In my previous post (https://iotac.eu/front-end-access-control-a-new-solution-for-capability-based-access-control/) I wrote about Front-End Access Control, a delegated access control solution for IoT services which pushes the authorisation function to the user side. Users have their own dedicated secure elements (a chip card or a Trusted Execution Environment, TEE), which act as personal token generators.
Users receive their access credential(s), store them in their private secure element and, when they need to use a capability, have the secure element issue a signed token for them. The solution is fast and convenient and satisfies all the important functional and security requirements of IoT.
As most IoT user interactions are initiated from a mobile phone, the obvious choice would be to use the SIM card and the mobile phone as the secure element that stores the user credentials. SIM cards (UICCs) are secure Java Card smart cards: regular chip cards in a different form factor. Practically all users have their own dedicated handset, every handset contains a SIM card (some even more than one), and every SIM card has spare capacity. Experience shows, however, that this spare SIM capacity probably cannot be used even though the technology is there: mobile operators are not willing to make it available to external parties, despite the fact that such additional use would not compromise telco security and would generate additional revenue.
The TEE (an execution environment that uses both hardware and software to protect data) would be another obvious choice. It is also present in many user devices, it is also secure (not as secure as a chip card, but still satisfactory for many IoT services), it is standardised and it is technically manageable. However, the TEE faces limitations similar to those of the SIM card: it is controlled by the OEMs, the handset manufacturers, and it is not obvious how one can get access to it. Neither established practice nor a business model supports widespread use of the TEE, though a modified version of the Consumer Centric Card Management model* would provide entirely adequate technology for the purpose.
If integrated or semi-integrated security technologies cannot be used as user-side secure storage, then we need to rely on other options, such as NFC communication with a contactless smart card, or a USB stick or Bluetooth dongle holding a SIM-sized chip card. From a functional and security perspective these are optimal solutions, but in terms of usability it is far from the desired concept if someone always needs to carry an additional device besides the mobile phone.
There is, however, a solution: a completely new approach which is secure, user friendly and right for the purpose. We call it the Card Farm.
The Card Farm, as the name suggests, is a remote server platform managing a large number of chip cards. Users access their dedicated secure storage space on individually assigned chip cards over the air.
Using the Card Farm we can realize all the planned and required objectives:
- Independence from the mobile network operators or handset manufacturers / OEMs
- Highest level security, data protection and privacy
- Absolute mobility
- Great user experience and convenience
While independence, mobility and usability may be obvious, it may make sense to elaborate on the security aspects of the Card Farm in more detail.
Server-side storage of information:
It is well known that storing a large volume of sensitive information on a server facing a public communication network should be avoided if possible; data should instead be stored locally, preferably in a distributed environment. Chip cards carried by individual users are probably the best storage medium one can choose.
It is a valid question why we claim that data security in the Card Farm equals that of a physical chip card carried by its user.
It must be noted that while a Card Farm is managed by a server which is remotely accessible, sensitive data is still stored on the individual chip cards. This means that attacking the server yields no sensitive private information; to get at such data, the chip cards would need to be broken individually. If that could be achieved, then all chip card-based services, both remote and proximity, from banking to personal IDs, would need to be reconsidered.
A weak point of the architecture may be availability: the capability to assure that the remote chip cards can be accessed by their users at any time. To guarantee high-level availability, a robust IT architecture, redundant communication capability and a highly secure physical infrastructure need to be provided.
In spite of all this protection, it must be clear that while data protection is rock solid, there is no 100% guarantee of online availability. Just as physical cards may be lost, stolen or left at home, a network outage or a large-scale attack may temporarily prevent access to the Card Farm. However, if 100% availability is an absolute must, it is possible to prepare a back-up physical card which can be used in case of emergency.
It is nowadays a general principle that nothing less than 2-factor authentication is required for secure electronic transactions. With a chip card in hand, the chip card itself is one factor and the user's knowledge or biometric information is the other.
In the case of the Card Farm, we need to introduce a different second factor in place of the card, as it is no longer in the physical possession of its user. The user's mobile phone and the application running on it can be an ideal substitute, since the application instance ID is unique and exclusively associated with a "thing" the user has.
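The two points above (the server holds no credentials, only the cards do, and the app instance ID replaces the card as the possession factor) can be sketched as a small model. This is an added illustration, not IoTAC code: the class names, the PIN handling and the use of an HMAC tag in place of the card's real signature are all assumptions made for the example.

```python
import hashlib, hmac, json, secrets, time   # standard library only


class ChipCard:
    """One card in the farm. The credential key is held only here, never by the server."""

    def __init__(self, pin: str, credential_key: bytes):
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._credential_key = credential_key  # hypothetical model of the card's secure memory
        self.retries_left = 3

    def issue_token(self, pin: str, capability: str, lifetime: int = 60) -> dict:
        # Knowledge factor: the card checks the PIN itself, as a physical card would.
        if self.retries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(self._pin_hash, hashlib.sha256(pin.encode()).digest()):
            self.retries_left -= 1
            raise PermissionError("wrong PIN")
        self.retries_left = 3
        body = json.dumps({"cap": capability, "exp": int(time.time()) + lifetime,
                           "nonce": secrets.token_hex(8)}, sort_keys=True)
        tag = hmac.new(self._credential_key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class CardFarm:
    """Server front end: maps users to cards and to their registered app instance."""

    def __init__(self):
        self._cards = {}      # user -> ChipCard
        self._instances = {}  # user -> app instance ID, the possession factor

    def enrol(self, user: str, card: ChipCard, instance_id: str) -> None:
        self._cards[user] = card
        self._instances[user] = instance_id

    def request_token(self, user: str, instance_id: str, pin: str, capability: str) -> dict:
        # Possession factor: only the enrolled app instance may reach the user's card.
        known = self._instances.get(user, "")
        if user not in self._cards or not hmac.compare_digest(known.encode(), instance_id.encode()):
            raise PermissionError("unknown app instance")
        return self._cards[user].issue_token(pin, capability)


def verify_token(token: dict, credential_key: bytes, now=None) -> bool:
    """IoT service side: check the tag, then the expiry, of a presented token."""
    expected = hmac.new(credential_key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        return False
    return json.loads(token["body"])["exp"] > (now if now is not None else int(time.time()))
```

Note that `CardFarm` itself never sees `credential_key`; a compromise of the farm's own state exposes only the user-to-card and user-to-instance mapping.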
We have all the necessary technologies and expertise to implement the new Front-End Access Control solution and the secure Card Farm to facilitate its secure, seamless operation. This model will soon be demonstrated by the IoTAC project with four diverse use-cases, including a smart home operation, automated driving, drones and an industrial implementation.
*On this link you can find a description of the Consumer Centric Card Management model: https://www.linkedin.com/pulse/may-mobile-operators-get-second-last-chance-andras-vilmos/