Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enhancing Web Application Security with Secure Hardware Tokens

Published byHarjanti Yuwono Modified over 6 years ago

Similar presentations

Presentation on theme: "Enhancing Web Application Security with Secure Hardware Tokens"— Presentation transcript:

1 Enhancing Web Application Security with Secure Hardware Tokens
Web Cryptography Next Steps 10-11 September 2014 Mountain View, California, USA Enhancing Web Application Security with Secure Hardware Tokens Dr. Karen Lu, CISSP, CCSK

2 Secure Hardware Tokens
Secure microprocessor, secure memory, crypto engine September 8, 2014

3 Providing security for many domains
September 8, 2014

4 No standard for web applications to use secure hardware tokens
September 8, 2014

5 Secure hardware tokens
Web applications September 8, 2014

6 Authentication, signature, encryption
With the proprietary solution, we are able to provide secure token-based services for web applications, for example, strong authentication, digital signature, and data encryption. September 8, 2014

7 API key protection Remote provisioning WebRTC
We are also able to support new applications, such as … September 8, 2014

8 Secure hardware tokens
Web applications Secure hardware tokens Other companies also built their own proprietary solutions (own bridges). Problems of proprietary solutions Providers: build for each browsers, maintain Developers: adopt, deploy Users: software download All: not interoperable September 8, 2014

9 Application Programming Interface (API) & Access Control
Standardize how web applications communicate with and use secure hardware tokens. Application Programming Interface (API) & Access Control W3C can solve these problems by standardizing how web applications communicate with and use secure hardware tokens. This will allow web applications to utilize additional security and privacy provided by the tokens, enable interoperability, and improve usability. September 8, 2014

10 Secure hardware tokens
Web applications Secure hardware tokens Which level should we build the API? Or Where should we build the bridge? We propose three levels of APIs and let W3C to decide which level to focus on. September 8, 2014

11 Communication and basic access (APDUs)
API level Function Low Communication and basic access (APDUs) The low level API is at the communication level. It enables web applications to communicate with secure hardware tokens using APDU. We already have a draft proposal called secure element API Pros W3C proposal for Secure Element API Based on ISO 7816 Access all and future functionalities Cons Deal with low level communication Wednesday, November 14, 2018

12 Crypto and secure storage
API level Function Medium Crypto and secure storage The mid level API enables web applications to use the crypto and storage functionalities of the secure hardware token Pros W3C WebCrypto API extension (token, key discovery) Easier to use than low level API Cons Middleware Cannot quickly access new token features September 8, 2014

13 Security services (e.g. authentication, payment, token management)
API level Function High Security services (e.g. authentication, payment, token management) The high level API enables web applications to support a specific service, online payment (EMV), authentication (FIDO), and token management (GP). Pros Easy access to services Cons Middleware Maintenance when applicative standard evolves September 8, 2014

14 Security services (e.g. authentication, payment, token management)
API level Function High Security services (e.g. authentication, payment, token management) Medium Crypto and secure storage Low Communication and basic access (APDUs) September 8, 2014

15 Who can access the secure hardware token?
The secure hardware tokens contain secret or private keys for their users. The token has many built-in security mechanisms to protect the keys and the operations, such as physical sensors, secure algorithms, user authentication, and try-counters. Access control is another important mechanism that manages which applications can use which functionalities of the token. In the following, we discuss two access control options. Each of them should also have user consent for each website as an additional control. September 8, 2014

16 User agent controls access
Secure hardware token Cachedaccess rules Access rules Web Application Access control enforcer Secured resource Application based access control This method requires collaborations between the secure hardware token and a trusted entity, called Access Control (AC) enforcer, which resides on the host side. For a mobile device, the AC enforcer belongs to the OS. The token maintains a list of access control rules. When an application requests to communicate with a secure hardware token, the AC enforcer fetches the access control rules from the token and checks the application against the rules to decide whether to allow the access.  Token has AC rules; User Agent helps to enforce it September 8, 2014

17 Token controls access Secure hardware token User Agent Access rules
Web Application Access control Secured resource Origin based access control Token has AC rules that includes origins; User Agent verifies or sends application origin Feature Token controls the access Less change in the user agent Burden Need more changes in the token September 8, 2014

18 Recommendations Consider all these proposals
Leverage the existing proposal September 8, 2014

Download ppt "Enhancing Web Application Security with Secure Hardware Tokens"

Similar presentations

Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide

Installation & User Guide
Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.

1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.
Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
1 GP Confidential ©2013 1 GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)

1 GP Confidential © GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)
Chapters 14 & 15 Internet Databases. E-Commerce  Bringing new products, services, or ideas to market, supporting and enhancing business operations 

Chapters 14 & 15 Internet Databases. E-Commerce  Bringing new products, services, or ideas to market, supporting and enhancing business operations 
1 Jeremy Wyant W3C DRM Workshop 23 January 2001 Establishing Security Requirements For DRM Enabled Systems.

1 Jeremy Wyant W3C DRM Workshop 23 January 2001 Establishing Security Requirements For DRM Enabled Systems.
Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.

Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Secure Element Access from a Web browser W3C Workshop on Authentication, Hardware Tokens and Beyond 11 September 2014 1 Oberthur Technologies – Identity.

Secure Element Access from a Web browser W3C Workshop on Authentication, Hardware Tokens and Beyond 11 September Oberthur Technologies – Identity.
Web Cryptography & Utilizing ARM TrustZone® based TEE for Authentication & Cryptography Ilhan Gurel September 10th & 11th, 2014.

Web Cryptography & Utilizing ARM TrustZone® based TEE for Authentication & Cryptography Ilhan Gurel September 10th & 11th, 2014.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Mobile Data Sharing over Cloud Group No. 8 - Akshay Kantak - Swapnil Chavan - Harish Singh.

Mobile Data Sharing over Cloud Group No. 8 - Akshay Kantak - Swapnil Chavan - Harish Singh.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
TrustPort Public Key Infrastructure. WWW.TRUSTPORT.COM Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.

TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.
魂▪創▪通魂▪創▪通 2014. 9. 10. Digital Certificate and Beyond Sangrae Cho Authentication Research Team.

魂▪創▪通魂▪創▪通 Digital Certificate and Beyond Sangrae Cho Authentication Research Team.
Proposal for the support of connected and proximity crypto HW in browsers Philip Hoyer – Director Strategic Innovation January 2015 Presentation Title.

Proposal for the support of connected and proximity crypto HW in browsers Philip Hoyer – Director Strategic Innovation January 2015 Presentation Title.

Similar presentations

Ads by Google