1 / 7

TRUST PROVISIONING Related Hardware Embedded Secure Elements for Mobile Phone applications

TRUST PROVISIONING Related Hardware Embedded Secure Elements for Mobile Phone applications. Service Provider (bank). Smart Card Initialization & Personalization. Card 5566..0001 – Mr Bianchi. Card 5566..0001 – Mr Bianchi. Card 5566..0002 – Mr Gallo. Card 5566..0002 – Mr Gallo.

hasad
Télécharger la présentation

TRUST PROVISIONING Related Hardware Embedded Secure Elements for Mobile Phone applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TRUST PROVISIONINGRelated Hardware Embedded Secure Elements for Mobile Phone applications

  2. Service Provider (bank) Smart CardInitialization & Personalization Card 5566..0001 – Mr Bianchi Card 5566..0001 – Mr Bianchi Card 5566..0002 – Mr Gallo Card 5566..0002 – Mr Gallo Card 5566..0003 – Mr Rossi Card 5566..0003 – Mr Rossi Silicon Manufacturer Card Vendor O.S. Provider ROM Mask, EEPROM Image, Wafer Testing … Card 5566..0001 Personalization Pre-perso Mr Bianchi Card 5566..0002 Mr Gallo Card 5566..0003 Mr Rossi SMART CARD 5566 .. 002 Mr Gallo Flow of Trust Mr Gallo Flow of Hardware Press <space> once!

  3. Trust ProvisioningInitialization & Personalization service provider Service Provider(s!) (bank) Trusted Service Manager Silicon Manufacturer O.S. Provider ROM Mask, EEPROM Image Mr Koch – 040-238679 OTA IC Personalization Uid..001 OTA Uid..002 Diffusion, Wafer Testing, Initialization (1Key4Die),… Uid..001 X X X Uid..002 Uid..00n Uid..00n 001 002 Non trusted OEM/ODM Mr. Koch 00n MNO Distribution / Retail 00n 00n 002 002 001 001 001 End

  4. Body Signed Hash How Keys and Certificates are created Start Silicon Manufacturer Public/Private Key Pair NXP private keysecurelystored in NXP HSM public public private private Generate IC-specific Public/Private Key Pair Key Generator Secure Key Storage Signing Create Device Certificate Body Hardware Secure Module (HSM) Calculate Hash of Certificate Body Example Signature Sign Hash with NXP Private Key Insert Device Certificate + IC-specific Private Key in Embedded SEChip ESE Chip Ready

  5. Root CA Certificate Device Certificate Device Certificate Body … Public Key … Signed HASH Body … Public Key … Signed HASH Body … Public Key … Signed HASH Offline authentication CLIENT (Authentication Device) HOST (MCU) Request certificate Send certificate Private Key Client Certificate is genuine Validate certificate NOK Rnd# OK Send challenge Sign challenge Sign(Rnd#) Send response Validate response Client knows its private key NOK OK stop Continue service

  6. Client-authenticated TLS handshake ClientHelloCertificateClientKeyExchangeCertificateVerifyChangeCipherSpecFinished ServerHelloCertificateCertificateRequestServerHelloDoneChangeCipherSpecsFinished RNDa+caps RNDb+method selection Certificate verification Server certificate+CA sign Client certificate+CA sign Secret key Certificate verification Transaction signature

  7. Hands-on: Exampleof a TLS link Using A70CM

More Related