Hu Yongliang, Senior Technical Advisor, Gouffouin Electronic Commerce Security Certification Company
From November 30 to December 1, 2012, the 2012 third annual China Mobile Payment Industry Conference was held at the Beijing Ambassador Hotel. The conference focused on mobile payment innovation and practice and examined the global development trend of mobile payment in depth. Hu Yongliang, senior technical advisor of the Gouffouin e-commerce security certification company, delivered a keynote speech.
Hu Yongliang said that electronic authentication services in mobile payment now face many problems, the first being certificate integration. More and more clients and different terminals are joining the overall mobile payment industry, and we have to consider the future integration issues.
The following is a transcript of the speech:
Hu Yongliang: Distinguished leaders, ladies and gentlemen, good morning. I am Hu Yongliang from Gouffouin. From our company's professional angle, that of electronic authentication, I will explain some security application problems of mobile services. Today we share content in 4 aspects.
First, the status of mobile payments, including the classification of mobile payments, the current mobile payment market situation, and mobile payment statistics. After the above analysis, we take an in-depth look at the existing security problems in the mobile payment industry. The third part covers, from our organization's professional advantages, the work and direction for addressing these security issues. Finally, there are the challenges and opportunities for the electronic authentication service in the whole mobile industry.
Mobile payment is roughly divided into two categories: one is entry payment, the other is remote payment. Entry payment includes POS machine payment, which is the most widely used card method and the one everyone is most familiar with, as well as mobile phone payments and mobile phone messages. With the phone itself, the fee is deducted when downloading ringtones and SMS. SMS is a customized mobile phone to support the phone purse to make small payments.
The next three items are remote payments. One way is for laptops to pay over mobile networks, which is a mature form of payment. The latter two are now the new favorites of mobile payments, based on Android and Apple smartphones, which is the fastest-growing and potentially significant way. The authentication applications we talk about today are mainly based on the latter two.
For mobile phones, in addition to the higher level of intelligence, we can do some corresponding development on the system to implement some functions. Their use has a great advantage over other forms of payment. We can describe it with three keywords: time, space and convenience. Mobile phones are not limited by time and space and can be used to pay more. Over the next 10-plus years, this is the development direction of mobile terminals.
The following is a set of data on the current development of the mobile terminal market. The data, from Analysys International, cover 2011-2012 and related forecasts for the subsequent two years. As for the current number of mobile phone users, each mobile phone user paid 57 yuan through the mobile phone in 2011, rising to 96 yuan in 2012. As the mobile payment environment improves, there is more room for this figure to grow in the future.
This is the situation of the mobile terminal market. For users' payment behavior, I found some statistical data through an online investigation agency. Mobile end users' payments mostly stay at entry payment, and these entry payments are mostly small amounts. The bank transfers through the mobile phone just mentioned, that is, remote payment, are relatively few. What problems lead to less use of this approach? A survey shows that mobile phone payments are small payments, and remote payments are relatively few.
Let's take a look at some of the security issues in mobile phone payment. First of all, when analyzing security issues, we need to understand the various roles involved in mobile payment and the corresponding processes. There are about three parts: mobile end users; service providers, including banks, third-party agencies and mobile service providers; and the merchants that finally receive payment, including public fee agencies and retailers. The most important part is the intermediary service providers, which play a bridging role: they provide the appropriate functional services to the end user, and also provide the corresponding settlement services to the users at the back end.
In the whole chain, mobile terminals have the most users, the most complex environment and the most security risks. If you want to ensure the security of the entire system, you must ensure the security of mobile terminals and take some measures to ensure system security.
With the above analysis, let's look at what the problems with mobile payments are. As mobile payment becomes mainstream or a development direction, it unavoidably attracts a large group of users, which produces some factors of instability, for example mobile terminal security. The mobile terminal is the mobile payment tool, so its security directly affects the security of mobile payment as a whole. The security problems of these terminals come from several aspects. The first is the system, because there are so many versions of Android and the iPhone. Besides the system, there are applications: there are no corresponding specifications for applications, and the applications we download often have loopholes in the background. There are also phishing sites and Trojan programs, which seriously affect the mobile terminal security environment.
In the mobile payment process, the most important point is user identification. The entire mobile payment chain involves users, banks and businesses, and involves funds, so guaranteeing the legitimacy of the user's identity is the foundation of the entire information security. How to safeguard the legitimacy of the parties involved in the transaction (users, merchants, banks, third-party institutions) is the problem we focus on solving.
Transaction information security is particularly important: when users enter their account on the terminal and log in to the payment system, the information must be secure, and the data of payment transactions over the mobile network must not be modified or intercepted in transit, to ensure the inviolability of all information in the transaction process.
