SlideShare uma empresa Scribd logo

Enhanced SIM (ESIM): a proposal for mobile security

Giuseppe Paterno'
Giuseppe Paterno'
TecnologiaNegócios
1 de 17
Baixar para ler offline
Enhanced SIM (ESIM): a proposal for mobile security Giuseppe “Gippa” Paternò Visiting Researcher Trinity College Dublin
Fàilte (welcome)
Who am I ● Visiting Researcher at Trinity College Dublin (Ireland) ● Solution Architect and EMEA Security Expert in Red Hat ● Previously Security Solution Architect in Sun and also in IBM ● Red Hat Certified Security Specialist (RHCSS), Red Hat Certified Architect (RHCA) and Cisco Certified Network Professinal (CCNP) ● Part of the italian security community sikurezza.org ● Published books and whitepapers ● Forensic analisys for local govs ● More on: – http://www.scss.tcd.ie/Giuseppe.Paterno/ – http://www.gpaterno.com/ – http://www.linkedin.com/in/gpaterno
Current authentication issues ● Increasing number of websites and intranet/extranet lead to: – – ● Increase of username/password combinations to remember Increased number of OTP tokens With the following issues: – You end up writing the username/password somewhere – You can have multiple OTP tokens to carry (I have three!!)
The idea Too many things to carry and a lot of things to remember but .... is anything I carry always with me? My mobile phone
Enhanced SIM (ESIM) ● SIM/USIM are smartcards that contains: – – PIN protected – ● Security authentication for mobile network – ● IMSI Not different from any other smartcard Embed a cryptographic engine in a SIM to hold X.509 and corresponding private key. Pre-loaded keypair with Mobile Operator's own CA
ESIM advantages ● Provide the following security services: – – Website authentication and authorization Corporate logon to resources (Web, Windows Network, …) – – ● Bank/financial services for mobile Any other use that require confidentiality No need to reissue a smartcard and/or a keypair for each user: any corporate or website only need to authorize, no more authentication hassle!
ESIM advantages ● No need to modify current software: – Most webservers has SSL authentication – Microsoft Windows allows PKI log-on – Kerberos PKINIT can provide smartcard authentication for corporate/kerberized environment – Adobe(tm) PDF can use X.509 to crypt documents
ESIM proposed specs ● ● Two parts are involved, the SIM itself and the mobile device that provides access: SIM: JavaCard holding MUSCLE card applet – Contact or contactless Device: CCID smartcard specifications over USB or bluetooth – ●
Certificate Lifecycle: CA ● ● Each operator must have a Certification Authority (CA) that mets common criteria Must publish the following information: – – ● Certificate Revocation List (CRL) for offline – ● CA root certificate URL Online Certificate Status Protocol (OCSP) responder is a plus SIM can optionally hold a list of “preferred” CA roots Hold the public key for lawful interception
Certificate Lifecycle: ESIM ● SIM preloaded with an X.509 keypair at the factory – – Signing of the public key – Common Name (CN) set to IMSI value – ● Key generation command issued Renewals through the SCEP protocol Provisioning – The lifecycle must be integrated with operators' provisioning system to revoke the ESIM certificate if needed
API/Crypto Engine Access Phone manufacturer must: ● ● Publish APIs to access the key infrastructure for both internal and external applications Leverage the existing APIs if possible: – – ● Windows Mobile CertificateStore Iphone keychain service Enable access to standard computer through USB CCID standard – CCID is easy available and requires no drivers
Application Scenario ● VPN access ● Short Messaging Service (SMS) encryption ● Remote device wiping ● IP-based telephony security (SRTP) ● IEEE 802.1x access (EAP) for WiFi and WiMAX ● Financial transactions (security and non repudiation)
Lawful interception ● Required in some countries ● ESIM can be an obstacle to lawful interception ● Home operator must hold a keypair for lawful interception – – ● any “network” services should be encrypted with the operator keypair (ex: SMS) Ensure that the “home” country is responsible for crimes, to protect users' rights when roaming For other applications, the service provider is responsible for providing the required info.
Criticism ● Public key (X.509) never “took off” apart from government agencies/military – ● ● Peer-to-peer crypto is still strong in vertical enviroments (PGP, SSH) Usability is a must for the end-user – ● Maybe due to costs related in maintaining the infrastructure Can lead to a real “flop” if is not easy to use In some countries (ex: Ireland) ID is not required to purchase a SIM
Project status ● ● ● ● Some tests have been done, but not the “full chain” Talking and investigating in building the chain, but mostly lack of cooperation from manufacturers/vendors and mobile operators Exploring other possibilities as well (such as peer-to-peer crypto) Your feedback is well-appreciated!
Thank you!! Giuseppe “Gippa” Paternò Visiting Researcher Trinity College Dublin paternog@cs.tcd.ie http://www.scss.tcd.ie/Giuseppe.Paterno/ http://www.gpaterno.com/

Recomendados

e-Sim Sharing (extract)
e-Sim Sharing (extract)e-Sim Sharing (extract)
e-Sim Sharing (extract)
BearingPoint
 
eSIM - "simlos" in die Zukunft?
eSIM - "simlos" in die Zukunft?eSIM - "simlos" in die Zukunft?
eSIM - "simlos" in die Zukunft?
Iskander Business Partner GmbH
 
Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...
Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...
Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...
Cloudera, Inc.
 
