Open Mobile API - The enabler of Mobile ID solutions
Alexander Summerer, Giesecke & Devrient
30th Oct. 2014

Page 2: SIMalliance Open Mobile API

- Access to all kinds of Secure Elements
- Common API for Apps
- OS and programming language agnostic
- Designed for open handset OS platforms
- Allows usage of Secure Elements in Mobile Devices
- Easy to use API for APDU communication

(Diagram: Mobile Applications - Open Mobile API - Secure Elements)

Page 3: Motivation: Use Case Examples

Use cases around the Mobile Applications / Open Mobile API / Secure Elements stack:
- Ticketing
- Network Access
- Identity Management
- Payment
- Company Access

Page 4: Architecture of Open Mobile API

Layered architecture diagram:
- Application Layer: Mobile Applications
- Service Layer: Access Control, Authentication, Secure Storage, File Management, Crypto API (PKCS / JCE), Crypto provider, Storage / File system, Generic Transport, Further Functions
- Transport Layer: Secure Element Provider Interface, SE provider, SIM Plug in, µSD Plug in, Further SE
- Mobile Device: Secure Elements (e.g. SIM, Secure µSD, …)
- Also shown: APIs, Test Specifications

Page 5: Open Mobile API reference implementation (SEEK)

- Open Source project maintained by G&D since 2010
- Integrated by almost all NFC Android handsets
- Offers drivers, applications, code samples, guidelines
- Open Mobile API reference implementation for Android

Page 6: Open Mobile API Revisions

Timeline:
- Oct 2010: Kick-Off
- Mar 2011: Release 1.01 (Transport API)
- Nov 2011: Release 2.02 (Transport API + Service API)
- Jul 2012: Release 2.03 (Maintenance)
- Dec 2013: Release 2.04 (Maintenance + Recommendations for implementers)
- Feb 2014: Release 2.05 (Maintenance)
- Nov 2014 (current schedule, public draft available): Release 3.0 (Maintenance + ANSI-C header)

Page 7: Open Mobile API Compliance

Timeline:
- Mar 2013: Kick-Off
- Mar 2014: Test Spec. 1.0 (Transport API)
- Jul 2014: Test Spec. 1.1 (Transport API maintenance, Test Applet)
- Sep 2014: Device Compliance program for Open Mobile API
- Nov 2014 (current schedule): Test Spec. 2.0 (incl. C-Interface)

Page 8: Open Mobile API – The enabler of Mobile ID solutions

Identity Management:
- Enrolment: Identity Management, manage credentials (Credential Issuance & Life-Cycle-Management)
- Access Management: use credentials (Authentication & Authorization)
- External Secure Elements

(Diagram: Mobile Applications - Open Mobile API - Secure Elements)

Page 9: Mobile ID Solution: Secure Authentication

Flow (diagram):
1. Connect (Applications -> Application Server)
2. Forward (Application Server -> Authentication Server)
3. Out-Of-Band Authentication: Challenge-Response protocol via OTA between the Authentication Server and the Mobile ID in the Secure Element, reached through the Open Mobile API (OTP, PKI based or sym. signatures)
4. Grant access

Supported protocols: GSMA Mobile Connect, OATH, SAML, OpenID, FIDO
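Added example (not from the slides, nor from the SEEK project): the Open Mobile API call sequence an Android app uses for step 3 above, letting a Mobile ID applet in the SE sign the authentication server's challenge. The class name, the AID and the CLA/INS bytes are constructed assumptions; the org.simalliance.openmobileapi classes are those of the SIMalliance specification; the challenge is assumed to fit a short APDU (at most 255 bytes).

```java
import android.content.Context;
import org.simalliance.openmobileapi.Channel;
import org.simalliance.openmobileapi.Reader;
import org.simalliance.openmobileapi.SEService;
import org.simalliance.openmobileapi.Session;
// Step 3 of the slide's flow: the Mobile ID applet in the SE signs the server's challenge.
public final class MobileIdClient implements SEService.CallBack {
    // Constructed, hypothetical AID and command bytes; a real applet defines its own.
    private static final byte[] MOBILE_ID_AID = {(byte) 0xA0, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03};
    private static final byte CLA = (byte) 0x80, INS_SIGN = (byte) 0x2A;
    private final byte[] challenge;  // nonce forwarded by the authentication server (step 2)
    public MobileIdClient(Context ctx, byte[] challenge) {
        this.challenge = challenge.clone();
        new SEService(ctx, this);  // binds asynchronously; serviceConnected() fires when ready
    }
    public void serviceConnected(SEService service) {
        try {
            byte[] signature = signChallenge(service);
            // ... hand the signature to the authentication server; it verifies it and the application server grants access (step 4)
        } catch (Exception e) {
            // Fail closed: a missing SE or a bad status word must not degrade to password-only login.
        } finally {
            service.shutdown();
        }
    }
    byte[] signChallenge(SEService service) throws Exception {
        for (Reader reader : service.getReaders()) {
            if (!reader.isSecureElementPresent()) continue;   // empty SIM slot, no eSE, ...
            Session session = reader.openSession();
            Channel channel = null;
            try {
                // SELECT by AID on a logical channel; the access control enforcer (ARA/ARF) first checks this app's signing certificate against the SE's access rules.
                channel = session.openLogicalChannel(MOBILE_ID_AID);
                if (channel == null) continue;                 // no free logical channel on this SE
                byte[] apdu = new byte[5 + challenge.length];  // CLA INS P1 P2 Lc | data
                apdu[0] = CLA; apdu[1] = INS_SIGN; apdu[4] = (byte) challenge.length;
                System.arraycopy(challenge, 0, apdu, 5, challenge.length);
                byte[] resp = channel.transmit(apdu);          // response data || SW1 SW2
                int sw = ((resp[resp.length - 2] & 0xFF) << 8) | (resp[resp.length - 1] & 0xFF);
                if (sw != 0x9000) throw new IllegalStateException(String.format("SW %04X", sw));
                return java.util.Arrays.copyOf(resp, resp.length - 2);  // signature without SW
            } catch (java.util.NoSuchElementException e) { /* applet not on this SE; try the next reader */
            } finally {
                if (channel != null) channel.close();
                session.close();
            }
        }
        throw new IllegalStateException("no Secure Element carries the Mobile ID applet");
    }
}
```

A SecurityException from openLogicalChannel means the SE's access rules deny this app and is deliberately left to propagate into the fail-closed path.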

Page 10: Mobile ID Solution: Secure Cloud Storage

- Cloud Storage (Dropbox, Google Drive, …): upload/download of encrypted files
- Key Management via OTA from a Key and Certificate Management System
- Applications use the Mobile ID in the Secure Element via the Open Mobile API

Page 11: Mobile ID Solution: Secure System Login

- Domain Controller: verification
- Key Management via OTA; Certificate Management by a Key and Certificate Management System
- Applications use the Mobile ID in the Secure Element via the Open Mobile API

Page 12: Mobile ID Solution: Secure Voice

1. Registration (SIP Server)
2. Mutual Authentication
3. Secure Voice & Messaging (VoIP communication)

Key Management via OTA; Certificate Management by a Key and Certificate Management System. Both devices use the Mobile ID via the Open Mobile API.

Page 13: Mobile ID Solution: Derived Credentials

- Derived Credential Issuer / Derived Credentials Provisioning System
- Step 1) Authentication, e.g. EN 419212 (former 14890), Privacy based Chip Authentication (PCA)
- Step 2) Derived Credential Download
- Local provisioning of Derived Credentials; Remote provisioning of Derived Credentials
- Applets in the Secure Element (Mobile ID via Open Mobile API): e.g. PIV Derived Credential Applet; e.g. eIDAS (ANSSI, BSI, ANTS) Applet
- e.g. NIST SP800-157, Guidelines for Personal Identity Verification (PIV) Derived Credentials

Page 14: Mobile ID Solution: Vodafone Secure SIM

Secure Data
- Encryption of E-Mails, documents, storage and VPN
- PKI keys and certificates are stored in the SIM
- Seamless integration into existing security technologies
- Additional hardware (Smart Cards, Security Tokens) not needed
- Easy administration via web admin portal

Secure Login
- 2 factor authentication (access data + SIM identity)
- Login with End-2-End encryption
- Seamless integration into existing IT infrastructures
- No additional hardware required
- Easy administration via web admin portal

http://www.vodafone.de/business/firmenkunden/loesungen/security.html

Page 15: Trusted Execution Environment for Mobile ID

Diagram (Smart Connected Device Processor):
- Normal World: Rich OS, Rich Apps, TEE Client API, TEE Driver Kernel Module
- Secure World: Trusted Execution Environment, Secure OS, Microkernel, Core API, SE-API, Trusted UI, Trusted Apps
- Secure Elements

- GP TEE Trusted User Interface API for secure user entry (e.g. PIN); v1.0 was published in June 2013
- GP TEE Secure Element API for Secure Element Access; v1.0 was published in August 2013; Open Mobile API compliant
- Funding project: G&D is currently implementing a prototype

Page 16: TEE Remote provisioning for Mobile ID

Management of SE and TEE security domains to reflect the business relationships.

Diagram: Service Providers -> Trusted Service Manager -> OTA -> device (Secure Elements: Download Applet; TEE Microkernel: Download Trusted App; Secure apps; Manage credentials)

- Provisioning and deployment of SE applets and Trusted Applications for the TEE
- Personalized OTA access and lifecycle management of data and operations to an unlimited number of devices

Page 17: Conclusion

- Open Mobile API enables Mobile ID solutions
- Open Mobile API device qualification is established
- First commercial Mobile ID services exist
- Variety of Mobile ID solutions are possible
- Open Mobile API is implemented in many handsets (e.g. Android NFC devices from HTC, LG, Sony, Samsung)
- TEE SE API enables TEE based Mobile ID solutions

(Diagram: Mobile Applications - Open Mobile API - Secure Elements)

Page 18: Thank you for your attention!

Alexander Summerer, Technology Consultant
Mobile Security, Giesecke & Devrient GmbH
Prinzregentenstrasse 159, 81607 Munich, GERMANY
www.gi-de.com
Telephone +49 89 [email protected]