Hardware-based secure services past and future Olivier POTONNIEE, Aurélien COUVERT, Virginie GALINDO April 2016.


What we did around Secure Element…
W3C status – Sept
- SysApps WG proposal: opening a communication channel with Secure Element. Does not fit.
- Web Crypto API for hardware token. Too early.
- Web Crypto. Next workshop in Sept 2014: promoting secure element and FIDO authentication.
- Web Authentication WG: up and running.

Why isn't there an API to access Secure Element yet?
W3C perspectives on SE – internal use only
- Education matters
  - Web devs don't want to speak APDU
  - Browser makers neither
- Power industry matters
  - We are only a few security vendors in W3C
  - More device and security players are joining: banks, Visa, Tyfone, chipset makers, …
- SE value is not straightforward for browser makers
  - They live in an on-line, real-time, risk management world
  - They know how to deal with secure browser, secure enough storage…
- Concern with privacy and security
  - Services in SE made accessible to everyone is a privacy concern
  - No security solution for access control has been convincing enough up to now

What we see for the open web platform…
- There are some standard services that web apps could benefit from
  - Cryptography operation and storage
  - Citizen identity
  - Payment services
- Abstraction: whatever the hardware-based token flavor
- The W3C should not worry about integration aspects
  - TEE and secure element are used in a transparent way in platforms
  - See iOS Secure Enclave, Android hardware-key, Android Trusty framework, Android fingerprint API, and some mobile payment solutions

Example of Web Authentication API…
- The level of service is
  - Enroll authenticator
  - Authenticate
- W3C defines attestation, signature and service parameters
- The implementers manage the FIDO Client and enumeration/communication with the authenticators
- Security model is
  - HTTPS
  - SOP
  - Centralized server checking device attestation, behind the web app domain

Our suggestion for having some hardware-based secure services happening
- Pick one or two use cases
- Design the basic services we need
- Prototype integration with UA vendor
- And improve

Sharing with you some technical thoughts…

Secure Elements in Web Applications

Low level Secure Element APIs
- PC/SC
- Open Mobile API (OMAPI)
8.1:  10:

Cross-Platform Secure Element (SE) API
[Diagram. Layers: Web Applications, Web Runtime (Secure Element API, Access Control), OS. Back ends: PC/SC (MS Windows, MacOS, Linux), OMAPI (Android), NFC. Columns: Desktop, Mobile.]

Secure Element API
- Standardization
  - Proposed to W3C (SysApps & WebCrypto WGs)
  - Transferred to a GlobalPlatform WG
  - Under public review here
- Implementation
  - Included in Firefox OS 2.2 (June 2015)

Web API for accessing Secure Element

Secure Element API
Transport-level API (similar to SIM Alliance's OMAPI)
- Secure Element Manager: enumerate readers; SE insertion / removal events
- Reader: is SE present?; connect to SE
- Session: SE ATR; connect to applet
- Channel: basic / logical; transmit APDUs

Access Control Toolbox
- Secure Element Security Model
  - PIN
  - Secure Messaging
  - Mutual AuthentN
  - GlobalPlatform Access Control
- Web Security Model
  - Permissions: access to device/resources (GPS, storage, etc.)
  - Same Origin Policy (SOP): data isolation per domain

Access Control (1/2): The Web

Domain-bound SE apps (SOP compliant)
- An SE app with one credential per domain
- An SE app is tied to a single domain, which hosts a centralized service
  - Other apps use a delegation protocol to use the centralized service
[Diagram labels: Identity Provider, SAML/OpenID Connect, Login, Authenticate, Service Provider (Relying Party)]

Access Control (2/2): Secure Elements

GlobalPlatform Access Control
[Diagram labels: Access Control Enforcer, Access Rules, SE Application, Cached Access Rules, User Device Application]
Access Rule: authorizes a specific app on the device to access a specific app on the SE [and send specific commands]
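
The access rule described on this slide, sketched as an added example (not code from the presentation or from GlobalPlatform): a default-deny enforcer that checks a cached rule set before a command reaches the applet. The rule shape, the use of a web origin as the app identifier, the AIDs and the header/mask filter form (modelled on GlobalPlatform's APDU filters) are assumptions.

```javascript
// Simplified model of an Access Control Enforcer; all names here are hypothetical.
const hex = (s) => Uint8Array.from(s.match(/../g) || [], (b) => parseInt(b, 16));

// Constructed rule set, as the enforcer would cache it after reading it from the SE.
// appId stands for whatever identifies the device app; a web origin is assumed here.
const CACHED_RULES = [
  { appId: "https://bank.example", aid: "A000000001", apdu: "ALWAYS" },
  { appId: "https://shop.example", aid: "A000000001",
    // Only SELECT (00 A4) and READ BINARY (00 B0); P1 and P2 are masked out.
    apdu: [{ header: "00A40000", mask: "FFFF0000" },
           { header: "00B00000", mask: "FFFF0000" }] },
  { appId: "https://shop.example", aid: "A000000002", apdu: "NEVER" },
];

// True when the first four APDU bytes (CLA INS P1 P2) equal the header under the mask.
function matchesFilter(apdu, filter) {
  const header = hex(filter.header);
  const mask = hex(filter.mask);
  return header.every((h, i) => (apdu[i] & mask[i]) === h);
}

// Default deny: no rule for (appId, aid) means no access to that applet at all.
function isCommandAllowed(rules, appId, aid, apduHex) {
  const apdu = hex(apduHex);
  if (apdu.length < 4) return false; // malformed command, no full header
  const rule = rules.find((r) => r.appId === appId && r.aid === aid);
  if (!rule || rule.apdu === "NEVER") return false;
  if (rule.apdu === "ALWAYS") return true;
  return rule.apdu.some((f) => matchesFilter(apdu, f));
}
```

The "[and send specific commands]" part of the rule is the filter list: the same app can reach the same applet and still have a write command refused.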

Secure Element API to build Trusted Services
[Diagram labels: Trusted services (AuthentN, Signature, Payment, Reload, …), Web Applications, Public APIs, Restricted APIs, Web Runtime, Privileged apps (e.g. Extensions), Secure Element API, Access Control]

The security palette
- Secure Element Built-ins
- GlobalPlatform Access Control
- Trusted Services
- Domain Binding

Or something completely different!
- A REST API provided by those privileged apps
- No need to comply with SOP, but authentication could be managed by well-deployed technology like OAuth
- Permission, privileged context, SRI, CSP, CORS, …