Secure Element Access from a Web Browser
W3C Workshop on Authentication, Hardware Tokens and Beyond
JAVARY Bruno
Oberthur Technologies – Identity BU
11 September 2014
Agenda
• 01. INTRODUCTION
• 02. EXISTING : WHAT ARE THE DRAWBACKS
• 03. USE CASE : PIV
• 04. PERSPECTIVE AND PROPOSAL
History : OT experience
• June 20th 2013, London, Workshop on Web Applications and Secure Hardware
• July 2013 : for eSE finalist
• October 15th 2013, Oberthur Technologies joins FIDO Alliance
• OT founding member of SIA
• November 2013 : Presentation of PIV for eSE on OT booth demonstrating eServices. “my voice is my password” winner in the Trusted internet / Authentication category
• February 24-27th 2013, Barcelona, GSMA Mobile World Congress : 1st worldwide demonstration of a FIDO authentication secured by the SIM
• March 2014 : Mobile ID study starts with a dedicated workforce, with the objective : “Smartcard Access from Web Browser”
• Summer 2014, W3C call for papers, submission of a position paper presenting the result of the internal study
POSITION SUMMARY
• To enable common access for every single user to trusted services backed by a secure element, the best candidate is the web browser
• Consequently, HTML and JavaScript will be the standard way to access a secure element
• Many examples already exist of web access to hardware
o Video, webcam, geolocation, file system
o Thanks to evolutions of standards
POSITION SUMMARY
Several topics are to be considered
• Authentication :
o For payment / Internet banking / corporate network access / social media
o FIDO is an answer
• Access to cryptographic operations : « Secure Operations Execution »
o Web Crypto API
o Issue : define use cases exhaustively
• Low level access to the secure element or hardware token
o Access as close as possible to the hardware
o Close to SysApps considerations
EXISTING
Middleware
• Software application that extends the capabilities of our computer applications by creating an abstraction layer
• Implements standards
• Good solution for local use : it provides secure features built on standards in a controlled IT configuration. However it can’t be used as an online solution or on an open device.
Web browser extension
• Program integrated into a web browser which provides new features
• Can be : plug-in, Java applet, ActiveX
• The only solution right now, but with many drawbacks :
o Heterogeneity of methods to access the smart card
o Security
EXISTING
Mobility
• Most of the APIs are proprietary (eg OT Micro SD)
• There are some promising technologies
o NFC
o Open Mobile API
• These communication layers remain low level
• Middleware and web browser extensions do not fit in a mobile environment
PIV - PERSONAL IDENTITY VERIFICATION
Definition
• A US federal employee or contractor carries a PIV card defined by the National Institute of Standards and Technology (NIST).
• The card is required to enter a governmental building and to log on to computers (Physical and Logical Access Control).
• The federal employee can also sign emails or documents and authenticate to remote web sites over HTTPS.
Limitations
• File decryption or signing must be done locally. In a world of cloud computing and “Software as a Service” this is a real inconvenience.
• The agent must have an already configured PC or be granted specific rights, which prevents using devices “on the go” or “away from office” (in a hotel, an airport, at home).
• To use a smartphone or a tablet, specific software and hardware (card reader) have to be set up.
PROMOTE A STANDARDIZATION
Position
• As a solution provider, we would like to push the standardization of a JavaScript API which allows a web browser to communicate with a smart card
• The objective is to open trusted services backed by a secure element to the mainstream market
• In order to be implemented in all browsers and to ensure its reliability, the API should be endorsed by W3C.
Secure Element API
• This API is complete and well documented. It presents in detail the technical background and use cases and gives good visibility of Security, Permissions, Access Control and Conformance
• Security is at the heart of OT’s concerns; the proposed solution combines validation of the feature by the user and a specific access control mechanism
• The underlying idea is to offer trusted access to a secure element from a service provider while preventing unauthorized use.
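The two safeguards named above (validation by the user and an access control mechanism) and the "low level access" topic of the position summary are illustrated by the following added example. It is not code from the slides or from Oberthur Technologies' Secure Element API draft: it is a minimal, self-contained model of the gate a browser would have to place in front of a smart card channel before forwarding a command APDU. The rule structure, the function names, the sample origin and the permitted-instruction list are assumptions made for this illustration; the PIV card application AID is the one published by NIST in SP 800-73, and the APDU layout follows ISO/IEC 7816-4.

```javascript
// Added example: a browser-side gate in front of a secure element channel.
// Access is granted only when (1) the user has validated the feature and
// (2) an access rule exists for the requesting web origin and the target
// applet (AID), and (3) the instruction is one that rule permits.
// Rule shape, origin and permitted instructions are constructed sample data.

// PIV card application AID as published by NIST (SP 800-73).
const PIV_AID = [0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00];

// Constructed access rules: which origin may talk to which applet, and with
// which ISO 7816-4 instructions (0xA4 SELECT, 0xCB GET DATA, 0x87 GENERAL AUTHENTICATE).
const ACCESS_RULES = [
  { origin: "https://portal.example.gov", aid: PIV_AID, allowedIns: [0xA4, 0xCB, 0x87] },
];

// Encode a short-length command APDU: CLA INS P1 P2 [Lc Data] [Le].
function buildApdu({ cla, ins, p1, p2, data = [], le = null }) {
  if (data.length > 255) throw new RangeError("short-length APDU data exceeds 255 bytes");
  const apdu = [cla, ins, p1, p2];
  if (data.length > 0) apdu.push(data.length, ...data); // Lc followed by the data field
  if (le !== null) apdu.push(le & 0xFF);                // Le; 0x00 means "up to 256 bytes"
  return Uint8Array.from(apdu);
}

// Byte-for-byte AID comparison.
function sameAid(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

// The gate itself. Returns { allowed, reason } so callers can log denials.
function authorizeTransmit({ origin, aid, userConsented }, apdu) {
  if (!userConsented) return { allowed: false, reason: "user did not validate access" };
  const rule = ACCESS_RULES.find((r) => r.origin === origin && sameAid(r.aid, aid));
  if (!rule) return { allowed: false, reason: "no access rule for origin/AID" };
  const ins = apdu[1];
  if (!rule.allowedIns.includes(ins)) {
    return { allowed: false, reason: `INS 0x${ins.toString(16)} not permitted by rule` };
  }
  return { allowed: true, reason: "ok" };
}

// Split a response APDU into its data field and status word (SW1 SW2).
function parseResponse(resp) {
  if (resp.length < 2) throw new RangeError("response shorter than a status word");
  const sw = (resp[resp.length - 2] << 8) | resp[resp.length - 1];
  return { data: resp.slice(0, resp.length - 2), sw, ok: sw === 0x9000 };
}

// Stand-alone walk-through: a consented page selects the PIV applet, an
// unconsented one is refused before any byte reaches the card.
function demoSelectPiv() {
  const select = buildApdu({ cla: 0x00, ins: 0xA4, p1: 0x04, p2: 0x00, data: PIV_AID, le: 0x00 });
  const granted = authorizeTransmit(
    { origin: "https://portal.example.gov", aid: PIV_AID, userConsented: true }, select);
  const refused = authorizeTransmit(
    { origin: "https://portal.example.gov", aid: PIV_AID, userConsented: false }, select);
  return { selectLength: select.length, granted: granted.allowed, refused: refused.allowed };
}
```

The decision is taken on the command before it is transmitted, so a page that has no rule for the applet, or one whose user declined the prompt, never reaches the card at all; the status-word parser is what the page would use on whatever the card returns once a command has passed the gate.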
PERSPECTIVE
Action Plan
Let’s follow, jointly with all companies and associations sharing the same opinion and interest, the action plan below:
• Identify a charter to carry the project
• Define use cases and, for each of them, demonstrate the impact and validate the consistency of the current proposal.
• Meet all stakeholders interested in the subject, understand each of their interests and create a common basis of communication and strategy
• Establish interactions with other standardizations (eg Open Mobile API)
• Gather work forces to create a proof of concept and adapt it to use case examples (eg eServices)
Thank you for your attention