SlideShare une entreprise Scribd logo

Enhanced SIM (ESIM): a proposal for mobile security

Giuseppe Paterno'
Giuseppe Paterno'
TechnologieBusiness
1  sur  17
Télécharger pour lire hors ligne
Enhanced SIM (ESIM): a proposal for mobile security Giuseppe “Gippa” Paternò Visiting Researcher Trinity College Dublin
Fàilte (welcome)
Who am I ● Visiting Researcher at Trinity College Dublin (Ireland) ● Solution Architect and EMEA Security Expert in Red Hat ● Previously Security Solution Architect in Sun and also in IBM ● Red Hat Certified Security Specialist (RHCSS), Red Hat Certified Architect (RHCA) and Cisco Certified Network Professinal (CCNP) ● Part of the italian security community sikurezza.org ● Published books and whitepapers ● Forensic analisys for local govs ● More on: – http://www.scss.tcd.ie/Giuseppe.Paterno/ – http://www.gpaterno.com/ – http://www.linkedin.com/in/gpaterno
Current authentication issues ● Increasing number of websites and intranet/extranet lead to: – – ● Increase of username/password combinations to remember Increased number of OTP tokens With the following issues: – You end up writing the username/password somewhere – You can have multiple OTP tokens to carry (I have three!!)
The idea Too many things to carry and a lot of things to remember but .... is anything I carry always with me? My mobile phone
Enhanced SIM (ESIM) ● SIM/USIM are smartcards that contains: – – PIN protected – ● Security authentication for mobile network – ● IMSI Not different from any other smartcard Embed a cryptographic engine in a SIM to hold X.509 and corresponding private key. Pre-loaded keypair with Mobile Operator's own CA
ESIM advantages ● Provide the following security services: – – Website authentication and authorization Corporate logon to resources (Web, Windows Network, …) – – ● Bank/financial services for mobile Any other use that require confidentiality No need to reissue a smartcard and/or a keypair for each user: any corporate or website only need to authorize, no more authentication hassle!
ESIM advantages ● No need to modify current software: – Most webservers has SSL authentication – Microsoft Windows allows PKI log-on – Kerberos PKINIT can provide smartcard authentication for corporate/kerberized environment – Adobe(tm) PDF can use X.509 to crypt documents
ESIM proposed specs ● ● Two parts are involved, the SIM itself and the mobile device that provides access: SIM: JavaCard holding MUSCLE card applet – Contact or contactless Device: CCID smartcard specifications over USB or bluetooth – ●
Certificate Lifecycle: CA ● ● Each operator must have a Certification Authority (CA) that mets common criteria Must publish the following information: – – ● Certificate Revocation List (CRL) for offline – ● CA root certificate URL Online Certificate Status Protocol (OCSP) responder is a plus SIM can optionally hold a list of “preferred” CA roots Hold the public key for lawful interception
Certificate Lifecycle: ESIM ● SIM preloaded with an X.509 keypair at the factory – – Signing of the public key – Common Name (CN) set to IMSI value – ● Key generation command issued Renewals through the SCEP protocol Provisioning – The lifecycle must be integrated with operators' provisioning system to revoke the ESIM certificate if needed
API/Crypto Engine Access Phone manufacturer must: ● ● Publish APIs to access the key infrastructure for both internal and external applications Leverage the existing APIs if possible: – – ● Windows Mobile CertificateStore Iphone keychain service Enable access to standard computer through USB CCID standard – CCID is easy available and requires no drivers
Application Scenario ● VPN access ● Short Messaging Service (SMS) encryption ● Remote device wiping ● IP-based telephony security (SRTP) ● IEEE 802.1x access (EAP) for WiFi and WiMAX ● Financial transactions (security and non repudiation)
Lawful interception ● Required in some countries ● ESIM can be an obstacle to lawful interception ● Home operator must hold a keypair for lawful interception – – ● any “network” services should be encrypted with the operator keypair (ex: SMS) Ensure that the “home” country is responsible for crimes, to protect users' rights when roaming For other applications, the service provider is responsible for providing the required info.
Criticism ● Public key (X.509) never “took off” apart from government agencies/military – ● ● Peer-to-peer crypto is still strong in vertical enviroments (PGP, SSH) Usability is a must for the end-user – ● Maybe due to costs related in maintaining the infrastructure Can lead to a real “flop” if is not easy to use In some countries (ex: Ireland) ID is not required to purchase a SIM
Project status ● ● ● ● Some tests have been done, but not the “full chain” Talking and investigating in building the chain, but mostly lack of cooperation from manufacturers/vendors and mobile operators Exploring other possibilities as well (such as peer-to-peer crypto) Your feedback is well-appreciated!
Thank you!! Giuseppe “Gippa” Paternò Visiting Researcher Trinity College Dublin paternog@cs.tcd.ie http://www.scss.tcd.ie/Giuseppe.Paterno/ http://www.gpaterno.com/

