1 / 14

Scott B. Guthery CTO, Mobile-Mind Sguthery@mobile-mind

Extending the GSM/3G Key Infrastructure DIMACS Workshop on Mobile and Wireless Security November 3, 2004. Scott B. Guthery CTO, Mobile-Mind Sguthery@mobile-mind.com. Mary J. Cronin Professor of Management Boston College Cronin@bc.edu. Outline. SIM for Mobile Network Authentication

jswindle
Download Presentation

Scott B. Guthery CTO, Mobile-Mind Sguthery@mobile-mind

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Extending the GSM/3G Key InfrastructureDIMACS Workshop on Mobile and Wireless SecurityNovember 3, 2004 Scott B. Guthery CTO, Mobile-Mind Sguthery@mobile-mind.com Mary J. Cronin Professor of Management Boston College Cronin@bc.edu

  2. Outline • SIM for Mobile Network Authentication • SIM for Internet Authentication • SIM for Local Authentication

  3. Subscriber Identity Module • Integral part of GSM security from the start • Holds secret key Ki • other copy held by subscriber’s network operator • 8-bit processor, 8KB EEPROM, file system, cryptographic algorithms Identity token with a wireless connection to an authentication and billing service

  4. GSM/3G Authentication • Roaming is the stepping off point for extending the GSM/3G key infrastructure • Visited network authenticates without being in possession of Ki 1) Identity 2) Identity SIM Visited Network Home Network 3) Challenge & Response 4) Challenge 5) Response Ki Ki

  5. SIM for Internet Authentication • EAP-SIM uses SIM for Internet authentication • visited network is an EAP authenticator • draft-haverinen-pppext-eap-sim-14.txt • Uses GSM/3G authentication but generates a stronger session key Internet Service SIM EAP Authenticator Home Network Ki Ki

  6. SIM Toolkit • SIM gives commands to the handset • display text, get key hit, send SMS, block call • Operator controls loading of applications • GlobalPlatform architecture used to manage keys for non-operator applications Application 1 STK Handset Application 2 Application 3

  7. SIM for Local Authentication • SIM-based authentication and authorization • visited network is a merchant or a door • SIM-based cryptographic services • session keys, certificates, signing, tickets, etc. Local Connections (IR, Bluetooth, etc.) Operator SIM Handset Other SIM 3G Network

  8. User-Equipment Split • SIM is in the device needing signing and authentication services • All that’s left of the mobile communication network is the extended key infrastructure SIM A Network Operator Handset SIM B SIM C

  9. Business Models for SIM Security ExtensionTheory, Reality and Lessons Learned • Theory: Compelling business and revenue opportunities based on leveraging SIM security • Enormous global installed base of active SIM cards • Over 800 million GSM and 3G handsets and subscribers • Well-established international standards for SIM applications and key infrastructure • Well documented architecture and tools for development using SIM Application Toolkit and Java Card™ platform • Multiple business models from different industries (banking, retail, media, IT, health, etc.) in search of strong mobile security solution will embrace the SIM

  10. Three Potential Business Cases • SIM-hosted and authenticated non-telephony m-commerce applications and services • Allow trusted third parties to load applications onto the SIM card and share the existing key infrastructure to authenticate customers and authorize transactions via the wireless public network • SIM-enabled use of mobile handset for authenticated and authorized transactions via the wireless public network • Embedded SIMs for authorization of users or devices attached to any network, particularly WiFi

  11. SIM-Hosted M-Commerce Applications • Business Model: Multiple applications are stored on a single SIM card to allow subscriber to conduct secure banking, make and pay for purchases, download and store value, tickets, etc to the SIM • Third party consumer and enterprise applications both supported • SIM application provider gets share of projected $60 billion plus in m-commerce transactions • Reality as of 2004 • Technical requirements are in place • Almost all recent SIMs are multi-application Java Card™ SIMs • Over 260 million of them are Global Platform compliant • SIM-hosted applications have been scarce • Limited to small mobile banking pilots in Europe and Asia • Majority of booming m-commerce business has moved to handset downloads and back end server-based security systems

  12. SIM-Enabled Security for Mobile Devices • Business Model: Dual-slot handsets provide external slot for smart card to conduct secure transactions and move value via the SIM, making the mobile a cash dispenser, a ticket, a POS, etc. • 1999 launch of dual slot phones to great fanfare • Datamonitor projected over 32 million such phones in use by 2003 • All major handset makers announced plans to manufacture them • Reality as of 2004 • Dual slot phones are hard to find collectors’ items • Revival of the model via “add-on” module for standard GSM phone to create a mobile POS for developing markets • Way Systems has some initial traction with this approach for China

  13. SIM Authentication in Non-Telephony Networks • Business Model: Embed SIM in WiFi and other networked devices or provide SIM-USB token to subscribers for authentication and payment for WiFi access and roaming • One solution for problems with 802.11 security • Potential for portability and roaming on different networks • Possible integration with wireless subscriber accounts • Reality as of 2004 • WLAN Smart Card Consortium attempting to define standards • Commercial deployments increasing but still in early stages • Transat solution launches with 3,500 hotspots in the UK (4/04) • Orange implements in Switzerland (3/04) • Tartara demonstrates solution with Verisign (3/04) • TSI demonstrates solution with Boingo Wireless (5/04)

  14. Conclusion: Still Searching for Clear Business Case for SIM Extension • Limited applications to date outside of wireless telephony and some notable business failures such as dual-slot handsets • The combined business drivers of a billion SIMs, a rapidly growing m-commerce market and unsolved mobile security issues continue to bring new players and approaches to the table • Lesson learned: Wireless carriers have made controlling and guarding the SIM key infrastructure a priority over increasing revenues through extension • Carriers have the ability to cut off third party access to the SIM platform • WiFi and non-telephony network authentication looks like a good match for the SIM key infrastructure, but long-term models may require wireless carrier participation

More Related