Mobile Provided Identity Authentication on the Web (PowerPoint presentation)


SLIDE 1

Mobile Provided Identity Authentication on the Web

by Jonas Högberg, Ericsson

for W3C's Workshop on Identity in the Browser, 24-25 May 2011, Mountain View, CA, USA

SLIDE 2

Ericsson Internal | 2011-05-23 | Page 2

› SSO with OpenID

– OpenID is becoming the framework of choice for Identity Management in web-based services. Many well-known service providers support OpenID.
– OpenID is therefore of interest to telecoms operators, enabling them to offer Single Sign-On (SSO) to their users for a wide range of applications.
– Operators are particularly interested in leveraging their subscriber databases and SIM credentials (via GBA) for providing OpenID-based SSO to their users.

SLIDE 3

› OpenID – Quick Recap

Parties: End-User, User-Agent (browser), Relying Party (RP: an appstore, an OAuth authorization server, or some other service provider), OpenID Provider (OP).

1) Login: the End-User logs in at the RP
2) Discover OpenID Provider: the RP discovers the user's OP
3) HTTP Redirect: the RP redirects the browser to the OP
4) User authenticates to the OP (out of scope of OpenID)
5) HTTP Redirect: the OP redirects the browser back to the RP, carrying the user identity and a signature
6) Verify signature: the RP verifies the signature

OpenID intentionally leaves the authentication protocol between client and OP unspecified (step 4).
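Step 6 of the recap, the RP verifying the OP's signed redirect (the signaling slide later shows the same thing as steps 3, 10 and 11), as an added worked example; this is not code from the slides or from Ericsson. It implements the OpenID Authentication 2.0 signature, an HMAC over the Key-Value Form of the openid.signed fields under the key agreed at association time, on both sides: the OP builds the positive assertion and the RP checks it. Besides the MAC itself, the RP performs the checks a reviewer would look for: that op_endpoint is the one discovered in step 2, that return_to is its own, that the association handle is known, that every required field is covered by the signature, and that response_nonce is fresh and has not been seen before. The endpoints other than op.operator.com and rp.com, the association handle and the user identifiers are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed example values: only op.operator.com and rp.com appear on the slides.
OPENID_NS = "http://specs.openid.net/auth/2.0"
OP_ENDPOINT = "https://op.operator.com/openid"
RP_RETURN_TO = "https://rp.com/openid/return"
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
NONCE_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"                    # the nonce starts with a UTC timestamp

def kv_form(msg, signed_keys):
    """OpenID 2.0 Key-Value Form of the signed fields, in openid.signed order (section 4.1.1)."""
    return "".join(f"{k}:{msg['openid.' + k]}\n" for k in signed_keys).encode()

def openid_sign(msg, mac_key, assoc_type="HMAC-SHA256"):
    """openid.sig = base64(HMAC(mac_key, kv_form(signed fields))) (section 6.2)."""
    digestmod = hashlib.sha256 if assoc_type == "HMAC-SHA256" else hashlib.sha1
    mac = hmac.new(mac_key, kv_form(msg, msg["openid.signed"].split(",")), digestmod).digest()
    return base64.b64encode(mac).decode()

class OpenIDProvider:
    """Step 5: after authenticating the user (step 4, out of scope here) redirect back with a signed assertion."""
    def __init__(self, assoc_handle, mac_key):
        self.assoc_handle, self.mac_key = assoc_handle, mac_key

    def positive_assertion(self, claimed_id, now=None):
        now = now or datetime.now(timezone.utc)
        msg = {
            "openid.ns": OPENID_NS,
            "openid.mode": "id_res",
            "openid.op_endpoint": OP_ENDPOINT,
            "openid.claimed_id": claimed_id,
            "openid.identity": claimed_id,
            "openid.return_to": RP_RETURN_TO,
            "openid.response_nonce": now.strftime(NONCE_TS_FORMAT) + secrets.token_urlsafe(6),
            "openid.assoc_handle": self.assoc_handle,
            "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity",
        }
        msg["openid.sig"] = openid_sign(msg, self.mac_key)
        return msg

class RelyingParty:
    """Step 6: check the assertion against the MAC key agreed at association time."""
    def __init__(self, discovered_op_endpoint, assoc_handle, mac_key, max_skew=timedelta(minutes=5)):
        self.op_endpoint, self.assoc_handle, self.mac_key = discovered_op_endpoint, assoc_handle, mac_key
        self.max_skew, self.seen_nonces = max_skew, set()

    def verify(self, msg, now=None):
        """Returns (True, claimed_id) or (False, reason). Order: binding checks, signature, then freshness."""
        now = now or datetime.now(timezone.utc)
        if msg.get("openid.ns") != OPENID_NS or msg.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        if msg.get("openid.op_endpoint") != self.op_endpoint:      # must be the OP found in step 2
            return False, "op_endpoint does not match discovery"
        if msg.get("openid.return_to") != RP_RETURN_TO:           # must be where this response arrived
            return False, "return_to mismatch"
        if msg.get("openid.assoc_handle") != self.assoc_handle:
            return False, "unknown association"
        signed = msg.get("openid.signed", "").split(",")
        if not REQUIRED_SIGNED <= set(signed) or any("openid." + k not in msg for k in signed):
            return False, "required field not covered by signature"
        if not hmac.compare_digest(openid_sign(msg, self.mac_key), msg.get("openid.sig", "")):
            return False, "bad signature"
        nonce = msg["openid.response_nonce"]                       # replay protection (section 11.3)
        try:
            ts = datetime.strptime(nonce[:20], NONCE_TS_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed nonce"
        if abs(now - ts) > self.max_skew or nonce in self.seen_nonces:
            return False, "stale or replayed nonce"
        self.seen_nonces.add(nonce)
        return True, msg["openid.claimed_id"]

def demo():
    """Accept and reject cases; returns {case: (ok, detail)}."""
    mac_key = secrets.token_bytes(32)                              # established at association time
    op, alice = OpenIDProvider("assoc-1", mac_key), "https://op.operator.com/id/alice"
    rp = RelyingParty(OP_ENDPOINT, "assoc-1", mac_key)
    good = op.positive_assertion(alice)
    results = {"valid": rp.verify(good), "replay": rp.verify(good)}
    tampered = op.positive_assertion(alice)
    tampered["openid.identity"] = "https://op.operator.com/id/bob"   # body changed after signing
    results["tampered"] = rp.verify(tampered)
    results["stale"] = rp.verify(op.positive_assertion(alice, now=datetime(2011, 5, 24, tzinfo=timezone.utc)))
    results["wrong_op"] = RelyingParty("https://evil.example/openid", "assoc-1", mac_key).verify(good)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The ordering in `verify` is deliberate: the binding checks run first because a valid signature from the wrong OP is still a valid signature, and the nonce is recorded only after the MAC passes, so an unsigned replay cannot burn a legitimate response's nonce. The MAC key stands in for the key agreed in the association step; an RP that has no association would instead send the assertion back to the OP for direct verification (OpenID's check_authentication mode).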

SLIDE 4

› OpenID and GBA Inter-working

– OpenID intentionally leaves the authentication protocol between client and the OpenID Provider (OP) unspecified.
– It is possible to use GBA (Generic Bootstrapping Architecture) for client authentication.
– The inter-working of OpenID and GBA is specified in 3GPP TS 33.924.
– Basically, the OP assumes the role of a NAF (Network Application Function) and the client authenticates using HTTP Digest with the B-TID as username and Ks_NAF as password.

SLIDE 5

› Combined Architecture of OpenID and GBA

Diagram, GBA part (within the Operator):
– SIM (IMSI, K) in the UE <-- Ub --> BSF
– BSF <-- Zh --> HSS (IMSI, K)
– BSF <-- Zn --> OpenID Provider OP (NAF)
– UE <-- HTTP (Ua) --> OP (NAF); the OP is hosted by the Operator or WAC

Diagram, OpenID part:
– UE <-- HTTP --> Relying Party (Operator, WAC, or outside party)

SLIDE 6

› Benefits

– OpenID serves as a bridge between the Telco world (AKA, GBA, Diameter, etc.) and the web world
– Easy for the service provider (relying party) to integrate with the OpenID provider
– The combination with GBA gives high security and a seamless user experience
– Based on industry standards:
  › GBA specified in 3GPP TS 33.220
  › GBA and OpenID inter-working specified in 3GPP TS 33.924
  › OpenID specified by the OpenID Foundation (OIDF)
– The service provider could be the Operator, WAC, or, perhaps most interesting, an outside party

SLIDE 7

› OpenID and GBA inter-working use case: logging on to a service that is not provided by the operator/carrier

(Figure: a SIM-equipped device reaches a Mobile TV service over the Internet.)

SLIDE 8

› Open Issues:

– The browser must be GBA enabled: how can we add this functionality? Plug-in? Passing of cookies?
– How does the Relying Party (i.e. service provider) discover the OpenID Provider?
  › If the OpenID provider is hosted by the Operator:
    • Use an extra HTTP header with an operator ID (MNC + MCC)
    • User selects his operator from a list
    • User enters the URL of the OpenID provider
– Terminal support for GBA

SLIDE 9

SLIDE 10

› Simple Network Architecture for GBA

SLIDE 11

› Simple OpenID Network Architecture

SLIDE 12

› Combined OpenID and GBA Network Architecture

SLIDE 13

› Signaling:

Parties: UE, RP, OP (NAF), BSF.

1) Login (UE to RP)
2) Discover OP
3) (optional) A security association is established between OP and RP
4) HTTP 302 Redirect to https://op.operator.com
5) HTTP 401 Unauthorized, realm="3GPP-bootstrapping@op.operator.com"
6) If no valid Ks is available within the UE, bootstrapping is performed with the BSF [details are omitted]
7) HTTP GET (username = B-TID, digest)
8) OP looks up Ks_NAF using the B-TID (from the BSF over Zn) and verifies the digest
9) Possibly further interaction
10) HTTP 302 Redirect to https://rp.com (identifier, signature)
11) Verify signature
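Steps 5 to 8 of the signaling above, which is the Ua authentication slide 4 describes (HTTP Digest with the B-TID as username and Ks_NAF as password), as an added worked example; this is not code from the slides or from Ericsson. It simulates the three parties in Python: the BSF holds the bootstrapped Ks (the Ub run of step 6 is replaced by drawing random key material), the OP acting as NAF issues the 401 challenge with the 3GPP-bootstrapping realm, the UE derives Ks_NAF for the NAF named in that realm and answers with an RFC 2617 Digest using the B-TID as username and the base64-encoded Ks_NAF as password, and the OP fetches Ks_NAF over Zn by B-TID and recomputes the digest. The key derivation follows the TS 33.220 Annex B construction as this example reads it (HMAC-SHA-256 over FC || P0 || L0 || ... with FC = 0x01); the BSF domain, the IMPI, the Ua security protocol identifier bytes and every name other than op.operator.com and the realm string are assumptions. It also runs the two negative cases a reviewer would ask about: a replayed response against an already-consumed nonce, and a key legitimately fetched by another NAF being presented at the OP.

```python
import base64
import hashlib
import hmac
import os
import secrets

NAF_FQDN = "op.operator.com"
REALM_PREFIX = "3GPP-bootstrapping@"
BSF_DOMAIN = "bsf.operator.com"                                        # assumption
IMPI = "234150999999999@ims.mnc015.mcc234.3gppnetwork.org"             # assumption
# Ua security protocol identifier appended to the FQDN to form NAF_Id (TS 33.220 Annex H);
# placeholder bytes, take the identifier TS 33.924 mandates before testing against real equipment.
UA_PROTO_ID = bytes.fromhex("0100000002")

def gba_kdf(key, *params):
    """TS 33.220 Annex B KDF as read here: HMAC-SHA-256 over FC || P0 || L0 || ... || Pn || Ln, FC = 0x01."""
    s = b"\x01" + b"".join(p + len(p).to_bytes(2, "big") for p in params)   # Li: 2-byte length of Pi
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_ks_naf(ks, rand, impi, naf_fqdn):
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id); NAF_Id = FQDN || Ua protocol id, so keys differ per NAF."""
    return gba_kdf(ks, b"gba-me", rand, impi.encode(), naf_fqdn.encode() + UA_PROTO_ID)

def digest_response(username, password, realm, nonce, cnonce, nc, method, uri):
    """RFC 2617 Digest response with qop=auth."""
    def md5hex(text):
        return hashlib.md5(text.encode()).hexdigest()
    ha1, ha2 = md5hex(f"{username}:{realm}:{password}"), md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def build_authorization(username, password, realm, nonce, method="GET", uri="/openid/auth"):
    """Fields of the Authorization header on the step 7 HTTP GET."""
    cnonce, nc = secrets.token_hex(8), "00000001"
    return {"username": username, "realm": realm, "nonce": nonce, "cnonce": cnonce, "nc": nc,
            "method": method, "uri": uri,
            "response": digest_response(username, password, realm, nonce, cnonce, nc, method, uri)}

def ue_answer(session, realm, nonce):
    """Step 7 on the UE: username = B-TID, password = base64(Ks_NAF) for the NAF named in the realm."""
    btid, ks, rand, impi = session
    if not realm.startswith(REALM_PREFIX):
        raise ValueError("not a GBA challenge")
    ks_naf = derive_ks_naf(ks, rand, impi, realm[len(REALM_PREFIX):])
    return build_authorization(btid, base64.b64encode(ks_naf).decode(), realm, nonce)

class BSF:
    """Bootstrapping Server Function; the Ub run of step 6 is simulated by drawing Ks and RAND."""
    def __init__(self):
        self.sessions = {}                                             # B-TID -> (Ks, RAND, IMPI)

    def bootstrap(self, impi):
        ks, rand = os.urandom(32), os.urandom(16)                      # real GBA: Ks = CK || IK from AKA
        btid = base64.b64encode(rand).decode() + "@" + BSF_DOMAIN      # B-TID = base64(RAND)@BSF domain
        self.sessions[btid] = (ks, rand, impi)
        return btid, ks, rand, impi

    def zn_fetch(self, btid, naf_fqdn):
        """Zn: a NAF presents a B-TID and gets only the Ks_NAF bound to its own FQDN."""
        ks, rand, impi = self.sessions[btid]                           # KeyError: unknown B-TID
        return derive_ks_naf(ks, rand, impi, naf_fqdn)

class OpenIDProviderNAF:
    def __init__(self, bsf, fqdn=NAF_FQDN):
        self.bsf, self.fqdn, self.realm = bsf, fqdn, REALM_PREFIX + fqdn
        self.open_nonces = set()

    def challenge(self):
        """Step 5: HTTP 401 with the 3GPP-bootstrapping realm; each nonce accepts one answer."""
        nonce = secrets.token_hex(16)
        self.open_nonces.add(nonce)
        return {"status": 401, "realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, auth):
        """Step 8: fetch Ks_NAF by B-TID over Zn, recompute the digest, compare in constant time."""
        if auth["realm"] != self.realm or auth["nonce"] not in self.open_nonces:
            return False
        self.open_nonces.discard(auth["nonce"])                       # consumed: a replay fails above
        try:
            ks_naf = self.bsf.zn_fetch(auth["username"], self.fqdn)
        except KeyError:
            return False                                               # unknown B-TID: UE must (re)bootstrap
        password = base64.b64encode(ks_naf).decode()
        expected = digest_response(auth["username"], password, self.realm, auth["nonce"],
                                   auth["cnonce"], auth["nc"], auth["method"], auth["uri"])
        return hmac.compare_digest(expected, auth["response"])

def run_scenarios():
    """Returns (honest, replay, cross_naf); expected (True, False, False)."""
    bsf = BSF()
    op = OpenIDProviderNAF(bsf)
    session = bsf.bootstrap(IMPI)
    ch = op.challenge()
    auth = ue_answer(session, ch["realm"], ch["nonce"])
    honest, replay = op.verify(auth), op.verify(auth)                  # second call reuses the nonce
    # Another NAF (legitimate, as far as the BSF knows) learns the B-TID and its own Ks_NAF over Zn
    # and tries to log in as the subscriber at the OP: the key is bound to its FQDN, so this fails.
    other_key = base64.b64encode(bsf.zn_fetch(session[0], "other-naf.operator.com")).decode()
    cross_naf = op.verify(build_authorization(session[0], other_key, op.realm, op.challenge()["nonce"]))
    return honest, replay, cross_naf

if __name__ == "__main__":
    print(dict(zip(("honest", "replay", "cross_naf"), run_scenarios())))
```

Run it as a script to see the three outcomes. Two caveats the slides leave implicit: Digest authenticates the UE to the OP but not the OP to the UE, so the Ua exchange has to run over server-authenticated TLS (as TS 33.222 requires), otherwise a man in the middle can relay the B-TID and digest to the real OP; and the OP should honour the key lifetime the BSF returns over Zn rather than caching Ks_NAF indefinitely.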