Market-Driven Code Provisioning to Mobile Secure Hardware

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8975)

Abstract

Today, most smartphones feature different kinds of secure hardware, such as processor-based security extensions (e.g., TrustZone) and dedicated secure co-processors (e.g., SIM cards or embedded secure elements). Unfortunately, secure hardware is almost never utilized by commercial third-party apps, although its usage would drastically improve the security of security-critical apps. The reasons are diverse: secure hardware stakeholders such as phone manufacturers and mobile network operators (MNOs) have full control over the corresponding interfaces and expect high financial revenue; and the current code provisioning schemes are inflexible and impractical since they require developers to collaborate with large stakeholders.

In this paper we propose a new code provisioning paradigm for code intended to run within execution environments established on top of secure hardware. It leverages a market-based code distribution model and overcomes the disadvantages of existing code provisioning schemes. In particular, it enables third-party developers to access secure hardware; allows secure hardware stakeholders to obtain revenue for usage of the hardware they control; and does not require third-party developers to collaborate with large stakeholders, such as OS and secure hardware vendors. Our scheme is compatible with Global Platform (GP) specifications and can be easily incorporated into existing standards.

Notes

  1. Secure boot means a system terminates the boot process in case the integrity check of a component to be loaded fails [32].

  2. Please visit our project page http://jcandroid.org.

  3. For instance, the retail price for the cgCard [16] is 99 EUR per piece.

  4. Indirect access is available for certain crypto operations provided by Android’s KeyStore https://developer.android.com/about/versions/android-4.3.html.

  5. https://code.google.com/p/seek-for-android/.

  6. For instance, GP specifies [23] that Java Cards share with the card issuer (i.e., a stakeholder) the symmetric Data Encryption Key (DEK).

References

  1. BouncyCastle crypto API. https://www.bouncycastle.org/

  2. GlobalPlatform - device specifications. http://www.globalplatform.org/specificationsdevice.asp

  3. Google Wallet: Shop. Save. Pay. With your phone. http://www.google.com/wallet/

  4. jCardSim Java card runtime environment simulator. http://jcardsim.org/

  5. Sierraware. http://www.sierraware.com

  6. SpongyCastle crypto API. http://rtyley.github.io/spongycastle/

  7. Akram, R.N., Markantonakis, K.: Rethinking the smart card technology. In: the Second International Conference on Human Aspects of Information Security, Privacy, and Trust, pp. 221–232 (2014)

  8. Akram, R.N., Markantonakis, K., Mayes, K.: A paradigm shift in smart card ownership model. In: International Conference on Computational Science and its Applications (ICCSA 2010), pp. 191–200, Washington, DC, USA. IEEE Computer Society (2010)

  9. Akram, R.N., Markantonakis, K., Mayes, K.: User centric security model for tamper-resistant devices. In: IEEE International Conference on e-Business Engineering (ICEBE 2011), pp. 168–177 (2011)

  10. Akram, R.N., Markantonakis, K., Mayes, K.: Trusted platform module for smart cards. In: 6th International Conference on New Technologies, Mobility and Security, NTMS 2014, pp. 1–5. IEEE (2014)

  11. Alves, T., Felton, D.: TrustZone: integrated hardware and software security. Inf. Q. 3(4), 18–24 (2004)

  12. Anwar, W., Lindskog, D., Zavarsky, P., Ruhl, R.: Redesigning secure element access control for NFC enabled Android smartphones using mobile trusted computing. In: International Conference on Information Society (i-Society), June 2013

  13. Apple Press. Apple Announces Apple Pay: Transforming Mobile Payments with an Easy, Secure and Private Way to Pay, September 2014. https://www.apple.com/pr/library/2014/09/09Apple-Announces-Apple-Pay.html

  14. Azema, J., Fayad, G.: M-Shield mobile security technology: Making wireless secure. Texas Instruments white paper (2008). http://focus.ti.com/pdfs/wtbu/ti_mshield_whitepaper.pdf

  15. Busold, C., Dmitrienko, A., Seudi, H., Taha, A., Sobhani, M., Wachsmann, C., Sadeghi, A.-R.: Smart keys for cyber-cars: secure smartphone-based NFC-enabled car immobilizer. In: ACM Conference on Data and Application Security and Privacy (CODASPY), February 2013

  16. Certgate. Certgate products. cgCard (2012). http://www.certgate.com/wp-content/uploads/2012/09/20131113_cgCard_Datasheet_EN.pdf

  17. Clark, S.: MasterCard and Samsung introduce embedded NFC payments (2013). http://www.nfcworld.com/2013/12/13/327343/mastercard-samsung-introduce-embedded-nfc-payments/

  18. Dmitrienko, A., Sadeghi, A.-R., Tamrakar, S., Wachsmann, C.: SmartTokens: delegable access control with NFC-enabled smartphones. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) TRUST 2012. LNCS, vol. 7344, pp. 219–238. Springer, Heidelberg (2012)

  19. Edgar Dunn and Company. Advanced payments report (2014). http://www.paymentscardsandmobile.com/wp-content/uploads/2014/02/PCM_EDC_Advanced_Payments_Report_2014_MWC.pdf

