Post on 03-Aug-2020
Hervé Pierre
Chairman, SIMalliance
8 October 2015
Role of the Secure Element in the New and Evolving NFC Landscape
Introduction
NFC Ecosystem: Overview
A Comparison: HCE and SE
Why ‘One Size Fits All’ Doesn’t Apply for NFC: Technology Relevance by Use Case
Conclusion
Securing the future of mobile services 3
Security, Identity, Mobility
SIMalliance: Who we are
SIMalliance members represent approx 90% of the global SIM market and deliver the most widely distributed secure application delivery platform in the world (UICC/SIM/USIM).
Security
Mobility
Identity
Examples of SIMalliance Deliverables
> UICC* Device Implementation Guidelines
– Outline fundamental and optional UICC features device vendors need to support to optimise UICC interoperability in future devices.
> UICC LTE Profile
– A collection of requirements for optimal support of LTE/EPS networks by UICC.
> Stepping Stones Documents
– Best practices for development of interoperable applications (USIM, NFC, SE).
> Open Mobile API
– Standardised way to connect mobile apps with all SEs on a device to provide a more intuitive interface and increasingly powerful functionality.
– Enables delivery of highly secure business and consumer mobile applications across all SE form factors.
– Referenced by GSMA (NFC Handset & APIs Requirements and Test Book).
– Open Source implementation (Seek-for-Android).
– Implemented in nearly 250 models of Android (NFC) Smartphones.
(*) UICC=UMTS Integrated Circuit Card
The NFC landscape is growing and converging….
Key market drivers:
• Apple Pay
• Other applications (i.e. transit in China)
• Choice of deployment technologies
Complementary technologies are emerging:
• HCE, SE (SIM/eSE), TEE, hybrid models
Each will play a part in a future NFC landscape which offers a graduated security approach.
2014: Consolidation of NFC infrastructure
2014: Growth in NFC SIM volumes
The NFC ecosystem
HCE – an additional NFC technology
Before HCE:
Card emulation transactions were isolated from the host OS.
Android 4.4 introduces HCE:
An application running on the Android OS can emulate an NFC smart card outside of an SE.
Emergence of hybrid models
Multiple possibilities being defined, e.g.:
• MNO / SIM
• OEM / eSE
• HCE / tokenisation
• Combinations of the above
Variance according to use case / service requirements
There are challenges with each deployment model…
> SIM-SE (MNO centric model)
– Recognised business model and technical challenges in development / deployment
– Market fragmentation issues to be overcome
> Embedded SIM / eSE (OEM model)
– Closed systems / ‘walled garden’ approach with one party in control
– Market fragmentation issues to be overcome
There are challenges with each deployment model…
> HCE
• Costs, risk and responsibility are borne by the service provider
• Security constraints
• Only works on devices running Android 4.4 and Blackberry OS
• HCE doesn’t work when device is powered off
• Does not currently support many transit applications
• Fragmentation between device OS
• Ecosystem not standardised / fragmentation
• To enhance security, HCE can be used with tokenisation, yet:
  o Certification framework not yet established for HCE / tokenisation.
  o Network coverage needed for token download / usability impact.
• High profile announcement suggests tokenisation requires a hardware SE for acceptable security.
But equally there are benefits…HCE
Simplified deployment model for global service providers
Global reach for Android 4.4
Opens up NFC to application developers
Increases breadth / volume of NFC services
Increases end user NFC familiarity / acceptance
Security can be enhanced via a hybrid approach
But equally there are benefits….SE
Highest grade of application security.
Established compliance / certification schemes.
Usability: SE services work when device is powered off
Only SE supports many transit applications
NFC SIM infrastructure is globally available, established and proven
SIM = most trusted business model for deploying secure mobile services
High profile endorsement that SE is best suited for NFC payment applications
HCE and SE – A security comparison
HCE
Software only approach to security
Applications run on the rich OS (vulnerable to malware / attacks)
Standalone HCE = no application security
No certification scheme to date
‘Acceptable risk’ judgement required / issuer liabilities
Ecosystem not yet standardised
Two key approaches to enhance security (hybrid models):
1) Combination of software and backend security mechanisms
2) Utilisation of SE
SE
Tamper resistant hardware plus software offers highest grade of security
SEs rely on extremely secure chips; variety of form factors
Application and credentials stored securely together within the SE
SEs provide separate memory for each application, allowing no interaction between them
Recognised security; established certification scheme and proven track record
Standardised ecosystem
One size most definitely doesn’t fit all….
There are benefits to both HCE and SE:
Service providers to use judgement / risk assessments to establish a suitable deployment model for their specific use case.
An open SE architecture offers the widest choice to all service providers, based on unique security and deployment (business model) choices.
HCE and the SE sit at extremes of security spectrum: hybrid approaches offer graduated security and further choices.
SIMalliance recommended deployment model by use case
Comparison: Assessment of NFC technology by key criteria
[Comparison chart not recovered. Legend: Not recommended; Recommended; Maybe, depending on implementation. Labels: Security, Market reach, Application, Technology.]
Conclusion
> SE, HCE and hybrid NFC deployments are all now in existence.
> Steep ascent of learning curve:
– how can technologies be leveraged to provide maximum benefit to specific use cases?
> Deployment models will continue to evolve; undefined hybrid models will materialise.
SIMalliance anticipates a future where SE and HCE will continue to co-exist, and in many cases converge.
This will be the basis of an optimally efficient and secure NFC ecosystem.
Thank you
@SIMalliance
https://uk.linkedin.com/company/simalliance