Download - Secure Element Access from a Web browser
Secure Element Access from a Web browser
W3C Workshop on Authentication, Hardware Tokens and Beyond
11 September 2014 1
Oberthur Technologies – Identity BU
JAVARY Bruno
11 September 2014 2
• 01. INTRODUCTION
Agenda
• 02. EXISTING : WHAT ARE THE DRAWBACKS
• 03. USE CASE : PIV
• 04. PERSPECTIVE AND PROPOSAL
11 September 2014 3
• 01. INTRODUCTION
Agenda
• 02. EXISTING : WHAT ARE THE DRAWBACKS
• 03. USE CASE : PIV
• 04. PERSPECTIVE AND PROPOSAL
History : OT experience
• June 20th 2013, London, Workshop on Web Applications and Secure Hardware
• July 2013 :
• October 15th 2013, Oberthur Technologies joins FIDO AllianceOT founding member of SIA
• November 2013 : Presentation of PIV for eSE on OT booth demonstrating eservices. “my voice is my password” winner in the Trusted internet/Authentication category
• February 24-27th 2013, Barcelona, GSMA Mobile World Congress : 1st worldwide demonstration of a FIDO authentication secured by the SIM
• March 2014 : Mobile ID study starts with dedicated workforce with objective : “Smartcard Access from Web Browser”
• Summer 2014, w3C call for papers, submission of position paper, result of internal study
4
for eSE finalist
POSITION SUMMARY
• To enable a common access for every single user to trusted services thanks to a secure element, the best candidate is the web browser
• By consequence HTML and JavaScript will be the standard to access a secure element
• Many examples already exist to access hardware o Video, webcam, geolocation, file systemo Thanks to evolutions of standards
11 September 2014 5
POSITION SUMMARY
• Authentication : o For Payment / Internet banking / Corporate network access / Social media o FIDO is an answer
• Access to cryptographic operations : « Secure Operations Execution »o Web crypto apio Issue : define use cases exhaustively
• Low level access to the secure element or hardware token o Access the closest possible to the hardwareo Close to sysapp considerations
11 September 2014 6
Several topics are to be considered
11 September 2014 7
• 01. INTRODUCTION
Agenda
• 02. EXISTING : WHAT ARE THE DRAWBACKS
• 03. USE CASE : PIV
• 04. PERSPECTIVE AND PROPOSAL
Middleware
• Software application that enhances the capacities of our computer applications by creating an abstraction layer
• Implements standard
• Good solution for a local use, it provides secure features established on standards in a controlled IT configuration. However it can’t be used as an online solution or in an opened device.
11 September 2014 8
EXISTING
Web browser extension
• Program integrated into a web browser and which provides new features• Can be : plug-in, java applet, ActiveX
• The only solution right now but many drawbacks :o Heterogeneity of methods to access Smart Cardo Security
Mobility
• Most of the apis are proprietary (eg OT Micro SD)
• There are some promising technologieso NFCo Open Mobile API
• These communications layers remain low level
• Middleware and web browser extensions do not fit in a mobile environment
11 September 2014 9
EXISTING
11 September 2014 10
• 01. INTRODUCTION
Agenda
• 02. EXISTING : WHAT ARE THE DRAWBACKS
• 03. USE CASE : PIV
• 04. PERSPECTIVE AND PROPOSAL
Definition
11 September 2014
PIV - PERSONAL IDENTITY VERIFICATION
Limitations
• US federal employee or contractor wears a PIV card defined by the National Institute of Standards and Technology (NIST).
• The card is required to enter a governmental building and to log on to computers (Physical and Logical Access Control).
• The federal employee can also sign emails or documents and authenticates to remote web sites in HTTPS.
• File decryption or signing must be done locally. In a world of cloud computing and “Software as a Service” it represents a real inconvenience.
• The agent must have an already configured PC or be granted with specific rights, which prevents from using devices “on the go” or “away from office” (in a hotel, an airport, at home).
• To use a Smartphone or a tablet, specific software and hardware (card reader) have to be set up.
11
11 September 2014 12
• 01. INTRODUCTION
Agenda
• 02. EXISTING : WHAT ARE THE DRAWBACKS
• 03. USE CASE : PIV
• 04. PERSPECTIVE AND PROPOSAL
Position
• As a solution provider, we would like to push the standardization of a JavaScript API which allows web browser to communicate with Smart Card
• Objective is to open trusted services with secure element to the mainstream market• In order to be implemented in all browsers and to ensure its liability, the API should be endorsed by
W3C.
11 September 2014 13
PROMOTE A STANDARDIZATION
Secure Element API
• This api is complete and well documented. It presents in details the technical background and use cases and gives a good visibility of Security, Permissions, Access Control and Conformance
• Security is at the heart of OT’s concerns; the proposed solution combines validation of the feature by the user and a specific access control mechanism
• The idea beyond is to propose a trusted access to a secure element from a service provider, preventing from unauthorized use.
Action Plan
• Identify a charter to carry the project
• Define use cases and for each of them demonstrate the impact and validate the consistency of the current proposal.
• Meeting all stakeholders interested in the subject, be aware of each of them interest and create a common basis of communication and strategy
• Establish interactions with other standardizations (eg Open Mobile API)
• Gather work forces to create a proof of concept and decline it to use cases examples (eg eServices)
11 September 2014 14
PERSPECTIVE
Let’s follow, jointly with all companies and associations sharing the same opinion and interest, action plan below:
Thank you for your attention
11 September 2014 15