host card emulation: moving smart cards to the cloud · host card emulation trusted execution...
TRANSCRIPT
Host Card Emulation: Moving smart cards to the cloud
Jorge Lanza CalderónObservatorio Tecnológico de la Tarjeta Inteligente de la
Universidad de CantabriaOTTIUC
HOST CARD EMULATION: MOVINGSMART CARDS TO THE CLOUD
April 10th, 2014
2ND INTERNATIONAL UNIVERSITY SMART CARD CONGRESS
Jorge Lanza
HOST CARD EMULATION
HCE Applications and Risks
Secure Element alternatives
HCE Basics
Conclusions
HOST CARD EMULATION
HOST CARD EMULATION
NFC is a short range wireless technology that allowscommunication between two devices up to few centimeters Standalone or seamless enabling other technologies
Touch and go paradigm Reader/Writer mode Card emulation mode Peer‐to‐peer mode
It is clear that the world is moving toward mobile environments Heterogeneous communication interfaces Keyboard and screen for user interaction Secure storage and access to information
HOST CARD EMULATION
NFC embedded in mobile devices can be the proxy between thesmartcard and the services in the universities
Positive Negative
HOST CARD EMULATION
HOST CARD EMULATION
Independent from Mobile network operators Phone manufacturer Phone model and technology ¿Service provider?
TUI in the phoneAccessible from already deployed services
Accessible from phone apps
HOST CARD EMULATION
NFC Forum defined card emulation Hardware based solutions – SIM, microSD, etc. as SE Software that behaves as smart card‐based application
First available via Blackberry OS and since December 2013 hasbeen supported by Android KitKat OS
Without SE (HCE)With SE
HOST CARD EMULATION
HCE Mobile device behaves as a PICC Protocol is already defined: client ‐ server
Peer‐to‐Peer (P2P) Two devices exchange data (i.e. Android Beam) Two modes: active and passive Similar to computer network protocols Define exchange protocol to fit application needs Flow is controlled by application Not compatible with most of already deployed smart cardssystems
SNEP
LLCP
ISO 18092 (NFC)
APDU
T=0/T=1/T=CL
ISO 14443A/B
HOST CARD EMULATION
Virtualization of University of Cantabria TUI and 2014 Santander Conference
using HCE
HOST CARD EMULATION
HCE breaks the NFC lock Open solution that makes it easier development anddeployment of applications
Attracts more creative players to NFC ecosystem, which willmake NFC more familiar to end‐users beyond payments
HOST CARD EMULATION
HCE breaks the NFC lock Open solution that makes it easier development anddeployment of applications
Attracts more creative players to NFC ecosystem, which willmake NFC more familiar to end‐users beyond payments
HOST CARD EMULATION
HCE breaks the NFC lock Open solution that makes it easier development anddeployment of applications
Attracts more creative players to NFC ecosystem, which willmake NFC more familiar to end‐users beyond payments
Software based SE enables access from any device, anytime,anywhere Increased flexibility Greater storage and processing power No need for application certification?
HOST CARD EMULATION
Rely on the emulated card application sandbox Prone to malware attacks or device rooting (admin rights)
Interoperability Currently only available for ISO 14443A‐4 Standardization is still ongoing Not available on every mobile
Unavailable low power mode
Applications routing table (Android KitKat) Existing SE apps to be registered Default route is to HCE
Two factor authentication
HOST CARD EMULATION
Trusted Execution Environment Access isolation of hardware and software resources from
rest of OS apps
Sensitive parts to trusted servers on the cloud Need to be always on and low transaction speed Deployment of tokenization methodologies
Application sand box No extra cost, but low protection Cryptographic obfuscation
No additional advantage over traditional SE approach More complexity to application routing
HOST CARD EMULATION
CHARACTERISTICSOF HCE
CHARACTERISTICSOF THE SE
Tamper resistant hardware
Black box
Interoperable
Certified
Standardized
Non transferable physical token
Fast time to market
Relative easy deployment
Security dependent on device OS
Proprietary
Software tokens open to user misused (sharing)
HOST CARD EMULATION
Supported only by Broadcom chipset NXP has recently adapted firmware (Mifare emulation?)
Visa and MasterCard are implementing cloud‐based SE First specifications released end February Deploy several layers of security to protect paymentaccounts from app to network through user hardware One‐time use data, real‐time transaction analysis, paymenttokens and device fingerprinting technology
Some banks are deploying pilots
HOST CARD EMULATION
Loyalty
Open loop payments
Contentprotection
Couponing Mobileidentity
Close loop payments
AccessControl
Transport
Nice to have
Mandatory
Services in accordance to requirements on accessing SE
HCE is currently best suited forlow value applications with notmandatory requirements
HOST CARD EMULATION
Your opinion is really valuable Help us improving
DO NOT HESITATE ON CONTACTINGOTTIUCOTTIUC
Luis Muñoz - Jorge LanzaPablo Sotres
OTTIUCNetwork Planning & Mobile Communications Lab
Universidad de CantabriaAvda. Castros s/n, 39005 - Santander (Spain)
Phone: +34 942 200 914Fax: +34 942 201 488
Email: [email protected]