Over the Air 2011 Security Workshop

OTA 2011 Workshop: Security enablers at Ericsson Labs

Upload: ericsson-labs

Post on 28-May-2015

Category:

Technology


DESCRIPTION

https://labs.ericsson.com/apis?api_category=199

Ericsson Labs' presentation at Over the Air 2011. Examples of how to establish a trusted identity, how to do mash-ups of multiple data feeds and how to secure peer-to-peer communication.

TRANSCRIPT

Page 1: Over the Air 2011 Security Workshop

OTA 2011 Workshop: Security enablers at Ericsson Labs

Page 2: Over the Air 2011 Security Workshop

OTA workshop 2011 | Public | © Ericsson AB 2011 | 2011-08-30 | Page 2

This is Ericsson

› We no longer manufacture phones (Sony-Ericsson does)

› More than 40% of the world's mobile traffic passes through Ericsson networks

› We have customers in more than 180 countries and over 98,000 employees

› We are largely a software company

[Figure: Ericsson’s first telephone, 1878; World’s first LTE network, 2009]

Page 3: Over the Air 2011 Security Workshop

What is Ericsson Labs?

Experimental

› Early technology trials

Open innovation

› APIs for new technologies

Creativity

› New innovation by developers

50 bn connected devices

› M2M service enablers

Simplify

› Hide cloud complexity

› Low barriers to entry

Provide

› Easy to use APIs/SDKs

› Early & perpetual beta

Converse

› Expert support

› Feedback

Page 4: Over the Air 2011 Security Workshop

Ericsson Labs APIs

› Maps & positioning: 3D Landscape, Mobile Location, Mobile Maps, Web Maps

› Communication: Async Voice, SMS Send & Receive, Mobile Push, Group Voice Mixer

› Security: Mobile Web Security Bootstrap, CAPTCHA, OAuth2 Framework, Identity Management Framework, Key Management Service

› Web technologies: Web Connectivity, EventSource, Web Background Service, Web Device Connectivity, Distributed Shared Memory, Web Real-Time Communication

› Media and graphics: Face Detector, Streaming Media, Converting Media, Text-to-Speech

› User & network information: Mobile Identification, Mobile Network Look-up, Network Probe

› Machine learning: Cluster Constructor

› NFC & sensors: Sensor Networking Application Platform, Tag Tool, Mobile Sensor Actuator Link

Page 5: Over the Air 2011 Security Workshop

Federated authentication

Delegated authorization

P2P key exchange

SIM card identification

Page 6: Over the Air 2011 Security Workshop

SIM card identification (1/3)

› P The traditional authentication scheme with username/password has several drawbacks

› Q What if we could use the credentials stored on the SIM card instead?

› A This is exactly what the 3GPP standard GBA accomplishes. Basically, we replace

– the username with the subscriber identity; and

– the password with the subscriber key

› The MWSB (Mobile Web Secure Bootstrapping) enabler allows you to try it out in your own web application

[Figure: Top ten PlayStation Network passwords (Digicure, 2011): 123456, password, winner, seinfeld, 12345, 123456789, 1234, 12345678, 123]

[Figure: Attempt to increase security through SMS verification]

Page 7: Over the Air 2011 Security Workshop

SIM card identification (2/3)

1. The client bootstraps (using the SIM card) with the GBA server and obtains a key (Ks_NAF)

2. The client authenticates itself to the web app using HTTP(S) digest with the key as password and a temporary identifier (B-TID) as username

3. The web application sends the identifier to the GBA server, receives the key, and validates the client supplied password
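The three steps above as a runnable sketch, added here as an illustration and not taken from the Ericsson Labs enabler. `ToyGBAServer`, the HMAC-based `derive_ks_naf`, the host names and the base64 encoding of the key as the digest password are assumptions of this example; a real GBA server authenticates the SIM before issuing anything.

```python
import base64, hashlib, hmac, os

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, realm, method, uri, nonce, nc, cnonce):
    # RFC 2617 digest response with qop=auth
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def derive_ks_naf(ks, naf_id):
    # Assumed stand-in for the 3GPP key derivation: binds the key to one web app.
    return hmac.new(ks, naf_id.encode(), hashlib.sha256).digest()

class ToyGBAServer:
    """Constructed stand-in for the operator's GBA server."""
    def __init__(self):
        self._ks = {}
    def bootstrap(self):                      # step 1: client obtains B-TID and key
        b_tid = os.urandom(8).hex() + "@gba.example"
        self._ks[b_tid] = os.urandom(32)
        return b_tid, self._ks[b_tid]
    def key_for(self, b_tid, naf_id):         # step 3: called by the web app
        ks = self._ks.get(b_tid)
        return derive_ks_naf(ks, naf_id) if ks else None

def client_authorization(b_tid, ks, naf_id, realm, method, uri, nonce):
    # step 2: B-TID is the username, the derived key is the password
    password = base64.b64encode(derive_ks_naf(ks, naf_id)).decode()
    nc, cnonce = "00000001", os.urandom(8).hex()
    resp = digest_response(b_tid, password, realm, method, uri, nonce, nc, cnonce)
    return {"username": b_tid, "nc": nc, "cnonce": cnonce, "response": resp}

def webapp_verify(gba, naf_id, realm, method, uri, issued_nonce, auth):
    key = gba.key_for(auth["username"], naf_id)
    if key is None:
        return False                          # unknown B-TID
    password = base64.b64encode(key).decode()
    expected = digest_response(auth["username"], password, realm, method, uri,
                               issued_nonce, auth["nc"], auth["cnonce"])
    return hmac.compare_digest(expected, auth["response"])

def demo():
    gba, naf, realm = ToyGBAServer(), "app.example", "app.example"
    b_tid, ks = gba.bootstrap()
    nonce = os.urandom(16).hex()              # sent by the web app in its 401 challenge
    auth = client_authorization(b_tid, ks, naf, realm, "GET", "/profile", nonce)
    return webapp_verify(gba, naf, realm, "GET", "/profile", nonce, auth)
```

The web app checks the response against the nonce it issued itself, so a captured header fails against a fresh challenge, and because the key is derived per web app, a response computed for one host does not validate at another.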

Page 8: Over the Air 2011 Security Workshop

SIM card identification (3/3)

Pros: High security, convenient for the user, standardized

Cons: Currently not supported by browsers; forced to rely on a plugin, an applet, or a re-compiled browser engine

Page 9: Over the Air 2011 Security Workshop

Federated authentication

Delegated authorization

P2P key establishment

SIM card identification

Page 10: Over the Air 2011 Security Workshop

Federated authentication (1/3)

[Figure labels: authentications; delegated authentication]

› P Password management is costly for site owners and user experience is negatively affected due to differing password policies

› Q What if site owners could delegate authentication to a trusted party where authentication can be enforced to be strong?

› A This can be achieved with the OpenID protocol where the OpenID Provider acts as the trusted party. The security can be further improved by combining OpenID with SIM based identification.

› The Identity Management Framework on Ericsson Labs is running an OpenID provider which your web app can use (instructions and Java code available)

Page 11: Over the Air 2011 Security Workshop

Federated authentication (2/3)

How the user authenticates (4) is intentionally left unspecified and both username/password and SIM based identification can be used.

Page 12: Over the Air 2011 Security Workshop

Federated authentication (3/3)

[Figure labels: Traditional username/password; SIM based identification (automatic); Modified WebKit; GBA applet; GBA plugin]

Page 13: Over the Air 2011 Security Workshop

Federated authentication

Delegated authorization

P2P key establishment

SIM card identification

Page 14: Over the Air 2011 Security Workshop

Delegated authorization (1/3)

› P Users are willing to share limited portions of the data but without losing control over who is accessing the data and what part of it is being accessed.

› Q Why not use a standardized token based delegation pattern?

› A OAuth is an IETF effort to standardize and isolate delegated authorization, making it simpler to reuse both code and know-how about how authorization is handled.

Page 15: Over the Air 2011 Security Workshop

Delegated authorization (2/3)

[Figure: OAuth flow diagram. Parties: Browser, Web client (service provider), Authorization Server, Authentication Server (OP, GBA, RP), Resource Server, Protected Resource. Labels: Authenticate, Authorize, ClientID, ClientSecret, CallbackURI, Code, Scope, OAuth Token]

Page 16: Over the Air 2011 Security Workshop

Delegated authorization (3/3)

[Figure labels: Mobile; Desktop]

Page 17: Over the Air 2011 Security Workshop

Federated authentication

Delegated authorization

P2P key establishment

SIM card identification

Page 18: Over the Air 2011 Security Workshop

P2P key establishment (1/3)

› P Up until now we have only considered client-server applications where it is relatively easy to protect communications using TLS/SSL. In a P2P application where there is no existing trust relation between the parties (e.g., certificates or keys), setting up a secure channel is more complex.

› Q How can we enable secure, end-to-end communication in a P2P application?

› A With the help of a KMS (Key Management Server) the two parties are able to establish a shared secret key which in turn is used to set up the secure channel.

[Figure labels: VoIP, messaging, file sharing]

Page 19: Over the Air 2011 Security Workshop

P2P key establishment (2/3)

› Based on the MIKEY-TICKET protocol (RFC 6043), which is designed for high security applications (e.g., national safety, police, etc.)

› Note that there must exist a trust relationship between each client and the KMS. The 3GPP recommended solution is to use the SIM card.
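A simplified model of KMS-assisted key establishment, added here as an illustration; it is not the RFC 6043 message format and not the Ericsson Labs KMS API. `ToyKMS` and the peer names are hypothetical, and the `caller` argument stands for an identity the KMS has already authenticated over its trust relation with that peer.

```python
import hashlib, hmac, json, os, time

class ToyKMS:
    """Constructed stand-in for a KMS that issues and resolves tickets."""
    def __init__(self):
        self._master = os.urandom(32)      # never leaves the KMS
        self._peers = set()

    def enroll(self, peer_id):
        self._peers.add(peer_id)           # models the peer-KMS trust relation

    def _tag(self, label, body):
        return hmac.new(self._master, label + body, hashlib.sha256)

    def request_ticket(self, caller, responder, lifetime=60):
        if not {caller, responder} <= self._peers:
            raise PermissionError("unknown peer")
        body = json.dumps({"init": caller, "resp": responder,
                           "exp": time.time() + lifetime,
                           "nonce": os.urandom(8).hex()}).encode()
        ticket = {"body": body, "mac": self._tag(b"mac|", body).hexdigest()}
        return ticket, self._tag(b"key|", body).digest()

    def resolve_ticket(self, caller, ticket):
        body = ticket["body"]
        expected = self._tag(b"mac|", body).hexdigest()
        if not hmac.compare_digest(expected, ticket["mac"]):
            raise PermissionError("ticket forged or modified")
        claims = json.loads(body)
        if claims["resp"] != caller or claims["exp"] < time.time():
            raise PermissionError("wrong peer or expired ticket")
        return self._tag(b"key|", body).digest()

def establish(kms, initiator, responder):
    # 1. Ticket request: the initiator gets a ticket and the session key.
    ticket, k_init = kms.request_ticket(initiator, responder)
    # 2. Ticket transfer: the initiator sends `ticket` to the responder peer-to-peer.
    # 3. Ticket resolve: the responder hands the ticket to the KMS for the same key.
    k_resp = kms.resolve_ticket(responder, ticket)
    return ticket, k_init, k_resp
```

The ticket itself carries no key material, so a party that observes the peer-to-peer transfer learns nothing usable unless the KMS accepts it as the named responder.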

Page 20: Over the Air 2011 Security Workshop

P2P key establishment (3/3)

› The KMS API at Ericsson Labs can be used to secure any type of communication, for example VoIP (above figures)

› Most of the signalling is hidden by the API. Setting up the shared secret key requires only a few lines of code

› The API is written in C but can still be used in Android using JNI (Java Native Interface)

Page 21: Over the Air 2011 Security Workshop

How does it all fit together?

[Figure: SIM identification, Federated AuthN (OpenID), Delegated AuthZ (OAuth) and P2P Key Est., linked by "used in" arrows]

› The OAuth Authorization server authenticates the user using OpenID

› The OpenID Provider authenticates the user using SIM card identification

› The P2P key establishment is largely independent from the other tools (though the peer-KMS trust relation is based on SIM card identification)

Page 22: Over the Air 2011 Security Workshop
Page 23: Over the Air 2011 Security Workshop

DEMO – Mashing GOOGLE LATITUDE

23 APIs as of end of September 2011.

Page 24: Over the Air 2011 Security Workshop

Demo setup

[Figure labels: Authentication Filter; OAuth Token Filter; Latitude RestClient; Populated Data Model; FreeMarker Presentation; HTTP REST Endpoint; GMap Mashup]

You can try it!

http://eus2.fuatara.com:8080/latitude/

Page 25: Over the Air 2011 Security Workshop

Q&A

Visit: labs.ericsson.com