A secure IoT-based micro-payment protocol for wearable devices

Peer-to-Peer Networking and Applications

Abstract

Wearable devices are part of the essential cost of goods sold (COGS) in the wheel of the Internet of Things (IoT), with a potential impact on the finance and banking sectors. Lightweight cryptographic mechanisms are needed for IoT devices because they are resource-constrained. This paper introduces a novel IoT-based micro-payment protocol for a wearable-device environment. The payment model uses the elliptic curve integrated encryption scheme (ECIES) to encrypt and decrypt the messages exchanged between the various entities. The proposed protocol allows the customer to buy goods using a wearable device and to send the confidential payment information through the mobile application, which establishes a secure session between the customer, the banks and the merchant. Static security analysis and informal security methods indicate that the proposed protocol withstands the security vulnerabilities commonly involved in mobile payments. Formal verification of the security properties with Burrows-Abadi-Needham (BAN) logic confirms the protocol's correctness. Practical simulation and validation with the Scyther and Tamarin tools confirm the absence of attacks on the proposed framework. Finally, a performance analysis of cryptographic features and computational overhead against related approaches shows that the proposed micro-payment protocol for wearable devices is secure and efficient.

Notes

  1. https://tractica.omdia.com/wp-content/uploads/2015/07/WPAY-15-Brochure.pdf

  2. https://www.statista.com/statistics/302484/wearable-technology-market-value

  3. https://labs.f-secure.com/tools/drozer/

References

  1. Challa S, Wazid M, Das AK, Kumar N, Reddy AG, Yoon E-J, Yoo K-Y (2017) Secure signature-based authenticated key establishment scheme for future iot applications. IEEE Access 5:3028–3043

  2. Yeh KH (2016) A secure iot-based healthcare system with body sensor networks. IEEE Access 4:10288–10299

  3. Chen Y, Xu W, Peng L, Zhang H (2019) Light-weight and privacy-preserving authentication protocol for mobile payments in the context of iot. IEEE Access 7:15210–15221

  4. Guravaiah K, Thivyavignesh R, Velusamy RL (2017) Vehicle monitoring using internet of things. In Proceedings of the 1st International Conference on Internet of Things and Machine Learning pp.1–7. https://doi.org/10.1145/3109761.3109785

  5. Guravaiah K, Velusamy RL (2019) Prototype of home monitoring device using internet of things and river formation dynamics-based multi-hop routing protocol (rfdhm). IEEE Trans Consum Electron 65(3):329–338

  6. Tehrani K, Michael A (2020) http://www.wearabledevices.com/what-is-a-wearable-device/. Accessed 03 Jun 2020

  7. Finnegan M (2020) https://www.computerworld.com/article/3556753/banking-on-wearables-time-for-finance-sector-to-take.html. Accessed 20 May 2020

  8. Seneviratne S, Hu Y, Nguyen T, Lan G, Khalifa S, Thilakarathna K, Hassan M, Seneviratne A (2017) A survey of wearable devices and challenges. IEEE Commun Surv Tutorials 19(4):2573–2620

  9. Das AK, Wazid M, Kumar N, Khan MK, Choo KKR, Park Y (2017) Design of secure and lightweight authentication protocol for wearable devices environment. IEEE J Biomed Health Inform 22(4):1310–1322

  10. Online Available. https://www.opnessl.org/. Accessed 10 Jun 2020

  11. Das AK, Zeadally S, Wazid M (2017) Lightweight authentication protocols for wearable devices. Comput Electr Eng 63:196–208

  12. Kumar D, Grover HS et al (2019) A secure authentication protocol for wearable devices environment using ecc. J Inf Secur Appl 47:8–15

  13. Liu S, Hu S, Weng J, Zhu S, Chen Z (2016) A novel asymmetric three-party based authentication scheme in wearable devices environment. J Netw Comput Appl 60:144–154

  14. Yohan A, Lo NW, Randy V, Chen SJ, Hsu MY (2016) A novel authentication protocol for micropayment with wearable devices. In ACM Proceedings of the 10th International Conference on Ubiquitous Information Management and Communication, Danang, Viet Nam pp. 1–7

  15. Online Available Github. https://github.com/sriramulub

  16. Sun DZ, Huai JP, Sun JZ, Zhang JW, Feng ZY (2008) A new design of wearable token system for mobile device security. IEEE Trans Consum Electron 54(4):1784–1789

  17. Corner MD, Noble BD (2005) Protecting file systems with transient authentication. Wireless Netw 11(1–2):7–19

  18. Saravanan K, Yuvaraj D (2010) An new secure mechanism for bluetooth network. In 2010 the 2nd international conference on computer and automation engineering (ICCAE). IEEE 1:202–205

  19. Bojjagani S, Sastry V (2019) A secure end-to-end proximity nfc-based mobile payment protocol. Comput Stand Interfaces p 103348. https://doi.org/10.1016/j.csi.2019.04.007

  20. Patel R, Kunche A, Mishra N, Bhaiyat Z, Joshi R (2015) Paytooth-a cashless mobile payment system based on bluetooth. Int J Comput Appl 120:24

  21. Liu W, Liu H, Wan Y, Kong H, Ning H (2016) The yoking-proof-based authentication protocol for cloud-assisted wearable devices. Pers Ubiquit Comput 20(3):469–479

  22. Wu F, Li X, Xu L, Kumari S, Karuppiah M, Shen J (2017) A lightweight and privacy-preserving mutual authentication scheme for wearable devices assisted by cloud server. Comput Electr Eng 63:168–181

  23. Gupta A, Tripathi M, Shaikh TJ, Sharma A (2019) A lightweight anonymous user authentication and key establishment scheme for wearable devices. Comput Netw 149:29–42

  24. Bojjagani S, Sastry V (2017) A secure end-to-end sms-based mobile banking protocol. Int J Commun Syst 30(15):1–19. https://doi.org/10.1002/dac.3302

  25. Bojjagani S, Sastry V (2017) Vaptai: A threat model for vulnerability assessment and penetration testing of android and ios mobile banking apps. In IEEE 3rd International Conference on Collaboration and Internet Computing (CIC), San Jose, California, USA, pp 77–86. https://doi.org/10.1109/CIC.2017.00022

  26. Bojjagani S, Sastry V (2016) Stamba: Security testing for android mobile banking apps. In Advances in Signal Processing and Intelligent Recognition Systems. Springer pp 671–683. https://doi.org/10.1007/978-3-319-28658-7_57

  27. Moonsamy V, Batten L (2014) Mitigating man-in-the-middle attacks on smartphones-a discussion of ssl pinning and dnssec. In Proceedings of the 12th Australian Information Security Management Conference. Edith Cowan University pp 5–13

  28. Bojjagani S, Brabin DD, Rao PV (2020) Phishpreventer: A secure authentication protocol for prevention of phishing attacks in mobile environment with formal verification. Procedia Comput Sci 171:1110–1119. https://doi.org/10.1016/j.procs.2020.04.119

  29. Bojjagani S, Sastry V, Chen CM, Kumari S, Khan MK (2021) Systematic survey of mobile payments, protocols, and security infrastructure. J Ambient Intell Humaniz Comput pp. 1–46. https://doi.org/10.1007/s12652-021-03316-4

  30. Fahl S, Harbach M, Muders T, Baumgärtner L, Freisleben B, Smith M (2012) Why eve and mallory love android: An analysis of android ssl (in) security. In Proceedings of the 2012 ACM conference on Computer and communications security pp 50–61

  31. Patel R, Borisaniya B, Patel A, Patel D, Rajarajan M, Zisman A (2010) Comparative analysis of formal model checking tools for security protocol verification. In International Conference on Network Security and Applications. Springer pp 152–163

  32. Pimentel JCL, Monroy R (2008) Formal support to security protocol development: A survey. Computación y Sistemas 12(1):89–108

  33. Braghin C, Sharygina N, Barone-Adesi K (2011) A model checking-based approach for security policy verification of mobile systems. Form Asp Comput 23(5):627–648

  34. Shashidhara R, Bojjagani S, Maurya AK, Kumari S, Xiong H (2020) A robust user authentication protocol with privacy-preserving for roaming service in mobility environments. Peer Peer Netw Appl 13(6):1943–1966. https://doi.org/10.1007/s12083-020-00929-y 

  35. Shi H, Ma W, Yang M, Zhang X (2012) A case study of model checking retail banking system with spin. JCP 7(10):2503–2510

  36. Tobarra L, Cazorla D, Cuartero F, Díaz G, Cambronero E (2009) Model checking wireless sensor network security protocols: Tinysec+ leap+ tinypk. Telecommun Syst 40(3–4):91–99

  37. Burrows M, Abadi M (1989) A logic of authentication. In Proc R Soc Lond A. The Royal Society 426:233–271

  38. Dolev D, Yao A (1983) On the security of public key protocols. IEEE Trans Inf Theory 29(2):198–208

  39. Kim M, Lee J, Yu S, Park K, Park Y, Park Y (2019) A secure authentication and key establishment scheme for wearable devices. In 2019 28th International Conference on Computer Communication and Networks (ICCCN). IEEE pp 1–2

  40. Santosa GB, Budiyanto S (2019) New design of lightweight authentication protocol in wearable technology. Telkomnika 17(2):561–572

  41. Gupta V, Gupta S, Chang S, Stebila D (2002) Performance analysis of elliptic curve cryptography for ssl. In Proceedings of the 1st ACM workshop on Wireless security, Atlanta, GA, USA pp. 87–94

  42. Lo NW, Yohan A (2020) Ble-based authentication protocol for micropayment using wearable device. Wirel Pers Commun pp. 1–22

  43. Alese BK, Philemon E, Falaki SO (2012) Comparative analysis of public-key encryption schemes. Int J Eng Technol 2(9):1552–1568

  44. Mohit P, Amin R, Karati A, Biswas G, Khan MK (2017) A standard mutual authentication protocol for cloud computing based health care system. J Med Syst 41(4):50

  45. Yeh KH, Su C, Choo KKR, Chiu W (2017) A novel certificateless signature scheme for smart objects in the internet-of-things. Sensors 17(5):1001

  46. Gallagher P, Director A (1995) Secure hash standard (shs). FIPS PUB 180:183

  47. The Network Simulator-ns-2, Online Available: URL: https://www.isi.edu/nsnam/ns/. Accessed on: 20 Oct 2020

  48. Castle Bouncy, "Bouncy castle crypto APIs", Online Available: https://www.bouncycastle.org/. Accessed on: 10 Mar 2020

  49. GlobalPlatform for Wearables (2021) Online Available: https://globalplatform.org/use-case/wearables/. Accessed on: 15 Apr 2021

  50. Cremers CJF (2008) The Scyther tool: Automatic verification of security protocols, Computer Aided Verification 5423:414-418

  51. Cremers CJF (2006) Scyther: Semantics and verification of security protocols. Eindhoven University of Technology Eindhoven, Netherlands

  52. Cremers CJ (2008) The scyther tool: Verification, falsification, and analysis of security protocols. In International Conference on Computer Aided Verification. Springer pp 414–418

  53. Meier S, Schmidt B, Cremers C, Basin D (2013) The tamarin prover for the symbolic analysis of security protocols. In International Conference on Computer Aided Verification. Springer pp 696–701

  54. Team T et al (2020) Tamarin-prover manual. Accessed 14 Feb 2019

  55. Bojjagani S, Sastry VN (2015) "SSMBP: A secure SMS-based mobile banking protocol with formal verification," 2015 IEEE 11th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), pp. 252-259. https://doi.org/10.1109/WiMOB.2015.7347969

Acknowledgements

The authors would like to thank Dr. V. N. Sastry, Prof and Head in the Center for mobile banking (CMB), Institute for development and research in banking technology (IDRBT), Established by the Reserve Bank of India (RBI), for help and suggestions on this project. The authors also wish to thank the anonymous reviewers, the editor, and the editor-in-chief for their valuable suggestions.

Corresponding author

Correspondence to Sriramulu Bojjagani.

Appendices

Appendix

In this appendix, the simulation of the proposed protocol with the Scyther tool, BAN logic and the Tamarin tool is considered, and it is discussed how the proposed protocol is modelled in terms of public key infrastructure and security properties.

A Scyther

Scyther [50] is a tool for the formal analysis of security protocols under the perfect cryptography assumption: all cryptographic functions are assumed to be perfect, so the adversary learns nothing from an encrypted message unless he knows the decryption key. The tool can be used to find problems that arise from how the protocol is constructed. Scyther takes as input the “software protocol description language (SPDL)” [51], which has a C- or Java-like syntax. The language’s primary purpose is to describe protocols, which are defined as a set of roles. Roles, in turn, are characterized by a sequence of events, most of which denote the sending or receiving of terms. The simulation of the proposed protocol is written in SPDL, and the results are available in the GitHub repository [15].

A.1 Verification of claims

Scyther accepts SPDL as its input language. The language allows security properties to be declared as claim events. In Scyther, the participating entities, called roles, are defined. In a role specification, an entity claims that a definite value is secret (confidential) or that particular characteristics [52] should hold for authentication between the communicating entities. The Scyther tool can then verify or falsify these characteristics. The results of the Scyther “Verification Claim” procedure are available in the GitHub repository [15].

A.2 Automatic claims

Scyther can also generate claims automatically; these claims are not specified by the protocol itself. The results of the Scyther “Automatic Claim” procedure are available in the GitHub repository [15]. In SPDL, authentication claims are added at the end of every participant’s role, stating that the required communicating entities have performed the protocol as expected and that the goals shown in Table 17 are achieved.

Table 17 The security goals described to analyze the proposed protocol (Wearable) using Scyther

B TAMARIN

The Tamarin prover is a tool for the symbolic analysis of network security protocols; it supports unbounded, automated verification of the essential security features. Tamarin includes adversary models and equational reasoning, and supports expressive languages for specifying protocols for efficient deduction [53]. The tool is efficient and supports heuristics to guide the proof search. When the automated proof search is executed, it returns either a proof of correctness (for fresh values and an unbounded number of threads) or a counterexample (e.g., an attack). The notation of the Haskell code of the proposed protocol is given in Appendix Sect. B.1.

To prove the security goals of our Wearable-protocol specification with Tamarin, we define three types of goals: secrecy, non-injective agreement and injective agreement. We also add executability lemmas to verify that the model can run to completion. The designed protocol is written in the Haskell programming language, and the tool accepts the file with the extension .spthy. Tamarin has two modes of execution: an interactive mode and a terminal mode. The interactive mode is implemented as a web server that provides HTML pages with embedded JavaScript. The detailed Tamarin-Haskell code, consisting of lemmas and proofs in Haskell, together with the results, is available in the GitHub repository [15].

Table 18 Notations for Tamarin used in our proposed framework

B.1 Modeling a public key infrastructure

The protocol and its environment are simulated in the Tamarin tool using multiset rewriting rules [54]. The notation for writing Haskell in Tamarin is shown in Table 18. These rules operate on the system’s state, represented as a multiset (i.e., a bag) of facts. Facts are predicates that store state information. Now consider the first rule, which models the registration of a public key:

  rule WD_1:
    [ Fr(~kw) ]
    -->
    [ !Pkw($C, pkw), WD_1($C, ~kw), Out(aenckpkC) ]

“First, generate a fresh name kw (of sort fresh), which is the new private key, and non-deterministically choose a public name C for the agent for whom we are generating the key-pair. Afterwards, create the fact !Pkw($C, pkw) (the exclamation mark ! denotes that the fact is persistent, i.e., it can be consumed arbitrarily often), which indicates the association between agent WD and its private key kw”.
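The following complete Tamarin theory is an added illustration, not the authors' model from the GitHub repository [15], of how a registration rule of the kind just described fits together with the lemma types named in Sect. B (executability, secrecy, non-injective agreement and injective agreement). The protocol it models is a deliberately minimal one-message exchange between a wearable device WD and a merchant M, and all rule, fact and action names (Register_ltk, !Ltk, !Pk, WD_send, M_recv, Send, Commit, LtkReveal, Honest) are assumptions chosen for this example; sign-then-encrypt under the built-in equational theories stands in for the paper's ECIES. The merchant keeps no freshness state, so the injective agreement lemma is expected to be falsified by a replay; this shows the counterexample output the text describes, while the other three lemmas are expected to be verified.

```tamarin
/* Added example (not the paper's model): a minimal Tamarin theory in the
   style of Sect. B.1. All names below are assumptions for this example. */
theory WearableToyExchange
begin

builtins: asymmetric-encryption, signing

/* Registration: a fresh private key ~kw is bound to a public agent name $C.
   !Ltk and !Pk are persistent facts (consumable arbitrarily often);
   Out(pk(~kw)) hands the public key to the network, i.e. to the adversary. */
rule Register_ltk:
    [ Fr(~kw) ]
  --[ Register($C) ]->
    [ !Ltk($C, ~kw), !Pk($C, pk(~kw)), Out(pk(~kw)) ]

/* Adversary capability: compromise of an agent's long-term private key.
   The lemmas below only promise anything for sessions with honest peers. */
rule Reveal_ltk:
    [ !Ltk($C, kw) ]
  --[ LtkReveal($C) ]->
    [ Out(kw) ]

/* The wearable $WD sends a fresh payment session key ~ks to merchant $M:
   signed with WD's private key, then encrypted under M's public key. */
rule WD_send:
    [ Fr(~ks), !Ltk($WD, kwd), !Pk($M, pkM) ]
  --[ Send($WD, $M, ~ks), Secret(~ks), Honest($WD), Honest($M) ]->
    [ Out(aenc(<$WD, ~ks, sign(<$WD, $M, ~ks>, kwd)>, pkM)) ]

/* The merchant decrypts with its own key, looks up the claimed sender's
   registered public key and checks the signature before committing. */
rule M_recv:
    let m = <wd, ks, sig> in
    [ !Ltk($M, kM), !Pk(wd, pkWD), In(aenc(m, pk(kM))) ]
  --[ Eq(verify(sig, <wd, $M, ks>, pkWD), true),
      Commit($M, wd, ks), Honest($M), Honest(wd) ]->
    [ ]

/* Makes the signature check recorded by Eq binding on every trace. */
restriction Equality:
  "All x y #i. Eq(x, y) @ i ==> x = y"

/* Executability: the model can run to completion with no key reveal.
   Expected result: verified (exists-trace). */
lemma executable: exists-trace
  "Ex WD M ks #i #j. Send(WD, M, ks) @ i & Commit(M, WD, ks) @ j
     & not (Ex A #r. LtkReveal(A) @ r)"

/* Secrecy: the session key stays unknown to the adversary unless a peer's
   long-term key was revealed. Expected result: verified. */
lemma session_key_secrecy:
  "All ks #i. Secret(ks) @ i
     ==> not (Ex #j. K(ks) @ j)
       | (Ex A #r. LtkReveal(A) @ r & Honest(A) @ i)"

/* Non-injective agreement: whenever M commits to (WD, ks), WD really sent
   ks to M (or a peer was compromised). Expected result: verified. */
lemma noninjective_agreement:
  "All M WD ks #i. Commit(M, WD, ks) @ i
     ==> (Ex #j. Send(WD, M, ks) @ j)
       | (Ex A #r. LtkReveal(A) @ r & Honest(A) @ i)"

/* Injective agreement additionally forbids two commits for one send.
   Expected result: falsified. M has no freshness check, so a replayed
   ciphertext makes M commit twice; Tamarin returns that replay as the
   counterexample (the "attack" output described in the text). */
lemma injective_agreement:
  "All M WD ks #i. Commit(M, WD, ks) @ i
     ==> (Ex #j. Send(WD, M, ks) @ j
            & not (Ex M2 WD2 #i2. Commit(M2, WD2, ks) @ i2 & not (#i2 = #i)))
       | (Ex A #r. LtkReveal(A) @ r & Honest(A) @ i)"

end
```

Saved as a .spthy file, the theory can be checked in terminal mode with `tamarin-prover --prove <file>.spthy` or explored in the interactive web mode with `tamarin-prover interactive <file>.spthy`. The replay counterexample for the last lemma is the kind of finding that motivates adding a merchant-side nonce or transaction counter to the exchange before claiming injective agreement.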

Cite this article

Bojjagani, S., Rao, P.V.V., Vemula, D.R. et al. A secure IoT-based micro-payment protocol for wearable devices. Peer-to-Peer Netw. Appl. 15, 1163–1188 (2022). https://doi.org/10.1007/s12083-021-01242-y
