV contains a quintuple of:

RAND: a random 128-bit number generated by the AuC.
AUTN: an authentication token containing SQNAuC in encrypted form, an Administrative Field (AMF), and a Message Authentication Code (MAC) that protects the integrity of the AV.
XRES: derived by a one-way function from (K, RAND).
CK: the Cipher Key, derived by a one-way function from (K, RAND) and used for confidentiality protection.
IK: the Integrity Key, derived by a one-way function from (K, RAND) and used for integrity protection.

[Figure 2 (diagram): HSS/AuC (K, SQNAuC, AKA algorithms) producing the Authentication Vector (RAND, AUTN, XRES, IK, CK); visited network VLR/SGSN checking XRES = RES; RNC with encryption and integrity algorithm; UE with ME (encryption and integrity algorithm, CK, IK) and USIM (K, SQNUSIM, AKA algorithm, checks SQNAuC > SQNUSIM and MAC = XMAC).]

Figure 2. Summary view of UMTS access security.

The Visitor Location Register (VLR) belongs to the Circuit-Switched (CS) domain, while the Serving GPRS Support Node (SGSN) belongs to the Packet-Switched (PS) domain. The VLR and SGSN obtain authentication vectors from the HSS/AuC node. When the subscriber has been attached to the VLR or SGSN, it is necessary to authenticate the subscriber. The VLR/SGSN transfers the CK and IK session keys to the Radio Network Controller (RNC). The RNC uses CK, IK, and the encryption and integrity algorithms for secure communication. The confidentiality protocols are applied to user data and signaling, but the integrity protocols are only used for the signaling. The encryption and integrity protection algorithms are based on the same block cipher cryptographic algorithm, called KASUMI. This algorithm uses 128-bit keys [12].

The secret key K is stored permanently in the UMTS Subscriber Identity Module (USIM) as well as in the AuC. When the USIM receives RAND and AUTN as inputs, it calculates CK, IK and RES. If everything has been done correctly, RES should be identical to XRES. The Mobile Equipment (ME) is the user device. It is capable of interfacing with the UICC, and acts similarly to the RNC.

The purpose of the AKA procedure is to authenticate the user and establish a new pair of cipher and integrity keys between the VLR/SGSN and the USIM. During the authentication, the USIM verifies the freshness of the AV by means of SQN. The VLR/SGSN invokes the procedure by selecting the next unused authentication vector from the ordered array of authentication vectors in the VLR/SGSN database. Authentication vectors in a particular node are used on a first-in/first-out (FIFO) basis. The VLR/SGSN sends the random challenge RAND and the authentication token AUTN from the selected AV to the USIM for network authentication. Upon receipt of RAND and AUTN, the USIM first retrieves the sequence number SQN, then computes XMAC and compares it with the MAC included in AUTN. If MAC is equal to XMAC, the user can trust the network. Next, the USIM verifies that the received sequence number SQN is in the correct range. If the sequence number is in the correct range, the USIM computes RES and includes this parameter in a user authentication response back to the VLR/SGSN. Finally, the USIM computes the cipher key CK and the integrity key IK.

Upon receipt of the user authentication response, the VLR/SGSN compares RES with the expected response XRES from the selected authentication vector. If XRES equals RES, then the authentication of the user has passed. The VLR/SGSN also selects the appropriate cipher key CK and integrity key IK from the selected authentication vector.
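The AKA exchange described in this section, as an added example that is not part of the original paper: it runs the AuC, USIM and VLR/SGSN checks in the order given above and shows a replayed or altered challenge being refused. HMAC-SHA-256 stands in for the operator's one-way functions, and the field sizes, the AMF value and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import os

AMF = b"\x80\x00"  # constructed Administrative Field value


def f(k: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in one-way function keyed with K (HMAC-SHA-256, truncated)."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def auc_generate_av(k: bytes, sqn_auc: int) -> dict:
    """AuC: build the quintuple (RAND, AUTN, XRES, CK, IK) for one challenge."""
    rand = os.urandom(16)                    # 128-bit random challenge
    sqn = sqn_auc.to_bytes(6, "big")
    mac = f(k, b"mac", sqn + rand + AMF, 8)  # integrity protection of the AV
    ak = f(k, b"ak", rand, 6)                # mask that conceals SQN inside AUTN
    return {
        "RAND": rand,
        "AUTN": xor(sqn, ak) + AMF + mac,
        "XRES": f(k, b"res", rand, 8),
        "CK": f(k, b"ck", rand, 16),
        "IK": f(k, b"ik", rand, 16),
    }


class AkaError(Exception):
    pass


class Usim:
    """Holds the long-term key K and the highest sequence number accepted."""

    def __init__(self, k: bytes, sqn_usim: int = 0):
        self.k = k
        self.sqn_usim = sqn_usim

    def challenge(self, rand: bytes, autn: bytes):
        # 1. Retrieve SQN from AUTN.
        sqn = xor(autn[:6], f(self.k, b"ak", rand, 6))
        amf, mac = autn[6:8], autn[8:16]
        # 2. Network authentication: recompute XMAC and compare with MAC.
        xmac = f(self.k, b"mac", sqn + rand + amf, 8)
        if not hmac.compare_digest(mac, xmac):
            raise AkaError("MAC != XMAC")
        # 3. Freshness: SQN must be larger than anything accepted before.
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_usim:
            raise AkaError("SQN not fresh")
        self.sqn_usim = sqn_int
        # 4. Response and session keys.
        res = f(self.k, b"res", rand, 8)
        return res, f(self.k, b"ck", rand, 16), f(self.k, b"ik", rand, 16)


def vlr_authenticate(usim: Usim, av: dict) -> str:
    """VLR/SGSN: send RAND and AUTN, then compare RES with XRES."""
    try:
        res, ck, ik = usim.challenge(av["RAND"], av["AUTN"])
    except AkaError as err:
        return f"rejected by USIM: {err}"
    if not hmac.compare_digest(res, av["XRES"]):
        return "rejected by VLR/SGSN: RES != XRES"
    assert ck == av["CK"] and ik == av["IK"]  # both ends now hold the same keys
    return "authenticated"


if __name__ == "__main__":
    key = os.urandom(16)
    card = Usim(key)
    vector = auc_generate_av(key, sqn_auc=1)
    print(vlr_authenticate(card, vector))  # first use of the vector
    print(vlr_authenticate(card, vector))  # replay of the same vector
```
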

5. GAA Overview

The GAA consists of two main procedures. The first one is GAA bootstrapping, and the second one is usage of bootstrapped keys. The output of the first procedure is a temporary GAA master session key (Ks) and a transaction identifier (B-TID), which is an identifier for Ks. This key will be shared between the UE and the BSF. The second procedure secures the exchanges of an application protocol between the UE and the NAF, and consequently between the UE and the service provider servers (i.e., SSP and FSP).

5.1. Bootstrapping procedure

The bootstrapping procedure is known as the authentication procedure. In this process, the AKA protocol is used to set up a GAA master session key between the UE and the BSF. The exchanges between the UE and the BSF during the bootstrapping procedure are specified by the Ub interface, and the exchanges between the BSF and the Home Server (HS) are specified by the Zh interface. The bootstrapping procedure consists of the following steps:

1. The BSF client in the UE sends the user identity to the BSF and initiates bootstrapping.
2. The authentication protocol (AKA) starts between the UE and the HS, with the BSF as intermediary. At the end, the UE and the BSF obtain a set of shared session keys. The GAA master session key (Ks) is derived from the concatenation of IK and CK.
3. The BSF constructs a transaction identifier B-TID and stores B-TID and Ks. It also chooses a key lifetime according to its policy. B-TID and Ks generation have been reported in [13].
4. The BSF sends B-TID and the key lifetime to the UE.
5. The UE stores B-TID, Ks and the key lifetime. At this point, the bootstrapping is complete.

5.2. Usage of bootstrapped keys procedure

In this procedure, the NAF client in the UE decides to engage in an application protocol which is first processed by a NAF. The steps are as follows:

1. The UE starts the application protocol by sending a request which contains the key identifier, i.e., B-TID, and an application-specific message (msg) over the Ua interface.
2. The NAF forwards B-TID and its own identifier NAF-Id to the BSF over the Zn interface.
3. The BSF looks up its database for the corresponding B-TID. It first verifies whether the NAF is authorized to receive keys. This is done according to user profiles obtained from the HSS.
4. If the search is successful, then the BSF derives Ks.
5. The BSF sends Ks to the NAF over the Zn interface.
6. The NAF stores the received information. At this point, the UE and the NAF share a GAA application key. They can use it to protect subsequent exchanges in the application protocol, so the NAF replies to the UE and uses the session key Ks.
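The two procedures of Sections 5.1 and 5.2, as an added example that is not part of the original paper: a BSF that issues B-TID and Ks with a lifetime, and a NAF that fetches Ks over a simulated Zn call and refuses unknown, expired or unauthorized requests. The B-TID layout, the HMAC proof the UE attaches to msg, the explicit `now` clock and all class and host names are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import os


class GbaError(Exception):
    pass


class Bsf:
    """Bootstrapping Server Function: stores B-TID -> (IMPI, Ks, expiry)."""

    def __init__(self, domain: str, authorized: dict, lifetime_s: int = 3600):
        self.domain = domain
        # IMPI -> NAF-Ids allowed to receive keys (stands in for the HSS profile)
        self.authorized = authorized
        self.lifetime_s = lifetime_s
        self.sessions = {}

    def bootstrap(self, impi: str, ck: bytes, ik: bytes, now: int):
        """Ub side, after AKA has produced CK and IK for this subscriber."""
        ks = ck + ik  # master session key from the AKA session keys
        # Assumed layout: 64 bits of random data plus the BSF domain name.
        btid = base64.b64encode(os.urandom(8)).decode() + "@" + self.domain
        self.sessions[btid] = (impi, ks, now + self.lifetime_s)
        return btid, self.lifetime_s

    def key_request(self, btid: str, naf_id: str, now: int):
        """Zn side: hand Ks to a NAF that is entitled to it."""
        if btid not in self.sessions:
            raise GbaError("unknown B-TID")
        impi, ks, expiry = self.sessions[btid]
        if now >= expiry:
            del self.sessions[btid]
            raise GbaError("key lifetime expired")
        if naf_id not in self.authorized.get(impi, set()):
            raise GbaError("NAF not authorized")
        return ks, expiry


def ue_key_proof(ks: bytes, msg: bytes) -> bytes:
    """UE side: prove possession of Ks without sending it (assumed mechanism)."""
    return hmac.new(ks, msg, hashlib.sha256).digest()


class Naf:
    """Network Application Function: B-TID is the username, Ks the secret."""

    def __init__(self, naf_id: str, bsf: Bsf):
        self.naf_id = naf_id
        self.bsf = bsf
        self.keys = {}  # B-TID -> (Ks, expiry), filled on first use

    def handle(self, btid: str, msg: bytes, proof: bytes, now: int) -> str:
        entry = self.keys.get(btid)
        if entry is None or now >= entry[1]:
            self.keys.pop(btid, None)
            try:
                entry = self.bsf.key_request(btid, self.naf_id, now)
            except GbaError as err:
                return f"rejected: {err}"  # the UE has to bootstrap again
            self.keys[btid] = entry
        expected = hmac.new(entry[0], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(proof, expected):
            return "rejected: bad key proof"
        return "accepted"


if __name__ == "__main__":
    # Constructed sample values; CK and IK would come from the AKA run.
    ck, ik = os.urandom(16), os.urandom(16)
    bsf = Bsf("bsf.operator.example", {"user@operator.example": {"naf.shop.example"}})
    btid, lifetime = bsf.bootstrap("user@operator.example", ck, ik, now=0)
    naf = Naf("naf.shop.example", bsf)
    print(btid, lifetime)
    print(naf.handle(btid, b"SPID=shop-1", ue_key_proof(ck + ik, b"SPID=shop-1"), now=10))
    print(naf.handle(btid, b"SPID=shop-1", ue_key_proof(ck + ik, b"SPID=shop-1"), now=4000))
```
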

6. Proposed Protocol for UMTS Clients' Web Shopping

The shopping protocol in this paper consists of three procedures: authentication, purchase and payment. To provide the security of transactions and protect the authentication and integrity, the Digital Signature Standard [14]/Secure Hashing Algorithm [15] (DSS/SHA) signature algorithm, the Rivest Cipher Four (RC4) [16] and Data Encryption Standard (DES) [17] symmetric cryptographic algorithms, and the Elliptic Curve Cryptography (ECC) [18] asymmetric cryptographic algorithm should be used in this protocol [19]. We assume that the following provisions have been agreed between the entities.

• The entities have agreed on a particular signature algorithm and use a private key (K). The signature on data X signed by entity Y is shown as sY:k(X).
• All of the entities, except the UE, have asymmetric private keys for signature and a copy of the other entities' public keys.
• The entities have agreed on a particular asymmetric encryption algorithm and use a public key (P). The encryption of data X encrypted by entity Y is shown as eY:P(X).
• All of the entities, except the UE, have encryption keys and a copy of the other entities' public keys.

• According to [20], we assume that an authenticated key establishment process has taken place between the MO, SSP and FSP.

The detailed descriptions of the mentioned procedures are as follows.

6.1. Authentication procedure

In this procedure, we assume that the user has not been authenticated before, and Ks has not been established between the UE and the NAF. The process of this phase consists of the following steps:

1. The user sends his IP Multimedia Private Identity (IMPI) to the NAF and requests access to the SP. The NAF client gets the IMSI from the SIM and converts the IMSI to the IMPI format so that it can be carried over the Ub reference point.
2. As we assumed that the user has not been authenticated, the NAF will send a request to the user to initiate a new bootstrapping procedure.
3. The BSF client gets the IMSI from the SIM and converts it to the IMPI. The UE sends the IMPI to the BSF and starts the bootstrapping procedure. Here one of two conditions is assumed: the user does not have a valid bootstrapping session key, or the lifetime has expired.
4. The BSF generates B-TID. B-TID is a data string that is based on 64-bit random data and the BSF server domain name. At this point, the BSF generates Ks, which is the result of concatenating the Confidentiality Key (CK) and the Integrity Key (IK). CK and IK result from the AKA protocol. The details of B-TID and Ks generation have been discussed in [13]. B-TID is used as the Username and Ks as the Password to access the NAF. B-TID and the key lifetime will be sent to the user via the Ub interface. The Ks will be generated by the user based on the AKA protocol, and it will be stored in the UICC and used as a Password.
5. The UE logs in to the NAF by sending B-TID and the service provider ID. B-TID is used as the Username.
6. The NAF sends B-TID and its identity to the BSF via the Zn interface. In fact, the NAF verifies the user authentication, because it will obtain the Ks which corresponds to B-TID, as a Password. The details of this operation have been discussed in [13].
7. The BSF sends Ks and the key lifetime to the NAF. The security issues of this message have been described in [19].

At this point the mutual authentication between the UE and the UMTS network has been performed, and the UE and the NAF share the ciphering key (Ks). In the proposed protocol, unlike the traditional approaches for authentication, it is not necessary for the users to enter a Username and Password. As mentioned above, B-TID is used as the Username and the NAF verifies the user authentication instead of using a Password.

6.2. Purchase procedure

In the purchase procedure, the identity of the user is not important for the service provider, but the user should be assured of the SSP identity. This assurance is provided by the encrypted messages that flow between the UE and the SSP. The ciphering key will be sent to the UE by the NAF. It should be noted that the MO and the SSP have agreed on ciphering keys. The purchase procedure proceeds as follows:

1. The NAF generates a specific user token for the user, to be used only with the SSP requested by the SPID. This user token is known as the Service Provider User Token (SPUT). The SPUT can be built from a Particular Session Key (PSK). It is noted that the MO and the SSP have agreed on the PSK and also on a Time Stamp (TS). These data are then encrypted with Ks and sent by the NAF:

SPUT = eKs(SPID || PSK || TS)    (1)

in which || stands for concatenation. Once the user has received the SPUT, he can request access to the shopping service provider.
2. The user decrypts the SPUT with Ks and extracts the PSK from this message. The user will send his request message to the SSP and use any services that the SSP provides. This message will be encrypted, and the encryption key is PSK.
3. When the SSP receives the request message, it decrypts the message using its private encryption key PSK. The SSP will answer the UE with a "Payroll", which is a confirmation of the user request containing the price and a method of payment (on-phone or off-phone). The payroll will be signed with the SSP digital signature private key and encrypted with PSK:

Payroll = eSSP:PSK(sSSPds:SK([UserRequest || Price || Method of Payment || TS]))    (2)

6.3. Payment procedure

The payment procedure of the shopping protocol has particular security importance, because it directly relates to the user account. For this purpose, we will send the user ID to the FSP for mutual authentication, cryptography and digital signature between the external entities of the UMTS network (SSP, FSP). The steps of the payment procedure are as follows:

1. The UE decrypts the payroll with PSK and checks the signature of the payroll, and consequently the identity of the SSP and the content of the payroll. If the UE accepts the payroll, it will start the payment procedure. It is assumed that the client has an account with an FSP, which will charge the user and pay the SSP. To connect to the FSP, the UE must have a SPUT for a particular FSP. So, the UE will send an encrypted message to the NAF. This message will be encrypted with a symmetric key (Ks) and contains the FSP ID and B-TID:

Request Message = eKs(FSPID || B-TID)    (3)

2. Like the first step in the purchase procedure, the NAF will send the FSP User Token to the UE. This message contains the FSP Key (FSPK), TS, FSPID and a User ID (UID). The FSP knows its customer by this ID, and this ID corresponds to B-TID. This message will be signed with the NAF private key and encrypted with Ks:

FSP UT = eKs(sNAFds:SK([UID || FSPID || FSPK || TS]))    (4)

3. The UE decrypts the FSP UT and checks the signature, then extracts FSPK. For charging, the user sends his request message to the FSP. This message contains the decrypted payroll, which has been signed by the SSP, and the decrypted FSP UT, which has been signed by the NAF, and the message is encrypted with FSPK:

Request Message = eFSPK(Payroll || FSP UT)    (5)

4. The FSP receives the request message and decrypts it with FSPK, then verifies the signatures of both the SSP and the NAF. If the verification is successful, the FSP will check the user account and compare his financial credit with the price. The FSP charges the user the amount of the price in the payroll and generates a confirmation message. This message contains a Status Flag, which shows the success of the E-payoff. The cause of an unsuccessful procedure is also shown by this flag, for example not enough financial credit, or failure to verify the signature of the SSP or the NAF. At the end, the FSP generates a confirmation payment message and sends it to the SSP. This message will be signed with the FSP signature private key and encrypted with the SSP public key:

Confirmation Payment Message = eFSP:PK(sFSPds:SK([Payroll || FSPID || Status Flag]))    (6)

5. When SSP receives the confirmation payment message, it decrypts the message with its private key and verifies message signature, then checks the Status Flag. If the flag shows a successful procedure, the SSP will deliver the service to UE and a message will be sent to FSP to confirm the service delivery. It is noted that the mentioned message is optional. If the flag represents an unsuccessful procedure, its cause will be sent back to UE.

7. Protocol Analysis by Colored Petri Net

For modeling and validation of the proposed protocol, we use the Colored Petri Net (CPN) language. The theory of Petri nets is based on the concepts of asynchronous and concurrent operation by the parts of a system. The relationships between the parts can be represented by a graph or net [21]. Petri nets are a formal model of information flow in a protocol. Modeling of system events is the major use of Petri nets. The Petri net graph contains two types of nodes: circles (places) and rectangles (transitions). Places and transitions are connected by directed arcs from places to transitions and from transitions to places. The relationships between the places and the transitions are specified by two functions: the input function (I) and the output function (O). The input function I(tj) defines the set of input places for each transition tj. The output function O(tj) defines the set of output places for each transition tj [22]. The execution of Petri nets is controlled by the position and movement of markers (tokens). Tokens are indicated by green dots in the figures depicted in annexes A and B of this paper. A marked Petri net has five items. The formal definition of a five-tuple Petri net is shown in Table 1.

Table 1. Formal Definition of a Petri Net [21]

A Petri net is a 5-tuple C = (P, T, I, O, µ), where:
P = {p1, p2, p3, …, pn}: a finite set of places
T = {t1, t2, t3, …, tm}: a finite set of transitions
I: input function
O: output function
µ = {µ1, µ2, µ3, …, µn} and µi = µ(pi), the number of tokens in place i
P ∩ T= and P T ≠

Colored Petri Net (CPN) is a modeling language, combining Petri nets with the Standard Markup Language (SML). Standard ML describes the definition of data types and data manipulation of models [23].


The CPN model of a protocol represents the states of the protocol and the events (transitions) that can cause state changes of the protocol, and includes a time concept for representing the time taken to execute events in the modeled protocol. For analyzing the CPN model of the proposed protocol and performing a comparison with the protocol proposed in [24], we have used CPN Tools [25] for constructing, analyzing and investigating the behavior of the modeled protocol, and for verifying the properties of the protocol by means of state space methods and timed CPN [26-29].

Comparing the proposed protocol with the related one reported in [24], we conclude that the number of transactions in the proposed protocol is decreased. In [24], after the termination of the authentication procedure, a user token (UT) is generated. In the proposed protocol, the IMPI is used as the user token when it is sent to the NAF. In the purchase procedure, the subscriber uses the token generated by the NAF in communication with the service provider. In the payment procedure, the B-TID is used instead of a user token. So, the authentication system does not employ an extra procedure to generate a user token. In this way, the temporary tokens generated by the NAF are used to identify the user to the service providers. The number of transactions in the authentication procedure is decreased to 7 steps in the proposed protocol, whereas there were 8 steps for this procedure in [24]. The number of transactions in the purchase procedure is decreased to 3 steps in the proposed protocol, too. This number was 4 for the protocol reported in [24]. Also, the computational load is decreased significantly, as can be seen in the state space report of CPN Tools (detailed in the following).

The CPN model of the proposed protocol in this study is depicted in Figure A1 of Appendix A. As mentioned earlier, the places and transitions are shown by circles and rectangles, respectively. The set of places for the protocol reported in [24] has 22 members, and the set of places for the proposed protocol has 20 members. Also, the set of transitions for the protocol reported in [24] has 19 members, and this set for the proposed protocol has 17 members. If we assume that place "a" is used to show all of the tokens that participate in the protocol execution, then the simulation results show that the number of tokens in place "a" in the mentioned protocols is 6 and 5, respectively. Also, place "b" is defined between "Attach Ks" and "Store BTID and Ks" for the analysis of transactions. The finite set of places for the proposed protocol is as follows:

P = {Access Request, IMPI or BTID Receive, Bootstrapping Initiation, B-TID and Ks Generation, Ks Verification, Data Base, Ks Verification, b, SPUT Generation, SPUT Receive, Shopping Mall, Payment, FSP UT Request, FS Request, FSP UT Generation, FSP UT Receive, Payroll and FSP UT Receive, Delivered Service Message Submission, Service Termination, a}.

However, the finite set of places for the protocol reported in [24] includes two additional members: UT Generation and UT Receive.

The basic information about the size of the state space and the standard behavioral properties of the CPN model can be found in the state space report. For the CPN model of the proposed protocol in this study, the state space report is shown in Figure 3. As shown in Figure 3, it contains data about "State Space statistics (Strongly-connected-component/Scc graph)", "Home Properties (Home Markings)", and "Liveness Properties (Dead Markings, Dead Transition Instances, and Live Transition Instances)".

Statistics
---------------------------------
State Space
    Nodes:  80
    Arcs:   167
    Status: Full
Scc Graph
    Nodes:  80
    Arcs:   167

Home Properties
---------------------------------
Home Markings
    [80]

Liveness Properties
---------------------------------
Dead Markings
    [80]
Dead Transition Instances
    None
Live Transition Instances
    None

Fairness Properties
---------------------------------
No infinite occurrence sequences.

Figure 3. State space report of proposed protocol in this study.

The state space statistics describe the size of the state space. For the model of the protocol proposed in [24], there are 153 nodes and 397 arcs. However, for the model of the protocol proposed in this paper, the number of nodes and arcs is reduced to 80 and 167, respectively. If the numbers of nodes and arcs in the state space and in the Scc graph are equal, there are no cycles in the model. The numbers of nodes and arcs in the state space and in the Scc graph are equal for both protocols. This means that the token will not fall into a loop, and we have finite occurrence sequences.

Another part of the state space report covers the home properties. The home properties show that there exists a single home marking. The home marking (Mhome) is a marking which shows that the protocol has successfully finished the transitions. In each of the two protocols, the home marking node number is the same as the number of nodes, which shows the correctness of both protocols. A dead marking is a marking in which no element is enabled. This means that the marking corresponding to node 80 in Figure 3 is both a home marking and a dead marking. A transition is live if, from any reachable marking, we can always find an occurrence sequence containing the transition. As shown in Figure 3, there are no live transitions. Both protocols have a dead marking, so they have no live transitions; no transition can be enabled from the dead marking. Also, there are no dead transitions in the two protocols. A transition is dead if there is no reachable marking in which it is enabled. The absence of dead transitions means that each transition in the protocol has the possibility to occur at least once. If a model has a dead transition, then it corresponds to a part of the model that can never be activated. Hence, we can remove dead transitions from the model without changing its behavior [26].

To compare the service delivery time of the two protocols, we assume that each transition in the two protocols takes 5 time units. As shown in Figure A1 of Appendix A, the service is delivered after 95 time units by using the protocol proposed in this paper. Our simulations show that by using the protocol reported in [24], the service is delivered after 105 time units. The specifications of the two protocols are summarized in Table 2.

Table 2: Specifications of Proposed Protocol in Comparison to Reported Protocol in [24]

| Specification | Reported Protocol in [24] | Proposed Protocol in This Study |
|---|---|---|
| Number of places | 22 | 20 |
| Number of transitions | 19 | 17 |
| Number of nodes | 153 | 80 |
| Number of arcs | 397 | 167 |
| Home marking node | 153 | 80 |
| Service delivery time (units) | 105 | 95 |
| Dead marking node | 153 | 80 |
| Number of transactions | 18 | 16 |
| Number of tokens in reference point | 6 | 5 |
| Mutual authentication between entities | | |
| Encryption algorithms | NR* | RC4, DES, ECC |
| Digital signature algorithm | NR* | DSS/SHA |

*NR: Not-Reported
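The properties read off the state space report above can be computed directly for a small net. The following is an added example, not code from the paper or from CPN Tools: it builds the reachability graph of a constructed five-transition toy net (all place and transition names are assumptions, and the net is assumed 1-safe) and derives the same report fields. One transition is deliberately unreachable to show what a dead transition looks like.

```python
from collections import deque

# Constructed 1-safe toy net (NOT the paper's CPN model).
# transition -> (places consumed, places produced)
NET = {
    "bootstrap": (("start",), ("ks_ue", "ks_bsf")),   # forks two branches
    "store_ks":  (("ks_bsf",), ("stored",)),
    "attach_ks": (("ks_ue",), ("attached",)),
    "deliver":   (("stored", "attached"), ("done",)),
    "retry":     (("timeout",), ("start",)),          # "timeout" is never marked
}
M0 = frozenset({"start"})  # a marking is the set of marked places

def enabled(m):
    return [t for t, (pre, _) in NET.items() if set(pre) <= m]

def fire(m, t):
    pre, post = NET[t]
    return frozenset((m - set(pre)) | set(post))

def state_space(m0):
    """Breadth-first reachability graph: markings and labelled arcs."""
    nodes, arcs, todo = {m0}, [], deque([m0])
    while todo:
        m = todo.popleft()
        for t in enabled(m):
            n = fire(m, t)
            arcs.append((m, t, n))
            if n not in nodes:
                nodes.add(n)
                todo.append(n)
    return nodes, arcs

def report(m0=M0):
    nodes, arcs = state_space(m0)
    # r[m]: every marking reachable from m, including m itself
    r = {m: state_space(m)[0] for m in nodes}
    return {
        "nodes": len(nodes), "arcs": len(arcs),
        # two markings share an SCC when each is reachable from the other
        "scc_nodes": len({frozenset(n for n in r[m] if m in r[n]) for m in nodes}),
        "scc_arcs": sum(1 for a, _, b in arcs if a not in r[b]),
        "home": [m for m in nodes if all(m in r[n] for n in nodes)],
        "dead_markings": [m for m in nodes if not enabled(m)],
        "dead_transitions": sorted(set(NET) - {t for _, t, _ in arcs}),
        "live_transitions": sorted(t for t in NET if all(
            any(t in enabled(x) for x in r[n]) for n in nodes)),
    }
```

For this toy net the state space and Scc graph sizes coincide (no cycles), the final marking is both the single home marking and the single dead marking, and no transition is live, which is the same pattern the paper reports for both protocols.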

The main advantage of the proposed protocol is the decrement of transactions which results in a reduced number of nodes and arcs, also reduction of execution time. It is noted that in [24], the User Token is generated but in the proposed protocol, encrypted B-TID is used instead of the user token. So, no user token is needed in the proposed protocol.

8. Conclusion

In this paper, we have introduced a platform for the direct use of online services by a UMTS client. The proposed protocol uses a security service known as GAA. This service is based on the UMTS security architecture and the AKA protocol. This protocol provides mutual authentication, ciphering and integrity keys between the user and the UMTS network, so the probability of some threats such as eavesdropping, destruction, corruption or modification of information and decries is reduced. Similarly, GAA provides mutual authentication, ciphering and integrity keys between the user and web servers. It has been shown that, unlike the traditional solution, authentication in the proposed protocol does not use a Username and Password. So, some web threats such as Trojan horses and key loggers will not obtain any secret keys, and all information will be sent encrypted. Also, we have compared the performance of the proposed protocol with a competitive protocol reported in [24] by using CPN Tools. It has been shown that by omitting some transactions, the number of nodes and arcs is reduced. Also, the execution time is reduced significantly, and the network resources are reserved. The foundation and main idea of this protocol can be applied to other value-added services. So, researchers and developers can rethink current structures and business models for securing services.

Appendix

Figure A1. CPN model of the proposed protocol in this study.

References

[1] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: Formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455-460, 2009.
[2] T. Dahlberg, N. Mallat, J. Ondrus, and A. Zmijewska, "Past, present and future of mobile payments research: A literature review," Electronic Commerce Research and Applications, vol. 7, no. 2, pp. 165-181, 2008.
[3] E. W. T. Ngai, and A. Gunasekaran, "A review for mobile commerce research and applications," Decision Support Systems, vol. 43, no. 1, pp. 3-15, 2007.
[4] C. Kim, M. Mirusmonov, and I. Lee, "An empirical examination of factors influencing the intention to use mobile payment," Computers in Human Behavior, vol. 26, no. 3, pp. 310-322, 2010.
[5] K. Varnali, and A. Toker, "Mobile marketing research: The-state-of-the-art," International Journal of Information Management, vol. 30, no. 2, pp. 144-151, 2010.
[6] J. A. MacDonald, "Authentication & key agreement for off-portal mobile applications," Information Security Technical Report, vol. 13, no. 3, pp. 127-135, 2008.
[7] R. S. Sandhu, "Good-enough security: Toward a pragmatic business-driven discipline," IEEE Internet Computing, vol. 7, no. 1, pp. 66-68, 2003.
[8] P. Laitinen, P. Ginzboorg, N. Asokan, S. Holtmanns, and V. Niemi, "Extending cellular authentication as a service," in Proc. IEE Int. Conf. Commercialising Technology and Innovation, Sept. 2005, pp. D2/1-D2/4.
[9] S. Holtmanns, V. Niemi, P. Ginzboorg, P. Laitinen, and N. Asokan, Cellular Authentication for Mobile and Internet Services. John Wiley & Sons, 2008.
[10] 3rd Generation Partnership Project: Technical Specification Group Services and System Aspects; 3G Security; Security architecture, 3GPP TS 33.102, 2009 (Available at http://www.3gpp.org/).
[11] 3rd Generation Partnership Project: Technical Specification Group Services and System Aspects; Generic Authentication Architecture (GAA), 3GPP TS 33.220, 2009 (Available at http://www.3gpp.org/).
[12] 3rd Generation Partnership Project: Technical Specification TS 55.202, Specification of the 3GPP confidentiality and integrity algorithms; Document 2: Kasumi specification, Version 7.0.0, 2007 (Available at http://www.3gpp.org/).
[13] ETSI European Telecommunications Standards Institution: Generic bootstrapping architecture, 2005.
[14] Digital Signature Standard (DSS), Federal Information Processing Standards Publication (FIPS PUB) 186-1, National Institute of Standards and Technology, 1998.
[15] R. C. Merkle, "Secrecy, authentication, and public key systems," Ph.D. dissertation, Dept. Elec. Eng., Stanford Univ., pp. 13-15, 1979.
[16] W. Stallings, Cryptography and Network Security: Principles and Practice. Prentice Hall, Upper Saddle River, New Jersey, 2003, pp. 54-60.
[17] Data Encryption Standard (DES), Federal Information Processing Standards Publication (FIPS PUB) 46, National Bureau of Standards, 1977.
[18] J. H. Silverman, The Arithmetic of Elliptic Curves (Graduate Texts of Mathematics). Springer-Verlag, 1986.
[19] 3rd Generation Partnership Project: Technical Specification Group Services and System Aspects; Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS), 3GPP TS 33.222, 2008 (Available at http://www.3gpp.org/).
[20] J. A. MacDonald, W. G. Sirett, and C. J. Mitchell, "Overcoming channel bandwidth constraints in secure SIM applications," in Security and Privacy in the Age of Ubiquitous Computing, Springer Science and Business Media, 2005, pp. 539-549.
[21] J. L. Peterson, "Petri Nets," Computing Surveys, vol. 9, no. 3, pp. 223-252, 1977.
[22] T. Murata, "Petri nets: properties, analysis and applications," Proceedings of the IEEE, vol. 77, no. 4, pp. 541-580, 1989.
[23] K. Jensen, and L. M. Kristensen, Colored Petri Nets Modeling and Validation of Concurrent Systems. Springer-Verlag, 2009.
[24] K. Elmufti, D. Weerasinghe, M. Rajarajan, V. Rakocevic, S. Khan, and J. A. MacDonald, "Mobile web services authentication using SAML and 3GPP generic bootstrapping architecture," International Journal of Information Security, vol. 8, no. 2, pp. 77-87, 2009.
[25] CPN Tools, Version 3.0 (Available at http://www.CPNTools.org/).
[26] K. Jensen, L. M. Kristensen, and L. Wells, "Colored Petri nets and CPN tools for modeling and validation of concurrent systems," International Journal on Software Tools for Technology Transfer, vol. 9, no. 3-4, pp. 213-254, 2007.
[27] M. A. Azgomi, and A. Khalili, "Performance evaluation of sensor medium access control protocol using colored Petri nets," Electronic Notes in Theoretical Computer Science, vol. 242, no. 2, pp. 31-42, 2009.
[28] D. A. Zaitsev, "Switched LAN simulation by colored Petri nets," Mathematics and Computers in Simulation, vol. 65, no. 3, pp. 245-249, 2004.
[29] V. Valero, M. E. Cambronero, G. Díaz, and H. Macia, "A Petri net approach for the design and analysis of web services choreographies," Journal of Logic and Algebraic Programming, vol. 78, no. 5, pp. 359-380, 2009.

Mansour Sheikhan was born in Tehran, Iran, in 1966. He received the B.S. degree in electronic engineering from Ferdowsi University, Meshed, Iran, in 1988 and M.S. and Ph.D. degrees in communication engineering from Islamic Azad University, Tehran, Iran, in 1991 and 1997, respectively. He is currently an Associate Professor in Electrical Engineering Department of Islamic Azad University-South Tehran Branch. His research interests include security in communication networks, intelligent systems, signal processing, and neural networks. He has been the Head of Post-Graduate Center of IAU-South Tehran Branch since 2004. Dr. Sheikhan has published more than 40 journal papers and more than 90 conference papers. He has published two books and has been selected as the outstanding researcher of IAU in 2003, 2008, and 2010.

Ali Reza Sobhanie received the B.S. degree in communication engineering from Islamic Azad University, Shahre-Rey Branch, Iran, in 2006 and M.S. degree in communication engineering from Islamic Azad University, South Tehran Branch, Iran, in 2011. He is currently with the Development Studies Bureau of Telecom Company of Iran, Tehran, Iran. His research interests include security in communication networks, next generation networks, and mobile communication systems.

Mohammad Esmail Kalantari received the B.S. degree in communication engineering from Communication Technical Faculty, Tehran, Iran in 1972 and M.S. and Ph.D. degrees in communication engineering from Ecole National Superieur des Telecommunications (ENST), Paris, France, in 1979 and 1982, respectively. He has been an Assistant Professor in Electrical Engineering Department of Khaje Nasir Toosi University of Technology for 30 years. Now, he is an academic member of Islamic Azad University, Shahre-Rey Branch, Iran. His research interests include security in communication networks, next generation networks, and mobile communication systems.
