Page 1

GlobalPlatform SE and TEE Overview

Hank Chavers, Technical Program Manager
International Cryptographic Module Conference, Rockville, Maryland, 4 November 2015

Page 2

Defining End-to-End Security

• GlobalPlatform defines end-to-end security as having two trusted endpoints, which ensure security throughout the entire service delivery process

• One endpoint is a secure component within the consumer device

• The other endpoint is a secure server in the cloud or the service provider’s back-end system

Page 3

Security in Internet of Things (IoT) Networks

• GlobalPlatform end-to-end security applies in M2M/IoT networks where a gateway sits between the server endpoint and the ‘thing’

• One endpoint is a secure component within the ‘thing’

• One intermediary point is a secure component within the gateway

• The last endpoint is a secure server in the cloud or the service provider’s back-end system

[Figure: Thing 1 connected over an interface to Gateway 1, with raw data passing across the interfaces]

Page 4

Trust Anchor for Services

Our Vision for Secure and Convenient Value-added Services

[Figure: trust anchor stack of Secure Chip Technology, Secure Chip, Secure OS and Secure Object; 3rd Party Qualification and Certification by a Security Evaluation Laboratory (GlobalPlatform Qualified Laboratory); properties: Interoperable, Secure]

Page 5

Helicopter View

[Figure: helicopter view of the secure component, exposing an API for Applications and an API for Application Management]

Page 6

GlobalPlatform Secure Component

• A GlobalPlatform Secure Component:
  – Provides an authenticated root of trust, a ‘trust anchor’, on the end-user side
  – Protects applications performing critical functions
  – Protects data

• Service providers are able to reduce their risk (risk management) by using a GlobalPlatform trust anchor to deploy their services

• Compatible with any device architecture in the market today (smartphone, IoT device, …)

[Figure: Secure Component = Trust Anchor + Storage + Application Management]

Page 7

Two Secure Component Types

[Figure: the two secure component types; only the label ‘Or Embedded’ survives from the diagram]

Page 8

Mobile, the Center of Service Deployment

TEE is at the core of a Mobile

Trusted Execution Environment (TEE)

TEE provides a unique capability to ensure that the transaction:
• Takes place on the right and trusted device
• Takes place between the right application and back-end server
• Is approved by the right end user

Page 9

Secure Element

• A secure element (SE) is a tamper-resistant platform capable of securely hosting applications and their confidential and cryptographic data (e.g. key management) in accordance with the rules and security requirements set forth by a set of well-identified trusted authorities.

Page 10

Secure Channel Protocol (SCP)

• Secure Communications for Content Management
  – The trust anchor authenticates and communicates securely using accepted security over secured channels

• SCP 03: uses AES in accordance with FIPS 201

• SCP 11: uses ECC in accordance with NIST and BSI

• SCP 22: uses Opacity Blinded in accordance with INCITS B10.12 (under review)
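To make the SCP 03 line concrete, the following is an added example (not part of the original slides) of what both endpoints compute when an SCP03 secure channel is opened: the session keys and the two authentication cryptograms, derived from the static AES keys and the exchanged host and card challenges. The derivation-data layout and constants follow GlobalPlatform Card Specification Amendment D; AES-CMAC comes from the Python `cryptography` package, and every key and challenge value is constructed sample data.

```python
# SCP03 session key derivation (GlobalPlatform Card Spec Amendment D). AES-CMAC
# comes from the `cryptography` package; all key and challenge values here are
# constructed sample data, not real card or host material.
import hmac
from cryptography.hazmat.primitives.cmac import CMAC
from cryptography.hazmat.primitives.ciphers import algorithms

# Derivation constants defined by Amendment D for SCP03
CARD_CRYPTOGRAM, HOST_CRYPTOGRAM = 0x00, 0x01
S_ENC, S_MAC, S_RMAC = 0x04, 0x06, 0x07

def aes_cmac(key: bytes, data: bytes) -> bytes:
    c = CMAC(algorithms.AES(key))
    c.update(data)
    return c.finalize()

def scp03_kdf(key: bytes, constant: int, bit_len: int, context: bytes) -> bytes:
    """NIST SP 800-108 counter-mode KDF with AES-CMAC as PRF. Derivation data =
    11 zero bytes || constant || 0x00 || L in bits (2 bytes) || i || context."""
    out, i = b"", 1
    while len(out) < bit_len // 8:
        data = (bytes(11) + bytes([constant, 0x00]) + bit_len.to_bytes(2, "big")
                + bytes([i]) + context)
        out += aes_cmac(key, data)
        i += 1
    return out[: bit_len // 8]

def derive_session(static_enc, static_mac, host_challenge, card_challenge) -> dict:
    """What both endpoints compute after exchanging 8-byte challenges. S-ENC
    derives from the static ENC key, S-MAC/S-RMAC from the static MAC key; the
    two cryptograms (under S-MAC) are exchanged to prove key possession."""
    ctx = host_challenge + card_challenge
    s_mac = scp03_kdf(static_mac, S_MAC, 128, ctx)
    return {
        "s_enc": scp03_kdf(static_enc, S_ENC, 128, ctx),
        "s_mac": s_mac,
        "s_rmac": scp03_kdf(static_mac, S_RMAC, 128, ctx),
        "card_cryptogram": scp03_kdf(s_mac, CARD_CRYPTOGRAM, 64, ctx),
        "host_cryptogram": scp03_kdf(s_mac, HOST_CRYPTOGRAM, 64, ctx),
    }

def verify_cryptogram(expected: bytes, received: bytes) -> bool:
    """Constant-time check the host applies to the card's cryptogram."""
    return hmac.compare_digest(expected, received)

# Constructed sample material
STATIC_ENC = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")
STATIC_MAC = bytes.fromhex("1f1e1d1c1b1a19181716151413121110")
HOST_CHALLENGE, CARD_CHALLENGE = bytes(range(8)), bytes(range(8, 16))
```

Because both challenges enter the derivation context, a replayed or altered challenge yields different session keys and a card cryptogram that fails the host's check.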

Page 11

The Solution

• Cross-industry interoperability, which allows for portability of services across platforms

• Scalable security that remains robust as the number of devices, applications, and services proliferates

• End-to-End security and interoperability that leverages existing and proven methods and technologies

Page 12

Thank you!
