ISO/IEC 24727 for secure mobile web applications



Similar documents
Using ISO/IEC for mobile devices

How to Use ISO/IEC with Arbitrary Smart Cards

Landscape of eid in Europe in 2013

An Open ecard Plug-in for accessing the German national Personal Health Record

Identity Management Initiatives in identity management and emerging standards Presented to Fondazione Ugo Bordoni Rome, Italy

Electronic Citizen Identities and Strong Authentication

Global eid Developments. Detlef Eckert Chief Security Advisor Microsoft Europe, Middle East, and Africa

Proposed Framework for an Interoperable Electronic Identity Management System

Smartcards with Webservice Interface

Statewatch Briefing ID Cards in the EU: Current state of play

Position Paper European Citizen Card: One Pillar of Interoperable eid Success

e-sens Electronic Simple European Networked Services Rome,

An Open Source eid Simulator Open Identity Summit 9th -11th September 2013

BiSPI Conformance Testing

Technical Guideline TR ecard-api-framework Overview. Version draft

eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke

Server based signature service. Overview

Sicherheitsaspekte des neuen deutschen Personalausweises

E-Identification and Authentication practices for ehealth in the EU Member States

Hungarian Electronic Public Administration Interoperability Framework (MEKIK) Technical Standards Catalogue

Taking down digital barriers to cross- border business

Your Mobile Phone as a Ticket (NFC)

Caught in the Maze of Security Standards

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

Communication between contactless readers and fare media

Chytré karty opět o rok dál...

Using mobile phones to access Web Services in a secure way. Dan Marinescu

Standardizing contactless communication between ticketing equipment and fare media Transport Ticketing 2014

Technical Guideline TR ecard-api-framework Protocols. Version 1.1.5

Overview of the key figures for the first nine months

White Paper: OSGi-based E-Health / Assisted Living

The Austrian Citizen Card

Technical Guideline TR eid-client Part 1: Specifications

OVERCOMING CHANNEL BANDWIDTH CONSTRAINTS IN SECURE SIM APPLICATIONS

Biometrics for Public Sector Applications

Biometrics for public sector applications

International Compliance

Java Card. Smartcards. Demos. . p.1/30

EN ISO Safety of machinery Risk assessment. Sicherheit von Maschinen Risikobeurteilung Teil 1: Leitsätze (ISO :2007)

Java ME & NetBeans Mobility. Petr Suchomel Architect, NetBeans Mobility Sun Microsystems

A Secure and Open Solution for Seamless Transit Systems

Loyalty Systems over Near Field Communication (NFC)

How To Control A Record System

Smart Cards for Future Healthcare Systems. Secure, efficient, reliable

A KIND OF IMPLEMENT ABOUT MOBILE SIGNATURE SERVICE BASED ON MOBILE TELEPHONE TERMINAL

Using the W3C WebCrypto API for Document Signing

Touch & Travel a SIM-based eticketing System

Network-based Access Control

NFC Mobile Handset High Level Requirements V2

Mobile ID: Realization of Mobile Identity Solutions by GlobalPlatform Technologies. White Paper November 2015

White Paper. Bearer Independent Protocol (BIP)

A Comparison of Mobile Peer-to-peer File-sharing Clients

<Insert Picture Here> Oracle Security Developer Tools (OSDT) August 2008

Secure Cloud Identity Wallet

Smartcard Web Server Enabler Architecture

Common requirements and recommendations on interoperable media and multi-application management

Framework for the Development of Environmental Risk Management Services According to the ORCHESTRA Architecture

SECURE AND EFFICIENT PROCESSING OF ELECTRONIC DOCUMENTS IN THE CLOUD

A Survey of Electronic Signature Development in Mobile Devices

1. Fault Attacks for Virtual Machines in Embedded Platforms. Supervisor: Dr Konstantinos Markantonakis,

Applying the NFC Secure Element in Mobile Identity Apps. RANDY VANDERHOOF Executive Director Smart Card Alliance

