A KIND OF IMPLEMENT ABOUT MOBILE SIGNATURE SERVICE BASED ON MOBILE TELEPHONE TERMINAL

Similar documents
Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

WIRELESS PUBLIC KEY INFRASTRUCTURE FOR MOBILE PHONES

10 Secure Electronic Transactions: Overview, Capabilities, and Current Status

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Mobile OTPK Technology for Online Digital Signatures. Dec 15, 2015

PrivateServer HSM Integration with Microsoft IIS

Using etoken for SSL Web Authentication. SSL V3.0 Overview

National Certification Authority Framework in Sri Lanka

Applying Cryptography as a Service to Mobile Applications

Neutralus Certification Practices Statement

Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer. February 3, 1999

Introducing etoken. What is etoken?

How To Manage A Password Protected Digital Id On A Microsoft Pc Or Macbook (Windows) With A Password Safehouse (Windows 7) On A Pc Or Ipad (Windows 8) On An Ipad Or Macintosh (Windows 9)

Securing your Online Data Transfer with SSL

Security Digital Certificate Manager

Security Digital Certificate Manager

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University


Savitribai Phule Pune University

CRYPTOGRAPHY AS A SERVICE

Understanding Digital Certificates & Secure Sockets Layer A Fundamental Requirement for Internet Transactions

How To Understand And Understand The Security Of A Key Infrastructure

A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Managed Services PKI 60-day Trial Quick Start Guide

Research Article. Research of network payment system based on multi-factor authentication

Encryption-based 2FA for Server-side Qualified Signature Creation

Understanding digital certificates

SecureStore I.CA. User manual. Version 2.16 and higher

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008

Entrust Managed Services PKI. Getting an end-user Entrust certificate using Entrust Authority Administration Services. Document issue: 2.

Certification Practice Statement

Public-Key Infrastructure

eid Security Frank Cornelis Architect eid fedict All rights reserved

Understanding Digital Certificates and Wireless Transport Layer Security (WTLS)

DVS DCI Signing Certificate Tool

REGISTRATION AUTHORITY (RA) POLICY. Registration Authority (RA) Fulfillment Characteristics SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A.

CERTIFICATION PRACTICE STATEMENT UPDATE

DIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES

Multifactor authentication systems Jiří Sobotka, Radek Doležel

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Cornerstones of Security

Guide for Securing With WISeKey CertifyID Personal Digital Certificate (Personal eid)

CS 356 Lecture 28 Internet Authentication. Spring 2013

The Concept of Trust in Network Security

CoSign for 21CFR Part 11 Compliance

IBM Client Security Solutions. Client Security User's Guide

Danske Bank Group Certificate Policy

Public Key Encryption and Digital Signature: How do they work?

OOo Digital Signatures. Malte Timmermann Technical Architect Sun Microsystems GmbH

Guide to Obtaining Your Free WISeKey CertifyID Personal Digital Certificate on Aladdin etoken (Personal eid)

TELSTRA RSS CA Subscriber Agreement (SA)

End User Encryption Key Protection Policy

New York State Electronic Signatures and Records Act

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173

Understanding Digital Certificates and Secure Sockets Layer (SSL)

White Paper. Enhancing Website Security with Algorithm Agility

esign Online Digital Signature Service

Certum QCA PKI Disclosure Statement

RELEASE NOTES. Table of Contents. Scope of the Document. [Latest Official] ADYTON Release corrections. ADYTON Release 2.12.

Understanding Digital Certificates & Secure Sockets Layer (SSL): A Fundamental Requirement for Internet Transactions

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

HKUST CA. Certification Practice Statement

Secure Authentication for the Development of Mobile Internet Services Critical Considerations

Arcot Systems, Inc. Securing Digital Identities. FPKI-TWG Mobility Solutions Today s Speaker Tom Wu Principal Software Engineer

An Introduction to Entrust PKI. Last updated: September 14, 2004

M-Shield mobile security technology

Information Security

Journal of Electronic Banking Systems

VoIP Security. Seminar: Cryptography and Security Michael Muncan

Longmai Mobile PKI Solution

m Commerce Working Group

DRAFT Standard Statement Encryption

IMPROVED SECURITY MEASURES FOR DATA IN KEY EXCHANGES IN CLOUD ENVIRONMENT

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

SSL A discussion of the Secure Socket Layer

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

Business Issues in the implementation of Digital signatures

Network Security Protocols

How To Encrypt Data With Encryption

Keywords Cloud Computing, CRC, RC4, RSA, Windows Microsoft Azure

Introduction to Network Security Key Management and Distribution

INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS Aristotle University of Thessaloniki PKI ( WHOM IT MAY CONCERN

Key Management Best Practices

MOBILE CHIP ELECTRONIC COMMERCE: ENABLING CREDIT CARD PAYMENT FOR MOBILE DEVICES

Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate thawte thawte thawte thawte thawte 10.

