Mobile Identity Management Mobile Payments Mobile Signatures © Copyright Valimo Wireless Ltd, 2006.

Page 1: Mobile Identity Management Mobile Payments Mobile Signatures © Copyright Valimo Wireless Ltd, 2006.

Mobile Identity Management

Mobile Payments

Mobile Signatures

© Copyright Valimo Wireless Ltd, 2006

Page 2

Valimo Wireless

…is a Finnish company specialized in developing software for performing and securing transactions in fixed and mobile networks

…main customer segments are telecom operators, large enterprises and service providers in finance, government, health care, betting and media

Page 3

Topics

Need & Key Drivers for Mobile Signature Services
- Bank
- Mobile Operator
- Government

Short Overview of the ETSI MSS Concept

How the SIM Card and the Mobile Network Operator's Infrastructure Play a Key Role

User Experience

Page 4

Urgent need!

Industry has a demand to know the user and to get his approval for actions.

We must be sure that the user is who he claims to be.

We must get the user's approval in a way that the user cannot claim afterwards that it did not happen.

It needs to support the mass market.

Page 5

Key Stakeholders

Bank: Internet Bank & ePayment Services; customer base

Mobile Operator: network infrastructure; subscribers

Government: more and more public services moving to the Web; strong authentication a must!

Consumer: user of the value-added services

Page 6

Valimo

Need & Key Drivers: Banks

Page 7

VISA & Mastercard fraud figures

40 million credit cards hacked in 2005: a breach at a 3rd-party payment processor affects 22 million VISA cards and 14 million MasterCards

70% of the losses caused by use of counterfeit cards

e-Commerce is the next target

Source: Jani Kallio, Security Manager, Luottokunta Eurocard Oy, Finland

Page 8

Online fraud figures in UK

2004: frauds £5 million
2005: £30 million
2006: EMV launched, POS card frauds going down rapidly, online services now the target

Latest news (BBC1, Nov. 7th): online frauds have already doubled compared to 2005

What will it be at the end of 2006?

Source: FSA & BBC, UK

Page 9

Net users want banks to do something

Chart: "What could your bank do to boost your confidence in online banking security?" Guarantee to replace losses that result from fraud: 48%. The remaining options, charted at 26%, 25%, 24% and 20%, were: help me understand how to secure myself against these risks; introduce new, more secure log-on technologies; nothing, I trust my bank and have confidence in its security measures; nothing, there's no way I would trust online banking.

Source: Forrester UK Internet User Monitor, Q2 2005. Base: British Net users

Page 10

Online Banking Security Concerns

Speaker notes: proof that banks are taking mobile seriously: 70% of Mobey members stated that authentication is their top concern. Tieto sees this as a leading differentiator (Viljakainen, Harold; need a top-level meeting).

Page 11

Key Drivers, Banks

The mobile phone is a trusted device that provides anywhere, anytime access to confidential, personal and business content, and guarantees integrity and non-repudiation of electronic transactions.

Page 12

Key Drivers, Banks

Authentication through a different channel than the service

Makes phishing and man-in-the-middle attacks impossible

Page 13

Key Drivers, Banks

Legally binding transactions and agreements by mobile phone (non-repudiation).

Page 14

Security Method Analysis

Example PIN/TAN list: A = 1234, B = 2345, C = 5635, D = 8273, E = 3554, F = 6455

Compared methods: OTP via SMS, Mobile Signature, Hardware token, PIN/TAN list

Device required
- OTP via SMS: GSM phone; people have it already
- Mobile Signature: GSM phone + PKI SIM; people have it and the operator manages the SIM
- Hardware token: separate token; the bank has to manage it
- PIN/TAN list: separate list / mailing; the bank has to manage it

Multi-application and multi-service channel usage
- OTP via SMS: yes, but difficult in the mobile channel and in mobile applications
- Mobile Signature: yes, all channels, all applications
- Hardware token: only for one bank or application; limited usability of channels
- PIN/TAN list: only for one bank or application; usability low, all channels

User experience
- OTP via SMS: requires retyping a different password every time
- Mobile Signature: requires entering the same authentication PIN every time
- Hardware token: requires retyping a different number every time
- PIN/TAN list: requires retyping a different number every time

Carry-around requirement
- OTP via SMS: mobile phone
- Mobile Signature: mobile phone
- Hardware token: the token (single purpose)
- PIN/TAN list: the password list (single purpose)

Customer service support
- OTP via SMS: no extra cost; all in the operator's responsibility
- Mobile Signature: no extra cost; all in the operator's responsibility
- Hardware token: the issuing bank's responsibility
- PIN/TAN list: the issuing bank's responsibility

Limiting features
- OTP via SMS: function requires a mobile phone subscription and network availability
- Mobile Signature: function requires a mobile phone subscription with PKI SIM and network availability
- Hardware token: battery expiry; synchronising PINs; distribution / support issues
- PIN/TAN list: can be copied; the list needs to be renewed; phishing & man-in-the-middle with users' (?) confidence

Distribution costs
- OTP via SMS: no costs
- Mobile Signature: existing SIM logistics
- Hardware token: expensive (single purpose)
- PIN/TAN list: continuous mailing costs (single purpose)

Page 15

Authentication Methods Costs (per annum)

Cost per year per user, with usability:
- PIN/TAN: 13 €, usability LOW
- OTP/OTC: 15 €, usability MEDIUM
- MSS: 12 €, usability HIGH
- HW Token: 35 €, usability LOW
- SW Token: 50 €, usability MEDIUM
- SmartCard: 100 €, usability LOW

Source: Entrust and MSS business model security cost analysis, 10 000 users, 3-year period

Page 16

Benefits for Bank

Increased security level: two-factor security

Reduced cost: no dedicated hardware tokens, scratch cards or lists; lower administration and maintenance costs with one solution; promotes more self-service, lower transaction costs

Potential for increased revenue: value-added services; authorization for 3rd parties

Increased consumer convenience: leverages the mobile device; simple user interaction

Cross channel: the same authentication solution for all access points (services): Internet, mobile, digital TV, phone

Cross transaction: the same solution for all types of transactions: login, payment, workflow approval, digital signing

Security for all parties: customer identification, bank identification, confidentiality, non-repudiation of transaction

Page 17

Summary of eBanking

eBanking is usually the most attractive application to start with for Wireless PKI:

Banks have a huge need for fraud prevention

The security level should be as high as possible

Security methods should be cost-effective

Constant support work should be kept to a minimum

Easy for customers to adopt and to use

All of the above points towards WPKI

Page 18

Valimo

Need & Key Drivers: Mobile Operators

Page 19

Need!

After recent years' heavy investments in 3G licences and network development, and heavy price competition, operators are in deep need of new revenue streams

New innovative value-added services are the only way to generate such streams

Services must support the mass market as widely as possible, meaning corporate, governmental and financial market applications

At the same time, number portability (transferring a number between operators) has become a big influencer across Western countries, causing a rising churn rate

Page 20

Key Drivers, Mobile Operators

Mobile operators need to offer many new high-security services to business and consumer customers

Page 21

Key Drivers, Mobile Operators

A SIM card with digital keys linked to a mobile signature service may reduce frequent changes of mobile operator (churn)

Page 22

Mobile PKI

Public Key Infrastructure is an ideal technical solution for this need.

Everyone has a mobile phone; implementing PKI on the SIM/UICC card is the ideal solution.

PKI on a mobile terminal is called Wireless PKI or WPKI, and sometimes Mobile PKI.

Mobile PKI is just an enabler for services.

Page 23

Valimo

Need & Key Drivers: Government

Page 24

Key Drivers, Government

All possible governmental & municipal services will be on the Web

Any service containing sensitive information (financial, health, etc.) must have strong authentication in place

National-level eID is/will be based on a PKI solution

Page 25

Key Drivers, Government

eIDM Roadmap for EU eIDM
- 2006: Manchester Declaration, setting objectives for EU eIDM interoperability and mutual recognition of national eIDM
- 2007: common specifications for interoperable eIDM and call for large-scale pilots
- 2008: large-scale pilots of eIDM in cross-border services
- 2009: eSignatures in eGovernment; undertake review of take-up in public services
- 2010: review the uptake by the Member States; interoperable eIDM at work

Countries in piloting phase: Austria/Belgium (leading countries), UK, Germany, Italy, Poland, Netherlands, Portugal, Malta, Estonia + possibly others

Page 26

Valimo

Mobile PKI: ETSI MSS (Mobile Signature Service)

Page 27 (Mobile PKI slide, identical to page 22)

Page 28

Mobile PKI

In 2000 Valimo started to develop a mobile signing solution

At that time no standards for the interfaces existed; solutions were proprietary only

First commercial deliveries in 2002. In 2002 ETSI published the MSS standards: ETSI 102 206, ETSI 102 207, ETSI 102 204, ETSI 102 203

Now all running systems are upgraded to the ETSI-standards-based solution

Page 29

Mobile PKI / MSS

Diagram: the Mobile Operator's PKI Servers (MSSP) with CA, LDAP certificate directory and customer care and billing DB, reached through SMSC, WAP/OMA and OTA server; clients on the device side (Client X, WIB, VPN, mobile access, web pages, content signing); and online bank, web shops and a 3D security server as connected services.

Page 30

Simplicity in Authentication

All you need for secure authentication is one SIM card.

Insert your Authentication PIN code: ****

Page 31

Legally Binding

Legally binding agreements by mobile phone.

Non-repudiation: an Official Identity (issued by the Government with Mobile Operators) or a Corporate Identity (issued by a corporation with a Mobile Operator)

Insert your Signature PIN code: ******

Page 32

Hiding Mobile PKI Complexity

Simultaneous support for multiple Certificate Authorities

No technology or policy constraints

Page 33

ETSI MSS

ETSI MSSP (Mobile Signature Service Provider) is based on four entities:

- Home Entity (has the connection to individual clients)
- Acquiring Entity (acquires signatures)
- Routing Entity (handles roaming in multiple-operator environments)
- Verification Entity (may be part of the first two)

All of the above may be combined together or alternatively be separate entities (for example a bank having an Acquiring Entity which connects to the operator's Home Entity). The ETSI standards include the interfaces between the entities and for integrating any application to use the mobile signature service.

Page 34

Roles in ETSI 102 specification

Diagram (ETSI 102 – Specification for Mobile Signature Services), drawn for two operators: each side has a Relying Party / Service Provider, an MSS Acquiring Entity, an MSS Roaming Entity, an MSS Home Entity with its CA registration processes, the SIM, and the delivery path to the SIM (GW, OTA, DP, WAP gateway, PPG). Interface labels: ETSI 102 204 web interface between the Service Provider and the MSS Acquiring Entity, and ETSI 102 207 roaming between the two operators.

Page 35

MSSP Signature Roaming

Diagram: an MSS mesh linking two mobile networks. Each Home MSSP consists of an Acquiring Entity, a Routing Entity and a Verification Entity, backed by CA/RA/DB/LDAP (LDAP, CRL/OCSP). The Application Provider talks to an Acquiring Entity over ETSI 102 204; Routing Entities of different MSSPs talk to each other over ETSI 102 207.

Page 36

Valimo

Mobile Operator's Key Role

Page 37

Solution infrastructure

Diagram: the page 29 MSS architecture with Valimo products placed in it: Valimo Validator, Valimo Messaging Server, Valimo Registration Server, Valimo iD Server and Valimo MSSP SDK, alongside the operator's SMSC, WAP/OMA, OTA server, VMAC, CA, LDAP certificate directory and customer care and billing DB; clients on the device side (WIB, VPN, mobile access, web pages, content signing) and connected services (online bank, web shops, 3D security server).

Page 38

Operator’s Key Role

Everything starts from the SIM card, where the key pairs are kept in tamper-proof storage and the signature over the hash is generated

Operators own the SIM cards and have access to them

No third-party direct access to the SIM card will be allowed by any operator

It would be possible for phone manufacturers to include key storage as tamper-proof as the SIM card by adding a chip to their phone's chipset, but for quite obvious business reasons it is most unlikely to happen

Page 39

Issuing

SIM/UICC cards containing the private keys are normally issued by mobile operators

Identity is based on certificates issued by CAs. The CA can be:
- Official governmental CA
- Mobile operator CA
- Corporate CA
- 3rd-party CA

Certificates are not on the SIM/UICC; they are in the CA's directory on the network.

Page 40

Valimo

User Experience: eBanking

Page 41

eBanking, Authentication

1. The end user accesses the bank website with his UserID

2. The bank system sends an authentication request to the operator's WPKI service, based on the user's credentials (phone number)

3. The user enters his authentication PIN

4. Access to the bank service is allowed

Page 42

eBanking, Transaction Validation

1. The bank sends a validation request through the operator's WPKI service

2. The signature process is WYSIWYS (what you see is what you sign)

Allows 160-character messages; all messages can be customised
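The transaction-validation flow above, together with the Acquiring / Home / Verification entity roles from page 33, as an added Go example (this is not Valimo's code and does not reproduce the ETSI MSS XML messages): the bank asks the operator to have the subscriber sign a WYSIWYS text of at most 160 characters, a simulated PKI SIM releases an ECDSA signature only after the correct signature PIN, and the bank verifies the signature against the public key held in a directory stand-in. The phone number, PIN and key pair are constructed for the demo; real deployments carry MSS XML over SOAP and use CA-issued certificates rather than a map of public keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const maxMessage = 160 // the slide's 160-character limit for the signing text

// simSIM stands in for the PKI SIM (constructed demo): the private key never
// leaves it, and signing is released only after the correct signature PIN.
type simSIM struct {
	priv *ecdsa.PrivateKey
	pin  string
}

// sign hashes exactly the text displayed to the user (WYSIWYS) and signs it.
func (s *simSIM) sign(displayed, pin string) ([]byte, error) {
	if pin != s.pin {
		return nil, errors.New("wrong signature PIN")
	}
	digest := sha256.Sum256([]byte(displayed))
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// mssp is a simplified Home Entity; certs stands in for the CA's LDAP directory.
type mssp struct {
	sims  map[string]*simSIM          // subscribers' SIMs, keyed by phone number
	certs map[string]*ecdsa.PublicKey // public keys, keyed by phone number
}

// newDemoMSSP provisions one constructed subscriber with a fresh P-256 key pair.
func newDemoMSSP(phone, pin string) (*mssp, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &mssp{sims: map[string]*simSIM{phone: {priv: priv, pin: pin}},
		certs: map[string]*ecdsa.PublicKey{phone: &priv.PublicKey}}, nil
}

// requestSignature is the Acquiring Entity's call: the bank asks the operator
// to have the subscriber sign text; pin models what the user types on the phone.
func (m *mssp) requestSignature(phone, text, pin string) ([]byte, error) {
	sim, ok := m.sims[phone]
	if !ok || len(text) > maxMessage {
		return nil, errors.New("unknown subscriber or message over 160 characters")
	}
	return sim.sign(text, pin)
}

// verify is the Verification Entity's check: the signature must match the
// directory's public key and the exact text the bank sent, so tampering fails.
func (m *mssp) verify(phone, text string, sig []byte) bool {
	digest := sha256.Sum256([]byte(text))
	pub, ok := m.certs[phone]
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Because the SIM signs the displayed text itself, the bank's verify step fails for any text other than the one the user actually saw, which is what WYSIWYS buys over an out-of-band OTP.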

Page 43

An infrastructure setup: bank scenario

Diagram: the mobile phone subscriber with a PKI-enabled mobile phone on the mobile network, and the same end user on a notebook. In the mobile operator domain, Valimo Validator acts as the MSSP (Home). In the bank network, Valimo Validator acts as the MSSP (Acquiring), next to Valimo iD Server Financial and the Internet bank system (the Application Provider in ETSI terminology). MSS XML messages travel between the entities using SOAP over HTTP (SSL-secured).

Page 44

eBanking, Entities & Action Flow

Diagram of the entities involved: the end user; the bank (Web Bank, User Database, Valimo iD Server, Validator - MSSP); the operator (Validator - MSSP, Messaging Server, Registration Server, Certificate Repository and CA, the latter being the bank's own or a trusted third party). Two action flows are shown: Authentication and Registration.

Page 45

Our Mobile Vision

The mobile phone is a trusted device, providing anywhere, anytime access to confidential personal and business content, and easily performs secure transactions.

THANK YOU! Erkki Saharanta, Valimo Wireless Ltd, +358 44 344 5564, [email protected], www.valimo.com

