利用基于身份的密码算法+短信验证码的移动安全支付方案

doi:10.11896/jsjkx.181202414

摘要/Abstract

摘要： 针对移动支付过程中短信验证码被盗导致资金失窃,以及在基于证书的密码体制下建立移动支付系统时移动设备和移动网络面临巨大压力的问题,文中提出了利用基于身份的密码算法+短信验证码的移动安全支付方案。该方案中,用户和银行服务器加入一个基于身份的密码系统,它们不再需要基于数字证书的身份认证,这将大大减小移动设备以及移动网络的存储和计算开销。用户首先到银行柜台注册开通手机银行业务,设置用户名、密码,预留安全问题,在银行工作人员的帮助下完成手机银行APP的首次安装和初始化。登录时,银行服务器对用户进行身份认证,保证用户合法。支付时,手机银行APP利用用户的私钥生成对短信验证码的数字签名,并用银行服务器的公钥对数字签名和短信验证码的组合加密后发送给银行服务器以进行验证,只有银行服务器验证通过后才允许用户支付。在本方案中,短信验证码和数字签名将共同为用户提供安全保证,即使验证码泄露,攻击者也不可能根据验证码生成数字签名,从而保证了移动支付的安全。理论分析和实验结果表明,本方案不但能够大大提高移动支付的安全性,而且随着移动终端的增加,系统的平均响应时间也不会急剧增长,因此所提方案具有较好的健壮性和可行性。

关键词: 短信验证码, 基于身份的密码算法, 数字签名, 移动支付, 支付安全

Abstract: Aiming at the problem of stolen funds caused by stolen SMS verification code in mobile payment process,as well as the mobile device and the mobile network are under great pressure when establishing a mobile payment system under the certificate-based cryptosystem,a mobile secure payment scheme based on identity-based cryptographic algorithm＋SMS verification code was proposed.In this scheme,users and bank servers join an identity-based cryptosystem,so they no longer need digital certificate-based identity authentication,which will greatly reduce the storage and computational overhead of mobile devices and mobile networks.Users need to go to the bank counter to register and open mobile banking services,set the user name,password and reserved security issues,and complete the first installation and initialization of mobile banking APP with the help of bank staff.When logging in,the bank serverauthenticates the user’s identity to ensure that the user is legal.In payment,the user’s private key is used to generate the digital signature of SMS verification code,and the combination of digital signature and SMS verification code is encrypted with the bank server’s public key and sent to the bank server for verification,the bank server will not allow the user to pay until the verification is passed.In this scheme,the SMS verification code and the digital signature will jointly provide security guarantee for the user.Even if the verification code is leaked,the attacker cannot generate a digital signature accor-ding to the verification code,thus ensuring the security of the mobile payment.Theoretical analysis and experimental results show that this scheme not only can greatly improve the security of mobile payment,but also the average response time of the system will not increase sharply with the increase of mobile terminals,so it has better robustness and feasibility.

Key words: Digital signature, Identity-based cryptographic algorithm, Mobile payment, Payment security, SMS verification code

中图分类号:

TP399

刘亚强,李晓宇. 利用基于身份的密码算法+短信验证码的移动安全支付方案[J]. 计算机科学, 2020, 47(1): 293-301. https://doi.org/10.11896/jsjkx.181202414

LIU Ya-qiang,LI Xiao-yu. Mobile Secure Payment Scheme Using Identity-based Cryptographic Algorithm＋SMS Verification Code[J]. Computer Science, 2020, 47(1): 293-301. https://doi.org/10.11896/jsjkx.181202414

