Symmetric Key Management for Mobile Financial Applications : A Key Hierarchy Approach

Azam, Junaid

January 2013

In recent times the usage of smart phones has significantly increased. Businesses are transforming to make more out of smart phones. As a consequence, there is an increasing demand to have more and more mobile applications. Among other areas, mobile applications are also being used to make financial transactions. Applications used for financial transactions need to be more reliable and have end-to-end security. To implement security we heavily depend on cryptography and the heart of cryptography is the keys which are used in cryptographic processes (encryption/decryption). Therefore, it is essential not only to protect, but also to properly manage these keys, so that a robust and secure system can be achieved. This research work provides a complete implementation of symmetric key management for mobile phone applications with a focus on financial data using a key hierarchy approach. We have developed a key management system which allows smart phones to download the cryptographic key hierarchy. This key hierarchy is used to encrypt and decrypt financial data, such as PIN and other transaction information. Using this application (key management system), we can achieve an end-to-end security between client (mobile phones) and payment server (banking server). This research work presents implementation of key management system for Android OS only.

Symmetric Key Management

Key Hierarchy

Key Security

Financial Transaction

Mobile Phone

Mobile Application Security

mCommerce.

Computer and Information Sciences

Data- och informationsvetenskap

Algoritmy shody v dynamických servisně orientovaných systémech / Compliance Algorithms in dynamic service oriented systems

Šabatová, Ivana

January 2009

Compliance achievement and assurance of processes and services with regulatory requirements, standards, and business requirements becomes an actual task that should be resolved already in the stage of information systems design and implementation. If the particular business process or business service is supported with an IT system, then the compliance assurance relates also to this supporting system. This dissertation thesis presents the concept of continual compliance management in service oriented systems with a special focus on application of advanced process automation tools. The aim of this thesis was design of methods and procedures for reliability and credibility of business processes both internally in single domain, and in case of business process outsourcing including iterated and/or dynamic outsourcing i.e. in multi-domain environment with a special emphasis on automation level maximization. Particular process and/or service is considered to be reliable and credible if we are able to prove its compliance with the defined requirements in a trusted way. The first part of this thesis is dedicated to traditional methods for compliance achievement and assurance as a basis and inspiration for methods based on high level of automation. The second part of this thesis presents the concept of design, implementation and verification of compliance in service oriented systems. It introduces the terms of ideal target process, Key Assurance Indicator (KAI) and Key Security Indicator (KSA). For multi-domain environment there is the concept of Protection Level Agreement (PLA). This part also covers a new method of business process analysis designed for their automation as well as a concept of business rules design, testing and automation integration. The third part named Conceptual Model of Compliance Assurance in BPMS and Service Oriented Systems Environment brings a method inspired by well-known Deming Cycle (Plan, Do, Check, Act), description of the notations selected for compliance algorithm and target process modelling, and first of all the compliance algorithm design. This concept is demonstrated on two case studies of real business processes analyzed in Hospital San Raffaele in Milan, Italy. First of them is an internal business process regulated by regional law, the second study is an example of compliance with business requirement achievement and assurance in multi-domain environment of iterated dynamic outsourcing. These case studies were verified by simulation with subject matter experts and business process activities performers of the hospital personnel.