nisnet winterschool, april 2008 - universitetet i bergen pin code generation (bank id) future sim 9...
TRANSCRIPT
NISnet Winterschool, April 2008
Mobile based authentication and payment
Josef NollProf. stip.
University Graduate Center/University of Oslo
April 2008, Josef NollMobile Payment and Access
Research and Education at Kjeller
Close relation to FFI, IFE, NILU,...
Prof. from Univ. of Trondheim and Oslo
2
April 2008, Josef NollMobile Payment and Access
Outline Admittance, service access and payment Mobile extensions Introduction of RFID and NFC
– Message: “Using the phone for payment and access”– Interfaces and standardisation– Phone implementations
Activities worldwide– Snapshots, Standardisation
“Who owns the SIM?” – My security infrastructure– Ownership versus management
3
Josef Noll, 26.4.2005 RFID - NFC tutorial 4
Service development
1G:
1970 1980 1990 2000 2010
3G:
2G:
B3G:
Mobile telephony
Mobile telephony, SMS, FAX, Data
Multimedia communication
Personalised broadband wireless services
April 2008, Josef NollMobile Payment and Access
The Service ChallengeMobile and Proximity Services
5
NFC
Internet services
signedcertificates
Mobile initiatedservice access
Proximity services
NFC
certificate
Mobile services – services in the mobile– mobile network services– Internet services
Proximity services– Payment– Access, Admittance
April 2008, Josef NollMobile Payment and Access
Current Access & Authentication mechanisms Login/password
Admission card
Payment card
Biometrics
6
April 2008, Josef NollMobile Payment and Access 7
My phone collects all my security
SIM with NFC & PKI
Josef Noll, “Who owns the SIM?”, 5 June 2007
Mobile Services, incl. NFC• Focus in 2008 on
mobile web• Push content upcoming
• NFC needs next generation phones• S60, UIQ, ...• Common Application
development• Integrated
development
[“Mobile Phone Evolution”, Movation White paper, May 2007]
Expected customer usage [%] “have tried” of mobile services in the Nordic Market
0
15
30
45
60
2006 2008 2010
SMS authentication Mobile WebPush content NFC payment
8
April 2008, Josef NollMobile Payment and Access
Mobile Phone supported access SMS one-time password
MMS, barcode
eCommerce (SMS exchange)
Network authentication WAP auto access
Applets: PIN code generation (Bank ID)
Future SIM9
April 2008, Josef NollMobile Payment and Access 10
WAP gatewaySeamless authentication
HTTP request94815894 Hash
HTTP requestcTHG8aseJPIjog==
Pictures for ’rzso’.Password:1234sID: cTHG8aseJPIjog==
April 2008, Josef NollMobile Payment and Access 11
Bankingfrom the mobile phone
Security considerations Equally secure as SMS
(get your account status) Easy to use Advanced functionality
through PIN (if required) Seamless phone (SIM)
authentication Advanced security when
required– BankID or – PIN
Welcome Josef: SIM authentication
Transfer, payments
Advanced functionality
BankID or PIN(double security)
Account status
Information:
Using SIM,no customer input
required
Smartcard interfacesISO/IEC 7816
NFCcommunication
unit
SIM
NFC2SIM
April 2008, Josef NollMobile Payment and Access 12
MyBank example: Banking from the mobile phone
User incentive: “My account is just one
click away” “enhanced security for
transactions”Phone (SIM) authenticationLevel 2 security through
PKI/BankID/PIN?