Gluster.community.day.2013
Gluster.community.day.2013Gluster.community.day.2013
Gluster.community.day.2013
Udo Seidel
 
Ant tail white paper lora nb_iot__gprs mesh -v2
Ant tail white paper lora nb_iot__gprs mesh -v2Ant tail white paper lora nb_iot__gprs mesh -v2
Ant tail white paper lora nb_iot__gprs mesh -v2
Mark Roemers
 
Anatomia del Mobile World Congress 2016
Anatomia del Mobile World Congress 2016Anatomia del Mobile World Congress 2016
Anatomia del Mobile World Congress 2016
Roca Salvatella
 
Workshop on M2M and IoT, internet of Things, organized by European Regulators...
Workshop on M2M and IoT, internet of Things, organized by European Regulators...Workshop on M2M and IoT, internet of Things, organized by European Regulators...
Workshop on M2M and IoT, internet of Things, organized by European Regulators...
Thierry Lestable
 
Performance comparison of Distributed File Systems on 1Gbit networks
Performance comparison of Distributed File Systems on 1Gbit networksPerformance comparison of Distributed File Systems on 1Gbit networks
Performance comparison of Distributed File Systems on 1Gbit networks
Marian Marinov
 

Recomendados

e-Sim Sharing (extract)
e-Sim Sharing (extract)e-Sim Sharing (extract)
e-Sim Sharing (extract)
BearingPoint
 
eSIM - "simlos" in die Zukunft?
eSIM - "simlos" in die Zukunft?eSIM - "simlos" in die Zukunft?
eSIM - "simlos" in die Zukunft?
Iskander Business Partner GmbH
 
Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...
Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...
Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...
Cloudera, Inc.
 
Gluster.community.day.2013
Gluster.community.day.2013Gluster.community.day.2013
Gluster.community.day.2013
Udo Seidel
 
Ant tail white paper lora nb_iot__gprs mesh -v2
Ant tail white paper lora nb_iot__gprs mesh -v2Ant tail white paper lora nb_iot__gprs mesh -v2
Ant tail white paper lora nb_iot__gprs mesh -v2
Mark Roemers
 
Anatomia del Mobile World Congress 2016
Anatomia del Mobile World Congress 2016Anatomia del Mobile World Congress 2016
Anatomia del Mobile World Congress 2016
Roca Salvatella
 
Workshop on M2M and IoT, internet of Things, organized by European Regulators...
Workshop on M2M and IoT, internet of Things, organized by European Regulators...Workshop on M2M and IoT, internet of Things, organized by European Regulators...
Workshop on M2M and IoT, internet of Things, organized by European Regulators...
Thierry Lestable
 
Performance comparison of Distributed File Systems on 1Gbit networks
Performance comparison of Distributed File Systems on 1Gbit networksPerformance comparison of Distributed File Systems on 1Gbit networks
Performance comparison of Distributed File Systems on 1Gbit networks
Marian Marinov
 
 Connected Living - Embedded SIM & M2M
 Connected Living - Embedded SIM & M2M Connected Living - Embedded SIM & M2M
 Connected Living - Embedded SIM & M2M
Telefónica IoT
 
MVNO for MNO
MVNO for MNOMVNO for MNO
MVNO for MNO
mikerrr
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Giuseppe Paterno'
 
Programmable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMsProgrammable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMs
Gerry O'Prey
 
NB-IoT
NB-IoTNB-IoT
NB-IoT
Oded Rotter
 
IoT in LTE
IoT in LTEIoT in LTE
IoT in LTE
Neha Katyal
 
Diversifying cellular for massive IoT
Diversifying cellular for massive IoTDiversifying cellular for massive IoT
Diversifying cellular for massive IoT
Ericsson
 
IoT Standards_ALICON_SE_2017_02_25_Rev_D
IoT Standards_ALICON_SE_2017_02_25_Rev_DIoT Standards_ALICON_SE_2017_02_25_Rev_D
IoT Standards_ALICON_SE_2017_02_25_Rev_D
Ike Alisson
 
