Mobile Web Security Bootstrap On Labs

•

3 likes•428 views

The SIM can not only be used for cellular access and connectivity, but also for securing mobile applications. Based on industry standards, the Mobile Web Security Bootstrap enabler allows developers to write application servers that can establish shared secret key between an application server and a mobile web client. The shared secret key can then be used to secure mobile applications that require e.g. authentication, confidentiality, integrity, single sign on among others.

Technology

Mobile Web Security Bootstrap
A labs.ericsson.com enabler
http://labs.ericsson.com/apis/mobile-web-security-bootstrap/

Mobile Web Security Bootstrap
The SIM is commonly used for getting cellular access,
mobile connectivity and access to some mobile services

The SIM proven security features can also be used for
securing any mobile web applications

This enabler provides an API for establishing a secret key
between mobile web clients and web applications

2

Why?

Security – As secure as SIM

Standard – Based on industry standard

Acceptance – Many standardized applications

Convenience – Transparent to users

Extensibility – Any applications can exploit the SIM

3

Main Features
Based on 3GPP industry standard
Generic Bootstrapping Architecture

Client and server Web/Java APIs available and
documented with examples

HTTP interfaces

Soft client available to allow focusing on the
development of the network side of the web
application

4

Overview
Mobile Web
Network
Application Server
Network
Application
Ub interface – Mobile client uses
Application
API to bootstrap a master secret
key
Ua Zn
Ua interface –Mobile Web Client
uses API to derive application- * HTTP
specific master key

Zn interface – Mobile Web Mobile
Web Client Bootstrap
Application Server uses API to
obtain the corresponding Ub Server
application-specific master key Bootstrap
Client HTTP
At the end of the API usage
Subscriber
transactions the client and server
share an application-specific secret- Database
key
Mobile Web Client MWSB
Mobile Web
Security Bootstrap

5

Java Client API
Soft Client API provided for focusing on server application

Example showing how to establish a shared key

// Create soft client with user identity and permanent key
GbaClient softclient = new GbaClient(myID, myKey);

// Bootstrap client with master key. btid is the handler.
String btid = softclient.bootstrap();

// Derive application-specific key to be shared with app server
byte[] appKey = softclient.getKsNaf(app_Fqdn);

// Use the app key for HTTP Digest Authentication
boolean authResult = runUaHttpDigest(app_URL, btid, appKey);

6

Java Server API
API towards mobile client and API towards MWSB
Servlet example showing how to establish a shared key
// Applicatin Servlet doGet()

// Create application context with Labs authorization API key
GbaNaf app = new GbaNaf(myFqdn, myApiKey)

// Parse GET authorization headers & fetch btid (key Handler)
Authorization authz = Authorization.parse(authorizationHeader);
String btid = authz.getUsername();

// Derive the application-specific key to be shared with client
appKey = app.getKsNaf(btid);

// Use the shared key to authenticate the mobile client
Digest.verify(authorization, appKey)

7

Possible applications

Identity Management

Authentication Single Sign On

Integrity Confidentiality

Key Management

8

More from Tor Björn Minde

With the Network Probe application you can measure certain characteristics of the NAT (Network Address Translator) or firewall between your application and a server on the Internet. To understand these characteristics is important for applications relying on having information pushed form a server to a client. You can also study the measurements performed by others to get a broader understanding of these characteristics.

Network Probe On Labs

Tor Björn Minde

Mobile Sensor Actuator Gateway On Labs

Tor Björn Minde

Ericsson Labs 100322

Tor Björn Minde

Converting Media On Labs

Tor Björn Minde

Event Source On Labs

Tor Björn Minde

Mobile Identification On Labs

Tor Björn Minde

Face Detector On Labs

Tor Björn Minde

The Web Connectivity API allows you to quickly and easily connect and send messages between your mobile or desktop web applications, pages and servers, using a unified addressing and messaging system. The API consists of a JavaScript™ library for client development and simple HTTP interface allowing you to connect your web servers. We also provide a Web Connectivity Ruby on Rails plugin for rapid web application development.

