A KIND OF IMPLEMENT ABOUT MOBILE SIGNATURE SERVICE BASED ON MOBILE TELEPHONE TERMINAL

Transcription

1 A KIND OF IMPLEMENT ABOUT MOBILE SIGNATURE SERVICE BASED ON MOBILE TELEPHONE TERMINAL Wangjian, Xu Guoai, Zhangmiao National Engineering Laboratory for Disaster Backup and Recovery, Beijing University of Posts and Telecommunications Beijing, PRC Abstract Mobile signature is a relatively new security authentication mechanism that a kind of special electric signature. It brings a great convenience for people and helps some enterprise save cost, such as bank. By introducing the concept of mobile signature I will analyze the limitation and deficiency of common electronic signature. The implement of mobile signature will also be introduced in this paper. Meanwhile some information, which mainly includes mobile signature service, mobile signature provider and the cryptographic techniques, involved in the implement will be described in detail. Keywords: Mobile Signature; MSSP; PKI; AP; CA 1 Introduction More and more people use electronic communications facilities and network communications equipment in daily lives. Sometimes people need use them to interact with the one who we have never met before. Usually people hope that there is a security mechanism to make sure they can carry on the interactions with different parties, such as consumers, businesses and government departments, with confidence. So electronic signature appears to solve this problem. But up to now, most electronic signatures are created by secure systems that usually called "secure signature creation devices". Typically, this contains a smartcard and a card reader with sufficient processing power and display capabilities to present some information that about signature. However, as far as consumers are concerned, citizens will not want to invest in such equipment, which for the most part may remain connected to personal computer equipment when they want to use the electric signature. An alternative approach is to capitalize on the fact that many citizens already possess a device which contains a smartcard and which itself is effectively a personal card reader- their mobile phone. By now mobile penetration rates are approaching 80 % of the population. As one of the most widely-owned electronic devices, the mobile phone represents a convenient choice for -1-

2 implementation of a socially-inclusive, electronic signature solution for the majority of citizens. Electronic signatures created in this way are called "Mobile Signatures". [1] The rest of this paper is organized as follows: section 2 introduces framework and core flows of mobile signature service. Section 3 will descript some advantages, some shortcomings and scope of application 2 Structure of mobile signature service system Mobile signatures are basically digital signatures that are created using your mobile terminal (SIM/java card or PDA); hence it can be used to provide legally binding and ultimately secured transactions. [4]It is not restricted to mobile services and will play a pivotal role in reaching an appropriate level of confidence, acceptance and interoperability to support implementation of the transaction - particularly for consumer markets. It not only helps to identify and authenticate users, but also can be used to sign, seal and secure the content of any transaction itself for any further changes, securing both parties of a transaction. By establishing a Public Key Infrastructure (PKI) and providing keys to end users on mobile phone SIM/java cards or PDA, the notion of mobile identity is established. Digital certificates issued to a reliably identified person secures mobile transactions, and also enables the delivery of new features and services, like allowing documents to be signed on the same legal footing as hand-signed paper documents in many countries. Hence a mobile signature can also provide a secure authentication mechanism for a service provider but authentication alone is insufficient to provide a secure transaction signing, in a legally binding way. Essentially, it can be applied to any service which requires a legal proof of identity or legally binding of parties involved. For example you can authenticate to access your financial records with assured privacy or you can sign a contract online, with the same effect as wet signature. Mobile signature service system is mainly composed of four parts. The four parts and their relationship are shown in the follow picture. Certificate Authority (CA) Application Provider (AP) Mobile Signature Service Provider (MSSP) Mobile Phone End Figure1. The mobile signature service system framework MSSP(Mobile signature service Provider) plays a key role in the Mobile Signature Services(MSS) system.mssp acts as Mobile Signature Service Provider (MSSP) platform which provides the core -2-

