Research on a CPK-Based Secure Transaction Authentication System for Online Banking
Abstract
The growth of online banking underpins the growth of e-commerce as a whole, and network security has become the key to making online transactions possible. Although technologies such as public key infrastructure (PKI), identity verification and CA certification, the SSL data encryption protocol, and the HTTPS secure hypertext transfer protocol are all mature, key management remains a major problem in a disorderly network environment. The identity-based Combined Public Key (CPK) algorithm can generate trillions of keys from very few resources, and it also creates the conditions for implementing the authentication system on a chip.
Taking the security authentication and transaction system of online banking as its subject, this paper combines U-Key authentication technology with the identity-based composite key technology of the CPK scheme to present a CPK-based secure transaction system for online banking. It compares the main characteristics and security features of the currently dominant PKI authentication system with those of the CPK authentication system and, drawing on the principles of elliptic curve cryptography, designs the overall architecture of a CPK-based online transaction authentication system. It describes the structural design of the key management system within the CPK-based authentication system and gives the main protocols that the system uses. A composite key formed from an identity key and a random key solves the problem of linear correlation between keys and strengthens resistance to collusion attacks. The paper describes the U-Key containing a CPK smart security chip and its main functions, analyzes in detail the concrete implementation flow of the CPK-based secure online transaction authentication system, and gives a comprehensive analysis of the security of the whole transaction authentication system, which is both secure and practical.
