Saturday, June 29, 2013
Managing Security
On Mobile Phones
( Nokia and TI
)
April 2005
Abstract
The topic describes the challenges of provisioning and
managing security in mobile phone environments and explains how a well-designed
deployment system can alleviate these challenges. This seminar highlights new
technology that Nokia and Texas Instruments are developing to address the challenges of
transparently managing security like IPSec VPN on mobile phones etc. , namely
Nokia Security Service Manager and M-Shield Technology respectively .
Index
1. Introduction
1.1
The
Importance Of Managing Security On Mobile Phones
1.2
Deployment Challenges In A Mobile
Environment
1.3
An
Example Of Security On Mobile Phones
1.4
Requirements
Of A Deployment System
1.4.1
Authenticating
Mobile Phones To A Deployment System
1.4.2
Delivering
Secure Content
1.4.3
Automatically
Updating Security On Mobile Phones
1.4.4
Administering
Large Numbers Of Mobile Phones
1.4.5
Adopting
And Deploying Security Rapidly
1.4.6
Centrally
Managing Mobile Phones
1.5 Enhancing Security Through Management
1.6 Benefits Of A Secure Deployment System
2. Nokia Security Service Manager
2.1. Deploying Security To
Mobile Phones
2.2.
Updating
Security Policies
2.3.
Converting
Security Policies
2.4.
Managing
Mobile Workers
2.5.
Authenticating
To The Deployment System
2.6.
Migrating
To PKI Infrastructure
2.7.
Future
Issues In Managing Mobile Phone Security
3. M-Shield™ Technology
3.1.
Public-key
infrastructure
3.2.
Secure execution
environment
3.3.
Secure
chip-interconnect
3.4.
Secure storage
3.5.
Hardware cryptographic
accelerators
3.6.
M-Shield™ Software solution
4. Conclusion
5. Reference
1.
Introduction
Enterprises can capitalize on mobility to gain business
advantages by connecting employees, customers, and partners. In large part,
this is being achieved by extending the enterprise network to mobile phones
that are designed for business use such as the Nokia 9200 Communicator Series
and Nokia 7650. With mobile phones, the workforce is empowered to check and
respond to email, send and receive faxes, hold conference calls, play video and
audio content, and access CRM (customer relationship management) and ERP
(employee resources planning) applications to view and edit everything from
sales reports to service orders away from their desks. Nokia is developing
technology for securing mobile phones so that they may be used routinely for
business without worry.
1.1 The Importance Of
Managing Security On Mobile Phones
As 3G networks
are successfully deployed worldwide, opportunities are arising to deliver to
end-users a multitude of services that satisfy their business, organizational
and entertainment needs. Wireless operators have started to increase
value-added services such as multimedia services, “e-Wallet” functionality
enabling financial transactions, gaming and messaging. Operators will also
benefit from the increased pipe bandwidth of 3G by performing over-the-air
services, applications provisioning and bug fixes, thus significantly reducing
operational and support costs. The
increased value and availability of the content and benefits of higher bandwidth dictate increased levels of handset security. As people start using mobile phones to tap into computer networks and to serve as payment devices, the potential damage could become severe as viruses spread from the mobile handset to the enterprise network
increased value and availability of the content and benefits of higher bandwidth dictate increased levels of handset security. As people start using mobile phones to tap into computer networks and to serve as payment devices, the potential damage could become severe as viruses spread from the mobile handset to the enterprise network
It is important to
understand the specific requirements of providing secure, reliable access to an
enterprise network in a way that is easily managed. The number of phones with
connectivity to the Internet is expected to grow rapidly over the next few
years. As these devices become more “business enabled,” they will be used by an
increasing number of employees as well as partners and customers to access the
enterprise. A management challenge arises when an enterprise has a large number
of mobile users whose security must be kept up to date. A well-designed
deployment system can significantly alleviate administration burden and
contribute to providing mobile users (employees and customers of an enterprise
alike) with uninterrupted secure, reliable service.