Web Connectivity On Labs

Tor Björn Minde

3D Landscape on Labs

Tor Björn Minde

Mobile Location On Labs

Tor Björn Minde

Streaming Media On Labs

Tor Björn Minde

Ericsson Labs OTA09 090925

Web Location On Labs

Ericsson Labs 090702

Mobile Maps On Labs

SMS On Labs

Mobile Java Push On Labs

Tor Björn Minde

IMS framework On Labs

Tor Björn Minde

More from Tor Björn Minde (18)

Network Probe On Labs

Mobile Sensor Actuator Gateway On Labs

Ericsson Labs 100322

Converting Media On Labs

Event Source On Labs

Mobile Identification On Labs

Face Detector On Labs

Web Connectivity On Labs

3D Landscape on Labs

Mobile Location On Labs

Streaming Media On Labs

Ericsson Labs OTA09 090925

Web Location On Labs

Ericsson Labs 090702

Mobile Maps On Labs

SMS On Labs

Mobile Java Push On Labs

IMS framework On Labs

Recently uploaded

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison

A Domino Admins Adventures (Engage 2024)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Why Teams call analytics are critical to your entire business

HTML Injection Attacks: Impact and Mitigation Strategies

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

GenAI Risks & Security Meetup 01052024.pdf

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Boost PC performance: How more available memory can improve productivity

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Apidays New York 2024 - The value of a flexible API Management solution for O...

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

🐬 The future of MySQL is Postgres 🐘

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

presentation ICT roal in 21st century education

Tata AIG General Insurance Company - Insurer Innovation Award 2024

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Mobile Web Security Bootstrap On Labs

1. Mobile Web Security Bootstrap A labs.ericsson.com enabler http://labs.ericsson.com/apis/mobile-web-security-bootstrap/

2. Mobile Web Security Bootstrap The SIM is commonly used for getting cellular access, mobile connectivity and access to some mobile services The SIM proven security features can also be used for securing any mobile web applications This enabler provides an API for establishing a secret key between mobile web clients and web applications 2

3. Why? Security – As secure as SIM Standard – Based on industry standard Acceptance – Many standardized applications Convenience – Transparent to users Extensibility – Any applications can exploit the SIM 3

4. Main Features Based on 3GPP industry standard Generic Bootstrapping Architecture Client and server Web/Java APIs available and documented with examples HTTP interfaces Soft client available to allow focusing on the development of the network side of the web application 4

5. Overview Mobile Web Network Application Server Network Application Ub interface – Mobile client uses Application API to bootstrap a master secret key Ua Zn Ua interface –Mobile Web Client uses API to derive application- * HTTP specific master key Zn interface – Mobile Web Mobile Web Client Bootstrap Application Server uses API to obtain the corresponding Ub Server application-specific master key Bootstrap Client HTTP At the end of the API usage Subscriber transactions the client and server share an application-specific secret- Database key Mobile Web Client MWSB Mobile Web Security Bootstrap 5

6. Java Client API Soft Client API provided for focusing on server application Example showing how to establish a shared key // Create soft client with user identity and permanent key GbaClient softclient = new GbaClient(myID, myKey); // Bootstrap client with master key. btid is the handler. String btid = softclient.bootstrap(); // Derive application-specific key to be shared with app server byte[] appKey = softclient.getKsNaf(app_Fqdn); // Use the app key for HTTP Digest Authentication boolean authResult = runUaHttpDigest(app_URL, btid, appKey); 6

7. Java Server API API towards mobile client and API towards MWSB Servlet example showing how to establish a shared key // Applicatin Servlet doGet() // Create application context with Labs authorization API key GbaNaf app = new GbaNaf(myFqdn, myApiKey) // Parse GET authorization headers & fetch btid (key Handler) Authorization authz = Authorization.parse(authorizationHeader); String btid = authz.getUsername(); // Derive the application-specific key to be shared with client appKey = app.getKsNaf(btid); // Use the shared key to authenticate the mobile client Digest.verify(authorization, appKey) 7

8. Possible applications Identity Management Authentication Single Sign On Integrity Confidentiality Key Management 8

9. 9

Mobile Web Security Bootstrap On Labs

Recommended

Recommended

More Related Content

More from Tor Björn Minde

More from Tor Björn Minde (18)

Recently uploaded

Recently uploaded (20)

Mobile Web Security Bootstrap On Labs