Abstract
Today, most smartphones feature different kinds of secure hardware, such as processor-based security extensions (e.g., TrustZone) and dedicated secure co-processors (e.g., SIM cards or embedded secure elements). Unfortunately, secure hardware is almost never utilized by commercial third-party apps, although its use would drastically improve the security of security-critical apps. The reasons are diverse: secure hardware stakeholders such as phone manufacturers and mobile network operators (MNOs) have full control over the corresponding interfaces and expect high financial revenue; and the current code provisioning schemes are inflexible and impractical since they require developers to collaborate with large stakeholders.
In this paper we propose a new code provisioning paradigm for code intended to run within execution environments established on top of secure hardware. It leverages a market-based code distribution model and overcomes the disadvantages of existing code provisioning schemes. In particular, it gives third-party developers access to secure hardware; allows secure hardware stakeholders to obtain revenue for usage of the hardware they control; and does not require third-party developers to collaborate with large stakeholders, such as OS and secure hardware vendors. Our scheme is compatible with Global Platform (GP) specifications and can be easily incorporated into existing standards.
Notes
1. Secure boot means a system terminates the boot process in case the integrity check of a component to be loaded fails [32].
2. Please visit our project page http://jcandroid.org.
3. For instance, the retail price for the cgCard [16] is 99 EUR per piece.
4. Indirect access is available for certain crypto operations provided by Android’s KeyStore https://developer.android.com/about/versions/android-4.3.html.
5.
6. For instance, GP specifies [23] that Java Cards share with the card issuer (i.e., a stakeholder) the symmetric Data Encryption Key (DEK).
References
1. BouncyCastle crypto API. https://www.bouncycastle.org/
2. GlobalPlatform - device specifications. http://www.globalplatform.org/specificationsdevice.asp
3. Google Wallet: Shop. Save. Pay. With your phone. http://www.google.com/wallet/
4. jCardSim Java card runtime environment simulator. http://jcardsim.org/
5. Sierraware. http://www.sierraware.com
6. SpongyCastle crypto API. http://rtyley.github.io/spongycastle/
7. Akram, R.N., Markantonakis, K.: Rethinking the smart card technology. In: the Second International Conference on Human Aspects of Information Security, Privacy, and Trust, pp. 221–232 (2014)
8. Akram, R.N., Markantonakis, K., Mayes, K.: A paradigm shift in smart card ownership model. In: International Conference on Computational Science and its Applications (ICCSA 2010), pp. 191–200, Washington, DC, USA. IEEE Computer Society (2010)
9. Akram, R.N., Markantonakis, K., Mayes, K.: User centric security model for tamper-resistant devices. In: IEEE International Conference on e-Business Engineering (ICEBE 2011), pp. 168–177 (2011)
10. Akram, R.N., Markantonakis, K., Mayes, K.: Trusted platform module for smart cards. In: 6th International Conference on New Technologies, Mobility and Security, NTMS 2014, pp. 1–5. IEEE (2014)
11. Alves, T., Felton, D.: TrustZone: integrated hardware and software security. Inf. Q. 3(4), 18–24 (2004)
12. Anwar, W., Lindskog, D., Zavarsky, P., Ruhl, R.: Redesigning secure element access control for NFC enabled Android smartphones using mobile trusted computing. In: International Conference on Information Society (i-Society), June 2013
13. Apple Press. Apple Announces Apple Pay: Transforming Mobile Payments with an Easy, Secure and Private Way to Pay, September 2014. https://www.apple.com/pr/library/2014/09/09Apple-Announces-Apple-Pay.html
14. Azema, J., Fayad, G.: M-Shield mobile security technology: Making wireless secure. Texas Instruments white paper (2008). http://focus.ti.com/pdfs/wtbu/ti_mshield_whitepaper.pdf
15. Busold, C., Dmitrienko, A., Seudi, H., Taha, A., Sobhani, M., Wachsmann, C., Sadeghi, A.-R.: Smart keys for cyber-cars: secure smartphone-based NFC-enabled car immobilizer. In: ACM Conference on Data and Application Security and Privacy (CODASPY), February 2013
16. Certgate. Certgate products. cgCard (2012). http://www.certgate.com/wp-content/uploads/2012/09/20131113_cgCard_Datasheet_EN.pdf
17. Clark, S.: MasterCard and Samsung introduce embedded NFC payments (2013). http://www.nfcworld.com/2013/12/13/327343/mastercard-samsung-introduce-embedded-nfc-payments/
18. Dmitrienko, A., Sadeghi, A.-R., Tamrakar, S., Wachsmann, C.: SmartTokens: delegable access control with NFC-enabled smartphones. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) TRUST 2012. LNCS, vol. 7344, pp. 219–238. Springer, Heidelberg (2012)
19. Edgar Dunn and Company. Advanced payments report (2014). http://www.paymentscardsandmobile.com/wp-content/uploads/2014/02/PCM_EDC_Advanced_Payments_Report_2014_MWC.pdf
