Cellular Device -- The Versatile Personal Identification Mechanism

(Position Paper for Joint Workshop on Mobile Web Privacy

WAP Forum & World Wide Web Consortium)

Prof. Danny Dolev (dolev@cs.huji.ac.il) (W3C)

Shmil Ginzberg (shmil.ginzberg@cform.com) (WAP Forum)
Alex Finkelstein (alexf@cform.com) (WAP Forum)

 

School of Engineering and Computer Science

Hebrew University

Jerusalem, 91904

Israel

Phone: +972-2-6584116

Fax: +972-2-6758936

CFORM

Shalom Tower, 9 Ehad Ha’am St.

Tel-Aviv, 65251

Israel

Phone: 972-3-5163733

Fax: 972-3-5163701

 

 

Introducing cFORM

CFORM is a software solution provider that develops a comprehensive solution for enabling transaction-based services over various platforms. Our solution enables parties that are participating in the transaction, to perform secure, encrypted, authenticated and non-repudiated transaction using arbitrary network devices, based on a combination of standard electronic interface, standard data structure and a personal information repository device. This unique software system provides a convenient and easy to use way to perform transactions electronically and automatically, while keeping personal information private and enabling verification of both parties in the transaction. Our software system creates and manages a significant volume of transactions across various platforms (web-cellular). CFORM software system is platform independent and multi-lingual.

As cFORM software handles significant amounts of information, which in most cases is confidential and private (due to the nature of the electronic transactions), over many systems and means and communication, we are interested to supply the best possible solution, relaying on the present means and devices. Primarily, we are interested in providing

  1. Privacy – using strong encryption methods;
  2. Authenticity – so that we can provide a positive identification of the parties that are participating in the transaction;
  3. Security – to ensure that information that is involved in the transaction safely arrives to its destination without interference or attacks;
  4. Non repudiation – so that tracing back the transaction participants can be performed;
  5. In addition the system must adhere to the following guidelines:

  6. Ease of use – in terms of user interface and needed time to perform transaction;
  7. Availability – place, device and access platform independence.

 

Current challenges

As of today, some of the goals that were detailed above are implemented in an adequate level of success. There are strong encryption methods and algorithms that are available commercially and as free resources. There is also a significant progress in the field of biometrics means, voice recognition and smart cards in order to establish authentication and identification. The digital signature related processes and methods allow providing users and organization with no-repudiation and a reliable identification.

As the “pipe” used to carry the information that is involved in electronic transactions is sufficiently secured, at this point of time there are no effective means to identify positively the parties that are engaged in the transaction. So basically, we can ensure that the credit card number travels safely to the e-merchant but we cannot provide the identification of the cardholder nor any third party that is involved in the transaction.

Although a considerable effort is invested in order to promote these methods to become a common use, none of it is at a stage that allows a true massive use without adding costly and proprietary hardware or software devices. We do not yet see that every workistation or at least a majority of Internet connected machines are enabled with such identification methods. The volume of electronic transactions is constantly growing but it is not able to become a truly popular method due to the lack of an accessible, affordable and personal method of identification and authentication.

The cellular perspective

At this present stage the number of cellular users is way above the 500,000,000 mark, whereas the number of Internet users is lagging behind. Advancement of the information (data) based services is expected to push forward the number of cellular users. Although it is clear that future cellular devices will provide mainly data based services, currently it is applied as a voice centric device only.

Cellular providers are widely spread over the globe and their business as well as geographical location establish an infrastructure that may be a basis for a global system, which will provide a method for positive identification of the cellular owner.

The cellular service providers currently identify the cellular owner. The identification allows the cellular providers to bill the users and perform various activities in their behalf, with a low rate of dispute.

CFORM position

In order to provide a true and mass implementation of electronic transactions, an accessible and widely spread infrastructure is needed. Cellular devices are currently in the position that allow it to become the personal device, which can:

  1. Enable a positive personal identification of the user;
  2. Provide a sufficient level of security;
  3. Enable non-repudiation;
  4. Become a cost-effective alternative, which is ready at hand.

 

In order to achieve this goal, cellular devices need to be:

  1. Positioned as personal identification devices;
  2. Equipped various identification and electronic signature means (hardware and software);
  3. Equipped with a standard and accepted method to remotely sign transactions and data.

 

In order to achieve the goals above, personal identification token is likely to be positioned in the cellular device itself. Whether the solution will be SIM or other built in component, there is a need for the operating system that is installed on the cellular device to be able to address the hardware in order to accomplish the identification process. This solution, by its nature, requires a standard approach that will allow applications to create connectivity with hardware components of the cellular device, with the mediation of the operating system. Clearly, more than one operating system as well as methods for providing security and authentication are to be present in this market. Thus, we see a need to address this issue on a basic level of establishing a common way to communicate with cellular hardware components.

We see the cellular devices as the way to carry out the long standing dream of a versatile smart card that enables the owner to electronically sign transactions, safely identifies the owner, and control the access to owners approved information exchange.

We hope that the workshop may produce the move to agree on the guidelines needed to establish the cellular device as a default mean of identification and to provide the ground rules for applications that ensure this functionality.