Qualified mobile electronic signatures:
Possible, but worth a try?
Lothar Fritsch (1), Johannes Ranke (2), Heiko Rossnagel (1)
Interest level of audience:
3 - for application developers (interested in IT security)
4 - for IT security specialists
Abstract
Four years have passed since the EU directive on electronic signatures was enacted by the European Union. By 2002, all EU member countries had to implement national legislation for electronic signatures. Product and application development in these countries has so far focused mainly on signing on desktop PCs with smart cards issued by certification authorities. Several parties have worked on mobile signing infrastructures, but as of today no integrated implementation of qualified mobile signatures has appeared on the market. This raises the question whether qualified mobile signatures can be implemented at all, and whether they can be implemented economically.
This paper analyses whether mobile technology can conform to the EU directive on electronic signatures and discusses the economic implications for market scenarios.
1. The EU directive on Electronic Signatures
In directive 1999/93/EC of the European Parliament and of the Council [EU_esig1999], legal requirements for a common introduction of electronic signatures in Europe were enacted. Within the following 18 months, the EU member states had to transpose the directive into national law to create a harmonized legal framework.
The directive sets out a framework of security requirements for the technology used for electronic signatures. Based on certificates issued by certification authorities, which certify the public key of a person registered by a registration authority, electronic signatures are created with a so-called “secure signature creation device” (SSCD) carrying the person's private key. In Germany and Austria, the national implementation of the EU directive requires the SSCD to be evaluated against ITSEC E4 or Common Criteria EAL 4+ [FuFr2000].
For directory services, stringent 24/7 availability and durability are required. Revocation lists and other suitable mechanisms must be available to all parties accepting signed documents.
The EU suggests the implementation of a public evaluation infrastructure under the control of a government authority. Germany has already implemented a system of evaluation bodies, evaluation consulting companies and the Regulatory Authority for Telecommunications and Posts [RegTP] as the responsible government authority.
Product deployment so far has focused on smart cards evaluated against the requirements for lawful electronic signatures. Based on these, PC-based signature applications have entered the market. They require a smart card reader attached to the workstation, which prevents user mobility.
Mobility of lawful electronic signatures is possible within the legal framework of the German signature legislation, as shown in [RFR2003]. This article analyzes the situation from a European perspective.
(1) Chair of Mobile Commerce and Multilateral Security, Goethe-University, Frankfurt am Main, Germany
(2) Member of "Enabling Technologies for Electronic Commerce" at the Darmstadt University of Technology and collaborator of the provet group (constitutional design of technology) at the University of Kassel.
2. Approaches for mobile signing infrastructures
Two possible signing approaches in the mobile environment are analyzed for their potential to conform to the EU directive on electronic signatures: signatures created in centralized signing server environments located at service providers such as mobile network carriers, and electronic signatures created inside the signer’s mobile device using a secure signature creation device. Furthermore, solutions using single or multiple smart cards are reviewed, with the conclusion that SIM-like security modules equipped with signature keys can be part of a law-conforming signing infrastructure.
Server based electronic signatures
Server based electronic signatures are signatures that are created by a service provider on behalf of a specific user. With server based signatures it is essential to distinguish between signatures whose corresponding certificate is issued in the name of the customer and signatures whose certificate is issued in the name of the service provider or one of its employees.
In the first case the customer has to transfer his private key to the service provider. However, according to Art. 2(2)(c) of the directive, an advanced electronic signature has to be created using means that the signatory can maintain under his sole control.
By giving away his private key, the signatory can no longer fulfil this requirement.
Signatures whose certificates are issued in the name of the service provider cannot be regarded as legal signatures of the customer. They are signatures of the signature service provider and only identify the provider. Such signatures can achieve the status of advanced signatures with qualified certificates as long as the certificates fulfil the requirements of Annex I and are issued by a certification service provider who fulfils the requirements of Annex II. The signature service provider therefore acts as a substitute for the customer. However, from the provider’s signature it cannot be verified that the customer actually authorized the signature: neither the integrity of the document nor the fact that the customer authorized it himself can be proven. Technical solutions to ensure the integrity and accountability of the customer's authorization are conceivable, but they would require a security environment on the mobile device that would enable the device to create qualified signatures by itself.
Mobile device based electronic signatures
Signatures can be created inside the mobile device using a secure signature creation device, which has to fulfil the requirements of Annex III. In a multiple smart card solution, the signature smart card, certified by a certification service provider, is inserted into the mobile device alongside the usual SIM card. The signature process then takes place on the mobile device, and the user is able to use basically any signature card available on the market. To meet the requirement of Art. 2(2)(c), some form of reliable access control to the signature functions is necessary. The usual PIN that controls access to the telephone functions is not sufficient, since users may keep their phones and SIMs unlocked for convenience.
It would also be possible to use a single smart card that contains the SIM telephony functions as well as the secure signature creation device. This can be achieved either by leaving free space on the SIM card on which the components of the signature creation device can be installed later, or by shipping SIM cards with preinstalled signature functionality that has to be initialized. In the first case the question arises who gets to certify the public key of the user: the mobile service provider, as issuer of the SIM card, also wants to certify the signing functionality of the issued smart card, whereas the customer might want to use a different certification service provider. Within the scope of this article we investigate the spectrum of possible shipment models for mobile signatures.
3. Mobility and Electronic Signing
When using signatures in mobile environments one has to consider what is specific about these situations. Mobile signatures are created with mobile devices, and therefore constraints have to be addressed that are not present in traditional signing infrastructures.
Data Transfer
First of all, any traffic that is necessary will be charged to the customer's bill. Therefore it is essential to generate as little data traffic as possible. For signature creation, traffic is only necessary for the download of the document to be signed, if at all. For signature verification, several objects, in particular the certificates of all CAs involved, have to be downloaded in order to ensure the integrity of the verification process.
Visualization
Mobile devices are usually able to display only a small part of the content of the document to be signed or verified, so the signer cannot confirm that what is signed is what was seen. This gives potential attackers a considerable advantage in compromising the integrity of the document before the signing process takes place. Within the scope of this section we will explore possible points of attack and provide means to counter such attacks.
Verification
Implications for document verification on mobile devices, in particular concerning revocation status and directory accessibility, will be reviewed in light of various models of certificate validation. With mobile infrastructures for signature verification, revocation lists are a particular concern. To be up to date with the current revocation lists, the customer has to be “online” to access the current status of all the involved signatures and certificates. Standards like ISIS-MailTrusT [ISISMTT] can be useful, as can concepts of server-centric support in document verification [Fritsch2002]. This section will analyze verification constraints on mobile signatures.
Storage
Mobile devices usually have a rather fixed amount of storage space. This constraint is even tighter if the data has to be stored on the SIM card itself, for whatever reason. Therefore a mobile signature application should, whenever possible, store the necessary information on a server of the service provider. This of course conflicts with the goal of minimizing the traffic for signature applications, so a trade-off between cached information and information to be transferred has to be found. This is particularly important for the storage of root certificates, certification chains and certificate revocation lists for offline verification. We will explore this within this section.
4. Business Applications and Competition
Here we suggest an infrastructure for the certification of keys on mobile telephone cards. Certification will be done in a way that enables users to obtain their certificates from an arbitrary certification service provider, in particular a different one than the issuer of their telephony credentials. As mobile infrastructures tend to be costly, the article closes with possible beneficial applications of mobile signing infrastructures.
SIM, Certification and Competition
Combining GSM security and signing on a single smart card raises some economic and legal questions. Currently, SIM cards are handed to customers in retail stores. They are already initialized with keys and PIN codes, waiting to be personalized, or are sold “pre-paid” without identity registration in many countries. We propose the use of evaluated smart cards suitable for qualified electronic signatures which are extended by the SIM functionality and usable through a unified interface, e.g. according to the USIM specification TS 21.111 [3GPPSpec]. Another approach might be the migration and evaluation of a USIM with a full WAP/WIM implementation for the purpose of lawful mobile signing [WAPForum].
Evaluation must be carried out according to ITSEC or Common Criteria in an evaluation process similar to the one summarized in [FuFr2000].
The resulting card would carry (at least) authentication and key data from a mobile carrier when handed to the customer. Furthermore, the lawful signature component of the card is ready to be initialized and to have its public key certified on demand. Through the separation of the telephony function and the (possibly later) certification of the user’s identity by a certification service provider, both functions can be sold separately and can be obtained from different providers.
In our final paper, we will demonstrate an algorithm that ensures the post-certification of keys that are either pre-stored or generated on the signature partition of the smart card, while keeping the telephony provider and the certification service provider strictly separated beyond the standardization of a smart card interface and the installation of a certificate.
Applications for Mobile Signature
This section will explain useful and economic applications of mobile electronic qualified signatures. For obvious reasons, a limited set of transactions is suitable for signing on small devices. For economic reasons, the rather complex infrastructure required for mobile signing further limits the application field.
Applications that will be examined include:
• provable electronic consent in processing of personal data
• documented consent in participation in location based services
• legally binding mobile financial transactions, e.g. in intra-banking electronic brokerage
• documented multiparty authorization of commercial transactions, e.g. payment releases
• other transactions in trade and logistics.

[Figure 1 (diagram): the parties MO, RCA and CSP surround the Mobile Equipment containing the SIM/SSCD; the arrows between them are numbered 0 to 4 and correspond to the steps listed below.]
Figure 1: Roles and basic steps in dual use of SIM in GSM and as SSCD.
0. RCA certifies CSP
1. RCA installs root certificate into newly produced, uninitialized SIM/SSCD
2. MO installs IMSI/Ki and subscriber information
3. SIM/SSCD ships to subscriber
4. SSCD is initialized by user and certified by CSP after registration
MO: Mobile Operator; RCA: Root Certification Authority; SIM: Subscriber Identity Module; CSP: Certification Service Provider; SSCD: Secure Signature Creation Device
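The lifecycle of Figure 1 and the offline verification constraints of section 3 (Verification, Storage), as an added example in Go that is not part of the paper and not the authors' post-certification algorithm. It models the dual-use card as a struct with a telephony partition (IMSI/Ki, written only by the MO) and a signature partition whose key is generated on the card and leaves it only as a public key for certification by the CSP; a verifier then checks a signature offline from three cached objects: the RCA root, the CSP certificate and the newest CRL. The card structure, the separate signature PIN, ECDSA over P-256, the IMSI/Ki/serial/PIN values, the one-hour CRL validity and the use of Go's crypto/x509 for certificates and CRLs are assumptions of the example; the paper specifies none of them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SimSSCD is a hypothetical model of the dual-use card of Figure 1: a telephony
// partition written by the MO and a signature partition whose key never leaves it.
type SimSSCD struct {
	IMSI    string
	Ki      []byte            // GSM subscriber key: known to the MO, never to the CSP
	RootDER []byte            // RCA root certificate installed at production (step 1)
	CertDER []byte            // subscriber certificate issued by the CSP (step 4)
	pin     string            // separate signature PIN, the "sole control" of Art. 2(2)(c)
	sigKey  *ecdsa.PrivateKey // generated on the card, never exported
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failures are programming errors in this example
	}
	return v
}

// Init is the user's part of step 4: set a signature PIN and generate the key pair
// on the card. Only the public key leaves the card, for certification by the CSP.
func (c *SimSSCD) Init(pin string) *ecdsa.PublicKey {
	c.sigKey, c.pin = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), pin
	return &c.sigKey.PublicKey
}

// Sign returns an ECDSA signature over SHA-256(doc). The telephone PIN is not
// enough: the signature PIN must be presented, and the key must be certified.
func (c *SimSSCD) Sign(pin string, doc []byte) ([]byte, error) {
	if c.sigKey == nil || c.CertDER == nil || pin != c.pin {
		return nil, errors.New("signature function locked or key not certified")
	}
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, c.sigKey, h[:])
}

func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment, // nonRepudiation
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// Scenario holds what an offline verifier caches (RCA root and CSP certificate)
// plus the CSP's key, kept here only so that the example can issue CRLs.
type Scenario struct {
	Card     *SimSSCD
	rca, csp *x509.Certificate
	cspKey   *ecdsa.PrivateKey
}

// Setup runs steps 0 to 4 of Figure 1. The MO writes only the telephony
// partition; the CSP sees only the public key and the registration data.
func Setup(pin string) *Scenario {
	rcaKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	cspKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rcaTmpl := template("Root CA (RCA)", 1, true)
	rca := issue(rcaTmpl, rcaTmpl, &rcaKey.PublicKey, rcaKey)               // self-signed root
	csp := issue(template("CSP 1", 2, true), rca, &cspKey.PublicKey, rcaKey) // step 0
	// Steps 1 and 2 with constructed values; step 3 (shipping) carries no data.
	card := &SimSSCD{RootDER: rca.Raw, IMSI: "262011234567890", Ki: []byte("0123456789abcdef")}
	pub := card.Init(pin) // step 4: user initializes, then registers with the CSP
	card.CertDER = issue(template("Subscriber registered at CSP 1", 1001, false), csp, pub, cspKey).Raw
	return &Scenario{Card: card, rca: rca, csp: csp, cspKey: cspKey}
}

// IssueCRL is the CSP publishing revocation list number n; verifiers cache the newest one.
func (s *Scenario) IssueCRL(n int64, revoked ...*big.Int) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, sn := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: sn, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(n), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: entries}
	return x509.CreateRevocationList(rand.Reader, tmpl, s.csp, s.cspKey)
}

// Verify is the offline check of section 3: chain the subscriber certificate to
// the cached root, check the cached CRL (signature, freshness, contents) and
// finally the document signature. Only a stale CRL forces the verifier online.
func (s *Scenario) Verify(doc, sig, certDER, crlDER []byte) error {
	user, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.rca)
	inter.AddCert(s.csp)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := user.Verify(opts); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(s.csp); err != nil {
		return err
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("cached CRL is stale: verifier must go online")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(user.SerialNumber) == 0 {
			return errors.New("subscriber certificate revoked")
		}
	}
	h := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(user.PublicKey.(*ecdsa.PublicKey), h[:], sig) {
		return errors.New("signature does not match document")
	}
	return nil
}

func main() {
	s := Setup("4711")
	doc := []byte("I consent to the processing of my location data") // constructed document
	sig := must(s.Card.Sign("4711", doc))
	fmt.Println("fresh CRL:", s.Verify(doc, sig, s.Card.CertDER, must(s.IssueCRL(1))))                           // <nil>
	fmt.Println("after revocation:", s.Verify(doc, sig, s.Card.CertDER, must(s.IssueCRL(2, big.NewInt(1001))))) // subscriber certificate revoked
}
```

The point of the example is the data flow rather than the cryptography: the CSP never handles Ki, the MO never handles the signing key, and the only thing a verifier stores for offline use is the root, the CSP certificate and the newest CRL, which is the cache-versus-traffic trade-off of the Storage section. A CRL past its NextUpdate is rejected rather than trusted, which is exactly the situation in which the verifier must go online. Using the telephone PIN for the signature function is the failure mode the paper warns about; here the signature PIN is a separate secret checked on every signature.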
Device federations, e.g. signature-enabled mobile equipment using an evaluated tablet PC as a display, will enable further applications of mobile signatures: by providing larger displays, such combinations will allow mobile signatures to be used as universal signatures on large documents.
This section will conclude with a brief analysis of the benefits of signing with federated devices.
5. Summary
Our analysis shows that qualified mobile electronic signatures can be implemented with achievable modifications to the current production and distribution of SIM cards, mobile equipment and protocols. Furthermore, we show sample applications for mobile signatures. We therefore conclude that mobile electronic signatures according to European legislation are a valuable development for the information society and should be undertaken to enable certain applications of electronic signatures.
6. References
[3GPPSpec] Specification of GSM, http://www.3gpp.org/ftp/Specs/archive/, 10.1.2003
[ETSI_msig2002] TR MCOMM#3 Draft; available at http://webapp.etsi.org/WorkProgram/Report_WorkItem.asp?WKI_ID=16182; 16.10.2002
[EU_esig1999] European Union: Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures
[Fritsch2002] Lothar Fritsch: A secure, economic infrastructure for signing of web based documents and financial affairs; CBL – Cyberbanking & Law, issue 2/2002
[FuFr2000] Thomas Fuchß, Lothar Fritsch: Security Certificates as a tool for reliably software engineering; Datenschutz und Datensicherheit 9/2000, pp. 514ff.
[ISISMTT] Common ISIS-MailTrusT specifications for interoperable PKI applications, version 1.0.2; http://www.teletrust.de/Dokumente%5Cag8_isis-mtt-corespec-v1.0.2.pdf; 19.7.2002
[RegTP] Regulierungsbehörde für Telekommunikation und Post (RegTP) der Bundesrepublik Deutschland; http://www.regtp.de/
[RFR2003] Johannes Ranke, Lothar Fritsch, Heiko Rossnagel: M-Signaturen aus rechtlicher Sicht; Datenschutz und Datensicherheit 27 (2003) 2, pp. 95ff., Vieweg & Sohn, Wiesbaden
[WAPForum] WAP Forum: Specifications of WAP and WIM; http://www.wapforum.org/, 10.1.2003