GlobalPlatform Enhances Mobile Device Security
Industry body standardizes a secure channel to optimize security for mobile applications
11 June 2015 – GlobalPlatform has published an upgrade to its Card Specification v2.2 to protect the data exchange between a secure element (SE) and a trusted execution environment (TEE) on a mobile device. The ‘GlobalPlatform Secure Channel Protocol 11’addresses the increasing number of use cases, such as mobile banking, where applications utilize both the SE and TEE to protect a secure service. The document is particularly relevant to secure application developers and issuers, and can be downloaded free of charge.
“This advancement focuses on making the best use of security that is already present on the device,” comments Karl Eglof Hartel, Chair of the GlobalPlatform Card Committee and Director for Standards and Innovation in the Mobile Security business unit at Giesecke & Devrient. “Data breaches are growing daily and as more secure services are deployed to mobile devices, hackers will follow. This update seeks to better combine the security characteristics of the SE and TEE, ensuring that the communication channel between them is secure.”
In use cases like biometric authentication, virtual private networks (VPN) or mobile banking, the SE in the device is used to store the critical part of the application and its associated cryptographic keys. In parallel, the trusted application resides in the TEE to enable management of the end user and backend interaction prior to a transaction being authorized. The Secure Channel Protocol 11 protects the data being transferred between these two secure components.
“The combination of advanced cryptography and the secure components simplifies the delivery of secure services,” adds Karl Eglof. “Data is secure while stored in the SE and TEE, and this channel further strengthens the protection of sensitive data when it is in transit. We have brought forward this update to answer a market need for more effective security and to support the long-term requirements of secure application developers and issuers.”
From a technical perspective, data passed between trusted applications stored in the TEE and SE is protected by the secure channel, which is established by GlobalPlatform’s TEE SE API. Elliptic curve cryptography (ECC) is used for the generation of the session keys for encryption and authentication. It also provides perfect forward secrecy (PFS) by using ephemeral keys, preventing the decryption of the data by attackers, should they also get hold of the long-term keys.
The document can be downloaded free of charge from the GlobalPlatform website.
Keep up to date with the latest news from GlobalPlatform:
- Follow on Twitter: https://bit.ly/wOiHFp
- Join us on LinkedIn: https://linkd.in/xjxsN5
- Subscribe to GlobalPlatformTV: https://bit.ly/1BzvLoa
Notes to editors:
- The secure element is a tamper-resistant platform (typically a one chip secure microcontroller) capable of securely hosting applications and their confidential and cryptographic data.
- The trusted execution environment a secure isolated area in the main processor of a connected device that ensures sensitive data is stored, processed and protected in a trusted environment.
- The trusted user interface (TUI) enables the device to be controlled by the TEE, ensuring the information displayed on screen is correct and from a trusted application. Many sensitive use cases such as bill payment, money transfer, purchasing products / services or document signature validation, require some form of interaction with the end user, meaning that sensitive information needs to be ‘exposed’ to the user for validation. It is also important for the end user to be assured that ‘what you see, is what you sign’ and the transaction has not been modified by a hacker, virus or Trojan, and is being performed in a secure environment.
GlobalPlatform defines and develops specifications to facilitate the secure deployment and management of multiple embedded applications on secure chip technology. Its standardized infrastructure empowers service providers to develop services once and deploy across different markets, devices and channels. GlobalPlatform’s security and privacy parameters enable dynamic combinations of secure and non-secure services from multiple providers on the same device, providing a foundation for market convergence and innovative new cross-sector partnerships.
GlobalPlatform is the international industry standard for trusted end-to-end secure deployment and management solutions. The technology’s widespread global adoption across finance, mobile/telecom, government, healthcare, retail and transit sectors delivers cost and time-to-market efficiencies to all. GlobalPlatform supports the long-term interoperability and scalability of application deployment and management through its secure chip technology open compliance program.
As a non-profit, member-driven association, GlobalPlatform has cross-market representation from all continents. 130+ members contribute to technical committees and market-led task forces. For more information on GlobalPlatform membership visit www.globalplatform.org