移动支付系统体系结构及安全分析

上海交通大学硕士学位论文移动支付系统体系结构及安全分析姓名：姜文婕申请学位级别：硕士专业：电子与通信工程指导教师：邱卫东20070901THEMOBILEPAYMENTSYSTEMARCHITECTUREANDITSSECURITYANALYSISABSTRACTAlongwiththerapiddevelopmentofInternetandmobilecommunication,theelectroniccommerceserviceshavebeengrowntobematured.Oneofthehottopicsintheelectronicpaymentfieldishowtocombinetechnologiesfromthemobilecommunication,theInternetandtheelectroniccommerce.Byresearchingthewirelessvalue-addedservicemarketandapplicationsofthemobilepaymentsatpresent,thisarticleproposesthat:first,themobilepaymentsystemarchitectureiscomposeofcommunicationnetwork,multi-accessplatform,securityauthenticationsystem,managementsystem,serviceprocessplatform,customersupportplatform,andcooperationsystem;second,itdesignsthemobilepaymentserviceprocedures;third,itanalyzesthemobilepaymentsystemsecurity.Finally,itdrawsaconclusioninthemobilepaymentsystem,andmakesaforecastonthemobilepaymentservicesandthenewtechnology.Keywords:electroniccommerce;mobilepayment;systemarchitecture;security.1511.1[1][2][3][4]1997IBMeCACFCACTCASHECACACA20048282000WTOBTBBTCCTC20023143001004020047.6CNNIC2005630120076303.32311522IT1.22511.2.110BREW31.2.22000STK200380[12]200331.2.3[7]GSMWAPUMTSRadicchioPKIWAP[8]WAPWAPBankingService[9]1.4451¾¾¾¾2.12.12.1FIG2.1:MobilePaymentRoleMobilePayment/551[6]2.1//zzzzzOnlineOfflinezzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz2.1:6512.2[6]2.22.2:FIG2.2:MobilePaymentSystemArchitecture7512.2.1GSM/GPRSCDMA1X2.5G3G2.2.22.2.3PBOC2.2.4zzz¾¾¾¾2.2.5z851¾¾¾¾zP2P¾¾SPCP¾¾P2P2.2.6/zz2.2.7zzSPCP2.3951[13]„„„3.1[14]3.2„2„„10A4„„110513.1:FIG3.1:MobilePaymentMethod3.2.1Billing0.1~30/BOSS3.2.223.2.33.2.411513.2.5/9,479,917120,652783,380,580121,522284,226,475555,9157.63.1„55%20%25%3.2:FIG3.2:TransactionLevelRatio„15%15%70%3.3:FIG3.3:TheNumberofPaymentTransactionsRatio1251„78287.60204060803.4:FIG3.4:Theaveragetransactionamount3.3SMS739,518IVR44,734WAP8,521USSD4,280K-JAVA1,0363.2:„135192%6%1%1%0%SMSIVRWAPUSSDK-JAVA3.5:FIG3.5:RatioofTheNumberofTransactionsMethod3.475%70%92%[15]14514.14.1:FIG4.1:SystemStructure[16][17][18]4.1.1z1551¾IVRIVR¾SMS70PUSH¾USSDUSSD20USSD¾WAPWAPWAPWAPPUSHWAP¾K-JAVAK-JAVA¾WEBz[19]4.24.2:FIG4.2:SystemRealizingStructurezIVRSMSUSSDWAPK-JAVADB/BOSSSP/CP16514.1.2z¾¾SP/CPAPI¾/BOSS„JAVA„/SP/CP/SP/CPAPIAPI[20]4.34.3:API/SP/CP1751FIG4.3:TenantsPaymentStructure¾¾¾¾¾„BOSSPBOCBOSS4.54.4:FIG4.4:PaymentGatewayStructure[21]¾¾¾¾¾z„IBMCAHP„BOSS/BOSS1851„¾¾¾¾¾¾¾zCRM„CallCenter„„4.24.2.1z„¾POS—4.519514.5:FIG4.5:OnlineBankingBusinessRegistrationProcess1.2.3.4.