Revision history [back]

SFOS Security could be enhanced by supporting Secure Elements (SE) and API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) is essential for security on a mobile for IPsec, gpg private keys, storing of certificates, generate random numbers, trusted user interface...

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC and a CCID smart card reader (e.g. PKCS#11 Smart Cards, GnuPG Smart Cards, Fido U2F Token, etc.) (commonly used on linux desktops and might work with usb otg?)

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is a example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/

c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and distributed by a service provider with TSM)

SFOS developer - what is the preferred option or are there already solutions?

SFOS Security could be enhanced by supporting Secure Elements (SE) and API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) is essential for security on a mobile for IPsec, gpg private keys, storing of certificates, generate random numbers, trusted user interface...

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC and a CCID smart card reader (e.g. PKCS#11 Smart Cards, GnuPG Smart Cards, Fido U2F Token, etc.) (commonly used on linux desktops and might work with usb otg?)

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is a an example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/

c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and distributed by a service provider with TSM)

SFOS developer - what is the preferred option or are there already solutions?

SFOS Security could be enhanced by supporting Secure Elements (SE) and API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) is essential for security on a mobile for IPsec, gpg private keys, storing of certificates, generate random numbers, trusted user interface...

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC and a CCID smart card reader (e.g. PKCS#11 Smart Cards, GnuPG Smart Cards, Fido U2F Token, etc.) (commonly used on linux desktops and might work with usb otg?)

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is an example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/

c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and distributed by a service provider with TSM)

SFOS developer - what is the preferred option or are there already solutions?

SFOS Security could be enhanced by supporting Secure Elements (SE) and API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) is essential for security on a mobile for IPsec, gpg private keys, storing of certificates, generate random numbers, trusted user interface...

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC and a CCID smart card reader (e.g. PKCS#11 Smart Cards, GnuPG Smart Cards, Fido U2F Token, etc.) (commonly used on linux desktops and might work with usb otg?)

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is an example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/

c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and distributed by a service provider with TSM)

SFOS developer - what is the preferred option or are there already solutions?

SFOS Security could be enhanced by supporting Secure Elements (SE) and API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) is essential for security on a mobile for IPsec, gpg private keys, storing of certificates, generate random numbers, trusted user interface...

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC and a CCID smart card reader (e.g. PKCS#11 Smart Cards, GnuPG Smart Cards, Fido U2F Token, etc.) (commonly used on linux desktops and might work with usb otg?)

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is an example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/

c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and distributed provisioning distributing TA by a service provider with TSM)Trusted Service Manager (TSM)) Have a look at OP-TEE and the simulation for an example https://www.op-tee.org/

SFOS developer developers - what is the preferred option or are there already solutions?

SFOS Security could be enhanced by supporting Secure Elements (SE) and API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) is essential for security on a mobile for IPsec, gpg private keys, storing of certificates, generate random numbers, trusted user interface...

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC ,PC/SC and a CCID smart card reader (e.g. PKCS#11 Smart Cards, GnuPG Smart Cards, Fido U2F Token, etc.) (commonly used on linux desktops and might work with usb otg?)

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is an example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/

c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and provisioning distributing TA by a service provider with Trusted Service Manager (TSM)) Have a look at OP-TEE and the simulation for an example https://www.op-tee.org/

SFOS developers - what is the preferred option or are there already solutions?

SFOS Security could be enhanced by supporting Secure Elements (SE) and API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) is essential for security on a mobile for IPsec, gpg private keys, storing of certificates, generate random numbers, trusted user interface...

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC ,PC/SC and a CCID smart card reader (e.g. opensc PKCS#11 Smart Cards, GnuPG Smart Cards, Fido U2F Token, etc.) (commonly used on linux desktops and might work with usb otg?)

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is an example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/

c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and provisioning distributing TA by a service provider with Trusted Service Manager (TSM)) Have a look at OP-TEE and the simulation for an example https://www.op-tee.org/

SFOS developers - what is the preferred option or are there already solutions?

SFOS Security could be enhanced by supporting Secure Elements (SE) and API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) is essential for security on a mobile for IPsec, gpg private keys, storing of certificates, generate random numbers, trusted user interface...

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC ,PC/SC and a CCID smart card reader (e.g. opensc PKCS#11 Smart Cards, GnuPG Smart Cards, Fido U2F Token, etc.) (commonly (widely used on linux desktops and might work with usb otg?)

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is an example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/

c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and provisioning distributing TA by a service provider with Trusted Service Manager (TSM)) Have a look at OP-TEE and the simulation for an example https://www.op-tee.org/(TSM))

SFOS developers - what is the preferred option or are there already solutions?

SFOS Security could be enhanced by supporting Secure Elements (SE) and API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) is essential for security on a mobile for IPsec, gpg private keys, storing of certificates, generate random numbers, trusted user interface...

