Embed Size (px)
Citation preview
Application of the U(SIM) card as secure device for electronic signature
Mr. Pedro Fuertes
Head of Business Development and Innovation
Vodafone Spain
8th International Common Criteria CongressRome, September, 26th
Mobile Electronic Signature2 8th ICCC, Rome, 26th Sept 2007
Versión 1.0
Goals
• To introduce the Mobile Digital Signature
from Vodafone Spain
• To show the business opportunities for
secure SIM based products
• To propose the CC world to develop a specific
approach for SIM Certification
Mobile Electronic Signature3 8th ICCC, Rome, 26th Sept 2007
Versión 1.0
Mobile Electronic Signature from Vodafone Spain• Signature of documents from the mobile
• Based on PKI, secure, robust
• Under EU regulations
• Multi CA
• Allows:
– Introduction of new services
– Substitution of existing Authorization
and Authentication methods
• Easy to use
• Large customer base
• HW and Basic SW certified at EAL 4+ (1)
Vodafone’s Mobile Digital Signature solution takes PKI security to the mobile world
How do you sign, How do you sign, pen or mobile?pen or mobile?
(1) Certifications ID BSI-DSZ-CC-0353-2005 And TUVIT-DSZ-CC-9253-2006
Mobile Electronic Signature4 8th ICCC, Rome, 26th Sept 2007
Versión 1.0
Why the mobile, why in the SIM?
HANDSET WITH HANDSET WITH MOBILE MOBILE
ELECTRONICELECTRONIC
SIGNATURESIGNATURE
- PCPC
- INTERNET CONNECTIONINTERNET CONNECTION
- SCREEN- SCREEN
- KEYBOARD - KEYBOARD
- CARD + READER or - CARD + READER or
- SW CERTIFICATE- SW CERTIFICATE
==
1999 2001 2003 2005 2007
Directive 1999/93/CERD 14/1999
34/2002 IS Law59/2003 ES Law
Apps without certificate Mono CA applications Multi CA applications
CA’s set up
DNIe
Coordinates cards
Certificate’s usage
Mobile Electronic Signature
PIN as secure method
Mobile Electronic Signature5 8th ICCC, Rome, 26th Sept 2007
Versión 1.0
Transaction flows
The ENTITY signs with VODAFONE for the service and pays a connexion fee to the Platform, as a variable entrance gate to the service; the fee includes a number of transactions
The END USER signs with Vodafone for the service and pays an entrance fee
The ENTITY pays Vodafone for each sign transaction. The END USER pays VODAFONE for eachsign transaction (similar to SMS)
VODAFONE pays the CA for the certificate validity query, once per transaction
The END USER has a commercial relationship with the ENTITY or is an employee or citizen
END USER
VODAFONE ENTITYor
“SERVICEPROVIDER”
(Bank,Public Ad,
Corp)
CA
(TrustedThirdParty)
END USER
VODAFONE ENTITYor
“SERVICEPROVIDER”
(Bank,Public Ad,
Corp)
CA
(TrustedThirdParty)
1
1
1
122
44
55
3
3
3
3
MES Sign in by Entity
Economic Flows
Customer sign in
Service usage (transactions)
B2BC usage by the Entity
MES Sign in by Entity
Economic Flows
Customer sign in
Service usage (transactions)
B2BC usage by the Entity
• Certificate strength resides in the CA
• Vodafone acts as a intermediate between the Service Provider and the CA, adding the mobility value
• The Service Provider builds its own services on top of the Mobile Electronic Signature
Mobile Electronic Signature6 8th ICCC, Rome, 26th Sept 2007
Versión 1.0
Is it worth to work on SIM Security?• High penetration (> 107% in Spain)
• Intrinsically secure at Operator’s degree
• Room for several certificates
• Increasing processing capacity, Java Cards and crypto-coprocessors
• Increasing importance for Operators– m-Payment
– Mobile TV
– Trusted applications
– DRM
– Access to other networks
Mobile Electronic Signature7 8th ICCC, Rome, 26th Sept 2007
Versión 1.0
Proposals for Mobile Digital Signature ramp up
We propose the CC World to define a specific approach to the SIM Certification in order to realise
all the business opportunities that are ahead
• In order to realise the business opportunities for the
Digital Signature in the mobile world, we recommend the
Common Criteria Forum to work on:
• Speed up the certification process and time
• Adapt and make more flexible the certification process
Thanks.
