M-signature: etronika first in the world

Mobile phones with new generation SIM cards enabling identity check and digital signing are attractive devices for end-users. They are easy to use and close at hand. The technology behind this multi-purpose solution includes exceptionally strong two-channel, two-factor security thus keeping the user experience quick and hassle-free.

Mobile signature is an electronic signature generated by a mobile phone with special smart SIM card.
As equivalent to handwritten signature, mobile signature is legally binding.

For what purpose is mobile signature being used?

Mobile signature is intended to:

  • Confirm authenticity of the signed electronic document.
  • Ensure that transmitted electronic data are not modified illegally.
  • Demonstrate and validate identity of a signature holder.

Mobile signature can be recognized as identity document in the virtual world and used in a wide variety of situations:

  • Secure online bank login.
  • Secure eCommerce purchases.
  • Sell and buy shares with non-repudiation.
  • Sign online credit and loan applications.
  • Sign corporate or financial transactions.
  • Access secure eGoverment services such as tax declarations, tender applications, permits and voting.
  • Remotely access health records provided by health care institutions.
  • Conveniently access corporate networks (VPN).
  • Sign documents such as PDF files and email.
  • Verify anonymously client’s age for restricted access.
  • Top-up mobile wallets and other mobile applications.
  • And many more!

Mobile signature is easier and more convenient to use than other types of electronic signature. Mobile phone is nearby all the time, there is no need to have an additional device and learn to sign with it.

A typical signing with mobile signature procedure looks like this:

  • User opens internet-based software for electronic document signing, and selects signing with a mobile signature from all available electronic signature types.
  • User gets a message to his/her mobile phone asking to confirm, if he/she really intends to sign. User confirms his/her choice.
  • User gets another message his/her mobile phone asking to enter the special PIN (sPIN) which was created when acquiring a special SIM card from a mobile operator.
  • If sPIN is entered correctly and user is not restricted to use mobile signature, software encrypts signed electronic document, relates it with user identification data from the electronic certificate, includes a timestamp and saves the document in a special format.

A similar dialogue between mobile phone and software follows when user logins to the system using his/her mobile signature for authentication. Example of login to internet banking system:

How is strong security of mobile signature assured?

Private and Public Keys
Formation of a mobile signature is based on an asymmetric two-key algorithm used in cryptography.

The most important point of this algorithm is that one of the keys is used to encrypt data, and the other to decrypt them. The key used to sign electronic documents, and decrypt received data, is called private key, and is installed on a special SIM card during its personalization. Another key used to encrypt data before sending, sign documents for verification and identification of the signatory, is called public key.

There is a mathematical relationship between private and public keys, but it is not possible to restore private key from the public key only. Private key always remains confidential. Extraction or copying of it results in the destruction of the SIM card. Public keys of mobile signature are stored and maintained by Certification Authorities (CA) in the Public Key Infrastructure (PKI).

Electronic Certificates
When public key is related to personal identity data (name, surname, identity number, company name, address, etc.), it is considered to be certified. In other words, electronic certificate is an electronic document that binds together person’s identity data and a public key.

Electronic certificate can be created by any individual or any electronic certificate issuing company. However, country laws establish qualified certificate providers to issue legally valid, recognized and definite certificates.

Public Key Infrastructure (PKI)
Mobile signature security also depends on public key infrastructure (PKI) reliability and effective operation. The PKI is used for:

  • Physical verification of user’s identity and distribution of special smart SIM cards, through which mobile signature service can be provided.
  • Creation and activation of the qualified electronic certificates to confirm user’s identity.
  • Usage of mobile signature in practical situations with software applications support.
  • Cancellation of mobile signature usage.

Here are 4 mandatory roles in wireless public key infrastructure (wPKI):

  • Mobile Operator (MO)
    Mobile operator distributes specific SIM cards, through which mobile signature service can be provided. Mobile operator also establishes wireless and secure channel between end-user’s mobile phone and service provider’s applications during the use of mobile signature.
  • Registration Authority (RA)
    This authority verifies user’s identity physically. Registration Authority’s role is usually performed by mobile operator when issuing smart SIM cards for mobile phones.
  • Certificate Authority (CA)
    This authority issues electronic certificates. Usually the end-user has no need apply to this authority individually. Electronic certificate and attributing it to SIM card keys is initiated by mobile operators.
  • Trusted Service Provider (TSP)
    This provider offers mobile signature creation and verification service around the clock. Its applied software must be well-functioning, safe and easily integrated with applications and portals of electronic service providers. Trusted service provider also must handle the required legal and technical infrastructure.
  • Service Provider (SP)
    Service provider provides various types of electronic services. Its software can be used for electronic document signing, online sales of services and goods, making payments, etc. Service provider also may need user’s mobile signature to authenticate login. Service provider connects electronic services software with trusted service provider’s software that delivers mobile signature creation and verification service.

How can one provide adequate security to allow interactions with customers, employees, partners, and suppliers to be richer and more flexible? ETRONIKA provides solutions that enable companies to manage digital identity effectively – not just as a security check, but as a way to extend services and pinpoint the needs of customers and employees.