Recommandé

e-Sim Sharing (extract)
e-Sim Sharing (extract)e-Sim Sharing (extract)
e-Sim Sharing (extract)BearingPoint
 
eSIM - "simlos" in die Zukunft?
eSIM - "simlos" in die Zukunft?eSIM - "simlos" in die Zukunft?
eSIM - "simlos" in die Zukunft?Iskander Business Partner GmbH
 
Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...
Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...
Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...Cloudera, Inc.
 
Gluster.community.day.2013
Gluster.community.day.2013Gluster.community.day.2013
Gluster.community.day.2013Udo Seidel
 
Ant tail white paper lora nb_iot__gprs mesh -v2
Ant tail white paper lora nb_iot__gprs mesh -v2Ant tail white paper lora nb_iot__gprs mesh -v2
Ant tail white paper lora nb_iot__gprs mesh -v2Mark Roemers
 
Anatomia del Mobile World Congress 2016
Anatomia del Mobile World Congress 2016Anatomia del Mobile World Congress 2016
Anatomia del Mobile World Congress 2016Roca Salvatella
 
Workshop on M2M and IoT, internet of Things, organized by European Regulators...
Workshop on M2M and IoT, internet of Things, organized by European Regulators...Workshop on M2M and IoT, internet of Things, organized by European Regulators...
Workshop on M2M and IoT, internet of Things, organized by European Regulators...Thierry Lestable
 
Performance comparison of Distributed File Systems on 1Gbit networks
Performance comparison of Distributed File Systems on 1Gbit networksPerformance comparison of Distributed File Systems on 1Gbit networks
Performance comparison of Distributed File Systems on 1Gbit networksMarian Marinov
 

Recommandé

e-Sim Sharing (extract)
e-Sim Sharing (extract)e-Sim Sharing (extract)
e-Sim Sharing (extract)BearingPoint
 
eSIM - "simlos" in die Zukunft?
eSIM - "simlos" in die Zukunft?eSIM - "simlos" in die Zukunft?
eSIM - "simlos" in die Zukunft?Iskander Business Partner GmbH
 
Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...
Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...
Hw09 Map Reduce Over Tahoe A Least Authority Encrypted Distributed Filesy...Cloudera, Inc.
 
Gluster.community.day.2013
Gluster.community.day.2013Gluster.community.day.2013
Gluster.community.day.2013Udo Seidel
 
Ant tail white paper lora nb_iot__gprs mesh -v2
Ant tail white paper lora nb_iot__gprs mesh -v2Ant tail white paper lora nb_iot__gprs mesh -v2
Ant tail white paper lora nb_iot__gprs mesh -v2Mark Roemers
 
Anatomia del Mobile World Congress 2016
Anatomia del Mobile World Congress 2016Anatomia del Mobile World Congress 2016
Anatomia del Mobile World Congress 2016Roca Salvatella
 
Workshop on M2M and IoT, internet of Things, organized by European Regulators...
Workshop on M2M and IoT, internet of Things, organized by European Regulators...Workshop on M2M and IoT, internet of Things, organized by European Regulators...
Workshop on M2M and IoT, internet of Things, organized by European Regulators...Thierry Lestable
 
Performance comparison of Distributed File Systems on 1Gbit networks
Performance comparison of Distributed File Systems on 1Gbit networksPerformance comparison of Distributed File Systems on 1Gbit networks
Performance comparison of Distributed File Systems on 1Gbit networksMarian Marinov
 
