Trusted Identity Module
A local smartphone module acting as an OpenID Connect Server proxy and delivers trusted tokens to installed native applications. The TIM improves the user experience with single sign on, security and privacy enhancement.
Description
The Trusted Identity Module project is a set of four projects: an Android service (tim_service), a JAVA Card Service (TimCardlet), a modified OpenID Connect Server (phpOpTim) and a basic Android TIM-Client app enabling to test the TIM services (HelloTim). The OIDC-TIM server is based on an open source implementation of OpenID Connect in PHP by Nomura Research Institute, Ltd.
The TIM (Android and JavaCard parts) operates as a server and receives requests from native applications needing to access user personnal data. The TIM works in offline and online modes and provides many benefits among with:
- Usage continuity when in offline scenario (or in a roaming situation)
- Privacy improvement for the end-user as the online IdP is not contacted and therefore unable to track the user’s activity
- Improved security with the use of a combination of Trusted Execution and Secure storage
In online mode the TIM is connected to the OIDC-TIM server and recovers access tokens and refresh tokens for the requesting app. The TIM then stores the tokens in the JAVA Card. Based on those tokens the TIM creates new access tokens (tim-access tokens) for the requesting application which can then use it to access a Ressource Server and recover requested user personnal data.
In the offline mode, the TIM does not contact the OIDC-TIM server but instead uses the stored tokens to create tim-access tokens for native applications. The offline mode prevents the server from monitoring the user activity and hence preserves his privacy. The security is enhanced by the smart card, with the secure storage. The TIM is not dependent of a particular network access technology and ensures the usage continuity when moving from a technology to another (eg: wifi to 4G).
References
- OpenID Connect protocol
- OpenID Connect Server Implementation (PHP) (phpOIDC Project, commit number 6ac8e6d from 2014-09-05)
- Smart Card API for Android Seek For Android
- Cryptography Libraries for Android Spongy castle libs from Roberto Tyley
Development Tools
- SIM Development: IzyNFC
- Android Development: Eclipse + Android ADT plugin
- Server Development: Any PHP Server, Easy PHP is a good one
Required Equipment
- For JAVA Card development: a JAVA Card at least version 2.2.1 with a Card Reader
- For Android development: a compatible android device
Installation
After downloading and setting up the development environments, download every part of the project (OIDC-TIM Server, Android service, JAVA Card service, and the test app)
Import the projects in the corresponding environments, for example: the Android Service and the test app in Eclipse + ADT, the JAVA Card service in IzyNfc. For the OIDC-TIM server, follow the steps described in the phpOIDC project and then replace the corresponding files with the OIDC-TIM project files.
Compile and execute on the corresponding devices (JAVACard and Android devices).
TIM Sequence Diagram
Authorization request
Refresh Token Request
New TIM Access Token Request
User Infos Request
User Infos Request
Use Case 01
Use Case 02
License
Copyright © 2015 Orange
This project is licensed under the Apache License, Version 2.0 (the "License"); you may not use it except in compliance with the License. You may obtain a copy of the License here
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.