1 / 17

Leveraging UICC with Open Mobile API for Secure Applications and Services

Leveraging UICC with Open Mobile API for Secure Applications and Services. Ran Zhou. Introduction and Motivation. Until 2011, there were 6 billion mobile subscriptions (87% of the population) UICC serves as the security anchor in mobile telecom network

heman
Télécharger la présentation

Leveraging UICC with Open Mobile API for Secure Applications and Services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou

  2. Introduction and Motivation Until 2011, there were 6 billion mobile subscriptions (87% of the population) UICC serves as the security anchor in mobile telecom network Java Card make the UICC more powerful: digital signature, cryptography… UICC is an ideal module to enhance the security level of terminal application Interface is required to fill the gap between UICC applet and terminal application Open Mobile API is proposed to provide this interface A Dual Application Architecture together with the access control mechanism will be introduced As an example to be implemented: an UICC-based Local OpenID protocol will be considered in this thesis

  3. Agenda • Introduction and Motivation • Basic Technologies • UICC • SIMalliance Open Mobile API • OpenID • Concept of Local OpenID • Thesis Outline • Time Plan

  4. Universal Integrated Circuit Card:UICC ? • UICC is a smart card used in mobile terminals within telecom networks [1] • It provides • authentication • secure storage • crypto algorithms • … • Java Card as UICC can provide [2] • Hash functions: MD5, SHA-1, SHA-256 … • Signature functions: HMAC … • Public-key cryptography: RSA … • Symmetric-key cryptography: AES, DES … • …

  5. UICC – Related Technologies • Generic Bootstrapping Architecture (GBA) • Open Mobile API • Toolkit • Smart Card Web Server [3]

  6. Open Mobile API Open Mobile API is established by SIMalliance as an open API between the Secure Element and the Terminal Applications [4] • Crypto • Authentication • Secure Storage • PKCS#15 • … Open Mobile API

  7. Open Mobile API 3 Layers [5] • Transport Layer: using APDUs for accessing a Secure Element • Service Layer: provide a more abstract interface for functions on SE • Application Layer: represents the various applications using Open Mobile API Figure 1: Architecture overview

  8. Dual Application Architecture Terminal Application Open Mobile API Transport Layer Access ControlModule UICC Access ControlTable • NFC (Near Field Communication) services • Payment services • Ticketing services • Loyalty services (Kundenbindungsmaßnahmen) • ID Management services (e.g. Single Sign-On)

  9. OpenID Relying Parties Relying Party Submit OpenID Association Log-on Device User User authentication OpenID Provider

  10. OpenID Weakness[6] Phishing An “Identity System” without Trust: no authority can promise OpenID rzhou.myopenid.com is Ran Zhou Redirects Communication Overhead: lots of HTTP requests

  11. Concept: Local OpenID Server with UICC Phishing Sensitive data remains on UICC An “identity system” without Trust: no authority can promise OpenID rzhou.myopenid.com is Ran Zhou. Trusted Identity through Network Operator (contract) Redirects Local OpenID Server interface Communication Overhead: lots of HTTP requests Significantly reduced authentication traffic • Terminal part is developed by a project partner of Morpho • Integration of UICC is the main topic of this thesis

  12. Local OpenIDArchitecture Submit OpenID Association Handle Association Relying Parties Relying Party Association Handle + Derivated Key Signed Assertion (with same derivated key) Local authentication (with PIN) Local OP Provider = Mobile Application + UICC Applet User Network OpenID Provider Trust (Long-Term Secret)

  13. Contents • 1. INTRODUCTION • 1.1 Motivation • 1.2 Solution Idea • 1.3 Overview • 2. UICC AND JAVA CARD • 2.1 UICC • 2.2 Java Card • 2.2.1 Introduction • 2.2.2 Security and Crypto • 2.2.3 New Features in Java Card 3 • 2.3 Related Technologies • 2.3.1 SIM Toolkit • 2.3.2 Smart Card Web Server • 2.3.3 Generic Bootstrapping Architecture • 3. OPEN MOBILE API • 3.1 Introduction • 3.2 Fundamental Structure • 3.3 Use Pattern • 3.4 Access Control • 3.5 Application Scenario • 4. LOCAL OPENID • 4.1 OpenID Protocol • 4.1.1 Introduction • 4.1.2 Weakness of OpenID • 4.2 SAML Protocol • 4.2.1 Introduction • 4.2.2 Weakness of SAML

  14. Contents • 4.3 Local OpenID Protocol • 4.3.1 Introduction • 4.3.2 Architecture and Description • 4.3.3 Compare of OpenID, SAML and Local OpenID • 5. IMPLEMENTATION • 5.1 Platform • 5.1.1 Introduction of Android • 5.1.2 Android Security Management • 5.2 App on UICC • 5.2.1 Applet on UICC • 5.2.2 Algorithms and Functions • 5.2.3 Configuration of UICC • 5.2.4 PKCS15 Structure • 5.2.5 Implementation • 5.3 App on Android • 5.3.1 Functional Description • 5.3.2 Open Mobile API in Android • 5.3.3 Implementation • 5.4 Test • 5.4.1 Test Environment • 5.4.2 Test Procedure • 5.4.3 Test Result • 5.5 Weakness Analysis • 6. SUMMARY AND FUTURE WORK • 6.1 Summary • 6.2 Future Work

  15. Time plan Feb Nov Dec Jan Mar Apr May Jun Investigate and design 1st Implementation 2nd Implementation Test 1st Thesis 2nd Thesis Final Thesis

  16. Thanks! Questions?

  17. References [1]Rankl, W. (2oo8), Handbuch der Chipkarten, Carl Hanser Verlag München. [2] Sun Microsystems, I. (2006), 'Application Programming Interface Java Card™ Platform, Version 2.2.2'. [3] Wikipedia, t. f. e. (2012), 'Generic Bootstrapping Architecture'. [4] SIMalliance(2011), 'SIMalliance Open Mobile API An Introduction'. [5] SIMalliance (2011), 'Open Mobile API specification V2.02', SIMalliance. [6] van Delft, B. (2010), 'A Security Analysis of OpenID', IFIP Advances in Information and Communication Technology 343/2010, 73-84.

More Related