Abstract
Modern foundational electronic IDentity (eID) systems commonly rely on biometric authentication so as to reduce both their deployment costs and the need for cryptographically capable end-user devices (e.g., smartcards, smartphones). However, this exposes the users to significant security and privacy risks. We introduce SIMple ID which uses existing infrastructure, Subscriber Identity Module (SIM) cards and basic feature phones, to realise modern authentication protocols without the use of biometrics. Towards this goal, we extend the international standard for displaying images stored in SIM cards and show how this can be used to generate QR codes on even basic no-frills devices. Then, we introduce a suite of lightweight eID authentication protocols designed for on-SIM execution. Finally, we discuss SIMple ID’s security, benchmark its performance and explain how it can enhance the security and privacy offered by widespread foundational eID platforms such as India’s Aadhaar.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Japan Patent JP4258794A. Two-dimensional code having rectangular region provided with specific patterns to specify cell positions and distinction from background. DENSO Wave Corporation (1994)
GlobalPlatform Card Specification. Version 2.2.1, GlobalPlatform Inc. (2011)
Norwegian Mobile Bank ID: Reaching Scale through Collaboration, GSM (2014)
Compendium of Regulations, Circulars & Guidelines for (Authentication User Agency (AUA)/E-KYC User Agency (KUA), Authentication Service Agency (ASA) and biometric device provider) (2018). https://uidai.gov.in/images/resource/compendium_auth_19042018.pdf
Understanding Cost Drivers of Identification Systems (2018). https://openknowledge.worldbank.org/bitstream/handle/10986/31065/Understanding-Cost-Drivers-of-Identification-Systems.pdf
Aadhaar enrollment/correction/update form, Online. Government of India (2020). https://uidai.gov.in/images/aadhaar_enrolment_correction_form_version_2.1.pdf
Commercial National Security Algorithm (CNSA) Suite. MFS U/00/814670-15, National Security Agency (2021)
ID systems analysed: Aadhaar. Online, Privacy International (2021). https://privacyinternational.org/case-study/4698/id-systems-analysed-aadhaar
Regulation (EU) 2021/953. Official Journal of the European Union L211/1 (2021)
Security analysis of the KaiOS feature phone platform for DFS applications. Online, Financial Inclusion Global Initiative, Security Infrastructure and Trust Working Group (2021). https://figi.itu.int/wp-content/uploads/2021/04/Security-analysis-of-the-KaiOS-feature-phone-platform-for-DFS-applications-1.pdf
Aadhaar Dashboard. Online, Unique Identification Authority of India (2022a). https://uidai.gov.in/aadhaar_dashboard/index.php
About MOSIP, Modular Open Source Identity Platform. Online, Modular Open Source Identity Platform (2022). https://mosip.io/mosip/uploads/files/ABOUT%20MOSIP.pdf
Amazon.in Bestsellers: The most popular items in Basic Mobiles. Online, Amazon.in (2022). https://www.amazon.in/gp/bestsellers/electronics/1805559031
Daily Authentication Transaction Trend, Aadhaar Dashboard (2022). https://uidai.gov.in/aadhaar_dashboard/auth_trend.php?auth_id=dailytrend. Note: 71,477,653,961 Total Authentication Transactions, 53,639,637,282 fingerprint-based
M-Pesa – Africa’s leading fintech platform – marks 15 years of transforming lives. Online, Vodaphone Group (2022). https://www.vodafone.com/news/inclusion/mpesa-marks-15-years
MOSIP ID Object Definition. Online, Modular Open Source Identity Platform (2022). https://docs.mosip.io/1.1.5/modules/registration-processor/mosip-id-object-definition
Population, total - Sub-Saharan Africa. Online, World Bank (2022). https://data.worldbank.org/indicator/SP.POP.TOTL?locations=ZG. Note: 1.14 billion indicated population of Sub-Saharan Africa