Josef Noll, “Who owns the SIM?”, 5 June 2007
Authentication provider
Auth. provider
Seamless authentication
Physical access VPN
Content access, .mp3,
.jpg
Service access
April 2008, Josef NollMobile Payment and Access
Outline Admittance, service access and payment Mobile extensions Introduction of RFID and NFC
– Message: “Using the phone for payment and access”
– Interfaces and standardisation– Phone implementations
Activities worldwide– Snapshots, Standardisation
“Who owns the SIM?” – My security infrastructure– Ownership versus management
14
Josef Noll, “Who owns the SIM?”, 5 June 2007
ID, trust and personalisation provider
CertificateRemote services
Proximity services
Who provides?– ID provider
Where to store?– Network– Phone
How to store/backup?– long term, short term
April 2008, Josef NollMobile Payment and Access 16
RFID Technology: Principle
RFID-reader sends a RF signal TAG receives it TAG returns predefined signal
RFID-TAG doesn’t need own power supply
TAG gets power to operate from the RF-pulse of reader
No need for physical sight or contact between reader and TAG
Each product can have own id-number
Source: Eurescom P1346 D2, January 2004
April 2008, Josef NollMobile Payment and Access 17
Passive RFID: Main frequencies
Frequency division:– Low: 100-500 kHz– Medium: 6-15 MHz– High: 850-950 MHz and 2.45 GHz
Active responses– AutoPass 5.8 GHz
I.C. Cards13.56 Mhz
Access ControlAnimal ID
125,133 kHz
Toll RoadsItem
Management~900 MHz
ItemManagement
2.45 GHz
10 kHz 100 kHz 1 Mhz 10 MHz 100 MHz 1000 MHz 2.45 GHz
Source: Eurescom P1346 D2, January 2004
April 2008, Josef NollMobile Payment and Access 18
Current Services and Applications
Typical services made using RFID today
Sports Timing Access Control Animal Tracking Asset Management Baggage Handling Product Authentication, Security Supply Chain Management Transportation, user information Wireless Commerce, Payments, Toll Collection
Source: Eurescom P1346 D2, January 2004
April 2008, Josef NollMobile Payment and Access 19
Registrationexample: Birkebeiner
Online information to mobile phone
Could be used for photo, video, etc
April 2008, Josef NollMobile Payment and Access 20
Ticketing
Cinema/Concerts
Bus/Subway
RFID ticketing zone
TerminalIncl. rfid tag
Ticketing terminal with RFID reader
MobileCommerce
RFID ticketing server
Football/Sport
Source: Eurescom P1346 D2, January 2004
April 2008, Josef NollMobile Payment and Access 21
Supply chain
supplier 2
supplier A
Prosessing
wholesaler retailer
customer
customer
Product InfomrationDatabase
RFID reader/gate
customer
Presentation
RFID reader/gate can be placed along manufacturing lines (company internal)and along the distribution chain (company external/between the actors)
Source: Eurescom P1346 D2, January 2004
April 2008, Josef NollMobile Payment and Access 22
Visitor Density, two functions
Resort owner
”What ride has most users?”
Datamining services
Example2: Resort owner services
”Bumber cars; 200 users/day; 50cent/ride”
”Where is my kid?”
”Where was ID:123123 last seen?”
SystemDatabase
Roller-coaster queue reader
InfoSpot
”Roller-coaster queue”
”At the roller-coaster queue”
Reader X
Reader Y
Example1: Customer service
Source: Eurescom P1346 D2, January 2004
April 2008, Josef NollMobile Payment and Access 23
Technology: Range From millimeters to tens of meters Depends on antennas, power of reader,
characteristics of TAG and operation principle Range decided when application developed ISO standards:
– proximity cards: 10 cm– Vicinity cards: 1,5 m
Source: Eurescom P1346 D2, January 2004
April 2008, Josef NollMobile Payment and Access
NFC is ...
RFID at 13.56 MHz RF (modem) and protocolls
24
Passive operation:1) Phone=Reader has static magnetic field2) Tag acts as resonator, “takes energy” ~1/r^6
0 0,8 1,6 2,4 3,2 4 4,8 5,6 6,4 7,2 8 8,8 9,6
0,25
0,5
0,75
1
1/r^2
1/r^6
Power decrease of static and electromagnetic field
April 2008, Josef NollMobile Payment and Access 25
Technology: Security considerations
In the past there was no need for security in RFID-systems– logistic data collection the information has no relevance or
value anywhere else except the originally designed purpose If TAGs are in consumer goods there is a need for security and
privacy Security protocols:
– Bilateral authentication– Key agreement– Encrypted communication
Secure communications needs computing resources
Source: Eurescom P1346 D2, January 2004
Personal items Passport, Payment cards, mobile phone
April 2008, Josef NollMobile Payment and Access
NFC technology and use case Based on RFID technology at
13.56 MHz Typical operating distance 10 cm Compatible with RFID Data rate today up to 424 kbit/s Philips, Sony and Nokia
27
ECMA-340, ISO/IEC 18092 & ECMA-352, …standards
Powered and non-self powered devices
April 2008, Josef NollMobile Payment and Access
NFC use cases Payment and access
– include Master-/Visacard in the phone– have small amount money electronically– admittance to work
Service Discovery– easy access to mobile services:
Web page, SMS, call, ...– local information and proximity services (get
a game) Ticketing
– Mobile tickets for plain, train, bus:Parents can order and distribute, ...
