Study and evaluation of security element platforms
Tutor / director / evaluatorLópez Aguilera, M. Elena
Document typeMaster thesis
Rights accessRestricted access - confidentiality agreement
The increasing adoption of mobile devices applications in daily life activities such as payments, identification, authorization and access control represents a new challenge from the security perspective, since private or sensitive data is being used in an untrusted environment (the mobile device). In this sense, one of the objectives of mobile computing for the near future is to make mobile devices suitable for security-sensitive applications. Since the past decades, secure microcontrollers have been successfully implemented to create smartcards, which have been used to secure banking, transport, access and identification cards. Today, the smartcards have evolved to Secure Elements to be integrated in smartphones, wearables, IoT nodes, and all kind of mobile devices. Secure Elements are computing units encapsulated in an integrated circuit that are capable of securely host and execute applications, store cryptographic material and perform cryptographic operations in a secure environment. The success of Secure Elements is based on their capability to act as physical root of trust for applications and services that require high degree of security in a resource constrained device. In the near future, the massive integration of secure element in mobile devices will enable new kind of security-critical applications to be performed by mobile devices ensuring privacy, authenticity and integrity of data. Identification and passports will be securely embedded in mobile devices, wallet applications will be extensively used, access control to multi-owner vehicles, ticketing, transportation, authentication of IoT nodes, authorization of vehicles in low-emission zones, and all kind of applications requiring secure storage and tamper protection will become feasible from the security point of view. Secure Elements are currently integrated in mobile devices through UICC cards, embedded chips soldered to the mother board or to some extent, smartSD cards. They can be accessed directly through the NFC interface or through the application processor. When the SE is accessed through the NFC interface the communications are routed through the NFC controller, without intervention of the mobile operating system. When the communication is performed from an application running in the application processor, the application require system level permissions that are not usually given to regular applications. Therefore, access to secure elements is currently controlled by a few players and not widely open to application developers, researchers or academics. Nevertheless, there is still a broad field of study around secure elements. This work address several sources of uncertainty around secure elements, including communication interfaces and protocols, development platforms and key capabilities of secure elements which are currently available in the market. The conclusions derived from this work reaffirm that secure elements are promising solutions to secure mobile devices, relying in software and hardware mechanisms to guarantee the desired security properties.