Pages

Tuesday, January 5, 2010

Mobile PKI report published by dutch organization

A technology scouting for security and use of mobile authentication technologies
Above is a link to a report which is published by SURFNet, a dutch organization. This is a very good report that discusses technology, conceptual architecture, security and its usage in educational environment. This is definitely a good read for making an understanding of mobile PKI for authentication.
Following is conclusions and recommendations section reproduced here.
The question arises of how Mobile PKI compares to other solutions. What are the Unique Selling Points for Mobile PKI?
 Mobile PKI uses a “something you have” token, specifically the SIM card in the mobile phone. This overcomes many problems that are associated with, for instance, simple username/password authentication. Phishing attacks, for example, are made a thing of the past.
 As with a TAN list, Mobile PKI uses an external channel. Mobile PKI has many advantages with respect to user-friendliness because most users have a mobile phone with them but few carry a list of TAN codes.
 As with SMS-OTP, Mobile PKI uses an external channel, i.e., the user’s mobile phone. Mobile PKI has the advantage that it does not require the user to type in a code from the mobile phone on the PC. The PIN code the user must enter on the mobile phone is always the same.
 An ‘OTP token with display’ (for instance a banking token) also requires that the user types in codes from the handset on the PC. A user may forget such a token, but hardly ever forgets his mobile phone. The latter disadvantage does not hold if the OTP token is a SIM Toolkit application running on the SIM card, instead of a separate hardware token.
 Users are more likely to forget their USB PKI token or PKI smartcard than they are likely to forget their mobile phone. Also, some tokens require the user to enter a PIN code using the keyboard of a PC, which cannot be trusted to be secure (consider key loggers and other malware) and they require installed hardware (a card reader) and/or software (drivers, middleware).
This comparison only considers authentication solutions. Properly speaking, only the last solution, the USB PKI token, can be compared to Mobile PKI because it allows digital signing. Please note that the over-the-air capabilities of the SIM Toolkit API deliver additional advantages of Mobile PKI over traditional USB PKI tokens and smartcards, because this allows for a flexible migration path from simple (unqualified) certificates to qualified certificates. The mobile operator in fact provides a secure connection to the SIM card that allows updates to be performed post-issuance.
The fact that it depends on the MO is also the weakness of Mobile PKI. Introduction is possible only in collaboration with an MO. A heterogeneous group of users (with contracts with different MOs) can only make use of Mobile PKI if all MOs cooperate. Based on the preceding remarks and the conclusions in the various chapters (2.3, 3.6,4.4) we conclude:
 Mobile PKI technology is based on the standard components that have been around since 2001 and are technically mature and standardised. The use of open standards ensures that IdP/APs such as SURFnet can adopt the technology with relative ease. However, the technology requires quite advanced (and therefore expensive) SIMs. The mobile operators, who own the SIMs, play a key part in the implementation. The introduction of Mobile PKI at a national level is possible only with the support of all mobile operators. This report does not answer the question why mobile PKI has not yet been introduced on a large scale in the Netherlands. Some progress can be discerned in recent years (2007-2009). Many pilots have been announced or under taken. Mobile PKI has also been deployed for banking services, for instance in Turkey, Scandinavia and the Baltic states. Valimo, the provider of the technology employed in this pilot, features relatively often in press releases and has set up
partnerships with all large SIM manufacturers and many European mobile operators.
 The Mobile PKI architecture is very flexible as a result of standardisation. This allows for many variations in the configuration. The mobile operator plays an important part in every configuration variant because it manages the access to the SIM card.
 The security of Mobile PKI is quite sufficient. ETSI has formulated an exhaustive programme of requirements for Mobile PKI. The implementation by Valimo meets these requirements (as far as the authors of this report have been able to determine). Mobile PKI is a much stronger form of authentication than username/password combinations because it gives the SIM card (which adheres
to the stringent Common Criteria requirements) an essential task. The only threat scenario, a “mafia in the middle” attack executed by an untrusted application provider, or a “man in the browser”, is possible only if the users do not pay proper attention.
 Regarding the application of Mobile PKI for SURFnet, it seems that the security is unnecessarily strong for many of the current applications. Depending on the costs this does not need be an impediment, as the solution is user-friendly. The solution does have merits for some target groups (requiring a high level of security and involving a low number of employees). It seems advisable to experiment with the solution for these target groups and to delay further introduction until Mobile PKI technology is more widely adopted in the Netherlands and more insight is gained into the costs for support by all three mobile operators. In the meantime, a more extensive use of SMS one-time passwords may be considered for step-up authentication or password reset.

1 comment:

  1. Well written information! The security of Mobile PKI is quite sufficient. ETSI has formulated an exhaustive programme of requirements for Mobile PKI.
    digital signature

    ReplyDelete