Wireless PKI

Shakeel Ahamad Shaik (Research Fellow) Under the supervision of Dr.V.N.Sastry, Associate Professor (IDRBT) & Dr.S.K.Udgata, Reader (UOH)

Friday, January 27, 2012

Wireless PKI

Agenda
 Public Key Systems  PKI Functions in Mobile devices  Problems faced in the adoption of PKI in Mobile Environment  Validation of certificate in WPKI Environment  Requirements & Configurations needed for the Implementation of WPKI in mobile payments  Conclusion  References
Friday, January 27, 2012 Wireless PKI 2

Public-Key Systems

Public Key Systems

Public Key Cryptography (PKC)

Personal security environment (PSE)

Public Key Infrastructure (PKI)

Friday, January 27, 2012

Wireless PKI

Public-Key Systems (Cont.)

The main components of a PKI  Certification Authority (CA) is responsible for issuing and revoking certificates for customers public keys.  The Registration Authority (RA) provides a binding between public keys and the entities of their holders.  Repositories store and make available certificate directories and a certificate revocation list (CRL).  Directory service providers.

CAs in India IDRBT, Safescrypt, NIC,TCS,MTNL,GNFC,e MudhraCA

Friday, January 27, 2012 Wireless PKI 4

PKI functions in Mobile Devices

 Generation of key-pair (public and private keys)  Receiving & Storing certificate issued by CA  Digital Signature generation and verification  Functions for encryption and decryption  Validating third party certificates

Friday, January 27, 2012

Wireless PKI

Challenges in adopting Wired PKI for Mobile Devices

 Wireless network has less bandwidth, more latency, insecure connection and device problems such as less powerful CPU, less memory size, restricted battery power, small display and input device.  Mobile phone lacks computing capabilities of PKI services such as key generation, digital signature generation and verification, certificate validation, and Certificate Revocation List (CRL) verification, and memory size of storing certificate and CRL.  Due to less wireless communication bandwidth, processing of CMP (Certificate Management Protocol) for certificate life cycle such as certificate issue in the mobile phone, and downloading CRL required for certificate verification must be a considerable burden.

Friday, January 27, 2012

Wireless PKI

Validation of Certificate in WPKI Environment

Certificate Validation contains the following steps  Verifying the integrity and authenticity of the certificate by verifying the digital signature of CA on the certificate.  Verifying the validity period of the certificate.  Accessing and examining certificate chain and CRL. The validation is considered successful if all the certificates in the certificate path (i.e. from leaf to the root of the tree) are checked and ensured that none of them have been revoked. This process is heavy on resources and time consuming and it is not suitable for mobile devices.

Friday, January 27, 2012

Wireless PKI

General hierarchical structure

Friday, January 27, 2012

Wireless PKI

Validation of Certificate in WPKI Environment (Cont)

Mechanisms to minimize the Certificate validation process

Online Certificate Status Protocol (OCSP)

Short Lived Certificate (SLC)

Friday, January 27, 2012

Wireless PKI

Validation of Certificate in WPKI Environment (Cont.)

OCSP mechanism
4. Requests for CRL

5. Sends CRL

1. Sends URL of certificat e (or) Certificat e

6. Response of Certificate Validation

3. Delegates certificate Validation of merchants Certificate

2. Merchant sends his X.509 Certificate

Friday, January 27, 2012 Wireless PKI 10

Validation of Certificate in WPKI Environment (Cont.)

Short-Lived Certificate (SLC) mechanism
Certificate: Data: Version: 3 (0x2) Serial Number: 316214 (0x4d336) Signature Algorithm: ecdsa-with-SHA1 Issuer: C=IN, O=IDRBT, OU=CA, CN=CertSIGNECDSA1 Validity Not Before: Apr 17 15:00:00 2010 GMT Not After : Apr 26 14:59:59 2010 GMT Subject: C=IN, O=SBI, OU=CA, CN=test()000021420031112000653 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey 04 04 df e4 6d 84 16 70 1a f3 f4 8e 80 ec ac ac f2 a3 26 b7 e0 60 03 0e 7d 6c ba b9 3e ac 9b eb 85 13 ed 6a b9 75 5c f5 c2 02 b1 Signature Algorithm: ecdsa-with-SHA1 30:2e:02:15:01:3a:07:0f:dc:e4:68:bc:c9:c1:1c:48:68:6b: 1f:99:65:0c:b5:13:55:02:15:03:65:ac:e4:82:c2:30:42:de: ce:f2:49:c5:91:30:c1:90:f3:59:72:5e

Friday, January 27, 2012

Wireless PKI

11

Validation of Certificate in WPKI Environment (Cont.)

