Mobile Supplicant for SIM Authentication
Abstract
This Master’s thesis proposes a solution for utilizing the GSM SIM to authenticate users to distributed services accessed through the mobile terminal. By combining the GSM SIM authentication mechanisms with the EAP-SIM framework, we achieve mutual authentication between the parties. Because the GSM SIM is a tamper-resistant smart card and users have to present a valid PIN to activate the system, we also achieve strong two-factor authentication that fulfils the highest security level defined by NIST. The proposed system is secure, easy to use and inexpensive, because most of the components needed already exist in the GSM network today. Existing strong user authentication systems for mobile handsets require several devices to be able to offer secure services. The proposed system requires only one device, namely the mobile handset that the user is carrying anyway. The only user interaction required is typing the PIN. The authors’ major contribution to the proposed system is the Supplicant, which resides on the mobile handset and communicates with the SIM through the SATSA-APDU interface. By running as a local proxy on the mobile handset, the Supplicant is able to communicate with all kinds of client applications supporting HTTP, e.g. mobile browsers, J2ME MIDlets and native applications. A prototype implementing several of the components in the proposed system has been developed. Unfortunately, for several reasons, the prototype cannot be deployed on a real mobile handset today. We are missing the necessary certificate required to get access to the SIM, and none of today’s mobile handsets supports all the functionality needed. However, the prototype has been implemented successfully on a PC running the Wireless Toolkit from Sun, which simulates the SIM environment. Based on results from this thesis, the author has written the paper "A Unified Authentication Solution for Mobile Services". The paper was accepted and published at the ERCIM workshop on eMobility in Coimbra, Portugal, in May 2007.