Current security
solutions are software-based and have proven to be vulnerable through hacking,
viruses and other malicious attacks. This lack of adequate security affects the
trust of content, service and financial providers’ trust as well as consumers.
Financial service providers, banks and consumers alike will not feel comfortable
with the over – the – air processing and handset storage of payment
credentials unless they are offered a high
degree of security. Likewise, content providers will deploy music,
videos or games unless they can trust the terms and conditions of the content
purchase and download are not violated.
Another factor driving the need for wireless security technologies is
operator’s desire to decrease operational and support costs with the ability to deploy over-the-air bug fixes and software patches, as well as flashing and application provisioning at purchase instead of production.
Another factor driving the need for wireless security technologies is
operator’s desire to decrease operational and support costs with the ability to deploy over-the-air bug fixes and software patches, as well as flashing and application provisioning at purchase instead of production.
Solving the security problem is essential for growth of 3G systems. The increased
value and availability of the content and benefits of higher bandwidth are
dictating increased security of the handset without violating
the constraints of performance and power.
the constraints of performance and power.
1.2 Deployment Challenges
In A Mobile Environment
The special
characteristics of mobile phones and networks must be taken into account by a
deployment system. The nature of mobile phones and access impose specific
requirements on managing deployment to phones. For a variety of reasons, mobile
phones are more challenging to manage than familiar remote access devices such
as PC laptops and PDAs. Mobile phones have less memory, storage, and processing
power capacity than laptops. Typically, phones come with 4-16MB of available
memory for applications (additional memory can be added) and have considerably
less powerful processors than standard desktop PCs (e.g. 206Mhz ARM vs. 2Ghz
Pentium IV). Unlike laptops, mobile phones are rarely connected directly to the
corporate intranet. This means that the connections from mobile
phones are almost always
from non-trusted, public networks and are usually shorter in connection duration.
The location of phones changes often in mobile networks. In fact, the location
of phones can change from one type of mobile network to another. Compared to
fixed networks, mobile networks are more diverse in terms of bandwidth,
reliability, and accessibility. For example, GSM HSCSD (Global System for
Mobile Communications using High Speed Circuit
Switched Data) provides
dial-up type data connectivity with speeds ranging from 14.4 kbit/s up to 43.2
kbit/s whereas GPRS (General Packet Radio Service) provides always-on type
connectivity with roughly similar data speeds. While the mobile networks
provide reasonable data speeds and reliability, they are currently slower than
fixed networks speeds.
1.3 An Example Of
Security On Mobile Phones
Remote access VPN usage
is growing quickly, starting first in laptops and now extending to mobile
phones. Remote access VPN refers to individual end users accessing a private
network over insecure public networks forming connections from their mobile
device to the private network. Corporate employees requiring secure access to
the network over the Internet use remote access VPNs. When securing phones,
enterprises often choose to deploy IPSec based Virtual Private Networks (VPN)
in the early stages since VPNs have become an attractive way for enterprises to
provide their employees, partners, and maybe even customers with secure
connections to their allowed resources inside the corporate network in a cost
effective manner. Phones now provide features that make them useful for working
on the move. Today with mobile VPNs, end users are able to work efficiently or
buy services from an enterprise with mobile phones without compromising the
company’s security policies from anywhere they have mobile connectivity.
The nature of mobile
phones and networks adds to the complexity of the VPN solution. Mobile VPNs
like Nokia Mobile VPN Client require management software such as Nokia Security
Service Manager to administer the client environment. (See Figure 1 above.) In
addition to the VPN client software, specific configuration information (often
referred to as VPN policy) is required in the client end so that it can
determine the following:
¨ The gateway
the client should connect to.
¨ The
circumstances under which the client should connect to the gateway,
¨ The security
parameters the client should use when connecting to the gateway.
¨ The protected
networks the client is allowed to access.
¨ The PKI data
configuration if it is to be used in VPN authentication.
Managing the above-listed
information requires a robust deployment system that can securely deliver the
client software and configuration as well as secure, transparent updates to
mobile phones.
