Over the Air 2011 Security Workshop
2. This is Ericsson
Ericsson’s first telephone, 1878 World’s first LTE network, 2009
› We no longer manufacture phones (Sony-Ericsson does)
› More than 40% of the world's mobile traffic passes through Ericsson networks
› We have customers in more than 180 countries and over 98,000 employees
› We are largely a software company
OTA workshop 2011 | Public | © Ericsson AB 2011 | 2011-08-30 | Page 2
3. What is Ericsson Labs?
Experimental
> Early technology trials
Open innovation
> APIs for new technologies
Creativity
> New innovation by developers
50 bn connected devices
> M2M service enablers
Simplify: hide cloud complexity; low barriers to entry
Provide: easy to use APIs/SDKs; early & perpetual beta
Converse: expert support; feedback
4. Ericsson Labs APIs
(API grid from the slide, listed by its column headings)
Maps & positioning: 3D Landscape, Mobile Location, Web Maps
Communication: Mobile SMS Send & Receive, Mobile Push, Group Voice Mixer, Web Async Voice
Security: Mobile Web Security Bootstrap, CAPTCHA, OAuth2 Framework, Identity Management Framework, Key Management Service
Web technologies: Face Detector, Web Connectivity, Web Device Connectivity, Distributed Shared Memory, Web Real-Time Communication, Web Background Service, EventSource
Media and graphics: Streaming Media, Converting Media, Text-to-Speech
User & network information: Mobile Identification, Mobile Network Look-up, Network Probe
Machine learning: Cluster Constructor
NFC & sensors: Sensor Networking Application Platform, Mobile Sensor Actuator Link, Tag Tool
6. SIM card identification 1/3
› P: The traditional authentication scheme with username/password has several drawbacks
› Q: What if we could use the credentials stored on the SIM card instead?
› A: This is exactly what the 3GPP standard GBA accomplishes. Basically, we replace
– the username with the subscriber identity; and
– the password with the subscriber key
› The MWSB (Mobile Web Secure Bootstrapping) enabler allows you to try it out in your own web application
[Side figure: "Top ten PlayStation Network passwords" (Digicure, 2011): password, 12345678, 123456, 123, winner, 123456789, seinfeld, 1234, 12345; caption: "Attempt to increase security through SMS verification"]
7. SIM card identification 2/3
1. The client bootstraps (using the SIM card) with the GBA server and obtains a key (Ks_NAF)
2. The client authenticates itself to the web app using HTTP(S) Digest, with the key as password and a temporary identifier (B-TID) as username
3. The web application sends the identifier to the GBA server, receives the key, and validates the client-supplied password
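The three steps above, as an added example that is not Ericsson's MWSB code: the GBA server is modelled as a dictionary keyed by B-TID, HMAC-SHA256 stands in for the 3GPP key derivation, and the NAF identifier, realm, nonces and key material are all constructed. The HTTP Digest arithmetic is the RFC 2617 one; the point of interest is the web-app (NAF) side, which never sees the subscriber key, only the per-application Ks_NAF it fetches for the B-TID the client presented.

```python
# Added example, not Ericsson's MWSB code: a self-contained model of the three steps above.
# The GBA server (BSF) is a dictionary; the NAF identifier, realm and all key material are
# constructed. HMAC-SHA256 stands in for the 3GPP KDF; the HTTP Digest arithmetic is RFC 2617.
import base64
import hashlib
import hmac
import os
import time

NAF_ID = b"naf.example"                # placeholder NAF identifier (assumption)
GBA_SERVER = {}                        # B-TID -> (Ks_NAF, expiry as epoch seconds)


def bootstrap(ks, btid, lifetime=3600, now=None):
    """Step 1 (stubbed): derive Ks_NAF from the bootstrapped key Ks and register it under
    the temporary identifier B-TID with a lifetime. Real GBA obtains Ks from an AKA run
    against the SIM; the derivation label and inputs here are simplified."""
    ks_naf = hmac.new(ks, b"gba-me|" + NAF_ID, hashlib.sha256).digest()
    GBA_SERVER[btid] = (ks_naf, (time.time() if now is None else now) + lifetime)
    return ks_naf


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(btid, ks_naf, realm, method, uri, nonce):
    """Step 2: the client answers the digest challenge with B-TID as username and the
    base64-encoded Ks_NAF as password. Returns the Authorization header fields."""
    cnonce = os.urandom(8).hex()
    password = base64.b64encode(ks_naf).decode()
    return {"username": btid, "realm": realm, "nonce": nonce, "uri": uri, "qop": "auth",
            "nc": "00000001", "cnonce": cnonce,
            "response": digest_response(btid, password, realm, method, uri, nonce,
                                        "00000001", cnonce)}


def naf_verify(header, method, issued_nonce, now=None):
    """Step 3: the web app (NAF) looks the B-TID up at the GBA server, obtains Ks_NAF and
    recomputes the digest. Every failure path returns False without saying which check failed."""
    if header.get("nonce") != issued_nonce:
        return False                                 # stale or foreign challenge
    entry = GBA_SERVER.get(header.get("username"))
    if entry is None:
        return False                                 # unknown B-TID: client must re-bootstrap
    ks_naf, expiry = entry
    if (time.time() if now is None else now) > expiry:
        return False                                 # bootstrapping has expired
    password = base64.b64encode(ks_naf).decode()
    expected = digest_response(header["username"], password, header["realm"], method,
                               header["uri"], header["nonce"], header["nc"], header["cnonce"])
    return hmac.compare_digest(expected, header["response"])
```

In a deployment the NAF asks the GBA server for Ks_NAF over its own mutually authenticated channel and should cache the key no longer than the lifetime the server reports; once the bootstrapping expires the client has to run step 1 again, which is why `naf_verify` treats an expired entry the same as an unknown B-TID.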
8. SIM card identification 3/3
Pros: High security, convenient for the user, standardized
Cons: Currently not supported by browsers, so you are forced to rely on a plugin, an applet, or a recompiled browser engine
10. Federated authentication 1/3
› P: Password management is costly for site owners, and user experience is negatively affected by differing password policies
› Q: What if site owners could delegate authentication to a trusted party where authentication can be enforced to be strong?
› A: This can be achieved with the OpenID protocol, where the OpenID Provider acts as the trusted party. The security can be further improved by combining OpenID with SIM-based identification.
› The Identity Management Framework on Ericsson Labs is running an OpenID Provider which your web app can use (instructions and Java code available)
[Figure: delegated authentication]
11. Federated authentication 2/3
How the user authenticates (step 4 in the figure) is intentionally left unspecified; both username/password and SIM-based identification can be used.
12. Federated authentication 3/3
[Figure: login screenshots, "Traditional username/password" versus "SIM based identification (automatic)" via a modified WebKit, a GBA applet, or a GBA plugin]
14. Delegated authorization 1/3
› P: Users are willing to share limited portions of their data, but without losing control over who is accessing the data and what part of it is being accessed.
› Q: Why not use a standardized token-based delegation pattern?
› A: OAuth is an IETF effort to standardize and isolate delegated authorization, making it simpler to reuse both code and know-how about how authorization is handled.
15. Delegated authorization 2/3
[Figure: OAuth components. Browser; Webclient (service provider, the RP) configured with ClientID, ClientSecret and CallbackURI; Authorization Server, which authenticates the user via the Authentication Server (OP / GBA) and issues a Code and an OauthToken for the requested Scope; Resource Server holding the Protected Resource. Labelled steps: Authenticate, Authorize.]
16. Delegated authorization 3/3
[Figure: Desktop and Mobile screenshots]
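The components of the figure (browser, web client with ClientID/ClientSecret/CallbackURI, authorization server issuing a Code and then a token, resource server guarding the protected resource) as an added example of the authorization-code exchange; this is not the Ericsson Labs OAuth2 Framework, and every client id, secret, URL, scope name and user is constructed. The checks that matter on the authorization-server side are the ones the figure's labels imply: the callback URI must be the registered one, the code is single-use and short-lived, and the token endpoint only honours a code presented by the client it was issued to.

```python
# Added example, not the Ericsson Labs OAuth2 Framework: a self-contained model of the
# authorization-code exchange between the components in the figure (browser, web client,
# authorization server, resource server). All names and values are constructed.
import hmac
import os
from urllib.parse import urlencode, urlsplit, parse_qs


class AuthorizationServer:
    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered CallbackURI)
        self.codes = {}     # code -> grant details (one-time, short-lived)
        self.tokens = {}    # access token -> (user, scope, expiry)

    def register_client(self, client_id, client_secret, callback_uri):
        self.clients[client_id] = (client_secret, callback_uri)

    def authorize(self, client_id, redirect_uri, scope, state, user, now):
        """Authorization endpoint. Called once the user has authenticated (in the deck: via
        OpenID, itself backed by the SIM) and approved the scope. Returns the redirect URL
        that carries the Code back to the registered CallbackURI."""
        registered = self.clients.get(client_id)
        if registered is None or registered[1] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = os.urandom(16).hex()
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "expiry": now + 60}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri, now):
        """Token endpoint. The web client proves possession of ClientSecret; the code must be
        unused, unexpired and bound to the same client and redirect URI it was issued for."""
        registered = self.clients.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            return None
        grant = self.codes.pop(code, None)            # single use: a replayed code fails here
        if grant is None or grant["expiry"] < now:
            return None
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            return None
        access_token = os.urandom(16).hex()
        self.tokens[access_token] = (grant["user"], grant["scope"], now + 3600)
        return {"access_token": access_token, "token_type": "bearer", "scope": grant["scope"]}


class ResourceServer:
    """Holds the protected resource. Shares the token store with the authorization server,
    a simplification standing in for token introspection."""
    def __init__(self, auth_server):
        self.auth = auth_server

    def get(self, bearer_token, resource, now):
        entry = self.auth.tokens.get(bearer_token)
        if entry is None or entry[2] < now:
            return 401                                 # missing or expired token
        user, scope, _ = entry
        if resource not in scope.split():
            return 403                                 # token valid but scope too narrow
        return f"{resource} of {user}"


class WebClient:
    """The service provider (RP in the figure) that wants access on the user's behalf."""
    def __init__(self, client_id, client_secret, callback_uri, auth_server):
        self.client_id, self.client_secret = client_id, client_secret
        self.callback_uri, self.auth = callback_uri, auth_server
        self.pending_states = set()

    def begin(self):
        state = os.urandom(8).hex()                    # binds the callback to this request
        self.pending_states.add(state)
        return {"client_id": self.client_id, "redirect_uri": self.callback_uri,
                "scope": "location", "state": state}

    def finish(self, redirect_url, now):
        query = parse_qs(urlsplit(redirect_url).query)
        state, code = query.get("state", [None])[0], query.get("code", [None])[0]
        if state not in self.pending_states:
            return None                                # callback we did not start
        self.pending_states.discard(state)
        return self.auth.token(self.client_id, self.client_secret, code, self.callback_uri, now)


def run_flow(now=1000):
    """Happy path plus the failure checks; returns a dict with each outcome."""
    auth = AuthorizationServer()
    auth.register_client("client-1", "s3cret", "https://rp.example/callback")
    rs = ResourceServer(auth)
    rp = WebClient("client-1", "s3cret", "https://rp.example/callback", auth)
    req = rp.begin()                                           # browser is sent to the AS
    redirect = auth.authorize(req["client_id"], req["redirect_uri"], req["scope"],
                              req["state"], user="alice", now=now)
    tok = rp.finish(redirect, now)                             # browser brings the code back
    code = parse_qs(urlsplit(redirect).query)["code"][0]
    return {
        "resource": rs.get(tok["access_token"], "location", now),
        "out_of_scope": rs.get(tok["access_token"], "contacts", now),
        "replayed_code": auth.token("client-1", "s3cret", code, "https://rp.example/callback", now),
        "expired_token": rs.get(tok["access_token"], "location", now + 7200),
    }
```

`run_flow()` returns the resource for the granted scope, 403 for a resource outside it, `None` when the same code is presented a second time, and 401 once the token has expired; those four outcomes are the behaviour a reviewer of an OAuth deployment checks first.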
18. P2P key establishment 1/3
› P: Up until now we have only considered client-server applications, where it is relatively easy to protect communications using TLS/SSL. In a P2P application where there is no existing trust relation between the parties (e.g., certificates or keys), setting up a secure channel is more complex.
› Q: How can we enable secure, end-to-end communication in a P2P application?
› A: With the help of a KMS (Key Management Server) the two parties are able to establish a shared secret key, which in turn is used to set up the secure channel.
[Figure: VoIP, messaging, file sharing]
19. P2P key establishment 2/3
› Based on the MIKEY-TICKET protocol (RFC 6043), which is designed for high-security applications (e.g., national safety, police, etc.)
› Note that there must exist a trust relationship between each client and the KMS. The 3GPP recommended solution is to use the SIM card.
20. P2P key establishment 3/3
› The KMS API at Ericsson Labs can be used to secure any type of communication, for example VoIP (above figures)
› Most of the signalling is hidden by the API. Setting up the shared secret key requires only a few lines of code
› The API is written in C but can still be used in Android using JNI (Java Native Interface)
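The three-party pattern described on the P2P slides (each peer trusts only the KMS; the initiator obtains a ticket, transfers it to the responder, and the responder resolves it at the KMS so that both end up with the same key), as an added example. This is not the Ericsson Labs KMS API, which is a C library the deck does not show; it is a simplified model in the spirit of MIKEY-TICKET (RFC 6043) using stdlib HMAC in place of the real MIKEY payloads and wire format. The per-peer long-term keys, which in the deck come from SIM-based identification, are constructed here.

```python
# Added example, not the Ericsson Labs KMS API (which is a C library): a simplified model of
# ticket-based key establishment in the spirit of MIKEY-TICKET (RFC 6043). It uses stdlib HMAC
# in place of the real MIKEY payloads and wire format. Each peer shares a long-term key with
# the KMS (in the deck, that trust comes from the SIM); the peers share nothing with each other.
import hashlib
import hmac
import json
import os


def kdf(key, *parts):
    """HMAC-SHA256 as a stand-in for the MIKEY key derivation (assumption)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def peer_tag(peer_key, message):
    """Authentication tag a peer attaches to a KMS request under its long-term key.
    (A deployment would also bind a timestamp or nonce to stop replay of the request.)"""
    return kdf(peer_key, message)


class KMS:
    def __init__(self, master_key):
        self.master = master_key
        self.peers = {}          # identity -> long-term key shared with that peer

    def enrol(self, identity, key):
        self.peers[identity] = key

    def _authenticated(self, identity, tag, message):
        key = self.peers.get(identity)
        return key is not None and hmac.compare_digest(kdf(key, message), tag)

    def _ticket_mac(self, body):
        return kdf(self.master, b"ticket", json.dumps(body, sort_keys=True).encode()).hex()

    def _tgk(self, ticket_id):
        # The TGK is re-derived from the ticket id, so the KMS keeps no per-ticket state
        return kdf(self.master, b"tgk", ticket_id.encode())

    def request(self, initiator, tag, responder, now, lifetime=300):
        """REQUEST/REQUEST_RESP: the initiator asks for a ticket naming the responder.
        Returns (ticket, TGK), or None if the initiator is not authenticated."""
        if not self._authenticated(initiator, tag, b"REQ" + responder.encode()):
            return None
        body = {"id": os.urandom(16).hex(), "initiator": initiator,
                "responder": responder, "expiry": now + lifetime}
        return {**body, "mac": self._ticket_mac(body)}, self._tgk(body["id"])

    def resolve(self, responder, tag, ticket, now):
        """RESOLVE_INIT/RESOLVE_RESP: the responder presents the ticket it received. Returns the
        TGK only if the caller is the named responder and the ticket is intact and still valid."""
        if not self._authenticated(responder, tag, b"RES" + ticket["id"].encode()):
            return None
        body = {k: v for k, v in ticket.items() if k != "mac"}
        if not hmac.compare_digest(self._ticket_mac(body), ticket["mac"]):
            return None                       # ticket forged or modified in transit
        if ticket["responder"] != responder or now > ticket["expiry"]:
            return None                       # wrong peer, or expired
        return self._tgk(ticket["id"])


def establish(kms, initiator, initiator_key, responder, responder_key, now):
    """Three-party run. Returns (initiator_session_key, responder_session_key), which must
    match. The ticket and nonces cross the untrusted peer channel; the TGK never does."""
    ticket, tgk_i = kms.request(initiator, peer_tag(initiator_key, b"REQ" + responder.encode()),
                                responder, now)
    rand_i = os.urandom(16)                         # TRANSFER_INIT carries the ticket and RANDRi
    tgk_r = kms.resolve(responder, peer_tag(responder_key, b"RES" + ticket["id"].encode()),
                        ticket, now)
    rand_r = os.urandom(16)                         # TRANSFER_RESP carries RANDRr
    # Both sides derive the session key (the TEK, in MIKEY terms) from the TGK and both nonces
    return kdf(tgk_i, b"tek", rand_i, rand_r), kdf(tgk_r, b"tek", rand_i, rand_r)
```

The trust structure is the one the slides describe: the KMS can derive every key, so the scheme is only as strong as each peer's enrolment with it (the SIM, in the 3GPP recommendation) and the ticket lifetime; a peer that is not enrolled, or that is not the responder the ticket names, gets nothing back from `resolve`.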
21. How does it all fit together?
[Figure: SIM identification, used in Federated AuthN (OpenID), used in Delegated AuthZ (OAuth); P2P Key Est. alongside]
› The OAuth Authorization Server authenticates the user using OpenID
› The OpenID Provider authenticates the user using SIM card identification
› The P2P key establishment is largely independent from the other tools (though the peer-KMS trust relation is based on SIM card identification)
23. DEMO – Mashing Google Latitude
23 APIs as of end of September 2011.
24. You can try!
Demo setup: http://eus2.fuatara.com:8080/latitude/
[Figure: demo architecture. HTTP REST Endpoint; Authentication Filter, OAuth Token Filter, Latitude RestClient; Populated Data Model, Freemarker Presentation, GMap Mashup]
25. Q&A
Visit: labs.ericsson.com