securitypolicy_rp.html

J2ME MIDP2.0 final specification

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"><html><head>
	<meta http-equiv="CONTENT-TYPE" content="text/html;
	      charset=iso-8859-1"><title>The Recommended Security Policy for GSM/UMTS Compliant Devices</title>
	<!-- Changed by: Roger Riggs - Sun Microsystems Inc, 25-Jul-2002 -->
	<!-- Changed by: Gary Adams - SMI Software Development, 30-Jul-2002 -->
	
	<meta name="GENERATOR" content="StarOffice 6.0  (Solaris Sparc)">
	<meta name="CREATED" content="20020719;16144600">
	<meta name="CHANGED" content="20020719;17014700">
	<meta name="ProgId" content="Word.Document">
	<meta name="Originator" content="Microsoft Word 9">
    <link REL="STYLESHEET" href="stylesheet.css" charset="ISO-8859-1" type="text/css">
	<!--[if gte mso 9]><xml>
 <o:DocumentProperties>
  <o:Author>CHANDRASIRIP</o:Author>
  <o:Template>Normal</o:Template>
  <o:LastAuthor>CHANDRASIRIP</o:LastAuthor>
  <o:Revision>10</o:Revision>
  <o:TotalTime>2663</o:TotalTime>
  <o:LastPrinted>2002-07-09T08:30:00Z</o:LastPrinted>
  <o:Created>2002-07-09T08:36:00Z</o:Created>
  <o:LastSaved>2002-07-09T08:50:00Z</o:LastSaved>
  <o:Pages>50</o:Pages>
  <o:Words>6111</o:Words>
  <o:Characters>34838</o:Characters>
  <o:Company>Vodafone Group </o:Company>
  <o:Lines>290</o:Lines>
  <o:Paragraphs>69</o:Paragraphs>
  <o:CharactersWithSpaces>42783</o:CharactersWithSpaces>
  <o:Version>9.3821</o:Version>
 </o:DocumentProperties>
</xml><![endif]-->
	<!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:View>Normal</w:View>
  <w:Zoom>130</w:Zoom>
  <w:HyphenationZone>21</w:HyphenationZone>
  <w:DrawingGridVerticalSpacing>0 pt</w:DrawingGridVerticalSpacing>
  <w:Compatibility>
   <w:UseFELayout/>
  </w:Compatibility>
  <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
  <w:SpellingState>Clean</w:SpellingState>
  <w:GrammarState>Clean</w:GrammarState>
 </w:WordDocument>
</xml><![endif]-->
	<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1027"/>
</xml><![endif]-->
	<!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1"/>
 </o:shapelayout></xml><![endif]-->
	<style>

	<!--

		TD P { color: #000000 }

		H2 { color: #000000 }

		P { color: #000000 }

		H3 { color: #000000 }

		H4 { color: #000000 }

		A:link { color: #0000ff }

		A:visited { color: #0000ff }

	-->

	</style></head><body lang="en-GB" text="#000000" link="#0000ff" vlink="#0000ff">
<h2 class="DocumentTitle">The Recommended Security Policy for GSM/UMTS Compliant Devices</h2>
<h4 class="TitleContinuation">Addendum to the Mobile Information Device Profile version 2.0</h4>
    <hr>
<h5 class="TitleContinuation"><i>Copyright 2002, Sun Microsystems,
      Inc. ALL RIGHTS RESERVED.</i></h5>
    <hr>
<h2 class="ChapterTitle">Preface</h2>
<p class="Paragraph">This document, <i>The Recommended Security Policy for GSM/UMTS
	Compliant Devices</i> is an addendum to
the <a href="http://jcp.org/jsr/detail/118.jsp">Mobile Information Device Profile (MIDP) version 2.0</a> for the
Java<sup>TM</sup> 2 Platform, Micro Edition (J2ME<sup>TM</sup>).
</p>
<p class="Paragraph">The terminology used herein is defined by
that specification except where noted. 
</p>

