TDL Sprint
Trustworthy Mobile Devices: Token based MDM for Native Application Policy Enforcement
2014 – 03
CRYPTAS, NEC Laboratories Europe
Stefan Bumerl
Description of Sprint: Why at all? (high-level)
CRYPTAS it-Security GmbH / cryptas.com / cohors.net / cryons.com / cryptoshop.com / 2
© 2014 CRYPTAS it-Security GmbH / Franzosengraben 8 / 1030 Wien / Austria / T +43 (1) 35553-0 / F +43 (1) 35553-990 / E [email protected]
⁄ Sprint cooperation of NEC and CRYPTAS
⁄ Increasing demand for secured applications in BYOD scenarios
_ Many different applications -> since a trusted, mobile-device-independent anchor is required, encapsulated container solutions are not always feasible
_ Different policies for applications, potentially depending on different criteria
⁄ Need for certificate based security
_ Existing solutions are often password (PW) based
_ Continuous integration of tokens
_ Secure element personalization is often not possible
_ Use of NFC and microSD
⁄ Combining technology
_ Device application modification and MDM with policy management
_ CAVE clientless solution with TicTok tokens via NFC
⁄ Collecting and implementing user requirements
⁄ Demo for interaction of trusted stack mechanisms and eID federation
Technology description: What is inside? (low-level)
[Diagram: three building blocks feeding into the Sprint "Trustworthy Mobile Devices: Token based MDM for Native Application Policy Enforcement": (1) In-Device Modification of Application-Code; (2) Mobile Device Management: Enterprise, SaaS or privately managed MDM; (3) Trusted Hardware Anchor: Unique ID, Trusted Comm. Channels, Trusted Signatures]
NEC Application Container – 1: „Enforcing Policies“
/ NLE provides a Secure Application Container that is capable of enforcing enterprise-defined policies on every installed non-system app on the end-user's mobile device.
/ It runs together with the “BYOD Management & User Notification“ component and adds Policy Enforcement Points (PEPs) to each target application during the rewriting process.
/ All user interaction is done through the “BYOD Management & User Notification“ app.
[Diagram: App -> App rewriting -> Secure App Container, with a PEP inserted into each rewritten app]
NEC Application Container – 2: „Manipulating Mobile Devices“ & MDM
[Diagram: Mobile Device running the BYOD Management App and a Policy Decision Point (PDP) next to several apps, some of them rewritten with a PEP; the PEPs send CheckPolicy to the PDP, which modifies and enforces; a Secure Hardware Anchor sits on the device. Over the Internet, via VPN, the Trusted Environment (e.g., Enterprise) hosts the MDM Backend, which provides policies (ProvidePolicies) and is administered through the MDM Web-Interface (Add/Delete/Modify Policies); an External Partner, also via VPN, can Add/Delete/Modify PEPs through an API]
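As an added illustration of the PEP/PDP split drawn on this slide (example code written for this page, not NEC's or CRYPTAS's implementation), the Python sketch below models a PDP loaded with MDM-provisioned policies and a PEP that the rewriting step would wrap around a sensitive call. The package names, the `network.connect` action and the "token present" criterion fed from the hardware anchor are assumptions.

```python
from dataclasses import dataclass
@dataclass
class Policy:
    app: str                     # target package, or "*" for a fleet-wide default
    action: str                  # guarded operation, e.g. "network.connect"
    effect: str                  # "allow" or "deny"
    require_token: bool = False  # criterion (assumed): the user's smartcard must be present

class PolicyDecisionPoint:
    """Holds the MDM-provisioned policies ("ProvidePolicies") and answers CheckPolicy."""
    def __init__(self, policies):
        self.policies, self.audit = policies, []
    def check_policy(self, app, action, token_present):
        # Most specific rule wins (app-specific shadows "*"); no match means default deny.
        matches = [p for p in self.policies if p.action == action and p.app in (app, "*")]
        matches.sort(key=lambda p: p.app == "*")
        decision = "deny"
        if matches:
            rule = matches[0]
            decision = rule.effect
            if decision == "allow" and rule.require_token and not token_present:
                decision = "deny"  # token criterion from the hardware anchor not met
        self.audit.append((app, action, decision))  # decision trail for the MDM backend
        return decision

class PolicyEnforcementPoint:
    """Inserted into a target app at rewriting time; wraps one sensitive call."""
    def __init__(self, pdp, app, token_probe):
        self.pdp, self.app, self.token_probe = pdp, app, token_probe
    def guard(self, action, call):
        def enforced(*args, **kwargs):
            if self.pdp.check_policy(self.app, action, self.token_probe()) != "allow":
                raise PermissionError(f"{self.app}: {action} denied by policy")
            return call(*args, **kwargs)
        return enforced

def demo(token_present):
    # Constructed scenario: the mail app may connect only while the token is present, others never.
    pdp = PolicyDecisionPoint([
        Policy("*", "network.connect", "deny"),
        Policy("com.example.mail", "network.connect", "allow", require_token=True),
    ])
    results = []
    for app in ("com.example.mail", "com.example.game"):
        pep = PolicyEnforcementPoint(pdp, app, lambda: token_present)
        try:  # the lambda stands in for the app's real socket call
            results.append(pep.guard("network.connect", lambda h: f"connected:{h}")("mail.example.org"))
        except PermissionError:
            results.append("denied")
    return tuple(results)
```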
Secure eID – „clientless“ CAVE.
CAVE - Features
⁄ Card access without the need for any middleware on the client
⁄ Increased security, as a direct secure channel between the secure environment and the card is established
⁄ Reducing the TCO
_ No extra support for different client platforms
_ No influence of different middlewares in multi-card environments
_ No dependency on client configurations (applications, firewalls, antivirus, ..)
_ No client-side updates; enhancements are immediately available for all
⁄ Enabling server-side virtual cards
_ Can be used for replacement actions (e.g. forgotten cards)
_ Especially in combination with other supported strong authentication mechanisms (SMS OTP, ..)
⁄ CAVE API
_ For non-browser-based applications
_ For deeper application integration requirements (mobile apps)
⁄ Integration in federated environments
⁄ Multiple simultaneous card support
TicTok - „One Card fits it all…“.
[Diagram: TicTok card functions. Private PKI (e.g. domain logon, VPN, OWA, ....); Federated PKI (Identity Provider / Digital Signature); Alternative Authentication; One-Time-Password Generator; Add-On-Applications (e.g. EmergencyApp, Ticket-Store, …); RFID-Emulation (e.g. Mifare, NFC, Legic “Card-In-Card” …). Contact interface: ISO 7816 based, for standard readers. Contactless interface: ISO 14443 based, for NFC, PACS, … Properties: cost efficient, existing environment, reliability, mobile environments, fast transactions, NFC compatibility]
TicTok - Specification
⁄ Java Card / GlobalPlatform powered secure microcontroller
⁄ Common Criteria and FIPS certified configurations
⁄ ISO 7816 contact interface
⁄ ISO 14443 Type B contactless interface
_ Enabling NFC applications
⁄ Cryptographic functions:
_ DES, 3DES, AES
_ RSA, ECC
_ SHA-1, SHA-224, -256, -384 and -512
⁄ Biometric Match-On-Card Application (optional)
⁄ Windows 7 Plug-n-play
⁄ Support for card and credential management systems
User Experience: What does the user expect from us?
Easy to manage Mobile Device Management (MDM) interface, offering easy integration of devices associated with users.
Easy to use user application, managing all modified applications. Running on Android OS.
Every user has their own unique smartcard, providing policies and secure channels.
Benefits / Impact: Identities + Mobile Devices everywhere!
/ Enterprise customers with > 250 employees (*Statistik Austria 2007)
_ Total ~1.000 companies with in total 890.000 employees
_ Banks and insurances: 61 with in total 70.000 employees
_ Energy and utility: 27 with in total 22.000 employees
_ Manufacturers: 459 with in total 292.000 employees
/ Health sector (*Gesundheitsministerium 2010)
_ Hospitals: in total 102.400 health professionals excluding management (21.000 doctors, 53.000 nurses, 13.800 ambulance, 13.300 MTA, 1.300 midwives)
_ Social insurances: in total 26.700 employees
_ GDA (support organizations, rescue services, geriatric centers, ..): 100.000 est.
/ Academia (*Statistik Austria 2010)
_ 273.000 students at public universities
_ 37.000 students at colleges
_ 6.000 students at private universities (+ 16.000 rest)
/ Loyalty programs
_ Regional customer retention (NÖ-Card, Kärnten-Card, …)
_ Discount cards (retailers, clubs, …)
_ Member cards (ÖAMTC, AK, WKO, …)
Class 4 “Secure”: Qualified Digital Signature, legally binding; secure personal registration, assurance according to signature law
Class 3 “Standard”: Trusted eID, e.g. WPV, enterprise, health; formal registration, federated trust, limited liability
Class 2 “Entry”: Multi-app. systems, e.g. eTicket, universities, …; deployment on the basis of existing and accepted databases
Class 1 “Loyalty”: Marketing, e.g. customer retention; simple registration, post delivery, plausibility, existing customer
Scheduling of the Sprint
• First Demo: At TDL Event – beginning of April 2014
• Second Demo: At trial users – end of April 2014
• Solution adaptation: Together with users, implementing user wishes, solution customization – until end of July 2014
• Quality control and user survey – until end of August 2014
[Timeline: Now -> End Apr. -> End Jul. -> End Aug.]
Sprint requirements:
For a successful TDL Sprint, the following requirements have to be fulfilled:
⁄ Initial version of „CAVE API“ present (CRYPTAS)
⁄ Initial version of „Application Container“ present (NEC)
⁄ Fully functional microSD / NFC smartcards (CRYPTAS)
⁄ Provision of MDM Server-Backend
⁄ Interested end-users need to be contacted
⁄ Adaptation of Smartcard OS / Software (CRYPTAS)
⁄ Adaptation of Application Container (NEC)