
Page 1

Secure Element Access from a Web browser

W3C Workshop on Authentication, Hardware Tokens and Beyond

11 September 2014

Oberthur Technologies – Identity BU

JAVARY Bruno

Page 2

Agenda

• 01. INTRODUCTION

• 02. EXISTING: WHAT ARE THE DRAWBACKS

• 03. USE CASE: PIV

• 04. PERSPECTIVE AND PROPOSAL

Page 3 (agenda slide, repeated)

Page 4

History: OT experience

• June 20th 2013, London: Workshop on Web Applications and Secure Hardware

• July 2013:

• October 15th 2013: Oberthur Technologies joins the FIDO Alliance

• OT founding member of the SIA

• November 2013: presentation of PIV for eSE on the OT booth, demonstrating eServices. “My voice is my password” winner in the Trusted Internet/Authentication category; PIV for eSE finalist

• February 24-27th 2013, Barcelona, GSMA Mobile World Congress: first worldwide demonstration of a FIDO authentication secured by the SIM

• March 2014: Mobile ID study starts with a dedicated workforce, with the objective “Smartcard Access from Web Browser”

• Summer 2014: W3C call for papers; submission of a position paper, the result of the internal study

Page 5

POSITION SUMMARY

• To enable common access for every single user to trusted services thanks to a secure element, the best candidate is the web browser

• Consequently, HTML and JavaScript will be the standard way to access a secure element

• Many examples already exist of access to hardware
  o Video, webcam, geolocation, file system
  o Thanks to the evolution of standards

Page 6

POSITION SUMMARY

Several topics are to be considered:

• Authentication
  o For payment / Internet banking / corporate network access / social media
  o FIDO is an answer

• Access to cryptographic operations: « Secure Operations Execution »
  o Web Crypto API
  o Issue: define use cases exhaustively

• Low-level access to the secure element or hardware token
  o Access as close as possible to the hardware
  o Close to sysapp considerations

Page 7 (agenda slide, repeated)

Page 8

EXISTING

Middleware

• Software application that enhances the capabilities of our computer applications by creating an abstraction layer

• Implements standards

• Good solution for local use: it provides secure features built on standards in a controlled IT configuration. However, it cannot be used as an online solution or on an open device.

Web browser extension

• Program integrated into a web browser which provides new features

• Can be: plug-in, Java applet, ActiveX

• The only solution right now, but with many drawbacks:
  o Heterogeneity of methods to access the smart card
  o Security

Page 9

EXISTING

Mobility

• Most of the APIs are proprietary (e.g. OT Micro SD)

• There are some promising technologies
  o NFC
  o Open Mobile API

• These communication layers remain low level

• Middleware and web browser extensions do not fit in a mobile environment

Page 10 (agenda slide, repeated)

Page 11

PIV - PERSONAL IDENTITY VERIFICATION

Definition

• A US federal employee or contractor carries a PIV card defined by the National Institute of Standards and Technology (NIST).

• The card is required to enter a government building and to log on to computers (physical and logical access control).

• The federal employee can also sign emails or documents and authenticate to remote web sites over HTTPS.

Limitations

• File decryption or signing must be done locally. In a world of cloud computing and “Software as a Service”, this is a real inconvenience.

• The agent must have an already configured PC or be granted specific rights, which prevents the use of devices “on the go” or “away from the office” (in a hotel, an airport, at home).

• To use a smartphone or a tablet, specific software and hardware (a card reader) have to be set up.

Page 12 (agenda slide, repeated)

Page 13

PROMOTE A STANDARDIZATION

Position

• As a solution provider, we would like to push the standardization of a JavaScript API which allows a web browser to communicate with a smart card

• The objective is to open trusted services based on a secure element to the mainstream market

• In order to be implemented in all browsers and to ensure its reliability, the API should be endorsed by W3C.

Secure Element API

• This API is complete and well documented. It presents the technical background and use cases in detail and gives good visibility of security, permissions, access control and conformance

• Security is at the heart of OT’s concerns; the proposed solution combines validation of the feature by the user and a specific access control mechanism

• The idea behind it is to offer trusted access to a secure element from a service provider, preventing unauthorized use.
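As an added illustration (not part of the deck, and not the Secure Element API it proposes), the following JavaScript models the two gates this slide describes: a rule set binding a web origin to the applets it may select, and an explicit user validation, both enforced before any APDU is forwarded. The origin, the AID and the mock card path are constructed placeholders.

```javascript
// Added illustration, not the API proposed in the deck: a broker enforcing the two
// gates the slide names before any APDU reaches the secure element: (1) a rule set
// binding a web origin to the applet AIDs it may select, (2) an explicit user
// validation for that origin. Origin, AID and status word are constructed placeholders.
const ACCESS_RULES = {
  "https://eservices.example": ["A0000000010001"], // placeholder AID (hex)
};
// Minimal parser for an ISO 7816-4 short command APDU: CLA INS P1 P2 [Lc Data] [Le].
function parseApdu(bytes) {
  if (bytes.length < 4) throw new Error("APDU shorter than its 4-byte header");
  const [cla, ins, p1, p2] = bytes;
  let data = [];
  if (bytes.length > 5) {
    const lc = bytes[4];
    if (bytes.length < 5 + lc) throw new Error("Lc exceeds APDU length");
    data = bytes.slice(5, 5 + lc);
  }
  return { cla, ins, p1, p2, data };
}

const toHex = (arr) => arr.map((b) => b.toString(16).padStart(2, "0")).join("").toUpperCase();

class SecureElementBroker {
  constructor(rules, transmitToSe) {
    this.rules = rules;               // origin -> AIDs it may select
    this.transmitToSe = transmitToSe; // hardware path, reached only after both gates
    this.sessions = new Map();        // origin -> { selected: AID or null }
  }
  // Gate 1 (rule set) and gate 2 (user validation) must both pass to open a session.
  requestAccess(origin, userApproved) {
    if (!this.rules[origin] || !userApproved) return false;
    this.sessions.set(origin, { selected: null });
    return true;
  }
  // Every command is checked against the origin's session before it is forwarded.
  transmit(origin, bytes) {
    const session = this.sessions.get(origin);
    if (!session) return { ok: false, reason: "no access granted" };
    const apdu = parseApdu(bytes);
    const selectByAid = apdu.cla === 0x00 && apdu.ins === 0xa4 && apdu.p1 === 0x04;
    if (selectByAid) {
      const aid = toHex(apdu.data);
      if (!this.rules[origin].includes(aid)) return { ok: false, reason: "AID not allowed" };
      session.selected = aid; // later commands are scoped to this authorised applet
    } else if (!session.selected) {
      return { ok: false, reason: "no authorised applet selected" };
    }
    return { ok: true, response: this.transmitToSe(bytes) };
  }
}
```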

Page 14

PERSPECTIVE

Let’s follow, jointly with all companies and associations sharing the same opinion and interest, the action plan below:

Action Plan

• Identify a charter to carry the project

• Define use cases and, for each of them, demonstrate the impact and validate the consistency of the current proposal.

• Meet all stakeholders interested in the subject, be aware of each of their interests and create a common basis of communication and strategy

• Establish interactions with other standardization efforts (e.g. Open Mobile API)

• Gather work forces to create a proof of concept and apply it to use case examples (e.g. eServices)

Page 15

Thank you for your attention