Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hardware-based secure services past and future Olivier POTONNIEE, Aurélien COUVERT, Virginie GALINDO April 2016.

Published byAlbert Allan Todd Modified over 8 years ago

Similar presentations

Presentation on theme: "Hardware-based secure services past and future Olivier POTONNIEE, Aurélien COUVERT, Virginie GALINDO April 2016."— Presentation transcript:

1 Hardware-based secure services past and future Olivier POTONNIEE, Aurélien COUVERT, Virginie GALINDO April 2016

2 What we did around Secure Element …. W3C status – Sept 2014 2 Sys APP WG proposal Opening a communication channel with Secure Element Does not fit Web Crypto API for hardware token Too early Web Crypto. Next workshop in Sept 2014 Promoting secure element and FIDO authentication Web Authentication WG Up and running

3 Why is not there yet an API to access Secure Element ? W3C perspectives on SE – internal use only 3 Education matters Web dev don’t want to speak APDU Browser makers neither Power industry matters We are only few security vendors in W3C More device and security players are joining : Banks, Visa, Tyfone, Chipset makers, … SE value are not straightforward for browser makers They live in a on-line, real time, risk management world They know how to deal with secure browser, secure enough storage… Concern with privacy and security Services in SE made accessible to everyone is a privacy concern No security solution for access control has been convincing enough up to now

4 What we see for the open web platform…. W3C status – Sept 2014 4 There are some standard services that web app could benefit Cryptography operation and storage Citizen identity Payment services Abstraction : what ever is the hardware-based token flavor The W3C should not worry about integration aspects TEE and secure element are used in transparent way in platforms See iOSSecure Enclave, android hardware-key, android Trusty framework, android fingerprint API, and some mobile payment solutions

5 Example of Web Authentication API…. W3C status – Sept 2014 5 The level of service is Enroll authenticator Authenticate W3C defines attestation, signature and service parameters The implementers manage the FIDO Client and enumeration/communication with the authenticators Security model is HTTPS SOP Centralized server checking device attestation, behing the web app domain

6 Our suggestion for having some hardware-based secure services happening W3C status – Sept 2014 6 Pick one or two use cases Design the basic services we need Prototype integration with UA vendor And improve

7 Sharing with you some technical thoughts…. Footer, 20xx-xx-xx 7

8 Low level Secure Element APIs PC/SC Open Mobile API (OMAPI) 8.1:  10:  8 Secure Elements in Web Applications

9 Cross-Platform Secure Element (SE) API Secure Elements in Web Applications 9 PC/SC (MSWindows, MacOS, Linux) PC/SC (MSWindows, MacOS, Linux) OMAPI (Android) OMAPI (Android) NFC Desktop Mobile Web Applications Web Runtime OS Secure Element API Access Control … …

10 Secure Element API Standardization Proposed to W3C (SysApps & WebCrypto WGs) http://opoto.github.io/secure-element/ Transferred to a GlobalPlatform WG https://github.com/globalplatform Under public review here http://globalplatform.github.io/WebApis-for-SE/doc/. http://globalplatform.github.io/WebApis-for-SE/doc/ Implementation Included in Firefox OS 2.2 (June 2015) 10 Secure Elements in Web Applications

11 Web API for accessing Secure Element Secure Elements in Web Applications 11

12 Secure Element API Secure Elements in Web Applications 12 Transport-level API (similar to SIM Alliance’s OMAPI) Secure Element Manager Reader Session Channel Enumerate readers SE insertion / removal events Is SE present? Connect to SE SE ATR Connect to Applet Basic / Logical Transmit APDUs

13 Access Control Toolbox Secure Elements in Web Applications 13 PIN Secure Messaging Mutual AuthentN GlobalPlatform Access Control Secure Element Security Model Permissions: Access to device/resources (GPS, storage, etc…) Same Origin Policy (SOP): Data isolation per domain Web Security Model

14 Access Control (1/2): The Web Secure Elements in Web Applications 14 PIN Secure Messaging Mutual AuthentN GlobalPlatform Access Control Secure Element Security Model Permissions: Access to device/resources (GPS, storage, etc…) Same Origin Policy (SOP): Data isolation per domain Web Security Model

15 Domain-binded SE apps (SOP compliant) Secure Elements in Web Applications 15 An SE app with one credential per domain An SE app is tied to a single domain, which hosts a centralized service Other apps use a delegation protocol to use the centralized service Identity Provider SAML/OpenID Connect Login Authenticate Service Provider (Relying Party)

