The document discusses the future of mobile devices as trusted personal identity management assistants. It outlines some of the challenges with digital identity in cyber space and how governments are working to address this through initiatives like NSTIC in the US and eID in the EU. The document proposes that mobile devices could become ubiquitous identity assistants, certifying identity and attribute providers and managing a user's different "personas". It discusses some of the necessary technologies and governance models required for mobile devices to securely fulfill this role.

1. The future of a smart mobile device as a trusted personal Identity management assistant Vladimir Jirasek CISSP-ISSAP & ISSMP, CISM, CISA Senior Enterprise Security Architect, Nokia Steering Group, Common Assurance Maturity Model Non-executive director, CSA UK & Ireland

2. Identity model in a physical world Mutual international acceptance of government issued passports. Acceptance of country specific ID cards within the country by government agencies and businesses.

3. Identity problem in cyber space

4. Identity problem in cyber space Security risk, inconvenience and economic acceleration hindrance

5. Digital catching up physical governments are waking up USA – National Strategy for Trusted identity in Cyberspace (NSTIC) EU – European ID (eID) Other states may have their own plans Leading ThinkTank on Information Security Principles of de-perimiterisation (2006) Now published Identity commandments (May 2011) Interoperability is not given but should be architected into the digital identity systems NSTIC already in discussions with leading identity providers

6. The shift in identity management is imminent People will embrace new way of identity management Iceberg with topple (violently – be prepared) Single (or very few) personal identity Self-assured or trusted attribute providers We need a trusted device that manages this for us

7. Mobile device becomes ubiquitous identity assistant Certifies attributes Certifies Identity provider Certifies Attribute provider Contract Requests identity Issues identity into smart device Authenticates user Seamless login Authenticates user Manages different “ Personas ” on behalf of user Authenticates user and passes required attributes Policies for required level of identity assurance and attributes (Multiple of) (Multiple of)

8. Now we have vision! What next? Technology SAML Oauth Secure mobile device mTPM Secure key storage Secure and trusted OS NFC Bluetooth Face recognition Voice recognition Cryptography and PKI Governance Jericho forum Identity Commandments compliance Segregation of Identity and Attribute providers! Trust between Service providers and Identity and Attribute providers International agreement on compatibility of identity protocols

9. Mobile device as a trusted device: [4,5] How does mobile HW and OS hold up? Typically contains System on Chip (SoC) Load Kernel and mobile OS Load mobile applications If Trust is not assured from HW up then there is no trust at all! Enterprise apps accessed from mobile devices OS security capabilities are crucial Application segregation, security reviews

10. Mobile threats summary [2] Web-based and network-based attacks – mobile device is connected, browsing websites with malicious content Malware – traditional viruses, worms, and Trojan horses Social engineering attacks – phishing. Also used to install malware. Resource and service availability abuse – botnet, spamming, overcharging (SMS and calls) Malicious and unintentional data loss – exfiltration of information from phone Attacks on the integrity of the device’s data – malicious encryption with ransom, modification of data (address book)

11. Mobile Security Models [2] Traditional Access Control : passwords and idle-time screen locking. Application Provenance : Application signing and Application review in App store Encryption : Encryption of device data and application data Isolation : traditional Sandboxing and Storage separation Permissions-based access control : Limiting application to needed functionality only All must be supported by Trust from HW up. Jailbreaking breaks the security model!

12. Interoperable cyber identity means more security and more convenience for users = economic benefits Smart mobile device becomes a centre of identity management – secure store and conveniently user digital identity in everyday life (Communicate, Contribute, Access, Pay) Governments should promote interoperable identity frameworks Identity and attribute providers will operate internationally Registration authorities will operate mostly nationally

13. Resources Veracode Mobile app Top 10 - http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/ Symantec Security Analysis of iOS and Android - http://www.symantec.com/about/news/release/article.jsp?prid=20110627_02 Mobile Trusted Computing Platform - http://www.trustedcomputinggroup.org/developers/mobile Understanding HW architecture of Smartphones - http://hubpages.com/hub/Understanding-the-hardware-architecture-of-smartphones A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia - http://asokan.org/asokan/research/platsec-comparison-ETHZ-mar2011.pdf Security in Windows Phone 7 - http://msdn.microsoft.com/en-us/library/ff402533(v=VS.92). aspx Difference between Oauth and OpenID - http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing Kantara Initiative - http://kantarainitiative.org/ NSTIC - http://www.nist.gov/nstic/ ENISA - http://www.enisa.europa.eu/ Jericho Forum - https://www.opengroup.org/jericho/

14. Questions? Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.

15. Question 1: Which party issues a trusted digital identity to an user Government Attribute provider Registration authority Identity provider

16. Question 2: Which technology makes sure that the mobile device boot loader has not been altered Bluetooth Trusted Computing Base for mobile NFC Face recognition

17. Question 3: Which security mechanism ensured that mobile applications cannot directly talk to each other Access control Sandboxing Data encryption Clipboard protection

18. Question 4: What is NSTIC National Science Technology Institute for Computing National Strategy for Trusted Identity for Computers National Strategy for Trusted Identity in Cyberspace National Strategy for Technology Inovation in Cyberspace