Smart OpenID & Mobile Network Security: Bringing Strong Authentication for Internet Access on Mobile Devices
Chip-to-Cloud 2012, 19-20 September 2012
Yogendra Shah (InterDigital), Carsten Rust (Morpho Cards), Andreas Leicher (Novalyst)
© 2012 InterDigital, Inc. All rights reserved.

Smart OpenID & Mobile Network Security


DESCRIPTION

Smart OpenID brings strong authentication for Internet cloud service access to mobile devices by leveraging the cryptographic capabilities provided by smart cards and secure elements in mobile phones. Presentation held at the Chip-To-Cloud Forum in Nice, September 2012.


Page 1: Smart OpenID & Mobile Network Security

© 2012 InterDigital, Inc. All rights reserved.
Chip-to-Cloud 2012, 19-20 September 2012

SMART OPENID & MOBILE NETWORK SECURITY
BRINGING STRONG AUTHENTICATION FOR INTERNET ACCESS ON MOBILE DEVICES

Yogendra Shah, InterDigital
Carsten Rust, Morpho Cards
Andreas Leicher, Novalyst

Page 2: Smart OpenID & Mobile Network Security

2

Identity Management on Mobile Platforms

• Users are used to an always-connected Internet desktop experience
• Mobile devices are being used more and more to store confidential data and for secure Internet transactions
• Unlike desktops, mobile devices are more likely to be lost or stolen easily
• Users are looking for a seamless and secure Internet experience
  • Concerned about the risk to privacy of giving away their identity information to too many services
  • Sony PS network hack!
• Want consistent, transparent and secure “one-click” access to Internet services
• MNO-backed single sign-on or federated identity provides a framework for strong “branded” authentication security
  • Operator value-add with UICC-based credentials

Page 3: Smart OpenID & Mobile Network Security

3

OpenID – Industry Standard HTTP-based SSO Protocol

Lightweight protocol designed for Web2.0

Improved user experience and persistent identities

Supported by industry groups and US government

Relevance for mobile markets is growing

BUT …

Cuts operator out of identity management

Burdens the authentication infrastructure

Page 4: Smart OpenID & Mobile Network Security

4

InterDigital’s Smart OpenID - Optimized for Wireless

Operator becomes the Identity Provider

Branding on web screen during logon

Strong user/device authentication built on security of smartcard / UICC

Significantly reduced burden on authentication servers

Roll-out feasible via over-the-air App to phone and SMS applet to UICC

Page 5: Smart OpenID & Mobile Network Security

5

Operator Anchored OpenID Proxy on UICC

• GBA is used for application-layer authentication bootstrapping based on UICC-based credentials
• The MNO acts as an OP (OpenID Identity Provider)
• The 3GPP OpenID/GBA protocol runs between the IdP and the device, resulting in the following key hierarchy:
  • A Smart OpenID specific shared key is established in the device and in the network by the GBA protocol
  • The key can be used to generate a Relying Party specific key as a trust anchor between the local OP and the network OP
  • Subsequent authentication runs can be seamless to the user
• Related to 3GPP TR 33.924 OpenID/GBA

Source: 3G Americas, Identity Management Overview of Standards & Technology
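The key hierarchy above, and the HMAC-signed assertion the local OP produces with it (page 11), worked through as an added example. This is not InterDigital, 3GPP or Open Mobile API code. It assumes: a Smart OpenID specific key KS_LOCAL_OP that a GBA run has left in both the UICC applet and the network OP (constructed here); an HKDF-SHA256-style derivation of the per-Relying-Party key, keyed by the RP realm (the slides do not name the KDF, so the construction is an assumption); and OpenID 2.0 signing, where openid.sig is the base64 HMAC over the key-value form of the fields listed in openid.signed. The realm is included among the signed fields so that the network OP, answering the RP's check_authentication request, knows which per-RP key to re-derive.

```python
import base64
import hashlib
import hmac

# Constructed sample: the Smart OpenID specific key that the GBA run leaves in
# the UICC applet and in the network OP. A real deployment gets it from GBA.
KS_LOCAL_OP = hashlib.sha256(b"constructed GBA bootstrap sample").digest()

SIGNED_FIELDS = ["op_endpoint", "realm", "claimed_id", "identity", "return_to", "response_nonce"]


def derive_rp_key(ks_local_op: bytes, rp_realm: str) -> bytes:
    """Relying-Party specific key: one HKDF-SHA256 extract/expand step (RFC 5869
    shape; the actual KDF is an assumption, not taken from the slides). The RP
    realm is the context, so keys handed to different RPs are unrelated."""
    prk = hmac.new(b"smart-openid", ks_local_op, hashlib.sha256).digest()
    info = b"rp-key|" + rp_realm.encode("utf-8")
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def key_value_form(fields: dict, signed: list) -> bytes:
    """OpenID 2.0 key-value encoding of the fields named in openid.signed:
    'name:value\\n' per field, with the 'openid.' prefix removed."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed).encode("utf-8")


def sign_assertion(ks_local_op: bytes, fields: dict, signed: list) -> dict:
    """Local OP on the UICC: derive the per-RP key and sign the positive
    assertion before it travels over the air to the relying party."""
    rp_key = derive_rp_key(ks_local_op, fields["openid.realm"])
    sig = hmac.new(rp_key, key_value_form(fields, signed), hashlib.sha256).digest()
    out = dict(fields)
    out["openid.signed"] = ",".join(signed)
    out["openid.sig"] = base64.b64encode(sig).decode("ascii")
    return out


def verify_assertion(ks_local_op: bytes, assertion: dict) -> bool:
    """Network OP answering check_authentication for an RP: re-derive the
    per-RP key from its own copy of the GBA key and compare in constant time.
    Any malformed or missing field is treated as a failed verification."""
    try:
        signed = assertion["openid.signed"].split(",")
        rp_key = derive_rp_key(ks_local_op, assertion["openid.realm"])
        expected = hmac.new(rp_key, key_value_form(assertion, signed), hashlib.sha256).digest()
        received = base64.b64decode(assertion["openid.sig"], validate=True)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, received)


def sample_assertion() -> dict:
    """Constructed positive assertion for a hypothetical RP (example values only)."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://mymobile.idp.example/op",
        "openid.realm": "https://rp.example/",
        "openid.claimed_id": "https://mymobile.idp.example/myidentity",
        "openid.identity": "https://mymobile.idp.example/myidentity",
        "openid.return_to": "https://rp.example/login/return",
        "openid.response_nonce": "2012-09-19T10:00:00Zconstructed",
    }
    return sign_assertion(KS_LOCAL_OP, fields, SIGNED_FIELDS)


if __name__ == "__main__":
    assertion = sample_assertion()
    print("valid:", verify_assertion(KS_LOCAL_OP, assertion))
    assertion["openid.identity"] = "https://mymobile.idp.example/someone-else"
    print("after tampering with identity:", verify_assertion(KS_LOCAL_OP, assertion))
```

The point of deriving a per-RP key rather than signing with the GBA key directly is the one the slide makes: the shared key stays the trust anchor between the two halves of the OP, while anything an RP ever sees is bound to its own realm, so a key leaked through one RP's verification path says nothing about another RP's assertions.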

Page 6: Smart OpenID & Mobile Network Security

6

Smart OpenID Realization (1 of 4)

One login, then “one-click” access to everything

User authenticates to device ONCE with password, biometrics, etc.

Operator branded trust assurance

Policy driven user authentication

Page 7: Smart OpenID & Mobile Network Security

7

Smart OpenID Vision (2 of 4)

Relying Parties

Navigation triggers automation: OpenID discovery and association with identity provider over the Internet

User navigates to Web services

OpenID Provider

Page 8: Smart OpenID & Mobile Network Security

8

Smart OpenID Vision (3 of 4)

OpenID Provider

OpenID provider has a local proxy on the UICC

Over-the-air authentication with mobile operator

UICC inside Phone

In-device authentication with local proxy on UICC

mymobile.IdP/myidentity

Page 9: Smart OpenID & Mobile Network Security

9

Smart OpenID Vision (4 of 4)

Relying Parties

Over-the-Air assertion to relying parties

Policy driven automated access to Web services

OpenID Provider

Page 10: Smart OpenID & Mobile Network Security

10

Open Mobile API

A software interface allowing applications access to the secure element (UICC) through the radio interface layer (RIL) on a smartphone

A three-layer architecture for the API:
• Application layer: represents the various applications that use OpenMobileAPI
• Service layer: abstracts the available functions, such as cryptography and authentication, in secure elements
• Transport layer: provides general access to secure elements using APDUs

Page 11: Smart OpenID & Mobile Network Security

11

Implementation of Smart OpenID on UICC

• Using the OpenMobileAPI, the mobile application part of the local OP lies in the application layer
• By calling APIs from the service layer, the application can:
  • Securely store the secret on the UICC
  • Verify the user-entered PIN to locally authenticate the end user
  • Sign the authentication assertion using the HMAC function
  • Communicate data with the generic transport API
• All these service requirements are converted into command APDUs in the transport layer and sent to the applet on the UICC
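The three layers of the previous two slides, as an added simulation that is not Open Mobile API, InterDigital or UICC applet code: a transport-layer APDU encoder, a service layer exposing "verify PIN" and "sign assertion", and a stand-in for the applet that holds the secret. The VERIFY instruction (INS 0x20) and the status words 0x9000, 0x63Cx, 0x6982, 0x6983 and 0x6D00 are ISO/IEC 7816-4; the SIGN instruction code 0x40 under a proprietary class byte, the PIN and the secret are constructed for this example. The property worth seeing is that the secret never crosses the APDU boundary: the only thing the phone side can get back is an HMAC tag, and only after the PIN has been verified in the same session.

```python
import hashlib
import hmac

# ISO/IEC 7816-4 status words returned by the simulated applet.
SW_OK = 0x9000
SW_WRONG_LENGTH = 0x6700
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982   # SIGN attempted before VERIFY succeeded
SW_AUTH_METHOD_BLOCKED = 0x6983             # PIN retry counter exhausted
SW_INS_NOT_SUPPORTED = 0x6D00

CLA_ISO = 0x00
CLA_PROPRIETARY = 0x80
INS_VERIFY = 0x20      # ISO 7816-4 VERIFY
INS_SIGN = 0x40        # hypothetical instruction code chosen for this example
PIN_RETRIES = 3


def build_apdu(cla: int, ins: int, p1: int, p2: int, data: bytes = b"", le: int = None) -> bytes:
    """Transport layer: encode a short-form command APDU (CLA INS P1 P2 [Lc data] [Le])."""
    if len(data) > 255:
        raise ValueError("short-form APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le & 0xFF])   # Le of 0x00 means "up to 256 response bytes expected"
    return apdu


class SimulatedApplet:
    """Stand-in for the Smart OpenID applet on the UICC. The secret never leaves
    the object: the only way to use it is SIGN, and SIGN is refused until VERIFY
    has succeeded in this session. A wrong PIN clears the verified state."""

    def __init__(self, pin: bytes, secret: bytes):
        self._pin = pin
        self._secret = secret
        self._retries = PIN_RETRIES
        self._verified = False

    def process(self, apdu: bytes):
        """Parse one command APDU and return (response data, status word)."""
        if len(apdu) < 4:
            return b"", SW_WRONG_LENGTH
        cla, ins = apdu[0], apdu[1]
        lc = apdu[4] if len(apdu) > 4 else 0
        data = apdu[5:5 + lc]
        if len(data) != lc:
            return b"", SW_WRONG_LENGTH
        if cla == CLA_ISO and ins == INS_VERIFY:
            if self._retries == 0:
                return b"", SW_AUTH_METHOD_BLOCKED
            if len(data) == len(self._pin) and hmac.compare_digest(data, self._pin):
                self._verified = True
                self._retries = PIN_RETRIES
                return b"", SW_OK
            self._verified = False
            self._retries -= 1
            return b"", 0x63C0 | self._retries   # 63Cx: wrong PIN, x tries left
        if cla == CLA_PROPRIETARY and ins == INS_SIGN:
            if not self._verified:
                return b"", SW_SECURITY_STATUS_NOT_SATISFIED
            return hmac.new(self._secret, data, hashlib.sha256).digest(), SW_OK
        return b"", SW_INS_NOT_SUPPORTED


class LocalOPService:
    """Service layer: the calls the local OP application makes, each mapped onto
    one command APDU pushed through the transport function it was given."""

    def __init__(self, transport):
        self._send = transport   # in a real stack this would be the channel's transmit call

    def verify_pin(self, pin: bytes) -> int:
        """Returns the status word; a 0x63Cx word tells the UI how many tries remain."""
        _, sw = self._send(build_apdu(CLA_ISO, INS_VERIFY, 0x00, 0x01, pin))
        return sw

    def sign_assertion(self, assertion: bytes):
        """Returns (HMAC tag, status word); the tag is empty unless sw == SW_OK."""
        return self._send(build_apdu(CLA_PROPRIETARY, INS_SIGN, 0x00, 0x00, assertion, le=0x00))

    @staticmethod
    def retries_left(sw: int):
        """Decode a 63Cx status word; None if sw is not a retry-counter word."""
        return sw & 0x0F if (sw & 0xFFF0) == 0x63C0 else None


if __name__ == "__main__":
    # Constructed sample: the PIN and secret a personalisation step would load.
    applet = SimulatedApplet(pin=b"1234", secret=bytes(range(32)))
    svc = LocalOPService(applet.process)
    print("sign before PIN:", hex(svc.sign_assertion(b"assertion")[1]))
    sw = svc.verify_pin(b"0000")
    print("wrong PIN:", hex(sw), "tries left:", LocalOPService.retries_left(sw))
    print("correct PIN:", hex(svc.verify_pin(b"1234")))
    tag, sw = svc.sign_assertion(b"assertion")
    print("sign after PIN:", hex(sw), tag.hex())
```

The retry counter is decoded on the phone side only for display; the decision to block lives in the applet, which is the point of putting the local OP's critical operations on the UICC rather than in the handset application.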

Page 12: Smart OpenID & Mobile Network Security

12

Smart OpenID - Identity Management for MNOs

• Operator as an Identity Provider (OP)
  • Strong user/device authentication with ease of access to services
  • MNOs can leverage their branding and trust infrastructure to provide strong UICC-backed authentication
• Operator anchored trust foundation for any Web service (RPs)
  • Branding: custom Operator/Identity Provider web screen on login
  • 3rd party services can rely on trusted identity and attribute assertions from MNOs, such as
• Viability from an Operator’s perspective
  • Authentication which builds upon existing and proven security of the smartcard/UICC
  • Mechanism for roll-out of Single Sign-On through remote download via SMS to UICC
  • UICC is a controlled and manageable platform for all critical security operations
  • Downloadable Smart OpenID applet/application
• Smartcard-based local authentication enables a secure exchange of identity attributes