How e-commerce websites achieve safe payment

1. Security issues in mobile payment

The participants in the mobile payment process are consumer users, merchant users, mobile operators, third-party service providers, and banks. Consumer users and merchant users are the parties the system serves. Mobile operators provide network support, banks provide bank-related services, and third-party service providers provide payment platform services. The business is realized through the combination of all parties. Mobile payment needs to address the following security issues:

(1) The security of mobile terminal access to the payment platform, including the secure transmission of contract information when users register and of the data transferred when users log in to the system from mobile terminals, such as the contract user name and contract password.

(2) The security of data transmission within the payment platform, that is, the security of data transmitted between the modules of the payment platform.

(3) The security of data storage on the payment platform, which covers the confidentiality of the contracted user's bank card account, password, contracted username, contracted password, and so on.

2. Security Authentication Technology for Mobile Payment

The widespread adoption of mobile devices has provided the necessary conditions for mobile payment, but many problems still restrict its implementation. For example, the computing and communication environments of mobile terminals are very limited, which places special requirements on the corresponding security authentication.

1. Overview of WPKI security standards

WPKI (Wireless PKI) is an extension of wired PKI that brings the PKI security mechanism of Internet e-commerce into mobile e-commerce. WPKI uses public key infrastructure, certificate management policies, software and hardware to establish a secure and trustworthy wireless network communication environment. WPKI is based on the security mechanism of WAP and enhances e-commerce security by managing relationships, keys and certificates between entities. The WAP security mechanism has four parts: WIM (WAP Identity Module, wireless application protocol identification module), WMLSCrypt (WMLScript Crypto API, WML script encryption interface), WTLS (Wireless Transport Layer Security, wireless transmission security layer) and WPKI. Each part plays a different role in securing wireless network applications. WPKI is the security infrastructure platform: all applications based on identity authentication require the support of WPKI technology. It can be combined with WTLS and TCP/IP to implement identity authentication, private key signature and other functions. The main components of WPKI are the terminal entity application (EE), the PKI portal (PKI Portal), the certification center (CA), the directory service (PKI Directory) and the WAP gateway; the application model also involves data-providing servers and other equipment. The basic structure and data flow of WPKI are shown in the figure.

In WPKI, the functional component that replaces the RA (Registration Authority) is the PKI Portal, a network server responsible for forwarding WAP client requests to the RA and CA (Certification Authority) in the PKI. The CA is mainly responsible for generating, issuing and refreshing certificates. The WAP Gateway handles protocol conversion between the client and the origin server. WTLS is derived from the TLS protocol of traditional networks, improved and optimized for wireless use, and mainly ensures the security of the transport layer. WPKI is likewise an optimization of the IETF PKIX standard that makes it more suitable for wireless environments.

2. WPKI encryption algorithm and key

WPKI enhances e-commerce security by managing relationships, keys and certificates between entities. Compared with WAP security standards, the ECC (Elliptic Curve Cryptography) cryptosystem adopted by WPKI is more suitable for use in wireless devices.

For keys of the same strength, the key length of ECC (163 bits) is only one-sixth that of other schemes (1024 bits), yet a 163-bit key is almost absolutely safe against exhaustive key attacks, because the number of possible 163-bit keys is 1.156×10^49. Testing 100 million keys per second, exhausting them would take 3.6×10^32 years!