Mobile e-commerce for banks

www.nokia.com

A new solution for corporate customers, such as banks and financial institutions, that want to offer secure yet easy-to-use mobile e-commerce services and business-to-business transactions is now available. The Nokia Activ Signet Solution provides the essential requirements for monetary transactions, for access to highly sensitive information, and for signing in electronic approval processes. Typical applications are mobile banking, brokerage, payment and corporate intranet services.

The new corporate solution will enable certificate and digital signature validation and online certificate enrolment. The solution requires the Enterprise Edition of the Nokia Activ Server and Nokia Activ Security option with client authentication support as an enabling platform for mobile services.

Bankers have been looking forward to a solution enabling them to deploy truly secure mobile banking transactions in volume. The Solution will be based on open standards, such as the Wireless Public Key Infrastructure, on which the security aspects of the WAP 1.2 specifications are built. Wireless PKI covers the infrastructure and the procedures required to enable authentication and digital signatures for servers and mobile clients. It is a certificate-based cryptographic system that utilizes key pairs (public, private) associated with each party. The Solution will support WAP 1.2 compatible phones, which will include the WIM, a tamper-resistant module for private key storage and cryptographic operations.

"As early adopters of mobile commerce technology, we see a strong market demand for technologies, like the WIM (Wireless Identity Module) standard, that will provide increased security for transactions in the wireless environment," said Allen J. Wolpert, Accenture partner - Technology, Financial Services. "The sooner companies, particularly in the financial services industry, implement the PKI security infrastructure, the more quickly they will be able to adopt solutions ....and thus offer secure mobile e-commerce capabilities to their customers."

The Activ Signet Solution for secure mobile e-commerce will be a logical step to support customers who are creating a vast portfolio of innovative and user-friendly services for their clients. The key building blocks of the solution will be based on open standards, thereby enabling customers to leverage their existing investments in e-business, PKI (Public Key Infrastructure) and other corporate IT systems.

WAP
The Wireless Application Protocol (WAP) is the Internet based global standard that allows mobile devices to interactively access content and applications from the Internet and corporate Intranets. WAP creates a global open environment for wireless applications. WAP is network, bearer and manufacturer independent.

WAP specifications are published by the WAP Forum, which is a non-profit industry association open to all industries. The WAP Forum is widely represented by various members of the mobile commerce value chain, positioning it as the most efficient body to deliver further required specifications.

WAP arose from the need to find a way to effectively take into account the critical constraints of the current wireless world: limited bandwidth, challenging conditions of use, specific graphical user interface and processing characteristics of the mobile phone. The very same constraints will become a reality in the impending future of mobile commerce. Therefore, WAP is the best available choice of platform for the sustainable evolution of mobile commerce.

The evolution of mobile networks towards the 3rd generation will bring along increased bandwidth and the always-on capability of packet-switched networks. Simultaneously, the processing capacity of handsets will steadily develop and the screen size, and consequently the graphical user interface will become more advanced. Due to the strong industry momentum behind WAP its specifications will evolve alongside the evolution of the market.

The security aspects of the WAP 1.2 and WAP 1.3 specifications are fundamentally built on PKI. It is a certificate-based cryptographic system that utilizes asymmetric algorithms based on key pairs (public, private) associated with each party. A certificate is a data structure that binds the identity of the certificate holder to a public key. Certification authorities (CAs) act as a clearinghouse issuing security certificates and ensuring their authenticity.

Originally, PKI emerged on the wired Internet, but its adoption by consumers has been slow. While the technological merits of PKI are indispensable, the PC-centric user environment allows for substitute application-level security methods. Consumers have accustomed themselves to managing multiple usernames and passwords in a number of ways, e.g. writing them in secret files on the PC or on a Post-it note below the monitor, and they see little added value in changing habits. The perceived low added value has a direct correlation to how much they are willing to pay, e.g. for PC smart card readers, which are relatively expensive to manufacture.

On the other hand, the mobile environment is completely different. The limited keypad and the challenging usage situations while on the move mean that PKI will deliver much greater added value, since substitute methods are clearly inferior. Furthermore, the cost dynamics are attractive in markets in which consumers pay for the terminal themselves. Many consumers of the future will probably not even realize that they are purchasing the functionality of a smart card reader; they simply wish to buy a phone. Therefore the mobile phone will outpace any other card reader solution in speed of market penetration. Once consumers become accustomed to PKI usage through their mobiles, it can be forecast that, e.g., authentication to Internet commerce will be done through the mobile terminal. Therefore, we also see mobility as a key driver for Internet PKI adoption.

The extension to the mobile environment, called Wireless PKI, Mobile PKI or WAP PKI, covers the infrastructure and the procedures required to enable the trust provisioning needed for authentication and digital signatures for servers and clients.

The WPKI specification will address certificate enrolment and lifecycle management, more specifically the creation, distribution, verification and revocation of certificates. The key elements of the WAP/WPKI system are:

- Mobile phones with WIM (WAP Identity Module, in which secure data is stored) support
- WAP Gateway enhanced with certificate-based identity validation capability
- Registration Authority (RA) for certificate enrolment
- Back-end PKI infrastructure with access to Certification Authority (CA) infrastructure

Certificate enrolment in WPKI
The back-end PKI infrastructure is largely the same for both wired PKI and wireless PKI. The main difference is in the certificate enrolment. The process of enrolling for a certificate from a Certification Authority (CA) needs to be re-worked to accommodate an efficient mass-market roll-out.

In smart card PKI-solutions, the issued certificate is fixed to a specific user identity through customized enrolment. For example, in order to get a government-issued ID chip card one goes to the police station personally with a passport in hand and fills in an application. After that a certificate is issued.

The customized enrolment is not suitable for the mobile commerce mass market. To maintain high security standards, it would mean that the WIM card issuer would have to mobilise and train its whole service network for such a security operation or conversely ask its customers to travel distances to get the task done. Neither approach is very appealing.

The wireless PKI solution entails anonymous key pairs being pre-installed into the WIM cards together with a corresponding PIN (Personal Identity Number) code. The authenticity of the keys is ensured by a manufacturer certificate. In the first instance of secure service usage, the Registration Authority (RA) of the WPKI validates the credentials and then requests the CA to create and send a certificate thus binding the anonymous key pair to a specific user identity.

The WAP specification on certificate storage allows for different options. The issued certificate can be stored on the WIM card itself, or in a directory on the WPKI system with the WIM holding only a URL that points to it. Alternatively, the URL can be replaced by a hash key, an algorithmic digest of the public key; in this case, no data needs to be stored on the WIM.
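The enrolment flow and the digest-based storage option described above, modelled in Python as an added example (not Nokia's or the WAP Forum's code): the RA checks that the anonymous key is one the manufacturer attested, the CA binds it to the verified identity, and the server later finds the certificate by recomputing the digest of the key the client presents. Keys, PIN and identities are constructed sample values, and the WIM's keyed hash stands in for a real asymmetric signature.

```python
"""WPKI enrolment and certificate lookup by public-key digest (constructed model, not Nokia's or
the WAP Forum's code). Keys are stand-in byte strings; manufacturer attestation is an allow-list."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set

def key_digest(public_key: bytes) -> str:
    """Digest of the public key: the lookup handle that can replace a stored certificate URL."""
    return hashlib.sha256(public_key).hexdigest()

@dataclass(frozen=True)
class WIM:
    """Tamper-resistant module with an anonymous key pair and PIN pre-installed at manufacture."""
    public_key: bytes
    private_key: bytes
    pin: str

    def sign(self, pin: str, data: bytes) -> bytes:
        """Private-key operation, released only after PIN verification (keyed hash = stand-in)."""
        if pin != self.pin:
            raise PermissionError("WIM: PIN verification failed")
        return hashlib.sha256(self.private_key + data).digest()

@dataclass(frozen=True)
class Certificate:
    subject: str        # identity the RA verified
    public_key: bytes   # the formerly anonymous key, now bound to that identity
    issuer: str

class CertificationAuthority:
    def __init__(self, name: str):
        self.name = name
        self.directory: Dict[str, Certificate] = {}  # WPKI directory keyed by key digest

    def issue(self, subject: str, public_key: bytes) -> Certificate:
        cert = Certificate(subject, public_key, self.name)
        self.directory[key_digest(public_key)] = cert  # nothing has to be written to the WIM
        return cert

    def lookup(self, public_key: bytes) -> Optional[Certificate]:
        """Server side: recompute the digest from the key the client presented and fetch its cert."""
        cert = self.directory.get(key_digest(public_key))
        return cert if cert is not None and cert.public_key == public_key else None

class RegistrationAuthority:
    """Checks the key is manufacturer-attested, then asks the CA to bind it to the verified identity."""
    def __init__(self, manufacturer_keys: Set[str], ca: CertificationAuthority):
        self.manufacturer_keys = manufacturer_keys  # digests covered by the manufacturer certificate
        self.ca = ca

    def enrol(self, public_key: bytes, verified_identity: str) -> Certificate:
        if key_digest(public_key) not in self.manufacturer_keys:
            raise ValueError("RA: key pair not attested by the manufacturer")
        return self.ca.issue(verified_identity, public_key)

def run_demo() -> Dict[str, object]:
    """First secure-service use: enrol one WIM, then let the server find its certificate by key."""
    wim = WIM(b"pk-0001", b"sk-0001", "1234")      # constructed sample values
    ca = CertificationAuthority("Example CA")
    ra = RegistrationAuthority({key_digest(wim.public_key)}, ca)
    cert = ra.enrol(wim.public_key, "customer-42")  # identity verified out of band by the RA
    return {"subject": cert.subject, "lookup_ok": ca.lookup(wim.public_key) is cert,
            "unknown_key": ca.lookup(b"pk-rogue") is None,
            "signature_len": len(wim.sign("1234", b"approve payment"))}
```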

MeT
The MeT Initiative was formed by Ericsson, Motorola, and Nokia on April 11, 2000, with the purpose of jointly developing an open and common industry framework for secure mobile electronic transactions. The initiative uses existing and emerging standards to create a common framework that will facilitate the fast adoption of trusted mobile commerce services globally. Since its establishment, the mobile phone manufacturers, Siemens, Matsushita, and now Sony, have joined the initiative. More information can be found at www.mobiletransaction.org.

WAP
Wireless Application Protocol (WAP) is the de facto standard for providing Internet communications and advanced telephony services on digital mobile phones, pagers, personal digital assistants and other wireless terminals. For more information: http://www.wapforum.org/

WIM
WIM is the Wireless Identity Module specified in the WAP 1.2 specifications. A WIM supports two key security concepts: client authentication and digital signature capability on an application level. The WAP specifications call for WIM implementations in tamper-resistant devices: in most cases it is to be expected that WIM functionality will be implemented as part of smart cards, either SIM cards or WIM cards issued by third parties.

PKI
Public key infrastructure (PKI) is a security infrastructure offering security services based on public key cryptography as well as the necessary back-end administrative and management services. A mobile PKI is a security infrastructure optimised for mobile devices on the terminal end, but relying on the existing PKI backbone. Public key cryptography is based on every user being issued with a key pair (a secret key and a public key) for different security actions, such as digital signatures.

Digital signature
A digital signature is required to fulfil the criterion of non-repudiation. It is the electronic equivalent of signing a receipt, and it replaces the need for visual checks of ID cards, hand-written signatures and paper receipts.

Legislation regarding the acceptance of the digital signature as a legally binding transaction has already been developed, or is being developed, in many key countries such as the U.S., Germany and the U.K. Digital signature technology can fulfil the requirements of authentication and non-repudiation, which are key conditions in establishing the merits of legally binding commercial transactions.

WTLS
Within the WAP protocol the transport level security is specified using a protocol known as the Wireless Transport Layer Security (WTLS) protocol. WTLS is conceptually and functionally equivalent to Secure Socket Layer (SSL). WTLS invisibly encrypts and decrypts information sent between a WAP client and a WAP gateway so that a third party cannot decipher the communication between the two. The protocol also ensures the integrity of communication so that the recipient of this secure information can verify that the content has not been changed since it was sent.

The WAP 1.1 specification has already defined three classes for WTLS: Class 1, Class 2 and Class 3. The default level, WTLS Class 1, allows for an anonymous, secured channel between the WAP client and the WAP server. WTLS Class 2 includes the Class 1 features plus server authentication.

WTLS Class 3 includes the Class 2 features plus client authentication. WTLS Class 3 thus supports mutual authentication between the server and the consumer by an exchange of certificates.

WIM
The WIM, i.e. WAP Identity Module or Wireless Identity Module, is the place on the handset in which all the security information, such as the keys and the certificates, is stored. Additionally, it has the ability to perform cryptographic operations. WIM has been defined as a separate tamper-resistant hardware device, such as, but not limited to, a smart card or a SIM card. Technically, a WIM can be implemented in several ways; the main differences lie in business and usage considerations.

The WIM can also be a non-removable part of the terminal hardware. This solution is applicable also in mobile terminals that do not use SIM card slots. The benefit is a high level of consumer convenience, as everything is integrated into one piece. The drawback is its inflexibility, since the lifecycles of the terminal and the WIM are tied to each other.

In the SWIM solution the WIM functionality is stored on the operator issued Subscriber Identity Module (SIM) card. However, the mobile network subscription functionality is separated from the other applications that require authentication and signature capabilities. Standardized features and interfaces are used to ensure the interoperability between the technologies of different manufacturers and the SIM cards of different operators.

The Dual Chip approach means a second separate SIM-sized smart card is placed semi-permanently in the phone. It is removable and issued independently of the SIM card e.g. by a mobile commerce service provider. Its strength is that it separates the network subscription from the other applications thus creating more latitude in terms of business models. Naturally, this requires phone designs that have a possibility of storing two SIM-sized cards. A main concern is whether there is enough mass-market demand for such a specialized solution.

The Dual Slot implementation utilizes a regular credit-card-sized smart card, which is inserted into an integrated smart card reader in the terminal whenever a transaction is to be made. The advantage is that the same card can be used for multiple channels. The drawback is that the consumer needs two different devices. Additionally, the integrated reader challenges the physical size of the terminal, a key criterion for consumers when purchasing a phone. Furthermore, dust and moisture can also affect the reliability of the reader.

In the External Reader solution a separate device with a smart card reader is connected to the mobile terminal by a wire, infrared or Bluetooth short-range radio technology. It allows for a variety of smart card implementations. Again, the drawback is the compromised convenience since the consumer needs to take care of two separate devices. Additionally there is the difficult question of where to allocate the cost of manufacturing the Reader as presumably consumers are not willing to pay for it.

Eventually, customer requirements and demand will have an impact on which of the proposed solutions will be taken into use in the marketplace. Since the SWIM solution is the most evolutionary one with respect to existing phone designs, it is likely to be the first to achieve larger consumer usage. However, it is good to bear in mind that from a service provider's technical perspective, the implementation of the WIM is irrelevant. As long as it adheres to the WAP specifications, the server-end execution is exactly the same.

Certificates
Certificates are used for authentication. The main purpose of certificates is to ensure that a certain public key really belongs to a certain entity (e.g. person, organisation, or server/service).

Technically speaking, a certificate is a standard form record that contains a description of its owner, including the public key. The certificate has been digitally signed (or actually issued) by a certificate authority (CA). The certificate authority is someone (e.g. the security department of a company or a government's security authority) known and trusted by the recipient.

The ISO standard that defines the format of the certificate is known as X.509. Because X.509 certificates are rather large in size, WTLS also defines a "light-weight" format of certificates, known as WTLS certificates.

Validating a certificate means traversing a chain of certification authorities until a known authority is met. In the case of two communicating parties this means that when one party receives the certificate of the other party, it can either recognise the certificate and trust the other party, or check who has signed the certificate and whether it can trust that CA. If it does not trust the CA, it is still possible to obtain the certificate of the CA (e.g. from a public certificate server) and check who has issued it, and so on. Obviously, there is an end to the certificate chain, and that is someone whose certificate is known and who is trusted.

There are services known as certificate servers that can be used to query certificates. The certificate server itself needs to be a trusted service (i.e. the client must know its certificate because it is not possible in practice to validate the certificate server).

A certificate usually has an expiration date. Certificate servers may also maintain certificate revocation lists (CRL) containing certificates that have not expired but whose key pair has been compromised.
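The chain traversal, expiry check and CRL check described in the preceding three paragraphs, carried through in Python as an added example (not code from the page or from any WAP product). Certificates, dates and names are constructed, and an HMAC keyed with the issuer's key bytes stands in for a real asymmetric signature so the example runs offline; the chain-walking logic is the point.

```python
"""Certificate chain validation as described above (constructed example, not code from the page): walk
issuer links to a trusted CA, rejecting expired or revoked certs; HMAC stands in for a real signature."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: bytes
    not_after: datetime
    signature: bytes  # issuer's signature over the to-be-signed fields

def tbs(subject: str, public_key: bytes, not_after: datetime) -> bytes:
    return f"{subject}|{public_key.hex()}|{not_after.isoformat()}".encode()

def toy_sign(issuer: Cert, data: bytes) -> bytes:
    """Stand-in signature (HMAC keyed with the issuer's key bytes); NOT a real PKI signature."""
    return hmac.new(issuer.public_key, data, hashlib.sha256).digest()

def make_cert(subject: str, issuer: Cert, public_key: bytes, not_after: datetime) -> Cert:
    return Cert(subject, issuer.subject, public_key, not_after,
                toy_sign(issuer, tbs(subject, public_key, not_after)))

def verify_sig(issuer: Cert, cert: Cert) -> bool:
    expected = toy_sign(issuer, tbs(cert.subject, cert.public_key, cert.not_after))
    return hmac.compare_digest(expected, cert.signature)

def validate_chain(cert: Cert, server: Dict[str, Cert], trusted: Dict[str, Cert],
                   crl: Set[str], now: datetime, max_depth: int = 5) -> List[str]:
    """Return the subject path from cert up to a trusted CA, or raise ValueError."""
    path, current = [], cert
    for _ in range(max_depth):
        if now > current.not_after:
            raise ValueError(f"{current.subject}: expired")
        if current.subject in crl:  # not expired, but its key pair has been reported compromised
            raise ValueError(f"{current.subject}: revoked")
        path.append(current.subject)
        issuer = trusted.get(current.issuer) or server.get(current.issuer)
        if issuer is None:
            raise ValueError(f"{current.subject}: issuer '{current.issuer}' unknown")
        if not verify_sig(issuer, current):
            raise ValueError(f"{current.subject}: signature does not verify")
        if current.issuer in trusted:  # chain ends at an authority whose certificate is known
            return path + [issuer.subject]
        current = issuer  # otherwise the issuer's certificate came from the certificate server
    raise ValueError("chain too long")

def run_demo() -> Dict[str, str]:
    """Constructed chain: Root CA (trusted) -> Bank CA (from the server) -> customer certificate."""
    now = datetime(2001, 6, 1)
    root = Cert("Root CA", "Root CA", b"root-key", datetime(2010, 1, 1), b"")
    sub = make_cert("Bank CA", root, b"bank-key", datetime(2005, 1, 1))
    user = make_cert("customer-42", sub, b"user-key", datetime(2002, 1, 1))
    stale = make_cert("old-phone", sub, b"old-key", datetime(2000, 1, 1))
    out: Dict[str, str] = {}
    for name, c, crl in (("ok", user, set()), ("expired", stale, set()), ("revoked", user, {"Bank CA"})):
        try:
            out[name] = " > ".join(validate_chain(c, {"Bank CA": sub}, {"Root CA": root}, crl, now))
        except ValueError as e:
            out[name] = str(e)
    return out
```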

Signet
Traditionally, signets have been used to seal various kinds of documents or physical objects in order to provide authenticity and privacy. Signets have protected the integrity, authenticity and privacy of the enclosed objects. Formats of signets have ranged from crosses and fingerprints to seals and handwritten signatures.

For the 21st century, digital signets provide a new way of creating very securely protected documents in a digital format without any restrictions of time and place. By using digital signets, all kinds of documents, multimedia, program code and other similar objects can be sealed securely and validated for authenticity at any given time. In addition to signing digital content, very strong privacy can easily be provided by digital signets when the sealed contents are encrypted. Networking is a phenomenon of this century that also provides mobile access to information without constraints of time and place. The Nokia Signet Solution is a family of products that provides security for the mobile user accessing and providing information in today's networked world. By using the Solution, mobile users and service providers gain secure access to mobile data.

Need for security in a mobile world
In order to conduct business successfully in the modern mobile environment, not only flexible mobility but also very trustworthy security is crucial. As the communications between the customer and the service may travel from one side of the globe to the other through various countries and networks owned and operated by a multitude of parties, it is very important that the customer and the service are able to fully trust each other, including all the communication services in between.

Strong and easy-to-use security is needed. No intruders, eavesdroppers or impersonators can be tolerated in the mobile business communications.

Solution for security needs
In today's world of communication, many parties, components and solutions are involved in the exchange of messages between the customer and the service. Thus, it is important to provide means to reject the potential security threats that may reside along the path. Firstly, mutual authentication, privacy and integrity of the communication must be provided for both parties. This can be achieved by creating a secured communications pipe between the customer and the server. Consequently, all the messages transferred within this pipe are protected and also strong authentication of the identity of the parties at both ends of the communication pipe is provided.
