Oct 1, 2009

Mobile PKI


Mobile PKI, also known as Wireless PKI (and a lot of other names such as Mobile Secure Signature Service, Secure Signature Creation Device, ...) is a technology which allows users to place electronic signatures with their cell phone. This can be used for applications that run on the phone, but also for applications that run on other platforms (the user's computer connected to the Internet, for instance). One could use this, for example, as an authentication mechanism at a relying party. In the latter scenario your phone is a "something-you-have" token which provides extra security as an attacker would have to manipulate two separate channels to mount an attack. Before placing a signature, the cell phone will ask the user for his or her PIN.

The SIM card inside the cell phone plays a central role in Mobile PKI. Actually, the obvious way to implement Mobile PKI is through a so-called SIM Application Toolkit (SAT) applet installed on the SIM card. SAT applets have some really cool features that make things easy, both for the mobile operator and for the user:
  • They can be installed over the air (OTA) to an already deployed SIM by the mobile operator, without disturbing the user
  • They can add extra (basic menu-based) features to the GUI
  • They can react to events such as selection of menus by the user or incoming SMSs sent by the mobile operator
This makes Mobile PKI a pretty secure solution:
  • The application resides on a tamper resistant smart card
  • Most handset manufacturers will make sure that there's a trusted path from the phone's keyboard to SAT applications (the malware problem seems to still be small for the mobile platform)
  • The separate channel advantage was already mentioned above
It's also user-friendlier when compared to other authentication solutions such as smart cards, PKI tokens, and one-time-password SMSs:
  • The PIN is the same for each and every transaction
  • There's no need to install software on the user's PC
  • There's no need to read and type challenges or responses
  • Most users will not forget or leave their cell phone unattended, and most will notice and report a missing or stolen phone
Mobile PKI was standardized by ETSI around 2002/2003, and Common Criteria protection profiles for Secure Signature Creation Devices have existed since 2001, so the technology is pretty old. It has found its way to end customers in some countries, most notably Turkey and, more recently, the Nordic countries (in Finland you can apparently even add your government-issued eID to a SIM card). Most of the SIM manufacturers and technology providers offer Mobile PKI as an option to their customers (the mobile operators). I wonder why this hasn't caught on here in the Netherlands.

3 comments:

  1. FYI: EMT (www.emt.ee) in Estonia started issuing mID SIM cards in May 2007. It is a bit different (www.wpki.eu) and is in fact a government endorsed eID.

  2. Thanks for that reference WHOIS. Estonia seems to be way ahead of most other European countries in terms of eID developments.

  3. Hi MartijnO,

    Thank you for your informative entry.

    I have a question: what kind of SIM can be implemented to be a PKI SIM? Is there any standard to follow?

    I've been searching for the answers but have not found anything yet. I hope you can help me with that. Thank you very much.
