mobile based authentication and payment

50
NISnet Winterschool, April 2008 Mobile based authentication and payment Josef Noll Prof. stip. University Graduate Center/ University of Oslo [email protected]

Upload: josef-noll

Post on 08-May-2015

1.702 views

Category:

Technology


5 download

DESCRIPTION

Tutorial at NISnet winter school, April 2008, Finse, Norway

TRANSCRIPT

Page 1: Mobile based authentication and payment

NISnet Winterschool, April 2008

Mobile based authentication and payment

Josef NollProf. stip.

University Graduate Center/University of Oslo

[email protected]

Page 2: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

Research and Education at Kjeller

Close relation to FFI, IFE, NILU,...

Prof. from Univ. of Trondheim and Oslo

2

Page 3: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

Outline Admittance, service access and payment Mobile extensions Introduction of RFID and NFC

– Message: “Using the phone for payment and access”– Interfaces and standardisation– Phone implementations

Activities worldwide– Snapshots, Standardisation

“Who owns the SIM?” – My security infrastructure– Ownership versus management

3

Page 4: Mobile based authentication and payment

Josef Noll, 26.4.2005 RFID - NFC tutorial 4

Service development

1G:

1970 1980 1990 2000 2010

3G:

2G:

B3G:

Mobile telephony

Mobile telephony, SMS, FAX, Data

Multimedia communication

Personalised broadband wireless services

Page 5: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

The Service ChallengeMobile and Proximity Services

5

NFC

Internet services

signedcertificates

Mobile initiatedservice access

Proximity services

NFC

certificate

Mobile services – services in the mobile– mobile network services– Internet services

Proximity services– Payment– Access, Admittance

Page 6: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

Current Access & Authentication mechanisms Login/password

Admission card

Payment card

Biometrics

6

Page 7: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 7

My phone collects all my security

SIM with NFC & PKI

Page 8: Mobile based authentication and payment

Josef Noll, “Who owns the SIM?”, 5 June 2007

Mobile Services, incl. NFC• Focus in 2008 on

mobile web• Push content upcoming

• NFC needs next generation phones• S60, UIQ, ...• Common Application

development• Integrated

development

[“Mobile Phone Evolution”, Movation White paper, May 2007]

Expected customer usage [%] “have tried” of mobile services in the Nordic Market

0

15

30

45

60

2006 2008 2010

SMS authentication Mobile WebPush content NFC payment

8

Page 9: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

Mobile Phone supported access SMS one-time password

MMS, barcode

eCommerce (SMS exchange)

Network authentication WAP auto access

Applets: PIN code generation (Bank ID)

Future SIM9

Page 10: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 10

WAP gatewaySeamless authentication

HTTP request94815894 Hash

HTTP requestcTHG8aseJPIjog==

Pictures for ’rzso’.Password:1234sID: cTHG8aseJPIjog==

Page 11: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 11

Bankingfrom the mobile phone

Security considerations Equally secure as SMS

(get your account status) Easy to use Advanced functionality

through PIN (if required) Seamless phone (SIM)

authentication Advanced security when

required– BankID or – PIN

Welcome Josef: SIM authentication

Transfer, payments

Advanced functionality

BankID or PIN(double security)

Account status

Information:

Using SIM,no customer input

required

Smartcard interfacesISO/IEC 7816

NFCcommunication

unit

SIM

NFC2SIM

Page 12: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 12

MyBank example: Banking from the mobile phone

User incentive: “My account is just one

click away” “enhanced security for

transactions”Phone (SIM) authenticationLevel 2 security through

PKI/BankID/PIN?

Page 13: Mobile based authentication and payment

Josef Noll, “Who owns the SIM?”, 5 June 2007

Authentication provider

Auth. provider

Seamless authentication

Physical access VPN

Content access, .mp3,

.jpg

Service access

Page 14: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

Outline Admittance, service access and payment Mobile extensions Introduction of RFID and NFC

– Message: “Using the phone for payment and access”

– Interfaces and standardisation– Phone implementations

Activities worldwide– Snapshots, Standardisation

“Who owns the SIM?” – My security infrastructure– Ownership versus management

14

Page 15: Mobile based authentication and payment

Josef Noll, “Who owns the SIM?”, 5 June 2007

ID, trust and personalisation provider

CertificateRemote services

Proximity services

Who provides?– ID provider

Where to store?– Network– Phone

How to store/backup?– long term, short term

Page 16: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 16

RFID Technology: Principle

RFID-reader sends a RF signal TAG receives it TAG returns predefined signal

RFID-TAG doesn’t need own power supply

TAG gets power to operate from the RF-pulse of reader

No need for physical sight or contact between reader and TAG

Each product can have own id-number

Source: Eurescom P1346 D2, January 2004

Page 17: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 17

Passive RFID: Main frequencies

Frequency division:– Low: 100-500 kHz– Medium: 6-15 MHz– High: 850-950 MHz and 2.45 GHz

