Trust center based digital signature system!

This model is based on one rule that each participant of the ecosystem does what it can do best. So a telecom operator is responsible in this model only for providing wpki enabled sim to its customers and then guaranteeing mobile network uptime for delivering messages. Banks and financial institutions deal with financial matters and payment techniques. And last but not the least the independent and already established certification authorities provide trust management systems in this model.

This is a many to many model and theoretically sees no restrictions on adding up more and more players in the ecosystem hence proving to be ultimately a global (or locally global) system.


Update: A closer and more description model is presented by Dr. Yaseen of PTA (Pakistan Telecommunication Authority) here. 

Telco led digital signature system!

A telecom operator led ecosystem enjoys the fact that telco is sim owner too which is the soul of this system. Due to this very reason the time to market reduces a lot. Turkcell is live example for such a system which is seeing huge success in turkish market.

Integrated certification authorities are needed within telco or with outside contracts. Financial institution can be acquired or a partnership can be established by telco. In case of partnership a trusted certification authority is a must by both parties.

The down side of this model is that telco comes itself into a different business which it knows very little. Furthermore taking banks and governments onboard is also a challenging task for someone not already working in the same area.

Bank led digital signature system!

A bank led digital signature ecosystem is normally fully sponsored by the bank itself. An outer certification authority may not be needed in this model and bank can use an inhouse ca instead. Since service is offered mainly to either already customer or new customers of the same bank hence a third party for trust management normally becomes redundant. Telecom operator takes part in this model as only mobile network provider which is its specialty.

Banks having this ecosystem built can offer unique services based on their existing systems like web and mobile banking. In addition to that bank can offer service platform to application providers who can offer innovative and exciting services to end users in the ecosystem.

Registration process in this model is such that user has to telecom operator franchise to get wpki enabled sim and then to bank branch to get registered in the system. Another approach could be to distribute sim at bank branch.
Bank led model is quick to start with technically but it is a common observation that banks take huge time in getting things going.

Signature ecosystem!

A mobile PKI system constitutes of many components and players to form an ecosystem and main stakeholders of the ecosystem are financial institutions, applications providers, certification authorities and mobile network operators.

Signature is actually done by an application in mobile SIM and private key is also stored in it so it is normally thought that the major player is the mobile network operator who owns the SIM. But it is very important to understand that only financial institutes have license to do financial transactions. This makes it clear that if we are talking about financial transactions using mobile then financial institutions and mobile network operator both are equally important in the ecosystem.

Although financial institutions and mobile network operator can themselves be certification authority but to make the system trusted by third parties it is very good practice to involve trusted and known certificate authorities in the region for managing digital certificates. Involving such certification authorities bring quality and specialization of service in the ecosystem too.

The presence of financial institutions, mobile network operator(s) and one or more certification authorities make it a complete system to run digital signature but fetching of business can not be done without introducing application providers to this ecosystem. These application providers are merchants or service providers who create value for customers by offering exciting products and services and use digital signature ecosystem to run their businesses effectively.

Mobile PKI report published by dutch organization

A technology scouting for security and use of mobile authentication technologies
Above is a link to a report which is published by SURFNet, a dutch organization. This is a very good report that discusses technology, conceptual architecture, security and its usage in educational environment. This is definitely a good read for making an understanding of mobile PKI for authentication.
Following is conclusions and recommendations section reproduced here.

The question arises of how Mobile PKI compares to other solutions. What are the Unique Selling Points for Mobile PKI?

 Mobile PKI uses a “something you have” token, specifically the SIM card in the mobile phone. This overcomes many problems that are associated with, for instance, simple username/password authentication. Phishing attacks, for example, are made a thing of the past.

 As with a TAN list, Mobile PKI uses an external channel. Mobile PKI has many advantages with respect to user-friendliness because most users have a mobile phone with them but few carry a list of TAN codes.

 As with SMS-OTP, Mobile PKI uses an external channel, i.e., the user’s mobile phone. Mobile PKI has the advantage that it does not require the user to type in a code from the mobile phone on the PC. The PIN code the user must enter on the mobile phone is always the same.

