Mobile Device Security with NFC and Secure Elements
1. Smart Card Security in Mobile Devices
Evolution, Challenges, Opportunity
Jim Sheire
NXP Semiconductors
May 2011
2. Hard Crypto Tokens in Use
Logical Physical
Access Access
Using NFC interface
USB Tokens
MicroSD Read by NFC
Smart Phone
Smart Cards With NFC+SE
PCs, Mobile
Laptops Devices
(no NFC, SE)
2
May 6, 2011
3. Evolution of Tokens in Smart Phones
3G/4G NFC
• Smart Phone with no hardware token
Network Interface security, NFC
• Smart Phone with MicroSD slot
Phone OS, Apps
(Email, Web • Smart Phone with MicroSD w/ NFC
Browser, etc.)
• Smart Phone with NFC
MicroSD • Smart Phone with NFC+SE
Secure
Element Slot
NFC
Smart Phone
3
May 6, 2011
4. The Future: NFC+SE Smart Phone for ICAM
• Credentials loaded directly to embedded
3G/4G secure element, via NFC interface (ISO
Network 14443) or via OS/apps and data network/
“cloud”
• Phone OS and apps securely enabled by
Phone OS, Apps SE OS and apps (encryption, digital
(Email, Web signing, etc.), replacing or supplementing
Browser, etc.) MicroSD/ smart cards
• Phone may also be presented as token to
readers using NFC contactless smart card
Secure NFC interface (ISO 14443), enabling secure
Element Interface PACS, LACS w/ contactless reader)
4
May 6, 2011
5. Multi-application Secure Element
Secure Element
Managed by phone OS + SE OS
Payments Transit Secure ID Other apps
app with app with app with
credential credential credential
(Visa) (Mifare) (PIV)
• Each sub-domain of SE is securely managed by phone OS plus SE OS
(JavaCard/ Global Platform, etc.)
• Entire SE managed by “master key” held by “owner”
5
May 6, 2011
6. Security in Mobile Devices Rollout
Cloud Cloud PCs, Laptop, Doors
PoS, Transport,
PCs, Laptop, Doors
Cloud
Phase 1: Phase 2: Phase 3:
NFC phones NFC phones NFC phones with
Read cards With MicroSD Embedded SE
6
May 6, 2011
7. Challenges
• Who owns and manages Secure Element?
• MNOs (SIM model)?
• Handset Maker/ OS-apps-cloud services provider?
• Other?
• Delegated management
• How would management of trusted sub-domains in SE delegated and
managed by SE owner?
• What commercial and legal issues does this raise?
• Security certifications
• If SE is embedded, must entire smart phone be certified or just embedded
SE? How about removable MicroSD cards? How would MicroSD using a
smart phone OS and NFC interface for contactless be treated?
• Do current security certifications permit delegated/ remote management,
including post-issuance?
• Other (input welcome!)
7
May 6, 2011
8. Opportunity
In commercial space, technology solutions rolling out based on open,
interoperable standards
Ubiquity and ease of use of security embedded in mobile devices likely to solve
certain user workflow/ ease-of-use issues for secure ID
FIPS 201 moving more PIV high security functions to the contactless interface,
enabling NFC
In government, recent FIPS 201-2 workshop examined opening FIPS 201 to
support security in mobile devices, including:
– Alternate form factors for PIV credentials (MicroSD, embedded secure elements)
– Remote management via Global Platform or other standards
Given 1-3 year time frame for government standards development, the Smart
Card Alliance Identity Council may deliver concrete proposals for FIPS 201-2
changes to support the new mobile device form factor
One thing is certain: the demand to use mobile devices for IT will drive policy,
not vice-versa
8
May 6, 2011