14
White Paper Smart Card Web Server— Merging the SIM and the World Wide Web

SmartCard WEb Server

Embed Size (px)

DESCRIPTION

SmartCard WEb Server

Citation preview

Page 1: SmartCard WEb Server

White Paper

Smart Card Web Server—

Merging the SIM and the

World Wide Web

Page 2: SmartCard WEb Server

- 2 -

Contents

1 Executive Summary .............................................................................. 3

2 Introduction ......................................................................................... 4

3 Use Cases ............................................................................................ 5

4 SCWS Technology Overview................................................................. 8

5 SCWS Standardization ....................................................................... 10

6 SCWS Administration......................................................................... 11

7 Glossary ............................................................................................. 13

8 About Giesecke & Devrient ................................................................ 14

Page 3: SmartCard WEb Server

- 3 -

1 Executive Summary

For 15 years, the SIM card has been an important component in the world of mobile communications. It is unique in taking over the global market as the one exchangeable authentication token in GSM and UMTS networks. In the past few years, the (U)SIM has been enhanced by many more functionalities than simple user authentication. The (U)SIM has evolved to become a central medium for the storage and administration of user data in the provider network. Moreover, the SIM has been enabled to exchange information directly with the mobile phone user and the provider network using additional mechanisms like the Card Application Toolkit (CAT) and Over the Air (OTA) communication.

The next step to improve integration of (U)SIMs in the provider network and mobile equipment is imminent. Giesecke & Devrient’s innovative GalaxSIM® and ProxSIM® product lines support standard Web technologies like HTML (hypertext markup language) pages and HTTP (hypertext transfer protocol).

Interaction among the (U)SIM, end user, and mobile phone network can be significantly enhanced by bringing Internet technologies to the new (U)SIMs offered by Giesecke & Devrient. On the user side, a Web look and feel simplifies information exchange. For example, users browse a phone book or FAQ list based on HTML pages stored directly on the Smart Card Web Server (SCWS) hosted on the (U)SIM. On the provider side, an HTTP-based update mechanism simplifies the exchange of content with previously issued (U)SIMs.

In conjunction with the Internet technology on smart cards, the variety of different data types stored on the (U)SIM and delivered by the SCWS is increasingly considerably. Moreover, the SIM can be responsible for protecting countless data such as music, video clips, purchased ring tones, personal data, and access information for various mobile services. In conjunction with these new technologies, G&D has the following vision:

The (U)SIM will be an Internet-enabled network node seamlessly

integrated into other IP networks. The (U)SIM is the link that

creates confidence among the mobile phone user, the network

operator, and services providers in the operator’s network.

Page 4: SmartCard WEb Server

- 4 -

2 Introduction

The mobile telecommunications industry has recently opened up an interesting level of service for subscribers. Multimedia features in new handsets, such as high resolution displays and the availability of HTTP browsers, in combination with higher network bandwidths have led to new challenges for network operators. Subscribers want a suitable phone and an interesting service portfolio at a reasonable price. To achieve this, an SCWS can offer new services, while the Internet-enabled (U)SIM can secure additional services offered by (Internet) servers on the provider network. Moreover, the bandwidth of the traditional smart card protocol T=0 appears to limit the usability of new IP-based services, and there is a need for a new high-speed protocol between the handset and (U)SIM. The ETSI has selected USB 2.0 Interchip in full speed mode as the future smart card protocol.

The basic functionality of a Web server is the delivery of Web pages using HTTP protocol. This is the same for an SCWS. However, unlike a regular Web server, the SCWS offers two possible bearers as transport protocols for the HTTP protocol. One is the T=0 protocol with a BIP interface layer. The other is a full TCP/IP stack built on top of the USB 2.0 full speed interface.

For legacy reasons, HTTP data, which is exchanged between a mobile phone browser and an SCWS, can be transmitted over the traditional serial smart card interface according ISO/IEC 7816. This enables the BIP (bearer independent protocol) to be used in a special server mode, which can be easily implemented in the mobile phone firmware.

Page 5: SmartCard WEb Server

- 5 -

In the future, BIP will increasingly be replaced by handsets using a broadband full speed USB interface for transferring HTTP data over a TCP/IP stack implemented in the smart card. But the new high-speed interface will also entail a change in the mobile phone hardware. Therefore it will take some time until mobile phones supporting USB are available.

