There is strong agreement in the security community that passwords are weak and that new authentication mechanisms are needed. One solution is hardware-based authentication tokens.
With the ultimate goal of moving “beyond passwords” to make the web more secure, W3C arranged the “Web Cryptography Next Steps” Workshop in Silicon Valley, California in September.
The workshop looked at the possibilities of developing and standardizing open and easy-to-use hardware-based authentication mechanisms.
With 4 accepted papers, 2 presentations, and 2 panelists, Ericsson was one of the most active companies in the Workshop. In our contributions, we stressed the need for simple, open, and secure web standards that protect end-user security and privacy not only in the client, but also in transit and when data is stored in the cloud. New authentication standards must also work on mobile browsers just as well as on desktop browsers.
My colleague, Vladimir Katardjiev from Ericsson Research, presented “Cloud Privacy in a Pervasive Monitoring Landscape.” There’s an ongoing transformation towards third-party cloud services for storing and managing information. This has many benefits, for example cost, flexibility, and ease of use. But data aggregated in global data centers is a tempting target both for pervasive surveillance and for active attacks. The market potential for enterprise and government cloud services and web applications is held back by privacy and security concerns. We argue that sensitive data should be protected in such a way that the service provider can access neither keys nor cleartext. In this way, cleartext data is only accessible by the individual or enterprise that protected it in the first place - or someone selectively given authorization to access the data.
The paper I presented was “Use of SIM Card Authentication in the Open Web Platform,” where we emphasize that new web authentication solutions need to work well with mobile browsers. Referring to the Ericsson Mobility Report, I stated that in 2019, the number of mobile subscriptions will reach 9.2 Billion and almost all of them will be mobile broadband subscriptions. This means that the vast majority of browsers will be mobile. In addition, most of them will be used by people in developing countries who cannot be referred to a desktop browser for Internet banking. For many people the mobile phone is not only their first and only computer, but also their first web browser.
Most mobile devices already have a trusted hardware token suitable for authentication – user-friendly and integrated into the phone! The “SIM card” is an ordinary smart card with all the flexibility that implies. The “SIM card” is also well-suited for secure storage and processing of authentication applications such as national eID systems. The “SIM card” enables strong hardware-based mutual authentication between the mobile phone and the operator. Generic Bootstrapping Architecture (GBA) is a technology that enables third-party authentication and authorization providers to reuse this hardware-based authentication so that it can easily be used by web applications.
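To make the GBA reuse concrete, here is an added illustrative model (not code from the paper or from Ericsson) of the key derivation that lets a web service reuse the SIM-based authentication. It follows the structure of 3GPP TS 33.220: after the (U)SIM and the operator’s BSF run AKA, both hold Ks = CK || IK; a web service acting as a NAF never receives Ks, only a service-specific Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id). The byte-level KDF encoding below (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 …) is the author of this example’s reading of Annex B of that specification and should be treated as an assumption; the CK, IK, RAND, IMPI and Ua protocol identifier values are constructed sample data.

```python
import hashlib
import hmac


def gba_kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF in the style of TS 33.220 Annex B (assumed encoding):
    HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 || ...), Li = 2-byte big-endian len(Pi)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks(ck: bytes, ik: bytes) -> bytes:
    """Bootstrapping result shared by phone and BSF: Ks = CK || IK."""
    return ck + ik


def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_fqdn: str, ua_protocol_id: bytes) -> bytes:
    """NAF-specific key; NAF_Id = FQDN || Ua security protocol identifier."""
    naf_id = naf_fqdn.encode() + ua_protocol_id
    return gba_kdf(ks, 0x01, b"gba-me", rand, impi.encode(), naf_id)


def naf_respond(ks_naf: bytes, challenge: bytes) -> bytes:
    """Phone side: prove possession of Ks_NAF to the web service (simplified Ua exchange)."""
    return hmac.new(ks_naf, b"ua-auth|" + challenge, hashlib.sha256).digest()


def naf_verify(ks_naf: bytes, challenge: bytes, response: bytes) -> bool:
    """Web service side: verify with the Ks_NAF it fetched from the BSF."""
    return hmac.compare_digest(naf_respond(ks_naf, challenge), response)


# Constructed sample values, not real subscriber data.
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
RAND = bytes.fromhex("0123456789abcdef0123456789abcdef")
IMPI = "user@example.net"
UA_PROTOCOL_ID = bytes.fromhex("0100000002")  # placeholder Ua protocol identifier (assumption)


def demo() -> dict:
    # Bootstrapping: USIM + phone and the operator's BSF end up with the same Ks.
    ks_phone = derive_ks(CK, IK)
    ks_bsf = derive_ks(CK, IK)

    # Two independent web services (NAFs). Each asks the BSF for its own key;
    # the phone derives the same key locally, so the services never hold Ks.
    bank, shop = "bank.example.com", "shop.example.org"
    key_phone_bank = derive_ks_naf(ks_phone, RAND, IMPI, bank, UA_PROTOCOL_ID)
    key_bsf_bank = derive_ks_naf(ks_bsf, RAND, IMPI, bank, UA_PROTOCOL_ID)
    key_bsf_shop = derive_ks_naf(ks_bsf, RAND, IMPI, shop, UA_PROTOCOL_ID)

    challenge = bytes.fromhex("deadbeefcafef00d")
    response = naf_respond(key_phone_bank, challenge)
    return {
        "phone_and_bsf_agree": key_phone_bank == key_bsf_bank,
        "services_get_distinct_keys": key_bsf_bank != key_bsf_shop,
        "bank_accepts": naf_verify(key_bsf_bank, challenge, response),
        "shop_rejects_bank_response": not naf_verify(key_bsf_shop, challenge, response),
        "no_service_holds_ks": ks_bsf not in (key_bsf_bank, key_bsf_shop),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the model makes is the one the paragraph relies on: the master key from the network authentication stays with the phone and the operator, each web service gets a key that is useless to any other service, and a response captured for one service does not verify at another.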
The “(U)SIM” is just one of many applications that could reside in the SIM card. To not make use of the “SIM card” is a waste of resources. Why not free users of password hassle and let web services enjoy the same high security as access to the mobile network itself? This hardware-based authentication should also be available to web application developers interested in using secure and user-friendly authentication. In my accepted paper, there are more details on the architecture for SIM card authentication.
John Mattsson, Ericsson Research
Here are the names and the synopses of each of the four accepted papers:
-Cloud Privacy in a Pervasive Monitoring Landscape
Abstract: There is an ongoing transformation towards third-party cloud services for storing and managing information. Trust in global cloud services is fundamental for the further development of the internet economy. The market potential for enterprise and government cloud services and web applications is held back by privacy and security concerns. For information security and privacy reasons, W3C should work on general mechanisms where the browser encrypts and decrypts information in such a way that the web application cannot access cleartext data in any way. Cloud services and web applications should be fully trustworthy also in a pervasive monitoring landscape.
-Use of SIM Card Authentication in the Open Web Platform
Abstract: It’s time to move “beyond passwords,” not only for high-value environments such as the financial industry and government, but for all types of web applications. Most mobile devices already have a hardware token suitable for authentication: the SIM card. To not make use of that is a waste. This hardware-based authentication should also be available to web application developers interested in using secure and user-friendly authentication.
Abstract: W3C should strive to make identity and authentication part of the Open Web Platform and standardize developer-friendly interfaces for web application interaction with national eID systems, and integration between different eID systems. It is also important that eID solutions work well on mobile devices and browsers. The Web community has largely made plug-ins for games, audio, video, and real-time communication obsolete. Working on open standards to abolish plug-ins for secure identification and authentication is the logical next step.
Abstract: Trust in TLS and the Web’s PKI is fundamental for the further development of the Internet economy, including e-commerce, Internet banking, and e-governance. Unfortunately, there are several ways to perform impersonation and Man-in-the-Middle attacks on HTTPS. There are some ongoing activities to detect and mitigate such attacks, but this is not enough. In light of the mass-surveillance revelations, W3C and the Internet community should take firm action to detect and mitigate all types of Man-in-the-Middle and impersonation attacks on HTTPS; this includes specifying different APIs for channel binding.