Secure mobile payment framework based on UICC with formal verification

Date
2014-01-01
Authors
Ahamad, Shaik Shakeel
Sastry, V. N.
Udgata, Siba K.
Abstract
In this paper, we propose a secure mobile payments framework based on universal integrated circuit card (UICC) by defining: a) a procedure of personalising UICC by the client; b) a procedure of provisioning and personalisation (mutual authentication and key agreement protocol) of mobile payments application (which is on UICC) by the bank; and c) a mobile payment protocol between the personalised mobile payment application on UICC and the bank server. Our provisioning and personalisation procedure is compared with recent works and found to be better in terms of generating client's credentials, implementation of WPKI in UICC, personalisation of mobile payment application by the bank and end to end security. Our mobile payment protocol originating from mobile payment application to the bank is also compared with recent works and found to be better in terms of confidentiality, authentication, integrity and nonrepudiation, preventing double spending, over spending and money laundering, and withstands replay, man in the middle (MITM) and impersonation attacks. Proposed protocols are experimentally verified using BAN logic and Scyther tool. © 2014 Inderscience Enterprises Ltd.
Keywords
BAN logic, Key agreement, Mobile payment, Mutual authentication, Personalisation, Scyther tool, UICC
Citation
International Journal of Computational Science and Engineering. v.9(4)