28Source: Nokia 6131 NFC Technical Product Description
Josef Noll, 26.4.2005 RFID - NFC tutorial 29
NFC standardisation
ECMA-340 • Specifies the RF signal
interface• Initialisation, anti-
collision and protocols• Communication mode
selection mechanism ECMA 352 (v1, Dec 2003)• Selects communication
modes: NFC, PCD, and VCD
• Enables communication in that mode
April 2008, Josef NollMobile Payment and Access 30
NFCIP-2 Interface and protocol(ISO/IEC 21481)
ECMA-340ISO/IEC 14443
PCD mode
(MIFARE, FeliCa)
ISO/IEC 15693VCD mode
(facility access)
InterfaceStandards
April 2008, Josef NollMobile Payment and Access
NFCIP-2 Interface and protocol (ISO/IEC 21481)
31
ECMA-340
Interface Standards
ISO/IEC 14443
PCD mode
(MIFARE, FeliCa)
ISO/IEC 15693
VCD mode
(facility access)
NFC device Proximity CardReader
Vicinity CardReader
NFC ECMA-340
YES340 okay
April 2008, Josef NollMobile Payment and Access
NFCIP-2 Interface and protocol (ISO/IEC 21481)
32
ECMA-340
Interface Standards
ISO/IEC 14443
PCD mode
(MIFARE, FeliCa)
ISO/IEC 15693
VCD mode
(facility access)
NFC device Proximity CardReader
Vicinity CardReader
NFC ECMA-340
NO15693 okay
April 2008, Josef NollMobile Payment and Access
Nokia 6131 Firmware
33Source: Nokia 6131 NFC Technical Product Description
ISO14443
April 2008, Josef NollMobile Payment and Access
NFC phone status (April 2008) Nokia 3320, 5340, 6131, xx Philips/Samsung X700 LG Sagem BenQ T80
Missing specifications Motorola HTC
34
April 2008, Josef NollMobile Payment and Access
Time to marketbased on phone evolution
35
Operators to Launch NFC-Based Mobile Payment Services 13th November 2007, Macau: 12 mobile operators will run trials of contactless mobile payment services in Australia, France, Ireland, Korea, Malaysia, Norway, The Philippines, Singapore, Taiwan, Turkey and the U.S. as a precursor to commercial launches.
Near Field Communications News and Insight
BBC names NFC a top technology for 2008Posted January 16, 2008
Survey shows that US consumers want simple payment features for NFC phonesPosted January 10, 2008
Report: Majority of phones will support NFC once standards are finalizedPosted January 03, 2008
Source: NFCnews.com
DnB Nor and Telenor to form mobile payments unitPosted April 21, 2008
Norwegian banking group DnB Nor and local telco Telenor have revealed plans to establish a new mobile payments program. The new mobile payments system, called Trusted Service Manager (TSM) Nordic, will be a subsidiary of Doorstep.
Orange delays NFC launchPosted April 16, 2008
Mobile operator Orange is postponing its commercial NFC launch by several months, according to CardLine Global.
April 2008, Josef NollMobile Payment and Access
UNIK work Key-exchange for admittance and content protection Analysis and implementation of Easy Pairing Easy Pairing
– Use NFC to establish Bluetooth contact with Media Center
– analyse phones: Nokia 3320, Nokia 6131 Experiences from Implementations
– Phones and NFC tags– Linux pairing– Windows pairing
36
April 2008, Josef NollMobile Payment and Access 37
Prototype:SMS key access
Service Centre
Application1) Send SMS
3) Send service to phone
2) Send info to recipient
4) Enters house with NFC access
Smartcard interfacesISO/IEC 7816
NFCcommunication
unit
SIM
NFC2SIM
April 2008, Josef NollMobile Payment and Access
Implementation
38
(1) Register the user
(2) Send mobile key (mKey) to user
(3) Receive info message(4) Saving the NFC key
April 2008, Josef NollMobile Payment and Access
ITEA WellCom: Interworking Set-top box and mobile
Source: AlcatelLucent, WellCom Meeting
1) Easy device set-up and communication
2) Authentication andService Access
April 2008, Josef NollMobile Payment and Access
Easy Pairing Scenario Using NFC for reading
connectivity data of phone Set-top box initiates process NFC phones can pair through
vicinity– phone in range– start Bluetooth scanning– request for pairing
No NFC phone– use tag with Bluetooth
information
Comment:– security in handling
activities40
Similar procedure for Wifi pairing
1. search for Bluetooth device2. identity phone (tag info)3. service discovery on phone4. pairing
April 2008, Josef NollMobile Payment and Access
Example EnCapEasy authentication Challenge: Find your BankID to sign in for
Internet banking– Could be triggered through login:
www.encap.mobi/demobank – Using NFC for starting secure
authentication Tag starts application on phone
– One time password created
Application areas– all kinds of authentication– local payment– BankID (while waiting for secure SIM)
41
April 2008, Josef NollMobile Payment and Access
Interworking between NFC components Easy programming through Java MIDlet
software development environment available
Interface to Java Card and Mifare environment
42Source: Nokia 6131 NFC Technical Product Description
Tricky:- Interworking Java
Card, Mifare and Java
Ongoing- secure element = SIM
April 2008, Josef NollMobile Payment and Access
Ongoing technical work
Interaction SIM-Mifare-Mobile Phone = “Single-wire protocoll”
Interaction Phone - Devices– Power-on/power-off
Roadmap for secure authentication
43
April 2008, Josef NollMobile Payment and Access
From current SIM to Future SIM
44
New visionsfor mobile / UICC
Current Telenor Current Telenor
SIM (UICC) cardSIM (UICC) card(from 2001)(from 2001)
GlobalPlatform’s
Real Estate 3.rd
Party sec. domains
vision
SUN
2009?