 Connected Living - Embedded SIM & M2M
 Connected Living - Embedded SIM & M2M Connected Living - Embedded SIM & M2M
 Connected Living - Embedded SIM & M2MTelefónica IoT
 
MVNO for MNO
MVNO for MNOMVNO for MNO
MVNO for MNOmikerrr
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Giuseppe Paterno'
 
Programmable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMsProgrammable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMsGerry O'Prey
 
NB-IoT
NB-IoTNB-IoT
NB-IoTOded Rotter
 
IoT in LTE
IoT in LTEIoT in LTE
IoT in LTENeha Katyal
 
Diversifying cellular for massive IoT
Diversifying cellular for massive IoTDiversifying cellular for massive IoT
Diversifying cellular for massive IoTEricsson
 
IoT Standards_ALICON_SE_2017_02_25_Rev_D
IoT Standards_ALICON_SE_2017_02_25_Rev_DIoT Standards_ALICON_SE_2017_02_25_Rev_D
IoT Standards_ALICON_SE_2017_02_25_Rev_DIke Alisson
 
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)Small Cell Forum
 
LoRa and NB-IoT
LoRa and NB-IoT LoRa and NB-IoT
LoRa and NB-IoT Darshan Patil
 
Global staffing (rpo) business proposal
Global staffing (rpo) business proposalGlobal staffing (rpo) business proposal
Global staffing (rpo) business proposalAjay Tripathi
 
5G TECHNOLOGY
5G TECHNOLOGY5G TECHNOLOGY
5G TECHNOLOGYSAIKRISHNA KOPPURAVURI
 
Gfs vs hdfs
Gfs vs hdfsGfs vs hdfs
Gfs vs hdfsYuval Carmel
 
5G Presentation
5G Presentation5G Presentation
5G PresentationEricsson
 
Link Labs LPWA Webinar
Link Labs LPWA WebinarLink Labs LPWA Webinar
Link Labs LPWA WebinarBrian Ray
 
5G tecnology
5G tecnology5G tecnology
5G tecnologyAbhishek Manwal
 
5g wireless systems
5g wireless systems5g wireless systems
5g wireless systemsAmar
 
OpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITOpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITGiuseppe Paterno'
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...Giuseppe Paterno'
 
Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudGiuseppe Paterno'
 
SecurePass at OpenBrighton
SecurePass at OpenBrightonSecurePass at OpenBrighton
SecurePass at OpenBrightonGiuseppe Paterno'
 
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsOpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsGiuseppe Paterno'
 

Contenu connexe

En vedette

 Connected Living - Embedded SIM & M2M
 Connected Living - Embedded SIM & M2M Connected Living - Embedded SIM & M2M
 Connected Living - Embedded SIM & M2MTelefónica IoT
 
MVNO for MNO
MVNO for MNOMVNO for MNO
MVNO for MNOmikerrr
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Giuseppe Paterno'
 
Programmable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMsProgrammable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMsGerry O'Prey
 
Diversifying cellular for massive IoT
Diversifying cellular for massive IoTDiversifying cellular for massive IoT
Diversifying cellular for massive IoTEricsson
 
IoT Standards_ALICON_SE_2017_02_25_Rev_D
IoT Standards_ALICON_SE_2017_02_25_Rev_DIoT Standards_ALICON_SE_2017_02_25_Rev_D
IoT Standards_ALICON_SE_2017_02_25_Rev_DIke Alisson
 
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)Small Cell Forum
 
Global staffing (rpo) business proposal
Global staffing (rpo) business proposalGlobal staffing (rpo) business proposal
Global staffing (rpo) business proposalAjay Tripathi
 
5G Presentation
5G Presentation5G Presentation
5G PresentationEricsson
 
Link Labs LPWA Webinar
Link Labs LPWA WebinarLink Labs LPWA Webinar
Link Labs LPWA WebinarBrian Ray
 
5g wireless systems
5g wireless systems5g wireless systems
5g wireless systemsAmar
 

En vedette (17)

