The subscriber authorizes the operation of sending notifications by service provider through the cellular network. The service provider does not need to know subscriber's identity. If there is no identity information in the certificate, then the subscriber may remain anonymous towards the service provider. However, subscriber may pay for the notification through his phone bill. Subscriber authorizes such payment and the charging is triggered when the service provider sends a notification.
During a transaction UE sends to the service provider an assertion, i.e. signed authorization, to send a notification message to that UE through the cellular network, and subscriber certificate or subscriber certificate URL. The service provider verifies the authorization text and UE's signature with the aid of subscriber certificate. If the signature and the authorization text are correct, then the service provider will send a positive acknowledgement to the UE.
At a later time, for example when a certain sport's event takes place, the service provider creates a notification and submits it to the operator together with the signed UE's authorization and subscriber's certificate. The operator verifies the signed authorization. If the verification succeeds the operator will forward the notification text to the subscriber in an SMS or MMS message.
The subscriber authorizes payment for a service through his phone bill (or with separate bill). Note that the provider of the service does not need to know subscriber's identity. If there is no information in the certificate, then the subscriber may remain anonymous towards the service provider. The service may be e.g. non-cellular access in a environment where the operator's traditional billing mechanisms are not directly applicable, e.g. non-cellular access is provided by 3rd party.
During a payment transaction the UE sends to the service provider a signed invoice and subscriber certificate (or subscriber certificate URL). The service provider verifies the UE's signature with the aid of subscriber certificate. If the signature and the invoice are correct, then the service provider will grant UE access to, or deliver the requested service.
In the settlement phase the service provider forwards the signed invoice to the operator for verification. If the verification is successful then the operator will reimburse service provider and charge the subscriber the price of the service through his phone bill (or with separate bill).
the service provider has a business relationship with operator that issued subscriber's certificate and it knows operator's signature verification key.
if the service provider (e.g. visited access network provider abroad) does not have a direct relationship with the subscriber's home network, the certificate should come from the visited network. The independent access network provider trusts the visited operator as well as the subscriber authentication and certificate from that operator.
the subscriber trusts the billing from the home operator and payment is convenient. During the service usage he will have to type in the payment PIN for configured amounts. The terminal may automatically sign very small amounts. In this case only larger amounts and cumulative sum above a threshold trigger the PIN query.
These secure services deal with payment and an agreement between a cellular network operator and a service provider. The nature of the key pair storage has consequences. The security risk analysis is performed according to the unauthorized usage threats identified in clause A.3.2
Unauthorized usage by using the private key of the victim without retrieving the private key:
if the ME is not sufficiently secure, the attacker may have a program that shows the user a certain message ("payment of €1"
) but ask the UICC to sign a different message ("payment of €100"
). Also if the attacker's program discovers the PIN, it can command the UICC to generate signatures even without the user being aware of it.
the attacker requires an interaction with the UE to gain access to the UICC.
these attacks apply in case of:
key pair storage on the ME;
key pair storage on the UICC.
Unauthorized usage by getting hold of the private key:
if an attacker manages to discover the subscriber's private key then an attack could consists in sending signed authorizations to the service provider, then the subscriber would have to pay for services he did not ask for.
once the key retrieved, the attacker does not require any interaction with the UE equipment to gain access to the UICC.
The attack applies in case of:
key pair storage on the ME.
This attack is based on the key retrieval. So, as the UICC is tamper resistant device so the attack does not apply to UICC.
Consequences of these attacks:
forgeability: the subscriber could pay for services he did not ask for;
repudiation: The cellular network operator and the service provider are not paid for the service they provided.
If there is any way to attack the system a signer can repudiate the performed signatures arguing that the system is not secure. So, if it is possible to use the subscriber's private key without his deliberate consent, then the subscriber can repudiate the signatures sent for authorization, and not pay the associated phone bill. So,:
the operator and the service provider could not be paid for the proposed service;
the trust relationship between the operator and the service provider can be destroyed. The service provider has no guaranty of security; he would no longer trust the subscriber certificates issued by the cellular network operator and the associated signatures;
if there is any problem due to some unauthorized usages of the subscriber private key then the trust in 3G PKI may be lost;
high valued services involving payment and relationship with service provider or 3rd party content provider often require the use of long-term certificates. The issuance of long-term certificates requires more security constraints than the issuance of short-lived certificates. So, according to the unauthorized usage threats present on the UE, the security level may not satisfy the security requirements for long-term certificates issuance and usage.