 An ‘OTP token with display’ (for instance a banking token) also requires that the user types in codes from the handset on the PC. A user may forget such a token, but hardly ever forgets his mobile phone. The latter disadvantage does not hold if the OTP token is a SIM Toolkit application running on the SIM card, instead of a separate hardware token.

 Users are more likely to forget their USB PKI token or PKI smartcard than they are likely to forget their mobile phone. Also, some tokens require the user to enter a PIN code using the keyboard of a PC, which cannot be trusted to be secure (consider key loggers and other malware) and they require installed hardware (a card reader) and/or software (drivers, middleware).

This comparison only considers authentication solutions. Properly speaking, only the last solution, the USB PKI token, can be compared to Mobile PKI because it allows digital signing. Please note that the over-the-air capabilities of the SIM Toolkit API deliver additional advantages of Mobile PKI over traditional USB PKI tokens and smartcards, because this allows for a flexible migration path from simple (unqualified) certificates to qualified certificates. The mobile operator in fact provides a secure connection to the SIM card that allows updates to be performed post-issuance.

The fact that it depends on the MO is also the weakness of Mobile PKI. Introduction is possible only in collaboration with an MO. A heterogeneous group of users (with contracts with different MOs) can only make use of Mobile PKI if all MOs cooperate. Based on the preceding remarks and the conclusions in the various chapters (2.3, 3.6,4.4) we conclude:

 Mobile PKI technology is based on the standard components that have been around since 2001 and are technically mature and standardised. The use of open standards ensures that IdP/APs such as SURFnet can adopt the technology with relative ease. However, the technology requires quite advanced (and therefore expensive) SIMs. The mobile operators, who own the SIMs, play a key part in the implementation. The introduction of Mobile PKI at a national level is possible only with the support of all mobile operators. This report does not answer the question why mobile PKI has not yet been introduced on a large scale in the Netherlands. Some progress can be discerned in recent years (2007-2009). Many pilots have been announced or under taken. Mobile PKI has also been deployed for banking services, for instance in Turkey, Scandinavia and the Baltic states. Valimo, the provider of the technology employed in this pilot, features relatively often in press releases and has set up

partnerships with all large SIM manufacturers and many European mobile operators.

 The Mobile PKI architecture is very flexible as a result of standardisation. This allows for many variations in the configuration. The mobile operator plays an important part in every configuration variant because it manages the access to the SIM card.

 The security of Mobile PKI is quite sufficient. ETSI has formulated an exhaustive programme of requirements for Mobile PKI. The implementation by Valimo meets these requirements (as far as the authors of this report have been able to determine). Mobile PKI is a much stronger form of authentication than username/password combinations because it gives the SIM card (which adheres

to the stringent Common Criteria requirements) an essential task. The only threat scenario, a “mafia in the middle” attack executed by an untrusted application provider, or a “man in the browser”, is possible only if the users do not pay proper attention.

 Regarding the application of Mobile PKI for SURFnet, it seems that the security is unnecessarily strong for many of the current applications. Depending on the costs this does not need be an impediment, as the solution is user-friendly. The solution does have merits for some target groups (requiring a high level of security and involving a low number of employees). It seems advisable to experiment with the solution for these target groups and to delay further introduction until Mobile PKI technology is more widely adopted in the Netherlands and more insight is gained into the costs for support by all three mobile operators. In the meantime, a more extensive use of SMS one-time passwords may be considered for step-up authentication or password reset.

A login case

There are a lot of methods to authenticate a user before he or she can use online banking services. In Pakistan, banks commonly use user name and password to authenticate web users. This method has quite weak security and so banks are unable to offer many services online which if they offer will definitely help them growing their business. Other methods that are being used across the globe in this sector include PIN/TAN list, OTP, EMV card reader, Mobile One Time Password, and Smart Cards etc. These all have their drawbacks of being expensive, not much secure or difficult to maintain by businesses and by end users. Mobile PKI in comparison offers a very easy to use and highly secure mechanism for digital authentication. It gives a user or service provider security, ease of use, mobility, low usage cost, low maintenance and the most important legally qualified way of authentication.

