Leveraging UICC with Open Mobile API for Secure Applications and Services

10 Dec 2013


Ran Zhou

Introduction and Motivation


By 2011, there were 6 billion mobile subscriptions (87% of the population)

The UICC serves as the security anchor in the mobile telecom network

Java Card makes the UICC more powerful: digital signature, cryptography…

The UICC is an ideal module to enhance the security level of terminal applications

An interface is required to fill the gap between UICC applet and terminal application

Open Mobile API is proposed to provide this interface

A Dual Application Architecture together with the access control mechanism will be introduced

As an example to be implemented: a UICC-based Local OpenID protocol will be considered in this thesis




[Figure: OpenID Provider (Network Operator), Relying Party / Relying Parties, User, Device with Local OP Server; relations: Association, Log-on, Trust (Long Term Secret), Local authentication]

Agenda


Introduction and Motivation


Basic Technologies


UICC


SIMalliance Open Mobile API


OpenID


Concept of Local OpenID


Thesis Outline


Time Plan






Universal Integrated Circuit Card: UICC

UICC is a smart card used in mobile terminals within telecom networks [1]

It provides

authentication

secure storage

crypto algorithms

Java Card as UICC can provide [2]

Hash functions: MD5, SHA-1, SHA-256 …

Signature functions: HMAC …

Public-key cryptography: RSA …

Symmetric-key cryptography: AES, DES …








UICC


Related Technologies


Toolkit










Smart Card Web Server





Generic Bootstrapping Architecture (GBA)










Open Mobile API




[3]

Open Mobile API


Open Mobile API is established by SIMalliance as an open API between the Secure Element and the Terminal Applications [4]



Crypto


Authentication


Secure Storage


PKCS#15




Open Mobile API


3 Layers [5]

Transport Layer: uses APDUs for accessing a Secure Element

Service Layer: provides a more abstract interface for functions on the SE

Application Layer: represents the various applications using Open Mobile API

Figure 1: Architecture overview
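
What the Transport Layer has to do with each command before it reaches the Secure Element, as an added example (not code from the thesis or from SIMalliance). It is modelled on the restrictions the Open Mobile API places on transmitted commands: MANAGE CHANNEL and SELECT by DF name are refused, and the channel number in CLA is set by the API, so an application cannot switch to an applet the access control did not grant. Assumptions: short-length ISO 7816-4 APDUs, logical channels 0-3 coded in the two low CLA bits, hypothetical function names.

```python
INS_MANAGE_CHANNEL = 0x70
INS_SELECT = 0xA4
P1_SELECT_BY_DF_NAME = 0x04

def parse_command_apdu(apdu: bytes) -> dict:
    """Decode CLA INS P1 P2 [Lc data] [Le] and check that Lc matches the body."""
    if len(apdu) < 4:
        raise ValueError("command APDU needs CLA INS P1 P2")
    cla, ins, p1, p2 = apdu[:4]
    body, data, le = apdu[4:], b"", None
    if len(body) == 1:                       # case 2: Le only
        le = body[0] or 256
    elif body:                               # case 3 or 4
        lc = body[0]
        if lc == 0:
            raise ValueError("extended length is not handled here")
        if len(body) == 1 + lc:              # case 3: Lc + data
            data = body[1:]
        elif len(body) == 2 + lc:            # case 4: Lc + data + Le
            data, le = body[1:-1], body[-1] or 256
        else:
            raise ValueError("Lc does not match the body length")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}

def bind_to_channel(apdu: bytes, channel: int) -> bytes:
    """Refuse channel-management commands, then force the channel bits in CLA."""
    if not 0 <= channel <= 3:
        raise ValueError("only logical channels 0-3 are modelled")
    cmd = parse_command_apdu(apdu)           # malformed input fails here
    if (cmd["cla"] & 0x80) == 0:             # interindustry class
        if cmd["ins"] == INS_MANAGE_CHANNEL:
            raise PermissionError("MANAGE CHANNEL is reserved to the transport layer")
        if cmd["ins"] == INS_SELECT and cmd["p1"] == P1_SELECT_BY_DF_NAME:
            raise PermissionError("SELECT by DF name is reserved to the transport layer")
    # Whatever channel bits the application put into CLA are overwritten.
    return bytes([(cmd["cla"] & 0xFC) | channel]) + apdu[1:]

def split_response(rapdu: bytes):
    """Split a response APDU into (data, status word); 0x9000 means success."""
    if len(rapdu) < 2:
        raise ValueError("response APDU needs SW1 SW2")
    return rapdu[:-2], int.from_bytes(rapdu[-2:], "big")
```
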

Dual Application Architecture

NFC (Near Field Communication) services

Payment services

Ticketing services

Loyalty services (customer retention measures)

ID Management services (e.g. Single Sign-On)

[Figure: UICC, Terminal Application, Open Mobile API, Transport Layer, Access Control Module, Access Control Table]

OpenID

[Figure: OpenID Provider, Relying Party, Relying Parties, User, Device; relation: Log-on]

OpenID Weakness [6]

Phishing

An “Identity System” without Trust: no authority can promise OpenID rzhou.myopenid.com is Ran Zhou

Redirects

Communication Overhead: lots of HTTP requests


Phishing
    Sensitive data remains on UICC

An “identity system” without Trust: no authority can promise OpenID rzhou.myopenid.com is Ran Zhou.
    Trusted Identity through Network Operator (contract)

Redirects
    Local OpenID Server interface

Communication Overhead: lots of HTTP requests
    Significantly reduced authentication traffic



Terminal part is developed by a project partner of Morpho


Integration of UICC is the main topic of this thesis

Concept: Local OpenID Server with UICC

Local OpenID Architecture

[Figure: Network OpenID Provider, Relying Party / Relying Parties, User, Local OP Provider = Mobile Application + UICC Applet; relations: Trust (Long-Term Secret), Association Handle + Derived Key, Local authentication (with PIN), Signed Assertion (with same derived key)]
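
The Local OpenID flow in the figure above, as an added example (not code from the thesis): the network OP hands the relying party an association handle with a derived key, and the Local OP on the device releases a signed assertion only after the PIN check, using the same derived key. Assumptions: HMAC-SHA256 as the key derivation (the slides do not name one), a reduced OpenID 2.0 field set, and hypothetical names `LocalOP`, `derive_key`, `rp_verify`.

```python
import base64
import hashlib
import hmac

def derive_key(long_term_secret: bytes, assoc_handle: str) -> bytes:
    # Assumed KDF (the slides do not name one): HMAC-SHA256 over the handle.
    return hmac.new(long_term_secret, assoc_handle.encode(), hashlib.sha256).digest()

def sign(fields: dict, key: bytes) -> str:
    # OpenID 2.0 signs the key-value form ("name:value\n") of the listed fields.
    names = fields["openid.signed"].split(",")
    kv = "".join(f"{n}:{fields['openid.' + n]}\n" for n in names).encode()
    return base64.b64encode(hmac.new(key, kv, hashlib.sha256).digest()).decode()

class LocalOP:
    """Mobile application + UICC applet; the secret and PIN never leave this object."""

    def __init__(self, long_term_secret: bytes, pin: str, max_tries: int = 3):
        self._secret, self._pin = long_term_secret, pin
        self._max_tries = self._tries_left = max_tries

    def assert_identity(self, identity, return_to, assoc_handle, nonce, pin):
        if self._tries_left == 0:
            raise PermissionError("PIN blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1            # retry counter, as on a smart card
            raise PermissionError("wrong PIN")
        self._tries_left = self._max_tries
        fields = {
            "openid.mode": "id_res",
            "openid.claimed_id": identity,
            "openid.identity": identity,
            "openid.return_to": return_to,
            "openid.response_nonce": nonce,
            "openid.assoc_handle": assoc_handle,
            "openid.signed": "claimed_id,identity,return_to,response_nonce,assoc_handle",
        }
        fields["openid.sig"] = sign(fields, derive_key(self._secret, assoc_handle))
        return fields

def rp_verify(fields: dict, assoc_key: bytes) -> bool:
    """Relying party check with the key it got from the network OP at association."""
    try:
        expected = sign(fields, assoc_key)
    except KeyError:                         # a signed field is missing
        return False
    return hmac.compare_digest(expected.encode(), fields.get("openid.sig", "").encode())
```
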

Contents

1. INTRODUCTION

1.1 Motivation

1.2 Solution Idea

1.3 Overview

2. UICC AND JAVA CARD

2.1 UICC

2.2 Java Card

2.2.1 Introduction

2.2.2 Security and Crypto

2.2.3 New Features in Java Card 3

2.3 Related Technologies

2.3.1 SIM Toolkit

2.3.2 Smart Card Web Server

2.3.3 Generic Bootstrapping Architecture

3. OPEN MOBILE API

3.1 Introduction

3.2 Fundamental Structure

3.3 Use Pattern

3.4 Access Control

3.5 Application Scenario

4. LOCAL OPENID

4.1 OpenID Protocol

4.1.1 Introduction

4.1.2 Weakness of OpenID

4.2 SAML Protocol

4.2.1 Introduction

4.2.2 Weakness of SAML


4.3 Local OpenID Protocol

4.3.1 Introduction

4.3.2 Architecture and Description

4.3.3 Comparison of OpenID, SAML and Local OpenID

5. IMPLEMENTATION

5.1 Platform

5.1.1 Introduction of Android

5.1.2 Android Security Management

5.2 App on UICC

5.2.1 Applet on UICC

5.2.2 Algorithms and Functions

5.2.3 Configuration of UICC

5.2.4 PKCS15 Structure

5.2.5 Implementation

5.3 App on Android

5.3.1 Functional Description

5.3.2 Open Mobile API in Android

5.3.3 Implementation

5.4 Test

5.4.1 Test Environment

5.4.2 Test Procedure

5.4.3 Test Result

5.5 Weakness Analysis

6. SUMMARY AND FUTURE WORK

6.1 Summary

6.2 Future Work

Time plan

[Gantt chart, Nov to Jun: Investigate and design; 1st Implementation; 2nd Implementation; Test; 1st Thesis; 2nd Thesis; Final Thesis]




Thanks!






Questions?

References

[1] Rankl, W. (2008), Handbuch der Chipkarten, Carl Hanser Verlag München.

[2] Sun Microsystems, I. (2006), 'Application Programming Interface Java Card™ Platform, Version 2.2.2'.

[3] Wikipedia, t. f. e. (2012), 'Generic Bootstrapping Architecture'.

[4] SIMalliance (2011), 'SIMalliance Open Mobile API An Introduction'.

[5] SIMalliance (2011), 'Open Mobile API specification V2.02', SIMalliance.

[6] van Delft, B. (2010), 'A Security Analysis of OpenID', IFIP Advances in Information and Communication Technology 343/2010, 73-84.