Secure Authentication for the Development of Mobile Internet Services: Critical Considerations
December 2011, V1
Mobile Internet Security Working Group, SIMalliance
AGENDA
SIMalliance presentation
What's the problem?
Current solutions (software-based) and their limitations
 1. Login/Password
 2. OTP
 3. WPKI
Scope of the discussion
 - Mobile Internet services market segments and actors
 - Focus on user-centric security
SIMalliance answers with the Secure Element (4)
 - SE introduction, SE form factors and Open Mobile API
 - ShareZone Service Provider (SP) use case introduction
 4.1. SE distributed by the MNO (UICC)
 4.2. SE distributed by the SP (microSD)
 4.3. SE distributed by the OEM (eSE)
Who We Are
Security. Identity. Mobility
[Logos of members and strategic partners]
SIMalliance, Nov 2011
What We Do
SIMalliance supports secure mobile service creation, deployment and management by advancing interoperability and extending security across all devices that access wireless networks.
By anticipating and addressing the complex security, identity and mobility challenges of Internet convergence, SIMalliance provides industry partners with the blueprint for secure, interoperable mobile service creation, deployment and management, through:
- a series of Working Groups with the participation of Strategic Partners from the mobile services value chain
- cooperation with other industry organisations, e.g. ETSI, GSMA, GlobalPlatform
Security. Identity. Mobility. Since 2000
Expert Resources: Working Groups Program
Mobile Internet Security, Mobile Transactions, M2M, Consultative, Multi-Platform, Vertical Focus
- Promote the role of the SE in mobile applications & services
- Accelerate and facilitate the deployment of SE-based applications & services
Mobile Internet devices are vulnerable
[Chart; source: BullGuard 2011]
Mobile device users' data is vulnerable as well
[Chart]
Mobile Internet Security market (IDC 2010)

Segment | 2010 (million $) | 2015 (million $) | CAGR [%] 2010-2015
Mobile Threat Management (anti-virus, anti-malware, anti-spam, anti-spyware, firewall, intrusion detection and prevention) | 99 | 470 | 36.5
Mobile IP content (file, disk, application encryption, data loss prevention) | 78 | 460 | 42.5
Mobile VPN (infrastructure and clients for mobile devices) | 125 | 430 | 28.1
Mobile Identity Access Management (authentication, authorization (PKI, SSL, cert) and network access for mobile devices) | 44 | 225 | 38.8
Mobile Security Vulnerability Management (device wipe, lockdown, patching; password, policy and compliance management) | 40 | 190 | 36.5
Other mobile security (such as anti-theft, anti-fraud) | 20 | 75 | 29.8
TOTAL | 406 | 1850 | 35.4
Current authentication solutions
- Login/Password is the most used one but has very low security.
- One Time Password (OTP) is popular in the PC environment, but not well adapted to the mobile Internet.
- Wireless Public Key Infrastructure (WPKI) provides the most secure authentication framework, but presents a security flaw as long as a Secure Element is not used.
Scenario 1: Login/Password
The authentication is done through a login and password (username, password).
Possible security attacks & breaches:
- Login/password can be stolen at the client side
- Login/password can be stolen at the server side
Scenario 2A: OTP via SMS (generated at server side)
The OTP should come from a different device to add security.
1. The device providing the service (PC or mobile) requests an OTP from the server
2. The OTP server generates the OTP and sends it to the mobile via SMS
3. If the PC is used, the user enters the OTP in the PC. If the service is in the mobile, the password is entered in the mobile application.
Possible security attacks & breaches
Scenario 2B: OTP with OTP generator
The OTP should be generated in a different device to add security.
1. The OTP is generated within the mobile (OTP generating device)
2. If the PC provides the service, the user enters the OTP password in the PC. If the service is in the mobile, the password is entered in the mobile application. In both cases the password is sent to the server.
Possible security attacks & breaches
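As an added example (not part of the SIMalliance deck), the Go program below implements scenario 2B with the HOTP algorithm of RFC 4226: the generating device and the server share a secret and a moving counter, and the server accepts a password only once and only within a look-ahead window. The shared secret is the RFC 4226 test-vector value, and the user name, window size and the otpDevice/otpServer types are constructed for this illustration. It makes the deck's point concrete: both ends hold the same secret, so where that secret lives on the phone (ordinary app storage versus a Secure Element) is what decides whether a compromised device can clone the generator.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp computes an RFC 4226 one-time password: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation, then the last `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// otpDevice is the OTP-generating device of scenario 2B (constructed type):
// it holds the shared secret and a counter; each press yields a fresh password.
type otpDevice struct {
	secret  []byte
	counter uint64
}

func (d *otpDevice) next() string {
	code := hotp(d.secret, d.counter, 6)
	d.counter++
	return code
}

// otpServer (constructed type) holds the same secret per user plus the last
// counter it accepted. It tolerates the device running ahead by up to `window`
// presses but never accepts a counter it has already consumed, so an OTP that
// was captured in transit cannot be replayed.
type otpServer struct {
	secrets  map[string][]byte
	counters map[string]uint64
	window   uint64
}

func (s *otpServer) verify(user, code string) bool {
	secret, ok := s.secrets[user]
	if !ok {
		return false
	}
	start := s.counters[user]
	for c := start; c < start+s.window; c++ {
		if hmac.Equal([]byte(hotp(secret, c, 6)), []byte(code)) {
			s.counters[user] = c + 1 // resynchronise and consume this counter
			return true
		}
	}
	return false
}

func main() {
	// RFC 4226 test-vector secret; user name and window are constructed values.
	secret := []byte("12345678901234567890")
	dev := &otpDevice{secret: secret}
	srv := &otpServer{secrets: map[string][]byte{"alice": secret}, counters: map[string]uint64{}, window: 10}
	code := dev.next()
	fmt.Println("otp:", code, "first use:", srv.verify("alice", code), "replay:", srv.verify("alice", code))
}
```

The look-ahead window is the usual trade-off between usability (the user pressed the button a few times without logging in) and the number of candidate codes an attacker can guess against; the server must never search backwards, which is what the stored per-user counter enforces.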
Scenario 3: Identification, Authorization and Encryption (WPKI)
Credentials must be stored and the signature generated in a Secure Element.
1. The user provides his login information (username)
2. The SP signs the login request with the SP certificate and sends it to the user for signature (signature request)
3. When the SP signature is proved, the user enters his certificate-signing PIN (electronic signature)
4. The certificate is sent back to the SP and access is granted (signature services, certificates)
Possible security attacks & breaches
Scenario 4: Secure Element-based authentication
Secure Element (SE): a unique combination of
- tamper-resistant hardware
- security-optimised software
- manufactured in secure environments
- managed remotely
SE form factors:
- UICC (SIM): includes the application that authenticates the user in the network; distributed by MNOs
- Secure microSD: SE embedded in a microSD form factor and featuring large memory; distributed by the Service Provider
- Embedded Secure Element (eSE): SE embedded in the mobile at the time of manufacturing; distributed by the OEM
Scenario 4: Secure Elements, tools and actors
[Diagram: App, Open API*, MNO, OEM, FIs, PKI, TSM, ISP, GOV]
* JSR177 API exists for Java phones
The link between the Application and the SE: Open Mobile API
The Open Mobile API is a software interface on the phone that:
- adds the missing link between mobile applications and the Secure Elements
- provides access to all kinds of Secure Elements via a single interface
- is defined in an OS- and programming-language-agnostic way
[Diagram: Mobile Applications, Open Mobile API]
The link between the Service Provider and the SE: Trusted Service Manager (TSM)
- Why a TSM? To avoid the application issuer dealing with multiple entities, phones and OSs
- Which functions does a TSM provide? Activation, provisioning and lifecycle management
- What does a TSM manage? Credentials and applications stored on the various SEs
- Who could be the TSM? MNO, application issuer, personalisation bureau, 3rd party
Scope of our Working Group
[Diagram actors: MNO, SP, OEM]
- User-centric security (e.g. personal data, apps, web, cloud services)
- Corporate mobile security (e.g. secure email, intranet, SaaS)
- Content protection (e.g. mobile TV, GPS maps)
- Mobile transactions (e.g. mobile payment, peer-to-peer, money transfer)
- M2M
User-centric Security: the ShareZone SP use case
ShareZone is an over-the-top player that:
- provides a photo sharing service in the cloud
- wants to launch a mobile service too but is afraid of mobile security
- checks secured authentication options provided in the mobile Internet
* Source: Instagram, http://instagr.am/
User-centric Security: the SE distribution sub-models
- Sub-model 1: The SE is the UICC, owned by the MNO
- Sub-model 2: The SE is a microSD card, issued by the Service Provider
- Sub-model 3: The SE is embedded in the handset (eSE), distributed by the OEM
4.1: SE distributed by the MNO (UICC)
[Diagram: App, TSM (OTA), MNO, SP]
1. The SP signs agreements with MNOs
2. The user registers on the SP's website (or via the MNO)
3. The SP provides credentials to the MNO with the user's info
4. The MNO stores the credentials in the UICC through OTA/TSM
5. The app checks the UICC and sends the credentials to the SP
6. The SP verifies the credentials and grants access
4.2: SE distributed by the SP (direct issuance of microSD cards)
[Diagram: App, microSD, SP]
1. The user registers with the SP
2. The SP stores the user information
3. The SP delivers the microSD to the user
4. The SP app is installed on the device and accesses the microSD
5. The SP verifies the signature and grants access
4.3: SE distributed by the OEM (eSE)
[Diagram: App, eSE, TSM, SP]
1. The user registers with the SP (hardware ID)
2. The user downloads the ShareZone application
3. The TSM loads the user certificate in the eSE
4. The ShareZone app accesses the eSE
5. The SP verifies the certificate and grants access
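Scenario 3 (WPKI) and the three sub-models above all end in the same cryptographic exchange: the SP signs a login request, the user's key held in the SE signs it after PIN entry, and the SP verifies the result against the credential it registered at provisioning. The Go program below is an added example, not SIMalliance code; it uses Ed25519 from the Go standard library in place of the certificate-based WPKI the deck leaves unspecified, and the in-memory secureElement, serviceProvider and provision types, the PIN try limit of 3, the user name and PIN are all assumptions made for the illustration. It shows why the SE checks the SP's signature before signing anything (a request from another party gets no signature), why the challenge carries a fresh nonce (a captured response cannot be replayed), and that the private key never leaves the SE object.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

const maxPINFailures = 3 // assumed try limit; real SEs block the key after a few wrong PINs

// secureElement models the SE (UICC, secure microSD or eSE) of the deck:
// the private key never leaves it, and it signs only after the PIN is verified.
type secureElement struct {
	priv     ed25519.PrivateKey
	pin      []byte
	spPub    ed25519.PublicKey // SP public key pinned at provisioning (assumption)
	failures int
}

// sign is step 3 of scenario 3: verify the SP's signature on the request,
// check the user's PIN, then sign the request with the key held in the SE.
func (se *secureElement) sign(req, spSig, pin []byte) ([]byte, error) {
	if !ed25519.Verify(se.spPub, req, spSig) {
		return nil, errors.New("request not signed by the expected SP")
	}
	if se.failures >= maxPINFailures {
		return nil, errors.New("SE blocked after too many wrong PINs")
	}
	if subtle.ConstantTimeCompare(se.pin, pin) != 1 {
		se.failures++
		return nil, errors.New("wrong PIN")
	}
	se.failures = 0
	return ed25519.Sign(se.priv, req), nil
}

// serviceProvider models ShareZone's backend: a registry of user public keys
// (filled at registration/provisioning) and the challenges it has issued.
type serviceProvider struct {
	priv   ed25519.PrivateKey
	pub    ed25519.PublicKey
	users  map[string]ed25519.PublicKey
	nonces map[string][]byte // username -> outstanding challenge nonce
}

func newServiceProvider() *serviceProvider {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &serviceProvider{priv: priv, pub: pub, users: map[string]ed25519.PublicKey{}, nonces: map[string][]byte{}}
}

// loginRequest is step 2: the SP binds a fresh nonce to the username and signs it.
func (sp *serviceProvider) loginRequest(user string) (req, sig []byte, err error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	sp.nonces[user] = nonce
	req = append([]byte("login:"+user+":"), nonce...)
	return req, ed25519.Sign(sp.priv, req), nil
}

// verify is step 4: the SP checks that the returned request is the one it issued
// (fresh nonce, consumed on first use) and that the signature matches the key
// registered for the user.
func (sp *serviceProvider) verify(user string, req, userSig []byte) bool {
	nonce, ok := sp.nonces[user]
	if !ok {
		return false
	}
	delete(sp.nonces, user) // one-shot challenge: replaying the response fails
	expected := append([]byte("login:"+user+":"), nonce...)
	pub, registered := sp.users[user]
	return bytes.Equal(req, expected) && registered && ed25519.Verify(pub, req, userSig)
}

// provision models the TSM/MNO step of sub-models 4.1 and 4.3: the user's key
// pair is created inside the SE and only the public part reaches the SP.
func provision(sp *serviceProvider, user string, pin []byte) *secureElement {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sp.users[user] = pub
	return &secureElement{priv: priv, pin: pin, spPub: sp.pub}
}

// login runs the whole exchange from the app's point of view and reports
// whether the SP granted access.
func login(sp *serviceProvider, se *secureElement, user string, pin []byte) (bool, error) {
	req, spSig, err := sp.loginRequest(user)
	if err != nil {
		return false, err
	}
	userSig, err := se.sign(req, spSig, pin)
	if err != nil {
		return false, err
	}
	return sp.verify(user, req, userSig), nil
}

func main() {
	sp := newServiceProvider()
	se := provision(sp, "alice", []byte("1234")) // constructed user and PIN
	ok, err := login(sp, se, "alice", []byte("1234"))
	fmt.Println("correct PIN:", ok, err)
	ok, err = login(sp, se, "alice", []byte("0000"))
	fmt.Println("wrong PIN:", ok, err)
}
```

The two checks that a software-only implementation tends to lose are visible here: the SP-signature check inside the SE is what stops a rogue service from collecting user signatures, and the PIN try counter only means something when the attacker cannot reset it, which is the tamper-resistance argument of scenario 4.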
Sub-model comparison
The models are mainly characterised by who distributes and manages the SE.

 | UICC | Secure microSD | eSE
SE distribution | MNO | SP | OEM
SE management | MNO | SP | OEM or SP
ID provider | SP | SP | SP
ID registration | SP or MNO | SP | 
Number of services | Multi | Mono | Multi
App/Midlet distribution | SP | SP | SP, OEM or trusted 3rd party
Conclusion
- Security threats make the use of a Secure Element necessary to store and manage user credentials.
- The Secure Element provides convenient two-factor authentication to connected services, with improved security compared to other methods.
- The SIMalliance members propose different solutions tailored to each business case.
SIMalliance Resources & Events
- White papers, recommendations, specifications, tools, etc.
- SIMagine, the global competition recognising the very best in secure mobile application and service creation.
- SIMposium, a series of events showcasing new technologies, discussing emerging models and tackling key market challenges.
SEE YOU NEXT YEAR!
Thank you! Questions?