Design of secure mobile payment protocols for restricted connectivity scenarios

The emergence of mobile and wireless networks made posible the extensión of electronic commerce to a new area of research: mobile commerce called m-commerce, which includes mobile payment), that refers to any e-commerce transaction made from a mobile device using wireless networks. Most of the mobile payment systems found in the literatura are based on the full connectivity scenario where all the entities are directly connected one to another but do not support business models with direct communication restrictions between the entities of the system is not a impediment to perform comercial transactions. It is for this reason that mobile payment systems that consider those situations where direct communications between entities of the system is not posible (temporarily or permanently) basically due to the impossibility of one of the entities connected to the Internet are required. In order to solve the current shortage in the scientific world of previous research works that address the problema of on-line payment from mobile devices in connectivity restricted scenarios, in this thesis we propose a set of secure payment protocols (that use both symmetric and non-traditional asymmetric cryptography), which have low computational power requirements, are fit for scenarios with communications restrictions (where at least two of the entities of the system cannot exchange information in a direct way and must do it through another entity) and offer the same security capabilities as those protocols designed for full connectivity scenarios. The proposed protocols are applicable to other types of networks, such as vehicular ad hoc network (VANETs), where services exist which require on-line payment and scenarios with communication restrictions.On the other hand, the implementation (in a multiplatform programming language) of the designed protocols shows that their performance is suitable for devices with limited computational power.Postprint (published version

A Comparative Study of Card Not Present E-commerce Architectures with Card Schemes: What About Privacy?

International audienceInternet is increasingly used for card not present e-commerce ar-chitectures. Several protocols, such as 3D-Secure, have been proposed in the literature by Card schemes or academics. Even if some of them are deployed in real life, these solutions are not perfect considering data security and user's privacy. In this paper, we present a comparative study of existing solutions for card not present e-commerce solutions. We consider the main security and privacy trends of e-payment in order to make an objective comparison of existing solutions. This comparative study illustrates the need to consider privacy in deployed e-commerce architectures. This has never been more urgent with the recent release of the new specifications of 3D-secure

A patient agent controlled customized blockchain based framework for internet of things

Although Blockchain implementations have emerged as revolutionary technologies for various industrial applications including cryptocurrencies, they have not been widely deployed to store data streaming from sensors to remote servers in architectures known as Internet of Things. New Blockchain for the Internet of Things models promise secure solutions for eHealth, smart cities, and other applications. These models pave the way for continuous monitoring of patient’s physiological signs with wearable sensors to augment traditional medical practice without recourse to storing data with a trusted authority. However, existing Blockchain algorithms cannot accommodate the huge volumes, security, and privacy requirements of health data. In this thesis, our first contribution is an End-to-End secure eHealth architecture that introduces an intelligent Patient Centric Agent. The Patient Centric Agent executing on dedicated hardware manages the storage and access of streams of sensors generated health data, into a customized Blockchain and other less secure repositories. As IoT devices cannot host Blockchain technology due to their limited memory, power, and computational resources, the Patient Centric Agent coordinates and communicates with a private customized Blockchain on behalf of the wearable devices. While the adoption of a Patient Centric Agent offers solutions for addressing continuous monitoring of patients’ health, dealing with storage, data privacy and network security issues, the architecture is vulnerable to Denial of Services(DoS) and single point of failure attacks. To address this issue, we advance a second contribution; a decentralised eHealth system in which the Patient Centric Agent is replicated at three levels: Sensing Layer, NEAR Processing Layer and FAR Processing Layer. The functionalities of the Patient Centric Agent are customized to manage the tasks of the three levels. Simulations confirm protection of the architecture against DoS attacks. Few patients require all their health data to be stored in Blockchain repositories but instead need to select an appropriate storage medium for each chunk of data by matching their personal needs and preferences with features of candidate storage mediums. Motivated by this context, we advance third contribution; a recommendation model for health data storage that can accommodate patient preferences and make storage decisions rapidly, in real-time, even with streamed data. The mapping between health data features and characteristics of each repository is learned using machine learning. The Blockchain’s capacity to make transactions and store records without central oversight enables its application for IoT networks outside health such as underwater IoT networks where the unattended nature of the nodes threatens their security and privacy. However, underwater IoT differs from ground IoT as acoustics signals are the communication media leading to high propagation delays, high error rates exacerbated by turbulent water currents. Our fourth contribution is a customized Blockchain leveraged framework with the model of Patient-Centric Agent renamed as Smart Agent for securely monitoring underwater IoT. Finally, the smart Agent has been investigated in developing an IoT smart home or cities monitoring framework. The key algorithms underpinning to each contribution have been implemented and analysed using simulators.Doctor of Philosoph

Understanding the corpus of mobile payment services research: an analysis of the literature using co-citation analysis and social network analysis

