
Research on the Security Mechanism of Mobile Wallets Based on OTA Technology

Published: 2018-12-10 14:14

[Abstract]: In the 21st century, with the rapid development of the mobile Internet and the growing popularity of smartphones, new payment methods keep emerging, and NFC near-field payment is one of them. Telecom operators, handset manufacturers and financial institutions are currently accelerating their NFC deployments. Mobile phone users can switch to a dedicated SIM card, install a mobile wallet client, have the phone emulate various electronic cards, and complete card-swipe purchases over near-field communication based on radio-frequency technology. The spread of NFC near-field payment will bring about a revolution in how electronic devices are used: carrying only a phone, a user can get around unhindered on buses, in the subway, and at supermarkets, gas stations, workplaces and other places. Although NFC near-field payment still accounts for a very small share of total mobile payment transaction volume, the potential market is huge, and industry insiders are optimistic about the prospects of NFC mobile payment. Among the factors that determine the rise or fall of the near-field payment industry, security remains a very important one, so choosing security issues in the field of NFC near-field payment as the research subject of this thesis is of great significance.

Before using a mobile wallet for near-field payment, two steps are essential: downloading the card application and topping up the wallet. Both can be done at an operator's service outlet, but having to visit an outlet for every new application or every top-up is very inconvenient for users. Operators have therefore proposed applying OTA (over-the-air) download technology to the mobile wallet. OTA transmits data over the wireless communication network, which provides convenience on the one hand but introduces various security problems on the other. If a phone with a mobile wallet installed falls into someone else's hands and the security measures are unreliable, the wallet account may be fraudulently charged. In the OTA download process, the security issues of greatest concern are the legitimacy of identity and the confidentiality of transmission. The purpose of this research is to analyze the security threats facing OTA-based mobile wallet services, point out the shortcomings of the identity authentication and encryption methods currently in use, and propose improvements, so as to provide the necessary security guarantees for mobile wallet login authentication, card download and over-the-air top-up.

The work completed in this thesis includes the following: to address the security risk that static passwords are easily stolen, a dual-safeguard identity authentication based on PIN code authentication plus a static password is proposed, so that identity cannot be impersonated even if the phone is lost; a payment authentication mode of payment password plus dynamic verification code is proposed, so that even if the static payment password is stolen, illegitimate users are still prevented from operating; to address the shortcomings of 3DES, whose key is relatively short and which has weak keys, the encryption scheme is improved for the mobile wallet, using MAC verification to ensure data integrity and the more secure AES algorithm to generate the session key Kc; requirements analysis is carried out for the mobile wallet client, and its core functions are designed and implemented in Java on the Android SDK development platform, followed by a security analysis of the client. The results show that the OTA-based mobile wallet security scheme proposed in this thesis can effectively safeguard the security of card download and over-the-air top-up and greatly reduces the security risk of data leakage and wallet misuse. The mobile wallet client designed and developed in this thesis is open and modular and not tied to any specific operator; it is general-purpose and practical, and provides operators with a reliable security solution for developing near-field payment services at scale.
[Degree-granting institution]: Chengdu University of Technology
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.08




Article ID: 2370716


Article link: http://sikaile.net/guanlilunwen/ydhl/2370716.html

