Open Mobile API
The enabler of Mobile ID solutions
Alexander Summerer, Giesecke & Devrient
30th Oct. 2014
Open Mobile API - The enabler of Mobile ID solutions10/30/2014 Page 2
SIMalliance Open Mobile API
Access to all kinds of Secure Elements
Common API for Apps
OS and programming language agnostic
Designed for Open Handset OS platforms
Allows usage of Secure Elements in Mobile Devices
Easy to use API for APDU communication
(Diagram: Mobile Applications on top of Open Mobile API on top of Secure Elements)
Page 3
Motivation: Use Case Examples
Ticketing, Network Access, Identity Management, Payment, Company Access, …
(Diagram: Mobile Applications on top of Open Mobile API on top of Secure Elements)
Page 4
Architecture of Open Mobile API
(Diagram of the Mobile Device, read top down)
Application Layer: Mobile Applications
APIs: Crypto API (PKCS / JCE), Transport, Further Functions
Service Layer: Crypto provider, Authentication, Secure Storage, File Management, Storage / File system, Access Control, Further Functions
Transport Layer: Generic Transport, Access Control, Secure Element Provider Interface with SE provider plug-ins (SIM Plug-in, µSD Plug-in, Further SE, …)
Secure Elements (e.g. SIM, Secure µSD, …)
Also shown: SE provider, Test Specifications
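The transport layer described on pages 2 and 4 is what an application actually touches: bind to the service, pick a reader, open a session, open a logical channel to an applet and exchange APDUs, with the access control enforcer deciding on the way whether this app may reach that AID. The following is an added example written for this page, not code from the presentation, from SEEK or from G&D. It assumes the OMAPI 2.x/3.x Java binding (org.simalliance.openmobileapi) as shipped on pre-Android-9 handsets, that the UICC reader's name starts with "SIM", and a hypothetical Mobile ID applet AID (F0010203040506, an unregistered proprietary RID) that accepts a hypothetical command CLA=80 INS=88 "sign this challenge"; the challenge bytes are constructed.

```java
import android.content.Context;
import android.util.Log;
import java.io.IOException;
import java.util.Arrays;
import org.simalliance.openmobileapi.Channel;
import org.simalliance.openmobileapi.Reader;
import org.simalliance.openmobileapi.SEService;
import org.simalliance.openmobileapi.Session;

/**
 * Walks the Open Mobile API from the application side: bind to the SEService,
 * select the SIM reader, open a session and a logical channel to an applet,
 * exchange one APDU, then tear everything down again.
 */
public class MobileIdClient implements SEService.CallBack {
    private static final String TAG = "MobileIdClient";
    // Hypothetical applet AID; the F0 prefix marks a proprietary, unregistered RID.
    private static final byte[] MOBILE_ID_AID = hex("F0010203040506");
    // Constructed 16-byte challenge; in the Mobile ID flow it would come from the server.
    private static final byte[] CHALLENGE = hex("00112233445566778899AABBCCDDEEFF");

    private SEService seService;

    /** Binds to the OMAPI system service; serviceConnected() is called back when it is ready. */
    public void connect(Context ctx) {
        seService = new SEService(ctx, this);
    }

    @Override
    public void serviceConnected(SEService service) {
        Session session = null;
        Channel channel = null;
        try {
            Reader sim = findSimReader(service);
            if (sim == null || !sim.isSecureElementPresent()) {
                Log.w(TAG, "no SIM-based secure element available");
                return;
            }
            session = sim.openSession();
            // Opens a fresh logical channel and SELECTs the applet by AID. The access
            // control enforcer in the transport layer checks the calling app's signing
            // certificate against the rules stored on the SE (GlobalPlatform SE Access
            // Control, ARA-M or ARF) and throws SecurityException if this app may not
            // talk to this AID. Apps cannot bypass it: transmit() rejects MANAGE CHANNEL
            // and SELECT-by-DF-name APDUs, so channel management stays with the API.
            channel = session.openLogicalChannel(MOBILE_ID_AID);
            byte[] apdu = caseFourApdu((byte) 0x80, (byte) 0x88, (byte) 0x00, (byte) 0x00, CHALLENGE);
            // Per the OMAPI specification the transport layer handles 61xx (GET RESPONSE)
            // and 6Cxx (re-issue with corrected Le), so the caller sees the complete response.
            byte[] response = channel.transmit(apdu);
            byte[] signature = stripStatusWord(response);
            Log.i(TAG, "applet returned " + signature.length + " signature bytes");
        } catch (SecurityException e) {
            Log.e(TAG, "access denied by the SE access control rules", e);
        } catch (IOException e) {
            Log.e(TAG, "secure element communication failed", e);
        } finally {
            if (channel != null) channel.close();
            if (session != null) session.close();
            service.shutdown();
        }
    }

    /** Reader names are implementation specific; by convention the UICC reader starts with "SIM". */
    static Reader findSimReader(SEService service) {
        for (Reader reader : service.getReaders()) {
            if (reader.getName().startsWith("SIM")) {
                return reader;
            }
        }
        return null;
    }

    /** ISO 7816-4 case-4 short APDU: CLA INS P1 P2 Lc data Le, with Le=00 (up to 256 bytes back). */
    static byte[] caseFourApdu(byte cla, byte ins, byte p1, byte p2, byte[] data) {
        if (data.length == 0 || data.length > 255) {
            throw new IllegalArgumentException("Lc must be 1..255 for a short APDU");
        }
        byte[] apdu = new byte[5 + data.length + 1];
        apdu[0] = cla;
        apdu[1] = ins;
        apdu[2] = p1;
        apdu[3] = p2;
        apdu[4] = (byte) data.length;
        System.arraycopy(data, 0, apdu, 5, data.length);
        apdu[apdu.length - 1] = 0x00;
        return apdu;
    }

    /** Splits SW1 SW2 off the response; anything other than 9000 is treated as a failure. */
    static byte[] stripStatusWord(byte[] response) throws IOException {
        if (response == null || response.length < 2) {
            throw new IOException("response shorter than a status word");
        }
        int sw = ((response[response.length - 2] & 0xFF) << 8) | (response[response.length - 1] & 0xFF);
        if (sw != 0x9000) {
            throw new IOException(String.format("applet returned SW=%04X", sw));
        }
        return Arrays.copyOf(response, response.length - 2);
    }

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

To run against a SEEK-enabled handset the app's manifest needs the `org.simalliance.openmobileapi.SMARTCARD` permission and a `<uses-library android:name="org.simalliance.openmobileapi" />` entry; since Android 9 the same Reader/Session/Channel model ships in the platform as `android.se.omapi`. The SecurityException path is the one to test first when an applet "does not answer": in almost every case it is the access rule on the SIM, not the applet, that is missing the app's certificate hash.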
Page 5
Open Mobile API reference implementation (SEEK)
Open source project maintained by G&D since 2010
Integrated in almost all NFC Android handsets
Offers drivers, applications, code samples and guidelines
Open Mobile API reference implementation for Android
Page 6
Open Mobile API Revisions
Kick-Off                                                      Oct 2010
Release 1.01  Transport API                                   Mar 2011
Release 2.02  Transport API + Service API                     Nov 2011
Release 2.03  Maintenance                                     Jul 2012
Release 2.04  Maintenance + Recommendations for implementers  Dec 2013
Release 2.05  Maintenance                                     Feb 2014
Release 3.0   Maintenance + ANSI-C header                     Nov 2014 (current schedule; public draft available)
Page 7
Open Mobile API Compliance
Kick-Off                                                  Mar 2013
Test Spec. 1.0  Transport API                             Mar 2014
Test Spec. 1.1  Transport API maintenance, Test Applet    Jul 2014
Device Compliance program for Open Mobile API             Sep 2014
Test Spec. 2.0  Incl. C-Interface                         Nov 2014 (current schedule)
Page 8
Open Mobile API – The enabler of Mobile ID solutions
Identity Management: Enrolment, Credential Issuance & Life-Cycle-Management, Manage credentials
Access Management: Use credentials, Authentication & Authorization
External Secure Elements
(Diagram: Mobile Applications on top of Open Mobile API on top of Secure Elements)
Page 9
Mobile ID Solution: Secure Authentication
1. Connect: the application on the device connects to the Application Server
2. Forward: the Application Server forwards the authentication request to the Authentication Server
3. Out-Of-Band Authentication: challenge-response protocol via OTA between the Authentication Server and the Mobile ID applet in the Secure Element (OTP, PKI based or symmetric signatures)
4. Grant access
Supported protocols: GSMA Mobile Connect, OATH, SAML, OpenID, FIDO
(Diagram: several devices, each running Applications over Open Mobile API over the Mobile ID applet)
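Step 3 is where the security of the flow is decided: the challenge travels over a channel (OTA to the SIM) that the application's own IP session does not control, and the server must only accept a response that is fresh, unused and bound to the session it is about to authorize. The following is an added example written for this page, not code from the presentation or from G&D, showing both sides of that exchange with the symmetric-signature variant (HMAC-SHA256). It assumes a per-subscriber key shared at enrolment (constructed here with SecureRandom), a 60-second challenge lifetime, and an injectable clock; the OTA transport and the Open Mobile API round trip between app and applet are left out, both sides run in one process.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Models the out-of-band challenge-response: the Authentication Server mints a
 * challenge, the Mobile ID applet signs it together with the session id, the
 * server verifies once and only once, within the lifetime, for that session.
 */
public class ChallengeResponseDemo {
    private static final String MAC_ALG = "HmacSHA256";
    private static final long CHALLENGE_LIFETIME_SECONDS = 60;

    /** Applet side: the subscriber key is provisioned OTA and never leaves the SE. */
    static final class MobileIdApplet {
        private final byte[] subscriberKey;

        MobileIdApplet(byte[] subscriberKey) {
            this.subscriberKey = subscriberKey.clone();
        }

        /** Signs the server's nonce together with the session the user is approving. */
        byte[] sign(byte[] challenge, String sessionId) throws Exception {
            return mac(subscriberKey, challenge, sessionId);
        }
    }

    /** One outstanding challenge on the server; removed on first use. */
    static final class Pending {
        final String msisdn;
        final String sessionId;
        final long expiresAt;

        Pending(String msisdn, String sessionId, long expiresAt) {
            this.msisdn = msisdn;
            this.sessionId = sessionId;
            this.expiresAt = expiresAt;
        }
    }

    /** Authentication Server side. */
    static final class AuthServer {
        private final Map<String, byte[]> subscriberKeys = new HashMap<>();
        private final Map<String, Pending> pending = new HashMap<>();
        private final SecureRandom rng = new SecureRandom();
        long clock = 0; // seconds; settable so the demo can show expiry

        void enrol(String msisdn, byte[] key) {
            subscriberKeys.put(msisdn, key.clone());
        }

        /** Step 2 arrives from the Application Server; the server mints a nonce to push OTA. */
        byte[] issueChallenge(String msisdn, String sessionId) {
            if (!subscriberKeys.containsKey(msisdn)) {
                throw new IllegalArgumentException("unknown subscriber");
            }
            byte[] challenge = new byte[16];
            rng.nextBytes(challenge);
            pending.put(hex(challenge), new Pending(msisdn, sessionId, clock + CHALLENGE_LIFETIME_SECONDS));
            return challenge;
        }

        /** Step 4 precondition: the OTA response must match a live, unused challenge for this session. */
        boolean verify(byte[] challenge, String sessionId, byte[] signature) throws Exception {
            Pending p = pending.remove(hex(challenge)); // single use: a replayed response finds nothing
            if (p == null || clock > p.expiresAt || !p.sessionId.equals(sessionId)) {
                return false;
            }
            byte[] expected = mac(subscriberKeys.get(p.msisdn), challenge, sessionId);
            return MessageDigest.isEqual(expected, signature); // constant-time comparison
        }
    }

    static byte[] mac(byte[] key, byte[] challenge, String sessionId) throws Exception {
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(new SecretKeySpec(key, MAC_ALG));
        mac.update(challenge);
        mac.update(sessionId.getBytes(StandardCharsets.UTF_8));
        return mac.doFinal();
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // constructed per-subscriber key, shared at enrolment
        String msisdn = "subscriber-1";    // constructed identifier
        AuthServer server = new AuthServer();
        server.enrol(msisdn, key);
        MobileIdApplet applet = new MobileIdApplet(key);

        byte[] challenge = server.issueChallenge(msisdn, "app-session-42");
        byte[] signature = applet.sign(challenge, "app-session-42");
        System.out.println("genuine response accepted: " + server.verify(challenge, "app-session-42", signature));
        System.out.println("same response replayed:    " + server.verify(challenge, "app-session-42", signature));

        challenge = server.issueChallenge(msisdn, "app-session-43");
        signature = applet.sign(challenge, "app-session-43");
        System.out.println("presented for another session: " + server.verify(challenge, "attacker-session", signature));

        challenge = server.issueChallenge(msisdn, "app-session-44");
        signature = applet.sign(challenge, "app-session-44");
        server.clock += CHALLENGE_LIFETIME_SECONDS + 1;
        System.out.println("expired challenge accepted: " + server.verify(challenge, "app-session-44", signature));
    }
}
```

The four checks in main() are the ones an auditor looks for in any OTP or OTA scheme: the genuine response is accepted, the identical response is refused the second time, a response cannot be redeemed against a session other than the one the applet signed for, and a stale challenge is refused. The session binding is what stops a phisher who triggers an OTA push for the victim's MSISDN from consuming the approval in their own web session; without it, the out-of-band channel only proves that the SIM is present, not that the user approved this login.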
Page 10
Mobile ID Solution: Secure Cloud Storage
Cloud Storage (Dropbox, Google Drive, …): upload/download of encrypted files
Key Management via OTA by the Key and Certificate Management System
(Diagram: several devices, each running Applications over Open Mobile API over Mobile ID)
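What "upload/download of encrypted files" with SIM-held keys amounts to in practice is envelope encryption: every file gets its own content key, the cloud provider only ever stores ciphertext plus that content key wrapped under a key-encryption key (KEK) that stays inside the Secure Element, and the Key and Certificate Management System is what makes the KEK recoverable when the SIM is lost. The following is an added example written for this page, not code from the presentation or from G&D. It stands in for the SE with a Java object whose KEK bytes never leave it, uses AES-GCM for the file and RFC 3394 AES key wrap for the content key, and binds each ciphertext to its file name through the GCM associated data; the KEK and the document are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Envelope encryption for cloud storage: per-file AES-GCM key, wrapped under a
 * KEK that lives in the Secure Element. The cloud sees ciphertext and wrapped
 * keys only; decryption requires a device holding the same KEK.
 */
public class SecureCloudStorageDemo {
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;

    /** What gets uploaded: the provider can store it but cannot read it. */
    static final class EncryptedBlob {
        final String fileName;
        final byte[] iv;
        final byte[] ciphertext;
        final byte[] wrappedFileKey;

        EncryptedBlob(String fileName, byte[] iv, byte[] ciphertext, byte[] wrappedFileKey) {
            this.fileName = fileName;
            this.iv = iv;
            this.ciphertext = ciphertext;
            this.wrappedFileKey = wrappedFileKey;
        }
    }

    /** Stand-in for the SE-resident KEK: wrap and unwrap happen here, the key bytes never leave. */
    static final class SecureElementKek {
        private final SecretKey kek;

        SecureElementKek(byte[] kekBytes) {
            this.kek = new SecretKeySpec(kekBytes, "AES");
        }

        byte[] wrap(SecretKey fileKey) throws GeneralSecurityException {
            Cipher c = Cipher.getInstance("AESWrap"); // RFC 3394 key wrap, integrity-checked
            c.init(Cipher.WRAP_MODE, kek);
            return c.wrap(fileKey);
        }

        SecretKey unwrap(byte[] wrapped) throws GeneralSecurityException {
            Cipher c = Cipher.getInstance("AESWrap");
            c.init(Cipher.UNWRAP_MODE, kek);
            return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        }
    }

    static EncryptedBlob encryptForUpload(SecureElementKek se, String fileName, byte[] plaintext)
            throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey fileKey = kg.generateKey(); // fresh key per file, so one compromise stays local
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, fileKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        gcm.updateAAD(fileName.getBytes(StandardCharsets.UTF_8)); // ties ciphertext to its name
        byte[] ciphertext = gcm.doFinal(plaintext);
        return new EncryptedBlob(fileName, iv, ciphertext, se.wrap(fileKey));
    }

    static byte[] decryptAfterDownload(SecureElementKek se, EncryptedBlob blob)
            throws GeneralSecurityException {
        SecretKey fileKey = se.unwrap(blob.wrappedFileKey); // fails on a foreign KEK
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, fileKey, new GCMParameterSpec(GCM_TAG_BITS, blob.iv));
        gcm.updateAAD(blob.fileName.getBytes(StandardCharsets.UTF_8));
        return gcm.doFinal(blob.ciphertext); // AEADBadTagException on any tampering or renaming
    }

    public static void main(String[] args) throws Exception {
        byte[] kekBytes = new byte[32];
        new SecureRandom().nextBytes(kekBytes); // constructed; in the product it is provisioned OTA
        SecureElementKek se = new SecureElementKek(kekBytes);
        byte[] doc = "quarterly figures, internal only".getBytes(StandardCharsets.UTF_8); // constructed

        EncryptedBlob blob = encryptForUpload(se, "q3.txt", doc);
        System.out.println("round trip matches: " + Arrays.equals(doc, decryptAfterDownload(se, blob)));

        // Object renamed on the cloud side: the associated data no longer matches.
        EncryptedBlob renamed = new EncryptedBlob("q4.txt", blob.iv, blob.ciphertext, blob.wrappedFileKey);
        try {
            decryptAfterDownload(se, renamed);
            System.out.println("renamed blob decrypted");
        } catch (GeneralSecurityException e) {
            System.out.println("renamed blob rejected: " + e.getClass().getSimpleName());
        }

        // Another device without the escrowed KEK cannot unwrap the file key.
        byte[] otherKek = new byte[32];
        new SecureRandom().nextBytes(otherKek);
        try {
            decryptAfterDownload(new SecureElementKek(otherKek), blob);
            System.out.println("foreign SE decrypted");
        } catch (GeneralSecurityException e) {
            System.out.println("foreign SE rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The third case is the operational point behind "Key Management via OTA" on the slide: a replacement SIM can only read the existing files if the Key and Certificate Management System re-provisions the same KEK (or a KEK able to unwrap the old wrapped keys), so KEK escrow and rotation policy belong to the design, not to the app.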
Page 11
Mobile ID Solution: Secure System Login
Domain Controller: verification of the login
Key and Certificate Management System: certificate management, Key Management via OTA
(Diagram: device running Applications over Open Mobile API over Mobile ID)
Page 12
Mobile ID Solution: Secure Voice
1. Registration with the SIP Server
2. Mutual Authentication
3. Secure Voice & Messaging (VoIP communication)
Key and Certificate Management System: certificate management, Key Management via OTA
(Diagram: two devices, each running Open Mobile API over Mobile ID)
Page 13
Mobile ID Solution: Derived Credentials
Step 1) Authentication, e.g. EN 419212 (former EN 14890), Privacy based Chip Authentication (PCA)
Step 2) Derived Credential Download
Local provisioning of Derived Credentials
Remote provisioning of Derived Credentials via the Derived Credential Issuer and the Derived Credentials Provisioning System
E.g. PIV Derived Credential Applet
E.g. eIDAS (ANSSI, BSI, ANTS) Applet
e.g. NIST SP 800-157, Guidelines for Personal Identity Verification (PIV) Derived Credentials
(Diagram: device running Open Mobile API over Mobile ID)
Page 14
Mobile ID Solution: Vodafone Secure SIM
Secure Data
  Encryption of e-mails, documents, storage and VPN
  PKI keys and certificates are stored in the SIM
  Seamless integration into existing security technologies
  Additional hardware (smart cards, security tokens) not needed
  Easy administration via web admin portal
Secure Login
  2-factor authentication (access data + SIM identity)
  Login with end-to-end encryption
  Seamless integration into existing IT infrastructures
  No additional hardware required
  Easy administration via web admin portal
http://www.vodafone.de/business/firmenkunden/loesungen/security.html
Page 15
Trusted Execution Environment for Mobile ID
(Diagram: Smart Connected Device Processor split into Normal World and Secure World)
Normal World: Rich OS running Rich Apps, TEE Client API, TEE Driver Kernel Module
Secure World: Trusted Execution Environment with Secure OS on a Microkernel, Core API, SE-API, Trusted UI, Trusted Apps; Secure Elements attached below
GP TEE Trusted User Interface API for secure user entry (e.g. PIN): v1.0 was published in June 2013
GP TEE Secure Element API for Secure Element Access: v1.0 was published in August 2013; Open Mobile API compliant
Funding project: G&D is currently implementing a prototype
Page 16
TEE Remote provisioning for Mobile ID
Management of SE and TEE security domains to reflect the business relationships
Service Providers -> Trusted Service Manager (OTA) -> device: Download Applet to the Secure Elements, Download Trusted App to the TEE (Microkernel), Manage credentials, Secure apps
Trusted Service Manager: provisioning and deployment of SE applets and Trusted Applications for the TEE; personalized OTA access and lifecycle management of data and operations for an unlimited number of devices
Page 17
Conclusion
Open Mobile API enables Mobile ID solutions
Open Mobile API device qualification is established
First commercial Mobile ID services exist
A variety of Mobile ID solutions is possible
Open Mobile API is implemented in many handsets (e.g. Android NFC devices from HTC, LG, Sony, Samsung)
TEE SE API enables TEE based Mobile ID solutions
(Diagram: Mobile Applications on top of Open Mobile API on top of Secure Elements)
Page 18
Thank you for your attention!
Alexander Summerer, Technology Consultant Mobile Security
Giesecke & Devrient GmbH
Prinzregentenstrasse 159
81607 Munich, GERMANY
www.gi-de.com
Telephone +49 89