05_Extending the GSM-3G Key Infrastructure DIMACS Workshop_2004
8/12/2019 05_Extending the GSM-3G Key Infrastructure DIMACS Workshop_2004
Extending the GSM/3G Key Infrastructure
DIMACS Workshop on Mobile and Wireless Security
November 3, 2004
Scott B. Guthery
CTO, [email protected]
Mary J. Cronin
Professor of Management
Boston [email protected]
Outline
- SIM for Mobile Network Authentication
- SIM for Internet Authentication
- SIM for Local Authentication
Subscriber Identity Module
- Integral part of GSM security from the start
- Holds secret key Ki
  - other copy held by subscriber's network operator
- 8-bit processor, 8KB EEPROM, file system, cryptographic algorithms
- Identity token with a wireless connection to an authentication and billing service
GSM/3G Authentication
- Roaming is the stepping-off point for extending the GSM/3G key infrastructure
- Visited network authenticates without being in possession of Ki
[Figure: SIM, Visited Network and Home Network, with Ki marked twice. Message labels: 1) Identity, 2) Identity, 3) Challenge & Response, 4) Challenge, 5) Response]
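The five-step roaming exchange on this slide, as an added example that is not part of the original presentation. HMAC-SHA256 truncated to 32 bits stands in for the operator-chosen A3 algorithm, and the class names, function names and IMSI are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Assumed stand-in for the operator's A3: HMAC-SHA256 cut to a 32-bit response."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

class Sim:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki            # Ki never leaves the card

    def respond(self, rand: bytes) -> bytes:      # step 5: Response
        return a3_stand_in(self._ki, rand)

class HomeNetwork:
    def __init__(self):
        self._ki_by_imsi = {}                     # operator's copy of each Ki

    def provision(self, imsi: str) -> Sim:
        ki = secrets.token_bytes(16)
        self._ki_by_imsi[imsi] = ki
        return Sim(imsi, ki)

    def challenge_and_response(self, imsi: str):  # step 3: Challenge & Response
        rand = secrets.token_bytes(16)
        return rand, a3_stand_in(self._ki_by_imsi[imsi], rand)

class VisitedNetwork:
    """Holds no Ki: it relays the identity and compares two responses."""
    def __init__(self, home: HomeNetwork):
        self.home = home
        self.seen = []                            # everything this network learns

    def authenticate(self, sim: Sim) -> bool:
        imsi = sim.imsi                                          # step 1: Identity
        rand, expected = self.home.challenge_and_response(imsi)  # steps 2 and 3
        response = sim.respond(rand)                             # steps 4 and 5
        self.seen += [imsi, rand, expected, response]
        return hmac.compare_digest(response, expected)

def demo():
    home = HomeNetwork()
    genuine = home.provision("001010123456789")          # constructed test IMSI
    clone = Sim(genuine.imsi, secrets.token_bytes(16))   # same identity, wrong Ki
    visited = VisitedNetwork(home)
    return visited.authenticate(genuine), visited.authenticate(clone), visited.seen
```

The visited network's `seen` list contains only the identity, the challenge and the two responses, which is why the same pattern can be offered to a third party without sharing Ki.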
SIM Toolkit
- SIM gives commands to the handset
  - display text, get key hit, send SMS, block call
- Operator controls loading of applications
- GlobalPlatform architecture used to manage keys for non-operator applications
[Figure labels: Application 1, Application 2, Application 3, Handset STK]
SIM for Local Authentication
- SIM-based authentication and authorization
  - visited network is a merchant or a door
- SIM-based cryptographic services
  - session keys, certificates, signing, tickets, etc.
[Figure labels: Operator SIM, Handset, Local Connections (IR, Bluetooth, etc.), Other SIM, 3G Network]
Business Models for SIM Security Extension
Theory, Reality and Lessons Learned
- Theory: Compelling business and revenue opportunities based on leveraging SIM security
  - Enormous global installed base of active SIM cards
    - Over 800 million GSM and 3G handsets and subscribers
  - Well-established international standards for SIM applications and key infrastructure
  - Well documented architecture and tools for development using SIM Application Toolkit and Java Card platform
  - Multiple business models from different industries (banking, retail, media, IT, health, etc.) in search of strong mobile security solution will embrace the SIM
Three Potential Business Cases
- SIM-hosted and authenticated non-telephony m-commerce applications and services
  - Allow trusted third parties to load applications onto the SIM card and share the existing key infrastructure to authenticate customers and authorize transactions via the wireless public network
- SIM-enabled use of mobile handset for authenticated and authorized transactions via the wireless public network
- Embedded SIMs for authorization of users or devices attached to any network, particularly WiFi
SIM-Hosted M-Commerce Applications
- Business Model: Multiple applications are stored on a single SIM card to allow subscriber to conduct secure banking, make and pay for purchases, download and store value, tickets, etc. to the SIM
  - Third party consumer and enterprise applications both supported
  - SIM application provider gets share of projected $60 billion plus in m-commerce transactions
- Reality as of 2004
  - Technical requirements are in place
    - Almost all recent SIMs are multi-application Java Card SIMs
    - Over 260 million of them are Global Platform compliant
  - SIM-hosted applications have been scarce
    - Limited to small mobile banking pilots in Europe and Asia
    - Majority of booming m-commerce business has moved to handset downloads and back end server-based security systems
SIM Authentication in Non-Telephony Networks
- Business Model: Embed SIM in WiFi and other networked devices or provide SIM-USB token to subscribers for authentication and payment for WiFi access and roaming
  - One solution for problems with 802.11 security
  - Potential for portability and roaming on different networks
  - Possible integration with wireless subscriber accounts
- Reality as of 2004
  - WLAN Smart Card Consortium attempting to define standards
  - Commercial deployments increasing but still in early stages
    - Transat solution launches with 3,500 hotspots in the UK (4/04)
    - Orange implements in Switzerland (3/04)
    - Tartara demonstrates solution with Verisign (3/04)
    - TSI demonstrates solution with Boingo Wireless (5/04)
Conclusion: Still Searching for Clear Business Case for SIM Extension
- Limited applications to date outside of wireless telephony and some notable business failures such as dual-slot handsets
  - The combined business drivers of a billion SIMs, a rapidly growing m-commerce market and unsolved mobile security issues continue to bring new players and approaches to the table
- Lesson learned: Wireless carriers have made controlling and guarding the SIM key infrastructure a priority over increasing revenues through extension
  - Carriers have the ability to cut off third party access to the SIM platform
  - WiFi and non-telephony network authentication looks like a good match for the SIM key infrastructure, but long-term models may require wireless carrier participation