Trusted Execution Environment and Host Card Emulation
Over the years, mobile devices have become increasingly sophisticated in both their features and the use cases they support. This sophistication enlarges the attack surface of the device, and the challenge from a security standpoint is to offer security assurances to the applications and services hosted on it. A Trusted Execution Environment (TEE) addresses this by providing an execution and storage platform on the device that is isolated from the rest of the operating system and from other applications, and that is intended to be trustworthy. It thereby offers confidentiality and integrity assurances for the applications running inside it and for their data. In this chapter, we explore what constitutes a TEE and the security features a TEE is expected to provide, and we highlight standardisation efforts relating to TEEs. Example TEE implementations are contrasted, and Host Card Emulation (HCE), as used in Near-Field Communication (NFC), is examined alongside them. NFC card emulation has traditionally relied on a TEE in the form of a tamper-resistant Secure Element (SE) chip, whereas HCE allows an application running on the host CPU of the mobile device to emulate a smart card. HCE therefore introduces new security risks, and this chapter considers how these can be managed to an acceptable level.
Keywords: Mobile devices · NFC · Security · Trusted Execution Environment · Secure Element · Platform integrity · Host Card Emulation · Tokenisation · Secure storage · Secure execution
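The card-emulation exchange the abstract describes, as an added example that is not code from the chapter or from the Android project: a host-side emulated card that parses ISO 7816-4 command APDUs, answers SELECT for one AID, and returns a cryptogram computed under a limited-use token rather than a long-lived card key, which is the mitigation the abstract refers to as tokenisation. The real Android API is Java (HostApduService.processCommandApdu); Python is used here so the dispatcher runs stand-alone. The AID, the choice of GET DATA as the transaction command, the token layout and the HMAC-based cryptogram are all constructed for illustration and follow no payment network's specification.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# ISO 7816-4 status words (SW1 SW2) returned to the reader
SW_OK = b"\x90\x00"
SW_WRONG_LENGTH = b"\x67\x00"
SW_CONDITIONS_NOT_SATISFIED = b"\x69\x85"
SW_FILE_NOT_FOUND = b"\x6a\x82"
SW_INS_NOT_SUPPORTED = b"\x6d\x00"
SW_CLA_NOT_SUPPORTED = b"\x6e\x00"


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None


def parse_apdu(raw: bytes) -> Apdu:
    """Parse a short-form command APDU (ISO 7816-4 cases 1 to 4); raise
    ValueError on a truncated header or an Lc that disagrees with the body."""
    if len(raw) < 4:
        raise ValueError("header shorter than CLA INS P1 P2")
    cla, ins, p1, p2, body = raw[0], raw[1], raw[2], raw[3], raw[4:]
    if not body:                                   # case 1: header only
        return Apdu(cla, ins, p1, p2)
    if len(body) == 1:                             # case 2: Le only
        return Apdu(cla, ins, p1, p2, le=body[0] or 256)
    lc, rest = body[0], body[1:]
    if len(rest) < lc:
        raise ValueError("Lc exceeds the bytes actually present")
    data, tail = rest[:lc], rest[lc:]
    if not tail:                                   # case 3: Lc + data
        return Apdu(cla, ins, p1, p2, data)
    if len(tail) == 1:                             # case 4: Lc + data + Le
        return Apdu(cla, ins, p1, p2, data, tail[0] or 256)
    raise ValueError("trailing bytes after the data field")


@dataclass
class LimitedUseToken:
    """Constructed stand-in for a provisioned payment token: a surrogate for
    the PAN plus a limited-use key (LUK) that is good for only a few taps."""
    token: bytes          # 8-byte surrogate PAN (constructed)
    luk: bytes            # 16-byte limited-use key (constructed)
    uses_left: int
    atc: int = 0          # application transaction counter


class TokenisedPaymentService:
    """Plays the role of an Android HostApduService. Only the token pool lives
    on the host CPU: malware that dumps this process gets revocable tokens,
    not the PAN or an issuer master key."""
    AID = bytes.fromhex("F0A1B2C3D4E5F6")          # hypothetical proprietary AID
    INS_SELECT, INS_GET_DATA = 0xA4, 0xCA

    def __init__(self, tokens: List[LimitedUseToken]):
        self._tokens = list(tokens)
        self._selected = False

    def process_command_apdu(self, raw: bytes) -> bytes:
        try:
            apdu = parse_apdu(raw)
        except ValueError:
            return SW_WRONG_LENGTH
        if apdu.cla != 0x00:
            return SW_CLA_NOT_SUPPORTED
        if apdu.ins == self.INS_SELECT and apdu.p1 == 0x04:   # SELECT by DF name
            return self._select(apdu)
        if apdu.ins == self.INS_GET_DATA:
            return self._get_cryptogram(apdu)
        return SW_INS_NOT_SUPPORTED

    def _select(self, apdu: Apdu) -> bytes:
        self._selected = apdu.data == self.AID
        if not self._selected:
            return SW_FILE_NOT_FOUND
        fci = b"\x6f" + bytes([len(self.AID) + 2]) + b"\x84" + bytes([len(self.AID)]) + self.AID
        return fci + SW_OK                         # minimal FCI template 6F { 84 AID }

    def _get_cryptogram(self, apdu: Apdu) -> bytes:
        if not self._selected:
            return SW_CONDITIONS_NOT_SATISFIED
        if len(apdu.data) != 4:                    # reader's 4-byte unpredictable number
            return SW_WRONG_LENGTH
        self._tokens = [t for t in self._tokens if t.uses_left > 0]
        if not self._tokens:
            return SW_CONDITIONS_NOT_SATISFIED     # pool exhausted: replenish online first
        tok = self._tokens[0]
        tok.atc, tok.uses_left = tok.atc + 1, tok.uses_left - 1
        atc = tok.atc.to_bytes(2, "big")
        # The cryptogram binds token, counter and reader nonce under the LUK, so a
        # captured response cannot be replayed at another terminal.
        mac = hmac.new(tok.luk, tok.token + atc + apdu.data, hashlib.sha256).digest()[:8]
        return tok.token + atc + mac + SW_OK


def demo_tap_sequence() -> dict:
    """Reader-side view of one session against a two-use token (constructed data)."""
    svc = TokenisedPaymentService([LimitedUseToken(bytes.fromhex("1122334455667788"), b"\x2b" * 16, 2)])
    get_data = b"\x00\xca\x00\x00\x04" + b"\x01\x02\x03\x04" + b"\x00"
    out = {"before_select": svc.process_command_apdu(get_data)}
    out["wrong_aid"] = svc.process_command_apdu(b"\x00\xa4\x04\x00\x05" + bytes.fromhex("A000000003") + b"\x00")
    out["select"] = svc.process_command_apdu(b"\x00\xa4\x04\x00\x07" + TokenisedPaymentService.AID + b"\x00")
    out["tap1"] = svc.process_command_apdu(get_data)
    out["tap2"] = svc.process_command_apdu(get_data)
    out["tap3"] = svc.process_command_apdu(get_data)   # pool exhausted
    return out
```

The point of the design is what is absent from the host: no PAN and no issuer key, only a pool that the issuer can cap and revoke. The parser rejects APDUs whose Lc does not match the body before any handler sees them, and every transaction response changes with the counter and the reader nonce, so an eavesdropped tap does not yield a reusable credential.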
- 1. Amit Vasudevan, Emmanuel Owusu, Zongwei Zhou, James Newsome, and Jonathan M. McCune. Trustworthy Execution on Mobile Devices: What Security Properties Can My Mobile Platform Give Me? In Trust and Trustworthy Computing: 5th International Conference, TRUST 2012, Vienna, Austria, June 13–15, 2012, Proceedings, pages 159–178. Springer Berlin Heidelberg, Berlin, Heidelberg, 2012. Cited 06 Jan 2016.
- 2. EMVCo. EMV Payment Tokenisation Specification. Standard, 2014. Cited 15 Jan 2016.
- 3. ARM Limited. ARM Security Technology: Building a Secure System using TrustZone Technology, April 2009. http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf. Cited 08 Feb 2016.
- 4. Trusted Computing Group. TCG Specification: TPM 2.0 Mobile Reference Architecture, December 2014. http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-2-0-Mobile-Reference-Architecture-v2-r142-Specification_FINAL2.pdf. Cited 17 Feb 2016.
- 5. Trusted Computing Group. TCG Specification: TPM 2.0 Mobile Common Profile, December 2015. http://www.trustedcomputinggroup.org/wp-content/uploads/TPM_2.0_Mobile_Common_Profile_v2r31.pdf. Cited 19 Feb 2016.
- 6. Trusted Computing Group. TCG Specification: TPM 2.0 Mobile Command Response Buffer Interface, December 2014. http://www.trustedcomputinggroup.org/wp-content/uploads/Mobile-Command-Response-Buffer-Interface-v2-r12-Specification_FINAL2.pdf. Cited 19 Feb 2016.
- 7. Unified Extensible Firmware Interface Forum. Unified Extensible Firmware Interface Specification, version 2.6, January 2016. http://www.uefi.org/sites/default/files/resources/UEFIUEFI%20Spec%202_6.pdf. Cited 02 Jan 2016.
- 8. GlobalPlatform. GlobalPlatform Device Technology: TEE System Architecture v1.0, December 2011. Cited 06 Mar 2016.
- 9. GlobalPlatform. GlobalPlatform Device Technology: TEE Client API Specification v1.0, July 2010. Cited 06 Mar 2016.
- 10. GlobalPlatform. GlobalPlatform Device Technology: TEE Internal API Specification, December 2011. Cited 10 Mar 2016.
- 11. GlobalPlatform. GlobalPlatform Device Technology: Trusted User Interface API Specification v1.0, June 2013. Cited 12 Mar 2016.
- 12. Intel Corporation. Intel Software Guard Extensions Programming Reference, October 2014. https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf. Cited 18 Mar 2016.
- 13. Smart Card Alliance. Host Card Emulation (HCE) 101. Technical report, Smart Card Alliance, Mobile and NFC Council, August 2014. Cited 20 Mar 2016.
- 14. Doug Yeager. Added NFC Reader support for two new tag types: ISO PCD type A and ISO PCD type B, 2012. https://github.com/CyanogenMod/android_packages_apps_Nfc. Cited 06 Apr 2016.
- 15. Assad Umar, Keith Mayes, and Konstantinos Markantonakis. Performance variation in host-based card emulation compared to a hardware security element. In First Conference on Mobile and Secure Services (MOBISECSERV), pages 1–6, 2015. Cited 11 Apr 2016.
- 16. Stanley Chow, Phil Eisen, Harold Johnson, and Paul C. van Oorschot. A White-Box DES Implementation for DRM Applications. In Digital Rights Management: ACM CCS-9 Workshop, DRM 2002, Washington, DC, USA, November 18, 2002, Revised Papers, pages 1–15. Springer Berlin Heidelberg, Berlin, Heidelberg, 2003. Cited 16 Apr 2016.
- 17. Brecht Wyseur. White-box cryptography: Hiding keys in software. Technical report, NAGRA Kudelski Group, Switzerland, 2012. Cited 06 Apr 2016.
- 18. Android Developer Guide. Service. https://developer.android.com/reference/android/app/Service.html#WhatIsAService. Cited 16 Apr 2016.
- 19. ISO/IEC 7816-4:2013. Identification cards – Integrated circuit cards – Part 4: Organization, security and commands for interchange. Standard, International Organization for Standardization, Geneva, CH, 2013. Cited 06 Jun 2016.
- 20. Android Developer Guide. Host-based card emulation. https://developer.android.com/guide/topics/connectivity/nfc/hce.html. Cited 16 Apr 2016.