Considering the types of mobile payment security issues, it is generally held that the security of mobile payment can be ensured by means of Wireless Public Key Infrastructure (WPKI), WAP security and identity authentication.
1. Wireless Public Key Infrastructure (WPKI)
WPKI (Wireless PKI) is an extension of wired PKI: it brings the PKI security mechanisms used in Internet e-commerce into the mobile payment transaction process. WPKI enhances the security of mobile e-commerce by managing certificates, keys and the relationships among the various entities.
By adopting the public key infrastructure and a certificate management strategy, WPKI establishes a secure and effective wireless network communication environment. Based on the security mechanism of WAP, WPKI enhances the security of mobile payment by managing inter-entity relationships, keys and certificates. WPKI is a security infrastructure platform: all authentication-based applications need the support of WPKI technology, which can be combined with WTLS and TCP/IP to realize identity authentication, private key signatures and other functions. The main components of WPKI are: end-user entity applications (EE), the PKI portal, certification authorities (CA), the directory service (PKI directory), WAP gateways and servers.
1.1. Basic working principle of WPKI
1) The user submits a certificate request to the RA;
2) The RA reviews the user's application and, if it qualifies, passes it on to the CA; the CA generates a key pair for the user, creates a certificate and hands the certificate to the RA;
3) The CA also publishes the certificate to the certificate directory so that wired network users can query it;
4) The RA saves the user's certificate, generates a certificate URL for each certificate and sends the URL to the mobile end user;
5) At the same time, the wired network server downloads the certificate list and keeps it on standby;
6) The mobile terminal sends the document, the signature and the certificate URL to the WAP gateway and establishes a secure WTLS/TLS connection;
7) The WAP gateway establishes a TLS/SSL connection with the wired network server;
8) The mobile terminal and the wired network server then carry out secure information transfer.
1.2. The main technologies of WPKI
In actual use, the traditional PKI is optimized for the wireless environment: the key technologies, namely the PKI protocol, the certificate format, the encryption algorithms and the keys, are adapted and optimized by WPKI.
1.2.1. WPKI protocol
The traditional method of processing PKI service requests relies on the BER/DER encoding rules of ASN.1, but BER/DER encoding requires more processing power and is not suitable for WAP devices. The WPKI protocol is instead implemented with the WML language, the WMLScript crypto interface and the script crypto library, which saves a great deal of processing power compared with BER/DER encoding.
1.2.2. WPKI certificate format
The WPKI certificate format specification is designed to reduce the storage space consumed by public key certificates. One mechanism is to define a new certificate format (the WTLS certificate format) for the server-side certificate; this certificate consumes significantly less storage than the standard certificate. Another very important simplification in the WPKI certificate is the use of the elliptic curve cryptography (ECC) algorithm: the keys used by ECC are shorter than those of the RSA algorithm, and by using ECC a certificate can be stored in less than 100 bytes, compared with a certificate based on other algorithms. WPKI also limits the size of certain data fields of the IETF PKIX certificate format; because the WPKI certificate format is a subset of the PKIX certificate format, it maintains interoperability with standard PKI.
1.2.3. WPKI encryption algorithms and keys
In the WAP security standard the traditional signature mechanism is optional, but implementing it in the wireless environment has little practical value because of the performance problems caused by resource consumption and the low processing ability of WAP devices. Compared with the ECC signature algorithm, traditional signature mechanisms (such as the RSA algorithm) require more processing resources and more storage space. The ECC signature algorithm is one of the most compact signature algorithms in the industry and is the most suitable choice to support the security mechanism in the wireless environment. A typical ECC algorithm uses a key length of 163 bits, while an RSA key of the same encryption strength is 1024 bits; that is, the ECC key is about 1/6 the length of an RSA key of equal strength. These characteristics of the ECC algorithm make key storage and certificate storage occupy less space and improve the processing efficiency of digital signatures.
2. WAP protocol security mode
The security problems of the mobile payment transaction protocol can be solved through the WAP protocol; WAP security is mainly realized by WTLS/TLS and WMLScript signText.
1) WTLS/TLS. The Wireless Transport Layer Security (WTLS) protocol is a security protocol developed in accordance with the industry-standard TLS protocol and is designed as a security layer on top of the transport layer. WTLS's features are similar to the SSL encrypted transport technology used by websites worldwide: data is encoded and encrypted during transmission to prevent attackers from stealing confidential data in transit. WTLS is designed to provide privacy, data integrity and authentication between two communicating applications.
WTLS supports different levels of security, each involving different handshake requirements; higher levels of security may require more complex handshake procedures and more bandwidth. WTLS supports different encryption mechanisms and divides the security levels according to key length.
2) WMLScript signText. Users can decide to accept or reject an application written by a developer by typing in some text. The WAP browser provides a WMLScript function, Crypto.signText, which is used to ask the user to enter some strings. When the signText method is called, the string to be signed is displayed and the user is asked to confirm it; for example, the user must enter a PIN code to accept. After the data is signed, the signature and the data are sent back to the server; the server obtains the digital signature and, after verifying it, authenticates the user's identity.
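The certificate issue of steps 1 and 2 in section 1.1 and the signText round trip just described, as an added example in Go (not code from the original article, which describes WMLScript). Assumed: P-256 ECDSA with SHA-256 in place of the 163-bit ECC curve the article mentions, a hash of the public key standing in for the certificate body, and out-of-band provisioning of the private key into the handset; the RA, certificate URL and WAP gateway hops are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Cert is a minimal stand-in for a WPKI user certificate: the user's public key, signed by the CA.
type Cert struct {
	PubKey *ecdsa.PublicKey
	CASig  []byte
}

// NewCA creates the CA's own signing key (done once, before any user enrols).
func NewCA() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// certDigest hashes a fixed-width X||Y encoding of the key (32 bytes each on P-256).
func certDigest(pub *ecdsa.PublicKey) []byte {
	d := sha256.Sum256(append(pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))...))
	return d[:]
}
// Issue models step 2 of the WPKI flow: the CA generates the user's key pair and signs the
// certificate. The private key is returned here; in practice it is provisioned into the handset.
func Issue(ca *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *Cert, error) {
	user, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, ca, certDigest(&user.PublicKey))
	return user, &Cert{PubKey: &user.PublicKey, CASig: sig}, err
}
// SignText models Crypto.signText: the handset signs the digest of exactly the text the user confirmed (e.g. by PIN).
func SignText(user *ecdsa.PrivateKey, text string) ([]byte, error) {
	d := sha256.Sum256([]byte(text))
	return ecdsa.SignASN1(rand.Reader, user, d[:])
}
// VerifySignedText is the server side: the certificate must chain to the trusted CA,
// and the signature must match the text the server actually received.
func VerifySignedText(caPub *ecdsa.PublicKey, cert *Cert, text string, sig []byte) error {
	if !ecdsa.VerifyASN1(caPub, certDigest(cert.PubKey), cert.CASig) {
		return errors.New("certificate not issued by the trusted CA")
	}
	if td := sha256.Sum256([]byte(text)); !ecdsa.VerifyASN1(cert.PubKey, td[:], sig) {
		return errors.New("signature does not match the text")
	}
	return nil
}
```

The CA check in VerifySignedText is what turns the signature into an authentication of the user rather than a mere integrity proof: without it, any self-generated key would be accepted.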
3. Identity authentication methods
In mobile payment the most critical issue is the authentication of the user's identity. We propose the following five ways of providing different levels of authentication security:
1) Real-name management of mobile phone numbers;
2) Adding a fixed password to mobile payment;
3) Using a shared key during the mobile payment process, with the data exchange protected by symmetric encryption;
4) Using a dynamic password management method for mobile payment, in which each password is managed so that it is unique;
5) Using mobile PKI for identity authentication, for example with a WIM (WAP Identity Module).
In actual operation, the authentication method is chosen according to different factors and security requirements. Small mobile payments can be authenticated with the mobile phone number and a fixed password; large mobile payments can use a fixed password together with a dynamic password to improve security. Moreover, the WIM-based mobile PKI authentication method can satisfy both of these requirements and can then support more mobile payment functions.
Analysis of different security technologies for mobile payment