Research On Mobile Financial Authentication Scheme Based On White Box Cryptography

With the rapid development of information technology and the gradual popularization of the Internet,smart phone terminals are used more and more frequently in daily life.The Internet with the feature of fast and convenient information acquisition has deeply permeated into various fields of people's production and life.Especially the combination of mobile Internet and financial,mobile financial form,such as mobile banking and We Chat bank is accepted by the public.Thanks to close-fitting and functional features of mobile terminal,now people can handle transaction transfer,money purchase,information query,etc at anytime and anywhere on their mobile phones.The emergence of the mobile banking has greatly promoted the convenience and flexibility to deal with financial business.However,due to the direct link with the security of user funds,the security issues faced by mobile finance are also of great concern.Considering the inherent characteristics of mobile terminals,traditional protection schemes based on hardware security equipment,such as U shield used in online banking,do not have proper interfaces with mobile terminals.Although the protection method of adopting electronic password device and dynamic password card is reliable and effective,it requires users to carry an additional security hardware at anytime and anywhere.Therefore,the transaction mode of U shield is still not convenient and does not meet the convenience requirements of financial mobility.However,some existing security schemes based on smart SD card encryption proposed for mobile terminals cannot be compatible with devices such as apple mobile phones and xiaomi mobile phones that cannot use SD card,and the schemes are not universal.Therefore,it is an urgent problem to work out a security authentication scheme which is suitable for the mobile financial environment.This thesis studies and analyzes the security risks in the mobile terminal environment,combining the white box cryptography technology with the fingerprint technology of active device,and puts forward a security authentication scheme that meets the requirements of mobile finance.Mobile financial security consists of three parts,namely security of transaction data transmission,security of client identity authentication and anti-denying of transaction data.The scheme protects the security of mobile financial system through digital signature technology,and solves the inconveniences of traditional security devices of carrying hardware and compatibility problems of smart SD cards by means of software implementation.At the same time,it cancels the authentication method of SMS verification code and realizes online transaction authentication by using mobile phone instead of hardware token.Realizes the triple binding of users,equipment and accounts through the participation of the counter,which improves the ability of the whole system to resist risks and realizes good results in the practical application of mobile banking terminal software.The specific work is as follows:(1)The analysis on security issues and demands faced by mobile finance.Conducts the analysis on the security of mobile financial services in the context of Internet,so as to conclude that the key problems to be solved in the context of mobile financial services are to ensure the security of data transmission,identity authentication of clients and antirepudiation.After detailed analysis on solving these problems,this thesis adopts the digital signature technology to ensure the security of mobile financial services in the process of transaction.Meanwhile,realize both the two-way authentication of client and server data based on digital signature technology,to ensure that the data of mobile financial services cannot be tampered in the process of transaction,so as to effectively realize the anti-denying of trading data.(2)Design an improved SM2 signature algorithm based on the idea of white box cipher.As the mobile terminal is in uncontrolled risk environment,software implementation of a digital signature protection scheme are prone to be threatened by the attack of white box.The attacker can obtain the signature algorithm or user's private key through reading memory information,analyzing memory instructions,etc.,and as a result,the algorithm and key can not be controlled,which threatens the whole security system.Therefore,the improved signature algorithm based on the idea of white box cipher is used in the scheme design.The private key of user signature is hidden through the design of look-up table to ensure that the mobile terminal will not be breached by attackers.(3)Design and implement the mobile terminal security module.Design the mobile terminal security module through the combination of white-box password and fingerprint technology of active devices,which realizes the binding of the security modules and equipment and the binding of cryptographic algorithms and equipment.It also improves the capacity of code's transplantation and attack under the environment that the system is against the white box,so as to ensure that an attacker could not forge the signature even if he gets the main program of algorithm and look-up table.The implantation of security module provides the mobile financial platform with device fingerprint acquisition,digital signature generation and verification and other functions to improve the security of the system.(4)Implementation and testing of the scheme.During the implementation and test of the scheme,the security of mobile terminal data is guaranteed through the design of security module and cryptographic algorithm.Meanwhile,after conducting the analysis on the experimental results,the test results of experiments are the same as the expected analysis results,which verifies the functions of the mobile financial authentication scheme based on white-box cipher.