<h2 class="ChapterTitle">Who Should Use This Document</h2>
<p class="Paragraph">The audience for this document is the Java
Community Process (JCP) Expert Group that defined the MIDP,
implementers of the MIDP, application developers using the MIDP,
service providers deploying MIDP applications, and wireless operators
deploying the infrastructure to support MIDP devices. This document
specifically targets network operators, manufacturers, and
service and application providers operating in GSM and UMTS networks.
</p>
<h2 class="ChapterTitle">Scope of This Document</h2>
<p class="Paragraph">This addendum is informative.
However, all implementations of MIDP 2.0 on GSM/UMTS-compliant
devices are expected to comply with this addendum.</p>

<p class="Paragraph"> MIDP 2.0 defines the framework for
authenticating the source of a MIDlet suite and authorizing the
MIDlet suite to perform protected functions by granting permissions
it may have requested based on the security policy on the device. It
also identifies functions that are deemed security-vulnerable and
defines permissions for those protected functions. Additionally, MIDP
2.0 specifies  the common rules for APIs that can be used
together with the MIDP but are specified outside the MIDP. MIDP 2.0
specification does not mandate a single trust model but rather allows
the model to accord with the device trust policy. 
</p>
<p class="Paragraph">The purpose of this addendum is to extend the base MIDlet suite
security framework defined in MIDP 2.0 and to define the following
areas: 
</p>
<ul type="disc">
	<li class="Bullet1">The required trust model for GSM/UMTS-compliant devices 
	</li>
	<li class="Bullet1">The domain number and structure, as reflected in the
	       policy file
	</li>
	<li class="Bullet1">The mechanism of reading root keys
	  from sources external to the device 
	</li>
	<li class="Bullet1">Capabilities allowed the
	  applications within permissions defined by MIDP 2.0 and other JSRs 
	</li>
	<li class="Bullet1">Application behaviour in the roaming network
	</li>
	<li class="Bullet1">Application behaviour when SIM/USIM is changed 
	</li>
	<li class="Bullet1">The use of user permission types 
	</li>
	<li class="Bullet1">Guidelines on user prompts and notifications 
	</li>
</ul>
<h2 class="ChapterTitle">How This Specification Is Organized</h2>
<p class="Paragraph">This specification is organized as follows:</p>

<p class="Paragraph"> Sections 2 to 4 establish the relationship
between the policy file, different security domains, and requirements
concerning certificate storage on smart cards. Section 5 specifies
the function groups and identifies the permissions and the APIs that
need to be protected using the MIDP 2.0 security framework. Sections
6 and 7 specify rules that must be followed when permissions are
granted, and also requirements of user notifications. Finally Section
8 specifies the MIDlet behaviour during roaming and after changing
the smart card.</p>
<h2 class="ChapterTitle">References</h2>
    <ol>
      <li class="List1">
        Connected Limited Device Configuration (CLDC)<br> <a
        href="http://jcp.org/jsr/detail/30.jsp">http://jcp.org/jsr/detail/30.jsp</a>
      </li>
      <li class="List1">
	Mobile Information Device Profile (MIDP) 2.0<br> <a
	href="http://jcp.org/jsr/detail/118.jsp">
	http://jcp.org/jsr/detail/118.jsp</a>
      </li>
      <li class="List1">
	HTTP 1.1 Specification<br>
	<a href="http://www.ietf.org/rfc/rfc2616.txt">
	  http://www.ietf.org/rfc/rfc2616.txt</a>
      </li>
      <li class="List1">
	WAP Wireless Identity Module Specification (WIM)
	WAP-260-WIM-20010712-a<br>
	<a href="http://www.wapforum.org/what/technical.htm">
	  http://www.wapforum.org/what/technical.htm</a>
      </li>
      <li class="List1">
	WAP Smart Card Provisioning (SCPROV) WAP-186-ProvSC-20010710-a<br>
	<a href="http://www.wapforum.org/what/technical.htm">
	  http://www.wapforum.org/what/technical.htm</a>
      </li>
      <li class="List1">
	PKCS#15 v.1.1 <br>
	<a href="http://www.rsasecurity.com/rsalabs/pkcs/pkcs-15/">
	  http://www.rsasecurity.com/rsalabs/pkcs/pkcs-15/</a>
      </li>
      <li class="List1">
	USIM, 3GPP TS 31.102: "Characteristics of the USIM
	applications" <br>
	<a href="http://www.3gpp.org/">http://www.3gpp.org</a>
      </li>
      <li class="List1">
	RFC3280<br>
	<a href="http://www.ietf.org/rfc">
	  http://www.ietf.org/rfc</a>
      </li>
    </ol>