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC ,PC/SC and a CCID smart card reader (e.g. opensc PKCS#11 Smart Cards, GnuPG Smart Cards, Fido U2F Token, etc.) (widely used on linux desktops and might work with usb otg?)desktops)

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is an example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/

c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and provisioning distributing TA by a service provider with Trusted Service Manager (TSM))

SFOS developers - what is the preferred option are there other (more simple) possibilities or are there already solutions?solutions (using the other half and I2C)?

SFOS Security could be enhanced (in the future) by supporting Secure Elements (SE) and and/or API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) is might be essential for security on a mobile for IPsec, gpg private keys, storing of certificates, generate random numbers, trusted user interface...

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC ,PC/SC and a CCID smart card reader (e.g. opensc PKCS#11 Smart Cards, GnuPG Smart Cards, Fido U2F Token, etc.) (widely used on linux desktops)

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is an example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/

c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and provisioning distributing TA by a service provider with Trusted Service Manager (TSM))

SFOS developers - are there other (more simple) possibilities or are there already solutions (using the other half and I2C)?

revision 1

SFOS Privacy and Security is excellent. Security could be enhanced (in the future) in the future by supporting Secure Elements (SE) and/or or even API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) might be essential for very useful for the security even on a mobile for IPsec, gpg private keys, storing of certificates, generate mobile, for applications and the OS itself. (IPsec/OpenVPN, GnuPG, S/MIME, random numbers, FIDO U2F, trusted user interface...interface...)

thoughts:

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC ,PC/SC as middleware, PC/SC and a CCID driver for a smart card reader reader; there are a lot of use cases with OpenSC support and a lot of supported Secure Elements (e.g. opensc OpenSC PKCS#11 Smart Cards, GnuPG Smart Cards, Fido U2F Token, etc.) (widely Cards are widely used on linux desktops)desktops, even rasbian (rasberry pi) supports OpenSC) Could this work in practice with a mobile, e.g. with NFC support? I don't know if this causes a lot of changes in SFOS...

...simple?

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is an example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/

...complex?

c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/

---?

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and provisioning distributing TA by a service provider with Trusted Service Manager (TSM))

...very complex

SFOS developers - are there other (more simple) (simple) possibilities or are there already solutions (using the other half and I2C)?

revision 1

SFOS Privacy and Security is excellent. Security could be enhanced in the future by supporting Secure Elements (SE) or even API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) might be very useful for the security even on a mobile, for applications and the OS itself. (IPsec/OpenVPN, GnuPG, S/MIME, random numbers, FIDO U2F, trusted user interface...)

thoughts:

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC as middleware, PC/SC and a CCID driver for a smart card reader; there are a lot of use cases with OpenSC support and a lot of supported Secure Elements (e.g. OpenSC PKCS#11 Smart Cards are widely used on linux desktops, even rasbian (rasberry pi) supports OpenSC) Could this work in practice with a mobile, e.g. with NFC support? I don't know if this causes a lot of changes in SFOS...

...simple?...simple, complex or not working?

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is an example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/

...complex?

c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/

---?

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and provisioning distributing TA by a service provider with Trusted Service Manager (TSM))

...very complexcomplex, indeed

SFOS developers - are there other (simple) possibilities or are there already solutions (using the other half and I2C)?

EDIT: tag changed from feature-request to idea; lots of minor changes

revision 1

SFOS Privacy and Security is excellent. Security could be enhanced in the future by supporting Secure Elements (SE) or even API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) might be very useful for the security even on a mobile, for applications and the OS itself. (IPsec/OpenVPN, GnuPG, S/MIME, random numbers, FIDO U2F, trusted user interface...)

thoughts:

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC as middleware, PC/SC and a CCID driver for a smart card reader; there are a lot of use cases with OpenSC support and a lot of supported Secure Elements (e.g. OpenSC PKCS#11 Smart Cards are widely used on linux desktops, even rasbian (rasberry pi) supports OpenSC) it) Could this work in practice with a mobile, with the opensc minidriver and read only PKCS#11 card access, e.g. with SDCard or NFC support? I don't know if this causes a lot of changes in SFOS...

...simple, complex or not working?

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is an example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/

...complex?

c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/

---?

d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and provisioning distributing TA by a service provider with Trusted Service Manager (TSM))

...very complex, indeed

SFOS developers - are there other (simple) possibilities or are there already solutions (using the other half and I2C)?

EDIT: tag changed from feature-request to idea; lots of minor changes

revision 1

SFOS Privacy and Security is excellent. Security could be enhanced in the future by supporting Secure Elements (SE) or even API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) might be very useful for the security even on a mobile, for applications and the OS itself. (IPsec/OpenVPN, GnuPG, S/MIME, random numbers, FIDO U2F, trusted user interface...)

thoughts:

a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC as middleware, PC/SC and a CCID driver for a smart card reader; there are a lot of use cases with OpenSC support and a lot of supported Secure Elements (e.g. OpenSC PKCS#11 Smart Cards are widely used on linux desktops, even rasbian (rasberry pi) supports it) too) Could this work in practice with a mobile, with mobile? With the opensc minidriver and read only PKCS#11 card access, e.g. with SDCard or NFC support? I don't know if this causes a lot of changes in SFOS...

...simple, complex support?