1. Introduction
Abroad, research on identity authentication in mobile commerce is mainly focused on Wireless Public Key Infrastructure (WPKI). WPKI uses public-key encryption and open, standard technology to construct a trustworthy and secure architecture (Karl Felder, 2004). On the basis of the WPKI architecture it can provide all kinds of security services for mobile users: real peer-to-peer security in the data transmission process, secure user identity authentication and trustworthy transactions, protection of the integrity and confidentiality of transmitted data, and non-repudiation by transaction participants, thereby effectively establishing a secure mobile commerce environment. However, one study claims that the WPKI authentication mechanism demands high computational capability from mobile terminals, and that it is therefore unsuitable for a mobile commerce environment in which computational capability is limited (Zhao, W., & Dai, Z., 2005). At the same time, it has disadvantages such as high cost, complicated technology, and a lack of unified standards and good interoperability; in particular, there is no legal and authoritative third-party authentication institution, i.e. a Certification Authority (CA). Because of these factors, WPKI has not yet found good application in the domestic mobile commerce environment.
At present, identity authentication in domestic mobile commerce is mainly implemented by a static password mechanism based on a UserID (user name)/UserPW (user password) pair. The mechanism has some advantages, such as easy implementation and simple operation, but its security depends entirely on the secrecy of the UserPW (Zhang, Z., 2004): once the UserPW is lost, its security is lost completely. The One-Time Password (OTP) authentication mechanism offers higher security through one-time padding. It is simple to implement, costs less and needs no third-party notarization, and is therefore better suited to the mobile commerce environment; however, it can neither resist the decimal attack nor provide bidirectional authentication (Ye, X.-J., & Wu, G.-X., 2002). The main reason is that the random number used to generate the one-time password and the authentication information are transmitted in plaintext, so a cryptosystem is needed to encrypt this information. Public-key cryptosystems offer the higher security strength, and among them the Elliptic Curve Cryptosystem (ECC) offers the best security and the fastest speed and needs no third-party notarization (Xiao, Y., 2006). It has characteristics such as smaller storage space and bandwidth consumption, lower computational complexity and faster processing speed, and is thus more suitable for mobile commerce.
Combining the OTP mechanism with ECC, this paper presents a mobile commerce identity authentication (MCIA) protocol based on OTP. The mechanism achieves bidirectional authentication and key agreement, and at the same time effectively resists the decimal attack and the man-in-the-middle attack.