Mobile-PC Suite: Using Mobile Phone as Remote to Control PC Operations

M2M Connectivity T: W:

Conformance test specification for BSI-TR Biometrics for public sector applications

Mobility Solutions in IBM

Defending the Internet of Things

Security Issues in Cross-border Electronic Authentication

A proposal for a payment system for public transport based on the ubiquitous paradigm

UPnP Control Point for Mobile Phones in Residential Networks

How To Protect Your Network From Attack

Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved

International Mobile Phone Top Up For Consumers & Merchants

Government Smart Card Interoperability Specification

Banking. Extending Value to Customers. KONA Banking product matrix. is leading the next generation of payment solutions.

Significance of Tokenization in Promoting Cloud Based Secure Elements

Case Studies. National Identity Management Commission (NIMC), Nigeria eid Consulting for national ID system

COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES

Modular biometric architecture with secunet biomiddle

TOWARDS A MODULAR ARCHITECTURE FOR ADAPTABLE SIGNATURE-VERIFICATION TOOLS

Secure Signature Creation Device Protect & Sign Personal Signature, version 4.1

ETSI TS V1.1.1 ( ) Technical Specification

Mobile Devices and Web Services

Best Solutions for Biometrics and eid

Technical Guideline BSI TR Requirements for Smart Card Readers Supporting eid and esign Based on Extended Access Control

How To Use The Smart Cities Smart Contactless Framework

Identity - Privacy - Security

PKI - current and future

BSI-PP for. Protection Profile Secure Signature-Creation Device Type 1, Version developed by

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

A secure, economic infrastructure for signing of web based documents and financial affairs Overview of a server based, customer-friendly approach.

3GPP TSG SA WG3 Security S3#30 S October 2003 Povoa de Varzim, Portugal. Abstract

STANDARDISIERUNG FÜR EIDAS IM MANDATE/460

Payment Mechanism of E-commerce and Application of the certificate. Antonius Sommer, CEO TÜViT GmbH

Transaction Security. Advisory Services

Mobile Financial Services Business Ecosystem Scenarios & Consequences. Summary Document. Edited By. Juha Risikko & Bishwajit Choudhary

Preventing fraud in epassports and eids

Android pay. Frequently asked questions

ISO The international IT security standard. Marcel Weinand / Marcel Weinand

10. European Union. (a) Past trends

E-Signatures and E-Procurement

Transcription:

ISO/IEC 24727 for secure mobile web applications Jan Eichholz 1 Detlef Houdeau 2 Detlef Hühnlein 3 Manuel Bach 4 1 Giesecke & Devrient GmbH, jan.eichholz@gi-de.com 2 Infineon Technologies AG, detlef.houdeau@infineon.com 3 secunet Security Networks AG, detlef.huehnlein@secunet.com 4 Bundesamt für Sicherheit in der Informationstechnik, manuel.bach@bsi.bund.de Abstract: While the ISO/IEC 24727 series of standards [ISO24727] initially were meant to define architectures and application programming interfaces for electronic identity cards (eid) only, it has become clear in the mean time that the web service based architecture is powerful enough to serve arbitrary web applications and security tokens. As there are already many initiatives around the globe (e.g. in the USA, Australia and Europe) which are about to use this standard in major eid-projects, it may be expected, that this standard will provide a major contribution for global eid interoperability and will become widely adopted in near future. On the other hand there is an ever increasing trend for mobility and the ubiquitous use of portable devices as well as first national eid-projects, which support mobile devices such as PDAs, Netbooks and mobile phones. Therefore it is natural to investigate how ISO/IEC 24727 may be used with mobile devices. The present contribution provides a brief overview of this standard and discusses different options for using this standard to develop secure mobile web applications. Furthermore it emphasizes the interrelationships between secure tokens, mobile devices and internet-based e-government services. 1 Introduction Against the background of the US Government Smart Card Interoperability Specification [NIST-GSCIS] and the activities around the Personal Identity Verification (PIV) program [NIST-PIV] the National Institute of Standards and Technology (NIST) initiated the development of the ISO/IEC 24727 series of standards (cf. [ISO24727], [NIST-SMP]) which defines architectures and application programming interfaces for electronic identity cards (eid). This standard will also be adopted by the Australian Government (cf. [AGIMO-AGSF]) and it forms the basis of the European Citizen Card Application Interface specification [CEN15480] and the German ecard-api-framework [BSI-TR03112]. Therefore it may be expected, that ISO/IEC 24727 will play a major role in global eid interoperability and will become widely adopted in near future, as it captures government employee (e.g. in the U.S., PIV) as well as ehealth and other eidbased citizen services (e.g. Australia and Europe). On the other hand there is an ever increasing trend for mobility and the ubiquitous use of portable devices (cf. [WCIS], [MC07]) and first national eid-projects are supporting portable devices (cf. [A-SIT-ACC], [B-WPKI-F]). Therefore it is natural to investigate how ISO/IEC 24727 may be used with mobile devices.

