Smart OpenID brings strong authentication for internet cloud service access to mobile devices by leveraging the crypto capabilities provided by smart cards and secure elements in mobile phones. Presentation held at Chip-To-Cloud Forum in Nice, September 2012
© 2012 InterDigital, Inc. All rights reserved.
Chip-to-Cloud 2012
19-20 September 2012
SMART OPENID & MOBILE NETWORK SECURITY
BRINGING STRONG AUTHENTICATION FOR INTERNET ACCESS ON MOBILE DEVICES
Yogendra Shah InterDigital
Carsten Rust Morpho Cards
Andreas Leicher Novalyst
Identity Management on Mobile Platforms
• Users are used to an always connected Internet desktop experience
• Mobile devices are being used more and more to store confidential data and for secure Internet transactions
• Unlike desktops, mobile devices are more likely to be lost or stolen easily
• Users are looking for a seamless and secure Internet experience
• Concerned about the risk of privacy and giving away their identity information to too many services
• Sony PS network hack!
• Want consistent, transparent and secure “one-click” access to Internet services
• MNO backed single-sign-on or federated identity provides a framework for strong “branded” authentication security
• Operator value-add with UICC-based credentials
OpenID – Industry Standard HTTP-based SSO Protocol
Lightweight protocol designed for Web2.0
Improved user experience and persistent identities
Supported by industry groups and US government
Relevance for mobile markets is growing
BUT …
Cuts operator out of identity management
Burdens the authentication infrastructure
InterDigital’s Smart OpenID - Optimized for Wireless
Operator becomes the Identity Provider
Branding on web screen during logon
Strong user/device authentication built on security of smartcard / UICC
Significantly reduced burden on authentication servers
Roll-out feasible via over-the-air App to phone and SMS applet to UICC
Figure: Smart OpenID
Operator Anchored OpenID Proxy on UICC
• GBA is used for application layer authentication bootstrapping based on UICC based credentials
• The MNO acts as an OP, Identity Provider
• 3GPP OpenID/GBA protocol runs between the IdP and the device resulting in the following key hierarchy
• A Smart OpenID specific shared key is established in the device and in the network by the GBA protocol
• The key can be used to generate a Relying Party specific key as a trust anchor between the local OP and the network OP
• Subsequent authentication runs can be seamless to the user
• Related to 3GPP TR 33.924 OpenID/GBA
Source: 3G Americas, Identity Management Overview of Standards & Technology
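The two-level key hierarchy on this slide, and the assertion signing it enables, as an added Python example that is not part of the original presentation or of InterDigital's implementation. It assumes HMAC-SHA256 as a stand-in for the 3GPP key derivation function (the actual GBA/TR 33.924 KDF and its parameters are not on the slides), a constructed GBA key and OpenID message, and the OpenID 2.0 key-value signing form for the positive assertion. The local OP (UICC side) and the network OP each derive the RP-specific key independently, so the network OP can check the assertion without any key ever being sent over the air.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the GBA bootstrapped key, which a real GBA run
# leaves on the UICC and at the operator's network side.
GBA_KS = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
SMART_OPENID_LABEL = b"smart-openid"  # assumed label, not a 3GPP constant


def derive_smart_openid_key(ks: bytes, label: bytes = SMART_OPENID_LABEL) -> bytes:
    """First level: the Smart OpenID specific shared key from the GBA key.
    HMAC-SHA256 stands in for the 3GPP KDF (assumption)."""
    return hmac.new(ks, label, hashlib.sha256).digest()


def derive_rp_key(k_openid: bytes, rp_realm: str) -> bytes:
    """Second level: a Relying Party specific key bound to the RP's realm."""
    return hmac.new(k_openid, b"rp:" + rp_realm.encode(), hashlib.sha256).digest()


def kv_signing_string(fields: dict, signed: list) -> bytes:
    """OpenID 2.0 key-value form: 'name:value\\n' per signed field, in the
    listed order, with the 'openid.' prefix removed from the names."""
    return "".join(f"{n}:{fields['openid.' + n]}\n" for n in signed).encode()


def sign_assertion(k_rp: bytes, fields: dict, signed: list) -> dict:
    """Local OP on the UICC: sign the positive assertion with the RP key."""
    mac = hmac.new(k_rp, kv_signing_string(fields, signed), hashlib.sha256).digest()
    assertion = dict(fields)
    assertion["openid.signed"] = ",".join(signed)
    assertion["openid.sig"] = base64.b64encode(mac).decode()
    return assertion


def verify_assertion(k_rp: bytes, assertion: dict) -> bool:
    """Network OP: recompute the MAC with its own copy of the RP key and
    compare in constant time; any malformed message verifies as False."""
    try:
        signed = assertion["openid.signed"].split(",")
        expected = hmac.new(
            k_rp, kv_signing_string(assertion, signed), hashlib.sha256
        ).digest()
        received = base64.b64decode(assertion["openid.sig"], validate=True)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    realm = "https://rp.example/"
    # Device and network derive the same hierarchy independently.
    k_rp_device = derive_rp_key(derive_smart_openid_key(GBA_KS), realm)
    k_rp_network = derive_rp_key(derive_smart_openid_key(GBA_KS), realm)
    fields = {  # constructed OpenID 2.0 positive assertion
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://mymobile.IdP/op",
        "openid.claimed_id": "https://mymobile.IdP/myidentity",
        "openid.identity": "https://mymobile.IdP/myidentity",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2012-09-19T10:00:00Zconstructed",
        "openid.assoc_handle": "constructed-handle",
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    assertion = sign_assertion(k_rp_device, fields, signed)
    tampered = dict(assertion)
    tampered["openid.identity"] = "https://mymobile.IdP/someoneelse"
    k_other_rp = derive_rp_key(derive_smart_openid_key(GBA_KS), "https://other.example/")
    return {
        "valid": verify_assertion(k_rp_network, assertion),
        "tampered": verify_assertion(k_rp_network, tampered),
        "wrong_rp": verify_assertion(k_other_rp, assertion),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the second-level key to the RP realm is what makes it a per-RP trust anchor: an assertion signed for one RP does not verify under another RP's key, and a change to any signed field (here the identity) is detected by the network OP.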
Smart OpenID Realization (1 of 4)
One login, then “one-click” access to everything
User authenticates to device ONCE with password, biometrics, etc …
Operator branded trust assurance
Policy driven user authentication
Smart OpenID Vision (2 of 4)
Figure: Relying Parties, OpenID Provider
User navigates to Web services
Navigation triggers automation
OpenID discovery and association with identity provider over the Internet
Smart OpenID Vision (3 of 4)
Figure: OpenID Provider, UICC inside Phone
OpenID provider has a local proxy on the UICC
Over-the-air authentication with mobile operator
In-device authentication with local proxy on UICC (mymobile.IdP/myidentity)
Smart OpenID Vision (4 of 4)
Figure: Relying Parties, OpenID Provider
Over-the-Air assertion to relying parties
Policy driven automated access to Web services
Open Mobile API
A software interface allowing applications access to the secure element (UICC) through the radio interface layer (RIL) on a smartphone
A three-layer architecture for the API
• Application layer: represents the various applications that use OpenMobileAPI
• Service layer: abstracts the available functions, such as cryptography and authentication, in secure elements
• Transport layer: provides general access to secure elements using APDUs
Implementation of Smart OpenID on UICC
• Using the OpenMobileAPI, the mobile application part of the local OP lies in the application layer
• By calling APIs from the service layer, the application can
  • Securely store the secret on the UICC
  • Verify the user entered PIN to locally authenticate the end user
  • Sign the authentication assertion using the HMAC function
  • Communicate data with the generic transport API
• All these service requirements are converted into command APDUs in the transport layer and sent to the applet on the UICC
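How the service-layer requests listed above (PIN verification, HMAC signing) are carried to the applet as command APDUs over the transport layer, as an added Python example that is not code from the slides, from InterDigital's applet or from the Open Mobile API. The applet is simulated in memory so the exchange runs offline. SELECT, VERIFY and the status words (9000, 63Cx, 6982, 6983, 6985, 6A82, 6D00) follow ISO/IEC 7816-4; the sign instruction (class 0x80, INS 0x10), the AID, the PIN and the stored secret are constructed for this example.

```python
import hashlib
import hmac

INS_SELECT, INS_VERIFY = 0xA4, 0x20   # ISO/IEC 7816-4 instructions
INS_SIGN = 0x10                        # constructed proprietary instruction, class 0x80
SW_OK, SW_SECURITY_STATUS, SW_AUTH_BLOCKED = 0x9000, 0x6982, 0x6983
SW_CONDITIONS, SW_FILE_NOT_FOUND, SW_INS_NOT_SUPPORTED = 0x6985, 0x6A82, 0x6D00
# 0x63Cx: PIN verification failed, x = retries remaining


def build_apdu(cla, ins, p1, p2, data=b"", le=None) -> bytes:
    """Encode a short command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le & 0xFF])
    return apdu


def parse_apdu(apdu: bytes):
    """Decode a short command APDU into (cla, ins, p1, p2, data, le)."""
    if len(apdu) < 4:
        raise ValueError("APDU header incomplete")
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    if not body:                       # case 1: header only
        return cla, ins, p1, p2, b"", None
    if len(body) == 1:                 # case 2: Le only
        return cla, ins, p1, p2, b"", body[0]
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc or len(rest) > 1:
        raise ValueError("Lc does not match data length")
    return cla, ins, p1, p2, data, (rest[0] if rest else None)


def sw(code: int) -> bytes:
    return code.to_bytes(2, "big")


class SimulatedApplet:
    """In-memory stand-in for the applet on the UICC; the secret never leaves it."""
    AID = bytes.fromhex("A000000000010203")  # constructed AID

    def __init__(self, pin: bytes, secret: bytes, max_retries: int = 3):
        self._pin, self._secret = pin, secret
        self._max_retries = self._retries = max_retries
        self._selected = self._pin_ok = False

    def process(self, apdu: bytes) -> bytes:
        cla, ins, p1, p2, data, le = parse_apdu(apdu)
        if ins == INS_SELECT:
            self._selected, self._pin_ok = (data == self.AID), False
            return sw(SW_OK if self._selected else SW_FILE_NOT_FOUND)
        if not self._selected:
            return sw(SW_CONDITIONS)
        if ins == INS_VERIFY:
            if self._retries == 0:
                return sw(SW_AUTH_BLOCKED)
            if hmac.compare_digest(data, self._pin):
                self._pin_ok, self._retries = True, self._max_retries
                return sw(SW_OK)
            self._retries -= 1
            self._pin_ok = False
            return sw(0x63C0 | self._retries)
        if cla == 0x80 and ins == INS_SIGN:
            if not self._pin_ok:           # signing is gated on a verified PIN
                return sw(SW_SECURITY_STATUS)
            return hmac.new(self._secret, data, hashlib.sha256).digest() + sw(SW_OK)
        return sw(SW_INS_NOT_SUPPORTED)


class TransportClient:
    """Service-layer requests rendered as command APDUs (the transport layer)."""

    def __init__(self, applet: SimulatedApplet):
        self._applet = applet

    def _transmit(self, apdu: bytes):
        resp = self._applet.process(apdu)
        return resp[:-2], int.from_bytes(resp[-2:], "big")   # (data, SW1SW2)

    def select(self) -> bool:
        _, status = self._transmit(build_apdu(0x00, INS_SELECT, 0x04, 0x00, SimulatedApplet.AID))
        return status == SW_OK

    def verify_pin(self, pin: bytes):
        """Returns (verified, retries_left); retries_left is None on success, 0 when blocked."""
        _, status = self._transmit(build_apdu(0x00, INS_VERIFY, 0x00, 0x01, pin))
        if status == SW_OK:
            return True, None
        if (status & 0xFFF0) == 0x63C0:
            return False, status & 0x0F
        return False, 0

    def sign(self, message: bytes):
        """Returns the 32-byte HMAC from the applet, or None if it refused."""
        data, status = self._transmit(build_apdu(0x80, INS_SIGN, 0x00, 0x00, message, le=32))
        return data if status == SW_OK else None


def demo() -> dict:
    client = TransportClient(SimulatedApplet(pin=b"1234", secret=b"constructed-secret"))
    out = {"selected": client.select()}
    out["sign_without_pin"] = client.sign(b"assertion")   # refused with 6982
    out["wrong_pin"] = client.verify_pin(b"0000")          # 63C2: two retries left
    out["right_pin"] = client.verify_pin(b"1234")
    out["sig_len"] = len(client.sign(b"assertion") or b"")
    return out
```

The point to observe is where the checks live: the retry counter and the PIN gate on signing are enforced inside the applet on the status-word side, so a handset application that skips the VERIFY step gets 6982 rather than a signature, and the stored secret is only ever used, never read, across the APDU boundary.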
Smart OpenID - Identity Management for MNOs
• Operator as an Identity Provider (OP)
• Strong user/device authentication with ease of access to services
• MNOs can leverage their branding and trust infrastructure to provide strong UICC backed authentication
• Operator anchored trust foundation for any Web service (RPs)
• Branding: custom Operator/Identity Provider web screen on login
• 3rd party services can rely on trusted identity and attribute assertions from MNOs, such as
• Viability from an Operator’s perspective
• Authentication which builds upon existing and proven security of the smartcard/UICC
• Mechanism for roll-out of Single-Sign-On through remote download via SMS to UICC
• UICC is a controlled and manageable platform for all critical security operations
• Downloadable Smart OpenID applet/application
• Smartcard based, local authentication enables a secure exchange of identity attributes