SMART OPENID & MOBILE NETWORK SECURITY
BRINGING STRONG AUTHENTICATION FOR INTERNET ACCESS ON MOBILE DEVICES
Chip-to-Cloud 2012
19-20 September 2012

     Yogendra Shah        InterDigital
     Carsten Rust         Morpho Cards
     Andreas Leicher      Novalyst

© 2012 InterDigital, Inc. All rights reserved.
Identity Management on Mobile Platforms

    • Users are used to an always connected Internet desktop
      experience
      • Mobile devices are being used more and more to store
        confidential data and for secure Internet transactions
      • Unlike desktops, mobile devices are more likely to be lost or
        stolen easily
    • Users are looking for a seamless and secure Internet
      experience
      • Concerned about the risk of privacy and giving away their identity
        information to too many services
        • Sony PS network hack!
      • Want consistent, transparent and secure “one-click” access to
        Internet services
    • MNO backed single-sign-on or federated identity provides a
      framework for strong “branded” authentication security
      • Operator value-add with UICC-based credentials


2
OpenID – Industry Standard HTTP-based SSO Protocol

    • Lightweight protocol designed for Web2.0
    • Improved user experience and persistent identities
    • Supported by industry groups and US government
    • Relevance for mobile markets is growing

    BUT …
    • Cuts the operator out of identity management
    • Burdens the authentication infrastructure

3
InterDigital’s Smart OpenID - Optimized for Wireless

    Smart OpenID
    • Operator becomes the Identity Provider
    • Branding on web screen during logon
    • Strong user/device authentication built on security of smartcard / UICC
    • Significantly reduced burden on authentication servers
    • Roll-out feasible via over-the-air App to phone and SMS applet to UICC

4
Operator Anchored OpenID Proxy on UICC

    • GBA is used for application layer authentication bootstrapping
      based on UICC based credentials
    • The MNO acts as an OP, Identity Provider
    • 3GPP OpenID/GBA protocol runs between the IdP and the
      device resulting in the following key hierarchy
      • A Smart OpenID specific shared key is established in the device
        and in the network by the GBA protocol
      • The key can be used to generate a Relying Party specific key as
        a trust anchor between the local OP and the network OP
    • Subsequent authentication runs can be seamless to the user
    • Related to 3GPP TR 33.924 OpenID/GBA

    [Figure: key hierarchy diagram. Source: 3G Americas, Identity Management
    Overview of Standards & Technology]

5
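The key hierarchy on this slide worked through as an added example; this is not the slides' or InterDigital's code. A GBA-bootstrapped key Ks is narrowed to a Smart OpenID specific key shared with the network OP, then to a Relying Party specific key, which the local OP uses to HMAC-sign an OpenID 2.0 assertion and the network OP uses to verify it. The HMAC-SHA256 derivation, its labels and all sample values are assumptions standing in for the 3GPP KDF of TS 33.220.

```python
import base64
import hashlib
import hmac

# Constructed sample values; not real GBA output and not taken from the slides.
KS = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # GBA master key Ks (device + BSF)
OP_NAF_ID = "op.operator.example"                             # network OP acting as the GBA NAF


def kdf(key, label, *context):
    """HMAC-SHA256 key derivation. An assumption standing in for the 3GPP KDF of TS 33.220."""
    data = label.encode()
    for c in context:
        data += b"\x00" + c.encode()
    return hmac.new(key, data, hashlib.sha256).digest()


def smart_openid_key(ks, naf_id):
    """Level 1: Smart OpenID specific key, shared by the UICC and the network OP after GBA."""
    return kdf(ks, "smart-openid", naf_id)


def rp_key(k_so, rp_realm):
    """Level 2: Relying Party specific key, the trust anchor between local OP and network OP."""
    return kdf(k_so, "rp", rp_realm)


SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]


def kv_form(fields, signed):
    """OpenID 2.0 key-value form of the signed fields: one "key:value" line per field, in order."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


def sign_assertion(k_rp, fields):
    """Local OP on the UICC signs a positive assertion with HMAC-SHA256 (an OpenID 2.0 assoc type)."""
    mac = hmac.new(k_rp, kv_form(fields, SIGNED_FIELDS), hashlib.sha256).digest()
    return {**fields, "signed": ",".join(SIGNED_FIELDS), "sig": base64.b64encode(mac).decode()}


def verify_assertion(k_rp, assertion):
    """Network OP re-derives the same RP key and checks the MAC, as in check_authentication."""
    signed = assertion["signed"].split(",")
    expected = hmac.new(k_rp, kv_form(assertion, signed), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(assertion["sig"]))


def login(rp_realm, return_to, tamper=False):
    """One Smart OpenID run: device side and network side derive the RP key independently."""
    # Device side: the UICC holds Ks from GBA and derives the Smart OpenID key, then the RP key.
    k_rp_device = rp_key(smart_openid_key(KS, OP_NAF_ID), rp_realm)
    assertion = sign_assertion(k_rp_device, {
        "op_endpoint": f"https://{OP_NAF_ID}/openid",
        "claimed_id": "https://mymobile.example/myidentity",   # constructed identifier
        "identity": "https://mymobile.example/myidentity",
        "return_to": return_to,
        "response_nonce": "2012-09-19T10:00:00Zabc123",        # constructed nonce
        "assoc_handle": "smart-openid-rp-key",
    })
    if tamper:   # an assertion altered after signing must fail verification at the network OP
        assertion["return_to"] = "https://other.example/cb"
    # Network side: BSF and NAF hold the same Ks, so the network OP derives the same RP key.
    k_rp_network = rp_key(smart_openid_key(KS, OP_NAF_ID), rp_realm)
    return verify_assertion(k_rp_network, assertion)
```

Because the RP key is derived per realm, a key handed to one relying party says nothing about another's, which is the point of deriving rather than sharing the Smart OpenID key itself.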
Smart OpenID Realization (1 of 4)

One login, then “one-click” access to everything

[Figure: Operator branded trust assurance; Policy driven user authentication;
User authenticates to device ONCE with password, biometrics, etc …]

6
Smart OpenID Vision (2 of 4)

User navigates to Web services

[Figure: Relying Parties; Navigation triggers automation; OpenID discovery and
association with identity provider over the Internet; OpenID Provider]

7
Smart OpenID Vision (3 of 4)

OpenID provider has a local proxy on the UICC

[Figure: UICC inside Phone; mymobile.IdP/myidentity; In-device authentication
with local proxy on UICC; Over-the-air authentication with mobile operator;
OpenID Provider]

8
Smart OpenID Vision (4 of 4)

Policy driven automated access to Web services

[Figure: Relying Parties; Over-the-Air assertion to relying parties; OpenID Provider]

9
Open Mobile API

     • A software interface allowing applications access to the secure element
       (UICC) through the radio interface layer (RIL) on a smartphone
     • A three-layer architecture for the API
       • Application layer: represents the various applications that use
         OpenMobileAPI
       • Service layer: abstracts the available functions, such as
         cryptography and authentication, in secure elements
       • Transport layer: provides general access to secure elements using
         APDUs

10
Implementation of Smart OpenID on UICC


     • Using the OpenMobileAPI, the mobile application part of
       the local OP lies in the application layer
     • By calling APIs from the service layer, the application
       can
       • Securely store the secret on the UICC
       • Verify the user entered PIN to locally authenticate the end
         user
       • Sign the authentication assertion using the HMAC function
       • Communicate data with the generic transport API
     • All these service requirements are converted into
       command APDUs in the transport layer and sent to the
       applet on the UICC

11
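The service-to-transport conversion described on slides 10 and 11, as an added example that is not the project's code: a hypothetical local-OP applet is driven with ISO 7816-4 command APDUs, a VERIFY with the user PIN must succeed before the applet will HMAC-sign assertion data, and the status words (0x63Cx retries left, 0x6983 blocked, 0x6982 PIN not verified) are what the service layer interprets. The VERIFY instruction, the PIN1 reference and the status words are the standard values; the class byte 0x80, the signing instruction 0x10 and the applet itself are constructed.

```python
import hashlib
import hmac

# ISO 7816-4 / ETSI TS 102 221 values are real; the proprietary class byte and the
# INS_SIGN_ASSERTION command are constructed for this hypothetical applet.
CLA_PROPRIETARY = 0x80
INS_VERIFY = 0x20                            # ISO 7816-4 VERIFY: check the user PIN on the card
INS_SIGN_ASSERTION = 0x10                    # hypothetical applet command: HMAC over assertion data
P2_PIN1 = 0x01                               # PIN reference for PIN1 (application PIN) on a UICC
SW_OK = 0x9000
SW_PIN_RETRIES = 0x63C0                      # 0x63Cx: wrong PIN, x tries remaining
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982    # command needs a verified PIN first
SW_AUTH_METHOD_BLOCKED = 0x6983              # retry counter exhausted
SW_INS_NOT_SUPPORTED = 0x6D00
SW_CLA_NOT_SUPPORTED = 0x6E00


def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Transport layer: encode a short-form command APDU (Lc/data and Le only if present)."""
    if len(data) > 255:
        raise ValueError("a short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + bytes(data)
    if le is not None:
        apdu += bytes([le & 0xFF])           # Le 0x00 means "up to 256 response bytes"
    return apdu


def parse_apdu(raw):
    """Decode a short-form command APDU into (CLA, INS, P1, P2, data)."""
    if len(raw) < 4:
        raise ValueError("APDU header needs 4 bytes")
    body = raw[4:]
    if len(body) <= 1:                       # case 1 (no body) or case 2 (Le only)
        return raw[0], raw[1], raw[2], raw[3], b""
    lc = body[0]
    if len(body) < 1 + lc:
        raise ValueError("Lc exceeds the bytes present")
    return raw[0], raw[1], raw[2], raw[3], bytes(body[1:1 + lc])


def sw_bytes(sw):
    return sw.to_bytes(2, "big")


class LocalOpApplet:
    """Constructed stand-in for the Smart OpenID applet on the UICC (not the real applet)."""

    def __init__(self, pin, secret, max_tries=3):
        self.pin = bytes(pin)
        self.secret = bytes(secret)          # Smart OpenID shared key; never leaves the card
        self.max_tries = max_tries
        self.tries_left = max_tries
        self.pin_verified = False

    def process(self, apdu):
        """Handle one command APDU; returns response data followed by the 2-byte status word."""
        cla, ins, p1, p2, data = parse_apdu(apdu)
        if cla != CLA_PROPRIETARY:
            return sw_bytes(SW_CLA_NOT_SUPPORTED)
        if ins == INS_VERIFY:
            if self.tries_left == 0:
                return sw_bytes(SW_AUTH_METHOD_BLOCKED)
            if hmac.compare_digest(data, self.pin):   # constant-time, length-safe compare
                self.pin_verified = True
                self.tries_left = self.max_tries
                return sw_bytes(SW_OK)
            self.pin_verified = False
            self.tries_left -= 1
            if self.tries_left == 0:
                return sw_bytes(SW_AUTH_METHOD_BLOCKED)
            return sw_bytes(SW_PIN_RETRIES | self.tries_left)
        if ins == INS_SIGN_ASSERTION:
            if not self.pin_verified:         # local user authentication gates signing
                return sw_bytes(SW_SECURITY_STATUS_NOT_SATISFIED)
            mac = hmac.new(self.secret, data, hashlib.sha256).digest()
            return mac + sw_bytes(SW_OK)
        return sw_bytes(SW_INS_NOT_SUPPORTED)


def status_word(response):
    return int.from_bytes(response[-2:], "big")


def verify_pin(applet, pin):
    """Service layer: send VERIFY and return the status word (0x9000, 0x63Cx or 0x6983)."""
    return status_word(applet.process(build_apdu(CLA_PROPRIETARY, INS_VERIFY, 0x00, P2_PIN1, pin)))


def sign_assertion_on_uicc(applet, assertion_kv):
    """Service layer: ask the applet for the HMAC; None when the PIN has not been verified."""
    apdu = build_apdu(CLA_PROPRIETARY, INS_SIGN_ASSERTION, 0x00, 0x00, assertion_kv, le=0x00)
    resp = applet.process(apdu)
    return resp[:-2] if status_word(resp) == SW_OK else None
```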
Smart OpenID - Identity Management for MNOs

     • Operator as an Identity Provider (OP)
       • Strong user/device authentication with ease of access to services
         • MNOs can leverage their branding and trust infrastructure to provide strong
           UICC backed authentication
       • Operator anchored trust foundation for any Web service (RPs)
       • Branding: custom Operator/Identity Provider web screen on login
       • 3rd party services can rely on trusted identity and attribute
         assertions from MNOs, such as
     • Viability from an Operator’s perspective
       • Authentication which builds upon existing and proven security of
         the smartcard/UICC
       • Mechanism for roll-out of Single-Sign-On through remote
         download via SMS to UICC
         • UICC is a controlled and manageable platform for all critical security
           operations
         • Downloadable Smart OpenID applet/application
       • Smartcard based, local authentication enables a secure exchange
         of identity attributes

12

Weitere ähnliche Inhalte

Was ist angesagt?

Digital authentication
Digital authenticationDigital authentication
Digital authenticationallanh0526
 
Mobile Cloud Identity
Mobile Cloud IdentityMobile Cloud Identity
Mobile Cloud IdentityMark Diodati
 
TrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong AuthenticationTrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong AuthenticationTrustBearer
 
Expected Use Cases of FIDO Authentication in Social Apps
Expected Use Cases of FIDO Authentication in Social AppsExpected Use Cases of FIDO Authentication in Social Apps
Expected Use Cases of FIDO Authentication in Social AppsFIDO Alliance
 
Strong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesStrong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesFIDO Alliance
 
2014 IoT Forum_ Fido Alliance
2014 IoT Forum_ Fido Alliance2014 IoT Forum_ Fido Alliance
2014 IoT Forum_ Fido AllianceCOMPUTEX TAIPEI
 
Mobile Authentication on the Internet
Mobile Authentication on the InternetMobile Authentication on the Internet
Mobile Authentication on the Internetevidos
 
Overview of FIDO Security Requirements and Certifications
Overview of FIDO Security Requirements and CertificationsOverview of FIDO Security Requirements and Certifications
Overview of FIDO Security Requirements and CertificationsFIDO Alliance
 
OpenID Foundation MODRNA WG
OpenID Foundation MODRNA WGOpenID Foundation MODRNA WG
OpenID Foundation MODRNA WGBjorn Hjelm
 
OpenID Foundation MODRNA WG
OpenID Foundation MODRNA WGOpenID Foundation MODRNA WG
OpenID Foundation MODRNA WGBjorn Hjelm
 
Expected Use Cases of FIDO Authentication for Social Applications
Expected Use Cases of FIDO Authentication for Social ApplicationsExpected Use Cases of FIDO Authentication for Social Applications
Expected Use Cases of FIDO Authentication for Social ApplicationsFIDO Alliance
 
Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantVladimir Jirasek
 
Iot security and Authentication solution
Iot security and Authentication solutionIot security and Authentication solution
Iot security and Authentication solutionPradeep Jeswani
 
OpenID Foundation Workshop at EIC2017
OpenID Foundation Workshop at EIC2017OpenID Foundation Workshop at EIC2017
OpenID Foundation Workshop at EIC2017Bjorn Hjelm
 
FIDO Authentication in Hong Kong
FIDO Authentication in Hong KongFIDO Authentication in Hong Kong
FIDO Authentication in Hong KongFIDO Alliance
 
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingSmart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingOKsystem
 
Digital signature and certificate authority
Digital signature and certificate authorityDigital signature and certificate authority
Digital signature and certificate authorityKrutiShah114
 

Was ist angesagt? (20)

Digital authentication
Digital authenticationDigital authentication
Digital authentication
 
TheGRID - Stop Identity Theft
TheGRID - Stop Identity TheftTheGRID - Stop Identity Theft
TheGRID - Stop Identity Theft
 
Mobile Cloud Identity
Mobile Cloud IdentityMobile Cloud Identity
Mobile Cloud Identity
 
FIDO2 and Microsoft
FIDO2 and MicrosoftFIDO2 and Microsoft
FIDO2 and Microsoft
 
Rajan Raj Pant
Rajan Raj PantRajan Raj Pant
Rajan Raj Pant
 
TrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong AuthenticationTrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong Authentication
 
Expected Use Cases of FIDO Authentication in Social Apps
Expected Use Cases of FIDO Authentication in Social AppsExpected Use Cases of FIDO Authentication in Social Apps
Expected Use Cases of FIDO Authentication in Social Apps
 
Strong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesStrong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital Services
 
2014 IoT Forum_ Fido Alliance
2014 IoT Forum_ Fido Alliance2014 IoT Forum_ Fido Alliance
2014 IoT Forum_ Fido Alliance
 
Mobile Authentication on the Internet
Mobile Authentication on the InternetMobile Authentication on the Internet
Mobile Authentication on the Internet
 
Overview of FIDO Security Requirements and Certifications
Overview of FIDO Security Requirements and CertificationsOverview of FIDO Security Requirements and Certifications
Overview of FIDO Security Requirements and Certifications
 
OpenID Foundation MODRNA WG
OpenID Foundation MODRNA WGOpenID Foundation MODRNA WG
OpenID Foundation MODRNA WG
 
OpenID Foundation MODRNA WG
OpenID Foundation MODRNA WGOpenID Foundation MODRNA WG
OpenID Foundation MODRNA WG
 
Expected Use Cases of FIDO Authentication for Social Applications
Expected Use Cases of FIDO Authentication for Social ApplicationsExpected Use Cases of FIDO Authentication for Social Applications
Expected Use Cases of FIDO Authentication for Social Applications
 
Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistant
 
Iot security and Authentication solution
Iot security and Authentication solutionIot security and Authentication solution
Iot security and Authentication solution
 
OpenID Foundation Workshop at EIC2017
OpenID Foundation Workshop at EIC2017OpenID Foundation Workshop at EIC2017
OpenID Foundation Workshop at EIC2017
 
FIDO Authentication in Hong Kong
FIDO Authentication in Hong KongFIDO Authentication in Hong Kong
FIDO Authentication in Hong Kong
 
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingSmart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
 
Digital signature and certificate authority
Digital signature and certificate authorityDigital signature and certificate authority
Digital signature and certificate authority
 

Ähnlich wie Smart OpenID & Mobile Network Security

Identity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoTIdentity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoTAllSeen Alliance
 
Market Study on Mobile Authentication
Market Study on Mobile AuthenticationMarket Study on Mobile Authentication
Market Study on Mobile AuthenticationFIDO Alliance
 
The Future is Flying Cars and Digital Driver's Licenses on Our Phones - Scott...
The Future is Flying Cars and Digital Driver's Licenses on Our Phones - Scott...The Future is Flying Cars and Digital Driver's Licenses on Our Phones - Scott...
The Future is Flying Cars and Digital Driver's Licenses on Our Phones - Scott...IdentityNorthEvents
 
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsHow to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsMaxim Salnikov
 
Hardware Authentication
Hardware AuthenticationHardware Authentication
Hardware AuthenticationCoder Tech
 
SmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketSmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketOKsystem
 
Mobilize your workforce with secure identity services
Mobilize your workforce with secure identity servicesMobilize your workforce with secure identity services
Mobilize your workforce with secure identity servicesSumana Mehta
 
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WGOverview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WGBjorn Hjelm
 
Entrust IdentityGuard Mobile
Entrust IdentityGuard MobileEntrust IdentityGuard Mobile
Entrust IdentityGuard MobileEntrust Datacard
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OpenID Connect: The Mobile Profile
OpenID Connect: The Mobile ProfileOpenID Connect: The Mobile Profile
OpenID Connect: The Mobile ProfileBjorn Hjelm
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
Identity-Defined Privacay & Security for Internet of Things
Identity-Defined Privacay & Security for Internet of ThingsIdentity-Defined Privacay & Security for Internet of Things
Identity-Defined Privacay & Security for Internet of ThingsPing Identity
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingPing Identity
 
FIDO, Federation and the Internet of Things
 FIDO, Federation and the Internet of Things FIDO, Federation and the Internet of Things
FIDO, Federation and the Internet of ThingsFIDO Alliance
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Brian Spector
 
Connecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldConnecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldPing Identity
 
FIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology LandscapeFIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology LandscapeFIDO Alliance
 

Ähnlich wie Smart OpenID & Mobile Network Security (20)

Identity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoTIdentity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoT
 
Market Study on Mobile Authentication
Market Study on Mobile AuthenticationMarket Study on Mobile Authentication
Market Study on Mobile Authentication
 
The Future is Flying Cars and Digital Driver's Licenses on Our Phones - Scott...
The Future is Flying Cars and Digital Driver's Licenses on Our Phones - Scott...The Future is Flying Cars and Digital Driver's Licenses on Our Phones - Scott...
The Future is Flying Cars and Digital Driver's Licenses on Our Phones - Scott...
 
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsHow to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
 
Hardware Authentication
Hardware AuthenticationHardware Authentication
Hardware Authentication
 
SmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketSmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication market
 
Mobilize your workforce with secure identity services
Mobilize your workforce with secure identity servicesMobilize your workforce with secure identity services
Mobilize your workforce with secure identity services
 
Cybersecurity Slides
Cybersecurity  SlidesCybersecurity  Slides
Cybersecurity Slides
 
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WGOverview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
 
Entrust IdentityGuard Mobile
Entrust IdentityGuard MobileEntrust IdentityGuard Mobile
Entrust IdentityGuard Mobile
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OpenID Connect: The Mobile Profile
OpenID Connect: The Mobile ProfileOpenID Connect: The Mobile Profile
OpenID Connect: The Mobile Profile
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
Identity-Defined Privacay & Security for Internet of Things
Identity-Defined Privacay & Security for Internet of ThingsIdentity-Defined Privacay & Security for Internet of Things
Identity-Defined Privacay & Security for Internet of Things
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick Harding
 
Single Sign-On for Mobile
Single Sign-On for MobileSingle Sign-On for Mobile
Single Sign-On for Mobile
 
FIDO, Federation and the Internet of Things
 FIDO, Federation and the Internet of Things FIDO, Federation and the Internet of Things
FIDO, Federation and the Internet of Things
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016
 
Connecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldConnecting The Real World With The Virtual World
Connecting The Real World With The Virtual World
 
FIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology LandscapeFIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology Landscape
 

Kürzlich hochgeladen

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 

Kürzlich hochgeladen (20)

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Smart OpenID & Mobile Network Security

1. SMART OPENID & MOBILE NETWORK SECURITY: BRINGING STRONG AUTHENTICATION FOR INTERNET ACCESS ON MOBILE DEVICES
   Chip-to-Cloud 2012, 19-20 September 2012
   Yogendra Shah (InterDigital), Carsten Rust (Morpho Cards), Andreas Leicher (Novalyst)
   © 2012 InterDigital, Inc. All rights reserved.
2. Identity Management on Mobile Platforms
   • Users are used to an always connected Internet desktop experience
     • Mobile devices are being used more and more to store confidential data and for secure Internet transactions
     • Unlike desktops, mobile devices are more likely to be lost or stolen easily
   • Users are looking for a seamless and secure Internet experience
     • Concerned about the risk to privacy and about giving away their identity information to too many services
       • Sony PS network hack!
     • Want consistent, transparent and secure “one-click” access to Internet services
   • MNO backed single-sign-on or federated identity provides a framework for strong “branded” authentication security
     • Operator value-add with UICC-based credentials
3. OpenID – Industry Standard HTTP-based SSO Protocol
   • Lightweight protocol designed for Web 2.0
   • Improved user experience and persistent identities
   • Supported by industry groups and US government
   • Relevance for mobile markets is growing
   BUT …
   • Cuts the operator out of identity management
   • Burdens the authentication infrastructure
4. InterDigital’s Smart OpenID - Optimized for Wireless
   • Operator becomes the Identity Provider
   • Branding on web screen during logon
   • Strong user/device authentication built on the security of the smartcard / UICC
   • Significantly reduced burden on authentication servers
   • Roll-out feasible via over-the-air App to phone and SMS applet to UICC
5. Operator Anchored OpenID Proxy on UICC
   • GBA is used for application layer authentication bootstrapping based on UICC based credentials
   • The MNO acts as an OP, the OpenID Identity Provider
   • The 3GPP OpenID/GBA protocol runs between the IdP and the device, resulting in the following key hierarchy
     • A Smart OpenID specific shared key is established in the device and in the network by the GBA protocol
     • The key can be used to generate a Relying Party specific key as a trust anchor between the local OP and the network OP
     • Subsequent authentication runs can be seamless to the user
   • Related to 3GPP TR 33.924 OpenID/GBA
   Source: 3G Americas, Identity Management Overview of Standards & Technology
6. Smart OpenID Realization (1 of 4)
   One login, then “one-click” access to everything
   • Operator branded user authentication
   • Policy driven trust assurance
   • User authenticates to the device ONCE with password, biometrics, etc …
7. Smart OpenID Vision (2 of 4)
   • User navigates to Web services (Relying Parties)
   • Navigation triggers automated OpenID discovery and association with the identity provider (OpenID Provider) over the Internet
8. Smart OpenID Vision (3 of 4)
   • The OpenID provider has a local proxy on the UICC (UICC inside the phone)
   • In-device authentication (mymobile.IdP/myidentity) with the local proxy on the UICC
   • Over-the-air authentication with the mobile operator’s OpenID Provider
9. Smart OpenID Vision (4 of 4)
   • Policy driven automated access to Web services (Relying Parties)
   • Over-the-air assertion from the OpenID Provider to relying parties
10. Open Mobile API
   A software interface allowing applications access to the secure element (UICC) through the radio interface layer (RIL) on a smartphone
   A three-layer architecture for the API:
   • Application layer: represents the various applications that use the OpenMobileAPI
   • Service layer: abstracts the functions available in secure elements, such as cryptography and authentication
   • Transport layer: provides general access to secure elements using APDUs
11. Implementation of Smart OpenID on UICC
   • Using the OpenMobileAPI, the mobile application part of the local OP lies in the application layer
   • By calling APIs from the service layer, the application can
     • Securely store the secret on the UICC
     • Verify the user entered PIN to locally authenticate the end user
     • Sign the authentication assertion using the HMAC function
     • Communicate data with the generic transport API
   • All these service requests are converted into command APDUs in the transport layer and sent to the applet on the UICC
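The key hierarchy of slide 5 and the HMAC-signed assertion of slide 11, as an added example that is not part of the deck or of InterDigital's implementation. It assumes a constructed stand-in for the GBA-established Smart OpenID key, a single-block HKDF-Expand labelled with the RP realm as the (unspecified) RP-key derivation, and OpenID 2.0 key-value encoding of the signed fields; the network OP re-derives the RP key and checks the MAC, rejecting a tampered assertion or one signed for another RP.

```python
import hashlib
import hmac

# Constructed stand-in for the Smart OpenID specific key that GBA establishes
# in both the UICC (local OP) and the operator network (network OP).
K_SMART_OPENID = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Constructed positive-assertion fields in OpenID 2.0 field order.
ASSERTION_FIELDS = {
    "op_endpoint": "https://mymobile.IdP.example/openid",   # hypothetical
    "claimed_id": "https://mymobile.IdP.example/myidentity",
    "identity": "https://mymobile.IdP.example/myidentity",
    "return_to": "https://shop.example/login/return",        # hypothetical RP
    "response_nonce": "2012-09-19T10:00:00ZabcDEF",
    "assoc_handle": "smart-openid-001",
}


def derive_rp_key(k_smart: bytes, rp_realm: str) -> bytes:
    """Derive the Relying Party specific key from the GBA-derived key.
    Assumption: one-block HKDF-Expand (RFC 5869) with the RP realm as info;
    the deck leaves the actual KDF unspecified."""
    info = b"SmartOpenID-RP|" + rp_realm.encode("utf-8")
    return hmac.new(k_smart, info + b"\x01", hashlib.sha256).digest()


def kv_form(fields: dict) -> bytes:
    """OpenID 2.0 key-value encoding of the signed fields: 'key:value\\n'."""
    return "".join(f"{k}:{v}\n" for k, v in fields.items()).encode("utf-8")


def sign_assertion(k_rp: bytes, fields: dict) -> dict:
    """Local OP on the UICC: MAC the signed fields with the RP-specific key."""
    signed = dict(fields)
    signed["signed"] = ",".join(fields.keys())
    signed["sig"] = hmac.new(k_rp, kv_form(fields), hashlib.sha256).hexdigest()
    return signed


def verify_assertion(k_smart: bytes, rp_realm: str, assertion: dict) -> bool:
    """Network OP: re-derive the RP key and check the MAC in constant time."""
    names = assertion["signed"].split(",")
    if any(n not in assertion for n in names):
        return False
    fields = {n: assertion[n] for n in names}
    expected = hmac.new(derive_rp_key(k_smart, rp_realm), kv_form(fields),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])
```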
12. Smart OpenID - Identity Management for MNOs
   • Operator as an Identity Provider (OP)
     • Strong user/device authentication with ease of access to services
     • MNOs can leverage their branding and trust infrastructure to provide strong UICC backed authentication
     • Operator anchored trust foundation for any Web service (RPs)
     • Branding: custom Operator/Identity Provider web screen on login
     • 3rd party services can rely on trusted identity and attribute assertions from MNOs, such as
   • Viability from an Operator’s perspective
     • Authentication which builds upon the existing and proven security of the smartcard/UICC
     • Mechanism for roll-out of Single-Sign-On through remote download via SMS to the UICC
     • UICC is a controlled and manageable platform for all critical security operations
     • Downloadable Smart OpenID applet/application
     • Smartcard based, local authentication enables a secure exchange of identity attributes