The SIM can not only be used for cellular access and connectivity, but also for securing mobile applications. Based on industry standards, the Mobile Web Security Bootstrap enabler allows developers to write application servers that can establish shared secret key between an application server and a mobile web client. The shared secret key can then be used to secure mobile applications that require e.g. authentication, confidentiality, integrity, single sign on among others.

1. Mobile Web Security Bootstrap
A labs.ericsson.com enabler
http://labs.ericsson.com/apis/mobile-web-security-bootstrap/

2. Mobile Web Security Bootstrap
The SIM is commonly used for getting cellular access,
mobile connectivity and access to some mobile services
The SIM proven security features can also be used for
securing any mobile web applications
This enabler provides an API for establishing a secret key
between mobile web clients and web applications
2

3. Why?
Security – As secure as SIM
Standard – Based on industry standard
Acceptance – Many standardized applications
Convenience – Transparent to users
Extensibility – Any applications can exploit the SIM
3

4. Main Features
Based on 3GPP industry standard
Generic Bootstrapping Architecture
Client and server Web/Java APIs available and
documented with examples
HTTP interfaces
Soft client available to allow focusing on the
development of the network side of the web
application
4

5. Overview
Mobile Web
Network
Application Server
Network
Application
Ub interface – Mobile client uses
Application
API to bootstrap a master secret
key
Ua Zn
Ua interface –Mobile Web Client
uses API to derive application- * HTTP
specific master key
Zn interface – Mobile Web Mobile
Web Client Bootstrap
Application Server uses API to
obtain the corresponding Ub Server
application-specific master key Bootstrap
Client HTTP
At the end of the API usage
Subscriber
transactions the client and server
share an application-specific secret- Database
key
Mobile Web Client MWSB
Mobile Web
Security Bootstrap
5

6. Java Client API
Soft Client API provided for focusing on server application
Example showing how to establish a shared key
// Create soft client with user identity and permanent key
GbaClient softclient = new GbaClient(myID, myKey);
// Bootstrap client with master key. btid is the handler.
String btid = softclient.bootstrap();
// Derive application-specific key to be shared with app server
byte[] appKey = softclient.getKsNaf(app_Fqdn);
// Use the app key for HTTP Digest Authentication
boolean authResult = runUaHttpDigest(app_URL, btid, appKey);
6

7. Java Server API
API towards mobile client and API towards MWSB
Servlet example showing how to establish a shared key
// Applicatin Servlet doGet()
// Create application context with Labs authorization API key
GbaNaf app = new GbaNaf(myFqdn, myApiKey)
// Parse GET authorization headers & fetch btid (key Handler)
Authorization authz = Authorization.parse(authorizationHeader);
String btid = authz.getUsername();
// Derive the application-specific key to be shared with client
appKey = app.getKsNaf(btid);
// Use the shared key to authenticate the mobile client
Digest.verify(authorization, appKey)
7

8. Possible applications
Identity Management
Authentication Single Sign On
Integrity Confidentiality
Key Management
8

9. 9