—4.64.6:FIG4.6:TelephoneBankingBusinessRegistrationProcess1.2.3.4.—4.74.7:FIG4.7:BankCountersRegisteredBusinessProcesses1.2.3.—POSPOS4.820514.8:POSFIG4.8:UnionPayRegisteredBusinessProcesses1/2POS34POS¾4.94.9:FIG4.9:VoiceSelf-registrationBusinessProcesses1.2.3.4.5.6.„1.2.zSMS4.10/POS21514.10:FIG4.10:SMSCancellationofBusinessProcesses1.2.3.z„4.11:[22]FIG4.11:Bankcardpaymentprocess1.2.3.4.5.6.7.„22514.12:FIG4.12:SmallPaymentProcess1.2.3.4.5.6.7.„11.12.8.9.3.4.14.5.6.7.10.14.4.13:FIG4.13:TheCollectionProcess1.2.SP3.SP4.5.6.7.8.23519.10.11.12.13.14.SP4.2.2[23]z4.14:FIG4.14:ReconciliationModelzz4.3[29]24514.3.1¾USSDCUSSDCUSSDUSSD¾SMSCSMSCISMGISMGCMPP2.0CMPPCMPP2.0¾IVRIVRIVR12588TechnicalSpecificationofISUPforDigitalPLMNMSCIVRISUP¾WAPGPRSWAPHTTPHTTPx-up-calling-line-idRFC2068HypertextTransferProtocolHTTP/1.14.3.2¾-¾-BOSS¾-4.425515.1„,„5.2„SIMDEA„WAPWAPWTLSWAPWAPSSL„IVR„K-javaBREWGPRSCDMA5.2.1z[24]GSM2651123SIMGSMGPRS1GPRS23zWAPGPRS123USSD5.1:FIG5.1:MobilePaymentPlatformNetworkSecurityDiagram31.GSM2.CMNETVPNIPSec3.WEBz[25]TCP/IP(ISMG)SS7MSCSMPPSMPPCMPPTCP/IPTCP/IPTCP/IPSS7TCP/IPMSSS7BSS27515.2:FIG5.2:SMSAgreementSIM5.2.2IVRIVR5.3:IVRFIG5.3:IVRSystemConnectionDiagramIVRLANIVRDESIVR5.2.3WAPWAPMSMSCTMSCIVRBSSSS7SS7SS7TCP/IPLAN28515.4:WAPFIG5.4:WAPSystemConnectionDiagramWAPWAP2.0WAPWAP1.2WAP1.2SSLWAPHTTPSWAPSSLWAPWAP[26][27]5.2.4K-JAVAJ2ME[28]5.5:J2MEFIG5.5:J2MEStructureJ2MEID1.HuserPswdcInitKey2.cRaninitKeyloginReqcRancSessionKeyWAPGPRSWAPWAPWAP/SSLWAP/SSLJ2MEclientMIDPCLDCJ2MEruntimeenvironmentJ2MEserverPortletAPIJ2SEruntimeenvironment29513.sInitKeycInitKey==sInitKeysInitKeyloginReqsSessionKeysSessionKey=cSessionKey4.timestampcSessionKeytimestampcInitKeyserverJ2MEclientcInitKey=H(cUserPswd)cRan=getRandom()loginReq=enc(initKey,cRan)challenge=timestampsSessionKey=dec(sInitKey,loginReq)sInitKey=H(sUserPswd)challengeRsp=enc(cSessionKey,timestamp+cInitKey)loginRsp=succeed|failvalidate(sSessionKey,challengeRsp,timestamp,sUserPswd)getSUserPswd()5.6:K-JAVAFIG5.6:K-JAVAEncryptionAlgorithmRealization30515.2.5USSDUSSDGSM(HLR)USSDUSSDUSSDGSMSIMWAPUSSDUSSDPLMNUSSDUSSDPLMNUSSDUSSDUSSDUSSD[29]5.7:USSDFIG5.7:USSDCommunicationsSystemStructureUSSD5.8:USSDFIG5.8:USSDSystemConnectionDiagramUSSDSMS20MSMSCTMSCUSSDCBSSSS7SS7SS7TCP/IPLAN31515.3zz5.4SIM[31]RSA1024bitSIMPKIPKIPKIRSASIMRSA1024bitSTKSIMIVR1SIM,SIMPKI23J2EEWeb43251563351N2NNNGPRSSMSIVRWAPGWUSSDGSMISMGCMNET/VPN/1DSMPCBOSS()DSMPBOSSD