The present contribution provides in Section 2 a brief overview of the ISO/IEC 24727 architecture and discusses in Section 3 different options for using this standard in a mobile environment. Section 4 will provide a brief overview about the status of major eid-projects in Europe and Section 5 summarizes the main aspects of the present contribution and draws conclusions. 2 ISO/IEC 24727 in a nutshell The architecture defined in Part 1 of [ISO24727] assumes that a Client Application uses the functionality of cryptographic tokens using the Service Access Interface defined in Part 3 of the standard series. This interface comprises generic functions which allow to establish (cryptographically protected) connections to card-applications, manage those card-applications, store and retrieve data, perform cryptographic operations, manage the related key material (so called Differential-Identities (DID)) and manage access rights for data, keys and services provided by card-applications. The Service Access Layer (SAL) maps the generic requests at the Service Access Interface to APDUs of the Generic Card Interface defined in Part 2, which allows a subset of the commands and options defined in [ISO7816] (Part 4, 8 and 9). If the cryptographic token does not support those standard-commands directly they may be translated by the Generic Card Layer before they are sent to the Interface Device (IFD) Layer using the Transmit-command, which is as other IFD-related commands in the IFD-API defined in Part 4 of [ISO24727]. Furthermore there is a dispatcher, which redirects web service requests to remote software stacks and establishes trusted channels e.g. using [RFC4346], if required. The dispatcher may support different web service bindings, such as [SOAP-v1.1] or [PAOSv1.1]. The ISO/IEC 24727 architecture is extensible in two ways. First it allows the execution of arbitrary card-application services using the SAL-functions ExecuteAction and CardApplicationServiceDescribe. Second it supports arbitrary cryptographic (authentication) protocols because all DID-related functions have generic parameters, which are of an open type, which is protocol dependent. We will return to the second alternative in Section 3.2 when we sketch such a protocol tailored for mobile devices.

Figure 1: ISO/IEC 24727 Architecture 3 Using ISO/IEC 24727 with mobile devices Depending on the use case and the capabilities of the mobile device there are various possible integration scenarios. Among those we will focus on two cases, which seem to cover a large proportion of currently available mobile devices: Cell phones with support for Java TM Mobile Edition (JME) (see Section 3.1) and other devices within a Mobile Signature Services (MSS) based architecture (see Section 3.2). 3.1 Java TM Micro Edition based solution The Java TM Micro Edition (JME) is the dominating open platform for cell phones. Since everything has started in the year 2000 with the definition of the Mobile Information Device Profile (MIDP) [JSR271] the platform has grown over the years and is nowadays covering a wide variety of functionality. The basic stack is defined within the Mobile Service Architecture (MSA) [JSR248] and the Connected Limited Device Configuration (CLDC) [JSR139]. Additionally, a couple of additional Java Specification Requests (JSR's) are adding specific functionality to the basic platform. In the context of eid, the following JSR's are especially important: JSR 177 (Security and Trust Service, [JSR177]) is defining the interface to an embedded security element (e.g. SIM), JSR 257 (Contactless Communication API, [JSR257]) defines the interfaces for contactless communication (RFID, NFC) and JSR 279 (Service Connection API for Java TM ME, [JSR279]) offers the functionality to use and offer web services on a mobile device.

