Research on the Security Policies of Mobile Commerce Implemented by Small and Medium-sized Enterprises

Yao Jiayi, Wang Hongying
School of Economics and Management, Beijing Jiaotong University, P.R. China, 100044

Abstract
After analysing the advantages that small and medium-sized enterprises (SMEs) gain from implementing M-commerce, the paper presents the security problems of M-commerce and the corresponding security policies for SMEs. It also presents a security solution for M-commerce based on WAP2.0.

Key words: Mobile-Commerce, WAP2.0, TLS, Security

1 Introduction
Mobile communications have recently developed rapidly all over the world, with an irreversible trend towards digital, networked services, and mobile commerce (M-commerce) has grown out of this situation. M-commerce is digital business transaction activity carried out over the Internet with mobile phones and other mobile devices; it can provide rich mobile data services to users. Small and medium-sized enterprises in China must take global market competition into account when adjusting their development policies, building on an information platform and exploiting innovation and flexible, personalised services. For such enterprises, introducing M-commerce brings new operational concepts and business models. Implementing M-commerce gives SMEs several advantages:
1) The Chinese mobile communication market has the largest GSM network in the world, 3G is ready, and mobile phone penetration in China is high.
2) Because of the nature of mobile devices, M-commerce transactions are not limited in time or place.
3) GPS can locate the phone, which allows personalised services for users.
4) The mobile phone can use its built-in identity to support transactions, so service providers can identify users precisely and reduce the enterprise's business risk.
However, M-commerce runs over a wireless network, which is a broadcast medium in which a great many security holes and hidden risks exist.
These are the principal problems that SMEs need to solve.

2 The security problems of SME M-commerce implementation
It is vitally important for enterprises to keep operational and business information confidential. M-commerce faces security threats similar to those of E-commerce, such as identity authentication, information security and privacy protection. The security threats to M-commerce over mobile communication networks fall into three categories: wireless link threats, server network threats and terminal threats.

2.1 Wireless link threats
1) Eavesdropping and theft of data;
2) Impersonation of legitimate users;
3) Replay of messages.

2.2 Server network threats
1) Unauthorised access to data;
2) Damage to the integrity of data;
3) Denial-of-service attacks;
4) Repudiation of transactions.

2.3 Terminal threats
1) Attackers use a stolen mobile phone to access system resources.
2) Attackers who know the internals of the system well enough can obtain more access rights than they were granted.
3) Data in the mobile terminal or SIM card is updated, inserted or deleted to destroy its integrity.
4) Data in the mobile terminal is copied and transmitted illegally.

2.4 Security requirements in M-commerce
Network transactions currently have two kinds of security requirement.
1) Two-way user identity authentication: only users whose authenticity has been checked and who are authorised may access the data, and only within the scope allowed.
2) Protection of data and transaction security: M-commerce needs confidentiality and integrity of data, and non-repudiation.

3 The security policy for M-commerce implementation in SMEs
M-commerce shares security problems with E-commerce. For the problems that are the same, the approaches used to address the corresponding E-commerce security problems can be applied.
Furthermore, new security policies must be researched for the M-commerce problems that differ from E-commerce. The security policies for M-commerce are as follows:
1) Two-way identity authentication among users, and between users and the mobile communication network: the identities of the parties to a transaction must be confirmed before the M-commerce transaction proceeds, to ensure that it is safe. Mutual authentication between users and the mobile communication network is very important for mobile communication security.
2) Encryption of data: a secure channel for data transmission must be established in the communication, based on encrypting the data. Because mobile devices have limited capability, the encryption and decryption algorithms must be both efficient and secure.
3) Verification of data integrity: data integrity is verified with a message digest.
4) Non-repudiation of data: non-repudiation is achieved with digital signatures.
5) Hiding identity and location: to keep authentication private, users need either a temporary identity that conceals the permanent one, or a permanent identity that is transmitted only in encrypted form.
Taking into account the bandwidth constraints of mobile communication systems and the limited computing resources of mobile terminals, all the security policies must fit the mobile situation and devices: they must be not only secure but also low in resource consumption.

4 Security implementation model of M-commerce based on WAP2.0
4.1 WAP introduction
WAP, the Wireless Application Protocol, is an open global standard for communication between wireless terminals and the Internet. It consists of a series of protocols that standardise wireless communication devices, defining the format in which users access content and the communication protocols used. WAP1.x cannot provide complete end-to-end security and identity authentication, because data is decrypted in the WAP gateway (the gateway terminates the handset's WTLS session and re-encrypts towards the server with TLS, so it holds the plaintext of every transaction); as a result, protection is not 100% effective for the large volume of transactions.
WAP2.0 improves on this. Figure 1 shows the WAP stacks: the right-hand (coloured) side is the WAP1.x stack and the left-hand side is the WAP2.0 stack. In the WAP2.0 stack, the WP-HTTP/TLS/WP-TCP layers replace WSP/WTP/WTLS/WDP of WAP1.2. TCP* and HTTP* are TCP and HTTP streamlined and optimised for the mobile situation.

Figure 1: WAP architecture (WAP1.x stack: WAE, WSP, WTP, WTLS, WDP over bearers; WAP2.0 stack: WAE, HTTP*, TLS, TCP*, IP over wireless transport; alongside the standard Internet stack HTTP, TLS, TCP, IP)

The central feature of WAP2.0 is that it brings Internet protocols into WAP. It provides more efficient wireless transmission protocols than WAP1.x on 2.5G and 3G networks. WAP2.0 provides two ways of achieving real end-to-end security: end-to-end security at the transport layer, and the TLS channel. WAP2.0 can therefore meet the needs of mobile e-business.

4.2 Security solution for M-commerce based on WAP2.0
Securing M-commerce means securing both the wireless communication and the mobile terminal. For the wireless communication this paper uses the TLS channel, which meets the needs of mobile e-business simply and is suitable for SMEs. The mobile terminal is secured by an intelligent agent or an intelligent card.

4.2.1 Security solution for wireless communication in M-commerce based on WAP2.0
4.2.1.1 TLS channel
WAP2.0 introduces IP together with three new protocols, WP-HTTP, TLS and WP-TCP, as shown in Figure 1. WP-TCP is adapted to the wireless situation and interoperates with standard TCP. Unlike WAP1.x, WAP2.0 can do without a WAP proxy, but a WAP proxy can still improve the efficiency of network routing. WAP devices use TLS above the transport layer, so when accessing the Internet the WAP proxy only translates between WP-TCP and TCP in its protocol stack. The TLS layer is preserved across the proxy, giving end-to-end security from the WAP client to the web server, as shown in Figure 2; the proxy never holds the session keys and forwards TLS records it cannot read, which is exactly what a WAP1.x gateway could not offer.

Figure 2: Protocol stack in the TLS channel

A WAP proxy can be set up by mobile operators or by the enterprise itself; WAP2.0 supports companies setting up their own WAP proxy at the enterprise end.
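The end-to-end property of the TLS channel can be checked directly. The Go program below is an added example written for this page, not code from the paper or from any WAP implementation: it runs a TLS web server, a proxy modelled as a pure TCP relay (the WAP2.0 proxy's WP-TCP/TCP translation reduced to byte forwarding, with a copy of everything the terminal sends kept as an attacker on the proxy would see it), and a terminal that sends an order through the proxy. The host name webserver.example, the order text and the card number are constructed test data, and the server certificate is self-signed inside the program where the paper's scheme would have the WPKI CA issue it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Order the terminal sends; the card number is constructed test data.
const order = "ORDER user=alice item=4711 card=4111111111111111"

func check(err error) { // setup failures are fatal in this example
	if err != nil {
		panic(err)
	}
}

// serverCert makes a self-signed certificate for the hypothetical host webserver.example
// (the paper's WPKI CA would issue it) and a pool trusting it: the terminal's CA store.
func serverCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "webserver.example"},
		DNSNames:     []string{"webserver.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// relay models the WAP2.0 proxy as a pure transport relay: it pipes bytes between the
// two TCP legs, keeping a copy of all the terminal sent (an attacker's view). It never terminates TLS.
func relay(client net.Conn, upstream string, seen chan<- []byte) {
	server, err := net.Dial("tcp", upstream)
	check(err)
	go func() { io.Copy(client, server); client.Close() }()
	var captured bytes.Buffer
	io.Copy(server, io.TeeReader(client, &captured)) // ends when the terminal hangs up
	server.Close()
	seen <- captured.Bytes()
}

// RunTLSChannel runs web server, proxy and terminal on loopback, sends the order through
// the proxy, and returns the server's reply and whether the proxy saw the card number in clear.
func RunTLSChannel() (reply string, proxySawCard bool) {
	cert, pool := serverCert()
	srv, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	check(err)
	defer srv.Close()
	go func() { // web server: read one request over TLS, answer it, hang up
		c, err := srv.Accept()
		check(err)
		defer c.Close()
		buf := make([]byte, 512)
		if n, _ := c.Read(buf); bytes.HasPrefix(buf[:n], []byte("ORDER")) {
			c.Write([]byte("ORDER ACCEPTED"))
		}
	}()
	pl, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer pl.Close()
	seen := make(chan []byte, 1)
	go func() {
		c, err := pl.Accept()
		check(err)
		relay(c, srv.Addr().String(), seen)
	}()
	// Terminal: TCP goes to the proxy, but TLS is negotiated with, and verified
	// against, the web server's certificate; the proxy is only a pipe.
	conn, err := tls.Dial("tcp", pl.Addr().String(), &tls.Config{ServerName: "webserver.example", RootCAs: pool})
	check(err)
	conn.Write([]byte(order)) // a write error would surface on the Read below
	buf := make([]byte, 512)
	n, err := conn.Read(buf)
	check(err)
	conn.Close()
	return string(buf[:n]), bytes.Contains(<-seen, []byte("4111111111111111"))
}

func main() { fmt.Println(RunTLSChannel()) }
```

The proxy's capture contains only TLS records: the card number appears nowhere in it, and the terminal still gets the server's answer. Note which name the terminal verifies: the web server's, not the proxy's. If the proxy instead terminated TLS with a certificate of its own, this handshake would fail unless the terminal were configured to trust the proxy, which is the WAP1.x gateway situation in a different guise.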
4.2.1.2 WAP2.0 combined with WPKI
WPKI, Wireless Public Key Infrastructure, is a standards-based platform for key and certificate management. It brings PKI (Public Key Infrastructure) into the wireless network environment and provides security services such as encryption and digital signatures to the wireless applications of different mobile operators. The main steps of communication between a WAP terminal and a server once WPKI is introduced are:
1) The user initiates the transaction and sends a message to the WAP proxy;
2) The WAP proxy sends a certificate request to the PKI portal;
3) The PKI portal validates the WAP proxy's identity and forwards the certificate request to the CA;
4) The CA issues a certificate to the WAP proxy, which returns it to the WAP terminal;
5) The server sends a certificate request to the PKI portal;
6) The PKI portal validates the server's identity and forwards the certificate request to the CA;
7) The CA issues a certificate to the server;
8) A TLS connection is established between the terminal and the server;
9) When transmitting sensitive information, the user signs it with the private key to provide non-repudiation.

Figure 3: Data communication process between WAP terminal and server

This scheme addresses the security requirements of M-commerce communication listed in Section 2.4: confidentiality and integrity come from the TLS channel, authentication of the parties from their certificates, and non-repudiation from the user's signature. Although WAP2.0 has not yet been widely deployed, its obvious advantages will make it a major technology in mobile communications, especially with the arrival of 3G. Coupled with WPKI, WAP2.0 provides a key management system that improves the security and stability of transactions.

4.2.2 Security solution for mobile terminals
In M-commerce the security of the mobile terminal is equally important. Securing the terminal means ensuring that its information is not stolen, copied or spread. Two aspects of mobile phone security can be considered: software and hardware.
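Step 9 of the WPKI flow above, together with policies 3 and 4 of Section 3 (a digest for integrity, a signature for non-repudiation) and the replay threat of Section 2.1, can be exercised in a short Go program. This is an added example written for this page, not code from the paper: the Transaction format and its "|"-joined canonical encoding, the users alice and mallory, the item and amount are all constructed for the example, and ECDSA over P-256 with SHA-256 stands in for whatever algorithms the WPKI certificates would actually specify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Transaction is the sensitive message a terminal sends inside the TLS channel.
// Nonce is fresh per message (replay defence), the SHA-256 digest of the
// canonical form gives integrity, and Sig over that digest gives non-repudiation.
type Transaction struct {
	UserID string
	Order  string
	Amount int // constructed unit: cents
	Nonce  string
	Sig    []byte
}

// digest hashes a fixed canonical encoding ('|'-joined fields); terminal and
// server must build it identically, otherwise verification fails.
func (t Transaction) digest() []byte {
	h := sha256.Sum256([]byte(strings.Join([]string{t.UserID, t.Order, strconv.Itoa(t.Amount), t.Nonce}, "|")))
	return h[:]
}

// Sign is the terminal side. In the paper's scheme the private key lives in the
// intelligent card (SIM) and the public key is in the user's WPKI certificate.
func Sign(t *Transaction, priv *ecdsa.PrivateKey) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err) // no usable randomness: refuse to sign
	}
	t.Nonce = hex.EncodeToString(n)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, t.digest())
	if err != nil {
		panic(err)
	}
	t.Sig = sig
}

// Verifier is the server side: the certified public key of each user, and the
// nonces already accepted from each user.
type Verifier struct {
	pubs map[string]*ecdsa.PublicKey
	used map[string]bool
}

// Accept checks origin and integrity (signature over the digest) before
// freshness (nonce), so a tampered or forged copy cannot consume a nonce.
func (v *Verifier) Accept(t Transaction) error {
	pub, ok := v.pubs[t.UserID]
	if !ok {
		return errors.New("unknown user: no certificate on file")
	}
	if !ecdsa.VerifyASN1(pub, t.digest(), t.Sig) {
		return errors.New("signature invalid: message altered or not from this user")
	}
	key := t.UserID + "|" + t.Nonce
	if v.used[key] {
		return errors.New("replay: nonce already accepted")
	}
	v.used[key] = true
	return nil
}

// Demo returns the verifier's verdict on a genuine order, the same order with the
// amount altered in transit, the genuine order replayed, and an attacker's forgery.
func Demo() map[string]string {
	alice, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)   // terminal's key
	mallory, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // attacker's key
	v := &Verifier{pubs: map[string]*ecdsa.PublicKey{"alice": &alice.PublicKey}, used: map[string]bool{}}
	tx := Transaction{UserID: "alice", Order: "item-4711", Amount: 1999}
	Sign(&tx, alice)
	forged := Transaction{UserID: "alice", Order: "item-4711", Amount: 1999}
	Sign(&forged, mallory) // right account, wrong key: no valid certificate backs it
	tampered := Transaction{UserID: tx.UserID, Order: tx.Order, Amount: 1, Nonce: tx.Nonce, Sig: tx.Sig} // price rewritten on the path
	verdict := func(err error) string {
		if err == nil {
			return "accepted"
		}
		return err.Error()
	}
	out := map[string]string{}
	out["genuine"] = verdict(v.Accept(tx))
	out["tampered"] = verdict(v.Accept(tampered))
	out["replayed"] = verdict(v.Accept(tx))
	out["forged"] = verdict(v.Accept(forged))
	return out
}

func main() { fmt.Println(Demo()) }
```

The order of checks matters: the signature is verified before the nonce is recorded, so an attacker cannot burn a legitimate nonce by submitting a corrupted copy of it. The set of used nonces is keyed per user and grows without bound here; a deployment would bound it with a timestamp window or a per-user counter, which a SIM-based signing module of the kind described in Section 4.2.2.2 can keep reliably.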
An intelligent agent protects the terminal in software; an intelligent card protects it in hardware.

4.2.2.1 Intelligent agent
In this system an agent is embedded in the mobile terminal, similar to the security controls on a PC. By encrypting important data, the agent protects business data on the phone from being stolen, copied or spread. The agent classifies the data to be protected using intelligent analysis. Because the agent runs on the phone it needs high efficiency and low resource consumption, and the encryption and other algorithms it uses have the same requirement. It must also be transparent to users.

4.2.2.2 Intelligent card
An intelligent card embeds a security module in the SIM card, holding the user's digital certificate and performing data encryption and decryption, identity authentication and so on. Hardware computes faster than software, so the card is highly efficient and can use relatively complex algorithms. In this way both the efficiency and the security of the system are assured.

5 Conclusion
In the context of economic globalisation, it is vital for small and medium-sized enterprises in China to develop their advantages and find new sources of economic growth. As mobile technology develops, M-commerce will become a major force in business. The obstacle to M-commerce development is transaction security; once the security problems are solved, mobile commerce has unlimited potential.