Mobile signature

From Wikipedia, the free encyclopedia
Jump to: navigation, search

A mobile signature is a digital signature generated either on a mobile phone or on a SIM card on a mobile phone.

Origins of the term[edit]


The term first appeared in articles introducing mSign (short for Mobile Electronic Signature Consortium). It was founded in 1999 and comprised 35 member companies. In October 2000, the consortium published an XML-interface defining a protocol allowing service providers to obtain a mobile (digital) signature from a mobile phone subscriber.

In 2001, mSign gained industry-wide coverage when it came apparent that Brokat (one of the founding companies) also obtained a process patent in Germany for using the mobile phone to generate digital signatures.

ETSI-MSS standardization[edit]

The term was then used by Paul Gibson (G&D) and Romary Dupuis (France Telecom) in their standardisation work at the European Telecommunications Standards Institute (ETSI) and published in ETSI Technical Report TR 102 203.

The ETSI-MSS specifications define a SOAP interface and mobile signature roaming for systems implementing mobile signature services. ETSI TS 102 204, and ETSI TS 102 207.

Mobile signatures today[edit]

The mobile signature can have the legal equivalent of your own wet signature, hence the term "Mobile Ink", commercial term coined by Swiss Sicap. Other terms include "Mobile ID" by Valimo Wireless, "Mobile Certificate" by a circle of trust of 3 Finnish mobile network operators implementing a roaming mobile signature framework Mobiilivarmenne, etc.

According to the EU directives for electronic signatures[1] the mobile signature can have the same level of protection as the hand written signature if all components in the signature creation chain are appropriately certified. The governing standard for the mobile signature creation devices and equivalent of a hand written signature is described in the Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council Official Journal L 175, 15.7.2003.[2] If the signature solution is Common Criteria evaluated by an independent party and given the EAL4+ designation, the solution can produce what the EU directive and consequent clarifications are calling a qualified electronic signature. The current standard dates back to the year 2002/2003 and is in the process being renewed and published by the end of 2012.[3] Most, if not all, mobile signature implementations to date generate what the EU Directive is calling advanced electronic signature.

The most successful mobile signature solutions can be found in Turkey,[4] Lithuania,[5] Estonia[6] and Finland[7][8] with millions of users.

Technically the mobile signature is created by a security module when a request for it reaches the device (SIM card,) and after introducing the request to the user with a few explanation prompts, the device asks for a secret code that only the correct user should know. Usually this is in form of a PIN. If the access control secret was entered correctly, the device is approved with access to secret data containing for example RSA private key, which is then used to do the signature or other operations that the request wanted.

The PKI system associates the public key counterpart of the secret key held at the secure device with a set of attributes contained in a structure called digital certificate. The choice of the registration procedure details during the definition of the attributes included in this digital certificate can be used to produce different levels of identity assurance. Anything from anonymous but specific to high-standard real-word identity. By doing a signature, the secure device owner can claim that identity.

Thus, the mobile signature is a unique feature for:

  • Proving your real-world identity to third parties without face-to-face communications
  • Making a legally-binding commitment by sending a confirmed message to another party
  • Solve security problems of the online world with identity confirmation (an anonymous but specific identity is often equally good as a high-standards identity)

Public Services[edit]

Estonian Mobile-ID[edit]

See [2].

Mobile Ink (Finland)[edit]

Mobile Ink[9] unites high security and user-friendly access to digital services which require strong authentication and authorization. Subscribers can get mobile signature access to m-banking or corporate applications for example. Mobile Ink is a commercial term associated with the mobile signature solution of Sicap building on Kiuru MSSP platform[10] by Methics Oy.[11][12]

The platform allows simultaneous existence of multiple keys and associated identities with distinct registration procedures. This is used for example as a replacement for RSA SecureID dongles with anonymous but specific identity in corporate access applications.

Mobiilivarmenne (Finland)[edit]

Mobile Certificate i.e. Mobiilivarmenne[13] in Finnish is a term used in the Finnish market space to describe the roaming mobile signature solution deployed by the three mobile network operators Elisa, Sonera, and DNA.

This setup was developed in all three operators co-operation under national Telecom technology coordination group FiCom, and it is world's first system where a fully functional co-operating ETSI TS 102 207 roaming service mesh was established in multi-vendor software environment. Another national feature is that mobile phone numbers are portable across the operators, and thus the phone number prefix does not identify the operator. To make things easy for the Application Providers (see ETSI TS 102 204), they can purchase service from any one of the Acquiring Entity service providers (mobile network operators), and reach all users.

Part of the background was update of national laws allowing digital Person Identity Certificates (for Mobiilivarmenne use) to be issued also by other parties than official registration authorities via Police offices. Another part was co-operation agreement between the operators on the form of the certificates, and certification procedures and practices producing similar certificate contents with similar identity issuance traceability. All of these were reviewed and approved by the Finnish Communication Regulatory Authority which tasks include the oversight of the identity registration services also at government registries.

