The future of a smart mobile device as a trusted personal
Identity management assistant
Vladimir JirasekCISSP-ISSAP & ISSMP, CISM, CISA
Senior Enterprise Security Architect, Nokia
Steering Group, Common Assurance Maturity Model
Non-executive director, CSA UK & Ireland
1
Identity model in a physical world
2
• Mutual international acceptance of government issued passports.
• Acceptance of country specific ID cards within the country by government agencies and businesses.
Identity problem in cyber space
3
Identity problem in cyber space
4
Security risk,
inconvenience and
economic acceleration
hindrance
Digital catching up physicalgovernments are waking up
• USA – National Strategy for Trusted identity in Cyberspace (NSTIC)
• EU – European ID (eID)
• Other states may have their own plans
5
Leading ThinkTank on Information SecurityPrinciples of de-perimiterisation (2006)Now published Identity commandments (May 2011)
Interoperability is not given but should be architected into the digital identity systemsInteroperability is not given but should be
architected into the digital identity systems
NSTIC already in discussions with leading identity providersNSTIC already in discussions with leading identity providers
The shift in identity management is imminent
• People will embrace new way of identity management
• Iceberg with topple (violently – be prepared)
• Single (or very few) personal identity
• Self-assured or trusted attribute providers
6
We need a trusted device that manages this for us
We need a trusted device that manages this for us
Mobile device becomes ubiquitous identity assistant
7
Certifies attributes
Certifies Identity provider
Certifies Attribute provider
Contract
Requests identity
Issues identity into smart
device
Authenticates user
Seamless login
Authenticates user
Manages different “Personas” on behalf of userAuthenticates user and passes required attributes
Manages different “Personas” on behalf of userAuthenticates user and passes required attributes
Policies for required level of identity assurance and attributes
(Multiple of)
(Multiple of)
Now we have vision! What next?
Technology• SAML• Oauth• Secure mobile device• mTPM• Secure key storage• Secure and trusted OS• NFC• Bluetooth• Face recognition• Voice recognition• Cryptography and PKI
Governance• Jericho forum Identity
Commandments compliance• Segregation of Identity and
Attribute providers!• Trust between Service
providers and Identity and Attribute providers
• International agreement on compatibility of identity protocols
8
Mobile device as a trusted device: [4,5]
How does mobile HW and OS hold up?
9
Typically contains System on Chip (SoC)
Load Kernel and mobile OS
Load mobile applications
If Trust is not assured from HW up then there is no trust at all!
Enterprise apps accessed from mobile devices
OS security capabilities are crucial
Application segregation, security reviews
Mobile threats summary [2]
10
• Web-based and network-based attacks – mobile device is connected, browsing websites with malicious content
• Malware – traditional viruses, worms, and Trojan horses
• Social engineering attacks – phishing. Also used to install malware.
• Resource and service availability abuse – botnet, spamming, overcharging (SMS and calls)
• Malicious and unintentional data loss – exfiltration of information from phone
• Attacks on the integrity of the device’s data – malicious encryption with ransom, modification of data (address book)
• Web-based and network-based attacks – mobile device is connected, browsing websites with malicious content
• Malware – traditional viruses, worms, and Trojan horses
• Social engineering attacks – phishing. Also used to install malware.
• Resource and service availability abuse – botnet, spamming, overcharging (SMS and calls)
• Malicious and unintentional data loss – exfiltration of information from phone
• Attacks on the integrity of the device’s data – malicious encryption with ransom, modification of data (address book)
Mobile Security Models [2]
• Traditional Access Control: passwords and idle-time screen locking.
• Application Provenance: Application signing and Application review in App store
• Encryption: Encryption of device data and application data
• Isolation: traditional Sandboxing and Storage separation
• Permissions-based access control: Limiting application to needed functionality only
11
All must be supported by Trust from HW up.
Jailbreaking breaks the security model!Jailbreaking breaks the security model!
12
Interoperable cyber identity means more security and more convenience for users
= economic benefits
Interoperable cyber identity means more security and more convenience for users
= economic benefits
Smart mobile device becomes a centre of identity management – secure store and conveniently user digital identity in
everyday life(Communicate, Contribute, Access, Pay)
Smart mobile device becomes a centre of identity management – secure store and conveniently user digital identity in
everyday life(Communicate, Contribute, Access, Pay)
Governments should promote interoperable identity frameworks
Governments should promote interoperable identity frameworks
Identity and attribute providers will operate internationallyRegistration authorities will operate mostly nationally
Identity and attribute providers will operate internationallyRegistration authorities will operate mostly nationally
Resources1. Veracode Mobile app Top 10 - http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/
2. Symantec Security Analysis of iOS and Android - http://www.symantec.com/about/news/release/article.jsp?prid=20110627_02
3. Mobile Trusted Computing Platform - http://www.trustedcomputinggroup.org/developers/mobile
4. Understanding HW architecture of Smartphones - http://hubpages.com/hub/Understanding-the-hardware-architecture-of-smartphones
5. A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia - http://asokan.org/asokan/research/platsec-comparison-ETHZ-mar2011.pdf
6. Security in Windows Phone 7 - http://msdn.microsoft.com/en-us/library/ff402533(v=VS.92).aspx
7. Difference between Oauth and OpenID - http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing
8. Kantara Initiative - http://kantarainitiative.org/
9. NSTIC - http://www.nist.gov/nstic/
10. ENISA - http://www.enisa.europa.eu/
11. Jericho Forum - https://www.opengroup.org/jericho/
13
Questions?Click on the questions tab on your screen, type in your question, name
and e-mail address; then hit submit.
14
Question 1: Which party issues a trusted digital identity to an
user• Government
• Attribute provider
• Registration authority
• Identity provider
15
Question 2: Which technology makes sure that the mobile device boot loader has not been altered
• Bluetooth
• Trusted Computing Base for mobile
• NFC
• Face recognition
16
Question 3: Which security mechanism ensured that mobile applications cannot directly talk to each
other
• Access control
• Sandboxing
• Data encryption
• Clipboard protection
17
Question 4: What is NSTIC
• National Science Technology Institute for Computing
• National Strategy for Trusted Identity for Computers
• National Strategy for Trusted Identity in Cyberspace
• National Strategy for Technology Inovation in Cyberspace
18