20. Ekberg, J.-E., Kostiainen, K., Asokan, N.: The untapped potential of trusted execution environments on mobile devices. IEEE Secur. Priv. 99:1 (2014) (PrePrints)
21. Elenkov, N.: Accessing the embedded secure element in Android 4.x (2012). http://nelenkov.blogspot.de/2012/08/accessing-embedded-secure-element-in.html
22. European Payments Council - GSMA. Trusted Service Manager. Service management requirements and specifications. EPC 220–08. Version 1.0 (2010). http://www.europeanpaymentscouncil.eu/index.cfm/knowledge-bank/epc-documents/epc-gsma-tsm-service-management-requirements-and-specifications/epc220-08-epc-gsma-tsm-wp-v1pdf/
23. Global Platform. Card specification. Version 2.2 (2006)
24. Global Platform. Remote application management over HTTP protocol, September 2006
25. Global Platform. Global Platform card technology: Secure channel protocol 03, September 2009
26. Global Platform. GlobalPlatform’s proposition for NFC mobile: Secure element management and messaging. White paper (2009). http://www.sicherungssysteme.net/fileadmin/GlobalPlatform_NFC_Mobile_White_Paper.pdf
27. GlobalPlatform. GlobalPlatform Device Technology. TEE System Architecture. Version 1.0 (2011). http://globalplatform.org/specificationsdevice.asp
28. GlobalPlatform. A new model: The consumer-centric model and how it applies to the mobile ecosystem (2012). http://www.globalplatform.org/documents/Consumer_Centric_Model_White_PaperMar2012.pdf
29. GlobalPlatform. Secure element access control (2012). http://www.globalplatform.org/specificationsdevice.asp
30. González, J., Bonnet, P.: Towards an open framework leveraging a trusted execution environment. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds.) CSS 2013. LNCS, vol. 8300, pp. 458–467. Springer, Heidelberg (2013)
31. Google. Android API guide - Bluetooth (2010). http://developer.android.com/guide/topics/connectivity/bluetooth.html
32. Itoi, N., Arbaugh, W.A., Pollack, S.J., Reeves, D.M.: Personal secure booting. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 130–144. Springer, Heidelberg (2001)
33. Ekberg, J.-E.: Trustonic. <t-base - a trusted execution environment. White paper (2014)
34. Kostiainen, K., Ekberg, J.-E., Asokan, N., Rantala, A.: On-board credentials with open provisioning. In: ACM Symposium on Information, Computer, and Communications Security (ASIACCS), pp. 104–115. ACM (2009)
35. Kostiainen, K., Reshetova, E., Ekberg, J.-E., Asokan, N.: Old, new, borrowed, blue - a perspective on the evolution of mobile platform security architectures. In: First ACM Conference on Data and Application Security and Privacy, pp. 13–24 (2011)
36. Marforio, C., Karapanos, N., Soriente, C., Kostiainen, K., Čapkun, S.: Secure enrollment and practical migration for mobile trusted execution environments. In: The Third ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), pp. 93–98. ACM, New York (2013)
37. Marlowe, C.: Intel and Visa join forces to boost mobile payments (2012). http://www.dmwmedia.com/news/2012/02/28/intel-and-visa-join-forces-to-boost-mobile-payments
38. Masti, R.J., Marforio, C., Čapkun, S.: An architecture for concurrent execution of secure environments in clouds. In: The ACM Cloud Computing Security Workshop (CCSW), pp. 11–22 (2013)
39. Press Release, Giesecke and Devrient. G&D makes mobile terminal devices even more secure with new version of smart card in microSD format. http://www.gi-de.com/en/about_g_d/press/press_releases/G%26D-Makes-Mobile-Terminal-Devices-Secure-with-New-MicroSD%E2%84%A2-Card-g3592.jsp
40. TrendLabs. 3Q 2012 security roundup. Android under siege: Popularity comes at a price (2012). http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-3q-2012-security-roundup-android-under-siege-popularity-comes-at-a-price.pdf
41. Vasudevan, A., Owusu, E., Zhou, Z., Newsome, J., McCune, J.M.: Trustworthy execution on mobile devices: what security properties can my mobile platform give me? In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) TRUST 2012. LNCS, vol. 7344, pp. 159–178. Springer, Heidelberg (2012)
Acknowledgements
We thank N. Asokan for several fruitful discussions and feedback on the paper draft. Further, we thank the anonymous reviewers for their helpful comments. This work was partially supported by the German ministry of education and research (Bundesministerium für Bildung und Forschung, BMBF) within the Software Campus initiative.
Copyright information
© 2015 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Dmitrienko, A., Heuser, S., Nguyen, T.D., da Silva Ramos, M., Rein, A., Sadeghi, AR. (2015). Market-Driven Code Provisioning to Mobile Secure Hardware. In: Böhme, R., Okamoto, T. (eds) Financial Cryptography and Data Security. FC 2015. Lecture Notes in Computer Science, vol 8975. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47854-7_23
DOI: https://doi.org/10.1007/978-3-662-47854-7_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-47853-0
Online ISBN: 978-3-662-47854-7
eBook Packages: Computer Science (R0)