3 Use Cases

The SCWS is the first step in integrating (U)SIMs as network nodes in the mobile phone provider’s IP network. The following use cases outline the path toward new user and network interaction of smart cards on the basis of an SCWS. For some use cases, BIP is sufficient; other use cases will need a high-speed connection and a full TCP/IP stack on the (U)SIM.

The Next Step in User Interaction beyond SAT

An SCWS can replace user interaction based on the SIM Application Toolkit (SAT) and offer the mobile phone user a Web-based look and feel. In addition to the enhanced user experience, HTML pages offer the possibility to distinguish between pure data and the data layout. This differentiation is an advantage that limits the bandwidth for transferring complex information from the (U)SIM to the handset and offers the opportunity to create a dialog between the user and (U)SIM. Even the slower BIP connection of the SCWS is sufficient for this use case.

Page 6: SmartCard WEb Server

- 6 -

Use case: Java™ Applet Phonebook

The use case described above is the basis for a phonebook based on HTML pages served by the (U)SIM. Giesecke & Devrient has already implemented this phonebook in a Java™ applet. Custom-tailored (U)SIMs with sufficient memory are the ideal platform for phonebook applets, which can replace a multimedia phonebook in mobile phones. A Java™ applet allows storage of a variety of phonebook data such as several phone numbers, address, and e-mail address. Since the phonebook applet is located on the (U)SIM card, it can be used by any 2G or 3G mobile phone. The user interface comes with the applet and is therefore completely independent of different mobile phone types and manufacturers. The phonebook applet can be customized and thus tailored for specific needs. Another strength is that the phonebook applet is supplied as a bundle that includes a phonebook management tool for the customer. The phonebook management tool allows easy synchronization with 3rd party address databases such as Lotus Notes® and MS Outlook™.

Use case: User Interface for Payment and Ticketing Applications

Mobile phone ticketing and payment is on its way to being a widely demonstrated and accepted technology. The (U)SIM can currently play the role of a security module authorizing electronic transactions, but user interaction in ticketing or payment scenarios is currently based on GUIs provided by the handset. An SCWS offers the opportunity to implement the whole ticketing or payment application, including user interaction, on a (U)SIM. This increases the security because the GUI is generated directly on the (U)SIM, while the deployment and administration of contactless applications can be simplified. An SCWS is the basis for offering all functionalities necessary for the eTicketing/ePayment user front end on a (U)SIM. Moreover, the few interfaces to the handset are highly standardized and ensure interoperability between different handsets.

Page 7: SmartCard WEb Server

- 7 -

Use case: Security Proxy and Authentication Gateway

In future use case scenarios, the SCWS can play the role of an HTTP proxy with HTTP client functionality. This gives the (U)SIM the opportunity to offer the functionality of an authentication gateway to an Internet portal. Banking transactions and other security-critical operations such as user authentications can be authorized by the (U)SIM over the HTTP(S) connection to the Internet portal. In this use case scenario, the SCWS provides the user interface to the handset’s browser, which displays the HTML pages tunneled over the security proxy on the (U)SIM. This use case needs a certain bandwidth because two or even more HTTP connections have to be opened simultaneously. Therefore a USB interface is recommended.

Use case: Support of Other Types of Internet Application Level Protocols

SCWS refers primarily to the application level protocol HTTP, but a full TCP/IP stack on a (U)SIM offers the bandwidth to implement other application level protocols such as SOAP or SIP. Moreover, the HTTP binding for the SOAP protocol offers the opportunity to implement Web services on the smart card, in a Java™ applet for example. The SIP (Session Initiation Protocol) is responsible for opening realtime connections on the Internet. A fully Internet-enabled (U)SIM can implement this protocol to trigger multimedia data transmissions such as voice over IP connections controlled by the network operator.

Page 8: SmartCard WEb Server

- 8 -

4 SCWS Technology Overview

The central link between a Web-enabled (U)SIM and the Internet is the routing functionality of the mobile equipment (ME). The ME is the gateway that connects the (U)SIM to the operator network and the Internet. This routing functionality can vary depending on the protocol used for (U)SIM communication.

