
Friday, March 26, 2010

Trust center based digital signature system!

This model rests on one rule: each participant in the ecosystem does what it does best. The telecom operator is responsible only for issuing WPKI-enabled SIMs to its customers and for keeping the mobile network up so that signing requests and responses are delivered. Banks and other financial institutions deal with financial matters and payment techniques. And, last but not least, the independent and already established certification authorities provide the trust management (issuing, validating and revoking certificates) in this model.

This is a many-to-many model; in principle there is no limit on adding more players to the ecosystem, so it can ultimately grow into a global (or locally global) system.


Update: A closer and more descriptive model is presented by Dr. Yaseen of the PTA (Pakistan Telecommunication Authority) here.

Telco led digital signature system!

A telecom operator led ecosystem benefits from the fact that the telco also owns the SIM, which is the heart of this system: the private key lives in the SIM and the signing application runs there. For this very reason the time to market is much shorter. Turkcell is a live example of such a system and is seeing great success in the Turkish market.

Certification authority functions are needed, either integrated within the telco or contracted from outside. A financial institution can be acquired by the telco, or a partnership can be established. In the case of a partnership, a certification authority trusted by both parties is a must.


The downside of this model is that the telco enters a business it knows very little about. Furthermore, bringing banks and governments on board is a challenging task for someone not already working in that area.

Wednesday, March 24, 2010

Bank led digital signature system!

A bank led digital signature ecosystem is normally fully sponsored by the bank itself. An external certification authority may not be needed in this model; the bank can use an in-house CA instead. Since the service is offered mainly to existing or new customers of the same bank, a third party for trust management normally becomes redundant. The telecom operator takes part in this model only as the mobile network provider, which is its specialty.

A bank that has built this ecosystem can offer unique services on top of its existing systems such as web and mobile banking. In addition, the bank can offer a service platform to application providers, who can in turn offer innovative and exciting services to end users in the ecosystem.


Registration in this model requires the user to go to a telecom operator franchise to get a WPKI-enabled SIM and then to a bank branch to get registered in the system. Another approach would be to distribute the SIMs at the bank branch.
The bank led model is technically quick to start with, but it is a common observation that banks take a very long time to get things going.

Saturday, March 13, 2010

Signature ecosystem!

A mobile PKI system consists of many components and players that together form an ecosystem. The main stakeholders of that ecosystem are financial institutions, application providers, certification authorities and mobile network operators.

The signature itself is computed by an application on the mobile SIM, and the private key is stored there too, so it is commonly assumed that the major player is the mobile network operator who owns the SIM. But it is very important to understand that only financial institutions are licensed to carry out financial transactions. So if we are talking about financial transactions over mobile, the financial institution and the mobile network operator are equally important in the ecosystem.

Although a financial institution or a mobile network operator can itself act as certification authority, to make the system trusted by third parties it is very good practice to involve trusted and well-known certificate authorities in the region to manage the digital certificates. Involving such certification authorities also brings quality and specialisation of service to the ecosystem.

The presence of financial institutions, mobile network operator(s) and one or more certification authorities makes a complete system for running digital signatures, but business cannot be won without introducing application providers to this ecosystem. These application providers are merchants or service providers who create value for customers by offering attractive products and services, and who use the digital signature ecosystem to run their businesses effectively.
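To make the division of roles concrete, here is an added example (it is not code from the original post and does not model any vendor's product): a small Go program in which a CA issues a certificate for the SIM's key, the application provider builds a signing request, the SIM signs it only after the PIN is entered, and the application provider verifies the result. Everything in it is an assumption for illustration: ECDSA P-256 keys, a single root CA, the names "Example Bank", "Example Shop" and "subscriber-0001", the constructed transaction texts, the PIN "1234", and the way relying party, displayed text and nonce are hashed into the data to be signed. The mobile network's delivery of the request and the signature (the operator's part) is left out; the point is what each remaining party must check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// issue signs tmpl with signer's key (parent == tmpl for a self-signed root) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

type (
	// CA stands in for the certification authority; assumption: a single ECDSA P-256 root.
	CA struct{ key *ecdsa.PrivateKey; cert *x509.Certificate; Roots *x509.CertPool }
	// SIM stands in for the WPKI applet: key generated on card, signing gated by the user's PIN.
	SIM struct{ key *ecdsa.PrivateKey; pin string }
	// SignRequest is what the application provider hands to the operator for delivery to the handset.
	SignRequest struct{ RelyingParty, DisplayText string; Nonce []byte }
)

func NewCA() *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Mobile Signature CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert := issue(tmpl, tmpl, &key.PublicKey, key) // self-signed root
	roots := x509.NewCertPool(); roots.AddCert(cert) // what application providers are configured to trust
	return &CA{key, cert, roots}
}

// Enrol binds a subscriber identity to the SIM's public key; the private key never leaves the SIM.
func (ca *CA) Enrol(subject string, pub *ecdsa.PublicKey) *x509.Certificate {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: subject}, // assumption: toy serial
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}, ca.cert, pub, ca.key)
}

// DataToBeSigned commits to relying party, displayed text and nonce (length-prefixed), so consent to one text cannot be reused for another.
func (r SignRequest) DataToBeSigned() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s|%d:%s|%x", len(r.RelyingParty), r.RelyingParty, len(r.DisplayText), r.DisplayText, r.Nonce)
	return h.Sum(nil)
}

// Sign runs on the SIM after the user has read RelyingParty and DisplayText on the phone: no PIN, no signature.
func (s *SIM) Sign(req SignRequest, pinEntered string) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pinEntered), []byte(s.pin)) != 1 {
		return nil, fmt.Errorf("wrong PIN")
	}
	return ecdsa.SignASN1(rand.Reader, s.key, req.DataToBeSigned())
}

// Verify is the application provider's check: the certificate chains to a trusted CA and the signature covers exactly its own request.
func Verify(roots *x509.CertPool, cert *x509.Certificate, req SignRequest, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, req.DataToBeSigned(), sig) {
		return fmt.Errorf("signature does not match this request")
	}
	return nil
}

// RunFlow plays the exchange once: the bank's request verifies, a relayed copy is refused, a wrong PIN yields nothing.
func RunFlow() (genuineOK, relayedRejected, wrongPINRejected bool) {
	ca := NewCA()
	sim := &SIM{must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), "1234"} // issued by the operator
	cert := ca.Enrol("subscriber-0001", &sim.key.PublicKey)                    // registration at the bank
	nonce := make([]byte, 16); must(rand.Read(nonce))
	req := SignRequest{"Example Bank", "Pay 500 to account 42", nonce} // constructed sample transaction
	sig, err := sim.Sign(req, "1234")                                   // user reads the text, enters PIN
	genuineOK = err == nil && Verify(ca.Roots, cert, req, sig) == nil
	other := SignRequest{"Example Shop", "Pay 5000 to account 99", nonce} // constructed relay attempt
	relayedRejected = Verify(ca.Roots, cert, other, sig) != nil
	_, err = sim.Sign(req, "0000"); wrongPINRejected = err != nil
	return
}

func main() { fmt.Println(RunFlow()) }
```

Run with go run and it prints three booleans: the bank's own request verifies; the same signature presented as consent to another party's text is refused, because the relying party and the display text are bound into what the SIM signed; and a wrong PIN produces no signature at all. Binding the text the user saw on the handset into the signature is what makes "what you see is what you sign" hold; without it a dishonest application provider could relay the user's signature as consent to a different transaction.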

Tuesday, January 5, 2010

Mobile PKI report published by Dutch organisation

A technology scouting for security and use of mobile authentication technologies
The above is a link to a report published by SURFnet, a Dutch organisation. It is a very good report that discusses the technology, a conceptual architecture, security, and the use of mobile PKI in an educational environment. It is definitely a good read for building an understanding of mobile PKI for authentication.
The conclusions and recommendations section of the report is reproduced below.
The question arises of how Mobile PKI compares to other solutions. What are the Unique Selling Points for Mobile PKI?
- Mobile PKI uses a "something you have" token, specifically the SIM card in the mobile phone. This overcomes many problems that are associated with, for instance, simple username/password authentication. Phishing attacks, for example, are made a thing of the past.
- As with a TAN list, Mobile PKI uses an external channel. Mobile PKI has many advantages with respect to user-friendliness because most users have a mobile phone with them but few carry a list of TAN codes.
- As with SMS-OTP, Mobile PKI uses an external channel, i.e., the user's mobile phone. Mobile PKI has the advantage that it does not require the user to type in a code from the mobile phone on the PC. The PIN code the user must enter on the mobile phone is always the same.
- An "OTP token with display" (for instance a banking token) also requires that the user types in codes from the handset on the PC. A user may forget such a token, but hardly ever forgets his mobile phone. The latter disadvantage does not hold if the OTP token is a SIM Toolkit application running on the SIM card, instead of a separate hardware token.
- Users are more likely to forget their USB PKI token or PKI smartcard than they are likely to forget their mobile phone. Also, some tokens require the user to enter a PIN code using the keyboard of a PC, which cannot be trusted to be secure (consider key loggers and other malware), and they require installed hardware (a card reader) and/or software (drivers, middleware).
This comparison only considers authentication solutions. Properly speaking, only the last solution, the USB PKI token, can be compared to Mobile PKI because it allows digital signing. Please note that the over-the-air capabilities of the SIM Toolkit API deliver additional advantages of Mobile PKI over traditional USB PKI tokens and smartcards, because this allows for a flexible migration path from simple (unqualified) certificates to qualified certificates. The mobile operator in fact provides a secure connection to the SIM card that allows updates to be performed post-issuance.
The fact that it depends on the MO is also the weakness of Mobile PKI. Introduction is possible only in collaboration with an MO. A heterogeneous group of users (with contracts with different MOs) can only make use of Mobile PKI if all MOs cooperate. Based on the preceding remarks and the conclusions in the various chapters (2.3, 3.6, 4.4) we conclude:
- Mobile PKI technology is based on standard components that have been around since 2001 and are technically mature and standardised. The use of open standards ensures that IdP/APs such as SURFnet can adopt the technology with relative ease. However, the technology requires quite advanced (and therefore expensive) SIMs. The mobile operators, who own the SIMs, play a key part in the implementation. The introduction of Mobile PKI at a national level is possible only with the support of all mobile operators. This report does not answer the question why mobile PKI has not yet been introduced on a large scale in the Netherlands. Some progress can be discerned in recent years (2007-2009). Many pilots have been announced or undertaken. Mobile PKI has also been deployed for banking services, for instance in Turkey, Scandinavia and the Baltic states. Valimo, the provider of the technology employed in this pilot, features relatively often in press releases and has set up partnerships with all large SIM manufacturers and many European mobile operators.
- The Mobile PKI architecture is very flexible as a result of standardisation. This allows for many variations in the configuration. The mobile operator plays an important part in every configuration variant because it manages the access to the SIM card.
- The security of Mobile PKI is quite sufficient. ETSI has formulated an exhaustive programme of requirements for Mobile PKI. The implementation by Valimo meets these requirements (as far as the authors of this report have been able to determine). Mobile PKI is a much stronger form of authentication than username/password combinations because it gives the SIM card (which adheres to the stringent Common Criteria requirements) an essential task. The only threat scenario, a "mafia in the middle" attack executed by an untrusted application provider, or a "man in the browser", is possible only if the users do not pay proper attention.
- Regarding the application of Mobile PKI for SURFnet, it seems that the security is unnecessarily strong for many of the current applications. Depending on the costs this need not be an impediment, as the solution is user-friendly. The solution does have merits for some target groups (requiring a high level of security and involving a low number of employees). It seems advisable to experiment with the solution for these target groups and to delay further introduction until Mobile PKI technology is more widely adopted in the Netherlands and more insight is gained into the costs for support by all three mobile operators. In the meantime, a more extensive use of SMS one-time passwords may be considered for step-up authentication or password reset.