Using etoken for Securing s Using Outlook and Outlook Express

ING Public Key Infrastructure Certificate Practice Statement. Version June 2015

[SMO-SFO-ICO-PE-046-GU-

Digital identity: Toward more convenient, more secure online authentication

Transcription:

A KIND OF IMPLEMENT ABOUT MOBILE SIGNATURE SERVICE BASED ON MOBILE TELEPHONE TERMINAL Wangjian, Xu Guoai, Zhangmiao National Engineering Laboratory for Disaster Backup and Recovery, Beijing University of Posts and Telecommunications Beijing, PRC 100876 wangjian_fly@hotmail.com xuguoai@bupt.edu.cn zhangmiao@bupt.edu.cn Abstract Mobile signature is a relatively new security authentication mechanism that a kind of special electric signature. It brings a great convenience for people and helps some enterprise save cost, such as bank. By introducing the concept of mobile signature I will analyze the limitation and deficiency of common electronic signature. The implement of mobile signature will also be introduced in this paper. Meanwhile some information, which mainly includes mobile signature service, mobile signature provider and the cryptographic techniques, involved in the implement will be described in detail. Keywords: Mobile Signature; MSSP; PKI; AP; CA 1 Introduction More and more people use electronic communications facilities and network communications equipment in daily lives. Sometimes people need use them to interact with the one who we have never met before. Usually people hope that there is a security mechanism to make sure they can carry on the interactions with different parties, such as consumers, businesses and government departments, with confidence. So electronic signature appears to solve this problem. But up to now, most electronic signatures are created by secure systems that usually called "secure signature creation devices". Typically, this contains a smartcard and a card reader with sufficient processing power and display capabilities to present some information that about signature. However, as far as consumers are concerned, citizens will not want to invest in such equipment, which for the most part may remain connected to personal computer equipment when they want to use the electric signature. An alternative approach is to capitalize on the fact that many citizens already possess a device which contains a smartcard and which itself is effectively a personal card reader- their mobile phone. By now mobile penetration rates are approaching 80 % of the population. As one of the most widely-owned electronic devices, the mobile phone represents a convenient choice for -1-

implementation of a socially-inclusive, electronic signature solution for the majority of citizens. Electronic signatures created in this way are called "Mobile Signatures". [1] The rest of this paper is organized as follows: section 2 introduces framework and core flows of mobile signature service. Section 3 will descript some advantages, some shortcomings and scope of application 2 Structure of mobile signature service system Mobile signatures are basically digital signatures that are created using your mobile terminal (SIM/java card or PDA); hence it can be used to provide legally binding and ultimately secured transactions. [4]It is not restricted to mobile services and will play a pivotal role in reaching an appropriate level of confidence, acceptance and interoperability to support implementation of the transaction - particularly for consumer markets. It not only helps to identify and authenticate users, but also can be used to sign, seal and secure the content of any transaction itself for any further changes, securing both parties of a transaction. By establishing a Public Key Infrastructure (PKI) and providing keys to end users on mobile phone SIM/java cards or PDA, the notion of mobile identity is established. Digital certificates issued to a reliably identified person secures mobile transactions, and also enables the delivery of new features and services, like allowing documents to be signed on the same legal footing as hand-signed paper documents in many countries. Hence a mobile signature can also provide a secure authentication mechanism for a service provider but authentication alone is insufficient to provide a secure transaction signing, in a legally binding way. Essentially, it can be applied to any service which requires a legal proof of identity or legally binding of parties involved. For example you can authenticate to access your financial records with assured privacy or you can sign a contract online, with the same effect as wet signature. Mobile signature service system is mainly composed of four parts. The four parts and their relationship are shown in the follow picture. Certificate Authority (CA) Application Provider (AP) Mobile Signature Service Provider (MSSP) Mobile Phone End Figure1. The mobile signature service system framework MSSP(Mobile signature service Provider) plays a key role in the Mobile Signature Services(MSS) system.mssp acts as Mobile Signature Service Provider (MSSP) platform which provides the core -2-

