
Research On Security In Mobile Commerce

Posted on: 2009-12-16
Degree: Master
Type: Thesis
Country: China
Candidate: B Xia
Full Text: PDF
GTID: 2189360242993271
Subject: Signal and Information Processing
Abstract/Summary:
Enterprises have benefited greatly from the rapid progress of e-commerce in recent years, and the traditional business model has changed as a result. With the prevalence of mobile telephones and the development of wireless technology, the prospects for e-commerce are excellent.

M-commerce depends on the wireless communication network, whose security is poor, so security must be carefully considered in M-commerce. How to ensure the security of M-commerce given the weak computational capability and limited storage capacity of mobile terminals is a question of common concern.

The two main modes of M-commerce are M-commerce based on WAP and M-commerce based on J2ME; both are studied in this thesis. Existing security solutions for WAP-based M-commerce have three main problems: (1) information wiretapping; (2) a bottleneck at the gateway; (3) key management cost that burdens network traffic. There are two versions of WAP: WAP1.X and WAP2.0. WAP1.X cannot provide real end-to-end security, while WAP2.0 can.

In this thesis, schemes are proposed for WAP1.X and WAP2.0 respectively. The scheme based on WAP1.X solves the problem of end-to-end security; the scheme based on WAP2.0 mainly solves the problem of efficiency. Concretely: for WAP1.X, a new end-to-end security model based on a (t, n) threshold scheme is proposed, using the joint secret sharing technique and a double encryption model; for WAP2.0, a secure M-commerce framework based on ID-PKC and mobile agents is proposed to solve M-commerce's security and efficiency problems.

In the J2ME-based model of M-commerce, the SSL protocol always uses the same key length to encrypt all information. A secure and efficient M-commerce model based on J2ME and XML is proposed that can choose which information to encrypt. Based on J2ME and XML, an M-commerce instance, a mobile bank, is designed in the Java language; it can simulate simple operations such as account query.

Key escrow is a method that provides a trade-off between the user's right to privacy and the government's right to monitor. Hence key escrow is an effective way to ensure the security of M-commerce. A new key escrow scheme based on a (t, n) threshold scheme using the joint secret sharing technique is proposed. The system keys used to encrypt and decrypt the session key are constructed by every escrow agency, so that the possibility of the secret keys being divulged is negligible. The monitor agency can only reconstruct the session key and cannot reconstruct the private system key, so the problem of "once monitored, monitored forever" is effectively solved. An agency can easily be added or deleted in this scheme, while forward and backward security are ensured. The burdens on the key management center (KMC), the user and the monitor agency are reduced, while the escrow agencies have to take on more responsibility.
Keywords/Search Tags: M-commerce, WAP, J2ME, Mobile agent, XML, Key escrow, Threshold scheme, Joint secret sharing, ID-based cryptography
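
The key-escrow idea in the abstract, sketched as an added example that is not code from the thesis: escrow agencies jointly build a (t, n)-shared system key without any dealer, and the monitor agency recovers only the session key from t partial decryptions. It assumes ElGamal over a toy prime-order group as the cipher protecting the session key (the abstract names none); all function names and parameters are hypothetical.

```python
import secrets

# Toy group constructed for this demo (far too small for real use): P = 2*Q + 1.
P, Q, G = 2039, 1019, 4   # G generates the subgroup of prime order Q

def poly_eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo Q."""
    return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q

def joint_keygen(t, n):
    """Every agency deals its own degree-(t-1) polynomial; no one holds the sum."""
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    # Agency j adds up the sub-shares f_i(j) it receives from each agency i.
    shares = {j: sum(poly_eval(f, j) for f in polys) % Q for j in range(1, n + 1)}
    # Public system key: product of the published values g^{f_i(0)}.
    y = 1
    for f in polys:
        y = y * pow(G, f[0], P) % P
    return shares, y

def encrypt_session_key(k, y):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), k * pow(y, r, P) % P

def lagrange_at_zero(j, ids):
    """Lagrange coefficient of agency j at x = 0 for the cooperating set ids."""
    num = den = 1
    for m in ids:
        if m != j:
            num = num * (-m) % Q
            den = den * (j - m) % Q
    return num * pow(den, -1, Q) % Q

def partial_decrypt(c1, share, j, ids):
    """Run by escrow agency j: releases c1^(lambda_j * s_j), never the share."""
    return pow(c1, lagrange_at_zero(j, ids) * share % Q, P)

def monitor_recover(c1, c2, partials):
    """Run by the monitor agency: t partials yield the session key only."""
    mask = 1
    for d in partials:
        mask = mask * d % P
    return c2 * pow(mask, -1, P) % P

def demo(k=1234, t=3, n=5, ids=(2, 4, 5)):
    shares, y = joint_keygen(t, n)
    c1, c2 = encrypt_session_key(k, y)
    return monitor_recover(c1, c2, [partial_decrypt(c1, shares[j], j, ids) for j in ids])
```

Because each partial value is bound to one ciphertext, the monitor agency must ask the escrow agencies again for every new session key, which is the property the abstract describes as solving "once monitored, monitored forever".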