The Mobile Economy 2022. Online, GSM Association (2022). https://www.gsma.com/mobileeconomy/wp-content/uploads/2022/02/280222-The-Mobile-Economy-2022.pdf
Abdalla, M., Bellare, M., Rogaway, P.: The oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_12
Agrawal, S., Banerjee, S., Sharma, S.: Privacy and security of Aadhaar: a computer science perspective. Econ. Polit. Wkly. 52(37), 93–102 (2017)
Kleinjung, T., et al.: Factorization of a 768-Bit RSA modulus. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 333–350. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_18
Assisi, C., Ramnath, N.: The Aadhaar Effect: Why the World’s Largest Identity Project Matters. Oxford University Press, Oxford (2018)
Baqer, K., Anderson, R., Mutegi, L., Payne, J.A., Sevilla, J.: DigiTally: piloting offline payments for phones. In: Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017). USENIX Association (2017)
Baqer, K., Bezuidenhoudt, J., Anderson, R., Kuhn, M.: SMAPs: short message authentication protocols. In: Anderson, J., Matyáš, V., Christianson, B., Stajano, F. (eds.) Security Protocols 2016. LNCS, vol. 10368, pp. 119–132. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-62033-6_15
Barker, E.: Recommendation for Key Management: Part 1 - General. NIST Special Publication 800–57 Part 1 Revision 5 (2020)
Birch, D.: Identity is the New Money. London Publishing Partnership (2014)
Camner, G., Pulver, C., Sjöblom, E.: What Makes a Successful Mobile Money Implementation? Learnings from M-PESA in Kenya and Tanzania. GSM (2013)
M’Raihi, D., et al.: HOTP: An HMAC-Based One-Time Password Algorithm. RFC 4226, The Internet Society (2005)
Delaporte, A., Bahia, K.: The State of Mobile Internet Connectivity 2021. Technical report. GSM Association (2021)
Edsbäcker, P.: SIM cards for cellular networks. An introduction to SIM card application development. B.Sc. thesis, Mid Sweden University (2012)
ETSI TR 102 203: Mobile Commerce (M-COMM); Mobile Signatures; Business and Functional Requirements. V1.1.1 (2003)
ETSI TS 101 476: Digital cellular telecommunications system (Phase 2+); GSM API for SIM toolkit stage 2 (3GPP TS 03.19 version 8.5.0 Release 1999) (2002)
ETSI TS 102 221: Smart Cards; UICC-Terminal interface; Physical and logical characteristics (Release 17). V17.1.0 (2022)
ETSI TS 102 223: Smart Cards; Card Application Toolkit (CAT). V15.3.0 (2019)
ETSI TS 102 226: Smart Cards; Remote APDU structure for UICC based applications (Release 16). V16.0.1, European Telecommunications Standards Institute (2020)
ETSI TS 102 384: Smart Cards; UICC-Terminal interface; Card Application Toolkit (CAT) conformance specification (Release 11). V11.0.0 (2022)
ETSI TS 131 102: Characteristics of the Universal Subscriber Identity Module (USIM) application (3GPP TS 31.102 version 17.5.0 Release 17) (2022)
ETSI TS 131 130: (U)SIM Application Programming Interface (API); (U)SIM API for Java\(^{TM}\) Card (3GPP TS 31.130 version 17.0.0 Release 17) (2022)
ETSI TS 151 011: Digital cellular telecommunications system (Phase 2+); Specification of the Subscriber Identity Module - Mobile Equipment (SIM-ME) interface (3GPP TS 51.011 version 4.15.0 Release 4) (2005)
Ford, B.: Identity and personhood in digital democracy: evaluating inclusion, equality, security, and privacy in pseudonym parties and other proofs of personhood. arXiv (2020). https://arxiv.org/abs/2011.02412
Gayoso Martínez, V., Hernández Encinas, L., Sánchez Ávila, C.: Java card implementation of the elliptic curve integrated encryption scheme using prime and binary finite fields. In: Herrero, Á., Corchado, E. (eds.) CISIS 2011. LNCS, vol. 6694, pp. 160–167. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21323-6_20
