Secure electronic payments for Islamic finance

Mansour Al-Meaither

(2004)


Full text access: Open

Abstract

Secure electronic payment systems are of paramount importance in supporting the further development of electronic commerce. While an electronic payment system must meet the needs of both businesses and consumers, most of the current electronic payment schemes are based on the traditional methods of finance we are familiar with in the Western world. The main aim of this thesis is to develop new secure electronic payment schemes that satisfy the requirements posed by Islamic finance principles, which forbid the payment or receipt of interest. After providing a generic model for an electronic payment system, a description of some of the properties that distinguish the various types of electronic payment systems is given. The thesis then reviews examples of electronic payment schemes that are relevant to this thesis. The main concepts underlying Islamic finance are also introduced. The main contribution of this thesis is to propose four protocols that can be used to conduct secure electronic commerce transactions in a way that is consistent with Islamic financial principles. In keeping with the theme of developing new schemes to enable new participants to benefit from electronic payments, we also propose a simple and secure interpersonal payment system. EMV-compliant IC cards have been developed to secure traditional Point of Sale debit/credit transactions. In this thesis, we propose a way to use EMV-compliant cards to conduct an electronic Murabaha transaction with the goal of exploiting the widespread deployment of EMV cards. The Internet is the platform on which most electronic commerce transactions are performed. To build upon this base, this thesis presents a method for conducting a secure electronic Murabaha transaction using the Internet.
The increase in ownership of mobile phones suggests that they can be an effective means of authorising payment in electronic commerce transactions, offering security and convenience advantages by comparison with on-line payments conducted using PCs only. Therefore, this thesis proposes a new GSM-based payment system that enhances the security of Internet Murabaha transactions. Although many charities have a web presence, almost all of them have been designed to accept credit cards as the only means for making donations. The anonymity requirements of many donors, however, make the existing means of donation inappropriate for them. A new scheme supporting anonymous donations and distribution of these donations is therefore proposed.

Information about this Version

This is a Published version
This version's date is: 15/12/2004
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/341f95d6-cd7c-246d-26ec-4e7f609b8017/1/

Item Type: Monograph (Technical Report)
Title: Secure electronic payments for Islamic finance
Authors: Al-Meaither, Mansour
Departments: Faculty of Science\Mathematics

Deposited on 14-Jul-2010 in Royal Holloway Research Online. Last modified on 10-Dec-2010.
