The ever-growing number of applications and uses for mobile devices has long been a hot topic. Using mobiles to electronically sign transactions and documents is one such use case, and many organisations have been looking for mobile e-signature solutions that would hold up in court.
Thanks to eIDAS, the EU regulation that gives central (server-side) signing solutions a legal basis for delivering qualified electronic signatures (QES), it is now possible to address the traditional problems with mobile signing (more on eIDAS later; to understand the regulation’s impact it helps to first set the stage with the security challenges of using mobiles for e-signatures).
Several mobile e-signature solutions have been developed over the past ten years as smartphones have become mainstream, and they present a great opportunity to add security and convenience to transactional processes such as mobile payments and document processing. When a transaction or document is processed, an e-signature technology should ensure the following:
Integrity of data – proof that the data has not been altered since it was signed (in practice a cryptographic hash of the data is what gets signed, so any later change invalidates the signature)
Authentication – validation of the signer’s identity
Non-repudiation – a legal concept by which the signer cannot later deny having signed or authorised the transaction
How would non-repudiation play a role in mobile transactions?
In the case of a mobile payment transaction (e.g. a consumer wishes to purchase an item from an online seller), non-repudiation ensures that once the buyer has placed the order and the seller has accepted it, neither can later credibly deny their part in the transaction. It builds on authentication: the signature is only evidence if it could only have been produced by the identified party. With paper documents this was often established with a notary, who witnessed the signing and could testify in court if it was ever required. With e-signatures, non-repudiation is a difficult property to deliver, because it depends on the signing key having been under the signer’s sole control, and that is especially hard to guarantee on a mobile phone.
Traditional challenges with PKI on mobile devices
Given vulnerabilities in mobile phones, such as QuadRooter (Qualcomm chipset drivers on Android) or Stagefright (the Android media library), securing these technologies and providing non-repudiation for signatures made via mobile devices has been challenging. Mobile devices have become better at protecting data when they are physically lost, but they remain exposed to remote compromise, and an attacker who controls the device can use whatever signing capability it holds.
Traditional problems with mobile device authentication centre around the use of Public Key Infrastructure (PKI), and in particular where to store private keys. Mobile devices historically have had less computational power than computers, which limits what conventional PKI can do on them, but the larger problem has been where to keep the signing keys and how. Phones can be very secure computing devices, yet app providers have had difficulty storing keys in a secure hardware element within the device, because access to that hardware has typically been restricted to the operating system, the handset manufacturer and the network operator. (Platform keystores have since started to expose hardware-backed keys to apps, but without attestation the app provider still cannot tell how well a given handset protects them.)
Most app providers have therefore been limited to storing cryptographic keys in software, where they are far more exposed to attack. A key that malware, or whoever holds the phone, can copy is no longer under the signer’s sole control, so storing private keys in software essentially removes any possibility of non-repudiation once the phone is hacked or stolen. Other issues include managing the inventory of mobile certificates and controlling access to them.
Based on McAfee’s 2016 Mobile Threat Report, SMS phishing has increasingly become an attacker’s preferred method for obtaining sensitive information such as usernames, passwords and other confidential user data. McAfee also found over 37 million malware instances in mobile applications available in major app stores, including Apple’s App Store and Google Play. What does that mean for mobile device security specifically? If an attacker gains control of a device, the door is open to its e-signature technology, any private keys stored on it and the user’s other data. From then on they can perfectly impersonate the owner of the phone, and no one would ever know. So much for non-repudiation.
PKI on Mobile Devices: Remediating Vulnerabilities with Central Server Signing
PKI has become a widely used method for mobile device authentication, and it was certainly an improvement over basic usernames and passwords. However, as discussed above, vulnerabilities remain with PKI on mobile devices: an attacker who extracts a device’s client certificate and private key can authenticate as that device, which often means access to the organisation’s internal network. Recognising the need for mobile signing capabilities, Cryptomathic saw that central signing solutions could fill the gap between mobile device signing technologies and non-repudiation.
In simple terms, Cryptomathic’s central signing solution, Signer, removes the need for PKI on mobile devices by keeping the user’s signing key in a secure central location, so that the user can invoke their private key and sign documents or transactions from any web browser without the key ever leaving the server. The key lives inside hardware security modules (HSMs) under physical and logical controls that no mobile device can match, which takes key extraction off the table; what remains is to make sure that only the legitimate user can invoke the key.
Multi-factor Authentication: Strengthening Central Signing
With the increasing popularity of central signing comes one of the largest questions: how do we protect the centrally held key against use by unauthorised parties? Until recently, non-repudiation has been a questionable concept – not just for mobile or internet technologies, but even for paper documents. An individual could forge another’s signature without a court of law ever knowing the difference, so why are e-signatures held to a higher standard? In theory, a “wet signature” could be validated by a witness (often a notary) who saw the signer put pen to paper. With a central signing service, the equivalent forgery is an attacker logging in to the user’s account and invoking the key, with no witness present, so the authentication step has to carry that evidential weight.
One option is multi-factor authentication (MFA), or strong authentication more generally. Many online services, such as e-banking and e-government, already use it to protect users’ accounts against attacks and unauthorised access. Because authentication is performed against the signing server rather than relying on protected storage in the handset, central signing solutions can work on any type of device. The preferred mechanisms today include biometrics (fingerprint or retina scan) and multi-factor authentication with a hardware or software token.
These technologies are vital for non-repudiation: they verify that the person invoking the key is its legitimate owner, so that the key’s protection does not collapse to the strength of a single password. This extra layer is what prevents just anyone holding the user’s credentials from signing from any device.
By using new or existing MFA deployments, a business can offer central signing on mobile devices, without any changes to the end-user device or additional end-user software or hardware.
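The flow described above, from the three signature properties listed earlier (integrity, authentication, non-repudiation) to a central signing service gated by a second factor, as an added example written for this article. It is not Cryptomathic Signer’s code or any product’s API: the names SigningService, Enrol, OTP, Sign and Verify are assumed for illustration, Ed25519 and an HMAC-based event-counter OTP stand in for whatever certificate, HSM and MFA mechanism a real deployment uses, and the transaction text and token secret are constructed sample data. The private key is generated and used only inside the service; the client sends a document digest plus its one-time code and gets back a signature, and a relying party verifies with nothing but the public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SigningService models a central signing server. The user's signing key is
// generated and used only here (in a real deployment inside an HSM); the
// client never receives it. Each user also has an enrolled MFA secret shared
// with their token, and the last OTP counter accepted for them.
type SigningService struct {
	keys        map[string]ed25519.PrivateKey
	otpSecrets  map[string][]byte
	lastCounter map[string]uint64
}

func NewSigningService() *SigningService {
	return &SigningService{
		keys:        make(map[string]ed25519.PrivateKey),
		otpSecrets:  make(map[string][]byte),
		lastCounter: make(map[string]uint64),
	}
}

// Enrol generates a key pair for the user and records the MFA secret. Only the
// public key leaves the service; that is what relying parties verify against.
func (s *SigningService) Enrol(user string, otpSecret []byte) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.keys[user] = priv
	s.otpSecrets[user] = append([]byte(nil), otpSecret...)
	return pub, nil
}

// OTP derives a one-time code from the shared secret and an event counter,
// HOTP-style but simplified: the full HMAC-SHA256 output is used instead of a
// truncated six-digit code.
func OTP(secret []byte, counter uint64) []byte {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac := hmac.New(sha256.New, secret)
	mac.Write(c[:])
	return mac.Sum(nil)
}

// Sign is the central signing operation. The client sends its user id, the
// SHA-256 digest of the document and the current OTP. The key is used only
// after the second factor checks out, and a counter that was already accepted
// is refused so a captured OTP cannot be replayed to sign something else.
func (s *SigningService) Sign(user string, digest [32]byte, counter uint64, otp []byte) ([]byte, error) {
	secret, ok := s.otpSecrets[user]
	if !ok {
		return nil, errors.New("unknown user")
	}
	if counter <= s.lastCounter[user] {
		return nil, errors.New("OTP counter already used: possible replay")
	}
	if !hmac.Equal(otp, OTP(secret, counter)) {
		return nil, errors.New("second factor rejected, signing refused")
	}
	s.lastCounter[user] = counter
	return ed25519.Sign(s.keys[user], digest[:]), nil
}

// Verify is what a relying party (or later a court) runs with nothing but the
// signer's public key. Integrity: any change to the document changes the digest
// and the signature no longer verifies. Authentication and non-repudiation:
// only a holder of the private key could have produced a valid signature.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	svc := NewSigningService()
	otpSecret := []byte("constructed-demo-token-secret") // constructed sample, not a real secret
	pub, err := svc.Enrol("alice", otpSecret)
	if err != nil {
		panic(err)
	}

	doc := []byte("Pay EUR 100.00 to merchant 4711, order 2016-0042") // constructed sample transaction
	digest := sha256.Sum256(doc)
	sig, err := svc.Sign("alice", digest, 1, OTP(otpSecret, 1))
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", Verify(pub, doc, sig))
	tampered := []byte("Pay EUR 1000.00 to merchant 4711, order 2016-0042")
	fmt.Println("tampered verifies:", Verify(pub, tampered, sig))

	_, err = svc.Sign("alice", digest, 1, OTP(otpSecret, 1)) // replayed OTP
	fmt.Println("replay:", err)
	_, err = svc.Sign("alice", digest, 2, []byte("guess")) // attacker without the token
	fmt.Println("wrong factor:", err)
}
```

The point to take from the block is where the checks sit: the second factor and the replay counter are enforced by the service before the key is touched, and the key material is never part of any message, so compromising the handset yields at most a one-time code that is useless after its counter has been consumed. A production service would additionally bind the OTP to the digest being signed and log every invocation for evidential purposes.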
The Regulatory Order: eIDAS and central signing
The eIDAS regulation covers electronic identification and the electronic trust services: electronic signatures, seals, time stamps, registered delivery and website authentication, including signatures created by a remote (central) signing service. It provides a framework on which a solution can deliver integrity, authentication and non-repudiation for a platform. A qualified electronic signature (QES) has the equivalent legal effect of a handwritten signature throughout the EU (Article 25 of the regulation), so a signing solution that meets the QES requirements produces signatures that will stand in a court of law.
eIDAS has opened the door to mobile technologies because it does not prescribe which device initiates the signature; what it requires is that a qualified signature is created with a qualified signature creation device (QSCD) and a qualified certificate, with the signing key under the signer’s sole control. Without central signing technology, that translates into the phone itself having to act as the QSCD, which means hardware-protected keys, advanced cryptography and a PKI deployment on every handset.
eIDAS also sets requirements for central server signing: a qualified trust service provider may generate and manage the signing keys on the signer’s behalf, subject to technical standards from CEN and ETSI (notably the CEN standards for trustworthy systems supporting server signing) that the solution must implement. Cryptomathic’s central signing solution, Signer, is able to deliver Qualified Electronic Signatures (QES) according to eIDAS, thereby addressing the case for non-repudiation and allowing users to sign transactions or documents on any connected device, straight from their internet browser.
Traditional PKI has left security gaps in mobile applications; central signing removes the main one, the signing key on the device, and lets users securely access their online services from a mobile using strong authentication techniques.
Utilising a central signing solution such as Cryptomathic Signer keeps the user in sole control of their signing key – a particularly important qualification for QES – provided that strong authentication gates every use of the key. Central signing then delivers authentication, data integrity and non-repudiation for a transaction regardless of which device the user has, making it a secure and legally binding transaction.
By combining strong authentication with server-side PKI, mobile devices become a much safer platform for e-signatures, since no private key is ever stored on the device.
This article was co-published with Thales e-Security in the Key Management and Payments Security Blog. Feel free to participate in our discussions around the subject at @thalesesecurity.
Find out more about Cryptomathic’s eIDAS Compliant Digital Signatures Solution using Thales nShield HSMs.
References and Further Reading
- Digital Signatures in Mobile Banking and Payment Processing (2016) by Heather Walker
- Selected articles on Authentication (2014-today), by Heather Walker, Luis Balbas, Guillaume Forget and Dawn M. Turner
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen, Dawn M. Turner and Tricia Wittig
- Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (the eIDAS regulation) (2014), by the European Parliament and the Council of the European Union
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
- Security Controls Related to Internet Banking Services (2016), Hong Kong Monetary Authority
Image: "Mobile", courtesy of Daniel Julià Lundgren, (CC BY-ND 2.0)