Trusted mPOS - CARTES Asia


GP Confidential ©2013

GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)

Dongyan Wang GlobalPlatform Technical Program Manager

Wednesday 19 March

GlobalPlatform Members


Introducing GlobalPlatform Standards...

• With GlobalPlatform standards:
• Create once based on:
  o Stable and interoperable application programming interfaces (APIs)
  o Stable security requirement
• Deploy ‘everywhere’

GlobalPlatform Positioning

GlobalPlatform is the standard for managing applications on secure chip technology

Trusted Execution Environment AND Secure Element

Across several market sectors and in converging sectors

Premium Content

Mobile as a Center of the New Service Deployment

Trusted Execution Environment

The trusted execution environment (TEE) provides a unique capability to ensure that a transaction:
• Is approved by the right end user
• Is on the right and trusted device
• Takes place between the application and cloud or back-end service

What is a TEE?

[Diagram: two environments on one Hardware Platform]
• Rich OS Application Environment (open to malware and rooting / jailbreaking): Client Applications, GlobalPlatform TEE Client API, Rich OS
• Trusted Execution Environment (isolation of sensitive assets): Trusted Application DRM, Trusted Application Payment, Trusted Application Corporate, HW Secure Resources API, Trusted Core Environment, Trusted Functions

• TEE provides hardware-based isolation from rich operating systems (OS) such as Android
• TEE runs on the main device chipset and relies on hardware roots of trust (crypto keys and secure boot)
• TEE has privileged access to platform and device resources (user interface, memory controller, video / audio hardware, crypto accelerators, biometry…)
• Technology already massively deployed
• Premium content protection is currently a major use case

GlobalPlatform TEE Functions

Hardware-based TEE Functions = ToolBox
• Code and data isolation
• Secure cryptography
• Secure storage
• Secure clock
• Trusted user interface
• Secure element (SE) interface
• Administration scheme

Value for Secure App Providers includes
• Device authentication
• User authentication
• Protection of any sensitive software engine
• Digital signature and encryption
• Secure communication to server and / or SE
• Upgradable environment

Unique Feature for mPOS: Trusted User Interface (UI)

Message to be signed
▪ Transaction summary displayed by TEE
▪ Rich OS environment cannot tamper with the message
▪ The user signs exactly what s/he is seeing

Explicit Validation Means
▪ PIN / password entry: rich OS environment cannot have access to entered credential

Security Indicator
▪ Text or image
▪ ‘Sign-in seal concept’
▪ Information securely configured by the user and securely controlled by the TEE
▪ Prove to the user that the screen is TRUSTED by seeing this known information

Tools to build ‘what you see is what you sign’, anti-phishing and non repudiation
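A small model of the ‘what you see is what you sign’ flow on this slide, added here as an illustration and not taken from the presentation or from any GlobalPlatform API. Assumptions: the class and function names are hypothetical, the key, seal and transaction values are constructed, and an HMAC stands in for the device signing key (a real deployment needing non repudiation would use an asymmetric signature).

```python
import hashlib
import hmac
import json

# Constructed stand-in for a key that exists only inside the TEE (assumption).
DEVICE_KEY = b"constructed-demo-key-held-in-tee"


def canonical(summary: dict) -> bytes:
    """Serialise the summary deterministically so display, signing and
    verification all operate on the same bytes."""
    return json.dumps(summary, sort_keys=True, separators=(",", ":")).encode()


class TrustedUiModel:
    """Toy trusted application with a trusted UI (hypothetical, not a TEE API)."""

    def __init__(self, key: bytes, seal: str):
        self._key = key    # never handed to the rich OS side
        self._seal = seal  # security indicator chosen by the user

    def display_and_sign(self, summary: dict, pin_ok: bool):
        """Show the summary next to the seal, then sign exactly what was shown."""
        if not pin_ok:     # explicit validation failed: nothing is signed
            return None
        shown = canonical(summary)
        screen = f"[{self._seal}] {shown.decode()}"
        tag = hmac.new(self._key, shown, hashlib.sha256).hexdigest()
        return {"screen": screen, "tag": tag}


def backend_verify(key: bytes, claimed_summary: dict, tag: str) -> bool:
    """Back end recomputes the tag over the summary it is asked to process."""
    expected = hmac.new(key, canonical(claimed_summary), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def demo():
    tee = TrustedUiModel(DEVICE_KEY, seal="blue-kite")
    summary = {"amount": "12.50", "currency": "EUR", "merchant": "Cafe Example"}
    result = tee.display_and_sign(summary, pin_ok=True)
    # A rich OS component rewrites the amount after the user approved it.
    altered = dict(summary, amount="1250.00")
    return (
        backend_verify(DEVICE_KEY, summary, result["tag"]),  # approved summary
        backend_verify(DEVICE_KEY, altered, result["tag"]),  # tampered summary
        tee.display_and_sign(summary, pin_ok=False),         # no valid PIN
    )
```

The tag covers the bytes that were displayed, so a summary changed outside the TEE fails verification at the back end.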

Trusted mPOS (1/3)

• Near field communication (NFC) smartphone can be used as card reader
• A trusted channel is opened between the card and the mPOS

Trusted mPOS (2/3)

• When needed the end user enters a PIN to confirm a contactless transaction
• A trusted application will use the trusted UI feature to protect the PIN from any rich OS application

Trusted mPOS (3/3)

• mPOS needs to be integrated with back and front office applications
• TEE protects the credential required to ensure a trusted channel is opened between the mPOS and the server

TEE Supports Value Added Services on mPOS

• Thanks to the GlobalPlatform open architecture supporting multiple applications, a smartphone with a qualified TEE is able to support different mPOS applications
  – Such as mPOS APPs world, mobile, loyalty programs, actionable intelligence, cross-channel and in-store marketing programs.
• But also barcode scanning, LBS, eReceipts, coupons, QR codes, wallets, click & collect, geo-targeted mobile advertising and alternative in-store payments.

TEE Supports Multiple mPOS Models

• Thanks to the GlobalPlatform open architecture supporting multiple applications from multiple actors, a smartphone with a qualified TEE is able to support different POS
• TEE security certification offers a real insurance for the mPOS deployment
• TEE administration will provide a standard language to manage an mPOS application
  – Load, install, delete
  – Update

Support Different Use Cases

▪ eCommerce
  • mPOS installed in end user smartphone
  • End-user enters his PIN on his mobile
▪ Commerce
  • mPOS installed in merchant smartphone
  • End-user enters his PIN on merchant mobile
▪ Hybrid
  • mPOS installed in merchant smartphone BUT
  • End-user enters his PIN on his mobile

Summary

• Collaboration between TEE and card allows the best of both worlds
  – High level security of smart card/SEs and usability of smartphone
• The massive deployment of GlobalPlatform SE and TEE generates a standardized infrastructure for:
  – Enhancing the usability and security of today’s services
  – Deploying new payment services (peer-to-peer, remote payment)
• Compliancy is needed to deploy a mobile service across different devices from different providers
• Security across different devices and suppliers is a must that is central to the GlobalPlatform technology

More @ www.globalplatform.org
