Mobile signature

A mobile signature is a digital signature generated either on a mobile phone or on a SIM card.

Origins of the term

mSign

The term first appeared in articles introducing mSign (short for Mobile Electronic Signature Consortium). The consortium was founded in 1999 and comprised 35 member companies. In October 2000, it published an XML interface defining a protocol that allows service providers to obtain a mobile (digital) signature from a mobile phone subscriber.

In 2001, mSign gained industry-wide coverage when it became apparent that Brokat (one of the founding companies) had also obtained a process patent in Germany for using the mobile phone to generate digital signatures.

MoSign project and standardization attempt

The MoSign project (short for Mobile Signature), initiated by the companies Deutsche Bank, Ericsson, Materna, Microsoft, Sema Group, Siemens and TC TrustCenter, was meant to demonstrate the deployment of electronic signatures using a "mobile signing device".

The mobile signing device comprised a Siemens IC35 organizer with an integrated WAP browser and a smart card reader. The user was meant to connect the IC35 via the IrDA interface to an internet-enabled mobile device, which would enable the IC35's WAP browser to view WAP pages from a remote server. To generate a mobile signature, the user inserted a smart card into the IC35's card slot. The digital keys were stored on the smart card, and the signing application was based on the WAP 1.2 Crypto SignText implementation in the WAP browser stack.

In March 2001, four German banks (Deutsche Bank, Commerzbank, Dresdner Bank and HypoVereinsbank) announced that they would use the findings from the MoSign project and develop them into a single standard for electronic signatures used in conjunction with mobile devices and financial services.

ETSI-MSS standardization

The term was then used by Paul Gibson (G&D) and Romary Dupuis (France Telecom) in their standardisation work at the European Telecommunications Standards Institute (ETSI) and published in ETSI Technical Report TR 102 203.

The ETSI-MSS specifications define an XML interface and Mobile Signature Roaming for systems implementing mobile signature services.

Mobile signatures today

Currently, this technology is mostly supported on GSM phones and WAP phones. Mobile signature services on SIM cards can be supported by almost all GSM phones, regardless of their capacity. In the near future, 3G phones and other portable devices will feature a similar mobile signature application.

The mobile signature is the legal equivalent of your own wet signature. The mobile signature is created by typing a secret code (i.e. your signing PIN) into the signing device (for example: your mobile phone). This secret code in combination with your key storage token (for example: SIM card) and a chosen text triggers a cryptographic algorithm to generate the (digital) signature.

Each of your mobile/digital signatures can be linked to a digital certificate (an electronic record) that vouches for your real-world identity.

Thus, the mobile signature is a unique feature for:

Authentication may still be vulnerable to man-in-the-middle attacks and Trojan horses, depending on the scheme employed.[1] Schemes like one-time-password generators and two-factor authentication do not completely solve man-in-the-middle attacks on an open network like the Internet. However, supporting the authentication on the Internet with a parallel closed network like mobile/GSM and a digital-signature-enabled SIM card is the most secure method today against the man-in-the-middle attack. If the application provider provides a detailed explanation of the transaction to be signed both on its Internet site and in the signing request to the mobile operator, the individual can easily recognize the attack by comparing both screens. Since operators do not let anonymous third parties send signing requests, the cost and technical difficulty of intruding between the application provider and the mobile operator normally make it an improbable attack target.
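The signing step (PIN, key storage token and chosen text) and the comparison of both screens described above can be modelled in a short sketch. This is an added example, not code from any mobile signature product: the `SimCard` class, its PIN retry limit, the sample transactions and the textbook RSA key built from two known Mersenne primes are assumptions made for illustration, and the key is not secure.

```python
import hashlib
import hmac

# Constructed demo key: textbook RSA over two known Mersenne primes, standing
# in for whatever algorithm the SIM implements. Not secure; illustration only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

# Constructed sample transactions.
INTENDED = "Transfer EUR 50.00 to account A-0001"
ALTERED = "Transfer EUR 5000.00 to account M-0002"


def digest(text):
    """Hash the exact transaction text and reduce it into the modulus."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % N


class SimCard:
    """Hypothetical key storage token: signs only after the signing PIN."""

    def __init__(self, pin, max_tries=3):  # retry limit is an assumption
        self._pin, self._max, self._left = pin, max_tries, max_tries

    def sign(self, displayed_text, entered_pin):
        if self._left == 0:
            raise PermissionError("signing PIN blocked")
        if not hmac.compare_digest(entered_pin.encode(), self._pin.encode()):
            self._left -= 1
            raise PermissionError("wrong signing PIN")
        self._left = self._max
        return pow(digest(displayed_text), D, N)  # private key stays on the card


def verify(transaction_text, signature):
    """Application provider: accept only a signature over this exact text."""
    return pow(signature, E, N) == digest(transaction_text)


def user_signs(sim, web_text, phone_text, pin):
    """The subscriber compares both screens and refuses on any mismatch."""
    if web_text != phone_text:
        return None
    return sim.sign(phone_text, pin)


if __name__ == "__main__":
    sim = SimCard(pin="4821")
    sig = user_signs(sim, INTENDED, INTENDED, "4821")
    print("matching request verifies:", verify(INTENDED, sig))
    print("signature accepted for altered text:", verify(ALTERED, sig))
    print("altered request signed:", user_signs(sim, INTENDED, ALTERED, "4821") is not None)
```

Because the signature covers the exact text shown on the phone, a signature obtained for one transaction does not verify against a different one, and the screen comparison stops an altered signing request before the PIN is entered.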

Mobile Signature with On Board Key Generation

Turkcell is the first provider of a mobile signature service with "On Board Key Generation" functionality, which enables customers to create their signing and validation key pair after they get the SIM card. In this way, GSM operators do not need to distribute signing PINs to customers. Customers can create their PIN anew, on their own.[2]

Sources for the origins of the term

References

  1. http://www.schneier.com/essay-083.html
  2. (Turkish) Turkcell.com
  3. Golem.de
  4. Materna-tmt.de
  5. IHT.com
  6. (Turkish) Turkcell.com
  7. (English) Turkcellmobilesignature.com