Mobile signature


A mobile signature is a digital signature generated either on a mobile phone or on a SIM card.


Origins of the term

mSign

The term first appeared in articles introducing mSign (short for Mobile Electronic Signature Consortium), founded in 1999 with 35 member companies. In October 2000 the consortium published an XML interface defining a protocol by which service providers could obtain a mobile (digital) signature from a mobile phone subscriber.

In 2001, mSign gained industry-wide coverage when it became apparent that Brokat (one of the founding companies) had also obtained a process patent in Germany on using the mobile phone to generate digital signatures.

MoSign project and standardization attempt

The MoSign project (short for mobile signature) initiated by the companies Deutsche Bank, Ericsson, Materna, Microsoft, Sema Group, Siemens and TC TrustCenter was meant to demonstrate the deployment of electronic signatures using a "mobile signing device".

The mobile signing device comprised a Siemens IC35 organizer with an integrated WAP browser and a smart card reader. The user connected the IC35 via its IrDA interface to an Internet-enabled mobile device, so that the IC35's WAP browser could load WAP pages from a remote server. To generate a mobile signature the user inserted a smart card into the IC35's card slot: the private key was stored on the smart card, and the signing application was based on the WAP 1.2 Crypto SignText implementation in the WAP browser stack.

In March 2001, four German banks (Deutsche Bank, Commerzbank, Dresdner Bank and HypoVereinsbank) announced that they would take up the findings of the MoSign project and develop them into a single standard for electronic signatures used with mobile devices in financial services.

ETSI-MSS standardization

The term was then used by Paul Gibson (G&D) and Romary Dupuis (France Telecom) in their standardisation work at the European Telecommunications Standards Institute (ETSI), published in ETSI Technical Report TR 102 203.

The ETSI Mobile Signature Service (MSS) specifications define an XML web service interface (ETSI TS 102 204) and mobile signature roaming between operators (ETSI TS 102 207) for systems implementing mobile signature services.

Mobile signatures today

A mobile signature can be the legal equivalent of a handwritten ("wet") signature, hence the commercial term "Mobile Ink", coined by Sicap. Other commercial terms include "Mobile ID" (Valimo) and "Mobile Certificate" (Mobiilivarmenne), the latter used by a circle of trust of three Finnish mobile network operators implementing a roaming mobile signature framework.

According to the EU directive on electronic signatures,[1] a mobile signature can have the same legal standing as a handwritten signature if all components in the signature creation chain are appropriately certified. The governing standards for signature creation devices are those referenced in Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC (Official Journal L 175, 15.7.2003),[2] namely the CEN Workshop Agreements for trustworthy systems and for secure signature-creation devices. A qualified electronic signature in the Directive's sense requires both a qualified certificate and a secure signature-creation device; the latter requirement is typically demonstrated by a Common Criteria evaluation by an independent party at assurance level EAL4+. As of 2012 these standards, dating from 2002/2003, were being renewed, with publication expected by the end of 2012.[3] Most, if not all, mobile signature implementations to date produce what the Directive calls an advanced electronic signature rather than a qualified one. Directive 1999/93/EC has since been repealed by the eIDAS Regulation (EU) No 910/2014, effective 1 July 2016, which retains the distinction between advanced and qualified electronic signatures.

The most successful mobile signature solutions can be found in Turkey,[4] Estonia[5] and Finland[6][7] with millions of users.

A mobile signature is created by entering a secret code (the signing PIN) on the signing device, for example the mobile phone. The PIN unlocks the signing key held in the key storage token (for example an RSA private key stored in a secure environment such as the SIM card), which then applies a signature algorithm to a hash of the chosen text to produce the digital signature. The private key itself never leaves the token.

Each mobile signature can be linked to a digital certificate (an electronic record issued by a certification authority) that binds the corresponding public key to the signer's real-world identity, so that a relying party can verify both the signature and who made it.

Thus, the mobile signature is a distinctive means of:

  • Proving one's real-world identity to third parties without face-to-face contact
  • Making a legally binding commitment by sending a signed confirmation message to another party
  • Addressing identity-confirmation problems of the online world

Mobile Ink

Mobile Ink combines high security with user-friendly access to digital services that require strong authentication and authorisation; subscribers can use it for mobile signature access to m-banking or corporate applications, for example. Mobile Ink is a commercial term for the mobile signature solution of Sicap.

Mobile ID

Valimo Wireless, a Gemalto company, was the first company to bring mobile signature solutions to market and coined the term Mobile ID. The initial mobile signature solution in Turkey, operated by Turkcell, used Valimo technology.[8][9] Valimo Mobile ID is currently in use in several countries.

Mobiilivarmenne

Mobile Certificate (Mobiilivarmenne in Finnish) is the term used in the Finnish market for the roaming mobile signature solution deployed by the three mobile network operators Elisa, Sonera and DNA.

Security issues

Depending on the scheme employed, authentication may still be vulnerable to man-in-the-middle attacks and trojan horses.[10] One-time-password generators and other two-factor authentication schemes do not fully address man-in-the-middle attacks on an open network such as the Internet, because the second factor proves only who is present, not what is being agreed to. Supporting Internet authentication with a parallel, closed network (the mobile/GSM network) and a signature-enabled SIM card is among the strongest defences available today against such attacks. If the application provider shows a detailed description of the transaction to be signed both on its website and in the signing request sent to the handset via the mobile operator, a manipulated transaction can be recognised by the user by comparing the two screens, and a signature over the displayed text cannot be reused for a different transaction. This protection depends on the subscriber actually comparing the two descriptions; a trojan on the handset itself falls outside the model. Because operators do not accept signing requests from anonymous third parties, the cost and technical difficulty of inserting oneself between the application provider and the mobile operator make that link an improbable attack target.
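The signing flow described above (a PIN-unlocked private key on the SIM, a signature over exactly the text displayed to the subscriber, a public key that a certificate binds to the subscriber) and the provider-side half of the screen-comparison defence against a man in the middle, as an added Go example written for this article; it is not the code of any ETSI MSS implementation, operator or vendor. It also models on-board key generation (the SIM generates its own key pair and exports only the public key), as in the Turkcell service described in the next section. Assumptions: RSASSA-PKCS1-v1_5 with SHA-256 as the signature algorithm, a three-try PIN retry counter, and constructed transaction strings; the names simSigner, newSIMSigner and verifyTransaction are invented for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// maxTries: wrong PINs tolerated before the signing key is blocked, mirroring
// the retry counter of a real SIM PIN (assumed value for this example).
const maxTries = 3

var (
	errBadPIN  = errors.New("wrong signing PIN")
	errBlocked = errors.New("signing key blocked after too many wrong PINs")
)

// simSigner models a signature-enabled SIM: key pair generated on board,
// private key never exported, every signature gated by the signing PIN.
type simSigner struct {
	key      *rsa.PrivateKey
	pin      string
	failures int
	blocked  bool
}

// newSIMSigner performs on-board key generation with a PIN chosen by the
// subscriber, so the operator never has to distribute PINs.
func newSIMSigner(bits int, pin string) (*simSigner, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &simSigner{key: key, pin: pin}, nil
}

// PublicKey is the only part of the key pair that leaves the card; it is what
// a certification authority binds to the subscriber's identity in a certificate.
func (s *simSigner) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }

// Sign returns an RSASSA-PKCS1-v1_5/SHA-256 signature over exactly the text
// shown on the handset display, or an error if the PIN is wrong or blocked.
func (s *simSigner) Sign(pin, displayedText string) ([]byte, error) {
	if s.blocked {
		return nil, errBlocked
	}
	if pin != s.pin {
		s.failures++
		if s.failures >= maxTries {
			s.blocked = true
		}
		return nil, errBadPIN
	}
	s.failures = 0
	digest := sha256.Sum256([]byte(displayedText))
	return rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest[:])
}

// verifyTransaction is the application provider's acceptance check: the
// signature must verify under the subscriber's certified public key AND the
// signed text must equal the transaction the provider is about to execute.
// A man in the middle who altered the transaction on the Internet leg fails
// the second check, because the subscriber signed what the phone displayed.
func verifyTransaction(pub *rsa.PublicKey, expected, signedText string, sig []byte) error {
	digest := sha256.Sum256([]byte(signedText))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	if signedText != expected {
		return fmt.Errorf("signed text %q does not match transaction %q", signedText, expected)
	}
	return nil
}

func main() {
	sim, err := newSIMSigner(2048, "1234")
	if err != nil {
		panic(err)
	}
	// Constructed transaction text, as it would be relayed to the phone by the operator.
	tx := "Transfer EUR 100.00 to FI21 1234 5600 0007 85, ref 2008-03-10/17"
	sig, _ := sim.Sign("1234", tx)
	fmt.Println("honest transaction:", verifyTransaction(sim.PublicKey(), tx, tx, sig))

	// Attacker changed the payee on the Internet leg while the phone displayed tx.
	altered := "Transfer EUR 100.00 to DE89 3704 0044 0532 0130 00, ref 2008-03-10/17"
	fmt.Println("altered transaction:", verifyTransaction(sim.PublicKey(), altered, tx, sig))

	// Repeated wrong PINs block the key; the next attempt reports errBlocked.
	for i := 0; i <= maxTries; i++ {
		_, err = sim.Sign("0000", tx)
	}
	fmt.Println("after wrong PINs:", err)
}
```

The human half of the defence, the subscriber comparing the text on the handset with the text on the website before entering the PIN, is not modelled: if the provider submits the attacker's altered text for signing, it is the subscriber who must notice and refuse.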

Mobile signature with on-board key generation

Turkcell was the first provider of a mobile signature service with "on-board key generation", which lets customers generate their signing and verification key pair on the SIM card after they receive it. GSM operators therefore do not need to distribute signing PINs to customers; customers set their own PIN and can renew it themselves.[11]

Sources for the origins of the term

  • mSign: announcement of the formation of mSign (in German only), 17 October 2000[12]
  • MoSign: Materna Monitor, company magazine, December 2004[13]
  • MoSign: International Herald Tribune tech brief, 26 March 2001[14]
  • Mobil İmza: Turkcell Mobil İmza, 10 March 2008[15][16]

References