Mobile signature
A mobile signature is a digital signature generated either on a mobile phone or on a SIM card on a mobile phone.
Origins of the term
mSign
The term first appeared in articles introducing mSign. It was founded in 1999 and comprised 35 member companies. In October 2000, the consortium published an XML-interface defining a protocol allowing service providers to obtain a mobile signature from a mobile phone subscriber.In 2001, mSign gained industry-wide coverage when it came apparent that Brokat also obtained a process patent in Germany for using the mobile phone to generate digital signatures.
ETSI-MSS standardization
The term was then used by Paul Gibson and Romary Dupuis in their standardisation work at the European Telecommunications Standards Institute and published in ETSI Technical Report TR 102 203.The ETSI-MSS specifications define a SOAP interface and mobile signature roaming for systems implementing mobile signature services. ETSI TS 102 204, and ETSI TS 102 207.
Today
The mobile signature can have the legal equivalent of your own wet signature, hence the term "Mobile Ink", commercial term coined by Swiss . Other terms include "Mobile ID" by , "Mobile Certificate" by a circle of trust of 3 Finnish mobile network operators implementing a roaming mobile signature framework Mobiilivarmenne, etc.According to the EU directives for the mobile signature can have the same level of protection as the handwritten signature if all components in the signature creation chain are appropriately certified. The governing standard for the mobile signature creation devices and equivalent of a handwritten signature is described in the Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with the Electronic Signatures Directive. If the signature solution is Common Criteria evaluated by an independent party and given the EAL4+ designation, the solution can produce what the EU directive and consequent clarifications are calling a qualified electronic signature. The current standard dates back to the year 2002/2003 and is in the process being renewed and published by the end of 2012. Most, if not all, mobile signature implementations to date generate what the EU Directive is calling advanced electronic signature.
The most successful mobile signature solutions can be found in Turkey, Lithuania, Estonia and Finland with millions of users.
Technically the mobile signature is created by a security module when a request for it reaches the device and after introducing the request to the user with a few explanation prompts, the device asks for a secret code that only the correct user should know. Usually, this is in form of a PIN. If the access control secret was entered correctly, the device is approved with access to secret data containing for example RSA private key, which is then used to do the signature or other operations that the request wanted.
The PKI system associates the public key counterpart of the secret key held at the secure device with a set of attributes contained in a structure called digital certificate. The choice of the registration procedure details during the definition of the attributes included in this digital certificate can be used to produce different levels of identity assurance. Anything from anonymous but specific to high-standard real-word identity. By doing a signature, the secure device owner can claim that identity.
Thus, the mobile signature is a unique feature for:
- Proving your real-world identity to third parties without face-to-face communications
- Making a legally-binding commitment by sending a confirmed message to another party
- Solve security problems of the online world with identity confirmation
Public services
Estonian Mobile-ID
See .Mobile Ink (Finland)
unites high security and user-friendly access to digital services which require strong authentication and authorization. Subscribers can get mobile signature access to m-banking or corporate applications for example. Mobile Ink is a commercial term associated with the mobile signature solution of building on Kiuru MSSP platform by .The platform allows simultaneous existence of multiple keys and associated identities with distinct registration procedures.
This is used for example as a replacement for RSA SecureID dongles with anonymous but specific identity in corporate access applications.
Mobiilivarmenne (Finland)
Mobile Certificate i.e. Mobiilivarmenne in Finnish is a term used in the Finnish market space to describe the roaming mobile signature solution deployed by the three mobile network operators Elisa, Sonera, and DNA.This setup was developed in all three operators co-operation under national Telecom technology coordination group FiCom, and it is world's first system where a fully functional co-operating ETSI TS 102 207 roaming service mesh was established in multi-vendor software environment. Another national feature is that mobile phone numbers are portable across the operators, and thus the phone number prefix does not identify the operator. To make things easy for the Application Providers, they can purchase service from any one of the Acquiring Entity service providers, and reach all users.
Part of the background was update of national laws allowing digital Person Identity Certificates to be issued also by other parties than official registration authorities via Police offices. Another part was co-operation agreement between the operators on the form of the certificates, and certification procedures and practices producing similar certificate contents with similar identity issuance traceability. All of these were reviewed and approved by the Finnish Communication Regulatory Authority which tasks include the oversight of the identity registration services also at government registries.
The MSSP software vendors in the service mesh are , and . Both Finnish companies.
