Mobile phone as Trusted identity assistant


A presentation for ISC2 Identity web-conference.

Published in: Technology

  1. The future of a smart mobile device as a trusted personal identity management assistant
     Vladimir Jirasek, CISSP-ISSAP & ISSMP, CISM, CISA
     • Senior Enterprise Security Architect, Nokia
     • Steering Group, Common Assurance Maturity Model
     • Non-executive director, CSA UK & Ireland
  2. Identity model in a physical world
     • Mutual international acceptance of government issued passports.
     • Acceptance of country specific ID cards within the country by government agencies and businesses.
  3. Identity problem in cyber space
  4. Identity problem in cyber space
     • Security risk, inconvenience and economic acceleration hindrance
  5. Digital catching up with physical: governments are waking up
     • USA – National Strategy for Trusted identity in Cyberspace (NSTIC)
     • EU – European ID (eID)
     • Other states may have their own plans
     • Leading think tank on information security: principles of de-perimeterisation (2006); now published Identity Commandments (May 2011)
     • Interoperability is not a given but should be architected into digital identity systems
     • NSTIC already in discussions with leading identity providers
  6. The shift in identity management is imminent
     • People will embrace a new way of identity management
     • Iceberg will topple (violently – be prepared)
     • Single (or very few) personal identity
     • Self-assured or trusted attribute providers
     • We need a trusted device that manages this for us
  7. Mobile device becomes ubiquitous identity assistant
     [Diagram; surviving labels:]
     • Certifies attributes
     • Certifies Identity provider
     • Certifies Attribute provider
     • Contract
     • Requests identity
     • Issues identity into smart device
     • Authenticates user
     • Seamless login
     • Manages different "Personas" on behalf of user
     • Authenticates user and passes required attributes
     • Policies for required level of identity assurance and attributes
     • (Multiple of)
  8. Now we have vision! What next?
     • Technology
       • SAML
       • OAuth
       • Secure mobile device
       • mTPM
       • Secure key storage
       • Secure and trusted OS
       • NFC
       • Bluetooth
       • Face recognition
       • Voice recognition
       • Cryptography and PKI
     • Governance
       • Jericho Forum Identity Commandments compliance
       • Segregation of Identity and Attribute providers!
       • Trust between Service providers and Identity and Attribute providers
       • International agreement on compatibility of identity protocols
  9. Mobile device as a trusted device [4,5]
     • How does mobile HW and OS hold up?
     • Typically contains System on Chip (SoC)
     • Load kernel and mobile OS
     • Load mobile applications
     • If trust is not assured from HW up then there is no trust at all!
     • Enterprise apps accessed from mobile devices
     • OS security capabilities are crucial
     • Application segregation, security reviews
  10. Mobile threats summary [2]
     • Web-based and network-based attacks – mobile device is connected, browsing websites with malicious content
     • Malware – traditional viruses, worms, and Trojan horses
     • Social engineering attacks – phishing. Also used to install malware.
     • Resource and service availability abuse – botnet, spamming, overcharging (SMS and calls)
     • Malicious and unintentional data loss – exfiltration of information from phone
     • Attacks on the integrity of the device's data – malicious encryption with ransom, modification of data (address book)
  11. Mobile Security Models [2]
     • Traditional access control: passwords and idle-time screen locking.
     • Application provenance: application signing and application review in the app store
     • Encryption: encryption of device data and application data
     • Isolation: traditional sandboxing and storage separation
     • Permissions-based access control: limiting application to needed functionality only
     • All must be supported by trust from HW up. Jailbreaking breaks the security model!
  12. Interoperable cyber identity means more security and more convenience for users = economic benefits
     • Smart mobile device becomes a centre of identity management – securely store and conveniently use digital identity in everyday life (Communicate, Contribute, Access, Pay)
     • Governments should promote interoperable identity frameworks
     • Identity and attribute providers will operate internationally
     • Registration authorities will operate mostly nationally
  13. Resources
     • [1] Veracode Mobile app Top 10
     • [2] Symantec Security Analysis of iOS and Android
     • [3] Mobile Trusted Computing Platform
     • [4] Understanding HW architecture of Smartphones
     • [5] A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia
     • [6] Security in Windows Phone 7
     • [7] Difference between OAuth and OpenID
     • [8] Kantara Initiative
     • [9] NSTIC
     • [10] ENISA
     • [11] Jericho Forum
  14. Questions? Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.
  15. Question 1: Which party issues a trusted digital identity to a user?
     • Government
     • Attribute provider
     • Registration authority
     • Identity provider
  16. Question 2: Which technology makes sure that the mobile device boot loader has not been altered?
     • Bluetooth
     • Trusted Computing Base for mobile
     • NFC
     • Face recognition
  17. Question 3: Which security mechanism ensures that mobile applications cannot directly talk to each other?
     • Access control
     • Sandboxing
     • Data encryption
     • Clipboard protection
  18. Question 4: What is NSTIC?
     • National Science Technology Institute for Computing
     • National Strategy for Trusted Identity for Computers
     • National Strategy for Trusted Identity in Cyberspace
     • National Strategy for Technology Innovation in Cyberspace