Gelb, A., Metz, A.: Identification Revolution: Can Digital ID be Harnessed for Development? Brookings Institution Press, Washington (2018)
George, N.A., McKay, F.H.: The public distribution system and food security in India. Int. J. Environ. Res. Public Health 16(17), 3221 (2019)
Verzelettiet, G.M., et al.: A national mobile identity management strategy for electronic government services. In: 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing And Communications (2018)
Goldreich, O.: Foundations of Cryptography, vol. 2. Cambridge University Press, Cambridge (2004)
GS1 General Specifications: The foundational GS1 standard that defines how identification keys, data attributes and barcodes must be used in business applications. Release 22.0, GS1 (2022)
GSM 11.11: Digital cellular telecommunications system (Phase 2+); Specification of the Subscriber Identity Module - Mobile Equipment interface;. V5.3.0 (1996)
Gupta, B., Quamara, M.: A taxonomy of various attacks on smart card-based applications and countermeasures. Concurr. Comput.: Pract. Experience 33(7), 1 (2021)
Handschuh, H., Paillier, P.: Smart card crypto-coprocessors for public-key cryptography. In: Quisquater, J.-J., Schneier, B. (eds.) CARDIS 1998. LNCS, vol. 1820, pp. 372–379. Springer, Heidelberg (2000). https://doi.org/10.1007/10721064_35
Hassinen, M., Hypponen, K.: Strong mobile authentication. In: 2005 2nd International Symposium on Wireless Communication Systems (2005)
Hughes, N., Lonie, S.: M-PESA: mobile money for the “Unbanked” turning cellphones into 24-hour tellers in Kenya. Technology, Governance, Globalization, Innovations (2007)
ISO/IEC 18004:2015: Information technology - Automatic identification and data capture techniques - QR Code bar code symbology specification (2015)
ISO/IEC 7816–4:2020: Identification cards - Integrated circuit cards - Part 4: Organization, security and commands for interchange (2020)
Ivatury, G., Mas, I.: The Early Experience with Branchless Banking. Focus Note No. 46, CGAP (2008)
James, J.: The smart feature phone revolution in developing countries: bringing the internet to the bottom of the pyramid. Inf. Soc. 36(4), 226–235 (2020)
Java Card Platform: Runtime Environment Specification. Version 2.2.1 (2003)
Kaliski, B., Staddon, J.: PKCS #1: RSA Cryptography Specifications Version 2.0. RFC 2437, The Internet Society (1998)
Khera, R.: Impact of Aadhaar in welfare programmes. Econ. Polit. Wkly. 52(50), 61–70 (2017)
Konoth, R.K., Fischer, B., Fokkink, W., Athanasopoulos, E., Razavi, K., Bos, H.: SecurePay: strengthening two-factor authentication for arbitrary transactions. In: 2020 IEEE European Symposium on Security and Privacy (EuroS &P) (2020)
Krimpe, J.: Mobile ID: crucial element of m-government. In: Proceedings of the 2014 Conference on Electronic Governance and Open Society: Challenges in Eurasia. Association for Computing Machinery (2014)
Kubach, M., Leitold, H., Roßnagel, H., Schunck, C.H., Talamo, M.: SSEDIC.2020 on Mobile eID. In: Open Identity Summit 2015 (2015)
Laud, P., Roos, M.: Formal analysis of the Estonian mobile-ID protocol. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds.) NordSec 2009. LNCS, vol. 5838, pp. 271–286. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04766-4_19
Manoil, V., Turcanu, I.: Moldova Mobile ID Case Study. World Bank (2018)
Martin, A.K.: Aadhaar in a box? Legitimizing digital identity in times of crisis. Surveill. Soc. 19(1), 104–108 (2021)
Martínez, V.G., Álvarez, F.H., Encinas, L.H., Ávila, C.S.: A comparison of the standardized versions of ECIES (2010)
Mavroudis, V., Svenda, P.: JCMathLib: wrapper cryptographic library for transparent and certifiable JavaCard applets. In: 2020 IEEE European Symposium on Security and Privacy (EuroS &P) Workshops (2020)
