Why do we need a TEE?
The answer is simple. Mobile and “smart” devices have evolved into open software platforms capable of downloading a huge variety of applications via the internet. As more and more smart connected devices are used to store and access sensitive information and valuable content, they are increasingly becoming targets of malware, viruses and piracy. Software alone is proving to be insecure and now requires a component of hardware-based security to provide adequate protection. The rise of mobile financial services, online media and entertainment content, and cloud-based connectivity in corporate environments all require increased levels of security. The TEE isolates secure applications and keeps them away from any malware or viruses which might be downloaded inadvertently.
Business Benefits and Dependencies in the Connected Ecosystem
The TEE is at the core of a “smart connected ecosystem” and is relied upon by all its components. Device and chipmakers use TEEs to build platforms that have trust built in from the start, while service and content providers rely on integral trust to start launching innovative services and new business opportunities. To illustrate:
• Mobile manufacturers need to have a TEE environment present to satisfy the business requirements of different content providers.
• Mobile Network Operators benefit from the TEE, since it will enable them to offer more and higher value services to customers, facilitating increased revenues.
• Content providers want the TEE to ensure that their product remains secure and can be deployed to numerous platforms in a common manner.
• Payment service providers want increased protections and standardization to be able to streamline service and application development and reduce the need to support different proprietary environments.
Through the application of advanced security technology based on ARM TrustZone technology and the integration of tamper resistant elements, it is possible to develop devices that can offer both a feature-rich open operating environment and robust security solutions.
What is a Trusted Execution Environment (TEE)?
The TEE is a secure area that resides in the main processor of a smart phone (or any smart device) and ensures that sensitive data is stored, processed and protected in a trusted environment. The TEE's ability to offer safe execution of authorized security software, known as 'trusted applications', enables it to provide end-to-end security by enforcing protection, confidentiality, integrity and data access rights. Devices that are developed according to the recommendations of the TrustZone Ready Program and that utilize TrustZone technology deliver a platform that is capable of supporting a full Trusted Execution Environment (TEE), security-aware applications and secure services.
High Value Service Enablement
Video Content Protection
• Digital Rights Management
• Secure High Definition Content
• Wired and Wireless HD Playback
Mobile Payments & Banking
• Secure PIN entry
• Secure Display
• Public transport
• Loyalty-based applications
• Access control of cloud-based documents
• Secure communication
• Anti-malware that is protected from software attack
• Software license management
TEE and The Next Generation Mobile Security Framework
There are three mobile environments which make up the security framework within a mobile phone. Each has a different task:
Rich Operating System (Rich OS): An environment created for versatility and richness, such as Android, Symbian OS or Windows Phone, in which device applications are executed. It is open to third-party downloads after the device is manufactured. Security is addressed here but is limited due to its design and the functions it performs.
Trusted Execution Environment (TEE): Made up of software and hardware, the TEE offers a level of protection against software attacks generated in the Rich OS environment. It assists in the control of access rights and houses sensitive applications, which need to be isolated from the Rich OS, and effectively acts as a firewall between the “normal world” and the “secure world”. For example, the TEE is the ideal environment for content providers that offer a video for a limited period of time and need to keep their premium content (e.g. HD video) secure so that it cannot be shared for free.
Secure Operating System (Secure OS): A secure kernel which runs in parallel with a fully featured Rich OS, on the same processor core. It includes drivers for the Rich OS ("normal world") to communicate with the secure kernel ("secure world"). Anything can be made part of the trusted infrastructure, from interfaces, display and keypad to regions of PCI-E address space and memories. User space applications cannot access protected regions within the system.
Secure Element (SE): The SE is comprised of software and tamper resistant hardware. It allows high levels of security and can even work in tandem with the TEE. The SE is mandatory for hosting proximity payment applications or official electronic signatures where the highest level of security is required. The TEE may also offer a trusted user interface to securely transmit a personal identification number (PIN), which is required in order to make high value transactions. It also filters access to applications stored directly on the SE.
INSIDE TEE Enablement Components
INSIDE solutions are compliant with GlobalPlatform specifications and integrate seamlessly inside trusted execution environments based on ARM TrustZone frameworks.
INSIDE’s Fusion products offer HDCP and DTCP-IP solutions to secure High Definition (HD) video content for wired and wireless device-to-device streaming, as well as Embedded DRM Fusion agents to support Microsoft PlayReady. They provide a modular architecture that allows fast and easy integration on any platform with any multimedia to fulfill the highest security requirements for premium early window content.
Providing secure remote access to sensitive corporate information and applications requires that both the person’s identity information used for login authentication and the VPN communication channel maintain their privacy, integrity and confidentiality. INSIDE enables the use of a TEE to protect the user’s information and secure communications over IPsec and SSL through its SafeZone FIPS-certified cryptographic modules and its QuickSec and Matrix software development kits.