 Connected Living - Embedded SIM & M2M
 Connected Living - Embedded SIM & M2M Connected Living - Embedded SIM & M2M
 Connected Living - Embedded SIM & M2M
 
MVNO for MNO
MVNO for MNOMVNO for MNO
MVNO for MNO
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2
 
Programmable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMsProgrammable SIM cards, SoftSIMs and eSIMs
Programmable SIM cards, SoftSIMs and eSIMs
 
NB-IoT
NB-IoTNB-IoT
NB-IoT
 
IoT in LTE
IoT in LTEIoT in LTE
IoT in LTE
 
Diversifying cellular for massive IoT
Diversifying cellular for massive IoTDiversifying cellular for massive IoT
Diversifying cellular for massive IoT
 
IoT Standards_ALICON_SE_2017_02_25_Rev_D
IoT Standards_ALICON_SE_2017_02_25_Rev_DIoT Standards_ALICON_SE_2017_02_25_Rev_D
IoT Standards_ALICON_SE_2017_02_25_Rev_D
 
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)
Discussion on IoT technologies – CAT M1 and NB-IoT (CAT M2)
 
LoRa and NB-IoT
LoRa and NB-IoT LoRa and NB-IoT
LoRa and NB-IoT
 
Global staffing (rpo) business proposal
Global staffing (rpo) business proposalGlobal staffing (rpo) business proposal
Global staffing (rpo) business proposal
 
5G TECHNOLOGY
5G TECHNOLOGY5G TECHNOLOGY
5G TECHNOLOGY
 
Gfs vs hdfs
Gfs vs hdfsGfs vs hdfs
Gfs vs hdfs
 
5G Presentation
5G Presentation5G Presentation
5G Presentation
 
Link Labs LPWA Webinar
Link Labs LPWA WebinarLink Labs LPWA Webinar
Link Labs LPWA Webinar
 
5G tecnology
5G tecnology5G tecnology
5G tecnology
 
5g wireless systems
5g wireless systems5g wireless systems
5g wireless systems
 

Plus de Giuseppe Paterno'

OpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITOpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITGiuseppe Paterno'
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...Giuseppe Paterno'
 
Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudGiuseppe Paterno'
 
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsOpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsGiuseppe Paterno'
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxGiuseppe Paterno'
 
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediGiuseppe Paterno'
 
How the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersHow the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersGiuseppe Paterno'
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free softwareGiuseppe Paterno'
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxGiuseppe Paterno'
 
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiComparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiGiuseppe Paterno'
 
La gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieLa gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieGiuseppe Paterno'
 
Secure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadSecure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadGiuseppe Paterno'
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remediesGiuseppe Paterno'
 
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediGiuseppe Paterno'
 

Plus de Giuseppe Paterno' (15)

OpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITOpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture IT
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
 
Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloud
 
SecurePass at OpenBrighton
SecurePass at OpenBrightonSecurePass at OpenBrighton
SecurePass at OpenBrighton
 
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsOpenStack: Security Beyond Firewalls
OpenStack: Security Beyond Firewalls
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
 
How the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersHow the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacenters
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free software
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
 
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiComparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
 
La gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieLa gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarie
 
Secure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadSecure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and Etherpad
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remedies
 
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
 

Dernier

Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 

Dernier (20)

Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 

Enhanced SIM (ESIM): a proposal for mobile security

  • 1. Enhanced SIM (ESIM): a proposal for mobile security Giuseppe “Gippa” Paternò Visiting Researcher Trinity College Dublin
  • 3. Who am I ● Visiting Researcher at Trinity College Dublin (Ireland) ● Solution Architect and EMEA Security Expert in Red Hat ● Previously Security Solution Architect in Sun and also in IBM ● Red Hat Certified Security Specialist (RHCSS), Red Hat Certified Architect (RHCA) and Cisco Certified Network Professinal (CCNP) ● Part of the italian security community sikurezza.org ● Published books and whitepapers ● Forensic analisys for local govs ● More on: – http://www.scss.tcd.ie/Giuseppe.Paterno/ – http://www.gpaterno.com/ – http://www.linkedin.com/in/gpaterno
  • 4. Current authentication issues ● Increasing number of websites and intranet/extranet lead to: – – ● Increase of username/password combinations to remember Increased number of OTP tokens With the following issues: – You end up writing the username/password somewhere – You can have multiple OTP tokens to carry (I have three!!)
  • 5. The idea Too many things to carry and a lot of things to remember but .... is anything I carry always with me? My mobile phone
  • 6. Enhanced SIM (ESIM) ● SIM/USIM are smartcards that contains: – – PIN protected – ● Security authentication for mobile network – ● IMSI Not different from any other smartcard Embed a cryptographic engine in a SIM to hold X.509 and corresponding private key. Pre-loaded keypair with Mobile Operator's own CA
  • 7. ESIM advantages ● Provide the following security services: – – Website authentication and authorization Corporate logon to resources (Web, Windows Network, …) – – ● Bank/financial services for mobile Any other use that require confidentiality No need to reissue a smartcard and/or a keypair for each user: any corporate or website only need to authorize, no more authentication hassle!
  • 8. ESIM advantages ● No need to modify current software: – Most webservers has SSL authentication – Microsoft Windows allows PKI log-on – Kerberos PKINIT can provide smartcard authentication for corporate/kerberized environment – Adobe(tm) PDF can use X.509 to crypt documents
  • 9. ESIM proposed specs ● ● Two parts are involved, the SIM itself and the mobile device that provides access: SIM: JavaCard holding MUSCLE card applet – Contact or contactless Device: CCID smartcard specifications over USB or bluetooth – ●
  • 10. Certificate Lifecycle: CA ● ● Each operator must have a Certification Authority (CA) that mets common criteria Must publish the following information: – – ● Certificate Revocation List (CRL) for offline – ● CA root certificate URL Online Certificate Status Protocol (OCSP) responder is a plus SIM can optionally hold a list of “preferred” CA roots Hold the public key for lawful interception
  • 11. Certificate Lifecycle: ESIM ● SIM preloaded with an X.509 keypair at the factory – – Signing of the public key – Common Name (CN) set to IMSI value – ● Key generation command issued Renewals through the SCEP protocol Provisioning – The lifecycle must be integrated with operators' provisioning system to revoke the ESIM certificate if needed
  • 12. API/Crypto Engine Access Phone manufacturer must: ● ● Publish APIs to access the key infrastructure for both internal and external applications Leverage the existing APIs if possible: – – ● Windows Mobile CertificateStore Iphone keychain service Enable access to standard computer through USB CCID standard – CCID is easy available and requires no drivers
  • 13. Application Scenario ● VPN access ● Short Messaging Service (SMS) encryption ● Remote device wiping ● IP-based telephony security (SRTP) ● IEEE 802.1x access (EAP) for WiFi and WiMAX ● Financial transactions (security and non repudiation)
  • 14. Lawful interception ● Required in some countries ● ESIM can be an obstacle to lawful interception ● Home operator must hold a keypair for lawful interception – – ● any “network” services should be encrypted with the operator keypair (ex: SMS) Ensure that the “home” country is responsible for crimes, to protect users' rights when roaming For other applications, the service provider is responsible for providing the required info.
  • 15. Criticism ● Public key (X.509) never “took off” apart from government agencies/military – ● ● Peer-to-peer crypto is still strong in vertical enviroments (PGP, SSH) Usability is a must for the end-user – ● Maybe due to costs related in maintaining the infrastructure Can lead to a real “flop” if is not easy to use In some countries (ex: Ireland) ID is not required to purchase a SIM
  • 16. Project status ● ● ● ● Some tests have been done, but not the “full chain” Talking and investigating in building the chain, but mostly lack of cooperation from manufacturers/vendors and mobile operators Exploring other possibilities as well (such as peer-to-peer crypto) Your feedback is well-appreciated!
  • 17. Thank you!! Giuseppe “Gippa” Paternò Visiting Researcher Trinity College Dublin paternog@cs.tcd.ie http://www.scss.tcd.ie/Giuseppe.Paterno/ http://www.gpaterno.com/