What is Mobile ID?
Mobile ID is a generic name for a number of different user authentication technologies.
We mean here Mobile Signature Service, where user identity is bound to their public key signing keypair and that keypair is securely on user’s mobile phone SIM card.
What is Two-Channel Communication?
The general assumption is that your browser is far more likely to be compromised, than the application provider’s servers. A quite big problem in service security aspects is “what do I do when my web browser is compromised and I have been using my health care, my company and home banking services?”
Having a secondary communication channel may help on the issue. A Two-Channel communication means that while you have been using a compromised browser, the service have communicated with your mobile phone via other communication channel (authentication channel) that has no part in common with your browser’s communication path (service channel).
First benefit: Your credentials are still safe and there is no reason to revoke them. Clean up your browser and computer and check what information may be compromised.
You can also check your MobileID usage records.
Second benefit: Your Mobile Signature Service Provider can keep track of your transactions whatever service you use.
Check your accounts in those services you have been using with the compromised browser. Change passwords in those services.
Third benefit: You can use your MobileID when you change your password in the service. It the most secure way to do it.
Fourth benefit: The service provider may use how clever authentication method he wants and backup user’s credential maintenance with MobileID.
There are still more security aspects you achieve by using two-channel communication.
Fifth benefit: MobileID provides you a consistent user experience. It is the same with all services you use.
Sixth benefit: If your mobile phone has been stolen, you inform your operator and your certificate will be revoked and the authentication channel closed. Application providers do not need to maintain 24/7 identity management service, and you don’t need to call dozens of them to revoke your compromised identity from each one.
A much more worrying thing is that your fancy feature mobile phone becomes compromised. Even though it has a trusted execution environment, that stuff is in the end done with software, and as such it could be circumvented. The best answer available today for widest possible repertoire of mobile devices uses network operator’s SIM as platform for the trusted execution environment, and using a phone with least possible features — non-existence of software upload is good start.
What is this PKI you talk about?
It is an acronym of Public Key Infrastructure, and it associates a Public Key with Identity. When the PKI is implemented using X.509 certificates as identity carriers, it is commonly called PKIX to emphasize that identity implementation aspect. When the PKI is implemented on top of wireless network service (as mobile phone network), it is often called WPKI to emphasize that communication aspect.
This all refers to applied mathematics where we can have a data set and computation rules by which we can do signatures (computation results) in a way that are extremely difficult to repeat without access to full data set, but very easy to verify with access to small “public” part of it. That full data set is called “private key“, and managing access to it is the core of the practical PKI based identity service. That is why it is kept in a trust module (SIM card,) and doing those computations with it are always asking “What is your Signing PIN?”
The “Identity” is commonly taken to mean X.509 Certificate’s Subject element, but it may contain many other elements out of that certificate as well, up to all of it. If it happens that user is re-registering their identity, and thus re-creating their key, then several components at the certificate will change, while usually the Subject will stay the same. The procedures around the first and repeated registration are the central part in establishing identity in the first place, and of its continuance.
Also while something is “extremely difficult”, it is not the same as “impossible”, and therefore practical PKI systems have limited lifetime on those keys. To ensure continued key security, it is considered best to replace the key by every few years and/or to have bigger keys that are even more difficult to break. Nevertheless practical system aspects try keep the key sizes smallest acceptable to enable quicker communication over the WPKI channel, and registration procedures try to keep the identity valid for longest allowable time.
For a deeper theory look of the PKI keys and their security, see Signature Security article.
What is this identity registration?
The most important thing in your identity is that it is stable. Your identity can be completely anonymous (still unique or distinguished) or it can be a certificate telling your real world identity. It is also very handy that applications asking for your authentication can do so by sending a challenge to you, which you then sign and the response contains that signature which the asking application can verify: “yes, she really used PKI system to sign it.”
Why should I need to re-register my identity?
Or: “Oops, I gave my PIN wrong 3 times in a row, and now it refuses to work, please unlock it!”
The access management to the private key has been designed so that entering the secret “Signing PIN” wrong too many times will cause access to protected data to be irrevocably unavailable. (The SIM card can have multiple keys, and each can have its own Signing PIN with individual access control.)
Because replacing the SIM card is rather cumbersome operation, it is better if this situation can be recovered from without a new card.
Classical mobile network systems have SIM cards with PIN code, and PIN Unblocking Code (PUK), and the operators are asking you to somehow prove your identity when you call their service center for the PUK to access your network subscription.
If the “Signing PIN” is associated with “Signing PUK”, that code becomes as sensitive as user’s most sensitive service authorization on a key that it unblocks, and therefore it requires same level of identity verification as the most stringent verification done during the registration and authorization processes. It becomes easier to be able to re-generate a new key on blocked slot unblocking it at the same time, and do new identity registration on it. Then depending on how each service authorization relates to identity, either those authorizations need to be re-applied, or they just work because a particular service provider has chosen to trust PKI providers re-registration procedures.