1.4 Requirements Of A
Deployment System
The problem of managing
security applications and configuration of them on mobile phones can be divided
into two separate areas that share similar characteristics. They are: 1) the
initial deployment phase; and 2) the subsequent automatic, transparent updates.
The initial deployment stage is where the software, for example a mobile VPN
client, and the configuration information need to be delivered to mobile
phones. There are several ways of accomplishing this. The initial installation
may be carried out centrally by the corporate IT-services. In this case, the
mobile worker gets a phone with the VPN client software installed and
configured. Here, it can be assumed that the personnel carrying out the
installation are trusted and authorized to do the work. Therefore, there is no
problem related in establishing initial trust in the phone. In another case,
mobile workers may be required to carry out the initial installation of the
mobile VPN client software. In this scenario, it is critical to establish
initial trust in phones without compromising the overall security of the VPN
system. Establishing the initial trust is the first stage since it will be used
for providing automatic configuration updates to phones. This makes the initial
deployment stage especially challenging since phones have nothing either VPN
gateways or the deployment system can trust.
The initial trust between
a phone and the deployment system can be achieved by utilizing the existing
user authentication systems in an enterprise. In addition to authenticating the
user to the deployment system, it must authenticate to the user. Once both
parties have authenticated each other, a certificate can be issued to the phone
for future authentication. Similarly, the deployment system will use
certificates to authenticate itself to the phone. The subsequent automatic
updates to the client software and its configuration must take place securely.
Trust in the form of certificates created between the phone and the deployment
system is used to securely authenticate both parties and deliver the required
updates to the phone. In mobile networks, certificates provide an ideal method
of authentication. Using certificates for content updates saves mobile users
time and effort since they do not have to spend valuable airtime using manual
authentication methods to get their updates. The initial deployment and
subsequent update phases set a unique set of requirements for a secure,
transparent, powerful deployment system, which are discussed in detail below.
A system-level approach with intimate hardware and software
interleaving provides several benefits over the current software solutions,
including:
A more difficult and expensive process to reverse-engineer and
hack
• A hardware
accelerated cryptographic library and several hardware-based protection mechanisms against attacks providing
much higher performance and security level than the software implementation
• A more challenging
duplication
• Tampering attempts can
be detected and the system can react more efficiently
• Power optimization
• Transparent to the user
Texas
Instruments’ (TI’s) M-Shield mobile security technology solution provides the
highest level of terminal and content security in the industry as
well as setting the benchmark for the level of security needed to allow secure financial applications. M-Shield security technology is a system-level solution that intimately interleaves hardware and software mechanisms to provide the highest level of security.
well as setting the benchmark for the level of security needed to allow secure financial applications. M-Shield security technology is a system-level solution that intimately interleaves hardware and software mechanisms to provide the highest level of security.
M-Shield
technology is the key security element of the widely used OMAP™ platform and recently
announced OMAP-Vox™ family of scalable wireless solutions. The OMAP platform is
a family of high-performance, low power
consumption applications processors featuring an open, flexible architecture that is driving innovative solutions across the wireless industry. TI’s new OMAP-Vox
solutions are built on the industry leading OMAP architecture. By integrating modem and application processing, OMAP-Vox solutions are optimized to efficiently run a dynamic mixture of applications and communications functions
on the same hardware. Complete chipsets will also include analog components , power management and RF devices.
consumption applications processors featuring an open, flexible architecture that is driving innovative solutions across the wireless industry. TI’s new OMAP-Vox
solutions are built on the industry leading OMAP architecture. By integrating modem and application processing, OMAP-Vox solutions are optimized to efficiently run a dynamic mixture of applications and communications functions
on the same hardware. Complete chipsets will also include analog components , power management and RF devices.
1.4.1 Authenticating
Mobile Phones To A Deployment System
Before any kind of
configuration information is sent to the phone, the deployment system as well
as the client must authenticate each other to ensure that the parties engaged
in communications can be trusted. Unless this trust can be reliably
established, there is a danger that intruders portray themselves as a trusted
part. For example, if a mobile worker cannot reliably authenticate
the deployment server, an
intruder could provide the user with false configuration information and then
either render the mobile VPN client inoperable or direct the client to a false
service. There are number of ways to authenticate parties. In large mobile
client environments, PKI based authentication methods provide a scalable and
manageable solution. A deployment system should be able to utilize an
enterprise’s existing PKI solution or provide the required PKI functionality or
both.
