guthery.ppt - Center for Discrete Mathematics and Theoretical ...
1. Extending the GSM/3G Key Infrastructure
   DIMACS Workshop on Mobile and Wireless Security, November 3, 2004
   Scott B. Guthery, CTO, Mobile-Mind [email_address]
   Mary J. Cronin, Professor of Management, Boston College [email_address]
2. Outline
   • SIM for Mobile Network Authentication
   • SIM for Internet Authentication
   • SIM for Local Authentication
3. Subscriber Identity Module
   • Integral part of GSM security from the start
   • Holds secret key Ki
     • other copy held by subscriber’s network operator
   • 8-bit processor, 8KB EEPROM, file system, cryptographic algorithms
   Identity token with a wireless connection to an authentication and billing service
4. GSM/3G Authentication
   • Roaming is the stepping off point for extending the GSM/3G key infrastructure
   • Visited network authenticates without being in possession of Ki
   [Diagram: the SIM presents its Identity (1) to the Visited Network, which relays the Identity (2) to the Home Network; the Home Network returns a Challenge & Response pair (3); the Visited Network sends the Challenge (4) to the SIM and receives the Response (5). Ki is shown at the SIM and at the Home Network only.]
5. SIM for Internet Authentication
   • EAP-SIM uses SIM for Internet authentication
     • visited network is an EAP authenticator
     • draft-haverinen-pppext-eap-sim-14.txt
   • Uses GSM/3G authentication but generates a stronger session key
   [Diagram: SIM, EAP Authenticator, Home Network and Internet Service; Ki is shown at the SIM and at the Home Network.]
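The roaming exchange of slide 4 and the EAP-SIM idea of slide 5 (several GSM triplets combined into a stronger key), modelled as an added Python example that is not from the slides or from any real network implementation; the A3/A8 stand-in, the Ki value, the identity and the nonce are constructed assumptions.

```python
"""Model of GSM roaming authentication and EAP-SIM style key strengthening."""
import hashlib
import hmac
import os

# Constructed sample key: a 128-bit Ki held only by the SIM and its home network.
KI = bytes.fromhex("0123456789abcdef0123456789abcdef")


def gsm_a3a8(ki: bytes, rand: bytes):
    """Stand-in for the operator's A3/A8 algorithms (assumption: HMAC-SHA256
    keyed with Ki, not a real GSM algorithm). Returns (SRES, Kc): a 32-bit
    response and a 64-bit cipher key, the GSM output sizes."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def home_network_triplet(ki: bytes, rand=None):
    """Home network (holds Ki) produces a triplet (RAND, SRES, Kc) for the
    visited network (step 3). Only the triplet leaves the home network, never Ki."""
    rand = rand or os.urandom(16)
    sres, kc = gsm_a3a8(ki, rand)
    return rand, sres, kc


def sim_response(sim_ki: bytes, rand: bytes) -> bytes:
    """The SIM answers the challenge with its own copy of Ki (step 5)."""
    return gsm_a3a8(sim_ki, rand)[0]


def visited_network_authenticate(triplet, sim_ki: bytes):
    """Visited network sends RAND (step 4), compares the SIM's SRES with the
    value the home network supplied, and keeps Kc only on success.
    It never needs Ki, which is the property that makes roaming work."""
    rand, expected_sres, kc = triplet
    ok = hmac.compare_digest(sim_response(sim_ki, rand), expected_sres)
    return ok, (kc if ok else b"")


def eap_sim_master_key(identity: bytes, kcs: list, nonce_mt: bytes) -> bytes:
    """Simplified EAP-SIM master key: SHA-1 over the identity, n concatenated
    Kc values and the client nonce (the draft's version-list fields are
    omitted here). Running n GSM authentications feeds n*64 bits of Kc into
    the key, instead of the single 64-bit Kc a GSM session relies on."""
    return hashlib.sha1(identity + b"".join(kcs) + nonce_mt).digest()


if __name__ == "__main__":
    triplet = home_network_triplet(KI)
    print("visited network accepts SIM:", visited_network_authenticate(triplet, KI)[0])
```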
6. SIM Toolkit
   • SIM gives commands to the handset
     • display text, get key hit, send SMS, block call
   • Operator controls loading of applications
     • GlobalPlatform architecture used to manage keys for non-operator applications
   [Diagram: Application 1, Application 2 and Application 3 on the SIM, connected through STK to the Handset.]
7. SIM for Local Authentication
   • SIM-based authentication and authorization
     • visited network is a merchant or a door
   • SIM-based cryptographic services
     • session keys, certificates, signing, tickets, etc.
   [Diagram: Operator, 3G Network, SIM, Handset, Local Connections (IR, Bluetooth, etc.), Other SIM.]
8. User-Equipment Split
   • SIM is in the device needing signing and authentication services
   • All that’s left of the mobile communication network is the extended key infrastructure
   [Diagram: SIM A, SIM B, SIM C, Network Operator, Handset.]
9. Business Models for SIM Security Extension: Theory, Reality and Lessons Learned
   • Theory: Compelling business and revenue opportunities based on leveraging SIM security
     • Enormous global installed base of active SIM cards
       • Over 800 million GSM and 3G handsets and subscribers
     • Well-established international standards for SIM applications and key infrastructure
       • Well documented architecture and tools for development using SIM Application Toolkit and Java Card™ platform
     • Multiple business models from different industries (banking, retail, media, IT, health, etc.) in search of strong mobile security solution will embrace the SIM
10. Three Potential Business Cases
   • SIM-hosted and authenticated non-telephony m-commerce applications and services
     • Allow trusted third parties to load applications onto the SIM card and share the existing key infrastructure to authenticate customers and authorize transactions via the wireless public network
   • SIM-enabled use of mobile handset for authenticated and authorized transactions via the wireless public network
   • Embedded SIMs for authorization of users or devices attached to any network, particularly WiFi
11. SIM-Hosted M-Commerce Applications
   • Business Model: Multiple applications are stored on a single SIM card to allow the subscriber to conduct secure banking, make and pay for purchases, and download and store value, tickets, etc. on the SIM
     • Third party consumer and enterprise applications both supported
       • SIM application provider gets share of projected $60 billion plus in m-commerce transactions
   • Reality as of 2004
     • Technical requirements are in place
       • Almost all recent SIMs are multi-application Java Card™ SIMs
       • Over 260 million of them are GlobalPlatform compliant
     • SIM-hosted applications have been scarce
       • Limited to small mobile banking pilots in Europe and Asia
       • Majority of booming m-commerce business has moved to handset downloads and back end server-based security systems
12. SIM-Enabled Security for Mobile Devices
   • Business Model: Dual-slot handsets provide external slot for smart card to conduct secure transactions and move value via the SIM, making the mobile a cash dispenser, a ticket, a POS, etc.
     • 1999 launch of dual slot phones to great fanfare
       • Datamonitor projected over 32 million such phones in use by 2003
       • All major handset makers announced plans to manufacture them
   • Reality as of 2004
     • Dual slot phones are hard to find collectors’ items
     • Revival of the model via “add-on” module for standard GSM phone to create a mobile POS for developing markets
       • Way Systems has some initial traction with this approach for China
13. SIM Authentication in Non-Telephony Networks
   • Business Model: Embed SIM in WiFi and other networked devices or provide SIM-USB token to subscribers for authentication and payment for WiFi access and roaming
     • One solution for problems with 802.11 security
     • Potential for portability and roaming on different networks
     • Possible integration with wireless subscriber accounts
   • Reality as of 2004
     • WLAN Smart Card Consortium attempting to define standards
     • Commercial deployments increasing but still in early stages
       • Transat solution launches with 3,500 hotspots in the UK (4/04)
       • Orange implements in Switzerland (3/04)
       • Tartara demonstrates solution with Verisign (3/04)
       • TSI demonstrates solution with Boingo Wireless (5/04)
14. Conclusion: Still Searching for Clear Business Case for SIM Extension
   • Limited applications to date outside of wireless telephony and some notable business failures such as dual-slot handsets
     • The combined business drivers of a billion SIMs, a rapidly growing m-commerce market and unsolved mobile security issues continue to bring new players and approaches to the table
   • Lesson learned: Wireless carriers have made controlling and guarding the SIM key infrastructure a priority over increasing revenues through extension
     • Carriers have the ability to cut off third party access to the SIM platform
     • WiFi and non-telephony network authentication looks like a good match for the SIM key infrastructure, but long-term models may require wireless carrier participation