secure elements in web applications
TRANSCRIPT
![Page 1: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/1.jpg)
The Path to Inter-Industry
Standards for Utilizing
Secure Elements in Web
Applications
Olivier POTONNIEE, Karen LU
September 2015
![Page 2: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/2.jpg)
Secure Elements and The Web
Secure Elements in Web Applications2
Telecom• Login / Strong Authentication
Payment• Card-present eCommerce
ID• eGov
• Authentication & Signature
Transport • View balance
• Reload / Buy tickets online
![Page 3: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/3.jpg)
Low level Secure Element APIs
PC/SCOpen Mobile API
(OMAPI)
8.1: 10:
3 Secure Elements in Web Applications
![Page 4: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/4.jpg)
Cross-Platform Secure Element (SE) API
Secure Elements in Web Applications4
PC/SC
(MSWindows, MacOS, Linux)
OMAPI
(Android)NFC
Desktop Mobile
Web Applications
Web
Runtim
eO
S
Secure Element APIAccess Control
…
![Page 5: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/5.jpg)
Secure Element API
Standardization
Proposed to W3C (SysApps & WebCrypto WGs)
http://opoto.github.io/secure-element/
Transferred to a GlobalPlatform WG
https://github.com/globalplatform
Implementation
Included in Firefox OS 2.2 (June 2015)
5 Secure Elements in Web Applications
![Page 6: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/6.jpg)
Secure Element API
Secure Elements in Web Applications6
Transport-level API (similar to SIM Alliance’s OMAPI)
Secure Element
Manager
Reader
Session
Channel
Enumerate readers
SE insertion / removal events
Is SE present?
Connect to SE
SE ATR
Connect to Applet
Basic / Logical
Transmit APDUs
![Page 7: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/7.jpg)
Access Control Toolbox
Secure Elements in Web Applications7
• PIN
• Secure Messaging
Mutual AuthentN
• GlobalPlatform
Access Control
Secure Element
Security Model
• Permissions:
Access to
device/resources
(GPS, storage, etc…)
• Same Origin Policy
(SOP):
Data isolation per
domain
Web
Security Model
![Page 8: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/8.jpg)
Access Control (1/2): The Web
Secure Elements in Web Applications8
• PIN
• Secure Messaging
Mutual AuthentN
• GlobalPlatform
Access Control
Secure Element
Security Model
• Permissions:
Access to
device/resources
(GPS, storage, etc…)
• Same Origin Policy
(SOP):
Data isolation per
domain
Web
Security Model
![Page 9: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/9.jpg)
Domain-binded SE apps (SOP compliant)
Secure Elements in Web Applications9
An SE app with one credential per domain
An SE app is tied to a single domain, which hosts a centralized
service
Other apps use a delegation protocol to use the centralized service
Identity
Provider
SAML/OpenID Connect
Login Authenticate
Service
Provider
(Relying
Party)
![Page 10: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/10.jpg)
Access Control (2/2): Secure Elements
Secure Elements in Web Applications10
• PIN
• Secure Messaging
Mutual AuthentN
• GlobalPlatform
Access Control
Secure Element
Security Model
• Permissions:
Access to
device/resources
(GPS, storage, etc…)
• Same Origin Policy
(SOP):
Data isolation per
domain
Web
Security Model
![Page 11: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/11.jpg)
Access
Control
Enforcer
GlobalPlatform Access Control
Secure Elements in Web Applications11
Access
Rules
SE
Application
Cached
Access
Rules
User Device
Application
Access Rule: Authorizes a
specific app on device to
access a specific app on SE
[and send specific commands]
http://www.globalplatform.org/specificationsdevice.asp
![Page 12: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/12.jpg)
Secure Element API to build Trusted Services
AuthentN Signature Payment Reload
Web Applications
…
Public APIs
Restricted APIs
Web
Ru
nti
me
Privilege apps,
e.g. Extensions
12 Secure Elements in Web Applications
Secure Element API Access Control
![Page 13: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/13.jpg)
The security palette
Secure Elements in Web Applications13
Secure
Element
Built-ins
GlobalPlatform
Access Control
Trusted
Services
Domain
Binding
![Page 14: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/14.jpg)
Participate!
Secure Elements in Web Applications14
.
New Working Group: Hardware Security (HaSec)
Will work on use cases and APIs
http://www.w3.org/2015/hasec/2015-hasec-charter.html
.
New Working Group: WebApis-for-SE
Will work on APIs and Implementation
Chaired by Hank Chavers (hank.chavers at globalplatform.org)
![Page 15: Secure Elements in Web Applications](https://reader031.vdocument.in/reader031/viewer/2022020103/58aafc8d1a28abd35e8b5211/html5/thumbnails/15.jpg)
Thanks!
Secure Elements in Web Applications15
Questions?