Key2Share: NFC-enabled
Smartphone-based Access Control
Alexandra Dmitrienko
Cyberphysical Mobile Systems Security Group
Fraunhofer Institute for Secure Information Technology,
Darmstadt
Motivation
• Mobile phones are increasingly used in our daily life
• Hundreds of thousands of apps on app markets
• New interfaces like NFC open new application fields
• Payments, ticketing
mPayments mTicketing
A. Dmitrienko, Fraunhofer SIT Droidcon 2013, Berlin
Why Not Use a Smartphone as a Key?
Smartphone as a Door Key
• Access control by enterprises to their facilities
• Access to hotel rooms
• Access control in private sector (houses, garages)
Smartphone as a Key for Storage Facilities
• Access to safes in hotel rooms
• Lockers in luggage storage at train stations/airports
• DHL packing stations
Smartphone as a Car Key
• Fleet management by enterprises
• Car sharing by rental/car sharing companies
• Or just share your car with family members or friends
Advantages of Electronic Keys

| | Usual Keys | SmartCards | Key2Share |
|---|---|---|---|
| Distribution | Requires physical access | Requires physical access | Remote |
| Revocation | Requires physical access or replacement of the lock | Remote | Remote |
| Delegation | Not possible | Not possible | Possible |
| Context-aware access (e.g., time frame) | Not possible | Possible | Possible |
Requirements and Challenges
Security
Protection of electronic keys in transit and on the platform
Performance in the face of limited NFC bandwidth (~10 kbps)
Only symmetric-key crypto for authentication
Offline authentication
Addressed by protocol design
Key2Share: System Model
Parties: Issuer, Key2Share web-service, Resources, Users, Delegated users
1. Employ the employee/sell the car
2. One-time registration
3. Electronic key issued
4. User authentication with the issued key
5. Share key
6. User authentication with the shared key
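Steps 3 to 6 of the system model, under the stated constraints of symmetric-only crypto and offline verification, can be sketched as a key-derivation chain that the lock recomputes from its own secret. This is an added illustration, not the Key2Share protocol or the authors' code: it uses generic HMAC-SHA-256 rather than the primitives the deck names, and every identifier (`issue_key`, `delegate_key`, `Lock`, the token fields, the sample secret) is an assumption.

```python
import hashlib
import hmac
import json
import os


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _encode(token: dict) -> bytes:
    # Canonical encoding so issuer, phone and lock all MAC identical bytes.
    return json.dumps(token, sort_keys=True, separators=(",", ":")).encode()


def issue_key(lock_secret: bytes, user: str, not_before: int, not_after: int):
    """Issuer (step 3): derive a per-user key from the lock's secret."""
    token = {"sub": user, "nbf": not_before, "exp": not_after}
    return token, _mac(lock_secret, _encode(token))


def delegate_key(user_key: bytes, delegate: str, not_before: int, not_after: int):
    """User (step 5): derive a delegated key without contacting the issuer."""
    token = {"sub": delegate, "nbf": not_before, "exp": not_after}
    return token, _mac(user_key, _encode(token))


def respond(key: bytes, challenge: bytes) -> bytes:
    """Phone (steps 4 and 6): prove possession of the key for a fresh nonce."""
    return _mac(key, challenge)


class Lock:
    """Offline verifier: holds only its own secret, no user database."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def verify(self, tokens: list, response: bytes, now: int) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is single use
        if nonce is None or not 1 <= len(tokens) <= 2:
            return False
        key = self._secret
        lo, hi = float("-inf"), float("inf")
        for token in tokens:
            try:
                nbf, exp = int(token["nbf"]), int(token["exp"])
                encoded = _encode(token)
            except (KeyError, TypeError, ValueError):
                return False
            # A delegated token may only narrow the issuer's time frame.
            if nbf < lo or exp > hi or nbf > exp:
                return False
            lo, hi = nbf, exp
            key = _mac(key, encoded)  # re-derive the holder's key offline
        if not lo <= now <= hi:
            return False
        return hmac.compare_digest(_mac(key, nonce), response)


def demo() -> dict:
    secret = bytes(range(32))  # constructed sample secret shared by issuer and lock
    lock = Lock(secret)
    u_tok, u_key = issue_key(secret, "alice", 1000, 2000)
    d_tok, d_key = delegate_key(u_key, "bob", 1200, 1300)
    wide_tok, wide_key = delegate_key(u_key, "bob", 1200, 9999)
    forged = dict(u_tok, exp=9999)  # user edits the expiry of an issued token

    out = {}
    out["user"] = lock.verify([u_tok], respond(u_key, lock.challenge()), now=1500)
    out["delegate"] = lock.verify([u_tok, d_tok], respond(d_key, lock.challenge()), now=1250)
    out["delegate_expired"] = lock.verify([u_tok, d_tok], respond(d_key, lock.challenge()), now=1500)
    out["delegate_widened"] = lock.verify([u_tok, wide_tok], respond(wide_key, lock.challenge()), now=1250)
    out["forged_expiry"] = lock.verify([forged], respond(u_key, lock.challenge()), now=5000)
    replayed = respond(u_key, lock.challenge())
    lock.verify([u_tok], replayed, now=1500)
    out["replay"] = lock.verify([u_tok], replayed, now=1500)
    return out


if __name__ == "__main__":
    print(demo())
```

The lock never stores per-user state: it rebuilds each key from the presented tokens, so issuing and sharing need no contact with the lock.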
Key2Share Security
• Platform security
• Secure communication protocols
Platform Security Architecture
[Diagram labels: Untrusted host; Trusted Execution Environment; NFC Chip; WiFi; Key2Share App; Key2Share Secure App; TrEE Service; TrEE Mgr; Secure Storage; User Interface; Secure UI]
Possible TrEE Instantiations
In software
• Full virtualization (e.g., based on OKL4 hypervisor)
• Kernel-level virtualization (e.g., vServer)
• OS-level isolation (e.g., BizzTrust)
In hardware
• CPU extensions (ARM TrustZone)
• Secure Element (SE) on SIM card
• SE on microSD card
• Embedded SE (eSE) on NFC chip
TrEE in Hardware
CPU Extensions (e.g., ARM TrustZone)
• Controlled by device manufacturers
• No APIs are exposed to apps to access it
Secure Element (SE) on SIM Card
• Controlled by network operators
SE on SD Card
• Freely programmable
Embedded SE (eSE) on NFC Chip
• Controlled by device manufacturers
• Has pre-installed Mifare Classic applet
APIs for Accessing Secure Elements
• SE on SD Card can be accessed via Open Mobile API
• However, access is disabled in stock Android images
• eSE can be accessed via Open Mobile API and NFC Private API
• NFC Private API can be used only by Google-signed apps
• Only white-listed apps can communicate with eSE via Open Mobile API; root access is required to add an app to the white list
[Diagram labels: App layer (App, App, App); OS (NFC Private API, Open Mobile API (SEEK-for-Android)); HW (SE on SD Card, eSE on NFC Chip)]
The Best Candidate: SE on SD Card
• We used Giesecke & Devrient Mobile Security Card
• Can be attached to the phone via the microSD slot
• It is a standard Java Card and can run applets
• Implementation of Key2Share Secure as a Java applet
TrEE in Software
• We leveraged a security architecture which provides lightweight domain isolation for Android
• The architecture was initially intended to allow usage of a single device for business and private needs
• http://www.bizztrust.de/
BizzTrust: Dual Persona Phone
• Colors corporate and private apps with green and red
• Prohibits communication between apps with different colors
[Diagram labels: Application layer, Middleware layer, Kernel layer; AppA, AppB; IPC, File System, Network Sockets; MAC, Linux DAC. Legend: access control of Android; added by BizzTrust]
BizzTrust-based TrEE
• Create blue domain isolated from red and green
• Execute security sensitive code in blue domain
• BizzTrust allows only Key2Share app to communicate with the code from blue domain
[Diagram labels: Software isolation layer: Hardened Android OS (BizzTrust); Trusted Execution Environment (TrEE), Domain BLUE; Key2Share Secure; Private Domain RED; Corporate Domain GREEN; Red App; Key2Share]
Protocol Security
• Well-established cryptographic primitives (AES, SHA-1, RSA)
• Formal security proof of the protocols
• Formal tool-aided verification of protocols
Implementation in 3 Versions
1. Hardware-based TrEE based on Mobile Security Card
2. Software-based TrEE based on BizzTrust
3. Key2Share Secure as a separate Android application
Authentication Performance
• 20 rounds
• Transmission time for authentication protocol messages (with 95% confidence interval)
• 92 bytes to be transferred for the user
• 140 bytes to be transferred for the delegated user
• The door locks open within half a second

| User Type | Connection Establishment, ms | Overall Session Time, ms |
|---|---|---|
| User | 245.17 ± 0.54 | 441.80 ± 0.54 |
| Delegated user | 245.17 ± 0.54 | 473.55 ± 0.54 |
Work in Progress and Challenges
• Backward compatibility with existing access control solutions
• Compatibility with MiFare (standard for wireless cards)
• Integration into smartcard-based access control solutions (Matrix of Bosch)
• Smartphone in card emulation mode (does not require power for authentication)
• Challenges are related to missing support of card emulation mode in Android
• Other platforms (e.g., Nokia, Blackberry) support card emulation
Thank you
alexandra.dmitrienko@sit.fraunhofer.de

Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 

Droidcon2013 key2 share_dmitrienko_fraunhofer

  • 1. Key2Share: NFC-enabled Smartphone-based Access Control. Alexandra Dmitrienko, Cyberphysical Mobile Systems Security Group, Fraunhofer Institute for Secure Information Technology, Darmstadt
  • 2. Motivation
      - Mobile phones are increasingly used in our daily life
      - Hundreds of thousands of apps on app markets
      - New interfaces like NFC open new application fields
      - Payments, ticketing (mPayments, mTicketing)
      A. Dmitrienko, Fraunhofer SIT Droidcon 2013, Berlin
  • 3. + NFC = Why not Using a Smartphone as a Key?
  • 4. Smartphone as a Door Key
      - Access control by enterprises to their facilities
      - Access to hotel rooms
      - Access control in private sector (houses, garages)
  • 5. Smartphone as a Key for Storage Facilities
      - Access to safes in hotel rooms
      - Lockers in luggage storage at train stations/airports
      - DHL packing stations
  • 6. Smartphone as a Car Key
      - Fleet management by enterprises
      - Car sharing by rental/car sharing companies
      - Or just share your car with family members or friends
  • 7. Advantages of Electronic Keys
      | | Usual Keys | SmartCards | Key2Share |
      | Distribution | Requires physical access | Requires physical access | Remote |
      | Revocation | Requires physical access or replacement of the lock | Remote | Remote |
      | Delegation | Not possible | Not possible | Possible |
      | Context-aware access (e.g., time frame) | Not possible | Possible | Possible |
  • 8. Requirements and Challenges
      - Security: protection of electronic keys in transit and on the platform
      - Performance in face of limited NFC bandwidth (~10 kbps)
      - Only symmetric-key crypto for authentication
      - Offline authentication
      - Addressed by protocol design
  • 9. Key2Share: System Model
      Parties: Issuer, Key2Share web-service, Resources, Users, Delegated users
      1. Employ the employee/sell the car
      2. One-time registration
      3. Electronic key issued
      4. User authentication with the issued key
      5. Share key
      6. User authentication with the shared key
  • 10. Key2Share Security
      - Platform security
      - Secure communication protocols
  • 11. Platform Security Architecture
      Diagram components: Untrusted host; Trusted Execution Environment; NFC Chip; Key2Share Secure App; Key2Share App; WiFi; TrEE Service; TrEE Mgr; Secure Storage; User Interface; Secure UI
  • 12. Possible TrEE Instantiations
      In software:
      - Full virtualization (e.g., based on OKL4 hypervisor)
      - Kernel-level virtualization (e.g., vServer)
      - OS-level isolation (e.g., BizzTrust)
      In hardware:
      - CPU extensions (ARM TrustZone)
      - Secure Element (SE) on SIM card
      - SE on microSD card
      - Embedded SE (eSE) on NFC chip
  • 13. TrEE in Hardware
      - CPU extensions (e.g., ARM TrustZone): controlled by device manufacturers; no APIs are exposed to apps to access it
      - Secure Element (SE) on SIM card: controlled by network operators
      - SE on SD card: freely programmable
      - Embedded SE (eSE) on NFC chip: controlled by device manufacturers; has pre-installed Mifare Classic applet
  • 14. APIs for Accessing Secure Elements
      - SE on SD Card can be accessed via Open Mobile API
      - However, access is disabled in stock Android images
      - eSE can be accessed via Open Mobile API and NFC Private API
      - NFC Private API can be used only by Google-signed apps
      - Only white-listed apps can communicate with eSE via Open Mobile API; root access is required to add an app to the white list
      Diagram layers: App layer (App, App, App); OS (NFC Private API, Open Mobile API (SEEK-for-Android)); HW (SE on SD Card, eSE on NFC Chip)
  • 15. The Best Candidate: SE on SD Card
      - We used the Giesecke & Devrient Mobile Security Card
      - It can be attached to the phone via the microSD slot
      - It is a standard Java Card and can run applets
      - Implementation of Key2Share Secure as a Java applet
  • 16. TrEE in Software
      - We leveraged a security architecture which provides lightweight domain isolation for Android
      - The architecture was initially intended to allow usage of a single device for business and private needs
      - http://www.bizztrust.de/
  • 17. BizzTrust: Dual Persona Phone
      - Colors corporate and private apps with green and red
      - Prohibits communication between apps with different colors
      Diagram: AppA and AppB; application, middleware and kernel layers; IPC, file system and network sockets; MAC and Linux DAC checks. Legend: access control of Android; added by BizzTrust.
  • 18. BizzTrust-based TrEE
      - Create blue domain isolated from red and green
      - Execute security sensitive code in blue domain
      - BizzTrust allows only Key2Share app to communicate with the code from blue domain
      Diagram: Trusted Execution Environment (TrEE) domain BLUE with Key2Share Secure; private domain RED; corporate domain GREEN; Red App; Key2Share; software isolation layer: hardened Android OS (BizzTrust)
  • 19. Protocol Security
      - Well-established cryptographic primitives (AES, SHA-1, RSA)
      - Formal security proof of the protocols
      - Formal tool-aided verification of protocols
  • 20. Implementation in 3 Versions
      1. Hardware-based TrEE based on Mobile Security Card
      2. Software-based TrEE based on BizzTrust
      3. Key2Share Secure as a separate Android application
  • 21. Authentication Performance
      - 20 rounds
      - Transmission time for authentication protocol messages (with 95% confidence interval)
      - 92 bytes to be transferred for the user
      - 140 bytes to be transferred for the delegated user
      - The door locks open within half a second
      | User Type | Connection Establishment, ms | Overall Session Time, ms |
      | User | 245.17 ± 0.54 | 441.80 ± 0.54 |
      | Delegated user | 245.17 ± 0.54 | 473.55 ± 0.54 |
  • 22. Work in Progress and Challenges
      - Backward compatibility with existing access control solutions
      - Compatibility with MiFare (standard for wireless cards)
      - Integration into smartcard-based access control solutions (Matrix of Bosch)
      - Smartphone in card emulation mode (does not require power for authentication)
      - Challenges are related to missing support of card emulation mode in Android
      - Other platforms (e.g., Nokia, Blackberry) support card emulation
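
The requirements on slides 7 and 8 (symmetric crypto only, offline authentication, delegation, time-limited access) can be met with a chained-MAC key derivation. The Python below is an added example, not code from the slides and not the Key2Share protocol itself, which the slides do not spell out; the function names, the caveat encoding and the choice of HMAC-SHA-256 (instead of the AES/SHA-1/RSA primitives the slides name) are assumptions.

```python
import hashlib
import hmac
import struct

def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    msg = b"".join(struct.pack(">H", len(p)) + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def caveat(holder: str, not_after: int) -> bytes:
    """One chain link: holder name plus expiry (Unix time) in the last 8 bytes."""
    return holder.encode() + struct.pack(">Q", not_after)

def issue(lock_key: bytes, holder: str, not_after: int):
    """Issuer, who shares lock_key with the lock: derive the user's key and chain."""
    c = caveat(holder, not_after)
    return mac(lock_key, c), [c]

def delegate(holder_key: bytes, chain: list, name: str, not_after: int):
    """User, without contacting the issuer: derive a key for a delegated user."""
    c = caveat(name, not_after)
    return mac(holder_key, c), chain + [c]

def respond(key: bytes, nonce: bytes) -> bytes:
    """Phone: answer the lock's fresh nonce; the key itself never crosses NFC."""
    return mac(key, b"auth", nonce)

def lock_verify(lock_key: bytes, chain: list, nonce: bytes, resp: bytes, now: int) -> bool:
    """Lock, offline: re-derive the key from the chain, enforcing every expiry."""
    if not chain:
        return False
    key = lock_key
    for c in chain:
        if len(c) < 9 or now > struct.unpack(">Q", c[-8:])[0]:
            return False  # a malformed or expired link invalidates the whole chain
        key = mac(key, c)
    return hmac.compare_digest(respond(key, nonce), resp)

if __name__ == "__main__":
    import os
    lock_key = os.urandom(32)                 # constructed sample key
    k_user, chain_user = issue(lock_key, "alice", 2000)
    k_del, chain_del = delegate(k_user, chain_user, "bob", 1500)
    nonce = os.urandom(16)                    # chosen by the lock per session
    print(lock_verify(lock_key, chain_user, nonce, respond(k_user, nonce), now=1200))
    print(lock_verify(lock_key, chain_del, nonce, respond(k_del, nonce), now=1200))
    print(lock_verify(lock_key, chain_del, nonce, respond(k_del, nonce), now=1600))
```

Revocation and protection of the keys on the phone (the TrEE's role in the slides) are outside this example.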