But I hear that these SIMs are broken!
Yes and no. Security researchers at SRLABS reported a way to break in SIM OTA management protocol, and through it to trust platforms running at that SIM, like Java Card services.
The central thing is that still a large number of SIMs are being deployed with woefully bad security algorithm at the OTA management protocol.
There are a few easy ways to counter the issues raised by this observation. For starters the mobile operator needs to upgrade the SIM management platform and SIMs to use up to date encryption keying even if having to use old algorithms. It is probably as simple as adding correct tick on the order form of next batch of the SIM cards.
The mobile network security protocols are being regularly updated, and network operators should be aware of their updates too. Nevertheless plain single key DES was declared unsafe back in 2000. Its more secure variation 3DES has been considered as “better to use something else” since 2006-2008. Now at 2013 researchers observe that large number of networks has not done the first phase-out, or it has been done incompletely and is still working.
The attack has been possible, because SIM card resident software has not been written with first security practitioners rule in mind: Upon receiving a message failing security check (bad key, bad content), give absolutely no answer. This is because practically any answer is telling something that the attacker can use to break the system security. Replying only when all checks are successful does render the present attack unable to figure out even the most simple DES access key.
What is the Mobile Signature Service?
The Mobile Signature Service is a managed identity service for application providers and mobile users. Commonly this service is called as “MobileID”. Essential core communication parts of the Mobile Signature Service are provided by Mobile Network Operators (MNO.)
Managed identity service means that Mobile Signature Service Provider (MSSP) takes care of a secure device (SIM card), user registration and certification, and 24/7 customer care with certificate revocation, or very least of mobile service suspension so that a lost phone can not be misused. (Usually service suspension is much quicker than certificate revocation.)
When the MNO enrolls a user to service, they do identity verification for their own purposes, and that identity may be of sufficient quality that it can be used by other application providers without them doing their own key slot assignments, key generations, and all those base parts of the registration.
It is also possible that the MNO sells key slot resources at the SIM card to third parties, who then in co-operation with the MNO as their service carrier do the identity registration, control key generation, etc. Even have the associated certificate only in their possession.
For wide-spread usability it is better to be able to share single stable identity at multiple services, and locally at each service to choose to associate that identity with specific authorizations.
What are the Mobile Signature Services used for?
Technically it always does a PKI Signature using internally and securely stored private key to sign some request data. When such a key is given particular meanings (in the X.509 certificate data,) then the Mobile Signature Services are getting business meanings, like these:
- Authenticate a mobile user
- Get mobile user’s consent
- Get mobile user’s signature
In addition to these basic functions there are large varieties of so called Additional Services, which can be used for Application Provider’s or mobile user’s convenience. These Additional Services can provide additional information like person identity attributes: home address, date of birth etc.
Where can Mobile Signature Services be used?
Application Providers (APs) use Mobile Signature Service when
- An application needs to authenticate a new mobile user
– user is previously not known, user logs in to the service rarely, or a strong authentication is required
- An Application needs mobile user’s consent
– Approve transaction, approve service authorization
– Consent is a well-defined message signed by the mobile user
– Does not have the same formal legal requirements as the electronic signature
- Business needs mobile user’s signature.
– When business needs to represent the contract to a third party
– When special legal requirements must be filled
The Application can locate in Internet or it can be completely mobile. Mobile Signature Service uses its own mobile authentication channel and therefore it does not require any specific application environment or service channel.
Who sells the Mobile Signature Service?
Nowadays some MNOs are selling the MSSP service to Application Providers and Mobile Signature Service subscriptions (MobileID) to mobile users. Most of these Mobile Signature Services are still “isolated islands” and do not provide roaming. But we believe that this will be changed very soon.
The Application Providers connect to service element called Acquiring Entity (AE,) which are usually provided by each MNO, but there could be service providers specialized on operating AE + Roaming.
The MSS business model enables roaming from these Acquiring Entities to MNOs.
What is MSS Roaming?
Sometimes a bit of co-operation can breed business and customers, while each trying alone gets nothing.
In “isolated islands” (or “walled gardens”) model an Application Provider (AP) wanting to use Mobile Signature Service (MSS) will need to:
- Communicate with each of the MNOs separately doing separate service contracts with each of them, and
- Have particular request protocol details set up correctly for each MNO in their particular ways.
- Additional challenges may appear especially in Europe as mobile operators are required to have “number portability” at least inside a country so that simply looking at the target MSISDN does not resolve knowledge at which MNO that number is; instead a separate database lookup is needed.
Mobile Signature Roaming connects all Mobile Signature Service Providers into a Mesh, and the Mesh is taking care of all the hard mobile network parts, like number portability.
