Smart OpenID brings strong authentication for internet cloud service access to mobile devices by leveraging the crypto capabilities provided by smart cards and secure elements in mobile phones.
Presentation held at Chip-To-Cloud Forum in Nice, September 2012
2. Identity Management on Mobile Platforms
• Users are used to an always connected Internet desktop experience
• Mobile devices are being used more and more to store confidential data and for secure Internet transactions
• Unlike desktops, mobile devices are more likely to be lost or stolen easily
• Users are looking for a seamless and secure Internet experience
  • Concerned about the risk of privacy and giving away their identity information to too many services
  • Sony PS network hack!
  • Want consistent, transparent and secure “one-click” access to Internet services
• MNO backed single-sign-on or federated identity provides a framework for strong “branded” authentication security
• Operator value-add with UICC-based credentials
3. OpenID – Industry Standard HTTP-based SSO Protocol
• Lightweight protocol designed for Web 2.0
• Improved user experience and persistent identities
• Supported by industry groups and US government
• Relevance for mobile markets is growing
BUT …
• Cuts operator out of identity management
• Burdens the authentication infrastructure
4. InterDigital’s Smart OpenID - Optimized for Wireless
Smart OpenID
• Operator becomes the Identity Provider
• Branding on web screen during logon
• Strong user/device authentication built on security of smartcard / UICC
• Significantly reduced burden on authentication servers
• Roll-out feasible via over-the-air App to phone and SMS applet to UICC
5. Operator Anchored OpenID Proxy on UICC
• GBA is used for application layer authentication bootstrapping based on UICC based credentials
• The MNO acts as an OP, Identity Provider
• 3GPP OpenID/GBA protocol runs between the IdP and the device resulting in the following key hierarchy
  • A Smart OpenID specific shared key is established in the device and in the network by the GBA protocol
  • The key can be used to generate a Relying Party specific key as a trust anchor between the local OP and the network OP
  • Subsequent authentication runs can be seamless to the user
• Related to 3GPP TR 33.924 OpenID/GBA
[Figure: key hierarchy diagram. Source: 3G Americas, Identity Management Overview of Standards & Technology]
6. Smart OpenID Realization (1 of 4)
One login, then “one-click” access to everything
[Figure: operator branded user authentication; policy driven trust assurance. User authenticates to device ONCE with password, biometrics, etc.]
7. Smart OpenID Vision (2 of 4)
User navigates to Web services
[Figure: Relying Parties, OpenID Provider. Navigation triggers automation: OpenID discovery and association with identity provider over the Internet]
8. Smart OpenID Vision (3 of 4)
OpenID provider has a local proxy on the UICC
[Figure: UICC inside phone. In-device authentication (mymobile.IdP/myidentity with local proxy on UICC); over-the-air authentication with mobile operator; OpenID Provider]
9. Smart OpenID Vision (4 of 4)
Policy driven automated access to Web services
[Figure: Relying Parties, OpenID Provider. Over-the-air assertion to relying parties]
10. Open Mobile API
A software interface allowing applications access to the secure element (UICC) through the radio interface layer (RIL) on a smartphone
A three-layer architecture for the API
• Application layer: represents the various applications that use OpenMobileAPI
• Service layer: abstracts the available functions, such as cryptography and authentication, in secure elements
• Transport layer: provides general access to secure elements using APDUs
11. Implementation of Smart OpenID on UICC
• Using the OpenMobileAPI, the mobile application part of the local OP lies in the application layer
• By calling APIs from the service layer, the application can
  • Securely store the secret on the UICC
  • Verify the user entered PIN to locally authenticate the end user
  • Sign the authentication assertion using the HMAC function
  • Communicate data with the generic transport API
• All these service requirements are converted into command APDUs in the transport layer and sent to the applet on the UICC
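To make the key hierarchy of slide 5 and the applet operations of slide 11 concrete, here is an added Python model that is not InterDigital's code and not the 3GPP-defined GBA KDF: one GBA-derived key shared by the UICC and the network OP, a Relying Party specific key derived from it per realm, PIN-gated HMAC signing of the OpenID assertion in the local OP, and verification of that assertion by the network OP. The KDF construction, NAF identifier, realm, retry limit and signed field list are assumptions.

```python
import base64
import hashlib
import hmac

def kdf(key: bytes, label: str, *ctx: bytes) -> bytes:
    # HMAC-SHA256 derivation; an assumption standing in for the 3GPP GBA KDF.
    h = hmac.new(key, label.encode(), hashlib.sha256)
    for c in ctx:
        h.update(len(c).to_bytes(2, "big") + c)
    return h.digest()

def derive_rp_key(ks: bytes, realm: str) -> bytes:
    # Slide 5 hierarchy: GBA key -> Smart OpenID key -> Relying Party specific key.
    # The UICC applet and the network OP each run this from their own copy of Ks.
    smart_openid_key = kdf(ks, "smart-openid", b"naf:op.mno.example")  # constructed NAF id
    return kdf(smart_openid_key, "rp", realm.encode())

SIGNED = ["op_endpoint", "claimed_id", "return_to", "response_nonce", "assoc_handle"]
def kv_form(fields: dict, signed: list) -> bytes:
    # OpenID 2.0 key-value form ("key:value\n") of the fields listed in openid.signed.
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()

class LocalOP:
    """Model of the local OP applet on the UICC: PIN gate, then HMAC signing."""
    MAX_TRIES = 3  # assumed retry limit before the applet blocks

    def __init__(self, ks: bytes, pin: str):
        self._ks, self._pin = ks, pin  # secrets stay inside the applet
        self.tries_left, self.unlocked = self.MAX_TRIES, False

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left == 0:  # blocked: no further attempts accepted
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left, self.unlocked = self.MAX_TRIES, True
        else:
            self.tries_left, self.unlocked = self.tries_left - 1, False
        return self.unlocked

    def sign_assertion(self, fields: dict, realm: str) -> dict:
        if not self.unlocked:  # local user authentication must precede signing
            raise PermissionError("PIN not verified")
        sig = hmac.new(derive_rp_key(self._ks, realm), kv_form(fields, SIGNED), hashlib.sha256).digest()
        return {**fields, "signed": ",".join(SIGNED), "sig": base64.b64encode(sig).decode()}

def network_op_verify(ks: bytes, realm: str, assertion: dict) -> bool:
    # Network OP recomputes the RP key from its GBA key and checks the assertion HMAC.
    key = derive_rp_key(ks, realm)
    expected = hmac.new(key, kv_form(assertion, assertion["signed"].split(",")), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(assertion["sig"]))
```

Because the RP key is bound to the realm, an assertion signed for one Relying Party does not verify under another realm, and a tampered field breaks the signature.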
12. Smart OpenID - Identity Management for MNOs
• Operator as an Identity Provider (OP)
  • Strong user/device authentication with ease of access to services
  • MNOs can leverage their branding and trust infrastructure to provide strong UICC backed authentication
  • Operator anchored trust foundation for any Web service (RPs)
  • Branding: custom Operator/Identity Provider web screen on login
  • 3rd party services can rely on trusted identity and attribute assertions from MNOs, such as
• Viability from an Operator’s perspective
  • Authentication which builds upon existing and proven security of the smartcard/UICC
  • Mechanism for roll-out of Single-Sign-On through remote download via SMS to UICC
  • UICC is a controlled and manageable platform for all critical security operations
  • Downloadable Smart OpenID applet/application
  • Smartcard based, local authentication enables a secure exchange of identity attributes