Skip to content

Kiuru MSSP – Mobile PKI Platform

The Kiuru platform comprises of several components which together enable and digital signing for citizens.


  • Advanced Electronic Signatures (AdES) support 
  • Enables LoA4 compliance
  • Supports high availability and high performance clustering
  • Geo-redundancy Support
  • Multi-tenancy support
  • Includes robust service administration and monitoring tools
  • Supported platforms: Linux (Fedora based distros), on Bare metal, VMWare, KVM and/or Docker


Kiuru AE (Acquiring Entity) MSSP is a server that links the Application Provider’s service to the Mobile User’s HomeMSSP. Kiuru AE MSSP offers a unified interface for Application Providers to integrate Mobile Signature Services into their service.

AE provides an isolated public ETSI TS 102 204 compliant interface for APs, filters and validates all incoming request before they are allowed into the MSSP Mesh. The AE MSSP may reach the HomeMSSP directly or through the Mesh, an interconnected system of MSSP servers.

For more details, see Kiuru AE MSSP Product Factsheet


Kiuru ME (Management Entity) MSSP is a server that centralizes the registration and administration interfaces for an MSSP system. ME can be used e.g. by Registration Authorities to register and manage user data in the databases that the AE MSSP and HomeMSSP use in request processing. ME allows the shut-down and maintenance of registration processes without interrupting signature services. Additionally, the ME MSSP forwards client management requests to the User’s HomeMSSP for onward delivery to the PKI client.

Kiuru ME MSSP includes a suite of tools for managing a Kiuru MSSP system. The Kiuru Admin CLI (Command Line Interface) provides powerful command line tools that experienced users can use in order to have as few restrictions as possible, while Kiuru Admin GUI (Graphical User Interface) provides a more user-friendly operational environment with configurations for different use-cases.

For more details, see Kiuru ME MSSP Product Factsheet

Kiuru HomeMSSP

Kiuru HomeMSSP is a server that provides mobile signature service functionality for trusted service providers. It is used to establish an open, standard based and secure channel between end users and the AE/Mesh.

Kiuru HomeMSSP receives signature requests from the AE/Mesh, converts them into a form that’s usable by the PKI client and sends them to a resident Mobile User’s phone. Additionally, Kiuru HomeMSSP processes client management requests from Kiuru ME MSSP.

Kiuru HomeMSSP comes with the integrated Alauda OTA (Over the Air) server.

The OTA server is used to transmit Applet client requests to the SIM card without being physically connected to the card. The OTA server segments the request received from the Mobile User’s HomeMSSP and transmits it to an SMSC (Short Message Service Center). The server also manages OTA and Alauda encryption keys, which ensure end-to-end encryption between the OTA server and the SIM card. 

Similarly, the Kiuru HomeMSSP provides an HTTPS interface to the Kiuru AFE server for transmitting app client requests to the smartphone app.

​Kiuru AFE provides a secure communication link between the Kiuru SAM and the app client. Kiuru AFE connects to app platform push notification services (including APNS and FCM) to deliver messages to the app client. It also receives app originated HTTPS calls, authorizes and redirects those messages to web sockets connected to the HomeMSSP.

Optimized for fast low latency communication, all communication through the AFE is protected using TLS and Alauda transport encryption which ensures end-to-end confidentiality of all messages between the Kiuru SAM and the app.

For more details, see Kiuru HomeMSSP Product Factsheet

Kiuru SAM

The Kiuru SAM product is a Trustworthy System Supporting Server Signing (TW4S) that offers remote digital signature services. It ensures that the Signer’s signing keys are only used under the sole control of the Signer and only used for the intended purpose. Compliant with the SAM-PP as defined in EN 419 241-2, Kiuru SAM exists in a dedicated tamper protected environment. All communications are via a secure trusted channel.

Kiuru SAM implements various functions including:​

  • Transport encryption – provides a message encryption mechanism for all traffic between the SAM and the Alauda smartphone client application.
  • B17 protocol – implements a signing key splitting mechanism which allows a HSM key wrapped signing key to be split and distributed between the SAM and the app client. B17 protocol provides a strong basis for user sole control of the signing key.
  • Crypto Module – Typically an HSM, Kiuru SAM uses the crypto module for generating signing keys and to create digital signatures.
  • SRP6 validators – implements secure remote password initialization and verification for signer PINs. SRP6 validators binds the signer authentication with the signing key and the data to be signed (DTBS) before the Crypto Module creates a digital signature.

For more details, see Kiuru SAM Product Factsheet

Connectivity Components


The AE MSSP provides a ETSI 102 204 standard API interface for Application providers. It is a SOAP API for application providers to:

  • Request Signatures (synchronous and asynchronous-client-server modes)
  • Request Status information on Signature requests
  • Request Receipt messages on successful Signature requests

All MSSPs also provide a ETSI 102 207 roaming standard API interface for routing messages between interconnected Mobile Signature Service Providers (MSSPs) in an service Mesh.

