Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
SmartCard Forum 2011 - Chytré karty dnes a za 20 let
1. Chytré karty dnes a za 20 let...
SmartCardForum 2011
Jan Němec
Gemalto
Květen 2011
2. Agenda
Chytré karty včera, dnes a za 20 let
eGo
Bezpečnost mobilních telefonů
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 2
3. Smart cards
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 3
4. Smart Cards predecessors …
1950 - plastic cards used for payment issued by Diners Club
200 customers in 27 restaurants in New York
1960ths - magnetic stripe cards
London Transit Authority installed
a magnetic stripe system
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 4
5. … Smart Cards vision 5 year ago …
Source: Chandan – blog
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 5
6. … Smart Cards vision today
Sources: http://www.upgradeyourbody.com
http://www.ego-project.eu/
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 6
7. What you touch is yours
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 7
8. Everywhere…
Any Phone is mine, anywhere!
Eve has: Eve did not:
• borrowed a phone • Insert a card
• placed a phone call • Enter a code in the handset
• returned the phone • Charge the call on the phone
owner’s bill
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 8
9. Fast…
Just take it!
Jeanne has: Jeanne did not:
• Selected her drink • Open her handbag and grab her
• Taken it purse
• Use her credit card
• Insert coins
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 9
10. Friendly…
No more user name/password!
Pierre has: Pierre did not:
• touched his mouse • Enter a login and a password
• Worked within his private • Insert a card
environment
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 10
11. Intuitive…
Open a door without handling a key!
John has: John did not
• Opened the door • turn a key
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 11
12. Safe…
Only my swimming suit and my
bath-towel!
Eve has: Eve did not:
• closed her home door • Be concerned about leaving
• Stepped into her car anything on the beach during her
• Driven to the beach bath
• Purchased a bottle of iced tea
• Placed a phone call
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 12
13. A wireless world
Ubiquity
• Everywhere
• I can use all objects around
me
Security
• All transactions are:
anonymous, authenticated
and non traceable
Autonomy
• Guarantee of mission of at
least a day
Connectivity
• Easy and intuitive pairing and
collaboration between smart
No more physical connectors
objects
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 13
14. Easy pairing principle
The principle involves two wireless technologies:
• INTRA-BODY Communication:
• very short operational range to unambiguously select the device to connect with
• Ultra-Wide Band (UWB) with RTLS (Real Time Location Service)
• Medium operational range, high-speed exchange for application data
Step 1: Securely Pair two devices and bootstrap the UWB
communication
Step 2: Start Application via a fast and secure wireless network and
monitor the distance between the two devices to control an
operational and secure bubble
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 14
15. eGo: a wearable device
eGo can be placed anywhere
on the user’s body
• An NFC antenna would require to be
in close vicinity of the “reader” object,
therefore would be wearable only
when positioned close to the user’s
hand. Reversely, IBC antenna can
be placed anywhere on the user’s
body. IBC-based devices are truly
wearable: intra-body communication
will bridge the two devices.
No standard form factors Physically attached to clothes
or garments you wear
• Has to be kept close to your body at
all time
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 15
16. Intra-body communication
Capacitive Capacitive
Sensing Sensing
Capacitive
Sensing
Ultra-low power
Low frequency (< 10 MHz)
Conveys no application data
Short range (< 20 mm)
No direct skin contact needed. Work through gloves or clothes
Low data rates (few dozens of kbit/s)
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 16
17. eGo: Two-Factor Authentication
1- What you wear
• eGo is a wearable device
2- Who you are
• A Single-Sign-On based
on a fingerprint sensor
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 17
18. eGo: basic security concerns
Active
• When eGo is
attached to your
body and after a
positive SSO
Inactive
• When eGo is not
attached to your
body
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 18
19. eGo: Enhanced Privacy Protection
All transactions may be:
• Anonymous
• Non traceable
• Authenticated
Multiple Identity/Attributes
Providers support
Inherits from smart cards
technology
• Javacard
• Global Platform
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 19
20. Application Distance Control with RTLS
technology
RTLS (Real Time Location
Service) based control
• +/- 10 cm accuracy
• Courtesy of IEEE802.15.4a
precision location
Relay-attack protection
• Application bubble controlled by
the application
• Completed with Out-Of-Band
agreement
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 20
21. eGo and Safety
Intra-Body Communication
• eGo embeds only the receiver
• eGo-ready device generates electric field bursts. SAR is 10 millions
times lower than a mobile phone
• Electric field based technologies are already use for:
• biomedical sensors
• Sensitive PC Pads, touch display
• Sensitive button (lift button, electronic oven control,…)
UWB IEEE802.15.4a
• Ultra low spectral density:
• 1000 times less than Bluetooth class 1
• Specific Absorption Rate
• 3.5 GHz to 8GHz out of range of the water absorption (e.g. Body) which
is around 2.4 GHz
• Low power 3000 times lower than mobile phone
• 99% of the working time in standby mode
• The UWB and Intra-body technology are safe
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 21
23. Malware Applications and Security Holes
are Growing…
January 11, 2010: Android app steals bank login details
An application available via Google's Android Market was infected with a trojan
designed to steal users' bank login details (…)
