Mobile e-commerce for banks
A new solution for corporate customers, such as banks and financial institutions, who want to offer secure yet easy-to-use mobile e-commerce services and business-to-business transactions is now available. The Nokia Activ Signet Solution provides the essential requirements for monetary transactions, for access to highly sensitive information, and for signing in electronic approval processes. Typical applications are mobile banking, brokerage, payment and corporate intranet services.
The new corporate solution will enable certificate and digital signature validation and online certificate enrolment. The solution requires the Enterprise Edition of the Nokia Activ Server and Nokia Activ Security option with client authentication support as an enabling platform for mobile services.
Bankers have been looking forward to a solution enabling them to deploy truly secure mobile banking transactions in volume. The Solution will be based on open standards, such as the Wireless Public Key Infrastructure, on which the security aspects of the WAP 1.2 specifications are built. Wireless PKI covers the infrastructure and the procedures required to enable authentication and digital signatures for servers and mobile clients. It is a certificate-based cryptographic system that utilizes key pairs (public, private) associated with each party. The Solution will support WAP 1.2 compatible phones, which will include the Wireless Identity Module (WIM), a tamper-resistant module for private key storage and cryptographic operations.
"As early adopters of mobile commerce technology, we see a strong market demand for technologies, like the WIM (Wireless Identity Module) standard, that will provide increased security for transactions in the wireless environment," said Allen J. Wolpert, Accenture partner - Technology, Financial Services. "The sooner companies, particularly in the financial services industry, implement the PKI security infrastructure, the more quickly they will be able to adopt solutions ... and thus offer secure mobile e-commerce capabilities to their customers."
The Activ Signet Solution for secure mobile e-commerce will be a logical step to support customers who are creating a vast portfolio of innovative and user-friendly services for their clients. The key building blocks of the solution will be based on open standards, enabling customers to leverage their existing investments in e-business, PKI (Public Key Infrastructure) and other corporate IT systems.
WAP specifications are published by the WAP Forum, a non-profit industry association open to all industries. The WAP Forum is widely represented by members from across the mobile commerce value chain, positioning it as the most efficient body to deliver the further specifications required.
WAP arose from the need to take effective account of the critical constraints of the current wireless world: limited bandwidth, challenging conditions of use, and the specific graphical user interface and processing characteristics of the mobile phone. The very same constraints will remain a reality in the impending future of mobile commerce. Therefore, WAP is the best available choice of platform for the sustainable evolution of mobile commerce.
The evolution of mobile networks towards the 3rd generation will bring increased bandwidth and the always-on capability of packet-switched networks. Simultaneously, the processing capacity of handsets will steadily develop, and the screen size, and consequently the graphical user interface, will become more advanced. Due to the strong industry momentum behind WAP, its specifications will evolve alongside the market.
The security aspects of the WAP 1.2 and WAP 1.3 specifications are fundamentally built on PKI. It is a certificate-based cryptographic system that utilizes asymmetric algorithms based on key pairs (public, private) associated with each party. A certificate is a data structure that binds the identity of the certificate holder to a public key. Certification authorities (CAs) act as a clearinghouse issuing security certificates and ensuring their authenticity.
Originally, PKI emerged on the wired Internet, but its adoption by consumers has been slow. While the technological merits of PKI are indispensable, the PC-centric user environment allows for substitute application-level security methods. Consumers have accustomed themselves to managing multiple usernames and passwords in a number of ways, e.g. writing them in secret files on the PC or on a Post-It note below the monitor, and they see little added value in changing habits. The perceived low added value correlates directly with how much they are willing to pay, e.g. for PC smart card readers, which are relatively expensive to manufacture.
On the other hand, the mobile environment is completely different. The limited keypad and the challenging usage situations while on the move mean that PKI will deliver much greater added value, since substitute methods are clearly inferior. Furthermore, the cost dynamics are attractive in markets in which consumers pay for the terminal themselves. Many future consumers will probably not even realize that they are purchasing the functionality of a smart card reader; they simply wish to buy a phone. Therefore the mobile phone will outpace any other card reader solution in speed of market penetration. Once consumers become accustomed to PKI usage through their mobiles, it can be forecast that, for example, authentication to Internet commerce will be done through the mobile terminal. Therefore, we also see mobility as a key driver for Internet PKI adoption.
The extension to the mobile environment, called Wireless PKI, Mobile PKI or WAP PKI, covers the infrastructure and the procedures required to enable the trust provisioning needed for authentication and digital signatures for servers and clients.
The WPKI specification will address certificate enrolment and lifecycle management, more specifically the creation, distribution, verification and revocation of certificates. The key elements of the WAP/WPKI system are:
- Mobile phones with WIM (Wireless Identity Module, in which secure data is stored) support
- WAP Gateway enhanced with certificate-based identity validation capability
- Registration Authority (RA) for certificate enrolment
- Back-end PKI infrastructure with access to Certification Authority (CA) infrastructure
In smart card PKI solutions, the issued certificate is fixed to a specific user identity through customized enrolment. For example, in order to get a government-issued ID chip card one goes to the police station in person with a passport in hand and fills in an application. After that a certificate is issued.
Customized enrolment is not suitable for the mobile commerce mass market. To maintain high security standards, it would mean that the WIM card issuer would have to mobilise and train its whole service network for such a security operation, or conversely ask its customers to travel long distances to get the task done. Neither approach is very appealing.
The wireless PKI solution entails anonymous key pairs being pre-installed in the WIM cards together with a corresponding PIN (Personal Identity Number) code. The authenticity of the keys is ensured by a manufacturer certificate. On the first use of a secure service, the Registration Authority (RA) of the WPKI validates the credentials and then requests the CA to create and send a certificate, thus binding the anonymous key pair to a specific user identity.
The WAP specification on certificate storage allows for different options. The issued certificate can be stored on the WIM card, or in a directory on the WPKI system that the WIM references by a URL. Alternatively, the URL can be replaced with a hash key, an algorithmic digest of the public key. In this case, no certificate data needs to be stored on the WIM.
Legislation regarding the acceptance of the digital signature as a legally binding transaction has already been developed, or is being developed, in many key countries such as the U.S., Germany and the U.K. Digital signature technology can fulfil the requirements of authentication and non-repudiation, which are key conditions in establishing the merits of legally binding commercial transactions.
The WAP 1.1 specification has already defined three classes for WTLS: Class 1, Class 2 and Class 3. The default level, WTLS Class 1, allows for an anonymous, secured channel between the WAP client and the WAP server. WTLS Class 2 includes the Class 1 features plus server authentication.
WTLS Class 3 includes Class 2 features plus client authentication. WTLS Class 3 also supports mutual authentication between the server and the consumer by an exchange of certificates.
The WIM can also be a removable part of the terminal hardware. This solution is also applicable in mobile terminals that do not use SIM card slots. The benefit is a high level of consumer convenience, as everything is integrated into one piece. The drawback is its inflexibility, since the lifecycles of the terminal and the WIM are tied to each other.
In the SWIM solution the WIM functionality is stored on the operator-issued Subscriber Identity Module (SIM) card. However, the mobile network subscription functionality is separated from the other applications that require authentication and signature capabilities. Standardized features and interfaces are used to ensure interoperability between the technologies of different manufacturers and the SIM cards of different operators.
The Dual Chip approach means a second, separate SIM-sized smart card is placed semi-permanently in the phone. It is removable and is issued independently of the SIM card, e.g. by a mobile commerce service provider. Its strength is that it separates the network subscription from the other applications, thus creating more latitude in terms of business models. Naturally, this requires phone designs that can hold two SIM-sized cards. A main concern is whether there is enough mass-market demand for such a specialized solution.
The Dual Slot implementation utilizes a regular-sized credit card, which is inserted into an integrated smart card reader in the terminal whenever a transaction is to be made. The advantage is that the same card can be used for multiple channels. The drawback is that the consumer needs two different devices. Additionally, the integrated reader challenges the physical size of the terminal - a key criterion for consumers when purchasing a phone. Furthermore, dust and moisture can affect the reliability of the reader.
In the External Reader solution a separate device with a smart card reader is connected to the mobile terminal by wire, infrared or Bluetooth short-range radio. It allows for a variety of smart card implementations. Again, the drawback is compromised convenience, since the consumer needs to take care of two separate devices. Additionally, there is the difficult question of where to allocate the cost of manufacturing the reader, as presumably consumers are not willing to pay for it.
Eventually, customer requirements and demand will determine which of the proposed solutions are taken into use in the marketplace. Since the SWIM solution is the most evolutionary one with respect to existing phone designs, it is likely to be the first to achieve wide consumer usage. However, it is good to bear in mind that from a service provider's technical perspective, the implementation of the WIM is irrelevant: as long as it adheres to the WAP specifications, the server-end execution is exactly the same.
Technically speaking, a certificate is a standard-form record that contains a description of its owner, including the public key. The certificate has been digitally signed (that is, issued) by a certificate authority (CA). The certificate authority is someone (e.g. the security department of a company or a government's security authority) known to and trusted by the recipient.
The ISO standard that defines the format of the certificate is known as X.509. Because X.509 certificates are rather large in size, WTLS also defines a "light-weight" format of certificates, known as WTLS certificates.
Validating a certificate means traversing a chain of certification authorities until a known authority is met. In the case of two communicating parties, this means that when one party receives the certificate of the other party, it can either recognise the certificate and trust the other party, or check who has signed the certificate and whether it can trust that CA. If it does not trust the CA, it is still possible to obtain the certificate of the CA (e.g. from a public certificate server) and check who has issued it, and so on. Obviously, there is an end to the certificate chain, and that is someone whose certificate is known and who is trusted.
There are services known as certificate servers that can be used to query certificates. The certificate server itself needs to be a trusted service (i.e. the client must know its certificate because it is not possible in practice to validate the certificate server).
A certificate usually has an expiration date. Certificate servers may also maintain certificate revocation lists (CRLs) containing certificates that have not yet expired but whose key pair has been compromised.
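The chain traversal, expiry check and revocation check described in the three paragraphs above, together with the "hash key" identifier mentioned in the certificate storage paragraph, as an added example written for this page (not code from Nokia or the Activ Signet product). It uses Go's standard crypto/x509 library to build a three-level chain (a constructed root CA, an issuing CA and a subscriber certificate used for client authentication) and then validates the subscriber certificate against a set of trusted roots, a time of evaluation, and a constructed revocation set standing in for a CRL. All names, serials and the choice of SHA-256 over the SubjectPublicKeyInfo for the digest are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn. With parent == nil the certificate is
// self-signed (a root CA); otherwise it is signed by parentKey, the private key
// that belongs to parent. Subject names are constructed for the demo.
func makeCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A subscriber certificate used for client authentication (the WTLS Class 3 case).
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// validateChain performs the traversal the text describes: starting from the
// leaf, follow issuers through the intermediates until a certificate in roots
// (a known and trusted authority) is met. Validity dates are checked at `now`,
// and any chain member whose serial is in revokedSerials (a constructed stand-in
// for a CRL lookup) is rejected. The returned chain runs leaf first, root last.
func validateChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, revokedSerials map[string]bool, now time.Time) ([]*x509.Certificate, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		CurrentTime:   now,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return nil, err // unknown root, expired certificate, bad signature, ...
	}
	for _, c := range chains[0] {
		if revokedSerials[c.SerialNumber.String()] {
			return nil, fmt.Errorf("certificate %q (serial %s) is revoked", c.Subject.CommonName, c.SerialNumber)
		}
	}
	return chains[0], nil
}

// publicKeyDigest is the "hash key" alternative to storing a certificate or URL
// on the WIM: a digest of the subject public key that identifies the
// certificate. SHA-256 over the DER SubjectPublicKeyInfo is this example's choice.
func publicKeyDigest(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

func main() {
	now := time.Now()
	root, rootKey, _ := makeCert("Demo Root CA", true, now.Add(48*time.Hour), nil, nil)
	inter, interKey, _ := makeCert("Demo Issuing CA", true, now.Add(24*time.Hour), root, rootKey)
	leaf, _, _ := makeCert("subscriber-0001", false, now.Add(time.Hour), inter, interKey)
	inters, roots := []*x509.Certificate{inter}, []*x509.Certificate{root}

	chain, err := validateChain(leaf, inters, roots, nil, now)
	fmt.Println("valid chain length:", len(chain), "err:", err)
	_, err = validateChain(leaf, inters, roots, nil, now.Add(2*time.Hour)) // leaf has expired by then
	fmt.Println("expired leaf:", err)
	_, err = validateChain(leaf, inters, roots, map[string]bool{inter.SerialNumber.String(): true}, now)
	fmt.Println("revoked issuer:", err)
	fmt.Println("public key digest:", publicKeyDigest(leaf))
}
```

The revocation check walks every member of the chain, not just the leaf, because a compromised issuing CA key invalidates everything it signed; a real deployment would fetch and verify the signed CRL (or query the certificate server) rather than consult an in-memory set.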
For the 21st century, digital signets provide a new way of creating very securely protected documents in digital format without any restrictions of time and place. By using digital signets, all kinds of documents, multimedia, program code and other similar objects can be sealed securely and validated for authenticity at any given time. In addition to signing digital content, very strong privacy can easily be provided by digital signets when the sealed contents are encrypted. Networking is a phenomenon of this century that also provides mobile access to information without constraints of time and place. The Nokia Signet Solution is a family of products that provides security for the mobile user accessing and providing information in today's networked world. By using the Solution, mobile users and service providers gain secure access to mobile data.
Need for security in a mobile world
Strong and easy-to-use security is needed. No intruders, eavesdroppers or impersonators can be tolerated in mobile business communications.