Secure Element Access from a Web browser W3C Workshop on Authentication, Hardware Tokens and Beyond 11 September Oberthur Technologies – Identity BU JAVARY Bruno
11 September INTRODUCTION Agenda 02. EXISTING : WHAT ARE THE DRAWBACKS 03. USE CASE : PIV 04. PERSPECTIVE AND PROPOSAL
11 September INTRODUCTION Agenda 02. EXISTING : WHAT ARE THE DRAWBACKS 03. USE CASE : PIV 04. PERSPECTIVE AND PROPOSAL
History : OT experience June 20th 2013, London, Workshop on Web Applications and Secure Hardware July 2013 : October 15 th 2013, Oberthur Technologies joins FIDO Alliance OT founding member of SIA November 2013 : Presentation of PIV for eSE on OT booth demonstrating eservices. “my voice is my password” winner in the Trusted internet/ Authentication category February th 2013, Barcelona, GSMA Mobile World Congress : 1st worldwide demonstration of a FIDO authentication secured by the SIM March 2014 : Mobile ID study starts with dedicated workforce with objective : “Smartcard Access from Web Browser” Summer 2014, w3C call for papers, submission of position paper, result of internal study 4 for eSE finalist
POSITION SUMMARY To enable a common access for every single user to trusted services thanks to a secure element, the best candidate is the web browser By consequence HTML and JavaScript will be the standard to access a secure element Many examples already exist to access hardware o Video, webcam, geolocation, file system o Thanks to evolutions of standards 11 September
POSITION SUMMARY Authentication : o For Payment / Internet banking / Corporate network access / Social media o FIDO is an answer Access to cryptographic operations : « Secure Operations Execution » o Web crypto api o Issue : define use cases exhaustively Low level access to the secure element or hardware token o Access the closest possible to the hardware o Close to sysapp considerations 11 September Several topics are to be considered
11 September INTRODUCTION Agenda 02. EXISTING : WHAT ARE THE DRAWBACKS 03. USE CASE : PIV 04. PERSPECTIVE AND PROPOSAL
Middleware Software application that enhances the capacities of our computer applications by creating an abstraction layer Implements standard Good solution for a local use, it provides secure features established on standards in a controlled IT configuration. However it can’t be used as an online solution or in an opened device. 11 September EXISTING Web browser extension Program integrated into a web browser and which provides new features Can be : plug-in, java applet, ActiveX The only solution right now but many drawbacks : o Heterogeneity of methods to access Smart Card o Security
Mobility Most of the apis are proprietary (eg OT Micro SD) There are some promising technologies o NFC o Open Mobile API These communications layers remain low level Middleware and web browser extensions do not fit in a mobile environment 11 September EXISTING
11 September INTRODUCTION Agenda 02. EXISTING : WHAT ARE THE DRAWBACKS 03. USE CASE : PIV 04. PERSPECTIVE AND PROPOSAL
Definition 11 September 2014 PIV - PERSONAL IDENTITY VERIFICATION Limitations US federal employee or contractor wears a PIV card defined by the National Institute of Standards and Technology (NIST). The card is required to enter a governmental building and to log on to computers (Physical and Logical Access Control). The federal employee can also sign s or documents and authenticates to remote web sites in HTTPS. File decryption or signing must be done locally. In a world of cloud computing and “Software as a Service” it represents a real inconvenience. The agent must have an already configured PC or be granted with specific rights, which prevents from using devices “on the go” or “away from office” (in a hotel, an airport, at home). To use a Smartphone or a tablet, specific software and hardware (card reader) have to be set up. 11
11 September INTRODUCTION Agenda 02. EXISTING : WHAT ARE THE DRAWBACKS 03. USE CASE : PIV 04. PERSPECTIVE AND PROPOSAL
Position As a solution provider, we would like to push the standardization of a JavaScript API which allows web browser to communicate with Smart Card Objective is to open trusted services with secure element to the mainstream market In order to be implemented in all browsers and to ensure its liability, the API should be endorsed by W3C. 11 September PROMOTE A STANDARDIZATION Secure Element API This api is complete and well documented. It presents in details the technical background and use cases and gives a good visibility of Security, Permissions, Access Control and Conformance Security is at the heart of OT’s concerns; the proposed solution combines validation of the feature by the user and a specific access control mechanism The idea beyond is to propose a trusted access to a secure element from a service provider, preventing from unauthorized use.
Action Plan Identify a charter to carry the project Define use cases and for each of them demonstrate the impact and validate the consistency of the current proposal. Meeting all stakeholders interested in the subject, be aware of each of them interest and create a common basis of communication and strategy Establish interactions with other standardizations (eg Open Mobile API) Gather work forces to create a proof of concept and decline it to use cases examples (eg eServices) 11 September PERSPECTIVE Let’s follow, jointly with all companies and associations sharing the same opinion and interest, action plan below:
Thank you for your attention 11 September