参考文献

[1]China Internet Network Information Center.The 42nd Statistical Report on Internet Development in China [R].Beijing:China Internet Network Information Center,2018.
[2]DAHLBERG T,GUO J,ONDRUS J.A critical review of mobile payment research[J].Electronic Commerce Research and Applications,2015,14(5):256-284.
[3]LIU Y L,JIN Z G,GAO T Y.Survey of Security Research in Mobile Payment System [J].Information Network Security,2017(2):1-5.
[4]ISAAC J T,SHERALI Z.Secure Mobile Payment Systems[J].IT Professional,2014,16(3):36-43.
[5]CAO W,ZHAO Y.Research on the Technology of Mobile Payment Security Based onTwo-Factor Authentication [J].Information Security and Technology,2014,5(2):10-12,15.
[6]MTAHO A B.Improving Mobile Money Security with Two- Factor Authentication[J].International Journal of Computer Applications,2015,109(7):9-15.
[7]FAN M,CHEN L.Research on Security Threats of SMS Verification Code Based on Mobile E-commerce[J].Journal of Hefei University of Technology (Social Science Edition),2017,31(5):37-41.
[8]ZHOU C Y,WANG J W,LI M.Research on Identity—Based Cryptography Application in Internet of Things [J].Information Security Research,2017,3(11):1040-1044.
[9]SHAMIR A.Identity-based Cryptosystems and Signature Sche- mes[M].Germany:Springer-Verlage,1984.
[10]中国密码学会组.中国密码学发展报告2008[M].北京:电子工业出版社,2009:1-32.
[11]RAY S,BISWAS G P,DASGUPTA M.Secure Multi-Purpose Mobile-Banking Using Elliptic Curve Cryptography[J].Wireless Personal Communications,2016,90(3):1331-1354.
[12]LAUTER K.The advantages of elliptic curve cryptography for wireless security[J].IEEE Wireless Communications,2004,11(1):62-67.
[13]JANA B,PORAY J.A performance analysis on elliptic curve cryptography in network security[C]∥International Conference on Computer.IEEE,2017.
[14]SINGH S R,KHAN A K,SINGH S R.Performance evaluation of RSA and Elliptic Curve Cryptography[C]∥International Conference on Contemporary Computing and Informatics.Noida:India:IEEE,2017:302-306.
[15]LI J F,CUI J S.Elliptic Curve Encryption Algorithm and Case Analysis[J].Network Security Technology and Application,2004(11):56-57.
[16]SHIM K A.An ID-based aggregate signature scheme with constant pairing computations[J].Journal of Systems & Software,2010,83(10):1873-1880.
[17]EKBERG J E,KOSTIAINEN K,ASOKAN N.The Untapped Potential of Trusted Execution Environments on Mobile Devices[J].IEEE Security & Privacy,2014,12(4):29-37.
[18]DAI W,JIN H,ZOU D,et al.TEE:A virtual DRTM based execution environment for secure cloud-end computing[J].Future Generation Computer Systems,2015,49:47-57.
[19]YONGKAI F,SHENGLE L,GANG T,et al.Fine-grained access control based on Trusted Execution Environment[J／OL].https://doi.org/10.1016/j.future.2018.05.062.
[20]ABDULWAHID A A,CLARKE N,STENGEL I,et al.The Current Use of Authentication Technologies:An Investigative Review[C]∥International Conference on Cloud Computing.Riyadh,Saudi Arabia:IEEE,2015.
[21]CRAWFORD H,RENAUD K. Understanding user perceptions of transparent authentication on a mobile device. Journal of Trust Management,2014,1(1).
[22]FAN J S,ZHANG J X.On Identity Authentication Technology in Network Security.Network Security Technology and Application,2018(1).
[23]LI L,LIU Y.Security analysis of mobile payment system .Journal of Electronic Measurement and Instrument,2017(3).
[24]China Communications Standards Association.Technical re-quirements for security capability of smart mobile terminal:YD/T 2407-2013 .Beijing:The People’s Posts and Telecommunications Press,2013.
[25]XU Y P,MA Z F,WANG Z H,et al.Survey of security for Android smart terminal.Journal on Communications,2016,37(6):169-184.
[26]LAUTER K E.The advantages of elliptic curve cryptography for wireless security.IEEE Wireless Communications,2004,11(1):62-67.
[27]ABDULLAH K.Comparison between the RSA cryptosystem and elliptic curve cryptography.Hamilton,New Zealand:The University of Waikato,2010.
[28]PAAR C,PELZL J.The RSA Cryptosystem.Understan- ding Cryptography.Berlin:Springer,2010.

