Oct 1, 2009

Mobile PKI

Mobile PKI, also known as Wireless PKI (and a lot of other names such as Mobile Secure Signature Service, Secure Signature Creation Device, ...) is a technology which allows users to place electronic signatures with their cell phone. This can be used for applications that run on the phone, but also for applications that run on other platforms (the user's computer connected to the Internet, for instance). One could use this, for example, as an authentication mechanism at a relying party. In the latter scenario your phone is a "something-you-have" token which provides extra security as an attacker would have to manipulate two separate channels to mount an attack. Before placing a signature, the cell phone will ask the user for his or her PIN.

The SIM card inside the cell phone plays a central role in Mobile PKI. Actually, the obvious way to implement Mobile PKI is through a so-called SIM Application Toolkit (SAT) applet installed on the SIM card. SAT has some really cool features that make things easy, both for the mobile operator and for the user:
  • They can be installed over the air (OTA) to an already deployed SIM by the mobile operator, without disturbing the user
  • They can add extra (basic menu-based) features to the GUI
  • They can react to events such as selection of menus by the user or incoming SMSs sent by the mobile operator
This makes Mobile PKI a pretty secure solution:
  • The application resides on a tamper resistant smart card
  • Most handset manufacturers will make sure that there's a trusted path from the phone's keyboard to SAT applications (the malware problem seems to still be small for the mobile platform)
  • The separate channel advantage was already mentioned above
It's also user-friendlier when compared to other authentication solutions such as smart cards, PKI tokens, and one-time-password SMSs:
  • The PIN is the same for each and every transaction
  • There's no need to install software on the user's PC
  • There's no need to read and type challenges or responses
  • Most users will not forget or leave their cell phone unattended, and most will notice and report a missing or stolen phone
Mobile PKI has been standardized by ETSI around 2002/2003. Also Common Criteria protection profiles for Secure Signature Creation Devices have existed since 2001. So the technology is pretty old. It has found its way to end-customers in some countries, most notably Turkey and more recently to the Nordic countries (in Finland you can apparently even add your government issued eID to a SIM card). Most of the SIM manufacturers and technology providers offer Mobile PKI as an option to their customers (the mobile operators). I wonder why this hasn't caught on here in the Netherlands.


  1. FYI: EMT (www.emt.ee) in Estonia started issuing mID SIM cards in May 2007. It is a bit different (www.wpki.eu) and is in fact a government endorsed eID.

  2. Thanks for that reference WHOIS. Estonia seems to be way ahead of most other European countries in terms of eID developments.

  3. Hi MartijnO,

    Thank you for your informative entry.

    I have a question: what kind of SIM can be implemented to be a PKI SIM? Is there any standard to follow?

    I've been searching for the answers but not found anything yet. I hope you can help me with that. Thank you very much.

  4. Great website to read meaningful comments, that will be useful.
    Buy Mobile Cases

  5. Car Detailing and Paint Protection film for Supercars, Classic Cars and Prestige Cars by Highly Skilled and Experienced Car Detailers. call us: 011-45129999
    best car paint protection

  6. Hey very nice web site!! Guy .. Beautiful .. Wonderful .. I’ll bookmark your website and take the feeds also¡KI’m happy to search out numerous useful info right here within the submit, we’d like develop extra strategies in this regard, thanks for sharing. . . . . . Rent a car kosova VoIP Service Near Me

  7. I really appreciate on your post.... and I got an usefull information about the matter... I just tried to write the same post...
    best hitachi tower fan in dubai

  8. I really like your take on the issue. I now have a clear idea on what this matter is all about.. cara mendownload video bokep

  9. Thanks for sharing nice information with us. i like your post and all you share with us is uptodate and quite informative, i would like to bookmark the page so i can come here again to read you, as you have done a wonderful job. aplicativos de compra e venda

  10. A debt of gratitude is in order for sharing the information, keep doing awesome... I truly delighted in investigating your site. great asset... Laptop Repair Dubai

  11. The next time I read a blog, I hope that it doesnt disappoint me as much as this one. I mean, I know it was my choice to read, but I actually thought you have something interesting to say. All I hear is a bunch of whining about something that you could fix if you werent too busy looking for attention. control parental android

  12. Great Information. Thank You Author, for sharing your valuable information about iot with us. People who are reading this blog can continue your knowledge which you gained with us and know how to apply this practically along with our.http://www.privateproxiesreview.com/top-4-important-tips-enhance-security-android-device/

  13. Your online journal gave us profitable data to work with. Each and every tips of your post are marvelous. Much appreciated for sharing. Continue blogging, Pro Well Tech

  14. Hey, you made a genuine post for your readers here. Got through the entire efforts and pleased enriching my knowledge with some precious data on PKI thoug I knew it as mobile secure signature service. Ok. let it go. I was basically wanted to learn about mobile micro cash payment service and already got some of related like 소액결제현금화 but would like to be more equipped about it. Anyway, diving into your outstanding tech beneficial content, I was impressed so much for its educative information. Simply, like it and you can add a new member in your fans' list. Much oblige for the brilliant contribution.