Indian SIM Cards might have Digital Signature for Mobile Transactions

According to this document, titled Discussion Paper On “Enabling Digital Signatures On Mobile Phone”,  on Indian Government CCA Website ( Controller Of Certifying Authorities), Indian Government has started their effort to bring Digital Signature in the SIM card itself. Why ?  To make the m-Payment or Mobile Payments secure.

We all know how much mobile sector has grown and so has Mobile Banking but as of now this processes and transactions are neither authenticated nor secure. This document states that these transactions don’t follow basic requirements of security i.e. Authentication, Non repudiation, Verification and Confidentiality. Mobile Signature is similar to Digital certificates used by websites for secured transactions.

Lets take a look on how the complete process might work. Right from generation of key to registration with certifying authority to bank transactions. Remember this is not yet final but one of the options that is looked upon.

• The card manufacturer manufacturers SIM card having the pseudo number generator embedded in the SIM card.
• The SIM card is sold to the customer.
• Once the SIM card is sold to the customer, the customer can get his Digital Signature Certificate from the Certifying Authority after due verification of his credentials
• After verification of the customers credentials the CA will send the key pair generator along with the signer/verification software over the air (WAP) to the customer.
• Customer generates a key pair with the CA’s application, stores the Private key in the SIM card and public key is also sent back to the CA through that application.
• Customer generates the random number by activating the generator. Customer encrypts the random number with his public key stored on the phone memory.
• The private key is stored on the SIM card with a password. To perform a secure transaction with the bank or any other online transactions, the customer enters his password and uses his private key to decrypt the random number generated which is used as a symmetric key for encrypting the message to be sent.
• Message is encrypted with the symmetric key
• The hash of the message is taken and is encrypted with the private key of the customer and is sent along with the encrypted message
• At the receiving end, the receiver decrypts the hash with the public key of the sender and generates a hash from the decrypted message and compares. This is for verification of integrity of the message.
• In case of first time transaction the bank or receiver request for the customer`s random generated number (Symmetric Key) and stores it in its database.
• On receiving the message the receiver decrypts the message with the symmetric key stored in its database corresponding to the sender. In case there is no entry it would ask for the symmetric key from the sender.
• If the customer has a document on the computer that needs to be signed with his private key, the customer attaches his mobile phone to the computer through the USB, the customized signing application detects the handset as a cryptographic token and signs the document with the signature stored on the SIM CARD