Mobile terminals with NFC (near field communication) functions are going to be commercialized in 2012. They realize both offline and online enclosure into tamper-resistant devices, of service users’ personal information, in the form of authentication information such as ID/passwords, points and coupons, and enable the information to be read. Utilizing these functions, the authentication of the users becomes more convenient when accessing e-governmental services through mobile terminals, and all indifferent to generations of citizens have easy and secure access administration services through mobile terminals.
The research by M.I.C. in 2009 examined the security of the following spaces for storing ID information issued for the users by the service providers as a means of mobile access to e-governmental services: 1) public IC card system, used by placing the public ID card issued by the government near the mobile phone, 2) public card system for mobile phones, used by inserting the eligible cards issued by the government into the mobile terminals, 3) public identification information system, used by writing down the information issued by the government into the mobile terminals, etc. Tamper resistant devices are assumed to be 1) full-sized IC cards for the public ID card system, 2) flash memory devices containing the IC chips for the public card system for mobile phones, 3) UICC (universal integrated circuit card) for the public identification card system.
Without the examination above, in order to store and use ID information or users information in tamper-resistant devices, it was necessary to develop and operate an application for mobile phones (hereinafter, mobile app) for each service provider. Also, users need to download and install separate mobile apps provided by service providers. In other words, both service providers and users face inconvenience when a tamper-resistant service is provided. For the purpose of creating an environment convenient for users and in which it is easy for the service providers to provide and operate, we examined technical specifications to realize the mobile access system.
In order to resolve the difficulties, we studied a system that both the users and service providers could commonly utilize. In other words, we studied the technical specifications of a mobile access system consisting of servers for storage and reading safely instead of each service provider and a mobile app utilized commonly for every service to store and use ID information in tamper- resistant devices. Further, verification by experimentation with technical specifications, the specification of issues in light of the institution and operation, and solutions to the issues are studied. In other words, the four following issues are studied.
The graphical explanation of this project outline is attached as Annex A.
Issue A: Examination of technical specifications for a mobile access system realizing online storage and use of ID information.
Issue B: Based on the examination results of issue A, the construction of an experimental environment, inspection of operability and user-friendliness from the viewpoint of both service providers and users, and verification of technologies.
Issue C: Based on the examination and verification results of issues A and B, the specification of possible issues in institutional and operational aspects when actually introducing the system, and deliberation on measures to solve the problems.
Issue D: Diffusion of results of the examination and verification of issues A to C in cooperation with appropriate standardization bodies in the study of the above issues.
The outcomes achieved in response to such issues are below.
Issue A: Multiple service providers which perform writing and reading of ID information into and from tamper-resistant devices have established technical specifications for a mobile access system composed of a common app by integrating a mobile access server that securely sends and receives ID information with a browser. With respect to ID information, established technical specifications for handling are not only e-certificates but optional information, such as other members’ IDs, ticket information, etc. with a common method. To be compatible with various access methods depending on service providers, established the technical specifications that permit a common method (common protocol /API) applicable to any of the public IC card system (IC card), public card system for mobile phones (flash memory type device) or Universal Integrated Circuit Card (UICC).
Issue B: Used a mobile access server and common app within mobile terminals examined in issue A, constructed a demonstrative environment assuming virtual service operated on them, conducted function evaluation, performance evaluation, and dialog evaluation. The function evaluation revealed that the system examined in issue A had sufficient functions. The performance evaluation achieved performance measurement of the operation of the system using two types of mobile terminals and confirmed that writing of ID information and point information in about 6 seconds was possible. The dialog evaluation consulted with service providers and users and confirmed the operability, effectiveness and usability of the mobile access system.
Issue C: Among services which require identification when accessing information with smartphones, and which are highly needed, chose the following applicable services: (1) support service for aged persons (nursing care), (2) computerization of administrative procedures (applying for a residence certificate, etc.), (3) computerization of tax payments, etc. Analysed impacts or the risks, based on the “Risk Evaluation of the online procedure and Electronic Signature and Authentication Guideline” (CIO liaison conference, August 31, 2010) with regard to security and the authentication level required in the application service. It is concluded that Level 4 for security and authentication is necessary. It is confirmed that the mobile access system satisfies Level 4 requirements. Extracted are issues in operational and institutional aspects of services when using smartphones, and revealed issues in operating the mobile access system.
Issue D: Established an Exploratory Committee consisting of leading companies in the related field, such as NTT DOCOMO, INC., KDDI Corporation, SOFTBANK MOBILE Corp., and e-Access Ltd., and an expert, Mr Satoru Tezuka (Tokyo University of Technology). The committee was held four times. The results of the examination and verification of issues A to C were discussed. In order to create guidelines, draft guidelines were input to ARIB MC Committee. Official guidelines will be published within this fiscal year.
Examples of the utilization image of mobile access systems are: (1) writing ID information for certificates to Android terminal-tamper resistant devices, (2) applying for a certificate with an Android terminal online, (3) holding an Android terminal over the ministerial kiosk terminal (multi copy machine) installed at convenience stores and administrative bodies to receive a printed certificate. Another example is (first, holding the user’s Android terminal over the Android terminal of an administrative officer or healthcare personnel, then, after authentication, the user’s information (history of diagnosis and prescription) is displayed on the Android terminal of the administrative officers or healthcare personnel.