Leveraging UICC with Open Mobile API for Secure Applications and Services
Ran Zhou
Introduction and Motivation
• By 2011, there were 6 billion mobile subscriptions (87% of the population)
• UICC serves as the security anchor in the mobile telecom network
• Java Card makes the UICC more powerful: digital signature, cryptography…
• UICC is an ideal module to enhance the security level of terminal applications
• An interface is required to fill the gap between UICC applet and terminal application
• Open Mobile API is proposed to provide this interface
• A Dual Application Architecture together with the access control mechanism will be introduced
• As an example to be implemented, a UICC-based Local OpenID protocol will be considered in this thesis
[Figure: Local OpenID overview. Entities: OpenID Provider (Network Operator), Relying Parties, User, Device with Local OP Server. Relations: Association, Log-on, Trust (Long Term Secret), Local authentication.]
Agenda
• Introduction and Motivation
• Basic Technologies
  – UICC
  – SIMalliance Open Mobile API
  – OpenID
• Concept of Local OpenID
• Thesis Outline
• Time Plan
Universal Integrated Circuit Card: UICC
• UICC is a smart card used in mobile terminals within telecom networks [1]
• It provides authentication, secure storage, crypto algorithms …
• Java Card as UICC can provide [2]
  – Hash functions: MD5, SHA-1, SHA-256 …
  – Signature functions: HMAC …
  – Public-key cryptography: RSA …
  – Symmetric-key cryptography: AES, DES …
  – …
UICC – Related Technologies
• Toolkit
• Smart Card Web Server
• Generic Bootstrapping Architecture (GBA) [3]
• Open Mobile API
Open Mobile API
Open Mobile API is established by SIMalliance as an open API between the Secure Element and the Terminal Applications [4]
• Crypto
• Authentication
• Secure Storage
• PKCS#15
• …
Open Mobile API: 3 Layers [5]
• Transport Layer: uses APDUs for accessing a Secure Element
• Service Layer: provides a more abstract interface for functions on the SE
• Application Layer: represents the various applications using Open Mobile API
Figure 1: Architecture overview
Dual Application Architecture
• NFC (Near Field Communication) services
• Payment services
• Ticketing services
• Loyalty services (customer loyalty measures)
• ID Management services (e.g. Single Sign-On)
[Figure: Dual Application Architecture. Components: Terminal Application, Open Mobile API, Transport Layer, Access Control Module, Access Control Table, UICC.]
OpenID
[Figure: OpenID protocol flow. Entities: OpenID Provider, Relying Parties, User, Device. Steps: Submit OpenID, Association, User authentication, Log-on.]
OpenID Weakness [6]
• Phishing
• An “identity system” without trust: no authority can promise OpenID rzhou.myopenid.com is Ran Zhou
• Redirects
• Communication overhead: lots of HTTP requests
• Phishing → Sensitive data remains on UICC
• An “identity system” without trust: no authority can promise OpenID rzhou.myopenid.com is Ran Zhou → Trusted identity through Network Operator (contract)
• Redirects → Local OpenID Server interface
• Communication overhead: lots of HTTP requests → Significantly reduced authentication traffic
• Terminal part is developed by a project partner of Morpho
• Integration of UICC is the main topic of this thesis
Concept: Local OpenID Server with UICC
[Figure: Local OpenID Architecture. Entities: Network OpenID Provider, Relying Parties, User, Local OP Provider = Mobile Application + UICC Applet. Relations and messages: Trust (Long-Term Secret), Local authentication (with PIN), Submit OpenID, Association, Association Handle, Association Handle + Derived Key, Signed Assertion (with same derived key).]
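The exchange in the Local OpenID figure, as an added Python sketch that is not part of the original slides: the Network OP hands the Relying Party an association handle plus a derived key, and the UICC applet derives the same key from the long-term secret to sign the assertion after PIN verification. The HMAC-SHA256 key derivation, the three-try PIN counter, and all names (UiccApplet, derive_key, network_op_associate, rp_verify) are assumptions for illustration; the slides do not specify them.

```python
import hashlib
import hmac
import secrets

def derive_key(long_term_secret: bytes, assoc_handle: str) -> bytes:
    # Assumed KDF: HMAC-SHA256 over the handle (the slides only say "derived key").
    return hmac.new(long_term_secret, assoc_handle.encode(), hashlib.sha256).digest()

def network_op_associate(long_term_secret: bytes) -> tuple[str, bytes]:
    """Network OP side of "Association": the RP gets a handle and the derived key."""
    handle = secrets.token_hex(8)
    return handle, derive_key(long_term_secret, handle)

class UiccApplet:
    """Stand-in for the UICC applet: long-term secret and PIN never leave it."""
    MAX_TRIES = 3  # assumed retry limit

    def __init__(self, long_term_secret: bytes, pin: str):
        self._secret, self._pin = long_term_secret, pin
        self._tries_left, self._unlocked = self.MAX_TRIES, False

    def verify_pin(self, pin: str) -> bool:
        self._unlocked = False
        if self._tries_left == 0:  # blocked: even the correct PIN is refused
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left, self._unlocked = self.MAX_TRIES, True
        else:
            self._tries_left -= 1
        return self._unlocked

    def sign_assertion(self, assoc_handle: str, assertion: bytes) -> bytes:
        if not self._unlocked:
            raise PermissionError("local authentication (PIN) required")
        key = derive_key(self._secret, assoc_handle)  # same key the RP was given
        return hmac.new(key, assertion, hashlib.sha256).digest()

def rp_verify(derived_key: bytes, assertion: bytes, signature: bytes) -> bool:
    """Relying Party check: recompute the MAC with the key from the association."""
    expected = hmac.new(derived_key, assertion, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

if __name__ == "__main__":
    secret = bytes(range(32))                 # constructed long-term secret
    applet = UiccApplet(secret, pin="1234")   # constructed PIN
    handle, rp_key = network_op_associate(secret)
    assertion = f"claimed_id=https://id.example/alice&assoc_handle={handle}".encode()
    applet.verify_pin("1234")
    sig = applet.sign_assertion(handle, assertion)
    print(rp_verify(rp_key, assertion, sig), rp_verify(rp_key, assertion + b"x", sig))
```

The Relying Party never contacts the Network OP during log-on: the derived key from the association step is enough to check the locally signed assertion.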
Contents
1. INTRODUCTION
  1.1 Motivation
  1.2 Solution Idea
  1.3 Overview
2. UICC AND JAVA CARD
  2.1 UICC
  2.2 Java Card
    2.2.1 Introduction
    2.2.2 Security and Crypto
    2.2.3 New Features in Java Card 3
  2.3 Related Technologies
    2.3.1 SIM Toolkit
    2.3.2 Smart Card Web Server
    2.3.3 Generic Bootstrapping Architecture
3. OPEN MOBILE API
  3.1 Introduction
  3.2 Fundamental Structure
  3.3 Use Pattern
  3.4 Access Control
  3.5 Application Scenario
4. LOCAL OPENID
  4.1 OpenID Protocol
    4.1.1 Introduction
    4.1.2 Weakness of OpenID
  4.2 SAML Protocol
    4.2.1 Introduction
    4.2.2 Weakness of SAML
  4.3 Local OpenID Protocol
    4.3.1 Introduction
    4.3.2 Architecture and Description
    4.3.3 Comparison of OpenID, SAML and Local OpenID
5. IMPLEMENTATION
  5.1 Platform
    5.1.1 Introduction of Android
    5.1.2 Android Security Management
  5.2 App on UICC
    5.2.1 Applet on UICC
    5.2.2 Algorithms and Functions
    5.2.3 Configuration of UICC
    5.2.4 PKCS15 Structure
    5.2.5 Implementation
  5.3 App on Android
    5.3.1 Functional Description
    5.3.2 Open Mobile API in Android
    5.3.3 Implementation
  5.4 Test
    5.4.1 Test Environment
    5.4.2 Test Procedure
    5.4.3 Test Result
  5.5 Weakness Analysis
6. SUMMARY AND FUTURE WORK
  6.1 Summary
  6.2 Future Work
Time plan
[Gantt chart, Nov to Jun. Tasks: Investigate and design; 1st Implementation; 2nd Implementation; Test; 1st Thesis; 2nd Thesis; Final Thesis.]
Thanks! Questions?
References
[1] Rankl, W. (2008), Handbuch der Chipkarten, Carl Hanser Verlag München.
[2] Sun Microsystems, Inc. (2006), 'Application Programming Interface Java Card™ Platform, Version 2.2.2'.
[3] Wikipedia (2012), 'Generic Bootstrapping Architecture'.
[4] SIMalliance (2011), 'SIMalliance Open Mobile API An Introduction'.
[5] SIMalliance (2011), 'Open Mobile API specification V2.02', SIMalliance.
[6] van Delft, B. (2010), 'A Security Analysis of OpenID', IFIP Advances in Information and Communication Technology 343/2010, 73-84.