Figure 2 shows the interaction of the different software components with the security element (e.g. SIM card), the eservice and an eid token. Figure 2: Java TM Micro Edition based Architecture In an ISO/IEC 24727 environment, the eservice will use the standardized web service interfaces to communicate with the mobile device. To support complex protocols, like the General Authentication Procedure defined in [BSI-TR3110], the mobile device should offer the Service Access Interface and the IFD-Interface as web service. In the future, the goal should be to define a JSR, which is adding the ISO/IEC 24727 interfaces to the JME platform. In the meantime, a client application on the device (MIDlet), which is based on the above listed JSR's, can add the necessary web services by its own. 3.2 Mobile Signature Service based solution In this case the integration will not take place within the mobile device but rather in the Service Access Layer (SAL) of the Application Provider (AP). This SAL has a virtual card-application embedded, which allows to communicate with a Mobile Signature Service Provider (MSSP) using the messages defined in [ETSI-102204]. For this purpose there will be an MSS-specific ISO/IEC 24727-protocol, in which the (keys of the) mobile users are represented as Differential-Identities. Figure 3: System architecture for MSS-based solution

In the presentation we will sketch how the main functions of [ISO24727] Part 3 map to functions defined in [ETSI-102204] 1. 4 Status on Secure Token, example European Citizen Card 8 of 27 EU member states have electronic eid cards until end of CY 08 in use, with Spain (2006), Portugal (2007); Italy (2006), Belgium (2005), Austria (2004), Finland (2002), Sweden (2005) and Estonia (2004). All eid programs are based on 2-factor authentications. Since 2004 there are ongoing standardization efforts to develop [ISO24727] and the closely related European Citizen Card standard in order to normalize identification, authentication and signing with security tokens, such as eid cards. In addition to the standard developments there are concrete plans by some EU member states, like France (for 2009), Germany (for 2010) and Poland (for 2011), who will implement this standard in the upcoming national eid-card programs. Flanking to this activity the EU Commission has started in June 2008 a pan-european interoperability program, to realize eid-interoperability across borders 2 and it may be expected that ISO/IEC 24727 and the closely related European Citizen Card specifications will play a central role in this project. 5 Conclusion In the current paper we briefly recalled the ISO/IEC 24727 architecture [ISO24727] and sketched two possibilities how this software stack may be used with mobile devices, which either support the Java TM Mobile Edition (JME) platform (see Section 3.1) or the Mobile Signature Services interfaces (see Section 3.2). While the ISO/IEC 24727 interfaces can be easily supported in both cases, the JME-based variant seems to be especially interesting for future developments, as it does not require a special provider infrastructure and may support a broader variety of NFC-related use cases in the future. References [AGIMO-AGSF] Australian Government Information Management Office (AGIMO): Australian Government Smartcard Framework, Phase 2 Version 0.12, Standards and Model Specification Part c, March 2007, http://www.agimo.gov.au/ data/assets/pdf_file/0008/56249/standards_and_ Model_Specification_-_Part_c_-_Version_0.12.pdf [A-SIT-ACC] A-SIT: The Austrian Citizen Card, Overview of Version 1.2.0, May 14th 2004, http://www.buergerkarte.at/konzept/securitylayer/spezifikation/ 20040514/Index.en.html 1 Note that a similar mapping could be defined for other existing architectures and interfaces, as used for the Austrian Citizen Card [A-SIT-ACC] for example. 2 See http://www.eid-stork.eu/.

