Secure Mobile Service-Oriented Architecture

University dissertation from Stockholm : KTH Royal Institute of Technology

Abstract: Mobile transactions have been in development for around ten years. More and more initiatives and efforts are invested in this area, resulting in dramatic and rapid development and deployment of mobile technologies and applications. However, there are still many issues that hinder wider deployment and acceptance of mobile systems, especially those handling serious and sensitive mobile transactions. One of the most important of them is security.

This dissertation is focused on security architecture for mobile environments. Research issues addressed in this dissertation are based on three currently important groups of problems: a) lack of an open, comprehensive, adaptable and secure infrastructure for mobile services and applications; b) lack of standardized solutions for secure mobile transactions, compliant with various regulatory and user requirements and applicable to different types of popular mobile devices and hardware/software mobile platforms; and c) resource limitations of mobile devices and mobile networks.

The main contribution of this dissertation is a large-scale, secure service-oriented architecture for mobile environments. The architecture structures secure mobile transaction systems into seven layers, called the trusted stack, which is equivalent to the ISO/OSI layered networking model. These layers are, starting from the bottom: 1) secure element (chip) layer, 2) applets layer, 3) middleware layer, 4) mobile applications layer, 5) communication layer, 6) services broker layer, and 7) mobile service provider layer. These seven layers include all necessary components required for implementation and operations of secure mobile transaction systems and therefore provide a framework for designing and implementing such systems.

Besides the architecture, four types of security services necessary and critical for serious mobile transactions have also been designed and described in the dissertation. These services are: (1) mobile registration and identity management; (2) mobile PKI; (3) mobile authentication and authorization; and (4) secure messaging. These services are lightweight, therefore suitable for mobile environments, technologies and applications, and also compliant with existing Internet security standards.

Finally, as the proof of correctness of the proposed concept and methodology, a prototype system was also developed based on the designed security architecture. The system provides the comprehensive security services mentioned above to several types of mobile service providers: mobile banking, mobile commerce, mobile ticketing, and mobile parking. These types of providers have been selected only as currently the most popular and representative, since the architecture is applicable to any other type of mobile service provider.
