
Secure Mobile Commerce

Secure Mobile Commerce. Source: Electronics & Communication Engineering Journal, Vol. 14, No. 5, pp. 228-238, Oct. 2002. Author: S. Schwiderski-Grosche & H. Knospe. Presenter: Jung-wen Lo (駱榮問). Date: 2004/12/16.


Presentation Transcript


  1. Secure Mobile Commerce Source: Electronics & Communication Engineering Journal, Vol. 14, No. 5, pp. 228-238, Oct. 2002 Author: S. Schwiderski-Grosche & H. Knospe Presenter: Jung-wen Lo (駱榮問) Date: 2004/12/16

  2. Outline • Introduction • M-commerce • Security of Network Technologies • M-payment • Conclusion • Comment

  3. Introduction • M-commerce • Mobile devices are used to do business on the Internet • Goal • Identify the special characteristics of m-commerce • Consider some important security issues • Main areas discussed • Network technology • M-payment

  4. Mobile Device • Kinds of devices • Mobile phone • Personal Digital Assistant • Smart phone • Laptop computer • Earpiece • Characteristics • Size & colour of display • Input device • Memory & CPU processing power • Network connectivity, bandwidth capacity • Supported operating system • Availability of an internal smartcard reader

  5. Advantages of M-commerce • Ubiquity • Accessibility • Security • Localisation • Convenience • Personalisation

  6. Disadvantages of M-commerce • Limited capability • The heterogeneity of devices, operating systems, and network technologies is a challenge for a uniform end user platform. • Mobile devices are more prone to theft and destruction. • Communication over the air interface introduces additional security threats

  7. Security Challenges • Mobile device • Confidential user data • Radio interface • Protection of transmitted data • Network operator infrastructure • Security mechanism • M-commerce application • Payment system

  8. Security of Network Technologies (1/2) • GSM (Global System for Mobile Communication) • Authentication is one-way (only the mobile station is authenticated) • Encryption is optional • A false base station can perform a “man-in-the-middle” attack • UMTS (Universal Mobile Telecommunication System) • Authentication is mutual • Encryption is mandatory unless the mobile station and the network agree on an unciphered connection. • Integrity protection is always mandatory and protects against replay or modification of signalling messages.
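The one-way versus mutual authentication contrast on slide 8 can be made concrete with a small simulation. This is an added example, not code from the paper or the presentation: the keyed function f and the AUTN layout (SQN, MAC) are simplified stand-ins for the GSM A3/A8 and UMTS f1/f2 algorithms, and the subscriber key K is a constructed value.

```python
import hashlib, hmac, os

# Constructed subscriber key K; in practice it exists only on the SIM/USIM and in the
# operator's authentication centre. Truncated HMAC-SHA256 stands in for A3/A8 and f1/f2.
K = bytes.fromhex("00112233445566778899aabbccddeeff")

def f(key, *parts):
    """Keyed one-way function used here for both the network MAC and the response."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:8]

class Phone:
    def __init__(self, key):
        self.key = key
        self.sqn_max = 0  # highest sequence number accepted so far (UMTS replay check)

    def gsm_respond(self, rand):
        # GSM: the phone answers any RAND; nothing in the challenge proves who sent it.
        return f(self.key, rand)

    def umts_respond(self, rand, autn):
        # UMTS: verify the network's MAC and the freshness of SQN before answering.
        sqn, mac = autn
        if not hmac.compare_digest(mac, f(self.key, sqn.to_bytes(6, "big"), rand)):
            return None  # rejected: the sender does not know K
        if sqn <= self.sqn_max:
            return None  # rejected: replayed challenge
        self.sqn_max = sqn
        return f(self.key, rand)

class Network:
    def __init__(self, key):
        self.key, self.sqn = key, 0

    def umts_challenge(self):
        # Returns RAND, AUTN = (SQN, MAC) and the expected response XRES.
        self.sqn += 1
        rand = os.urandom(16)
        return rand, (self.sqn, f(self.key, self.sqn.to_bytes(6, "big"), rand)), f(self.key, rand)

def gsm_phone_answers_unknown_network(phone):
    # A base station that does not hold K still gets a response under GSM.
    return phone.gsm_respond(os.urandom(16)) is not None

def umts_phone_answers_unknown_network(phone):
    # Without K the AUTN cannot be forged, so the phone refuses to respond.
    return phone.umts_respond(os.urandom(16), (999, os.urandom(8))) is not None
```

The two trailing functions show the difference the slide describes: a GSM phone engages with any base station, while a UMTS phone rejects a challenge whose MAC was not produced with K, and also rejects a replayed (non-fresh) challenge.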

  9. Security of Network Technologies (2/2) • WLAN (Wireless Local Area Network) • Provides no security by default • An attacker can modify data and the CRC • WEP (Wired Equivalent Privacy) keys can be recovered • 802.1X port-based access control is being adopted • Bluetooth • Provides link-layer security • No privacy requirement • The unique Bluetooth device address allows the tracing of personal devices

  10. Transport Layer Security • SSL/TLS (Secure Sockets Layer / Transport Layer Security) • HTTPS (HTTP over SSL) • KSSL by Sun • Does not offer client-side authentication • Only implements certain commonly used cipher suites • Has a very small footprint and runs on small devices • WTLS (WAP Transport Layer Security) • No real end-to-end security is provided • The WAP gateway needs to be trusted

  11. Service Security (1/2) • Intelligent network • CAMEL (Customised Application for Mobile Enhanced network Logic) • The IN architecture for GSM • Parlay/OSA (Open Service Access) • Provides gateway functionality • M-commerce applications can then access network functionality • Offers authentication and encryption on the application layer • The security depends on the underlying network architecture • SMS (Short Message Service) • No end-to-end security; the network operator and its infrastructure (e.g. SMSC, Short Message Service Centre) must be trusted

  12. Service Security (2/2) • USSD (GSM Unstructured Supplementary Service Data) • No separate security properties • Relies on GSM/UMTS security mechanisms • SIM/USIM application toolkit (Subscriber Identity Module) • Security mechanisms • Authentication • Message integrity • Replay detection and sequence integrity • Proof of receipt and proof of execution • Message confidentiality • Indication of the security mechanisms used

  13. M-payment • Background on payment systems • Categorisation of e-payment systems • Categorisation of m-payment systems • Examples of m-payment systems

  14. Background on Payment Systems
  • Time of payment (relation between initial payment and actual payment)
    • Prepaid payment system
    • Pay-now payment system
    • Post-payment system
  • Payment amount
    • Micropayments: up to about 1 €
    • Small payments: about 1 to 10 €
    • Macropayments: more than 10 €
  • Anonymity issues
    • Complete
    • Partial
  • Security requirements (differ from system to system)
    • Issues to consider: integrity, authentication, authorisation, confidentiality, availability, reliability
  • Online or offline validation
    • Online: background payment servers, trusted third party, double spending
    • Offline: no trusted third party, additional communication overhead
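The online/offline validation and double-spending points on slide 14 can be illustrated with a toy software-electronic-coin scheme of the kind slide 17 describes. This is an added example, not code from the paper or any of the systems it names: the coin format, the Issuer class and the merchant logic are constructed for illustration, and an HMAC under a constructed issuer key stands in for the issuer's coin signature.

```python
import hashlib, hmac, os

# Constructed issuer key; HMAC stands in for the issuer's coin signature so the
# example runs on the standard library alone (a real scheme would use a public-key signature).
ISSUER_KEY = os.urandom(32)

def _tag(serial, value):
    return hmac.new(ISSUER_KEY, f"{serial}:{value}".encode(), hashlib.sha256).hexdigest()

def mint_coin(value):
    """Issuer creates a software electronic coin: a serial number, a value and a tag."""
    serial = os.urandom(8).hex()
    return {"serial": serial, "value": value, "tag": _tag(serial, value)}

def coin_is_genuine(coin):
    """Offline check: proves the coin was issued, not that it is still unspent."""
    return hmac.compare_digest(coin["tag"], _tag(coin["serial"], coin["value"]))

class Issuer:
    """Trusted third party that keeps the list of spent serial numbers."""
    def __init__(self):
        self.spent = set()

    def redeem(self, coin):
        # Used both for online validation during payment and for later deposit.
        if not coin_is_genuine(coin) or coin["serial"] in self.spent:
            return False
        self.spent.add(coin["serial"])
        return True

def merchant_accepts(coin, issuer=None):
    """Online (issuer given): a second spend of the same coin is refused at payment time.
    Offline (no issuer): the merchant can only check genuineness, so a copied coin is
    accepted and the double spend surfaces only when both copies are deposited."""
    if issuer is None:
        return coin_is_genuine(coin)
    return issuer.redeem(coin)
```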

  15. Categorisation of E-payment Systems • Direct cash • Cheque • Credit card • Bank transfer • Debit advice

  16. E-payment Systems [Diagrams of three payment flows between Customer, Merchant, Issuer and Acquirer] • Direct-cash-like: 1. Withdrawal, 2. Payment, 3. Deposit; Settlement between Issuer and Acquirer • Cheque-like: 1. Payment, 2. Authorisation and capture, Indication; Settlement between Issuer and Acquirer • Bank transfer: 1. Transfer request, 2. Settlement, Indication

  17. Categorisation of M-payment Systems • Software electronic coins • $ stored on a mobile device, e.g. electronic coins • Hardware electronic coins • $ stored on a secure hardware token in the mobile device, e.g. a smartcard • Background account • $ stored remotely on an account at a trusted third party

  18. Examples of M-payment Systems
  • Software electronic coins
    • Potentially remain completely anonymous
    • Examples (e-commerce): eCash, NetCash, MilliCent
  • Hardware electronic coins
    • Implement an e-purse (electronic cash on a smartcard)
    • Examples: GeldKarte, Mondex
  • Background account
    • Held at a network operator: the charged amount is transferred to the existing billing solution and included in the customer bill. Ex. M-pay Bill service from Vodafone and Mobilepay
    • Held at a credit card institution: the payment mechanism is secure transmission of credit card data to the credit card company. Ex. Electronic Mobile Payment System by MeritaNordbanken, Nokia and Visa
    • Held at a bank: the existing banking infrastructure and technology can be reused. Ex. Paybox and MobiPay by BBVA and Telefonica

  19. Standardisation and forums • PayCircle (http://www.paycircle.org) • MoSign (http://www.mosign.de) • Mobile Payment Forum (http://www.mobilepaymentforum.org) • mSign (http://www.msign.org) • mwif (http://www.mwif.org) • Radicchio (http://www.radicchio.org) • Encorus (http://www.encorus.com) • Mobile electronic Transactions MeT (http://www.mobiletransaction.org)

  20. Conclusion • Discussed security issues relating to network and service technologies and m-payment • Regarding m-payment, some systems are under development or already operational • One of the main future challenges will be to unify payment solutions and provide the highest possible level of security

  21. Comment • Survey-type paper
