Mobile signature

A mobile signature is a digital signature generated either on a mobile phone or on a SIM card on a mobile phone.

Origins of the term

mSign

The term first appeared in articles introducing mSign (short for Mobile Electronic Signature Consortium). It was founded in 1999 and comprised 35 member companies. In October 2000, the consortium published an XML-interface defining a protocol allowing service providers to obtain a mobile (digital) signature from a mobile phone subscriber.

In 2001, mSign gained industry-wide coverage when it came apparent that Brokat (one of the founding companies) also obtained a process patent in Germany for using the mobile phone to generate digital signatures.

ETSI-MSS standardization

The term was then used by Paul Gibson (G&D) and Romary Dupuis (France Telecom) in their standardisation work at the European Telecommunications Standards Institute (ETSI) and published in ETSI Technical Report TR 102 203.

The ETSI-MSS specifications define a SOAP interface and mobile signature roaming for systems implementing mobile signature services. ETSI TS 102 204, and ETSI TS 102 207.

Today

The mobile signature can have the legal equivalent of your own wet signature, hence the term "Mobile Ink", commercial term coined by Swiss Sicap. Other terms include "Mobile ID", "Mobile Certificate" by a circle of trust of 3 Finnish mobile network operators implementing a roaming mobile signature framework Mobiilivarmenne, etc.

According to the EU directives for electronic signatures^[1] the mobile signature can have the same level of protection as the handwritten signature if all components in the signature creation chain are appropriately certified. The governing standard for the mobile signature creation devices and equivalent of a handwritten signature is described in the Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with the Electronic Signatures Directive.^[2] If the signature solution^[buzzword] is Common Criteria evaluated by an independent party and given the EAL4+ designation, the solution^[buzzword] can produce what the EU directive and consequent clarifications are calling a qualified electronic signature. The current standard dates back to the year 2002/2003 and is in the process being renewed and published by the end of 2012.^[3] Most, if not all, mobile signature implementations to date generate what the EU Directive is calling advanced electronic signature.

The most successful mobile signature solutions^[buzzword] can be found in Turkey,^[4] Lithuania,^[5] Estonia^[6] and Finland^[7][8] with millions of users.

Technically the mobile signature is created by a security module when a request for it reaches the device (SIM card) and after introducing the request to the user with a few explanation prompts, the device asks for a secret code that only the correct user should know. Usually, this is in form of a PIN. If the access control secret was entered correctly, the device is approved with access to secret data containing for example RSA private key, which is then used to do the signature or other operations that the request wanted.

The PKI system associates the public key counterpart of the secret key held at the secure device with a set of attributes contained in a structure called digital certificate. The choice of the registration procedure details during the definition of the attributes included in this digital certificate can be used to produce different levels of identity assurance. Anything from anonymous but specific to high-standard real-word identity. By doing a signature, the secure device owner can claim that identity.

Thus, the mobile signature is a unique feature for:

• Proving your real-world identity to third parties without face-to-face communications
• Making a legally-binding commitment by sending a confirmed message to another party
• Solve security problems of the online world with identity confirmation (an anonymous but specific identity is often equally good as a high-standards identity)

Public services

Estonian Mobile-ID

See [1].

ParsMSS in Iran

Pars Mobile Signature Services Project (ParsMSS) has been designed and produced in Iran for the first time since 2011. Pars Mobile Signature Services (ParsMSS) can be provided in two ways: SIM-Based and SIM-less. Registration Authority (RA) connects to this service and issues the electronic certificate in person or remotely. With this service, financial transactions and documents can be signed digitally.

Mobile Ink (Finland)

Mobile Ink^[9] unites high security and user-friendly access to digital services which require strong authentication and authorization. Subscribers can get mobile signature access to m-banking or corporate applications for example. Mobile Ink is a commercial term associated with the mobile signature solution^[buzzword] of Sicap building on Kiuru MSSP platform^[10] by Methics Oy.^[11][12]

The platform allows simultaneous existence of multiple keys and associated identities with distinct registration procedures. This is used for example as a replacement for RSA SecurID dongles with anonymous but specific identity in corporate access applications.

Mobiilivarmenne (Finland)

Mobile Certificate i.e. Mobiilivarmenne^[13] in Finnish is a term used in the Finnish market space to describe the roaming mobile signature solution^[buzzword] deployed by the three mobile network operators Elisa, Sonera, and DNA.