(Java)
Plus ETSI SCP
3 new phys IFs:
12 Mb/s USB
NFC (SWP)
On-board
WEB server !
Multi-
Thread
New visionsfor mobile / UICC
Current Telenor Current Telenor
SIM (UICC) cardSIM (UICC) card(from 2001)(from 2001)
GlobalPlatform’s
Real Estate 3.rd
Party sec. domains
vision
SUN
2009?
(Java)
Plus ETSI SCP
3 new phys IFs:
12 Mb/s USB
NFC (SWP)
On-board
WEB server !
Multi-
Thread
Source: Judith Rossebø, Telenor
To comply with 3G networking requirements (USIM)
– Security features (algorithms and protocols), longer key lengths
– GSM uses EAP SIM: client authentication– UMTS uses EAP AKA: Mutual authentication
3rd party identities – ISIM application (IMS) – private user identity – one or more public user
identities– Long term secret
April 2008, Josef NollMobile Payment and Access
New UICC architecture
45
eHealtheHealth
UICC – elements
UICC UICC ID = ICCIDID = ICCID
12 Mb/s USB
Full speed IF
NFC (or other) IF
(1 connector)
GSM Allocated
(2G/3G) IFs
(5 connectors)
New UICC Architecture / SIM advances
SIM Application Toolkit SIM Application Toolkit !! CAT CAT
PKI / PKI / eIDeID
PaymentPayment
EMVEMV
MultimediaMultimedia
DRM ?DRM ?
TicketingTicketing
(DRM !)(DRM !)
ElectronicElectronic
Purse Purse
Common Common
StorageStorage
USIMUSIMID= IMSIID= IMSI
& MSISDN & MSISDN
SIMSIMID= IMSIID= IMSI
& MSISDN & MSISDN
PhonebookPhonebook
Source: Judith Rossebø, Telenor
April 2008, Josef NollMobile Payment and Access
UICC for multiple ID providers
46
Compartmentalisation of the UICC3.rd party on-board applications featuring
• Internal and segregated Security domains
• Private entrances for SP to applications
(own keys and key management)
• Use of NFC, USB IF or other common
resources
-MNO as house-keeper (Real Estate Manager)
Source: Judith Rossebø, Telenor
Josef Noll, “Who owns the SIM?”, 5 June 2007
Third party business model• Media, • Banks, Service providers• Telecom, Corporate, Home
Identity and personalisation
provider
Customer care
Serviceaggregator
Authentication and Access
provider
Paymentprovider
Content provider
• Service aggregator• Convenient interfaces
• Ease of use
• Identity and personalisation provider• Convenience
• Trust
47
Josef Noll, “Who owns the SIM?”, 5 June 2007
The secure element:
SIM card
Send service to phone
Send info to recipient
Smartcard interfacesISO/IEC 7816
NFCcommunication
unit
SIM
NFC2SIM
Identity and personalisation
providerAuthentication
and Accessprovider
Serviceaggregator
• SIM is secure element
• controlled environment• over-the-air update• open for applications
• SIM will be owned by user
• managed by trusted third party
Send key and credentials
Josef Noll, “Who owns the SIM?”, 5 June 2007
Challenges and Benefits
How insecure is the Internet?
Will the phone be the only secure element?
Dynamic service environment? On-the-fly creation of services?
Are Google, facebook and flickr more trusted than telecom
operators?
Visa and Mastercard enable convenient small amount
purchases
0
50
100
150
200
2006 2008 2010
Telco favourite Third party favourite
Convenience of usage
49
April 2008, Josef NollMobile Payment and Access
Conclusions on Near Field Communications Standardisation well-under-way
– NFC with three modes– SIM interworking – power on (payment) versus power off (ticket)
Commercial kick-off visible – Pre-commercial trials “everywhere”– Critical hand-set status (only low-range phones)
Unclear business models– variety of application areas– co-operation and revenue sharing
“Sufficient Security”? Teaching the customer
– easy to use– “always available”