
LEVERAGING UICC WITH OPEN MOBILE API FOR SECURE APPLICATIONS AND SERVICES


Presentation Transcript


  1. LEVERAGING UICC WITH OPEN MOBILE API FOR SECURE APPLICATIONS AND SERVICES
     Ran Zhou

  2. Motivation
     • Smartphones have become the handheld computer and the personal assistant
     • The growing market has attracted hackers, making the potential for serious security threats on smartphones a reality
     • UICC serves as the security anchor in mobile networks
     • GSM Association: the UICC is the strategically best alternative as a secure element for mobile devices [Sma09]
     • An interface is required to fill the gap between UICC applets and mobile applications

  3. Solution Idea
     • SIMalliance Open Mobile API: the communication channel
     • Dual Application Architecture: the basic architecture
     • An example: Smart OpenID

  4. Agenda
     • Motivation and Solution Idea
     • Basic Technologies
     • State of the Art
     • Smart OpenID
     • Implementation
     • Summary and Future Work

  5. Universal Integrated Circuit Card: UICC
     • The bearer of the subscriber’s identity in cellular networks
     • Secure element: secure storage, cryptographic functions
     • Secure channel: transmission between the UICC and the server with authenticity, integrity, confidentiality
     • Wireless PKI: mobile network operator owns root certificate, becomes a certificate authority

  6. Open Mobile API
     Open Mobile API is established by SIMalliance as an open API between the secure element and the mobile applications
     • Crypto
     • Authentication
     • Secure Storage
     • PKCS#15
     • …

  7. Open Mobile API

  8. Agenda
     • Motivation and Solution Idea
     • Basic Technologies
     • State of the Art
     • Smart OpenID
     • Implementation
     • Summary and Future Work

  9. State of the Art
     • Financial applications: online banking, contactless payment, ticket apps
     • Enterprise applications: secure email, ERP, Software as a Service
     • Content protection applications: digital rights management, secure documents
     • Authentication applications: generic bootstrapping architecture, public key infrastructure

  10. State of the Art
      • Malware: virus, Trojan horse, spyware
      • Eavesdropping: traffic (password) on the network
      • Man-in-the-middle: attacker manipulates the transmitted data
      • Replay attacks: valid data is maliciously repeated or delayed
      • Phishing: acquires data by masquerading as a trustworthy entity

  11. State of the Art
      • Private information is the main aim of the attacker, e.g., password, credit card number, etc.
      • Anti-malware, secure storage, digital certificate, transport layer security, authentication, etc.
      • Some countermeasures are unusual on smartphones
      • Existing protocols are vulnerable to different attacks

  12. Agenda
      • Motivation and Solution Idea
      • Basic Technologies
      • State of the Art
      • Smart OpenID
      • Implementation
      • Summary and Future Work

  13. OpenID
      [Diagram. Actors: User, Device, Relying Party, OpenID Provider. Labels:]
      • Association session: a shared symmetric key + association handle
      • Submit OpenID
      • Authentication response: signed with the shared key
      • User authentication

  14. Threats to OpenID
      • Malware: virus, Trojan horse, spyware
      • Eavesdropping: password on the network
      • Man-in-the-middle: attacker captures the transmitted password or authentication assertion, optionally alters it
      • Replay attacks: a valid authentication assertion is maliciously repeated
      • Phishing: acquires password by masquerading as an OP

  15. Smart OpenID: Concept
      • Authentication factor
        • something the user knows: password
        • something the user has: smart card
        • something the user is: fingerprint
      • Using UICC as credential
        • shares a long-term secret (LTS) with the server
        • derives a key from the LTS and a one-time password
        • PIN verification to activate the function

  16. Smart OpenID
      [Diagram. Actors: User, Relying Party, Network OpenID Provider, Local OP Provider = Mobile Application + UICC Applet. Labels:]
      • Submit OpenID
      • Association
      • Association handle
      • Association handle + derived key (symmetric)
      • Signed assertion (with same derived key)
      • Local authentication (with PIN)
      • Trust (long-term secret)

  17. Smart OpenID
      Long-term secret: 64 bytes
      Association handle: less than 255 bytes
      Key derivation function: PBKDF2
      • uses HMAC-SHA-1/HMAC-SHA-256 (hash-based message authentication code) as underlying algorithm
      • configurable iteration count and derived key length

  18. Security Analysis

  19. Security Analysis : Phishing
      Derived key: S = PBKDF2-HMAC-SHA-1(LTS, AH, 64, 64)

  20. Agenda
      • Motivation and Solution Idea
      • Basic Technologies
      • State of the Art
      • Smart OpenID
      • Implementation
      • Summary and Future Work

  21. Implementation
      • Platform
        • Android 2.3.5
        • Java Card UICC 2.2.1
      • Algorithms
        • key derivation function: PBKDF2-HMAC-SHA-1
        • signature: HMAC-SHA-1

  22. Demo

  23. Performance
      [Chart parameters] Iteration: 64 rounds; AH: 240 bytes; derived key length: 64 bytes

  24. Performance
      [Chart parameters] Derived key length: 64 bytes

  25. Agenda
      • Motivation and Solution Idea
      • Basic Technologies
      • State of the Art
      • Smart OpenID
      • Implementation
      • Summary and Future Work

  26. Summary
      • UICC as secure element on smartphones
      • Dual Application Architecture with Open Mobile API
      • Improve existing protocols with the UICC
      • Other usages:
        • Digital certificate
        • Wireless PKI
        • NFC payment
        • …

  27. Future Work
      • Smart OpenID with HMAC-SHA-256
      • Implementation of other applications

  28. Thank you! Questions?

  29. Bibliography
      [Sma09] SmartTrust. The role of SIM OTA and the mobile operator in the NFC environment, 4 2009.

  30. Smartphone
      • Mobile phone: voice communication and messaging
      • Feature phone: digital camera, gaming, music and video streaming
      • Smartphone: modern operating system, high-speed connectivity, third-party applications
      ...

  31. Access Control Module

  32. Security Analysis : Phishing

  33. Security Analysis : Phishing
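
The key derivation and signing from slides 17, 19 and 21, as an added example that is not part of the original presentation: both sides derive S from the long-term secret and the association handle, so an assertion signed for one association does not verify under another. It assumes LTS is the PBKDF2 password and AH the salt; the `LocalOP` class, the handles, the PIN and the assertion string are constructed for illustration.

```python
import hashlib
import hmac

ITERATIONS = 64   # slide 23: 64 rounds
DK_LEN = 64       # slide 23: derived key length in bytes


def derive_key(lts: bytes, assoc_handle: bytes) -> bytes:
    """S = PBKDF2-HMAC-SHA-1(LTS, AH, 64, 64); LTS as password, AH as salt (assumed)."""
    if len(lts) != 64:
        raise ValueError("long-term secret must be 64 bytes")
    if not 0 < len(assoc_handle) < 255:
        raise ValueError("association handle must be 1..254 bytes")
    return hashlib.pbkdf2_hmac("sha1", lts, assoc_handle, ITERATIONS, DK_LEN)


def sign(key: bytes, assertion: bytes) -> bytes:
    """HMAC-SHA-1 signature over the assertion (slide 21)."""
    return hmac.new(key, assertion, hashlib.sha1).digest()


def verify(key: bytes, assertion: bytes, signature: bytes) -> bool:
    """Relying-party check, using a constant-time comparison."""
    return hmac.compare_digest(sign(key, assertion), signature)


class LocalOP:
    """Hypothetical stand-in for mobile application + UICC applet; holds the LTS."""

    def __init__(self, lts: bytes, pin: str):
        self._lts, self._pin = lts, pin

    def assert_identity(self, pin: str, assoc_handle: bytes, assertion: bytes) -> bytes:
        # Slide 15: PIN verification activates the function.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("PIN verification failed")
        return sign(derive_key(self._lts, assoc_handle), assertion)


def demo() -> dict:
    lts = bytes(range(64))                                    # constructed secret
    ah_1, ah_2 = b"assoc-handle-0001", b"assoc-handle-0002"   # constructed handles
    assertion = b"openid.identity=https://op.example/alice"   # constructed assertion
    rp_key_1 = derive_key(lts, ah_1)   # network OP hands AH + S to the relying party
    rp_key_2 = derive_key(lts, ah_2)   # key of a later, different association
    sig = LocalOP(lts, "1234").assert_identity("1234", ah_1, assertion)
    return {
        "valid": verify(rp_key_1, assertion, sig),
        "tampered": verify(rp_key_1, assertion + b"&x=1", sig),
        "replayed_on_new_association": verify(rp_key_2, assertion, sig),
    }
```
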