Active responses– AutoPass 5.8 GHz

I.C. Cards13.56 Mhz

Access ControlAnimal ID

125,133 kHz

Toll RoadsItem

Management~900 MHz

ItemManagement

2.45 GHz

10 kHz 100 kHz 1 Mhz 10 MHz 100 MHz 1000 MHz 2.45 GHz

Source: Eurescom P1346 D2, January 2004

Page 18: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 18

Current Services and Applications

Typical services made using RFID today

Sports Timing Access Control Animal Tracking Asset Management Baggage Handling Product Authentication, Security Supply Chain Management Transportation, user information Wireless Commerce, Payments, Toll Collection

Source: Eurescom P1346 D2, January 2004

Page 19: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 19

Registrationexample: Birkebeiner

Online information to mobile phone

Could be used for photo, video, etc

Page 20: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 20

Ticketing

Cinema/Concerts

Bus/Subway

RFID ticketing zone

TerminalIncl. rfid tag

Ticketing terminal with RFID reader

MobileCommerce

RFID ticketing server

Football/Sport

Source: Eurescom P1346 D2, January 2004

Page 21: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 21

Supply chain

supplier 2

supplier A

Prosessing

wholesaler retailer

customer

customer

Product InfomrationDatabase

RFID reader/gate

customer

Presentation

RFID reader/gate can be placed along manufacturing lines (company internal)and along the distribution chain (company external/between the actors)

Source: Eurescom P1346 D2, January 2004

Page 22: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 22

Visitor Density, two functions

Resort owner

”What ride has most users?”

Datamining services

Example2: Resort owner services

”Bumber cars; 200 users/day; 50cent/ride”

”Where is my kid?”

”Where was ID:123123 last seen?”

SystemDatabase

Roller-coaster queue reader

InfoSpot

”Roller-coaster queue”

”At the roller-coaster queue”

Reader X

Reader Y

Example1: Customer service

Source: Eurescom P1346 D2, January 2004

Page 23: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 23

Technology: Range From millimeters to tens of meters Depends on antennas, power of reader,

characteristics of TAG and operation principle Range decided when application developed ISO standards:

– proximity cards: 10 cm– Vicinity cards: 1,5 m

Source: Eurescom P1346 D2, January 2004

Page 24: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

NFC is ...

RFID at 13.56 MHz RF (modem) and protocolls

24

Passive operation:1) Phone=Reader has static magnetic field2) Tag acts as resonator, “takes energy” ~1/r^6

0 0,8 1,6 2,4 3,2 4 4,8 5,6 6,4 7,2 8 8,8 9,6

0,25

0,5

0,75

1

1/r^2

1/r^6

Power decrease of static and electromagnetic field

Page 25: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 25

Technology: Security considerations

In the past there was no need for security in RFID-systems– logistic data collection the information has no relevance or

value anywhere else except the originally designed purpose If TAGs are in consumer goods there is a need for security and

privacy Security protocols:

– Bilateral authentication– Key agreement– Encrypted communication

Secure communications needs computing resources

Source: Eurescom P1346 D2, January 2004

Personal items Passport, Payment cards, mobile phone

Page 26: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 26

ViVOtech 2006:Contactless replaces cash

Page 27: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

NFC technology and use case Based on RFID technology at

13.56 MHz Typical operating distance 10 cm Compatible with RFID Data rate today up to 424 kbit/s Philips, Sony and Nokia

27

ECMA-340, ISO/IEC 18092 & ECMA-352, …standards

Powered and non-self powered devices

Page 28: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

NFC use cases Payment and access

– include Master-/Visacard in the phone– have small amount money electronically– admittance to work

Service Discovery– easy access to mobile services:

Web page, SMS, call, ...– local information and proximity services (get

a game) Ticketing

– Mobile tickets for plain, train, bus:Parents can order and distribute, ...

