05_Extending the GSM-3G Key Infrastructure DIMACS Workshop_2004


Transcript of 05_Extending the GSM-3G Key Infrastructure DIMACS Workshop_2004

  • 8/12/2019 05_Extending the GSM-3G Key Infrastructure DIMACS Workshop_2004

    Slide 1: Extending the GSM/3G Key Infrastructure

    DIMACS Workshop on Mobile and Wireless Security

    November 3, 2004

    Scott B. Guthery, CTO, [email protected]

    Mary J. Cronin, Professor of Management, Boston [email protected]

  • Slide 2: Outline

    SIM for Mobile Network Authentication

    SIM for Internet Authentication

    SIM for Local Authentication

  • Slide 3: Subscriber Identity Module

    Integral part of GSM security from the start

    Holds the secret key Ki; the other copy is held by the subscriber's network operator

    8-bit processor, 8KB EEPROM, file system, cryptographic algorithms

    Identity token with a wireless connection to an authentication and billing service

  • Slide 4: GSM/3G Authentication

    Roaming is the stepping-off point for extending the GSM/3G key infrastructure

    Visited network authenticates without being in possession of Ki

    Diagram (reconstructed from the slide labels): the SIM and the Home Network each hold Ki; the Visited Network does not.

      1) Identity: SIM to Visited Network

      2) Identity: Visited Network to Home Network

      3) Challenge & Response: Home Network to Visited Network

      4) Challenge: Visited Network to SIM

      5) Response: SIM to Visited Network
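    The five-step roaming exchange on this slide, as an added worked example that is not part of the original presentation. It assumes a stand-in for the operator's A3 function (HMAC-SHA256 truncated to a 4-byte SRES, since the slides name no algorithm), a constructed IMSI, and class and function names of the example's own choosing. The point it demonstrates is the one the slide makes: the visited network verifies the subscriber using only the (challenge, response) pair the home network hands it, and Ki never appears in the visited network's state.

```python
"""GSM-style roaming authentication (added example, not from the slides).

Assumption: a3() is a stand-in for the operator's A3 algorithm, built from
HMAC-SHA256 truncated to the 4-byte SRES length.  The real A3 is operator
specific and is not described in the presentation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in challenge/response function keyed by Ki (assumption)."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


@dataclass
class Sim:
    """The card: knows its identity and Ki; Ki never leaves the card."""
    imsi: str
    _ki: bytes

    def identity(self) -> str:          # step 1: identity to the visited network
        return self.imsi

    def respond(self, rand: bytes) -> bytes:   # step 5: response to the challenge
        return a3(self._ki, rand)


class HomeNetwork:
    """Holds the operator's copy of every subscriber's Ki."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def provision(self, imsi: str) -> Sim:
        ki = secrets.token_bytes(16)
        self._keys[imsi] = ki
        return Sim(imsi, ki)

    def authentication_vector(self, imsi: str) -> tuple[bytes, bytes]:
        """Step 3: fresh challenge plus the expected response; Ki stays here."""
        rand = secrets.token_bytes(16)
        return rand, a3(self._keys[imsi], rand)


class VisitedNetwork:
    """Authenticates a roaming SIM without ever holding Ki."""

    def __init__(self, home: HomeNetwork) -> None:
        self.home = home
        self.trace: list[str] = []

    def authenticate(self, sim: Sim) -> bool:
        imsi = sim.identity()
        self.trace.append(f"1) SIM -> Visited: identity {imsi}")
        self.trace.append(f"2) Visited -> Home: identity {imsi}")
        rand, expected = self.home.authentication_vector(imsi)
        self.trace.append(f"3) Home -> Visited: RAND={rand.hex()} SRES={expected.hex()}")
        self.trace.append(f"4) Visited -> SIM: RAND={rand.hex()}")
        sres = sim.respond(rand)
        self.trace.append(f"5) SIM -> Visited: SRES={sres.hex()}")
        # constant-time comparison of the 4-byte responses
        return hmac.compare_digest(sres, expected)


def run_roaming_demo() -> tuple[bool, bool, bool]:
    """Returns (genuine SIM accepted, counterfeit SIM accepted, Ki seen by visited net)."""
    home = HomeNetwork()
    genuine = home.provision("001010123456789")   # constructed IMSI
    visited = VisitedNetwork(home)
    ok_genuine = visited.authenticate(genuine)
    # A card claiming the same identity but holding a different Ki
    counterfeit = Sim(genuine.imsi, secrets.token_bytes(16))
    ok_counterfeit = visited.authenticate(counterfeit)
    # Everything the visited network handled is in its trace; Ki must not be there
    ki_seen = any(genuine._ki.hex() in line for line in visited.trace)
    return ok_genuine, ok_counterfeit, ki_seen


if __name__ == "__main__":
    print(run_roaming_demo())   # (True, False, False)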


  • Slide 6: SIM Toolkit

    SIM gives commands to the handset: display text, get key hit, send SMS, block call

    Operator controls loading of applications

    GlobalPlatform architecture used to manage keys for non-operator applications

    Diagram labels: Application 1, Application 2, Application 3, Handset, STK

  • Slide 7: SIM for Local Authentication

    SIM-based authentication and authorization: the visited network is a merchant or a door

    SIM-based cryptographic services: session keys, certificates, signing, tickets, etc.

    Diagram labels: Operator SIM, Handset, Local Connections (IR, Bluetooth, etc.), Other SIM, 3G Network


  • Slide 9: Business Models for SIM Security Extension

    Theory, Reality and Lessons Learned

    Theory: Compelling business and revenue opportunities based on leveraging SIM security

      Enormous global installed base of active SIM cards: over 800 million GSM and 3G handsets and subscribers

      Well-established international standards for SIM applications and key infrastructure

      Well documented architecture and tools for development using SIM Application Toolkit and Java Card platform

      Multiple business models from different industries (banking, retail, media, IT, health, etc.) in search of a strong mobile security solution will embrace the SIM

  • Slide 10: Three Potential Business Cases

    SIM-hosted and authenticated non-telephony m-commerce applications and services

      Allow trusted third parties to load applications onto the SIM card and share the existing key infrastructure to authenticate customers and authorize transactions via the wireless public network

    SIM-enabled use of the mobile handset for authenticated and authorized transactions via the wireless public network

    Embedded SIMs for authorization of users or devices attached to any network, particularly WiFi

  • Slide 11: SIM-Hosted M-Commerce Applications

    Business Model: Multiple applications are stored on a single SIM card to allow the subscriber to conduct secure banking, make and pay for purchases, and download and store value, tickets, etc. on the SIM

      Third party consumer and enterprise applications both supported

      SIM application provider gets a share of the projected $60 billion plus in m-commerce transactions

    Reality as of 2004: Technical requirements are in place

      Almost all recent SIMs are multi-application Java Card SIMs

      Over 260 million of them are GlobalPlatform compliant

    SIM-hosted applications have been scarce

      Limited to small mobile banking pilots in Europe and Asia

      Majority of the booming m-commerce business has moved to handset downloads and back-end server-based security systems


  • Slide 13: SIM Authentication in Non-Telephony Networks

    Business Model: Embed the SIM in WiFi and other networked devices, or provide a SIM-USB token to subscribers, for authentication and payment for WiFi access and roaming

      One solution for problems with 802.11 security

      Potential for portability and roaming on different networks

      Possible integration with wireless subscriber accounts

    Reality as of 2004

      WLAN Smart Card Consortium attempting to define standards

      Commercial deployments increasing but still in early stages

        Transat solution launches with 3,500 hotspots in the UK (4/04)

        Orange implements in Switzerland (3/04)

        Tartara demonstrates solution with Verisign (3/04)

        TSI demonstrates solution with Boingo Wireless (5/04)

  • Slide 14: Conclusion: Still Searching for a Clear Business Case for SIM Extension

    Limited applications to date outside of wireless telephony, and some notable business failures such as dual-slot handsets

    The combined business drivers of a billion SIMs, a rapidly growing m-commerce market and unsolved mobile security issues continue to bring new players and approaches to the table

    Lesson learned: Wireless carriers have made controlling and guarding the SIM key infrastructure a priority over increasing revenues through extension

      Carriers have the ability to cut off third party access to the SIM platform

    WiFi and non-telephony network authentication looks like a good match for the SIM key infrastructure, but long-term models may require wireless carrier participation