Eircell - A PKI Case Study
  Robbie Ingle
  Business & Technical Architecture Manager
  Eircell

Agenda
  Eircell’s Goal
  Mobile Banking
  Visa Cash
  WAP-based Banking
  WAP-based Shopping
  Conclusions

The Trusted Personal Device
  Privacy, Authentication, Integrity, Non-repudiation
  Personal: Key to a set of personalised services
  Small, lightweight, fashionable
  Device: Not necessarily a phone

Security Modes
  Mode 1: Customer doesn’t know or trust Merchant; Merchant doesn’t know or trust Customer
  Mode 2: Customer knows and trusts Merchant
  Mode 3: Merchant knows and trusts Customer

Mobile Banking
  AIB Bank
  Simple Application - no Merchants
  Users check Balances on Mobile Phone
  SMS used as transport
  SIM ToolKit (STK) based
  Very popular:
    Many phones supported
    Easy to use

Mobile Banking
  Symmetric system
  End-to-end security
  Security Mode 3
  Inflexible
  Amendments require new SIM card

VISA Cash
  Eircom Information Age Town - Ennis
  World’s first mobile cash download
  Three security levels:
    0: Purse (Visa Cash card) to Host
       Triple DES
    1: Phone to Commerce Bridge
       WTLS; ECC 113; 56-bit DES for data; SHA-1 for MAC
    2: Phone to server; server to host
       Diffie-Hellman session key
       Single DES and H/W DES for PIN privacy

VISA Cash
  Security Mode 3
  Approved by Visa
  Special purpose hardware
  Commerce Bridge
  Card Reader for Nokia 7110
  No commercial application

WAP-based Banking
  Ulster Bank
  Launched at Comms 2000 (April)
  Enquiry facilities at present
  Based on their Anytime Internet service
  Registration model
  Security Mode 3
  Transactions will require WTLS

WAP-based Shopping
  Extension of Eircell’s Eirshop
  Launched at Easter
  Registration Process
  Products:
    Chocolates
    Books
    Ready To Go phones
    Records
  Security Mode 3

Conclusions
  Eircell has been very progressive
  Built on defined customer constituencies
  Security processes to date have been proprietary
  Lack of flexibility has hampered commercial proposition
  PKI with ubiquity and convenience of mobile phone will be winning combination