Mobile signature

A mobile signature is a digital signature generated on a mobile phone, either by the handset itself or by the SIM card inside it.

Origins of the term

mSign

The term first appeared in articles introducing mSign (short for Mobile Electronic Signature Consortium), which was founded in 1999 and comprised 35 member companies. In October 2000 the consortium published an XML interface defining a protocol that lets service providers obtain a mobile (digital) signature from a mobile phone subscriber.

In 2001, mSign gained industry-wide coverage when it became apparent that Brokat (one of the founding companies) had also obtained a process patent in Germany for using the mobile phone to generate digital signatures.

ETSI-MSS standardization

The term was then used by Paul Gibson (G&D) and Romary Dupuis (France Telecom) in their standardisation work at the European Telecommunications Standards Institute (ETSI), published in ETSI Technical Report TR 102 203.

The ETSI MSS specifications, ETSI TS 102 204 and ETSI TS 102 207, define a SOAP interface and mobile signature roaming for systems implementing mobile signature services.

Today

A mobile signature can carry the same legal weight as a handwritten (wet-ink) signature, hence the term "Mobile Ink", a commercial term coined by the Swiss company Sicap. Other terms include "Mobile ID" and "Mobile Certificate" (Mobiilivarmenne), the latter used by a circle of trust of three Finnish mobile network operators implementing a roaming mobile signature framework.

Under the EU framework for electronic signatures [1], a mobile signature can have the same legal standing as a handwritten signature if every component in the signature-creation chain is appropriately certified. The governing standard for signature-creation devices whose output is treated as equivalent to a handwritten signature is laid down in Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products under the Electronic Signatures Directive. [2] If the signature solution is Common Criteria evaluated by an independent party and achieves EAL4+, it can produce what the directive and its subsequent clarifications call a qualified electronic signature: an advanced electronic signature based on a qualified certificate and created with a secure signature-creation device. The standard dates from 2002/2003 and was being renewed for publication by the end of 2012. [3] Most, if not all, mobile signature implementations to date produce what the directive calls an advanced electronic signature; the distinction matters because only the qualified form is automatically equivalent to a handwritten signature. Directive 1999/93/EC has since been repealed by Regulation (EU) No 910/2014 (eIDAS), which keeps the advanced/qualified distinction.

The most successful mobile signature solutions can be found in Turkey, [4] Lithuania, [5] Estonia [6] and Finland, [7] [8] with millions of users.

Technically, the mobile signature is created by a security module (on the SIM card) when a signature request reaches the device. After presenting the request to the user with a few explanatory prompts, the device asks for a secret that only the legitimate user should know, usually a PIN. If the PIN is entered correctly, the module unlocks the protected key material, for example an RSA private key, and uses it to compute the signature or perform whatever other operation the request asked for. The private key never leaves the module; a wrong PIN decrements a retry counter, and exhausting the counter blocks the key.

The PKI associates the public-key counterpart of the private key held in the secure device with a set of attributes in a structure called a digital certificate. The registration procedure used to establish those attributes determines the level of identity assurance the certificate carries: anything from an anonymous but specific (pseudonymous, yet stable) identity to a fully verified real-world identity. By producing a signature, the holder of the secure device asserts that identity, and a relying party should check both the signature and the assurance level before acting on it.
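The PIN-gated signing step and the certificate binding just described, shown as an added Go example that is not code from this page or from any product named on it. It stands in an ECDSA P-256 key for the RSA key mentioned in the text, models the certificate as a plain struct rather than X.509, and uses a hypothetical two-level assurance scale; the three-try lockout, the decrement-before-compare order and the sample payment text are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Assurance is the identity assurance level the registration authority put
// into the certificate (a hypothetical two-level scale for this example).
type Assurance int

const (
	Pseudonymous Assurance = iota // anonymous but specific: stable key, holder not identified
	Verified                      // real-world identity checked at registration
)

// Certificate is a minimal stand-in for the X.509 certificate that binds the
// subscriber's public key to the registered attributes.
type Certificate struct {
	Subject   string
	Level     Assurance
	PublicKey *ecdsa.PublicKey
}

const maxPINTries = 3 // assumed retry limit

var (
	ErrLocked   = errors.New("signing key locked: PIN retry counter exhausted")
	ErrWrongPIN = errors.New("wrong PIN")
)

// SimApplet models the security module on the SIM. The private key is
// generated inside it and never exported; only Public() leaves the module.
type SimApplet struct {
	priv      *ecdsa.PrivateKey
	pin       []byte
	triesLeft int
}

// NewSimApplet generates the key pair on the card and sets the signing PIN.
func NewSimApplet(pin string) (*SimApplet, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SimApplet{priv: priv, pin: []byte(pin), triesLeft: maxPINTries}, nil
}

func (s *SimApplet) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }
func (s *SimApplet) TriesLeft() int           { return s.triesLeft }

// Sign is the SIM's reaction to a signing request: the text has been shown,
// the PIN has been entered, and the key is used only if the PIN matches. The
// retry counter is decremented before the comparison, as smart cards do, so
// that cutting power during the check cannot preserve an attempt.
func (s *SimApplet) Sign(displayText, pinEntered string) ([]byte, error) {
	if s.triesLeft == 0 {
		return nil, ErrLocked
	}
	s.triesLeft--
	if subtle.ConstantTimeCompare(s.pin, []byte(pinEntered)) != 1 {
		if s.triesLeft == 0 {
			return nil, ErrLocked
		}
		return nil, ErrWrongPIN
	}
	s.triesLeft = maxPINTries // a correct PIN resets the counter
	digest := sha256.Sum256([]byte(displayText))
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Verify is the relying party's side: the signature must verify under the key
// in the certificate, and the certificate's assurance level must be enough.
func Verify(cert Certificate, displayText string, sig []byte, need Assurance) error {
	digest := sha256.Sum256([]byte(displayText))
	if !ecdsa.VerifyASN1(cert.PublicKey, digest[:], sig) {
		return errors.New("signature does not verify under the certified key")
	}
	if cert.Level < need {
		return fmt.Errorf("assurance level %d below required %d", cert.Level, need)
	}
	return nil
}

func main() {
	applet, _ := NewSimApplet("1234")
	cert := Certificate{Subject: "CN=Example Subscriber", Level: Verified, PublicKey: applet.Public()}
	text := "Pay 120.00 EUR to FI00 0000 0000 0000 00, ref 4711" // constructed sample request
	sig, _ := applet.Sign(text, "1234")
	fmt.Println("verified with correct PIN:", Verify(cert, text, sig, Verified) == nil)
	var err error
	for i := 0; i < maxPINTries; i++ {
		_, err = applet.Sign(text, "0000")
	}
	fmt.Println("after three wrong PINs:", err)
}
```

The relying party checks the assurance level separately from the signature because a pseudonymous certificate and a fully verified one are cryptographically indistinguishable: both signatures verify, and only the registered attributes say who is behind the key.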

Mobile signatures are deployed in the following public services and by the following technology providers.

Public services

Estonian Mobile-ID

See .

ParsMSS in Iran

The Pars Mobile Signature Services project (ParsMSS) has been designed and produced in Iran since 2011, the first such service in the country. ParsMSS can be provided in two ways: SIM-based and SIM-less. A Registration Authority (RA) connects to the service and issues the electronic certificate either in person or remotely. With this service, financial transactions and documents can be signed digitally.

Mobile Ink (Finland)

Mobile Ink [9] combines high security with user-friendly access to digital services that require strong authentication and authorisation; subscribers can, for example, get mobile signature access to m-banking or corporate applications. Mobile Ink is a commercial term for Sicap's mobile signature solution, which builds on the Kiuru MSSP platform [10] by Methics Oy. [11] [12]

The platform allows multiple keys, each with its own identity and its own registration procedure, to coexist on one card. This is used, for example, to replace RSA SecurID tokens in corporate access applications with an anonymous but specific (pseudonymous) identity.

Mobiilivarmenne (Finland)

Mobile Certificate, i.e. Mobiilivarmenne [13] in Finnish, is the term used in the Finnish market for the roaming mobile signature solution deployed by the three mobile network operators Elisa, Sonera and DNA.

This setup was developed cooperatively by the three operators under FiCom, the national telecom technology coordination group, and it is the world's first system in which a fully functional ETSI TS 102 207 roaming service mesh was established in a multi-vendor software environment. Another national feature is that mobile phone numbers are portable across operators, so the number prefix does not identify the operator and a request cannot be routed to the subscriber's home operator by prefix alone. To make things easy for Application Providers (see ETSI TS 102 204), they can buy the service from any one of the Acquiring Entity service providers (the mobile network operators) and reach all users.

Part of the background was an update of national laws allowing digital person identity certificates (for Mobiilivarmenne use) to be issued by parties other than the official registration authorities at police offices. Another part was a cooperation agreement between the operators on the form of the certificates and on certification procedures and practices, producing similar certificate contents with similar traceability of identity issuance. All of this was reviewed and approved by the Finnish Communications Regulatory Authority, whose tasks include oversight of identity registration services, including those at government registries.

Mobile ID in Ukraine

In Ukraine, the Mobile ID project started in 2015 and was later declared one of the Government of Ukraine's priorities, supported by the EU. At the beginning of 2018 Ukrainian mobile operators were evaluating proposals and testing platforms from various local and foreign developers; platform selection is to be followed by a comprehensive certification process. A list of cryptographic information protection tools (and manufacturers) legally allowed for use in Ukraine (as of 19 February 2018) is published by the state special communications service. [14]

Moldavian Mobile-ID

MPass

Handy-Signatur in Austria

Austria started with mobile signatures in 2003, as a technology of the Bürgerkarte (citizen card, which also covers electronic signing with smart cards). It was provided by mobilkom Austria but ended in 2007. After a relaunch in 2009 under the name Handy-Signatur it became widely used: by 2014 over 300,000 people, 5% of the adult population, held a registered mobile signature. It is controlled by the Austrian government, the National Bank and Graz University of Technology. It is based on a TAN sent by SMS on request and confirmed with a personal PIN. [15] Under Directive 1999/93/EC, signing with the Handy-Signatur is fully equivalent to a handwritten signature.

Technology providers

Mobile ID

Valimo Wireless, a Gemalto company, was the first company to bring mobile signature solutions to market and coined the term Mobile ID. The initial mobile signature solution in Turkey, by Turkcell, used Valimo technology and became very successful. [16] [17] Valimo Mobile ID is currently in use in several countries.

Kiuru MSSP

Methics Oy is a privately held Finnish technology company with strong expertise in PKI and MSSP services. The Kiuru MSSP product line is used directly and as an OEM product by several service and solution providers.

ID HUB – Mobile ID

The Mobile ID platform by Innovation Development HUB LLC is described as the only electronic identification and mobile signature solution to have passed state certification in Ukraine. It supports both post-Soviet and European cryptographic algorithms, which makes the platform suitable for both CIS and EU PKIs.

G&D SmartTrust

G&D SmartTrust is the original supplier of SIM-card-embedded WAP browsers with encryption plug-ins, developed in the late 1990s and called WIB (Wireless Internet Browser). SmartTrust licenses the WIB technology to many SIM card manufacturers, so mobile network operators can choose WIB-capable cards for their normal user base and immediately enable them for MSSP services. SmartTrust's MSSP offering is called SmartLicentio.

Security issues

Authentication may still be vulnerable to man-in-the-middle attacks and trojan horses, depending on the scheme employed. [18] Schemes like one-time-password generators and two-factor authentication do not by themselves defeat man-in-the-middle attacks on open networks such as the Internet. [19] Backing Internet authentication with a parallel, closed network (mobile/GSM) and a digital-signature-enabled SIM card is among the strongest defences available against this class of attack. If the application provider shows a detailed description of the transaction to be signed both on its website and in the signing request sent via the mobile operator, the user can recognise an attack simply by comparing the two screens; this protection relies on the signature covering exactly the text displayed on the phone, so that what was seen is what was signed. Since mobile operators do not let applications send signing requests for free, the cost and technical effort of intruding between the application provider and the mobile operator make that link an improbable target. Nonetheless, there has been evidence in multiple places of attacks occurring.
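The screen-comparison defence and its limits, as an added Go example that is not code from this page or from any vendor named on it. It assumes an ECDSA P-256 key on the SIM, a hypothetical Transaction record, and that the SIM signs exactly the text it displays; the three scenarios (honest, man-in-the-middle in the web session, attacker substituting the phone text) are constructed, and the PIN step is left out because it does not affect the comparison.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is what the application provider (AP) will execute if the
// signature verifies. The fields are hypothetical; the page fixes no format.
type Transaction struct {
	TransID string // unique per request, so a captured signature cannot be replayed
	Amount  string
	Payee   string
}

// DisplayText renders the exact string the AP puts into the signing request.
// The MSSP forwards it unchanged to the SIM, which shows it and signs it, so
// the phone screen and the AP's own record are comparable byte for byte.
func DisplayText(tx Transaction) string {
	return fmt.Sprintf("Pay %s to %s (ref %s)", tx.Amount, tx.Payee, tx.TransID)
}

// Phone stands in for the SIM security module.
type Phone struct{ priv *ecdsa.PrivateKey }

func NewPhone() (*Phone, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Phone{priv: priv}, nil
}

// Sign signs exactly the text shown on the phone's screen, nothing else.
func (p *Phone) Sign(shown string) ([]byte, error) {
	digest := sha256.Sum256([]byte(shown))
	return ecdsa.SignASN1(rand.Reader, p.priv, digest[:])
}

// UserCompares is the human step: the user enters the PIN only if the phone
// screen matches what they intended on the web page.
func UserCompares(shown string, intended Transaction) bool {
	return shown == DisplayText(intended)
}

// APVerifies checks the signature over the display text of the transaction
// the AP itself holds, never over text supplied back by the network.
func APVerifies(pub *ecdsa.PublicKey, apHolds Transaction, sig []byte) bool {
	digest := sha256.Sum256([]byte(DisplayText(apHolds)))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Outcome of one signing round.
type Outcome struct {
	UserSigned bool // user saw the expected text and entered the PIN
	APAccepted bool // the AP's verification succeeded
}

// RunFlow simulates one transaction. intended is what the user typed in the
// browser; apHolds is what reached the AP (a MITM in the web session may have
// changed it); shown is the text that reaches the SIM, which an attacker
// between AP and MSSP might try to substitute.
func RunFlow(p *Phone, intended, apHolds Transaction, shown string) (Outcome, error) {
	if !UserCompares(shown, intended) {
		return Outcome{}, nil // user declines: the two screens differ
	}
	sig, err := p.Sign(shown)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{UserSigned: true, APAccepted: APVerifies(&p.priv.PublicKey, apHolds, sig)}, nil
}

func main() {
	phone, err := NewPhone()
	if err != nil {
		panic(err)
	}
	intended := Transaction{TransID: "4711", Amount: "120.00 EUR", Payee: "FI00 0000 0000 0000 00"} // constructed
	tampered := intended
	tampered.Payee = "FI99 9999 9999 9999 99" // what a MITM in the web session substitutes

	honest, _ := RunFlow(phone, intended, intended, DisplayText(intended))
	webMITM, _ := RunFlow(phone, intended, tampered, DisplayText(tampered))
	textSwap, _ := RunFlow(phone, intended, tampered, DisplayText(intended))
	fmt.Printf("honest: %+v\nweb MITM, user sees wrong payee: %+v\nattacker fakes phone text: %+v\n",
		honest, webMITM, textSwap)
}
```

The two attack scenarios fail for different reasons: a change made in the web session shows up on the phone and the user refuses to enter the PIN, while an attacker who rewrites the phone text to look legitimate gets a signature over the wrong bytes, which the AP rejects. What neither check catches is a trojan on the handset itself that alters what the user sees.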

With on-board key generation

When a mobile user creates the sPIN (signing PIN) and the private key online within the secure SIM card during registration, this is known as "on-board key generation" (OBKG). [20] It requires a little more interaction from the user at registration time, but it makes the security-mode interaction familiar and lets the user practise using the service. When the user forgets the PIN or locks the key, a new key can simply be generated and assigned a new sPIN, destroying the previous key, using the same process as the original registration, and, most importantly, without replacing the SIM card. In such systems there is commonly no secondary signing PIN unblocking code (sPUK) at all, because handing out such a code demands the same verification of the requester's identity as the original registration did. [21]

Compare this with the older "factory-generated keys" model used for SIM cards that lacked the processing power for on-board key generation. The SIM card factory ran key generation on special hardware accelerators and stored the key material on the card together with the initial sPIN and sPUK codes. Sometimes the generation happened inside the SIM card running in a special manufacturing mode, after which the capability was usually disabled permanently by blowing a control fuse. Delivering the sPIN and in particular the sPUK codes to the subscriber creates considerable secret-logistics problems, which on-board key generation avoids entirely.

Turkcell was the first provider to roll out a mobile signature service with on-board key generation, which lets customers create their own signing and validation key pair after they receive the SIM card. GSM operators therefore need not distribute signing PINs to customers; customers choose their sPIN themselves. [22]

When the Finnish Mobiilivarmenne [23] service was introduced in 2010, only one of the three operators chose to use on-board key generation with user interaction; the others cited it as too hard for the user. Experience showed the opposite: registrations done without it easily ended up non-functional with no online indication of their status, whereas on-board key generation always gave a positive indication of success once the service was fully functional for the user. It also exposed immediately, during registration, any phone model with SIM Application Toolkit protocol problems.
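The on-board key generation life cycle described in this section, as an added Go example that is not the Kiuru, Alauda or SmartTrust implementation or any other code from this page. It assumes ECDSA P-256 keys, a registration authority modelled as an in-memory record, and a Block() call standing in for an exhausted sPIN retry counter; the sPIN values and signed texts are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var ErrBlocked = errors.New("sPIN blocked: re-register to get a new key (there is no sPUK)")

// RegistrationAuthority holds the public key currently certified for one
// subscriber and the keys it has revoked. It never sees a private key, a sPIN
// or a sPUK, so there is no secret to ship to the subscriber.
type RegistrationAuthority struct {
	current *ecdsa.PublicKey
	revoked []*ecdsa.PublicKey
}

func (ra *RegistrationAuthority) Current() *ecdsa.PublicKey { return ra.current }

// Verify accepts a signature only under the currently certified key.
func (ra *RegistrationAuthority) Verify(text string, sig []byte) bool {
	if ra.current == nil {
		return false
	}
	digest := sha256.Sum256([]byte(text))
	return ecdsa.VerifyASN1(ra.current, digest[:], sig)
}

// IsRevoked reports whether pub belongs to a destroyed key generation.
func (ra *RegistrationAuthority) IsRevoked(pub *ecdsa.PublicKey) bool {
	for _, r := range ra.revoked {
		if r.Equal(pub) {
			return true
		}
	}
	return false
}

// OBKGApplet models a SIM applet with on-board key generation. Factory keys,
// PIN letters and sPUKs do not exist here; the only way out of a blocked sPIN
// is a fresh registration that replaces the key.
type OBKGApplet struct {
	priv       *ecdsa.PrivateKey
	spin       []byte
	blocked    bool
	Generation int // number of key pairs this card has generated
}

// Register is the step the user performs on the phone: choose a sPIN, let the
// card generate the key pair, and hand only the public key to the RA. Any
// previous key is revoked and zeroised, so recovering from a forgotten sPIN
// needs neither a sPUK nor a SIM swap.
func (a *OBKGApplet) Register(ra *RegistrationAuthority, newSPIN string) error {
	if len(newSPIN) < 4 {
		return errors.New("sPIN too short")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	if a.priv != nil {
		ra.revoked = append(ra.revoked, &a.priv.PublicKey)
		a.priv.D.SetInt64(0) // destroy the old private scalar before dropping it
	}
	a.priv, a.spin, a.blocked = priv, []byte(newSPIN), false
	a.Generation++
	ra.current = &priv.PublicKey
	return nil
}

// Block is what the retry counter does after the last wrong sPIN; the retry
// counting itself is not modelled in this example.
func (a *OBKGApplet) Block() { a.blocked = true }

// Sign uses the current key if the card is registered, not blocked, and the
// sPIN matches.
func (a *OBKGApplet) Sign(text, spin string) ([]byte, error) {
	switch {
	case a.priv == nil:
		return nil, errors.New("no signing key: card not registered")
	case a.blocked:
		return nil, ErrBlocked
	case subtle.ConstantTimeCompare(a.spin, []byte(spin)) != 1:
		return nil, errors.New("wrong sPIN")
	}
	digest := sha256.Sum256([]byte(text))
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

func main() {
	ra, card := &RegistrationAuthority{}, &OBKGApplet{}
	_ = card.Register(ra, "2580")
	oldSig, _ := card.Sign("hello", "2580")
	card.Block()                  // subscriber forgot the sPIN and exhausted the retries
	_ = card.Register(ra, "1357") // re-register: new key, new sPIN, no sPUK involved
	fmt.Println("generation:", card.Generation, "old signature still valid:", ra.Verify("hello", oldSig))
}
```

Because the RA only ever receives public keys, re-registration after a blocked sPIN costs nothing in secret logistics; the price is that every signature made under the previous key stops verifying against the current certificate, which is why the old key must be recorded as revoked rather than silently forgotten.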

Sources for the origins of the term

References

  1. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures
  2. 2003/511/EC: Commission Decision of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council (Text with EEA relevance) (notified under document number C(2003) 2439)
  3. "Trust Services and Electronic identification (eID)" (PDF).
  4. "Gemalto's website has moved to Thales".
  5. "Elektroninis.lt".
  6. "Mobile-ID — e-Estonia". e-estonia.com.
  7. "ENG - Mobiilivarmenne".
  8. "Suomi.fi". www.suomi.fi.
  9. "Mobile Ink".
  10. "Kiuru MSSP products". Methics Oy. 9 February 2016.
  11. Methics Oy
  12. "Sicap and Methics Partner". Sicap.
  13. "News in English". Mobiilivarmenne portal. Retrieved 30 June 2013.
  14. "Державна служба спеціального зв'язку та захисту інформації України". www.dsszzi.gov.ua. Retrieved 2018-02-19.
  15. "Das kann die Handy-Signatur" (What the Handy-Signatur can do), www.buergerkarte.at; "Die Bürgerkarte" (The citizen card), digitales.oesterreich.gv.at
  16. "Gemalto's website has moved to Thales".
  17. "Turkcell Selects Gemalto for World's Largest Mobile Signature Rollout". www.gemalto.com.
  18. "Essays: Two-Factor Authentication: Too Little, Too Late - Schneier on Security". www.schneier.com.
  19. Bicakci, Kemal; Unal, Devrim; Ascioglu, Nadir; Adalier, Oktay (2014). "Mobile Authentication Secure Against Man-In-The-Middle Attacks". Procedia Computer Science. 34: 323–329. doi:10.1016/j.procs.2014.07.031. ISSN 1877-0509.
  20. "Support of SmartTrust OBKG function at Kiuru MSSP". Methics Oy.
  21. "Key and PIN Life Cycle at Alauda WPKI Applet". Methics Oy.
  22. (in Turkish) Turkcell.com
  23. "News in English". Mobiilivarmenne portal.
  24. "mSign stellt Schnittstelle für mobilen E-Commerce vor - Golem.de".
  25. "Materna-tmt.de".
  26. "Tech Brief: German Mobile Signature". www.iht.com. Archived from the original on 4 June 2011 via The New York Times.
  27. (in Turkish) Turkcell.com
  28. (in English) Turkcellmobilesignature.com