Transcript
Page 1: Key Management Service on Ericsson Labs

Key management service

A labs.ericsson.com API

https://labs.ericsson.com/apis/key-management-service/

Page 2: Key Management Service on Ericsson Labs

© Ericsson AB 2010 | Page 2

Key management service

› Secure P2P service

› This service allows two clients to establish a shared secret key via an easy-to-use API

› The key can be used to secure all types of peer-to-peer communication e.g. voice calls, conferencing, video, chat, immediate messaging, file transfer, etc.

› Since MWSB (GBA) is used for bootstrapping, nothing new needs to be managed or distributed

Page 3: Key Management Service on Ericsson Labs

WHY key management service?

› Existing security enablers (MWSB and OAuth2) are client-server – not peer-to-peer

› Currently key management for P2P is complicated and therefore not used

› The Secure P2P enabler gives app developers an easy-to-use API

› Extensibility – can be used to secure any type of P2P communication

› Standard – recently standardized in 3GPP and IETF

Page 4: Key Management Service on Ericsson Labs

Overview

Page 5: Key Management Service on Ericsson Labs

C API Usage

› An easy-to-use C library is available on the Ericsson Labs portal

› The library handles message creation/parsing and the communication with the KMS

› As a developer, all you need to do is:

– Set up the Initiator and Responder

– Deliver the Initiator’s initmsg (output by the library) to the Responder

– Deliver the Responder’s respmsg (also output by the library) to the Initiator

› Once the above is done, the shared key can be retrieved by calling the function getKey()

Page 6: Key Management Service on Ericsson Labs

C API usage – Initiator

client_t *initiator;
char *initmsg, *respmsg;
unsigned char key[KEY_LEN];

// Set up the Initiator KMS client
initiator = client_init(IMPI_I, IMPU_I, KEY_I, APIKEY, HTTP_PROXY);

// Create the message to deliver to the Responder
initmsg = create_transfer_init(initiator);

// < application specific: initmsg is sent and respmsg is received >

// Process the Responder's reply
parse_transfer_resp(initiator, respmsg);

// Retrieve the shared key
get_key(initiator, key);

// < Use key to secure Initiator-Responder communication >

Note: The Initiator IMPI, IMPU, and key are obtained via the MWSB API at Ericsson Labs

Page 7: Key Management Service on Ericsson Labs

C API usage – Responder

client_t *responder;
char *respmsg, *initmsg;
unsigned char key[KEY_LEN];

// Set up the Responder KMS client
responder = client_init(IMPI_R, IMPU_R, KEY_R, APIKEY, HTTP_PROXY);

// < application specific: initmsg is received from Initiator >

// Process the Initiator's message and produce the reply
respmsg = parse_transfer_init(responder, initmsg);

// < application specific: respmsg is sent to Initiator >

// Retrieve the shared key
get_key(responder, key);

// < Use key to secure Initiator-Responder communication >

Note: The Responder IMPI, IMPU, and key are obtained via the MWSB API at Ericsson Labs
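
The "application specific" steps on both slides move initmsg and respmsg over a channel the application chooses, so each side holds bytes from the network before it calls parse_transfer_init() or parse_transfer_resp(). The block below is an added example, not part of the Ericsson Labs library or the original slides: a small frame codec that rejects malformed input before the message reaches the library. The frame layout, the FRAME_* types, MAX_KMS_MSG and the assumption that the messages are NUL-terminated text (they are declared char * above) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_KMS_MSG 4096u                 /* assumed upper bound, not from the library */
enum { FRAME_INIT = 1, FRAME_RESP = 2 };  /* hypothetical frame types */

/* Frame layout (hypothetical): type (1 byte) | length (2 bytes, big-endian) | text.
 * Returns the number of bytes written to out, or 0 if msg cannot be framed. */
size_t frame_encode(uint8_t type, const char *msg, uint8_t *out, size_t cap)
{
    size_t n = strlen(msg);
    if (n == 0 || n > MAX_KMS_MSG || cap < n + 3)
        return 0;
    out[0] = type;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n & 0xff);
    memcpy(out + 3, msg, n);
    return n + 3;
}

/* Validates a frame received from the peer and copies its text, NUL-terminated,
 * into msg. Returns 0 on success, -1 on any malformed or unexpected frame. */
int frame_decode(const uint8_t *buf, size_t len, uint8_t expect,
                 char *msg, size_t cap)
{
    if (len < 3 || buf[0] != expect)
        return -1;                        /* truncated header or wrong protocol step */
    size_t n = ((size_t)buf[1] << 8) | buf[2];
    if (n == 0 || n > MAX_KMS_MSG || len != n + 3 || n + 1 > cap)
        return -1;                        /* bad length, or caller's buffer too small */
    if (memchr(buf + 3, '\0', n) != NULL)
        return -1;                        /* embedded NUL would truncate the string */
    memcpy(msg, buf + 3, n);
    msg[n] = '\0';
    return 0;
}

int main(void)
{
    const char *initmsg = "constructed-initmsg";  /* constructed sample text */
    uint8_t wire[64];
    char got[64];
    size_t n = frame_encode(FRAME_INIT, initmsg, wire, sizeof wire);
    if (n == 0 || frame_decode(wire, n, FRAME_INIT, got, sizeof got) != 0)
        return 1;
    return strcmp(got, initmsg) == 0 ? 0 : 1;
}
```

The Responder would decode with FRAME_INIT before calling parse_transfer_init(), and the Initiator with FRAME_RESP before calling parse_transfer_resp().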

Page 8: Key Management Service on Ericsson Labs

Example applications

Secure chat

Secure messaging

Secure voice

Secure conferencing

Secure video

Secure file transfer

Any application requiring confidentiality, authentication, or integrity
