MobiTOOAL

The MobiTooal® Solution by Mediscs

Mediscs proposes authenticating and signing electronically on the Internet using your mobile phone

Today everyone has a mobile phone in their pocket and it has become one of the means of communication that people are never without.

It is used for phone calls, of course, but also as a diary, a game console, a music and video player. Most contain a Java virtual machine and enable the download and use of numerous applications. Using the telephone as a means of authentication is not new, but it is generally used for asynchronous authentication by SMS or MMS with an OTP (one-time password, valid for a single use within a time limit). While this implementation does allow reinforced authentication, it does not enable the electronic signature of documents or the presentation of an electronic certificate, and it remains dependent on SMS OTP transfer times.

The MobiTooal® solution enables the use of the mobile phone as a strong authentication device (thanks to the electronic identity certificates it contains). MobiTooal® makes it possible to offer value-added services (electronic signature, encryption, online payment …) that are based on the certificates contained in the mobile phone.

Implementation Techniques

It is essentially a project concerning authentication on Internet networks with a mobile (WAP) system.

The security aspect is crucial in the MobiTooal® system, and the security techniques used are stable and well-known (asymmetric cryptography). The end-to-end authentication protocol that solves the security problems associated with the WAP protocol was patented by Mediscs in December 2007.

The project concerns the development of authentication systems and mobile networks. Mobile phones have progressed very quickly, which makes it possible to have technologies that are compatible and usable by third-party services (for example, under Java). Moreover, electronic certificates have become the accepted technology for strong authentication. Our interest is in combining these two technologies to produce a reliable means of authentication that allows the development of new services.

MobiTooal® Secure Dialogue

The basis for the project is the ability to link two distinct devices that Internet users have, a computer and a mobile phone, to the same session on a WEB server.

The web browser initiates the session on the server; the process then enables the telephone to be securely linked to this session initiated by the browser.

The telephone contains one or several certificates and a dedicated application that knows the connection URL used to authenticate to the site or to an authentication server. The authentication certificate, the server certificate and the connection URL for authentication can be pre-recorded in the telephone, or obtained by a special automated procedure. The web server is accessible via both WEB and WAP.

The user makes a request to be authenticated on the site to be accessed with strong authentication.
  • The server generates a temporary session password that it presents via the browser.
  • The browser asks the user to type the password into the telephone via the embedded application.
  • The (WEB) server waits for the session to be taken up by the telephone.

Through the telephone application, the user keys in the temporary session password displayed in the browser and validates this operation. Using its embedded certificates, the telephone creates and encrypts an authentication pack which it sends to the server.

  • The server registers that the session has been opened by the telephone, and sends the certificate information to the browser.
  • The user views the certificate in the browser (option: entry of a visual cue on the telephone) and validates it.
  • The (WEB) server sends the page prepared for after the authentication back to the browser.

The generation of an electronic document signature is based on the use of a certificate embedded in the telephone.
  • The user views the document to sign in the browser.
  • The document to sign is picked up by the dedicated application in the telephone.
  • The application signs the document and sends it back to the server.
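The dialogue described above, as an added example that is not Mediscs' code and does not reproduce the patented protocol: a simulated server and a simulated phone application exchange the temporary session code, a per-session challenge and a signed authentication pack, and the same embedded key then signs a document for the linked session. Ed25519 stands in for the certificate key pair, an in-memory map of public keys stands in for the certificate store, the message layout, the 8-character code, the two-minute validity and all names (Server, Phone, TakeUp, authMessage) are assumptions made here, and the confidentiality of the pack (the page says it is encrypted) is left out so that only the authentication and signature logic is shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
	"time"
)

type session struct {
	nonce   []byte    // per-session challenge the phone must sign
	expires time.Time // the temporary code is only valid briefly
	userID  string    // set once the phone has taken up the session
	takenUp bool      // single use, so a replayed authentication pack is rejected
}

// Server stands in for the WEB/WAP server; Enrolled keys play the role of the trusted certificates.
type Server struct {
	Enrolled map[string]ed25519.PublicKey
	sessions map[string]*session // keyed by temporary session code
}

func NewServer() *Server {
	return &Server{Enrolled: map[string]ed25519.PublicKey{}, sessions: map[string]*session{}}
}

// StartAuth generates the random, short-lived session code that the browser displays to the user.
func (s *Server) StartAuth() (string, error) {
	buf := make([]byte, 21) // 5 bytes -> 8-character code, 16 bytes of nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	code := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(buf[:5])
	s.sessions[code] = &session{nonce: buf[5:], expires: time.Now().Add(2 * time.Minute)}
	return code, nil
}

// Challenge is what the phone fetches over its dedicated URL once the user has keyed in the code.
func (s *Server) Challenge(code string) ([]byte, error) {
	p, ok := s.sessions[code]
	if !ok || p.takenUp || time.Now().After(p.expires) {
		return nil, errors.New("unknown, already used or expired session code")
	}
	return p.nonce, nil
}

func authMessage(userID, code string, nonce []byte) []byte { // what both sides sign and verify
	return append([]byte("mobitooal-auth\x00"+userID+"\x00"+code+"\x00"), nonce...)
}

// TakeUp verifies the pack (userID, code, sig) with the enrolled certificate, then links the session to that user.
func (s *Server) TakeUp(userID, code string, sig []byte) error {
	nonce, err := s.Challenge(code)
	if err != nil {
		return err
	}
	pub, ok := s.Enrolled[userID]
	if !ok || !ed25519.Verify(pub, authMessage(userID, code, nonce), sig) {
		return errors.New("authentication pack rejected: unknown user or invalid signature")
	}
	s.sessions[code].takenUp, s.sessions[code].userID = true, userID
	return nil
}

// VerifyDocument checks a document signature with the certificate of the user who took up the session.
func (s *Server) VerifyDocument(code string, doc, sig []byte) bool {
	p, ok := s.sessions[code]
	if !ok || !p.takenUp {
		return false
	}
	h := sha256.Sum256(doc)
	return ed25519.Verify(s.Enrolled[p.userID], h[:], sig)
}

// Phone models the dedicated application and the private key of its embedded certificate.
type Phone struct{ UserID string; Priv ed25519.PrivateKey }

// Authenticate: the user keys the displayed code into the phone; the app fetches the challenge and signs it.
func (ph *Phone) Authenticate(s *Server, code string) ([]byte, error) {
	nonce, err := s.Challenge(code)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(ph.Priv, authMessage(ph.UserID, code, nonce)), nil
}

// SignDocument: the phone signs the hash of the document displayed in the browser.
func (ph *Phone) SignDocument(doc []byte) []byte {
	h := sha256.Sum256(doc)
	return ed25519.Sign(ph.Priv, h[:])
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv, phone := NewServer(), &Phone{UserID: "alice", Priv: priv}
	srv.Enrolled["alice"] = pub
	code, _ := srv.StartAuth() // displayed in the browser, keyed into the phone
	sig, _ := phone.Authenticate(srv, code)
	fmt.Println("take-up:", srv.TakeUp("alice", code, sig), "replay rejected:", srv.TakeUp("alice", code, sig) != nil)
}
```

The properties worth noticing are the ones the page's flow relies on: the code is random and expires, so it cannot be guessed or reused later; the signature covers a server nonce as well as the code, so a captured pack cannot be replayed against a new session; a code is taken up at most once; and a document signature is only accepted for a session that has already been linked to an enrolled certificate.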

Implementation

Implementation is very simple because the vast majority of telephones are compatible with the Java program download. Installation is as simple as for a ringtone or a mini-game.

The Java application confines the sensitive data, such as the electronic certificate(s) that enable strong authentication or electronic signature by the user, in a Mediscs electronic safe.

This application is also capable of communicating with a physical certificate container (cryptographic chip) to delegate encryption operations to it.

Once this operation has been carried out, the user can gain authorised access to the desired website with strong authentication and proceed with all sorts of operations with a very high level of security.
