Leveraging UICC with Open Mobile API for Secure Applications and Services

Ran Zhou

Introduction and Motivation

As of 2011, there were 6 billion mobile subscriptions (87% of the population)

The UICC serves as the security anchor in mobile telecom networks

Java Card makes the UICC more powerful: digital signatures, cryptography…

The UICC is an ideal module for raising the security level of terminal applications

An interface is required to bridge the gap between the UICC applet and the terminal application

The Open Mobile API is proposed to provide this interface

A Dual Application Architecture, together with the access control mechanism, will be introduced

As the example to implement, a UICC-based Local OpenID protocol will be considered in this thesis

Agenda
  • Introduction and Motivation
  • Basic Technologies
    • UICC
    • SIMalliance Open Mobile API
    • OpenID
  • Concept of Local OpenID
  • Thesis Outline
  • Time Plan
Universal Integrated Circuit Card: UICC

  • UICC is a smart card used in mobile terminals within telecom networks [1]
  • It provides
    • authentication
    • secure storage
    • crypto algorithms
  • Java Card as UICC can provide [2]
    • Hash functions: MD5, SHA-1, SHA-256 …
    • Signature functions: HMAC …
    • Public-key cryptography: RSA …
    • Symmetric-key cryptography: AES, DES …
UICC – Related Technologies
  • Generic Bootstrapping Architecture (GBA)
  • Open Mobile API
  • Toolkit
  • Smart Card Web Server

[3]

Open Mobile API

Open Mobile API is established by SIMalliance as an open API between the Secure Element and the Terminal Applications [4]

  • Crypto
  • Authentication
  • Secure Storage
  • PKCS#15

Open Mobile API

3 Layers [5]

  • Transport Layer: uses APDUs to access a Secure Element
  • Service Layer: provides a more abstract interface to functions on the SE
  • Application Layer: represents the various applications using the Open Mobile API

Figure 1: Architecture overview

Dual Application Architecture

[Diagram labels: Terminal Application, Open Mobile API, Transport Layer, Access Control Module, UICC, Access Control Table]

  • NFC (Near Field Communication) services
  • Payment services
  • Ticketing services
  • Loyalty services (customer retention measures)
  • ID Management services (e.g. Single Sign-On)
OpenID

[Diagram labels: Relying Parties, Relying Party, Submit OpenID, Association, Log-on, Device, User, User authentication, OpenID Provider]

OpenID Weakness [6]

Phishing

An “Identity System” without Trust: no authority can vouch that the OpenID rzhou.myopenid.com is Ran Zhou

Redirects

Communication Overhead: lots of HTTP requests

Concept: Local OpenID Server with UICC

Each OpenID weakness is paired with the Local OpenID answer:

  • Phishing → Sensitive data remains on UICC
  • An “Identity System” without Trust (no authority can vouch that the OpenID rzhou.myopenid.com is Ran Zhou) → Trusted Identity through Network Operator (contract)
  • Redirects → Local OpenID Server interface
  • Communication Overhead (lots of HTTP requests) → Significantly reduced authentication traffic

  • Terminal part is developed by a project partner of Morpho
  • Integration of UICC is the main topic of this thesis
Local OpenID Architecture

[Diagram labels: Submit OpenID; Association Handle; Association; Relying Parties; Relying Party; Association Handle + Derived Key; Signed Assertion (with same derived key); Local authentication (with PIN); Local OP Provider = Mobile Application + UICC Applet; User; Network OpenID Provider; Trust (Long-Term Secret)]
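
The key flow in the architecture above, as an added example (not code from the thesis or from any OpenID library): the network OP and the UICC applet share a long-term secret, both derive the same per-association key from the association handle, and the relying party checks the PIN-gated signed assertion with it. The HMAC-SHA256 derivation and signature, the PIN retry counter of 3, and all class names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def derive_key(long_term_secret: bytes, assoc_handle: str) -> bytes:
    # Assumed KDF: HMAC-SHA256 keyed with the long-term secret over the handle.
    return hmac.new(long_term_secret, assoc_handle.encode(), hashlib.sha256).digest()

class NetworkOP:
    """Network OpenID Provider: shares the long-term secret with the UICC."""
    def __init__(self, long_term_secret: bytes):
        self._secret = long_term_secret

    def associate(self):
        # The relying party receives the handle plus the derived key, never the secret.
        handle = secrets.token_hex(8)
        return handle, derive_key(self._secret, handle)

class UiccApplet:
    """Stand-in for the UICC applet: secret and PIN never leave this object."""
    MAX_TRIES = 3  # assumed retry limit

    def __init__(self, long_term_secret: bytes, pin: str):
        self._secret, self._pin, self._tries = long_term_secret, pin, self.MAX_TRIES

    def sign_assertion(self, pin: str, assoc_handle: str, assertion: bytes) -> bytes:
        if self._tries == 0:
            raise PermissionError("PIN blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries -= 1
            raise PermissionError("wrong PIN")
        self._tries = self.MAX_TRIES  # local authentication succeeded
        key = derive_key(self._secret, assoc_handle)  # same key the RP was given
        return hmac.new(key, assertion, hashlib.sha256).digest()

def rp_verify(derived_key: bytes, assertion: bytes, signature: bytes) -> bool:
    expected = hmac.new(derived_key, assertion, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def run_login(pin_entered: str, tamper: bool = False) -> bool:
    secret = secrets.token_bytes(32)  # constructed long-term secret
    network_op, applet = NetworkOP(secret), UiccApplet(secret, pin="1234")
    handle, rp_key = network_op.associate()  # RP <-> network OP association
    assertion = (f"openid.identity=https://op.example/alice"
                 f"&openid.assoc_handle={handle}").encode()  # constructed assertion
    sig = applet.sign_assertion(pin_entered, handle, assertion)
    if tamper:  # assertion altered after signing: the RP must reject it
        assertion = assertion.replace(b"alice", b"mallory")
    return rp_verify(rp_key, assertion, sig)
```

The relying party never sees the long-term secret; a leaked derived key is limited to the one association handle it was derived for.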

Contents
  • 1. INTRODUCTION
    • 1.1 Motivation
    • 1.2 Solution Idea
    • 1.3 Overview
  • 2. UICC AND JAVA CARD
    • 2.1 UICC
    • 2.2 Java Card
      • 2.2.1 Introduction
      • 2.2.2 Security and Crypto
      • 2.2.3 New Features in Java Card 3
    • 2.3 Related Technologies
      • 2.3.1 SIM Toolkit
      • 2.3.2 Smart Card Web Server
      • 2.3.3 Generic Bootstrapping Architecture
  • 3. OPEN MOBILE API
    • 3.1 Introduction
    • 3.2 Fundamental Structure
    • 3.3 Use Pattern
    • 3.4 Access Control
    • 3.5 Application Scenario
  • 4. LOCAL OPENID
    • 4.1 OpenID Protocol
      • 4.1.1 Introduction
      • 4.1.2 Weakness of OpenID
    • 4.2 SAML Protocol
      • 4.2.1 Introduction
      • 4.2.2 Weakness of SAML
    • 4.3 Local OpenID Protocol
      • 4.3.1 Introduction
      • 4.3.2 Architecture and Description
      • 4.3.3 Comparison of OpenID, SAML and Local OpenID
  • 5. IMPLEMENTATION
    • 5.1 Platform
      • 5.1.1 Introduction of Android
      • 5.1.2 Android Security Management
    • 5.2 App on UICC
      • 5.2.1 Applet on UICC
      • 5.2.2 Algorithms and Functions
      • 5.2.3 Configuration of UICC
      • 5.2.4 PKCS15 Structure
      • 5.2.5 Implementation
    • 5.3 App on Android
      • 5.3.1 Functional Description
      • 5.3.2 Open Mobile API in Android
      • 5.3.3 Implementation
    • 5.4 Test
      • 5.4.1 Test Environment
      • 5.4.2 Test Procedure
      • 5.4.3 Test Result
    • 5.5 Weakness Analysis
  • 6. SUMMARY AND FUTURE WORK
    • 6.1 Summary
    • 6.2 Future Work
Time plan

[Gantt chart. Months: Nov, Dec, Jan, Feb, Mar, Apr, May, Jun. Tasks: Investigate and design, 1st Implementation, 2nd Implementation, Test, 1st Thesis, 2nd Thesis, Final Thesis]

Thanks!

Questions?

References

[1] Rankl, W. (2008), Handbuch der Chipkarten, Carl Hanser Verlag München.

[2] Sun Microsystems, Inc. (2006), 'Application Programming Interface Java Card™ Platform, Version 2.2.2'.

[3] Wikipedia, the free encyclopedia (2012), 'Generic Bootstrapping Architecture'.

[4] SIMalliance (2011), 'SIMalliance Open Mobile API An Introduction'.

[5] SIMalliance (2011), 'Open Mobile API specification V2.02', SIMalliance.

[6] van Delft, B. (2010), 'A Security Analysis of OpenID', IFIP Advances in Information and Communication Technology 343/2010, 73-84.