Key Management Service on Ericsson Labs

key management service A labs.ericsson.com API https://labs.ericsson.com/apis/key-management-service/

Upload: ericsson-labs

Post on 28-May-2015


DESCRIPTION

https://labs.ericsson.com/apis/key-management-service/ With the Key Management Service, two parties can establish a shared secret key via an easy-to-use API. The service provides strong, mutual authentication and the shared key can be used to secure any type of communication including voice calls, conferencing, video, chat, immediate messaging, file transfer, and so forth.

TRANSCRIPT

Page 1: Key Management Service on Ericsson Labs

key management service

A labs.ericsson.com API https://labs.ericsson.com/apis/key-management-service/

Page 2: Key Management Service on Ericsson Labs

© Ericsson AB 2010 | Page 2

Key management service

› Secure P2P service

› This service allows two clients to establish a shared secret key via an easy-to-use API

› The key can be used to secure all types of peer-to-peer communication e.g. voice calls, conferencing, video, chat, immediate messaging, file transfer, etc.

› Since MWSB (GBA) is used for bootstrapping, nothing new needs to be managed or distributed

Page 3: Key Management Service on Ericsson Labs


WHY key management service?

› Existing security enablers (MWSB and OAuth2) are client-server – not peer-to-peer

› Currently key management for P2P is complicated and therefore not used

› The Secure P2P enabler gives app developers an easy-to-use API

› Extensibility – can be used to secure any type of P2P communication

› Standard – recently standardized in 3GPP and IETF

Page 4: Key Management Service on Ericsson Labs


Overview

Page 5: Key Management Service on Ericsson Labs


C API Usage

› An easy-to-use C library is available on the Ericsson Labs portal

› The library handles message creation/parsing and the communication with the KMS

› As a developer, all you need to do is:

– Set up the Initiator and Responder

– Deliver the Initiator’s initmsg (output by the library) to the Responder

– Deliver the Responder’s respmsg (also output by the library) to the Initiator

› Once the above is done, the shared key can be retrieved by calling the function get_key()

Page 6: Key Management Service on Ericsson Labs


C API usage – Initiator

client_t *initiator;
char *initmsg, *respmsg;
unsigned char key[KEY_LEN];

// Set up the Initiator KMS client
initiator = client_init(IMPI_I, IMPU_I, KEY_I, APIKEY, HTTP_PROXY);

// Create the init message that must be delivered to the Responder
initmsg = create_transfer_init(initiator);

// < application specific: initmsg is sent and respmsg is received >

// Process the Responder's response message
parse_transfer_resp(initiator, respmsg);

// Retrieve the shared key
get_key(initiator, key);

// < Use key to secure Initiator-Responder communication >

Note: The Initiator IMPI, IMPU, and key are obtained via the MWSB API at Ericsson Labs

Page 7: Key Management Service on Ericsson Labs


C API usage – Responder

client_t *responder;
char *respmsg, *initmsg;
unsigned char key[KEY_LEN];

// Set up the Responder KMS client
responder = client_init(IMPI_R, IMPU_R, KEY_R, APIKEY, HTTP_PROXY);

// < application specific: initmsg is received from Initiator >

// Process the Initiator's init message; the library outputs the response message
respmsg = parse_transfer_init(responder, initmsg);

// < application specific: respmsg is sent to Initiator >

// Retrieve the shared key
get_key(responder, key);

// < Use key to secure Initiator-Responder communication >

Note: The Responder IMPI, IMPU, and key are obtained via the MWSB API at Ericsson Labs

Page 8: Key Management Service on Ericsson Labs


Example applications

Secure chat

Secure messaging

Secure voice

Secure conferencing

Secure video

Secure file transfer

Any application requiring confidentiality, authentication, or integrity
