Key2Share: NFC-enabled Smartphone-based Access Control
Alexandra Dmitrienko
Cyberphysical Mobile Systems Security Group
Fraunhofer Institute for Secure Information Technology, Darmstadt
Motivation
• Mobile phones are increasingly used in our daily life
• Hundreds of thousands of apps on app markets
• New interfaces like NFC open new application fields
  • Payments, ticketing (mPayments, mTicketing)
A. Dmitrienko, Fraunhofer SIT Droidcon 2013, Berlin
Why Not Use a Smartphone (+ NFC) as a Key?
Smartphone as a Door Key
• Access control by enterprises to their facilities
• Access to hotel rooms
• Access control in the private sector (houses, garages)
Smartphone as a Key for Storage Facilities
• Access to safes in hotel rooms
• Lockers in luggage storage at train stations/airports
• DHL Packing stations
Smartphone as a Car Key
• Fleet management by enterprises
• Car sharing by rental/car sharing companies
• Or just share your car with family members or friends
Advantages of Electronic Keys

                                        | Usual Keys                                          | SmartCards               | Key2Share
Distribution                            | Requires physical access                            | Requires physical access | Remote
Revocation                              | Requires physical access or replacement of the lock | Remote                   | Remote
Delegation                              | Not possible                                        | Not possible             | Possible
Context-aware access (e.g., time frame) | Not possible                                        | Possible                 | Possible
Requirements and Challenges
• Security: protection of electronic keys in transit and on the platform
• Performance in the face of limited NFC bandwidth (~10 kbps)
• Only symmetric-key crypto for authentication
• Offline authentication
Addressed by protocol design
Key2Share: System Model
Parties: Issuer, Key2Share web-service, Users, Delegated users, Resources
1. Employ the employee/sell the car
2. One-time registration
3. Electronic key issued
4. User authentication with the issued key
5. Share key
6. User authentication with the shared key
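Steps 3 to 6 of the system model, as an added sketch that is not part of the slides and not Key2Share's own code. It shows one way an offline lock can verify issued and delegated keys with symmetric crypto only. The key-derivation chain, the `Claims` fields and the use of HMAC-SHA-256 (standing in for the primitives the slides name) are assumptions of this sketch; the slides do not give the real message formats.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _mac(key: bytes, *fields: str) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class Claims:
    holder: str      # who the key was issued or delegated to (hypothetical field)
    not_after: int   # context restriction: expiry as a Unix timestamp


def issue_key(lock_secret: bytes, user: Claims) -> bytes:
    """Step 3: the issuer, which shares lock_secret with the lock, derives the user key."""
    return _mac(lock_secret, "user", user.holder, str(user.not_after))


def delegate_key(user_key: bytes, delegate: Claims) -> bytes:
    """Step 5: the user derives a key for someone else without contacting the issuer."""
    return _mac(user_key, "delegate", delegate.holder, str(delegate.not_after))


def respond(key: bytes, nonce: bytes) -> bytes:
    """Phone side of steps 4 and 6: prove possession of the key for this nonce."""
    return hmac.new(key, b"auth" + nonce, hashlib.sha256).digest()


class Lock:
    """Offline verifier: holds only its own secret, no per-user state."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._nonce: Optional[bytes] = None

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def verify(self, response: bytes, user: Claims,
               delegate: Optional[Claims], now: int) -> bool:
        nonce, self._nonce = self._nonce, None   # a challenge is single-use
        if nonce is None:
            return False                         # replayed or unsolicited response
        chain = [user] + ([delegate] if delegate else [])
        if any(now > c.not_after for c in chain):
            return False
        # A delegated key may narrow the owner's time frame, never extend it.
        if delegate and delegate.not_after > user.not_after:
            return False
        key = issue_key(self._secret, user)      # recomputed from the claims
        if delegate:
            key = delegate_key(key, delegate)
        return hmac.compare_digest(respond(key, nonce), response)


def demo() -> dict:
    # Constructed sample values: names, secret and timestamps are made up.
    secret = bytes(range(32))
    lock = Lock(secret)
    alice, bob = Claims("alice", 2000), Claims("bob", 1500)
    k_alice = issue_key(secret, alice)
    k_bob = delegate_key(k_alice, bob)

    def attempt(key, user, delegate, now):
        return lock.verify(respond(key, lock.challenge()), user, delegate, now)

    out = {
        "user": attempt(k_alice, alice, None, 1000),
        "delegate": attempt(k_bob, alice, bob, 1000),
        "delegate_expired": attempt(k_bob, alice, bob, 1800),
        # Bob claims a later expiry: the lock derives a different key, so the MAC fails.
        "tampered_expiry": attempt(k_bob, alice, Claims("bob", 1900), 1000),
        # Alice hands out a key that outlives her own: rejected by the chain rule.
        "over_extended": attempt(delegate_key(k_alice, Claims("bob", 2500)),
                                 alice, Claims("bob", 2500), 1000),
    }
    captured = respond(k_alice, lock.challenge())
    first = lock.verify(captured, alice, None, 1000)
    out["replay"] = first and lock.verify(captured, alice, None, 1000)
    return out


if __name__ == "__main__":
    print(demo())
```

Because the lock recomputes every key from the presented claims, it needs no network connection and no per-user database, and a delegated user's exchange carries one extra set of claims.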
Key2Share Security
• Platform security
• Secure communication protocols
Platform Security Architecture
[Diagram: an untrusted host and a Trusted Execution Environment (TrEE). Labelled components: Key2Share App, Key2Share Secure App, User Interface, Secure UI, Secure Storage, TrEE Service, TrEE Mgr, NFC Chip, WiFi]
Possible TrEE Instantiations
In software
• Full virtualization (e.g., based on OKL4 hypervisor)
• Kernel-level virtualization (e.g., vServer)
• OS-level isolation (e.g., BizzTrust)
In hardware
• CPU extensions (ARM TrustZone)
• Secure Element (SE) on SIM card
• SE on microSD card
• Embedded SE (eSE) on NFC chip
TrEE in Hardware
CPU Extensions (e.g., ARM TrustZone)
• Controlled by device manufacturers
• No APIs are exposed to apps to access it
Secure Element (SE) on SIM Card
• Controlled by network operators
SE on SD Card
• Freely programmable
Embedded SE (eSE) on NFC Chip
• Controlled by device manufacturers
• Has pre-installed Mifare Classic applet
APIs for Accessing Secure Elements
• SE on SD Card can be accessed via Open Mobile API
  • However, access is disabled in stock Android images
• eSE can be accessed via Open Mobile API and NFC Private API
  • NFC Private API can be used only by Google-signed apps
  • Only white-listed apps can communicate with eSE via Open Mobile API; root access is required to add an app to the white list
[Diagram layers: App layer (apps); OS (NFC Private API, Open Mobile API (SEEK-for-Android)); HW (SE on SD Card, eSE on NFC Chip)]
The Best Candidate: SE on SD Card
• We used the Giesecke & Devrient Mobile Security Card
• Can be attached to the phone via the microSD slot
• It is a standard Java Card and can run applets
• Implementation of Key2Share Secure as a Java applet
TrEE in Software
• We leveraged a security architecture which provides lightweight domain isolation for Android
• The architecture was initially intended to allow usage of a single device for business and private needs
• http://www.bizztrust.de/
BizzTrust: Dual Persona Phone
• Colors corporate and private apps with green and red
• Prohibits communication between apps with different colors
[Diagram: AppA and AppB across the application, middleware and kernel layers. Labels: IPC, File System, Network Sockets, Linux DAC, MAC. Legend: access control of Android; added by BizzTrust]
BizzTrust-based TrEE
• Create blue domain isolated from red and green
• Execute security-sensitive code in blue domain
• BizzTrust allows only Key2Share app to communicate with the code from blue domain
[Diagram: software isolation layer (hardened Android OS, BizzTrust) hosting three domains: Trusted Execution Environment (TrEE) domain BLUE with Key2Share Secure; private domain RED with a red app; corporate domain GREEN. The Key2Share app is also shown.]
Protocol Security
• Well-established cryptographic primitives (AES, SHA-1, RSA)
• Formal security proof of the protocols
• Formal tool-aided verification of protocols
Implementation in 3 Versions
1. Hardware-based TrEE based on Mobile Security Card
2. Software-based TrEE based on BizzTrust
3. Key2Share Secure as a separate Android application
Authentication Performance
• 20 rounds
• Transmission time for authentication protocol messages (with 95% confidence interval)
  • 92 bytes to be transferred for the user
  • 140 bytes to be transferred for the delegated user
• The door locks open within half a second

User Type      | Connection Establishment, ms | Overall Session Time, ms
User           | 245.17 ± 0.54                | 441.80 ± 0.54
Delegated user | 245.17 ± 0.54                | 473.55 ± 0.54
Work in Progress and Challenges
• Backward compatibility with existing access control solutions
  • Compatibility with MiFare (standard for wireless cards)
  • Integration into smartcard-based access control solutions (Matrix of Bosch)
• Smartphone in card emulation mode (does not require power for authentication)
  • Challenges are related to missing support of card emulation mode in Android
  • Other platforms (e.g., Nokia, Blackberry) support card emulation
Thank you
alexandra.dmitrienko@sit.fraunhofer.de
