Research on Mobile Payment Security Issues
Published: 2018-03-22 17:04
Topic: mobile payment; Focus: Android; Source: Southeast University, 2016 master's thesis; Type: degree thesis
【Abstract】: With the spread of mobile phones and the rapid development of mobile network infrastructure, e-commerce and the Internet economy have become increasingly active. People have developed the habit of conducting online transactions on their phones, that is, mobile payment. Through mobile payment, people can pay online anytime and anywhere, covering a range of consumer services such as booking flights, hotels and movie tickets, as well as various payment scenarios. This anytime, anywhere approach greatly facilitates daily life and saves a great deal of time and effort. Although it enriches our lives and lets us buy the things we like without leaving home, for judicial authorities the networked nature of mobile payment makes it covert, which causes difficulties in the investigation of certain cases. Moreover, because the mobile Internet became widespread in just a few years, research on it is relatively scarce, so work in this area is both urgent and practical. For the general public, although mobile payment makes life more convenient, data transmission and the limitations of existing systems mean that our information is continually leaked: on the one hand it may be exploited by criminals, and on the other it may be collected by legitimate companies and analysed as data in the big-data era. Although the big-data era can greatly facilitate the matching and better use of resources, the datafication of ordinary users' behaviour is increasingly causing alarm. Payment data is especially sensitive: on the one hand we do not want our orders leaked and our spending habits predicted, leaving us to face endless sales calls every day, and on the other we do not want our account numbers or even passwords leaked, causing loss of property.

To address the needs of these two groups, the judiciary and ordinary users, this thesis solves two problems. (1) For judicial bodies, we designed a smartphone forensics system and describe its main sub-modules. We first analyse the requirements of the forensics system using UML modeling tools, then extract and analyse the basic contacts, SMS messages and call records, and then reverse-engineer the lock-screen password of Alipay version 8.0. Based on the results we wrote the code for this module and built a test program for the MFC module. Finally, we propose a simulated login module, which builds on having already obtained key information such as the lock-screen password. After logging in through the simulation module, other key information in the application, such as bank card numbers and transaction details, can be collected and analysed for judicial forensics. (2) For the security and privacy needs of ordinary users, we designed a security protocol for mobile third-party payment. Because today's mainstream third-party payment is based on the SSL (Secure Sockets Layer) protocol, it depends on the third party's promise of confidentiality. The SET (Secure Electronic Transaction) protocol, which may represent the future, has not been widely adopted because the infrastructure is inadequate and China has not yet built a complete credit payment system. Building on these two, this thesis proposes a secure payment protocol based on an identity-based Lagrange interpolation key management protocol. The results show that we satisfy not only the confidentiality, integrity and non-repudiation of transmitted information but also information isolation among the transaction parties. The merchant can obtain only the order information; the cardholder's account number and password are isolated from it. The bank can obtain the account number and password but is isolated from the order details. The third-party platform is only a payment platform that relays information: it has a unified front-end interface facing consumers and a back end that integrates the payment gateways of the various banks, but order information and account and password information are isolated from it, and it is also responsible for arbitration when the two transaction parties are in conflict.

The contribution of this thesis is to study mobile phone forensics, an area that is currently little researched but highly practical, and to design a third-party payment protocol for mobile devices. The forensics system, based on actual judicial needs, focuses on extracting key information from Alipay version 8.0 and is highly practical. The payment protocol solves the information isolation problem in the mobile payment process well and greatly improves payment efficiency while preserving security.
【Degree-granting institution】: Southeast University
【Degree level】: Master's
【Year degree conferred】: 2016
【Classification number】: TP309
Article ID: 1649569
Article link: https://www.wllwen.com/jingjilunwen/dianzishangwulunwen/1649569.html