MOSIP Docs 1.2.0: ID Authentication Services, Modular Open Source Identity Platform (2022). https://docs.mosip.io/1.2.0/modules/id-authentication-services
Murphy, A.: Swisscom Mobile ID: Enabling an Ecosystem for Secure Mobile Authentication. GSM Association (2018)
Naumann, I., Hogben, G.: Privacy features of European eID card specifications. Netw. Secur. 2008(8), 9–13 (2008)
Parsovs, A.: Estonian electronic identity card: security flaws in key management. In: Proceedings of the 29th USENIX Conference on Security Symposium (2020)
Qin, K., Zhou, L., Livshits, B., Gervais, A.: India’s “Aadhaar” biometric ID: structure, security, and vulnerabilities. In: Financial Cryptography and Data Security - 26th International Conference (2022)
Rajput, A., Gopinath, K.: Analysis of newer Aadhaar privacy models. In: Ganapathy, V., Jaeger, T., Shyamasundar, R.K. (eds.) ICISS 2018. LNCS, vol. 11281, pp. 386–404. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05171-6_20
Reaves, B., Scaife, N., Bates, A., Traynor, P., Butler, K.R.B.: Mo(bile) money, Mo(bile) problems: analysis of branchless banking applications in the developing world. In: 24th USENIX Security Symposium (2015)
Reid, J., Looi, M.: Making sense of smart card security certifications. In: Domingo-Ferrer, J., Chan, D., Watson, A. (eds.) Smart Card Research and Advanced Applications. ITIFIP, vol. 52, pp. 225–240. Springer, Boston, MA (2000). https://doi.org/10.1007/978-0-387-35528-3_13
Salem, A.M., Elhingary, E.A., Zerek, A.R.: Value added service for mobile communications. In: 4th International Conference on Power Engineering, Energy and Electrical Drives (2013)
Trichina, E., Hyppönen, K., Hassinen, M.: SIM-enabled open mobile payment system based on nation-wide PKI. In: ISSE/SECURE 2007 Securing Electronic Business Processes, pp. 355–366. Vieweg (2007). https://doi.org/10.1007/978-3-8348-9418-2_38
Vashistha, A., Anderson, R., Mare, S.: Examining security and privacy research in developing regions. In: Proceedings of the 1st ACM SIGCAS Conference on Computing and Sustainable Societies. COMPASS ’18 (2018)
Švenda, P.: Nuances of the JavaCard API on the cryptographic smart cards - JCAlgTest project. In: 7th International Workshop on Analysis of Security API (2014)
Wong, C.W.T., Tsui, T.C.: Automated payment over the counter - a study of Alipay, WeChat Wallet and Octopus currently used in Mainland China and Hong Kong. In: The Future of the Commercial Contract in Scholarship and Law Reform Fourth Annual Conference, Institute of Advanced Legal Studies (2019)
Zefferer, T., Teufl, P.: Leveraging the adoption of mobile eID and e-signature solutions in Europe. In: Kő, A., Francesconi, E. (eds.) EGOVIS 2015. LNCS, vol. 9265, pp. 86–100. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22389-6_7
Acknowledgments
This work was supported, in whole or in part, by the Bill & Melinda Gates Foundation [INV-001309]. Under the grant conditions of the Foundation, a Creative Commons Attribution 4.0 Generic License has already been assigned to the Author Accepted Manuscript version that might arise from this submission. Taisys Technologies Co. Ltd kindly donated 6 SIMoME overlay UICCs and provided technical support.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Hicks, C., Mavroudis, V., Crowcroft, J. (2023). SIMple ID: QR Codes for Authentication Using Basic Mobile Phones in Developing Countries. In: Lenzini, G., Meng, W. (eds) Security and Trust Management. STM 2022. Lecture Notes in Computer Science, vol 13867. Springer, Cham. https://doi.org/10.1007/978-3-031-29504-1_1
Download citation
DOI: https://doi.org/10.1007/978-3-031-29504-1_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-29503-4
Online ISBN: 978-3-031-29504-1
eBook Packages: Computer ScienceComputer Science (R0)