Research on the Security Mechanism of a Mobile Wallet Based on OTA Technology
Published: 2018-12-10 14:14
[Abstract]: In the 21st century, with the rapid growth of the mobile Internet and the spread of smartphones, new payment methods keep emerging, and NFC near-field payment is one of them. Telecom operators, handset manufacturers and financial institutions are all accelerating their NFC deployments: a user swaps in a dedicated SIM card, installs a mobile wallet client, has the phone emulate various electronic cards, and pays by tapping, using radio-frequency near-field communication. Widespread NFC payment would change how electronic devices are used: carrying only a phone, one could pass through buses, subways, supermarkets, gas stations, offices and so on without obstruction. NFC payment is still a small share of total mobile payment volume, but the potential market is huge and the industry is optimistic about NFC phone payment. Among the factors that decide whether the near-field payment industry prospers, security remains a very important one, so taking the security problems of NFC near-field payment as the research object of this thesis is of real significance.

Two steps are indispensable before a mobile wallet can be used for near-field payment: downloading a card application, and loading money into the wallet. Both can be done at the operator's service hall, but for the user, visiting the hall for every new application and every top-up is very inconvenient. Operators therefore proposed applying OTA (over-the-air) download technology to the mobile wallet. OTA transfers data over the wireless communication network; it brings convenience, but also a range of security problems. If a phone with the wallet installed falls into someone else's hands and the security measures are unreliable, the wallet account may be used fraudulently. During OTA download, the security concerns that receive the most attention are the legitimacy of identities and the confidentiality of transmission. The aim of this thesis is to analyse the security threats facing an OTA-based mobile wallet service, point out the shortcomings of the identity authentication and encryption methods currently used, and propose improvements that give login authentication, card download and over-the-air top-up the protection they need.

The work of this thesis covers the following: against the risk that a static password is easily stolen, a dual-safeguard identity authentication combining PIN code authentication with a static password is proposed, so that even if the phone is lost the owner cannot be impersonated; a payment authentication mode of payment password plus dynamic verification code is proposed, so that even if the static payment password is stolen, an unauthorised user is still blocked; against the short key length and weak keys of 3DES, the encryption scheme for the mobile wallet is improved, using a MAC check to guarantee data integrity and the stronger AES algorithm to generate the session key Kc; the requirements of the mobile wallet client are analysed, its core functions are designed and implemented in Java on the Android SDK platform, and the client is then security-analysed. The results show that the OTA-based mobile wallet security scheme proposed here can effectively protect card download and over-the-air top-up and greatly reduce the risk of data leakage and wallet theft. The mobile wallet client designed and developed here is open and modular, not tied to any particular operator, and is general and practical, giving operators a reliable security solution for rolling out near-field payment at scale.
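The abstract names the three ingredients of the improved OTA scheme (an AES-derived session key Kc, a MAC for integrity, and the rejection of 3DES) without showing how they fit together. The following is an added illustration, not code from the thesis or its client: it assumes a 16-byte master key shared between the wallet SIM and the operator's OTA server, derives Kc and a separate MAC key by AES-encrypting a per-login challenge under that master key, and then protects an over-the-air top-up command with AES-CBC followed by HMAC-SHA256 (encrypt-then-MAC). The master key, challenge and recharge command are constructed sample values; the derivation, message layout and field names are assumptions chosen for the example, not details the thesis specifies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed sample values (assumed, not from the thesis): shared master key, login challenge, recharge command.
var (
	sampleMasterKey = []byte("wallet-master-k1")
	sampleChallenge = []byte("challenge-0001ab")
	sampleRecharge  = []byte("RECHARGE acct=6222000000001234 amount=10000 nonce=7f3a")
)

type session struct {
	enc  cipher.Block // AES-128 block cipher keyed with the session key Kc
	kmac []byte       // separate key for the integrity MAC
}

// newSession derives Kc and the MAC key by encrypting the login challenge under the master
// key with AES-128; one byte of domain separation keeps the two keys independent.
func newSession(masterKey, challenge []byte) (*session, error) {
	master, err := aes.NewCipher(masterKey)
	if err != nil || len(challenge) != aes.BlockSize {
		return nil, errors.New("bad master key or challenge length")
	}
	derive := func(label byte) []byte {
		blk := append([]byte{challenge[0] ^ label}, challenge[1:]...) // domain separation
		master.Encrypt(blk, blk)
		return blk
	}
	enc, err := aes.NewCipher(derive(0x01)) // Kc
	return &session{enc: enc, kmac: derive(0x02)}, err
}

// protect: PKCS#7 pad, AES-CBC under Kc with a random IV, then HMAC-SHA256 over IV||ciphertext.
func (s *session) protect(plaintext []byte) ([]byte, error) {
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	msg := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, msg[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(s.enc, msg[:aes.BlockSize]).CryptBlocks(msg[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, s.kmac)
	mac.Write(msg)
	return mac.Sum(msg), nil
}

// unprotect verifies the tag in constant time before decrypting; a message that fails the
// MAC is rejected without being decrypted, so an altered command never reaches wallet logic.
func (s *session) unprotect(msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+sha256.Size || (len(msg)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, s.kmac)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("MAC check failed: message rejected")
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(s.enc, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	padLen := int(pt[len(pt)-1])
	if padLen == 0 || padLen > aes.BlockSize ||
		!bytes.Equal(pt[len(pt)-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-padLen], nil
}

// roundTrip reports whether the genuine command is accepted and a bit-flipped copy rejected.
func roundTrip(masterKey, challenge, plaintext []byte) (accepted, tamperRejected bool, err error) {
	s, err := newSession(masterKey, challenge)
	if err != nil {
		return false, false, err
	}
	msg, err := s.protect(plaintext)
	if err != nil {
		return false, false, err
	}
	got, err := s.unprotect(msg)
	accepted = err == nil && bytes.Equal(got, plaintext)
	tampered := append([]byte{}, msg...)
	tampered[aes.BlockSize+24] ^= 0x01 // without the MAC, CBC would turn this into a changed amount digit
	_, err = s.unprotect(tampered)
	return accepted, err != nil, nil
}

func main() {
	ok, rejected, err := roundTrip(sampleMasterKey, sampleChallenge, sampleRecharge)
	fmt.Println("genuine accepted:", ok, "tampered rejected:", rejected, "error:", err)
}
```

Two design points matter more than the algorithm choice. First, the MAC is checked before any decryption and with a constant-time comparison, so a tampered top-up is dropped without giving the sender a padding or parse error to learn from. Second, Kc and the MAC key are derived separately from the master key, so the same key is never used for both encryption and integrity. The shape of the derivation mirrors the session-key derivations of the GlobalPlatform secure channel protocols (3DES in SCP02, AES in SCP03) through which SIM-resident card applications are normally loaded over the air.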
Degree-granting institution: Chengdu University of Technology (成都理工大学)
Degree level: Master's
Year awarded: 2014
Classification number: TP393.08
Article number: 2370716
Link to this article: https://www.wllwen.com/guanlilunwen/ydhl/2370716.html