Secure Environment management based on CoAP
Sebastian Hans
[ETSI CoAP workshop]
Sophia Antipolis, November 2012
©2012
@GlobalPlatform_ www.linkedin.com/company/globalplatform

GlobalPlatform reaches 100 Members

Result of Collaboration
[Diagram: GlobalPlatform surrounded by collaborating bodies and sectors: TCG, PCI, EMVCo, SDA, ISO, ETSI/SCP, Contactless Payment, Government, Public Transit]
• GSMA Pay-Buy Mobile
• Mobey Forum
• Payez Mobile
• European Payments Council (EPC)
• StolPan
• ISO SC17/WG4
• ISO TC204/WG 8
• National Institute of Standards and Technology (NIST)
• European Committee for Standardization (CEN)
• NICSS
• IFM project

Collaboration with ETSI
• Started in 1999 with ETSI SCP
  – Liaison statement and joint meetings
• 1999-2004 – First collaborations
  – Collaboration on OTA Application management and security perspective
• 2005-2011 – Strong technical integration
  – Hosting and OTA management of 3rd Party applications
    • Allowing to host non Telecommunication related applications in a UICC
  – NFC and contactless application management
    • End user activation of contactless services
Result: GlobalPlatform UICC configuration with the associated compliance program
• THE market reference for Secure element for the mobile NFC contactless
• endorsed by different organizations such as GSMA, EMVCO, EPC, AEPM, …

What GP has today
• A set of specifications to manage keys and applications in a secure element
  – load, install (multiple instances), delete, personalize
• To establish a secure channel between entities in the secure element and entities outside the secure element
  – based on 3DES, AES, RSA and ECC
• specs are network agnostic
• can manage all kinds of secure environments
  – smartcard, SIM, SD-card, embedded secure element
  – management of Trusted Execution Environments
• to represent multiple service providers in the secure element
  – the concept is called Security Domain
• a conformance process for devices, tools and conformance labs
• a proven technology used in SIM cards, payment and ID cards all over the world

Remote management
• Remote management of SIM/UICC cards based on GP technology (references in ETSI SCP, 3GPP) well established in the market
  – but very specific to the mobile network technology and SIM card technology
  – based on SMS and SIM Toolkit technology
  – typically under the control of the operator
• OTA management over HTTP of SIM cards already deployed in the market
  – but targeting networks with high bandwidth, e.g. UMTS, LTE
• OTA management based on GP technology referenced by ETSI M2M in TS 102 690
  – but is focusing on the SIM/UICC platform

Devices in scope for this work item examples …
• In general all devices hosting at least one Secure Environment
  – UICC
  – smart micro SD for industrial environments
  – built-in Secure Element
  – Trusted Execution Environment
• Gateway
  – The German BSI has produced a specification where they request to have a physical EAL 4+ certified secure token in the Gateway
  – https://www.bsi.bund.de/ContentBSI/Publikationen/TechnischeRichtlinien/tr03109/index_htm.html;jsessionid=801BCBAF4841E42CB80E185B4BB3510D.2_cid241
  – Such a secure element needs to be managed and keys need to be provisioned
• ETSI M2M devices with a Security Environment
  – can be a UICC but can be any other type of secure environment, e.g. SE, TEE

Smart metering use case from ETSI M2M
Smart metering device
  – as described in TR 102 935 (4.2.5), making explicit references to TS 102 241, 225 and 226, which are based on GlobalPlatform mechanisms
  – such devices require isolated applications and secure end-to-end communications between device and service backend

Why are we considering CoAP
• much better for constrained devices like a smartcard chip than HTTP
• ETSI M2M is referencing CoAP in their service architecture
  – integrate the management of the secure environment as a service in the overall service architecture
• ETSI M2M talks about secure environments in their specs
  – SIM is only one possible implementation for the secure environment
  – we want to cover all secure environments, not only SIM cards, that can be deployed in an M2M / IoT environment
• Main focus at the moment is alignment with ETSI M2M service architecture

HTTP based management in GP
• GP has two solutions for HTTP based management of secure environments
  – they will be the starting point for the adaptation to CoAP
  – → mapping the existing HTTP mechanism to CoAP mechanism
• Amendment B
  – based on the OMA Smart Card web server
  – focus on a migration from legacy card management to HTTPS based remote management
    • POST APDU encoded messages to a Security Domain in the card
    • naming is AID based
    • focus on the ISO 7816 and Java Card Classic application model
  – based on TLS_PSK as security
• Network Framework
  – all management commands are encoded in ASN.1 notation
  – naming is based on URIs
  – HTTP is one mechanism to transport GlobalPlatform commands
  – can handle different types of application models and is in general more extendable

Integration with HTTP infrastructure
• GlobalPlatform relies on the network integration of the device or the secure environment
  – today this is done in ETSI SCP, 3GPP, 3GPP2 and OMA SCWS specifications
• For secure environments with no direct network connection hosted in a network device we use
  – Secure Element Remote Application Management
  – It defines an admin agent in the device and reuses the mechanism from Amendment B for the management

Technical stuff that is under discussion
• Data can be cached on the Gateway/Proxy and delivered at a later point in time
  – sleepy devices are not in the scope of GP today
  – group management is not in the scope of GP today
• Gateway communication over HTTP/TLS/TCP with the server, device communication via CoAP/DTLS/UDP
  – mapping of HTTP based management to CoAP based management
  – DTLS as secure mechanism
  – provisioning and management of credentials for DTLS
• CoAP in mobile network architectures
• Web-linking for discovery of GlobalPlatform resources and services in the device

Thank you! Questions?
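Added example, not part of the original slides or of any GlobalPlatform specification: the "POST APDU to an AID-named Security Domain" idea from Amendment B carried in a CoAP message encoded per RFC 7252, next to a minimal HTTP request with the same body, to show the size difference that motivates CoAP on constrained devices. The slides state the HTTP-to-CoAP mapping was still under discussion, so the resource path `/gp/sd/<AID>`, the placeholder AID, the host name and the choice of `application/octet-stream` are assumptions; DTLS and TLS overhead is not modelled.

```python
import struct

# Option numbers, method code and content format as defined in RFC 7252
URI_PATH, CONTENT_FORMAT = 11, 12
POST, CON = 0x02, 0          # code 0.02, confirmable message type
OCTET_STREAM = 42            # Content-Format application/octet-stream

def _nibble(v):
    """Split an option delta/length into its 4-bit field and extension bytes."""
    if v < 13:
        return v, b""
    if v < 269:
        return 13, bytes([v - 13])
    return 14, struct.pack("!H", v - 269)

def encode_options(options):
    """Serialise (number, value) pairs with delta encoding, ordered by number."""
    out, prev = b"", 0
    for number, value in sorted(options, key=lambda o: o[0]):
        d, d_ext = _nibble(number - prev)
        l, l_ext = _nibble(len(value))
        out += bytes([d << 4 | l]) + d_ext + l_ext + value
        prev = number
    return out

def coap_post(path, payload, message_id, token=b""):
    """Confirmable CoAP POST: 4-byte header, token, options, 0xFF marker, payload."""
    header = struct.pack("!BBH", 1 << 6 | CON << 4 | len(token), POST, message_id)
    opts = [(URI_PATH, seg.encode()) for seg in path.strip("/").split("/")]
    opts.append((CONTENT_FORMAT, bytes([OCTET_STREAM])))
    return header + token + encode_options(opts) + b"\xff" + payload

def http_post(host, path, payload):
    """Minimal HTTP/1.1 POST carrying the same body, for size comparison only."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/octet-stream\r\n"
            f"Content-Length: {len(payload)}\r\n\r\n")
    return head.encode() + payload

# Constructed sample: ISO 7816-4 SELECT-by-name APDU for a placeholder AID
AID = bytes.fromhex("F0010203040506")
APDU = bytes([0x00, 0xA4, 0x04, 0x00, len(AID)]) + AID
PATH = "/gp/sd/" + AID.hex().upper()     # hypothetical AID-based resource name

COAP_MSG = coap_post(PATH, APDU, message_id=0x1234, token=b"\x01")
HTTP_MSG = http_post("device.example", PATH, APDU)

if __name__ == "__main__":
    print(len(COAP_MSG), "bytes CoAP vs", len(HTTP_MSG), "bytes HTTP")
```
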