secure elements in web applications
TRANSCRIPT
The Path to Inter-Industry
Standards for Utilizing
Secure Elements in Web
Applications
Olivier POTONNIEE, Karen LU
September 2015
Secure Elements and The Web
Secure Elements in Web Applications2
Telecom• Login / Strong Authentication
Payment• Card-present eCommerce
ID• eGov
• Authentication & Signature
Transport • View balance
• Reload / Buy tickets online
Low level Secure Element APIs
PC/SCOpen Mobile API
(OMAPI)
8.1: 10:
3 Secure Elements in Web Applications
Cross-Platform Secure Element (SE) API
Secure Elements in Web Applications4
PC/SC
(MSWindows, MacOS, Linux)
OMAPI
(Android)NFC
Desktop Mobile
Web Applications
Web
Runtim
eO
S
Secure Element APIAccess Control
…
Secure Element API
Standardization
Proposed to W3C (SysApps & WebCrypto WGs)
http://opoto.github.io/secure-element/
Transferred to a GlobalPlatform WG
https://github.com/globalplatform
Implementation
Included in Firefox OS 2.2 (June 2015)
5 Secure Elements in Web Applications
Secure Element API
Secure Elements in Web Applications6
Transport-level API (similar to SIM Alliance’s OMAPI)
Secure Element
Manager
Reader
Session
Channel
Enumerate readers
SE insertion / removal events
Is SE present?
Connect to SE
SE ATR
Connect to Applet
Basic / Logical
Transmit APDUs
Access Control Toolbox
Secure Elements in Web Applications7
• PIN
• Secure Messaging
Mutual AuthentN
• GlobalPlatform
Access Control
Secure Element
Security Model
• Permissions:
Access to
device/resources
(GPS, storage, etc…)
• Same Origin Policy
(SOP):
Data isolation per
domain
Web
Security Model
Access Control (1/2): The Web
Secure Elements in Web Applications8
• PIN
• Secure Messaging
Mutual AuthentN
• GlobalPlatform
Access Control
Secure Element
Security Model
• Permissions:
Access to
device/resources
(GPS, storage, etc…)
• Same Origin Policy
(SOP):
Data isolation per
domain
Web
Security Model
Domain-binded SE apps (SOP compliant)
Secure Elements in Web Applications9
An SE app with one credential per domain
An SE app is tied to a single domain, which hosts a centralized
service
Other apps use a delegation protocol to use the centralized service
Identity
Provider
SAML/OpenID Connect
Login Authenticate
Service
Provider
(Relying
Party)
Access Control (2/2): Secure Elements
Secure Elements in Web Applications10
• PIN
• Secure Messaging
Mutual AuthentN
• GlobalPlatform
Access Control
Secure Element
Security Model
• Permissions:
Access to
device/resources
(GPS, storage, etc…)
• Same Origin Policy
(SOP):
Data isolation per
domain
Web
Security Model
Access
Control
Enforcer
GlobalPlatform Access Control
Secure Elements in Web Applications11
Access
Rules
SE
Application
Cached
Access
Rules
User Device
Application
Access Rule: Authorizes a
specific app on device to
access a specific app on SE
[and send specific commands]
http://www.globalplatform.org/specificationsdevice.asp
Secure Element API to build Trusted Services
AuthentN Signature Payment Reload
Web Applications
…
Public APIs
Restricted APIs
Web
Ru
nti
me
Privilege apps,
e.g. Extensions
12 Secure Elements in Web Applications
Secure Element API Access Control
The security palette
Secure Elements in Web Applications13
Secure
Element
Built-ins
GlobalPlatform
Access Control
Trusted
Services
Domain
Binding
Participate!
Secure Elements in Web Applications14
.
New Working Group: Hardware Security (HaSec)
Will work on use cases and APIs
http://www.w3.org/2015/hasec/2015-hasec-charter.html
.
New Working Group: WebApis-for-SE
Will work on APIs and Implementation
Chaired by Hank Chavers (hank.chavers at globalplatform.org)
Thanks!
Secure Elements in Web Applications15
Questions?