Transcript
Page 1: Smart OpenID & Mobile Network Security

© 2012 InterDigital, Inc. All rights reserved.

Chip-to-Cloud 2012

19-20 September 2012

SMART OPENID & MOBILE NETWORK SECURITY

BRINGING STRONG AUTHENTICATION FOR INTERNET ACCESS ON MOBILE DEVICES

Yogendra Shah InterDigital

Carsten Rust Morpho Cards

Andreas Leicher Novalyst

Page 2: Smart OpenID & Mobile Network Security

Identity Management on Mobile Platforms

• Users are used to an always connected Internet desktop experience
• Mobile devices are being used more and more to store confidential data and for secure Internet transactions
  • Unlike desktops, mobile devices are more likely to be lost or stolen easily
• Users are looking for a seamless and secure Internet experience
  • Concerned about the risk of privacy and giving away their identity information to too many services
  • Sony PS network hack!
  • Want consistent, transparent and secure “one-click” access to Internet services
• MNO backed single-sign-on or federated identity provides a framework for strong “branded” authentication security
  • Operator value-add with UICC-based credentials

Page 3: Smart OpenID & Mobile Network Security

OpenID – Industry Standard HTTP-based SSO Protocol

Lightweight protocol designed for Web2.0

Improved user experience and persistent identities

Supported by industry groups and US government

Relevance for mobile markets is growing

BUT …

Cuts operator out of identity management

Burdens the authentication infrastructure

Page 4: Smart OpenID & Mobile Network Security

InterDigital’s Smart OpenID - Optimized for Wireless

Operator becomes the Identity Provider

Branding on web screen during logon

Strong user/device authentication built on security of smartcard / UICC

Significantly reduced burden on authentication servers

Roll-out feasible via over-the-air App to phone and SMS applet to UICC

Page 5: Smart OpenID & Mobile Network Security

Operator Anchored OpenID Proxy on UICC

• GBA is used for application layer authentication bootstrapping based on UICC-based credentials
• The MNO acts as the OP (OpenID Identity Provider)
• The 3GPP OpenID/GBA protocol runs between the IdP and the device, resulting in the following key hierarchy:
  • A Smart OpenID specific shared key is established in the device and in the network by the GBA protocol
  • The key can be used to generate a Relying Party specific key as a trust anchor between the local OP and the network OP
  • Subsequent authentication runs can be seamless to the user
• Related to 3GPP TR 33.924 OpenID/GBA

Source: 3G Americas, Identity Management Overview of Standards & Technology

Page 6: Smart OpenID & Mobile Network Security

Smart OpenID Realization (1 of 4)

One login, then “one-click” access to everything

User authenticates to device ONCE with password, biometrics, etc.

Operator branded trust assurance

Policy driven user authentication

Page 7: Smart OpenID & Mobile Network Security

Smart OpenID Vision (2 of 4)

[Figure: User navigates to Web services (Relying Parties); navigation triggers automation; OpenID discovery and association with the identity provider (OpenID Provider) over the Internet]

Page 8: Smart OpenID & Mobile Network Security

Smart OpenID Vision (3 of 4)

[Figure: OpenID Provider; the OpenID provider has a local proxy on the UICC inside the phone; over-the-air authentication with the mobile operator; in-device authentication with the local proxy on the UICC (mymobile.IdP/myidentity)]

Page 9: Smart OpenID & Mobile Network Security

Smart OpenID Vision (4 of 4)

[Figure: OpenID Provider; over-the-air assertion to Relying Parties; policy driven automated access to Web services]

Page 10: Smart OpenID & Mobile Network Security

Open Mobile API

A software interface allowing applications access to the secure element (UICC) through the radio interface layer (RIL) on a smartphone

A three-layer architecture for the API:
• Application layer: represents the various applications that use OpenMobileAPI
• Service layer: abstracts the available functions, such as cryptography and authentication, in secure elements
• Transport layer: provides general access to secure elements using APDUs

Page 11: Smart OpenID & Mobile Network Security

Implementation of Smart OpenID on UICC

• Using the OpenMobileAPI, the mobile application part of the local OP lies in the application layer
• By calling APIs from the service layer, the application can:
  • Securely store the secret on the UICC
  • Verify the user-entered PIN to locally authenticate the end user
  • Sign the authentication assertion using the HMAC function
  • Communicate data with the generic transport API
• All these service requirements are converted into command APDUs in the transport layer and sent to the applet on the UICC
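The key hierarchy from page 5 and the HMAC-signed assertion from this page, as an added example that is not from the slides or from InterDigital's implementation: the two key-derivation functions are assumed HMAC-based illustrations (not the 3GPP TS 33.220 GBA KDF), the assertion fields follow OpenID 2.0 key-value signing, and every sample value (Ks, realm, nonce, URLs) is constructed.

```python
# Added example, not from the slides: toy Smart OpenID key hierarchy and HMAC-signed
# assertion. KDFs are assumed illustrations (NOT the 3GPP TS 33.220 GBA KDF).
import base64
import hashlib
import hmac

def derive_smart_openid_key(ks: bytes, op_fqdn: str) -> bytes:
    # Step 1: UICC and MNO both derive the Smart OpenID specific key from the
    # GBA bootstrapped key Ks (assumed HMAC-based KDF, bound to the OP name).
    return hmac.new(ks, b"smart-openid|" + op_fqdn.encode(), hashlib.sha256).digest()

def derive_rp_key(ks_smart: bytes, rp_realm: str) -> bytes:
    # Step 2: Relying-Party-specific key, the trust anchor shared by the local OP
    # on the UICC and the network OP for this realm only (assumed KDF).
    return hmac.new(ks_smart, b"rp|" + rp_realm.encode(), hashlib.sha256).digest()

def kv_form(fields: dict) -> bytes:
    # OpenID 2.0 key-value form of the fields listed in openid.signed, in order.
    names = fields["openid.signed"].split(",")
    return "".join(f"{n}:{fields['openid.' + n]}\n" for n in names).encode()

def sign_assertion(rp_key: bytes, fields: dict) -> dict:
    # Local OP on the UICC signs the positive assertion with HMAC-SHA256.
    signed = dict(fields)
    mac = hmac.new(rp_key, kv_form(signed), hashlib.sha256).digest()
    signed["openid.sig"] = base64.b64encode(mac).decode()
    return signed

def verify_assertion(ks_smart: bytes, rp_realm: str, assertion: dict) -> bool:
    # Network OP re-derives the RP key and checks the MAC in constant time.
    try:
        expected = hmac.new(derive_rp_key(ks_smart, rp_realm), kv_form(assertion),
                            hashlib.sha256).digest()
        given = base64.b64decode(assertion["openid.sig"], validate=True)
    except (KeyError, ValueError):  # missing field or malformed signature
        return False
    return hmac.compare_digest(expected, given)

# Constructed sample run: the same Ks on both sides stands in for the GBA result.
KS = bytes(range(32))
KS_SMART = derive_smart_openid_key(KS, "mymobile.IdP")
REALM = "https://rp.example/"
ASSERTION = {
    "openid.mode": "id_res", "openid.op_endpoint": "https://mymobile.IdP/op",
    "openid.identity": "https://mymobile.IdP/myidentity",
    "openid.return_to": "https://rp.example/login",
    "openid.response_nonce": "2012-09-19T10:00:00Zconstructed",
    "openid.signed": "mode,op_endpoint,identity,return_to,response_nonce",
}
SIGNED = sign_assertion(derive_rp_key(KS_SMART, REALM), ASSERTION)
```

Because the RP key is derived per realm, an assertion signed for one Relying Party does not verify under another realm's key, and any change to a signed field invalidates the MAC.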

Page 12: Smart OpenID & Mobile Network Security

Smart OpenID - Identity Management for MNOs

• Operator as an Identity Provider (OP)
  • Strong user/device authentication with ease of access to services
  • MNOs can leverage their branding and trust infrastructure to provide strong UICC backed authentication
• Operator anchored trust foundation for any Web service (RPs)
  • Branding: custom Operator/Identity Provider web screen on login
  • 3rd party services can rely on trusted identity and attribute assertions from MNOs, such as
• Viability from an Operator’s perspective
  • Authentication which builds upon existing and proven security of the smartcard/UICC
  • Mechanism for roll-out of Single-Sign-On through remote download via SMS to UICC
  • UICC is a controlled and manageable platform for all critical security operations
  • Downloadable Smart OpenID applet/application
  • Smartcard based, local authentication enables a secure exchange of identity attributes
