TDL Sprint Trustworthy Mobile Devices: Token based MDM for Native Application Policy Enforcement...

Post on 23-Dec-2015


TDL Sprint

Trustworthy Mobile Devices: Token based MDM for Native Application Policy Enforcement

2014 – 03

CRYPTAS, NEC Laboratories Europe

Stefan Bumerl

Description of Sprint: Why at all? (high-level)

CRYPTAS it-Security GmbH / cryptas.com / cohors.net / cryons.com / cryptoshop.com / 2

© 2014 CRYPTAS it-Security GmbH / Franzosengraben 8 / 1030 Wien / Austria / T +43 (1) 35553-0 / F +43 (1) 35553-990 / E info@cryptas.com

⁄ Sprint cooperation of NEC and CRYPTAS

⁄ Increasing demand for secured applications in BYOD scenarios

  _ Many different applications: since a trusted, mobile-device-independent anchor is required, encapsulated container solutions are not always feasible

  _ Different policies for applications, potentially depending on different criteria

⁄ Need for certificate based security

  _ Existing solutions are often password based

  _ Continuous integration of tokens

  _ Secure element personalization is often not possible

  _ Use of NFC and microSD

⁄ Combining technology

  _ Device application modification and MDM with policy management

  _ CAVE clientless solution with TicTok tokens via NFC

⁄ Collecting and implementing user requirements

⁄ Demo for interaction of trusted stack mechanisms and eID federation

Technology description: What is inside? (low-level)


[Diagram: the three building blocks of the Sprint "Trustworthy Mobile Devices: Token based MDM for Native Application Policy Enforcement"]

1. In-Device Modification of Application-Code

2. Mobile Device Management: enterprise, SaaS or privately managed MDM

3. Trusted Hardware Anchor: unique ID, trusted communication channels, trusted signatures

NEC Application Container – 1: „Enforcing Policies“


/ NLE provides a Secure Application Container that is capable of enforcing enterprise-defined policies on every installed non-system app on the end user's mobile device.

/ It runs together with the “BYOD Management & User Notification“ component and adds Policy Enforcement Points (PEPs) to each target application during the rewriting process.

/ All user interaction is done through the “BYOD Management & User Notification“ App.

[Diagram: an App passes through APP-REWRITING and comes out inside the Secure App Container, instrumented with PEPs]

NEC Application Container – 2: „Manipulating Mobile Devices“ & MDM


[Diagram: deployment of the Application Container with MDM]

Mobile Device: several Apps, each rewritten with a PEP; the BYOD Management App hosting the Policy Decision Point (PDP); the Secure Hardware Anchor.

  _ PEP -> PDP: Check Policy

  _ PDP -> Apps: Modify and Enforce

Trusted Environment (e.g., Enterprise): MDM Backend and MDM Web-Interface (Add / Delete / Modify Policies), connected to the device over VPN.

  _ MDM Backend -> PDP: Provide Policies

External Partner: Add / Delete / Modify PEPs over the Internet via API.
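To make the PEP / PDP split of the two Application Container slides concrete, here is an added Python sketch (not NEC's or CRYPTAS's code) of the CheckPolicy and ProvidePolicies interactions: a decorator stands in for the PEP stub the rewriter injects in front of an API call, a small class stands in for the PDP in the BYOD Management App, and the policy format, app id and `token_present` flag for the smartcard anchor are constructed assumptions.

```python
from dataclasses import dataclass
from functools import wraps
# Constructed policy model (assumption, not NEC's own format): per app, the MDM
# backend states which operations it may perform and whether the user's
# smartcard token (the trusted hardware anchor) must be present.
@dataclass(frozen=True)
class Policy:
    app_id: str
    allowed_ops: frozenset
    require_token: bool = True

class PolicyDenied(PermissionError):
    pass  # raised by a PEP when the PDP denies the requested operation

class PolicyDecisionPoint:
    """Stands in for the PDP inside the BYOD Management & User Notification App."""
    def __init__(self):
        self._policies = {}
    def provide_policies(self, policies):
        # "Provide Policies": policies pushed by the MDM backend over the VPN.
        for p in policies:
            self._policies[p.app_id] = p
    def check_policy(self, app_id, op, context):
        # "Check Policy": asked by a PEP right before the guarded call runs.
        policy = self._policies.get(app_id)
        if policy is None:
            return False          # unmanaged app: default deny
        if policy.require_token and not context.get("token_present", False):
            return False          # smartcard not present: deny
        return op in policy.allowed_ops

def pep(pdp, app_id, op):
    """Decorator modelling the PEP stub the rewriter injects before an API call."""
    def decorate(fn):
        @wraps(fn)
        def guarded(*args, context, **kwargs):
            if not pdp.check_policy(app_id, op, context):
                raise PolicyDenied(f"{app_id}: {op} denied by policy")
            return fn(*args, **kwargs)
        return guarded
    return decorate

# Constructed sample: a managed mail app whose rewritten code guards its
# network send with a PEP; the policy permits net.send but nothing else.
PDP = PolicyDecisionPoint()
PDP.provide_policies([Policy("com.example.mail", frozenset({"net.send"}))])

@pep(PDP, "com.example.mail", "net.send")
def send_mail(payload):
    return f"sent {len(payload)} bytes"
```

With the token present the guarded call goes through; without it, or for an operation or app the backend never listed, the PEP raises before the original code runs.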


Secure eID – „clientless“ CAVE.


CAVE - Features


⁄ Card access without the need for any middleware on the client

⁄ Increased security, as a direct secure channel between the secure environment and the card is established

⁄ Reduced TCO

  _ No extra support for different client platforms

  _ No influence of different middlewares in multi-card environments

  _ No dependency on client configurations (applications, firewalls, antivirus, ...)

  _ No client-side updates; enhancements are immediately available for all

⁄ Enabling server-side virtual cards

  _ Can be used for replacement actions (e.g. forgotten cards)

  _ Especially in combination with other supported strong authentication mechanisms (SMS OTP, ...)

⁄ CAVE API

  _ For non-browser-based applications

  _ For deeper application integration requirements (mobile apps)

⁄ Integration in federated environments

⁄ Multiple simultaneous card support


TicTok - „One Card fits it all…“.


[Diagram: functions of the TicTok card]

⁄ Private PKI: e.g. domain logon, VPN, OWA, ...

⁄ Federated PKI: Identity Provider / Digital Signature

⁄ Alternative Authentication: One-Time-Password Generator

⁄ Add-On Applications: e.g. EmergencyApp, Ticket-Store, ...

⁄ RFID Emulation: e.g. Mifare, NFC, Legic “Card-In-Card” ...

⁄ Contact Interface: ISO 7816 based, for standard readers

⁄ Contactless Interface: ISO 14443 based, for NFC, PACS, ...

Properties highlighted: cost efficient, works in the existing environment, reliability, mobile environments, fast transactions, NFC compatibility.


TicTok - Specification


⁄ Java Card / GlobalPlatform powered secure microcontroller

⁄ Common Criteria and FIPS certified configurations

⁄ ISO 7816 contact interface

⁄ ISO 14443 Type B contactless interface

  _ Enabling NFC applications

⁄ Cryptographic functions:

  _ DES, 3DES, AES

  _ RSA, ECC

  _ SHA-1, SHA-224, -256, -384 and -512

⁄ Biometric Match-On-Card Application (optional)

⁄ Windows 7 Plug-n-play

⁄ Support for card and credential management systems

User Experience: What does the user expect from us?


Easy to manage Mobile Device Management (MDM) interface, offering easy integration of devices associated with users.

Easy to use user application, managing all modified applications. Running on Android OS.

Every user has their own unique smartcard, providing policies and secure channels.


Benefits / Impact: Identities + Mobile Devices everywhere!


/ Enterprise customers with more than 250 employees (*Statistik Austria 2007)

  _ Total: ~1,000 companies with 890,000 employees in total

  _ Banks and insurances: 61 with 70,000 employees in total

  _ Energy and utility: 27 with 22,000 employees in total

  _ Manufacturers: 459 with 292,000 employees in total

/ Health sector (*Gesundheitsministerium 2010)

  _ Hospitals: 102,400 health professionals in total, excluding management (21,000 doctors, 53,000 nurses, 13,800 ambulance, 13,300 MTA, 1,300 midwives)

  _ Social insurances: 26,700 employees in total

  _ GDA (support organizations, rescue services, geriatric centers, ...): 100,000 est.

/ Academia (*Statistik Austria 2010)

  _ 273,000 students at public universities

  _ 37,000 students at colleges

  _ 6,000 students at private universities (+ 16,000 rest)

/ Loyalty programs

  _ Regional customer retention (NÖ-Card, Kärnten-Card, ...)

  _ Discount cards (retailers, clubs, ...)

  _ Member cards (ÖAMTC, AK, WKO, ...)

[Diagram: identity assurance classes]

Class 4 “Secure”: Qualified Digital Signature, legally binding; secure personal registration, assurance according to signature law

Class 3 “Standard”: Trusted eID, e.g. WPV, enterprise, health; formal registration, federated trust, limited liability

Class 2 “Entry”: Multi-application systems, e.g. eTicket, universities, ...; deployment on the basis of existing and accepted databases

Class 1 “Loyalty”: Marketing, e.g. customer retention; simple registration, post delivery, plausibility check, existing customer

Scheduling of the Sprint


• First Demo: At TDL Event – beginning of April 2014

• Second Demo: At trial users – end of April 2014

• Solution adaptation: Together with users, implementing user wishes, solution customization – until end of July 2014

• Quality control and user survey – until end of August 2014

[Timeline: Now -> End Apr. -> End Jul. -> End Aug.]

Sprint requirements:


For a successful TDL Sprint, the following requirements have to be fulfilled:

⁄ Initial version of „CAVE API“ present (CRYPTAS)

⁄ Initial version of „Application Container“ present (NEC)

⁄ Fully functional microSD / NFC smartcards (CRYPTAS)

⁄ Provision of MDM server backend

⁄ Interested end users need to be contacted

⁄ Adaptation of smartcard OS / software (CRYPTAS)

⁄ Adaptation of Application Container (NEC)