PKI Framework for Supporting the Security of Mobile Communication from its Core

 

In the past ten years within the computing world, the term "mobile computing" has become popular. And owing to the improved performance of mobile information terminals such as cell phones, notebook computers, and personal digital assistants (PDAs), the use of such devices has continued to spread into areas that were unthinkable ten years ago.

Taking the example of mobile phones, we can see that their display size has got bigger year on year, and it has now become a matter of course that internet web pages specially prepared for mobile-phone use can be viewed on these bigger displays. What's more, the entire business area of so-called "electronic commerce" (referred to as EC or e-commerce)–including mobile banking and mobile shopping–is continuing to expand.

More specifically, in the case of mobile banking, a mobile phone can be used for various banking services, such as balance enquiries, deposit and withdrawal enquiries, direct deposits, and money transfers. And in the case of mobile commerce, it can be used for such activities as enjoying shopping from "net catalog" schemes and selling one's things through "net auction" services.

Furthermore, to take the example of notebook PCs, it seems that these days internet environments called "hot spots" are appearing on every street corner, and they have created a situation in which users of notebook PCs can freely use the internet with the same sensation whether at home or at the office.

It is worth mentioning that hot spots started to appear from 2001 onwards; that is, after one type of specification for wireless local area networks (LANs), namely, IEEE 802.11b, and a wireless communication protocol for mobile information terminals, namely, Bluetooth, became popular. This trend has created the situation these days that almost any places where many people congregate (airports, train stations, convenience stores, fast-food outlets, family restaurants, etc.) are invariably set up as hot spots.

2. Ever-increasing importance of security measures

 

The applications of mobile computing include more than just the ones mentioned above. For example, several business scenarios come to mind: business people accessing business-use web applications used within one's company while on the move outside the company; checking one's schedule; confirming stocks and delivery dates of products; and settling travel and accommodation expenses while on business trips. And from now onwards, as regards public institutions, each business person will acquire their own electronic certificate, which they will use to perform various electronic-government procedures such as completing various documents and submitting tenders for business projects. As a matter of fact, given the current technical standards, it is not that difficult to meet the various needs regarding the business scenarios described above. However, there is one remaining problem, security measures, as explained below.

In the case of the previously mentioned hot spots, as its name suggests, a wireless LAN literally uses "wireless" transmission in which radiowaves fly through the air carrying data. There is thus the risk that anybody else in the wireless LAN area through which the radiowaves are carried can also receive the transmitted data by simply eavesdropping on that transmission area. On top of that, mobile phone users are becoming more exposed to the risk of attack by so-called "spoofing"–namely, a way of stealing information concerning financial transactions (such as passwords and account numbers of bank- and credit-card accounts) or tampering with contract documents.

Hereafter, this article turns to its main theme, namely, Public Key Infrastructure (PKI) technology that our research group observed to prevent the above-described problems.

In other words, to assure security of procedures for e-commerce and e-government under a mobile computing environment, it is necessary to perform various authentication procedures on all the players that appear in this environment. And we think that PKI is one promising solution to meet this need.

3. What is PKI technology?

 

In the following, I'll give a more detailed explanation of PKI.

To assure secure communication on networks (that is, prevent contract tampering and authenticate business contacts), technology called public key cryptosystems is available. As regards such technology, the main tool for encrypting and decrypting data is called a "key". And in the case of public key cryptosystems, two kinds of key–a "public key" and a "private key"–are used for data encryption and decryption. The private key is held by one person and is, so to speak, for that person's use only; in contrast, the public key corresponding to that private key is open to the general public for widespread use.

In the case of authentication by a public key cryptosystem, the person subject to authentication starts by encrypting the transmitted data with their private key; this encrypted transmitted data cannot be read unless a great deal of complex decryption is done. This transmitted encrypted data cannot even be read by the person who encrypted it.

In the next step, the public key that corresponds to the private key enters the picture.

The person doing the authentication uses the public key to decrypt the transmitted data, and the data returns to readable status. And in the case that the transmitted encrypted data can be decrypted correctly, that person judges that the key used for encrypting the data was the private key that corresponds to their public key; in other words, the person who encrypted the data must be the holder of the private key.

So what happens if the person performing the authentication mistakes the holder of the private key?

Whether the encrypted transmitted data can be decrypted correctly simply depends on the public key corresponding with the private key. This means that in the case the public key is thought to belong to the person undergoing authentication but does not actually correspond to the private key, the encrypted transmitted data cannot be decrypted. On the other hand, in the case that the public key is thought to belong to a complete stranger but does correspond to the private key, it can become possible for the stranger to decrypt the encrypted transmitted data. That is to say, authentication of a legitimate person can be mistaken, and it is possible that someone can pass themselves off as someone else (so-called "spoofing").