In the case of a BIP interface, the router in the ME only has to redirect certain HTTP requests from the ME browser to the local available SCWS. HTTP requests on a certain TCP port are sent to the SCWS on the (U)SIM, and the HTML page in the response is generated by the SCWS. HTTP requests not using the TCP port dedicated to BIP are directed to a server on the Internet.

Routing is different when the USB protocol is used in combination with a full TCP/IP stack on the (U)SIM. In this case, the ME has the same IP gateway functionality as other computers connecting an intranet to the Internet. The ME gateway also depends on the IP protocol version used, i.e. IPv4 or IPv6. In comparison to BIP, the full TCP/IP stack also offers the possibility to route requests from the (U)SIM to the Internet, which is the basis for the security gateway use case.

Page 9: SmartCard WEb Server

- 9 -

The SCWS can send out static or dynamic HTML pages.

Static HTML pages are never modified and are sent out in the same format as stored in the NVM (non-volatile memory) of the (U)SIM.

Dynamic HTML pages are generated according the incoming HTTP request by an application running on the smart card. For the SCWS, this application is a Java™ applet that interacts with the SCWS over a dedicated API specified in ETSI TS 102 588. This API allows the Java™ applet to receive an HTTP request and to send out the dynamically generated HTML page. This dynamic behavior can be enhanced by an XML processor for Web services on the (U)SIM. In this case, the XML output formatted by the Java™ applet is transmitted with the HTTP response.

Page 10: SmartCard WEb Server

- 10 -

5 SCWS Standardization

The topic of Internet-enabled smart cards and SCWS has been treated by several standardization bodies.

OMA SCWS Specification

The Open Mobile Alliance (OMA) specification defines the external interfaces of an HTTP server in a smart card (i.e. smart card Web server), which is embedded in a (U)SIM. These interfaces cover the following aspects:

The URL for accessing the Smart Card Web Server (SCWS)

The possible bearers used for the HTTP protocol

The HTTP profile that the Smart Card Web Server needs to implement

A secure remote administration protocol for the Smart Card Web Server

User, or principal, authentication with the Smart Card Web Server and related security protocols

ETSI Specifications

The work of the ETSI is mainly dedicated to the transfer protocols that can be used by the SCWS to enable communication between HTTP applications on the mobile device and the Smart Card Web Server. BIP has already been completely standardized in TS 102 223, and the USB Ethernet Emulation Model in conjunction with a full TCP/IP stack is currently being finalized by the ETSI. The Java programming interface required for the Java™ applet providing dynamic content is described in ETSI specification TS 102 588.

Page 11: SmartCard WEb Server

- 11 -

6 SCWS Administration

OMA standardization has specified a special administrative protocol. The aim of this protocol is the ability to upload new data (e.g. xHTML pages), delete data, and change configuration parameters for the SCWS. Commands are sent using the OMA admin protocol and are divided into single administrative commands, such as installing or deleting a HTML page, and special admin commands, such as defining access control parameters. The OMA admin protocol can use three different bearers:

Lightweight admin protocol over the bearer SMS

The lightweight administration protocol can be used for sending short administration commands for setting or changing a small number of configuration parameters for the SCWS. It is suitable for the exchange of a small amount of data between the administration application and the SCWS. Nevertheless it supports the same command set as the full admin protocol.

Full admin protocol over BIP or TCP/IP

The full administration protocol is suitable for the exchange of a large amount of data between the administration application and the SCWS. The full administration protocol can also be used for securely exchanging or updating data with the Java™ applet registered to the SCWS via the ETSI API. This may be useful for securely updating data used by these applications or for securely retrieving data from them. The full administration protocol enables the use of a standard Web server as the remote administration server implementation. The full administration protocol (and its card administration agent) has the following characteristics:

End-to-end security is based on the standard Internet security layer SSL/TLS

A special administration agent on the (U)SIM is a real HTTP client and manages the connection establishment between the remote administration server and the SCWS.

The card administration agent is able to encapsulate and transparently transport any HTTP exchange between the two servers, i.e. the SCWS and admin server.

The card administration agent is responsible for retry and reconnection management in the event of a communication breakdown.

The card administration agent can be triggered either by external events (e.g. SMS) or by internal events (generated internally by the card) for initializing a connection to the remote administration server.

