The Mobile Finnish Identity Certificate Dr.Tech. Göran Pulkkis and BSc (Eng.) Jonny Karlsson ARCADA Polytechnic Helsinki Finland PRESENTATION OUTLINE Finnish Electronic Identity (FINEID) as a Smartcard Application Mobile Fineid based on PKI SIM Cards Standardized Mobile Signature Service Authentication Service based on Mobile FINEID Practical demonstration: authentication to a www service Mobile FINEID Deployment Issues
FINEID APPLICATION Based on open standards Public Key Infrastructure 2 key pairs, certificates and PIN Codes: Authentication + encryption Non-repudiation signature PKIX based Certificate Policy X.509v.3 certificates and X.500 and LDAP directories http://www.fineid.fi/vrk/fineid/home.nsf/pages/index_eng FINEID APPLICATION The file structure of the FINEID application is is based onthe ISO/IEC 7816-15 and PKCS#15 specification. Notice that the FINEID application must be selected prior to being able to access this file structure. The FINEID application may potentially exist in a multiapplication smart card or other interoperable token.
FINEID APPLICATION FINEID APPLICATION
FINEID APPLICATION FINEID APPLICATION Individuality
SMARTCARDS Specific security components in user devices in mobile cellular networks are smartcards such as: SIM (Subscriber Identity Module) USIM (Universal SIM) PKI SIM (Public Key Infrastructure SIM) A SIM/USIM card securely stores an authentication key identifying a GSM/3G network user. A PKI SIM is a SIM/USIM with an integrated RSA crypto processor and storage space for private keyes. SIM Card Mobile phone a personal trusted device GSM PKI Solution Enabling Secure Mobile Communications In Finland the Population Register Centre has concluded a co-operation agreement with TeliaSonera Finland and Elisa in creating a mobile phone service for the electronic identification of a person It is possible to use the services of both public administration and the private sector Can be utilised also in communications services through the Internet, in which case the mobile phone acts like a card reader
Mobile Electronic Identity Mobile FINEID (Finnish Electronic Identity) is a mobile electronic ID for inhabitants in Finland. Based on PKI with user private keys integrated in a PKI SIM: Mobile Electronic Identity PKI SIM cards are currently issued by two Finnish operators. PKI SIM owner identities are verified by mobile citizen certificates issued by the Finnish Population Register Center (PRC).
Technical Features of a FINEID PKI SIM Contains a crypto processor and two PIN code protected private keyes: Authentication/encryption key Signature key Technical Features of a FINEID PKI SIM The corresponding X.509 certified public keys are stored in the FINEID certificate directory administrated by the PRC. http://www.fineid.fi/vrk/fineid/home.nsf/en/certificate_directory Hashes of both public keys are stored in the PKI SIM for retreival of correct certificates from the certificate directory.
Technical Features of a FINEID PKI SIM Contains a SIM Application Toolkit (SAT) application known as Wireless Internet Browser (WIB). A PKI plug-in (PKCS#7 Signature plug-in) is used to generate signatures with the private keys through function calls executed by the WIB. Function calls to, input data to, and retreival of return data from the signature plug-in are encapsulated in SMS messages transmitted over an Over the Air (OTA) connection. Mobile Signature Service (MSS) Architecture
Mobile Signature Service (MSS) Architecture Communication between the service provider and the operator is based on an ETSI TS 102.204 standarized web service interface. The interface is mainly based on: Simple Object Access Protocol (SOAP) XML HTTP/HTTPS Signature roaming is supported and is based on a public standard: ETSI TS 102 207 standard Authentication based on Mobile FINEID Example: User authentication to a Protected WEB Service 1. The user tries to access the web service using HTTP and the web service informs the user that authentication is required and asks s for the user s s phone number 2. After receiving the phone number the service provider (in this case c the web service) sends a signature request message, containing the user s s phone number, to the mobile operator. 3. The mobile operator sends a signature request to the user s s mobile phone PKI SIM, where a PKCS#1 signature is generated with the private key. 4. The PKCS#1 signature and the public key hash is sent back to the mobile operator and the user s s citizen certificate is retrieved from the PRC directory based on the hash. 5. The signature is embedded into a PKCS#7 package, containing the user certificate, and sent to the service provider. 6. After successful signature verification, the user can access the protected WEB service
Authentication based on Mobile FINEID Example: User authentication to a Protected WEB Service Practical demonstration: https://vrk.fineid.fi/hstsign/gsmtunnistus/mobiilitesti.htm MSS Architecture Evaluation The architecture of current MSS systems is complex because of the required SMS communication with the PKI SIM. An agreement between the SP and the operator is required. The technical specifications of operator specific PKI SIMs are confidential and application and service development is thus mostly operator dependent. Currently, there are no public services for mobile FINEIDs.
CONCLUSIONS Mobile Electronic Identities provide strong PKI based authentication, encryption, and digital signature services. Further work should be done on improving the usability of and on developing applications for Mobile FINEID