Essential Mobile-Commerce Technology (part 2) - MOBILE COMMERCE SECURITY

3/12/2013 7:09:15 PM


Secure commercial information exchange and safe electronic financial transactions are essential for both service providers and potential customers. Various mobile security procedures have therefore been proposed and applied to mobile commerce. A secure mobile commerce system must have the following properties: (i) confidentiality, (ii) authentication, (iii) integrity, (iv) authorization, (v) availability, and (vi) non-repudiation. This section discusses the security issues related to the following three network paradigms: (i) wireless local area networks, (ii) wireless wide area networks, and (iii) WAP. The future of mobile commerce depends on its ability to securely and safely exchange information between mobile users and content providers. However, applying the security and payment technologies originally designed for electronic commerce to mobile commerce has been less than helpful because electronic commerce and mobile commerce are based on fundamentally different infrastructures (wired versus wireless). A wide variety of security procedures have therefore been developed specifically for mobile commerce. These technologies are extremely diverse and complicated and a comprehensive discussion concerning them is still awaited. Mobile commerce applications are built on top of the existing network infrastructure of wired networks, such as the Internet; wireless networks, such as wide area 3G cellular networks; and Wi-Fi wireless local area networks (WLAN). Therefore, security issues in mobile commerce are tightly coupled with network security.

Properties and Requirements of Mobile Commerce Security

First and foremost, the theme of this section, mobile commerce security, is defined as the technological and managerial procedures applied to mobile commerce transactions to provide the following functions for mobile commerce data and systems:

  • Confidentiality: The information and systems must not be disclosed to unauthorized persons, processes, or devices.

  • Authentication: This ensures that parties to a transaction are not impostors and are trustworthy.

  • Integrity: The information and systems have not been altered or corrupted by outside parties.

  • Authorization: Procedures must be provided to verify that the user can make the requested purchases.

  • Availability: An authorized user must have timely, reliable access to information in order to perform mobile commerce transactions.

  • Non-repudiation: Ensures a user cannot deny they performed a transaction; the user is provided with proof of the transaction and the recipient is assured of the user's identity.

These procedures involve a variety of policies and processes, along with the hardware and software tools necessary to protect the mobile commerce systems and transactions and the information processed, stored, and transmitted by them.

It is first necessary to examine what kind of features mobile commerce security and payment methods are expected to have in order to conduct effective and efficient mobile commerce transactions and what kind of challenges may be faced in the process of developing new mobile commerce security and payment methods. The requirements for mobile commerce security include:

  1. Confidentiality, authentication, integrity, authorization, availability, and non-repudiation must be rigorously enforced.

  2. They should be interoperable for most systems.

  3. They should be acceptable for both current and future systems at minimal cost.

  4. They should allow content providers to provide affordable, easy-to-use, efficient and interoperable payment methods to users.

  5. No mobile commerce transactions are deferred or deterred because of their deployment.

Security Basics

Without confidence in the security of the underlying networking technologies, mobile commerce will be unimaginable. Network security usually involves communications between two or more participating entities, but the term "security" covers many different aspects. In this section we will focus on those features that are most important to mobile commerce systems.

Security Services

A mobile commerce system needs to provide security services to its participating entities so that business can be conducted successfully in electronic form. These security services include:

  • Authentication. Before business transactions can be performed, the participating entities (usually the sender and receiver) must confirm each others' identities. This service prevents an unauthorized third-party from masquerading as one of the legitimate parties. Authentication is usually achieved using network-based authentication protocols.

  • Data confidentiality/secrecy. In an electronic business transaction, it is assumed that only the sender and intended receiver(s) will be able to read the transmitted messages in cleartext. Providing data confidentiality prevents eavesdroppers or interceptors from understanding the secret communication. This is usually accomplished using computer-based cryptographic encryption and decryption computation.

  • Data integrity. It should not be possible for a transmitted message to be altered, whether accidentally or maliciously, without this being detected at the receiver side of a mobile commerce system. With this security feature, an interceptor is not able to deceive the receiver by modifying the content of a message in transmission. Adding secure electronic signatures to messages provides data integrity.

  • Non-repudiation. Mobile commerce transactions are official business deals. Neither the sender nor receiver should be able to deny the existence of a legitimate transaction afterwards. That is, the sender must be able to prove that the specified receiver received the message and the receiver must be able to prove that the specified sender did in fact send the message. This is usually done using digital signature techniques.

