Mobile based authentication and payment

Tutorial at NISnet winter school, April 2008, Finse, Norway

Transcript

  • 1. NISnet Winterschool, April 2008. Mobile based authentication and payment. Josef Noll, Prof. stip., University Graduate Center / University of Oslo, josef@unik.no
  • 2. Research and Education at Kjeller
    – Close relation to FFI, IFE, NILU, ...
    – Prof. from Univ. of Trondheim and Oslo
    Mobile Payment and Access, April 2008, Josef Noll
  • 3. Outline
    – Admittance, service access and payment
    – Mobile extensions
    – Introduction of RFID and NFC
    – Message: “Using the phone for payment and access”: Interfaces and standardisation; Phone implementations; Activities worldwide
    – Snapshots, Standardisation: “Who owns the SIM?”
    – My security infrastructure: Ownership versus management
  • 4. Service development (timeline 1970–2010)
    – 1G: Mobile telephony
    – 2G: Mobile telephony, SMS, FAX, Data
    – 3G: Multimedia communication
    – B3G: wireless services, personalised broadband
    Josef Noll, 26.4.2005, RFID - NFC tutorial
  • 5. The Service Challenge: Mobile and Proximity Services
    – Mobile services: services in the mobile network
    – Internet services: certificates, signed certificates
    – Proximity services: NFC; mobile initiated NFC service access; Payment; Access, Admittance
  • 6. Current Access & Authentication mechanisms
    – Login/password
    – Admission card
    – Payment card
    – Biometrics
  • 7. My phone collects all my security: SIM with NFC & PKI
  • 8. Mobile Services, incl. NFC
    – NFC needs next generation phones (S60, UIQ, ...)
    – Focus in 2008 on mobile web
    – Push content upcoming
    – Common Application development
    – Integrated SMS authentication
    – Chart: expected customer usage [%] (“have tried”) of mobile services in the Nordic market, 2006–2010, for Mobile Web, Push content, NFC payment and Application development [“Mobile Phone Evolution”, Movation White paper, May 2007]
    Josef Noll, “Who owns the SIM?”, 5 June 2007
  • 9. Mobile Phone supported access
    – SMS one-time password
    – MMS, barcode
    – eCommerce (SMS exchange)
    – Network authentication
    – WAP auto access
    – Applets: PIN code generation (Bank ID)
    – Future SIM
  • 10. WAP gateway: Seamless authentication
    – Diagram: HTTP request → WAP gateway → HTTP request; Hash 94815894 → cTHG8aseJPIjog==; sID: cTHG8aseJPIjog==; “Pictures for ’rzso’. Password:1234”
  • 11. Banking from the mobile phone
    – Security considerations: Equally secure as SMS; SIM authentication; Easy to use; Advanced functionality through PIN (if required)
    – Diagram: “Welcome Josef: (get your account status)”; Information: seamless phone (SIM) authentication, no customer input; Advanced functionality: using SIM, BankID or PIN (double security); Advanced security when required: Transfer, unit payments require BankID or PIN; Account status; NFC communication; NFC2SIM; SIM Smartcard interfaces ISO/IEC 7816
  • 12. MyBank example: Banking from the mobile phone
    – User incentive: “My account is just one click away”; “enhanced security for transactions”
    – Phone (SIM) authentication
    – Level 2 security through PKI/BankID/PIN?
  • 13. Authentication provider: Seamless authentication
    – Diagram: Auth. provider; Content access (.mp3, .jpg); Service access; Physical access; VPN access
  • 14. Outline
    – Admittance, service access and payment
    – Mobile extensions
    – Introduction of RFID and NFC
    – Message: “Using the phone for payment and access”: Interfaces and standardisation; Phone implementations; Activities worldwide
    – Snapshots, Standardisation: “Who owns the SIM?”
    – My security infrastructure: Ownership versus management
  • 15. ID, trust and personalisation provider
    – Who provides? Certificate, ID provider
    – Where to store? Network; Phone
    – How to store/backup? long term, short term
    – Remote services; Proximity services
  • 16. RFID Technology: Principle
    – RFID reader sends an RF signal; TAG receives it; TAG returns predefined signal
    – RFID TAG doesn’t need own power supply: TAG gets power to operate from the RF pulse of the reader
    – No need for physical sight or contact between reader and TAG
    – Each product can have own id-number
    Source: Eurescom P1346 D2, January 2004
  • 17. Passive RFID: Main frequencies
    – Chart: applications (Animal ID, Access Control, I.C. Cards, Item Management, Toll Roads) placed on a frequency axis from 10 kHz to 2.45 GHz, with bands at 125/133 kHz, 13.56 MHz, ~900 MHz and 2.45 GHz
    – Frequency division: Low: 100-500 kHz; Medium: 6-15 MHz; High: 850-950 MHz and 2.45 GHz
    – Active responses: AutoPass 5.8 GHz
    Source: Eurescom P1346 D2, January 2004
  • 18. Current Services and Applications: typical services made using RFID today
    – Sports Timing; Access Control; Animal Tracking; Asset Management; Baggage Handling; Product Authentication, Security; Supply Chain Management; Transportation, user information; Wireless Commerce, Payments, Toll Collection
    Source: Eurescom P1346 D2, January 2004
  • 19. Registration example: Birkebeiner
    – Online information to mobile phone
    – Could be used for photo, video, etc.
  • 20. Ticketing
    – Diagram: Cinema/Concerts, Football/Sport and Bus/Subway, each an RFID ticketing zone; MobileCommerce terminal incl. RFID tag; Ticketing terminal with RFID reader; RFID ticketing server
    Source: Eurescom P1346 D2, January 2004
  • 21. Supply chain
    – Diagram: supplier A, supplier 2 → processing → wholesaler → retailer → customers; Product Information Database; Presentation
    – RFID reader/gate can be placed along manufacturing lines (company internal) and along the distribution chain (company external/between the actors)
    Source: Eurescom P1346 D2, January 2004
  • 22. Visitor Density, two functions
    – Example 1, customer service (InfoSpot): “Where is my kid?” → “Where was ID 12 31 23 last seen?” → Reader X at the roller-coaster queue → “At the roller-coaster queue”
    – Example 2, resort owner services: “What ride has most users?” → Datamining over the System Database (Reader Y) → “Bumper cars; 200 users/day; 50cent/ride”
    Source: Eurescom P1346 D2, January 2004
  • 23. Technology: Range
    – From millimeters to tens of meters
    – Depends on antennas, power of reader, characteristics of TAG and operation principle
    – Range decided when application developed
    – ISO standards: proximity cards: 10 cm; vicinity cards: 1,5 m
    Source: Eurescom P1346 D2, January 2004
  • 24. NFC is ... Passive operation: RFID at 13.56 MHz
    – 1) Phone = Reader has static RF magnetic field (modem) and protocols
    – 2) Tag acts as resonator, “takes energy” ~1/r^6
    – Chart: power decrease of static and electromagnetic field versus distance (0,8 to 9,6), curves 1/r^2 and 1/r^6, normalised to 1
  • 25. Technology: Security considerations
    – In the past there was no need for security in RFID systems: logistic data collection; the information has no relevance or value anywhere else except the originally designed purpose
    – If TAGs are in consumer goods there is a need for security and privacy
    – Security protocols: Bilateral authentication; Key agreement; Encrypted communication
    – Secure communications needs computing resources
    – Personal items: Passport, Payment cards, mobile phone
    Source: Eurescom P1346 D2, January 2004
  • 26. ViVOtech 2006: Contactless replaces cash
  • 27. NFC technology and use case
    – Based on RFID technology at 13.56 MHz
    – ECMA-340, ISO/IEC 18092 & ECMA-352, ... standards
    – Typical operating distance 10 cm
    – Powered and non-self-powered devices
    – Compatible with RFID
    – Data rate today up to 424 kbit/s
    – Philips, Sony and Nokia
  • 28. NFC use cases
    – Payment and access: include Master-/Visacard in the phone; have small amount money electronically; admittance to work
    – Service Discovery: easy access to mobile services (Web page, SMS, call, ...); local information and proximity services (get a game)
    – Ticketing: Mobile tickets for plane, train, bus; Parents can order and distribute, ...
    Source: Nokia 6131 NFC Technical Product Description
  • 29. NFC standardisation
    – ECMA-340: Specifies the RF signal interface; Initialisation, anti-collision and protocols; Communication mode selection mechanism
    – ECMA-352 (v1, Dec 2003): Selects communication modes: NFC, PCD, and VCD; Enables communication in that mode
  • 30. NFCIP-2 Interface and protocol (ISO/IEC 21481)
    – Interface Standards: ECMA-340 (NFC mode); ISO/IEC 14443, PCD mode (MIFARE, FeliCa); ISO/IEC 15693, VCD mode (facility access)
  • 31. NFCIP-2 Interface and protocol (ISO/IEC 21481)
    – Diagram: NFC device, Proximity Card Reader, Vicinity Card Reader; marked “YES, 340 okay”
    – Interface Standards: NFC: ECMA-340; ISO/IEC 14443, PCD mode (MIFARE, FeliCa); ISO/IEC 15693, VCD mode (facility access)
  • 32. NFCIP-2 Interface and protocol (ISO/IEC 21481)
    – Diagram: NFC device, Proximity Card Reader, Vicinity Card Reader; marked “NO, 15693 okay”
    – Interface Standards: NFC: ECMA-340; ISO/IEC 14443, PCD mode (MIFARE, FeliCa); ISO/IEC 15693, VCD mode (facility access)
  • 33. Nokia 6131 Firmware: ISO 14443
    Source: Nokia 6131 NFC Technical Product Description
  • 34. NFC phone status (April 2008)
    – Nokia 3320, 5340, 6131, xx
    – Philips/Samsung X700
    – LG; Sagem; BenQ T80
    – Missing specifications: Motorola; HTC
  • 35. Time to market based on phone evolution (news items)
    – DnB Nor and Telenor to form mobile payments unit (posted April 21, 2008): Norwegian banking group DnB Nor and local telco Telenor have revealed plans to establish a new mobile payments program. The new mobile payments system, called Trusted Service Manager (TSM) Nordic, will be a subsidiary of Doorstep.
    – Orange delays NFC launch (posted April 16, 2008): Mobile operator Orange is postponing its commercial NFC launch by several months, according to CardLine Global.
    – Operators to Launch NFC-Based Mobile Payment Services (13th November 2007, Macau): 12 mobile operators will run trials of contactless mobile payment services in Australia, France, Ireland, Korea, Malaysia, Norway, The Philippines, Singapore, Taiwan, Turkey and the U.S. as a precursor to commercial launches.
    – Near Field Communications News and Insight: BBC names NFC a top technology for 2008 (posted January 16, 2008); Survey shows that US consumers want simple payment features for NFC phones (posted January 10, 2008); Report: Majority of phones will support NFC once standards are finalized (posted January 03, 2008)
    Source: NFCnews.com
  • 36. UNIK work
    – Key-exchange for admittance and content protection
    – Analysis and implementation of Easy Pairing
    – Easy Pairing: Use NFC to establish Bluetooth contact with Media Center; analyse phones: Nokia 3320, Nokia 6131
    – Experiences from Implementations: Phones and NFC tags; Linux pairing; Windows pairing
  • 37. Prototype: SMS key access
    – Diagram (Service Centre, Application, phone, NFC access unit): 1) Send SMS to recipient; 2) Send info; 3) Send service to phone; 4) Enters house with NFC access communication unit; NFC2SIM; SIM Smartcard interfaces ISO/IEC 7816
  • 38. Implementation
    – (1) Register the user
    – (2) Send mobile key (mKey) to user
    – (3) Receive info message
    – (4) Saving the NFC key
  • 39. ITEA WellCom: Interworking Set-top box and mobile
    – 1) Easy device set-up and communication
    – 2) Authentication and Service Access
    Source: Alcatel-Lucent, WellCom Meeting
  • 40. Easy Pairing Scenario
    – Using NFC for reading connectivity data of phone
    – Set-top box initiates process
    – NFC phones can pair through vicinity: phone in range; start Bluetooth scanning; request for pairing
    – 1. search for Bluetooth device; 2. identify phone (tag info); 3. service discovery on phone; 4. pairing
    – No NFC phone: use tag with Bluetooth information
    – Comment: Similar procedure for Wifi pairing; security in handling activities
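The four pairing steps on slide 40, modelled as an added example (not code from the tutorial or the UNIK project): the set-top box reads the phone's Bluetooth connectivity data over NFC and pairs only with the scanned device whose address matches, so a second device with the same name in range is never paired. Device names, addresses and service lists are constructed sample data.

```python
"""Added example: Easy Pairing model. Addresses and names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TagInfo:
    """Connectivity data read over NFC from the phone (or from a tag)."""
    bd_addr: str   # Bluetooth device address, any common separator
    name: str      # friendly name shown by the phone


@dataclass(frozen=True)
class ScanResult:
    """One device found by the set-top box's Bluetooth scan (step 1)."""
    bd_addr: str
    name: str
    services: tuple  # service names found by service discovery (step 3)


def normalise_addr(addr: str) -> str:
    """Canonical AA:BB:CC:DD:EE:FF form so tag and scan data compare reliably."""
    hexpart = addr.replace(":", "").replace("-", "").upper()
    if len(hexpart) != 12 or any(c not in "0123456789ABCDEF" for c in hexpart):
        raise ValueError(f"malformed Bluetooth address: {addr!r}")
    return ":".join(hexpart[i:i + 2] for i in range(0, 12, 2))


def easy_pair(tag: TagInfo, scan: list, required_service: str):
    """Steps 2-4: identify the phone by the address from the tag, check the
    wanted service, and return the single device to send the pairing request
    to. Returns None when no device or more than one device matches (an address
    clash), or when the phone does not offer the required service."""
    wanted = normalise_addr(tag.bd_addr)
    candidates = [d for d in scan if normalise_addr(d.bd_addr) == wanted]
    if len(candidates) != 1:
        return None
    phone = candidates[0]
    if required_service not in phone.services:
        return None
    return phone


# Constructed sample: the tag names one phone; two phones with the same
# friendly name are in range, so the name alone would be ambiguous.
SAMPLE_TAG = TagInfo("00-11-22-33-44-55", "Nokia 6131")
SAMPLE_SCAN = [
    ScanResult("00:11:22:33:44:55", "Nokia 6131", ("OBEX Object Push", "A2DP")),
    ScanResult("AA:BB:CC:DD:EE:FF", "Nokia 6131", ("OBEX Object Push",)),
]

if __name__ == "__main__":
    chosen = easy_pair(SAMPLE_TAG, SAMPLE_SCAN, "OBEX Object Push")
    print("pair with:", chosen.bd_addr if chosen else "nobody")
```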
  • 41. Example EnCap: Easy authentication
    – Challenge: Find your BankID to sign in for Internet banking; could be triggered through login: www.encap.mobi/demobank; using NFC for starting secure authentication
    – Tag starts application on phone; one time password created
    – Application areas: all kinds of authentication; local payment; BankID (while waiting for secure SIM)
  • 42. Interworking between NFC components
    – Easy programming through Java MIDlet: software development environment available
    – Interface to Java Card and Mifare environment
    – Tricky: Interworking Java Card, Mifare and Java
    – Ongoing: secure element = SIM
    Source: Nokia 6131 NFC Technical Product Description
  • 43. Ongoing technical work
    – Interaction SIM - Mifare - Mobile Phone = “Single-wire protocol”
    – Interaction Phone - Devices: Power-on/power-off
    – Roadmap for secure authentication
  • 44. New visions: GlobalPlatform, from current SIM to Future SIM
    – GlobalPlatform’s vision: the UICC as “Real Estate” for 3rd party security domains
    – To comply with 3G networking requirements (USIM): Security features (algorithms and protocols), longer key lengths; GSM uses EAP SIM: client authentication; UMTS uses EAP AKA: mutual authentication
    – 3rd party identities: ISIM application (IMS): private user identity, one or more public user identities
    – Current Telenor SIM (UICC) card (from 2001): long term secret
    – ETSI SCP, 3 new physical IFs (2009?): 12 Mb/s USB, SUN (Java), NFC (SWP); on-board WEB server!; Multi-Thread Plus
    Source: Judith Rossebø, Telenor
  • 45. New UICC Architecture / SIM advances
    – UICC elements: SIM and USIM (ID = IMSI & MSISDN); Common Storage: Phonebook; SIM Application Toolkit / CAT; UICC ID = ICCID
    – New: eHealth; Payment (EMV); Multimedia DRM (?); PKI / eID; Ticketing (DRM !); Electronic Purse
    – Interfaces: GSM allocated (2G/3G) IFs (5 connectors); NFC (or other) IF (1 connector); 12 Mb/s USB full speed IF
    Source: Judith Rossebø, Telenor
  • 46. UICC for multiple ID providers: Compartmentalisation of the UICC
    – 3rd party on-board applications featuring: Internal and segregated Security domains; Private entrances for SP to applications (own keys and key management); Use of NFC, USB IF or other common resources
    – MNO as house-keeper (Real Estate Manager)
    Source: Judith Rossebø, Telenor
  • 47. Third party business model
    – Content provider: Media, Banks, Telecom, Corporate, Home
    – Service providers; Service aggregator; Payment provider: Convenient interfaces, Ease of use
    – Identity and personalisation provider
    – Authentication and Access provider: Customer care; Convenience; Trust
  • 48. The secure element: SIM card
    – Diagram: Identity and personalisation provider sends key and credentials; Service aggregator sends info to recipient; Authentication and Access provider sends service to phone; NFC communication unit; NFC2SIM; SIM Smartcard interfaces ISO/IEC 7816
    – SIM is secure element: controlled environment; over-the-air update; open for applications
    – SIM will be owned by user, managed by trusted third party
  • 49. Challenges and Benefits
    – Chart (0–200, 2006–2010): Telco favourite versus Third party favourite
    – Convenience of usage; How insecure is the Internet?; Will the phone be the only secure element?
    – Visa and Mastercard enable convenient small amount purchases
    – Are Google, facebook and flickr more trusted than telecom operators?
    – Dynamic service environment? On-the-fly creation of services?
  • 50. Conclusions on Near Field Communications
    – Standardisation well under way: NFC with three modes; SIM interworking; power on (payment) versus power off (ticket)
    – Commercial kick-off visible: Pre-commercial trials “everywhere”; Critical hand-set status (only low-range phones)
    – Unclear business models: variety of application areas; co-operation and revenue sharing; “Sufficient Security”?
    – Teaching the customer: easy to use; “always available”