Anatomy of a Mobile Device Julian Lovelock HID Global Definition of Mobile


Creating a Safe place on the mobile device

• Smartphone
• Phablet
• Tablet

Safe place for what?
Physical Access Credentials

Safe place for what?
Logical Access Credentials

Safe place for what?
Secure Remote Access from the phone
Secure Remote access:
• Intranets
• Applications
• Networks
• Cloud
• Virtual Desktops

Safe place for what?
Phone as a One Time Password Token
• App on the phone generates a One Time Password
• Turns the Phone into an OTP token
• Next OTP 53769270
• OTP key is stored in ‘safe place’

Safe Place on the Mobile device
Protect credentials against malware on the device.

Software based vault
[Diagram labels: UI / Keyboard, Application #1, Software based vault, Operating system, NFC Controller]

Hardware based vault
[Diagram labels: UI / Keyboard, Application #1, Operating system, Applet, NFC Controller, Secure Element / SIM chip]

Secure Elements
• On Phone:
  • Embedded SE
• Removable:
  • UICC / SIM
  • Smart micro SD

Multiple Hardware based vaults
[Diagram labels: UI / Keyboard, Application #1, Application #2, Secure Element Access, OS, Applet #1, Applet #2, Applet #3, Applet #4, Applet #5, Contactless Frontend (CLF), Smart micro SD, Secure Element, Embedded SE, UICC/SIM]

External vaults
• On Phone:
  • Embedded SE
• Removable:
  • UICC / SIM
  • Smart micro SD
• External:
  • Phone Sleeves (ex. iCarte for Apple phones) (still harbours micro SD)
  • Attached reader inserting ISO smart card
  • Stickers

Multiple options
[Diagram labels: UI / Keyboard, Application #1, Application #2, Crypto Middleware, Secure Element Access, OS, Applet #1, Applet #2, Applet #3, Applet #4, Applet #5, External Reader, Contactless Frontend (CLF), Smart Micro SD, Embedded SE, UICC/SIM]

TEE
Trusted Execution Environment
• Trusted input/output
• Processor speed video decoding and bio verification
• Resource allocation greater (Mb rather than Kb)

Trusted Execution Environment
[Diagram labels: UI / Keyboard, Trusted UI / Keyboard, Application #1, Application #2, TEE, Crypto Middleware, Trusted App #1, Trusted App #2, Secure Element Access, OS, Applet #1, Applet #2, Applet #3, Applet #4, Applet #5, External Reader, Contactless Frontend (CLF), Smart Micro SD, Embedded SE, UICC/SIM]

New developments in the last 12 Months
- Bluetooth Smart
- Host Card Emulation

Bluetooth Smart
• Supported cross platform (unlike NFC)
• Different to Bluetooth “classic”
• Doesn’t require pairing codes
• Low energy consumption

Trend towards software based storage
• Secure transactions use NFC Card Emulation mode.
• Phone emulates an RFID card.
• For payments or access control
• Traditionally this mode required NFC reader to use the Secure Element
• Secure Element is controlled by the Mobile Network Operator
• Host Card Emulation enables ‘Card Emulation’ mode accessing Host CPU
• Leverage software vault, or off phone storage

Security Continuum
[Chart: axes Security and Complexity; labels: Phone OS, Software Based Solution, Trusted Execution Environment (TEE), Secure Element (SE), SE + TEE combination]

Julian Lovelock, HID Global
