Antriittsvortrag

Report
Leveraging UICC with Open Mobile API for
Secure Applications and Services
Ran Zhou
Introduction and Motivation
•
•
•
•
•
•
•
•
Until 2011, there were 6 billion mobile subscriptions (87% of the population)
UICC serves as the security anchor in mobile telecom network
Java Card make the UICC more powerful: digital signature, cryptography…
UICC is an ideal module to enhance the security level of terminal application
Interface is required to fill the gap between UICC applet and terminal application
Open Mobile API is proposed to provide this interface
A Dual Application Architecture together with the access control mechanism will
be introduced
As an example to be implemented: an UICC-based Local OpenID protocol will be
considered in this thesis
Relying
Relying Party
Parties
As
so
cia
tio
n
Log-on
Local authentication
User
Device with
Local OP Server
OpenID Provider
(Network Operator)
Trust (Long Term Secret)
Agenda
• Introduction and Motivation
• Basic Technologies
– UICC
– SIMalliance Open Mobile API
– OpenID
• Concept of Local OpenID
• Thesis Outline
• Time Plan
Universal Integrated Circuit Card: UICC
• UICC is a smart card used in mobile terminals within telecom networks [1]
• It provides
 authentication
 secure storage
 crypto algorithms
 …
• Java Card as UICC can provide [2]
 Hash functions: MD5, SHA-1, SHA-256 …
 Signature functions: HMAC …
 Public-key cryptography: RSA …
 Symmetric-key cryptography: AES, DES …
 …
UICC – Related Technologies
•
Toolkit
•
Generic Bootstrapping Architecture
(GBA)
[3]
•
Smart Card Web Server
•
Open Mobile API
Open Mobile API
Open Mobile API is established by SIMalliance as an open API between the
Secure Element and the Terminal Applications [4]
•
•
•
•
•
Crypto
Authentication
Secure Storage
PKCS#15
…
Open Mobile API
3 Layers [5]
 Transport Layer: using APDUs for accessing a Secure Element
 Service Layer: provide a more abstract interface for functions on SE
 Application Layer: represents the various applications using Open Mobile API
Figure 1: Architecture overview
Dual Application Architecture
Terminal
Application
Open Mobile API
Transport Layer
•
•
•
•
•
NFC (Near Field Communication) services
Payment services
Ticketing services
Loyalty services (Kundenbindungsmaßnahmen)
ID Management services (e.g. Single Sign-On)
Access Control
Module
UICC
Access
Control Table
OpenID
Relying
RelyingParty
Parties
Log-on
User
Device
OpenID Provider
OpenID Weakness[6]
• Phishing
• An “Identity System” without Trust: no authority can
promise OpenID rzhou.myopenid.com is Ran Zhou
• Redirects
• Communication Overhead: lots of HTTP requests
Concept: Local OpenID Server with UICC
•
•
•
•
Phishing
Sensitive data remains on UICC
An “identity system” without Trust: no authority can
promise OpenID rzhou.myopenid.com is Ran Zhou.
Trusted Identity through Network Operator (contract)
Redirects
Local OpenID Server interface
Communication Overhead: lots of HTTP requests
Significantly reduced authentication traffic
Terminal part is developed by a project partner of Morpho
Integration of UICC is the main topic of this thesis
Local OpenID Architecture
Relying
RelyingParty
Parties
Association Handle
+ Derivated Key
Signed Assertion
(with same derivated key)
User
Local authentication
(with PIN)
Local OP Provider =
Mobile Application
+ UICC Applet
Network OpenID Provider
Trust (Long-Term Secret)
Contents
1. INTRODUCTION
1.1 Motivation
1.2 Solution Idea
1.3 Overview
2. UICC AND JAVA CARD
2.1 UICC
2.2 Java Card
2.2.1 Introduction
2.2.2 Security and Crypto
2.2.3 New Features in Java Card 3
2.3 Related Technologies
2.3.1 SIM Toolkit
2.3.2 Smart Card Web Server
2.3.3 Generic Bootstrapping Architecture
3. OPEN MOBILE API
3.1 Introduction
3.2 Fundamental Structure
3.3 Use Pattern
3.4 Access Control
3.5 Application Scenario
4. LOCAL OPENID
4.1 OpenID Protocol
4.1.1 Introduction
4.1.2 Weakness of OpenID
4.2 SAML Protocol
4.2.1 Introduction
4.2.2 Weakness of SAML
Contents
4.3
Local OpenID Protocol
4.3.1 Introduction
4.3.2 Architecture and Description
4.3.3 Compare of OpenID, SAML and Local OpenID
5. IMPLEMENTATION
5.1 Platform
5.1.1 Introduction of Android
5.1.2 Android Security Management
5.2 App on UICC
5.2.1 Applet on UICC
5.2.2 Algorithms and Functions
5.2.3 Configuration of UICC
5.2.4 PKCS15 Structure
5.2.5 Implementation
5.3 App on Android
5.3.1 Functional Description
5.3.2 Open Mobile API in Android
5.3.3 Implementation
5.4 Test
5.4.1 Test Environment
5.4.2 Test Procedure
5.4.3 Test Result
5.5 Weakness Analysis
6. SUMMARY AND FUTURE WORK
6.1 Summary
6.2 Future Work
Time plan
Nov
Dec
Jan
Feb
Mar
Apr
May
Jun
Investigate and design
1st Implementation
2nd Implementation
Test
1st Thesis
2nd Thesis
Final Thesis
Thanks!
Questions?
References
[1] Rankl, W. (2oo8), Handbuch der Chipkarten, Carl Hanser Verlag München.
[2] Sun Microsystems, I. (2006), 'Application Programming Interface Java Card™
Platform, Version 2.2.2'.
[3] Wikipedia, t. f. e. (2012), 'Generic Bootstrapping Architecture'.
[4] SIMalliance (2011), 'SIMalliance Open Mobile API An Introduction'.
[5] SIMalliance (2011), 'Open Mobile API specification V2.02', SIMalliance.
[6] van Delft, B. (2010), 'A Security Analysis of OpenID', IFIP Advances in Information
and Communication Technology 343/2010, 73-84.

similar documents