In a successful Mesh, the MNOs running Mobile Signature Service Providers agree on:
- Basic policies — Certification Policy, Certificate Practice Statements — registration details, key details, certificate content details
- MSS protocol parameters — SignatureProfiles, request formats, interaction flows shown to users during requests
- Roaming billing — Application Provider client of MNO A calling mobile user of MNO B does get a bill on it at fair price.
And the result is that the Application Providers have unified service behaving the same way independent of at what MNO a particular mobile user is at. In successfully co-operating Mesh all parties use same Signature Profiles, and similar registration procedures producing similar certificates, and Application Providers can do the service development just once, instead of separately for each MNO.
For the Application Providers the mesh entry points are called Acquiring Entities, and they can be operated by an MNO, or a third party. An Application Provider can choose any of the Acquiring Entities as entry point to the roaming Mesh.
You can consider the Mesh as similar technology which connects all the e-mail servers in the internet together and you can send e-mail to anyone regardless who is the receiver’s e-mail provider. The mesh knows — has the necessary lookup and routing mechanisms.
What is SignatureProfile?
Businesses using the Mobile Signature Service should be able to trust on mobile user’s identity. And at the same time mobile users should have many ways to acquire their identity or many identities. The Mobile Signature Service handles these requirements a concept of SignatureProfile and SignatureProfileComparison.
Process starts when a mobile user registers MobileID identity. The registration authority requests certificate for the identity from a CA and MNO binds mobile user and the certificate to the SignatureProfile. Now the SignatureProfile corresponds with an assurance level of the registration and the assurance level is linked with the SignatureProfile and printed into the certificate.
Application provider can request that preferred SignatureProfile (equal) or better is used for mobile user authentication.
Generally this trusting feature is called as a Level of Assurance (LoA). LoA is achieved by creating a registration process which verifies the mobile user’s identity and keys before it requests a certificate. These elements are managed by entities known as Registration and Certification Authorities, respectively.
What does MSSP stand for?
In the ETSI standards the term MSSP stands for Mobile Signature Service Provider. Mobile Signature Service Provider is a software that can connect to wireless network (mobile) and can connect Application Providers into the Mesh.
There are two kinds of MSSPs: Mesh end-points and Mesh intermediaries. Mesh end-points connect Application Providers and mobile users, and intermediaries connect these end-point MSSPs together.
- Acquiring Entity: connects Application Providers to the Mesh
- Home MSSP: connects mobile users to the Mesh
- Routing Entity: connects End-points together
More common MSSP term stands for a term Managed Security Service Provider. Although the ETSI MSSP term fits also with the later explanation, the only correct is the ETSI one. Managed Security Services covers all aspects of security including secure VPN, secure monitoring, secure back-ups etc.
Mobile Signature Service is for whom?
MSS is a managed identity service for application providers and mobile users.
What kind of customers application providers target to?
- New customers – no previously established contract is needed
- Internet users – once application provider reach a customer, it can start serving
- Old customers – 24/7 managed identity, user friendly and secure authentication
Authentication, Authorization, Accounting and Auditability – What’s the difference?
Authentication tells who you are (your identity), authorization tells what you can do. You can have same authentication in many places, but the question of what you can do at those places is entirely different thing.
The most important thing in your identity is that it is stable. Authorization is based on it.
Most identity services are acting as an oracle “yes, this user is NN”, and other applications can not validate that answer in any way. Sometimes these systems are called as “walled gardens”. Actually the most of systems behave as walled gardens. They are also commonly built for single application, meaning that if you have authentication for that service, you have also authorization to use it. But this differs immediately when your account is given specific set of things you can do with it — the authorization stuff.
The Mobile Signature Service provides authenticated identity, and many applications can request the same thing, and then see themselves if provided user identity is really authorized to use the application.
Accounting is something how you track how much an entity uses of a service. Nowadays each service implements the usage recording and corresponding reporting. In the Mobile Signature Service there are two different entities which need accounting: Application Providers and mobile users. Mobile Signature Service keeps track of both in a distributed manner. Acquiring Entity logs Application Provider requests and Home MSSP logs mobile user records.
Auditability is something how you can prove that something has really happened. For auditability it is useful to agree at first how a proof is created. In plain old telecom systems the proof is based on two entities: your telecom operator (calling party) and a remote telecom operator (receiving party). If you make a local call the proof is on your own telecom operator’s hands. This is one of the reasons why the telecom business is heavily regulated.
We do not want to need the same regulations in the Mobile Signature Services. It is much better to build a system which collects accounting information in a post-auditable way. Once again people in ETSI have been clever. They have split the architecture into two pieces: Acquiring Entity and Home MSSP. Even when the traffic is local, there are two separate systems which produce accounting details and the proof can be based on those logs. One step further is the telecom regulations. When a telecom operator runs an accounting, the operator must store and use initial accounting details recorded by the system itself. No modifications are allowed. In a court there can be independent experts who will analyze these accounting records.