International Journal of Emerging Trends in Engineering and Development Issue 3, Vol. 1 (January 2013)
Available online on http://www.rspublication.com/ijeted/ijeted_index.htm ISSN 2249-6149
Secure Ciphering based QR Pay System for Mobile Devices
V.N.V.H Sudheer#1, J.Ranga Rajesh#2
#1 Student, Dvr & Dr. Hs Mic College Of Technology, Kanchikacherla,Krishna(dt)
#2 Assoc. professor, Dvr & Dr. Hs Mic College Of Technology, Kanchikacherla,Krishna(dt)
____________________________________________________________________________________________
Abstract: Mobile payment is a very important and critical solution for mobile commerce. A user-friendly mobile
payment solution is strongly needed to support mobile users in conducting secure and reliable payment transactions
using mobile devices. The Secure QR-Pay system, based on the two-dimensional QR code, lets a user pay a shop
while offline. A shop shows payment information by displaying a QR code in its display window. A user captures it
with a camera-equipped mobile device. If the user confirms the payment information and asks for approval, the
payment can be settled by the system itself. It is a very easy system. For this process, a payment gateway (PG) helps
with the calculation process in connection with the payment. The system we propose provides non-repudiation and
confidentiality of payment information. It also offers mutual authentication between user and merchant using public
certificates. A QR code is a barcode that can link to multiple kinds of data, including URL links, addresses and text.
QR stands for Quick Response. QR codes became popular in Japan after Toyota developed them as a new way to
identify their cars.
____________________________________________________________________________________________
I INTRODUCTION
QR codes (ISO/IEC 18004) are the type of 2D barcode with the sharpest increase in utilization in recent years. Fig.
1 shows some examples of QR code symbols.
Fig. 1. Examples of QR code symbols.
Mobile payment is one of the important and hot subjects in mobile commerce and wireless applications.
Recently, the emergence of wireless communications technology has raised concerns about the performance and
security of payment systems. Such concerns come from the limitations of wireless environments. Firstly, mobile
devices are considered to have lower power, storage, and computational capabilities compared to desktop computers.
They cannot efficiently perform computationally heavy operations such as public-key encryption. Secondly, wireless
networks have less bandwidth and reliability, and higher latencies. Therefore, mobile payments with existing
payment protocols are not acceptable to many users.
A QR Code (short for Quick Response) is a specific matrix barcode (or two-dimensional code), readable by
dedicated QR barcode readers and camera phones. The code contains up to 7,089 numeric characters. A user-
friendly and convenient mobile payment solution is a key ingredient in supporting mobile users in conducting secure
and reliable payment transactions using mobile devices. With the fast increase of mobile phones with touch-screen
and digital camera features, mobile users are looking for mobile solutions that provide a rich mobile experience
and simple operations for mobile commerce. Mobile payment systems supporting QR codes are definitely needed by
mobile users and merchants.
Payment systems in mobile environments are spreading rapidly. But a payment system using an existing
mobile phone has trouble interacting with each affiliate or payment gateway because each adopts a different IrFM.
Payment systems using the radio frequency signals of near field communication standards are used to solve this,
but they are hard to use with an existing mobile phone because the payment system makes the phone play the role
of an RFID tag. People also have to be careful when using such mobiles because of risks to the payment system,
such as relay attacks on RFID systems.
In this paper, we propose an innovative mobile payment system based on QR codes for mobile users, to
improve the mobile experience in conducting mobile payment transactions. We find that information sent to and
received from the Payment Gateway (PG) is not encrypted, which makes it susceptible to relay or spoofing attacks.
So we propose to replace this plain message sharing with ciphered messages that use a robust secure ciphering
technique such as the 192-bit AES or DES algorithm. Unlike other existing mobile payment systems, the proposed
payment solution provides distinct advantages in supporting the buying and selling of products and services with
QR codes. This system uses one standard QR code (Data Matrix) as an example to demonstrate how to deal with the
underlying QR code-based mobile payment workflow, mobile transactions and the security mechanisms involved.
II BACKGROUND
QR code structure:
The ISO/IEC 18004 standard defines the QR code symbol as having a general structure that comprises, besides data,
version information, and error correction code words, the following regions:
• a quiet zone around the symbol
• 3 finder patterns (FIP) in the corners
• 2 timing patterns (TP) between the finder patterns
• N alignment patterns (AP) inside the data area, as illustrated in Fig. 2.
a) Finder Pattern
A pattern for detecting the position of the QR code. By arranging this pattern at the three corners of a symbol,
the position, size, and angle of the symbol can be detected. The finder pattern consists of a structure which can be
detected in all directions.
Fig. 2. QR code structure
b) Alignment Pattern
A pattern for correcting the distortion of the QR Code. It is highly effective for correcting nonlinear distortions.
The central coordinate of the alignment pattern will be identified to correct the distortion of the symbol. For this
purpose, a black isolated cell is placed in the alignment pattern to make it easier to detect the central coordinate of
the alignment pattern.
c) Timing Pattern
A pattern for identifying the central coordinate of each cell in the QR code, with black and white cells arranged
alternately. It is used for correcting the central coordinate of a data cell when the symbol is distorted or when
there is an error in the cell pitch. It is arranged in both vertical and horizontal directions.
d) Data area
The QR code data is stored (encoded) in the data area. The grey part in the figure represents the data area.
The data is encoded into the binary digits '0' and '1' according to the encoding rule. These binary digits are
converted into black and white cells and then arranged. The data area also has Reed-Solomon codes incorporated
for the stored data and the error correction functionality.
The finder patterns are specially designed to be found from any search direction, since the sequence of black (b)
and white (w) pixels along any scan line that passes through the pattern's centre preserves the special sequence and
size ratio.
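As an added illustration of the scan-line property just described (example code, not the paper's own), the following Go function splits one row of modules into black/white runs and reports the centre of every five-run sequence in the 1:1:3:1:1 proportion that ISO/IEC 18004 specifies for the finder pattern. The '#'/'.' row encoding and the half-module tolerance are assumptions made for this example.

```go
package main

import "fmt"

// run is a maximal stretch of same-coloured modules along one scan line.
type run struct{ start, length int; black bool }

// runs splits a scan line ('#' = black module, '.' = white) into colour runs.
func runs(row string) []run {
	var out []run
	for i := 0; i < len(row); {
		j := i
		for j < len(row) && row[j] == row[i] {
			j++
		}
		out = append(out, run{i, j - i, row[i] == '#'})
		i = j
	}
	return out
}

// matchesRatio checks five consecutive run lengths against the finder pattern
// ratio 1:1:3:1:1, letting each run deviate by up to half a module so that a
// slightly blurred or skewed capture still matches.
func matchesRatio(a, b, c, d, e int) bool {
	total := a + b + c + d + e
	if total < 7 {
		return false
	}
	module := float64(total) / 7
	near := func(n int, want float64) bool {
		diff := float64(n) - want
		return diff <= module/2 && diff >= -module/2
	}
	return near(a, module) && near(b, module) && near(c, 3*module) &&
		near(d, module) && near(e, module)
}

// findFinderCenters returns the column of the centre module of every
// black-white-black-white-black run sequence on the row with the finder
// pattern ratio; a full decoder repeats this on columns and diagonals.
func findFinderCenters(row string) []int {
	var centers []int
	r := runs(row)
	for k := 0; k+4 < len(r); k++ {
		if !r[k].black {
			continue
		}
		if matchesRatio(r[k].length, r[k+1].length, r[k+2].length, r[k+3].length, r[k+4].length) {
			centers = append(centers, r[k+2].start+r[k+2].length/2)
		}
	}
	return centers
}

func main() {
	// Constructed scan line holding one finder pattern at module scale 2.
	fmt.Println(findFinderCenters("....##..######..##...."))
}
```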
III RELATED WORK
In payment systems, each customer is associated with a specific account maintained by a Trusted Third Party
(TTP) such as a bank (or a telco). In pre-paid transactions, this account is directly linked to the consumer's
savings account. The consumer maintains a positive balance in this account, which is debited when a pre-paid
transaction is processed. If post-paid transactions are supported, the charges from a transaction are accrued in the
consumer's account. The consumer is then periodically billed and pays the balance of the account to the TTP.
Account-based payment systems can be classified into three categories:
Mobile Phone-Based Payment Systems – They enable customers to purchase and pay for goods or services via
mobile phones. Here, each mobile phone is used as the personal payment tool in connection with remote sales. A
phone card-based payment system has the advantage over traditional card-based payment that the mobile phone
replaces both the physical card and the card terminal. Payments can take place anywhere, far away from both the
recipient and the bank.
Smart Card Payment Systems – They use a smart card, an embedded microcircuit which contains memory and a
microprocessor together with an operating system for memory control. These smart cards can be used for electronic
identification, electronic signature, encryption, payment, and data storage.
Credit-Card Mobile Payment Systems – This type of mobile payment system allows customers to make payments
on mobile devices using their credit cards. These payment systems are developed on top of the existing credit card-
based financial infrastructure by adding wireless payment capability for consumers on mobile devices.
IV SECURE QR CODE PAYMENT SYSTEM FRAMEWORK
To address the security issues, we build a mobile-enabled security framework into the QR code payment
system. This security framework includes the following components.
• Authentication management – This component is built to support the required authentication functions for each
party, including the mobile client, the merchant, and the payment server. In this system each party must be
authenticated before any payment transaction.
• Mobile session management – This component is designed to assure the security of a payment session
between the involved parties.
• Certification management – This component is designed to support payment-oriented certificate
generation, validation, and management.
• Mobile key management – This component is built to generate, distribute, and check public and private keys
based on Elliptic Curve Cryptography (ECC) or the Advanced Encryption Scheme.
• Message and data integrity validation – This component checks the message and data integrity of the
communications between the mobile client and the payment server using encryption and decryption methods.
V SECURITY STEPS FOR QR CODE BASED PAYMENT SYSTEM
User Registration:
All users of the mobile payment system must register before they can access the payment services. Since the
system provides an online website to support all of its user membership and account management, its users (both
customers and merchants) can use the provided mobile user interface (or online interface) to register, access, and
update their profiles and account information. During user registration, each user is assigned a unique user ID. In
addition, a pair of public and private keys is generated for the user. At the end of user registration, a user
certificate is issued to the mobile client.
Public and Private Key Generation:
Each mobile user with a unique user ID is assigned a generated public and private key pair based on
the Advanced Encryption Scheme (AES) technique, which provides the public key infrastructure using 256-bit keys
to provide confidentiality, integrity, and authenticity. An optional random seed is used to ensure that the public key
generated for the user is unique in the system. It must be derived from some unique characteristic of the handset,
such as the network host name of the mobile device. This key pair is used in generating secret session keys and
digital signatures to achieve secured sessions and data integrity checking.
User and Merchant Certification:
A certificate request is generated for each user (including merchant users and customer users) during user
registration, based on the generated key pair. All user certificates are stored in the data store in Base64-encoded
DER format and indexed by the user's ID. During the payment communications between parties, the public key is
derived from the certificate. In the first release of this payment system implementation, the payment server is used
as the certificate authority, the most trusted and central entity in the system. In real practice, a third-party
certification server can act as the certification authority.
Private Key and Certificate Key Management:
Since each user's private key and certificate key are stored on the mobile device, it is important to protect
them. To achieve this goal, the mobile client software encrypts the user's PIN and certificate key (or private key)
based on the Advanced Encryption Scheme (AES) and computes an HMAC over them before they are stored as a
file on the mobile device.
VI QR CODE BASED MOBILE PAYMENT SYSTEM
This approach builds QR code-based systems to allow mobile users to issue mobile payment
transactions using their digital wallets, based on mobile payment accounts in a mobile payment server. Compared
with the existing account-based mobile payment systems, this approach has five distinct advantages:
• It provides the buy-and-sale payment services for goods identified using QR codes.
• Mobile users can easily retrieve all related product information from QR codes.
• It easily supports product and customer verification for post-sale services, such as delivery and pick-up.
• It increases the mobile security for payment transactions.
• It improves mobile user experience by reducing user inputs.
Fig 3: QR code based mobile payment process
Figure 3 displays the underlying payment process, which consists of the following steps:
- A registered mobile user uses his/her user account to log in to the mobile payment system by sending a login
request to the mobile payment server. The mobile server processes the request and the mobile client authentication
and sends a login response with the server certificate ID and secured session ID, as well as a public key for the
communications.
- The mobile client authenticates the mobile server with the received public key and the server's certificate.
- The mobile client captures or receives a QR code for a product of interest from its advertisement. There are two
scenarios in which a mobile user can get a QR code. In the first case, the mobile user may use the camera on the
mobile device to capture the image of a QR code from a posted product. In the second case, the mobile user may
receive a mobile ad on the mobile device from a merchant. The mobile client then decodes the received QR
code, which includes product and maker information, marketing data, and the merchant's mobile URL.
- The mobile user clicks the given QR code to switch to the target merchant's mobile site using the URL provided
in the received QR code.
- The mobile user prepares and submits a purchasing request with a digital signature, as a QR code, to the merchant
server.
- The merchant server authenticates the mobile client based on the secured session ID provided by the mobile
client, as well as the public key. Meanwhile, the received signed request is validated by the merchant using the
private key.
- The merchant server generates and sends a signed purchase invoice with a transaction ID to the mobile client.
- The mobile client prepares and sends a payment request with the same transaction ID and a digital signature to
initiate the payment. The digital signature is made using the client's private key. The entire message is encoded
as a QR code.
- A secure session is established between the payment server and the mobile client. In this step, the payment server
validates the given security information, including the certificate from the mobile client, the session ID, the public
key, and the received digital signature. The mobile payment server then processes the payment transaction.
- The payment server prepares and sends a payment confirmation with a QR code receipt to the mobile client. The
mobile client displays the received confirmation message to the mobile user.
- The mobile server also sends a payment transaction completion notice with a QR code to the merchant server. This
code is useful for the merchant to carry out post-sale operations, such as pick-up validation or product
delivery.
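The signed purchase request, invoice and payment request of the steps above, as an added Go example that is not the paper's own implementation: it uses ECDSA over P-256 with SHA-256 as an instance of the ECC key option from section IV, verifies each signature with the signer's public key (the value a party obtains from the signer's certificate), and makes the payment server check that the payment request quotes the invoice's transaction ID and amount. The Msg fields, session-free layout and all values are constructed; the QR encoding of the messages is out of scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Msg is the constructed payload for all three messages; Signed adds an ASN.1 ECDSA signature.
type Msg struct{ TxID, Product string; Amount int }
type Signed struct{ Body, Sig []byte }

// sign serialises m and signs its SHA-256 digest with the sender's private key.
func sign(priv *ecdsa.PrivateKey, m Msg) Signed {
	body, _ := json.Marshal(m) // Msg has only plain fields, so this cannot fail
	sum := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, sum[:])
	if err != nil {
		panic(err) // the entropy source failed; nothing safe to continue with
	}
	return Signed{body, sig}
}

// verify checks the signature with the signer's PUBLIC key (taken from the
// signer's certificate in the real system) before decoding the body.
func verify(pub *ecdsa.PublicKey, s Signed) (m Msg, err error) {
	sum := sha256.Sum256(s.Body)
	if !ecdsa.VerifyASN1(pub, sum[:], s.Sig) {
		return m, errors.New("signature verification failed")
	}
	err = json.Unmarshal(s.Body, &m)
	return
}

// runFlow walks the signed steps: client -> merchant purchase request, merchant ->
// client invoice with transaction ID, client -> payment server payment request that
// is checked against the invoice. With tamper set, the payment body is altered on
// the path after signing and must be rejected by the server.
func runFlow(tamper bool) error {
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	merchant, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p, err := verify(&client.PublicKey, sign(client, Msg{Product: "SKU-1", Amount: 1500}))
	if err != nil {
		return err
	}
	inv, err := verify(&merchant.PublicKey, sign(merchant, Msg{"tx-0001", p.Product, p.Amount}))
	if err != nil {
		return err
	}
	req := sign(client, inv) // the payment request quotes the invoice verbatim
	if tamper {
		req.Body[len(req.Body)-2]++ // bumps the last digit of Amount after signing
	}
	pay, err := verify(&client.PublicKey, req)
	if err != nil {
		return err
	}
	if pay.TxID != inv.TxID || pay.Amount != inv.Amount {
		return errors.New("payment does not match invoice")
	}
	return nil
}
```

runFlow(false) returns nil and runFlow(true) returns the signature error; call it from a main or a test.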
VII PERFORMANCE
A QR code payment system should be quicker, safer and just as easy as using normal cash. The proposed
system satisfies the following requirements:
Security:
The system should be as secure as traditional cash if not more secure. This is one of the most important
characteristics in all financial transactions.
Mutual Authentication
The Secure QR-Pay system is based on mutual authentication between a user and a shop. Mutual authentication
relies on public certificates issued by a public CA. That is, the shop certifies itself with a digital signature made
using its private key. Also, the user certifies himself or herself using a private key when approving the payment
information. Mutual authentication makes it possible to get payment information through a safe channel with the
PG in the middle.
Anonymity:
The merchant should not be able to access the client's bank account; they should also not be able to obtain
personal details about the client. The bank should also not be able to track what the client is buying. They should
only know the amount and the merchant's details. A bank or merchant should not be able to track or monitor the
spending habits of a customer and build a profile of that client.
Confidentiality
All communication between a user and the PG, and between the PG and each merchant, can be transmitted over a
secure channel using the SSL/TLS protocol. Even if a hacker sniffs the message, he cannot learn the contents of the
transmitted message. Also, the QR code transmitted over the visual channel does not reveal the payment
information directly, because it only carries shop numbers, information numbers and a digital signature as values.
Scalability:
There should be no reliance on a central component. The reason for this is that it could cause a bottleneck and can
become a point of failure. The whole system needs to be distributed and be able to be run from a variety of
locations. This would eliminate the threat of the whole system failing if one server goes down.
VIII CONCLUSION
As more and more products and goods are identified using QR codes in commerce, there is a clear need to
build new mobile payment systems for mobile users to support mobile transactions based on QR codes. In this
paper, we propose an innovative mobile payment system based on QR codes for mobile users, to improve the
mobile experience in conducting mobile payment transactions. We find that information sent to and received from
the Payment Gateway (PG) is not encrypted, which makes it susceptible to relay or spoofing attacks. So we propose
to replace this plain message sharing with ciphered messages that use a robust secure ciphering technique such as
the 192-bit AES or DES algorithm. Unlike other existing mobile payment systems, the proposed payment solution
provides distinct advantages in supporting the buying and selling of products and services with QR codes. It also
offers mutual authentication between user and merchant using public certificates. A QR code is a barcode that can
link to multiple kinds of data, including URL links, addresses and text.