<p class="Paragraph"><h2 class="ChapterTitle">1  General</h2></p>
<p class="Paragraph">GSM/UMTS-compliant devices MUST follow the
security framework specified in the MIDP 2.0. Additionally, devices
that support trusted applications MUST follow the PKI-based
authentication scheme as defined in MIDP 2.0 specification. 
</p>
<h2 class="ChapterTitle">2  Domains in the Policy File</h2>
<p class="Paragraph">A domain is a way to differentiate between
downloaded MIDlets based on their origin, and to grant or make
available to a MIDlet suite a set of permissions. A domain binds a
root certificate to a set of permissions. The permissions are
specified in the domain policy. A policy file or policy has as many
entries as there are domains available on the device.  A domain
can exist only for root certificates that contain the
<code>id-kp-codeSigning</code> extended key usage extension.</p>
<p class="Paragraph">Applications that authenticate to a trusted root key are treated
as trusted, and assigned to the corresponding  protection
domain. An application MUST be assigned to only one protection
domain. A MIDlet suite cannot belong to more than one protection
domain. 
</p>
<p class="Paragraph">The representation of domains in the device is
implementation-specific.</p>
<h2 class="ChapterTitle">3  Security Domains and the Permissions
Framework</h2>
<p class="Paragraph">This document specifies two different
requirements as to how the MIDP permissions framework should be used,
depending on the security domain an application executes.</p>
<p class="Paragraph"> </p>
<p class="Paragraph"><b>Manufacturer and Operator Domains</b> &#8211;
Applications are responsible for prompting the user, using the MIDP
2.0 permissions framework when accessing functions for which security
policies are specified in Tables 2 through 6 in this document.</p>
<p class="Paragraph"> </p>
<p class="Paragraph"><b>Third-Party and Untrusted Domains</b> &#8211;
The device implementation is responsible for prompting the user
according to the security policies specified in Tables 1 through 5 in
this document.</p>
<h4>3.1 Manufacturer Domain</h4>
<p class="Paragraph">The trusted root certificate of the device manufacturer is related
to manufacturer applications and MUST have a domain
identified in the policy file. If a given device has no Manufacturer
domain but is capable of authenticating manufacturer-signed
applications (that is, it has a manufacturer root certificate
installed) they will be authorized only as untrusted and will belong
to the Untrusted domain.</p>
<p class="Paragraph">The Manufacturer domain cannot be deleted or modified by the user
or any other party, except by a device-provisioned capability. 
If the manufacturer root certificate is updated, it MUST be mapped
onto the same Manufacturer-domain policy file. If the manufacturer
root certificate is no longer present on the device, the Manufacturer
domain may be removed by a device-provisioned capability. 
</p>
<p class="Paragraph">Permissions in the Manufacturer domain are all marked as
<i>Allowed</i> (see MIDP 2.0 for the definition). Permissions granted by
the Manufacturer domain as <i>Allowed</i> imply that downloaded and
authenticated manufacturer applications perform consistently with
applications pre-installed by the manufacturer in terms of security
and prompts to the user whenever events that require user
acknowledgment occur. Manufacturer applications SHOULD seek
permission from the user when accessing security-vulnerable APIs and
functions. Permissions defined by MIDP 2.0 and other APIs give the
guidelines of which functions are seen as security-vulnerable and
need protection. It is expected that manufacturer applications will
give prompts and notifications to the user consistently regarding
these security-protected functions. The implementation MUST present
the user with the <i>Subject</i> field of the root certificate
containing the manufacturer root public key whenever a new
application is installed in the Manufacturer domain. This user
notification MUST take place at application installation.</p>
<p class="Paragraph">The Manufacturer domain imposes no restriction on the capabilities
specified in the MIDP 2.0 and other JSRs. 
</p>
<h4>3.2 Operator Domain</h4>
<p class="Paragraph">The trusted operator root certificate MUST be
mapped onto the policy file describing the Operator domain on the
device. A device MUST support the policy file describing the Operator
domain.</p>

