
Mobile Web Security Bootstrap on Ericsson Labs

The Mobile Web Security Bootstrap (MWSB) API can be used to establish shared secret keys between an application server and a mobile web client. The key can be used to secure mobile applications that, for instance, require authentication, data confidentiality and integrity, and single sign on.

  1. Mobile Web Security Bootstrap: a labs.ericsson.com API. http://labs.ericsson.com/apis/mobile-web-security-bootstrap/
  2. Ericsson Labs APIs (slide shows the API catalogue as a grid grouped by category: Maps & positioning, Communication, Security, Web technologies, NFC & sensors, User & network information, Machine learning, Media and graphics; Mobile Web Security Bootstrap is one of the listed APIs). © Ericsson AB 2010 | Page 2
  3. Mobile Web Security Bootstrap
     › The SIM is commonly used for getting cellular access, mobile connectivity and access to some mobile services
     › The SIM's proven security features can also be used for securing any mobile web application
     › This service provides an API for establishing a secret key between mobile web clients and web applications
  4. Why Mobile Web Security Bootstrap?
     › Security – as secure as the SIM
     › Standard – based on an industry standard
     › Acceptance – many standardized applications
     › Convenience – transparent to users
     › Extensibility – any application can make use of the SIM
  5. Main Features
     › Based on the 3GPP industry standard Generic Bootstrapping Architecture
     › Client and server Web/Java APIs available and documented with examples
     › HTTP interfaces
     › Soft client available to allow focusing on the development of the network side of the web application
  6. Overview (diagram: the Mobile Web Client, made up of the Mobile Web Application and the Bootstrap Client; the Network Application Server; and MWSB, the Mobile Web Security Bootstrap service, made up of the Bootstrap Server and the Subscriber Database. Interfaces: Ua over HTTP between client and application server, Ub between client and bootstrap server, Zn between application server and bootstrap server.)
     › Ub interface – Mobile client uses the API to bootstrap a master secret key
     › Ua interface – Mobile Web Client uses the API to derive an application-specific master key
     › Zn interface – Mobile Web Application Server uses the API to obtain the corresponding application-specific master key
     At the end of the API usage transactions the client and server share an application-specific secret key.
  7. Java Client API
     › Soft Client API provided for focusing on the server application
     › Example showing how to establish a shared key

     ```java
     // Create soft client with user identity and permanent key
     GbaClient softclient = new GbaClient(myID, myKey);
     // Bootstrap client with master key. btid is the key handle (B-TID)
     String btid = softclient.bootstrap();
     // Derive application-specific key to be shared with app server
     byte[] appKey = softclient.getKsNaf(app_Fqdn);
     // Use the app key for HTTP Digest Authentication
     // (runUaHttpDigest is the application's helper, not shown on the slide)
     boolean authResult = runUaHttpDigest(app_URL, btid, appKey);
     ```
  8. Java Server API
     › API towards the mobile client and API towards MWSB
     › Servlet example showing how to establish a shared key

     ```java
     // Application Servlet doGet()
     // Create application context with Labs authorization API key
     GbaNaf app = new GbaNaf(myFqdn, myApiKey);
     // Parse the GET Authorization header & fetch btid (key handle)
     Authorization authz = Authorization.parse(authorizationHeader);
     String btid = authz.getUsername();
     // Derive the application-specific key to be shared with the client
     byte[] appKey = app.getKsNaf(btid);
     // Use the shared key to authenticate the mobile client (act on the result)
     boolean authResult = Digest.verify(authz, appKey);
     ```
  9. Possible applications
     › Identity Management
     › Authentication
     › Single Sign-On
     › Integrity
     › Confidentiality
     › Key Management
  10. (closing slide)
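The Ub/Ua/Zn flow from the overview and the two Java slides, as an added self-contained Python simulation (not code from the slides or from the Ericsson Labs API): a bootstrap server handling Ub and Zn, a client deriving the application key over Ua, and HTTP Digest with the B-TID as username and the derived key as password. The key derivation, B-TID format and use of the application FQDN as Digest realm are simplified stand-ins for the 3GPP GBA procedures, and every identity, key and hostname is constructed.

```python
import base64, hashlib, hmac, os, secrets

# Constructed demo credentials: stand-ins for the SIM identity and permanent
# key the real soft client holds. Not real GBA/3GPP values.
CLIENT_ID = "user@example.net"
CLIENT_KEY = b"constructed-permanent-key-for-demo"
NAF_FQDN = "app.example.com"

def derive_ks_naf(ks: bytes, naf_fqdn: str) -> bytes:
    """Ua-side derivation, simplified stand-in for the TS 33.220 KDF:
    bind the application key to the application server's FQDN."""
    return hmac.new(ks, naf_fqdn.encode(), hashlib.sha256).digest()

class BootstrapServer:
    """MWSB side: Ub bootstrap issues (B-TID, Ks); Zn looks Ks up by B-TID."""
    def __init__(self, subscriber_db):
        self.subscriber_db = subscriber_db  # identity -> permanent key
        self.sessions = {}                  # B-TID -> master key Ks

    def bootstrap(self, identity, key):
        if self.subscriber_db.get(identity) != key:
            raise PermissionError("unknown subscriber or wrong key")
        rand = os.urandom(16)
        ks = hmac.new(key, rand, hashlib.sha256).digest()  # Ks from key + RAND
        btid = base64.b64encode(rand).decode() + "@bsf.example.net"
        self.sessions[btid] = ks
        return btid, ks

    def zn_get_ks_naf(self, btid, naf_fqdn):
        return derive_ks_naf(self.sessions[btid], naf_fqdn)

def digest_response(username, password, realm, nonce, method, uri):
    """RFC 2617 Digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    def h(s):
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{ha2}")

def run_exchange(bsf, identity, key, naf_fqdn=NAF_FQDN, uri="/secure"):
    """Client: Ub bootstrap, Ua derivation, Digest with B-TID as username and
    Ks_NAF as password. Server: Zn fetch by B-TID, recompute and compare."""
    btid, ks = bsf.bootstrap(identity, key)                            # Ub
    password = base64.b64encode(derive_ks_naf(ks, naf_fqdn)).decode()  # Ua
    nonce = secrets.token_hex(8)
    client_resp = digest_response(btid, password, naf_fqdn, nonce, "GET", uri)
    server_pw = base64.b64encode(bsf.zn_get_ks_naf(btid, naf_fqdn)).decode()  # Zn
    expected = digest_response(btid, server_pw, naf_fqdn, nonce, "GET", uri)
    return hmac.compare_digest(client_resp, expected)
```

The server never sees the client's permanent key or the master key Ks; it only obtains the FQDN-bound Ks_NAF over Zn, which is why a key derived for a different application FQDN does not verify here.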
