[idea] SFOS Support for Secure Elements (SE) (or Trusted Execution Environment (TEE))

asked 2017-03-18 15:26:31 +0200

WH

updated 2017-06-28 09:38:54 +0200

revision 4

SFOS privacy and security is excellent. Security could be enhanced in the future by supporting Secure Elements (SE) or even an API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or a secure enclave (TEE) might be very useful for security even on a mobile, for applications and the OS itself (IPsec/OpenVPN, GnuPG, S/MIME, random numbers, FIDO U2F, trusted user interface...).

My Use Case: VPN with SE support (e.g. IPsec with strongSwan and PKCS#11 support)

Thoughts:

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC as middleware, PC/SC and a CCID driver for a smart card reader; there are a lot of use cases with OpenSC support and a lot of supported Secure Elements (e.g. OpenSC PKCS#15 smart cards are widely used on Linux desktops, Raspbian too). Could this work in practice on a mobile, with the OpenSC minidriver and 'read only' PKCS#11 card access, e.g. with SD card or NFC support?

vevgeniev tried access with the browser: https://together.jolla.com/question/132416/using-certificate-on-hardware-token-in-browser/

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC applets, ASSD SD cards or embedded SE).

seek-for-android is an example of the Open Mobile API and can be implemented by the handset manufacturer because it is not a part of AOSP: http://seek-for-android.github.io/ This is already done by many manufacturers.

c) WebAPI for accessing a Secure Element - a new approach: http://globalplatform.github.io/WebApis-for-SE/doc/

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. a TEE secured by ARM TrustZone, with TA provisioning/distribution by a service provider through a Trusted Service Manager (TSM)) - widely used for file system encryption, DRM and credential storage in handsets. Of course there are important published vulnerabilities in different products...

TEE framework as part of the Linux kernel: https://www.op-tee.org/blog/op-tee-qa/

EDIT: use case added, minor changes, OP-TEE

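As an added illustration of the VPN use case above (not part of the original post, and not something the SFOS project ships): this is how strongSwan's legacy stroke configuration (`ipsec.conf`/`ipsec.secrets`, current in 2017) is wired to a private key living on a PKCS#11 token through the OpenSC module, so the IKEv2 signature is computed on the card and the key never leaves it. The module path, slot number, key id, PIN and the peer addresses are assumptions for illustration; check the `%smartcard` syntax and the pkcs11 plugin options against the strongSwan documentation for the version actually packaged.

```ini
# /etc/strongswan.conf (assumed path) - register the OpenSC PKCS#11 module with charon.
# The library path is an assumption; on a 64-bit desktop it is often under /usr/lib64.
charon {
    plugins {
        pkcs11 {
            load = yes
            modules {
                opensc {
                    path = /usr/lib/opensc-pkcs11.so
                    # Pull the X.509 certificate off the token as well, so leftcert can
                    # reference the card instead of a file on the (less trusted) flash storage.
                    load_certs = yes
                }
            }
        }
    }
}

# /etc/ipsec.secrets (assumed path) - the PIN unlocks slot 0 of module "opensc";
# the hex value after the colon is the CKA_ID of the key object on the card.
# Values are placeholders: a real deployment uses its own key id and PIN.
: PIN %smartcard0@opensc:45 "1234"

# /etc/ipsec.conf (assumed path) - IKEv2 road-warrior client authenticating with the
# on-card key; the peer name and address are constructed for this example.
conn vpn-gateway
    keyexchange = ikev2
    left = %defaultroute
    leftcert = %smartcard0@opensc:45
    leftsourceip = %config
    right = vpn.example.net
    rightid = "CN=vpn.example.net"
    rightsubnet = 0.0.0.0/0
    auto = add
```

Two practical points for the idea discussed in the post: `load_certs = yes` matters on a phone because it keeps the certificate on the token rather than in a world-readable file, and the PIN in `ipsec.secrets` is the weak spot of this setup, which is exactly where a TEE-backed credential store (item d above) would be an improvement over a plain text file.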

Comments

What are the privacy concerns for SEcaaS? USB dongles are with the phone; lose the phone, lose the dongle.

tortoisedoc ( 2017-03-18 18:50:41 +0200 )
6

I've never seen so many acronyms in one post before.

nthn ( 2017-03-19 01:50:52 +0200 )

As far as I understand, integrating SIM-based SE support will be one of the requirements of Android apps requiring SIM access to function correctly. TEE support will complement the soonish-coming Sailfish Device Manager, but I have no idea how it will be implemented.

peremen ( 2017-03-19 14:46:42 +0200 )
1

Yeah . . . . . . you lost me at SE, API and TA . . . . . : /

davekelly ( 2017-03-20 00:49:35 +0200 )
5

That is what you get on a platform like together.jolla.com with mixed intent. Developers and users and those in between gather here ;-)

MoritzJT ( 2017-03-20 02:57:23 +0200 )