May 27, 2010: Ubuntu Lucid (PC) can read your iPhone's secrets
Do you have a PIN code on your iPhone? Well, it doesn’t prevent access to your
data … When hooking up a non-jailbroken, fully up-to-date iPhone 3GS to a PC
running Lucid Lynx …
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 23
24. Malware and Attacks in Smartphones are Growing!
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 24
25. Users are Delocking their Smarphones…
Step 1: Set up ADB
Step 2: Push exploid to /sqlite_stmt_journals "adb push exploid
/sqlite_stmt_journals"
Step 3: type "adb shell"
Step 4: type "cd sqlite_stmt_journals"
Step 5: type "chmod 755 exploid"
Step 6: type "./exploid" and follow directions on screen
Step 7: type "rootshell"
Step 8: type in password "secretlol"
Step 9: you’re in root!
⇒ Used by users to get access
and full control to Android
resources by exploiting
Android security holes
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 25
26. Android Case
Android security model based on end-user
• User validates the application permissions at installation
• Example: application X needs to access localization
information
• User is capable of modifying the whole Android system (fully open
model)
Android is a large and complex system
Security holes that can be used by user and malware
e.g. Just a few days to jailbreak a new Android phone model
Any software or sensitive data needs to be isolated from Android
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 26
27. How to Secure Sensitive Applications?
Software to be executed needs to be secured
(code and data such as cryptographic keys)
• Principle: isolation in a secure environment
1. Security for downloadable applications
2. Use of Trusted Execution Environment (TEE)
3. Use of external component: Secure Element
User Interface needs to be secured
• Sensitive information entry (e.g. password)
• Transaction data to be validated (e.g. transaction
amount)
• Principle: Trusted User Interface via Trusted Execution
Environment
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 27
28. What is a Trusted Execution Environment (TEE)?
TEE provides hardware-based
isolation from Rich OS such as
Android, Windows Phone and
Rich OS Application Environment
Symbian. Trusted Execution Environment
Trusted Trusted Trusted
Application Application Application
TEE runs on the main device DRM Payment
Payment Corporate
Corporate
Client Applications
processor
TEE has privileged access to device API
GlobalPlatformTEE Internal API
resources (user interface, crypto GlobalPlatform TEE Client API
accelerators, secure elements, …) Trusted Core Trusted
Environment Kernel
TEE Functions
Rich OS
Security Requirements by HW Secure Resources
Hardware Platform
Advanced Trusted Environment: OMTP TR1
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 28
29. Trusted Execution Environment
Innovative solution from the mobile industry
Hardware protection exists in mobile processors
to isolate critical data and code
Main OS Environment Trusted Execution Environment
SECURE SERVICES
APPLICATIONS
TRUSTED EXECUTION
OS ENVIRONMENT OS
(Trusted Logic
Trusted Foundations™)
Smartphone
Processor
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 29
30. What GlobalPlatform Defines
Rich OS Application Environment Trusted Execution Environment
Trusted Trusted Trusted
Application Application Application
Client Applications DRM Payment
Payment Corporate
Corporate TEE APIs
GlobalPlatform
GlobalPlatform
TEE FunctionalAPI
TEE Functional API GlobalPlatformTEE Internal API
GlobalPlatformTEE Internal
GlobalPlatform TEE Client API
GlobalPlatformTEE Client API
Trusted Core
Trusted Core Trusted TEE
Environment
Environment Functions Compliance
Rich OS
and
TEE Kernel
Security
HW Keys, Secure Storage,
Certification
HW Secure Trusted UI (Keypad, Screen),
Crypto accelerators,
Hardware Platform Resources NFC controller,
Secure Element, etc.
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 30
31. Your questions ...
... thank you!
SmartCardForum 2011 – Chytré karty dnes a za 20 let ... 31