Secure Authentication for the Development of Mobile Internet Services Critical Considerations

N/A
N/A
Protected

Academic year: 2021

Share "Secure Authentication for the Development of Mobile Internet Services Critical Considerations"

Copied!
28
0
0

Loading.... (view fulltext now)

Full text

(1)

December 2011 – V1

Secure Authentication

for the Development of

Mobile Internet

Services

AGENDA

- SIMalliance presentation
- What's the problem?
- Current solutions (software-based) and their limitations
  - Login/Password (1)
  - OTP (2)
  - WPKI (3)
- Scope of the discussion
  - Mobile Internet services market segments and actors
  - Focus on user-centric security
- SIMalliance answers with the Secure Element (4)
  - SE introduction, SE form factors and Open Mobile API
  - ShareZone Service Provider (SP) use case introduction
  - 4.1 SE distributed by the MNO (UICC)


Who We Are

MEMBERS

STRATEGIC PARTNERS

What We Do

SIMalliance supports secure mobile service creation, deployment and management by advancing interoperability and extending security across all devices that access wireless networks.

By anticipating and addressing the complex Security, Identity and Mobility challenges of Internet convergence, SIMalliance provides industry partners with the BLUEPRINT for secure, interoperable mobile service creation, deployment and management, through:

- A series of Working Groups with the participation of Strategic Partners from the mobile services value chain
- Cooperation with other industry organisations, e.g. ETSI, GSMA, GlobalPlatform

Working Groups Program

Working Groups: Mobile Internet Security, Mobile Transactions, M2M

- Promote the role of the SE in mobile applications & services
- Accelerate and facilitate the deployment of SE-based

Expert Resources, Consultative, Multi-Platform, Vertical Focus

Mobile Internet Security market (IDC 2010)

Segment | 2010 (million $) | 2015 (million $) | CAGR 2010-2015 [%]
Mobile Threat Management (virus, anti-malware, anti-spam, anti-spyware, firewall, intrusion detection and prevention) | 99 | 470 | 36.5
Mobile IP content (file, disk, application encryption, data loss prevention) | 78 | 460 | 42.5
Mobile VPN (infrastructure and clients for mobile devices) | 125 | 430 | 28.1
Mobile Identity Access Management (authentication, authorization (PKI, SSL, cert) and network access for mobile devices) | 44 | 225 | 38.8
Mobile Security Vulnerability Management (device wipe, lockdown, patching; password, policy and compliance management) | 40 | 190 | 36.5
Other mobile security (such as theft, anti-fraud) | 20 | 75 | 29.8

Current authentication solutions

- Login/Password is the most used one but has very low security.
- One Time Password (OTP) is popular in the PC environment, but not well adapted to the mobile Internet.
- Wireless Public Key Infrastructure (WPKI) provides the most secure authentication framework, but remains exposed as long as the private key and the signing operation are held in software rather than in a Secure Element.

Scenario 1: Login/Password

Figure labels: Username, Password, Login.

The authentication is done through a login & password.

Possible security attacks & breaches:
- Login/password can be stolen at the client side
- Login/password can be stolen at the server side

Scenario 2A: OTP via SMS (generated at server side)

Figure labels: Username (request); OTP via SMS; Username + Password + OTP; steps 1 to 3.

1: The device providing the service (PC or mobile) requests an OTP from the server

The OTP should come from a different device to add security.

Scenario 2B: OTP with OTP generator

Figure labels: OTP generating device; Username + Password + OTP; steps 1 and 2.

1: The OTP is generated within the mobile
2: If the PC provides the service, the user enters the OTP in the PC. If the service is in the mobile, the OTP is entered in the mobile application.

Possible security attacks & breaches: the OTP should be generated in a different device to add security.
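As an added worked example, not part of the SIMalliance deck, the Go program below models the server side of Scenario 2A (server-generated OTP sent by SMS) and Scenario 2B (OTP generated on the device). It assumes the device generator is an HMAC-based OTP as specified in RFC 4226, which the slides do not name, and a 6-digit code; the shared secret is the RFC 4226 test-vector key and is constructed for the demo. The slides' limitation shows up directly in the code: for 2B the server must hold the same secret the device holds, so whatever protects that secret on the device (software, or a Secure Element) bounds the strength of the scheme.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

// hotp computes an HMAC-based one-time password (RFC 4226) for a counter.
// In Scenario 2B the same function runs on the generating device and on the
// server: both hold the shared secret, so the scheme is only as strong as
// the place that secret is stored on the device.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 section 5.3)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// generatorAccount is the server-side record for a Scenario 2B user: the
// shared secret and the next counter value the server expects.
type generatorAccount struct {
	secret  []byte
	counter uint64
}

// verifyGenerated accepts a device-generated code within a small look-ahead
// window (the device may have produced codes the user never submitted) and
// then moves the counter past it, so a captured code cannot be replayed.
func (a *generatorAccount) verifyGenerated(otp string, window uint64) bool {
	for i := uint64(0); i <= window; i++ {
		candidate := hotp(a.secret, a.counter+i, 6)
		if subtle.ConstantTimeCompare([]byte(candidate), []byte(otp)) == 1 {
			a.counter += i + 1
			return true
		}
	}
	return false
}

// smsChallenge is the server-side state for Scenario 2A: the server draws a
// random code, sends it by SMS (the sending itself is not modelled here) and
// remembers it until it is used once or expires.
type smsChallenge struct {
	code    string
	expires time.Time
	used    bool
}

func newSMSChallenge(now time.Time, ttl time.Duration) (*smsChallenge, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000)) // unbiased 6-digit code
	if err != nil {
		return nil, err
	}
	return &smsChallenge{code: fmt.Sprintf("%06d", n.Int64()), expires: now.Add(ttl)}, nil
}

// verify rejects an expired, already-used or wrong code and marks an accepted
// code as used so it cannot be submitted a second time.
func (c *smsChallenge) verify(otp string, now time.Time) bool {
	if c.used || now.After(c.expires) {
		return false
	}
	if subtle.ConstantTimeCompare([]byte(c.code), []byte(otp)) != 1 {
		return false
	}
	c.used = true
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test-vector key, for the demo only
	acct := &generatorAccount{secret: secret}
	code := hotp(secret, 1, 6) // device produced counters 0 and 1; the user submits the second
	fmt.Println("2B first use:", acct.verifyGenerated(code, 3)) // true
	fmt.Println("2B replay:", acct.verifyGenerated(code, 3))    // false

	now := time.Now()
	ch, _ := newSMSChallenge(now, 2*time.Minute)
	fmt.Println("2A in time:", ch.verify(ch.code, now.Add(30*time.Second))) // true
	fmt.Println("2A reuse:", ch.verify(ch.code, now.Add(40*time.Second)))   // false
}
```

The two server-side rules that matter are the single-use rule (a submitted code is burned whether the server generated it or the device did) and the look-ahead window for 2B, kept small so that a code generated far ahead of the current counter is not accepted until the counter catches up. Neither rule helps once the 2B secret itself has been copied off the device, which is the gap the slides close with a Secure Element.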

Scenario 3: Identification, Authorization and Encryption (WPKI)

Figure labels: user side with Username and PIN; SP side with Services and Certificates; messages Login Request, Signature Request, Electronic Signature; steps 1 to 4.

1: User provides his login information
2: SP signs the request with the SP certificate and sends it to the user for signature

Credentials must be stored, and the signature generated, in a Secure Element.

Scenario 4: Secure Element-based authentication

Secure Element (SE): a unique combination of
- Tamper-resistant hardware
- Security-optimized software
- Manufactured in secure environments
- Managed remotely

Form factors:
- UICC (SIM): includes the application that authenticates the user in the network; distributed by MNOs
- Secure microSD: SE embedded in a µSD form factor and featuring large memory; distributed by the Service Provider
- Embedded Secure Element (eSE): SE embedded in the mobile at the time of manufacturing

Scenario 4: Secure Elements, tools and actors

Figure: the App reaches the SE through the Open API*; actors around it: PKI, MNO, FIs, OEM, ISP.

The link between the Application and the SE: Open Mobile API

The Open Mobile API is a software interface on the phone that:
- Adds the missing link between mobile applications and the Secure Elements
- Provides access to all kinds of Secure Elements via a single interface
- Is defined in an OS- and programming-language-agnostic way

Figure: Mobile Applications – Open Mobile API – Secure Elements.

The link between the Service Provider and the SE: Trusted Service Manager (TSM)

Which functions does a TSM provide? Activation, provisioning and life-cycle management.

Why a TSM? It avoids the application issuer having to deal with multiple entities, phones and OSs.

Scope of our WorkGroup

Domains:
- User-centric security (e.g. personal data, apps, web, cloud services)
- Corporate mobile security (e.g. secure email, intranet, SaaS)
- Content protection (e.g. mobile TV, GPS maps)
- Mobile transactions (e.g. mobile payment, peer-to-peer money transfer)
- M2M

Actors: MNO, SP, OEM

User-centric Security – The 'ShareZone' SP use case

• ShareZone is an over-the-top player
• Provides a photo-sharing service in the cloud
• Wants to launch a mobile service too but is afraid of mobile security
• Checks the secure authentication options provided in the mobile Internet

User-centric Security – the SE distribution sub-models

- Sub-model 1: The SE is the UICC, owned by the MNO
- Sub-model 2: The SE is a microSD card, issued by the Service Provider
- Sub-model 3: The SE is embedded in the handset (eSE), distributed by the OEM

4.1: SE distributed by the MNO (UICC)

1. SP signs agreements with MNOs
2. User registers in SP's website (or via MNO)
3. SP provides credentials to the MNO with the user's info

Figure: the later steps (numbered 5 and 6) go through the TSM (OTA).

4.2: SE distributed by the SP (direct issuance of microSD cards)

1. The user registers with the SP
2. The SP stores the user information
3. The SP delivers the microSD to the user
4. The SP app is installed on the device and accesses the microSD
5. The SP verifies the signature and grants access
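As an added worked example, not code from SIMalliance or from the deck, the Go program below carries the WPKI exchange of Scenario 3 (login request, SP-signed signature request, electronic signature, verification) and the enrolment and verification steps of sub-model 4.2 (the SP records the user's public key at registration and checks the signature at login). It assumes ECDSA over P-256 with SHA-256 and a 16-byte nonce, none of which the slides specify. The secureElement type is a software stand-in for the microSD or other SE, with a constructed PIN; a real deployment keeps the key and the signing operation inside the SE, which is the point the slides make.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// secureElement models the user-side credential holder: the key never leaves it and it signs only after the correct PIN.
type secureElement struct {
	priv *ecdsa.PrivateKey
	pin  string
}

func newSecureElement(pin string) (*secureElement, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &secureElement{priv: priv, pin: pin}, err
}

func (se *secureElement) sign(pin string, msg []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(se.pin)) != 1 {
		return nil, errors.New("SE: wrong PIN")
	}
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, se.priv, h[:])
}

// signatureRequest is the SP's step-2 message: a fresh nonce bound to the username, signed by the SP so the client can reject a forged request.
type signatureRequest struct {
	Username string
	Nonce    [16]byte
	SPSig    []byte
}

func (r signatureRequest) bytes() []byte { return append([]byte(r.Username), r.Nonce[:]...) }

type serviceProvider struct {
	key     *ecdsa.PrivateKey
	users   map[string]*ecdsa.PublicKey   // public keys recorded at registration
	pending map[[16]byte]signatureRequest // challenges issued, not yet answered
}

func newServiceProvider() (*serviceProvider, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &serviceProvider{key: key, users: map[string]*ecdsa.PublicKey{},
		pending: map[[16]byte]signatureRequest{}}, err
}

// register is the enrolment step of sub-model 4.2: the SP keeps only the public key; the private key stays on the user's SE.
func (sp *serviceProvider) register(user string, pub *ecdsa.PublicKey) { sp.users[user] = pub }

// loginRequest answers step 1 (login request) with a signed challenge (step 2).
func (sp *serviceProvider) loginRequest(user string) (signatureRequest, error) {
	req := signatureRequest{Username: user}
	if _, err := rand.Read(req.Nonce[:]); err != nil {
		return signatureRequest{}, err
	}
	h := sha256.Sum256(req.bytes())
	sig, err := ecdsa.SignASN1(rand.Reader, sp.key, h[:])
	req.SPSig = sig
	sp.pending[req.Nonce] = req
	return req, err
}

// clientSign is step 3 on the device: verify the SP's signature on the request before the SE signs the same bytes with the user's PIN.
func clientSign(se *secureElement, spPub *ecdsa.PublicKey, req signatureRequest, pin string) ([]byte, error) {
	h := sha256.Sum256(req.bytes())
	if !ecdsa.VerifyASN1(spPub, h[:], req.SPSig) {
		return nil, errors.New("client: request not signed by the SP")
	}
	return se.sign(pin, req.bytes())
}

// verifyLogin is step 4: the SP accepts a signature only over a challenge it issued itself, and only once, so a captured signature cannot be replayed.
func (sp *serviceProvider) verifyLogin(user string, nonce [16]byte, userSig []byte) bool {
	req, ok := sp.pending[nonce]
	pub := sp.users[user]
	if !ok || pub == nil || req.Username != user {
		return false
	}
	delete(sp.pending, nonce)
	h := sha256.Sum256(req.bytes())
	return ecdsa.VerifyASN1(pub, h[:], userSig)
}

func main() {
	sp, _ := newServiceProvider()
	se, _ := newSecureElement("1234") // constructed PIN for the demo
	sp.register("alice", &se.priv.PublicKey)
	req, _ := sp.loginRequest("alice")
	sig, err := clientSign(se, &sp.key.PublicKey, req, "1234")
	fmt.Println("signed:", err == nil, "login:", sp.verifyLogin("alice", req.Nonce, sig)) // signed: true login: true
	fmt.Println("replay:", sp.verifyLogin("alice", req.Nonce, sig))                        // replay: false
}
```

Two checks carry the security of the exchange: the client verifies the SP's signature before the SE signs anything, so an attacker cannot get the user to sign an arbitrary message, and the SP verifies only over a nonce it issued and deletes it on first use, so a captured signature is worthless afterwards. What the software stand-in cannot provide is the part the slides reserve for the SE: if the private key lives in application memory, malware on the device can copy it and sign without the PIN.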

4.3: SE distributed by the OEM (eSE)

1. The user registers with the SP (hardware ID)
2. The user downloads the ShareZone application

Figure: a third step goes through the TSM.

Sub-model comparison

The models are mainly characterized by who distributes and manages the SE.

                   | UICC      | Secure microSD | eSE
SE distribution    | MNO       | SP             | OEM
SE management      | MNO       | SP             | OEM or SP
ID provider        | SP        | SP             | SP
ID registration    | SP or MNO | SP             | OEM or trusted 3rd party
Number of services | Multi     | Mono           | Multi
App/Midlet         |           |                |

Conclusion

- Security threats make the use of a Secure Element necessary to store and manage user credentials.
- The Secure Element provides convenient two-factor authentication to connected services, with improved security compared to other methods.
- The SIMalliance members propose different solutions tailored to each business case.

SIMalliance Resources & Events

- SIMposium, a series of events showcasing new technologies, discussing emerging models and tackling key market challenges.
- SIMagine, the global competition recognising the very best in secure mobile application and service creation.
- White papers, recommendations,

Thank you !

Questions ?
