Mobile PKI, also known as Wireless PKI (and a lot of other names such as Mobile Secure Signature Service, Secure Signature Creation Device, ...) is a technology which allows users to place electronic signatures with their cell phone. This can be used for applications that run on the phone, but also for applications that run on other platforms (the user's computer connected to the Internet, for instance). One could use this, for example, as an authentication mechanism at a relying party. In the latter scenario your phone is a "something-you-have" token which provides extra security as an attacker would have to manipulate two separate channels to mount an attack. Before placing a signature, the cell phone will ask the user for his or her PIN.
The SIM card inside the cell phone plays a central role in Mobile PKI. Actually, the obvious way to implement Mobile PKI is through a so-called SIM Application Toolkit (SAT) applet installed on the SIM card. SAT has some really cool features that make things easy, both for the mobile operator and for the user:
- They can be installed over the air (OTA) to an already deployed SIM by the mobile operator, without disturbing the user
- They can add extra (basic menu-based) features to the GUI
- They can react to events such as selection of menus by the user or incoming SMSs sent by the mobile operator
- The application resides on a tamper resistant smart card
- Most handset manufacturers will make sure that there's a trusted path from the phone's keyboard to SAT applications (the malware problem seems to still be small for the mobile platform)
- The separate channel advantage was already mentioned above
- The PIN is the same for each and every transaction
- There's no need to install software on the user's PC
- There's no need to read and type challenges or responses
- Most users will not forget or leave their cell phone unattended, and most will notice and report a missing or stolen phone
Posts
