IBM Security Solution for Android


IBM Security Solution for Android

Anders Rundgren-2
http://www.v3.co.uk/v3-uk/news/2301853/ibm-releases-nfc-two-factor-authentication-tool-for-android-devices

Personally I don't see the point with a card + phone but some people do
not believe that a phone could ever host keys securely.  They are [of course]
dead wrong :-)

Anders

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: IBM Security Solution for Android

Andreas Schwier (ML)
Of course, mobile phones can host keys securely. But who will control
access to this "secure" key store ? Who will know the backdoor to
compromise the keys ?

As even the NSA can't yet compromise strong cryptography, getting access
to "securely" stored keys is the only viable option.

I wouldn't trust an Intel or Apple CPU to protect my keys - But I would
trust a piece of silicon that has been independently reviewed under a
Common Criteria certification scheme.

And reading your corporate PKI or national eID card via NFC doesn't
sound like a bad idea. At least you can control when you hold your card
to the mobile phone.

Andreas


On 26.10.2013 07:26, Anders Rundgren wrote:

> http://www.v3.co.uk/v3-uk/news/2301853/ibm-releases-nfc-two-factor-authentication-tool-for-android-devices
>
> Personally I don't see the point with a card + phone but some people do
> not believe that a phone could ever host keys securely.  They are [of course]
> dead wrong :-)
>
> Anders


--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org



Re: IBM Security Solution for Android

Frank Morgner
On Saturday, October 26 at 10:30PM, Andreas Schwier (ML) wrote:

> Of course, mobile phones can host keys securely. But who will control
> access to this "secure" key store ? Who will know the backdoor to
> compromise the keys ?
>
> As even the NSA can't yet compromise strong cryptography, getting access
> to "securely" stored keys is the only viable option.
>
> I wouldn't trust an Intel or Apple CPU to protect my keys - But I would
> trust a piece of silicon that has been independently reviewed under a
> Common Criteria certification scheme.
>
> And reading your corporate PKI or national eID card via NFC doesn't
> sound like a bad idea. At least you can control when you hold your card
> to the mobile phone.

You still need a secure user interface on the phone when using it as
smart card reader. As complexity is security's worst enemy, it is not a
good idea to use today's phones as trusted devices. See also
https://sar.informatik.hu-berlin.de/research/publications/SAR-PR-2012-07/SAR-PR-2012-07_.pdf

> On 26.10.2013 07:26, Anders Rundgren wrote:
> > http://www.v3.co.uk/v3-uk/news/2301853/ibm-releases-nfc-two-factor-authentication-tool-for-android-devices
> >
> > Personally I don't see the point with a card + phone but some people do
> > not believe that a phone could ever host keys securely.  They are [of course]
> > dead wrong :-)

--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc


Re: IBM Security Solution for Android

Anders Rundgren-2
On 2013-10-27 01:06, Frank Morgner wrote:

> On Saturday, October 26 at 10:30PM, Andreas Schwier (ML) wrote:
>> Of course, mobile phones can host keys securely. But who will control
>> access to this "secure" key store ? Who will know the backdoor to
>> compromise the keys ?
>>
>> As even the NSA can't yet compromise strong cryptography, getting access
>> to "securely" stored keys is the only viable option.
>>
>> I wouldn't trust an Intel or Apple CPU to protect my keys - But I would
>> trust a piece of silicon that has been independently reviewed under a
>> Common Criteria certification scheme.
>>
>> And reading your corporate PKI or national eID card via NFC doesn't
>> sound like a bad idea. At least you can control when you hold your card
>> to the mobile phone.
>
> You still need a secure user interface on the phone when using it as
> smart card reader. As complexity is security's worst enemy, it is not a
> good idea to use today's phones as trusted devices. See also
> https://sar.informatik.hu-berlin.de/research/publications/SAR-PR-2012-07/SAR-PR-2012-07_.pdf

Doesn't Apple's recently introduced "KeyChain in the Cloud" with sync and all
essentially say that the big guys are going in the opposite direction?

I'm personally interested in creating "Trusted Web-apps" where for example
a payment application is expressed in transiently downloaded JS/HTML5 from
the merchant site: http://webpki.org/papers/PKI/pki-webcrypto.pdf

I guess this is as far from the "PIN-pad Firewall" as you can get but
I'm more interested in "achievable security" than theory.  None of the
security problems in phones have as far as I know created any real mess
compared to the card industry's complete lack of progress with connecting
their stuff to the web.  3D Secure?  It is actually a cool concept but
it is still technically stuck at its 1998 level and there it is just a
major PITA ignored by all but the EU.

The proposal above aims at creating "3D Secure on Steroids" as well as
addressing on-line signatures required by for example eID cards to
relieve us from weird HTTP redirects, Java plugins and God knows what.

Yes, it requires new eID cards but I can live with that :-)

Cheers
Anders



Re: IBM Security Solution for Android

Mikael Magnusson-5
In reply to this post by Andreas Schwier (ML)
On 10/26/2013 10:30 PM, Andreas Schwier (ML) wrote:

> Of course, mobile phones can host keys securely. But who will control
> access to this "secure" key store ? Who will know the backdoor to
> compromise the keys ?
>
> As even the NSA can't yet compromise strong cryptography, getting access
> to "securely" stored keys is the only viable option.
>
> I wouldn't trust an Intel or Apple CPU to protect my keys - But I would
> trust a piece of silicon that has been independently reviewed under a
> Common Criteria certification scheme.
>
> And reading your corporate PKI or national eID card via NFC doesn't
> sound like a bad idea. At least you can control when you hold your card
> to the mobile phone.

Yes it could be nice, but which cards support public-key algorithms via
NFC? Some cards support 3DES and AES, but I haven't read about any card
with support for RSA via NFC.

/Mikael



Re: IBM Security Solution for Android

helpcrypto helpcrypto
We already tested this.
Actually, we are trying to support all schemes:
 - keys stored on phone
 - keys stored on card+nfc
 - keys stored on crypto microSD
 - keys stored on SIM

server sends data to phone, phone signs and returns signature+public key so we can check original data and signature were not compromised.


On Sun, Oct 27, 2013 at 5:20 PM, Mikael Magnusson <[hidden email]> wrote:
> Yes it could be nice, but which cards support public-key algorithms via
> NFC? Some cards support 3DES and AES, but I haven't read about any card
> with support for RSA via NFC.

Consider NFC as a communication interface, not the application protocol.
In other words: we select the cryptographic applet using our dual interface javacard and everything is solved.



Re: IBM Security Solution for Android

J.Witvliet
In reply to this post by Anders Rundgren-2
Excuse me for top-posting (forced upon me by my crackberry)
Very much interested by the concept of a virtual SC.
Just looked around the pages on sourceforge and read the "studienarbeit".

The idea of storing your priv-key on a mobile device sounds promising, but where are these stored? If just on the flash-mem? Doesn't sound secure. Otoh if these could be stored onto the SIM, and protected by its PIN, it would be much better. But, afaik there are no SIMs that allow you to store anything else on it. Or are there telcos that are so open minded?

Hans


Re: IBM Security Solution for Android

helpcrypto helpcrypto
On Tue, Oct 29, 2013 at 2:52 PM, <[hidden email]> wrote:
> Excuse me for top-posting (forced upon me by my crackberry)
> Very much interested by the concept of a virtual SC.
> Just looked around the pages on sourceforge and read the "studienarbeit".
>
> The idea of storing your priv-key on a mobile device sounds promising, but where are these stored?

Wherever you may like, from SD to Secure element, passing by SIM or crypto-MicroSD

> If just on the flash-mem? Doesn't sound secure. Otoh if these could be stored onto the SIM, and protected by its PIN, it would be much better. But, afaik there are no SIMs that allow you to store anything else on it. Or are there telcos that are so open minded?

Some Telcos have started some pilots for this.
We are trying to standardize it (using JavaCard security domains), but seems quite far in a utopian future.

> Hans


Re: IBM Security Solution for Android

Anders Rundgren-2
In reply to this post by J.Witvliet
On 2013-10-29 14:52, [hidden email] wrote:
> Excuse me for top-posting (forced upon me by my crackberry)
>  Very much interested by the concept of a virtual SC.
> Just looked around the pages on sourceforge and read the "studienarbeit".
>
> The idea of storing your priv-key on a mobile device sounds promising, but
> where are these stored? If just on the flash-mem? Doesn't sound secure.
> Otoh if these could be stored onto the SIM, and protected by its PIN,
> it would be much better. But, afaik there are no SIMs that allow you to
> store anything else on it. Or are there telcos that are so open minded?

This is Google's recent approach after dumping GlobalPlatform:
http://nelenkov.blogspot.fr/2013/08/credential-storage-enhancements-android-43.html

It will presumably be integrated with a suitable on-line provisioning solution like:
https://play.google.com/store/apps/details?id=org.webpki.mobile.android

Anders


Re: IBM Security Solution for Android

Frank Morgner
In reply to this post by J.Witvliet
On Tuesday, October 29 at 02:52PM, [hidden email] wrote:
> Excuse me for top-posting (forced upon me by my crackberry)
>  Very much interested by the concept of a virtual SC.
> Just looked around the pages on sourceforge and read the "studienarbeit".

Not sure if I linked to the English paper. Just for good measure:
https://sar.informatik.hu-berlin.de/research/publications/SAR-PR-2012-07/SAR-PR-2012-07_.pdf

> The idea of storing your priv-key on a mobile device sounds
> promising, but where are these stored? If just on the flash-mem?
> Doesn't sound secure. Otoh if these could be stored onto the SIM, and
> protected by its PIN, it would be much better. But, afaik there are no
> SIMs that allow you to store anything else on it. Or are there
> telcos that are so open minded?

Both, the virtual smart card and the emulated smart card reader on the
phone, are software components. So they are not very secure in the end.
However, you can always map software to some piece of hardware. The
question is what piece of hardware you are able to use/access. And this
is where the trouble starts...

Greets, Frank.


Re: IBM Security Solution for Android

Andreas Jellinghaus-4
So how fast is the NFC -> software emulation mechanism? And how fast are mobile networks these days
(e.g., UMTS, LTE)?

As far as I know e.g. mastercard paypass has pretty tight timing requirements to finish a transaction within something like 500ms. Thus I guess you could implement such a paypass wallet in software, but you won't be able to loop in any online services with the tight requirements, and instead have to do everything locally on the phone?

Also I wonder: is there any way to control the ATR sent by the NFC device?
IIRC it needs to conform to a spec for any paypass card as well - and I guess for paywave it won't be very different.

Even though I now work at Google, I haven't dug into any internal details on what we do on Android, thus my knowledge is on the same level as everyone else's. Also I'm not affiliated with that team (or other teams in Google doing security or using smart cards) in any way and on this list I'm purely posting on my own, my private view of things only.

That said I'd be very interested in pure authentication on smart cards. I like the stuff the gnubby team at Google seems to be doing, I found the part about "bring your own" very interesting - centrally managed credentials haven't worked too well for a number of companies. But simple anonymous credentials might work much better - authenticate once using traditional mechanism like user+password (maybe plus email / sms / whatever...) and then have an authenticated extra credential (e.g. public/private keypair stored on the device) as an additional factor for server applications to assess the legitimacy of a request/connection.

The channel id mechanism for ssl/tls plays nice with that: creat

Regards, Andreas




Re: IBM Security Solution for Android

Andreas Jellinghaus-4
oops.

2013/11/4 Andreas Jellinghaus <[hidden email]>
So how fast is the NFC -> software emulation mechanism? And how fast are mobile networks these days
(e.g, UMTS, LTE)?

As far as I know e.g. mastercard paypass has pretty tight timing requirements to finish a transaction within something like 500ms. Thus I guess you could implement such a paypass wallet in software, but you won't be able to loop in any online services with the tight requirements, and instead have to do everything locally on the phone?

Also I wonder: is there any way to control the ATR sent by the NFC device? 
IIRC it needs to conform to a spec for any paypass card as well - and I guess for paywave it won't be very different.

Even though I now work at Google, I haven't dug into any internal details on what we do on Android, thus my knowledge is on the same level as everyone else's. Also I'm not affiliated with that team (or other teams in Google doing security or using smart cards) in any way and on this list I'm purely posting on my own, my private view of things only.

That said I'd be very interested in pure authentication on smart cards. I like the stuff the gnubby team at google seems to be doing, I found the part about "bring your own" very interesting - centrally managed credentials haven't worked too well for a number of companies. But simple anonymous credentials might work much better - authenticate once using traditional mechanism like user+password (maybe plus email / sms / whatever...) and then have an authenticated extra credential (e.g. public/private keypair stored on the device) as an additional factor for server applications to assess the legitimacy of a request/connection.

The channel id mechanism for ssl/tls plays nice with that: creat
create a local throw away key pair and self signed cert, authenticate once using traditional means, and then use that keypair for authentication for a while. Similar to a session id cookie, but harder to steal for attackers. And like any session id, there is no guarantee the credential is still valid, instead it can expire at any point in time and a new round of authentication can be requested, to increase security.

It would be nice to have open source projects enabling that direction. Not sure if/how opensc can contribute to the client side parts (or if it is useful to involve smart cards here at all, or better handle these things in software for performance or usability reasons).

Andreas 


Regards, Andreas



2013/11/4 Frank Morgner <[hidden email]>
On Tuesday, October 29 at 02:52PM, [hidden email] wrote:
> Excuse me for top-posting (forced upon me by my crackberry)
>  Very much interested by the concept of a virtual SC.
> Just looked around the pages on sourceforge and read the "studienarbeit".

Not sure if I linked to the English paper. Just for good measure:
https://sar.informatik.hu-berlin.de/research/publications/SAR-PR-2012-07/SAR-PR-2012-07_.pdf

> The idea of storing your priv-key on a mobile device sounds
> promising, but where are these stored? If just on the flash-mem?
> Doesn't sound secure. Otoh if these could be stored onto the SIM, and
> protected by its PIN, it would be much better. But, afaik there are no
> SIM's that allow you to store anything else on it. Or are there
> telco's that are so open minded?

Both, the virtual smart card and the emulated smart card reader on the
phone, are software components. So they are not very secure in the end.
However, you can always map software to some piece of hardware. The
question is what piece of hardware you are able to use/access. And this
is where the trouble starts...

Greets, Frank.
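
The key-bound session idea from the message above, as an added sketch that is not part of the original post or of any project mentioned in the thread: the server ties a completed login to a throwaway key pair and asks for a freshly signed challenge on each request. Assumptions: the proof of possession happens at the application layer rather than inside the TLS handshake, the key is P-256, and all names (bindKey, issueChallenge, SESSION_TTL_MS and so on) are hypothetical.

```javascript
// Added illustration; all names are hypothetical, not from Channel ID or OpenSC.
const crypto = require('crypto');

const SESSION_TTL_MS = 15 * 60 * 1000;  // assumed lifetime of a bound key
const sessions = new Map();             // fingerprint -> { user, pubKey, expires, challenge }

// Client: create the throwaway key pair (P-256 chosen here as an assumption).
function newClientKey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}
function clientSign(privKey, challenge) {
  return crypto.sign('sha256', challenge, privKey);
}

// Server: identify a key by the SHA-256 of its DER-encoded public part.
function fingerprint(pubKey) {
  const der = pubKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Server: called once, right after the traditional login succeeded.
function bindKey(user, pubKey, now) {
  const fp = fingerprint(pubKey);
  sessions.set(fp, { user, pubKey, expires: now + SESSION_TTL_MS, challenge: null });
  return fp;
}

// Server: hand out a fresh random challenge for the next request.
function issueChallenge(fp) {
  const s = sessions.get(fp);
  if (!s) return null;
  s.challenge = crypto.randomBytes(32);
  return s.challenge;
}

// Server: returns the user, or null when a new login round is required.
function authenticate(fp, signature, now) {
  const s = sessions.get(fp);
  if (!s || !s.challenge) return null;
  const challenge = s.challenge;
  s.challenge = null;                   // single use, so a captured signature cannot be replayed
  if (now >= s.expires) { sessions.delete(fp); return null; }
  return crypto.verify('sha256', challenge, s.pubKey, signature) ? s.user : null;
}
```

Unlike a session cookie, the fingerprint alone is useless to someone who copies it: every request needs a signature from the private key that stays on the client.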


Re: IBM Security Solution for Android

Andreas Schwier (ML)
I also like the U2F idea, however you can already see the big players
getting on board to influence the design in their favour. At the end we
will have another OATH, SAML, OpenID thing that doesn't really work
cross browser and platform.

I think a lot of useful elements are already around, well researched and
available. It's just the question to combine them in an efficient and
elegant way.

Take the whole suite of EAC protocols used in millions of ePassports
worldwide. That combined with card verifiable certificates makes a great
solution for what U2F is trying to reinvent.

U2F requires that you trust the device manufacturer. This trust is the
basis for any attestation of the remote key generation on the U2F
device. Without this mechanism a site can not rely on the uniqueness of
the authentication key, as it might be as well some PKCS#8 container
that you could just copy across the net.

But who will provide that trust? Who will define the rules for
establishing that trust? Who will control device manufacturers to comply
with these rules? Who will sanction manufacturers that break the rules?

Such schemes only work if they are user driven: Take EMV - driven by the
payment schemes (as technology user, not provider), supported by a large
set of established business rules, strong certification schemes and
world-wide operability. But that ecosystem has taken many years to grow.

Whenever the industry is trying to define such a standard, you end up
with ambiguous specifications that try to embrace what companies already
have on the shelf.

I think at the end you need a reduce to the max approach: Have a well
researched protocol like ChipAuthentication from EAC, take same basic
cryptographic primitives and ensure a key attestation where the site can
define whose devices it will trust.

Andreas

On 04.11.2013 23:44, Andreas Jellinghaus wrote:

> oops.
>
> 2013/11/4 Andreas Jellinghaus <[hidden email]>
>
>> So how fast is the NFC -> software emulation mechanism? And how fast are
>> mobile networks these days
>> (e.g, UMTS, LTE)?
>>
>> As far as I know e.g. mastercard paypass has pretty tight timing
>> requirements to finish a transaction within something like 500ms. Thus I
>> guess you could implement such a paypass wallet in software, but you won't
>> be able to loop in any online services with the tight requirements, and
>> instead have to do everything locally on the phone?
>>
>> Also I wonder: is there any way to control the ATR sent by the NFC device?
>> IIRC it needs to conform to a spec for any paypass card as well - and I
>> guess for paywave it won't be very different.
>>
>> Even though I now work at Google, I haven't dug into any internal
>> details on what we do on Android, thus my knowledge is on the same level as
>> everyone else's. Also I'm not affiliated with that team (or other teams in
>> Google doing security or using smart cards) in any way and on this list I'm
>> purely posting on my own, my private view of things only.
>>
>> That said I'd be very interested in pure authentication on smart cards. I
>> like the stuff the gnubby team at google seems to be doing, I found the
>> part about "bring your own" very interesting - centrally managed
>> credentials haven't worked too well for a number of companies. But simple
>> anonymous credentials might work much better - authenticate once using
>> traditional mechanism like user+password (maybe plus email / sms /
>> whatever...) and then have an authenticated extra credential (e.g.
>> public/private keypair stored on the device) as an additional factor for
>> server applications to assess the legitimacy of a request/connection.
>>
>> The channel id mechanism for ssl/tls plays nice with that: creat
>>
> create a local throw away key pair and self signed cert, authenticate once
> using traditional means, and then use that keypair for authentication for a
> while. Similar to a session id cookie, but harder to steal for attackers.
> And like any session id, there is no guarantee the credential is still
> valid, instead it can expire at any point in time and a new round of
> authentication can be requested, to increase security.
>
> It would be nice to have open source projects enabling that direction. Not
> sure if/how opensc can contribute to the client side parts (or if it is
> useful to involve smart cards here at all, or better handle these things in
> software for performance or usability reasons).
>
> Andreas
>
>
>> Regards, Andreas
>>
>>
>>
>> 2013/11/4 Frank Morgner <[hidden email]>
>>
>>> On Tuesday, October 29 at 02:52PM, [hidden email] wrote:
>>>> Excuse me for top-posting (forced upon me by my crackberry)
>>>>  Very much interested by the concept of a virtual SC.
>>>> Just looked around the pages on sourceforge and read the
>>> "studienarbeit".
>>>
>>> Not sure if I linked to the English paper. Just for good measure:
>>>
>>> https://sar.informatik.hu-berlin.de/research/publications/SAR-PR-2012-07/SAR-PR-2012-07_.pdf
>>>
>>>> The idea of storing your priv-key on a mobile device sounds
>>>> promising, but where are these stored? If just on the flash-mem?
>>>> Doesn't sound secure. Otoh if these could be stored onto the SIM, and
>>>> protected by its PIN, it would be much better. But, afaik there are no
>>>> SIM's that allow you to store anything else on it. Or are there
>>>> telco's that are so open minded?
>>>
>>> Both, the virtual smart card and the emulated smart card reader on the
>>> phone, are software components. So they are not very secure in the end.
>>> However, you can always map software to some piece of hardware. The
>>> question is what piece of hardware you are able to use/access. And this
>>> is where the trouble starts...
>>>
>>> Greets, Frank.


--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
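
The attestation check described in the message above, as an added sketch (not code from the post, from U2F or from any EAC implementation): the site keeps its own list of vendors whose devices it accepts and refuses any key that no listed vendor vouches for, which is what stops a copyable software key from being enrolled. Assumptions: the attestation is reduced to a bare vendor signature over the device's public key instead of a certificate, and all names (RelyingParty, trustVendor, attest) are hypothetical.

```javascript
// Added illustration; simplified attestation format, hypothetical names.
const crypto = require('crypto');

const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const spki = (pub) => pub.export({ type: 'spki', format: 'der' });

// Vendor side, at production time: vouch for a key generated on the device.
function attest(vendorPriv, devicePub) {
  return crypto.sign('sha256', spki(devicePub), vendorPriv);
}

// Site side: the site itself decides whose devices it will trust.
class RelyingParty {
  constructor() {
    this.trusted = new Map();     // vendor name -> vendor public key
    this.registered = new Map();  // user -> accepted device public key
  }

  trustVendor(name, vendorPub) {
    this.trusted.set(name, vendorPub);
  }

  // Accept a key only if a vendor on the site's list vouches for exactly this key.
  register(user, devicePub, vendorName, attestation) {
    const vendorPub = this.trusted.get(vendorName);
    if (!vendorPub || !attestation) return false;
    if (!crypto.verify('sha256', spki(devicePub), vendorPub, attestation)) return false;
    this.registered.set(user, devicePub);
    return true;
  }
}
```

The check is only as strong as the vendor's promise that attested keys never leave the device, which is the trust question the message raises.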