  • Availability. The availability of a mobile commerce system ensures that legitimate users can access the business service reliably and securely. The system should be designed to minimize the impact of events such as malicious denial-of-service (DoS) attacks, which can cause mobile commerce services to become unstable or unusable for long periods of time. Deploying network security devices such as firewalls and configuring them along with associated protocols properly is the key to ensuring service availability.

Security Mechanisms

Security services in the modern world must take advantage of the latest advances in computation technology, both hardware and software. To achieve these security goals, digital data are encrypted and decrypted based on cryptographic algorithms. There are two categories of cryptographic algorithms: symmetric key systems and asymmetric key systems.

  • Symmetric key systems. In this category, the sender and receiver participating in a secure session both own the same digital key. The sender encrypts messages using this key and then sends it to the receiver through the public network. The receiver then decrypts the messages received using the same key. This digital key, however, is never transmitted over the network in cleartext, thus preventing a third-party from obtaining it and thus compromising the secure communication. To agree upon this symmetric key requires both sides to use outside channels, such as a telephone conversation, or a specially designed key distribution center (KDC). The data encryption standard (DES), triple-DES (3DES), and advanced encryption standard (AES) are symmetric key systems.

  • Asymmetric key systems. These are also called "public key systems." Unlike in symmetric key systems, a participating entity in an asymmetric key system uses two keys-a public key that is accessible to everyone in the world and a private key known only to itself. Applying one or both of these two keys in different orders to data messages provides security services such as authentication and digital signature. The famous RSA algorithm is an example of an asymmetric key system.

Mobile Security

As discussed earlier, mobile security is a crucial issue for mobile commerce. From a technical point of view, mobile commerce over wireless networks is inherently insecure compared to electronic commerce over wired networks. The reasons are as follows:

  • Reliability and integrity: Interference and fading make the wireless channel inherently error prone. Frequent handoffs and disconnections also degrade the security of wireless services.

  • Confidentiality/Privacy: The broadcast nature of the radio channel makes it easier for an outsider to tap into. Thus, communication can be intercepted and interpreted without difficulty if security mechanisms such as cryptographic encryption are not employed.

  • Identification and authentication: The mobility of wireless devices introduces an additional difficulty in identifying and authenticating mobile terminals.

  • Capability: Wireless devices usually have limited computation capability, memory size, communication bandwidth, and battery power. This makes it difficult to utilize high-level security schemes such as 256-bit encryption.

Security issues span the whole mobile commerce system, from one end to the other, from the top to the bottom network protocol stack, from machines to humans. We will focus only on issues exclusively related to mobile/wireless technologies. Lacking a unified wireless security standard, different wireless technologies support different aspects and levels of security features. We will thus discuss some well-known wireless network standards and their corresponding security issues.

Network Infrastructure and Security

Network infrastructure provides essential voice and data communication capability for consumers and vendors in cyberspace. When progressing from electronic commerce (EC) to mobile commerce (MC), it is necessary for a wired network infrastructure such as the Internet to be augmented by wireless networks that support mobility for end users. Mobile commerce is possible mainly because of the availability of wireless networks. User requests are delivered to either the closest wireless access point (in a wireless local area network environment) or abase station (in a cellular network environment). Although the wired network is not essential in a mobile commerce system, most mobile commerce servers reside on wired networks and user requests are frequently routed to these servers using transport and/or security mechanisms provided by wired networks. However our focus in this section is on the unique aspects of the mobile commerce network infrastructure, which is by definition a wireless mobile network, therefore we have chosen to omit any discussion of wired networks.

Wireless communication capability supports mobility for end users in mobile commerce systems. Wireless LAN and WAN are major components used to provide radio communication channels so that mobile service is possible. In the WLAN category, the Wi-Fi standard with 11 Mbps throughput dominates the current market, although it is expected that standards with much higher transmission speeds, such as IEEE 802.11a and 802.11g, will replace Wi-Fi in the near future. Cellular networking technologies are advancing at a tremendous pace and each represents a solution for a certain phase, such as 1G, 2G, and 3G, in a particular geographical area, such as the United States, Europe, or Japan. Compared to WLANs, cellular systems can provide longer transmission distances and greater radio coverage, but suffer from the drawback of much lower bandwidth (less than 1 Mbps). In the latest trend for cellular systems, 3G standards supporting wireless multimedia and high-bandwidth services are beginning to be deployed. WCDMA and CDMA2000 are likely to dominate the market in the future.

