Mobile Web Security Bootstrap
A labs.ericsson.com API
http://labs.ericsson.com/apis/mobile-web-security-bootstrap/
ericsson labs APIs

[Slide 2: catalogue of Ericsson Labs APIs, grouped by category. Maps & positioning: Mobile Location, Mobile Maps, Web Maps. Communication: SMS Send & Receive, Mobile Push, Group Voice Mixer, Async Voice. Security: Mobile Web Security Bootstrap, OAuth2 Framework, CAPTCHA, Identity Management Framework, Key Management Service. Web technologies: Web Connectivity, Web Background Service, EventSource, Web Device Connectivity, Distributed Shared Memory, Web Real-Time Communication. NFC & sensors: Tag Tool, Mobile Sensor Actuator Link, Sensor Networking Application Platform. User & network information: Mobile Identification, Network Probe, Mobile Network Look-up. Machine learning: Cluster Constructor. Media and graphics: Face Detector, Text-to-Speech.]

© Ericsson AB 2010 | Page 2
Mobile Web Security Bootstrap
› The SIM is commonly used for getting cellular access, mobile connectivity and access to some mobile services

› The SIM's proven security features can also be used for securing any mobile web application

› This service provides an API for establishing a secret key between mobile web clients and web applications




Why Mobile Web Security Bootstrap?

› Security – As secure as SIM

› Standard – Based on industry standard

› Acceptance – Many standardized applications

› Convenience – Transparent to users

› Extensibility – Any application can exploit the SIM


Main Features
› Based on the 3GPP industry standard Generic Bootstrapping Architecture

› Client and server Web/Java APIs available and documented with examples

› HTTP interfaces

› Soft client available to allow focusing on the development of the network side of the web application



Overview
› Ub interface – Mobile client uses API to bootstrap a master secret key

› Ua interface – Mobile Web Client uses API to derive application-specific master key

› Zn interface – Mobile Web Application Server uses API to obtain the corresponding application-specific master key

  At the end of the API usage transactions the client and server share an application-specific secret key

[Diagram: the Mobile Web Client (containing a Bootstrap Client) talks over Ub (HTTP) to the Bootstrap Server of MWSB, Mobile Web Security Bootstrap, which is backed by a Subscriber Database; the Mobile Web Client talks over Ua (HTTP) to the Mobile Web Network Application Server; the Network Application Server talks over Zn to the Bootstrap Server.]

Java Client API
› Soft Client API provided for focusing on server application

› Example showing how to establish a shared key


   // Create soft client with user identity and permanent key
   GbaClient softclient = new GbaClient(myID, myKey);

   // Bootstrap client with master key. btid is the handler.
   String btid = softclient.bootstrap();

   // Derive application-specific key to be shared with app server
   byte[] appKey = softclient.getKsNaf(app_Fqdn);

   // Use the app key for HTTP Digest Authentication
   boolean authResult = runUaHttpDigest(app_URL, btid, appKey);


Java Server API
› API towards mobile client and API towards MWSB
› Servlet example showing how to establish a shared key

   // Application Servlet doGet()

   // Create application context with Labs authorization API key
   GbaNaf app = new GbaNaf(myFqdn, myApiKey);

   // Parse the GET Authorization header & fetch btid (key handler)
   Authorization authz = Authorization.parse(authorizationHeader);
   String btid = authz.getUsername();

   // Derive the application-specific key to be shared with client (fetched over Zn)
   byte[] appKey = app.getKsNaf(btid);

   // Use the shared key to authenticate the mobile client's Digest response
   Digest.verify(authorizationHeader, appKey);
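The flow the Overview and the two API slides describe (Ub bootstrap yielding a B-TID and master key, Ua derivation of the application-specific key bound to the server's FQDN, Zn fetch of that same key by the application server, then HTTP Digest on Ua with the B-TID as username and the derived key as password), as an added Python model that is not part of this deck or the Ericsson Labs API. BootstrapServer, derive_ks_naf, run_flow, the B-TID format and the simplified HMAC key derivation are assumptions for this example (the real derivation is the 3GPP TS 33.220 KDF); it also shows that a key fetched for a different application FQDN does not verify.

```python
import base64
import hashlib
import hmac
import secrets

def derive_ks_naf(ks, naf_fqdn):
    # Ua/Zn: bind the master key to the application server's FQDN.
    # Simplified KDF (assumption); the real one is the 3GPP TS 33.220 KDF.
    return hmac.new(ks, b"Ks_NAF" + naf_fqdn.encode(), hashlib.sha256).digest()

class BootstrapServer:
    """Toy Bootstrap Server (MWSB) with an in-memory subscriber database."""

    def __init__(self, subscribers):
        self.subscribers = subscribers  # user id -> permanent key (constructed)
        self.sessions = {}              # B-TID -> master key Ks

    def ub_bootstrap(self, user_id):
        # Ub: fresh master key from the permanent key and a random challenge.
        rand = secrets.token_bytes(16)
        ks = hmac.new(self.subscribers[user_id], b"Ks" + rand, hashlib.sha256).digest()
        btid = base64.b64encode(rand).decode() + "@bsf.example"  # assumed B-TID form
        self.sessions[btid] = ks
        return btid, ks

    def zn_get_ks_naf(self, btid, naf_fqdn):
        # Zn: the NAF presents the B-TID and its own FQDN; it never sees Ks itself.
        ks = self.sessions.get(btid)
        return None if ks is None else derive_ks_naf(ks, naf_fqdn)

def digest_response(username, password, method, uri, nonce, realm):
    # RFC 2617 HTTP Digest without qop: MD5(HA1 ":" nonce ":" HA2).
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def run_flow(client_fqdn="app.example", naf_fqdn="app.example"):
    """Client derives Ks_NAF for client_fqdn, the NAF fetches it for naf_fqdn over Zn."""
    bsf = BootstrapServer({"user1": b"permanent-key-user1"})  # constructed subscriber
    btid, ks = bsf.ub_bootstrap("user1")                      # Ub
    client_key = base64.b64encode(derive_ks_naf(ks, client_fqdn)).decode()
    nonce, uri = secrets.token_hex(8), "/protected"
    # Ua: the B-TID is the Digest username and Ks_NAF the password.
    resp = digest_response(btid, client_key, "GET", uri, nonce, naf_fqdn)
    server_key = base64.b64encode(bsf.zn_get_ks_naf(btid, naf_fqdn)).decode()
    expected = digest_response(btid, server_key, "GET", uri, nonce, naf_fqdn)
    return hmac.compare_digest(resp, expected)
```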

Possible applications

[Diagram listing application areas: Identity Management, Authentication, Single Sign-On, Integrity, Confidentiality, Key Management]

Mobile Web Security Bootstrap on Ericsson Labs