Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dongyan Wang GlobalPlatform Technical Program Manager

Published byCamron Henderson Modified over 9 years ago

Similar presentations

Presentation on theme: "Dongyan Wang GlobalPlatform Technical Program Manager"— Presentation transcript:

1 How GlobalPlatform's TEE is Solving the Missing Security Link for Mobile Wallets
Dongyan Wang GlobalPlatform Technical Program Manager Thursday 20 March GP Confidential ©2013 @GlobalPlatform_

2 GlobalPlatform Members

3 GlobalPlatform Positioning
GlobalPlatform is the standard for managing applications on secure chip technology Trusted Execution Environment Secure Element AND Across several market sectors and in converging sectors Premium Content

4 Mobile as a Center of the New Service Deployment
Trusted Execution Environment (TEE) TEE provides with a unique capability to ensure that the transaction: Is approved by the right end user Takes place on the right and trusted device Takes place between the application and cloud or back-end server

5 A Basic Wallet and Extensions
Means to authenticate users A list of services An identified device Root of trust Device authentication Wallet APP Transaction management User Authentication On device: Personal sensitive data storage Transaction validation by user User authentication Secure communication to cloud Secure communication to secure element (SE) Wallet application maintenance Loading 3rd party app on m-Wallet

6 Sensitive Data Protection in View

7 GlobalPlatform TEE Isolation of sensitive assets
Open to malware and rooting / jailbreaking Isolation of sensitive assets Primary device environment runs as normal, including other security mechanisms Security critical code and resources protected by TEE applications GlobalPlatform APIs ensure portability across handsets / platforms TEE provides the constant security foundation independent of OS choice TEE provided hardware based isolations from rich operating system (OS) TEE has privileged access to platform and device resources: User interface, memory controller, video / audio hardware, crypto accelerators, biometry, …)

8 What Makes the TEE Secure?
Isolation in databus & addr bus level Main security properties in TEE Isolation between rich OS and TEE Isolation between trusted applications (TAs) within TEE Isolation between TAs and TEE OS Temporary or permanent exclusive access to some device resources TEE is an association of: Hardware: Hardware security technology Software: TEE secure operating system (secure kernel, secure drivers, etc.) TEE is built upon: Hardware-based isolation: e.g. system-on-chip hardware-based secure mode Hardware root of trust Secure boot process chain started from ROM code Hardware unique key present within chipset and solely accessible by TEE Small footprint of TEE OS to pass a security certification TEE is designed to protect against any software attack arising from rich OS environment, such as malware or due to device being rooted + TEE OS

9 Trusted Execution Environment
TEE for Wallets Trusted Execution Environment Companion Wallet Trusted Application Financial Server TEE OS Wallet Application Trusted User Interface Open OS Device Secure Storage Crypto Application Processor Secure Elements

10 TEE: A Toolbox for Wallet
Sensitivity in Wallets TEE Security Function in Wallet Scenario TEE Primitives User authentication Protect credential entry (e.g. login/password or PIN entry ) TUI Device authentication By using device specific credentials Crypto Explicit payment action Protect from interactions on the device not intended by the user Transaction information validation Protect transaction information display and potential credential entry (e.g. PIN entry) Data storage Protect information such as user’s profile or transaction logs/statistic Secure storage Hosting of additional 3rd party applications in m-wallet Protect application code & data such as loyalty and couponing All functions SE applet configuration Protect user-configured parameters such as amount threshold for no-PIN transactions TUI + SE + Crypto Communication to SE and SE applet Protect access and communication to SE applets from only TEE applications SE + Crypto Cloud Communication Secure communications from / to cloud Crypto + Network

11 Fingerprint / Biometry
The objective is to protect the control access of biometry sensor Secure enrolment and verification either within the TEE or the TA To support ID initiative, such as FIDO, OpenID 2.0. GlobalPlatform will publish biometry API for Trusted Application including fingerprint sensor access support Target date for public review: end of 2014

