Dongyan Wang GlobalPlatform Technical Program Manager

Presentation transcript:

How GlobalPlatform's TEE is Solving the Missing Security Link for Mobile Wallets
Dongyan Wang, GlobalPlatform Technical Program Manager
Thursday 20 March
GP Confidential ©2013
@GlobalPlatform_ www.linkedin.com/company/globalplatform

GlobalPlatform Members

GlobalPlatform Positioning
- GlobalPlatform is the standard for managing applications on secure chip technology
- Trusted Execution Environment AND Secure Element
- Across several market sectors and in converging sectors
- Premium Content

Mobile as a Center of the New Service Deployment
Trusted Execution Environment (TEE)
The TEE provides a unique capability to ensure that the transaction:
- Is approved by the right end user
- Takes place on the right and trusted device
- Takes place between the application and cloud or back-end server

A Basic Wallet and Extensions
- Means to authenticate users
- A list of services
- An identified device
- Root of trust
- Device authentication
- Wallet APP
- Transaction management
- User Authentication
On device:
- Personal sensitive data storage
- Transaction validation by user
- User authentication
- Secure communication to cloud
- Secure communication to secure element (SE)
- Wallet application maintenance
- Loading 3rd party app on m-Wallet

Sensitive Data Protection in View

GlobalPlatform TEE: Isolation of sensitive assets
- Rich OS: open to malware and rooting / jailbreaking
- Primary device environment runs as normal, including other security mechanisms
- Security critical code and resources protected by TEE applications
- GlobalPlatform APIs ensure portability across handsets / platforms
- TEE provides the constant security foundation independent of OS choice
- TEE provides hardware-based isolation from the rich operating system (OS)
- TEE has privileged access to platform and device resources (user interface, memory controller, video / audio hardware, crypto accelerators, biometry, …)

What Makes the TEE Secure?
Isolation at data bus and address bus level
Main security properties in TEE:
- Isolation between rich OS and TEE
- Isolation between trusted applications (TAs) within TEE
- Isolation between TAs and TEE OS
- Temporary or permanent exclusive access to some device resources
TEE is an association of:
- Hardware: hardware security technology
- Software: TEE secure operating system (secure kernel, secure drivers, etc.)
TEE is built upon:
- Hardware-based isolation: e.g. system-on-chip hardware-based secure mode
- Hardware root of trust
- Secure boot process chain started from ROM code
- Hardware unique key present within chipset and solely accessible by TEE
- Small footprint of TEE OS to pass a security certification
TEE is designed to protect against any software attack arising from the rich OS environment, such as malware or the device being rooted.
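Added example (not from the original slides or from GlobalPlatform): a small Python model of two properties listed above, the hardware unique key reachable only by the TEE and isolation between TAs. The HMAC-based derivation, the label string, the TA UUIDs and the key values are assumptions made for illustration; the blob is authenticated only, not encrypted.

```python
import hashlib
import hmac

# Constructed sample values; a real HUK is fused into the chipset and never leaves the TEE.
DEVICE_A_HUK = hashlib.sha256(b"constructed HUK, device A").digest()
DEVICE_B_HUK = hashlib.sha256(b"constructed HUK, device B").digest()
WALLET_TA = "11111111-2222-3333-4444-555555555555"   # hypothetical TA UUIDs
LOYALTY_TA = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
TAG_LEN = 32


def derive_ta_key(huk: bytes, ta_uuid: str) -> bytes:
    """Per-TA storage key. Assumed scheme: HMAC-SHA256(HUK, label || UUID)."""
    return hmac.new(huk, b"ta-storage|" + ta_uuid.encode(), hashlib.sha256).digest()


def seal(huk: bytes, ta_uuid: str, data: bytes) -> bytes:
    """Prefix data with a tag that binds it to one device and one TA."""
    tag = hmac.new(derive_ta_key(huk, ta_uuid), data, hashlib.sha256).digest()
    return tag + data


def unseal(huk: bytes, ta_uuid: str, blob: bytes):
    """Return the data if the tag verifies for this device and TA, else None."""
    tag, data = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(derive_ta_key(huk, ta_uuid), data, hashlib.sha256).digest()
    return data if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    record = b"no-PIN threshold=20.00"          # constructed wallet setting
    blob = seal(DEVICE_A_HUK, WALLET_TA, record)
    tampered = blob[:-5] + b"99.00"             # rich-OS side edits the stored value
    return {
        "owner_ta": unseal(DEVICE_A_HUK, WALLET_TA, blob),
        "other_ta": unseal(DEVICE_A_HUK, LOYALTY_TA, blob),
        "other_device": unseal(DEVICE_B_HUK, WALLET_TA, blob),
        "tampered": unseal(DEVICE_A_HUK, WALLET_TA, tampered),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13} -> {result}")
```

Only the owning TA on the original device recovers the record; another TA, another device, or a modified blob all fail verification.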

TEE for Wallets
(Architecture diagram; labels: Financial Server, Wallet Application, Open OS, Companion Wallet Trusted Application, Trusted User Interface, Secure Storage, Crypto, TEE OS, Trusted Execution Environment, Application Processor, Secure Elements, Device)

TEE: A Toolbox for Wallet

| Sensitivity in Wallets | TEE Security Function in Wallet Scenario | TEE Primitives |
| --- | --- | --- |
| User authentication | Protect credential entry (e.g. login/password or PIN entry) | TUI |
| Device authentication | By using device specific credentials | Crypto |
| Explicit payment action | Protect from interactions on the device not intended by the user | |
| Transaction information validation | Protect transaction information display and potential credential entry (e.g. PIN entry) | |
| Data storage | Protect information such as user's profile or transaction logs/statistic | Secure storage |
| Hosting of additional 3rd party applications in m-wallet | Protect application code & data such as loyalty and couponing | All functions |
| SE applet configuration | Protect user-configured parameters such as amount threshold for no-PIN transactions | TUI + SE + Crypto |
| Communication to SE and SE applet | Protect access and communication to SE applets from only TEE applications | SE + Crypto |
| Cloud Communication | Secure communications from / to cloud | Crypto + Network |

Fingerprint / Biometry
- The objective is to protect the access control of the biometry sensor
- Secure enrolment and verification either within the TEE or the TA
- To support ID initiatives, such as FIDO and OpenID 2.0
- GlobalPlatform will publish a biometry API for Trusted Applications, including fingerprint sensor access support
- Target date for public review: end of 2014

Complete End-to-End Infrastructure for Secure Wallet Deployment
- Messaging
- End-to-end security

Ease the Interoperable Wallet Deployment
GlobalPlatform Specifications to enable interoperable services: Transport, Payment, Retail, MNOs
Card Configurations Compliance:
- GlobalPlatform UICC Configuration v1.0.1 / Contactless Extension v1.0
- GlobalPlatform Mapping Guidelines
- GlobalPlatform Basic Financial Configuration v1.5
- GlobalPlatform ID configurations (under review)
- Common Implementation configuration (under review)
TEE Compliance:
- GlobalPlatform TEE Initial Configuration Test Suite 1.1.0.2
- GlobalPlatform TEE Protection Profile v1.0
- Current and first-phase focus = DEVICE PLATFORM
- Final product (smartphone, tablet etc): in light delta compliance and / or security certification will be defined in second phase
TSM Compliance:
- GlobalPlatform System Messaging Specification for Management of Mobile-NFC Services v1.1.2
- Systems Profile and Scripting Specifications v1.1
- GlobalPlatform E2E Simplified Services Deployment v1.0

More @ www.globalplatform.org