<p class="Paragraph">If a given device has no Operator domain but is
capable of authenticating operator-signed applications (that is, it
is able to obtain an operator root certificate from a smart card)
they will be authorized only as untrusted and will belong to the Untrusted domain. 
</p>

<p class="Paragraph">Trusted root certificates are read from the Certificate Directory
File (CDF) for trusted certificates [WIM]. Root certificates found in
the trustedCertificates file on the WIM are mapped onto the Operator
domain or onto the Trusted Third-Party domain,
depending on the trustedUsage field in the
CommonCertificateAttributes associated with the certificate
[PKCS15]:</p>
<blockquote>
<p class="Paragraph">If the trustedUsage field is present and contains the OID for key usage
&#8220;Operator Domain&#8221; (to be defined), then the certificate
is to be mapped onto the Operator domain.</p>
<p class="Paragraph">If the trustedUsage
field is not present, or does not contain the OID for key usage
&#8220;Operator Domain,&#8221; then the certificate is to be mapped
onto the Trusted Third-Party domain.</p>
</blockquote>

<p class="Paragraph">Operator-trusted root certificates may be placed
in the trustedCertificates Certificate Directory File (CDF) of a WIM,
SIM, or USIM. If operator root certificates are stored directly on a
SIM or USIM, that is, not under the WIM application, then they shall
be stored in the EF trustedCertificates CDF located under
DF(PKCS#15), as defined by [SCPROV]. Operator root certificates can
be obtained only from the trusted CDF or equivalent directory (the
card holder can not update this directory) and not from any
other directory of the smart card. 
</p>
<p class="Paragraph">As operator root certificates are external to the device itself,
and it is not known in advance which root certificates are available
for authenticating downloaded operator applications at the time the
smart card can be changed, mapping of the operator root certificates
onto the Operator domain is implementation-specific. Any operator
root certificate MUST, however, be mapped onto the same set of
<i>Allowed </i>permissions in the Operator domain. The Operator
domain cannot be deleted or modified by the user or any other party,
except by a device-provisioned capability. 
</p>
<p class="Paragraph">A signed and authenticated application MUST be authorized to the Operator
domain if the application was authenticated to the operator root public key.
The operator root public key MUST be obtained from the trusted CDF of a currently
inserted and enabled smart card and not from any other location on the smart
card or the device. The implementation MUST present the user with the <e>Subject</i>
field of the root certificate containing the operator root public
key whenever a new application is installed in the Operator domain.
This user notification MUST take place at application
installation.</p>

<p class="Paragraph">Permissions in the Operator domain are all marked as<i> Allowed
</i>(see MIDP 2.0 for the definition). Permissions granted by the Operator domain as <i>Allowed</i> imply that downloaded and
authenticated operator applications perform consistently with other
applications installed by the operator in terms of security and
prompts to the user whenever events that require user acknowledgment
occur. Operator applications SHOULD seek permission from the user
when accessing security-vulnerable APIs and functions. Permissions
defined by MIDP 2.0 and other APIs provide guidelines as to which
functions are seen as security-vulnerable and need protection. It is
expected that operator-trusted applications will give prompts and
notifications to the user when accessing these security-protected
functions.</p>

<p class="Paragraph">The Operator domain imposes no restriction on the capabilities
specified in the MIDP 2.0 and other APIs unless stated otherwise.</p>
<p class="Paragraph">MIDlets installed in the Operator domain MUST store, along with
the application itself, a hash of the root certificate public key
under which the signing certificate used to sign the application was
issued. The hash algorithm to be used is the following: starting with
the root certificate, compute the 20-byte SHA-1 hash of the value of