相关文章 15

[1]	任畅, 赵洪, 蒋华. 一种量子安全拜占庭容错共识机制 Quantum Secured-Byzantine Fault Tolerance Blockchain Consensus Mechanism 计算机科学, 2022, 49(5): 333-340. https://doi.org/10.11896/jsjkx.210400154
[2]	姜昊堃, 董学东, 张成. 改进的具有前向安全性的无证书代理盲签名方案 Improved Certificateless Proxy Blind Signature Scheme with Forward Security 计算机科学, 2021, 48(6A): 529-532. https://doi.org/10.11896/jsjkx.200700049
[3]	代闯闯, 栾海晶, 杨雪莹, 过晓冰, 陆忠华, 牛北方. 区块链技术研究综述 Overview of Blockchain Technology 计算机科学, 2021, 48(11A): 500-508. https://doi.org/10.11896/jsjkx.201200163
[4]	张君何, 周清雷, 韩英杰. 一种基于环签名和短签名的可净化签名方案 Sanitizable Signature Scheme Based on Ring Signature and Short Signature 计算机科学, 2020, 47(6A): 386-390. https://doi.org/10.11896/JsJkx.190500061
[5]	左黎明,陈兰兰. 基于身份标识的特殊数字签名方案及其应用 Special Digital Signature Scheme Based on Identity Identification and Its Application 计算机科学, 2020, 47(1): 309-314. https://doi.org/10.11896/jsjkx.181202416
[6]	王兴威, 侯书会. 一种改进的高效的代理盲签名方案 Improved Efficient Proxy Blind Signature Scheme 计算机科学, 2019, 46(6A): 358-361.
[7]	李磊,贾惠文,班学华,何宇帆. 基于混淆的广播多重签名方案 Obfuscation-based Broadcasting Multi-signature Scheme 计算机科学, 2017, 44(Z11): 329-333. https://doi.org/10.11896/j.issn.1002-137X.2017.11A.069
[8]	叶君耀,郑东,任方. 改进的具有轻量级结构的Veron身份认证及数字签名方案 Improved Veron’s Identification with Lightweight Structure and Digital Signature Scheme 计算机科学, 2017, 44(3): 168-174. https://doi.org/10.11896/j.issn.1002-137X.2017.03.037
[9]	任燕. 无随机预言模型下可否认的基于属性的指定证实人签名方案 Deniable Attribute-based Designated Confirmer Signature without Random Oracles 计算机科学, 2016, 43(7): 162-165. https://doi.org/10.11896/j.issn.1002-137X.2016.07.029
[10]	汪胡青,孙知信. ONS安全机制研究 Research on ONS Security 计算机科学, 2016, 43(1): 1-7. https://doi.org/10.11896/j.issn.1002-137X.2016.01.001
[11]	单美静. 基于AHP法的移动支付安全风险评估 Analytic Hierarchy Process-based Assessment Method on Mobile Payment Security 计算机科学, 2015, 42(Z11): 368-371.
[12]	刘亚丽,秦小麟,赵向军,郝国生,董永权. 基于数字签名的轻量级RFID认证协议 Lightweight RFID Authentication Protocol Based on Digital Signature 计算机科学, 2015, 42(2): 95-99. https://doi.org/10.11896/j.issn.1002-137X.2015.02.020
[13]	周克元. 基于椭圆曲线和因子分解双难题的数字签名方案 Digital Signature Scheme Based on Elliptic Curve and Factoring 计算机科学, 2014, 41(Z6): 366-368.
[14]	曹帅,王淑营. 产业链协同SaaS平台业务流程定制安全技术研究 Research on Security Technology of Workflow Customization for Collaborative SaaS Platform of Industrial Chains 计算机科学, 2014, 41(1): 230-234.
[15]	吴洁明,史建宜,李硕征. 基于CAPICOM和IAIK的信息安全传输系统 Information Secure Transmission System Based on CAPICOM and IAIK 计算机科学, 2013, 40(Z11): 184-187.

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed