The enabler of solutions
Alexander Summerer, Giesecke & Devrient, 30th Oct. 2014
SIMalliance API
- Allows usage of Secure Elements in mobile devices
- Designed for open handset OS platforms
- Common API for apps: OS and programming language agnostic
- Access to all kinds of Secure Elements
- Easy-to-use API for APDU communication
(Figure: Mobile Applications communicate through the API with Secure Elements)
- The enabler of solutions 10/30/2014 Page 2
Motivation: Use Case Examples
- Payment
- Network Access
- Ticketing
- Identity Management
- Company Access
(Figure: Mobile Applications on one side, Secure Elements on the other)
Architecture of Application Layer
(Figure: layered stack inside the Mobile Device, top to bottom)
- Mobile Applications
- APIs, covered by Test Specifications:
  - Service Layer: Crypto API (PKCS / JCE), File Management, Authentication, Secure Storage, further functions
  - Transport Layer: Generic Transport, Access Control
- SE provider, behind the Secure Element Provider Interface: SIM plug-in, µSD plug-in, further SE plug-ins; Crypto provider, File system, Storage, Access Control, further functions
- Secure Elements (e.g. SIM, Secure µSD, ...)
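The transport layer of this stack carries ISO 7816-4 APDUs between an app and a Secure Element. The following is an added example, not code from the slides, from G&D or from SIMalliance: it frames a command APDU, parses the response and its status word, and exercises the round trip against a constructed mock Secure Element (class `MockSecureElement`, the demo AID `F0 00 00 00 01 00 00 01` and all function names are assumptions made for this example).

```python
"""Added example (not from the slides): framing the ISO 7816-4 APDUs that the
transport layer carries between an app and a Secure Element."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed AID for the demo applet (proprietary F0 range, not a real product).
AID_DEMO = bytes.fromhex("F000000001000001")


@dataclass(frozen=True)
class CommandApdu:
    """Short command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None  # None: no response data expected

    def to_bytes(self) -> bytes:
        for v in (self.cla, self.ins, self.p1, self.p2):
            if not 0 <= v <= 0xFF:
                raise ValueError("header fields must fit in one octet")
        if len(self.data) > 255:
            raise ValueError("a short APDU carries at most 255 data bytes")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data
        if self.le is not None:
            if not 0 <= self.le <= 256:
                raise ValueError("short Le is 0..256 (256 is encoded as 0x00)")
            out += bytes([self.le % 256])
        return out


def select_by_aid(aid: bytes) -> CommandApdu:
    """SELECT by DF name (CLA 00, INS A4, P1 04, P2 00): the first command an
    app sends after opening a logical channel to an applet."""
    if not 5 <= len(aid) <= 16:
        raise ValueError("an AID is 5 to 16 bytes long")
    return CommandApdu(0x00, 0xA4, 0x04, 0x00, aid, le=0)


@dataclass(frozen=True)
class ResponseApdu:
    """Response APDU: [data] SW1 SW2."""
    data: bytes
    sw1: int
    sw2: int

    @property
    def sw(self) -> int:
        return (self.sw1 << 8) | self.sw2

    @property
    def ok(self) -> bool:
        return self.sw == 0x9000

    @classmethod
    def parse(cls, raw: bytes) -> "ResponseApdu":
        if len(raw) < 2:
            raise ValueError("a response APDU carries at least SW1 SW2")
        return cls(bytes(raw[:-2]), raw[-2], raw[-1])


# Status words an app should be prepared to handle (ISO 7816-4).
STATUS_WORDS = {
    0x9000: "success",
    0x6A82: "file or application not found",
    0x6982: "security status not satisfied",
    0x6D00: "instruction not supported",
    0x6E00: "class not supported",
}


def describe_sw(sw: int) -> str:
    """Meaning of a status word, including the ranged ones (61xx, 6Cxx, 63Cx)."""
    if sw >> 8 == 0x61:
        return f"success, {sw & 0xFF} more response bytes available via GET RESPONSE"
    if sw >> 8 == 0x6C:
        return f"wrong Le, re-issue the command with Le={sw & 0xFF}"
    if sw >> 8 == 0x63 and (sw & 0xF0) == 0xC0:
        return f"verification failed, {sw & 0x0F} tries left"
    return STATUS_WORDS.get(sw, f"unknown status word 0x{sw:04X}")


class MockSecureElement:
    """Constructed stand-in for the SE behind a transport plug-in: answers
    SELECT for the AIDs it hosts and rejects everything else."""

    def __init__(self, installed_aids: Iterable[bytes]):
        self._aids = {bytes(a) for a in installed_aids}

    def transmit(self, command: bytes) -> bytes:
        cla, ins, p1, _p2 = command[:4]
        if cla == 0x00 and ins == 0xA4 and p1 == 0x04:
            lc = command[4]
            aid = command[5:5 + lc]
            if aid in self._aids:
                return b"\x6F\x00" + b"\x90\x00"  # empty FCI template, then 9000
            return b"\x6A\x82"
        return b"\x6D\x00"


def select_applet(se: MockSecureElement, aid: bytes) -> ResponseApdu:
    """What an app does over the transport API: send SELECT, parse the reply."""
    return ResponseApdu.parse(se.transmit(select_by_aid(aid).to_bytes()))


if __name__ == "__main__":
    resp = select_applet(MockSecureElement([AID_DEMO]), AID_DEMO)
    print(resp.data.hex(), describe_sw(resp.sw))
```

The parser keeps the status word separate from the data so an app cannot mistake a 6A82 for payload, and `describe_sw` covers the ranged status words (61xx, 6Cxx, 63Cx) that a naive `== 0x9000` check silently mishandles.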
Reference implementation (SEEK)
- Open-source project maintained by G&D since 2010
- Reference implementation for Android
- Integrated by almost all NFC Android handsets
- Offers drivers, applications, code samples, guidelines
Revisions
- Oct 2010: Kick-Off
- Mar 2011: Release 1.01, Transport API
- Nov 2011: Release 2.02, Transport API + Service API
- Jul 2012: Release 2.03, Maintenance
- Dec 2013: Release 2.04, Maintenance + Recommendations for implementers
- Feb 2014: Release 2.05, Maintenance
- Nov 2014 (current schedule, public draft available): Release 3.0, Maintenance + ANSI-C header
Compliance
Device Compliance program for the API:
- Mar 2013: Kick-Off
- Mar 2014: Test Spec. 1.0, Transport API
- Jul 2014: Test Spec. 1.1, Transport API Maintenance
- Sep 2014: Test Applet
- Nov 2014 (current schedule): Test Spec. 2.0, incl. C-Interface
Identity Management
- Access Management: Authentication & Authorization
- Identity Management: Credential Issuance & Life-Cycle Management, Enrolment
(Figure: Mobile Applications use credentials; Secure Elements, including external Secure Elements, manage credentials)
Solution: Secure Authentication
1. Connect: the application connects to the Application Server
2. Forward: the Application Server forwards the request to the Authentication Server
3. Out-of-band authentication: challenge-response protocol via OTA (OTP, PKI based or symmetric signatures)
4. Grant access
Supported protocols: GSMA Mobile Connect, OATH, SAML, OpenID, FIDO
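The out-of-band step above, carried through with the symmetric-signature variant, as an added example that is not part of the slides and not G&D's or any listed protocol's code: the Authentication Server issues a nonce over OTA, the SIM applet answers with an HMAC over that nonce bound to the SIM identity and to the application server that forwarded the login, and the server verifies with a constant-time compare, rejects replays (each challenge is single use) and expires unanswered challenges. Class names, the HMAC-SHA256 choice, the 60-second lifetime and the demo key are assumptions made for this example.

```python
"""Added example (not from the slides): the out-of-band challenge-response
step with symmetric signatures, keyed by a secret held in the SIM applet."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CHALLENGE_TTL_S = 60  # assumed lifetime of an unanswered challenge


@dataclass(frozen=True)
class Challenge:
    challenge_id: str
    nonce: bytes
    subject: str    # SIM identity the challenge is bound to
    audience: str   # application server that forwarded the login (step 2)
    issued_at: float


def _signed_message(ch: Challenge) -> bytes:
    """Canonical bytes both sides MAC. Fields are length-prefixed so two
    different (nonce, subject, audience) triples never encode the same."""
    parts = (ch.nonce, ch.subject.encode(), ch.audience.encode())
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


class SimApplet:
    """Stand-in for the applet in the SIM: holds the key and signs challenges.
    In the real design the key never leaves the Secure Element."""

    def __init__(self, key: bytes):
        self._key = key

    def sign_challenge(self, ch: Challenge) -> bytes:
        return hmac.new(self._key, _signed_message(ch), hashlib.sha256).digest()


class AuthenticationServer:
    """Issues challenges over OTA (step 3) and decides on access (step 4)."""

    def __init__(self, keys: Dict[str, bytes],
                 now: Callable[[], float] = time.time):
        self._keys = keys            # per-subject keys shared with the SIM applets
        self._now = now              # injectable clock, so expiry is testable
        self._pending: Dict[str, Challenge] = {}

    def issue_challenge(self, subject: str, audience: str) -> Challenge:
        ch = Challenge(secrets.token_hex(8), secrets.token_bytes(16),
                       subject, audience, self._now())
        self._pending[ch.challenge_id] = ch
        return ch

    def verify(self, challenge_id: str, signature: bytes) -> bool:
        ch = self._pending.pop(challenge_id, None)  # single use: a replay fails
        if ch is None or self._now() - ch.issued_at > CHALLENGE_TTL_S:
            return False
        key = self._keys.get(ch.subject)
        if key is None:
            return False
        expected = hmac.new(key, _signed_message(ch), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)  # constant-time compare


def login_flow(server: AuthenticationServer, applet: SimApplet,
               subject: str, audience: str) -> bool:
    """Steps 1-4 of the slide collapsed into one call: challenge goes out OTA,
    the SIM answers, the server returns the grant/deny decision."""
    ch = server.issue_challenge(subject, audience)
    sig = applet.sign_challenge(ch)
    return server.verify(ch.challenge_id, sig)


if __name__ == "__main__":
    DEMO_KEY = bytes(range(32))  # constructed demo key, provisioned to the SIM via OTA
    server = AuthenticationServer({"sim-001": DEMO_KEY})
    print("granted:", login_flow(server, SimApplet(DEMO_KEY), "sim-001", "portal.example"))
```

Binding the audience into the signed message means a response obtained for one application server cannot be presented to another; popping the challenge before checking anything makes a second presentation of the same signature fail regardless of timing.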
Solution: Secure Cloud Storage
- Key and Certificate Management System: key management via OTA
- Cloud Storage (Dropbox, Google Drive, ...)
- Applications upload and download encrypted files
Solution: Secure System Login
- Key and Certificate Management System: certificate management, key management via OTA
- Domain Controller: verification
- Applications
Solution: Secure Voice
- Key and Certificate Management System: certificate management, key management via OTA
- SIP Server: 1. Registration, 2. Mutual Authentication, 3. Secure Voice & Messaging (VoIP communication)
Solution: Derived Credentials
- Step 1) Authentication (Derived Credential Issuer)
- Step 2) Derived Credential Download (Derived Credentials Provisioning System)
- Remote provisioning of Derived Credentials, e.g. NIST SP 800-157, Guidelines for Personal Identity Verification (PIV) Derived Credentials; e.g. PIV Derived Credential Applet
- Local provisioning of Derived Credentials, e.g. EN 419212 (former 14890), Privacy based Chip Authentication (PCA); e.g. eIDAS (ANSSI, BSI, ANTS) Applet
Solution: Vodafone Secure SIM
Secure Login
- 2-factor authentication (access data + SIM identity)
- Login with end-to-end encryption
- Seamless integration into existing IT infrastructures
- No additional hardware required
- Easy administration via web admin portal
Secure Data
- Encryption of e-mails, documents, storage and VPN
- PKI keys and certificates are stored in the SIM
- Seamless integration into existing security technologies
- Additional hardware (smart cards, security tokens) not needed
- Easy administration via web admin portal
Vodafone Secure SIM: http://www.vodafone.de/business/firmenkunden/loesungen/security.html
Trusted Execution Environment for Smart Connected Device
(Figure: the processor is split into a Normal World and a Secure World. Normal World: Rich Apps, Rich OS, TEE Client API, TEE Driver Kernel Module. Secure World: Trusted Apps, Secure OS on a Microkernel, Core API, SE-API, Trusted UI, with access to the Secure Elements.)
- GP TEE Trusted User Interface: API for secure user entry (e.g. PIN); v1.0 was published in June 2013
- GP TEE Secure Element API: API for Secure Element access; v1.0 was published in August 2013
- Funding project: G&D currently implements a prototype compliant
TEE Remote provisioning for Service Providers
(Figure: the Trusted Service Manager downloads Trusted Apps to the TEE (Microkernel) and applets to the Secure Elements over OTA, and manages credentials for the secure apps.)
- Management of SE and TEE security domains to reflect the business relationships
- Provisioning and deployment of SE applets and Trusted Applications for the TEE
- Personalized OTA access and lifecycle management of data and operations for an unlimited number of devices
Conclusion
- The API is implemented in many handsets (e.g. Android NFC devices from HTC, LG, Sony, Samsung)
- Device qualification is established
- A variety of solutions is possible; first commercial services exist
- The API enables solutions that connect Mobile Applications with Secure Elements; the TEE SE API enables TEE based solutions
Thank you for your attention!
Alexander Summerer, Technology Consultant Mobile Security
Giesecke & Devrient GmbH, Prinzregentenstrasse 159, 81607 Munich, GERMANY
www.gi-de.com
Telephone +49 89 4119-2418
alexander.summerer@gi-de.com