利用基于身份的密码算法+短信验证码的移动安全支付方案

Mobile Secure Payment Scheme Using Identity-based Cryptographic Algorithm+SMS Verification Code

针对移动支付过程中短信验证码被盗导致资金失窃,以及在基于证书的密码体制下建立移动支付系统时移动设备和移动网络面临巨大压力的问题,文中提出了利用基于身份的密码算法+短信验证码的移动安全支付方案。该方案中,用户和银行服务器加入一个基于身份的密码系统,它们不再需要基于数字证书的身份认证,这将大大减小移动设备以及移动网络的存储和计算开销。用户首先到银行柜台注册开通手机银行业务,设置用户名、密码,预留安全问题,在银行工作人员的帮助下完成手机银行APP的首次安装和初始化。登录时,银行服务器对用户进行身份认证,保证用户合法。支付时,手机银行APP利用用户的私钥生成对短信验证码的数字签名,并用银行服务器的公钥对数字签名和短信验证码的组合加密后发送给银行服务器以进行验证,只有银行服务器验证通过后才允许用户支付。在本方案中,短信验证码和数字签名将共同为用户提供安全保证,即使验证码泄露,攻击者也不可能根据验证码生成数字签名,从而保证了移动支付的安全。理论分析和实验结果表明,本方案不但能够大大提高移动支付的安全性,而且随着移动终端的增加,系统的平均响应时间也不会急剧增长,因此所提方案具有较好的健壮性和可行性。

Aiming at the problem of stolen funds caused by stolen SMS verification code in mobile payment process,as well as the mobile device and the mobile network are under great pressure when establishing a mobile payment system under the certificate-based cryptosystem,a mobile secure payment scheme based on identity-based cryptographic algorithm+SMS verification code was proposed.In this scheme,users and bank servers join an identity-based cryptosystem,so they no longer need digital certificate-based identity authentication,which will greatly reduce the storage and computational overhead of mobile devices and mobile networks.Users need to go to the bank counter to register and open mobile banking services,set the user name,password and reserved security issues,and complete the first installation and initialization of mobile banking APP with the help of bank staff.When logging in,the bank server authenticates the user’s identity to ensure that the user is legal.In payment,the user’s private key is used to generate the digital signature of SMS verification code,and the combination of digital signature and SMS verification code is encrypted with the bank server’s public key and sent to the bank server for verification,the bank server will not allow the user to pay until the verification is passed.In this scheme,the SMS verification code and the digital signature will jointly provide security guarantee for the user.Even if the verification code is leaked,the attacker cannot generate a digital signature accor-ding to the verification code,thus ensuring the security of the mobile payment.Theoretical analysis and experimental results show that this scheme not only can greatly improve the security of mobile payment,but also the average response time of the system will not increase sharply with the increase of mobile terminals,so it has better robustness and feasibility.