The MSSP software vendors in the service mesh are Methics Oy, and Valimo Wireless. Both Finnish companies.

Moldavian Mobile-ID[edit]

MPass [5]

Handy-Signatur in Austria[edit]

Austria started mobile signature by 2003, as a technology of Bürgerkarte (which includes electronic signing with SmartCards). It was provided bei mobilkom Austria, but ended in 2007. After a relaunch in 2009, named Handy-Signatur, it is well used, by 2014 over 300.000 people, 5% of the adult inhabitants, own a registered mobile signature. It is controlled by Austrian Government, National Bank and Graz University of Technology. It is based on a TAN sent bei SMS on request and confirmed with a private PIN.[14] According to 1999/93/EG signing by Handy-Signature is completely equivalent to a handwritten autograph.

Technology Providers[edit]

Mobile ID[edit]

Valimo Wireless, a Gemalto company, was the first company in the world to introduce mobile signature solutions into the market and creating the term Mobile ID. The initial mobile signature solution in Turkey by Turkcell used Valimo technology to implement the very successful mobile signature solution.[15][16] Currently Valimo Mobile ID is in use in several countries.

Kiuru MSSP[edit]

Methics Oy is a privately held Finnish technology company with strong expertise on PKI and MSSP services. The Kiuru MSSP product line is used directly and as OEM product by several service and solution providers.

G&D SmartTrust[edit]

G&D SmartTrust is the original supplier of SIM card embedded WAP browsers with encryption plugins developed in late 1990es, it is called WIB (Wireless Internet Browser.)[6] The WIB technology is licensed by the SmartTrust to many SIM card manufacturers, and the mobile network operators can choose to use cards with WIB capabilities in their normal user base immediately enabling them for use of the MSSP services. SmartTrust's MSSP offering is called SmartLicentio.

Security Issues[edit]

Authentication may still be vulnerable to man in the middle attacks and trojan horses, depending on the scheme employed.[17] Schemes like one-time-password-generators and two-factor authentication does not completely solve man in the middle attacks on an open network like the Internet. However, supporting the authentication on the Internet with a parallel closed network like mobile/GSM and a digital signature enabled SIM card is the most secure method today against the man in the middle attack. If application provider provides a detailed explanation of the transaction to be signed both on its Internet site and signing request to mobile operator, the attack can easily be recognized by the individual by comparing both screens. Since mobile operators do not let applications to send signing request for free, normally the cost and technicality of intrusion between the application provider and the mobile operator makes it an improbable attack target. Very least there are trace evidences in multiple places for the attack to have happened.

Mobile Signature with On Board Key Generation[edit]

When a mobile user creates their sPIN (Signing PIN) and secret key online within the secure SIM card during the registration process, this is known as "On Board Key Generation".[18] This requires a bit more interaction on user's behalf while registering, but on the other hand it makes the security mode interaction process familiar and lets them practice service usage. Also when the user forgets/locks the PIN associated with generated key, it is simple to generate a new key and assign it a new sPIN destroying the previous versions using same process as with original registration, and most importantly: without need for replacement of the SIM card. In these systems there is commonly no secondary signing PIN unblocking code (sPUK) at all, because revelation of such a code has identical requirements for the requesting person's identity verification as was with original person's identity registration.[19]

Compare this with older "factory generated keys" model for older technology SIM cards that had insufficient processing power to do the "On Board Key Generation". The SIM card factory ran key generation with special hardware accelerator and stored the key material on card along with initial sPIN and sPUK codes. Sometimes actual generation happened within the SIM card that was running in special manufacturing mode. After the generation the capability of doing it at all was usually disabled by blowing a special control fuse. Delivery of in particular the sPUK codes creates considerable security information logistics problems, which can entirely be avoided with the use of the "On Board Key Generation".

Turkcell was the first provider to roll out a mobile signature service with "On Board Key Generation" functionality, which enables customers to create their signing and validation key pair, after they get the simcard. In this way GSM operators do not need to distribute signing PINs to customers. Customers can create their sPIN anew, on their own.[20]

In introduction of the Finnish Mobiilivarmenne[21] service in 2010, only one out of three operators chose to use this "On Board Key Generation" capability with user interaction. Cited reasons claimed it to be too hard for the user. Actual experience did show that those without it created easily non-functional registrations without any online indication of the status, while usage of "On Board Key Generation" always resulted in positive indication of success when the service became fully functional for the user. Also if a mobile phone version had issues with SIM Application Toolkit protocol, that became evident immediately during a registration process using "On Board Key Generation."

Sources for the origins of the term[edit]

  • mSign: Announcement of MSign formation (in German only), 17.10.2000[22]
  • MoSign: Materna Monitor - company magazine, December 2004[23]
  • MoSign: International Herald Tribune tech brief, 26.3.2001[24]
  • MobilImza: Turkcell Mobil Imza 10.3.2008[25][26]