3 server-side functionality that mobile signature and mobile identity services for Application Providers (AP) and end-users. MSSP covers the entire signature transaction life cycle by managing signing requests, the signature verification and certificate validation process, and the transaction recording requirements. MSSP also works as a register agency, it is base B/S structure, when a use login the platform, he should register firstly. MSSP help to manage the use who has registered and apply for digit certification from CA. CA (Certificate Authority) can be Official Governmental CA,Mobile Operator CA,Corporate CA,3rd party CA and so on. It interoperates with MSSP and handles the request from MSSP..In mobile signature service system Certificates are not on SIM/UICC or mobile telephone, they are on CA s directory on the network So CA mainly takes charge of issuing certificates managing certificates and updating certificates. AP(Application Provider)can be person or organization who develops and/or sells and/or supports a service used by a citizen, AP can be banks, web shops, call center services, or on-line government services, providing services that require users to authenticate themselves or sign contracts with a mobile signature. Mobile Phone End is the entities on behalf of users Mobile signature user terminal is the core of the security mechanisms of the mobile signature service system. Public Key Infrastructure(PKI) is a ideal technical solution for our need. PKI on Mobile Terminal is called Wireless PKI or WPKI and sometimes Mobile PKI. Mobile PKI is just an enabler to services. We can use asymmetric cryptography encryption technology and RSA algorithm, the public and private keys are generated by mobile phone terminals. [3] If the mobile phone terminals is PDA. Openssl or CryptoAPI can be used to generate public and private keys. The public key sent back to the MSSP then will be stored in the certificate which was managed by CA,while private key is stored in the phone in order to sign the information to be signed that comes from MSSP. If the security mechanism based on java card, we can take advantage of the jdk (java developer kits) and java virtual machine to generate public and private keys achieving the same goal, SIM card is also similar to them talked about above. 3 Implement of mobile signature service system When the user uses the mobile signature system for the first time, he should register at first. The registration service is based on B / S structure, integrated in the MSSP platform. The users need to fill out some necessary personal information which will be used when applying for a certificate from CA, then MSSP platform will send a random verification code to the user whose phone number is the same as the one just filled in the registration information. random verification code plays two roles, one can verify the Mobile Phone End whether or not to support mobile signature services; Second, in order to ensure that the current holder of the mobile phone is the person who are registering. Mobile phone holders should fill the verification code displayed on the phone in the specified location of web page, and then continue to the next steps in the implementation of the registration. Generally, there are the following steps: 1.Fill in some personal information such as: mobile phone number, user name, real name. After filling out personal information, MSSP will send a random code to mobile phone number just filled in the registration information. -3-

4 2. The holder of mobile phone fill the verification code displayed in the phone in the WEB page, and then continue to registering. After passing validation. MSSP platform will send generating key request to the mobile terminal. 3.Moblie phone holders have confirmed that request, if agreed to, then call the relevant API to generate public-private key of RSA algorithm, and the public key will be send back to the MSSP, the private key is stored in the mobile terminal with a view to subsequent use, such as signatures, decryption and so on. If refused to the request then send a message back to MSSP platform. 4. After receiving the public key, MSSP will apply for certificate from CA, and put the public key in the certificate. If a refusal have been received, then MSSP will jump out of the registration process and the users will be marked as not active user. 5. On the login page, user should fill in the mobile phone number or user name and password, then the MSSP will send some information to be signed to the mobile terminal. 6. Mobile terminal signs the information coming from MSSP, then send the signature back to MSSP. 7. MSSP uses public-key to verify the signature, if passing validation, then the uses come in users list page where they can do some transaction that they like. 4 Conclusion Mobile signature can effective resolve a series of hot problems in our life. It can reduce administrative costs and ID theft,offload the AP s liability,provide customers with strong authentication to overcome security problems,need fewer passwords as it is used for different applications and has other merit such as: low cost, fast implementation no extra hardware, faster and secure business processes bringing mobility. So it can be used as an important enabler within a number of different services for the consumer and enterprise market, such as: 1. Financial services, such as mobile banking, online credit applications, insurance applications, investment banking 2. Governmental services, such as online signing of official permit applications, signing of tax or customs declarations, intercommunity transactions, e-transactions 3. Healthcare services, providing proof of identity and permission of access to health services and medical records 4. Corporate services; secure document management and document exchange, secure s, VPN access. At the same time there is bound to be defects in mobile signature,such as : Implementation challenges for mobile signature revolve around the adoption of "portal" strategies by many mobile operators. This effectively requires applications developers and other service providers to realize solutions using different applications Programming Interfaces (APIs). For mobile signature, this has consequences in both the registration and usage phases. In a word, mobile signature will have a good future. References [1] Mobile Commerce(M-COMM); Mobile Signature; Business and Functional Requirements ETSI TR v1.1.1 [2] -4-

5 [3] 马臣云王彦.PKI 网络编程认证技术与编程实现人民邮电出版社,2008 [4] 林胜利路宗强王坤茹.java 智能卡开发关键技术与实例中国铁道出版社 [5] Author Brief Introduction: Wangjian Beijing University of Posts and Telecommunications Master of cryptography -5-