The Researches on Safety Policies of Mobile-commerce Implemented
by Small and Medium-sized Enterprises
Yao Jiayi, Wang Hongying
School of Economics and Management, Beijing Jiaotong University, P.R.China, 100044
Abstract
After analysing the advantages of implementing M-commerce, this paper presents the security
problems of M-commerce and the corresponding safety policies for small and medium-sized
enterprises. It also presents a safety solution for M-commerce based on WAP2.0.
Key words: Mobile-Commerce, WAP2.0, TLS, Security
1 Introduction
Mobile communications have recently developed dramatically all over the world, with an irreversible
trend towards digital and networked services. Mobile-commerce is born in this situation. Mobile-commerce
is digital business transaction activity conducted over the Internet with mobile phones and other mobile
devices. It can provide a rich variety of mobile data services for users.
Small and medium-sized enterprises in China must take global market competition into account when
they adjust their development policies, which will be based on an information platform and take
advantage of innovation and of flexible, personalized services. Introducing M-commerce will bring new
innovations in the operational concepts and business models of these enterprises.
Implementing M-commerce in small and medium-sized enterprises has several advantages:
1) The Chinese mobile communication market has the biggest GSM network in the world, 3G is ready,
and the penetration rate of mobile phones in China is high. 2) Because of the features of mobile devices,
M-commerce places no limits of time or place on operating transactions. 3) GPS can identify where the
phone is, which allows personal services to be provided for users. 4) A mobile phone can use the ID
stored inside it to support transactions. Service providers can identify users exactly by GPS, which
reduces the business risk of the enterprise.
However, M-commerce uses wireless networks, which are broadcast networks in which a great many
security leaks and hidden dangers exist. These are the principal problems that small and medium-sized
enterprises need to solve.
2 The safety problems of small and medium-sized enterprises implementing M-commerce
It is extremely important for enterprises to keep their operational and business information confidential.
M-commerce also faces security threats similar to those of E-commerce, such as identity authentication,
information security and privacy protection. The safety threats of M-commerce based on mobile
communication can be divided into the following three categories: wireless link threats, server network
threats and terminal threats.
2.1 Wireless Link Threats
1) Wiretapping and theft; 2) Impersonating legitimate users; 3) Replaying information
2.2 Server Network Threats
1) Unauthorized access to data; 2) Damage to the integrity of data;
3) Denial-of-service attacks; 4) Repudiation (denial of a transaction)
2.3 Terminal Threats
1) Attackers use a stolen mobile phone to access system resources.
2) Attackers who know enough about the internal workings of the system can obtain more access rights.
3) Data in mobile terminals or SIM cards is updated, inserted or deleted to destroy its integrity.
4) Data in mobile terminals is copied and transmitted illegally.
2.4 Security Requirements in M-commerce
There are currently two aspects to the security requirements of network transactions.
1) Two-way user identity authentication: only users whose authenticity has been checked and who are
authorized may access the data, within a reasonable range of access control.
2) Protection of data and transaction safety: M-commerce needs confidentiality, integrity of data and
non-repudiation.
3 The safety policy of M-commerce implementation in small and medium-sized enterprises
M-commerce shares many security problems with E-commerce. For these common problems, the
approaches used to address the corresponding E-commerce security problems can be reused.
Furthermore, new safety policies must be researched for the M-commerce problems that differ from
those of E-commerce.
The security policies for M-commerce are as follows:
1) Two-way identity authentication among users, and between users and the mobile communication
network: the identities of the parties to a transaction need to be confirmed before M-commerce
transactions take place, to ensure that they are safe. Mutual identification between users and the
mobile communication network is very important for mobile communication security.
2) Encryption protection for data: a secure data transmission channel, based on encrypting the data,
needs to be established for communication. Because the capability of mobile devices is limited, the
encryption and decryption algorithms must be both efficient and safe.
3) Verification of data integrity: data integrity is verified with a digital digest.
4) Non-repudiation of data: non-repudiation is achieved with digital signatures.
5) Concealment of identity and location: to keep authentication private, users need either a
temporary identity to hide behind, or permanent identity information that is kept encrypted.
Taking into account the bandwidth constraints of mobile communication systems and the limited
computing resources of mobile terminals, all safety policies should fit the mobile situation, and the
design must achieve not only safety but also low resource consumption.
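The following is an added worked example, not code from the paper, showing policy 3 (a digital digest for integrity) together with a defence against the replay threat of section 2.1, using only the Python standard library. It assumes a keyed digest (HMAC-SHA256), a shared key provisioned to the terminal out of band, and a constructed message format with a nonce and timestamp; the key, message fields and transaction values are all constructed for the illustration. A keyed digest authenticates the message between the two holders of the key, but it does not give non-repudiation (policy 4): for that the terminal must sign with a private key that only it holds, which this example does not implement.

```python
import hashlib
import hmac
import json
import time

# Constructed sample key shared by the terminal and the enterprise server.
# A real deployment provisions it out of band (e.g. on the SIM / intelligent card).
SHARED_KEY = b"constructed-example-key-not-for-production"

# Messages older than this (or further in the future than this) are rejected.
MAX_SKEW_SECONDS = 300


def canonical_bytes(msg):
    """Serialise the protected fields in a fixed order so that the terminal and the
    server digest exactly the same bytes. The tag itself is never included."""
    protected = {k: msg[k] for k in ("nonce", "timestamp", "payload")}
    return json.dumps(protected, sort_keys=True, separators=(",", ":")).encode()


def digest(msg, key):
    """Keyed digital digest (HMAC-SHA256) over the protected fields."""
    return hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()


def protect(payload, nonce, timestamp, key=SHARED_KEY):
    """Terminal side: build a transaction message carrying a fresh nonce, a
    timestamp and the digest that the server will recompute."""
    msg = {"nonce": nonce, "timestamp": timestamp, "payload": payload}
    msg["tag"] = digest(msg, key)
    return msg


class Verifier:
    """Server side: checks integrity (digest), freshness (timestamp) and replay
    (nonce already seen). `now` is injectable so the checks are testable offline."""

    def __init__(self, key=SHARED_KEY, now=time.time):
        self.key = key
        self.now = now
        self.seen_nonces = set()

    def verify(self, msg):
        """Return (accepted, reason). Integrity is checked first, so a forged
        message can never consume a nonce or otherwise influence replay state."""
        # compare_digest runs in constant time; a plain == leaks timing information.
        if not hmac.compare_digest(digest(msg, self.key), msg.get("tag", "")):
            return False, "integrity check failed"  # tampered or forged
        if abs(self.now() - msg["timestamp"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"  # too old to accept
        if msg["nonce"] in self.seen_nonces:
            return False, "replayed nonce"  # already processed once
        self.seen_nonces.add(msg["nonce"])
        return True, "ok"


def run_demo(now=1_700_000_000.0):
    """Exercise the four cases a defender cares about; returns the reason strings."""
    server = Verifier(now=lambda: now)
    genuine = protect({"order": 42, "amount": "120.00"}, "n-0001", now - 10)
    results = {"genuine": server.verify(genuine)[1]}

    # Wireless link threat: the amount is altered in transit.
    tampered = dict(genuine)
    tampered["payload"] = {"order": 42, "amount": "1.00"}
    results["tampered"] = server.verify(tampered)[1]

    # Wireless link threat: the captured genuine message is sent a second time.
    results["replayed"] = server.verify(genuine)[1]

    # A correctly tagged message that is simply too old.
    stale = protect({"order": 43, "amount": "5.00"}, "n-0002", now - 3600)
    results["stale"] = server.verify(stale)[1]
    return results


if __name__ == "__main__":
    for case, reason in run_demo().items():
        print(f"{case:>9}: {reason}")
```

The verifier keeps every accepted nonce, which on a real server has to be bounded; combining the nonce set with the timestamp window is what allows old nonces to be expired safely, since any message older than MAX_SKEW_SECONDS is rejected on the timestamp check before the nonce is consulted.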
4 Security implementation model of M-commerce based on WAP2.0
4.1 WAP Introduction
WAP, the Wireless Application Protocol, is an open global standard for communication between wireless
terminals and the Internet. It is composed of a series of protocols for standardizing wireless
communication devices, defining the organizational format of user access and the communication protocols.
WAP1.x cannot provide complete end-to-end security and identity authentication, because data is
decrypted in the WAP gateway; as a result it does not give fully effective protection for the large
volume of transactions. WAP2.0 improves on this. Figure 1 shows the WAP stack. The right side (in color)
is the WAP1.x stack, and the left side is the WAP2.0 stack. WP-TCP in the WAP2.0 stack replaces
WSP/WTP/WDP in WAP1.2. TCP* and HTTP* are TCP and HTTP streamlined and optimized for the mobile situation.
Figure 1: WAP architecture
(layers, top to bottom)
WAP2.0 stack: WAE, HTTP*, TLS, TCP*, IP, Wireless Transport
WAP1.x stack: WAE, WSP, WTP, WTLS, WDP, Bearers
Internet side: HTTP, TLS, TCP, IP
The central feature of WAP2.0 is the introduction of Internet protocols into WAP. It provides more
efficient wireless transmission protocols than WAP1.x on 2.5G and 3G networks. WAP2.0 provides two
methods of real end-to-end security: end-to-end security in the transport layer, and a TLS channel.
Therefore WAP2.0 can satisfy the needs of all mobile e-business.
4.2 Safety solution for M-commerce based on WAP2.0
M-commerce security means solving the safety of wireless communication and of the mobile terminal.
The wireless communication part is implemented with a TLS channel, which satisfies the needs of all
mobile e-business simply and is suitable for small and medium-sized enterprises. The safety of the
mobile terminal can be ensured by an intelligent agent or an intelligent card.
4.2.1 Safety solution for wireless communication in M-commerce based on WAP2.0
4.2.1.1 TLS Channel
WAP2.0 introduces IP together with three new protocols, WP-HTTP, TLS and WP-TCP, as shown in Figure 1.
WP-TCP is adapted to the wireless situation and interoperates with standard TCP.
Unlike WAP1.x, WAP2.0 can do without the WAP proxy, although a WAP proxy can improve the efficiency
of network routing. WAP devices use the TLS protocol above the transport layer, so when accessing the
Internet the WAP proxy only translates between WP-TCP and TCP in its protocol stack. The data in the
TLS layer is preserved, so there is end-to-end security from the WAP client to the web server, as
shown in Figure 2.
Figure 2: Protocol stack in the TLS channel
A WAP proxy can be set up by mobile operators as well as by companies themselves; WAP2.0 allows
companies to establish their own WAP proxy at the enterprise end.
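The following is an added example, not code from the paper, of what the end-to-end property of the TLS channel comes down to at the client, using Python's standard ssl module. The weak configuration is constructed for contrast: a client that encrypts but does not verify the server's certificate cannot tell whether it reached the merchant server or an intermediary that terminates TLS, which reproduces the WAP1.x gateway problem at the client. The hardened configuration requires and name-checks the server certificate and refuses protocol versions below TLS 1.2. The function names, the optional CA bundle parameter (standing in for the certificate issued by the WPKI CA of the paper's model) and the audit rules are assumptions of this example.

```python
import socket
import ssl


def gateway_style_context():
    """Constructed weak configuration: the client encrypts but does not verify who
    it is talking to. Any intermediary that terminates TLS can read the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def end_to_end_context(ca_bundle=None):
    """Hardened client configuration for a WAP2.0-style end-to-end TLS channel.
    ca_bundle is an optional path to the CA file that issued the merchant server's
    certificate; None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    ctx.check_hostname = True  # certificate must match the name we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverifiable server => handshake fails
    return ctx


def audit_context(ctx):
    """Return the reasons why ctx does NOT give end-to-end trust.
    An empty list means the channel really terminates at the verified server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


def open_channel(host, port, ctx, timeout=10):
    """Open a TLS connection with ctx and return the peer's validated certificate.
    Needs network access; it is not exercised by the offline checks below."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("gateway-style:", audit_context(gateway_style_context()) or "no findings")
    print("end-to-end   :", audit_context(end_to_end_context()) or "no findings")
```

Running audit_context over a context before it is used is a cheap way to make the end-to-end requirement a checked invariant rather than a convention; an enterprise-operated WAP proxy that only translates WP-TCP to TCP, as the paper describes, leaves these client-side checks intact, whereas a proxy that terminated TLS would need the client to trust the proxy's certificate instead of the server's.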
4.2.1.2 WAP2.0 combined with WPKI
WPKI, Wireless Public Key Infrastructure, is a platform for key and certificate management that follows
the established PKI standards. It introduces PKI (Public Key Infrastructure) into the wireless network
environment and provides a variety of security services, such as encryption and digital signatures, in
wireless networks for different mobile operators.
The major steps of communication between a WAP terminal and the server after WPKI is introduced are:
1) The user initiates the transaction and sends a message to the WAP proxy;
2) The WAP proxy sends a certificate request to the PKI portal;
3) The PKI portal validates the WAP proxy's identity and sends a certificate request to the CA;
4) The CA sends a certificate to the WAP proxy, which returns it to the WAP terminal;
5) The server sends a certificate request to the PKI portal;
6) The PKI portal validates the server's identity and sends a certificate request to the CA;
7) The CA sends a certificate to the server;
8) A TLS connection is established between the terminal and the server;
9) When transmitting sensitive information, users can apply their private key to the data (a digital
signature) for non-repudiation.
Figure 3: Data communication process between WAP terminal and Server
This scheme solves all the current safety problems of M-commerce communication. Although WAP2.0 has
not yet been applied widely, its obvious advantages will make it a major technology in the mobile
communication field, especially as the age of 3G arrives. Coupled with WPKI, WAP2.0 sets up a key
management system that improves the security and stability of transactions.
4.2.2 Safety solution for mobile terminals
The safety of mobile terminals is also important in M-commerce. Securing a mobile terminal means
ensuring that its information is not stolen, replicated or spread. Mobile phone safety can be achieved
from two aspects, software and hardware: in software, an intelligent agent can achieve this goal, and in
hardware, an intelligent card can protect the terminal.
4.2.2.1 Intelligent Agent
In this system an agent, similar to the safety controls on a PC, is embedded into the mobile terminal.
By encrypting important data, the agent protects business data on the mobile phone from being stolen,
replicated and spread. The agent classifies the data to be protected using intelligent analysis. Because
the agent runs on the mobile phone, it needs high efficiency and low resource consumption, and the
encryption and other algorithms have the same requirement. It must also be transparent to users.
4.2.2.2 Intelligent Card
An intelligent card embeds a security module into the SIM card, holding for example the user's digital
certificate and providing data encryption and decryption, identity authentication and so on. Hardware
computation is faster than software, so the card has high efficiency and can adopt relatively complex
algorithms. In this way both the efficiency and the safety of the system are assured.
5 Conclusion
It is a vital foundation for small and medium-sized enterprises in China to develop their advantages
and find a new point of economic growth under economic globalization. With the continuing development
of mobile technology, M-commerce will become a major force in the business field. The key problem of
M-commerce development is transaction security. Once the security problems are solved, there will be
limitless potential for the development of mobile commerce.