Smart OpenID & Mobile Network Security

Smart OpenID brings strong authentication for Internet cloud service access to mobile devices by leveraging the cryptographic capabilities provided by smart cards and secure elements in mobile phones.

Presentation held at the Chip-to-Cloud Forum in Nice, September 2012.

Presentation Transcript

  • Slide 1: SMART OPENID & MOBILE NETWORK SECURITY: BRINGING STRONG AUTHENTICATION FOR INTERNET ACCESS ON MOBILE DEVICES. Chip-to-Cloud 2012, 19-20 September 2012. Yogendra Shah (InterDigital), Carsten Rust (Morpho Cards), Andreas Leicher (Novalyst). © 2012 InterDigital, Inc. All rights reserved.
  • Slide 2: Identity Management on Mobile Platforms
    • Users are used to an always connected Internet desktop experience
    • Mobile devices are being used more and more to store confidential data and for secure Internet transactions
    • Unlike desktops, mobile devices are more likely to be lost or stolen easily
    • Users are looking for a seamless and secure Internet experience
      • Concerned about the risk to privacy and giving away their identity information to too many services (Sony PS network hack!)
      • Want consistent, transparent and secure “one-click” access to Internet services
    • MNO backed single sign-on or federated identity provides a framework for strong “branded” authentication security
    • Operator value-add with UICC-based credentials
  • Slide 3: OpenID, Industry Standard HTTP-based SSO Protocol
    • Lightweight protocol designed for Web 2.0
    • Improved user experience and persistent identities
    • Supported by industry groups and US government
    • Relevance for mobile markets is growing
    • BUT … cuts the operator out of identity management and burdens the authentication infrastructure
  • Slide 4: InterDigital’s Smart OpenID, Optimized for Wireless
    • Operator becomes the Identity Provider
    • Branding on web screen during logon
    • Strong user/device authentication built on the security of the smartcard / UICC
    • Significantly reduced burden on authentication servers
    • Roll-out feasible via over-the-air App to phone and SMS applet to UICC
  • Slide 5: Operator Anchored OpenID Proxy on UICC
    • GBA is used for application layer authentication bootstrapping based on UICC based credentials
    • The MNO acts as an OP, Identity Provider
    • The 3GPP OpenID/GBA protocol runs between the IdP and the device, resulting in the following key hierarchy
      • A Smart OpenID specific shared key is established in the device and in the network by the GBA protocol
      • The key can be used to generate a Relying Party specific key as a trust anchor between the local OP and the network OP
    • Subsequent authentication runs can be seamless to the user
    • Related to 3GPP TR 33.924 OpenID/GBA
    • Source: 3G Americas, Identity Management Overview of Standards & Technology
  • Slide 6: Smart OpenID Realization (1 of 4): One login, then “one-click” access to everything. Diagram labels: Operator branded user authentication; Policy driven trust assurance; User authenticates to device ONCE with password, biometrics, etc.
  • Slide 7: Smart OpenID Vision (2 of 4): User navigates to Web services. Diagram labels: Relying Parties; Navigation triggers automation; OpenID discovery and association with identity provider over the Internet; OpenID Provider.
  • Slide 8: Smart OpenID Vision (3 of 4): OpenID provider has a local proxy on the UICC. Diagram labels: UICC inside Phone; In-device authentication with local proxy on UICC (mymobile.IdP/myidentity); Over-the-air authentication with mobile operator; OpenID Provider.
  • Slide 9: Smart OpenID Vision (4 of 4): Policy driven automated access to Web services. Diagram labels: Relying Parties; Over-the-Air assertion to relying parties; OpenID Provider.
  • Slide 10: Open Mobile API
    • A software interface allowing applications access to the secure element (UICC) through the radio interface layer (RIL) on a smartphone
    • A three-layer architecture for the API
      • Application layer: represents the various applications that use OpenMobileAPI
      • Service layer: abstracts the available functions, such as cryptography and authentication, in secure elements
      • Transport layer: provides general access to secure elements using APDUs
  • Slide 11: Implementation of Smart OpenID on UICC
    • Using the OpenMobileAPI, the mobile application part of the local OP lies in the application layer
    • By calling APIs from the service layer, the application can
      • Securely store the secret on the UICC
      • Verify the user entered PIN to locally authenticate the end user
      • Sign the authentication assertion using the HMAC function
      • Communicate data with the generic transport API
    • All these service requirements are converted into command APDUs in the transport layer and sent to the applet on the UICC
  • Slide 12: Smart OpenID, Identity Management for MNOs
    • Operator as an Identity Provider (OP)
      • Strong user/device authentication with ease of access to services
      • MNOs can leverage their branding and trust infrastructure to provide strong UICC backed authentication
      • Operator anchored trust foundation for any Web service (RPs)
      • Branding: custom Operator/Identity Provider web screen on login
      • 3rd party services can rely on trusted identity and attribute assertions from MNOs, such as
    • Viability from an Operator’s perspective
      • Authentication which builds upon the existing and proven security of the smartcard/UICC
      • Mechanism for roll-out of Single Sign-On through remote download via SMS to UICC
      • UICC is a controlled and manageable platform for all critical security operations
      • Downloadable Smart OpenID applet/application
      • Smartcard based, local authentication enables a secure exchange of identity attributes
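The key hierarchy on slide 5 (GBA-bootstrapped key, Smart OpenID specific key, Relying Party specific key) and the local OP duties on slide 11 (PIN verification, HMAC-signed assertion) can be modelled end to end. The following Python is an added example written for this page, not code from InterDigital or the presenters: the GBA-bootstrapped key is a constructed random secret shared by both sides, the single-step HMAC-SHA256 KDF and its labels (`smart-openid`, `rp-key`) are assumptions standing in for the 3GPP derivation, and the signed-field layout follows the OpenID 2.0 key-value form. The network OP verifies the assertion with the same RP specific key and rejects tampered or replayed assertions.

```python
import base64
import hashlib
import hmac
import secrets

# Signed fields of an OpenID 2.0 positive assertion (names without "openid." prefix)
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]


def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    """Single-step HMAC-SHA256 KDF. Assumption of this example; the real
    deployment uses the 3GPP GBA key derivation (TR 33.924)."""
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()


def derive_smart_openid_key(ks_naf: bytes, op_endpoint: str) -> bytes:
    """Smart OpenID specific key, derived identically on UICC and network OP."""
    return kdf(ks_naf, b"smart-openid", op_endpoint.encode())


def derive_rp_key(k_so: bytes, rp_realm: str) -> bytes:
    """Relying Party specific key: the trust anchor between local and network OP."""
    return kdf(k_so, b"rp-key", rp_realm.encode())


def kv_form(fields: dict, signed: list) -> bytes:
    """OpenID 2.0 key-value form of the signed fields, in the listed order."""
    return b"".join(f"{name}:{fields[name]}\n".encode() for name in signed)


class LocalOP:
    """Models the Smart OpenID applet on the UICC: holds K_SO, verifies the
    user PIN locally with a retry counter, and signs assertions with the RP key."""

    def __init__(self, ks_naf: bytes, op_endpoint: str, pin: str, max_tries: int = 3):
        self._k_so = derive_smart_openid_key(ks_naf, op_endpoint)
        self._pin = pin.encode()          # stored inside the tamper-resistant UICC
        self._tries_left = max_tries
        self.unlocked = False

    def verify_pin(self, entered: str) -> bool:
        if self._tries_left == 0:
            return False                   # applet blocked after too many wrong PINs
        if hmac.compare_digest(self._pin, entered.encode()):
            self.unlocked = True
            return True
        self._tries_left -= 1
        return False

    def sign_assertion(self, fields: dict) -> dict:
        if not self.unlocked:
            raise PermissionError("user must authenticate to the UICC first")
        k_rp = derive_rp_key(self._k_so, fields["realm"])
        mac = hmac.new(k_rp, kv_form(fields, SIGNED_FIELDS), hashlib.sha256).digest()
        assertion = dict(fields)
        assertion["signed"] = ",".join(SIGNED_FIELDS)
        assertion["sig"] = base64.b64encode(mac).decode()
        return assertion


class NetworkOP:
    """Operator-side OP: re-derives the RP key and checks signature and nonce."""

    def __init__(self, ks_naf: bytes, op_endpoint: str):
        self._k_so = derive_smart_openid_key(ks_naf, op_endpoint)
        self._seen_nonces = set()          # replay protection for response_nonce

    def verify_assertion(self, assertion: dict) -> bool:
        if assertion.get("signed", "").split(",") != SIGNED_FIELDS:
            return False                   # every security-relevant field must be signed
        try:
            sig = base64.b64decode(assertion["sig"], validate=True)
            body = kv_form(assertion, SIGNED_FIELDS)
        except (KeyError, ValueError):
            return False
        k_rp = derive_rp_key(self._k_so, assertion["realm"])
        expected = hmac.new(k_rp, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        if assertion["response_nonce"] in self._seen_nonces:
            return False
        self._seen_nonces.add(assertion["response_nonce"])
        return True


def demo() -> dict:
    """One full run: wrong PIN, correct PIN, valid assertion, replay, tampering."""
    ks_naf = secrets.token_bytes(32)      # constructed: stands for the GBA-bootstrapped key
    op = "https://op.mno.example/openid"  # constructed endpoint
    local, network = LocalOP(ks_naf, op, pin="1234"), NetworkOP(ks_naf, op)
    fields = {"op_endpoint": op, "return_to": "https://rp.example/login/return",
              "realm": "https://rp.example/", "response_nonce": "2012-09-19T10:00:00Zabc",
              "assoc_handle": "assoc-0001", "claimed_id": "https://op.mno.example/id/alice",
              "identity": "https://op.mno.example/id/alice"}
    results = {"pin_wrong": local.verify_pin("0000"), "pin_ok": local.verify_pin("1234")}
    assertion = local.sign_assertion(fields)
    results["valid"] = network.verify_assertion(assertion)
    results["replay"] = network.verify_assertion(assertion)
    results["tampered"] = network.verify_assertion(
        dict(assertion, identity="https://op.mno.example/id/bob"))
    return results


if __name__ == "__main__":
    print(demo())
```

The RP specific key is what limits blast radius: a compromised RP key lets nobody forge assertions for another realm, and the nonce set on the network OP is the minimum needed to stop a captured assertion being presented twice.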