A mobile network operator-independent mobile signature service

Electronic signature (e-signature) is an important element in electronic commerce and government applications because it guarantees non-repudiation of transactions. E-signatures generated in a secure signature creation device can be considered legally equivalent to a handwritten signature. Mobile devices based on SIM/USIM cards, which are widely deployed, are the ideal devices to create these e-signatures (named mobile signatures or m-signatures). Furthermore, m-signatures simplify the development of signature-based applications for mobile application and service providers. There are several solutions to create m-signatures. However, current solutions present some problems: either every mobile network operator has to develop its own solution, or the components that implement it in the mobile handset are too complex. As a solution to these problems we present an m-signature service that is not linked to a mobile network operator and in which the client has more control over the signatures, so that they can be performed in an easier way. This paper presents the description and analysis of this new m-signature service as well as the prototype that is being tested at the University of Murcia.