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)
Small Cell Forum
 
LoRa and NB-IoT
LoRa and NB-IoT LoRa and NB-IoT
LoRa and NB-IoT
Darshan Patil
 
Global staffing (rpo) business proposal
Global staffing (rpo) business proposalGlobal staffing (rpo) business proposal
Global staffing (rpo) business proposal
Ajay Tripathi
 
5G TECHNOLOGY
5G TECHNOLOGY5G TECHNOLOGY
5G TECHNOLOGY
SAIKRISHNA KOPPURAVURI
 
Gfs vs hdfs
Gfs vs hdfsGfs vs hdfs
Gfs vs hdfs
Yuval Carmel
 
5G Presentation
5G Presentation5G Presentation
5G Presentation
Ericsson
 
Link Labs LPWA Webinar
Link Labs LPWA WebinarLink Labs LPWA Webinar
Link Labs LPWA Webinar
Brian Ray
 
5G tecnology
5G tecnology5G tecnology
5G tecnology
Abhishek Manwal
 
5g wireless systems
5g wireless systems5g wireless systems
5g wireless systems
Amar
 
OpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITOpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture IT
Giuseppe Paterno'
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
Giuseppe Paterno'
 
Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloud
Giuseppe Paterno'
 
SecurePass at OpenBrighton
SecurePass at OpenBrightonSecurePass at OpenBrighton
SecurePass at OpenBrighton
Giuseppe Paterno'
 
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsOpenStack: Security Beyond Firewalls
OpenStack: Security Beyond Firewalls
Giuseppe Paterno'
 

Mais conteúdo relacionado

Destaque

Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Giuseppe Paterno'
 

Destaque (17)

 Connected Living - Embedded SIM & M2M
 Connected Living - Embedded SIM & M2M Connected Living - Embedded SIM & M2M
 Connected Living - Embedded SIM & M2M
 
MVNO for MNO
MVNO for MNOMVNO for MNO
MVNO for MNO
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2
 
Programmable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMsProgrammable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMs
 
NB-IoT
NB-IoTNB-IoT
NB-IoT
 
IoT in LTE
IoT in LTEIoT in LTE
IoT in LTE
 
Diversifying cellular for massive IoT
Diversifying cellular for massive IoTDiversifying cellular for massive IoT
Diversifying cellular for massive IoT
 
IoT Standards_ALICON_SE_2017_02_25_Rev_D
IoT Standards_ALICON_SE_2017_02_25_Rev_DIoT Standards_ALICON_SE_2017_02_25_Rev_D
IoT Standards_ALICON_SE_2017_02_25_Rev_D
 
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)
 
LoRa and NB-IoT
LoRa and NB-IoT LoRa and NB-IoT
LoRa and NB-IoT
 
Global staffing (rpo) business proposal
Global staffing (rpo) business proposalGlobal staffing (rpo) business proposal
Global staffing (rpo) business proposal
 
5G TECHNOLOGY
5G TECHNOLOGY5G TECHNOLOGY
5G TECHNOLOGY
 
Gfs vs hdfs
Gfs vs hdfsGfs vs hdfs
Gfs vs hdfs
 
5G Presentation
5G Presentation5G Presentation
5G Presentation
 
Link Labs LPWA Webinar
Link Labs LPWA WebinarLink Labs LPWA Webinar
Link Labs LPWA Webinar
 
5G tecnology
5G tecnology5G tecnology
5G tecnology
 
5g wireless systems
5g wireless systems5g wireless systems
5g wireless systems
 

Mais de Giuseppe Paterno'

OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
Giuseppe Paterno'
 
Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloud
Giuseppe Paterno'
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
Giuseppe Paterno'
 
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Giuseppe Paterno'
 
How the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersHow the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacenters
Giuseppe Paterno'
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free software
Giuseppe Paterno'
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
Giuseppe Paterno'
 
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiComparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Giuseppe Paterno'
 
Secure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadSecure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and Etherpad
Giuseppe Paterno'
 

Mais de Giuseppe Paterno' (15)

OpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITOpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture IT
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
 
Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloud
 
SecurePass at OpenBrighton
SecurePass at OpenBrightonSecurePass at OpenBrighton
SecurePass at OpenBrighton
 
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsOpenStack: Security Beyond Firewalls
OpenStack: Security Beyond Firewalls
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
 
How the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersHow the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacenters
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free software
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
 
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiComparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
 
La gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieLa gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarie
 
Secure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadSecure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and Etherpad
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remedies
 
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
 

Último

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Último (20)

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Enhanced SIM (ESIM): a proposal for mobile security