Mobile Payment Services have advanced in the last two decades, gaining the attention of experts and researchers from around the world. A number of reviews and literature analysis studies have been carried out, aimed at analysing the numerous dimensions of mobile payment services; however, no researcher has attempted a co-citation analysis to scrutinise and comprehend the core knowledge structures that are integral parts of mobile payment services studies. Therefore, in order to fill this research gap, this research article aims to interpret the corpus of mobile payment services research, which was published during the period of 1997 to June 2017. Bibliometric and Social Network Analysis (SNA) methods were employed to formulate the core intellectual structure of research targeting mobile payment services. The Web of Knowledge (WoK) database was the key source from where 406 articles and 3,424 citations were obtained. These documents were analysed using co-citation analysis. UCINET was used to enlist the keynote research papers in the realm of mobile payment services as per factor analysis, citation and co-citation analysis, multidimensional scaling and centrality measurement. Seven core clusters of mobile payment services research emerged as a critical finding of this study; these clusters include (1) Adoption and usage; (2) Trust, risk and security; (3) Application; (4) Scheme; (5) Protocol; (6) Architecture; (7) Mobile payment corporation. The findings of this research study provide crucial guidelines for practitioners and researchers involved in this field.Mobile Payment Services have advanced in the last two decades, gaining the attention of experts and researchers from around the world. A number of reviews and literature analysis studies have been carried out, aimed at analysing the numerous dimensions of mobile payment services; however, no researcher has attempted a co-citation analysis to scrutinise and comprehend the core knowledge structures that are integral parts of mobile payment services studies. Therefore, in order to fill this research gap, this research article aims to interpret the corpus of mobile payment services research, which was published during the period of 1997 to June 2017. Bibliometric and Social Network Analysis (SNA) methods were employed to formulate the core intellectual structure of research targeting mobile payment services. The Web of Knowledge (WoK) database was the key source from where 406 articles and 3,424 citations were obtained. These documents were analysed using co-citation analysis. UCINET was used to enlist the keynote research papers in the realm of mobile payment services as per factor analysis, citation and co-citation analysis, multidimensional scaling and centrality measurement. Seven core clusters of mobile payment services research emerged as a critical finding of this study; these clusters include (1) Adoption and usage; (2) Trust, risk and security; (3) Application; (4) Scheme; (5) Protocol; (6) Architecture; (7) Mobile payment corporation. The findings of this research study provide crucial guidelines for practitioners and researchers involved in this field

Security in Context-aware Mobile Business Applications

The support of location computation on mobile devices (e.g. mobile phones, PDAs) has enabled the development of context-aware and especially location-aware applications (e.g. Restaurant Finder, Friend Finder) which are becoming the new trend for future software applications. However, fears regarding security and privacy are the biggest barriers against their success. Especially, mobile users are afraid of the possible threats against their private identity and personal data. Within the M-Business research group at the University of Mannheim, various security and privacy aspects of context-aware mobile business applications are examined in this thesis. After providing a detailed introduction to context-aware applications, the security challenges of context-aware applications from the perspectives of different principals (i.e. mobile users, the broker, service providers) are analyzed. The privacy aspects, the challenges, the threats and legal directives regarding user privacy are explained and illustrated by real-life examples. The user-centric security architectures integrated within context-aware applications are introduced as anonymity and mobile identity management solutions. The M-Business security architecture providing security components for communication security, dynamic policy-based anonymity, secure storage on mobile devices, identity management for mobile users and cryptography libraries is explained in detail. The LaCoDa compiler which automatically generates final Java code from high level specifications of security protocols is introduced as a software-centric solution for preventing developer-specific security bugs in applications

A user-centric privacy-preserving authentication protocol for IoT-AmI environments

Ambient Intelligence (AmI) in Internet of Things (IoT) has empowered healthcare professionals to monitor, diagnose, and treat patients remotely. Besides, the AmI-IoT has improved patient engagement and gratification as doctors’ interactions have become more comfortable and efficient. However, the benefits of the AmI-IoT-based healthcare applications are not availed entirely due to the adversarial threats. IoT networks are prone to cyber attacks due to vulnerable wireless mediums and the absentia of lightweight and robust security protocols. This paper introduces computationally-inexpensive privacy-assuring authentication protocol for AmI-IoT healthcare applications. The use of blockchain & fog computing in the protocol guarantees unforgeability, non-repudiation, transparency, low latency, and efficient bandwidth utilization. The protocol uses physically unclonable functions (PUF), biometrics, and Ethereum powered smart contracts to prevent replay, impersonation, and cloning attacks. Results prove the resource efficiency of the protocol as the smart contract incurs very minimal gas and transaction fees. The Scyther results validate the robustness of the proposed protocol against cyber-attacks. The protocol applies lightweight cryptography primitives (Hash, PUF) instead of conventional public-key cryptography and scalar multiplications. Consequently, the proposed protocol is better than centralized infrastructure-based authentication approaches