Leveraging UICC with Open Mobile API for Secure Applications and Services

Ran Zhou

Introduction and Motivation

• Until 2011, there were 6 billion mobile subscriptions (87% of the population)• UICC serves as the security anchor in mobile telecom network• Java Card make the UICC more powerful: digital signature, cryptography…• UICC is an ideal module to enhance the security level of terminal application• Interface is required to fill the gap between UICC applet and terminal application• Open Mobile API is proposed to provide this interface• A Dual Application Architecture together with the access control mechanism will

be introduced• As an example to be implemented: an UICC-based Local OpenID protocol will be

considered in this thesis

OpenID Provider (Network Operator)

OpenID Provider (Network Operator)

Relying PartyRelying Party

UserUserDevice with

Local OP ServerDevice with

Local OP Server

Relying PartiesRelying Parties

Association

Log-on

Trust (Long Term Secret)

Local authentication

OpenID Provider (Network Operator)

OpenID Provider (Network Operator)

Relying PartyRelying Party

UserUserDevice with

Local OP ServerDevice with

Local OP Server

Relying PartiesRelying Parties

Association

Log-on

Trust (Long Term Secret)

Local authentication

Agenda

• Introduction and Motivation• Basic Technologies– UICC– SIMalliance Open Mobile API– OpenID

• Concept of Local OpenID• Thesis Outline• Time Plan

Universal Integrated Circuit Card: UICC

• UICC is a smart card used in mobile terminals within telecom networks [1]

• It provides authentication secure storage crypto algorithms …

• Java Card as UICC can provide [2]

Hash functions: MD5, SHA-1, SHA-256 … Signature functions: HMAC … Public-key cryptography: RSA … Symmetric-key cryptography: AES, DES … …

?

UICC – Related Technologies• Toolkit

• Smart Card Web Server

• Generic Bootstrapping Architecture (GBA)

• Open Mobile API

[3]

Open Mobile API

Open Mobile API is established by SIMalliance as an open API between the Secure Element and the Terminal Applications [4]

• Crypto• Authentication• Secure Storage• PKCS#15• …

Open Mobile API

Open Mobile API3 Layers [5]

- Transport Layer: using APDUs for accessing a Secure Element- Service Layer: provide a more abstract interface for functions on SE- Application Layer: represents the various applications using Open Mobile API

Figure 1: Architecture overview

Dual Application Architecture

• NFC (Near Field Communication) services• Payment services• Ticketing services• Loyalty services (Kundenbindungsmaßnahmen)• ID Management services (e.g. Single Sign-On)

UICC

Terminal Application

Open Mobile API

Transport Layer

Access Control Module

Access Control Table

OpenID Provider

Relying Party

UserDevice

Relying Parties

Submit OpenID

Association

User authentication

Log-on

OpenID

OpenID Weakness[6]

PhishingAn “Identity

System” without Trust: no authority can promise OpenID rzhou.myopenid.com is Ran Zhou

RedirectsCommunication

Overhead: lots of HTTP requests

Phishing Sensitive data remains on UICC

An “identity system” without Trust: no authority can promise OpenID rzhou.myopenid.com is Ran Zhou.

Trusted Identity through Network Operator (contract)

RedirectsLocal OpenID Server interface

Communication Overhead: lots of HTTP requestsSignificantly reduced authentication traffic

Terminal part is developed by a project partner of MorphoIntegration of UICC is the main topic of this thesis

Concept: Local OpenID Server with UICC

Network OpenID Provider

Relying Party

UserLocal OP Provider =

Mobile Application + UICC Applet

Relying Parties

Association

Signed Assertion(with same derivated key)

Local OpenID Architecture

Trust (Long-Term Secret)

Local authentication (with PIN)

Association Handle + Derivated KeySubmit O

penID

Associa

tion Han

dle

Contents1. INTRODUCTION

1.1 Motivation1.2 Solution Idea1.3 Overview2. UICC AND JAVA CARD2.1 UICC2.2 Java Card

2.2.1 Introduction2.2.2 Security and Crypto2.2.3 New Features in Java Card 3

2.3 Related Technologies2.3.1 SIM Toolkit2.3.2 Smart Card Web Server2.3.3 Generic Bootstrapping Architecture3. OPEN MOBILE API

3.1 Introduction3.2 Fundamental Structure3.3 Use Pattern3.4 Access Control3.5 Application Scenario4. LOCAL OPENID4.1 OpenID Protocol

4.1.1 Introduction4.1.2 Weakness of OpenID

4.2 SAML Protocol4.2.1 Introduction4.2.2 Weakness of SAML

Contents4.3 Local OpenID Protocol

4.3.1 Introduction4.3.2 Architecture and Description4.3.3 Compare of OpenID, SAML and Local OpenID5. IMPLEMENTATION

5.1 Platform5.1.1 Introduction of Android5.1.2 Android Security Management

5.2 App on UICC5.2.1 Applet on UICC5.2.2 Algorithms and Functions5.2.3 Configuration of UICC5.2.4 PKCS15 Structure5.2.5 Implementation

5.3 App on Android5.3.1 Functional Description5.3.2 Open Mobile API in Android5.3.3 Implementation

5.4 Test5.4.1 Test Environment5.4.2 Test Procedure5.4.3 Test Result

5.5 Weakness Analysis6. SUMMARY AND FUTURE WORK6.1 Summary6.2 Future Work

Time plan

Investigate and design

Nov Dec Jan Feb Mar Apr May

1st Implementation

2nd Implementation

Jun

1st Thesis

2nd Thesis

Final Thesis

Test

Thanks! Questions?

References

[1] Rankl, W. (2oo8), Handbuch der Chipkarten, Carl Hanser Verlag München.[2] Sun Microsystems, I. (2006), 'Application Programming Interface Java Card™ Platform, Version 2.2.2'.[3] Wikipedia, t. f. e. (2012), 'Generic Bootstrapping Architecture'.[4] SIMalliance (2011), 'SIMalliance Open Mobile API An Introduction'.[5] SIMalliance (2011), 'Open Mobile API specification V2.02', SIMalliance.[6] van Delft, B. (2010), 'A Security Analysis of OpenID', IFIP Advances in Information and Communication Technology 343/2010, 73-84.