GlobalPlatform | Composition Model Made Simple
What is a composite product?
A composite product consists of an open platform (such as a secure element [SEs]), with one or more sensitive applications (such as mobile payment or identity / end-user authentication), and optionally one or more basic applications (which does not need to comply with stringent security requirements to operate, for example couponing or advertising).
What is the GlobalPlatform Composition Model?
The technical document is a common, cross-industry certification model for SEs with post-issuance capabilities. In essence, it outlines a methodology that streamlines the security evaluation of a near-field-communication (NFC) mobile composite product by specifying how EMVCo and Common Criteria certificates can be re-used for chips and SE platforms that have previously been certified.
EMVCo is the EMV® standards body jointly owned by American Express, JCB, MasterCard, UnionPay and Visa. Common Criteria is an international security certification standard involving national certification bodies that work on a mutual agreement basis to secure IT products and systems.
The document is of particular interest to mobile application and product issuers, such as mobile network operators (MNOs) and financial institutions.
Why is GlobalPlatform working in this space? I was not aware it was a certificate authority.
GlobalPlatform Specifications and supporting documentation are viewed as best practice and endorsed by a wide-range of industry players and certification bodies. While GlobalPlatform is not a certification authority, it has leveraged the knowledge of its members to develop solutions that address industry challenges.
So what industry challenge is GlobalPlatform addressing?
The industry is continually looking at ways to reduce product time to market while simultaneously advancing the security of a NFC mobile product. As SEs in mobile devices begin to host multiple applications, it is important that all applications perform as intended and do not interfere with the other services being delivered.
Evaluating the security of sensitive applications and the potential impact of adding a basic application pre and post issuance is therefore vital, but needs to be cost and time effective for all market stakeholders. Currently, as there is no basic application process, when a new application is introduced onto an SE - sensitive or basic - a full re-test is required of the entire product before it can be released. A developer launching a basic application, however, does not want to spend significant resources evaluating the full product (sensitive and basic applications) to validate that its product does not interfere with a sensitive application.
For NFC to reach its full potential, a balance needs to be achieved between technical, commercial and security requirements, as well as an understanding of the responsibilities and motivations of each actor contributing to the product.
How does the model work?
The GlobalPlatform Composition Model specifies how:
- Existing security evaluation results from EMVCo and Common Criteria can be re-used.
- Security evaluation work can be limited to only test the impact of a new application and SE combination.
This modular approach where each element of the product receives its own security certificate - optimizes the testing requirements of EMVCo and Common Criteria when a new sensitive application or a new platform is combined with a previously certified platform or sensitive application.
- The chip is certified against Common Criteria or EMVCo Security Requirements, as is the SE platform. This produces a single certificate for the combined chip/SE product.
- Independent certificates are received for each sensitive application installed. Any basic applications are 'verified' to confirm that they will not put any sensitive applications or the SE at risk.
What documents are available?
- The Card Composition Model Security Guidelines for Basic Applications v1.0, which proposes a minimal set of guidelines for basic applications. Adhering to these guidelines will protect sensitive applications, other applications, and the SE.
- Card Composition Model v1.1, which addresses the re-certification of multi-application products with additional applications.
- Card Composition Frequently Asked Questions v1.1, which supports industry players using this model for the first time.
All documents can be downloaded from the GlobalPlatform website without charge.
Is the industry as a whole in support of the model?
The GlobalPlatform Composition Model was developed with support from EMVCo and the GSMA. It has been endorsed by AFSCM, the European Payments Council, the European Telecommunications Standard Institute (ETSI) and SIMalliance. The document has also received a contribution from the International Security Certification Initiative.
What is next for GlobalPlatform within the security space?
GlobalPlatform is continually looking at ways to support its members and the wider industry in advancing the secure chip ecosystem. The GlobalPlatform Composition Model will evolve to reflect advancing industry needs.