12 Complete End-to-End Infrastructure for Secure Wallet Deployment
Messaging End-to-end security

13 to enable interoperable
Ease the Interoperable Wallet Deployment GlobalPlatform Specifications to enable interoperable services Transport Payment Retail MNOs Card Configurations Compliance GlobalPlatform UICC Configuration v1.0.1 / - Contactless Extension v1.0 GlobalPlatform Mapping Guidelines GlobalPlatform Basic Financial Configuration v1.5 GlobalPlatform ID configurations (under review) Common Implementation configuration (under review) TEE Compliance GlobalPlatform TEE Initial Configuration Test Suite GlobalPlatform TEE Protection Profile v1.0 Current and first-phase focus = DEVICE PLATFORM Final product (smartphone, tablet etc): in light delta compliance and / or security certification will be defined in second phase + TEE OS TSM Compliance GlobalPlatform System Messaging Specification for Management of Mobile-NFC Services v1.1.2 Systems Profile and Scripting Specifications v1.1 GlobalPlatform E2E Simplified Services Deployment v1.0

14 More @ www.globalplatform.org

Download ppt "Dongyan Wang GlobalPlatform Technical Program Manager"

Similar presentations

Multi-Application in Smart Card-based Devices Christophe Colas, Chief Software Architect August 2002.

Multi-Application in Smart Card-based Devices Christophe Colas, Chief Software Architect August 2002.
Accelerate the on-boarding of Service Providers in Trusted Infrasturcture Virginia Chan, Vice President Hong Kong Mar 19 th, 2014.

Accelerate the on-boarding of Service Providers in Trusted Infrasturcture Virginia Chan, Vice President Hong Kong Mar 19 th, 2014.
Ecosystem Scenarios for Cloud-based NFC Payments

Ecosystem Scenarios for Cloud-based NFC Payments
HCE AND BLE UNIVERSITY TOMORROWS TRANSACTIONS LONDON, 20 TH MARCH 2014.

HCE AND BLE UNIVERSITY TOMORROWS TRANSACTIONS LONDON, 20 TH MARCH 2014.
Identity and Access IDPrime MD 8840 and IDCore 8030 MicroSD cards

Identity and Access IDPrime MD 8840 and IDCore 8030 MicroSD cards
Internet of Things Security Architecture

Internet of Things Security Architecture
SafeNet Luna XML Hardware Security Module

SafeNet Luna XML Hardware Security Module
NFC Devices: Security and Privacy

NFC Devices: Security and Privacy
1 GP Confidential ©2013 1 GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)

1 GP Confidential © GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
J2ME 25 July 2002. Overview  What is J2ME?  The CLDC and CDC configurations  MIDP and MIDlets  Development Tools  Demonstrations.

J2ME 25 July Overview  What is J2ME?  The CLDC and CDC configurations  MIDP and MIDlets  Development Tools  Demonstrations.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division.

Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.

Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.
Sony White House Anthem Lockheed Aramco Bushehr nuclear reactor NSA Hacked Facebook Hacked Apple,Google,Microsoft,

Sony White House Anthem Lockheed Aramco Bushehr nuclear reactor NSA Hacked Facebook Hacked Apple,Google,Microsoft,
Script Kiddies; CybercrimeCyber-espionage; Cyber-warfare CybercriminalsState sponsored actions; Unlimited resources Attacks on fortune 500All sectors.

Script Kiddies; CybercrimeCyber-espionage; Cyber-warfare CybercriminalsState sponsored actions; Unlimited resources Attacks on fortune 500All sectors.
Data Devices People 6.5B Wireless connections today >42% of global population owns smartphone by end of 2015 >50% User will go to tablet or smartphone.

Data Devices People 6.5B Wireless connections today >42% of global population owns smartphone by end of 2015 >50% User will go to tablet or smartphone.
J2ME Web Services Specification.  With the promise to ease interoperability and allow for large scale software collaboration over the Internet by offering.

J2ME Web Services Specification.  With the promise to ease interoperability and allow for large scale software collaboration over the Internet by offering.
User Managed Privacy Using Distributed Trust Privacy and Security Research Workshop Carnegie Mellon University May 29-30, 2002 Lark M. Allen / Wave Systems.

User Managed Privacy Using Distributed Trust Privacy and Security Research Workshop Carnegie Mellon University May 29-30, 2002 Lark M. Allen / Wave Systems.

Similar presentations

Ads by Google