Over the Air 2011 Security Workshop
https://labs.ericsson.com/apis?api_category=199

Ericsson Labs' presentation at Over the Air 2011.

Examples of how to establish a trusted identity, how to do mash-ups of multiple data feeds and how to secure peer-to-peer communication.

Presentation Transcript

  • OTA 2011 Workshop: Security enablers at Ericsson Labs
  • This is Ericsson
    › Ericsson’s first telephone, 1878
    › World’s first LTE network, 2009
    › We no longer manufacture phones (Sony-Ericsson does)
    › More than 40% of the world’s mobile traffic passes through Ericsson networks
    › We have customers in more than 180 countries and over 98,000 employees
    › We are largely a software company
    OTA workshop 2011 | Public | © Ericsson AB 2011 | 2011-08-30 | Page 2
  • What is Ericsson Labs?
    › Experimental: early technology trials
    › Open innovation: APIs for new technologies
    › Creativity: new innovation by developers
    › 50 bn connected devices: M2M service enablers
    › Simplify: hide cloud complexity; low barriers to entry
    › Provide: easy to use APIs/SDKs; early & perpetual beta
    › Converse: expert support; feedback
  • Ericsson Labs APIs
    [Figure: API grid by category: Maps & positioning, Communication, Security, Web technologies, Media and graphics, User & network information, Machine learning, NFC & sensors. The Security column lists Mobile Web Security Bootstrap, OAuth2 Framework, CAPTCHA, Identity Management Framework and Key Management Service. Other APIs named in the grid include 3D Landscape, Mobile Location, Maps, SMS Send & Receive, Mobile Push, Group Voice Mixer, Web Async Voice, Face Detector, Streaming Media, Converting Media, Text-to-Speech, Mobile Connectivity, Mobile Identification, Network Look-up, Network Probe, Web Background, EventSource, Web Device Connectivity, Distributed Shared Memory, Web Real-Time Communication, Cluster Constructor, Sensor Networking Application Platform, Mobile Sensor Actuator Link and Tag Tool.]
  • Agenda (section divider): SIM card identification › Federated authentication › Delegated authorization › P2P key exchange
  • SIM card identification 1/3
    › P: The traditional authentication scheme with username/password has several drawbacks
    › Q: What if we could use the credentials stored on the SIM card instead?
    › A: This is exactly what the 3GPP standard GBA (Generic Bootstrapping Architecture) accomplishes. Basically, we replace
      – the username with the subscriber identity; and
      – the password with the subscriber key
    › The MWSB (Mobile Web Secure Bootstrapping) enabler allows you to try it out in your own web application
    [Figure: Top ten PlayStation Network passwords (Digicure, 2011): password, 12345678, 123456, 123, winner, 123456789, seinfeld, 1234, 12345]
    [Figure caption: Attempt to increase security through SMS verification]
  • SIM card identification 2/3
    1. The client bootstraps (using the SIM card) with the GBA server and obtains a key (Ks_NAF)
    2. The client authenticates itself to the web app using HTTP(S) Digest with the key as password and a temporary identifier (B-TID) as username
    3. The web application sends the identifier to the GBA server, receives the key, and validates the client-supplied password
  • SIM card identification 3/3
    › Pros: high security, convenient for the user, standardized
    › Cons: currently not supported by browsers; forced to rely on a plugin, an applet, or a re-compiled browser engine
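A runnable model of steps 2 and 3 of the three-step flow above, added here as an example (it is not code from the deck or from the MWSB enabler): the client answers an HTTP Digest challenge with the B-TID as username and Ks_NAF as password, and the web application looks the B-TID up at the GBA server and recomputes the digest. The GBA server lookup is a dict, the realm, nonce and key bytes are constructed, and base64 as the password encoding of Ks_NAF is an assumption of this example.

```python
import base64
import hashlib
import hmac

# Constructed: what the GBA server knows after step 1, keyed by B-TID. A real web
# app fetches Ks_NAF from the GBA server; a dict stands in so the example runs offline.
BSF_KEYS = {
    "example-btid@bsf.example.net": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}
REALM = "3GPP-bootstrapping@naf.example.net"  # constructed realm of the web app
NONCE = "constructed-server-nonce"             # the web app issues a fresh one per challenge

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, password, method, uri, nonce, cnonce, nc):
    """RFC 2617 Digest response with qop=auth: H(H(A1):nonce:nc:cnonce:auth:H(A2))."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def client_authenticate(btid, ks_naf, method, uri, cnonce="constructed-cnonce"):
    """Step 2: answer the Digest challenge with username=B-TID and password=Ks_NAF.
    Base64 as the password encoding of Ks_NAF is an assumption of this example."""
    password = base64.b64encode(ks_naf).decode()
    nc = "00000001"
    return {"username": btid, "uri": uri, "cnonce": cnonce, "nc": nc,
            "response": digest_response(btid, password, method, uri, NONCE, cnonce, nc)}

def naf_verify(auth, method):
    """Step 3: resolve the B-TID to Ks_NAF at the GBA server and recompute the digest.
    An unknown (or expired) B-TID has no key, so the request is rejected."""
    ks_naf = BSF_KEYS.get(auth["username"])
    if ks_naf is None:
        return False
    password = base64.b64encode(ks_naf).decode()
    expected = digest_response(auth["username"], password, method, auth["uri"],
                               NONCE, auth["cnonce"], auth["nc"])
    return hmac.compare_digest(expected, auth["response"])  # constant-time compare

if __name__ == "__main__":
    btid = "example-btid@bsf.example.net"
    auth = client_authenticate(btid, BSF_KEYS[btid], "GET", "/protected")
    print("valid client:", naf_verify(auth, "GET"))       # True
    auth["response"] = "0" * 32
    print("tampered response:", naf_verify(auth, "GET"))  # False
```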
  • Agenda (section divider): SIM card identification › Federated authentication › Delegated authorization › P2P key establishment
  • Federated authentication 1/3
    › P: Password management is costly for site owners and user experience is negatively affected due to differing password policies
    › Q: What if site owners could delegate authentication to a trusted party where authentication can be enforced to be strong?
    › A: This can be achieved with the OpenID protocol where the OpenID Provider acts as the trusted party. The security can be further improved by combining OpenID with SIM based identification.
    › The Identity Management Framework on Ericsson Labs is running an OpenID provider which your web app can use (instructions and Java code available)
    [Figure: delegated authentication]
  • Federated authentication 2/3
    [Figure: numbered OpenID authentication flow]
    › How the user authenticates (4) is intentionally left unspecified and both username/password and SIM based identification can be used.
  • Federated authentication 3/3
    [Figure: login options at the OpenID Provider: traditional username/password, or SIM based identification (automatic) via a modified WebKit, a GBA applet, or a GBA plugin]
  • Agenda (section divider): SIM card identification › Federated authentication › Delegated authorization › P2P key establishment
  • Delegated authorization 1/3
    › P: Users are willing to share limited portions of their data, but without losing control over who is accessing the data and what part of it is being accessed.
    › Q: Why not use a standardized token based delegation pattern?
    › A: OAuth is an IETF effort to standardize and isolate delegated authorization, making it simpler to reuse both code and know-how about how authorization is handled.
  • Delegated authorization 2/3
    [Figure: OAuth flow between the Browser, the Webclient (service provider, RP), the Authorization Server (which authenticates the user via the OP Server and GBA) and the Resource Server holding the Protected Resource. Elements shown: ClientID, ClientSecret, CallbackURI, Scope, Code, OauthToken; steps: Authenticate, Authorize]
  • Delegated authorization 3/3
    [Figure: screenshots of the authorization dialog on Desktop and Mobile]
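The code flow from the figure, as an added example (not the Ericsson Labs OAuth2 Framework's own code) of the checks an authorization server has to make on the ClientID, ClientSecret, CallbackURI, Code and Scope it sees: the redirect URI must match the registration, the code must be bound to the client that redeems it, and it must be single-use and short-lived. The registered client, its secret and redirect URI, and the scope names are constructed placeholders.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed client registration (placeholder values, not a real Labs registration).
CLIENTS = {"demo-client": {"secret": "demo-secret",
                           "redirect_uri": "https://rp.example/callback"}}


class AuthorizationServer:
    """Authorization-code grant reduced to the checks that decide its security."""

    def __init__(self, code_ttl=60):
        self.codes = {}   # code -> (client_id, redirect_uri, scope, user, expiry)
        self.tokens = {}  # access token -> (user, scope)
        self.code_ttl = code_ttl

    def authorize(self, client_id, redirect_uri, scope, user):
        """Runs after the user authenticated (via OpenID in this deck) and consented.
        Returns the CallbackURI carrying the Code."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            # Never redirect to an unregistered URI: the code would leak with it.
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, scope, user,
                            time.time() + self.code_ttl)
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Code exchange: authenticate the client, then require that the code was
        issued to this client for this redirect URI and is unexpired and unused."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return None
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None:
            return None
        c_id, c_uri, scope, user, expiry = entry
        if c_id != client_id or c_uri != redirect_uri or time.time() > expiry:
            return None
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (user, scope)
        return {"access_token": access_token, "token_type": "bearer", "scope": scope}

    def introspect(self, access_token):
        """What the resource server asks: which user and scope does this token cover?"""
        return self.tokens.get(access_token)
```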
  • Agenda (section divider): SIM card identification › Federated authentication › Delegated authorization › P2P key establishment
  • P2P key establishment 1/3
    › P: Up until now we have only considered client-server applications where it is relatively easy to protect communications using TLS/SSL. In a P2P application where there is no existing trust relation between the parties (e.g., certificates or keys), setting up a secure channel is more complex.
    › Q: How can we enable secure, end-to-end communication in a P2P application?
    › A: With the help of a KMS (Key Management Server) the two parties are able to establish a shared secret key which in turn is used to set up the secure channel.
    [Figure: use cases: VoIP, messaging, file sharing]
  • P2P key establishment 2/3
    › Based on the MIKEY-TICKET protocol (RFC 6043) which is designed for high security applications (e.g., national safety, police, etc.)
    › Note that there must exist a trust relationship between each client and the KMS. The 3GPP recommended solution is to use the SIM card.
  • P2P key establishment 3/3
    › The KMS API at Ericsson Labs can be used to secure any type of communication, for example VoIP (above figures)
    › Most of the signalling is hidden by the API. Setting up the shared secret key requires only a few lines of code
    › The API is written in C but can still be used in Android using JNI (Java Native Interface)
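A simplified model of the KMS-mediated exchange described on these three slides, added here as an example: it is not the Ericsson Labs KMS API (which is in C) and not the RFC 6043 message format, only the ticket request / transfer / resolve structure, with HMAC-SHA256 standing in for the protocol's MACs and key derivation. The client names and their long-term KMS keys are constructed; the point it shows is that the KMS alone enforces who can resolve a ticket.

```python
import hashlib
import hmac
import secrets

# Constructed long-term keys shared between each client and the KMS. In the 3GPP
# solution this trust is rooted in the SIM card (GBA); here the keys are fixed bytes.
CLIENT_KEYS = {"alice": b"alice-kms-key-constructed", "bob": b"bob-kms-key-constructed"}

def _prf(key, *parts):
    """HMAC-SHA256 as MAC and KDF; hex output keeps tickets free of the '|' separator."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest().encode()

class KMS:
    """Issues tickets to initiators and resolves them for responders. Every request is
    authenticated with the caller's client key; the master key never leaves the KMS."""

    def __init__(self):
        self.master = secrets.token_bytes(32)

    def _caller_ok(self, user, msg, tag):
        return user in CLIENT_KEYS and hmac.compare_digest(_prf(CLIENT_KEYS[user], msg), tag)

    def request_ticket(self, initiator, responder, tag):
        """REQUEST: initiator asks for a ticket addressed to responder; gets ticket + TGK."""
        if not self._caller_ok(initiator, responder.encode(), tag):
            return None
        body = b"|".join([initiator.encode(), responder.encode(),
                          secrets.token_hex(16).encode()])
        ticket = body + b"|" + _prf(self.master, b"mac", body)
        return ticket, _prf(self.master, b"tgk", body)  # TGK = traffic-generating key

    def resolve(self, responder, ticket, tag):
        """RESOLVE: responder gets the TGK only if the ticket is genuine and addressed to it."""
        if not self._caller_ok(responder, ticket, tag):
            return None
        body, mac = ticket.rsplit(b"|", 1)
        if not hmac.compare_digest(_prf(self.master, b"mac", body), mac):
            return None
        if body.split(b"|")[1] != responder.encode():
            return None  # ticket was issued for a different peer
        return _prf(self.master, b"tgk", body)

def establish(kms, initiator, responder):
    """REQUEST, TRANSFER of the ticket to the peer, RESOLVE: both ends hold the same TGK
    although they never shared a key with each other."""
    ticket, tgk_init = kms.request_ticket(
        initiator, responder, _prf(CLIENT_KEYS[initiator], responder.encode()))
    tgk_resp = kms.resolve(responder, ticket, _prf(CLIENT_KEYS[responder], ticket))
    return tgk_init, tgk_resp
```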
  • How does it all fit together?
    [Figure: SIM identification → used in → Federated AuthN (OpenID) → used in → Delegated AuthZ (OAuth); P2P Key Est. shown alongside]
    › The OAuth Authorization server authenticates the user using OpenID
    › The OpenID Provider authenticates the user using SIM card identification
    › The P2P key establishment is largely independent from the other tools (though the peer-KMS trust relation is based on SIM card identification)
  • DEMO – Mashing Google Latitude
    › 23 APIs as of end of September 2011.
  • You can try! Demo setup: http://eus2.fuatara.com:8080/latitude/
    [Figure: demo architecture with the components HTTP REST Endpoint, Authentication Filter (OAuth), Latitude Token Filter, RestClient, GMap, FreeMarker, Populated Data Model and Mashup Presentation]
  • Q&A – Visit: labs.ericsson.com