Mobile ID in Ukraine
In Ukraine, Mobile ID project started in 2015, and later declared as one of Government of Ukraine priorities supported by EU. At the beginning of 2018 Ukrainian cell operators are evaluating proposals and testing platforms from different local and foreign developers. Platform selection will be followed up by comprehensive certification process. List of cryptographic information protection tools, that are legally allowed for use in Ukraine.Moldavian Mobile-ID
MPassHandy-Signatur in Austria
started mobile signature by 2003, as a technology of Bürgerkarte. It was provided bei mobilkom Austria, but ended in 2007. After a relaunch in 2009, named Handy-Signatur, it is well used, by 2014 over 300.000 people, 5% of the adult inhabitants, own a registered mobile signature. It is controlled by Austrian Government, National Bank and Graz University of Technology. It is based on a TAN sent bei SMS on request and confirmed with a private PIN. According to 1999/93/EG signing by Handy-Signature is completely equivalent to a handwritten autograph.Technology providers
Mobile ID
, a Gemalto company, was the first company in the world to introduce mobile signature solutions into the market and creating the term Mobile ID. The initial mobile signature solution in Turkey by Turkcell used Valimo technology to implement . Currently Valimo Mobile ID is in use in several countries.Kiuru MSSP
is a privately held Finnish technology company with strong expertise on PKI and MSSP services. The Kiuru MSSP product line is used directly and as OEM product by several service and solution providers.ID HUB – Mobile ID
by Innovation Development HUB LLC is the only electronic identification and mobile signature solution, having already passed State certification in Ukraine. Uses both post-Soviet and European cryptography algorithms, which makes the platform suitable for CIS and EU PKI.G&D SmartTrust
is the original supplier of SIM card embedded WAP browsers with encryption plugins developed in late 1990es, it is called WIB The WIB technology is licensed by the SmartTrust to many SIM card manufacturers, and the mobile network operators can choose to use cards with WIB capabilities in their normal user base immediately enabling them for use of the MSSP services.SmartTrust's MSSP offering is called SmartLicentio.
Security issues
Authentication may still be vulnerable to man-in-the-middle attacks and trojan horses, depending on the scheme employed. Schemes like one-time-password-generators and two-factor authentication does not completely solve man in the middle attacks on an open network like the Internet. However, supporting the authentication on the Internet with a parallel closed network like mobile/GSM and a digital signature enabled SIM card is the most secure method today against the man in the middle attack. If application provider provides a detailed explanation of the transaction to be signed both on its Internet site and signing request to mobile operator, the attack can easily be recognized by the individual by comparing both screens. Since mobile operators do not let applications to send signing request for free, normally the cost and technicality of intrusion between the application provider and the mobile operator makes it an improbable attack target. Very least there are trace evidences in multiple places for the attack to have happened.With on-board key generation
When a mobile user creates the sPIN and secret key online within the secure SIM card during the registration process, this is known as "on-board key generation". This requires a bit more interaction on user's behalf while registering, but on the other hand it makes the security mode interaction process familiar and lets them practice service usage. Also when the user forgets/locks the PIN associated with generated key, it is simple to generate a new key and assign it a new sPIN destroying the previous versions using same process as with original registration, and most importantly: without need for replacement of the SIM card. In these systems there is commonly no secondary signing PIN unblocking code at all, because revelation of such a code has identical requirements for the requesting person's identity verification as was with original person's identity registration.Compare this with older "factory generated keys" model for older technology SIM cards that had insufficient processing power to do on-board key generation. The SIM card factory ran key-generation with special hardware accelerator and stored the key material on card along with initial sPIN and sPUK codes. Sometimes actual generation happened within the SIM card that was running in special manufacturing mode. After the generation the capability of doing it at all was usually disabled by blowing a special control fuse. Delivery of in particular the sPUK codes creates considerable security information logistics problems, which can entirely be avoided with the use of on-board key generation.
Turkcell was the first provider to roll out a mobile signature service with "On Board Key Generation" functionality, which enables customers to create their signing and validation key pair, after they get the simcard. In this way GSM operators do not need to distribute signing PINs to customers. Customers can create their sPIN anew, on their own.
In introduction of the Finnish Mobiilivarmenne service in 2010, only one out of three operators chose to use this on-board key generation capability with user interaction. Cited reasons claimed it to be too hard for the user. Actual experience did show that those without it created easily non-functional registrations without any online indication of the status, while usage of on-board key generation always resulted in positive indication of success when the service became fully functional for the user. Also if a mobile phone version had issues with SIM Application Toolkit protocol, that became evident immediately during a registration process using on-board key generation.