Leveraging UICC with Open Mobile API for Secure Applications and Services

Ran Zhou



Introduction and Motivation

By 2011 there were 6 billion mobile subscriptions (87% of the population)

The UICC serves as the security anchor in the mobile telecom network

Java Card makes the UICC more powerful: digital signatures, cryptography…

The UICC is an ideal module for raising the security level of terminal applications

An interface is required to fill the gap between the UICC applet and the terminal application

Open Mobile API is proposed to provide this interface

A Dual Application Architecture together with the access control mechanism will be introduced

As an example to be implemented, a UICC-based Local OpenID protocol will be considered in this thesis



Agenda

  • Introduction and Motivation

  • Basic Technologies

    • UICC

    • SIMalliance Open Mobile API

    • OpenID

  • Concept of Local OpenID

  • Thesis Outline

  • Time Plan


Universal Integrated Circuit Card: UICC

  • UICC is a smart card used in mobile terminals within telecom networks [1]

  • It provides

    • authentication

    • secure storage

    • crypto algorithms

  • Java Card as UICC can provide [2]

    • Hash functions: MD5, SHA-1, SHA-256 …

    • Signature functions: HMAC …

    • Public-key cryptography: RSA …

    • Symmetric-key cryptography: AES, DES …



UICC – Related Technologies

  • Generic Bootstrapping Architecture (GBA) [3]

  • Open Mobile API

  • Toolkit

  • Smart Card Web Server



Open Mobile API

Open Mobile API is established by SIMalliance as an open API between the Secure Element and the Terminal Applications [4]

Figure: Open Mobile API sits between the terminal applications and the Secure Element and exposes its services:

  • Crypto

  • Authentication

  • Secure Storage

  • PKCS#15



Open Mobile API

3 Layers [5]

  • Transport Layer: uses APDUs to access a Secure Element

  • Service Layer: provides a more abstract interface to the functions on the SE

  • Application Layer: the various applications that use Open Mobile API

Figure 1: Architecture overview



Dual Application Architecture

Figure: Dual Application Architecture. Terminal Application → Open Mobile API (Transport Layer with Access Control Module) → UICC (holding the Access Control Table).

Application scenarios:

  • NFC (Near Field Communication) services

  • Payment services

  • Ticketing services

  • Loyalty services (customer retention schemes)

  • ID Management services (e.g. Single Sign-On)
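The following is an added example, not code from the presentation, from SIMalliance or from the thesis project. It models the two pieces of the architecture above in Python: the transport layer, which encodes ISO 7816-4 command APDUs, and the access control module, which consults the access control table before any APDU reaches the UICC. The table format is an assumption (the slides do not specify it): it maps the SHA-256 hash of the terminal application's signing certificate to the applet AIDs the application may select and the (CLA, INS) headers it may send; the real GlobalPlatform rule format is richer. The AID, certificates and applet behaviour are constructed for the example.

```python
"""Added example: toy Open Mobile API transport layer with an access control
module in front of the UICC. Table format, AID, certificates and the applet's
command set are assumptions, not taken from the slides."""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Standard ISO 7816-4 status words.
SW_OK = bytes.fromhex("9000")
SW_SECURITY_STATUS_NOT_SATISFIED = bytes.fromhex("6982")
SW_FILE_NOT_FOUND = bytes.fromhex("6A82")
SW_INS_NOT_SUPPORTED = bytes.fromhex("6D00")


def build_apdu(cla: int, ins: int, p1: int, p2: int,
               data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Encode a short-form command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    for v in (cla, ins, p1, p2):
        if not 0 <= v <= 0xFF:
            raise ValueError("header bytes must fit in one octet")
    if len(data) > 255:
        raise ValueError("short-form Lc carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le & 0xFF])  # Le byte 0x00 means "up to 256 bytes"
    return apdu


def split_response(resp: bytes) -> Tuple[bytes, bytes]:
    """Split a response APDU into (data, SW1SW2)."""
    if len(resp) < 2:
        raise ValueError("a response APDU always ends with a status word")
    return resp[:-2], resp[-2:]


@dataclass(frozen=True)
class AccessRule:
    allowed_aids: FrozenSet[bytes]               # applets the app may open a channel to
    allowed_headers: FrozenSet[Tuple[int, int]]  # (CLA, INS) pairs it may send


class AccessControlModule:
    """Enforces the access control table the transport layer reads from the UICC."""

    def __init__(self, table: Dict[str, AccessRule]):
        self.table = table  # hex SHA-256 of the app certificate -> AccessRule

    def is_allowed(self, app_cert: bytes, aid: bytes, apdu: bytes) -> bool:
        rule = self.table.get(hashlib.sha256(app_cert).hexdigest())
        if rule is None or aid not in rule.allowed_aids:
            return False  # unknown app, or app not entitled to this applet
        return (apdu[0], apdu[1]) in rule.allowed_headers


class ToyUICC:
    """Constructed stand-in for the secure element: one applet with a GET VERSION command."""

    def __init__(self, aid: bytes):
        self.aid = aid

    def transmit(self, aid: bytes, apdu: bytes) -> bytes:
        if aid != self.aid:
            return SW_FILE_NOT_FOUND
        if apdu[0] == 0x80 and apdu[1] == 0x10:  # constructed INS for this toy applet
            return b"\x01\x00" + SW_OK           # version 1.0, then SW 9000
        return SW_INS_NOT_SUPPORTED


def transmit_via_api(acm: AccessControlModule, uicc: ToyUICC,
                     app_cert: bytes, aid: bytes, apdu: bytes) -> bytes:
    """Transport-layer entry point: the access control module decides before the card is touched."""
    if not acm.is_allowed(app_cert, aid, apdu):
        return SW_SECURITY_STATUS_NOT_SATISFIED
    return uicc.transmit(aid, apdu)


# Constructed sample data; the AID is a placeholder, not a registered value.
APPLET_AID = bytes.fromhex("F00000010001")
TRUSTED_CERT = b"constructed certificate of the entitled terminal app"
OTHER_CERT = b"constructed certificate of some other app"
ACCESS_TABLE = {
    hashlib.sha256(TRUSTED_CERT).hexdigest():
        AccessRule(frozenset({APPLET_AID}), frozenset({(0x80, 0x10)})),
}


def demo() -> Dict[str, Tuple[bytes, bytes]]:
    """Send three requests through the API and return (data, status word) for each."""
    acm, uicc = AccessControlModule(ACCESS_TABLE), ToyUICC(APPLET_AID)
    get_version = build_apdu(0x80, 0x10, 0x00, 0x00, le=0)
    other_ins = build_apdu(0x80, 0x20, 0x00, 0x00)
    return {
        "entitled_app": split_response(transmit_via_api(acm, uicc, TRUSTED_CERT, APPLET_AID, get_version)),
        "unknown_app": split_response(transmit_via_api(acm, uicc, OTHER_CERT, APPLET_AID, get_version)),
        "filtered_ins": split_response(transmit_via_api(acm, uicc, TRUSTED_CERT, APPLET_AID, other_ins)),
    }


if __name__ == "__main__":
    for name, (data, sw) in demo().items():
        print(f"{name:13s} data={data.hex() or '-'} SW={sw.hex()}")
```

The point the model makes is where the decision sits: an unknown application, or an entitled one sending a header outside its rule, is answered with 6982 by the API layer itself and the command never reaches the applet, so the applet's own PIN and key handling is only exercised by applications the card issuer has listed in the table.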



OpenID

Figure: OpenID log-on flow. The User on the Device submits an OpenID to the Relying Party; the Relying Party establishes an Association with the OpenID Provider; the OpenID Provider performs the user authentication; the user is then logged on at the Relying Party (one OpenID Provider serves many Relying Parties).


OpenID Weaknesses [6]

  • Phishing

  • An “Identity System” without Trust: no authority can promise that OpenID rzhou.myopenid.com is Ran Zhou

  • Redirects

  • Communication Overhead: lots of HTTP requests



Concept: Local OpenID Server with UICC

Weakness of OpenID → Countermeasure with the UICC:

  • Phishing → Sensitive data remains on the UICC

  • An “identity system” without Trust (no authority can promise that OpenID rzhou.myopenid.com is Ran Zhou) → Trusted Identity through the Network Operator (contract)

  • Redirects → Local OpenID Server interface

  • Communication Overhead (lots of HTTP requests) → Significantly reduced authentication traffic

  • The terminal part is developed by a project partner of Morpho

  • Integration of the UICC is the main topic of this thesis



Local OpenID Architecture

Figure: Local OpenID architecture. The User submits an OpenID to the Relying Party; the Relying Party performs the Association with the Network OpenID Provider and receives an Association Handle plus a derived key; the Association Handle is passed to the Local OP Provider (= Mobile Application + UICC Applet), which performs the local authentication (with PIN) and returns a Signed Assertion (signed with the same derived key). The Network OpenID Provider and the UICC Applet share Trust through a Long-Term Secret; one Network OpenID Provider serves many Relying Parties.
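The exchange sketched in the architecture figure, written out as an added Python model; it is not code from the thesis, from Morpho or from the project partner. The slides only name the parties and the messages, so the following are assumptions: the long-term secret is a 32-byte key shared by the Network OpenID Provider and the UICC applet; the per-association key is HMAC-SHA256 of the association handle under that secret, computed independently on both sides so that the secret itself never leaves the card; the assertion is a small set of string fields signed with HMAC-SHA256 under the derived key; the relying party binds each association to a fresh nonce and uses it once. A real implementation would do the applet part with the Java Card crypto API.

```python
"""Added example: toy model of the Local OpenID exchange. Key derivation,
assertion format and nonce handling are assumptions, not from the slides."""
import hashlib
import hmac
import secrets


def derive_key(long_term_secret: bytes, handle: str) -> bytes:
    """Per-association key; computed separately by the Network OP and by the UICC applet."""
    return hmac.new(long_term_secret, b"assoc:" + handle.encode(), hashlib.sha256).digest()


def canonical(fields: dict) -> bytes:
    """Deterministic byte encoding of the assertion fields that get signed."""
    return "\n".join(f"{k}:{fields[k]}" for k in sorted(fields)).encode()


class NetworkOpenIDProvider:
    """Holds the long-term secret per subscriber (trust established by the operator contract)."""

    def __init__(self):
        self._subscribers = {}  # openid -> long-term secret

    def provision(self, openid: str, long_term_secret: bytes):
        self._subscribers[openid] = long_term_secret

    def associate(self, openid: str):
        """Association step: hand the relying party a fresh handle and the matching derived key."""
        handle = secrets.token_hex(8)
        return handle, derive_key(self._subscribers[openid], handle)


class UICCApplet:
    """Sensitive data (long-term secret, PIN) never leaves this object; it only signs."""

    def __init__(self, long_term_secret: bytes, pin: str, max_tries: int = 3):
        self._secret, self._pin = long_term_secret, pin
        self._max_tries = self._tries_left = max_tries
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        if self._tries_left == 0:
            return False  # PIN blocked after too many wrong attempts
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._unlocked, self._tries_left = True, self._max_tries
            return True
        self._tries_left -= 1
        return False

    def sign_assertion(self, handle: str, fields: dict) -> bytes:
        if not self._unlocked:
            raise PermissionError("local authentication with PIN required")
        return hmac.new(derive_key(self._secret, handle), canonical(fields), hashlib.sha256).digest()


class LocalOpenIDProvider:
    """Mobile application plus UICC applet: answers the RP on the device, no redirect to the network."""

    def __init__(self, openid: str, applet: UICCApplet):
        self.openid, self.applet = openid, applet

    def respond(self, handle: str, rp_nonce: str, pin: str):
        if not self.applet.verify_pin(pin):
            return None
        fields = {"openid": self.openid, "assoc_handle": handle, "nonce": rp_nonce}
        return fields, self.applet.sign_assertion(handle, fields)


class RelyingParty:
    def __init__(self, network_op: NetworkOpenIDProvider):
        self.network_op = network_op
        self._pending = {}  # association handle -> (derived key, nonce)

    def start_login(self, openid: str):
        handle, key = self.network_op.associate(openid)
        nonce = secrets.token_hex(8)
        self._pending[handle] = (key, nonce)
        return handle, nonce

    def finish_login(self, response) -> bool:
        if response is None:
            return False
        fields, sig = response
        entry = self._pending.pop(fields.get("assoc_handle"), None)  # single use blocks replay
        if entry is None or fields.get("nonce") != entry[1]:
            return False
        expected = hmac.new(entry[0], canonical(fields), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def run_scenario(pin_entered: str = "1234", tamper: bool = False, replay: bool = False) -> bool:
    """Run one complete log-on; returns whether the relying party accepts it."""
    secret = secrets.token_bytes(32)  # constructed long-term secret
    openid = "rzhou.myopenid.com"      # identifier used on the slides
    net_op = NetworkOpenIDProvider()
    net_op.provision(openid, secret)
    local_op = LocalOpenIDProvider(openid, UICCApplet(secret, "1234"))
    rp = RelyingParty(net_op)
    handle, nonce = rp.start_login(openid)
    response = local_op.respond(handle, nonce, pin_entered)
    if tamper and response:  # assertion altered in transit: signature no longer matches
        response = ({**response[0], "openid": "someone-else"}, response[1])
    accepted = rp.finish_login(response)
    return rp.finish_login(response) if replay else accepted
```

Besides the happy path, the scenario function exercises the three failures a reviewer would ask about: a wrong PIN stops the applet from signing at all, a modified assertion fails the HMAC check at the relying party, and presenting the same signed assertion twice fails because the association handle and its nonce were consumed on first use.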



Contents

  • 1. INTRODUCTION

    • 1.1 Motivation

    • 1.2 Solution Idea

    • 1.3 Overview

  • 2. UICC AND JAVA CARD

    • 2.1 UICC

    • 2.2 Java Card

      • 2.2.1 Introduction

      • 2.2.2 Security and Crypto

      • 2.2.3 New Features in Java Card 3

    • 2.3 Related Technologies

      • 2.3.1 SIM Toolkit

      • 2.3.2 Smart Card Web Server

      • 2.3.3 Generic Bootstrapping Architecture

  • 3. OPEN MOBILE API

    • 3.1 Introduction

    • 3.2 Fundamental Structure

    • 3.3 Use Pattern

    • 3.4 Access Control

    • 3.5 Application Scenario

  • 4. LOCAL OPENID

    • 4.1 OpenID Protocol

      • 4.1.1 Introduction

      • 4.1.2 Weakness of OpenID

    • 4.2 SAML Protocol

      • 4.2.1 Introduction

      • 4.2.2 Weakness of SAML


Contents (continued)

  • 4.3 Local OpenID Protocol

    • 4.3.1 Introduction

    • 4.3.2 Architecture and Description

    • 4.3.3 Comparison of OpenID, SAML and Local OpenID

  • 5. IMPLEMENTATION

    • 5.1 Platform

      • 5.1.1 Introduction of Android

      • 5.1.2 Android Security Management

    • 5.2 App on UICC

      • 5.2.1 Applet on UICC

      • 5.2.2 Algorithms and Functions

      • 5.2.3 Configuration of UICC

      • 5.2.4 PKCS15 Structure

      • 5.2.5 Implementation

    • 5.3 App on Android

      • 5.3.1 Functional Description

      • 5.3.2 Open Mobile API in Android

      • 5.3.3 Implementation

    • 5.4 Test

      • 5.4.1 Test Environment

      • 5.4.2 Test Procedure

      • 5.4.3 Test Result

    • 5.5 Weakness Analysis

  • 6. SUMMARY AND FUTURE WORK

    • 6.1 Summary

    • 6.2 Future Work


Time Plan

Gantt chart over the months Nov, Dec, Jan, Feb, Mar, Apr, May and Jun with the work packages:

  • Investigate and design

  • 1st Implementation

  • 2nd Implementation

  • Test

  • 1st Thesis

  • 2nd Thesis

  • Final Thesis



Thanks!

Questions?



References

[1] Rankl, W. (2008), Handbuch der Chipkarten, Carl Hanser Verlag, München.

[2] Sun Microsystems, Inc. (2006), 'Application Programming Interface, Java Card™ Platform, Version 2.2.2'.

[3] Wikipedia, the free encyclopedia (2012), 'Generic Bootstrapping Architecture'.

[4] SIMalliance (2011), 'SIMalliance Open Mobile API: An Introduction'.

[5] SIMalliance (2011), 'Open Mobile API Specification V2.02', SIMalliance.

[6] van Delft, B. (2010), 'A Security Analysis of OpenID', IFIP Advances in Information and Communication Technology 343/2010, 73-84.

