8/9/2019 Security & trust in Mobile application
Security and Trust in Mobile Applications
White Paper, 3G Americas
Introduction
Traditional: the walled garden. Current scenario:
- Identity theft, phishing and pharming
- Compromise of secure data, piracy of content, or theft of money from bank accounts
- Detrimental impact on the service provider
Secure Mobile Applications: Financial Applications
- 3GSM infrastructure is well suited for financial applications
- Robust infrastructure and highly secure storage
- Banking applications, money transfers, balance checking, payment applications via credit, debit or prepaid methods, etc.
- Remote or point of sale
Secure Mobile Applications: Near Field Communications (NFC)
- Allows the handset to communicate with close-proximity card readers, enabling point-of-sale payments
- Example: public transportation
- The mobile NFC ecosystem consists of: a mobile phone with NFC chipset and Secure Element, the Mobile Network Operator (MNO), Service Providers, and a Trusted Service Manager
Mobile Financial Use Cases: Mobile Payment
- mPayment or mCommerce
- Digital services or information services
- Payment: monthly or during the transaction
- Just-in-time shopping
- Micro payments and macro payments
Mobile Financial Use Cases: Mobile Banking
- Gives users access to their bank accounts from their mobile devices
- Check balances, transfer funds electronically, top up prepaid tokens and possibly even obtain cash from ATMs
e-Ticketing
- The device is used in NFC mode to pay for access to mass transit and ground transport systems
- Mobile device or "offline"
Access Applications
Applications that access a service via a password, login or other user credential before the service is granted.
Secure Pass Application
- Stores all employees' passwords, IDs and personal information in one single folder
- For security-focused enterprises it reduces the complexity of levels of access and authorization ...
Secure Pass Application: Key Features
- Manage a user's identities and passwords
- Secured with a master password
- Can be modified
Operator benefits
- Increased service usage
- Building user loyalty
- Easy to implement, with minimal operator investment required
Secure Pass Application: End User Value
- Accessing secure data is effortless for the user
- Reduced complexity to access the secured data
- Can be configured so that, with one PIN or password, diverse confidential data is stored in one secure folder.
Protected SMS: Secure Chat application
- Secure one-to-one communication
- Via binary SMS messages
- Different encryption methods (e.g. 3DES; note that 3DES is now deprecated and AES should be used for new deployments)
- Limited access through an application PIN or password.
Key Features
- Secures the message from spying or snooping
- Access to the secure message is protected
- Guarantees a unique key for each user's service
Protected SMS: Operator benefits
- Increased service usage
- Allows the customer to send in circumstances where message security is a concern
- Building user loyalty
- Relies on existing technology
End User Value
- Protection for the text or data that is exchanged during the session
- Secure storage of these messages
One Time Password Applets
- OTP solutions are scalable network identity platforms that deliver the strong authentication consumers require to use sensitive on-line services confidently.
- Their key feature is that they transform the handset into a secure authentication token.
- An OATH OTP applet uses secret keys stored in the UICC to generate the OTP.
One Time Password Applets
There are 3 basic interfaces for OTP:
- Voice channel
- SMS channel
- MMI channel
OTP solutions avoid the need to remember special procedures, tokens or memorize ...
VPN and Secure Storage of Data
A virtual private network (VPN) is a network that uses the Internet to provide remote offices or individual users with secure access to their organization's ...
VPN and Secure Storage of Data
VPN applications allow direct, secure access to corporate data from the handset or from the PC.
Advantages
- Greater scalability
- Easy to add/remove users
- Reduced long-distance telecommunications costs
- Mobility
- Security
Protection of Downloaded and Broadcasted Content
To control the distribution and consumption of downloaded digital media objects, the Open Mobile Alliance (OMA) has provided appropriate Digital Rights Management (DRM) specifications to protect authors' and content providers' intellectual property rights from unauthorized ...
Streaming of DRM-protected content
A Rights Object (RO) is generated, the content encryption key (CEK) needed to access the encrypted stream is put in the RO, and the RO is then bound to a DRM Agent.
Sharing Content use case (Super Distribution and Domains)
The basic model of OMA DRM binds the RO and CEK to a specific DRM Agent. The domain model based service offered by the Service Provider extends this notion, allowing a Rights Issuer (RI) to bind the RO and CEK to a group of DRM Agents. An end user may then share a specific DRM content off-line with other mobile equipment, either owned by him or belonging to friends.
Service and Content Protection
Digital Video Broadcasting (DVB) organization ...
DRM Profile
The OMA BCAST DRM Profile relies on OMA DRM v2.0 for the key material exchange, based on Public Key Infrastructure (PKI), and for RO management.
Smart Card Profile
- A smartcard-based solution relying on the 3GPP Multimedia Broadcast Multicast Service (MBMS).
- It requires a continuously active channel to manage registration and key material.
- There are 2 variants: a) the SIM Smartcard Profile; b) the UIM/CSIM Smartcard Profile.
The Mobile Broadcast Services Enabler Suite of the Open Mobile Alliance (DRM and Smartcard Profiles) has the following protection features:
- Transport-layer security with SRTP or IPsec allows format flexibility.
- Content-layer security with ISMACryp, however, allows the solution to be completely independent of the intrinsic transport- or IP-layer security.
Security Requirements
For consistency in DRM implementations, the Open Mobile Terminal Platform (OMTP) has provided a set of specific terminal requirements.
According to this, the Rights Object (RO, e.g. for a picture) is protected using a Rights Encryption Key (REK) for its sensitive parts, such as the Content Encryption Key (CEK). The RO is signed by the Rights Issuer (RI). During delivery the REK is cryptographically bound to the target DRM Agent. Only in this manner can the DRM Agent access the RO and thus the CEK.
OMTP has published 2 documents giving a set of security requirements. These documents are:
- Basic Trusted Environment (TR0) in 2006, which provides the basic security requirements for debugging, mobile device ID protection and basic DRM security.
- Advanced Trusted Environment (TR1) in 2008, which gives a set of advanced terminal security requirements to deal with the threat of hackers. It enables a secure storage facility and a secure link between the mobile equipment and the UICC.
Authentication Applications: Extensible Authentication Protocol
- Supports multiple authentication methods
- Specifies the informational elements relevant to specific mechanisms to be carried in the EAP message, thus making EAP very flexible
- EAP runs directly over data link layer protocols
EAP Architecture
The peer and authenticator entities start the EAP exchange. The latter is the link endpoint (e.g. access point or NAS) that initiates EAP authentication; the former is the link endpoint that responds to the authenticator using a supplicant, a software component which enables an EAP peer to send EAP packets over a link layer protocol (e.g. PPP or 802.1X).
The actual authentication is done by the EAP server, which implements an authentication method and terminates the authentication exchange with the peer.
The AAA server is a Remote Authentication Dial-In User Service (RADIUS) or a Diameter server.
EAP Methods: EAP-SIM Authentication
- Developed by the IETF in support of 3GPP
- Specifies the use of a SIM for mutual authentication and session key distribution in GSM
- Specifies enhancements to GSM authentication and key agreement
- Includes network authentication, user anonymity support, result indications, and a fast re-authentication procedure
- Caveat: EAP-SIM inherits the strength of the GSM A3/A8 algorithms and triplets; where a USIM is available, EAP-AKA is the stronger choice.
EAP-AKA Authentication
- Based on the Authentication and Key Agreement (AKA) mechanism used in third generation mobile networks
- Specifies an EAP method for mutual authentication and session key distribution that uses the third generation Authentication and Key Agreement
- UMTS and CDMA2000 are global third generation mobile network standards that use the same AKA mechanism.
EAP-TLS Authentication
- Begins with the authenticator and the peer negotiating the use of EAP over the link.
- After that the authenticator sends an EAP-Request/Identity packet to the peer, and the peer responds with an EAP-Response/Identity packet to the authenticator containing the peer's user identifier.
- From this step forward, EAP converses between the peer and the EAP server, which may be located at the back-end authentication server or be part of the authenticator.
- When the EAP server is located at the back-end server, the authenticator encapsulates the EAP packets in the protocol packets that run between the authenticator and the back-end server.
- EAP-TLS leverages the handshake protocol defined in the Transport Layer Security (TLS) protocol.
- The protocol enables the peer and the server to authenticate each other using digital certificates.
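The identity exchange and the RADIUS relay described above, as an added Python example written for this page (not code from the white paper or any EAP implementation). It builds and parses RFC 3748 EAP packets, pairs a Response with the outstanding Request by Identifier, and shows how the authenticator carries an EAP packet to the AAA server in RFC 2869 EAP-Message attributes: a RADIUS attribute holds at most 253 bytes of value, so a TLS handshake flight is split across several attributes and reassembled in order on the server. The identity string and payloads are constructed; the function names are my own.

```python
import struct

# EAP Codes and Types from RFC 3748 (Identity, Nak) and the EAP method registry (TLS, SIM, TTLS, AKA).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_TLS, TYPE_SIM, TYPE_TTLS, TYPE_AKA = 1, 3, 13, 18, 21, 23
RADIUS_EAP_MESSAGE = 79      # RFC 2869 EAP-Message attribute (authenticator <-> AAA server)
RADIUS_ATTR_MAX_VALUE = 253  # attribute Length is one octet and includes the 2-octet header


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]. Success/Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Parse one EAP packet; bytes beyond the Length field are lower-layer padding and are dropped."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with received data")
    pkt = pkt[:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": identifier, "type": None, "data": b""}
    if code not in (EAP_REQUEST, EAP_RESPONSE) or length < 5:
        raise ValueError("Request/Response must carry a Type octet")
    return {"code": code, "id": identifier, "type": pkt[4], "data": pkt[5:]}


def identity_exchange(peer_nai):
    """Authenticator -> peer: Request/Identity. Peer -> authenticator: Response/Identity, same Identifier."""
    request = build_eap(EAP_REQUEST, 1, TYPE_IDENTITY)
    outstanding = parse_eap(request)
    response = build_eap(EAP_RESPONSE, outstanding["id"], TYPE_IDENTITY, peer_nai.encode())
    return request, response


def response_matches(request, response):
    """RFC 3748 section 4.1: a Response is only accepted if its Identifier matches the outstanding Request."""
    req, resp = parse_eap(request), parse_eap(response)
    return req["code"] == EAP_REQUEST and resp["code"] == EAP_RESPONSE and req["id"] == resp["id"]


def nak_response(identifier, desired_types):
    """Legacy Nak (Type 3): the peer rejects the proposed method and lists the methods it supports."""
    return build_eap(EAP_RESPONSE, identifier, TYPE_NAK, bytes(desired_types))


def to_radius_eap_message(eap_pkt):
    """Authenticator side: split one EAP packet into EAP-Message attributes for an Access-Request."""
    attrs = []
    for i in range(0, len(eap_pkt), RADIUS_ATTR_MAX_VALUE):
        chunk = eap_pkt[i:i + RADIUS_ATTR_MAX_VALUE]
        attrs.append(struct.pack("!BB", RADIUS_EAP_MESSAGE, 2 + len(chunk)) + chunk)
    return attrs


def from_radius_eap_message(attrs):
    """AAA server side: concatenate the attribute values, in order, to recover the EAP packet."""
    out = bytearray()
    for attr in attrs:
        attr_type, length = attr[0], attr[1]
        if attr_type != RADIUS_EAP_MESSAGE or length != len(attr) or length < 3:
            raise ValueError("malformed EAP-Message attribute")
        out += attr[2:]
    return bytes(out)
```

In a real deployment the Access-Request also carries a Message-Authenticator attribute (RFC 2869) whenever EAP-Message is present, so that the EAP payload relayed by the authenticator cannot be altered in transit; the split and reassembly above are exactly what the authenticator and server perform around that integrity check.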
EAP-TTLS Authentication
- Employs the TLS handshake protocol for authenticating an authentication server to a peer, but the method does not require peer authentication to the server using digital certificates.
- Such authentication is done after a secure connection (TLS tunnel) is established between the peer and the server as a result of the handshake.
- It allows the use of widely deployed legacy mechanisms by providing additional protection.
- Establishes the keying material that secures the data connection between the peer and the access point or Network Access Server (NAS).
Generic Bootstrapping Architecture (GBA)
Generic Bootstrapping Architecture (GBA) is a technology that enables the authentication of a user.
It enables authenticated User Equipment (UE) access to Network Application Function (NAF) services.
The GBA includes three major entities:
- An end user who is trying to obtain network services using User Equipment (UE)
- An application server (called Network Application Function, or NAF)
- A trusted entity (called Bootstrapping Server Function, or BSF), which authenticates and shares keys between the two other entities.
The GBA authenticates a user, who is using a UE, to an application server (NAF) without revealing the user's long-term credentials and secrets to the NAF, by using the trusted entity BSF.
The GBA authentication procedure results in a secret key being shared by the UE and the NAF.
This shared key can be used for mutual authentication of the UE and NAF, and for protected data exchange between these entities.
GBA also supports Single Sign-On (SSO).
SSO is accomplished by repeating the GBA authentication procedure to authenticate the UE to multiple NAFs without requesting the user's login credentials.
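The key derivation behind the procedure above, as an added Python example for this page (not 3GPP or white-paper code). After the Ub run, UE and BSF share Ks = CK || IK under a B-TID; each NAF then receives its own Ks_NAF, derived from Ks, RAND, IMPI and NAF_Id with the HMAC-SHA-256 KDF modelled on 3GPP TS 33.220 Annex B, so the NAF never sees Ks or the long-term AKA key, and one bootstrapping serves several NAFs (the SSO case) without giving any NAF a key that works at another. The RAND, CK, IK, IMPI, BSF and NAF names and the Ua protocol identifier bytes are constructed placeholders; the class and function names are my own.

```python
import base64
import hashlib
import hmac

# Constructed AKA outputs for the demo; in a real Ub run they come from the USIM and the HSS.
RAND = bytes.fromhex("0123456789abcdef0123456789abcdef")
CK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
IK = bytes.fromhex("f0e0d0c0b0a090807060504030201000")
IMPI = b"user@ims.mnc001.mcc001.3gppnetwork.org"

FC_KS_NAF = b"\x01"  # FC for Ks_NAF derivation (TS 33.220 Annex B.3); "gba-me" = key derived in the ME


def kdf(key, fc, *params):
    """Generic KDF of TS 33.220 Annex B.2: HMAC-SHA-256(Key, FC || P0 || L0 || ... || Pn || Ln)."""
    s = fc
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_naf(ks, rand, impi, naf_id, variant=b"gba-me"):
    return kdf(ks, FC_KS_NAF, variant, rand, impi, naf_id)


def naf_id(fqdn, ua_protocol_id):
    """NAF_Id = NAF FQDN || Ua security protocol identifier (5 bytes): binds the key to one NAF and protocol."""
    return fqdn.encode() + ua_protocol_id


class BSF:
    def __init__(self, name):
        self.name, self.sessions = name, {}

    def bootstrap(self, impi, ck, ik, rand):
        """Ub outcome: Ks = CK || IK, referenced by B-TID = base64(RAND)@BSF name. Ks never leaves UE/BSF."""
        ks = ck + ik
        btid = base64.b64encode(rand).decode() + "@" + self.name
        self.sessions[btid] = (impi, rand, ks)
        return btid

    def zn_key_request(self, btid, requesting_naf_id):
        """Zn: the NAF presents the B-TID and its own NAF_Id; the BSF answers with Ks_NAF only."""
        impi, rand, ks = self.sessions[btid]
        return derive_ks_naf(ks, rand, impi, requesting_naf_id)


class UE:
    def __init__(self, impi, ck, ik, rand, btid):
        self.impi, self.ks, self.rand, self.btid = impi, ck + ik, rand, btid

    def ua_authenticate(self, target_naf_id, msg):
        """Ua: prove possession of Ks_NAF with a MAC; the NAF learns the B-TID, not the credentials."""
        key = derive_ks_naf(self.ks, self.rand, self.impi, target_naf_id)
        return self.btid, msg, hmac.new(key, msg, hashlib.sha256).digest()


class NAF:
    def __init__(self, fqdn, ua_protocol_id, bsf):
        self.naf_id, self.bsf, self.keys = naf_id(fqdn, ua_protocol_id), bsf, {}

    def verify(self, btid, msg, tag):
        key = self.keys.get(btid) or self.bsf.zn_key_request(btid, self.naf_id)
        self.keys[btid] = key  # cached until the B-TID lifetime expires
        return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)


def demo():
    bsf = BSF("bsf.mnc001.mcc001.pub.3gppnetwork.org")
    btid = bsf.bootstrap(IMPI, CK, IK, RAND)
    ue = UE(IMPI, CK, IK, RAND, btid)
    ua = b"\x01\x00\x00\x00\x02"  # placeholder Ua security protocol identifier
    bank = NAF("bank.example.com", ua, bsf)
    ticket = NAF("tickets.example.com", ua, bsf)
    bank_ok = bank.verify(*ue.ua_authenticate(bank.naf_id, b"GET /balance"))
    ticket_ok = ticket.verify(*ue.ua_authenticate(ticket.naf_id, b"GET /ticket"))  # SSO: no new Ub run
    # A tag computed with the bank's Ks_NAF must be rejected by the ticketing NAF.
    btid2, msg, tag = ue.ua_authenticate(bank.naf_id, b"GET /ticket")
    cross = ticket.verify(btid2, msg, tag)
    return {"bank": bank_ok, "ticket": ticket_ok, "cross_naf_key_accepted": cross,
            "keys_differ": bank.keys[btid] != ticket.keys[btid]}
```

The property worth checking in a review is that the NAF only ever holds Ks_NAF: a compromised NAF yields a key usable at that NAF alone, because NAF_Id is an input to the derivation and the BSF derives the key for the NAF_Id the requesting NAF is authenticated as over Zn.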
Public Key Infrastructure (PKI) and Certificate-based Authentication
Certificates are commonly used for authentication of network entities.
Description of Authentication Certificate
A certificate is a digital document that includes an entity's identifier, its attributes, the entity's public key, and other authentication information (i.e. information on the certificate issuer, starting and ending dates and times of the certificate's validity, etc.).
A certificate is digitally signed by a trusted third party, which is called the Certification Authority (CA).
Description of Authentication Certificate
The CA computes a hash (e.g. SHA-1 at the time of writing; SHA-1 is now deprecated for signatures and SHA-256 or stronger should be used) of all the fields except the SignatureValue field, signs it with its own private key, and then adds the signature to the certificate in the SignatureValue field.
To validate the data integrity, the recipient first uses the signer's public key to recover the hash from the digital signature. The recipient then uses the same hashing algorithm that generated the original hash to generate a new hash of the same data. If the two hash values match, the recipient can trust the certificate's holder information, as long as it trusts the CA that issued the certificate and the certificate is within its validity period.
Certificate-based Authentication
Suppose user A wishes to send an authenticated message to user B, assuming that user B has obtained a certificate from a trusted CA which identifies user A as the certificate's holder, and that B has verified the CA's signature, checked the validity dates, etc.
For B to authenticate the message, user A encrypts a digest MD(P) of his plain text message P with his private key DA.
Then user A sends the result of the encryption, DA(MD(P)), to user B along with the plain text P itself. That is, user A sends the message (P, DA(MD(P))) to B.
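The certificate check and the DA(MD(P)) flow of the two slides above, as an added Python example for this page (not code from the white paper or any PKI library). It uses schoolbook RSA without padding and a SHA-256 digest purely to mirror the slide's notation; real deployments must use PKCS#1 v1.5 or PSS signatures, X.509 encoding and a vetted library. The "certificate" is a small JSON structure holding the fields the slide lists, signed over everything except signatureValue; the Miller-Rabin prime generator, the names and the validity times are mine and for illustration only.

```python
import hashlib
import json
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin; adequate for an illustration, not a vetted prime generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=1024):
    """Returns (public, private) as (e, n) and (d, n). Raw RSA, no padding: illustration only."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def md(data):
    """MD(P): the message digest as an integer (SHA-256 here; the slide's SHA-1 is no longer acceptable)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    d, n = priv
    return pow(md(data), d, n)          # DA(MD(P)) in the slide's notation


def verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == md(data)   # recover the digest with the public key, compare with a fresh hash


def tbs(cert):
    """Canonical bytes of every field except signatureValue: the to-be-signed part the CA hashes."""
    return json.dumps({k: v for k, v in cert.items() if k != "signatureValue"}, sort_keys=True).encode()


def ca_issue(ca_priv, issuer, subject, subject_pub, not_before, not_after):
    cert = {"issuer": issuer, "subject": subject, "publicKey": list(subject_pub),
            "notBefore": not_before, "notAfter": not_after}
    cert["signatureValue"] = sign(ca_priv, tbs(cert))
    return cert


def validate_certificate(cert, ca_pub, now, expected_issuer):
    """B's checks: the issuer is the CA it trusts, the CA signature verifies, and now is inside validity."""
    if cert["issuer"] != expected_issuer:
        return False
    if not verify(ca_pub, tbs(cert), cert["signatureValue"]):
        return False
    return cert["notBefore"] <= now <= cert["notAfter"]


def authenticate_message(cert, ca_pub, now, ca_name, message, sig):
    """B receives (P, DA(MD(P))) plus A's certificate; both the certificate and the message signature must hold."""
    if not validate_certificate(cert, ca_pub, now, ca_name):
        return False
    return verify(tuple(cert["publicKey"]), message, sig)
```

The order matters: B validates the certificate (issuer, CA signature, validity window) before trusting the public key inside it, and only then verifies DA(MD(P)). A valid message signature under a certificate that fails any of the first checks proves nothing about who A is. Revocation checking (CRL/OCSP) is the further step a production verifier adds.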
Digital Identity
There are three participants in digital identity interactions using Information Cards:
- Identity Providers issue digital identities for you.
- Relying Parties accept identities for you.
- The Subject is yourself, the party in control of all these interactions.
Identity Selection Applications
- User-centric identity management application
- Authentication with a service provider
- Consistent way to work with multiple digital identities using Information Cards (InfoCards). The user does not directly conduct the authentication process with the RP.
- The authentication process takes place between the RP and the IP, where the identity selector is a trust broker for the authentication process, using security tokens which require mutual authentication.
OpenID and SAML 2.0 Model
- The combination of the identity selector and OpenID provides the most promising solution for fixing the phishing problem.
- The identity selector can mitigate man-in-the-middle attacks when using OpenID, as the authentication process is not between the user and the RP.
- The complex layers of the SAML standard specifications limit its adoption.
- MNOs may support both SAML and OpenID in the identity selector applet to address different mobile application requirements and customer needs.
Identity Selector Authentication Flow
Key Differentiators
The GSM evolutionary family of mobile access technologies has a clear advantage over other access technologies as far as security features are concerned.
At the heart of most of these advantages is the UICC.
The UICC is a secure portable token that is recognized ...
1. Security features
The Milenage algorithm commonly used in UMTS network access authentication is also viewed as superior to the authentication mechanisms used in other access technologies.
The UICC is engineered to include a number of physical and logical countermeasures that make compromising its secrets extremely difficult.
To ensure that only the correct user can access the secrets stored in the UICC, the information is protected using a PIN or password, which enables two-factor authentication (possession of the UICC plus knowledge of the PIN).
2. Managing the sensitive information
Once in the field, secure data and applications can be remotely managed via GlobalPlatform.
The distinct advantage enjoyed by the GSM family of operators is that the network platforms used to remotely access secure data are likely already installed in their networks.
Most OTA platforms currently deployed utilize ...
3. Managing and transferring credentials
A collateral advantage of strongly tying security credentials to the wireless account is the power that this gives the network operator to manage the features and credentials used by a subscriber.
In cases of loss or fraud, the credentials can be very easily terminated or modified before they can be used without the subscriber's knowledge.
By tokenizing ...
Conclusion
Security and trust are real concerns for consumers and application providers alike.
Attempts to compromise services and applications, such as identity theft, phishing and pharming, threaten to limit the types of applications that are provided.
Not surprisingly, the applications that have the greatest revenue potential are also those that are obvious targets for hackers to steal information and use it maliciously.