mobile web security bootstrap on labs

Mobile Web Security Bootstrap A labs.ericsson.com enabler http://labs.ericsson.com/apis/mobile-web-security-bootstrap/

Upload: tor-bjoern-minde

Posted on 25-May-2015


DESCRIPTION

The SIM can be used not only for cellular access and connectivity, but also for securing mobile applications. Based on industry standards, the Mobile Web Security Bootstrap enabler allows developers to write application servers that establish a shared secret key between the application server and a mobile web client. The shared secret key can then be used to secure mobile applications that require, for example, authentication, confidentiality, integrity or single sign-on.

TRANSCRIPT

Page 1: Mobile Web Security Bootstrap On Labs

Mobile Web Security Bootstrap

A labs.ericsson.com enabler: http://labs.ericsson.com/apis/mobile-web-security-bootstrap/

Page 2: Mobile Web Security Bootstrap On Labs

Mobile Web Security Bootstrap

The SIM is commonly used for getting cellular access, mobile connectivity and access to some mobile services

The SIM's proven security features can also be used for securing any mobile web application

This enabler provides an API for establishing a secret key between mobile web clients and web applications

Page 3: Mobile Web Security Bootstrap On Labs

Why?

Security – As secure as the SIM

Standard – Based on an industry standard

Acceptance – Many standardized applications

Convenience – Transparent to users

Extensibility – Any application can exploit the SIM

Page 4: Mobile Web Security Bootstrap On Labs

Main Features

Based on the 3GPP industry standard Generic Bootstrapping Architecture (GBA)

Client and server Web/Java APIs available and documented with examples

HTTP interfaces

Soft client available, so that development can focus on the network side of the web application

Page 5: Mobile Web Security Bootstrap On Labs

Overview

(Diagram: the Mobile Web Client, made up of a Bootstrap Client and the client side of the Network Application, talks over HTTP to the Mobile Web Security Bootstrap (MWSB), whose Bootstrap Server is backed by a Subscriber Database, and over HTTP to the Network Application on the Mobile Web Application Server. The three links are labelled Ub, Ua and Zn.)

Ub interface – The Mobile Web Client uses the API to bootstrap a master secret key with the Bootstrap Server

Ua interface – The Mobile Web Client uses the API to derive an application-specific key from the master key and uses it towards the Mobile Web Application Server

Zn interface – The Mobile Web Application Server uses the API to obtain the corresponding application-specific key from the MWSB

At the end of the API transactions the client and the server share an application-specific secret key

Page 6: Mobile Web Security Bootstrap On Labs

Java Client API

Soft Client API provided so that development can focus on the server application

Example showing how to establish a shared key:

// Create soft client with user identity and permanent key
GbaClient softclient = new GbaClient(myID, myKey);
// Bootstrap the client to obtain the master key; btid is the handle that identifies it
String btid = softclient.bootstrap();
// Derive the application-specific key (Ks_NAF) to be shared with the application server
byte[] appKey = softclient.getKsNaf(app_Fqdn);
// Use the application key as the HTTP Digest credential towards the application server
boolean authResult = runUaHttpDigest(app_URL, btid, appKey);

Page 7: Mobile Web Security Bootstrap On Labs

Java Server API

API towards the mobile client and API towards the MWSB

Servlet example showing how to establish a shared key:

// Application Servlet doGet()
// Create application context with the Labs authorization API key
GbaNaf app = new GbaNaf(myFqdn, myApiKey);
// Parse the GET Authorization header and fetch the btid (key handle) from its username field
Authorization authz = Authorization.parse(authorizationHeader);
String btid = authz.getUsername();
// Obtain the application-specific key to be shared with the client (looked up by btid over Zn)
byte[] appKey = app.getKsNaf(btid);
// Use the shared key to verify the mobile client's Digest response
Digest.verify(authz, appKey);
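The whole exchange that the Overview and the two API pages describe, as an added Python simulation that is not part of the Ericsson Labs enabler or its Java API: a bootstrap server (the BSF role of the MWSB) issues the master key Ks and the B-TID handle over Ub, the client derives the application-specific key Ks_NAF for the application server's FQDN, uses it as the HTTP Digest password with the B-TID as the username over Ua, and the application server fetches the same Ks_NAF over Zn by B-TID to verify the Digest response. The key derivation follows the GBA_ME KDF of 3GPP TS 33.220 Annex B; the Ua protocol identifier octets, the realm format, every name, FQDN and IMPI, and the random values are assumptions or constructed test values, and the BSF handing Ks to the client directly stands in for the AKA run against the SIM. The example also shows two things the slides only imply: a replayed Authorization header is rejected, and a key derived for a different server's FQDN is useless at this one.

```python
import base64, hashlib, hmac, os, re, struct

# Ua security protocol identifier for HTTP Digest (TS 33.220 Annex H); octets assumed here.
UA_PROTO_HTTP_DIGEST = bytes([0x01, 0x00, 0x00, 0x00, 0x02])

def gba_kdf(ks, rand, impi, naf_id):
    # GBA_ME KDF of TS 33.220 Annex B: Ks_NAF = HMAC-SHA-256(Ks, FC || P0 || L0 || ... || P3 || L3)
    # with FC = 0x01, P0 = "gba-me", P1 = RAND, P2 = IMPI, P3 = NAF_Id, Li = 2-octet length of Pi.
    s = b"\x01"
    for p in (b"gba-me", rand, impi.encode(), naf_id):
        s += p + struct.pack(">H", len(p))
    return hmac.new(ks, s, hashlib.sha256).digest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # RFC 2617 Digest response with qop=auth (MD5 is what HTTP Digest specifies).
    md5 = lambda t: hashlib.md5(t.encode()).hexdigest()
    ha1, ha2 = md5(f"{user}:{realm}:{password}"), md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def parse_authorization(header):
    # Split 'Digest k="v", k=v, ...' into a dict; stands in for Authorization.parse().
    if not header.startswith("Digest "):
        return {}  # wrong scheme: nothing to verify
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[7:])
    return {k: q if q else b for k, q, b in pairs}

class BootstrapServer:  # MWSB bootstrap server (BSF): Ks and B-TID over Ub, Ks_NAF over Zn
    def __init__(self, domain="bsf.example.net"):  # constructed domain
        self.domain, self.sessions = domain, {}  # B-TID -> (Ks, RAND, IMPI)
    def bootstrap(self, impi):
        # Real Ub runs AKA with the SIM and Ks = CK || IK; random stand-ins here.
        rand, ks = os.urandom(16), os.urandom(32)
        btid = base64.b64encode(rand).decode() + "@" + self.domain
        self.sessions[btid] = (ks, rand, impi)
        return btid, ks, rand
    def zn_get_ks_naf(self, btid, naf_id):
        # Zn: an app server learns only the key bound to its own NAF_Id, never Ks itself.
        if btid not in self.sessions:
            return None
        ks, rand, impi = self.sessions[btid]
        return gba_kdf(ks, rand, impi, naf_id)

class MobileWebClient:  # soft client: bootstrap(), getKsNaf() and the Ua HTTP Digest step
    def __init__(self, impi, bsf):
        self.impi, self.bsf = impi, bsf
        self.btid = self.ks = self.rand = None
    def bootstrap(self):
        self.btid, self.ks, self.rand = self.bsf.bootstrap(self.impi)
        return self.btid
    def get_ks_naf(self, naf_fqdn):
        # NAF_Id = FQDN || Ua protocol id, so the key is bound to one server and one protocol.
        return gba_kdf(self.ks, self.rand, self.impi, naf_fqdn.encode() + UA_PROTO_HTTP_DIGEST)
    def digest_authorization(self, naf_fqdn, method, uri, nonce):
        # Username is the B-TID (key handle), password is base64(Ks_NAF); realm format assumed.
        password = base64.b64encode(self.get_ks_naf(naf_fqdn)).decode()
        realm, nc, cnonce = f"3GPP-bootstrapping@{naf_fqdn}", "00000001", os.urandom(8).hex()
        resp = digest_response(self.btid, realm, password, method, uri, nonce, nc, cnonce)
        return (f'Digest username="{self.btid}", realm="{realm}", nonce="{nonce}", '
                f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

class AppServer:  # Mobile Web Application Server (NAF): issue a nonce, verify via a Zn lookup
    def __init__(self, fqdn, bsf):
        self.fqdn, self.bsf, self.nonces = fqdn, bsf, set()
    def challenge(self):
        nonce = os.urandom(16).hex()
        self.nonces.add(nonce)
        return nonce
    def verify(self, method, uri, authorization_header):
        a = parse_authorization(authorization_header)
        if a.get("nonce") not in self.nonces:
            return False  # unknown or already used nonce: replay rejected
        self.nonces.discard(a["nonce"])
        if a.get("realm") != f"3GPP-bootstrapping@{self.fqdn}" or a.get("uri") != uri:
            return False
        ks_naf = self.bsf.zn_get_ks_naf(a.get("username"), self.fqdn.encode() + UA_PROTO_HTTP_DIGEST)
        if ks_naf is None:
            return False  # B-TID unknown to the BSF (expired or forged)
        password = base64.b64encode(ks_naf).decode()
        expected = digest_response(a["username"], a["realm"], password, method, uri,
                                   a["nonce"], a.get("nc", ""), a.get("cnonce", ""))
        return hmac.compare_digest(expected, a.get("response", ""))

def demo():
    # Full exchange, then a replay and a key derived for another server; returns the checks.
    bsf = BootstrapServer()
    client = MobileWebClient("user@ims.example.net", bsf)  # constructed IMPI
    client.bootstrap()
    app = AppServer("app.example.com", bsf)
    hdr = client.digest_authorization("app.example.com", "GET", "/secure", app.challenge())
    results = {"auth_ok": app.verify("GET", "/secure", hdr)}
    results["replay_rejected"] = not app.verify("GET", "/secure", hdr)
    wrong = client.digest_authorization("other.example.com", "GET", "/secure", app.challenge())
    results["cross_naf_rejected"] = not app.verify("GET", "/secure", wrong)
    results["keys_separated"] = client.get_ks_naf("app.example.com") != client.get_ks_naf("other.example.com")
    return results

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real deployment of the enabler: the application server never sees Ks, only the Ks_NAF bound to its own FQDN and Ua protocol, so a compromised application server cannot impersonate the client elsewhere; and the B-TID in the Digest username is only a handle, so the server must still consume its nonce once and compare the response in constant time, as verify() does.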

Page 8: Mobile Web Security Bootstrap On Labs

Possible applications

Authentication

Identity Management

Single Sign On

Confidentiality

Integrity

Key Management
