TEE Use Case Made Simple
GlobalPlatform held its annual trusted execution environment (TEE) Conference ‘GlobalPlatform Presents the TEE: Next Generation Mobile Security for Today and Tomorrow’ in Santa Clara last year, bringing together leaders in the mobile security space. The event highlighted the many benefits TEE technology can bring to a variety of industries.
The TEE is a secure area that resides in the main processor of a smart phone (or any mobile device) and ensures that sensitive data is stored, processed and protected in a trusted environment. The TEE's ability to offer safe execution of authorized security software, known as 'trusted applications', enables it to provide end-to-end security by enforcing protection, confidentiality, integrity and data access rights. Its capacity for security means it is of interest to a variety of markets.
There are currently three main use cases driving TEE adoption in the marketplace:
- Premium Content
Premium content such as films, music and e-books not only requires a high level of security to protect against unauthorized distribution and access, but also a high level of functionality to deliver the quality features expected by end-users. There is a growing consumption of premium content on mobile devices and therefore an increasing requirement for end-users to access content from a protected and secure environment.
Management and protection of premium content is a key driver for TEE adoption and will bring significant benefits to the fight against piracy.
GlobalPlatform has created a dedicated Premium Content Task Force which will determine the relevant requirements that need to be specified to protect premium content on a mobile device. The task force is already working with content copyright holders, aggregators, technology providers and device manufacturers to further understand the security level needed to protect this form of content and ensure that GlobalPlatform’s TEE Specifications support today’s premium content requirements.
- Mobile Financial Services
Trusted User Interface
Mobile commerce (mcommerce) incorporates a vast range of financial services including mobile wallets, peer-to-peer payments, contactless payments and using a mobile device as a point-of-sale (POS) terminal. As mcommerce evolves and new stakeholders engage in the market, there is a need for stronger, more standardized security on a mobile device to ensure that a consumer can carry out any financial transaction in a safe and trusted environment.
Currently payment and ID credentials on a mobile device are stored within the tamper-resistant environment of a secure element (SE). Despite its high level of security, the SE has limited functionality, meaning end-user authentication options are restricted.
The role of the TEE is not to replace the SE but to enhance it. The TEE achieves this by offering a safe and trusted user interface (UI) to strengthen authentication on a mobile device. For example, the trusted UI is able to check that the information comes from an approved trusted application and is isolated from the rich OS, where malware may be located, essentially creating a secure communication channel between the SE and the end user. It does this by asking the user to enter a password or PIN in the trusted UI. The TEE then encrypts the password or PIN and sends it to the payment card stored in the SE: the equivalent of a card-present transaction. The TEE also offers an ideal environment to store loyalty and coupon applications, which don't require the same high levels of security as payment cards, but still require protection from applications stored in the rich OS.
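The PIN path just described, modelled as an added example (not GlobalPlatform code and not any real TEE or SE API): a trusted application in the TEE seals the PIN for the SE, the rich OS only relays the bytes, and the SE rejects anything altered in transit. The shared channel key, the reference PIN and the HMAC-based toy cipher are assumptions; a real deployment would use a provisioned secure-channel key and cipher.

```python
import hashlib
import hmac
import secrets

# Toy channel cipher: HMAC-SHA256 in counter mode plus a separate HMAC tag.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class TrustedUI:
    """TEE-side trusted application: owns the PIN pad and seals the PIN for the SE."""
    def __init__(self, channel_key: bytes):
        self._key = channel_key  # shared with the SE only; provisioning is assumed
    def seal_pin(self, pin_entered: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = _xor(pin_entered, _keystream(self._key, nonce, len(pin_entered)))
        tag = hmac.new(self._key, b"mac" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag  # nonce || ciphertext || 32-byte tag

class SecureElement:
    """Tamper-resistant SE holding the card's reference PIN."""
    def __init__(self, channel_key: bytes, reference_pin: bytes):
        self._key, self._pin = channel_key, reference_pin
    def verify_pin(self, msg: bytes) -> str:
        nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
        expected = hmac.new(self._key, b"mac" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "REJECTED_TAMPERED"  # altered in transit: the PIN is never compared
        pin = _xor(ct, _keystream(self._key, nonce, len(ct)))
        return "VERIFIED" if hmac.compare_digest(pin, self._pin) else "WRONG_PIN"

def rich_os_relay(msg: bytes, observed: list, tamper: bool = False) -> bytes:
    """Untrusted rich OS: forwards bytes, records everything it sees, may alter them."""
    observed.append(msg)
    return msg[:16] + bytes([msg[16] ^ 0x01]) + msg[17:] if tamper else msg

def run_transaction(pin_entered: bytes, tamper: bool = False) -> tuple:
    """Returns (SE verdict, whether the plaintext PIN ever appeared on the rich-OS side)."""
    key = secrets.token_bytes(32)  # constructed channel key; the rich OS never holds it
    se, tee, observed = SecureElement(key, b"4921"), TrustedUI(key), []
    verdict = se.verify_pin(rich_os_relay(tee.seal_pin(pin_entered), observed, tamper))
    return verdict, any(b"4921" in m for m in observed)
```

The second element of the returned tuple is what the rich OS could have learned: it stays `False` even when the rich OS alters the message, because all it ever handles is ciphertext and a tag.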
One of the highest priorities in the world of information security is confirmation that a person accessing sensitive, confidential, or classified information is authorized to do so. One method of authentication which is becoming increasingly popular is biometrics.
Natural ID authentication is the process of verifying that a user is who they claim to be using digitized biological characteristics of the individual, captured by fingerprint sensors, voice recognition or facial recognition. For natural ID the authentication process is essentially divided into three stages:
- Extraction of an 'image' (scanning the fingerprint or capturing a voice sample, for example).
- A reference 'template' stored on the device for comparison with the extracted 'image'.
- A match engine to process the comparison between the 'image' and the 'template'.
The trusted nature of the TEE positions it as a suitable domain within a mobile device to house the match engine and the associated processes required to authenticate the user. The increased security of this environment is able to protect the data and establish a buffer against the non-secure applications located in the rich OS. This additional security will help to satisfy the needs of service providers in addition to keeping the costs low for handset developers.
The TEE can be applied to any use case that needs to authenticate the user. For example, unlocking a phone or gaining access to a sensitive application such as mobile banking or a mobile wallet.
- Enterprise (Public and Private)
Today, the market is seeing a dramatic increase in the number of organized hacks as cyber criminals try to break into corporations' or countries' online assets. One initiative which is growing in popularity and compounding the security threat landscape for enterprises is bring your own device (BYOD).
The growth of BYOD is a response to the push to reduce enterprise costs while increasing responsiveness and efficiency without sacrificing security. Allowing employees to use their own devices can increase productivity by enabling enterprise networks to be accessed on the move. The security level offered by these devices, however, is becoming a real and critical concern for the enterprise as it strives to ensure data is appropriately protected.
The TEE can be utilized by the enterprise to enable the secure handling of confidential and proprietary information on a mobile device. The TEE offers a level of protection against software attacks originating in the rich OS and assists in the control of access rights. It achieves this by housing sensitive, 'trusted' applications that need to be isolated and protected from the rich OS and any malware that may be present. By utilizing the functionality and security levels offered by the TEE, the enterprise can be assured that employees using their own devices are doing so in a secure and trusted manner.
To find out more about the TEE, read the TEE made simple guide or listen to the recording from our TEE conference. If you are interested in participating in GlobalPlatform’s TEE activity, visit our membership pages. You can also keep up-to-date on our latest news by following us on LinkedIn and Twitter.