MOBILE PKI
Mobile Connect
In February 2014, the GSMA announced the launch of a cooperative initiative, supported by leading mobile operators, to develop an innovative new service that will allow consumers to securely access a wide array of digital services using their mobile phone account for authentication.
The Mobile Connect service will simplify consumers’ lives, offering a single, trusted, mobile phone number based authentication solution that fully respects their online privacy.
Single ID for user
Mobile Connect
Reference: http://www.gsma.com/personaldata/mobile-connect
Mobile Connect
URL: https://www.youtube.com/watch?v=H64ykFMbUrs
Mobile Connect - Authentication
Authentication
References:
- OpenID Connect - http://openid.net/connect/
- Mobile Connect Developer Portal - http://www.gsma.com/personaldata/developer-portal/
• Single Token
• Platform Independence
Mobile Connect – Attribute Exchange
Mobile Connect – Level of Assurance
[Figure: Level of Assurance ladder. Level 1: Password. Level 2: Click OK (OTP), one-factor authentication. Level 3: Enter PIN (OTP), two-factor authentication. Level 4: Enter PIN, digital signature, two-factor authentication.]
Mobile Connect – ETA Compliance
Mobile Connect LoA1 - LoA3: complies with the electronic signature under Section 9 of the Electronic Transactions Act B.E. 2544.
Mobile Connect LoA4 (+ PKI): complies with the reliable electronic signature under Section 26 of the Electronic Transactions Act B.E. 2544.
Mobile PKI
Mobile Connect: Level of Assurance 4
Traditional PKI Token
Requirements:
• Smartcard reader
• Laptop, PC or Kiosk
• Install driver
[Figure: PKI smart card]
PKI Advantage: Digital Signature
Authentication
Non-Repudiation
Integrity
Mobile PKI: Single Token
Digital Signing
ETSI 102 204
References:
- ETSI 102 204 - Mobile Commerce (M-COMM); Mobile Signature Service; Web Service Interface
Private & Public Key
Single Token for Multiple ID
Mr. Thitikorn Trakoonsirisak, +66 61 569 9999
Name: Mr. Thitikorn Trakoonsirisak
National ID: 1 2257 00028 74 6
Title: Managing Director
Company: KGroup Co.Ltd.
Mobile No.: +66 61 569 9999
Bank Account No.: 169-9-9889-968
PERSONAL INFO
BANK
GOVERNMENT
MOBILE OPERATOR
Mobile PKI vs Mobile Connect
Mobile PKI: Signing Process
[Figure: Mobile PKI Ecosystem. The user commits a transaction at a Banking/Government Services/e-Commerce service. Service ↔ Mobile Signing Service Platform (MSSP): Signing Request [ETSI 102 204] and Signing Response [ETSI 102 204]. MSSP ↔ Crypto SIM & Signing Applet: Signing Request and Signing Response (Digital Signature). MSSP ↔ Certification Authority (CA): Certificate Validation.]
Mobile PKI Ecosystem
Mobile PKI: Certificate Enrollment
[Figure: Certificate Enrollment. The user registers with the Registration Authority (RA). Mobile Signing Service Platform (MSSP) ↔ Crypto SIM & Signing Applet: Key Generation Request and Certificate Signing Request (CSR). MSSP ↔ Certification Authority (CA): Certificate Signing Request (CSR) [CMP protocol] and X.509 Certificate [CMP protocol].]
Mobile Connect: Authentication
[Figure: the user logs in with a mobile number (Login (Mobile No.)) at a Banking/Government Services/e-Commerce service. Service ↔ Mobile Signing Service Platform (MSSP): Authentication Request and Authentication Response. MSSP ↔ Crypto SIM & Signing Applet: Signing Request [ETSI 102 204] and Signing Response [ETSI 102 204] (Digital Signature). MSSP ↔ Certification Authority (CA): Certificate Validation.]
Mobile PKI vs Mobile Connect
Mobile PKI
• Complies with Mobile Connect LoA4
• Supports authentication through the ETSI 102 204 protocol
• Supports digital signing through the ETSI 102 204 protocol
Mobile Connect
• Supports authentication and attribute exchange through the OpenID protocol
• Does not yet support digital signing (a request to amend the OpenID Connect specification is in progress)
SESSION #2
Build On Mobile PKI
Authentication for Banking
Model #1: Mobile PKI
[Screens: Login with mobile number (08x-xxx-xxxx) → Login Confirmation: ACCEPT | DECLINE → ENTER PIN]
Model #2: Username & Mobile PKI
[Screens: LOGIN with username (Username is required) → request sent to the registered mobile number (08x-xxx-xxxx) → Login Confirmation: ACCEPT | DECLINE → ENTER PIN]
Note:
• Accepts feature phones
• Deny the request if the username or mobile number is incorrect.
• Prevents mobile number randomization and DoS attacks
Authentication for Banking
Model #3: Dynamic QR Code & Mobile PKI
[Screens: Scan QR Code for Login → ENTER PIN]
Note:
• Requires a smartphone and mobile application
• Deny the request if the QR Code is incorrect or expired.
• Prevents mobile number randomization and DoS attacks
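The server-side gate that Models #2 and #3 describe, as an added example that is not part of the slides: a login request is only dispatched to the number registered for the username, every refusal returns the same error, and a dynamic QR code is random, single-use and expiring. The user directory, the 16-byte code length and the Gate/QRTTL names are constructed assumptions.

```go
package main
import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"time"
)

// ErrDenied is the one answer for every refusal, so a caller cannot tell which field was wrong.
var ErrDenied = errors.New("login request denied")

// Gate: constructed user directory (username -> registered mobile number), outstanding
// single-use QR codes, and an injectable clock so expiry can be tested.
type Gate struct {
	Users   map[string]string
	qrCodes map[string]time.Time // code -> expiry
	Now     func() time.Time
	QRTTL   time.Duration
}

// RequestLogin is the Model #2 rule: the signing request goes only to the number registered
// for the username, so nobody can push login prompts to guessed or random numbers.
func (g *Gate) RequestLogin(username, mobile string) (string, error) {
	registered, ok := g.Users[username]
	if !ok || registered != mobile {
		return "", ErrDenied
	}
	return registered, nil // the MSSP signing request is dispatched to this number
}

// IssueQR creates a Model #3 dynamic code: 16 random bytes, valid for QRTTL.
func (g *Gate) IssueQR() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	code := base64.RawURLEncoding.EncodeToString(b)
	if g.qrCodes == nil {
		g.qrCodes = map[string]time.Time{}
	}
	g.qrCodes[code] = g.Now().Add(g.QRTTL)
	return code, nil
}

// RedeemQR accepts a scanned code once; unknown, reused or expired codes are denied.
func (g *Gate) RedeemQR(code string) error {
	exp, ok := g.qrCodes[code]
	delete(g.qrCodes, code) // single use, whether valid or not
	if !ok || g.Now().After(exp) {
		return ErrDenied
	}
	return nil
}
```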
Document Signing
• Submit Form xxxxxx: the web form is converted to a PDF file
• Signing Confirmation: Form xxxxxx, ACCEPT | DECLINE
• ENTER PIN
• The digital signature is used to sign the PDF / message digest
• Send the document
• Receive and validate the signature: CRL checking, validate signature
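The relying party's "receive and validate" step, as an added example that is not part of the slides: a constructed CA issues the subscriber certificate and a CRL, the crypto SIM's signing step is done in software, and VerifySignedDoc performs the certificate validation, signature validation and CRL checking the slide names. Ed25519 stands in for whatever algorithm a real SIM applet uses, and the CA name, the phone-number subject, the serial numbers and the form text are all assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// VerifySignedDoc is the relying party's "receive and validate" step: chain the subscriber
// certificate to the trusted CA, verify the signature over the document, then check the CRL.
func VerifySignedDoc(ca *x509.Certificate, crl *x509.RevocationList, cert *x509.Certificate, doc, sig []byte) error {
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return err
	}
	if err := cert.CheckSignature(x509.PureEd25519, doc, sig); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // never trust a CRL the CA did not sign
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}
// Demo plays every role with constructed data: the CA issues the subscriber certificate and a
// CRL listing revokedSerial, the SIM applet signs the form, and tamper is appended after signing.
func Demo(revokedSerial int64, tamper string) error {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	subTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "+66 6x-xxx-xxxx"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	subDER, _ := x509.CreateCertificate(rand.Reader, subTpl, ca, subPub, caKey)
	sub, _ := x509.ParseCertificate(subDER)
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey)
	crl, _ := x509.ParseRevocationList(crlDER)
	doc := []byte("Form 000123: loan agreement (constructed sample)")
	sig := ed25519.Sign(subKey, doc) // the SIM applet's signing step, done here in software
	return VerifySignedDoc(ca, crl, sub, append(doc, tamper...), sig)
}
```

Demo(3, "") accepts the signature (serial 3 is on the CRL, the subscriber's serial 2 is not), while Demo(2, "") fails CRL checking and Demo(3, " amended") fails signature validation.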
Document Signing
Example documents related to bank services:
• Insurance
• Loan Agreement
• Registration for Credit Cards
• Consent form
• Leasing
• Letter of Authority
Payment & e-Wallet
Customer scans a QR Code for payment
[Screens: Order Details (www.shopes.com), Total 32.80 $, Scan for payment → the customer scans the QR Code on the website → Payment 32.80 $ Confirmation: ACCEPT | DECLINE → ENTER PIN → Transaction complete]
Payment & e-Wallet
Customer scans a QR Code for bill payment
[Screens: Scan QR Code for Bill Payment → Payment 500 ฿ to Electric Company, Transaction xxxxxx, Confirmation: ACCEPT | DECLINE → ENTER PIN → Transaction complete]
Payment & e-Wallet
Customer scans a QR Code for payment
[Screens: Scan QR Code for Payment → Payment 180 ฿ to Miss Mango Demo, Transaction xxxxxx, Confirmation: ACCEPT | DECLINE → Transaction complete]
Payment & e-Wallet
Merchant scans the customer's QR Code to request payment
[Screens: the merchant (supermarket) calculates the amount for payment → the user shows a barcode to the merchant → the merchant scans the barcode → Payment 500 ฿ to CD Shop, Confirmation: ACCEPT | DECLINE → ENTER PIN → Transaction complete]
ID Provider (ID as a Service)
[Figure: Login with Mobile ID (08x-xxx-xxxx) at the centre, linked to: Online Shops, Document Signing, Safe Log-in, Verify User, Public Administration, Safer purchase agreement, Bill payment]
Case Study: BankID, Norway
EXAMPLES OF AREAS OF USE
• Online shops - Better user experience with BankID
• Real estate - Secure bidding with BankID
• Car dealer - Safer purchase agreements with BankID
• Member organizations - Better dialogue with BankID
• Electricity - New electricity subscription with BankID
• Telecommunications - Simpler and more secure with BankID
• Public administration - BankID makes it easier
• Banking and insurance - Simple and secure with BankID
https://www.bankid.no
Case Study: e-Estonia
https://e-estonia.com/
Case Study: Singapore
http://www.straitstimes.com/singapore/e-identity-cards-for-all-singaporeans-on-the-cards
THANK YOU