28Source: Nokia 6131 NFC Technical Product Description

Page 29: Mobile based authentication and payment

Josef Noll, 26.4.2005 RFID - NFC tutorial 29

NFC standardisation

ECMA-340 • Specifies the RF signal

interface• Initialisation, anti-

collision and protocols• Communication mode

selection mechanism ECMA 352 (v1, Dec 2003)• Selects communication

modes: NFC, PCD, and VCD

• Enables communication in that mode

Page 30: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 30

NFCIP-2 Interface and protocol(ISO/IEC 21481)

ECMA-340ISO/IEC 14443

PCD mode

(MIFARE, FeliCa)

ISO/IEC 15693VCD mode

(facility access)

InterfaceStandards

Page 31: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

NFCIP-2 Interface and protocol (ISO/IEC 21481)

31

ECMA-340

Interface Standards

ISO/IEC 14443

PCD mode

(MIFARE, FeliCa)

ISO/IEC 15693

VCD mode

(facility access)

NFC device Proximity CardReader

Vicinity CardReader

NFC ECMA-340

YES340 okay

Page 32: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

NFCIP-2 Interface and protocol (ISO/IEC 21481)

32

ECMA-340

Interface Standards

ISO/IEC 14443

PCD mode

(MIFARE, FeliCa)

ISO/IEC 15693

VCD mode

(facility access)

NFC device Proximity CardReader

Vicinity CardReader

NFC ECMA-340

NO15693 okay

Page 33: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

Nokia 6131 Firmware

33Source: Nokia 6131 NFC Technical Product Description

ISO14443

Page 34: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

NFC phone status (April 2008) Nokia 3320, 5340, 6131, xx Philips/Samsung X700 LG Sagem BenQ T80

Missing specifications Motorola HTC

34

Page 35: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

Time to marketbased on phone evolution

35

Operators to Launch NFC-Based Mobile Payment Services 13th November 2007, Macau: 12 mobile operators will run trials of contactless mobile payment services in Australia, France, Ireland, Korea, Malaysia, Norway, The Philippines, Singapore, Taiwan, Turkey and the U.S. as a precursor to commercial launches.

Near Field Communications News and Insight

BBC names NFC a top technology for 2008Posted January 16, 2008

Survey shows that US consumers want simple payment features for NFC phonesPosted January 10, 2008

Report: Majority of phones will support NFC once standards are finalizedPosted January 03, 2008

Source: NFCnews.com

DnB Nor and Telenor to form mobile payments unitPosted April 21, 2008

Norwegian banking group DnB Nor and local telco Telenor have revealed plans to establish a new mobile payments program. The new mobile payments system, called Trusted Service Manager (TSM) Nordic, will be a subsidiary of Doorstep.

Orange delays NFC launchPosted April 16, 2008

Mobile operator Orange is postponing its commercial NFC launch by several months, according to CardLine Global.

Page 36: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

UNIK work Key-exchange for admittance and content protection Analysis and implementation of Easy Pairing Easy Pairing

– Use NFC to establish Bluetooth contact with Media Center

– analyse phones: Nokia 3320, Nokia 6131 Experiences from Implementations

– Phones and NFC tags– Linux pairing– Windows pairing

36

Page 37: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access 37

Prototype:SMS key access

Service Centre

Application1) Send SMS

3) Send service to phone

2) Send info to recipient

4) Enters house with NFC access

Smartcard interfacesISO/IEC 7816

NFCcommunication

unit

SIM

NFC2SIM

Page 38: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

Implementation

38

(1) Register the user

(2) Send mobile key (mKey) to user

(3) Receive info message(4) Saving the NFC key

Page 39: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

ITEA WellCom: Interworking Set-top box and mobile

Source: AlcatelLucent, WellCom Meeting

1) Easy device set-up and communication

2) Authentication andService Access

Page 40: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

Easy Pairing Scenario Using NFC for reading

connectivity data of phone Set-top box initiates process NFC phones can pair through

vicinity– phone in range– start Bluetooth scanning– request for pairing

No NFC phone– use tag with Bluetooth

information

Comment:– security in handling

activities40

Similar procedure for Wifi pairing

1. search for Bluetooth device2. identity phone (tag info)3. service discovery on phone4. pairing

Page 41: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

Example EnCapEasy authentication Challenge: Find your BankID to sign in for

Internet banking– Could be triggered through login:

www.encap.mobi/demobank – Using NFC for starting secure

authentication Tag starts application on phone

– One time password created

Application areas– all kinds of authentication– local payment– BankID (while waiting for secure SIM)

41

Page 42: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

Interworking between NFC components Easy programming through Java MIDlet

software development environment available

Interface to Java Card and Mifare environment

42Source: Nokia 6131 NFC Technical Product Description

Tricky:- Interworking Java

Card, Mifare and Java

Ongoing- secure element = SIM

Page 43: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

Ongoing technical work

Interaction SIM-Mifare-Mobile Phone = “Single-wire protocoll”

Interaction Phone - Devices– Power-on/power-off

Roadmap for secure authentication

43

Page 44: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

From current SIM to Future SIM

44

New visionsfor mobile / UICC

Current Telenor Current Telenor

SIM (UICC) cardSIM (UICC) card(from 2001)(from 2001)

GlobalPlatform’s

Real Estate 3.rd

Party sec. domains

vision

SUN

2009?

