On the identity authentication Technology of e-commerce website

Intermediary transaction SEO diagnosis Taobao guest Cloud host technology Hall

E-commerce originates from English electronic COMMERCE, which refers to the use of simple, fast, low-cost electronic communication methods, buyers and sellers do not meet a variety of business activities. With the popularization of electronic commerce, people have been accustomed to online shopping, online banking and electronic payment and other emerging things, however, network security has always been a major bottleneck restricting the development of e-commerce.

I. E-commerce identity authentication

In E-commerce activities, because all personal and transaction information to be in an open network (such as the Internet) for transmission and exchange, we need identity authentication technology to authenticate the identity of customers. Identity authentication is generally based on what the customer has (such as tokens, smart cards, or ID cards), what the customer knows (such as static passwords), what characteristics the customer has (such as fingerprints, iris, brain waves, etc.). Common identity authentication technologies at home and abroad include: username/password mode, IC card authentication, USB key authentication and biometric authentication. With the development of network and hacker technology, user name/password authentication has been proved unsafe. Because the static password scheme can not resist replay attack, dictionary attack and password is easy to forget, so its security is very low, can not meet the requirements of e-commerce identity authentication. At present, some mature identity authentication technology at home and abroad is basically realized by hardware (such as IC card and USB key authentication technology).

Comparison of various identity authentication technologies

1. Static username and password scheme. In many authentication schemes, the static username and password scheme is still the most widely used scheme, especially for those applications where the security requirements are not strong, such as forum, BBS and email. The main reason why companies and individuals are being attacked by Internet is that the static password policy is poorly managed. Most users use passwords that are common words, names, or other simple passwords that can be found in a dictionary. 86% of users use the same password or a limited number of passwords on all sites. The latest nationwide security incident occurred in December 2011. CSDN's security system was hacked and 6 million of users ' logins, passwords and mailboxes were compromised. The hacker obtains the CSDN user login name and the password, then uses this password to attempt to log in the registered mailbox, if succeeds uses many websites commonly used the password to retrieve the function to obtain the user's other related website's account and the password. In a word, the advantage of static password identity authentication scheme is low implementation cost, no need to purchase special equipment, user experience is good, but its security is low.

2. Customer Certificate USB (U shield) program. From a technical point of view, the customer certificate USB is used for online banking electronic signature and digital authentication tool, it built-in micro Smart card processor, using 1024-bit asymmetric key algorithm to encrypt, decrypt and digitally sign online data, to ensure the confidentiality, authenticity, integrity and non-repudiation of online transactions. At present, several major commercial banks in China, such as ICBC, ABC and Bank of communications, have adopted the USB scheme. Internet hackers even know the customer's login password and payment password, but if there is no USB in hand, hackers still can not from your account to transfer a penny. So this kind of identity authentication method can be very good to avoid the account, password stolen and other possible risks. The advantage of the USB scheme is that it is highly secure, but it costs more because of the hardware involved, and the driver needs to be installed before USB can be used. For customers who are often on business trips or need to use USB on different machines, because of the diversity of the computer's various operating systems (such as Windows and Linux) and hardware (a variety of different brand machines), some compatibility issues may be encountered during installation, which greatly reduces the user's experience satisfaction.

3. SMS authentication scheme. At present, some large-scale e-commerce sites often take the "Static password + SMS Authentication" program. The system uses a digital physical noise source to produce a dynamic (authenticated) password that is completely random, and sends the dynamic password to the user's wireless communication terminal (pager or mobile phone, etc.) by means of wireless communication. For example, the Alipay website only needs to enter the payment password when the user pays the small amount however, if more than a certain amount of money (such as 200 yuan), the Alipay site to the user's mobile phone (registration number) to send a verification message, and then users on the site input 6-bit phone verification code and payment password to complete payment. The advantage of adopting this kind of identity authentication method is to guarantee the fast of small payment and guarantee the security of large payment. However, because the real-time and stability of the authentication system depends on the status of the wireless communication network to a great extent, when the network congestion will result in the verification of password transmission will have a large delay, and even the system will not be able to complete the process of identity authentication, and because the message sent will generate a large number of SMS costs, For small and medium-sized e-commerce sites is still a small cost.

4. Dynamic Password Authentication scheme. Dynamic password is also known as one-time password OTP (One-time-password), which is characterized by the user based on the dynamic password token provided by the display number to enter a dynamic password, and each login server password only use once, the eavesdroppers can not use the eavesdropping password to do the next login, Meanwhile, the irreversibility of one-way hash function (such as Sha-1 algorithm) is used to prevent the eavesdroppers from tapping the login password. The Bank of China uses the dynamic password authentication scheme. The features of the scheme are simple, the user does not need to install any drivers, the operation can only enter the current display of the 6-bit dynamic password. The disadvantage is that security is not USB strong, such as in the first half of 2011, there have been many Chinese bank dynamic password leakage security incidents. Hackers first designed a number of phishing sites, and then lured the BOC user to enter the login password and dynamic password. A dynamic password is a one-time password, but it can be reused within 60 seconds. So hackers get the user's login password and dynamic password, as long as within 1 minutes to login into the real BOC system can be completed after the transfer of money and other users to steal the operation of funds.

Iii. concluding remarks

As a business process, E-commerce will bring an unprecedented revolution, and E-commerce site security issues are more and more attention, and its identity certification from the original logic certification to physical certification will eventually reach the biological certification, It is hoped that in the near future safe and reliable electronic commerce will bring humanity into the information society.

This article originates from Jiangcheng paper: http://www.xoock.com/reprint Please specify the source, thank you!