Performance Evaluation on End-to-End Security
Architecture for Mobile Banking System
C.Narendiran, S.Albert Rabara
Department of Computer Science
St. Joseph's College (Autonomous)
Tiruchirappalli – 620 002, India.
cnarendiran@yahoo.co.in, a_rabara@yahoo.com
N.Rajendran
Tata Telecommunication
Mumbai – 602052. India.
nrajendran_98@yahoo.com
Abstract— The advantage of mobile penetration enables mobile operators to provide value added services such as secured mobile banking and mobile commerce, and to provide enhanced security for internet banking. Mobile banking is attractive because it is a convenient approach to perform banking from anywhere at any time, but there are security concerns in its implementation, which include problems with the GSM network and with the SMS and GPRS protocols. In this paper an end-to-end security framework using PKI for mobile banking is proposed, and the performance of the proposed model is presented.
Keywords- PKI, Mobile Banking, Digital Certificate, J2ME, Midlet
I. INTRODUCTION
The rapid pace of advancement in mobile commerce applications is bringing a revolutionary change to banking services by offering anytime, anywhere banking. Mobile banking is the service that allows a mobile client to request and receive information about a personal account, or to transfer funds between accounts, using a personal mobile phone. In m-banking, the customer not only carries out banking transactions but also interacts with the bank's databases, files, records etc. to obtain relevant details. Since the data at the customer end and the databases at the server end are very sensitive, and mobile devices are vulnerable to threats and attacks, security is a major area of concern [1]. The mobile telecommunication industry has shown much interest in its core telecom business and given less attention to this kind of value added service [2,3]. The WAP architecture is well-suited for operation in restricted wireless environments; however, its incompatibility with standard internet protocols and the need for a gateway to perform protocol conversion raise security concerns and prevent WAP from providing end-to-end security. This is because the protocol conversion mechanism leaves the data in unencrypted form at the gateway during the protocol switch, which puts the confidentiality of the data at risk inside the gateway. Any intruder who can access this gateway can intercept the data after it is decrypted and before it is encrypted again by SSL [4,5].
Moreover, the gateway represents a single point of failure and a major performance bottleneck, being the only entry point to the Internet for a large number of wireless clients. In this paper, a security architecture for mobile banking is proposed, together with a prototype solution for securing sensitive data over the wireless network through a Mobile Information Device Profile (MIDP)-enabled device. The paper is organized as follows. Section 2 briefly reviews the work done by researchers and the current scenario in mobile banking. The proposed PKI-based security framework for mobile banking is presented in Section 3. Section 4 shows the performance evaluation of cryptographic algorithms for mobile banking. Section 5 concludes the paper.
II. REVIEW OF LITERATURE
Mobile banking is becoming an increasingly popular tool for the wireless mobile client. After telephone banking and Internet banking, the traditional banking services, many banks have today started to build banking services via mobile devices. Providing complete security for their invaluable information assets and protecting them from unauthorized users is a difficult task across different wireless networks. A study has been made of the SMS/GPRS protocols, and the issues identified in SMS, USSD and WAP banking solutions are discussed below.
A. SMS Banking Services
The security shortfalls of the current mobile banking solutions using the short message service (SMS) are discussed here. Currently, the South African banks Standard Bank and ABSA use the Wireless Internet Gateway (WIG) for mobile banking. First National Bank (FNB) uses the Unstructured Supplementary Services Data (USSD) with SMS approach. FNB requires the user to first send a USSD string containing the user's PIN to the banking server. The server then returns a message to notify the user that it is ready to accept banking SMS messages [6,7]. This approach is not secure because every user's details are transmitted in plaintext: the mobile network operator has full access to the banking details sent by the user.
SMS was originally intended for subscribers to send non-sensitive messages across the open GSM network. Mutual authentication, text encryption, end-to-end security and non-repudiation were omitted during the design of the GSM architecture [8,9]. Several banks are using SMS-based services with limited security.
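The two exposure points described above (the operator reading plaintext SMS/USSD traffic, and the WAP gateway holding plaintext while it converts between the air-link and wired-link protocols) can be made concrete with a small model of the three delivery paths. The following Python is an added example, not code from the paper or from any of the banks or gateways it names. It assumes a constructed balance-enquiry message that carries the customer's PIN, constructed per-link keys, and an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag as a stand-in for the WTLS/SSL and PKI-established keys the text discusses; pre-shared symmetric keys take the place of a PKI handshake, which is an assumption of the model rather than the paper's design.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Tuple

# Constructed sample request (not from the paper): a balance enquiry carrying
# the customer's PIN, in the style of the plaintext SMS/USSD flows above.
SAMPLE_REQUEST = b"BAL PIN=4321 ACC=000123456789"

# Constructed keys (hypothetical): one per link for the gateway model, and one
# shared only by client and bank for the end-to-end model.
CLIENT_GW_KEY = secrets.token_bytes(32)
GW_BANK_KEY = secrets.token_bytes(32)
CLIENT_BANK_KEY = secrets.token_bytes(32)

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from one link key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything modified in transit."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message integrity check failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


@dataclass
class Observation:
    intermediary_sees: bytes  # bytes the operator or gateway handles in the clear
    bank_receives: bytes      # what the bank decodes at the far end


def plaintext_sms(request: bytes = SAMPLE_REQUEST) -> Observation:
    """SMS/USSD model: the operator relays the text unchanged and can read it."""
    return Observation(intermediary_sees=request, bank_receives=request)


def hop_by_hop_gateway(request: bytes = SAMPLE_REQUEST,
                       client_gw_key: bytes = CLIENT_GW_KEY,
                       gw_bank_key: bytes = GW_BANK_KEY) -> Observation:
    """WAP-style model: one key on the air link, another on the wired link.
    The gateway must decrypt in order to re-encrypt, so plaintext exists inside it."""
    over_air = encrypt(client_gw_key, request)
    at_gateway = decrypt(client_gw_key, over_air)   # the protocol-conversion point
    over_wire = encrypt(gw_bank_key, at_gateway)
    return Observation(intermediary_sees=at_gateway,
                       bank_receives=decrypt(gw_bank_key, over_wire))


def end_to_end(request: bytes = SAMPLE_REQUEST,
               client_bank_key: bytes = CLIENT_BANK_KEY) -> Observation:
    """End-to-end model: the payload is protected under a key the intermediary
    does not hold, so it can only forward ciphertext it cannot read."""
    blob = encrypt(client_bank_key, request)
    relayed = blob  # operator/gateway forwards the bytes as-is
    return Observation(intermediary_sees=relayed,
                       bank_receives=decrypt(client_bank_key, relayed))


def exposes_pin(observed: bytes) -> bool:
    """Crude check for the sensitive field being readable by an intermediary."""
    return b"PIN=" in observed


def tamper_detected(request: bytes = SAMPLE_REQUEST,
                    client_bank_key: bytes = CLIENT_BANK_KEY) -> bool:
    """An intermediary flips one ciphertext bit; the end-to-end tag lets the bank reject it."""
    blob = bytearray(encrypt(client_bank_key, request))
    blob[NONCE_LEN] ^= 0x01
    try:
        decrypt(client_bank_key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, obs in [("plaintext SMS", plaintext_sms()),
                      ("hop-by-hop gateway", hop_by_hop_gateway()),
                      ("end-to-end", end_to_end())]:
        print(f"{name:20s} intermediary can read PIN: {exposes_pin(obs.intermediary_sees)}")
    print("tampering rejected by bank:", tamper_detected())
```

Running the script shows the PIN readable by the intermediary in the first two models and hidden in the third, with the bank still recovering the original request in every case and rejecting a message altered in transit only in the end-to-end model. The design point is that confidentiality at the gateway is a property of where the keys live, not of how strong each link's cipher is: as long as the intermediary holds the key for both links, the text's "decrypted, then encrypted again by SSL" window exists.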
978-1-4244-2829-8/08/$25.00 ©2008 IEEE