Kiuru REST

Kiuru REST plays the role of a gateway between relying application providers and the AE MSSP. Kiuru REST provides a simplified JSON API for Application Providers. Kiuru REST converts JSON requests into SOAP protocol, filling any missing information with functional default values. Similarly, SOAP responses are converted into JSON responses before onward delivery to the originating application provider.

For more information, see Kiuru REST API Product Factsheet and Kiuru REST API documentation.


The Kiuru Document Signing service (KDSS) provides a simple and modern OpenAPI based interface for requesting and collecting digital document signatures. The KDSS API allows application providers to invite and send documents to users for signing and retrieve the signed documents immediately all invited signatories have signed the document.

For more information, see KDSS API on GitHub.


The MSS Registration (MReg) API is an administration API provided by the Kiuru ME MSSP and available as a SOAP and JSON APIs. MReg is designed as an interoperable extension to ETSI TS 102 204 standard, and it includes all the basic functions required to run a Registration Authority (RA).


Kiuru RADIUS server is a connectivity product that enables Application Providers to integrate a traditional username/password authentication system in place of MSISDN authentication. A system that uses RADIUS authentication services is able to require strong two-factor authentication of their Users, as well as unify the user experience by using the same username/password authentication system across multiple services.

When a User authenticates themselves to the Application Provider’s service with their username/password, the service requests RADIUS authentication from Kiuru RADIUS. Kiuru RADIUS then resolves the user’s MSISDN and sends a signature request to AE. From there, the mobile signature request proceeds normally.

For more information, see Kiuru RADIUS Product Factsheet.

Other Products

Kiuru Document Signing Service (KDSS)

The Kiuru Document Signing service (KDSS) provides a standard secure digital document signature process as a service. KDSS handles all the application side requirements including document pre-processing and post-processing. All an application need is to send/upload the document to KDSS, KDSS prepare the document for signing, sends it to the MSSP to get user signature. Once the document has been signed by the user, KDSS will also take care of all document post-processing and return the signed document (PAdES, XAdES, CAdES, ASiC, etc.) to the requesting user or application.

For more information, see Kiuru DSS Product Factsheet.


Kiuru RE (Routing Entity) is a server that routes MSSP traffic between different operators’ MSSPs. RE MSSPs unify MSS into a service that an Application Provider can offer regardless of the Mobile User’s operator.

If a User’s HomeMSSP is managed by a different operator from the one the Application Provider uses, the Application Provider’s RE MSSP roams the request to the User’s MSSP.

Kiuru RE MSSP routes ETSI TS 102 204 messages with roaming headers specified in the ETSI TS 102 207 standard.

For more information, see Kiuru RE MSSP Product Factsheet


Kiuru MSSP VE (Verifying Entity) is a specialized platform for validating signatures. It enables you to manage the circle of trust your applications are comfortable with.

Kiuru MSSP VE validates mobile signatures. Signature traffic is routed through the VE system, and on the way back to the application, the VE validates the mobile signature. In addition, Kiuru MSSP VE includes a DSS SOAP interface which allows applications to validate certificates or signatures on-demand.

Kiuru MSSP VE is provides fine-grained controls over who to trust, which allows for applications to offload the costs of maintaining the trust relationships to a single centralized point.

For more information, see Kiuru MSSP VE Product Factsheet

Kiuru WPKI Simulator​​​​

Kiuru WPKI Simulator is used to simulate external systems that the MSSP depends on. The simulator can be used to test a complete MSSP system functionality by simulating OTA and mobile users. The simulator helps with testing the functionality of a WPKI setup in a pre-production environment, where diagnosing faults and tweaking the system accordingly isn’t a burden on actual customers. In a production system, automated scripts can test Kiuru MSSP system integrity continuously.

Kiuru WPKI Simulator also contains Simple CA, which provides CA services for testing/demonstration purposes. Certificates can be managed over CMP (RFC 4210) and PKCS #10 (RFC 2986).

The WPKI simulator simulates live SIM card/Applet. and/or Phone/app client It enables Mobile User test provisioning, activation and certificate issuance, as well as signature service testing.

Key Features


Kiuru MSSP supports the clustering of servers for higher performance and availability. Servers in a clustered system share the same database, and traffic is divided between them by a load balancer. The load balancer also detects MSSP failures and redirects traffic accordingly. In a clustered setup, HomeMSSPs are in one cluster and AE MSSPs are in another.

Kiuru MSSP supports e.g. F5 BIGIP/Radware Alteon load balancers or Apache proxy for mutual TLS authentication, which is a mandatory requirement in the ETSI TS 102 204 standard. Complete system high-availability also requires redundant databases and load balancers.


Geo-redundancy support for Kiuru MSSPs enables service providers to have secondary service sites to which traffic can be redirected in case of unexpected malfunctions. Mobile Signature Services are expected to maintain a high degree of availability at all times, so in the event that an unpredictable event stops the primary site from working, service is maintained in a geographically separate location.

​ME MSSPs replicate operational data from the primary site periodically to the secondary site as a precaution.

See our blog post on geo-redundancy for more information