In the last few years, person-to-person wireless communications exploiting Short Messaging Service (SMS) technology have become an extremely common way to exchange textual information while on the move. The great popularity of this method of communicating is evidenced by the fact that billions of SMS messages are exchanged per year all over the world.
Ease of use and a simple interface are the major advantages of SMS technology, which can be approached even by inexperienced users.
The popularity of SMS-based communications has also suggested exploiting this technology for implementing m-business. SMS-based business applications have thus been developed that enable users to perform transactions, for example remote banking operations, from their cellular phones via SMS messages.
However, many SMS-based business applications pose a specific need for message integrity and non-repudiation. For example, consider SMS-based urgent authorizations to perform banking operations, or SMS-based procurement authorizations in a corporate or government environment: the subject receiving the SMS message may reasonably doubt whether the message is authentic and has been issued by the supposed message sender. The need to ensure the authenticity of the SMS messages thus arises.
Today, solutions for digital signatures in wireless communications mostly rely on implementations of X509-like certificates on board mobile communications terminals, e.g. cellular phones, to implement a digital signature scheme that resembles those adopted for Internet browsers. An example of such standards is the Wireless Identity Module (WIM) technology, adopted by some providers of m-commerce services for making mobile-payment (m-payment) transactions secure and trusted. The WIM is a security module that is usually implemented in the Subscriber Identity Module (SIM) card provisioned by a mobile telephony operator, for WAP applications. A Public Key Infrastructure (PKI) is also needed to manage the X509-like certificates issued to the WIM.
A disadvantage of this solution is that, in order to implement the WIM, special SIM cards have to be provisioned to the users, by either the mobile telephone network operator or the application service providers, or both. Also, the implementation and management of the PKI is costly. Moreover, this solution exhibits poor usability, i.e. it is not very user-friendly, because most mobile phone users are not accustomed to, and do not feel comfortable with, managing digital certificates on their cellular phones.
Although not as standard as the WIM, approaches have been attempted to implement special-purpose SIM cards that embed software adapted to perform digital signatures for SMS messages. In this case X509-like certificates are also required, and there is the drawback that special-purpose SIM cards have to be provisioned to the users by the mobile telephone network operator and/or by the application service providers. Also, user-friendliness is again poor, because digital certificates need to be handled.
In a field different from m-business, Patent Application Publication US-A1-2003/0236981 addresses the problem of providing a security solution for wireless terminal user equipment remotely managed through SMS messages (so-called “configuration SMSs” that enable the mobile devices to be remotely managed by a remote device management application system, e.g. for changing parameters or software elements in the remotely managed device). The management system generates a digital signature computed with an International Mobile Equipment Identity (IMEI) number as a key, and includes the digital signature in an available field of the SMS message. The receiving wireless terminal equipment verifies the digital signature of a received configuration SMS and, if the verification fails, the configuration SMS is rejected. This solution requires that the receiving wireless terminal equipment be configured (i.e., that it embed dedicated software, e.g. in the SIM card or in the cellular phone) for digital signature verification.
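The sign-then-verify exchange described above can be sketched as follows. This is an added example, not code from the cited publication or from this document; it assumes the signature is an HMAC-SHA256 keyed with the IMEI digits and truncated to 8 bytes, appended to the payload, and all names and sample values are hypothetical.

```python
import hashlib
import hmac

SMS_MAX_OCTETS = 140   # user-data capacity of a single SMS
TAG_LEN = 8            # assumed: truncated tag length carried in the free field


def _tag(imei: str, payload: bytes) -> bytes:
    # Assumption: HMAC-SHA256 keyed with the IMEI digits; the publication's
    # actual algorithm is not given on this page.
    return hmac.new(imei.encode("ascii"), payload, hashlib.sha256).digest()[:TAG_LEN]


def sign_config_sms(imei: str, payload: bytes) -> bytes:
    """Management side: append the tag to the configuration payload."""
    if len(payload) + TAG_LEN > SMS_MAX_OCTETS:
        raise ValueError("payload and signature do not fit in one SMS")
    return payload + _tag(imei, payload)


def accept_config_sms(own_imei: str, message: bytes):
    """Terminal side: return the payload if the tag verifies, else None."""
    if len(message) <= TAG_LEN or len(message) > SMS_MAX_OCTETS:
        return None  # malformed: reject
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, _tag(own_imei, payload)):
        return None  # verification failed: configuration SMS is rejected
    return payload


# Constructed sample values (not from the publication).
DEVICE_IMEI = "490154203237518"
OTHER_IMEI = "356938035643809"
CONFIG = b"SET APN=internet.example"

if __name__ == "__main__":
    sms = sign_config_sms(DEVICE_IMEI, CONFIG)
    print(accept_config_sms(DEVICE_IMEI, sms))             # payload accepted
    print(accept_config_sms(DEVICE_IMEI, b"X" + sms[1:]))  # tampered: None
    print(accept_config_sms(OTHER_IMEI, sms))              # wrong device: None
```

Both sides must hold the same IMEI value, so the check authenticates the sender only to the extent that the IMEI is not known to other parties.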
French Publication FR 2 817 108 describes electronic payments made through a GSM mobile terminal over GSM/GPRS and UMTS networks. Authentication makes use of the mobile terminal's SIM card, which stores a SIM Toolkit applet. The Applicant observes that in this case, too, there is a need for special-purpose SIM cards embedding the application software adapted to implement the authentication.