This setup was developed in all three operators co-operation under national Telecom technology coordination group FiCom, and it is world's first system where a fully functional co-operating ETSI TS 102 207 roaming service mesh was established in multi-vendor software environment. Another national feature is that mobile phone numbers are portable across the operators, and thus the phone number prefix does not identify the operator. To make things easy for the Application Providers (see ETSI TS 102 204), they can purchase service from any one of the Acquiring Entity service providers (mobile network operators), and reach all users.

Part of the background was update of national laws allowing digital Person Identity Certificates (for Mobiilivarmenne use) to be issued also by other parties than official registration authorities via Police offices. Another part was co-operation agreement between the operators on the form of the certificates, and certification procedures and practices producing similar certificate contents with similar identity issuance traceability. All of these were reviewed and approved by the Finnish Communication Regulatory Authority which tasks include the oversight of the identity registration services also at government registries.

Mobile ID in Ukraine

In Ukraine, Mobile ID project started in 2015, and later declared as one of Government of Ukraine priorities supported by EU. At the beginning of 2018 Ukrainian cell operators are evaluating proposals and testing platforms from different local and foreign developers. Platform selection will be followed up by comprehensive certification process. List of cryptographic information protection tools^[14] (and manufacturers), that are legally allowed for use in Ukraine (as of February 19, 2018).

Moldavian Mobile-ID

• Moldcell
• Orange Moldova

MPass

Handy-Signatur in Austria

Austria started mobile signature by 2003, as a technology of Bürgerkarte (which includes electronic signing with SmartCards). It was provided bei mobilkom Austria, but ended in 2007. After a relaunch in 2009, named Handy-Signatur, it is well used, by 2014 over 300.000 people, 5% of the adult inhabitants, own a registered mobile signature. It is controlled by Austrian Government, National Bank and Graz University of Technology. It is based on a TAN sent bei SMS on request and confirmed with a private PIN.^[15] According to 1999/93/EG signing by Handy-Signature is completely equivalent to a handwritten autograph.

Technology providers

Mobile ID

Valimo Wireless, a Gemalto company, was the first company in the world to introduce mobile signature solutions ^[buzzword]into the market and creating the term Mobile ID. The initial mobile signature solution^[buzzword] in Turkey by Turkcell used Valimo technology to implement the very successful mobile signature solution.^{[buzzword][16][17]} Currently Valimo Mobile ID is in use in several countries.

Kiuru MSSP

Methics Oy is a privately held Finnish technology company with strong expertise on PKI and MSSP services. The Kiuru MSSP product line is used directly and as OEM product by several service and solution^[buzzword] providers.

ID HUB – Mobile ID

Mobile ID platform by Innovation Development HUB LLC is the only electronic identification and mobile signature solution^[buzzword], having already passed State certification in Ukraine. Uses both post-Soviet and European cryptography algorithms, which makes the platform suitable for CIS and EU PKI.

G&D SmartTrust

G&D SmartTrust is the original supplier of SIM card embedded WAP browsers with encryption plugins developed in late 1990es, it is called WIB (Wireless Internet Browser.) The WIB technology is licensed by the SmartTrust to many SIM card manufacturers, and the mobile network operators can choose to use cards with WIB capabilities in their normal user base immediately enabling them for use of the MSSP services. SmartTrust's MSSP offering is called SmartLicentio.

Security issues

Authentication may still be vulnerable to man-in-the-middle attacks and trojan horses, depending on the scheme employed.^[18] Schemes like one-time-password-generators and two-factor authentication do not completely solve man-in-the-middle attacks on open networks like the Internet.^[19] However, supporting the authentication on the Internet with a parallel closed network like mobile/GSM and a digital signature enabled SIM card is the most secure method today against this type of attack. If the application provider provides a detailed explanation of the transaction to be signed both on its Internet site and signing request to mobile operator, the attack can easily be recognized by the individual when comparing both screens. Since mobile operators do not let applications send signing requests for free, the cost and technicality of intrusion between the application provider and the mobile operator make it an improbable attack target. Nonetheless, there have been evidence in multiple places where an attack has occurred.

