« Vers un environnement logiciel générique et ouvert pour
le développement d'applications NFC sécurisées »
“Towards a generic and open software environment for
the development of Secure Element-based applications”
Thesis presented to obtain the academic degree of Doctor
By Anne-Marie LESAS
Specialty: Computer Science
Defended on 14 Sept. 2017, Marseille, France, before the jury members:
Pierre PARADINAS, Pr., Conservatoire National des Arts et Métiers, Reviewer
Richard CHBEIR, Pr., Université de Pau et des pays de l'Adour, Reviewer
Jean-Pierre TUAL, R&D Director, GEMALTO, Examiner
Stuart MADNICK, Pr., Massachusetts Institute of Technology, Examiner
Thierry DELOT, Pr., Université de Valenciennes, Examiner
Omar BOUCELMA, Pr., Aix – Marseille Université, Thesis supervisor
Serge MIRANDA, Pr., Université Nice – Sophia-Antipolis, Thesis co-supervisor
Outline
Introduction: NFC SE ecosystem
An existing engineering problem we address:
Research scope
Related work
An idea we propose:
SeQL
Our proof-of-concept validation:
WOLF framework
M-PDS use case within F1RST project
Side-effect Access Control contributions:
Provenance-Based Access Control for Mobile (PBAC4M)
Method for the resources access delegation (patent proposal
submitted to the EPO)
Conclusion: prospective research
NFC card emulation mode => Secure Element (SE)
Smart Card technologies
Own Operating System (Java Card-based)
Tamper resistant, secure storage
Cryptography mechanisms
Hosted in the mobile device
APDU protocol
SE: 3 physical form factors:
SIM-based
Embedded (eSE)
MicroSD-based
Software-based:
Host-based Card Emulation (HCE)
SE ecosystem for NFC transactions
SE-based application:
End-user interface
(mobile app)
Terminal application
(NFC reader)
Remote services...
SE service
Several actors involved
Service providers (SP)
SE issuers (SEI)
Smartphone manufacturers
Mobile OS editors...
SE content management through a third-party interface:
the Trusted Service Manager (TSM) is the bridge between the SPs and
the SEIs
SE ecosystem: a plethoric environment
Sources of complexity in the SE ecosystem:
SE content management; multi-SE implementation, lifecycle
and security use cases outside the functional scope
Heterogeneity and specificity of SE configurations, third-party
interfacing, low-level implementation, shared security
management, changes in technology…
Main issues:
Heterogeneity of SE configurations, low-level implementation,
specific development, need for specific and high expertise
Dependence on the TSM and/or the SEIs, lack of end-to-end control
Lack of business model, costs and return on investment, lack
of scalability
Recurring problem: security enhancement in distributed
environments
SE ecosystem: a plethoric environment
Model | Added value | Drawback
Databases: SCQL and CQL cards (Paradinas & Vandewalle, 1994) | The low-level protocols are replaced by a high-level SQL-like language | Specific cards embedding the DBMS
Semantic web: OWL ontology metadata (Alimi, 2012) | OWL metadata is used to describe the SE and allow the dynamic management of a targeted SE | Complex to implement, requires a high level of expertise, still results in a specific implementation outside the functional scope of the service provider
Service oriented: UCOM (Akram, 2012) | A bottom-up approach enables the end-user to control SE service installation and deletion | Limits the use cases to available services; does not address the implementation and the configuration heterogeneity
Related work
Related models Pros and Cons
SeQL highlights
High level and generic implementation inspired by DB concepts
and SQL universal standard (Paradinas and Vandewalle’s model)
Business semantics and human understandable implementation
from the developer’s interface
Specificity externalized into metadata that can be dynamically
retrieved according to the configuration (Alimi's model)
Hiding and automating the repetitive routines and the low level
specific implementation
Transparent handling of the SE heterogeneous configurations
Service Provider-centric bottom-up approach (close to Akram’s
model)
Reduction in the need for expertise, code reduction, etc.
The idea we propose: Secure Element Query Language
(SeQL)
The SeQL model takes a generic approach organised as a three-dimensional model
(P. André et al., 2014)
SeQL metadata describes the SE (sub-)system in the
developer's high-level view:
Information view:
managed data/attributes
Operation view:
available functions
Behaviour view:
use cases, inference rules,
applicability
The SeQL metadata low-level view describes the corresponding
specific implementation used by the automated parsing
process
Data
Functions
Behaviours
The idea we propose: Secure Element Query Language
(SeQL)
SeQL instructions (BNF) available from the client interface:
• "CREATE "<applet>
• "CREATE from "<applet>" params("<attribute>[{","<attribute>}]")"[" values("<value>[{","<value>}]")]
• "SELECT "<attribute>[{","<attribute>}]" from "<applet>[" fetch "<id>]
• "INSERT into "|"INSERT from "<applet>" "["params"]("<attribute>[{","<attribute>}]")" values("<value>[{", "<value>}]")"
• "UPDATE "["from "]<applet>" set("|" params("<attribute>[{","<attribute>}]")" values("<value> [{","<value>}]")"[" fetch "<id>]
• "DELETE "<attribute>[{","<attribute>}]" from "<applet>[" fetch "<id>]
• <function>[{","<function>}]" from "<applet>" params("<attribute>[{","<attribute>}]"[" values("<value>[ {","<value>}]")"][" fetch "<id>]
• ...
The idea we propose: Secure Element Query Language
(SeQL)
SeQL instructions
Function | Purpose | Param(s) | Result data
DDL
CREATE (DF or EF) | Create a new DF or EF in the current DF | Attribute(s) name(s) [, initial value] | - (returned status)
DISCOVER | Get a recursive list of the current DF content and subcontent | - | List of DF and EF objects including the object FID, name, permissions, status and subcontent
DROP (DF or EF) | Delete DF/EF and content | DF/EF name(s) | -
DML
SELECT | Read attribute record(s) | Attribute(s) name(s) [, record rank*] | An array list of attribute(s) record(s) value(s): zero items if empty, null if not found
INSERT | Append attribute record(s) | Attribute(s) name(s), value(s) to be inserted | An array list of attribute(s) record(s) rank(s)
UPDATE | Update attribute record(s) | Attribute(s) name(s), new value(s) [, record rank] | -
DELETE | Delete attribute record(s) | Attribute(s) name(s) [, record rank] | -
DCL
VERIFY or AUTH(ENTICATE) | Check input value(s) against the given attribute(s)' record(s) value(s) (or authenticate) | Attribute(s) name(s), input value(s) [, record rank] | -
CHANGE | Change user authentication data | Attribute(s) name(s), old value(s), new value(s) [, record rank] | -
RESET | Reset fail counter(s) | Attribute(s) name(s) [, record rank] | -
PUT (KEY) | Store a key/key-pair record | Attribute(s) name(s), key 1 value [, key 2 value] | Record(s) rank(s)
GENERATE (KEY) | Generate key/key-pair record(s) | Attribute name | Record(s) rank(s)
GETPUBLIC (KEY) | Get public key(s) (i.e. key 2) from key-pair record(s) | Attribute(s) name(s) [, key record rank] | Public key(s)
ENCRYPT | Encrypt (character sequence) value(s) using key-type record(s) | Attribute(s) name(s), clear value(s) [, key record rank] | Encrypted value(s)
DECRYPT | Decrypt (encrypted) value(s) using key-type record(s) | Attribute(s) name(s), encrypted value(s) [, key record rank] | Decrypted value(s)
Etc. (to be defined)
Any <function> | Any function(s) defined by SeQL alias(es) in the metadata | Attribute(s) name(s), value(s) [, record rank] | A list of returned response(s) data
SeQL instructions parsing into the SE protocol (APDU):
Implementation: Secure Element Query Language
(SeQL)
C-APDU correlation with SeQL DML
C-APDU | SeQL
Mandatory:
Applet AID / DF FID | Targeted SE domain S (subject)
{CLA}, {INS} | SeQL function fn (predicate)
{P1} (EF ID) | Targeted record ai (attribute)
{P2} | Fetch option (attribute value at rank j)
Optional:
{Lc} | Computed
{Data} | Data xi (attribute value)
{Le} | Fixed (256 by default, or retrieved from the SeQL metadata)
SeQL metadata (XML/JSON):
Implementation: Secure Element Query Language
(SeQL)
"@package": "com.mypackage.myapp",
"services": {
  "se": {"@GUID": "ABCDEF1234...",
    "applets": {
      "applet": {
        "@alias": "myapplet",
        "@AID": "F000......",
        "attributes": {
          "attribute": [
            {
              "alias": "pin",
              "id": "01",
              "length": "10"},
            {
              "alias": "myattribute2",
              "id": "02",
              "length": "10"},
            {
              ...
        "functions": {
          "function": [
            {
              "alias": "create",
              "cla": "D0",
              "ins": "E0"},
            {
              "alias": "select",
              "cla": "D0",
              "ins": "B2"},
            ...
        "permissions": {
          "permission": [
            {
              "attributes": {
                "alias": [
                  "pin",
                  ...]},
              "functions": {
                "alias": [
                  "create",
                  "verify",
                  "auth",
                  "change",
                  "reset"]},
              "maxtries": "3",
              "prerequisite": {
                "attributes": {
                  "alias": "pin"},
                "functions": {
                  "alias": "auth"}}},
            ...
How is genericity managed in the SeQL framework?
Implementation: Secure Element Query Language
(SeQL)
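As an added example (not code from the thesis or the WOLF framework), the mapping of one SeQL SELECT onto C-APDUs following the BNF rule and the C-APDU correlation table above, driven by constructed metadata in the shape of the JSON example. The purse attribute ids, the decimal "length" values, the AID and the P2 encoding of the fetch option are assumptions made for this example.

```python
import json
import re

# Constructed metadata in the shape of the slide's JSON example. The purse
# attributes, their ids/lengths and the AID are sample values for this example,
# not the WOLF project's configuration; "length" is assumed to be decimal bytes.
METADATA = json.loads("""{
  "@package": "com.example.mpds",
  "services": {"se": {"@GUID": "GUID-PLACEHOLDER",
    "applets": {"applet": {
      "@alias": "purse", "@AID": "F0000000010001",
      "attributes": {"attribute": [
        {"alias": "balance", "id": "01", "length": "4"},
        {"alias": "debits",  "id": "02", "length": "4"},
        {"alias": "credits", "id": "03", "length": "4"},
        {"alias": "history", "id": "04", "length": "256"}]},
      "functions": {"function": [
        {"alias": "select", "cla": "D0", "ins": "B2"},
        {"alias": "verify", "cla": "D0", "ins": "20"}]}}}}}
}""")

ID_FIRST = 0x01  # P2 fetch option when no rank is given (assumed encoding)

# The BNF rule implemented here:
#   "SELECT "<attribute>[{","<attribute>}]" from "<applet>[" fetch "<id>]
SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<attrs>\w+(?:\s*,\s*\w+)*)\s+FROM\s+(?P<applet>\w+)"
    r"(?:\s+FETCH\s+(?P<rank>\d+))?\s*$",
    re.IGNORECASE,
)


def _as_list(node):
    """The metadata writes a single child as an object and several as a list."""
    return node if isinstance(node, list) else [node]


def _by_alias(items, key, alias):
    for item in _as_list(items):
        if item[key] == alias:
            return item
    raise KeyError("unknown alias %r" % alias)


def seql_select_to_apdus(meta, instruction):
    """Map one SeQL SELECT onto C-APDUs following the correlation table:
    subject S     -> applet alias resolved to its AID (used to open the channel)
    predicate fn  -> CLA/INS of the 'select' function in the metadata
    attribute ai  -> P1 = attribute id (EF id)
    fetch rank j  -> P2 (ID_FIRST when the instruction has no 'fetch')
    Le            -> attribute length from the metadata, 0x00 encoding 256
    Returns (aid_hex, [apdu, ...]) with one 5-byte Case-2 APDU per attribute.
    """
    match = SELECT_RE.match(instruction)
    if match is None:
        raise ValueError("not a SeQL SELECT: %r" % instruction)
    applet = _by_alias(meta["services"]["se"]["applets"]["applet"], "@alias",
                       match.group("applet"))
    fn = _by_alias(applet["functions"]["function"], "alias", "select")
    cla, ins = int(fn["cla"], 16), int(fn["ins"], 16)
    p2 = int(match.group("rank")) if match.group("rank") else ID_FIRST
    if not 0 <= p2 <= 0xFF:
        raise ValueError("fetch rank %d does not fit in P2" % p2)
    apdus = []
    for alias in (a.strip() for a in match.group("attrs").split(",")):
        attr = _by_alias(applet["attributes"]["attribute"], "alias", alias)
        le = int(attr.get("length", "256"))
        if not 1 <= le <= 256:
            raise ValueError("length of %r is not a short Le" % alias)
        apdus.append(bytes([cla, ins, int(attr["id"], 16), p2, le % 256]))
    return applet["@AID"], apdus


def parse_rapdu(rapdu):
    """Split an R-APDU into (data, status word); 0x9000 means success."""
    if len(rapdu) < 2:
        raise ValueError("R-APDU shorter than its status word")
    return bytes(rapdu[:-2]), (rapdu[-2] << 8) | rapdu[-1]


if __name__ == "__main__":
    aid, apdus = seql_select_to_apdus(
        METADATA, "SELECT balance, debits, credits FROM purse")
    print("select AID", aid)
    for apdu in apdus:
        print(apdu.hex().upper())
```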
SeQL implementation within WOLF framework
SeQL implementations:
Hardware SE (SIM, eSE, microSD) with OMAPI and IDGo800
HCE applet (WOLF-SeQL self-configurable applet)
Contactless from a terminal NFC reader
Implementation: Secure Element Query Language
(SeQL)
SeQL implementation within WOLF framework
SeQL tester:
Terminal end-user interface for SeQL contactless instructions
Implementation: Secure Element Query Language
(SeQL)
SeQL implementation within WOLF framework
A set of tools for SE-based application development, usable:
1. From the mobile OS
2. From a terminal connected to the NFC reader
3. From a TSM
4. From a multi-part messaging system…
Implementation: Wallet Open Library Framework
(WOLF)
Proof-of-concept use case: Mobile Public Distribution System
(M-PDS) proposal within F1RST project
Objective:
Exploit mobile technologies and NFC to provide more traceability
Ease the delivery process, reduce corruption and fraud
PoC use case: digitalization of the Public Distribution System (PDS), the governmental
program of first-aid distribution to India's poor
Project partners:
GEMALTO
Tata Consultancy Services (TCS)
University of Nice – Sophia-Antipolis
Indian Institute of Sciences of Bangalore
Proof-of-concept use case: Mobile Public Distribution System
(M-PDS) proposal within F1RST project
SeQL value-added
Gain example: retrieving balance, debits and credits from a purse
applet
SeQL implementation:
execute("SELECT balance, debits, credits FROM purse", cmdId);
SeQL value-added
Non-SeQL implementation (Open Mobile API for Android):
import java.util.ArrayList;
import java.util.HashMap;
import org.simalliance.openmobileapi.Channel;
import org.simalliance.openmobileapi.Reader;
import org.simalliance.openmobileapi.SEService;
import org.simalliance.openmobileapi.Session;

// context, callback, aid and the byte constants (APDU_SUCCESS = {(byte) 0x90, 0x00},
// CLA_SELECT, INS_SELECT, ID_BALANCE, ID_CREDITS, ID_DEBITS, ID_FIRST, ID_NEXT,
// RECORD_SIZE) are defined elsewhere in the application.
SEService seService = new SEService(context, callback);
Reader[] readers = seService.getReaders();
try {
    if (readers.length != 0) {
        for (Reader r : readers) {
            if (r.isSecureElementPresent()) {
                Session session = r.openSession();
                // openLogicalChannel sends the ISO/IEC 7816-4 SELECT by AID
                Channel channel = session.openLogicalChannel(aid);
                byte[] apduResponse = channel.getSelectResponse();
                int length = apduResponse.length;
                // The status word 90 00 is the last two bytes of the response
                if (length > 1
                        && apduResponse[length - 2] == APDU_SUCCESS[0]
                        && apduResponse[length - 1] == APDU_SUCCESS[1]) {
                    HashMap<String, ArrayList<String>> results =
                            new HashMap<String, ArrayList<String>>();
                    byte cla = CLA_SELECT;
                    byte ins = INS_SELECT;
                    byte[] records = {ID_BALANCE, ID_CREDITS, ID_DEBITS};
                    for (int i = 0; i < records.length; i++) {
                        ArrayList<String> responses = new ArrayList<String>();
                        byte p1 = records[i];   // EF identifier of the attribute
                        byte p2 = ID_FIRST;     // first record of that EF
                        // Case 2 C-APDU: CLA INS P1 P2 Le (no command data)
                        byte[] apduCommand = {cla, ins, p1, p2, RECORD_SIZE};
                        apduResponse = channel.transmit(apduCommand);
                        // Following commands walk the next records of the same EF
                        apduCommand[3] = ID_NEXT;
                        while (apduResponse.length > 2
                                && apduResponse[apduResponse.length - 2] == APDU_SUCCESS[0]
                                && apduResponse[apduResponse.length - 1] == APDU_SUCCESS[1]) {
                            // Strip the status word and keep the record data as hex
                            byte[] data = new byte[apduResponse.length - 2];
                            System.arraycopy(apduResponse, 0, data, 0, data.length);
                            StringBuilder sb = new StringBuilder(data.length * 3);
                            for (byte b : data) {
                                sb.append(String.format("%02X ", b));
                            }
                            responses.add(sb.toString());
                            apduResponse = channel.transmit(apduCommand);
                        }
                        results.put(Byte.toString(p1), responses);
                    }
                    ArrayList<String> balance = results.get(Byte.toString(ID_BALANCE));
                    ArrayList<String> credits = results.get(Byte.toString(ID_CREDITS));
                    ArrayList<String> debits = results.get(Byte.toString(ID_DEBITS));
                }
            }
        }
    }
} catch (Exception e) {
    // Process errors
}
SeQL value-added
The SeQL model:
Reduces the need for expertise (SQL-like universal language)
Abstracts the SE implementation complexity and allows a high-level,
generic implementation regardless of the underlying
specificities
Eases and shortens the development process, brings scalability,
and reduces sensitivity to technology changes over time
M-PDS use case within F1RST project:
CEFIPRA|IFCPAR agreement for the support of the pilot phase:
TCS will contact GEMALTO’s Indian partners for the continuation
of F1RST project
Related contributions on Access Control:
Provenance-Based Access Control for Mobile (PBAC4M)
• Objectives
Strengthen the security of mobile resources with provenance-based
access control
Enable high-level access control design according to
predefined functional use cases
• Method
Define the graph of the use case (W3C PROV Data Model)
Define the object dependency list
Define the inference rules
Then, check the compliance of the process
PBAC4M model based on W3C PROV standards family
• Modelling of the PROV-DM use case
Object | Abbrev. | Description
entity | e | A digital resource, immutable state (e.g. a file, data)
activity | a | A computing activity (e.g. a process or a task)
agent | ag | The agent responsible for the activity (e.g. the activity owner or a privileged user)
Related contributions on Access Control:
Provenance-Based Access Control for Mobile (PBAC4M)
PBAC4M model based on W3C PROV standards family
• Modelling of the PROV-DM use case
Relation type | Abbreviation | Meaning
used | use | An entity is used by an activity
wasGeneratedBy | gen | An entity is generated by an activity
wasAssociatedWith | assoc | An activity is associated with (controlled by) an agent
actedOnBehalfOf | del | An agent acts on behalf of another agent (responsibility), regarding some activity
wasInformedBy | inf | An activity is informed (triggered) by another one
wasDerivedFrom | der | An entity is derived from another one
wasAttributedTo | att | An entity is attributed to an agent
Related contributions on Access Control:
Provenance-Based Access Control for Mobile (PBAC4M)
PBAC4M mobile implementation
• PBAC4M agent for the TEE
An application running in the REE requests access to a trusted
activity through the TEE API. The request is checked by the
Access Control (AC) agent: in addition to the access control
already enforced on the TEE resources, the PBAC4M mediator
checks the PROV-DM graph of the activity history and its
compliance with the PBAC rules; the authorization result is
then returned to the AC agent, which can authorize or deny the
activity processing and the use of the resource.
Related contributions on Access Control:
Provenance-Based Access Control for Mobile (PBAC4M)
PBAC4M model based on W3C PROV standards family
• Use case example: Token-based mobile payment
Objects dependency list:
The entity token issuance dependencies (1),
The Pre-Authorization issuance dependencies (2),
The token attribution dependencies (3),
And the pre-authorization attribution dependencies (4).
< wasIssuedTokenBy, wasGeneratedByIssue_Token.wasAssociatedWith > (1)
< wasIssuedPre-AuthorizationBy, wasGeneratedByIssue_Pre-Authorization.wasAssociatedWith > (2)
< wasIssuedTokenFromBy, wasGeneratedByIssue_Token.used.wasAttributedTo > (3)
< wasIssuedPre-AuthorizationFromBy, wasGeneratedByIssue_Pre-Authorization.used.wasAttributedTo > (4)
Related contributions on Access Control:
Provenance-Based Access Control for Mobile (PBAC4M)
PBAC4M model based on W3C PROV standards family
• Use case example: Token-based mobile payment
Activity rules:
• A token entity can only be used if it was previously generated by the Issue_Token activity (5),
• A pre-authorization entity can only be used if it was previously generated by the Issue_Pre-Authorization activity (6),
• An agent can invoke a token usage if that token was attributed to her, and the owner of the pre-authorization entity from which the token was derived is the same as the one who issued that token (7),
• An agent can invoke a payment using a pre-authorization if that pre-authorization was attributed to her, and the owner of the token entity from which the pre-authorization was derived is the same as the one who issued that pre-authorization (8).
allow(agent, Use_Token, entity) ⇒ |entity, wasIssuedTokenBy| = 1 (5)
allow(agent, Validate_Payment, entity) ⇒|entity, wasIssuedPre-AuthorizationBy| = 1 (6)
allow(agent, Invoke_Use_Token, entity) ⇒
agent ∈ (entity, wasAttributedTo)∧ (entity, wasAttributedTo) = (entity, wasIssuedTokenFromBy) (7)
allow(agent, Invoke_Payment, entity) ⇒
agent ∈ (entity, wasAttributedTo)∧ (entity, wasAttributedTo) = (entity, wasIssuedPre-AuthorizationFromBy) (8)
Related contributions on Access Control:
Provenance-Based Access Control for Mobile (PBAC4M)
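An added example, not code from the thesis or its PBAC4M implementation: the object dependency paths (1)-(4) and the activity rules (5)-(8) above evaluated over a small constructed PROV-DM history of the token-based payment use case. The entity, activity and agent names (bank, alice, mallory, the preauth/token ids) are made up for the example, and one deliberately inconsistent token shows a request the rules deny.

```python
from collections import defaultdict

ISSUE_TOKEN = "Issue_Token"
ISSUE_PREAUTH = "Issue_Pre-Authorization"


class ProvGraph:
    """Minimal PROV-DM store: typed activities plus the relations the slides
    use (used, wasGeneratedBy, wasAssociatedWith, wasAttributedTo,
    wasDerivedFrom). Each relation is stored as source -> {targets}."""

    def __init__(self):
        self._rel = defaultdict(set)
        self._kind = {}

    def activity(self, act, kind):
        self._kind[act] = kind

    def add(self, relation, src, dst):
        self._rel[(relation, src)].add(dst)

    def follow(self, relation, src):
        return set(self._rel.get((relation, src), ()))

    # Object dependency list (1)-(4): relation paths evaluated from an entity.
    def issued_by(self, entity, kind):
        """wasGeneratedBy.<kind>.wasAssociatedWith: agents that issued the
        entity through an activity of the given type, i.e. (1) and (2)."""
        return {ag for act in self.follow("wasGeneratedBy", entity)
                if self._kind.get(act) == kind
                for ag in self.follow("wasAssociatedWith", act)}

    def issued_from_by(self, entity, kind):
        """wasGeneratedBy.<kind>.used.wasAttributedTo: owners of the entity
        the issuing activity consumed, i.e. (3) and (4)."""
        return {ag for act in self.follow("wasGeneratedBy", entity)
                if self._kind.get(act) == kind
                for used in self.follow("used", act)
                for ag in self.follow("wasAttributedTo", used)}


def allow(graph, agent, activity, entity):
    """Activity rules (5)-(8); an activity without a rule is denied."""
    owners = graph.follow("wasAttributedTo", entity)
    if activity == "Use_Token":                                          # (5)
        return len(graph.issued_by(entity, ISSUE_TOKEN)) == 1
    if activity == "Validate_Payment":                                   # (6)
        return len(graph.issued_by(entity, ISSUE_PREAUTH)) == 1
    if activity == "Invoke_Use_Token":                                   # (7)
        return agent in owners and owners == graph.issued_from_by(entity, ISSUE_TOKEN)
    if activity == "Invoke_Payment":                                     # (8)
        return agent in owners and owners == graph.issued_from_by(entity, ISSUE_PREAUTH)
    return False


def sample_graph():
    """Constructed payment history (names invented for this example)."""
    g = ProvGraph()
    # The bank pre-authorizes Alice's account, then tokenizes the pre-authorization.
    g.activity("preauth#1", ISSUE_PREAUTH)
    g.add("used", "preauth#1", "account:alice")
    g.add("wasAttributedTo", "account:alice", "alice")
    g.add("wasAssociatedWith", "preauth#1", "bank")
    g.add("wasGeneratedBy", "preauth:alice", "preauth#1")
    g.add("wasAttributedTo", "preauth:alice", "alice")
    g.activity("token#1", ISSUE_TOKEN)
    g.add("used", "token#1", "preauth:alice")
    g.add("wasAssociatedWith", "token#1", "bank")
    g.add("wasGeneratedBy", "token:alice", "token#1")
    g.add("wasDerivedFrom", "token:alice", "preauth:alice")
    g.add("wasAttributedTo", "token:alice", "alice")
    # Inconsistent history: a token attributed to Mallory but issued from
    # Alice's pre-authorization, so rule (7) must fail for Mallory.
    g.activity("token#2", ISSUE_TOKEN)
    g.add("used", "token#2", "preauth:alice")
    g.add("wasAssociatedWith", "token#2", "bank")
    g.add("wasGeneratedBy", "token:mallory", "token#2")
    g.add("wasAttributedTo", "token:mallory", "mallory")
    # A token with no Issue_Token activity behind it, so rule (5) must fail.
    g.add("wasAttributedTo", "token:orphan", "alice")
    return g


if __name__ == "__main__":
    g = sample_graph()
    for agent, act, ent in [("alice", "Invoke_Use_Token", "token:alice"),
                            ("mallory", "Invoke_Use_Token", "token:mallory"),
                            ("alice", "Use_Token", "token:orphan")]:
        print(agent, act, ent, "->", "allow" if allow(g, agent, act, ent) else "deny")
```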
An Access Delegation System For An Owner User To Delegate To A
Delegate An Authorization For Accessing To A Resource
• Oral presentation:
Problem we address
Solution we propose
Innovation claims
Related contributions on Access Control:
Patent submission with GEMALTO
Conclusion
Current status and prospective research
• The SeQL model is tipped to be integrated into the standard proposal for the next
generation of secure element platforms.
• F1RST project and M-PDS use case artefacts, including the WOLF framework,
were delivered to the Indian partner TCS for the industrial pilot deployment
stage.
• The PBAC4M proof-of-concept implementation is provided as a Cloud service
(see previous work on PBAC2, Boucelma & Lacroix, 2014) and will be
proposed to our industrial partners for TEE prototyping.
• The patent proposal on resource access delegation was submitted by
GEMALTO to the EPO in Sept. 2016...
THANK YOU!
References
P. Paradinas and J. J. Vandewalle, "A personal and portable database server: the CQL card," in Lecture Notes in Computer Science, vol. 819, W. Litwin and T. Risch, Eds., Springer-Verlag, 1994, pp. 444-457.
P. Paradinas and J. J. Vandewalle, "How to integrate smart cards in Standard Software without writing specific code?," in CardTech/SecurTech (CTST), Rockville, MD, USA, 1994.
3rd Generation Partnership Project (3GPP), "Phone book management with ISO 7816 part 7 (SCQL)," 3GPP TSG-T3, 1999.
V. Alimi and M. Pasquet, "Post-Distribution Provisioning and Personalization of a Payment Application on a UICC-Based Secure Element," in Conference on Availability, Reliability and Security (ARES), Fukuoka, Japan, 2009.
V. Alimi, "Contributions au déploiement des services mobiles et à l'analyse de la sécurité des transactions," PhD thesis in Computer Science and Applications, Université de Caen Basse-Normandie, 2012.
V. Alimi, "An Ontology-based Framework to Model a GlobalPlatform Secure Element," in WIMA Conference, NFC Research Track, Monaco, 2012.
R. N. Akram, "A User Centric Security Model for Tamper-Resistant Devices," PhD thesis, Royal Holloway University of London, London, England, 2012.
R. Pande, S. Cole, A. Sivasankaran, G. G. Bastian and K. Durlacher, "Does poor people's access to formal banking services raise their incomes?," EPPI-Centre, Social Science Research Unit, Institute of Education, University of London, 2012.
D. Radcliffe, R. Voorhies and Bill & Melinda Gates Foundation, "A Digital Pathway to Financial Inclusion," 2012.
M. Della Peruta, "Mobile Money Adoption and Financial Inclusion Objectives: A Macroeconomic Approach through a Cluster Analysis," Groupe de REcherche en Droit, Economie, Gestion (GREDEG CNRS), University of Nice Sophia Antipolis (UNS), 2015.
A. Kishore and S. Chakrabarti, "Is More Inclusive More Effective? The 'New-Style' Public Distribution System in India," International Food Policy Research Institute (IFPRI), 2015.
S. Balani, "Functioning of the Public Distribution System," PRS Legislative Research, 2013.
. Singh, A. Shah, M. Aggarwal, P. Nair, R. Kashyap, S. Mohamed and S. Pal, "Expenditure Management in the Public Distribution System," Indian Institute of Management Bangalore (IIMB), 2015.
L. Moreau and P. Missier, "PROV-DM: The PROV Data Model," W3C Recommendation, 2013.
L. Moreau, J. Freire, J. Futrelle, R. E. McGrath, J. Myers and P. Paulson, "The open provenance model: An overview," in International Provenance and Annotation Workshop (IPAW), 2008.
W3C, "PROV-Overview: An Overview of the PROV Family of Documents," 2013.
J. Lacroix and O. Boucelma, "Trusting the Cloud: A PROV + RBAC Approach," 2014.
J. Lacroix, "Vers un cloud de confiance : modèles et algorithmes pour une provenance basée sur les contrôles d'accès," PhD thesis in Computer Science, Ecole Doctorale Mathématiques et Informatique de Marseille (ED184), Aix-Marseille Université (AMU), 2015.
M. Sabt, M. Achemlal and A. Bouabdalla, "Trusted Execution Environment: What It Is, and What It Is Not," in 14th IEEE International Conference on Trust, Security, Helsinki, Finland, 2015.
Communications and publications
• Conferences
Lesas AM. "F1RST Research project: Mobiquitous NFC Financial services for unbanked PEOPLE," WIMA conference, NFC Research Track, Monaco, April 22, 2014.
Lesas AM. "WOLF/SeQL: Wallet Open Library Framework / Secure Element – Query Language," Commission Open Source, Telecom Valley, Sophia-Antipolis, Sept. 10, 2015.
Lesas AM. "Une perspective de la mobiquité au service de la gestion avant / pendant / après des séismes," Atelier "SI pour l'aide à la décision et la diffusion d'alerte," Inforsid 2016, Grenoble, May 31-June 3, 2016.
Publications
Lesas AM., Miranda S., "Architecture logicielle du projet VAMP Plate-forme mobiquitaire embarquée à bord de véhicules automobiles," Génie Logiciel, No. 103, Dec. 2012, pp. 38-48.
Lesas AM., Renaut B., Edouard A., Miranda S., "WOLF: a research Platform to write NFC secure applications on top of multiple Secure Elements," International Journal of Advanced Computer Science and Applications (IJACSA), vol. 5, no. 8, Sept. 2014, pp. 20-31.
Lesas AM., "Détecter et monitorer les séismes grâce aux capteurs embarqués dans les smartphones," Inforsid 2016, Grenoble, May 31-June 3, 2016.
Lesas AM., Boucelma O., Lacroix J., "PBAC4M: Provenance-Based Access Control for Mobile," Mobiquitous, Posters and Demo track, Melbourne, Australia, Nov. 2017, accepted.
Poster WOLF-SeQL presented to the "Haut Conseil de l'évaluation de la recherche et de l'enseignement supérieur" (HCERES), Marseille, Jan. 2017.
Communications and publications
Lesas AM., Miranda S., "The Art and Science of NFC programming," Information Systems, Web and Pervasive Computing series, Intellectual Technologies set, vol. 3, WILEY-ISTE, ISBN: 978-1-78630-057-7, pre-order Feb. 2017, 154 pages (available in French and English),
http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1786300575.html
F1RST project demos and meetings
CEFIPRA IRC meeting, Saint Malo, May 22, 2014.
CEFIPRA meeting, Nice, France, June 1st, 2015,
CEFIPRA 28th meeting of the Industrial Research Committee, Tours, France, May 20-22, 2016.
F1RST project Poster for the CEFIPRA meeting in India, Nov. 2016.

How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Thesis presentation am lesas

  • 4. SE ecosystem: a plethoric environment
    SE-based application: end-user interface (mobile app), terminal application (NFC reader), remote services..., SE service
    Several actors involved: service providers (SP), SE issuers (SEI), smartphone manufacturers, mobile OS editors...
    SE content management from a third-party interface => the Trusted Service Manager (TSM) is a bridge between the SPs and the SEIs
  • 5. SE ecosystem: a plethoric environment
    Sources of complexity in the SE ecosystem: SE content management; multi-SE implementation; lifecycle and security use cases out of the functional scope; heterogeneity and specificity of SE configurations; third-party interfacing; low-level implementation; shared security management; changes in technology...
    Main issues:
      - SE configuration heterogeneity, low-level implementation, specific development, need for specific and high expertise
      - TSM and/or SEI dependence, lack of end-to-end control
      - Lack of business model, costs and return on investment, lack of scalability
    Recurring problem: security enhancement in distributed environments
  • 6. Related work: related models, pros and cons
    Model: Databases: SCQL and CQL cards (Paradinas & Vandewalle, 1994)
      Added value: the low-level protocols are replaced by a high-level SQL-like language
      Drawback: specific cards embedding the DBMS
    Model: Semantic web: OWL ontologies metadata (Alimi, 2012)
      Added value: OWL metadata is used to describe the SE and allows the dynamic management of a targeted SE
      Drawback: complex to implement, requires a high level of expertise, still results in a specific implementation out of the functional scope of the service provider
    Model: Service oriented: UCOM (Akram, 2012)
      Added value: a bottom-up approach enables the end-user to control SE service installation and deletion
      Drawback: limits the use cases to the available services; does not address the implementation and configuration heterogeneity
  • 7. The idea we propose: Secure Element Query Language (SeQL)
    SeQL highlights:
      - High-level and generic implementation inspired by DB concepts and the universal SQL standard (Paradinas and Vandewalle's model)
      - Business semantics and human-understandable implementation from the developer's interface
      - Externalization of the specifics into metadata that can be dynamically retrieved according to the configuration (Alimi's model)
      - Hiding and automating the repetitive routines and the low-level specific implementation
      - Transparent handling of heterogeneous SE configurations
      - Service Provider-centric bottom-up approach (close to Akram's model)
      - Reduced need for expertise, code reduction, etc.
  • 8. The idea we propose: Secure Element Query Language (SeQL)
    SeQL model: generic approach in a 3-dimension model (P. André et al., 2014): data, functions, behaviours.
    SeQL metadata describes the SE (sub-)system in the developer's high-level view:
      - Information view: managed data/attributes
      - Operation view: available functions
      - Behaviour view: use cases, inference rules, applicability
    The SeQL metadata low-level view describes the corresponding specific implementation used by the automated parsing process.
  • 9. The idea we propose: Secure Element Query Language (SeQL)
    SeQL instructions (BNF) available from the client interface:
      "CREATE "<applet>
      "CREATE from "<applet>" params("<attribute>[{","<attribute>}]")"[" values("<value>[{","<value>}]")"]
      "SELECT "<attribute>[{","<attribute>}]" from "<applet>[" fetch "<id>]
      "INSERT into "|"INSERT from "<applet>" "["params"]"("<attribute>[{","<attribute>}]")" values("<value>[{","<value>}]")"
      "UPDATE "["from "]<applet>" set("|" params("<attribute>[{","<attribute>}]")" values("<value>[{","<value>}]")"[" fetch "<id>]
      "DELETE "<attribute>[{","<attribute>}]" from "<applet>[" fetch "<id>]
      <function>[{","<function>}]" from "<applet>" params("<attribute>[{","<attribute>}]")"[" values("<value>[{","<value>}]")"][" fetch "<id>]
      ...
  • 10. The idea we propose: Secure Element Query Language (SeQL)
    SeQL instructions (function: purpose; params; result data):
    DDL
      CREATE (DF or EF): create a new DF or EF in the current DF; params: attribute name(s) [, initial value]; result: - (returned status)
      DISCOVER: get a recursive list of the current DF content and subcontent; params: -; result: list of DF and EF objects including the object FID, name, permissions, status and subcontent
      DROP (DF or EF): delete DF/EF and content; params: DF/EF name(s); result: -
    DML
      SELECT: read attribute record(s); params: attribute name(s) [, record rank*]; result: an array list of attribute record value(s): zero items if empty, null if not found
      INSERT: append attribute record(s); params: attribute name(s), value(s) to be inserted; result: an array list of attribute record rank(s)
      UPDATE: update attribute record(s); params: attribute name(s), new value(s) [, record rank]; result: -
      DELETE: delete attribute record(s); params: attribute name(s) [, record rank]; result: -
    DCL
      VERIFY or AUTH(ENTICATE): check input value(s) against the given attribute(s)' record value(s) (or authenticate); params: attribute name(s), input value(s) [, record rank]; result: -
      CHANGE: change user authentication data; params: attribute name(s), old value(s), new value(s) [, record rank]; result: -
      RESET: reset fail counter(s); params: attribute name(s) [, record rank]; result: -
      PUT (KEY): store a key/key-pair record; params: attribute name(s), key 1 value [, key 2 value]; result: record rank(s)
      GENERATE (KEY): generate key/key-pair record(s); params: attribute name; result: record rank(s)
      GETPUBLIC (KEY): get public key(s) (i.e. key 2) from key-pair record(s); params: attribute name(s) [, key record rank]; result: public key(s)
      ENCRYPT: encrypt (character sequence) value(s) using key-type record(s); params: attribute name(s), clear value(s) [, key record rank]; result: encrypted value(s)
      DECRYPT: decrypt (encrypted) value(s) using key-type record(s); params: attribute name(s), encrypted value(s) [, key record rank]; result: decrypted value(s)
      Etc. (to be defined)
    Any <function>: any function(s) defined by SeQL alias(es) in the metadata; params: attribute name(s), value(s) [, record rank]; result: a list of returned response data
  • 11. Implementation: Secure Element Query Language (SeQL)
    SeQL instructions parsing into the SE protocol (APDU): C-APDU correlation with SeQL DML
      Applet AID / DF FID: targeted SE domain S (subject); mandatory
      {CLA}, {INS}: SeQL function fn (predicate); mandatory
      {P1} (EF ID): targeted record ai (attribute); mandatory
      {P2}: fetch option (attribute value at rank j); optional
      {Lc}: computed
      {Data}: data xi (attribute value)
      {Le}: fixed (256 by default, or retrieved from the SeQL metadata)
  • 12. Implementation: Secure Element Query Language (SeQL)
    SeQL metadata (XML/JSON):
      "@package": "com.mypackage.myapp",
      "services": {
        "se": {
          "@GUID": "ABCDEF1234...",
          "applets": {
            "applet": {
              "@alias": "myapplet",
              "@AID": "F000......",
              "attributes": {
                "attribute": [
                  { "alias": "pin", "id": "01", "length": "10" },
                  { "alias": "myattribute2", "id": "02", "length": "10" },
                  { ...
              "functions": {
                "function": [
                  { "alias": "create", "cla": "D0", "ins": "E0" },
                  { "alias": "select", "cla": "D0", "ins": "B2" },
                  …
              "permissions": {
                "permission": [
                  { "attributes": { "alias": [ "pin", … ] },
                    "functions": { "alias": [ "create", "verify", "auth", "change", "reset" ] },
                    "maxtries": "3",
                    "prerequisite": { "attributes": { "alias": "pin" }, "functions": { "alias": "auth" } } },
                  …
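As an added illustration of slides 9, 11 and 12 together (example code, not part of the thesis or the WOLF/SeQL framework), the following Python parses a SeQL SELECT or UPDATE instruction and maps it onto one ISO 7816-4 C-APDU per attribute, taking CLA/INS from the function alias, P1 from the attribute id, P2 from the optional fetch rank, Lc/Data from the value and Le from the metadata (256 by default). The metadata dictionary, applet names, AIDs and byte values are assumptions constructed for the example; the rejection helper shows the check a mediator needs before anything reaches the SE: an applet, function or attribute not described in the metadata is refused.

```python
"""SeQL-style instruction parsing into ISO 7816-4 C-APDUs (constructed example)."""
import re

# Constructed metadata mirroring the shape of the SeQL descriptor of slide 12
# (aliases, ids, CLA/INS, optional Le). All values are assumptions for this example.
METADATA = {
    "purse": {
        "AID": "F00000000100",  # assumed AID
        "attributes": {"pin": 0x01, "balance": 0x02, "debits": 0x03, "credits": 0x04},
        "functions": {"select": (0xD0, 0xB2), "update": (0xD0, 0xDC)},
        # no "le" entry: the default of 256 applies
    },
    "loyalty": {
        "AID": "F00000000200",  # assumed AID
        "attributes": {"points": 0x01},
        "functions": {"select": (0xA0, 0xB2)},  # no "update": read-only applet
        "le": 0x20,
    },
}

# Grammar of slide 9, restricted to SELECT and UPDATE (keywords are case-insensitive).
SELECT_RE = re.compile(r"SELECT\s+(.+?)\s+from\s+(\w+)(?:\s+fetch\s+(\d+))?", re.I)
UPDATE_RE = re.compile(
    r"UPDATE\s+(?:from\s+)?(\w+)\s+(?:set|params)\(([^)]*)\)\s+values\(([^)]*)\)"
    r"(?:\s+fetch\s+(\d+))?",
    re.I,
)


def _split(csv):
    """Split a comma-separated list of attribute names or values."""
    return [item.strip() for item in csv.split(",") if item.strip()]


def seql_to_apdus(instruction, metadata=METADATA):
    """Return [(attribute, C-APDU bytes), ...] for one SELECT or UPDATE instruction."""
    text = instruction.strip().rstrip(";")
    if m := SELECT_RE.fullmatch(text):
        fn, attrs, applet, rank = "select", _split(m.group(1)), m.group(2), m.group(3)
        values = [None] * len(attrs)
    elif m := UPDATE_RE.fullmatch(text):
        fn, applet, rank = "update", m.group(1), m.group(4)
        attrs, values = _split(m.group(2)), _split(m.group(3))
        if len(attrs) != len(values):
            raise ValueError("params/values count mismatch")
    else:
        raise ValueError(f"unsupported SeQL instruction: {instruction!r}")

    meta = metadata.get(applet)
    if meta is None:
        raise KeyError(f"applet {applet!r} is not described in the metadata")
    if fn not in meta["functions"]:
        raise KeyError(f"function {fn!r} is not exposed by applet {applet!r}")
    cla, ins = meta["functions"][fn]
    p2 = int(rank) if rank is not None else 0x00  # fetch rank, 0 = first record
    if p2 > 0xFF:
        raise ValueError("fetch rank must fit in P2 (0..255)")
    le = meta.get("le", 256)  # slide 11: 256 by default, otherwise from the metadata

    apdus = []
    for attr, value in zip(attrs, values):
        if attr not in meta["attributes"]:
            raise KeyError(f"attribute {attr!r} is not defined for applet {applet!r}")
        header = bytes([cla, ins, meta["attributes"][attr], p2])
        if value is None:
            # Case 2 APDU: header + Le; Le = 0x00 encodes 256 in a short APDU
            apdu = header + bytes([le % 256])
        else:
            data = value.encode("ascii")
            if not 1 <= len(data) <= 255:
                raise ValueError("value must be 1..255 bytes for a short APDU")
            # Case 3 APDU: header + Lc (computed from the data) + Data
            apdu = header + bytes([len(data)]) + data
        apdus.append((attr, apdu))
    return apdus


def is_rejected(instruction, metadata=METADATA):
    """True when the instruction cannot be mapped onto the SE described by the metadata."""
    try:
        seql_to_apdus(instruction, metadata)
    except (KeyError, ValueError):
        return True
    return False


if __name__ == "__main__":
    for attr, apdu in seql_to_apdus("SELECT balance, debits, credits FROM purse"):
        print(f"{attr:8s} -> {apdu.hex(' ').upper()}")
```

The slide 19 instruction `SELECT balance, debits, credits FROM purse` yields the three five-byte commands D0 B2 02 00 00, D0 B2 03 00 00 and D0 B2 04 00 00, i.e. exactly the loop that the hand-written Open Mobile API code of slide 20 spells out by hand.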
  • 13. Implementation: Secure Element Query Language (SeQL)
    How is genericity managed in the SeQL framework?
  • 14. Implementation: Secure Element Query Language (SeQL)
    SeQL implementation within the WOLF framework. SeQL implementations:
      - Hardware SE (SIM, eSE, microSD) with OMAPI and IDGo800
      - HCE applet (WOLF-SeQL self-configurable applet)
      - Contactless, from a terminal NFC reader
  • 15. Implementation: Secure Element Query Language (SeQL)
    SeQL implementation within the WOLF framework. SeQL tester: terminal end-user interface for SeQL contactless instructions
  • 16. Implementation: Wallet Open Library Framework (WOLF)
    SeQL implementation within the WOLF framework: a set of tools for SE-based application development
      1. From the mobile OS
      2. From a terminal connected to the NFC reader
      3. From a TSM
      4. From a multi-part messaging system...
  • 17. Proof-of-concept use case: Mobile Public Distribution System (M-PDS) proposal within F1RST project
    Objective: exploit mobile technologies and NFC to provide more traceability; ease the delivery process, reduce corruption and frauds
    PoC use case: digitalization of the Public Distribution System (PDS), the governmental program of first aids distribution to India's poor
    Project partners: GEMALTO; Tata Consultancy Services (TCS); University of Nice – Sophia-Antipolis; Indian Institute of Sciences of Bangalore
  • 18. Proof-of-concept use case: Mobile Public Distribution System (M-PDS) proposal within F1RST project
  • 19. SeQL value-added
    Gain example: retrieving balance, debits and credits from a purse applet.
    SeQL implementation:
      execute("SELECT balance, debits, credits FROM purse", cmdId);
  • 20. SeQL value-added
    Non-SeQL implementation (Open Mobile API for Android):
      import java.util.ArrayList;
      import java.util.HashMap;
      import org.simalliance.openmobileapi.*;

      // APDU_SUCCESS (status word 90 00), CLA_SELECT, INS_SELECT, ID_BALANCE, ID_CREDITS,
      // ID_DEBITS, ID_FIRST, ID_NEXT and RECORD_SIZE are application constants.
      SEService seService = new SEService(context, callback);
      Reader[] readers = seService.getReaders();
      try {
        if (readers.length != 0) {
          for (Reader r : readers) {
            if (r.isSecureElementPresent()) {
              Session session = r.openSession();
              Channel channel = session.openLogicalChannel(aid);
              // Send ISO/IEC 7816-4 SELECT APDU
              byte[] apduResponse = channel.getSelectResponse();
              int length = apduResponse.length;
              if (length > 1 && apduResponse[length - 2] == APDU_SUCCESS[0]
                  && apduResponse[length - 1] == APDU_SUCCESS[1]) {
                HashMap<String, ArrayList<String>> results = new HashMap<String, ArrayList<String>>();
                byte cla = CLA_SELECT;
                byte ins = INS_SELECT;
                byte[] records = {ID_BALANCE, ID_CREDITS, ID_DEBITS};
                for (int i = 0; i < records.length; i++) {
                  ArrayList<String> responses = new ArrayList<String>(); // one list per record type
                  byte p1 = records[i];
                  byte p2 = ID_FIRST;
                  // Short C-APDU: CLA INS P1 P2 Le (Le = expected record size)
                  byte[] apduCommand = {cla, ins, p1, p2, RECORD_SIZE};
                  apduResponse = channel.transmit(apduCommand);
                  apduCommand[3] = ID_NEXT; // subsequent reads fetch the next record
                  while (apduResponse.length > 2
                      && apduResponse[apduResponse.length - 2] == APDU_SUCCESS[0]
                      && apduResponse[apduResponse.length - 1] == APDU_SUCCESS[1]) {
                    byte[] data = new byte[apduResponse.length - 2]; // strip SW1 SW2
                    System.arraycopy(apduResponse, 0, data, 0, data.length);
                    StringBuilder sb = new StringBuilder(data.length * 2);
                    for (byte b : data) {
                      sb.append(String.format("%02X ", b));
                    }
                    responses.add(sb.toString());
                    apduResponse = channel.transmit(apduCommand);
                  }
                  results.put(Byte.toString(p1), responses);
                }
                ArrayList<String> balance = results.get(Byte.toString(ID_BALANCE));
                ArrayList<String> credits = results.get(Byte.toString(ID_CREDITS));
                ArrayList<String> debits = results.get(Byte.toString(ID_DEBITS));
              }
            }
          }
        }
      } catch (Exception e) {
        // Process errors
      }
  • 21. SeQL value-added
    The SeQL model:
      - Reduces the need for expertise (SQL-like universal language)
      - Abstracts the SE implementation complexity; allows high-level and generic implementation regardless of the underlying specificities
      - Eases and shortens the development process, brings scalability; reduces sensitivity to technology changes over time
    M-PDS use case within F1RST project: CEFIPRA|IFCPAR agreement for the support of the pilot phase; TCS will contact GEMALTO's Indian partners for the continuation of the F1RST project
  • 22. Related contributions on Access Control: Provenance-Based Access Control for Mobile (PBAC4M)
    Objectives:
      - Strengthen the security of mobile resources with a provenance-based access control
      - Enable high-level access control design according to predefined functional use cases
    Method:
      - Define the graph of the use case (W3C PROV Data Model)
      - Define the object dependency list
      - Define the inference rules
      - Then, check the compliance of the process
  • 23. Related contributions on Access Control: Provenance-Based Access Control for Mobile (PBAC4M)
    PBAC4M model based on the W3C PROV standards family. Modelling of the PROV-DM use case (object, abbreviation, description):
      entity (e): a digital resource, immutable state (e.g. a file, data)
      activity (a): a computing activity (e.g. a process or a task)
      agent (ag): the agent responsible for the activity (e.g. the activity owner or a privileged user)
  • 24. Related contributions on Access Control: Provenance-Based Access Control for Mobile (PBAC4M)
    PBAC4M model based on the W3C PROV standards family. Modelling of the PROV-DM use case (relation type, abbreviation, meaning):
      used (use): an entity is used by an activity
      wasGeneratedBy (gen): an entity is generated by an activity
      wasAssociatedWith (assoc): an activity is associated with (controlled by) an agent
      actedOnBehalfOf (del): an agent acts on behalf of another agent (responsibility) regarding some activity
      wasInformedBy (inf): an activity is informed (triggered) by another one
      wasDerivedFrom (der): an entity is derived from another one
      wasAttributedTo (att): an entity is attributed to an agent
  • 25. Related contributions on Access Control: Provenance-Based Access Control for Mobile (PBAC4M)
    PBAC4M mobile implementation: PBAC4M agent for the TEE
    An access request to a trusted activity, made through the TEE API by an application running in the REE, is checked by the Access Control (AC) Agent: in addition to the AC management already performed to access the TEE resources, the PBAC4M mediator checks the PROV-DM graph of the activity history and its compliance with the PBAC rules; the authorization result is then returned to the AC agent, which can authorize or deny the activity processing and the use of the resource.
  • 26. PBAC4M model based on W3C PROV standards family • Use case example: Token-based mobile payment Related contributions on Access Control: Provenance-Based Access Control for Mobile (PBAC4M)
  • 27. PBAC4M model based on W3C PROV standards family • Use case example: Token-based mobile payment Related contributions on Access Control: Provenance-Based Access Control for Mobile (PBAC4M)
  • 28. Related contributions on Access Control: Provenance-Based Access Control for Mobile (PBAC4M)
    PBAC4M model based on the W3C PROV standards family. Use case example: token-based mobile payment. Object dependency list:
      (1) the token issuance dependencies: < wasIssuedTokenBy, wasGeneratedBy(Issue_Token).wasAssociatedWith >
      (2) the pre-authorization issuance dependencies: < wasIssuedPre-AuthorizationBy, wasGeneratedBy(Issue_Pre-Authorization).wasAssociatedWith >
      (3) the token attribution dependencies: < wasIssuedTokenFromBy, wasGeneratedBy(Issue_Token).used.wasAttributedTo >
      (4) the pre-authorization attribution dependencies: < wasIssuedPre-AuthorizationFromBy, wasGeneratedBy(Issue_Pre-Authorization).used.wasAttributedTo >
  • 29. Related contributions on Access Control: Provenance-Based Access Control for Mobile (PBAC4M)
    PBAC4M model based on the W3C PROV standards family. Use case example: token-based mobile payment. Activity rules:
      - A token entity can only be used if it was previously generated by the Issue_Token activity (5).
      - A pre-authorization entity can only be used if it was previously generated by the Issue_Pre-Authorization activity (6).
      - An agent can invoke a token usage if that token was attributed to her, and the owner of the pre-authorization entity that derived to the token is the same as the one who issued that token (7).
      - An agent can invoke a payment using a pre-authorization if that pre-authorization was attributed to her, and the owner of the token entity that derived to the pre-authorization is the same as the one who issued that pre-authorization (8).
      allow(agent, Use_Token, entity) ⇒ |entity, wasIssuedTokenBy| = 1 (5)
      allow(agent, Validate_Payment, entity) ⇒ |entity, wasIssuedPre-AuthorizationBy| = 1 (6)
      allow(agent, Invoke_Use_Token, entity) ⇒ agent ∈ (entity, wasAttributedTo) ∧ (entity, wasAttributedTo) = (entity, wasIssuedTokenFromBy) (7)
      allow(agent, Invoke_Payment, entity) ⇒ agent ∈ (entity, wasAttributedTo) ∧ (entity, wasAttributedTo) = (entity, wasIssuedPre-AuthorizationFromBy) (8)
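As an added illustration of slides 28 and 29 (example code written for this page, not the PBAC4M implementation of the thesis), the following Python stores a small PROV-DM history with the four relations the rules need (gen, used, assoc, att), derives the dependency paths (1) to (4) by walking the graph, and evaluates the necessary conditions (5) to (8) as a deny-by-default mediator. The agents, entities and activity identifiers (alice, bank, tsp, token1, ...) are constructed for the example; the two bad tokens show why rules (5) and (7) are both needed: a token that no Issue_Token activity produced fails (5), and a token issued from somebody else's pre-authorization but attributed to the requester fails (7) even though it passes (5).

```python
"""PBAC4M-style provenance check for the token-based payment rules (constructed example)."""
from collections import defaultdict


class ProvGraph:
    """Minimal PROV-DM store holding only the relations the rules need."""

    def __init__(self):
        self.kind = {}                 # activity id -> activity type (Issue_Token, ...)
        self.gen = defaultdict(set)    # entity -> activities that generated it (wasGeneratedBy)
        self.used = defaultdict(set)   # activity -> entities it used (used)
        self.assoc = defaultdict(set)  # activity -> agents controlling it (wasAssociatedWith)
        self.att = defaultdict(set)    # entity -> agents it is attributed to (wasAttributedTo)

    def entity(self, e, attributed_to):
        self.att[e].add(attributed_to)

    def activity(self, a, kind, agent, used=(), generated=()):
        self.kind[a] = kind
        self.assoc[a].add(agent)
        for e in used:
            self.used[a].add(e)
        for e in generated:
            self.gen[e].add(a)


def issued_by(g, entity, issue_kind):
    """Dependencies (1)/(2): wasGeneratedBy(Issue_X).wasAssociatedWith -> issuing agents."""
    return {ag for a in g.gen[entity] if g.kind[a] == issue_kind for ag in g.assoc[a]}


def issued_from_by(g, entity, issue_kind):
    """Dependencies (3)/(4): wasGeneratedBy(Issue_X).used.wasAttributedTo -> owners of the source."""
    return {ag for a in g.gen[entity] if g.kind[a] == issue_kind
            for e in g.used[a] for ag in g.att[e]}


# Rules (5)-(8) of slide 29, each as the necessary condition that must hold for allow().
RULES = {
    "Use_Token": lambda g, ag, e: len(issued_by(g, e, "Issue_Token")) == 1,
    "Validate_Payment": lambda g, ag, e: len(issued_by(g, e, "Issue_Pre-Authorization")) == 1,
    "Invoke_Use_Token": lambda g, ag, e: (ag in g.att[e]
                                          and g.att[e] == issued_from_by(g, e, "Issue_Token")),
    "Invoke_Payment": lambda g, ag, e: (ag in g.att[e]
                                        and g.att[e] == issued_from_by(g, e, "Issue_Pre-Authorization")),
}


def allow(g, agent, activity, entity):
    """Mediator decision: deny by default; allow only when the activity's rule holds."""
    rule = RULES.get(activity)
    return bool(rule and rule(g, agent, entity))


def build_example_graph():
    """Constructed history: alice's request -> pre-authorization -> token, plus two bad tokens."""
    g = ProvGraph()
    g.entity("req1", "alice")  # payment request owned by alice
    g.activity("a1", "Issue_Pre-Authorization", "bank", used=["req1"], generated=["preauth1"])
    g.entity("preauth1", "alice")
    g.activity("a2", "Issue_Token", "tsp", used=["preauth1"], generated=["token1"])
    g.entity("token1", "alice")
    # token_copy was not produced by an Issue_Token activity: rule (5) must reject it
    g.activity("a3", "Copy_Token", "mallory", used=["token1"], generated=["token_copy"])
    g.entity("token_copy", "alice")
    # token_bob was issued from bob's pre-authorization but attributed to alice: rule (7) must reject it
    g.entity("preauth_bob", "bob")
    g.activity("a4", "Issue_Token", "tsp", used=["preauth_bob"], generated=["token_bob"])
    g.entity("token_bob", "alice")
    return g


if __name__ == "__main__":
    g = build_example_graph()
    for agent, act, ent in [("alice", "Invoke_Use_Token", "token1"),
                            ("mallory", "Invoke_Use_Token", "token1"),
                            ("alice", "Use_Token", "token_copy"),
                            ("alice", "Invoke_Use_Token", "token_bob")]:
        print(f"allow({agent}, {act}, {ent}) = {allow(g, agent, act, ent)}")
```

The rules are evaluated as written on the slide: (5) and (6) count the issuing agents reached through the generating activity, (7) and (8) compare the attribution set of the entity with the attribution set of the entity the issuing activity consumed. Any activity without a rule is denied, which is the safe default for a mediator placed in front of TEE resources.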
  • 30. Related contributions on Access Control: Patent submission with GEMALTO
    "An Access Delegation System For An Owner User To Delegate To A Delegate An Authorization For Accessing To A Resource"
    Oral presentation: problem we address; solution we propose; innovation claims
  • 31. Conclusion: current status and prospective research
    - The SeQL model is tipped to integrate the standard proposal for the next generation of secure element platforms.
    - F1RST project and M-PDS use case artefacts, including the WOLF framework, were delivered to the Indian partner TCS for the industrial pilot deployment stage.
    - The PBAC4M proof-of-concept implementation is provided as a Cloud service (see previous work on PBAC2, Boucelma & Lacroix, 2014) and will be proposed to our industrial partners for TEE prototyping.
    - The patent proposal on resource access delegation was submitted by GEMALTO to the EPO in Sept. 2016...
  • 33. References
    P. Paradinas and J. J. Vandewalle, "A personal and portable database server: the CQL card," in Lecture Notes in Computer Science, vol. 819, W. Litwin and T. Risch, Eds., Springer-Verlag, 1994, pp. 444-457.
    P. Paradinas and J. J. Vandewalle, "How to integrate smart cards in Standard Software without writing specific code?," in CardTech/SecurTech (CTST), Rockville, MD, USA, 1994.
    3rd Generation Partnership Project (3GPP), "Phone book management with ISO 7816 part 7 (SCQL)," 3GPP TSG-T3, 1999.
    V. Alimi and M. Pasquet, "Post-Distribution Provisioning and Personalization of a Payment Application on a UICC-Based Secure Element," in Conference on Availability, Reliability and Security (ARES), Fukuoka, Japan, 2009.
    V. Alimi, "Contributions au déploiement des services mobiles et à l'analyse de la sécurité des transactions," PhD thesis in Computer Science and Applications, Université de Caen Basse-Normandie, 2012.
    V. Alimi, "An Ontology-based Framework to Model a GlobalPlatform Secure Element," in WIMA Conference, NFC Research Track, Monaco, 2012.
    R. N. Akram, "A User Centric Security Model for Tamper-Resistant Devices," PhD thesis, Royal Holloway University of London, London, England, 2012.
    R. Pande, S. Cole, A. Sivasankaran, G. G. Bastian and K. Durlacher, "Does poor people's access to formal banking services raise their incomes?," EPPI-Centre, Social Science Research Unit, Institute of Education, University of London, 2012.
    D. Radcliffe, R. Voorhies and Bill & Melinda Gates Foundation, "A Digital Pathway to Financial Inclusion," 2012.
    M. Della Peruta, "Mobile Money Adoption and Financial Inclusion Objectives: A Macroeconomic Approach through a Cluster Analysis," Groupe de REcherche en Droit, Economie, Gestion (GREDEG CNRS), University of Nice Sophia Antipolis (UNS), 2015.
    A. Kishore and S. Chakrabarti, "Is More Inclusive More Effective? The 'New-Style' Public Distribution System in India," International Food Policy Research Institute (IFPRI), 2015.
    S. Balani, "Functioning of the Public Distribution System," PRS Legislative Research, 2013.
    . Singh, A. Shah, M. Aggarwal, P. Nair, R. Kashyap, S. Mohamed and S. Pal, "Expenditure Management in the Public Distribution System," Indian Institute of Management Bangalore (IIMB), 2015.
    L. Moreau and P. Missier, "PROV-DM: The PROV Data Model," W3C Recommendation, 2013.
    L. Moreau, J. Freire, J. Futrelle, R. E. McGrath, J. Myers and P. Paulson, "The open provenance model: An overview," in International Provenance and Annotation Workshop (IPAW), 2008.
    W3C, "PROV-Overview: An Overview of the PROV Family of Documents," 2013.
    J. Lacroix and O. Boucelma, "Trusting the Cloud: A PROV + RBAC Approach," 2014.
    J. Lacroix, "Vers un cloud de confiance : modèles et algorithmes pour une provenance basée sur les contrôles d'accès," PhD thesis in Computer Science, Ecole Doctorale Mathématiques et Informatique de Marseille (ED184), Aix-Marseille Université (AMU), 2015.
    M. Sabt, M. Achemlal and A. Bouabdalla, "Trusted Execution Environment: What It Is, and What It Is Not," in 14th IEEE International Conference on Trust, Security, Helsinki, Finland, 2015.
  • 34. Communications and publications
    Conferences:
      Lesas AM. "F1RST Research project: Mobiquitous NFC Financial services for unbanked PEOPLE," WIMA conference, NFC Research Track, Monaco, April 22, 2014.
      Lesas AM. "WOLF/SeQL: Wallet Open Library Framework / Secure Element – Query Language," Commission Open Source, Telecom Valley, Sophia-Antipolis, Sept. 10, 2015.
      Lesas AM. "Une perspective de la mobiquité au service de la gestion avant / pendant / après des séismes," workshop "SI pour l'aide à la décision et la diffusion d'alerte," Inforsid 2016, Grenoble, May 31-June 3, 2016.
    Publications:
      Lesas AM., Miranda S., "Architecture logicielle du projet VAMP Plate-forme mobiquitaire embarquée à bord de véhicules automobiles," Génie Logiciel, No 103, Dec. 2012, pp. 38-48.
      Lesas AM., Renaut B., Edouard A., Miranda S., "WOLF: a research Platform to write NFC secure applications on top of multiple Secure Elements," International Journal of Advanced Computer Science and Applications (IJACSA), vol. 5, no. 8, Sept. 2014, pp. 20-31.
      Lesas AM., "Détecter et monitorer les séismes grâce aux capteurs embarqués dans les smartphones," Inforsid 2016, Grenoble, May 31-June 3, 2016.
      Lesas AM., Boucelma O., Lacroix J., "PBAC4M: Provenance-Based Access Control for Mobile," Mobiquitous, Posters and Demo track, Melbourne, Australia, Nov. 2017, accepted.
    Poster: WOLF-SeQL presented to the "Haut Conseil de l'évaluation de la recherche et de l'enseignement supérieur" (HCERES), Marseille, Jan. 2017.
  • 35. Communications and publications
    Lesas AM., Miranda S., "The Art and Science of NFC programming," Information Systems, Web and Pervasive Computing series, Intellectual Technologies set, vol. 3, WILEY-ISTE, ISBN: 978-1-78630-057-7, pre-order Feb. 2017, 154 pages (available in French and English), http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1786300575.html
    F1RST project demos and meetings:
      CEFIPRA IRC meeting, Saint Malo, May 22, 2014.
      CEFIPRA meeting, Nice, France, June 1st, 2015.
      CEFIPRA 28th meeting of the Industrial Research Committee, Tours, France, May 20-22, 2016.
      F1RST project poster for the CEFIPRA meeting in India, Nov. 2016.