CONFIDENTIAL © SD Association. All rights reserved. 1 1
To SE, or not to SE: that is the question
This isn't a play – this is business!
Fabrice Jogand-Coulomb, SDA GP Ad-Hoc Committee & VP Products at DeviceFidelity
About
A global ecosystem of about 1000 companies setting industry-leading memory card standards.
Est. 8,000+ consumer electronics models manufactured by way more than 100 brands worldwide rely on SD standards.
microSD is the #1 memory card form factor for mobile devices, with ~95% of mobile memory card shipments.
78% of all mobile phone shipments have a memory card slot.
No business & services without security
Security protects the service, protects the consumer and adds tools for legal aspects.
Security is implemented for business reasons: business drives the requirements for security needs/functions, for security certification and for the minimum security level.
Business implies money: upfront investment, maximum cost, financial risk.
Security functions: secure communication, authentication, identification, privacy, non-repudiation, confidentiality.
These are important elements of the business plan & the revenue model.
Available security tools
• Secure Element: UICC, eSE and microSD
• Trusted Execution Environment: dedicated runtime environment and resources on main CPU
• Cloud: server side secure execution
• App: secure software implementation
Trusted Execution Environment
• TEE runs on main device chipset and relies on both
  • hardware roots of trust (crypto keys and secure boot) and
  • hardware-based isolation from rich OS such as Android
• TEE has privileged access to platform and device resources
  • user interface,
  • memory controller, video / audio HW
  • crypto accelerators, biometry, …
• Technology already massively deployed
• Premium content protection is currently a major use case
Diagram: the rich OS side is open to malware and rooting / jailbreaking; the TEE side provides isolation of sensitive assets.
Software only security
Software gives short term security only:
• continuous software update to stay ahead of hackers
• extending number of devices to QA
• high operation cost
Pros and Cons
Secure Element (UICC, eSE, microSD)
Pros: • HW root of trust • Dedicated run time • Secure communication • Certifications
Cons: • Need HW onboard
Trusted Execution Environment
Pros: • Dedicated SW env. • User ID • User Interface
Cons: • No certification • Need vendor SDK • Speed
App
Pros: • Easy SW
Cons: • Sec counter measures
Cloud
Pros: • Server security
Cons: • No end user auth • Speed & connection • Proprietary
Security functions compared across SE, TEE, App and Cloud: • Non-repudiation • Strong authentication • Mutual authentication • Secure communication • User identification
App challenges: • Secure display • Secure input • PIN presentation • Sec vs. User Experience • App maintenance cost • Need an App for auth and to proxy cloud
Drivers and Requirements for SE
No SE
• Limited financial risk for service provider and end user
• Typical of private use
SE for user ID, signature and authentication
• Business needs such as: user identification, remote authentication, non-repudiation, confidentiality
SE for cardlets: secure run time
• The business needs above + technical aspects such as: local secure computing to reduce transaction time while secured; requirements such as MIFARE, Calypso
Cost of software maintenance, great user experience and technical requirements together create the need for a secure element.
All SE aren't equal
Options compared: UICC | eSE | smartSD | minimal HCE implementation | optimised HCE implementation with smartSD
OS Integration
• UICC / eSE / smartSD: contactless APIs at OS level
• minimal HCE implementation: App level and OS on devices with HCE
• optimised HCE implementation with smartSD: contactless APIs at OS level
Security
• UICC / eSE / smartSD: certified smart card chip in different form factor
• minimal HCE implementation: software and TEE: unknown financial risk level
• optimised HCE implementation with smartSD: certified smart card chip
Differentiation
• UICC: must fit within MNO wallet guidelines
• eSE: must fit within eSE wallet guidelines
• smartSD / minimal HCE / optimised HCE with smartSD: differentiation and business independence
Business model
• UICC / eSE: dependent on SE rental
• smartSD / minimal HCE / optimised HCE with smartSD: business independence
Costs
• UICC / eSE: TSM integration costs + minor operation costs
• smartSD: various options: sold vs. subsidized, mailing perso vs. TSM
• minimal HCE implementation: token server and continuous App update to remain secure
• optimised HCE implementation with smartSD: various options: sold vs. subsidized, mailing perso vs. TSM
Deployment
• UICC: a few days for TSM issuance; removable yet MNO specific
• eSE: a few days for TSM issuance; non removable yet MNO independent
• smartSD: a few days for mailing or TSM; removable, device and MNO independent
• minimal HCE implementation: instant gratification
• optimised HCE implementation with smartSD: instant gratification for users with smartSD, or a few days
Market Reach
• UICC: NFC UICC + NFC phone, except iPhone (for now)
• eSE: NFC phones, except iPhone (for now)
• smartSD: >70% of phones and growing, + iPhone support through accessory
• minimal HCE implementation: most recent smart phones
• optimised HCE implementation with smartSD: most recent smart phones
(Slide colour legend: bad / OK / good.)
smartSD presents the most benefits to the service provider:
- Business independence
- Full UX/UI differentiation
- Least upfront cost and easiest launch
- Largest market reach
and provides extra storage to the end user!
What about HCE for contactless?
Options compared: smartSD | minimal HCE implementation | optimised HCE implementation with smartSD
OS Integration
• smartSD: contactless APIs at OS level
• minimal HCE implementation: App level and OS on devices with HCE
• optimised HCE implementation with smartSD: contactless APIs at OS level
Security
• smartSD: certified smart card chip in different form factor
• minimal HCE implementation: software and TEE: unknown financial risk level
• optimised HCE implementation with smartSD: certified smart card chip
Differentiation
• all three: differentiation and business independence
Business model
• all three: business independence
Costs
• smartSD: various options: sold vs. subsidized, mailing perso vs. TSM
• minimal HCE implementation: token server and continuous App update to remain secure
• optimised HCE implementation with smartSD: various options: sold vs. subsidized, mailing perso vs. TSM
Deployment
• smartSD: a few days for mailing or TSM; removable, device and MNO independent
• minimal HCE implementation: instant gratification
• optimised HCE implementation with smartSD: instant gratification for users with smartSD, or a few days
Market Reach
• smartSD: >70% of phones and growing; iPhone supported through accessory
• minimal HCE implementation: most recent smart phones, except iPhone (for now)
• optimised HCE implementation with smartSD: most recent smart phones
(Slide colour legend: bad / OK / good.)
smartSD as security token for HCE
smartSD: the only SE form factor that improves the HCE value propositions.
smartSD addresses cost generating weaknesses in the App of a minimal HCE implementation, such as backend authentication and user ID, and provides a hardware root of trust that could be pre-configured for the given service. The HCE App acts as proxy and provides a rich UI.
Diagram: Contactless Reader ↔ NFC Controller ↔ Host CPU (HCE App) ↔ Token server; smartSD = SE with GP & Java Card, EU cardlet.
smartSD adds: • HW Root of trust • Authentication • User identification • Secure storage, and more.
Minimal HCE App alone: short term security, challenging UX, costly App maintenance.
Mobile ticketing example
Terminal ↔ HCE App ↔ smartSD (the smartSD provides secure storage for tickets data):
• Terminal: Select Ticketing cardlet → App: HCE App selected
• Terminal: Mutual Authentication → App: pass through → smartSD: Mutual Authentication
• Terminal: Get ticket → App: pass through → smartSD: send ticket
Backend ↔ HCE App ↔ smartSD:
• App: Purchase tickets → Backend: ticket purchase confirmed
• Backend: Authentication → App: pass through → smartSD: Authentication
• Backend: Write ticket data → App: pass through → smartSD: store ticket data
• App: check history, set default ticket, etc. → smartSD: set default ticket
1. smartSD is authenticated by the backend and protects the ticket data.
2. Access to ticket data is protected by authentication.
3. The HCE App doesn't have any critical secret, so hacking it won't bring much, yet it can provide a rich UI for the end user.
Physical access control example
1. Door key is stored directly in smartSD, where it is clone-protected.
2. Door key data is protected by authentication.
3. The HCE App doesn't have any critical secret, so hacking it won't bring much.
Doorlock ↔ HCE App ↔ smartSD (the smartSD provides secure storage for doorlock data):
• Doorlock: Select door lock cardlet → App: HCE App selected
• Doorlock: Mutual Authentication → App: pass through → smartSD: Mutual Authentication
• Doorlock: Get door key (or key ID) → App: pass through → smartSD: present door key
Backend ↔ HCE App ↔ smartSD:
• Backend: Push door lock info → App: App is woken up through HCE or online
• Backend: Authentication → App: pass through → smartSD: Authentication
• Backend: Write door lock data → App: pass through → smartSD: store door lock data
Use cases: Office, Museums, Hotels, Stadium & events.
Mobile payment example
Terminal ↔ HCE Apps ↔ smartSD (slide label: secure storage for doorlock data):
• Terminal: select Coffee Shop App → App: HCE Coffee shop App selected
• Terminal: Mutual authentication → App: pass through → smartSD: Mutual Authentication
• Terminal: Get loyalty points and confirm to use → App: pass through → smartSD: return loyalty data
• Terminal: select payment App → App: HCE payment App selected
• Terminal: Validate PIN → App: Present PIN to smartSD (use of TEE) → smartSD: PIN verification
• Terminal: get payment token → App: pass through → smartSD: Payment token
• App: Update loyalty data to Coffee shop App (App is woken up through HCE or online) → smartSD: loyalty data is updated
1. smartSD authenticates to token server.
2. smartSD is used to validate user identification.
3. smartSD provides secure storage for payment tokens and for loyalty data.
4. Payment App doesn't have any critical security data, and Coffee shop App is a simple UI for loyalty data on smartSD.
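The ticketing, door lock and payment diagrams above share one pattern: the HCE App is only a pass-through, and the cardlet on the smartSD releases stored data only after a mutual authentication it runs with the terminal or backend. The Python simulation below is an added example, not code from the SD Association deck or from any smartSD product. It assumes a pre-shared symmetric key between the key holder (terminal/backend) and the cardlet, and uses HMAC-SHA256 challenge-response in place of the real GlobalPlatform secure channel; the command names (SELECT, AUTH_INIT, AUTH_FINISH, WRITE_TICKET, GET_TICKET) and the sample ticket are constructed for the example. It also checks the property note 3 relies on: a complete transcript recorded by the App does not let anyone re-authenticate, because the cardlet picks a fresh nonce per session.

```python
import hashlib
import hmac
import secrets

# Constructed pre-shared key for the simulation. In the deck's model it would be
# provisioned into the cardlet at personalization (mailing perso or TSM).
PSK = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _mac(key: bytes, *parts: bytes) -> bytes:
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


class Cardlet:
    """Ticketing cardlet on the smartSD: owns the key, the ticket store and the
    authentication state. The key never leaves this object."""

    def __init__(self, key: bytes):
        self._key = key
        self._tickets = {}
        self._authenticated = False
        self._term_challenge = None
        self._card_nonce = None

    def process(self, cmd: str, *args):
        if cmd == "SELECT":
            self._authenticated = False
            return "SELECTED"
        if cmd == "AUTH_INIT":                  # args: terminal challenge
            (tc,) = args
            self._term_challenge = tc
            self._card_nonce = secrets.token_bytes(16)   # fresh per session
            return self._card_nonce, _mac(self._key, b"card", tc, self._card_nonce)
        if cmd == "AUTH_FINISH":                # args: terminal proof
            (term_proof,) = args
            if self._term_challenge is None:
                return "ERR_NO_SESSION"
            expected = _mac(self._key, b"term", self._term_challenge, self._card_nonce)
            self._authenticated = hmac.compare_digest(expected, term_proof)
            return "AUTH_OK" if self._authenticated else "ERR_AUTH"
        if not self._authenticated:             # every data command is gated on auth
            return "ERR_NOT_AUTHENTICATED"
        if cmd == "WRITE_TICKET":
            ticket_id, data = args
            self._tickets[ticket_id] = data
            return "STORED"
        if cmd == "GET_TICKET":
            (ticket_id,) = args
            return self._tickets.get(ticket_id, "ERR_NOT_FOUND")
        return "ERR_UNKNOWN"


class HceApp:
    """The HCE App from the slides: a pass-through holding no key material.
    It records what it forwards, so we can show that even a full transcript
    captured from a compromised App does not unlock the cardlet."""

    def __init__(self, cardlet: Cardlet):
        self._cardlet = cardlet
        self.transcript = []

    def pass_through(self, cmd: str, *args):
        resp = self._cardlet.process(cmd, *args)
        self.transcript.append((cmd, args, resp))
        return resp


class KeyHolder:
    """Terminal or backend that shares the key with the cardlet."""

    def __init__(self, key: bytes):
        self._key = key

    def mutual_auth(self, app: HceApp) -> bool:
        tc = secrets.token_bytes(16)
        card_nonce, card_proof = app.pass_through("AUTH_INIT", tc)
        # step 1: authenticate the cardlet
        if not hmac.compare_digest(card_proof, _mac(self._key, b"card", tc, card_nonce)):
            return False
        # step 2: prove knowledge of the key to the cardlet
        term_proof = _mac(self._key, b"term", tc, card_nonce)
        return app.pass_through("AUTH_FINISH", term_proof) == "AUTH_OK"


def replay_transcript(cardlet: Cardlet, transcript) -> bool:
    """A party holding only the App's recorded transcript replays the
    authentication messages. True only if the cardlet would accept them."""
    proxy = HceApp(cardlet)
    proxy.pass_through("SELECT")
    for cmd, args, _ in transcript:
        if cmd == "AUTH_INIT":
            proxy.pass_through(cmd, *args)      # same tc, but the cardlet picks a new nonce
        elif cmd == "AUTH_FINISH":
            return proxy.pass_through(cmd, *args) == "AUTH_OK"
    return False


def ticketing_flow() -> dict:
    """Runs both halves of the ticketing slide and reports what each party saw."""
    cardlet = Cardlet(PSK)
    app = HceApp(cardlet)
    backend, terminal = KeyHolder(PSK), KeyHolder(PSK)
    # Backend -> App (pass through) -> smartSD: authenticate, then write ticket data
    app.pass_through("SELECT")
    backend_auth = backend.mutual_auth(app)
    write_resp = app.pass_through("WRITE_TICKET", "T1", b"zone-1 day pass")
    # Terminal -> App -> smartSD: a read before authentication must be refused ...
    app.pass_through("SELECT")
    unauth_read = app.pass_through("GET_TICKET", "T1")
    # ... and succeeds after mutual authentication
    terminal_auth = terminal.mutual_auth(app)
    ticket = app.pass_through("GET_TICKET", "T1")
    # The App held no key: replaying its full transcript does not authenticate
    replay_accepted = replay_transcript(cardlet, app.transcript)
    return {"backend_auth": backend_auth, "write": write_resp, "unauth_read": unauth_read,
            "terminal_auth": terminal_auth, "ticket": ticket, "replay_accepted": replay_accepted}


if __name__ == "__main__":
    for k, v in ticketing_flow().items():
        print(f"{k}: {v!r}")
```

Run it directly to see each step's outcome. The replay check is the part that matters for the risk assessment in the slides: a compromised HCE App costs the service its UI and availability, not the key or the stored data.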
Memo
All approved by payment networks. Implementation choice is a business and strategic decision*.
*Technical specificities such as MIFARE may prevent HCE implementation
Options compared: UICC | eSE | smartSD | minimal HCE implementation | optimised HCE implementation with smartSD
OS Integration
• UICC / eSE / smartSD: contactless APIs at OS level
• minimal HCE implementation: App level and OS on devices with HCE
• optimised HCE implementation with smartSD: contactless APIs at OS level
Security
• UICC / eSE / smartSD: certified smart card chip in different form factor
• minimal HCE implementation: software and TEE: unknown financial risk level
• optimised HCE implementation with smartSD: certified smart card chip
Differentiation
• UICC: must fit within MNO wallet guidelines
• eSE: must fit within eSE wallet guidelines
• smartSD / minimal HCE / optimised HCE with smartSD: differentiation and business independence
Business model
• UICC / eSE: dependent on SE rental
• smartSD / minimal HCE / optimised HCE with smartSD: business independence
Costs
• UICC / eSE: TSM integration costs + minor operation costs
• smartSD: various options: sold vs. subsidized, mailing perso vs. TSM
• minimal HCE implementation: token server and continuous App upgrade for security
• optimised HCE implementation with smartSD: various options: sold vs. subsidized, mailing perso vs. TSM
Deployment
• UICC: a few days for TSM issuance; removable yet MNO specific
• eSE: a few days for TSM issuance; non removable yet MNO independent
• smartSD: a few days for mailing or TSM; removable, device and MNO independent
• minimal HCE implementation: instant gratification
• optimised HCE implementation with smartSD: instant gratification for users with smartSD, or a few days
Market Reach
• UICC: NFC UICC + NFC phone, except iPhone (for now)
• eSE: NFC phones, except iPhone (for now)
• smartSD: >70% of phones and growing, + iPhone support through accessory
• minimal HCE implementation: most recent smart phones, except iPhone (for now)
• optimised HCE implementation with smartSD: most recent smart phones, and iPhone through accessory
(Slide colour legend: bad / OK / good.)
To SE or not to SE?
• No need for a SE
• smartSD is best to address digital security and the enterprise market
• smartSD is best to enhance HCE with adequate security
• Contactless: smartSD is the best self-contained secure element
• smartSD can be distributed ready to use for service providers
smartSD overview
Acquisition of smartSD
Purchased alone or acquired with a service:
Retail
• Similar to the millions of microSD sold every day
• Virgin or pre-perso for one or more services
Vending machine
• Typically bundled with a service and ready to use
• Kiosk at targeted locations
Mailing
• Personalized and mailed as typical banking cards
Easiest launch and lowest upfront investment (no TSM or token server).
SmartSD: Consumer Centric
The smartSD consumer centric business model is a virtuous system:
• More Apps & Services
• More interest / benefits
• More users
• More NFC HW available
• Lower up front costs
smartSD Consumer Centric support
GlobalPlatform and SD Association have been working on consumer centric specifications that smooth issuance and give more control to the end user.
• Issuer centric and consumer centric configurations
  • Issuer centric: no different from today's UICC and eSE
  • Consumer centric: better adapted to a user-owned product, yet no different from issuer centric for service providers
• GlobalPlatform provides consumer centric cardlet life cycle management
  • User acceptance for cardlet issuance
  • Reset smartSD to blank status
• GlobalPlatform provides security for multiple services to share the same smartSD
  • No different from issuer centric
GP Consumer centric architecture
EU IM (End User Interface Module): an on-device wizard (application) that allows the End User to view, prioritize and perform authorization based on a pre-defined End User Management Policy.
EU-SD (End User Security Domain): a unique privileged on-card application, identified by a standardized fixed GlobalPlatform AID, that implements the End User's preferences.
In GP committee review; public release expected by mid-October 2014.
smartSD: best for digital security and for HCE
www.sdcard.org
THANK YOU