With on-board key generation

When a mobile user creates the sPIN (signing PIN) and secret key online within the secure SIM card during the registration process, this is known as "on-board key generation".^[20] This requires a bit more interaction on user's behalf while registering, but on the other hand it makes the security mode interaction process familiar and lets them practice service usage. Also when the user forgets/locks the PIN associated with generated key, it is simple to generate a new key and assign it a new sPIN destroying the previous versions using same process as with original registration, and most importantly: without need for replacement of the SIM card. In these systems there is commonly no secondary signing PIN unblocking code (sPUK) at all, because revelation of such a code has identical requirements for the requesting person's identity verification as was with original person's identity registration.^[21]

Compare this with older "factory generated keys" model for older technology SIM cards that had insufficient processing power to do on-board key generation. The SIM card factory ran key-generation with special hardware accelerator and stored the key material on card along with initial sPIN and sPUK codes. Sometimes actual generation happened within the SIM card that was running in special manufacturing mode. After the generation the capability of doing it at all was usually disabled by blowing a special control fuse. Delivery of in particular the sPUK codes creates considerable security information logistics problems, which can entirely be avoided with the use of on-board key generation.

Turkcell was the first provider to roll out a mobile signature service with "On Board Key Generation" functionality, which enables customers to create their signing and validation key pair, after they get the simcard. In this way GSM operators do not need to distribute signing PINs to customers. Customers can create their sPIN anew, on their own.^[22]

In introduction of the Finnish Mobiilivarmenne^[23] service in 2010, only one out of three operators chose to use this on-board key generation capability with user interaction. Cited reasons claimed it to be too hard for the user. Actual experience did show that those without it created easily non-functional registrations without any online indication of the status, while usage of on-board key generation always resulted in positive indication of success when the service became fully functional for the user. Also if a mobile phone version had issues with SIM Application Toolkit protocol, that became evident immediately during a registration process using on-board key generation.

Sources for the origins of the term

• mSign: Announcement of MSign formation (in German only), 17.10.2000^[24]
• MoSign: Materna Monitor - company magazine, December 2004^[25]
• MoSign: International Herald Tribune tech brief, 26 March 2001^[26]
• MobilImza: Turkcell Mobil Imza 10.3.2008^[27][28]

References

1. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures
2. 2003/511/EC: Commission Decision of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council (Text with EEA relevance) (notified under document number C(2003) 2439)
3. "Trust Services and Electronic identification (eID)" (PDF).
4. "Gemalto's website has moved to Thales".
5. "Elektroninis.lt".
6. "Mobile-ID — e-Estonia". e-estonia.com.
7. "ENG - Mobiilivarmenne".
8. "Suomi.fi". www.suomi.fi.
9. "Mobile Ink".
10. "Kiuru MSSP products". Methics Oy. 9 February 2016.
11. Methics Oy
12. "Sicap and Methics Partner". Sicap.
13. "News in English". Mobiilivarmenne portal. Retrieved 30 June 2013.
14. "Державна служба спеціального зв'язку та захисту інформації України". www.dsszzi.gov.ua. Retrieved 2018-02-19.
15. Das kann die Handy-Signatur, www.buergerkarte.at; Die Bürgerkarte, digitales.oesterreich.gv.at
16. "Gemalto's website has moved to Thales".
17. "Turkcell Selects Gemalto for World's Largest Mobile Signature Rollout". www.gemalto.com.
18. "Essays: Two-Factor Authentication: Too Little, Too Late - Schneier on Security". www.schneier.com.
19. Bicakci, Kemal; Unal, Devrim; Ascioglu, Nadir; Adalier, Oktay (2014). "Mobile Authentication Secure Against Man-In-The-Middle Attacks". Procedia Computer Science. 34: 323–329. doi:10.1016/j.procs.2014.07.031. ISSN 1877-0509.
20. "Support of SmartTrust OBKG function at Kiuru MSSP". Methics Oy.
21. "Key and PIN Life Cycle at Alauda WPKI Applet". Methics Oy.
22. (in Turkish) Turkcell.com
23. "News in English". Mobiilivarmenne portal.
24. "mSign stellt Schnittstelle für mobilen E-Commerce vor - Golem.de".
25. "Materna-tmt.de".
26. "Tech Brief: German Mobile Signature". www.iht.com. Archived from the original on 4 June 2011 – via The New York Times.
27. (in Turkish) Turkcell.com
28. (in English) Turkcellmobilesignature.com