Identification and digital signing are protected by high-level security technology and respective PIN-codes. The mobile phone acts simultaneously as an e-signature smart card (e-İmza card) and a card reader.
Asan İmza (Mobile ID) is issued in accordance with digital signature law, and the information-technology and organizational requirements observed are as strict as those in place for issuing e-signature smart cards (e-İmza cards).
With Asan İmza (Mobile ID), there are no password databases to hack or breach. The ID always travels with the user and is not stored in a remote database. Moreover, Asan İmza is the only safe solution for mobile digital signature in Azerbaijan.
At present there are three main types of mobile digital signature solution: server-based, smartphone-based and SIM-based systems.
Server-based systems are the simplest. All the signing keys are kept on a large signing server that is maintained by a third party. To sign a document, the user sends the server an SMS containing the password. If the password matches, the server signs the document. This system works with all phones and is very cheap to set up. On the other hand, it is also very insecure. The password is sent in plaintext! The user has very little control over the private key, and in many countries it is not possible to use this solution for the qualified signatures that are required for communication with governmental organizations.
Smartphone-based systems use a special app on the phone itself to maintain the keys and to sign. The practical security of such a system is a little better than in the previous case, but it is diminishing, because there is more and more malware for smartphones, especially for Android-based devices. Because the private keys are not protected by hardware means, it is not possible to certify this solution according to ISO 15408 (Common Criteria) and achieve the security level EAL4+ that is needed for qualified certificates that can be used by governmental organizations. Therefore this technology may not be used by governmental officials or for communication with government. Finally, the solution requires the user to have a smartphone. While smartphones are becoming more common, this can still be seen as an unnecessary barrier to the implementation of such an important service as a digital signature.
Asan İmza belongs to the SIM-based solutions, which are the best, because they are easily available in most phones and are very secure, in most cases surpassing the required EAL4+ level and sometimes going as high as EAL5+. In those systems the signing keys are stored in the secure SIM card that is installed in the phone. The keys are protected by separate PIN codes and the user has total control over the keys. Therefore the requirements of the law are satisfied and this solution can be used for governmental communication. All the digital-signature-specific knowledge is encapsulated within the SIM card and can be used with all phones, both simple ones and smartphones. This system is more complex to deploy, because the mobile operators must also be involved, but its other good properties more than outweigh that.