Digital authentication with Mobile PKI is a very simplistic case to understand how wireless public key infrastructure works for user.

A mobile PKI authentication system involves mobile signature service provider and certification authority in addition to cellular service to convey short messages to user.

Following is a typical flow that completes a authentication for web bank login,

Web bank login

1. User opens web bank page
2. User enters its mobile number as id and submits
3. Bank receives the message, confirms that user is registered to its system and sends the message to MSSP to authenticate using mobile PKI
4. MSSP prepares an authentication message and sends it SMSC to deliver it to end user
5. SMSC sends the message to end user mobile
6. Mobile PKI client receives the message and asks user for confirmation
7. Mobile PKI client generates an authentication response signed by the private key and sends it back to SMSC
8. MSSP receives response from SMSC
9. MSSP validates the signed content with the help of certification authority
10. MSSP returns response with authentication result to web bank application
11. Web bank authorizes access or block it as per authentication result

The user sees following screens during this process to authenticate itself with mobile,

Authentication message at mobile client

The benefit for users and service providers are ample in mobile PKI system which include but not limited to,

1. No need to have long PIN/TAN list or complicated passwords for user
2. Perfect mobility as mobile phone is 24 hour companion now a days
3. Fully secure transaction
4. Cost effective for banks in comparison to other mechanisms
5. New business channel for telecom operator

The above case is for web bank login scenario but it is similar for almost all types of login requirements e.g. VPN access, mobile banking etc.

Mobile financial services!

Mobile financial services are very hot topic in Pakistan these days and there are many initiatives already thriving or trying to grab the initial market share in this sector. Telenor's easypaisa, UBL orion, Mobilink's Genie and similar services are trying to attract consumers attention. These services are mainly relying on their internal secure mechanism to deliver these services in collaboration with the financial institutes they have partnered with. The very basic deficiency in such a service is lack of openness for other parties and it creates unnecessary fierce competition among market players to grab their share. In case of telecom operators, it is already established that Pakistani market can not afford presence of five operators and ideas of mergers are not far fetched anymore. These mergers occur or not it is clear that at least these financial services need to be merged or work together as having one or more services per telecom operator would not support any business. 

Integration of financial services is only possible with the help of digital signature which invites public key infrastructure to play its part. PKI is now an established standard and legally valid signatures in EU and many part of the world. The draft released by State bank of Pakistan also recommends PKI to be core part of financial isntrument. Mobile PKI is also not a new concept anymore and successful commercial launch of Turkcell mPKI has removed any doubts about its complexities whatsoever. Consumers need mPKI enabled SIM to carry out digital signing in presence of supporting software at service provider's domain. These mPKI enabled SIM are not expensive to afford and their price becomes negligible when we talk about millions of users. And last but not the least, the whole signing experience is very simple and appealing to consumer. The initial cost of having such an eco-system can be a bit higher but rate of return is not that bad. Additionally, revenue sharing schemes can also simplify costs for everyone.

A typical mPKI system consists of apart from end users 1) telecom operator(s) 2) a trusted service provider 3) financial institution(s) and finally 4) application providers which make interesting applications available.

The mPKI system is good for everyone and creates a real supporting business environment where all of stakeholders receive benefits of its existence,

1)    End users find an exciting service that gives a secure and convenient way of completing transactions

2)    Telco gets business from this model as its somewhat leveraged network service is being used and mainly by the users who actually mean business

3)    Banks suddenly find a huge number of new customers who can use their financial services

4)    Application providers find a platform to sell through their exciting and innovative applications

Some example applications include but not limited to mobile payment, mobile money transfer, branchless banking, corporate login, stock trading, submitting tax returns, and many more. Actually, the number of applications for such a service is only bound by the imagination.

In conclusion, this is the right time for financial institutions across Pakistan to sit together along with cellular operators and trust centers to carve out a transaction integrity and security model based on mPKI system. This will not only help boost local economy by promoting businesses but also give international investor a confidence that is needed to increase their participation in business development in Pakistan.