The last point is that, for the user, electronic transactions and traditional transactions are not the same, but we have to legally guarantee the legal effect of the entire transaction: we guarantee against repudiation of the transaction and ensure that the transaction chain has not been tampered with. This is the analysis of mobile payment security as a whole. After the analysis, we concluded how to create a secure mobile payment environment: it must meet the following key points.
First of all, because the user experience is the most important, when we build mobile payment security technology we must consider users' approval of the technology; this is a very critical point. Just a little bit. The payment chain should ensure that end users, service providers and merchants all participate in an effective authentication mechanism; this provides protection for the mobile payment chain. Third, guarantee the data transmission function between the mobile terminal and the platform. Finally, there must be a mechanism against denial.
Based on the above analysis and the key points of the mobile security environment, WPKI can effectively solve the security problems that mobile payment currently faces: it can bring together the user, the terminal, the operation service, the security application and so on, and provide an all-round solution. For users, WPKI is the most widely used; it moves the overall management mode, application mode, encryption and so on to the mobile terminal. It is a development direction for future mobile terminals, and a point that no manufacturer can ignore.
What are the advantages of WPKI in the entire mobile payment? We can introduce them in three points.
First of all, it can provide a very rigorous authentication mechanism. Compared with traditional user registration of some information, digital certificates require users to submit user information related to their identity. After a large number of user requests for authentication are received, user submissions can be defined through the RA center: users submit the application data to the RA, and the certificate is issued by the center in the background to the user's client. At the user's client, this is produced based on the terminal mode. Once the mobile payment platform has an interface based on the digital authentication mode, the end user can use the digital certificate to access the back-end mobile payment. We can provide authentication guarantees throughout the process.
Next, transmission encryption services. As you know, this is not the same as a password: the most important thing is to provide user authentication, and in addition digital certificates can provide signature and encryption services. In mobile payment, how do we guarantee the security of the communication channel? We use a mechanism in WPKI, WTLS, to encrypt transmissions. This protects the information as a whole.
The last point, the data integrity mechanism, is achieved by digital signature. Throughout the process, end users produce documents on their own terminals when carrying out related payment services. They can sign these using the end user's own private key. After the signature is finally formed, the signature data is submitted to the back-end mobile payment system. The mobile payment system can verify the user's signature through the center in the background and check whether the data has been modified in between. And once the payment platform holds the signed document, it provides a non-repudiation mechanism and evidence if the other side denies it.
Once the payment system has verified the user information and that the integrity of the intermediate data has not been tampered with, the user can be issued a payment receipt. This is the overall data security part.
Next, I will introduce some of the WPKI technology. It is divided into several levels: the bottom is the mobile network environment, which is the most basic thing. The top is WPKI based on the WAP protocol, global network communication protocols and so on.
What do we do for current mobile payments? Our country Fu An company was established in 98 and has operated as a third-party operating agency up to now. Our unit is located in Beijing also Zhuang and, relying on China's E-commerce center, has more than 100 technical service agencies in the country. Our unit is a pan-Asian e-commerce creation staff. This part is for third-party payment operations. There are also ways to store certificate data, and we provide facilities. We have a backup center in the same city and a remote center in Guangzhou; on the left is a photograph of our computer room.
In addition, in the Product Operations center our unit has its own platform to provide unified user management. Your own VPN is based on a server such as a signature. We focus on research and undertake research projects each year, including identity authentication and signatures, some security applications and so on.
Having said so much, what work do we do in mobile payment? We have our own WPKI products, which can support different terminals. In addition, because intelligent terminals now differ from ordinary PCs, we have to develop our own products for intelligent terminals. We provide certificate management tools for different clients, and users can manage their own certificates. As for certificate applications, we have a third-party mobile payment license with our brother company, and we have cooperated. We provide corresponding virtualization products for mobile terminals, to let Android and Apple be as powerful as PCs.
In technical research, we set up our own WPKI applied research center. We applied an SDKey approach to certificate application. For mobile platform construction, we have also done the corresponding work, including integration of the electronic certification platform with mobile payment business, WPKI-related technology applications, and SIM card digital certificate integration applications.
The final conclusion: in fact, electronic authentication services in mobile payment now face many problems. The first is certificate integration. More and more clients and different terminals are joining the overall mobile payment industry, and we have to consider the future integration issues. There is also the electronic certification service itself: the payment environment is now very complex and diverse, and we have to consider how to provide reliable electronic authentication service for this kind of mobile payment. Then there are marketing issues: how to get users to accept this approach is also part of our research.
Finally, there is the policy adaptability problem: whether an electronic authentication service system for the mobile payment business environment can be established. These are the challenges our electronic authentication faces in mobile payment in the future. In fact, the application of digital certificates is also a cliché; for us, how to create a fast and convenient environment for end users is the direction of our work. Thank you.