This session will explore an advanced information access control system for mobile devices. It has four main entities. The service provider stores the information and has a Web service that allows users to download it. Because of the ease of deployment and the ability to configure a filter that works as a policy enforcement point, this entity is deployed in the WSO2 Application Server. The identity provider authenticates and authorizes system users by verifying certain requirements before giving access to the information. It also encrypts the information with the user public keys stored during the user registration process. This entity is deployed in the WSO2 Identity Server. WSO2 Identity Server provides a user-friendly way to define single sign-on in its web application, to implement the Smartcard functionality and to define the XACML access control policies. The two final entities are a Java card that contains the user keys and a mobile device through which the user displays the information.

1. Advance Informa.on Access Control
System for Mobile Devices Based on a
WSO2 Architecture
Fidel Paniagua & Javier Ruiz
Research Assistants

2. Content
• Business problem
• Solu.on Architecture
• Decision criteria
• Implementa.on performance
• Deployment info
• Demo

3. Business Problem (I)
• Users share corporate devices at the same .me
• Bring your own device
• Cloud storage
• Keys compromise in user devices
• Disgruntled employees
Data leak informa?on

4. Current solu.ons only covers:
• User profiles
• System cipher
• Container cipher
• Mul.ple authen.ca.on factors
• Informa.on Rights Management
Ø MicrosoG IRM
Ø Adobe DRM
Business Problem (and II)

5. Solu?on architecture (I)
Mobile Device
Iden.ty Server Service Provider
Java Card
• AAA
• Secure key management

6. • Our system provides the following security mechanisms:
– Download and display informa.on access control
– Cypher protec.on
– Keys are storage within the JC
– Mul.factor authen.ca.on
– Informa.on is deciphered within the JC
– Mul.lateral and mul.level security
Solu?on architecture (and II)

7. Decision criteria
• Open source alterna.ve
• WSO2 offers full suite of products
• Iden.ty Server is full integrated with XACML and SAML
• Applica.on Server allows easily to deploy SSO and
XACML in Web Applica.ons
• Applica.on Server supports mul.ple web applica.on
formats
• Public mailing lists
• WSO2 offers a lot of documenta.on and examples

8. Implementa?on performance
Advantages
• XACML evalua.on in a short .me
• Hardware cryptographic opera.ons
Drawbacks
• Policy Administra.on
• Low performance with Java Card + NFC connec.on
Future op.miza.ons: Secure SD

9. Deployment info (I)
Mobile Device
Web Applica.on Iden.ty server
Virtualiza.on
Debian Debian
VMware ESXi
Xperia Z2 Tablet
NFC
User Java Card
Wi-Fi

10. Service Provider
– WSO2 Applica.on Server 5.3.0
• SSO with SAML 2.0
• HTTPS
• En.tlement Filter
Iden.ty Provider
– WSO2 Iden.ty Server 5.1.0
• SSO with SAML 2.0
• XACML 3.0
• Support for MicrosoG Ac.ve Directory
• PIP Customiza.on
Deployment info (and II)

11. Demo
• Video
User Profiles
• Fidel
– Security Clearance: Confiden.al
– Country: Spain
– Ins.tu.on: Army
– Mission: Alpha
• Javier
– Security Clearance: Top Secret
– Country: Spain
– Ins.tu.on: Navy
– Mission: Beta
Documents
• UCAV_2_2_6
– Classifica.on Level: Confiden.al
– Country: Spain
– Ins.tu.on: Army
– Mission: Alpha
• UCAV_2_3_2
– Classifica.on Level: Secret
– Country: Spain

12. Demo

13. Thank You!
#WSO2ConEU
Share your feedback for this session
wso2con.com/app