leveraging uicc with open mobile api for secure applications and services ran zhou
TRANSCRIPT
![Page 1: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/1.jpg)
Leveraging UICC with Open Mobile API for Secure Applications and Services
Ran Zhou
![Page 2: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/2.jpg)
Introduction and Motivation
• Until 2011, there were 6 billion mobile subscriptions (87% of the population)• UICC serves as the security anchor in mobile telecom network• Java Card make the UICC more powerful: digital signature, cryptography…• UICC is an ideal module to enhance the security level of terminal application• Interface is required to fill the gap between UICC applet and terminal application• Open Mobile API is proposed to provide this interface• A Dual Application Architecture together with the access control mechanism will
be introduced• As an example to be implemented: an UICC-based Local OpenID protocol will be
considered in this thesis
OpenID Provider (Network Operator)
OpenID Provider (Network Operator)
Relying PartyRelying Party
UserUserDevice with
Local OP ServerDevice with
Local OP Server
Relying PartiesRelying Parties
Association
Log-on
Trust (Long Term Secret)
Local authentication
OpenID Provider (Network Operator)
OpenID Provider (Network Operator)
Relying PartyRelying Party
UserUserDevice with
Local OP ServerDevice with
Local OP Server
Relying PartiesRelying Parties
Association
Log-on
Trust (Long Term Secret)
Local authentication
![Page 3: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/3.jpg)
Agenda
• Introduction and Motivation• Basic Technologies– UICC– SIMalliance Open Mobile API– OpenID
• Concept of Local OpenID• Thesis Outline• Time Plan
![Page 4: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/4.jpg)
Universal Integrated Circuit Card: UICC
• UICC is a smart card used in mobile terminals within telecom networks [1]
• It provides authentication secure storage crypto algorithms …
• Java Card as UICC can provide [2]
Hash functions: MD5, SHA-1, SHA-256 … Signature functions: HMAC … Public-key cryptography: RSA … Symmetric-key cryptography: AES, DES … …
?
![Page 5: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/5.jpg)
UICC – Related Technologies• Toolkit
• Smart Card Web Server
• Generic Bootstrapping Architecture (GBA)
• Open Mobile API
[3]
![Page 6: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/6.jpg)
Open Mobile API
Open Mobile API is established by SIMalliance as an open API between the Secure Element and the Terminal Applications [4]
• Crypto• Authentication• Secure Storage• PKCS#15• …
Open Mobile API
![Page 7: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/7.jpg)
Open Mobile API3 Layers [5]
- Transport Layer: using APDUs for accessing a Secure Element- Service Layer: provide a more abstract interface for functions on SE- Application Layer: represents the various applications using Open Mobile API
Figure 1: Architecture overview
![Page 8: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/8.jpg)
Dual Application Architecture
• NFC (Near Field Communication) services• Payment services• Ticketing services• Loyalty services (Kundenbindungsmaßnahmen)• ID Management services (e.g. Single Sign-On)
UICC
Terminal Application
Open Mobile API
Transport Layer
Access Control Module
Access Control Table
![Page 9: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/9.jpg)
OpenID Provider
Relying Party
UserDevice
Relying Parties
Submit OpenID
Association
User authentication
Log-on
OpenID
![Page 10: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/10.jpg)
OpenID Weakness[6]
PhishingAn “Identity
System” without Trust: no authority can promise OpenID rzhou.myopenid.com is Ran Zhou
RedirectsCommunication
Overhead: lots of HTTP requests
![Page 11: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/11.jpg)
Phishing Sensitive data remains on UICC
An “identity system” without Trust: no authority can promise OpenID rzhou.myopenid.com is Ran Zhou.
Trusted Identity through Network Operator (contract)
RedirectsLocal OpenID Server interface
Communication Overhead: lots of HTTP requestsSignificantly reduced authentication traffic
Terminal part is developed by a project partner of MorphoIntegration of UICC is the main topic of this thesis
Concept: Local OpenID Server with UICC
![Page 12: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/12.jpg)
Network OpenID Provider
Relying Party
UserLocal OP Provider =
Mobile Application + UICC Applet
Relying Parties
Association
Signed Assertion(with same derivated key)
Local OpenID Architecture
Trust (Long-Term Secret)
Local authentication (with PIN)
Association Handle + Derivated KeySubmit O
penID
Associa
tion Han
dle
![Page 13: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/13.jpg)
Contents1. INTRODUCTION
1.1 Motivation1.2 Solution Idea1.3 Overview2. UICC AND JAVA CARD2.1 UICC2.2 Java Card
2.2.1 Introduction2.2.2 Security and Crypto2.2.3 New Features in Java Card 3
2.3 Related Technologies2.3.1 SIM Toolkit2.3.2 Smart Card Web Server2.3.3 Generic Bootstrapping Architecture3. OPEN MOBILE API
3.1 Introduction3.2 Fundamental Structure3.3 Use Pattern3.4 Access Control3.5 Application Scenario4. LOCAL OPENID4.1 OpenID Protocol
4.1.1 Introduction4.1.2 Weakness of OpenID
4.2 SAML Protocol4.2.1 Introduction4.2.2 Weakness of SAML
![Page 14: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/14.jpg)
Contents4.3 Local OpenID Protocol
4.3.1 Introduction4.3.2 Architecture and Description4.3.3 Compare of OpenID, SAML and Local OpenID5. IMPLEMENTATION
5.1 Platform5.1.1 Introduction of Android5.1.2 Android Security Management
5.2 App on UICC5.2.1 Applet on UICC5.2.2 Algorithms and Functions5.2.3 Configuration of UICC5.2.4 PKCS15 Structure5.2.5 Implementation
5.3 App on Android5.3.1 Functional Description5.3.2 Open Mobile API in Android5.3.3 Implementation
5.4 Test5.4.1 Test Environment5.4.2 Test Procedure5.4.3 Test Result
5.5 Weakness Analysis6. SUMMARY AND FUTURE WORK6.1 Summary6.2 Future Work
![Page 15: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/15.jpg)
Time plan
Investigate and design
Nov Dec Jan Feb Mar Apr May
1st Implementation
2nd Implementation
Jun
1st Thesis
2nd Thesis
Final Thesis
Test
![Page 16: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/16.jpg)
Thanks! Questions?
![Page 17: Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou](https://reader035.vdocuments.mx/reader035/viewer/2022062407/56649e175503460f94b026f4/html5/thumbnails/17.jpg)
References
[1] Rankl, W. (2oo8), Handbuch der Chipkarten, Carl Hanser Verlag München.[2] Sun Microsystems, I. (2006), 'Application Programming Interface Java Card™ Platform, Version 2.2.2'.[3] Wikipedia, t. f. e. (2012), 'Generic Bootstrapping Architecture'.[4] SIMalliance (2011), 'SIMalliance Open Mobile API An Introduction'.[5] SIMalliance (2011), 'Open Mobile API specification V2.02', SIMalliance.[6] van Delft, B. (2010), 'A Security Analysis of OpenID', IFIP Advances in Information and Communication Technology 343/2010, 73-84.