  20. Ekberg, J.-E., Kostiainen, K., Asokan, N.: The untapped potential of trusted execution environments on mobile devices. IEEE Secur. Priv. 99:1 (2014) (PrePrints)

  21. Elenkov, N.: Accessing the embedded secure element in Android 4.x (2012). http://nelenkov.blogspot.de/2012/08/accessing-embedded-secure-element-in.html

  22. European Payments Council - GSMA. Trusted Service Manager. Service management requirements and specifications. EPC 220–08. Version 1.0 (2010). http://www.europeanpaymentscouncil.eu/index.cfm/knowledge-bank/epc-documents/epc-gsma-tsm-service-management-requirements-and-specifications/epc220-08-epc-gsma-tsm-wp-v1pdf/

  23. Global Platform. Card specification. Version 2.2 (2006)

  24. Global Platform. Remote application management over HTTP protocol, September 2006

  25. Global Platform. Global Platform card technology: Secure channel protocol 03, September 2009

  26. Global Platform. GlobalPlatform’s proposition for NFC mobile: Secure element management and messaging. White paper (2009). http://www.sicherungssysteme.net/fileadmin/GlobalPlatform_NFC_Mobile_White_Paper.pdf

  27. GlobalPlatform. GlobalPlatform Device Technology. TEE System Architecture. Version 1.0 (2011). http://globalplatform.org/specificationsdevice.asp

  28. GlobalPlatform. A new model: The consumer-centric model and how it applies to the mobile ecosystem (2012). http://www.globalplatform.org/documents/Consumer_Centric_Model_White_PaperMar2012.pdf

  29. GlobalPlatform. Secure element access control (2012). http://www.globalplatform.org/specificationsdevice.asp

  30. González, J., Bonnet, P.: Towards an open framework leveraging a trusted execution environment. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds.) CSS 2013. LNCS, vol. 8300, pp. 458–467. Springer, Heidelberg (2013)

  31. Google. Android API guide - Bluetooth (2010). http://developer.android.com/guide/topics/connectivity/bluetooth.html

  32. Itoi, N., Arbaugh, W.A., Pollack, S.J., Reeves, D.M.: Personal secure booting. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 130–144. Springer, Heidelberg (2001)

  33. Ekberg, J.-E.: Trustonic.<t-base - a trusted execution environment. White paper (2014)

  34. Kostiainen, K., Ekberg, J.-E., Asokan, N., Rantala, A.: On-board credentials with open provisioning. In: ACM Symposium on Information, Computer, and Communications Security (ASIACCS), pp. 104–115. ACM (2009)

  35. Kostiainen, K., Reshetova, E., Ekberg, J.-E., Asokan, N.: Old, new, borrowed, blue - a perspective on the evolution of mobile platform security architectures. In: First ACM Conference on Data and Application Security and Privacy, pp. 13–24 (2011)

  36. Marforio, C., Karapanos, N., Soriente, C., Kostiainen, K., Čapkun, S.: Secure enrollment and practical migration for mobile trusted execution environments. In: The Third ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), pp. 93–98. ACM, New York (2013)

  37. Marlowe, C.: Intel and Visa join forces to boost mobile payments (2012). http://www.dmwmedia.com/news/2012/02/28/intel-and-visa-join-forces-to-boost-mobile-payments

  38. Masti, R.J., Marforio, C., Čapkun, S.: An architecture for concurrent execution of secure environments in clouds. In: The ACM Cloud Computing Security Workshop (CCSW), pp. 11–22 (2013)

  39. Press Release, Giesecke and Devrient. G&D makes mobile terminal devices even more secure with new version of smart card in microSD format. http://www.gi-de.com/en/about_g_d/press/press_releases/G%26D-Makes-Mobile-Terminal-Devices-Secure-with-New-MicroSD%E2%84%A2-Card-g3592.jsp

  40. TrendLabs. 3Q 2012 security roundup. Android under siege: Popularity comes at a price (2012). http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-3q-2012-security-roundup-android-under-siege-popularity-comes-at-a-price.pdf

  41. Vasudevan, A., Owusu, E., Zhou, Z., Newsome, J., McCune, J.M.: Trustworthy execution on mobile devices: what security properties can my mobile platform give me? In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) TRUST 2012. LNCS, vol. 7344, pp. 159–178. Springer, Heidelberg (2012)

Acknowledgements

We thank N. Asokan for several fruitful discussions and feedback to the paper draft. Further, we thank anonymous reviewers for their helpful comments. This work was partially supported by the German ministry of education and research (Bundesministerium für Bildung und Forschung, BMBF) within the Software Campus initiative.

Author information

Corresponding author

Correspondence to Alexandra Dmitrienko.

Copyright information

© 2015 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Dmitrienko, A., Heuser, S., Nguyen, T.D., da Silva Ramos, M., Rein, A., Sadeghi, AR. (2015). Market-Driven Code Provisioning to Mobile Secure Hardware. In: Böhme, R., Okamoto, T. (eds) Financial Cryptography and Data Security. FC 2015. Lecture Notes in Computer Science, vol 8975. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47854-7_23

  • DOI: https://doi.org/10.1007/978-3-662-47854-7_23

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-47853-0

  • Online ISBN: 978-3-662-47854-7

  • eBook Packages: Computer Science, Computer Science (R0)