  • 1. Enhanced SIM (ESIM): a proposal for mobile security Giuseppe “Gippa” Paternò Visiting Researcher Trinity College Dublin
  • 3. Who am I ● Visiting Researcher at Trinity College Dublin (Ireland) ● Solution Architect and EMEA Security Expert in Red Hat ● Previously Security Solution Architect in Sun and also in IBM ● Red Hat Certified Security Specialist (RHCSS), Red Hat Certified Architect (RHCA) and Cisco Certified Network Professinal (CCNP) ● Part of the italian security community sikurezza.org ● Published books and whitepapers ● Forensic analisys for local govs ● More on: – http://www.scss.tcd.ie/Giuseppe.Paterno/ – http://www.gpaterno.com/ – http://www.linkedin.com/in/gpaterno
  • 4. Current authentication issues ● Increasing number of websites and intranet/extranet lead to: – – ● Increase of username/password combinations to remember Increased number of OTP tokens With the following issues: – You end up writing the username/password somewhere – You can have multiple OTP tokens to carry (I have three!!)
  • 5. The idea Too many things to carry and a lot of things to remember but .... is anything I carry always with me? My mobile phone
  • 6. Enhanced SIM (ESIM) ● SIM/USIM are smartcards that contains: – – PIN protected – ● Security authentication for mobile network – ● IMSI Not different from any other smartcard Embed a cryptographic engine in a SIM to hold X.509 and corresponding private key. Pre-loaded keypair with Mobile Operator's own CA
  • 7. ESIM advantages ● Provide the following security services: – – Website authentication and authorization Corporate logon to resources (Web, Windows Network, …) – – ● Bank/financial services for mobile Any other use that require confidentiality No need to reissue a smartcard and/or a keypair for each user: any corporate or website only need to authorize, no more authentication hassle!
  • 8. ESIM advantages ● No need to modify current software: – Most webservers has SSL authentication – Microsoft Windows allows PKI log-on – Kerberos PKINIT can provide smartcard authentication for corporate/kerberized environment – Adobe(tm) PDF can use X.509 to crypt documents
  • 9. ESIM proposed specs ● ● Two parts are involved, the SIM itself and the mobile device that provides access: SIM: JavaCard holding MUSCLE card applet – Contact or contactless Device: CCID smartcard specifications over USB or bluetooth – ●
  • 10. Certificate Lifecycle: CA ● ● Each operator must have a Certification Authority (CA) that mets common criteria Must publish the following information: – – ● Certificate Revocation List (CRL) for offline – ● CA root certificate URL Online Certificate Status Protocol (OCSP) responder is a plus SIM can optionally hold a list of “preferred” CA roots Hold the public key for lawful interception
  • 11. Certificate Lifecycle: ESIM ● SIM preloaded with an X.509 keypair at the factory – – Signing of the public key – Common Name (CN) set to IMSI value – ● Key generation command issued Renewals through the SCEP protocol Provisioning – The lifecycle must be integrated with operators' provisioning system to revoke the ESIM certificate if needed
  • 12. API/Crypto Engine Access Phone manufacturer must: ● ● Publish APIs to access the key infrastructure for both internal and external applications Leverage the existing APIs if possible: – – ● Windows Mobile CertificateStore Iphone keychain service Enable access to standard computer through USB CCID standard – CCID is easy available and requires no drivers
  • 13. Application Scenario ● VPN access ● Short Messaging Service (SMS) encryption ● Remote device wiping ● IP-based telephony security (SRTP) ● IEEE 802.1x access (EAP) for WiFi and WiMAX ● Financial transactions (security and non repudiation)
  • 14. Lawful interception ● Required in some countries ● ESIM can be an obstacle to lawful interception ● Home operator must hold a keypair for lawful interception – – ● any “network” services should be encrypted with the operator keypair (ex: SMS) Ensure that the “home” country is responsible for crimes, to protect users' rights when roaming For other applications, the service provider is responsible for providing the required info.
  • 15. Criticism ● Public key (X.509) never “took off” apart from government agencies/military – ● ● Peer-to-peer crypto is still strong in vertical enviroments (PGP, SSH) Usability is a must for the end-user – ● Maybe due to costs related in maintaining the infrastructure Can lead to a real “flop” if is not easy to use In some countries (ex: Ireland) ID is not required to purchase a SIM
  • 16. Project status ● ● ● ● Some tests have been done, but not the “full chain” Talking and investigating in building the chain, but mostly lack of cooperation from manufacturers/vendors and mobile operators Exploring other possibilities as well (such as peer-to-peer crypto) Your feedback is well-appreciated!
  • 17. Thank you!! Giuseppe “Gippa” Paternò Visiting Researcher Trinity College Dublin paternog@cs.tcd.ie http://www.scss.tcd.ie/Giuseppe.Paterno/ http://www.gpaterno.com/