The ever-growing number of applications and uses for mobile devices has long been a hot topic. Using mobiles to electronically sign transactions and documents is one such use case, and many organisations have been looking for mobile e-signature solutions that can hold legal ground in court.
Thanks to eIDAS, the EU regulation that enforces the standards under which central signing solutions can deliver qualified electronic signatures (QES), it is now possible to eliminate the traditional problems of signing from a mobile device.
We'll take a closer look at eIDAS later. But to understand the regulation's impact, it helps to first set the stage with a background on the security challenges of mobile e-signature solutions.
Mobile E-signature Security Challenges
Several mobile e-signature solutions have been developed over the past 10 years as smartphones have become mainstream.
Mobile e-signature solutions present a great opportunity to add security and convenience to transactional processes such as mobile payments and document processing. When processing a transaction or document, e-signature technologies help to ensure the:
- Integrity of data – proof that no corruption has occurred (e.g. using hashes to verify that no changes have occurred)
- Authentication – validation of the signer's identity
- Non-repudiation – a legal concept by which the signer cannot later deny their signature/authorisation of the transaction
The Role of Non-repudiation in Mobile Transactions
In the case of a mobile payment transaction (e.g. a consumer wishes to purchase an item from an online seller), non-repudiation ensures that when the buyer initiates business with the seller, neither can deny their participation in the transaction. Non-repudiation is important as it verifies the identities of both the buyer and seller, preventing either from claiming they were not part of the digital transaction.
With hard documents, this was often proven with the use of a notary who could act as a witness to transactions and provide a testimony in court if required. However, with e-signatures, ensuring non-repudiation is a complicated concept to deliver, especially on mobile phones.
Traditional challenges with PKI on mobile devices
Given vulnerabilities with mobile phones, such as QuadRooter or Stagefright, securing these technologies and providing non-repudiation from signatures via mobile devices has been challenging. While mobile devices have become more secure when they are physically lost, they are still vulnerable to hackers. This leaves the door open for e-signature technologies to be leveraged by hackers and unauthorised users.
Traditional problems and challenges with mobile device authentication centre around the use of Public Key Infrastructure (PKI), and where to store private keys. Mobile devices historically have not had the same computational power as computers, which presents vulnerabilities and limitations when using conventional PKI.
A larger problem with mobile use of PKI has been the question of where and how to store signing keys (cryptographic keys). Phones can be very secure computing devices, but app providers still struggle to store keys in a secure hardware element within the device. This is because access to the secure hardware within mobile devices is typically restricted to the operating system, the handset manufacturer and the network operator. Most app providers are limited to storing the cryptographic keys in software, which makes those keys much more vulnerable to attack. Additionally, storing private keys in software essentially removes any possibility of non-repudiation in the event the phone is hacked or stolen. Other issues encountered include the management of mobile certificate inventories and access to certificates.
Based on McAfee’s 2016 Mobile Threat Report, SMS phishing has become a hacker’s preferred method for obtaining sensitive information such as usernames and passwords. McAfee discovered there were over 37 million malware instances found in mobile applications available in major app stores – including Apple and Google Play.
What does that mean for mobile device security and mobile e-signature solutions? If a hacker gains access to mobile devices, the door is open for hackers to access e-signature technologies, private keys stored on phones, and other user-specific information. All of a sudden, they can perfectly impersonate the owner of the phone – and no one would ever know. So much for non-repudiation.
PKI on Mobile Devices: Remediating Vulnerabilities with Central Server Signing
PKI has become a widely used method for mobile device authentication. However, as we have seen, vulnerabilities still exist with mobile PKI. Hackers have leveraged this gap to exploit certificates and gain access to devices – which, by extension, means access to an organisation's internal networks. Recognising the need for mobile signing capabilities, Cryptomathic realised that central signing solutions could fill the gap between mobile e-signature technologies and non-repudiation.
In simple terms, Cryptomathic's central signing solution, Signer, removes the need for PKI on mobile devices. It does this by storing the user's signing key in a secure centralised location, allowing the user to securely access their private key and sign their documents or transactions from any web browser. Signer essentially removes the opportunity for hackers to exploit mobile PKI technology, housing keys in hardware security modules (HSMs) that are protected by stronger security controls than any mobile device would ever be able to support.
Multi-factor Authentication: Strengthening Central Signing
With the increasing popularity of central signing comes one of the largest questions: how do we protect the device against unauthorised users?
Until recently, non-repudiation has been a questionable concept – not just for mobile devices or internet technologies, but even for hard documents. An individual could easily forge the signature of another without a court of law ever knowing the difference. So, why have more regulations been placed on e-signatures? In theory, “wet signatures” could be validated by a witness (a notary in many cases) verifying that the signer put their signature on a document. With computers, it could be more easily forged if a hacker were to log in to a user’s account and sign documents without a witness ever being present.
One option is multi-factor authentication (MFA) and/or strong authentication. Many online services, such as e-banking, e-Gov, and so on, utilise the technology to protect user accounts against attacks and unauthorised access. By leveraging multi-factor authentication, central signing solutions can work on any type of device. The newest, preferred authentication mechanisms include biometrics (for example, finger scan or retina scan) and multi-factor authentication (using a hard or soft token).
These technologies are vital for non-repudiation as they verify that the user is authorized to access accounts. This extra layer is important to prevent just anyone from accessing accounts from any mobile device. By using new or existing MFA deployments, a business can offer central signing on mobile devices, without any changes to the end-user device or additional end-user software or hardware.
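To make the central signing flow described above (keys held server-side, every signing request gated by MFA) concrete, here is an added example that is not Cryptomathic's or Signer's code: the user's key is generated and kept on the server, a single-use code standing in for the hard or soft token gates each signing request, the mobile client sends only a document digest, and a relying party verifies with the public key. The service, the in-memory key store (a stand-in for an HSM), the user names and the code values are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)
// SigningService models the central signing server: each user's private key is generated
// here and never leaves (an HSM in a real deployment); the client sends only a digest and a code.
type SigningService struct {
	keys    map[string]*ecdsa.PrivateKey // user id -> signing key (in-memory stand-in for the HSM)
	pending map[string]string            // user id -> single-use MFA code awaited with the next request
}

func NewSigningService() *SigningService {
	return &SigningService{keys: map[string]*ecdsa.PrivateKey{}, pending: map[string]string{}}
}

// Enrol creates the user's key server-side and hands out only the public half.
func (s *SigningService) Enrol(user string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.keys[user] = priv
	return &priv.PublicKey, nil
}

// IssueCode stands in for the MFA channel (hard or soft token) delivering a one-time code.
func (s *SigningService) IssueCode(user, code string) { s.pending[user] = code }
// Sign is the only path to the key: the MFA code is compared in constant time and then
// consumed, so a missing, wrong or replayed code is refused and no signature is produced.
func (s *SigningService) Sign(user, code string, digest []byte) ([]byte, error) {
	priv, known := s.keys[user]
	want, issued := s.pending[user]
	if !known || !issued || subtle.ConstantTimeCompare([]byte(want), []byte(code)) != 1 {
		return nil, errors.New("unknown user or MFA check failed: signing refused")
	}
	delete(s.pending, user) // single use: replaying the same code fails
	return ecdsa.SignASN1(rand.Reader, priv, digest)
}

// Digest is all the mobile client sends: a SHA-256 hash of the document or transaction.
func Digest(doc []byte) []byte { h := sha256.Sum256(doc); return h[:] }

// Verify is run by a relying party (or a court) with the public key; any change to the document fails.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool { return ecdsa.VerifyASN1(pub, Digest(doc), sig) }
```

The private key is never returned by any function, so a compromised phone holding a valid session still cannot produce a signature without a fresh code from the second factor.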
The Regulatory Order: eIDAS and Central Signing
eIDAS regulations cover everything around eID and electronic trust services, including initiation, time-stamping, e-seals, and central electronic signing. In addition, they provide a framework that can be leveraged to enable a solution to provide confidentiality, integrity, and non-repudiation for a platform. If a signing solution is compliant with eIDAS standards for QES, that means it will stand in a court of law, holding the same legal value as a wet signature.
Since it came into force in 2016, eIDAS has opened the door for the use of mobile e-signature technology, so long as the platform can provide verification of the integrity of the signature. But eIDAS requires all e-signature platforms – including those on mobile devices – to be compliant with eIDAS regulations. Without central signing technology, this translates into the need for mobile device platforms to provide support for advanced signatures, and security controls such as advanced cryptography and innovative PKI solutions.
eIDAS sets requirements around central server signing, leveraging a number of different technical standards (including CEN and ETSI) which must be implemented in the solution. Cryptomathic’s central signature solution, Signer, is able to deliver Qualified Electronic Signature (QES) according to eIDAS regulations, thereby addressing the case for non-repudiation and allowing users to sign transactions or documents on any connected device, straight from their internet browser.
Traditional PKI has left security gaps in mobile applications, but central signing eliminates the risks typically associated with mobile e-signature solutions. This finally enables users to securely access their online services, using strong authentication techniques.
Utilising central signing solutions, such as Cryptomathic Signer, ensures that the user has sole control of their signing key – a particularly important qualification for QES. Central signing ensures authentication, data integrity, and non-repudiation of a transaction, regardless of which device the user has. This makes it a secure and legally-binding transaction.
By combining strong authentication with PKI, mobile devices have become a much safer platform with the ability to support e-signatures without ever storing private keys on the device.
This article was co-published with Thales e-Security in the Key Management and Payments Security Blog. Feel free to participate in our discussions around the subject at @thalesesecurity.
References and Further Reading
- Digital Signatures in Mobile Banking and Payment Processing (2016) by Heather Walker
- Selected articles on Authentication (2014-today), by Heather Walker, Luis Balbas, Guillaume Forget and Dawn M. Turner
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen, Dawn M. Turner and Tricia Wittig
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA
- Security Controls Related to Internet Banking Services (2016), Hong Kong Monetary Authority