Identity management in mobile cellular networks and related applications

Kai Rannenberg

Abstract

While identity management systems for the Internet are debated intensively, identity management in mobile applications has grown silently over the last 12 years. More than 980 million GSM subscriptions and the SIM infrastructure are the basis for many application-oriented initiatives to manage identities. This paper discusses the technological foundations as well as the application scenarios and the privacy challenges and opportunities.

Keywords: Identity Management; Subscriber Identity Module (SIM); Mobile applications; Global System for Mobile Communication (GSM); profile brokerage; privacy

1. Introduction

One of the largest identity management infrastructures in existence was introduced with GSM[1] mobile communication networks. At the end of May 2003 the GSM Association reported 987.3 million subscribers. The number of countries with a GSM system is reported as 197 [GSM 2004], which exceeds the number of UN member states (191 in February 2004 [UN 2004]) and also that of countries where the McDonalds fast food chain is represented (119 in February 2004 [McDonalds 2004]). Even without special technology support quite a few people use a variety of mobile communication accounts (and the corresponding telephone numbers) to manage different identities, e.g. for private and business purposes.

This paper will:
• Start with an overview of (but no definition of) identity management in general;
• Give a short description of how subscriber access and roaming in GSM networks work, based on Subscriber Identity Modules (SIMs);
• Give examples of GSM-based identity management;
• Discuss privacy challenges and the privacy potential of mobile applications and the GSM infrastructure.

[1] GSM used to be the abbreviation for the standardisation committee 'Groupe Speciale Mobile' of the European Telecommunications Standards Institute (ETSI), but is nowadays used as the abbreviation for 'Global System for Mobile Communication', describing networks and standards according to the specifications that go back to the 'Groupe Speciale Mobile'.
2. An overview of identity management

Identity management has become a term covering a broad spectrum of meanings. On one end of the spectrum one can find approaches to unify a diversity of identities that happened to pile up for a single user, e.g. an employee in a large organisation with several computer systems. Identity management in this case aims to help users get their work done without managing too many identities (and the corresponding credentials, e.g. passwords) and to help system administrators get an overview of the users and their access rights. Often this form of identity management is also named single-sign-on or unified user management.

On the other end of the spectrum one can find approaches to protect people's privacy and to reduce the danger of usage profiles or communication profiles. Identity management in this case helps users to establish, maintain and manage an arbitrary number of identities or pseudonyms that they can use in different arenas of their life, e.g. users can use one pseudonym for participating in a controversial online chat and another one for registering at a job market or an online auction site.

Obviously combinations and examples between the ends of the spectrum exist, e.g. when a certification authority manages signature key certificates and pseudonyms for its customers. Also when a customer orders several mobile communication accounts and SIMs with different numbers from a provider, but asks to manage them all via one Internet and billing account, a combined form of identity management is taking place. This text will not give a single definition of identity management, but introduces several examples from the area of mobile applications that exist within the spectrum. Most of these examples are already today dealing with a large number of identities.

1363-4127/04/© 2004, Elsevier Ltd

Identity Management

Prof. Dr. Kai Rannenberg holds the T-Mobile chair for Mobile Commerce & Multilateral Security at Johann Wolfgang Goethe University Frankfurt (www.whatismobile.de). Until 2002 he was with the System Security Group at Microsoft Research Cambridge, UK, focusing on 'Personal Security Devices and Privacy Technologies', e.g. within the CamWebSIM project. From 1993 to 1999 Kai coordinated the interdisciplinary 'Kolleg Security in Communication Technology' researching multilateral security, especially protection for users and subscribers. Kai's current research interests are:
- Mobile applications and Multilateral Security, e.g. in M-Banking;
- Identity management, communication infrastructures and devices, such as personal security assistants and services;
- Application-oriented IT security evaluation and certification.

E-Mail: Kai.Rannenberg@whatismobile.de
3. Subscriber access in GSM networks

Subscriber access in GSM networks is based on a hardware token (Subscriber Identity Module, SIM) that is placed into any GSM mobile phone. Each SIM contains a secret unique symmetric key (specified as Ki) stored together with the ID of the subscriber. This key is only shared with the authentication centre (AuC) of the GSM network operator that issued the SIM. When a GSM subscriber tries to log on to the GSM network (usually when he switches on the phone) the SIM passes the subscriber's ID to the AuC. The AuC then checks whether the SIM also 'knows' the respective Ki: The AuC sends a random challenge message to the subscriber's phone. The SIM in the phone has to encrypt that challenge message with the Ki and send the result back to the AuC. The AuC encrypts the same message with its local copy of the Ki and compares the results. If they match, the subscriber is granted access to the GSM network. The protocol is especially designed to guarantee that the Ki never leaves the SIM or the authentication centre.

This is of special importance, as the subscriber might be interested in 'roaming', i.e. using his mobile phone in networks other than that of his provider. Usually roaming happens when subscribers travel internationally. In this case the operator of the 'visited' network checks the identity information of the 'guest' SIM and routes the request for access to the AuC of the home network. The home AuC then challenges the SIM in the usual way. If the SIM passes the challenge the home AuC informs the visited network that the subscriber's request for network access is legitimate (and that payment for the visited network's services is guaranteed by the home provider). Still the Ki does not leave its original locations, so there is no need to trust the connection between the AuC and the SIM. As most GSM network operators have roaming agreements with partners all over the world, the SIM is a globally accepted credential for mobile communication access, based on a globally standardized and interoperable identification and authentication infrastructure.

The SIM can also be an anonymous or pseudonymous credential, as there is no technical requirement to combine its information with any information on the person using the SIM. Obviously for most post-paid contracts the providers require a billing address, but for pre-paid contracts this billing address is not needed.

The security of the GSM authentication system is doubted from time to time, as the standardized algorithms were not published, and when some of them leaked out cryptographic and architectural weaknesses were reported. Some of these reports 'sound' very alarming, e.g. [WeLu 1998]. However none of the attack concepts has proved to be commercially exploitable or even practical so far. Usually the attacks exploit cryptographic weaknesses of an old authentication algorithm (COMP128), and moreover they depend on the attacker knowing the PIN of the SIM. Nevertheless for the next generation of mobile communication systems (Universal Mobile Telecommunications System – UMTS) additional security features were standardized [PüSM 2001]. One very important aspect is that the network has to authenticate itself towards the subscriber, which reduces the risk of attackers pretending to be a network.

Information Security Technical Report. Vol. 9, No. 1
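The challenge-response and roaming flow described above, as an added example that is not part of the paper: an HMAC stands in for the operator-specific A3 algorithm (an assumption, since the real algorithm is not modelled), and the IMSI prefix is assumed to identify the home network. The visited network only forwards the request and receives the verdict; Ki stays in the SIM and the home AuC, and a replayed answer is rejected.

```python
"""Toy model of GSM subscriber authentication and roaming (added example, not the paper's).
Assumptions: HMAC-SHA256 stands in for the operator-specific A3 algorithm and an IMSI
prefix identifies the home network."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SRES_LEN = 4  # the GSM signed response (SRES) is 32 bits


def a3_response(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: signed response computed from Ki and the random challenge."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:SRES_LEN]


class SIM:
    """The subscriber's token: Ki is stored here and never handed out."""
    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def sign_challenge(self, rand: bytes) -> bytes:
        return a3_response(self._ki, rand)


class AuC:
    """Home authentication centre: the only place besides the SIM that holds Ki."""
    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}
        self._open: Dict[bytes, Tuple[str, bytes]] = {}  # RAND -> (IMSI, expected SRES)

    def issue_sim(self, imsi: str) -> SIM:
        ki = secrets.token_bytes(16)
        self._ki_by_imsi[imsi] = ki
        return SIM(imsi, ki)

    def new_challenge(self, imsi: str) -> Optional[bytes]:
        """Fresh RAND for this IMSI; the expected answer stays inside the AuC."""
        ki = self._ki_by_imsi.get(imsi)
        if ki is None:
            return None
        rand = secrets.token_bytes(16)
        self._open[rand] = (imsi, a3_response(ki, rand))
        return rand

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        """Each RAND is accepted once, so a replayed answer is rejected."""
        entry = self._open.pop(rand, None)
        return entry is not None and entry[0] == imsi and hmac.compare_digest(entry[1], sres)


class Network:
    """A GSM network; `prefix` is the IMSI prefix (MCC+MNC) of its own subscribers."""
    def __init__(self, prefix: str, auc: AuC) -> None:
        self.prefix, self.auc = prefix, auc
        self.roaming_partners: Dict[str, AuC] = {}

    def add_roaming_partner(self, other: "Network") -> None:
        self.roaming_partners[other.prefix] = other.auc

    def attach(self, sim: SIM) -> bool:
        """Log the SIM on; only RAND and SRES cross the air interface, Ki never does."""
        if sim.imsi.startswith(self.prefix):
            home = self.auc
        else:  # visited network: route the request to the home AuC, if there is an agreement
            home = next((a for p, a in self.roaming_partners.items() if sim.imsi.startswith(p)), None)
        if home is None:
            return False
        rand = home.new_challenge(sim.imsi)
        if rand is None:
            return False  # unknown subscriber
        return home.verify(sim.imsi, rand, sim.sign_challenge(rand))


def demo() -> Dict[str, bool]:
    """Home login, roaming login, a cloned IMSI with the wrong Ki, no agreement, replay."""
    home, visited, stranger = Network("26201", AuC()), Network("23001", AuC()), Network("31000", AuC())
    visited.add_roaming_partner(home)
    sim = home.auc.issue_sim("262011234567890")            # constructed IMSI
    clone = SIM(sim.imsi, secrets.token_bytes(16))          # knows the IMSI but not Ki
    rand = home.auc.new_challenge(sim.imsi)
    sres = sim.sign_challenge(rand)
    return {
        "home_login": home.attach(sim),
        "roaming_login": visited.attach(sim),
        "clone_rejected": not visited.attach(clone),
        "no_agreement": not stranger.attach(sim),
        "first_answer_ok": home.auc.verify(sim.imsi, rand, sres),
        "replay_rejected": not home.auc.verify(sim.imsi, rand, sres),
    }


if __name__ == "__main__":
    print(demo())
```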
4. GSM based identity management

The almost global dominance of the GSM standard for mobile communications and the high penetration rates that GSM systems reached in many markets have inspired quite a few initiatives to piggy-back on the GSM system, and especially the SIM, as platforms for identity management and related applications.
• Identity management can be integrated into the SIM hardware.
• Identity management can use GSM subscriber information as issued with the SIM.
• Identity management can use GSM subscriber information stored in the GSM network.

The first two approaches aim at supporting the ID management that already exists in applications by using the GSM infrastructure. The third approach expands the GSM ID and user management itself and allows e.g. new revenue models in mobile communications. All three approaches are described in the remainder of this section and may be extended in UMTS networks.
4.1. Integrated into the SIM hardware

An early approach was to combine the access to mobile banking services with the service offerings and the infrastructure of mobile network operators. Therefore additional credentials (especially a symmetric key and some account information) were put into the respective SIMs. They allow the customers to access the mobile banking service of their financial institutions. Mobile banking is mainly in competition with two other options a customer has when he wants to access services offered by his bank:
• Entering a branch office of the bank
• Using the Internet banking facilities of the bank

Therefore the mobile banking option is in principle the more popular the fewer branches a bank maintains for customer contact and the less Internet access the customer base has. The first application was launched in November 1999 by Radiomobil (today T-Mobile Czech) together with several Czech banks. The technology was provided by Giesecke & Devrient [GiDe 2003]. Technology-wise this was one of the first applications of the SIM Application Toolkit, a GSM standard that specifies an interface between the SIM and the mobile phone, e.g. allowing the SIM to display text on the mobile phone or to get input from the phone's keyboard. Business-wise this application required co-operation and mutual trust between the mobile communication providers and the banking sector. Elements of this were a joint marketing campaign and cooperation in distributing the 'banking enhanced' SIMs that can be purchased from the banks. A degree of mutual trust was needed, as Radiomobil had to give up the paradigm that the SIM was totally under their control, while the banks had to accept that they could not control the token (the SIM) that includes their banking credentials.

The security concept gave Giesecke & Devrient (G&D) a major role. G&D produced the SIMs. Beside the GSM credentials these SIMs contain a collection of (inactive) access keys to the mobile banking of all participating banks. When the subscriber wants to start using the 'new' SIM for banking he has to visit a branch of his bank, where his key is activated (and all other banking keys are destroyed for security reasons). This method allows using one type of SIM for the different banks and therefore saves costs. The concerns were overcome, and similar systems have been implemented elsewhere, e.g. in Australia and China. Obviously other combinations would also be possible, e.g. in mobile shopping. However in e.g. Germany banks and mobile network operators could not agree on a similar cooperation so far.

This lack of cooperation and trust has also affected the use of SIMs for digital signatures. In principle a SIM could be a good signature creation device, with the mobile phone being the display and input device. Using the SIM and the phone would also overcome the low distribution of chip card readers, while the well established SIM distribution channels of the mobile providers would make the distribution of signature cards very easy. [RaFR 2003] analyses the legal situation of mobile signatures and shows that a joint use of the SIM and its distribution channels is possible. However the respective business model still needs to be found and must promise a return on investment.
4.2. Using SIM credentials

The simplest approach to using SIM credentials for identity management is the 'classic' call-back procedure using the subscriber's mobile phone number. Especially with mobiles the usual assumption is that they are personal communication devices and are not passed around. One example is the payment procedure of Paybox [Paybox 2003]: Users register their mobile phone number with Paybox. Paybox calls them under this number when a payment needs to be authorized. Paybox closed down its consumer-oriented operations at the beginning of 2003, but is now announcing a new start under the flag of Moxmo [Moxmo 2004].

In a similar way a SIM credential can be used to enhance the security of remote login procedures, e.g. to corporate backends or Internet banking services. The subscriber's mobile phone number is registered with the authentication centre of the server. When the subscriber tries to log in to the backend computer, the backend computer sends a challenge to the mobile phone, e.g. an SMS which the subscriber needs to answer. In its simplest form this authentication protocol cannot replace the 'classic' login via password, chip card, or key fob, but it can enhance it. To get access to the protected account the attacker not only needs to know the account and the password of the legitimate user but also needs to get access to the mobile phone and its PIN in exactly the moment when the attack is being launched. So the mobile phone and the SIM become an extra security token, which has one advantage over the usual security token: it has a 'real' non-security use (mobile communication) and is therefore less prone to be forgotten than a dedicated security token. Moreover, when the legitimate user receives the challenge he can decide whether the login attempt was a legitimate or an erroneous one, or whether it looks like an attack. In the last case he can send an alarm message to the security management of the backend, which enables the security management to learn about this attack immediately and not only at the next legitimate login. There is however a dependency on the trustworthiness of the network provider, as the network provider could fake the reaction to the challenge.

The European project WiTness (Wireless Trust for mobile business, [WiTness 2003]) explores these options to protect the access via mobile devices to corporate backend computers. WiTness especially tries to limit the trust to be placed in the network operator by adding interaction protocols that can still be run by small mobile devices or federations of these devices. Therefore some of the prototypes realized in WiTness could also be seen as just using the SIM as a platform and would then rather fit into section 4.1 than into section 4.2. The same holds for research prototypes such as WebSIM or CamWebSIM [GuKP 2000, Rann 2002]. They are SIMs that process HTTP requests and enable applications like authorizing a transaction or an access request. The Internet connectivity of CamWebSIM is achieved by an HTTP/SMS gateway acting as a proxy with both an Internet and a GSM connection (see Figure 1). This proxy receives HTTP requests coming from the Internet and forwards them to the SIM via the GSM SMS (Short Message Service). Again the use of the mobile phone number of the user is crucial.

Figure 1: CamWebSIM Setup

One way of using SIM credentials for identity management is quite problematic, but nevertheless popular. Many users expect an SMS to come from the address given in the sender field. This may be wrong, as quite a few services, e.g. [Sportlogos.de 2003], offer to send SMS messages with arbitrary sender information. Sportlogos.de is also an example of a service that can be accessed via the Internet, so not even Sportlogos.de might be able to determine the sender. Again this example shows that identity management based on SIM credentials requires some trust in the mobile network and service providers. However the SMS service is a particularly bad example, as it is a datagram service with almost no sender authentication, and there are a large number of service centres offering SMS bulk sending. Making sure that only the right receiver gets a message or a phone call is an easier task for the GSM networks. One reason for this is the quite closed architecture of the GSM switching systems. So a sender can be quite sure that an SMS message reaches the right receiver (as given in the address) and not an illegitimate one – if the SMS message reaches any receiver at all, which is not guaranteed in the SMS service specification.
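The SMS-enhanced remote login sketched above, as an added example that is neither the paper's nor the WiTness project's code: the backend checks the password first, then sends a one-time code to the registered phone number through a constructed `SmsGateway` stub, and the user can answer with the code or with ALARM to report an attempt that was not theirs. As the text notes, the scheme still trusts the operator to deliver the SMS to the right phone.

```python
"""Remote login strengthened by an SMS challenge to the registered phone number
(added example, not from the paper or the WiTness project). Assumptions: `SmsGateway`
is a constructed stub for the operator's SMS service and the user answers by reply."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Tuple


class SmsGateway:
    """Constructed stand-in: records what would be sent to which number."""
    def __init__(self) -> None:
        self.outbox: List[Tuple[str, str]] = []

    def send(self, number: str, text: str) -> None:
        self.outbox.append((number, text))


class BackendAuth:
    CHALLENGE_TTL = 120  # seconds a challenge stays valid

    def __init__(self, gateway: SmsGateway, clock: Callable[[], float] = time.time) -> None:
        self.gateway, self.clock = gateway, clock
        self._users: Dict[str, Tuple[bytes, bytes, str]] = {}  # name -> (salt, hash, phone)
        self._pending: Dict[str, Tuple[str, float]] = {}       # name -> (code, expiry)
        self.alarms: List[Tuple[str, float]] = []               # seen by security management

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, name: str, password: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[name] = (salt, self._hash(password, salt), phone)

    def begin_login(self, name: str, password: str) -> bool:
        """First factor: the password. On success a challenge goes to the registered phone."""
        user = self._users.get(name)
        if user is None:
            return False
        salt, stored, phone = user
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[name] = (code, self.clock() + self.CHALLENGE_TTL)
        self.gateway.send(phone, f"Login attempt for {name}. Reply {code} to approve "
                                 "or ALARM if this was not you.")
        return True

    def complete_login(self, name: str, reply: str) -> str:
        """Second factor: the SMS reply. Returns 'granted', 'denied' or 'alarm'."""
        entry = self._pending.pop(name, None)  # one challenge, one answer
        if entry is None:
            return "denied"
        code, expiry = entry
        answer = reply.strip()
        if answer.upper() == "ALARM":
            self.alarms.append((name, self.clock()))  # reported at once, not at the next login
            return "alarm"
        if self.clock() > expiry or not hmac.compare_digest(code, answer):
            return "denied"
        return "granted"


def _code_from(sms: str) -> str:
    return sms.split("Reply ")[1].split(" ")[0]


def demo() -> dict:
    now = [1000.0]                                  # controllable clock
    gw = SmsGateway()
    auth = BackendAuth(gw, clock=lambda: now[0])
    auth.register("alice", "correct horse", "+491700000000")   # constructed values
    ok = auth.begin_login("alice", "correct horse")
    granted = auth.complete_login("alice", _code_from(gw.outbox[-1][1]))
    auth.begin_login("alice", "correct horse")    # someone with the password but not the phone
    real = _code_from(gw.outbox[-1][1])
    guessed = auth.complete_login("alice", "000000" if real != "000000" else "111111")
    auth.begin_login("alice", "correct horse")    # the real user sees an unexpected challenge
    alarm = auth.complete_login("alice", "ALARM")
    auth.begin_login("alice", "correct horse")    # a correct reply that arrives too late
    late_code = _code_from(gw.outbox[-1][1])
    now[0] += BackendAuth.CHALLENGE_TTL + 1
    late = auth.complete_login("alice", late_code)
    return {"password_ok": ok, "granted": granted, "guessed": guessed,
            "alarm": alarm, "late": late, "alarms_logged": len(auth.alarms)}


if __name__ == "__main__":
    print(demo())
```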
4.3 Using GSM subscriber information

Mainly two types of GSM subscriber information are being used for mobile applications:
• The account and billing information of the subscriber;
• Information on the location of the subscriber.

Two other types of information on the subscriber can quite easily be collected and maintained as subscriber information, even if they are not 'core mobile' communication information:
• Information on the situation of the subscriber, e.g. where the subscriber is located at the respective moment, how fast the subscriber is moving, or how actively he is communicating and which services he is using;
• Information on the subscriber's preferences.

The 'classic' example of using account and billing information of the subscriber is the dialling of '900' numbers at vending machines, for example, to buy a drink. However, meanwhile there are more sophisticated methods to let subscribers pay over their mobile phones, see [Roehn 2003, T-Mobile 2003]: On the retailer's web or WAP page, customers choose to pay via T-Mobile m-payment. Thereafter they are transferred to a payment gate where they log in with the user name and password they use in t-zones (the wireless Internet offering from T-Mobile). After logging into the payment gate, customers are asked to confirm the payment for the ordered goods, based on a summary of the retailer and the ordered goods or services. Customers are informed of the result of the payment in a window of the Internet or WAP browser and via SMS confirmation; then they are transferred back to the retailer's pages. The combination with a pre-paid SIM makes this also a nice option for Internet cash payment. A special case is the use of the GSM payment system to pay for access to public WLAN access points ('Hotspots') operated by GSM providers: The user sends an SMS to the WLAN operator and gets a credential (password) back that allows him to use the WLAN for a while. The costs are then charged to the subscriber's telephone bill.

Information on the location of the mobile subscriber is easily available in the mobile network, as it is needed to route calls to the mobile receivers. Therefore for every subscriber who is logged in, the information on the nearest base station system is stored. The information on the location of the subscriber can be made more precise by using e.g. triangulation between three base stations, thus finding out how far the subscriber is away from each of the base stations. This type of information can be used e.g. for finding members of a fire brigade that get lost during a task, e.g. during major forest fires or floods [FrRa 2003]. Other applications can be searching and finding children or senior citizens. Last but not least the information on the location of the subscriber can be combined with information on the current situation of the subscriber (e.g. busy, relaxing) and with his preferences (cf. [FSMR 2003] and Fig. 2). The background of this idea is to make mobile data communication more affordable for the subscriber by finding third parties that pay parts of the subscriber's communication costs. The incentive for the paying third parties is that they can efficiently interact with potential customers (e.g. sending advertisements to the subscriber). To be efficient and attractive for the third parties' marketing activities the allocation has to be very precise.

Figure 2: The mobile operator acting as a profile broker (from [FSMR 2003])

Here the mobile operator can not only make use of its knowledge about the location. The operator can also act as profile broker, comparing the situation description of the subscribers with a target customer profile, cf. Fig. 3. Only when these profiles match may the service provider launch a message to the subscriber advertising his offers. The careful check of profiles makes sure that the subscriber does not receive unwanted messages. This sharpens the targeting of the advertisements.
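The profile-broker matching just described, as an added example that is not the paper's or [FSMR 2003]'s code: the situation description and the target customer profile are reduced to a few assumed fields (cell, speed, busy/relaxing state, preferences, opt-in), the comparison runs inside the operator, and the service provider only receives the number of subscribers reached, never the profiles or numbers themselves.

```python
"""Operator-side profile brokerage as in Fig. 2 and Fig. 3 (added example, not from
[FSMR 2003]). Assumptions: situation descriptions and target profiles are simplified to a
few fields, and messages leave through a delivery callback the operator controls."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Situation:
    """What the operator knows (or can derive) about one subscriber right now."""
    cell_id: str                  # nearest base station
    speed_kmh: float              # derived from movement between cells
    state: str                    # e.g. "busy" or "relaxing"
    preferences: FrozenSet[str]   # declared interests
    sponsored_ok: bool            # subscriber opted in to sponsored messages


@dataclass(frozen=True)
class TargetProfile:
    """What a service provider asks for; it never sees individual situations."""
    cells: FrozenSet[str]
    max_speed_kmh: float
    states: FrozenSet[str]
    preferences_any: FrozenSet[str]  # at least one must match


def matches(sit: Situation, target: TargetProfile) -> bool:
    """The profile check: no opt-in, wrong place, too fast, wrong state or no shared interest fails."""
    return (sit.sponsored_ok
            and sit.cell_id in target.cells
            and sit.speed_kmh <= target.max_speed_kmh
            and sit.state in target.states
            and bool(sit.preferences & target.preferences_any))


class ProfileBroker:
    """Runs inside the operator: profiles stay here, only messages (and a count) leave."""
    def __init__(self, deliver: Callable[[str, str], None]) -> None:
        self._situations: Dict[str, Situation] = {}  # MSISDN -> current situation
        self._deliver = deliver                        # operator's own delivery path (hypothetical)

    def update(self, msisdn: str, sit: Situation) -> None:
        self._situations[msisdn] = sit

    def run_campaign(self, target: TargetProfile, message: str) -> int:
        """Deliver to matching subscribers; the service provider learns only the count."""
        hits = [m for m, s in self._situations.items() if matches(s, target)]
        for msisdn in hits:
            self._deliver(msisdn, message)
        return len(hits)


def demo() -> Tuple[int, List[str]]:
    sent: List[Tuple[str, str]] = []
    broker = ProfileBroker(lambda number, text: sent.append((number, text)))
    # constructed situation descriptions for three subscribers in the same cell
    broker.update("+4917000001", Situation("cell-A", 3.0, "relaxing", frozenset({"coffee", "sports"}), True))
    broker.update("+4917000002", Situation("cell-A", 90.0, "busy", frozenset({"coffee"}), True))      # on a motorway
    broker.update("+4917000003", Situation("cell-A", 0.0, "relaxing", frozenset({"coffee"}), False))  # opted out
    target = TargetProfile(frozenset({"cell-A"}), 10.0, frozenset({"relaxing"}), frozenset({"coffee"}))
    count = broker.run_campaign(target, "Constructed sample offer: coffee next door")
    return count, [number for number, _ in sent]


if __name__ == "__main__":
    print(demo())
```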
Fig. 3: Matching situation description and target customer profile (from [FSMR 2003])

With this approach the mobile operators would move into the role of profile brokers, and would need to protect these profiles and their trust relation with their subscribers very carefully. However, given the trust relations that already exist, they may be quite well positioned for this task, as a preliminary comparison with five major 'competitors' shows.
• Solely Internet based systems have to get a trusting customer base first.
• States have a 'natural customer base for identity management', but their approach is mainly national and very often internationally incompatible.
• Banks probably have the most detailed information on their customers, but they act in a market with very many competitors.
• Pay TV corporations have some experience in fielding hardware, e.g. set-top boxes with access control features, but this hardware is mostly distributed on a household basis and may not reach individual persons.

5. Privacy aspects

Mobile applications can raise significant privacy problems when they collect and store detailed information on the whereabouts of their users. Especially the way from location based services to movement profiles is not very long. On the other hand the GSM system has established an infrastructure of prepaid SIMs that enables not only anonymous or pseudonymous mobile communication but also anonymous or pseudonymous payment for telecommunication or even Internet services.
A relevant requirement for these privacy enhancing services is the possibility to legally and anonymously buy prepaid SIM cards. While this is possible in a large number of countries it was not possible in e.g. Germany: Here legal buyers of prepaid SIMs were required to register showing their identity card. This position, upheld by the Regulierungsbehörde für Telekommunikation & Post (RegTP), referred to a legal provision (§90 [TKG 2002]) that seems to be designed to fight organized crime and terrorism. But given the vast number of illegal ways to get a SIM card, this legal provision cannot be considered effective. At the same time it is blocking a market for privacy friendly applications that could otherwise be flourishing. Consequently the position could not be upheld in court at the Bundesverwaltungsgericht (BVerwG), which decided on 2003-10-22 that the legal provisions do not justify a provisional saving of the entire subscriber's data [BVerwG 2003].

6. Summary and outlook

One can clearly see that mobile applications support and use the full spectrum of identity management variations. GSM, which was not invented for identity management but for mobile communication, has nevertheless established one of the largest (if not the largest) interoperable systems for identity management, and SIM chips are the corresponding tokens in millions of pockets. Consequently this is being used for more and more applications beyond mere telecommunications. So while there is a lot of discussion on identity management in the Internet, GSM based mobile identity management is already there. Moreover, with their large penetration rates and the integration of new applications, the telecommunication providers are growing into the role of international identity managers and brokers. Actually, they are quite well positioned for this task compared to solely Internet based systems, states, banks, and Pay TV corporations. In any case one can expect more activity in the field of GSM based identity management. Last but not least a wider-spread availability of anonymous pre-paid SIMs would be essential to cope with privacy issues, e.g. in location tracking applications.

Acknowledgements

This work would not have been possible without T-Mobile International kindly supporting the team at the chair of Mobile Commerce & Multilateral Security in Frankfurt. Moreover I would like to thank the team for worthwhile hints and discussions, especially Heiko Rossnagel, Lothar Fritsch and Stefan Figge, and last but not least Scarlet Schwiderski-Grosche for their help to improve this paper.
7. References

[BVerwG 2003] Bundesverwaltungsgericht: Entscheidung zur Erhebung von Kundendaten bei so genannten Prepaid-Produkten; 2003-10-22; Aktenzeichen 6 C 23.02; www.bundesverwaltungsgericht.de/enid/88882cbad0924b213b144afe39ad6295,0976e07365617263685f646973706c6179436f6e7461696e6572092d0933353031/8o.html; visited 2004-02-05
[FSMR 2003] Stefan Figge, Gregor Schrott, Jan Muntermann, Kai Rannenberg: EARNING M-ONEY – A Situation based Approach for Mobile Business Models; in: Proceedings of the 11th European Conference on Information Systems (ECIS) 2003; June 19-21, 2003, Naples, Italy
[FrRa 2003] Lothar Fritsch, Kai Rannenberg: Informationstechnische Voraussetzungen von E-Government am Beispiel des Katastrophenschutzes mittels Mobilkommunikation; pp. 15-39 in: 'E-Government: Der Staat als Nachfrager und als Anbieter', Post-Proceedings of the 2002 Annual Conference of Deutsche Gesellschaft für Recht & Informatik, October 2002; Verlag Dr. Otto Schmidt KG; Köln, 2003
[GiDe 2003] Giesecke & Devrient: STARSIM® Applications, STARSIM®banking; www.gdm.de/eng/products/04/index.php4?product_id=386; visited 2004-02-05
[GSM 2004] GSM Association: GSM Statistics; www.gsmworld.com/news/statistics/index.shtml; visited 2004-02-15
[GuKP 2000] Scott Guthery, Roger Kehr, Joachim Posegga: How to turn a GSM SIM into a Web server: Projecting Mobile Trust onto the World Wide Web; in: Josep Domingo-Ferrer et al. (eds.): Proc. CARDIS 2000; Kluwer, 2000
[McDonalds 2004] www.mcdonalds.com/corporate; visited 2004-02-05
[Moxmo 2004] www.moxmo.com; visited 2004-02-05
[Paybox 2003] www.paybox.de; visited 2003-08-05
[PüSM 2001] Stefan Pütz, Roland Schmitz, Tobias Martin: On the security of the UMTS system; pp. 87-106 in: Dirk Fox, Marit Köhntopp, Andreas Pfitzmann (eds.): 'Verlässliche IT-Systeme 2001 – Sicherheit in komplexen IT-Infrastrukturen'; Vieweg Verlag, Wiesbaden, 2001; ISBN 3-528-05782-3
[RaFR 2003] Johannes Ranke, Lothar Fritsch, Heiko Rossnagel: M-Signaturen aus rechtlicher Sicht; in: Datenschutz und Datensicherheit 27 (2003) 2, pp. 95-100
[Rann 2002] Kai Rannenberg: CamWebSIM and Friends: Steps towards Personal Security Assistants; pp. 173-176 in: Viktor Seige et al.: The Trends and Challenges of Modern Financial Services – Proceedings of the Information Security Summit; May 29-30, 2002, Prague; Tate International; ISBN 80-902858-5-6
[Roehn 2003] Steffen Roehn: Get more. Security; Talk at Freiburg University; 2003-06-16; www.telematik.uni-freiburg.de/ring.php?rvrl_id=32
[Sportlogos.de 2003] www.sportlogos.de/index_anonyme.php?&; visited 2003-08-05
[T-Mobile 2003] T-Mobile: Czech Republic: m-payment becomes a universal payment tool for customers; www.t-mobile.net/CDA/news_details,20,0,newsid1799,en.html?w=925&h=588; visited 2003-08-05
[TKG 2002] Telekommunikationsgesetz (TKG) of 25. Juli 1996, BGBl. I 1996, S. 1120; last changes by Art. 1 and 2 of 'Erstes Gesetz zur Änderung des Telekommunikationsgesetzes' of 21.10.2002 (BGBl. I S. 4186, mit Wirkung vom 1.12.2002)
[UN 2004] www.un.org/Overview/unmember.html; visited 2004-02-05
[WeLu 1998] Rüdiger Weis, Stefan Lucks: Sicherheitsprobleme bei Authentifizierung und Verschlüsselung in GSM-Netzen; Datenschutz und Datensicherheit 22 (1998) 9, pp. 504-508
[WiTness 2003] WiTness: Wireless Trust for mobile business; Project No. IST 2001 32275; www.wireless-trust.org; visited 2004-02-05