The above-described scenario means that in the case of authentication by using a public key cryptosystem, it is extremely important to correctly connect the correct person and the public key. Consequently, it has become essential to devise a system that can certify–by means of utilizing a third-party organization with no direct connection to the person undergoing authentication–whether the person in question is unmistakably the person holding the private key corresponding to the public key or whether that person is a malicious stranger intending to spoof the cryptosystem. And this scheme is called Public Key Infrastructure (PKI): a core technology that configures the security infrastructure for protecting the bare bones of e-commerce.

4. Social system for supporting PKI

 

This figure shows how various organizations involved in authentication and certification are set up within the PKI system.

To begin with, as the first key concept concerning the PKI, a so-called Certification Authority (CA) confirms who is the owner of the private key corresponding to the public key and fixes the correspondence between the keys. The CA then issues and controls a so-called "electronic certificate" as the authorization of this correspondence. In particular, set up as an organization with responsibility for checking the certification of the key holder with the CA, the Registration Authority (RA) verifies the identity of the key holder in a face-to-face manner.

By the way, it should be mentioned that in April 2001 in Japan, a law allowing electronic signatures and electronic-authorization services was introduced. As a result, electronic signatures could then be handled in the same manner as personal written signatures or seals, and CAs approved by the Japanese government have been established since then. Moreover, these days, CAs run by the private company have appeared, and an environment in which electronic certification is just another business is being created.

As the second key concept in PKI, a so-called Validation Authority (VA) is set. The VA is a body for checking the legality of electronic certificates; namely, whether a certificate is valid and whether that certificate was issued by a trustworthy CA. Since the PKI is a system to prevent spoofing, the procedure that checks the validity of the electronic certificate is said to be the most important among the PKI operations.

5. Our research group is also actively committed to activities in the outside world

 

With the aim of establishing PKI security infrastructure, our research group is engaged in research and development to provide solutions to various technical problems; that is to say, we are not only continuing research on basic technologies for public key cryptosystems but also implementing PKI to support mobile terminals with strictly limited resources (such as mobile phones). For example, one achievement of our research efforts is a Certificate Validation Server (CVS) that we have developed for Validation Authorities (VAs).

Furthermore, since becoming as a participant in the "Mobile IT Forum" (mITF) under the Ministry of Public Management, Home Affairs, Posts and Telecommunications in June 2001 and without regard to a narrow framework concerning Hitachi Ltd, we taken the stance of actively contributing to the establishment of the security infrastructure for the mobile generation.

In addition, our research group has been participating in the technical studies performed under the International Telecommunications Union, Telecommunication Standardization Sector (ITU-T).

Established by the United Nations and headquartered in Geneva, Switzerland, the International Telecommunications Union (ITU) is a specialized organization–made up from members from over 150 nations–for performing standardization for telecommunications technologies, services, and protocols. The ITU is composed of four main sections, one of which, the ITU-T (ITU-Telecommunication Standardization Sector), handles standardization for communcation-related technologies.

At the ITU-T, one two-week technical discussion takes place every half year, and new technical standardization is implemented one time every four years. In other words, for the "study period" from 2001 to 2004, "mobile security" was taken up as one investigation theme, and in March this year (2004), standardization schemes for the principle security technologies were determined by vote and introduced as official standards in May.

6. Building up a "safety zone" in the Internet world

 

 

Now, although we are reaching the end of this article, I would like to briefly introduce myself.

After joining Systems Development Laboratory (at that time) in 1996, I was dispatched to Hitachi in Boston, USA, to take part in developing business models in collaboration with local venture-capital organizations.

Since then, I have been involved in research and development on the above-described Public Key Infrastructure (PKI). And since December 2003, in collaboration with telecommunications carriers, computer vendors and so on, I have been helping to set up the "Secure Trusted Network Forum". As an organizing member of that body, I am currently making up a research environment aimed at making use of the many internet technologies easier.

My dream as a researcher is explained in the following. In the so-called "lawless world" of the internet, a safe zone should be created. As mentioned previously, use of the internet has jumped out from the confined spaces of offices and homes and become common place in crowded places like trains in transit and corner coffee shops. In response to these circumstances, I want to make this internet world much simpler and much safer. In other words, I want to create a world in which anyone can use the internet in the same way as we have used the telephone up till now.

Please note that although the website of the Secure Trusted Network Forum is still in the early days of being set up, it is now open to the public and interested readers are encouraged to browse it freely.

Src: http://www.hitachi.com/rd/yrl/people/pki/index06.html