Over the Air 2011 security workshop
DESCRIPTION
https://labs.ericsson.com/apis?api_category=199
Ericsson Labs' presentation at Over the Air 2011. Examples of how to establish a trusted identity, how to do mash-ups of multiple data feeds and how to secure peer-to-peer communication.
TRANSCRIPT
OTA 2011 Workshop: Security enablers at Ericsson Labs
OTA workshop 2011 | Public | © Ericsson AB 2011 | 2011-08-30 | Page 2
This is Ericsson
› We no longer manufacture phones (Sony-Ericsson does)
› More than 40% of the world's mobile traffic passes through Ericsson networks
› We have customers in more than 180 countries and over 98,000 employees
› We are largely a software company
Figure captions: Ericsson's first telephone, 1878; World's first LTE network, 2009
What is Ericsson Labs?
› Experimental: early technology trials
› Open innovation: APIs for new technologies
› Creativity: new innovation by developers
› 50 bn connected devices: M2M service enablers
Simplify
› Hide cloud complexity
› Low barriers to entry
Provide
› Easy to use APIs/SDKs
› Early & perpetual beta
Converse
› Expert support
› Feedback
Ericsson Labs APIs
Maps & positioning: 3D Landscape, Mobile Location, Mobile Maps, Web Maps
Communication: Async Voice, SMS Send & Receive, Mobile Push, Group Voice Mixer
Security: Mobile Web Security Bootstrap, CAPTCHA, OAuth2 Framework, Identity Management Framework, Key Management Service
Web technologies: Web Connectivity, EventSource, Web Background Service, Web Device Connectivity, Distributed Shared Memory, Web Real-Time Communication
Media and graphics: Face Detector, Streaming Media, Converting Media, Text-to-Speech
User & network information: Mobile Identification, Mobile Network Look-up, Network Probe
Machine learning: Cluster Constructor
NFC & sensors: Sensor Networking Application Platform, Tag Tool, Mobile Sensor Actuator Link
Agenda
› Federated authentication
› Delegated authorization
› P2P key exchange
› SIM card identification
SIM card identification (1/3)
› P: The traditional authentication scheme with username/password has several drawbacks
› Q: What if we could use the credentials stored on the SIM card instead?
› A: This is exactly what the 3GPP standard GBA (Generic Bootstrapping Architecture) accomplishes. Basically, we replace
  – the username with the subscriber identity; and
  – the password with the subscriber key
› The MWSB (Mobile Web Secure Bootstrapping) enabler allows you to try it out in your own web application
Figure: top ten PlayStation Network passwords (Digicure, 2011): 123456, password, winner, seinfeld, 12345, 123456789, 1234, 12345678, 123
Figure: attempt to increase security through SMS verification
SIM card identification (2/3)
1. The client bootstraps (using the SIM card) with the GBA server and obtains a key (Ks_NAF) together with a temporary identifier (B-TID); Ks_NAF is specific to the web application it will be used with
2. The client authenticates itself to the web application using HTTP(S) Digest with the key as password and the B-TID as username
3. The web application sends the identifier to the GBA server, receives the same key, and validates the client-supplied password
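An added example, not Ericsson's MWSB enabler code: the three steps above modelled end to end in Python with the standard library. The bootstrapping run of step 1 is replaced by a constructed table of B-TID/Ks_NAF pairs standing in for the GBA server, the Digest algorithm is MD5 with qop=auth as in RFC 2617, and the Digest password is the base64 encoding of Ks_NAF as 3GPP TS 33.222 specifies; the realm, the URI and all identifiers are assumptions.

```python
"""Added example (not Ericsson's MWSB enabler): GBA-style login over HTTP Digest.

Assumptions: a constructed B-TID -> Ks_NAF table stands in for the GBA server,
Digest is MD5 with qop=auth (RFC 2617), and the password is base64(Ks_NAF)
as 3GPP TS 33.222 specifies. Realm, URI and identifiers are invented."""
import base64
import hashlib
import hmac
import os
import re

REALM = "3GPP-bootstrapping@naf.example.com"   # assumed realm of the web app
METHOD, URI = "GET", "/protected"               # assumed protected resource

# Constructed stand-in for the GBA server: after bootstrapping (step 1) it can
# return, for a temporary identifier B-TID, the key Ks_NAF derived for this app.
GBA_SERVER = {
    "MTIzNDU2Nzg5MGFiY2RlZg@bsf.example.com":
        bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
}


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    """RFC 2617 request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


_PARAM = re.compile(r'(\w+)=("?)([^",]*)\2')


def parse_digest(header):
    """Split a 'Digest k="v", k2=v2, ...' challenge or credential into a dict."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {k: v for k, _, v in _PARAM.findall(header[len("Digest "):])}


def client_authorization(b_tid, ks_naf, challenge):
    """Step 2: answer the challenge with B-TID as username, base64(Ks_NAF) as password."""
    nonce = parse_digest(challenge)["nonce"]
    cnonce = os.urandom(8).hex()
    password = base64.b64encode(ks_naf).decode()
    response = digest_response(b_tid, REALM, password, METHOD, URI, nonce, cnonce)
    return (f'Digest username="{b_tid}", realm="{REALM}", nonce="{nonce}", uri="{URI}", '
            f'qop=auth, nc=00000001, cnonce="{cnonce}", response="{response}"')


class WebApp:
    """The web application (the NAF in GBA terms)."""

    def __init__(self, gba_lookup):
        self._gba_lookup = gba_lookup    # step 3: B-TID -> Ks_NAF, or None if unknown
        self._nonces = set()             # nonces we issued and have not yet seen used

    def challenge(self):
        nonce = os.urandom(16).hex()
        self._nonces.add(nonce)
        return f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'

    def verify(self, authorization):
        """Return True only for a fresh, correctly keyed response to our challenge."""
        p = parse_digest(authorization)
        if p.get("nonce") not in self._nonces:
            return False                 # never issued, or already consumed: replay
        self._nonces.discard(p["nonce"])
        ks_naf = self._gba_lookup(p.get("username", ""))
        if ks_naf is None or p.get("uri") != URI:
            return False                 # B-TID not bootstrapped, or wrong resource
        expected = digest_response(p["username"], REALM, base64.b64encode(ks_naf).decode(),
                                   METHOD, URI, p["nonce"], p.get("cnonce", ""), p.get("nc", ""))
        return hmac.compare_digest(expected, p.get("response", ""))
```

Two checks worth keeping from the example: the web application accepts only nonces it issued and discards each after one use, so a captured Authorization header cannot be replayed, and the expected and received responses are compared in constant time.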
SIM card identification (3/3)
Pros: High security, convenient for the user, standardized
Cons: Currently not supported by browsers; you are forced to rely on a plugin, an applet, or a re-compiled browser engine
Federated authentication (1/3)
› P: Password management is costly for site owners, and user experience is negatively affected by differing password policies
› Q: What if site owners could delegate authentication to a trusted party where strong authentication can be enforced?
› A: This can be achieved with the OpenID protocol, where the OpenID Provider acts as the trusted party. Security can be further improved by combining OpenID with SIM based identification.
› The Identity Management Framework on Ericsson Labs is running an OpenID provider which your web app can use (instructions and Java code available)
Federated authentication (2/3)
Figure: the OpenID flow (not reproduced in this transcript). How the user authenticates in step (4) of the figure is intentionally left unspecified; both username/password and SIM based identification can be used.
Federated authentication (3/3)
Figure: how the user can authenticate to the OpenID Provider: traditional username/password, or SIM based identification (automatic) via a modified WebKit, a GBA applet or a GBA plugin.
Delegated authorization (1/3)
› P: Users are willing to share limited portions of their data, but without losing control over who is accessing the data and what part of it is being accessed.
› Q: Why not use a standardized token based delegation pattern?
› A: OAuth is an IETF effort to standardize and isolate delegated authorization, making it simpler to reuse both code and know-how about how authorization is handled.
Delegated authorization (2/3)
Figure: the OAuth authorization code flow. The web client (service provider, registered with a ClientID, ClientSecret and CallbackURI) redirects the browser to the Authorization Server with the requested Scope; the user authenticates there (Authenticate, via the Authentication Server: an OpenID RP/OP backed by GBA) and approves the request (Authorize); the Authorization Server sends a Code to the CallbackURI, which the web client exchanges for an OAuth Token; the token is then presented to the Resource Server to reach the Protected Resource.
Delegated authorization (3/3)
Figure: the same flow on mobile and on desktop (not reproduced in this transcript).
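An added example, not the Ericsson Labs OAuth2 Framework: the flow on the figure above with authorization server, resource server and web client modelled in memory in Python, so the checks that make the authorization code grant safe are visible. It assumes the user is already authenticated when the authorization request arrives (the slides delegate that to OpenID); all client ids, secrets, scopes, hostnames and paths are constructed.

```python
"""Added example (not the Ericsson Labs OAuth2 Framework): the authorization code
flow with authorization server, resource server and web client modelled in memory.

Assumptions: the user is already authenticated (the slides delegate that to
OpenID) when the authorization request arrives; client ids, secrets, scopes and
paths are constructed."""
import hmac
import os
import time
from urllib.parse import parse_qs, urlencode, urlparse


def query_params(url):
    """Flatten the query string of a URL into a dict (first value of each key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, callback_uri)
        self.codes = {}     # outstanding single-use authorization codes
        self.tokens = {}    # access_token -> (user, granted scopes)

    def register(self, client_id, client_secret, callback_uri):
        self.clients[client_id] = (client_secret, callback_uri)

    def authorize(self, query, user, consented):
        """/authorize endpoint: `user` is authenticated and has consented to `consented`."""
        client = self.clients.get(query.get("client_id"))
        if client is None or query.get("redirect_uri") != client[1]:
            raise ValueError("unknown client or redirect_uri differs from registration")
        if query.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        granted = set(query.get("scope", "").split()) & set(consented)
        code = os.urandom(16).hex()
        self.codes[code] = {"client_id": query["client_id"], "redirect_uri": client[1],
                            "user": user, "scope": granted, "expires": time.time() + 60}
        return client[1] + "?" + urlencode({"code": code, "state": query.get("state", "")})

    def token(self, client_id, client_secret, code, redirect_uri):
        """/token endpoint: the client authenticates and redeems the code exactly once."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client[0], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)          # pop: a replayed code finds nothing
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["expires"] < time.time()):
            raise PermissionError("invalid_grant")
        token = os.urandom(24).hex()
        self.tokens[token] = (grant["user"], grant["scope"])
        return {"access_token": token, "token_type": "bearer",
                "scope": " ".join(sorted(grant["scope"]))}


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server   # token introspection is a direct lookup here

    def get(self, path, required_scope, bearer_token):
        """Protected resource: reachable only with a token carrying the needed scope."""
        user, scope = self.auth_server.tokens.get(bearer_token, (None, set()))
        if user is None or required_scope not in scope:
            raise PermissionError("insufficient_scope")
        return {"owner": user, "path": path}


class WebClient:
    """The service provider, registered with ClientID, ClientSecret and CallbackURI."""

    def __init__(self, auth_server, client_id, client_secret, callback_uri):
        self.auth_server, self.client_id = auth_server, client_id
        self.client_secret, self.callback_uri = client_secret, callback_uri
        self.pending_states = set()

    def start(self, scope):
        """Build the redirect to the authorization server; `state` ties the callback to us."""
        state = os.urandom(8).hex()
        self.pending_states.add(state)
        return "https://auth.example.com/authorize?" + urlencode(
            {"response_type": "code", "client_id": self.client_id,
             "redirect_uri": self.callback_uri, "scope": scope, "state": state})

    def callback(self, redirect_url):
        """The browser arrives at CallbackURI with code and state; exchange the code."""
        q = query_params(redirect_url)
        if q.get("state") not in self.pending_states:
            raise PermissionError("state mismatch: forged or replayed callback")
        self.pending_states.discard(q["state"])
        return self.auth_server.token(self.client_id, self.client_secret,
                                      q.get("code"), self.callback_uri)
```

The properties to take from the example: the redirect URI in the request must equal the registered CallbackURI exactly, the Code is bound to the client and redirect URI and is consumed on first use, the client must present its ClientSecret to exchange it, the web client checks the state it generated before accepting a callback, and the token carries only the scope the user actually consented to, which is what "not losing control over what part of the data is accessed" amounts to.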
P2P key establishment (1/3)
› P: Up until now we have only considered client-server applications, where it is relatively easy to protect communications using TLS/SSL. In a P2P application where there is no existing trust relation between the parties (e.g., certificates or keys), setting up a secure channel is more complex.
› Q: How can we enable secure, end-to-end communication in a P2P application?
› A: With the help of a KMS (Key Management Server) the two parties are able to establish a shared secret key, which in turn is used to set up the secure channel.
Examples: VoIP, messaging, file sharing
P2P key establishment (2/3)
› Based on the MIKEY-TICKET protocol (RFC 6043), which is designed for high security applications (e.g., national safety, police, etc.)
› Note that there must exist a trust relationship between each client and the KMS. The 3GPP recommended solution is to use the SIM card.
P2P key establishment (3/3)
› The KMS API at Ericsson Labs can be used to secure any type of communication, for example VoIP (figures not reproduced in this transcript)
› Most of the signalling is hidden by the API. Setting up the shared secret key requires only a few lines of code
› The API is written in C but can still be used on Android using JNI (Java Native Interface)
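An added example, not the Ericsson Labs KMS API (which is C) and not the RFC 6043 wire format: the trusted third party pattern of MIKEY-TICKET mode 1 reduced to its messages in Python, so the trust relations from the previous slide are visible. Each peer shares a pre-provisioned key with the KMS (the SIM provides this in the 3GPP design; here the keys are constructed), and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for MIKEY's payload protection; the message names are RFC 6043's, their layout and every identifier are assumptions.

```python
"""Added example (not the Ericsson Labs KMS API, not RFC 6043's encoding): the
MIKEY-TICKET mode 1 pattern. A peer trusts only the KMS; the KMS issues a ticket
the initiator cannot read and releases the traffic key only to the responder
named in it.

Assumptions: per-peer keys shared with the KMS are constructed (the SIM would
supply them); HMAC-SHA256 keystream + encrypt-then-MAC replaces MIKEY payloads."""
import hashlib
import hmac
import os

TAG = 32   # bytes of HMAC-SHA256 tag appended by seal()


def kdf(key, label, n=32):
    """HMAC-SHA256 in counter mode: n bytes of key or keystream bound to `label`."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, label, plaintext):
    """Encrypt-then-MAC. `label` must be fresh per message or the keystream repeats."""
    ct = bytes(p ^ k for p, k in zip(plaintext, kdf(key, b"enc|" + label, len(plaintext))))
    return ct + hmac.new(kdf(key, b"mac|" + label), ct, hashlib.sha256).digest()


def unseal(key, label, blob):
    ct, tag = blob[:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(kdf(key, b"mac|" + label), ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC")
    return bytes(c ^ k for c, k in zip(ct, kdf(key, b"enc|" + label, len(ct))))


class KMS:
    """Trusted by every peer; the only party able to read a ticket."""

    def __init__(self, peer_keys):
        self.peer_keys = peer_keys          # peer id -> key shared with the KMS (SIM-derived)
        self.master = os.urandom(32)        # protects ticket contents

    def request(self, initiator, nonce, blob):
        """REQUEST_INIT -> REQUEST_RESP: issue a ticket for (initiator, responder)."""
        responder = unseal(self.peer_keys[initiator], nonce, blob).decode()
        tgk, ticket_id = os.urandom(32), os.urandom(16)     # traffic-generating key
        body = f"{initiator}|{responder}|".encode() + tgk
        ticket = ticket_id + seal(self.master, ticket_id, body)
        return ticket, seal(self.peer_keys[initiator], nonce + b"|resp", tgk)

    def resolve(self, responder, nonce, blob):
        """RESOLVE_INIT -> RESOLVE_RESP: release the TGK only to the named responder."""
        ticket = unseal(self.peer_keys[responder], nonce, blob)
        body = unseal(self.master, ticket[:16], ticket[16:])   # fails if ticket was altered
        _initiator, named_responder, tgk = body.split(b"|", 2)
        if named_responder.decode() != responder:
            raise PermissionError("ticket was not issued for this responder")
        return seal(self.peer_keys[responder], nonce + b"|resp", tgk)


class Peer:
    def __init__(self, ident, key, kms):
        self.id, self.key, self.kms = ident, key, kms

    def initiate(self, responder):
        """TRANSFER_INIT: fetch a ticket from the KMS and forward it with a fresh nonce."""
        nonce = os.urandom(16)
        ticket, blob = self.kms.request(self.id, nonce, seal(self.key, nonce, responder.encode()))
        self.tgk = unseal(self.key, nonce + b"|resp", blob)
        self.rand_i = os.urandom(16)
        return {"from": self.id, "ticket": ticket, "rand_i": self.rand_i}

    def respond(self, transfer_init):
        """TRANSFER_RESP: resolve the ticket at the KMS, derive the key, confirm it."""
        nonce = os.urandom(16)
        blob = self.kms.resolve(self.id, nonce, seal(self.key, nonce, transfer_init["ticket"]))
        tgk = unseal(self.key, nonce + b"|resp", blob)
        rand_r = os.urandom(16)
        self.session_key = kdf(tgk, b"session|" + transfer_init["rand_i"] + rand_r)
        confirm = hmac.new(self.session_key, b"confirm", hashlib.sha256).digest()
        return {"rand_r": rand_r, "confirm": confirm}

    def finish(self, transfer_resp):
        """Initiator side: same derivation, then check the responder's confirmation."""
        key = kdf(self.tgk, b"session|" + self.rand_i + transfer_resp["rand_r"])
        expected = hmac.new(key, b"confirm", hashlib.sha256).digest()
        if not hmac.compare_digest(expected, transfer_resp["confirm"]):
            raise ValueError("key confirmation failed")
        self.session_key = key
        return key
```

The point of the ticket: peers never hold each other's long-term keys. The initiator forwards an opaque ticket it cannot read, the KMS releases the traffic key only to the responder named in it, and both sides mix fresh random values into the final derivation and confirm the result, so a ticket captured in transit is useless to anyone but the named responder and the KMS.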
How does it all fit together?
Figure: SIM identification is used in Federated AuthN (OpenID), which is used in Delegated AuthZ (OAuth); P2P Key Est. stands apart.
› The OAuth Authorization server authenticates the user using OpenID
› The OpenID Provider authenticates the user using SIM card identification
› The P2P key establishment is largely independent from the other tools (though the peer-KMS trust relation is based on SIM card identification)
DEMO – Mashing GOOGLE LATITUDE
23 APIs as of end of September 2011.
Demo setup
Figure: an HTTP request to the REST endpoint passes an Authentication Filter and an OAuth Token Filter; the Latitude REST client fetches the data, the populated data model is rendered by a FreeMarker presentation layer, and the result is shown as a GMap mashup.
You can try!
http://eus2.fuatara.com:8080/latitude/
Q&A
Visit: labs.ericsson.com