Page 12: SmartCard WEb Server

- 12 -

Page 13: SmartCard WEb Server

- 13 -

7 Glossary

API Application Programming Interface

BIP Bearer Independent Protocol

ETSI European Telecommunications Standards Institute

HTTP Hyper Text Transfer Protocol

HTML Hyper Text Markup Language

ICC Integrated Circuit Card

IP Internet Protocol

GUI Graphical User Interface

NFC Near Field Communication

NVM Non Volatile Memory

OMA Open Mobile Alliance

SAT SIM Application Toolkit

SCWS Smart Card Web Server

SIM Subscriber Identity Module

SIP Session Initiation Protocol

SMS Short Message Service

SOAP Simple Object Access Protocol

SSL Secure Socket Layer

TCP Transmission Control Protocol

TLS Transport Layer Security

UMTS Universal Mobile Telephone System

(U)SIM Universal SIM

USB Universal Serial Bus

XML Extended Markup Language

Page 14: SmartCard WEb Server

- 14 -

8 About Giesecke & Devrient

Giesecke & Devrient (G&D) is a globally operating technology group. Established in 1852, the company initially specialized in banknote and security printing, later adding automatic currency processing equipment to its product portfolio. Today, G&D is also a leading supplier of smart cards and cutting-edge system solutions in the fields of mobile communications, electronic payment technology, health care, identification, transportation, and IT security (PKI).

The G&D Group, based in Munich, Germany, comprises 52 subsidiaries and joint ventures throughout the world, employing 8,300 people.

As a leading manufacturer of (U)SIM cards for 2G and 3G networks, G&D provides operators with (U)SIM-based solutions for smooth migration from 2G to 3G, with OTA server solutions and service hosting, and with logistics services. With its (U)SIM card products and services, G&D offers tailor-made packages from a single source: from (U)SIM lifecycle management and cost-effective (U)SIM ordering and production processes to the complete development and deployment of mobile services.

The Giesecke & Devrient Group has a strong international orientation. Group companies and joint ventures operate in Germany, Argentina, Australia, Bahrain, Belgium, Brazil, Canada, China, Egypt, Greece, Great Britain, Hong Kong, India, Italy, Japan, Luxembourg, Malaysia, Mexico, Morocco, Nigeria, Portugal, Russia, Singapore, Slovakia, Spain, South Africa, South Korea, Sri Lanka, Taiwan, Turkey, the United Arab Emirates, and the United States.

Security and competence are the international high-tech group’s core concepts. Its customer-focused products, systems, and services make G&D a reliable partner for any organization needing to solve complex problems in security-related fields.

For more information about the subject of this white paper, please contact

[email protected]

Giesecke & Devrient GmbH Prinzregentenstrasse 159 P.O. Box 80 07 29 81607 Munich GERMANY Phone: +49 (0)89 41 19 - 15 43 Fax: +49 (0)89 41 19 – 15 40 www.gi-de.com/telecom [email protected] © Giesecke & Devrient GmbH, 2007. GalaxSIM®, ProxSIM® are registered trademarks of Giesecke & Devrient GmbH. Java™ is a registered trademark of Sun Microsystems, Inc. Lotus Notes® is a registered trademark of IBM Corp. Outlook® is a registered trademark of Microsoft Corporation in the United States and/or other countries. Technical data subject to modification. G&D patents.


Smartcard Login for NASA Web Applications (Launchpad) Smartcard Login for... · Certs should be dynamic and the keychain updated automatically when smartcard is removed. To ensure

Smartcard Login for NASA Web Applications (Launchpad) Smartcard Login for... · Certs should be dynamic and the keychain updated automatically when smartcard is removed. To ensure

Documents
© UCL Crypto group – October 2004 – DIMACS - Smart Theory Meets Smartcard Practice Smart Theory Meets Smartcard Practice Smart Theory Meets Smartcard Practice

© UCL Crypto group – October 2004 – DIMACS - Smart Theory Meets Smartcard Practice Smart Theory Meets Smartcard Practice Smart Theory Meets Smartcard Practice

Documents
Smartcard interface based on STM32Cube firmware · Smartcard reader hardware connection AN4800 10/42 DocID028755 Rev 1 3 Smartcard reader hardware connection To interface to the Smartcard,

Smartcard interface based on STM32Cube firmware · Smartcard reader hardware connection AN4800 10/42 DocID028755 Rev 1 3 Smartcard reader hardware connection To interface to the Smartcard,