[BSI-TR3110] BSI: Advanced Security Mechanism for Machine Readable Travel Documents Extended Access Control (EAC), Technical Directive of the Federal Office for Information Security Nr. 03110, BSI TR-03110, Version 2.0 Public Beta 3, 2007 [BSI-TR03112] BSI: ecard-api-framework, Technical Directive of the Federal Office for Information Security Nr. 03112, BSI TR-03112, Version 1.0, 2008, http://www.bsi.bund.de/literat/tr/tr03112/index.htm [B-WPKI-F] Baltic WPKI Forum: Wiki of the Baltic WPKI Forum, http://wpki.eu [CEN15480] CEN: Identification card systems European Citizen Card, CEN TS 15480 (Part 1-4), 2007 [ETSI-102204] ETSI: Mobile Signature Service - Web Service Interface, Technical Specification TS 102 204 V1.1.4, via http://portal.etsi.org/docbox/ec_files/ec_files/ts_102204v010104p.pdf [ISO7816] ISO/IEC: Identification cards Integrated circuit cards, ISO/IEC 7816 (Part 1-13 & 15) [ISO24727] ISO/IEC: Identification cards Integrated circuit cards programming interfaces, ISO/IEC 24727 (Part 1-6) [JSR139] JCP: Connected Limited Device Configuration 1.1, Java Specification Request [JSR177] (JSR) 139, http://www.jcp.org/en/jsr/detail?id=139 JCP: Security and Trust Services API for J2ME TM, Java Specification Request (JSR) 177, http://www.jcp.org/en/jsr/detail?id=177 [JSR248] JCP: Mobile Service Architecture, Java Specification Request (JSR) 248, http://www.jcp.org/en/jsr/detail?id=248 [JSR257] JCP: Contactless Communication API, Java Specification Request (JSR) 257 http://www.jcp.org/en/jsr/detail?id=257 [JSR271] [JSR279] JCP: Mobile Information Device Profile 3, Java Specification Request (JSR) 271, http://www.jcp.org/en/jsr/detail?id=271 JCP: Service Connection API for Java TM ME, Java Specification Request (JSR) 279, http://www.jcp.org/en/jsr/detail?id=279 [MC07] Mobileconnect: Study: Mobile data revenues will increase to more than 200 Billion $US in 2011, in German, http://www.mobileconnect.ch/de/2007/03/05/studie-mobile-datenumsatzesteigen-auf-uber-200-milliarden-us-in-2011/ [NIST-GSCIS] NIST: Government Smart Card Interoperability Specification, Version 2.1., July 2003, http://csrc.nist.gov/publications/nistir/nistir-6887.pdf [NIST-PIV] NIST: Personal Identity Verification (PIV) of Federal Employees and Contractors, FIPS PUB 201-1, March 2006, http://csrc.nist.gov/publications/fips/fips201-1/fips-201-1-chng1.pdf [NIST-SMP] NIST: Standard and Metrics Project, [PAOS-v1.1] [RFC4346] [SOAP-v1.1] http://www.itl.nist.gov/itlprograms/idms/external/standards_metrics.html Liberty Alliance Project: Liberty Reverse HTTP Binding for SOAP Specification, Version v1.1, via http://www.projectliberty.org/liberty/content/download/1219/7957/file/libertypaos-v1.1.pdf E. Rescorla, T. Dierks: The Transport Layer Security (TLS) Protocol Version 1.1, RFC 4346, April 2006, http://www.ietf.org/rfc/rfc4346.txt W3C Note: Simple Object Access Protocol (SOAP) 1.1, 08 May 2000, via http://www.w3.org/tr/2000/note-soap-20000508 [WCIS] Informa Telecoms & Media: World Cellular Information Service, http://www.wcisdata.com/

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information