Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hardware Token Support for the Web Analysis of the W3C Workshop on Authentication, Hardware Tokens and Beyond.

Published byHarriet Bennett Modified over 8 years ago

Similar presentations

Presentation on theme: "Hardware Token Support for the Web Analysis of the W3C Workshop on Authentication, Hardware Tokens and Beyond."— Presentation transcript:

1 Hardware Token Support for the Web Analysis of the W3C Workshop on Authentication, Hardware Tokens and Beyond

2 Facts 1.Outcome of W3C Workshop on Authentication, Hardware Tokens and Beyond Hardware tokens in scope (including Platform-held keys): unanimous support Key Discovery: high support Device Discovery: high support Attestation of provenance: high support User-owned keys (aka individual-managed ID, aka FIDO): medium support 2.The gap between unanimous support and high support for hardware authentication vs. medium support for individual-managed ID (aka FIDO) is because there are several solutions today used in the web that are for centrally-issued IDs. At the workshop several governments and companies that are in the business of centrally- issued IDs were represented. 3.Both centrally-issued IDs and individual-managed IDs are equally important. One cannot replace the other.

3 Current state of hardware security ● Global Platform (GP) standard covers most of the interesting cases that support centrally-issued IDs ○ Smart cards ○ USIM cards ○ EMV cards ○ TPMs ○ TEEs ● There is substantial OS support for GP APIs (Windows, MacOS, Linux) ● Communications with the app use APDUs with standard framing, but app specific data ● The functions of a GP device are realized through “applications” resident on the device ● Each application has a unique, centrally registered AppID ● Each AppID belongs to a specific organization.

4 Proposal - Architecture Supports BOTH centrally-issued & individual-managed IDs ● Create a specialized JS sandbox for accessing secure hardware ○ Two interfaces: ■ APDU interface to a specific AppID instance (on the secure h/w device) ■ Message channel to web app ○ For some set of AppIDs, the browser obtains a JS “driver” that the owner of the AppID authorizes to access instances of that AppID ■ Driver translates from JS messages/API to APDUs ■ Driver could be delivered through dynamic loading from the web (à la WebRTC IdP) or a more static plugin / addon framework ● Web app requests access to AppID X ○ Browser checks that it has a JS driver for AppID X ○ Browser determines whether there is a device present that has an app with AppID X ○ Browser obtains from the OS a way to pass APDUs to that app instance ○ Browser loads the JS driver into a sandbox with (1) the APDU interface connected to the app instance, and (2) a message channel to the web app ○ Browser passes message channel back to web app

5 Proposal Why support both centrally-issued & individual-managed IDs? Centrally-issuedIndividual-managed Billions of IDs already issued and have Global Platform as the common standard New standard from FIDO Necessary for Liability ownershipNecessary for privacy Cannot provide privacyCannot provide liability or know your customer Supporting individual-managed IDs only = medium support Supporting both individual-managed IDs and centrally-issued IDs = unanimous support

Download ppt "Hardware Token Support for the Web Analysis of the W3C Workshop on Authentication, Hardware Tokens and Beyond."

Similar presentations

© Copyrights 1998 Algorithmic Research Ltd. All rights Reserved D a t a S e c u r i t y A c r o s s t h e E n t e r p r i s e Algorithmic Research a company.

© Copyrights 1998 Algorithmic Research Ltd. All rights Reserved D a t a S e c u r i t y A c r o s s t h e E n t e r p r i s e Algorithmic Research a company.
© 2011 All rights reserved to Ceedo. Ceedo - Flexible Computing Certificate-Based Authentication (CBA - 2FA) The organization MUST be able to positively.

© 2011 All rights reserved to Ceedo. Ceedo - Flexible Computing Certificate-Based Authentication (CBA - 2FA) The organization MUST be able to positively.
© 2012 All rights reserved to Ceedo. Flexible Desktops. Dynamic Workplace. Ceedo Client Offerings For Service Providers Ceedo Client Workspace Virtualization.

© 2012 All rights reserved to Ceedo. Flexible Desktops. Dynamic Workplace. Ceedo Client Offerings For Service Providers Ceedo Client Workspace Virtualization.
HCE AND BLE UNIVERSITY TOMORROWS TRANSACTIONS LONDON, 20 TH MARCH 2014.

HCE AND BLE UNIVERSITY TOMORROWS TRANSACTIONS LONDON, 20 TH MARCH 2014.
The team - currently 25 people

The team - currently 25 people
MOOC on M4D 2013 I NTRODUCTION TO THE A NDROID P LATFORM Ashish Agrawal Indian Institute of Technology Kanpur.

MOOC on M4D 2013 I NTRODUCTION TO THE A NDROID P LATFORM Ashish Agrawal Indian Institute of Technology Kanpur.
1 GP Confidential ©2013 1 GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)

1 GP Confidential © GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)
Chapters 14 & 15 Internet Databases. E-Commerce  Bringing new products, services, or ideas to market, supporting and enhancing business operations 

Chapters 14 & 15 Internet Databases. E-Commerce  Bringing new products, services, or ideas to market, supporting and enhancing business operations 
A Faster Path to IoT Solutions Chris Lamb Founder and CTO.

A Faster Path to IoT Solutions Chris Lamb Founder and CTO.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Network Identity Kai Kang 27 th October 2004. Outline Introduction –Definition –Five drivers –Basic services –Roadmap Network Identity management approaches.

Network Identity Kai Kang 27 th October Outline Introduction –Definition –Five drivers –Basic services –Roadmap Network Identity management approaches.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Mobile Mobile OS and Application Team: Kwok Tak Chi Law Tsz Hin So Ting Wai.

Mobile Mobile OS and Application Team: Kwok Tak Chi Law Tsz Hin So Ting Wai.
Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.

Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.
Web Services Andrea Miller Ryan Armstrong Alex. Web services are an emerging technology that offer a solution for providing a common collaborative architecture.

Web Services Andrea Miller Ryan Armstrong Alex. Web services are an emerging technology that offer a solution for providing a common collaborative architecture.
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.

Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
The Architecture of Transaction Processing Systems

The Architecture of Transaction Processing Systems
Hands-On Microsoft Windows Server 2003 Networking Chapter 1 Windows Server 2003 Networking Overview.

Hands-On Microsoft Windows Server 2003 Networking Chapter 1 Windows Server 2003 Networking Overview.
Secure Element Access from a Web browser W3C Workshop on Authentication, Hardware Tokens and Beyond 11 September 2014 1 Oberthur Technologies – Identity.

Secure Element Access from a Web browser W3C Workshop on Authentication, Hardware Tokens and Beyond 11 September Oberthur Technologies – Identity.

Similar presentations

Ads by Google