
ORNEC ICT Cluster Projects

A Secure E-Commerce Framework for Mobile Users

Gregor v. Bochmann, Carlisle Adams, Jennifer Chandler


Abstract

With the continuing interest in wireless technology and the increasing availability of new wireless products, e-commerce service providers would like to expand their target markets to include mobile users. However, certain security challenges continue to hold back the widespread introduction of these services.

The objective of this research is to develop a security framework in which mobile users and e-commerce service providers can confidently accomplish e-commerce transactions. The research will include an assessment of privacy laws and security regulations relevant to mobile e-commerce applications under development.


Started: April 2004. Status: On-going.


Background

Although there has been considerable research directed towards various aspects of mobile security, such as secure routing, authentication, authorization and trust management, there is no complete solution available that covers all of the steps in a typical e-commerce transaction. And, while there exist wireless standards, such as Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA), they are not a sufficient security response for all aspects of a typical e-commerce transaction today or for those envisaged in the future.

The development of a security framework that engenders user confidence and trust cannot only consider technical requirements but must also consider the legal environment within which mobile e-commerce takes place.

One of the important roles of the law is the allocation of risk, which affects both the economic efficiency of a system and the willingness of users to participate. In addition, recent legal developments in the area of privacy and security have created a regulatory framework with which information and communications applications must comply, thus setting certain parameters on the extent to which an application can be brought to market or otherwise deployed.



Project Description

Many aspects of mobile commerce are the same as those associated with normal electronic commerce. However, the security challenges for mobile users, wireless devices and ad hoc networking go well beyond the issues encountered in traditional web-based distributed applications.

The goal of this project is to integrate several existing security techniques in order to develop a new framework in which mobile users and e-commerce service providers can confidently accomplish e-commerce transactions.

The research will be directed towards particular security issues in selected roaming scenarios. These scenarios require the identification of different standards-based devices, used on an ad hoc basis, as well as user authentication by a foreign organization that provides network access facilities and other services where the user temporarily resides.

The research will also include an assessment of the privacy laws and other regulations relevant to the new mobile e-commerce applications under development.



Project Significance

The development of a secure, access-rights-based framework that satisfies trust requirements for mobile transactions will significantly advance the knowledge required to address the security concerns of mobile users and e-commerce service providers.

The research will also advance our knowledge with respect to how privacy and security laws and regulations relate to the technological approaches available for solving mobile security issues, in specific user scenarios.



Approach and Methodology

To frame our research, we will first develop a set of potential mobile e-commerce user transaction application scenarios. These scenarios will involve a “mobile user” accessing a wireless network from a foreign domain, using ad hoc devices locally available for a variety of applications. The applications could include e-banking, IP telephony, m-commerce transactions, etc. Access would be from devices reflecting a multiplicity of standards such as GSM, Bluetooth and Wi-Fi. Finally, applications would require authentication by a foreign organization providing the access facilities and services within the foreign domain.

We will then focus our activity on three levels of research: concept design, prototype development and regulatory environment analysis.

At the conceptual level, we will study how the authentication procedures, considered in our previous research work, could be used to develop an overall security framework for mobile users. In particular, we will examine how the procedures would be combined in a role-based access right management system that could be utilized for applications such as those defined above, easily adapted to the requirements of different e-commerce service providers, and combined with a management system for trust, reputation and risk.
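As an added illustration of the kind of combination described above (not code from the project), the following sketch shows a role-based access-right check gated by a trust score for the domain that authenticated a roaming user. The roles, permissions, domain trust values and per-operation risk thresholds are constructed sample data, not values taken from the project.

```python
"""Added illustration, not project code: a minimal role-based access-right
check combined with a trust/risk gate for a roaming mobile user.
All tables below are constructed assumptions for the example."""
from dataclasses import dataclass

# Constructed role -> permission table (assumption)
ROLE_PERMISSIONS = {
    "customer": {"view_catalog", "purchase"},
    "merchant": {"view_catalog", "purchase", "refund"},
}

# Constructed trust scores the service provider assigns to the organizations
# that may authenticate a user (home domain vs. foreign access providers)
DOMAIN_TRUST = {
    "home.example": 1.0,
    "partner.example": 0.8,
    "hotspot.example": 0.3,
}

# Constructed per-operation risk, expressed as the minimum trust required in
# the domain that performed the authentication
OPERATION_MIN_TRUST = {
    "view_catalog": 0.0,
    "purchase": 0.5,
    "refund": 0.9,
}


@dataclass
class Session:
    user: str
    roles: set
    auth_domain: str  # organization that authenticated the user (may be foreign)


def authorize(session, operation):
    """Return (allowed, reason).

    Two independent conditions must hold: some role of the user grants the
    operation, and the authenticating domain is trusted at least as much as
    the operation's risk demands. Unknown domains get zero trust and unknown
    operations are treated as maximally risky, so both fail closed."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in session.roles))
    if operation not in granted:
        return False, "role does not grant operation"
    trust = DOMAIN_TRUST.get(session.auth_domain, 0.0)
    needed = OPERATION_MIN_TRUST.get(operation, 1.0)
    if trust < needed:
        return False, f"domain trust {trust} below required {needed}"
    return True, "ok"


if __name__ == "__main__":
    roaming = Session("alice", {"customer"}, "hotspot.example")
    print(authorize(roaming, "view_catalog"))  # allowed: low-risk operation
    print(authorize(roaming, "purchase"))      # refused: hotspot trust too low
```

The point of the sketch is that the role decision and the trust decision are evaluated separately, so a service provider can retune the trust table for a new foreign organization without touching the role model.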

At the implementation level, we will build on and extend the prototype system that we developed in earlier research. The new design will include an improved authentication protocol as well as certain elements of the conceptual security model described above. Tests will then be undertaken to validate the functionality and the effectiveness of the design.

Finally, with respect to the regulatory environment, we will assess privacy and security-related laws and regulations relevant to the mobile e-commerce applications under development. This assessment will not only seek to list rules, but also to consider improvements that would serve to develop a security framework that promotes trust and acceptance by users of mobile e-commerce.



Research Team

The research team assembled for this project includes Drs. Gregor v. Bochmann, Carlisle Adams and Jennifer Chandler, all of whom bring unique and complementary expertise to this project. The team also includes graduate students Jianqiang Shi, Zhen Eric Zhang, Khalil El-Khatib, Richard Qing and T. Nabbali.

  • Dr. Gregor v. Bochmann, Professor of Information Technology and Engineering, School of Information Technology and Engineering (SITE) at the University of Ottawa, brings expertise in the area of software engineering, communication protocols and distributed multimedia applications.

  • Dr. Carlisle Adams, Associate Professor of Information Technology and Engineering, School of Information Technology and Engineering (SITE) at the University of Ottawa, brings expertise in the area of computer and network security.

  • Dr. Jennifer Chandler, Professor in the Faculty of Law at the University of Ottawa, brings expertise in the area of privacy law, in particular Internet law and policy, including the use of law to promote cyber security.



