1 / 33

Strong Mobile Authentication in Finland (MPKI, WPKI)

Strong Mobile Authentication in Finland (MPKI, WPKI). Special Discussion Topic Kantara Initiative Telco Identity Working Group Prepared by : Keith Uber Ubisecure Solutions Oy 10.3.2011. Agenda. National ID Commercial Identity Providers in Finland Mobile ID History

errin
Download Presentation

Strong Mobile Authentication in Finland (MPKI, WPKI)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Strong Mobile Authentication in Finland (MPKI, WPKI) SpecialDiscussionTopic Kantara Initiative Telco IdentityWorking Group Preparedby: Keith Uber Ubisecure Solutions Oy 10.3.2011

  2. Agenda • National ID • Commercial Identity Providers in Finland • Mobile ID • History • Questions / Discussion

  3. FinnishPersonalIdentificationNumber • National ID number • Widelyusedincorrectly for identification • Format YYMMDD?123X • Exposesbothdate of birth and gender

  4. eID in Finland • eIDcardcontains • name • optionallyemailaddress • SATU (electronicidentificationnumber) • Notmandatory • Price 51€ • The SATU numbercanbeconverted to a personalidentitynumberthrough a webservicesquery to the populationregister

  5. eIDStatistics • End of November 2010 • 341,800 certificatesissued to date • 272,200 currentlyvalid

  6. PopulationRegistry • Provides Web Service interface to populationregistry data to authorizedparties (VTJKysely) • Interfaceprovides • Citizen, building and realestateinformation • Over 80 differenttypes of attributesavailable • Web serviceinterfaceauthentication at connectionlevelusingclientcertificates

  7. Banks as Commercial IdPs for eGov • TUPAS is a jointbankspecification for electronicauthenticationby the Federation of Finnish Financial Services • Proprietoryprotocol • Usermustbestronglyauthenticated • Typically PIN/TAN list • Banks providelimitedfinancialliability • Userapproves and certifies the personal data released

  8. Banks as Commercial IdPs • 10+ banks • Commercial service • Contractsbetween SP and eachbankrequiredincludingtypically • Establishmentfees • Monthlyfees • Transactionfees • Similarprocess to Verified By Visa etc

  9. Familiarprocess

  10. Bank authentication

  11. Indexed TAN

  12. Attribute release consent

  13. Telcos as Commercial IdPs for eGov • Commercial Wireless PKI (MPKI, WPKI) servicelaunched 30.11.2010 • Named ”Mobiilivarmenne” Mobile Certificate • http://www.mobiilivarmenne.fi/en/en_2.html • Supportedby 3 out of 4 national telcos • Competingwith TUPAS service

  14. Telcos as Commercial IdPs • Long history – previous studies and commercial trials commencing around 2003 to use national ID in the mobile had failed • New business model, purely commercial • Requires government-issued CA license with stringent auditing • Applicationembedded in SIM (applicationtoolkitapplication)

  15. Two Profiles • Authentication • Signing (non-repudiation) • Unique PIN codes for each type • PIN codes distributed on SIM package behind scratch layer • User can change own PINs through SIM menu

  16. Old and new phones alike

  17. Changing PIN codes

  18. Telcos as Commercial IdPs • Works whileroaming (SMS based transport) • Pricing for endusers • Elisa: 0.09 per transaction (FreeuntilNov 2011) • Othertelcopricingunknown • Pricing for SP services • Unpublished • Expected adoption for C2G services in 2011

  19. Process Flow (A)

  20. Process Flow (B)

  21. Standards • Ficom - Finnish Federation for Communications and Teleinformatics • ETSI MSS Mobile Signature Service • ETSI MSS • TS 102 204, TR 102 206, TS 102 207

  22. Service Provider Integration • Operator provided API • ETSI MSS interface • TUPAS Proxy (Emulate banking protocol) • Hosted by Service Provider • Operated by Telco • SAML IdP Proxy • Hosted by Service Provider • Operated by Telco

  23. Architecture

  24. Architecture SAML IdP Proxy SAML2

  25. Architecture SAML Service Provider SAML IdP Proxy SAML2

  26. Authentication during a call • System permits a telephone operator (or automated IVR system) to perform an authentication request during a voice call • Simtoolkit application does not interrupt call • Eg, obtaining blood test results from a clinic

  27. Commercial Identity Providers

  28. Summary • Commercial rollout of mobile certificates has begun • Standards-based architecture (ETSI MSS) • ”Operator roaming” thanks to federation • One service agreement for relying party • Leveraging existing identity value • Ready market of existing services ready to adopt • Competitive identity market

  29. Questions / Discussion

More Related