Secure Authentication for the Development of Mobile Internet Services Critical Considerations

Transcription

1 Secure Authentication for the Development of Mobile Internet Services Critical Considerations December 2011 V1 Mobile Internet Security Working Group, SIMalliance

2 AGENDA SIMalliance presentation What s the problem? Current solutions (software-based) and their limitations Login/Password (1) OTP (2) WPKI (3) Scope of the discussion Mobile Internet services market segments and actors Focus on User Centric security SIMalliance anwers with the Secure Element (4) SE Introduction, SE form factors and Open Mobile API ShareZone Service Provider (SP) use case introduction 4.1.SE distributed by the MNO (UICC) 4.2.SE distributed by the SP (microsd) 4.3.SE distributed by the OEM (ese) 2

3 Who We Are Security. Identity. Mobility MEMBERS STRATEGIC PARTNERS SIMalliance Nov

4 What We Do SIMalliance supports secure mobile service creation, deployment and management by advancing interoperability and extending security across all devices that access wireless networks By anticipating and addressing the complex Security, Identity and Mobility challenges of Internet convergence, SIMalliance provides industry partners with the BLUEPRINT for secure, interoperable mobile service creation, deployment and management, through A series of Working Group with the participation of Strategic Partners from the mobile services value chain Cooperation with other Industry Organisations i.e. ETSI, GSMA, GlobalPlatform, etc Security. Identity. Mobility Since

5 Expert Resource s Working Groups Program Mobile Internet Security Mobile Transactions M2M Consultative Multi-Platform Vertical Focus - Promote the role of the SE in mobile applications & services - Accelerate and facilitate the deployment of SE-based applications & services

6 Mobile Internet Devices are vulnerable Source:Bullguard

7 Mobile Devices Users data vulnerable as well 7

8 Mobile Internet Security market (IDC 2010) Segment 2010 (million $) Mobile Threat Management (anti-virus, antimalware, anti-spam, anti-spyware, firewall, intrusion detection and prevention) Mobile IP content (file, disk application encryption, data loss prevention) 2015 (million $) CAGR [%] Mobile VPN (infra and clients for mobile devices) Mobile Identity Access Management (authentication, authorization (PKI, SSL, cert) and network access for mobile devices) Mobile Security Vulnerability Management (device wipe, lockdown, patching; password, policy and compliance management) Other mobile security (such as anti-theft, antifraud) TOTAL

9 Current authentication solutions Login/Password is the most used one but has very low security. One Time Password (OTP) is popular in the PC environment, but not well adapted to to the mobile internet. Wireless Public Key Infrastructure (WPKI) provides the most secured authentication framework, but presents security flaw as as long as a Secure Element is not used. 9

10 Login Password Scenario 1: Login/ Password Username Password Login/passwor d can be stolen at the client side The authentication is done through a login & Password Login/passwor d can be stolen at the server side Possible security attacks & breaches 10

11 Username Scenario 2A: OTP via SMS (generated at server side) Username Password 3 1 OTP The OTP should come from a different device to add security 2 OTP Via SMS 1: The device providing the service (PC or mobile) requests an OTP to the server 2: The OTP server generates the OTP and sends it to the mobile 3: If the PC is used, the user enters the OTP in the PC. If service is in the mobile, password is entered in the mobile application. Possible security attacks & breaches 11

12 Username Scenario 2B: OTP with OTP generator Username Password OTP OTP generating device The OTP should be generated in a different device to add security 1: The OT is generated within the mobile 2: If the PC provides the service, the user enters the OTP password in the PC. If service is in the mobile, password is entered in the mobile application. In both cases the password is sent to the server. Possible security attacks & breaches 12

13 Username Pin Credentials must be stored and signature generated in a Secure Element 3 PIN Scenario 3: Identification, Authorization and Encryption (WPKI) Login Request 2 Electronic Signature 1: User provides his Login information 1 Signature Request 4 Username Signature Services Certificates 2: SP signs request with SP certificate and sends to user for signature 3: When the SP signature is proved, the user enters its certificate signing PIN. 4: The certificate is sent back to the SP, access is granted. Possible security attacks & breaches 13