Wireless Local Area Networks and Security

The major WLAN standards are shown in Table 2. Security issues specific to WLANs can be dealt with in two ways:

Wi-Fi security. The security provisions in the IEEE 802.11 WLAN standard are based on the use of a data link level protocol called Wired Equivalent Privacy (WEP). When it is enabled, each mobile host has a secret key that is shared with the base station. The encryption algorithm used in WEP is a stream cipher based on RC4. The ciphertext is generated by XORing the plaintext with a RC4 generated keystream. However, recently published literature has discovered methods for breaking this approach . The next version, 802.11i, is expected to have better security.

Bluetooth security. Bluetooth provides security by using frequency hopping in the physical layer, sharing secret keys (called passkeys) between the slave and the master, encrypting communication channels, and controlling integrity. Encryption in Bluetooth is a stream cipher called "E0", while for integrity control a block cipher called "SAFER+" is used. However, "E0" has potential weaknesses and "SAFER+" is slower than the other similar symmetric-key block ciphers.

Wireless Wide Area Network and Security

As discussed earlier, the most important technology in this category is the cellular wireless network. GSM and UTMS systems use different approaches to deal with security issues.

GSM security. The Subscriber Identity Module (SIM) in the GSM contains the subscriber's authentication information, such as cryptographic keys, and a unique identifier called international mobile subscriber identity (IMSI). The SIM is usually implemented as a smart card consisting of microprocessors and memory chips. The same authentication key and IMSI are stored on GSM's network side in the authentication center (AuC) and home location register (HLR), respectively. In GSM, short messages are stored in the SIM and calls are directed to the SIM rather than the mobile terminal. This feature allows GSM subscribers to share a terminal with different SIM cards. The security features provided between GSM network and mobile station include IMSI confidentiality and authentication, user data confidentiality, and signaling information element confidentiality. One of the security weaknesses identified in GSM is the one-way authentication utilized, where only the mobile station is authenticated and the network is not. This can pose a security threat, as a compromised base station can launch a "man-in-the-middle" attack without being detected by mobile stations.

UMTS security. UMTS is designed to reuse and evolve from existing core network components of the GSM/GPRS and fix known GSM security weaknesses such as the one-way authentication scheme and optional encryption. Authentication in UMTS is mutual and encryption is mandatory (unless specified otherwise) in order to prevent message replay and modification. In addition, UMTS employs longer cryptographic keys and newer cipher algorithms, which make it inherently more secure than GSM/GPRS.

WAP and Security

Beyond the link-layer communication mechanisms provided by WLANs and cellular networks, the Wireless Application Protocol (WAP) is designed to work with all wireless networks. The most important technology applied by WAP is probably the WAP Gateway, which translates requests from the WAP protocol stack to the WWW stack so they can be submitted to Web servers. For example, requests from mobile stations are sent as a URL through the network to the WAP Gateway; responses are sent from the Web server to the WAP Gateway in HTML and are then translated to WML and sent to the mobile stations. Although WAP supports HTML and XML, its host language is WML (Wireless Markup Language), which is a markup language based on XML that is intended for use in specifying content and user interfaces for mobile stations. WAP also supports WMLScript, which is similar to JavaScript but makes minimal demands on memory and CPU power because it does not contain many of the unnecessary functions found in other scripting languages.

WAP security is provided through the Wireless Transport Layer Security (WTLS) protocol (in WAP 1.0) and IETF standard Transport Layer Security (TLS) protocol (in WAP 2.0). They provide data integrity, privacy, and authentication. One security problem, known as the "WAP Gap" is caused by the inclusion of the WAP gateway in a security session. That is, encrypted messages sent by end systems might temporarily become clear text on the WAP gateway when messages are processed. One solution is to make the WAP gateway resident within the enterprise (server) network , where heavyweight security mechanisms can be enforced.
Top 10
Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
3 Tips for Maintaining Your Cell Phone Battery (part 1) - Charge Smart
OPEL MERIVA : Making a grand entrance
FORD MONDEO 2.0 ECOBOOST : Modern Mondeo
BMW 650i COUPE : Sexy retooling of BMW's 6-series
BMW 120d; M135i - Finely tuned
PHP Tutorials : Storing Images in MySQL with PHP (part 2) - Creating the HTML, Inserting the Image into MySQL
PHP Tutorials : Storing Images in MySQL with PHP (part 1) - Why store binary files in MySQL using PHP?
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular Tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS