Presentation is loading. Please wait.

Presentation is loading. Please wait.

LEVERAGING UICC WITH OPEN MOBILE API FOR SECURE APPLICATIONS AND SERVICES Ran Zhou 1 9/3/2015.

Published byMarilynn Turner Modified over 9 years ago

Similar presentations

Presentation on theme: "LEVERAGING UICC WITH OPEN MOBILE API FOR SECURE APPLICATIONS AND SERVICES Ran Zhou 1 9/3/2015."— Presentation transcript:

1 LEVERAGING UICC WITH OPEN MOBILE API FOR SECURE APPLICATIONS AND SERVICES Ran Zhou 1 9/3/2015

2 Motivation  Smartphones become the handheld computer and the personal assistant  Growing market has attracted hackers to make the potential for serious security threats on smartphones a reality  UICC serves as the security anchor in mobile networks  GSM Association: the UICC is the strategically best alternative as a secure element for mobile devices [Sma09]  Interface is required to fill the gap between UICC applets and mobile applications 2 9/3/2015

3 Solution Idea  SIMAlliance Open Mobile API: the communication channel  Dual Application Architecture: the basic architecture  An example: Smart OpenID 3 9/3/2015

4 Agenda  Motivation and Solution Idea  Basic Technologies  State of the Art  Smart OpenID  Implementation  Summary and Future Work 4 9/3/2015

5 Universal Integrated Circuit Card: UICC  The bearer of the subscriber’s identity in cellular networks  Secure element secure storage, cryptographic functions  Secure channel transmission between the UICC and the server with authenticity, integrity, confidentiality  Wireless PKI mobile network operator owns root certificate: becomes a certificate authority 5 9/3/2015

6 Open Mobile API Open Mobile API is established by SIMalliance as an open API between secure element and the mobile applications Crypto Authentication Secure Storage PKCS#15 … 6 Open Mobile API 9/3/2015

7 Open Mobile API 7 9/3/2015

8 Agenda  Motivation and Solution Idea  Basic Technologies  State of the Art  Smart OpenID  Implementation  Summary and Future Work 8 9/3/2015

9 State of the Art  Financial applications online-banking, contactless payment, tickets apps  Enterprise applications secure Email, ERP, Software as a Service  Content protection applications digital rights management, secure document  Authentication applications generic bootstrapping architecture, public key infrastructure 9 9/3/2015

10 State of the Art  Malware virus, Trojan horse, Spyware  Eavesdropping traffic (password) on the network  Man-in-the-middle attacker manipulates the transmitted data  Replay attacks a valid data is maliciously repeated or delayed  Phishing acquires data by masquerading as a trustworthy entity 10 9/3/2015

11 State of the Art  Private information is the main aim of the attacker, e.g., password, credit card number etc.  Anti-Malware, secure storage, digital certificate, transport layer security, authentication etc.  Some countermeasures are unusual on smartphone  Existed protocols are vulnerable to different attacks 11 9/3/2015

12 Agenda  Motivation and Solution Idea  Basic Technologies  State of the Art  Smart OpenID  Implementation  Summary and Future Work 12 9/3/2015

13 OpenID Provider Relying Party User Device Relying Parties Submit OpenID Association session: a shared symmetric key + association handle User authentication Authentication response: signed with the shared key OpenID 13

14 Threats to OpenID  Malware virus, Trojan horse, Spyware  Eavesdropping password on the network  Man-in-the-middle attacker captures the transmitted password, authentication assertion, optionally alters it  Replay attacks a valid authentication assertion is maliciously repeated  Phishing acquire password by masquerading as an OP 14 9/3/2015

15 Smart OpenID: Concept  Authentication factor  something the user knows: password  something the user has: smart card  something the user is: finger print  Using UICC as credential  shares a long-term secret (LTS) with the server  derives a key from the LTS and an one-time password  PIN verification to activate the function 15 9/3/2015

16 Network OpenID Provider Relying Party User Local OP Provider = Mobile Application + UICC Applet Relying Parties Association Signed assertion (with same derivated key) Smart OpenID Trust (long-term secret) Local authentication (with PIN) Association handle + derived key (symmetric) Submit OpenID Association Handle 16

17 Smart OpenID  Long-term secret: 64 bytes  Association handle: less than 255 bytes  Key derivation functions: PBKDF2  use HMAC-SHA-1/HMAC-SHA-256 (hash-based message authentication code) as underlying algorithm  configurable iteration count and derived key length 17

18 Security Analysis 18

19 Security Analysis : Phishing 19 Derived Key S = PBKDF2-HMAC-SHA-1(LTS, AH, 64, 64)

20 Agenda  Motivation and Solution Idea  Basic Technologies  State of the Art  Smart OpenID  Implementation  Summary and Future Work 20 9/3/2015

21 Implementation  Platform Android 2.3.5 Java Card UICC 2.2.1  Algorithms key derivation function: PBKDF2-HMAC-SHA-1 signature: HMAC-SHA-1 21 9/3/2015

22 Demo 9/3/2015 22

23 Performance Iteration : 64 rounds AH: 240 bytes Derived key length: 64 bytes 23 9/3/2015

24 Performance Derived key length: 64 bytes 24 9/3/2015

25 Agenda  Motivation and Solution Idea  Basic Technologies  State of the Art  Smart OpenID  Implementation  Summary and Future Work 25 9/3/2015

26 Summary  UICC as secure element on smartphones  Dual Application Architecture with Open Mobile API  Improve existed protocols with the UICC  Other usages:  Digital certificate  Wireless PKI  NFC payment  … 26 9/3/2015

27 Future Work  Smart OpenID with HMAC-SHA-256  Implementation of other applications 27 9/3/2015

28 28 Thank you! Questions? 28 9/3/2015

29 Bibliographie [Sma09]SmartTrust. The role of SIM OTA and the mobile operator in the NFC environment, 4 2009. 29 9/3/2015

30 Smartphone  Mobile phone voice communication and messaging  Feature phone digital camera, gaming, music and video streaming  Smartphone modern operating system, high speed connectivity, third- party applications... 30 9/3/2015

31 Access Control Module 31 9/3/2015

32 Security Analysis : Phishing 32

33 Security Analysis : Phishing 33

Download ppt "LEVERAGING UICC WITH OPEN MOBILE API FOR SECURE APPLICATIONS AND SERVICES Ran Zhou 1 9/3/2015."

Similar presentations

Network Security Chapter 1 - Introduction.

Network Security Chapter 1 - Introduction.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Mobile Devices in the DoD

Mobile Devices in the DoD
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.

SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
1 GP Confidential ©2013 1 GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)

1 GP Confidential © GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Cryptography and Network Security Chapter 1

Cryptography and Network Security Chapter 1
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Dongyan Wang GlobalPlatform Technical Program Manager

Dongyan Wang GlobalPlatform Technical Program Manager
6 The IP Multimedia Subsystem Selected Topics in Information Security – Bazara Barry.

6 The IP Multimedia Subsystem Selected Topics in Information Security – Bazara Barry.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
SECURITY IN MOBILE NETWORKS BY BHONGIRI ANAND RAJ VENKAT PAVAN RAVILISETTY NAGA MOHAN MADINENI.

SECURITY IN MOBILE NETWORKS BY BHONGIRI ANAND RAJ VENKAT PAVAN RAVILISETTY NAGA MOHAN MADINENI.
Business Data Communications, Fourth Edition Chapter 10: Network Security.

Business Data Communications, Fourth Edition Chapter 10: Network Security.

Similar presentations

Ads by Google