| With popularization and development of mobile commerce, the security of mobile commerce has drawn more and more attentions. Identity authentication is the first safety barrier, as communication security almost starts from the handshake process of it. Authentication protocol based on ciper technology is the most safety method to realize identity authentication, so identity authentication protocol is necessary to ensure communication security in mobile commerce.Presently, identity authentication in domestic mobile commerce is mainly implemented by static password mechanism based on UserID/UserPW. The mechanism has some advantages, such as easier implementation and simpler operation. But its security is only depended on secrecy of UserPW. OTP (One-Time Password) authentication mechanism has higher security by one time padding. It is implemented simply, cost less and needed no third-party notarization, and so it is more suitable for mobile commerce environment, but it couldn't resist decimal attack and realize bidirectional authentication. The main reason is that random number generated one-time password and authentication information are transmitted by plaintext, so cryptosystem is used to encrypting these aboved information. Public-key cryptosystem has the higher security intensity, and ECC (Elliptic Curve Cryptosystem) has the best security, the fastest speed and needs no third-party notarization among all the public-key cryptosystems. It has some characteristics, including smaller storage space and taking-up bandwidth, lower computational complexity and faster processing speed, and so more suitable for authentication environment in mobile commerce.Combined OTP mechanism with ECC, it is presented an identity authentication protocol in mobile commerce based on OTP, named by MCIA (Mobile Commerce Identity Authentication) protocol. Bidirectional authentication and ciper key agreement are realized in MCIA protocol, and simultaneously decimal attack and man-in-middle attack are resisted effectively.Formal analysis method is the effective method to analyze security attribute of authentication protocol, and Strand space method is the most simple, intuitive, strict and effective. Through authentication test method based on Strand space, MCIA protocol is proved to be able to attain the goal of data security, identity authentication and data assurance. In order to testify the protocol operation efficiency in the actual mobile environment, the simulation model of MCIA protocol is set up through Opnet. The protocol performance is analyzed from the statistics variables, including authentication time, queuing delay, channel utilization and throughput. Then compared with static password authentication mechanism named by EasyUID, OTP authentication mechanism based on Challenge/Response, MCIA protocol is validated to have better performance and more suitable for mobile commerce.
|
PDF Full Text Request