Documents
iGuard™ Biometrics Fingerprint / PIN / Smartcard based Flyer.pdfBiometrics Fingerprint / PIN / Smartcard based Time Attendance and Access Control System with Web based Software iGuard™

iGuard™ Biometrics Fingerprint / PIN / Smartcard based Flyer.pdfBiometrics Fingerprint / PIN / Smartcard based Time Attendance and Access Control System with Web based Software iGuard™

Documents
Registration Authority Policy for Smartcard Access to ... · Registration Authority Policy for Smartcard Access to National Programme ... Ratiel Gapa 2 RA policy has ... Smartcard

Registration Authority Policy for Smartcard Access to ... · Registration Authority Policy for Smartcard Access to National Programme ... Ratiel Gapa 2 RA policy has ... Smartcard

Documents
Presentacion smartcard- Shayuri ccapa

Presentacion smartcard- Shayuri ccapa

Technology
Remote smartcard registration – emergency guidance · Web viewMaggie Kelly Head of RA Service NEL RA Service Appendix 1 Remote smartcard registration – emergency guidance Guidance

Remote smartcard registration – emergency guidance · Web viewMaggie Kelly Head of RA Service NEL RA Service Appendix 1 Remote smartcard registration – emergency guidance Guidance

Documents
Smartcard lecture #5

Smartcard lecture #5

Education
Smartcard Document

Smartcard Document

Documents
Smartcard Logon

Smartcard Logon

Documents
SmartCard lab - KTH

SmartCard lab - KTH

Documents
The Smartcard Focus Myth-busting Guide to Smartcard Logon · The server infrastructure can be on-premise or in the cloud, but you will need a full Windows Server running somewhere

The Smartcard Focus Myth-busting Guide to Smartcard Logon · The server infrastructure can be on-premise or in the cloud, but you will need a full Windows Server running somewhere

Documents
Security of National eID (smartcard-based) Web Applications

Security of National eID (smartcard-based) Web Applications

Documents
Sentinel smartcard PC client application Installation and ... · 4. Configuring the client to use a Proxy Server If your organisation uses a web proxy to facilitate internet access,

Sentinel smartcard PC client application Installation and ... · 4. Configuring the client to use a Proxy Server If your organisation uses a web proxy to facilitate internet access,

Documents
SmartCard ticketing_FINAL.pdf

SmartCard ticketing_FINAL.pdf

Documents
Festival smartcard

Festival smartcard

Technology
Smartcard Intro

Smartcard Intro

Documents
Interactive Multitask smartcard

Interactive Multitask smartcard

Documents
Electronic Commerce Lecture 8. e e -Consumers Internet TCP/IP Needs currencies smartcard Web Server HTTP Form Input (CGI)

Electronic Commerce Lecture 8. e e -Consumers Internet TCP/IP Needs currencies smartcard Web Server HTTP Form Input (CGI)

Documents
Tgs Ti Sp (Smartcard)

Tgs Ti Sp (Smartcard)

Documents
Smartcard Manish Tomar

Smartcard Manish Tomar

Documents
Cesg Smartcard Security_1-0

Cesg Smartcard Security_1-0

Documents
OSNcontent.osn.com/doc/manual/OSN_Retail_Box_self...OSN Smartcard Inserting Your Smartcard You will need the supplied OSN Smartcard so that you can receive programmes and services

OSNcontent.osn.com/doc/manual/OSN_Retail_Box_self...OSN Smartcard Inserting Your Smartcard You will need the supplied OSN Smartcard so that you can receive programmes and services

Documents
SmartCard PPT

SmartCard PPT

Documents
SmartCard Final A

SmartCard Final A

Documents
SmartCard Handbook

SmartCard Handbook

Documents
Guidance for smartcard evaluation

Guidance for smartcard evaluation

Documents
Solaris Smartcard Administration Guide - Oracle · The Solaris Smartcard Administration Guide is intended for the system administrator who sets up and administers the Solaris Smartcard

Solaris Smartcard Administration Guide - Oracle · The Solaris Smartcard Administration Guide is intended for the system administrator who sets up and administers the Solaris Smartcard

Documents
Vanderhoof smartcard-roadmap

Vanderhoof smartcard-roadmap

Documents
SmartCard Forum 2008 - Gemalto

SmartCard Forum 2008 - Gemalto

Technology