Mobile phone as Trusted identity assistant
Transcript of Mobile phone as Trusted identity assistant
![Page 1: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/1.jpg)
The future of a smart mobile device as a trusted personal identity management assistant
Vladimir Jirasek, CISSP-ISSAP & ISSMP, CISM, CISA
Senior Enterprise Security Architect, Nokia
Steering Group, Common Assurance Maturity Model
Non-executive director, CSA UK & Ireland
![Page 2: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/2.jpg)
Identity model in a physical world
• Mutual international acceptance of government issued passports.
• Acceptance of country specific ID cards within the country by government agencies and businesses.
![Page 3: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/3.jpg)
Identity problem in cyber space
![Page 4: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/4.jpg)
Identity problem in cyber space
Security risk, inconvenience and hindrance to economic acceleration
![Page 5: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/5.jpg)
Digital catching up with physical: governments are waking up
• USA – National Strategy for Trusted identity in Cyberspace (NSTIC)
• EU – European ID (eID)
• Other states may have their own plans
Jericho Forum (leading think tank on information security): Principles of de-perimeterisation (2006); Identity Commandments published May 2011
Interoperability is not a given but should be architected into digital identity systems
NSTIC is already in discussions with leading identity providers
![Page 6: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/6.jpg)
The shift in identity management is imminent
• People will embrace new way of identity management
• Iceberg will topple (violently – be prepared)
• Single (or very few) personal identity
• Self-assured or trusted attribute providers
We need a trusted device that manages this for us
![Page 7: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/7.jpg)
Mobile device becomes ubiquitous identity assistant
Diagram labels (the slide is an architecture diagram; only its labels survive in the transcript):
• Certifies attributes
• Certifies Identity provider
• Certifies Attribute provider
• Contract
• Requests identity
• Issues identity into smart device
• Authenticates user
• Seamless login
• Manages different “Personas” on behalf of user; authenticates user and passes required attributes
• Policies for required level of identity assurance and attributes
• (Multiple of)
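The flow on this slide, worked through as an added example (this is not code from the deck or from Nokia): an identity provider and two attribute providers issue per-attribute signed claims into the device, the identity assistant holds them under separate personas and releases only the attributes a service provider's policy asks for at the required level of assurance, and the service provider verifies what it receives. Assumptions: providers share HMAC keys with the service providers that trust them, as a stand-in for the PKI-backed certification of providers the slide implies; the claim layout, policy fields, provider names, level-of-assurance numbers and sample values are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed trust setup. The deck relies on certified identity and attribute
# providers backed by PKI; here each provider shares an HMAC key with the service
# providers that trust it (an assumption standing in for certificate checks).
PROVIDER_KEYS = {
    "gov-idp": b"gov-idp-key-0001",       # identity provider, high assurance
    "bank-attr": b"bank-attr-key-0002",   # attribute provider
    "retail-attr": b"retail-key-0003",    # attribute provider, low assurance
}
BANK_TRUST = {k: PROVIDER_KEYS[k] for k in ("gov-idp", "bank-attr")}
SHOP_TRUST = {"retail-attr": PROVIDER_KEYS["retail-attr"]}
NOW = 1_700_000_000  # fixed clock so the example is deterministic

def _mac(key, body):
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def issue_claims(issuer, subject, loa, attrs, ttl=3600, now=NOW):
    """Provider side: one signed claim per attribute, so the device can later
    disclose a subset without invalidating any signature."""
    key = PROVIDER_KEYS[issuer]
    claims = []
    for name, value in attrs.items():
        body = {"iss": issuer, "sub": subject, "loa": loa, "attr": name,
                "value": value, "exp": now + ttl}
        claims.append({"body": body, "mac": _mac(key, body)})
    return claims

class IdentityAssistant:
    """Device side: keeps claims per persona and releases only what a policy needs."""
    def __init__(self):
        self.personas = {}

    def store(self, persona, claims):
        self.personas.setdefault(persona, []).extend(claims)

    def present(self, persona, policy):
        chosen = {}
        for claim in self.personas.get(persona, []):
            b = claim["body"]
            if b["attr"] in policy["attributes"] and b["loa"] >= policy["min_loa"]:
                chosen.setdefault(b["attr"], claim)
        if set(chosen) != set(policy["attributes"]):
            return None  # persona cannot satisfy the policy: release nothing at all
        return list(chosen.values())

def verify_presentation(presentation, policy, trusted_issuers, now=NOW):
    """Service provider side: issuer trust, MAC, expiry, assurance level,
    a single subject across all claims, and full coverage of the policy."""
    if not presentation:
        return False
    subjects, seen = set(), set()
    for claim in presentation:
        b = claim["body"]
        key = trusted_issuers.get(b["iss"])
        if key is None or not hmac.compare_digest(_mac(key, b), claim["mac"]):
            return False
        if b["exp"] <= now or b["loa"] < policy["min_loa"]:
            return False
        subjects.add(b["sub"])
        seen.add(b["attr"])
    return len(subjects) == 1 and seen == set(policy["attributes"])

BANK_POLICY = {"min_loa": 2, "attributes": ["name", "dob", "account_verified"]}
SHOP_POLICY = {"min_loa": 1, "attributes": ["email"]}

def demo():
    device = IdentityAssistant()
    # Persona "citizen": real identity from the government IdP plus a bank attribute.
    device.store("citizen", issue_claims("gov-idp", "alice-real", 3,
                 {"name": "Alice", "dob": "1980-01-01", "address": "1 High St"}))
    device.store("citizen", issue_claims("bank-attr", "alice-real", 2,
                 {"account_verified": True}))
    # Persona "shopper": pseudonymous, low-assurance attributes only.
    device.store("shopper", issue_claims("retail-attr", "pseudonym-7f", 1,
                 {"email": "shopper7@example.org", "loyalty_tier": "gold"}))
    to_bank = device.present("citizen", BANK_POLICY)
    to_shop = device.present("shopper", SHOP_POLICY)
    tampered = [dict(c, body=dict(c["body"], value="Mallory")) for c in to_bank]
    return {
        "bank_ok": verify_presentation(to_bank, BANK_POLICY, BANK_TRUST),
        "bank_released": sorted(c["body"]["attr"] for c in to_bank),  # address stays on the device
        "shop_ok": verify_presentation(to_shop, SHOP_POLICY, SHOP_TRUST),
        "shopper_to_bank": device.present("shopper", BANK_POLICY),    # None: LoA 1 < 2
        "tampered_ok": verify_presentation(tampered, BANK_POLICY, BANK_TRUST),
        "expired_ok": verify_presentation(to_bank, BANK_POLICY, BANK_TRUST, now=NOW + 7200),
        "untrusted_issuer_ok": verify_presentation(to_shop, SHOP_POLICY, BANK_TRUST),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Signing each attribute separately is what lets the assistant honour the policy's attribute list without handing over the whole credential; the service provider in turn refuses a presentation that mixes subjects, so claims from two personas cannot be combined to pass a policy neither satisfies alone.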
![Page 8: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/8.jpg)
Now we have a vision! What next?
Technology
• SAML
• OAuth
• Secure mobile device
• mTPM
• Secure key storage
• Secure and trusted OS
• NFC
• Bluetooth
• Face recognition
• Voice recognition
• Cryptography and PKI
Governance
• Jericho Forum Identity Commandments compliance
• Segregation of Identity and Attribute providers!
• Trust between Service providers and Identity and Attribute providers
• International agreement on compatibility of identity protocols
![Page 9: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/9.jpg)
Mobile device as a trusted device [4,5]
How do mobile HW and OS hold up?
• Typically contains a System on Chip (SoC)
• Loads the kernel and mobile OS
• Loads mobile applications
If trust is not assured from the HW up, then there is no trust at all!
• Enterprise apps accessed from mobile devices
• OS security capabilities are crucial
• Application segregation, security reviews
![Page 10: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/10.jpg)
Mobile threats summary [2]
• Web-based and network-based attacks – mobile device is connected, browsing websites with malicious content
• Malware – traditional viruses, worms, and Trojan horses
• Social engineering attacks – phishing. Also used to install malware.
• Resource and service availability abuse – botnet, spamming, overcharging (SMS and calls)
• Malicious and unintentional data loss – exfiltration of information from phone
• Attacks on the integrity of the device’s data – malicious encryption with ransom, modification of data (address book)
![Page 11: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/11.jpg)
Mobile Security Models [2]
• Traditional Access Control: passwords and idle-time screen locking.
• Application Provenance: Application signing and Application review in App store
• Encryption: Encryption of device data and application data
• Isolation: traditional Sandboxing and Storage separation
• Permissions-based access control: Limiting application to needed functionality only
All must be supported by Trust from HW up.
Jailbreaking breaks the security model!
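“Trust from HW up” on slide 9 and “jailbreaking breaks the security model” here, as an added example (not from the deck, Nokia or any device vendor): a simulated verified and measured boot chain in which a root of trust in ROM checks the bootloader, each stage checks the next, and every stage is hashed into a running register in the style of a TPM PCR, so that an identity provider can attest the device before issuing an identity into it (the mTPM item on slide 8). Assumptions: HMAC keyed with a ROM-embedded secret stands in for the asymmetric signature a real SoC checks; the stage names, image contents, keys and the `enforce` flag that models an unlocked bootloader are constructed for the example.

```python
import hashlib
import hmac

# Constructed: real silicon fuses a vendor public key (or its hash) into the SoC.
# HMAC under a ROM-embedded secret stands in for that signature check here.
ROM_KEY = b"vendor-signing-key-in-rom"
CHAIN = ("bootloader", "kernel", "os", "app")

def sign_image(stage, code, key=ROM_KEY):
    """Vendor side: bind a stage name to the hash of its code."""
    digest = hashlib.sha256(code).digest()
    tag = hmac.new(key, stage.encode() + b"\x00" + digest, hashlib.sha256).hexdigest()
    return {"stage": stage, "code": code, "sig": tag}

def image_ok(image, key=ROM_KEY):
    digest = hashlib.sha256(image["code"]).digest()
    expected = hmac.new(key, image["stage"].encode() + b"\x00" + digest,
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, image["sig"])

def boot(images, enforce=True, key=ROM_KEY):
    """Walk the chain from the hardware up. Each stage is measured into a running
    register (pcr = H(pcr || H(stage code))) before it is allowed to run.
    enforce=True models a locked device that halts on a bad signature;
    enforce=False models a jailbroken/unlocked bootloader that carries on anyway."""
    pcr = b"\x00" * 32
    log = []
    for expected_stage, image in zip(CHAIN, images):
        digest = hashlib.sha256(image["code"]).digest()
        pcr = hashlib.sha256(pcr + digest).digest()   # measure what is about to run
        valid = image["stage"] == expected_stage and image_ok(image, key)
        log.append(f"{expected_stage}: {'ok' if valid else 'SIGNATURE MISMATCH'}")
        if not valid and enforce:
            return {"booted": False, "halted_at": expected_stage, "pcr": pcr.hex(), "log": log}
    return {"booted": True, "halted_at": None, "pcr": pcr.hex(), "log": log}

def attest(result, known_good_pcr):
    """What an identity provider checks before issuing an identity into the device:
    the device booted, and its measurements match a known-good configuration."""
    return result["booted"] and hmac.compare_digest(result["pcr"], known_good_pcr)

# Constructed images: a genuine chain, and the same chain with a bootloader that
# was re-signed by someone who does not hold the vendor key (a jailbreak).
GOOD_IMAGES = [sign_image(s, f"{s} v1 firmware".encode()) for s in CHAIN]
JAILBROKEN_IMAGES = [sign_image("bootloader", b"unlocked bootloader", key=b"attacker-key")] + GOOD_IMAGES[1:]

if __name__ == "__main__":
    good = boot(GOOD_IMAGES)
    print("locked, genuine:   ", good["booted"], good["log"])
    print("locked, jailbroken:", boot(JAILBROKEN_IMAGES)["halted_at"])
    unlocked = boot(JAILBROKEN_IMAGES, enforce=False)
    print("unlocked, attests as good?", attest(unlocked, good["pcr"]))
```

The two failure modes are deliberately different: a locked device never gets past the altered bootloader, while an unlocked one boots fine but its measurement register no longer matches the known-good value, so the trust decision moves from the device to whoever attests it. Every kernel, OS and application check above the bootloader relies on that first verification by the ROM, which is the point of slide 9.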
![Page 12: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/12.jpg)
Interoperable cyber identity means more security and more convenience for users = economic benefits
Smart mobile device becomes a centre of identity management – securely store and conveniently use digital identity in everyday life (Communicate, Contribute, Access, Pay)
Governments should promote interoperable identity frameworks
Identity and attribute providers will operate internationally; registration authorities will operate mostly nationally
![Page 13: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/13.jpg)
Resources
1. Veracode Mobile App Top 10 - http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/
2. Symantec Security Analysis of iOS and Android - http://www.symantec.com/about/news/release/article.jsp?prid=20110627_02
3. Mobile Trusted Computing Platform - http://www.trustedcomputinggroup.org/developers/mobile
4. Understanding HW architecture of Smartphones - http://hubpages.com/hub/Understanding-the-hardware-architecture-of-smartphones
5. A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia - http://asokan.org/asokan/research/platsec-comparison-ETHZ-mar2011.pdf
6. Security in Windows Phone 7 - http://msdn.microsoft.com/en-us/library/ff402533(v=VS.92).aspx
7. Difference between OAuth and OpenID - http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing
8. Kantara Initiative - http://kantarainitiative.org/
9. NSTIC - http://www.nist.gov/nstic/
10. ENISA - http://www.enisa.europa.eu/
11. Jericho Forum - https://www.opengroup.org/jericho/
![Page 14: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/14.jpg)
Questions? Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.
![Page 15: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/15.jpg)
Question 1: Which party issues a trusted digital identity to a user?
• Government
• Attribute provider
• Registration authority
• Identity provider
![Page 16: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/16.jpg)
Question 2: Which technology makes sure that the mobile device boot loader has not been altered?
• Bluetooth
• Trusted Computing Base for mobile
• NFC
• Face recognition
![Page 17: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/17.jpg)
Question 3: Which security mechanism ensures that mobile applications cannot directly talk to each other?
• Access control
• Sandboxing
• Data encryption
• Clipboard protection
![Page 18: Mobile phone as Trusted identity assistant](https://reader034.fdocuments.in/reader034/viewer/2022042714/554bc8cbb4c9053a298b589e/html5/thumbnails/18.jpg)
Question 4: What is NSTIC?
• National Science Technology Institute for Computing
• National Strategy for Trusted Identity for Computers
• National Strategy for Trusted Identity in Cyberspace
• National Strategy for Technology Innovation in Cyberspace