TDL Sprint Trustworthy Mobile Devices: Token based MDM for Native Application Policy Enforcement 2014 – 03 CRYPTAS, NEC Laboratories Europe Stefan Bumerl

Page 1

TDL Sprint

Trustworthy Mobile Devices: Token based MDM for Native Application Policy Enforcement

2014 – 03

CRYPTAS, NEC Laboratories Europe

Stefan Bumerl

Page 2: Description of Sprint: Why at all? (high-level)

CRYPTAS it-Security GmbH / cryptas.com / cohors.net / cryons.com / cryptoshop.com / 2

© 2014 CRYPTAS it-Security GmbH / Franzosengraben 8 / 1030 Wien / Austria / T +43 (1) 35553-0 / F +43 (1) 35553-990 / E [email protected]

• Sprint cooperation of NEC and CRYPTAS
• Increasing demand for secured applications in BYOD scenarios
  - Many different applications: since a trusted, mobile-device-independent anchor is required, encapsulated container solutions are not always feasible
  - Different policies for applications, potentially depending on different criteria
• Need for certificate based security
  - Existing solutions are often password (PW) based
  - Continuous integration of tokens
  - Secure element personalization is often not possible
  - Use of NFC and microSD
• Combining technology
  - Device application modification and MDM with policy management
  - CAVE clientless solution with TicTok tokens via NFC
• Collecting and implementing user requirements
• Demo for interaction of trusted stack mechanisms and eID federation

Page 3: Technology description: What is inside? (low-level)


The sprint combines three building blocks (diagram on the slide):

1. In-Device Modification of Application-Code
2. Mobile Device Management: Enterprise, SaaS or privately managed MDM
3. Trusted Hardware Anchor: Unique ID, Trusted Comm. Channels, Trusted Signatures

Sprint: Trustworthy Mobile Devices: Token based MDM for Native Application Policy Enforcement

Page 4: NEC Application Container – 1 „Enforcing Policies“


• NLE provides a Secure Application Container that is capable of enforcing enterprise-defined policies on every installed non-system app on the end user's mobile device.

• It runs together with the “BYOD Management & User Notification“ component and adds Policy Enforcement Points (PEPs) to each target application during the rewriting process.

• All user interaction is done through the “BYOD Management & User Notification“ app.

Diagram on the slide: an App passes through APP-REWRITING and ends up as an App inside the Secure App Container with several PEPs inserted.

Page 5: NEC Application Container – 2 „Manipulating Mobile Devices“ & MDM


Diagram on the slide: architecture of the container and the MDM.

Mobile Device: several Apps (some with a PEP), the BYOD Management App containing the Policy Decision Point (PDP), and the Secure Hardware Anchor. Labelled flows on the device: CheckPolicy, ProvidePolicies, Modify and Enforce.

Trusted Environment (e.g., Enterprise), reached via VPN: MDM Backend and MDM Web-Interface (Add/Delete/Modify Policies).

External Partner, reached via VPN over the Internet: Add/Delete/Modify PEPs. Two interfaces are labelled API.

Page 6: Secure eID – „clientless“ CAVE.

Page 7: CAVE – Features

• Card access without the need for any middleware on the client
• Increased security, as a direct secure channel between the secure environment and the card is established
• Reducing the TCO
  - No extra support for different client platforms
  - No influence of different middlewares in multi-card environments
  - No dependency on client configurations (applications, firewalls, antivirus ..)
  - No client side updates; enhancements are immediately available for all
• Enabling server side virtual cards
  - Can be used for replacement actions (e.g. forgotten cards)
  - Especially in combination with other supported strong authentication mechanisms (SMS – OTP, ..)
• CAVE – API
  - For non browser based applications
  - For deeper application integration requirements (mobile Apps)
• Integration in federated environment
• Multiple simultaneous card support

Page 8: TicTok – „One Card fits it all…“.

• Private PKI: e.g. domain logon, VPN, OWA, ....
• Federated PKI: Identity Provider / Digital Signature
• Alternative Authentication: One-Time-Password Generator
• Add-On-Applications: e.g. EmergencyApp, Ticket-Store, …
• RFID-Emulation: e.g. Mifare, NFC, Legic “Card-In-Card”…
• Contact Interface: ISO 7816 based, for standard readers
• Contactless Interface: ISO 14443 based, for NFC, PACS, …

Benefits shown on the slide: Cost efficient, Existing environment, Reliability, Mobile Environments, Fast Transactions, NFC Compatibility

Page 9: TicTok – Specification

• Java Card / GlobalPlatform powered secure microcontroller
• Common Criteria and FIPS certified configurations
• ISO 7816 contact interface
• ISO 14443 Type B contactless interface
  - Enabling NFC applications
• Cryptographic functions:
  - DES, 3DES, AES
  - RSA, ECC
  - SHA-1, SHA-224, -256, -384 and -512
• Biometric Match-On-Card Application (optional)
• Windows 7 Plug-n-play
• Support for card and credential management systems

Page 10: User Experience: What does the user expect from us?

• Easy to manage Mobile Device Management (MDM) interface, offering easy integration of devices associated with users.

• Easy to use user application, managing all modified applications. Running on Android OS.

• Every user has their own unique smartcard, providing policies and secure channels.

Page 11: Benefits / Impact: Identities + Mobile Devices everywhere!

• Enterprise customers > 250 employees (*Statistik Austria 2007)
  - Total ~1.000 companies with in total 890.000 employees
  - Banks and insurances: 61 with in total 70.000 employees
  - Energy and utility: 27 with in total 22.000 employees
  - Manufacturers: 459 with in total 292.000 employees
• Health sector (*Gesundheitsministerium 2010)
  - Hospitals: in total 102.400 health professionals excluding management (21.000 doctors, 53.000 nurses, 13.800 ambulance, 13.300 MTA, 1.300 midwives)
  - Social insurances: in total 26.700 employees
  - GDA (support organizations, rescue services, geriatric centers..): 100.000 est.
• Academia (*Statistik Austria 2010)
  - 273.000 students at public universities
  - 37.000 students at colleges
  - 6.000 students at private universities (+ 16.000 rest)
• Loyalty programs
  - Regional customer retention (NÖ-Card, Kärnten-Card…)
  - Discount cards (retailers, clubs…)
  - Member cards (ÖAMTC, AK, WKO,…)

Identity classes (diagram on the slide):

• Class 4 “Secure”: Qualified Digital Signature, legally binding; secure personal registration, assurance according to signature law
• Class 3 “Standard”: Trusted eID, e.g. WPV, enterprise, health; formal registration, federated trust, limited liability
• Class 2 “Entry”: Multi app. systems, e.g. eTicket, universities…; deployment on the basis of existing and accepted databases
• Class 1 “Loyalty”: Marketing, e.g. customer retention; simple registration, post delivery, plausibility, existing customer

Page 12: Scheduling of the Sprint

• First Demo: At TDL Event – beginning of April 2014
• Second Demo: At trial users – end of April 2014
• Solution adaptation: Together with users, implementing user wishes, solution customization – until end of July 2014
• Quality control and user survey – until end of August 2014

Timeline markers on the slide: NOW, End Apr., End Jul., End Aug.

Page 13: Sprint requirements

For a successful TDL Sprint, the following requirements have to be fulfilled:

• Initial Version of „CAVE API“ present (CRYPTAS)
• Initial Version of „Application Container“ present (NEC)
• Fully functional microSD / NFC Smartcards (CRYPTAS)
• Provision of MDM Server-Backend
• Interested End-Users need to be contacted
• Adaptation of Smartcard OS / Software (CRYPTAS)
• Adaptation of Application Container (NEC)