16 Access Control (2/2): Secure Elements Secure Elements in Web Applications 16 PIN Secure Messaging Mutual AuthentN GlobalPlatform Access Control Secure Element Security Model Permissions: Access to device/resources (GPS, storage, etc…) Same Origin Policy (SOP): Data isolation per domain Web Security Model

17 Access Control Enforcer GlobalPlatform Access Control Secure Elements in Web Applications 17 Access Rules SE Application SE Application Cached Access Rules User Device Application Access Rule: Authorizes a specific app on device to access a specific app on SE [and send specific commands] http://www.globalplatform.org/specificationsdevice.asp

18 Secure Element API to build Trusted Services AuthentN Signature Payment Reload Web Applications … Public APIs Restricted APIs Web Runtime Privilege apps, e.g. Extensions 18 Secure Elements in Web Applications Secure Element API Access Control

19 The security palette Secure Elements in Web Applications 19 Secure Element Built-ins GlobalPlatform Access Control Trusted Services Domain Binding

20 Or something completely different ! Footer, 20xx-xx-xx 20 a REST API provided by those privileged apps No need to comply with SOP but authentication could be managed by well deplowed techno like OAUTH Permission, privileged context, SRI, CSP, CORS …

Download ppt "Hardware-based secure services past and future Olivier POTONNIEE, Aurélien COUVERT, Virginie GALINDO April 2016."

Similar presentations

Mobile Devices in the DoD

Mobile Devices in the DoD
The Challenges of CORBA Security It is important to understand that [CORBAsecurity] is only a (powerful) security toolbox and not the solution to all security.

The Challenges of CORBA Security It is important to understand that [CORBAsecurity] is only a (powerful) security toolbox and not the solution to all security.
© 2013 Marcin Nagy & N. Asokan & Jörg Ott 1 PeerShare: A System for Secure Distribution of Sensitive Data among Social Contacts Marcin Nagy, N. Asokan,

© 2013 Marcin Nagy & N. Asokan & Jörg Ott 1 PeerShare: A System for Secure Distribution of Sensitive Data among Social Contacts Marcin Nagy, N. Asokan,
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Internet of Things Security Architecture

Internet of Things Security Architecture
1 GP Confidential ©2013 1 GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)

1 GP Confidential © GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)
SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.

SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Don’t Let Anybody Slip into Your Network! Using the Login People Multi-Factor Authentication Server Means No Tokens, No OTP, No SMS, No Certificates MICROSOFT.

Don’t Let Anybody Slip into Your Network! Using the Login People Multi-Factor Authentication Server Means No Tokens, No OTP, No SMS, No Certificates MICROSOFT.
SCRUB: Secure Computing Research for Users’ Benefit David Wagner 1.

SCRUB: Secure Computing Research for Users’ Benefit David Wagner 1.
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Next Steps toward More Trustworthy Interfaces Burt Kaliski, RSA Laboratories 1 st Workshop on Trustworthy Interfaces for Passwords and Personal Information.

Next Steps toward More Trustworthy Interfaces Burt Kaliski, RSA Laboratories 1 st Workshop on Trustworthy Interfaces for Passwords and Personal Information.
Dongyan Wang GlobalPlatform Technical Program Manager

Dongyan Wang GlobalPlatform Technical Program Manager
Widget Architecture. Terminology Widget, Gadget, Tool, Badge Widget Engine, Gadget Container, Widget Host Runtime Environment, Tool Proxy Runtime, Widget.

Widget Architecture. Terminology Widget, Gadget, Tool, Badge Widget Engine, Gadget Container, Widget Host Runtime Environment, Tool Proxy Runtime, Widget.
Identity and Access IDGo Secure Email (ISE) for Android Didier Bonnet April 2015.

Identity and Access IDGo Secure (ISE) for Android Didier Bonnet April 2015.
Script Kiddies; CybercrimeCyber-espionage; Cyber-warfare CybercriminalsState sponsored actions; Unlimited resources Attacks on fortune 500All sectors.

Script Kiddies; CybercrimeCyber-espionage; Cyber-warfare CybercriminalsState sponsored actions; Unlimited resources Attacks on fortune 500All sectors.
Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.

Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.
User Managed Privacy Using Distributed Trust Privacy and Security Research Workshop Carnegie Mellon University May 29-30, 2002 Lark M. Allen / Wave Systems.

User Managed Privacy Using Distributed Trust Privacy and Security Research Workshop Carnegie Mellon University May 29-30, 2002 Lark M. Allen / Wave Systems.

Similar presentations

Ads by Google