Mobile signature
A mobile signature is a digital signature generated either on a mobile phone or on a SIM card.
Origins of the term
mSign
The term first appeared in articles introducing mSign (short for Mobile Electronic Signature Consortium). The consortium was founded in 1999 and comprised 35 member companies. In October 2000, it published an XML interface defining a protocol that allows service providers to obtain a mobile (digital) signature from a mobile phone subscriber.
In 2001, mSign gained industry-wide coverage when it became apparent that Brokat (one of the founding companies) had also obtained a process patent in Germany for using the mobile phone to generate digital signatures.
MoSign project and standardization attempt
The MoSign project (short for Mobile Signature), initiated by the companies Deutsche Bank, Ericsson, Materna, Microsoft, Sema Group, Siemens and TC TrustCenter, was meant to demonstrate the deployment of electronic signatures using a "mobile signing device".
The mobile signing device comprised a Siemens IC35 organizer with an integrated WAP browser and a smart card reader. The user was meant to connect the IC35 via the IrDA interface to an internet-enabled mobile device, which would enable the IC35's WAP browser to view WAP pages from a remote server. To generate a mobile signature, the user inserted a smart card into the IC35's card slot. The digital keys were stored on the smart card, and the signing application was based on the WAP 1.2 Crypto SignText implementation in the WAP browser stack.
In March 2001, four German banks (Deutsche Bank, Commerzbank, Dresdner Bank and HypoVereinsbank) announced that they would use the findings from the MoSign project and would develop it into a single standard for electronic signatures used in conjunction with mobile devices and financial services.
ETSI-MSS standardization
The term was then used by Paul Gibson (G&D) and Romary Dupuis (France Telecom) in their standardisation work at the European Telecommunications Standards Institute (ETSI) and published in ETSI Technical Report TR 102 203.
The ETSI-MSS specifications define an XML interface and Mobile Signature Roaming for systems implementing mobile signature services.
Mobile signatures today
Currently, GSM phones and WAP phones mostly support this technology. Mobile signature services based on SIM cards can be supported by almost all GSM phones, regardless of their capacity. In the near future, 3G phones and other portable devices will feature a similar mobile signature application.
The mobile signature is the legal equivalent of your own wet signature. The mobile signature is created by typing a secret code (i.e. your signing PIN) into the signing device (for example: your mobile phone). This secret code in combination with your key storage token (for example: SIM card) and a chosen text triggers a cryptographic algorithm to generate the (digital) signature.
Each of your mobile/digital signatures can be linked to a digital certificate (an electronic record) that vouches for your real-world identity.
Thus, the mobile signature is a unique feature for:
- Proving your real-world identity to third parties without face-to-face communications
- Making a legally-binding commitment by sending a confirmed message to another party
- Solving security problems of the online world with identity confirmation.
Authentication may still be vulnerable to man-in-the-middle attacks and Trojan horses, depending on the scheme employed. Schemes like one-time-password generators and two-factor authentication do not completely solve man-in-the-middle attacks on an open network like the Internet. However, supporting the authentication on the Internet with a parallel closed network like mobile/GSM and a digital-signature-enabled SIM card is the most secure method today against the man-in-the-middle attack. If the application provider provides a detailed explanation of the transaction to be signed both on its Internet site and in the signing request to the mobile operator, the attack can easily be recognized by the individual by comparing both screens. Since operators do not let anonymous third parties send signing requests, the cost and technical difficulty of intruding between the application provider and the mobile operator normally make it an improbable attack target.
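The signing flow and the two-screen comparison described above can be sketched as follows. This is an added example, not code from any mobile signature product or from the ETSI specifications. The names `SIM`, `NewSIM`, `Sign` and `ProviderVerify` are hypothetical, the PIN and transaction texts are constructed, and Ed25519 stands in for whatever algorithm a real SIM uses because it is available in Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SIM models the key storage token: the private key is usable only via Sign.
type SIM struct {
	priv ed25519.PrivateKey
	pin  string
}

// NewSIM creates the key pair on the token; only the public key leaves it.
func NewSIM(pin string) (*SIM, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &SIM{priv: priv, pin: pin}, pub, nil
}

// Sign needs the signing PIN. The text comparison stands in for the user
// checking the phone screen against the web page before confirming.
func (s *SIM) Sign(pin, shownOnPhone, seenOnWeb string) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(s.pin)) != 1 {
		return nil, errors.New("wrong signing PIN")
	}
	if shownOnPhone != seenOnWeb {
		return nil, errors.New("transaction text differs between channels")
	}
	return ed25519.Sign(s.priv, []byte(shownOnPhone)), nil
}

// ProviderVerify checks the signature against the text the provider requested.
func ProviderVerify(pub ed25519.PublicKey, requested string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(requested), sig)
}

func main() {
	sim, pub, _ := NewSIM("4711") // constructed PIN
	tx := "Pay EUR 100 to Alice"  // constructed transaction text
	sig, err := sim.Sign("4711", tx, tx)
	fmt.Println(ProviderVerify(pub, tx, sig), err)
}
```

Because the signature covers the exact text shown on the phone, a signature obtained for one transaction does not verify for a different one on the provider side.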
Mobile Signature with On Board Key Generation
Turkcell is the first provider of a mobile signature service with "On Board Key Generation" functionality, which enables customers to create their signing and validation key pair after they get the SIM card. In this way GSM operators do not need to distribute signing PINs to customers. Customers can create their PIN anew, on their own.
Sources for the origins of the term
- mSign: Announcement of MSign formation (in German only), 17.10.2000
- MoSign: Materna Monitor - company magazine, December 2004
- MoSign: International Herald Tribune tech brief, 26.3.2001
- MobilImza: Turkcell Mobil Imza 10.3.2008