
Embedded Authenticators: Coming Soon to Your Personal Device


Presentation Transcript


  1. Embedded Authenticators: Coming Soon to Your Personal Device. October 23, 2007. Stu Vaeth, Diversinet Corp.; Magnus Nyström, RSA, The Security Division of EMC

  2. Introduction • Industry trends for embedded authenticators • Talk focuses on OTP authenticators, but can be applied to PKI • Application examples • Challenges & considerations • Implementation • Deployment • Credential Provisioning • Standards • Summary

  3. Strong Authentication using any Personal Device (figure: mobile OS platforms …)

  4. Industry Figures on Mobile Device Trends • Global mobile phone shipments in 2006 grew 25% to 1 billion units • Smart phone sales grew at ~50% to 80M in 2006 • Over 190 3G systems (WCDMA/HSDPA & CDMA2000 1X EV-DO) in operation (Q1 07) • With penetration reaching >90% in many countries, carriers focusing on ARPU and data applications • Embedded identities & authentication on mobile phone

  5. Mobile Soft Token: Lower Cost, Greater Convenience (figure: the "token necklace" dilemma of one hardware token per service, versus a single-application "multi-token" client on the phone serving multiple applications/online services)

  6. Embedded Authenticator Application Examples

  7. Mobile Soft Token Authentication: 2 Modes (figure) • Assisted/non-connected mode: the soft token on the mobile phone generates an OTP from its stored credentials; the user enters it in a browser or PC application, and the relying party (e.g. online bank, enterprise application) authenticates the OTP against the MobiSecure™ Validation Server over HTTPS or RADIUS • Mobile wireless mode: the phone application submits the OTP to the relying party directly over the wireless network, and the relying party validates it the same way (HTTPS or RADIUS to the validation server)

  8. Remote Access from a Mobile Browser Plug-in (figure) 1. Mobile browser (HTML, JScript) gets URL from the SP/enterprise application server 2. Login prompt 3. MobiSecure browser plug-in requests an OTP from the OTP generator 4. OTP generator generates the OTP from the credentials store 5. OTP returned to the plug-in 6. User ID / password + OTP submitted to the application server 7. Validation request (UID, TID) to the validation server 8. Validation response 9. Access result • + Simple user experience (no OTP entry) • − Limited support for plug-ins on mobile browsers

  9. Mobile Health Wallet/Vault: Display and Remote Control of Personal Health Data (figure) • H-Wallet delivered OTA by SMS and activated OTA; mutually authenticated (OTP) against the Vault Server • Personal data (admission, medication, allergies) secured and backed up on the vault, displayed on the phone • External data sources (health care hospital, clinic, doctors) feed the vault by fax or email

  10. Health Wallet - Guest User One Time Access Code

  11. PC with TrustedFlash™ Card: Access to MNO services (figure: "Please wait while acquiring credentials from TrustedFlash card"; card insert → VIP section with advanced tickets, music events, bonus tracks; OTP entry 123 456 OK) • SD card ships with OTP capability, activated with a credential via an automated internet provisioning process • On card insertion, the user can connect to an online site • Online site has a VIP section only accessible using one-time password technology • Only the user with the card can access online V.I.P. services

  12. Example: Online banking • Authentication using SMS provides two-factor authentication

  13. Authenticators in Mobile Phones: Challenges and Implementation Considerations

  14. Embedded Authenticator Implementation Alternatives • Native (e.g. Symbian, Windows Mobile) • Java Midlet • SIM Toolkit application

  15. Native Implementation • Implementation in Windows Mobile, Symbian, etc. • Typically done in C++, C# • Full access to platform’s capabilities • Easier integration with other native applications (VPN client, Browser, WiFi client,…) • Good performance • Most complex, costly implementation • Ties application to particular platform and UI

  16. Java Midlet Implementation • Easy, well-known implementation environment • Supported by majority of handsets • Platform-independent application • Difficult to leverage by other mobile applications • Not fully standardized platform (e.g. GUI support); differences between vendors complicate developments

  17. SIM-based Application • Most secure implementation • (very) Weak UI • Ties application to network operators • Creates complex business situation • Access to (memory) space is limited and controlled by operators

  18. Soft Token Security Considerations • Sensitive data in credential store: encryption using a key derived from multiple parameters • Code signing: application authenticity and integrity verified before installation on the device • Mobile device clock: synchronization and window management on the server (for time-based algorithms) • Access control: user access code (PIN) for management actions; access code optional for OTP generation; idle-timeout management to prevent unauthorized access to the token when the application is running and the phone is misplaced
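The following is an added example, not code from the presentation or from either vendor's products, showing the two server/client mechanisms slide 18 names for a time-based soft token: OTP generation per RFC 4226/6238, a validation server that tolerates a drifting phone clock within a small window while rejecting replays, and a credential-store key derived from more than one parameter (here the user PIN plus a device identifier, both assumed names). The seed, salt and device ID are constructed sample values; a production store would additionally encrypt the seed with an authenticated cipher, which the standard library does not provide and which is omitted here.

```python
import hashlib
import hmac
import struct
from typing import Optional

# --- OTP generation (RFC 4226 HOTP; TOTP is HOTP over a time counter) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 OTP with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of `step`-second periods elapsed."""
    return hotp(secret, unix_time // step, digits)


# --- Server side: window management for a phone whose clock drifts ---

class ValidationServer:
    """Accepts a code within +/- `window` steps of the expected counter,
    remembers the phone's learned clock offset, and rejects replays."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.drift = 0                      # learned phone clock offset, in steps
        self.last_counter: Optional[int] = None  # highest counter already accepted

    def validate(self, code: str, now: int) -> bool:
        base = now // self.step + self.drift
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if self.last_counter is not None and counter <= self.last_counter:
                continue  # that step (or an older one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.drift += delta         # resynchronise to the phone's clock
                self.last_counter = counter
                return True
        return False


# --- Client side: credential-store key derived from multiple parameters ---

def derive_store_key(pin: str, device_id: str, salt: bytes,
                     iterations: int = 100_000) -> bytes:
    """Store key bound to both the user PIN and a device parameter (assumed
    to be a device identifier), so a copied store is useless on another device."""
    material = pin.encode() + b"\x00" + device_id.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)


def seal_seed(seed: bytes, store_key: bytes) -> bytes:
    """Integrity tag over the stored seed under the store key."""
    return hmac.new(store_key, seed, hashlib.sha256).digest()


def unlock_seed(seed: bytes, tag: bytes, pin: str, device_id: str,
                salt: bytes) -> Optional[bytes]:
    """Release the seed only if PIN and device parameter reproduce the tag;
    a wrong PIN or a foreign device yields None instead of a usable seed."""
    key = derive_store_key(pin, device_id, salt)
    if not hmac.compare_digest(seal_seed(seed, key), tag):
        return None
    return seed


if __name__ == "__main__":
    # Constructed sample seed (the RFC 4226 test secret) and a drifting phone.
    seed = b"12345678901234567890"
    server = ValidationServer(seed)
    print(server.validate(totp(seed, 59), 59))        # in sync
    print(server.validate(totp(seed, 89), 59))        # phone one step ahead
    print(server.validate(totp(seed, 89), 59))        # replay of the same step
```

The drift variable is what the slide calls "window management on server": once a phone is found one step ahead, the server moves its expectation rather than widening the window, so the accepted range stays small. The `last_counter` check is the piece most often forgotten in home-grown validators and is what turns a stolen-but-already-used code into a useless one.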

  19. Mobile Soft Token Deployment Challenges Why aren’t more people using mobile soft tokens today? • Customer support cost with applications on mobile phones • Larger issue for consumer market than enterprise • User acceptance for mobile app download (varies by region/ demographics) • Mobile operator policies for open internet browsing vs. “walled garden” models • E.g., Verizon BREW • Data plan requirement for token download scenario • Policies and fees vary by carrier • Alternatives to OTP for user authentication (e.g., risk-based auth) • User transparency vs. security Good news – trends support simple deployment, broad acceptance

  20. Credential Provisioning Alternatives • At Manufacturing time • Use SMS • Use Device Management protocols • Using Mobile Browser/Internet

  21. Credential Provisioning Alternative: Manufacturing time • Totally seamless user experience • Potentially highly secure • Ties device vendors to particular solutions • Complex business model • Static solution

  22. Credential Provisioning Alternatives: SMS • Use (binary) SMS to bootstrap provisioning process • Application registers to listen to these SMS messages • Relatively transparent user experience • Requires operator support (for these SMS messages) • Requires operator agreements • Relatively fragile (message delivery assurances)

  23. SMS-based Provisioning: User Experience

  24. Credential Provisioning Alternatives: OMA DM • Mobile-Industry standard for Device Management • Builds on SyncML • Intended for object synchronization but may be used to provision mobile applications, credentials • Wide industry support • Potentially nice user experience – with “push” option, may be totally transparent • Need for custom client code • Introduces “superfluous” layer in protocol stack • Somewhat “chatty” protocol (XML)

  25. OTA Provisioning of Soft Tokens on Mobile Phones: High Level Process Flow (figure) • User channel: the user registers online, receives an SMS or email notification, then downloads the soft token and credential over the Internet • Server side: the enterprise/bank enrollment application processes the token order, and registration & provisioning binds phone number, token ID and credential

  26. Soft Token Provisioning – Technical Flow (figure) • (1) REGISTER: the administrator and/or user, from a browser or application, submits a web form or SPML web-service call to the provisioning server and receives an HTTP or SPML web-service response; the server then sends an SMS or email download service indication • (2) DOWNLOAD: the mobile browser fetches the SoftToken download package over HTTP/S or MIDP download, with automatic device detection • (3) ACTIVATE: the SoftToken app runs the OTA credential provisioning protocol (IETF KEYPROV or vendor-specific) against the provisioning server

  27. Credential Provisioning: Standardization work related to mobile authenticators • 3GPP GBA, GAA: the telco industry's architecture for provisioning of keys based on an initial (U/I)SIM authentication • Cryptographic Token Key Initialization Protocol (CT-KIP): OTPS document from RSA Laboratories, published as RFC 4758 • IETF KEYPROV: IETF working group to define symmetric key provisioning protocols and associated credential containers
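To make the ACTIVATE step of slide 26 and the provisioning protocols of slide 27 concrete, here is an added example of a nonce-exchange provisioning run between a soft-token client and a provisioning server. It is loosely modelled on the four-pass shape of CT-KIP (RFC 4758), in which each side contributes a nonce and both derive the token key from the nonces plus a key only they hold, but it is not a conformant implementation of RFC 4758 or of any KEYPROV protocol: it assumes a pre-shared activation secret delivered out of band (e.g. the activation code in the SMS/email of slide 25) and uses HMAC-SHA256 where the real protocol uses public-key wrapping and its own PRF. All names, the token ID and the secret are constructed for the example; no code here comes from the presentation or either vendor.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def prf(key: bytes, label: bytes, *parts: bytes, length: int = 20) -> bytes:
    """Pseudo-random function: HMAC-SHA256 over a label and length-prefixed
    inputs, truncated to `length` bytes (20 bytes = an HOTP-SHA1 seed)."""
    data = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()[:length]


class ProvisioningServer:
    def __init__(self, token_id: str, activation_secret: bytes):
        self.token_id = token_id
        self.k = activation_secret          # delivered out of band to the user
        self.r_s: Optional[bytes] = None
        self.token_key: Optional[bytes] = None

    def hello(self) -> dict:
        """Pass 1 (server): fresh nonce plus the OTP algorithm the token must use."""
        self.r_s = secrets.token_bytes(16)
        return {"token_id": self.token_id, "r_s": self.r_s, "alg": "HOTP-SHA1-6"}

    def finish(self, response: dict) -> Optional[dict]:
        """Pass 3 (server): check the client's proof of k over both nonces,
        derive the token key, answer with a confirmation MAC. None on failure."""
        expected = prf(self.k, b"client-auth", response["r_c"], self.r_s, length=32)
        if not hmac.compare_digest(expected, response["mac"]):
            return None
        self.token_key = prf(self.k, b"Key generation", response["r_c"], self.r_s)
        confirm = prf(self.token_key, b"confirm", self.token_id.encode(), length=32)
        return {"token_id": self.token_id, "confirm": confirm}


class SoftTokenClient:
    def __init__(self, activation_secret: bytes):
        self.k = activation_secret
        self.r_c: Optional[bytes] = None
        self.candidate_key: Optional[bytes] = None
        self.token_key: Optional[bytes] = None   # stored only after confirmation

    def respond(self, hello: dict) -> dict:
        """Pass 2 (client): contribute a nonce, bound to the server nonce under k."""
        self.r_c = secrets.token_bytes(16)
        self.candidate_key = prf(self.k, b"Key generation", self.r_c, hello["r_s"])
        mac = prf(self.k, b"client-auth", self.r_c, hello["r_s"], length=32)
        return {"r_c": self.r_c, "mac": mac}

    def activate(self, confirm: Optional[dict]) -> bool:
        """Pass 4 (client): keep the key only if the server proves it derived
        the same one; otherwise no credential is written to the store."""
        if confirm is None or self.candidate_key is None:
            return False
        expected = prf(self.candidate_key, b"confirm",
                       confirm["token_id"].encode(), length=32)
        if not hmac.compare_digest(expected, confirm["confirm"]):
            return False
        self.token_key = self.candidate_key
        return True


def run_provisioning(tamper_server_nonce: bool = False) -> dict:
    """Drive the four passes; optionally replace R_S in transit as an
    on-path attacker without k would."""
    k = b"constructed activation secret"        # constructed sample value
    server = ProvisioningServer("TKN-0001", k)
    client = SoftTokenClient(k)
    hello = server.hello()
    if tamper_server_nonce:
        hello = dict(hello, r_s=bytes(16))
    confirm = server.finish(client.respond(hello))
    activated = client.activate(confirm)
    return {"activated": activated,
            "keys_match": activated and client.token_key == server.token_key}


if __name__ == "__main__":
    print(run_provisioning())
    print(run_provisioning(tamper_server_nonce=True))
```

Two properties carry over from the real protocols and are worth checking in any vendor-specific scheme: the token key is never sent over the air, only derived on both ends from nonces plus a secret, and the client writes nothing to its credential store until the server's confirmation MAC verifies, so a tampered or truncated exchange leaves the phone with no half-provisioned credential.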

  28. Summary and Future Outlook • Trends point to broad adoption of authenticators built into mobile/personal devices • User acceptance and technology advancements • Self-service OTA provisioning can make deployment simple and low cost • Need effective customer support strategy in place • Future applications • Mobile payments and banking (starting on small scale) • Contactless POS, Ticketing, Currency trading, Bill pay • User-centric identity management (from PC to mobile phone) • Digitally signed mobile transactions

  29. Contact • Stu Vaeth: svaeth@diversinet.com • Magnus Nyström magnus@rsa.com • IETF Keyprov http://www.ietf.org/html.charters/keyprov-charter.html • One-Time Password Specifications http://www.rsa.com/rsalabs/node.asp?id=2816 Thanks for your attention!