Short-Lived Certificate (SLC) mechanism  Improved computing & storage resources in mobile devices have made it convenient to generate key pairs & verify digital signatures on mobile devices.  Using SLC mobile clients does not have to implement either CRL or OCSP for server authentication.

Friday, January 27, 2012

Wireless PKI

12

Requirements & Configurations needed for the Implementation of WPKI in mobile payments

Friday, January 27, 2012

Wireless PKI

13

Requirements & Configurations needed for the Implementation of WPKI in mobile payments (Cont..)

Friday, January 27, 2012

Wireless PKI

14

Requirements & Configurations needed for the Implementation of WPKI in mobile payments (Cont..)

Friday, January 27, 2012

Wireless PKI

15

Implementation of WPKI in Finland

 Mobile FINEID (Finnish Electronic Identity) is a mobile electronic ID for inhabitants in Finland.  Based on PKI with user private keys integrated in a PKI SIM.  PKI SIM cards are currently issued by two Finnish network operators.  PKI SIM owner identities are verified by mobile citizen certificates issued by Finnish Population Register Center (PRC)

Friday, January 27, 2012

Wireless PKI

16

Implementation of WPKI in Finland (Cont)

Technical features of FINEID PKI SIM  Contains a crypto processor and two PIN code protected private keys: They are (a) Authentication/ Encryption Key & (b) Signature key. In addition to these keys PKI SIM contains PRC s certificate (i.e. CA certificate).  Authentication of users and non-repudiation of payments are ensured using Finnish National PKI infrastructure, for mobile payments in Finland.  PRC maintains an online certificate directory (FINEID directory). Each registered individual gets a unique Finnish Electronic User ID (FINUID). The public keys are maintained in FINEID directory with their certificates. FINEID directory also maintains a revocation list of invalid certificates.

Friday, January 27, 2012

Wireless PKI

17

Conclusion
 Compared to wired PKI Wireless PKI is suitable for low end computing devices such as mobile phones.  Since Mobile payments require high level of security for its transactions which can be ensured by WPKI.  We suggest the existing CA to provide digital certificate to individuals through mobile phones which can be used for mobile payment transactions.

Friday, January 27, 2012

Wireless PKI

18

Abbreviations
CMP WTLS WIM WAP OCSP CRL CA PKI WPKI SIM BER DER ECC SSL ECDSA ECDH URL Certificate Management Protocol Wireless Transport Layer Security Wireless Identity Module Wireless Application Protocol Online Certificate Status Protocol Certificate Revocation List Certification Authority Public Key Infrastructure Wireless Public Key Infrastructure Subscribers Identity Module Basic Encoding Rules Distinguished Encoding Rules Elliptic Curve Cryptography Secure Socket Layer Elliptic Curve Digital Signature Algorithm Elliptic Curve Diffie-Hellman Uniform Resource Locator

1/27/2012

Security Issues in Mobile Payments

19

REFERENCES
1) Yong Lee, Jeail Lee, JooSeokSong, Design and implementation of wireless PKI technology suitable for Mobile phone in Mobile Commerce in Computer Communications 30 (2007), 893-903. Marko Hassinen, Konstantin Hypponen, Elena Trichina, Utilizing national publickey infrastructure in mobile payment system, Electronic Commerce Research and Applications 7 (2008), pp 214-231. Population Register http://www.fineid.fi Centre. FINEID-S4-1 Electronic ID Application.

2)

3) 4)

Antonio Ruiz-Martinez, Daniel Sanchez-Martinez, Maria martinez-Montesinos and Antonio F. Gomez-Skrmeta, A Survey of Electronic Signature Solutions in Mobile Devices in Journal of Theoretical and Applied Electronic Commerce Research, Vol 2, Issue 3, December 2007, pp 94-109. f Theoretical and Applied Electronic Commerce Research

1)

1/27/2012

Security Issues in Mobile Payments

20