Application of the U(SIM) card as secure device for electronic signature

Mr. Pedro Fuertes Head of Business Development and Innovation Vodafone Spain
8th International Common Criteria Congress Rome, September, 26th

Goals

To introduce the Mobile Digital Signature from Vodafone Spain To show the business opportunities for

secure SIM based products

To propose the CC world to develop a specific approach for SIM Certification

Mobile Electronic Signature

8th ICCC, Rome, 26th Sept 2007 Versin 1.0

Mobile Electronic Signature from Vodafone Spain

Signature of documents from the mobile Based on PKI, secure, robust Under EU regulations
How do you sign, pen or mobile?

Multi CA
Allows: Introduction of new services Substitution of existing Authorization and Authentication methods Easy to use Large customer base

HW and Basic SW certified at EAL 4+ (1)

Vodafones Mobile Digital Signature solution takes PKI security to the mobile world
3 Mobile Electronic Signature 8th ICCC, Rome, 26th Sept 2007 Versin 1.0 (1) Certifications ID BSI-DSZ-CC-0353-2005 And TUVIT-DSZ-CC-9253-2006

Why the mobile, why in the SIM?

- PC

HANDSET WITH MOBILE ELECTRONIC

- INTERNET CONNECTION

- SCREEN
- KEYBOARD - CARD + READER or - SW CERTIFICATE

SIGNATURE

Directive 1999/93/CE 34/2002 IS Law RD 14/1999 59/2003 ES Law CAs set up Apps without certificate PIN as secure method Mono CA applications Coordinates cards

DNIe

Mobile Multi CA applications Electronic Signature

Certificates usage

1999
4 Mobile Electronic Signature

2001

2003

2005

2007

8th ICCC, Rome, 26th Sept 2007 Versin 1.0

Transaction flows

CA 1 (Trusted Third Party)

2 END USER 3 VODAFONE 3 ENTITY or SERVICE PROVIDER (Bank, Public Ad, Corp) 1

Economic Flows
MES Sign in by Entity Customer sign in Service usage (transactions) B2BC usage by the Entity

Certificate strength resides in the CA The ENTITY signs with VODAFONE for the service and pays a connexion fee to the Platform, as a
variable entrance gate to the service; the fee includes a number of transactions The ENTITY pays Vodafone for each sign transaction. The END USER pays VODAFONE for each sign transaction (similar to SMS) The Service Provider builds its own services on top of the Mobile VODAFONE pays the CA for the certificate validity query, once per transaction Electronic Signature The END USER has a commercial relationship with the ENTITY or is an employee or citizen
Mobile Electronic Signature 8th ICCC, Rome, 26th Sept 2007 Versin 1.0

Vodafone acts as a intermediate between the Service Provider and the The END USER signs with Vodafone for the service and pays an entrance fee CA, adding the mobility value

Is it worth to work on SIM Security? High penetration (> 107% in Spain)

Intrinsically secure at Operators degree

Room for several certificates

Increasing processing capacity, Java Cards and crypto-coprocessors

Increasing importance for Operators
m-Payment
Mobile TV Trusted applications DRM

Access to other networks

6 Mobile Electronic Signature 8th ICCC, Rome, 26th Sept 2007 Versin 1.0

Proposals for Mobile Digital Signature ramp up In order to realise the business opportunities for the Digital Signature in the mobile world, we recommend the Common Criteria Forum to work on: Speed up the certification process and time Adapt and make more flexible the certification process We propose the CC World to define a specific approach to the SIM Certification in order to realise all the business opportunities that are ahead

Mobile Electronic Signature

8th ICCC, Rome, 26th Sept 2007 Versin 1.0

Thanks.