2. Agenda
• Introduction to GlobalPlatform
• IoT Security Use Cases
• Introduction to the Trusted Execution Environment
• Trusted Application Manager
• Question and Answer (Time Permitting)
4. GlobalPlatform Overview
• GlobalPlatform is an international standards organization that provides a comprehensive set of specifications, divided into three domains:
– Card
Focus on the Secure Element (SE), secure chip technology.
– Device
Include the complete set of specifications for the Trusted Execution Environment (TEE), and technology to integrate a secure element into a device such as over-the-air management or the access control specification.
– Systems (Cloud)
Cover the interactions between the managing systems of Secure Element Issuers (SEIs), Service Providers (SPs), the Controlling Authority (CA) and Trusted Service Managers (TSMs).
7. Value of GlobalPlatform’s Solution
• GlobalPlatform’s Specifications offer:
– Interoperability
– Flexibility
– Multi-application management
– Security
• GlobalPlatform is not an all-or-nothing proposition. The Specifications:
– Can be used independently or all together
– Work together with proprietary models
– Support both single and multiple applications
8. Secure Element
• A secure element (SE) is a tamper-resistant platform capable of securely
hosting applications and their confidential and cryptographic data (e.g. key
management) in accordance with the rules and security requirements set forth
by a set of well-identified trusted authorities.
• From 2013 to 2015, more than 17 billion GlobalPlatform cards or SEs have been produced
12. IoT security requirements
• Device to device communication: Device identification
• Send message securely to cloud service: encrypt
• Device lifecycle and management
• Identity (Identification, access control, privacy): configuration, operations
13. Deployment Example
• Some will adopt GlobalPlatform technologies (Secure Element) for security purposes
– Smart Meters
– Medical Equipment
– Security Components
15. Secure component in use
• State of the art Root of Trust
• Simplified key injection (keys are already inside the hardware to be embedded)
• Cost effective crypto processor
• Certified and reliable (no risk of crypto bugs from open source libraries)
• Enables Unique Identification
• Reliable Crypto Environment
• Flexibility of services
• Same platform can be customized depending on the market
• Isolated environment
• Crypto engine protected from other operations in the device
• Provides Remote Administration
• Update of IoT device security features in a multi-tenant environment
16. Secure component in use
[Diagram: Device, with "Security services for application" and "Security services for device"]
18. GlobalPlatform TEE
• GlobalPlatform defines a TEE as a secure area in the main processor in a connected device
• Ensures sensitive data is stored, processed, and protected in an isolated, trusted environment
• Offers isolated safe execution of authorized security software, known as 'trusted applications', which enables end-to-end security
19. Trusted Execution Environment Adoption
• Android 6.0 requires TEE to protect biometric readers and data
• FIDO Alliance and GlobalPlatform working together to ease development
• oneM2M refers to GlobalPlatform TEE to provide level 2 protection
20. Hack Example
› Waze Social Traffic hack
› Attacker creates “ghost jam”
› Other users diverted
› Attacker clears road ahead
› “Sensors” spoofed using Android dev environments
› Fake user accounts made
› Big Data fooled
› Loss of trust in Service
21. The Rich Execution Environment
[Diagram, layers from top to bottom: Rich OS Application Environment; Rich OS; Hardware Platform]
22. GlobalPlatform TEE Architecture
[Diagram labels. Rich OS Application Environment: GlobalPlatform Published APIs, Rich OS. Trusted Execution Environment: GlobalPlatform Published APIs, TEE Comm. Agent, Trusted Drivers, Trusted Core Framework, Trusted OS Components. Hardware Platform. HW Secure Resources: HW Keys, Storage, TUI Peripherals (Screen and Keyboard), Secure Element]
23. Message Passing Architecture
[Diagram labels. REE: REE Applications, Client Application, Shared Memory, TEE Client API, REE Comms. Agent, Public Device Drivers, Rich OS Components. TEE: Trusted Applications, Shared Memory View, TEE Internal Core API and extensions, Trusted Core Framework, TEE Comms. Agent, Trusted Kernel, Trusted Device Drivers, Trusted OS Components. Platform Hardware: Public Peripherals, Trusted Peripherals, Switchable Peripherals. Connections: Messages, TEE Protocols. Boundary: Isolation defined by TEE Protection Profile]
24. TEE Specification landscape
• Architecture
– TEE System Architecture v1.0
• Device TEE Access
– TEE Client API Specification v1.0
• APIs for Trusted Applications
– TEE Internal Core API Specification v1.1
– TEE Secure Element API Specification v1.0
– TEE Sockets API Specification v1.0
– Trusted User Interface API Specification v1.0
– TEE TA Debug Specification v1.0
• Security requirements
– TEE Protection Profile v1.2
• Compliance
– TEE Initial Configuration Test Suite 1.1.0.1
Download @ https://www.globalplatform.org/specificationsdevice.asp
25. Client application side
1. Create a context
– Client application with TEE

    result = TEEC_InitializeContext(
        NULL,
        &context);
    if (result != TEEC_SUCCESS) {
        goto cleanup1;
    }

2. Open a session
– Client application and Trusted Application

    result = TEEC_OpenSession(
        &context,
        &session,
        &cryptoTEEApp,    /* UUID of the app */
        TEEC_LOGIN_USER,
        NULL,             /* No connection data */
        NULL,             /* No payload, no cancellation. */
        NULL);

3. Exchange command/operation with a TA

    result = TEEC_InvokeCommand(
        &session,
        CMD_ENCRYPT_INIT,
        &operation,
        NULL);
26. Trusted Application = TA Interface
Each Trusted Application MUST provide the Implementation with a number of functions, collectively called the “TA interface”.
• TA_CreateEntryPoint
– This is the Trusted Application constructor.
• TA_DestroyEntryPoint
– Guess what? This is the Trusted Application destructor!
• TA_OpenSessionEntryPoint
– This function is called whenever a client attempts to connect to the Trusted Application instance to open a new session.
• TA_CloseSessionEntryPoint
– This function is called when the client closes a session and disconnects from the Trusted Application instance.
• TA_InvokeCommandEntryPoint
– This function is called whenever a client invokes a Trusted Application command.
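Added example (not part of the original slides, and not GlobalPlatform or vendor code): a host-side C sketch of the five TA interface functions, with a command dispatcher that checks the client-supplied parameter types and the session state before it reads any parameter. The typedefs and macros stand in for tee_internal_api.h so it compiles without a TEE SDK; the value of CMD_ENCRYPT_INIT, the CMD_ENCRYPT_UPDATE command, struct session and the parameter layout are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
typedef uint32_t TEE_Result; /* stand-ins for tee_internal_api.h (host build) */
typedef union { struct { void *buffer; size_t size; } memref;
                struct { uint32_t a, b; } value; } TEE_Param;
#define TEE_SUCCESS              0x00000000u
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006u
#define TEE_ERROR_BAD_STATE      0xFFFF0007u
#define TEE_ERROR_NOT_SUPPORTED  0xFFFF000Au
#define TEE_ERROR_OUT_OF_MEMORY  0xFFFF000Cu
#define TEE_PARAM_TYPE_VALUE_INPUT  1u
#define TEE_PARAM_TYPE_MEMREF_INPUT 5u
#define TEE_PARAM_TYPES(a, b, c, d) ((a) | ((b) << 4) | ((c) << 8) | ((d) << 12))
#define CMD_ENCRYPT_INIT   1u /* assumed value: the slides give only the name */
#define CMD_ENCRYPT_UPDATE 2u /* hypothetical second command */
struct session { int ready; uint32_t key_slot; size_t bytes_in; }; /* hypothetical per-session state */
TEE_Result TA_CreateEntryPoint(void) { return TEE_SUCCESS; } /* constructor */
void TA_DestroyEntryPoint(void) { }                          /* destructor */
TEE_Result TA_OpenSessionEntryPoint(uint32_t types, TEE_Param params[4], void **ctx) {
    (void)params; /* this TA expects no open-time parameters */
    if (types != TEE_PARAM_TYPES(0u, 0u, 0u, 0u)) return TEE_ERROR_BAD_PARAMETERS;
    *ctx = calloc(1, sizeof(struct session));
    return *ctx ? TEE_SUCCESS : TEE_ERROR_OUT_OF_MEMORY;
}
void TA_CloseSessionEntryPoint(void *ctx) { free(ctx); }
/* The client chooses `types`, so check it before reading any member of params[]. */
TEE_Result TA_InvokeCommandEntryPoint(void *ctx, uint32_t cmd, uint32_t types, TEE_Param params[4]) {
    struct session *s = ctx;
    switch (cmd) {
    case CMD_ENCRYPT_INIT: /* one VALUE_INPUT: the key slot to use */
        if (types != TEE_PARAM_TYPES(TEE_PARAM_TYPE_VALUE_INPUT, 0u, 0u, 0u)) return TEE_ERROR_BAD_PARAMETERS;
        s->key_slot = params[0].value.a; s->ready = 1; s->bytes_in = 0;
        return TEE_SUCCESS;
    case CMD_ENCRYPT_UPDATE: /* one MEMREF_INPUT, accepted only after INIT */
        if (types != TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT, 0u, 0u, 0u)) return TEE_ERROR_BAD_PARAMETERS;
        if (!s->ready) return TEE_ERROR_BAD_STATE;
        if (!params[0].memref.buffer || !params[0].memref.size) return TEE_ERROR_BAD_PARAMETERS;
        s->bytes_in += params[0].memref.size; /* the cipher would consume the buffer here */
        return TEE_SUCCESS;
    default: return TEE_ERROR_NOT_SUPPORTED;
    }
}
int main(void) { /* UPDATE before INIT must be refused */
    char msg[] = "constructed input"; void *ctx = NULL;
    TEE_Param p[4] = { { .memref = { msg, sizeof msg } } };
    if (TA_CreateEntryPoint() || TA_OpenSessionEntryPoint(0u, p, &ctx)) return 1;
    printf("0x%08X\n", (unsigned)TA_InvokeCommandEntryPoint(ctx, CMD_ENCRYPT_UPDATE, TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT, 0u, 0u, 0u), p));
    TA_CloseSessionEntryPoint(ctx); TA_DestroyEntryPoint(); return 0;
}
```

On a device the stand-in definitions are replaced by the real header, and the TEE framework, not a main(), calls the entry points.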
27. Trusted Application configuration
• Each application is identified by a UUID: gpd.ta.appID
• gpd.ta.singleInstance = if TRUE, a single TA instance is created for all the client sessions; otherwise a separate instance is created for each client session
• gpd.ta.multiSession = whether the Trusted Application instance supports multiple sessions
• gpd.ta.instanceKeepAlive = when this property is set to true, the TA instance is terminated only when the TEE shuts down
• gpd.ta.dataSize = maximum estimated amount of dynamic data in bytes configured for the Trusted Application
• gpd.ta.stackSize = maximum stack size in bytes available to any task in the Trusted Application at any point in time
• gpd.ta.version and gpd.ta.description
28. Also
• Trusted Applications are able to retrieve properties (TEE_GetPropertyAsString, TEE_GetPropertyAsBool, TEE_GetPropertyAsU32, TEE_GetPropertyAsBinaryBlock)
– From the client application
• gpd.client.identity
– From the TEE
• gpd.tee.deviceID, gpd.tee.apiversion
– Also the current TA
• TAs are able to commit suicide
– When a Trusted Application calls the TEE_Panic function, the current instance MUST be destroyed and all the resources opened by the instance MUST be reclaimed
29. Trusted Storage
• A Trusted Storage Space contains Persistent Objects identified by an Object Identifier that can be
– a Cryptographic Key Object,
– a Cryptographic Key-Pair Object,
– or a Data Object
• gpd.tee.trustedStorage.rollbackDetection.protectionLevel gives the application the level of protection against rollback attacks
– Typically, protection level is equal to 100 for REE and 1000 with hardware assets controlled by the TEE
• A TA can also allocate Transient Objects
– Transient objects have no identifier
– Transient objects are held in memory and are automatically wiped and reclaimed when they are closed or when the TA instance is destroyed.
• Multiple APIs are available to manage Persistent and Transient objects through object handles
– Example: TEE_CreatePersistentObject, TEE_OpenPersistentObject, TEE_RenamePersistentObject, TEE_CloseAndDeletePersistentObject1, TEE_AllocateTransientObject
[Diagram labels: Trusted Storage, Persistent object (ID), Transient object]
30. More Internal Core APIs
Crypto API
• Based on cryptographic operations, pre-allocated for a given operation type, algorithm, and key size
Time API
• 3 sources of time
– TA Persistent Time, a real-time source of time
  • The origin of this time is set individually by each Trusted Application and MUST persist across reboots.
– System Time
  • The system time is not reset or rolled back during the life of a given TA instance
  • The level of trust is accessible via gpd.tee.systemTime.protectionLevel
– REE Time
Arithmetic API
• The specification offers a toolbox for complex crypto functions not yet standardized
– Allows missing crypto functions to be implemented as plug-ins
– Gives access to a Fast Modular Multiplication primitive
• The “only” limit is that inputs and outputs are TEE_BigInt values in [-2^M + 1, 2^M - 1]
– M can be retrieved as the implementation property gpd.tee.arith.maxBigIntSize
[Slide callouts: TEE_ALG_SHA256; TEE_MODE_DIGEST; "Between 192 and 1024 bits, multiple of 8 bits"]
31. Agenda
• Introduction to GlobalPlatform
• Trusted Execution Environment (TEE) Architecture
• Introduction to TEE APIs
• Trusted Application Manager
• Question and Answer
32. Trusted Application Manager Overview
• Trusted Application Manager (TAM):
– Provides a scalable and remote means to manage the
• Trusted Execution Environment (TEE)
• Security Domains (SD)
• Trusted Applications (TA)
– Enforces the security policy of TA Providers, TEE Issuers, and TEE Implementers
– Ensures the security and the integrity of these entities
– Enables the confidentiality of the data
• Uses secure protocols and interfaces accessed either through the Client API or
via extensions to the Internal Core API
[Diagram labels: rSD, SD2 (TA), SD3 (TA)]
33. How does a TAM operate?
[Diagram with numbered steps 1 to 6 involving the Service Provider, the App Store, the App and the TA. Recoverable labels: "Push the App and the TA on the App Store"; "Request installation" (3); "Verify Device Identity" (4); "Create Security Domain"; "1) Install TA, 2) TA personalization"]
NOTE: This is only one of many possible configurations
34. Trustonic Developer Tools
[Diagram labels: App Store / Google Play; Main App with TEE TA and SW TA; Trustonic Software Protection; Trustonic TEE Protection]