What UICC Means for NFC & Security
Se está descargando tu SlideShare.
×
Eche un vistazo a continuación
Recomendado
Más Contenido Relacionado
Presentaciones para usted (20)
A los espectadores también les gustó (20)
Similares a Secure Elements in Web Applications (20)
Más reciente (20)
Secure Elements in Web Applications
- 1. The Path to Inter-Industry Standards for Utilizing Secure Elements in Web Applications Olivier POTONNIEE, Karen LU September 2015
- 2. Secure Elements and The Web Secure Elements in Web Applications2 Telecom • Login / Strong Authentication Payment • Card-present eCommerce ID • eGov • Authentication & Signature Transport • View balance • Reload / Buy tickets online
- 3. Low level Secure Element APIs PC/SC Open Mobile API (OMAPI) 8.1: 10: 3 Secure Elements in Web Applications
- 4. Cross-Platform Secure Element (SE) API Secure Elements in Web Applications4 PC/SC (MSWindows, MacOS, Linux) OMAPI (Android) NFC Desktop Mobile Web Applications Web Runtime OS Secure Element API Access Control …
- 5. Secure Element API Standardization Proposed to W3C (SysApps & WebCrypto WGs) http://opoto.github.io/secure-element/ Transferred to a GlobalPlatform WG https://github.com/globalplatform Implementation Included in Firefox OS 2.2 (June 2015) 5 Secure Elements in Web Applications
- 6. Secure Element API Secure Elements in Web Applications6 Transport-level API (similar to SIM Alliance’s OMAPI) Secure Element Manager Reader Session Channel Enumerate readers SE insertion / removal events Is SE present? Connect to SE SE ATR Connect to Applet Basic / Logical Transmit APDUs
- 7. Access Control Toolbox Secure Elements in Web Applications7 • PIN • Secure Messaging Mutual AuthentN • GlobalPlatform Access Control Secure Element Security Model • Permissions: Access to device/resources (GPS, storage, etc…) • Same Origin Policy (SOP): Data isolation per domain Web Security Model
- 8. Access Control (1/2): The Web Secure Elements in Web Applications8 • PIN • Secure Messaging Mutual AuthentN • GlobalPlatform Access Control Secure Element Security Model • Permissions: Access to device/resources (GPS, storage, etc…) • Same Origin Policy (SOP): Data isolation per domain Web Security Model
- 9. Domain-binded SE apps (SOP compliant) Secure Elements in Web Applications9 An SE app with one credential per domain An SE app is tied to a single domain, which hosts a centralized service Other apps use a delegation protocol to use the centralized service Identity Provider SAML/OpenID Connect Login Authenticate Service Provider (Relying Party)
- 10. Access Control (2/2): Secure Elements Secure Elements in Web Applications10 • PIN • Secure Messaging Mutual AuthentN • GlobalPlatform Access Control Secure Element Security Model • Permissions: Access to device/resources (GPS, storage, etc…) • Same Origin Policy (SOP): Data isolation per domain Web Security Model
- 11. Access Control Enforcer GlobalPlatform Access Control Secure Elements in Web Applications11 Access Rules SE Application Cached Access Rules User Device Application Access Rule: Authorizes a specific app on device to access a specific app on SE [and send specific commands] http://www.globalplatform.org/specificationsdevice.asp
- 12. Secure Element API to build Trusted Services AuthentN Signature Payment Reload Web Applications … Public APIs Restricted APIs WebRuntime Privilege apps, e.g. Extensions 12 Secure Elements in Web Applications Secure Element API Access Control
- 13. The security palette Secure Elements in Web Applications13 Secure Element Built-ins GlobalPlatform Access Control Trusted Services Domain Binding
- 14. Participate! Secure Elements in Web Applications14 . New Working Group: Hardware Security (HaSec) Will work on use cases and APIs http://www.w3.org/2015/hasec/2015-hasec-charter.html . New Working Group: WebApis-for-SE Will work on APIs and Implementation Chaired by Hank Chavers (hank.chavers at globalplatform.org)
- 15. Thanks! Secure Elements in Web Applications15 Questions?
