Mobile Web Security Bootstrap on Ericsson Labs

A labs.ericsson.com API: http://labs.ericsson.com/apis/mobile-web-security-bootstrap/

Description

The Mobile Web Security Bootstrap (MWSB) API can be used to establish shared secret keys between an application server and a mobile web client. The key can then be used to secure mobile applications that, for instance, require authentication, data confidentiality and integrity, or single sign-on.


Page 1: Mobile Web Security Bootstrap on Ericsson Labs

Mobile Web Security Bootstrap

A labs.ericsson.com API
http://labs.ericsson.com/apis/mobile-web-security-bootstrap/

Page 2

© Ericsson AB 2010 | Page 2

ericsson labs APIs

› Maps & positioning – Mobile Location, Mobile Maps, Web Maps

› Communication – Async Voice, SMS Send & Receive, Mobile Push, Group Voice Mixer

› Security – Mobile Web Security Bootstrap, CAPTCHA, OAuth2 Framework, Identity Management Framework, Key Management Service

› Web technologies – Web Connectivity, EventSource, Web Background Service, Web Device Connectivity, Distributed Shared Memory, Web Real-Time Communication, Mobile Identification

› User & network information – Mobile Network Look-up, Network Probe

› Machine learning – Cluster Constructor

› Media and graphics – Face Detector, Text-to-Speech, Tag Tool

› NFC & sensors – Mobile Sensor Actuator Link, Sensor Networking Application Platform

Page 3

Mobile Web Security Bootstrap

› The SIM is commonly used for getting cellular access, mobile connectivity and access to some mobile services

› The SIM's proven security features can also be used to secure any mobile web application

› This service provides an API for establishing a secret key between a mobile web client and a web application

Page 4

Why Mobile Web Security Bootstrap?

› Security – As secure as the SIM

› Standard – Based on an industry standard

› Acceptance – Many standardized applications

› Convenience – Transparent to users

› Extensibility – Any application can exploit the SIM

Page 5

Main Features

› Based on the 3GPP industry standard Generic Bootstrapping Architecture (GBA, 3GPP TS 33.220)

› Client and server Web/Java APIs available and documented with examples

› HTTP interfaces

› A soft client is available, so developers can focus on the network side of the web application

Page 6

Overview

[Diagram: the Mobile Web Client (containing the Bootstrap Client) talks to the MWSB (Bootstrap Server backed by a Subscriber Database) over the Ub interface, and to the Mobile Web Application Server (Network Application) over the Ua interface; the Mobile Web Application Server talks to the MWSB over the Zn interface. All three interfaces run over HTTP.]

› Ub interface – The mobile client uses the API to bootstrap a master secret key (Ks); the bootstrap returns a transaction identifier (btid, B-TID) that serves as the handle for that key

› Ua interface – The mobile web client derives the application-specific key (Ks_NAF) from the master key and uses it towards the mobile web application server, presenting the btid as its identity

› Zn interface – The mobile web application server uses the API to obtain the corresponding application-specific key from the MWSB, using the btid received from the client

At the end of the API transactions the client and the server share an application-specific secret key, and the master key itself never leaves the client and the MWSB.

Page 7

Java Client API

› Soft Client API provided for focusing on the server application

› Example showing how to establish a shared key

// Create soft client with user identity and permanent key
GbaClient softclient = new GbaClient(myID, myKey);
// Bootstrap client with master key (Ub). The returned btid is the key handle.
String btid = softclient.bootstrap();
// Derive application-specific key (Ks_NAF) to be shared with the app server
byte[] appKey = softclient.getKsNaf(app_Fqdn);
// Use the app key for HTTP Digest Authentication towards the app server (Ua):
// btid is the Digest username, appKey the Digest password
boolean authResult = runUaHttpDigest(app_URL, btid, appKey);

Page 8

Java Server API

› API towards the mobile client and API towards the MWSB

› Servlet example showing how to establish a shared key

// Application servlet doGet()
// Create application context with the Labs authorization API key
GbaNaf app = new GbaNaf(myFqdn, myApiKey);
// Parse the GET request's Authorization header and fetch btid (key handle)
Authorization authz = Authorization.parse(authorizationHeader);
String btid = authz.getUsername();
// Obtain the application-specific key (Ks_NAF) shared with the client from the MWSB (Zn)
byte[] appKey = app.getKsNaf(btid);
// Use the shared key to authenticate the mobile client; check the result before serving the request
Digest.verify(authz, appKey);
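The following is an added example, not code from the slides or from the Ericsson Java API. It models the Overview slide's Ub, Ua and Zn interfaces and the two Java snippets above in a single stand-alone Python program: the MWSB bootstraps a master key Ks and hands out a btid (B-TID), the client and the MWSB each derive Ks_NAF for the application server's FQDN with the 3GPP TS 33.220 Annex B key derivation function, and the application server verifies an HTTP Digest Authorization header whose username is the btid and whose password is the base64 of Ks_NAF. The class names, the hostnames bsf.example.com and app.example.com, the subscriber identity, the Ua security protocol identifier value and all key material are constructed for illustration; in the real system CK/IK come from the SIM's AKA run and from the subscriber database, not from a shared table.

```python
import base64
import hashlib
import hmac
import os
import re

# Added example (not the Ericsson Java API): stand-alone model of the Ub / Ua / Zn
# exchange. Names, hostnames and all key material are constructed sample data.

# Ua security protocol identifier appended to the NAF FQDN to form NAF_Id.
# ASSUMPTION: illustrative value; use the identifier of your Ua profile.
UA_PROTO_ID = b"\x01\x00\x00\x00\x01"

def gba_kdf(ks, *params):
    """3GPP TS 33.220 Annex B KDF: HMAC-SHA-256 keyed with Ks over FC || P0 || L0 || ..."""
    s = b"\x01"                                   # FC = 0x01 for GBA key derivation
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(ks, s, hashlib.sha256).digest()

def derive_ks_naf(ks, rand, impi, naf_fqdn):
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id); only client and MWSB know Ks."""
    naf_id = naf_fqdn.lower().encode() + UA_PROTO_ID
    return gba_kdf(ks, b"gba-me", rand, impi.encode(), naf_id)

def digest_response(user, password, realm, nonce, method, uri, cnonce, nc="00000001"):
    """RFC 2617 HTTP Digest (qop=auth) response, as used on the Ua interface."""
    md5 = lambda t: hashlib.md5(t.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class MobileWebSecurityBootstrap:
    """MWSB: bootstrap server plus subscriber database (Ub and Zn endpoints)."""
    def __init__(self, subscribers):
        self.subscribers = subscribers            # IMPI -> (CK, IK); stands in for AKA
        self.sessions = {}                        # B-TID -> (Ks, RAND, IMPI)

    def ub_bootstrap(self, impi):
        ck, ik = self.subscribers[impi]
        rand = os.urandom(16)
        btid = base64.b64encode(rand).decode() + "@bsf.example.com"
        self.sessions[btid] = (ck + ik, rand, impi)   # Ks = CK || IK never leaves here
        return btid, rand

    def zn_get_ks_naf(self, btid, naf_fqdn):
        ks, rand, impi = self.sessions[btid]      # KeyError: unknown or expired B-TID
        return derive_ks_naf(ks, rand, impi, naf_fqdn)

class BootstrapClient:
    """Soft client holding the subscriber identity and CK/IK (the 'permanent key')."""
    def __init__(self, impi, ck, ik, mwsb):
        self.impi, self.ks, self.mwsb = impi, ck + ik, mwsb
        self.btid = self.rand = None

    def bootstrap(self):                          # Ub
        self.btid, self.rand = self.mwsb.ub_bootstrap(self.impi)
        return self.btid

    def get_ks_naf(self, naf_fqdn):
        return derive_ks_naf(self.ks, self.rand, self.impi, naf_fqdn)

    def ua_authorization(self, naf_fqdn, nonce, uri, method="GET"):   # Ua
        password = base64.b64encode(self.get_ks_naf(naf_fqdn)).decode()
        cnonce = os.urandom(8).hex()
        resp = digest_response(self.btid, password, naf_fqdn, nonce, method, uri, cnonce)
        return (f'Digest username="{self.btid}", realm="{naf_fqdn}", nonce="{nonce}", '
                f'uri="{uri}", qop=auth, nc=00000001, cnonce="{cnonce}", response="{resp}"')

class ApplicationServer:
    """NAF: parses the Ua Authorization header, fetches Ks_NAF over Zn, verifies."""
    def __init__(self, fqdn, mwsb):
        self.fqdn, self.mwsb = fqdn, mwsb

    def verify(self, header, nonce, method, uri):
        fields = dict(re.findall(r'(\w+)="?([^",]+)"?', header))
        btid = fields["username"]                 # B-TID is the key handle
        try:
            ks_naf = self.mwsb.zn_get_ks_naf(btid, self.fqdn)   # Zn
        except KeyError:
            return False
        password = base64.b64encode(ks_naf).decode()
        expected = digest_response(btid, password, self.fqdn, nonce, method, uri,
                                   fields["cnonce"], fields["nc"])
        return hmac.compare_digest(expected, fields["response"])

def run_exchange(naf_fqdn="app.example.com", client_thinks_fqdn=None):
    """Full Ub -> Ua -> Zn round trip. Returns (keys_match, auth_ok)."""
    ck, ik = os.urandom(16), os.urandom(16)       # constructed subscriber keys
    mwsb = MobileWebSecurityBootstrap({"user@ims.example.com": (ck, ik)})
    client = BootstrapClient("user@ims.example.com", ck, ik, mwsb)
    app = ApplicationServer(naf_fqdn, mwsb)
    btid = client.bootstrap()
    nonce = os.urandom(8).hex()                   # server's Digest challenge
    header = client.ua_authorization(client_thinks_fqdn or naf_fqdn, nonce, "/")
    keys_match = client.get_ks_naf(naf_fqdn) == mwsb.zn_get_ks_naf(btid, naf_fqdn)
    return keys_match, app.verify(header, nonce, "GET", "/")
```

Calling run_exchange() returns (True, True): the key the client derived locally equals the one the application server fetched over Zn, and the Digest check passes. Passing client_thinks_fqdn="other.example.com" makes the client derive Ks_NAF for the wrong FQDN, so the server's check fails; this is why the key is bound to the NAF_Id in the KDF, and why the application server needs only the btid and its own API credential towards the MWSB, never Ks or the subscriber's permanent key.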

Page 9

Possible applications

› Authentication

› Identity Management

› Single Sign-On

› Confidentiality

› Integrity

› Key Management