14 Scenario 4: Secure Elementbased authentication Secure Element (SE) Unique combination of: Temper resistant hardware Security optimized Software Manufactured in secure environments Managed remotely UICC (SIM) Includes the application that authenticates the user in the network Distributed by MNOs Secure MicroSD SE embedded in µsd form factor and featuring large memory Distributed by the Service Provider Embedded Secure Element (ese) SE embedded in the mobile at the time of manufacturing Distributed by the OEM 14

15 App Scenario 4: Secure Elements, tools and Actors MNO Open API* FIs OEM PKI TSM ISP GOV * JSR177 API exists for Java phones 15

16 The link between the Application and the SE: Open Mobile API The Open Mobile API is a software interface on the phone that Adds the missing link between mobile applications and the Secure Elements Provides access to all kinds of Secure Elements via a single interface Mobile Applications Open Mobile API Defined in an OS and programming language agnostic way 16

17 The link between the Service Provider and the SE: Trusted Service Manager (TSM) Why a TSM? Avoid application issuer dealing with multiple entities, phones, OS Which functions does a TSM provide? Activation, provisioning and lifecycle management What does a TSM manage? Credentials and applications stored on the various SE s Who could be the TSM? MNO, application issuer, personalization bureau, 3th party 17

18 MNO Scope of our WorkGroup User centric security (eg. personal data, Apps, web, cloud services Corporate mobile security (eg.secure , intranet, SaaS,) Content protection (eg.mobile TV, GPS Maps) Mobile transactions (eg. Mobile payment, peer-to-peer, money transfer M2M SP OEM 18

19 User- centric Security The ShareZone SP use case ShareZone is an over the top player Provides a photo sharing service in the cloud Wants to launch a mobile service too but is afraid of mobile security Checks secured authentication options provided in mobile internet * Source Instagram 19

20 User- centric Security the SE distribution sub-models Sub-model 1: The SE is the UICC, owned by the MNO Sub-model 2: The SE is a microsd card, issued by the Service Provider Sub-model 3: The SE is embedded in the handset (ese), distributed by the OEM 20

21 5 4.1: SE distributed by the MNO (UICC) App TSM (OTA) MNO 6 MNO 2 MNO 1. SP signs agreements with MNOs 2. User registers in SP s website (or via MNO) 3.SP provides credentials to MNO with user s info 4.MNO stores credentials in UICC through OTA/TSM 5.App checks UICC and sends credentials to SP 6.SP verifies credentials and grants access 21

22 4.2. SE distributed by SP (Direct issuance of microsd cards) 1 App The user registers with SP 2. SP stores user information 3. SP delivers microsd to the user 4. SP App is installed on the device and accesses microsd 5. SP verifies signature and grants access 22

23 4.3: SE distributed by OEM (ese) App TSM 1. The user registers with SP (Hardware ID) 2. The user downloads ShareZone Application 3. TSM loads user certificate in ese 4. ShareZone App accesses ese 5. SP verifies certificate and grants access 23

24 Sub-model comparison The models are mainly characterized by who distributes and manages the SE UICC Secure microsd ese SE distribution MNO SP OEM SE management MNO SP OEM or SP ID provider SP SP SP ID registration SP or MNO SP Number or services Multi Mono Multi App/Middlet distribution SP SP SP OEM or trusted 3th party 24

25 Conclusion Security threats make the use of a Secure Element necessary to store and manage user credential. The Secure Element provides convenient two-factor authentication to connected services, with improved security compared to other methods The SIMalliance members propose different solutions tailored to each business case 25

26 SIMalliance Resources & Events White papers, recommendations, specifications, tools etc. SIMagine, the global competition recognising the very best in secure mobile application and service creation. SIMposium, a series of events showcasing new technologies, discussing emerging models and tackling key market challenges. 26

27 SEE YOU NEXT YEAR!

28 Thank you! Questions?