server-side functionality that mobile signature and mobile identity services for Application Providers (AP) and end-users. MSSP covers the entire signature transaction life cycle by managing signing requests, the signature verification and certificate validation process, and the transaction recording requirements. MSSP also works as a register agency, it is base B/S structure, when a use login the platform, he should register firstly. MSSP help to manage the use who has registered and apply for digit certification from CA. CA (Certificate Authority) can be Official Governmental CA,Mobile Operator CA,Corporate CA,3rd party CA and so on. It interoperates with MSSP and handles the request from MSSP..In mobile signature service system Certificates are not on SIM/UICC or mobile telephone, they are on CA s directory on the network So CA mainly takes charge of issuing certificates managing certificates and updating certificates. AP(Application Provider)can be person or organization who develops and/or sells and/or supports a service used by a citizen, AP can be banks, web shops, call center services, or on-line government services, providing services that require users to authenticate themselves or sign contracts with a mobile signature. Mobile Phone End is the entities on behalf of users Mobile signature user terminal is the core of the security mechanisms of the mobile signature service system. Public Key Infrastructure(PKI) is a ideal technical solution for our need. PKI on Mobile Terminal is called Wireless PKI or WPKI and sometimes Mobile PKI. Mobile PKI is just an enabler to services. We can use asymmetric cryptography encryption technology and RSA algorithm, the public and private keys are generated by mobile phone terminals. [3] If the mobile phone terminals is PDA. Openssl or CryptoAPI can be used to generate public and private keys. The public key sent back to the MSSP then will be stored in the certificate which was managed by CA,while private key is stored in the phone in order to sign the information to be signed that comes from MSSP. If the security mechanism based on java card, we can take advantage of the jdk (java developer kits) and java virtual machine to generate public and private keys achieving the same goal, SIM card is also similar to them talked about above. 3 Implement of mobile signature service system When the user uses the mobile signature system for the first time, he should register at first. The registration service is based on B / S structure, integrated in the MSSP platform. The users need to fill out some necessary personal information which will be used when applying for a certificate from CA, then MSSP platform will send a random verification code to the user whose phone number is the same as the one just filled in the registration information. random verification code plays two roles, one can verify the Mobile Phone End whether or not to support mobile signature services; Second, in order to ensure that the current holder of the mobile phone is the person who are registering. Mobile phone holders should fill the verification code displayed on the phone in the specified location of web page, and then continue to the next steps in the implementation of the registration. Generally, there are the following steps: 1.Fill in some personal information such as: mobile phone number, user name, real name. After filling out personal information, MSSP will send a random code to mobile phone number just filled in the registration information. -3-

2. The holder of mobile phone fill the verification code displayed in the phone in the WEB page, and then continue to registering. After passing validation. MSSP platform will send generating key request to the mobile terminal. 3.Moblie phone holders have confirmed that request, if agreed to, then call the relevant API to generate public-private key of RSA algorithm, and the public key will be send back to the MSSP, the private key is stored in the mobile terminal with a view to subsequent use, such as signatures, decryption and so on. If refused to the request then send a message back to MSSP platform. 4. After receiving the public key, MSSP will apply for certificate from CA, and put the public key in the certificate. If a refusal have been received, then MSSP will jump out of the registration process and the users will be marked as not active user. 5. On the login page, user should fill in the mobile phone number or user name and password, then the MSSP will send some information to be signed to the mobile terminal. 6. Mobile terminal signs the information coming from MSSP, then send the signature back to MSSP. 7. MSSP uses public-key to verify the signature, if passing validation, then the uses come in users list page where they can do some transaction that they like. 4 Conclusion Mobile signature can effective resolve a series of hot problems in our life. It can reduce administrative costs and ID theft,offload the AP s liability,provide customers with strong authentication to overcome security problems,need fewer passwords as it is used for different applications and has other merit such as: low cost, fast implementation no extra hardware, faster and secure business processes bringing mobility. So it can be used as an important enabler within a number of different services for the consumer and enterprise market, such as: 1. Financial services, such as mobile banking, online credit applications, insurance applications, investment banking 2. Governmental services, such as online signing of official permit applications, signing of tax or customs declarations, intercommunity transactions, e-transactions 3. Healthcare services, providing proof of identity and permission of access to health services and medical records 4. Corporate services; secure document management and document exchange, secure emails, VPN access. At the same time there is bound to be defects in mobile signature,such as : Implementation challenges for mobile signature revolve around the adoption of "portal" strategies by many mobile operators. This effectively requires applications developers and other service providers to realize solutions using different applications Programming Interfaces (APIs). For mobile signature, this has consequences in both the registration and usage phases. In a word, mobile signature will have a good future. References [1] Mobile Commerce(M-COMM); Mobile Signature; Business and Functional Requirements ETSI TR 102 203 v1.1.1 [2] http://www.caihuanet.com/english/xinhuaprchina/200810/t20081015_335226.shtml -4-

[3] 马 臣 云 王 彦.PKI 网 络 编 程 认 证 技 术 与 编 程 实 现 人 民 邮 电 出 版 社,2008 [4] 林 胜 利 路 宗 强 王 坤 茹.java 智 能 卡 开 发 关 键 技 术 与 实 例 中 国 铁 道 出 版 社 [5] http://usstock.jrj.com.cn/2008-01-25/000003229483.shtml Author Brief Introduction: Wangjian Beijing University of Posts and Telecommunications Master of cryptography -5-

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information