ABSTRACT
Advances in technology have made the mobile market the fastest-expanding market in the world. The mobile phone is the device of choice the world over in this age because of its accessibility, fueled by cheap prices. Short Message Service in mobile phones, together with Multimedia Message Service, has emerged to fulfill most user requirements and has subsequently become an effective communication and information delivery model. The use of mobile phones extends beyond personal needs: they can be used to access sophisticated applications in a convenient and secure environment. Technologies such as Near Field Communication provide the phone with an interface to emulate a smart card and can be used for a range of applications. However, the limitations of mobile phones include low computing power, low memory and small size, and hence they are less suited for advanced applications. To eliminate these problems, a mobile PKI needs to be designed and developed. A number of papers have shown that the functionality of mobile PKI in mobile phones is sufficient for security authentication to facilitate the adaptation of mobiles in e-commerce environments. This paper will survey six papers suggesting the use of mobile PKI to enhance security. They include design of a PKI-based secure architecture for mobile e-commerce, and GSM Mobile SMS/MMS using Public Key Infrastructure: m-PKI. There is also security protocol design for electronic-cash transactions in a mobile-PKI environment, Mobile PKI security: potential, challenges and prospects, and design of mobile-PKI for using Mobile Phones in various Applications.
INTRODUCTION
A number of applications supporting e-commerce have risen in the recent past. Mobile applications extend e-services using wireless technology. The prevalence of wireless technology has made access to wireless internet easy, and users can now transact over the internet no matter their location. However, amid the boom of wireless technology, security has emerged as a great concern for mobile users utilizing electronic services through a wireless internet. In order to provide e-commerce services effectively, the four security concepts of confidentiality, integrity, authentication and non-repudiation should be conserved. Technologies that facilitate the attainment of these aspects in mobile phones and wireless connectivity environments must be activated to get the same level of security as in a wired environment. The use of text as a communication protocol has gained traction over the past, and studies from different parts of the world have affirmed that mobile messaging is indisputably the preferred communication medium. Although mobile messaging exerts an impact on people's daily lives, SMS is by its nature potentially unsafe. A message sent from a mobile device will have a copy stored at the message centre of the affiliated network provider and will travel across a number of base stations in an unprotected manner. Some approaches have been tried for securing SMS, such as symmetric encryption, but they have proved inefficient. Even with e-cash transactions, a big impact will be felt if a security problem is generated. Accordingly, the security of e-cash is essential.
This calls for a foolproof method for protecting services conducted over the mobile framework. Because the mobile application currently does not provide any security feature in the SMS/MMS architecture, implementation of PKI in the said architecture will eliminate the problems of eavesdropping, information tampering and impersonation. End-to-end encryption is applied secretly to ensure that only the intended user reads the information, and will accordingly preserve personal and corporate message confidentiality. A mobile PKI facilitates secure mobile commerce transactions irrespective of place or time. In another dimension, mobile phones offer a way of authentication and digital signing for transactions conducted on contemporary computing devices such as PCs.
DESCRIPTION OF THE TECHNIQUES
Mobile PKI security
According to this whitepaper, mobile phones provide enormous opportunities for sustained communication because of their wide spread. While people are becoming increasingly mobile, they require a companion that enables seamless connectivity. Mobile phones qualify as appropriate devices for providing digital environments irrespective of location, whether home, work or somewhere midway.
This paper recognizes that there are a few PKI solutions universally available in the market, but they are exclusive to some devices such as Blackberry. The solutions are only appropriate in the business environment, where there is constant surveillance of the roll-out processes of keys, software and certificates.
This whitepaper discusses a universal mobile PKI applicable to all brands of devices, irrespective of private or business use. It is well understood that every mobile device works with a SIM card that is used for identification, authentication and data storage. The use of SIMs extends from central administration systems to anywhere in the SMS interface, and this is the most important qualification for PKI. The mobile phone can be made part of the PKI if it has a private key, which must be sent to and stored by the mobile device. On the other side, a digital certificate is stored by the operator's directory server and contains the user's information and public key. When the private and public keys are linked, the device can be used for authentication and digital signing. The question the author tries to discuss in this paper is how to obtain the private key that is to be stored on the device so that it is available for authentication. The challenging part is the enrolment process for trusted key distribution. The enrolment process involves a number of players such as the operator, a trust centre, the operator's CA, the POS, a content provider or an external trust centre. The process is initiated by the mobile network operator. Though the service for mobile certificate enrolment is available at the POS, authorization to use the operator's enrolment service is dependent on the POS's possession of a valid certificate issued by the operator trust centre. The enrolment scenario is depicted as follows:
In some cases, a mobile PKI can be used directly to authenticate functions via the mobile phone itself. Here, there is a collaboration of an application on a mobile device, a validation server that authenticates the user, a challenge-response protocol and the SIM card signature function. The mobile device can also be used to generate a signature, as depicted in the figure below.
For authentication on a PC, the user launches an application from the PC and a message is displayed requesting the user to perform authentication using a mobile device. Commitment signatures are also created in the same manner. A user submits data to be signed over the PC, which is passed to the validation server, which subsequently interacts with the mobile phone to create a signature.
Design of a mobile-PKI for using Mobile Phones in various applications
Design of a PKI-based Secure Architecture for Mobile E-commerce
The scarce resources in terms of internal memory and computational power of mobile devices prompted the author of this paper to propose a User Authentication Server. It is to act as a third party for authentication of the mobile client and key exchange with the service provider. The design is motivated by the fact that the mobile equipment is incapable of verifying the X.509 digital certificate required for authenticating a service provider.
GSM Mobile SMS/MMS using Public Key Infrastructure: m-PKI
This paper proposes an m-PKI to solve the inefficiency in mobile SMS/MMS. The m-PKI architecture comprises the m-Certificate Authority, the m-Certificate Management System and the m-Certificate database. The user is required to apply for a digital certificate from the certificate authority prior to using the m-PKI application. Once everything has been verified, the certificate authority issues a certificate to the client, which is stored in the certificate database under the certificate management system. The user of the m-PKI can determine the status of the certificate from time to time.
Security Protocol Design for Electronic-Cash Transactions in a Mobile-PKI Environment
Thus, the proposed mobile PKI for securing e-cash comprises an issuing protocol, a dividing protocol and a transaction protocol. These three protocols coordinate to ensure that the user receives money from a bank securely, transfers the money and finally transacts repetitively in an uncompromised manner.
The structure of e-cash comprises six data fields: a serial number, amount, root issuer, holder, holder number and path.
NFC Mobile Payment with Citizen Digital Certificate
This paper explores the combination of various technologies to come up with a solution that can be used in more than one environment. Naturally, online payments are made using smart cards. As more and more smart cards of different types are issued for various functions such as transport, banking and others, an alternative was developed that combines multiple technologies and legacy applications in one card to serve diverse environments. These technologies include Near Field Communication, Secure Element-SIM (SE-SIM) and Public Key Infrastructure, among others. Citizen Digital Certificate refers to a natural person certificate offered by the government in an attempt to solve electronic service offering over the internet. In the use of the combined CDC and NFC mobile payment system, a number of processes are conducted. The main processes are the endorsement registration phase and the payment transaction phase. The endorsement phase binds the mobile transactional data with customer credentials certified by another party. The phase uses three entities: the MNO/AuC, the customer's NFC phone/SE-SIM, and the customer's ID. This phase entails certificate generation and authentication, and once a successful endorsement has been established, the customer's mobile/SIM can conduct m-payment transactions in the second phase.
COMPARISON BETWEEN THE VARIOUS TECHNIQUES
For the sake of this comparison, this analysis will refer to the papers as papers 1, 2, 3, 4, 5 and 6. The numbers represent, respectively, Mobile PKI Security: potential, challenges and prospects; design of mobile PKI using mobile phones in various applications; design of PKI-based secure architecture for mobile e-commerce; GSM/Mobile SMS/MMS using public key infrastructure (m-PKI); security protocol design for electronic-cash transactions in a mobile-PKI environment; and NFC Mobile Payment with Citizen Digital Certificate.
Paper 1 describes the use of mobile PKI for direct use via mobile phones, as a secure signature creation device and for authenticating transactions on a PC.
The second and third papers describe the use of third parties to solve the traditional limitations of mobile devices such as processing memory, storage memory and screen sizes. In paper 2, a Mobile Home Agent (MHA) based Mobile PKI is used. The MHA adopted is based on the wireless certificate management procedure and takes place in five steps:
- Generation of public-private key pair for mobile phone
- RA authentication and POP verification to ascertain that the user has the private key corresponding to the public key required
- CA checking whether or not to attest the certificate request message
- Assigning of a URL to the Mobile Home Agent, and finally
- The forwarding of the URL to the mobile device
In the User Authentication Session technique proposed in 2, almost similar operations are conducted, such as:
- Random generation of Na and Seq
- Encryption using the Public key
- Forwarding of the ukey session req to UAS
When the ukey is received on the other end, the following are performed:
- Decryption using own private key
- Hashing to compare matching fingerprints
- Random generation of Nb and calculation of USKey and
- Composition and sending of ukey session rep to ME
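The ukey session exchange listed above, run end to end as an added example (not code from the surveyed paper). The toy RSA key, the fingerprint input, the USKey derivation, the replay check on Seq and the reply tag are assumptions made here, since the page does not specify them.

```python
import hashlib, hmac, secrets

# Toy RSA key for the UAS built from two Mersenne primes; textbook RSA with no
# padding is an insecure stand-in so the flow runs on the standard library.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def fingerprint(me_id, na, seq):
    # Assumption: the fingerprint is SHA-256 over ME identity, Na and Seq.
    return hashlib.sha256(me_id + na + seq.to_bytes(4, "big")).digest()

def derive_uskey(na, nb):
    # Assumption: USKey = HMAC-SHA256 keyed with Na over Nb.
    return hmac.new(na, nb, hashlib.sha256).digest()

def confirm_tag(uskey):
    # Assumption: the reply proves knowledge of USKey with a fixed-label MAC.
    return hmac.new(uskey, b"ukey_session_rep", hashlib.sha256).digest()

def me_build_request(me_id, seq):
    """ME: draw Na, encrypt Na||Seq under the UAS public key, attach fingerprint."""
    na = secrets.token_bytes(16)
    plain = int.from_bytes(na + seq.to_bytes(4, "big"), "big")
    return na, {"id": me_id, "enc": pow(plain, E, N), "fp": fingerprint(me_id, na, seq)}

class UAS:
    def __init__(self):
        self.last_seq = {}  # highest Seq accepted per ME (assumed replay check)

    def handle_request(self, req):
        """UAS: decrypt, compare fingerprints, draw Nb, derive USKey, build reply."""
        raw = pow(req["enc"], D, N).to_bytes(27, "big")[-20:]
        na, seq = raw[:16], int.from_bytes(raw[16:], "big")
        if not hmac.compare_digest(fingerprint(req["id"], na, seq), req["fp"]):
            raise ValueError("fingerprint mismatch")
        if seq <= self.last_seq.get(req["id"], -1):
            raise ValueError("stale or replayed Seq")
        self.last_seq[req["id"]] = seq
        nb = secrets.token_bytes(16)
        uskey = derive_uskey(na, nb)
        return uskey, {"nb": nb, "tag": confirm_tag(uskey)}

def me_finish(na, rep):
    """ME: derive USKey from Na and the received Nb, then check the reply tag."""
    uskey = derive_uskey(na, rep["nb"])
    if not hmac.compare_digest(confirm_tag(uskey), rep["tag"]):
        raise ValueError("reply tag mismatch")
    return uskey
```

Both sides end with the same 32-byte USKey without the ME verifying any certificate, which is the point of delegating to the UAS; a resent request or an altered fingerprint is rejected before a key is derived.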
The two proposals 2 and 3 have three identifying elements: the mobile client, the service provider and a secure third party.
The only difference is that while 2 is based on wireless certificate management, 3 is not. The communication protocol in 3 is based on an SMS Gateway and a Mobile Electronic Service Server (MESS) that interfaces the wired and wireless networks. MESS interprets the header of message packets and routes the packets to the proper MEs and servers.
1 and 4 are similar in that both employ a Certificate Authority, a Certificate Management System and a Certificate Database. The user must first obtain a certificate from a recognized provider, which in case 1 is a service provider. The verification may involve the physical presence of the applicant or accompanying credentials. In 4, m-PKI users have to register with an m-Certificate Authority before getting the mobile digital certificate.
The process of authentication and digital signing using a mobile phone occurs through a number of steps:
- A user visits an operator's POS station for the enrolment process. Face-to-face authentication with supporting identification is required.
- A POS employee logs in with the software token provided by the operator's CA. Using a web-based registration utility (RU), registration is conducted in a graphical user interface. The POS employee randomly gives a PIN and links the identity of the applicant with the selected envelope in the RU. The RU gives the symmetric key pair from the CA, upon which the certificate is generated with all the identity data included.
- In order to prove possession of the private key, an interaction with the POS is required. An employee connects the SIM card to the RU via a card terminal for the RU to generate a private key and set the PIN.
The difference between the two proposals is that while 1 proposes a solution that works for all kinds of devices, 4 is exclusive to devices which support Java and adhere to the Open Mobile Alliance standard such as Mobile Information Device Profile (MIDP).
The e-cash system proposed in 5 is quite different from the rest in terms of the protocol and operation procedure. However, it is similar to 2 because it employs wireless PKI. Both of them lack the X.509 certificate used in the cable environment.
In 6, a different product is proposed which combines a number of technologies. The combination of NFC and CDC is efficient in attaining many functionalities in the same device. CDC is incorporated to provide identification and verification of the user, encryption of data in transmission, signature generation and electronic certificate issuance. The mode of CDC registration is similar to 1 and 3, where a CA and service providers are utilized. The differences are that in 1 and 3, service providers can be distinct private entities, while in 6, CDC registration is controlled by the government. Compared with all the other proposals, 6 is more advanced and comprehensive.
CONCLUSION
In conclusion, it is apparent that the use of mobile PKI for extending the capabilities of mobile phones is a step in the right direction. A number of the solutions proposed ascertain the achievement of privacy and security. E-cash transactions can be secured by using mobile PKI, which prevents falsification or forgery of information. A Mobile Home Agent and the Trusted Third Party eradicate the limitations of mobile applications in wireless environments. The mobile PKI provides not only the much-needed mobility and independence but also secure transactions. It gives service providers a way to identify their users securely, while governments can leverage the CDC to provide safe havens in the troubled internet. Secure transactions can now be conducted from any PC or internet café without worrying about privacy. With the increasing proliferation of mobile devices with diverse capabilities all over the globe, mobile PKI becomes a relevant and justifiable solution.
Works Cited
Design of a PKI-based secure architecture for mobile e-commerce. (2010). International Conference on Information and Computing.
Nexus. (2010). Mobile PKI; POTENTIAL, CHALLENGES AND PROSPECTS.
NFC. NFC Mobile Payment with Citizen Digital.
Nor Badrul Anuar, L. N. (2008). GSM Mobile SMS/MMS using Public Key Infrastructure: m-PKI. WSEAS TRANSACTIONS on COMPUTERS.
R., S. (2011). Design of Mobile-PKI for using Mobile Phones in Various Applications. International Conference on Recent Trends in Information Systems.
Security Protocol Design for Electronic-Cash Transactions in a Mobile-PKI environment. 9th IEEE/ACIS International Conference on Computer and Information Science. IEEE Computer Society.