(Java)

Plus ETSI SCP

3 new phys IFs:

12 Mb/s USB

NFC (SWP)

On-board

WEB server !

Multi-

Thread

New visionsfor mobile / UICC

Current Telenor Current Telenor

SIM (UICC) cardSIM (UICC) card(from 2001)(from 2001)

GlobalPlatform’s

Real Estate 3.rd

Party sec. domains

vision

SUN

2009?

(Java)

Plus ETSI SCP

3 new phys IFs:

12 Mb/s USB

NFC (SWP)

On-board

WEB server !

Multi-

Thread

Source: Judith Rossebø, Telenor

To comply with 3G networking requirements (USIM)

– Security features (algorithms and protocols), longer key lengths

– GSM uses EAP SIM: client authentication– UMTS uses EAP AKA: Mutual authentication

3rd party identities – ISIM application (IMS) – private user identity – one or more public user

identities– Long term secret

Page 45: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

New UICC architecture

45

eHealtheHealth

UICC – elements

UICC UICC ID = ICCIDID = ICCID

12 Mb/s USB

Full speed IF

NFC (or other) IF

(1 connector)

GSM Allocated

(2G/3G) IFs

(5 connectors)

New UICC Architecture / SIM advances

SIM Application Toolkit SIM Application Toolkit !! CAT CAT

PKI / PKI / eIDeID

PaymentPayment

EMVEMV

MultimediaMultimedia

DRM ?DRM ?

TicketingTicketing

(DRM !)(DRM !)

ElectronicElectronic

Purse Purse

Common Common

StorageStorage

USIMUSIMID= IMSIID= IMSI

& MSISDN & MSISDN

SIMSIMID= IMSIID= IMSI

& MSISDN & MSISDN

PhonebookPhonebook

Source: Judith Rossebø, Telenor

Page 46: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

UICC for multiple ID providers

46

Compartmentalisation of the UICC3.rd party on-board applications featuring

• Internal and segregated Security domains

• Private entrances for SP to applications

(own keys and key management)

• Use of NFC, USB IF or other common

resources

-MNO as house-keeper (Real Estate Manager)

Source: Judith Rossebø, Telenor

Page 47: Mobile based authentication and payment

Josef Noll, “Who owns the SIM?”, 5 June 2007

Third party business model• Media, • Banks, Service providers• Telecom, Corporate, Home

Identity and personalisation

provider

Customer care

Serviceaggregator

Authentication and Access

provider

Paymentprovider

Content provider

• Service aggregator• Convenient interfaces

• Ease of use

• Identity and personalisation provider• Convenience

• Trust

47

Page 48: Mobile based authentication and payment

Josef Noll, “Who owns the SIM?”, 5 June 2007

The secure element:

SIM card

Send service to phone

Send info to recipient

Smartcard interfacesISO/IEC 7816

NFCcommunication

unit

SIM

NFC2SIM

Identity and personalisation

providerAuthentication

and Accessprovider

Serviceaggregator

• SIM is secure element

• controlled environment• over-the-air update• open for applications

• SIM will be owned by user

• managed by trusted third party

Send key and credentials

Page 49: Mobile based authentication and payment

Josef Noll, “Who owns the SIM?”, 5 June 2007

Challenges and Benefits

How insecure is the Internet?

Will the phone be the only secure element?

Dynamic service environment? On-the-fly creation of services?

Are Google, facebook and flickr more trusted than telecom

operators?

Visa and Mastercard enable convenient small amount

purchases

0

50

100

150

200

2006 2008 2010

Telco favourite Third party favourite

Convenience of usage

49

Page 50: Mobile based authentication and payment

April 2008, Josef NollMobile Payment and Access

Conclusions on Near Field Communications Standardisation well-under-way

– NFC with three modes– SIM interworking – power on (payment) versus power off (ticket)

Commercial kick-off visible – Pre-commercial trials “everywhere”– Critical hand-set status (only low-range phones)

Unclear business models– variety of application areas– co-operation and revenue sharing

“Sufficient Security”? Teaching the customer

– easy to use– “always available”