Digital signatures via SIM cards and mobile phones take off in Finland
17 August, 2005
By Andy Williams, Contributing Editor
With a process as easy as sending a text message via your mobile phone, digital signing has taken a huge leap forward in Finland, thanks to backing from the Finnish government and Elisa, the country’s second largest mobile network operator.
The Finnish Population Register Centre now offers its citizens the option of conducting official business over the Internet. This allows the citizen to use a mobile telephone when secure identification is required for online services or requests. The first SIM (subscriber identity module) cards equipped with the security certificate required for the mobile signature are now being offered by Elisa. The basis for this technology is the UniverSIM product line from international technology group Giesecke & Devrient (G&D), providing signature functionality and encryption.
“The Population Register is a government organization that began issuing normal credit card-type photo IDs back in 1999,” said Aimo Maanavilja, research fellow at Elisa. “The integration of this whole system was made possible by Elisa.” He said the Finnish government sees mobile citizen certificates as an important next step in the electronic identity of its citizens for information society services.
Elisa has been working for several years to implement mobile certificates in a SIM card. The mobile operator has actively cooperated with the Finnish government and especially with the Population Register Centre issuing Finnish Public Key Infrastructure (PKI)-based electronic identity cards.
According to the company, a citizen certificate is stored on the SIM card from G&D. This is part of the mobile security architecture – the PKI. If, for example, a citizen wants to register a move to a new home online, he opens the corresponding page on the Internet, fills out the form, and receives a message from the registration office on his mobile telephone requesting him to enter his mobile signature for the online request. The citizen enters a personal PIN to permit the generation of the digital signature. This is generated by the SIM card and returned to the registration office as a special encrypted message.
It is expected that this mobile citizen certificate will be adopted this year as an identification tool in the online services of the Population Register Centre and in the nationwide Electronic Notebook (Sähköinen Reissuvihko) service of Hämeen tietotekniikkakeskus. In addition, OKO Bank and the Social Insurance Institution of Finland (KELA), the Tax Administration and the Ministry of Labour are expected to make use of the citizen certificate by the end of this year.
“One of the key issues with any form of smart card is you need some form of smart card reader, whether you’re a retailer or you’re at home connected to a computer. The benefits provided by this (program) are that the handset acts as the reader,” said Tim Deluca-Smith, communications manager for SmartTrust, a Stockholm, Sweden-based mobile device management vendor. SmartTrust supplies the transport server necessary to secure messages between the operator and handset. The company also provides the client application that sits within the SIM card itself, the SmartTrust WIB (wireless internet browser), to control the creation of the digital signature.
The WIB is a small bit of code that sits on the SIM card acting as an interpreter for messages sent over the air by the operator. “It can be integrated onto any SIM card and SmartTrust makes the specifications available for free to all SIM card vendors that want to implement it,” said Mr. Deluca-Smith. The WIB concept is based on the SIM Application Toolkit (STK). “As STK is a GSM standard it is supported by all handsets and this makes the WIB concept handset-independent.”
If someone is submitting a tax return on the Finnish portal, he is asked to sign for it. He can enter his phone number online, which then passes through the SmartTrust platform and generates an SMS message that is sent to the handset. The SmartTrust WIB requests the user to enter a PIN, which in turn creates a digital signature.
It’s all based on PKI for the mobile world. Sitting on that WIB is a simple PKI plug-in. “That’s what’s decrypting the message and sending it back with a legally-binding signature. We hold a lot of patents for mobile PKI. We started developing that in the 90s, but we were a bit ahead of our time. Only in the last two years have we actually seen mobile operators using it commercially,” said Mr. Deluca-Smith.
It helps that “mobile penetration” in Finland is 100%, said Mr. Deluca-Smith. Added Mr. Maanavilja: “Every active citizen in Finland owns a mobile phone. By issuing these electronic certifications on SIM cards, everyone has an electronic certification in his pocket. There is no need for a card reader. We have also integrated access for service providers, so they can use these authentication phones very easily.”
“Because it’s all standard and based on European Union guidelines, SmartTrust is compatible with all other cards,” added Mr. Deluca-Smith.
The key aspect has been the cost of rolling this out, he said. “One of the primary concerns has been the actual cost of issuing the cards. Using the handset as a card reader is a low-cost approach.”
There are three major mobile operators in Finland, and since implementation is based on international standards, anyone can join up, said Mr. Maanavilja. “It’s like an electronic passport. It can be used as your personal authentication.”
In fact, the authentication process resembles the passport registration process, said Mr. Deluca-Smith. Registration works like this:
1) The user gets the certificate-ready PKI SIM card from a mobile operator, in this case from Elisa’s outlets. Because the client application resides on the SIM card, almost every type of GSM mobile handset can be used. In Finland the elements displayed in the user interface of the mobile handset have been standardized, i.e., in the case of mobile authentication and digital signing the user experience is expected to be identical regardless of the mobile operator.
2) The user registers his certificate for the SIM card at a local police station, producing documentation that proves his identity. The issuer of the certificates is the Finnish Population Register Centre.
3) In case the user loses the phone/SIM card, the certificates are revoked and a new SIM card with new certificates is registered for the user.
4) Elisa provides service providers with a standardized interface to integrate their service systems to access the user certificates.
“In Finland, Elisa Corp. (with its 1.5 million mobile customers) has been very active; and the Finnish government has been very active, at using these electronic means to issue mobile certificates on SIM cards,” said Mr. Maanavilja.
Since inputting your PIN to verify a transaction is as easy as sending text messages, both Mr. Maanavilja and Mr. Deluca-Smith expect the system to grow. Mr. Maanavilja estimated about 50,000 are using the service now. “But what the government and others are seeing is that it can have a large penetration because everyone has this equipment anyway.”
Added Mr. Deluca-Smith: “People are very familiar with text messaging, so there is no learning curve. They know what to do with it, how to respond, how to control it.”
Overview of how it all works
CASE ONE: Signing for a service via the web.
Step 1: On the login screen of the web service type your mobile phone number as a user ID.
Step 2: The authentication request arrives at your mobile handset (as a secure text message).
Step 3: On request type your personal PIN code for authentication.
Step 4: The signed authentication request is returned to the service (as a secure text message).
Step 5: The service is opened to you after successful verification of your ID.
CASE TWO: Digital signing of an application on the web page
Step 1: You fill in an application and you are ready to register it with your digital signature. You press the digital signing button on the web page.
Step 2: The signing request along with the core details of the application are displayed on your mobile handset.
Step 3: You approve the details of registration with your digital signature by pressing OK.
Step 4: On request type your personal PIN code for digital signing of the application data.
Step 5: The signed application data is returned to the service for registration. A digital signature of the web application (e.g. a web-based form for government, a contract, or a service/product order from a company) is now made according to the Finnish law on electronic services, which is based on a European Commission directive.
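The two cases above, and the registration steps 2 and 3 earlier in the article, are modelled below as a single round trip between a service and the PKI applet on the SIM. This is an added example written for this page; it is not code from Elisa, SmartTrust, G&D or the Population Register Centre. The phone number, PIN, service name and seed are constructed values, and textbook RSA over SHA-256 stands in for the card's real signature scheme so the example runs offline with only the standard library (a real deployment uses padded signatures and X.509 citizen certificates). What the article's step list does not spell out, and the code makes explicit, is why the request carries a fresh nonce (so a captured signed reply cannot be replayed), why the PIN check lives on the card with a retry limit, and how revocation after a lost phone is enforced at verification time.

```python
"""Toy model of the Finnish SIM-signature exchange (added example, not the
operators' code). Textbook RSA + SHA-256, standard library only."""
import hashlib
import random


# ---- constructed key material (toy RSA, not production-grade) -------------
def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with random bases; enough for a reproducible demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand, rng):
            return cand


def rsa_keypair(bits=512, seed=2005):
    """Return ((n, e), (n, d)); seeded so the example is reproducible."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")


class SimCard:
    """The PKI applet on the SIM: the private key never leaves the card and the
    signing PIN gates every signature; three wrong tries block the card."""
    MAX_TRIES = 3

    def __init__(self, private_key, pin):
        self._n, self._d = private_key
        self._pin = pin
        self.tries_left = self.MAX_TRIES

    def sign(self, text, pin):
        """Return an RSA signature over SHA-256(text), or None if blocked / wrong PIN."""
        if self.tries_left == 0:
            return None
        if pin != self._pin:
            self.tries_left -= 1
            return None
        self.tries_left = self.MAX_TRIES
        return pow(_digest(text), self._d, self._n)


class Service:
    """Service-provider side: citizen certificates (public keys) collected at
    enrolment, a revocation list, and one-time nonces for outstanding requests."""

    def __init__(self, name):
        self.name = name
        self.certs = {}       # phone number -> (n, e)
        self.revoked = set()  # phone numbers whose certificate was revoked
        self._pending = {}    # nonce -> exact text sent to the handset
        self._rng = random.Random(42)  # constructed; use secrets in practice

    def enroll(self, phone, public_key):  # registration step 2
        self.certs[phone] = public_key

    def revoke(self, phone):  # registration step 3 (lost phone / SIM)
        self.revoked.add(phone)

    def challenge(self, phone, summary):
        """Build the 'secure text message' shown on the handset: the core details
        of the request plus a fresh nonce, so a captured reply cannot be replayed."""
        nonce = "%016x" % self._rng.getrandbits(64)
        text = f"{self.name}|{summary}|nonce={nonce}"
        self._pending[nonce] = text
        return text

    def verify(self, phone, text, signature):
        """Step 5: accept only a fresh, unaltered, correctly signed reply from an
        enrolled and unrevoked certificate."""
        if signature is None or phone in self.revoked or phone not in self.certs:
            return False
        nonce = text.rsplit("nonce=", 1)[-1]
        if self._pending.pop(nonce, None) != text:  # unknown, replayed or altered
            return False
        n, e = self.certs[phone]
        return pow(signature, e, n) == _digest(text)


def run_flow(service, sim, phone, summary, pin):
    """One round trip: challenge by SMS -> PIN on the handset -> signed reply -> verify."""
    text = service.challenge(phone, summary)
    return service.verify(phone, text, sim.sign(text, pin))


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    phone, sim, prc = "+358401234567", SimCard(priv, "1234"), Service("registry.example")
    prc.enroll(phone, pub)
    print("CASE ONE login:", run_flow(prc, sim, phone, "LOGIN", "1234"))
    print("CASE TWO move :", run_flow(prc, sim, phone, "MOVE to Esimerkkikatu 1", "1234"))
```

Running the script performs both cases for one enrolled phone. The `Service` class plays both the Population Register Centre (enrolment and revocation) and the relying service; in the deployment described above those are separate parties connected through the operator's transport server, but the checks at verification time are the same.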