1 / 13

Managing Access to Security Hardware in PC Browsers

Managing Access to Security Hardware in PC Browsers. L. Castillo, Principal Engineer . 06/20/2013. Secure Devices Manufacturer. Operated Services & Solutions. Web applications & secure devices. API signing. Get rid of passwords. Sign Documents. Strong Authentication.

rhonda
Download Presentation

Managing Access to Security Hardware in PC Browsers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Managing Access to Security Hardware in PC Browsers L. Castillo, Principal Engineer 06/20/2013

  2. Secure Devices Manufacturer Operated Services & Solutions 2013-06-20

  3. Web applications & secure devices API signing • Get rid of passwords • Sign Documents Strong Authentication • Electronic Transactions Client side Encryption • Secure Cloud Resources Electronic Signatures • Protect Storage Anonymous Credentials • Safeguard Privacy Digital Money Many use cases… 2013-06-20

  4. The issue: connectivity 2013-06-20

  5. Requirements for a good solution • Number one priority • Simple install & upgrade experience • Ease of use, design clarity, speed, … Usable • New attack vector • Build Trust in solution • End User Consent: Don’t surprise Secure • Adapt to fast moving environment • Don’t break things • Self Update Extensible 2013-06-20

  6. PC SEAM: Architecture PC Server Server Browser Web Application JS Engine Javascript Application Code SEAM Extension SEAM Library Secure Add-Ons Manager Secure Add-Ons Manager Library Add-On (SC) Add-On (BIO) … Add-On (SW) Add-On Library (SC) Add-On Library (BIO) … Add-On Library (SW) Library SW Library SC Library Bio Library Driver SC Driver Bio Driver 2013-06-20

  7. Usability TRANSPARENT SECURITY Minimalistic interactions with end user CLEAR DESIGN Simple, obvious UI with step-by-step install & usage instructions AVOID CLICK GALORE Install & update experience use as few clicks as possible TRANSPARENT UPDATES Updates to Add-ons are transparent and don’t break things SMALLER IS BETTER Initial extension is less than 1 MB, deployed packages as small as possible 2013-06-20

  8. Security • Signed Packages and Extensions • Control Diffusion with Access Keys • Capture user consent at every stage • During install of packages • For each web applications access • Mandate SSL/TLS • Valid certificate, bound to Access Key • Fine grained permissions contained in Access Key 2013-06-20

  9. Extensibility Multiple Hardware Support Multiple Version Support Customizable Easy deployment 2013-06-20

  10. Challenges Many OS / Browsers Combinations… …Walled Gardens… • Heavy deployment constraints • Avoid being seen as malware… • Difficult to maintain a consistent UI • One plugin technology per browsers • ActiveX, XPCOM, NPAPI • One (or more) driver set per OS …And a world evolving fast • One new Chrome and Firefox version every 6 weeks 2013-06-20

  11. What about mobiles? Even more challenges, no perfect solutions • Physical connectivity / drivers are often absent • Closed ecosystem and non extensible browsers • Many more combinations due to Manufacturers and MNOs • Embedded Web Server in Mobile (Gibraltar) • Embedded Web Server in Security Device (over IP enabled physical link) • Extended Hybrid App Framework (Wikipedia) • And of course native applications Alternatives 2013-06-20

  12. Going forward: Standards WebCrypto WG SysApp WG • New security model for hardware access in browsers • More hardware APIs being introduced • “High level” API for cryptography in browsers • Can abstract some security devices 2013-06-20

  13. Thank you! 2013-06-20

More Related