1.4.2 Delivering Secure
Content
After both parties have
been successfully authenticated, delivery of the content from the deployment
system’s server must take place in a secure way. This can mean either
encrypting the actual connection between the phone and the deployment system or
encrypting the content that is being delivered. No matter what the approach,
the phone must be able to verify that content delivered is indeed from the
intended originator and that it has not been modified during delivery.
1.4.3 Automatically
Updating Security On Mobile Phones
Updates to policy or any
other configuration information in phone must take place automatically and
transparently without any end user intervention. Consider the case of VPN:
Configuration changes in the VPN infrastructure affect large numbers of users
and any new configuration must be available immediately. Carrying out the
deployment of these new configurations manually can be either impossible or
take so long that it has serious impacts on the VPN service to the mobile
workers. An automatic update mechanism enables either new or updated
configurations to be available for mobile workers as soon as changes take
place. The security infrastructure should be as transparent as possible to
mobile employees as well as partners and customers. When the mobile user is not
required to deal with updates, there is less chance of error occurring.
Furthermore, if updates are done automatically, potential security compromises
during the updates are avoided. An automatic system guarantees that the most
up- to-date configuration is always in use, thus guaranteeing uninterrupted
secure, reliable access to the enterprise.
1.4.4 Administering Large
Numbers Of Mobile Phones
In large deployment environments,
administration tasks are commonly
distributed among many people. One or many system administrators may be
responsible for the overall
configuration and operational aspects of the system. User management may be
distributed to dedicated user administrators who in turn may have management
rights to specific user groups. To support this kind of distributed
administration model, the deployment system must support multiple levels of
administrator roles and strictly control access to the system.
1.4.5 Adopting And
Deploying Security Rapidly
Enterprises that expand
their VPNs to mobile phones must guarantee that new services and security for
them is deployed rapidly. The larger the number of mobile employees, customers,
and partners, the more important it is to make sure the client software and
initial configuration are made available to users as soon as the VPN system is
up and running.
1.4.6 Centrally Managing
Mobile Phones
Key features of a good
deployment system are centralized management of mobile users and their
corresponding configurations. When the amount of phones grows to hundreds or
thousands, management of software like mobile VPN clients becomes almost
impossible without a deployment system. In enterprises, mobile users can
connect to resources through a variety of VPN gateways. These enterprises
require a centralized distribution system to guarantee that the user is always
provided with the most current policies for each gateway so that they can get
access to their work. An automated system for delivering configuration updates
to thousands of mobile phones reduces the time required to send configuration
information to workers. Timely delivery of the required configuration
information is essential to ensure that worker access to the network is not
disrupted. An automated system also reduces the number of people needed to
carry out manual deployment, which can be time consuming. Finally, support
overhead is reduced since potential errors caused by workers manually updating
configurations are eliminated.
1.5 Enhancing Security
Through Management
Any security system is as
vulnerable as its weakest link. Therefore, it is essential that no shortcuts be
taken when deploying security. Having a deployment system that does initial
provisioning and future updates automatically enforces an enterprise’s security
policy. A well-designed deployment system handles various updates to the phone
automatically requiring very little intervention from the worker. Perhaps even
more importantly, an automatic deployment system removes the requirement of having mobile workers update
their security. They don’t have to know how to implement security—it is just
there for them. Additionally, a deployment system can act as a centralized
provider of PKI services for enterprises.
By adopting PKI as part of the security
infrastructure, enterprises can enhance the overall security of its systems.
Authentication is one of many areas where PKI can simplify security. Moving
from legacy authentication to PKI based authenti cation is a major change for
any organization. A well-designed deployment system can provide functionality
to ease this transition.
1.6 Benefits Of A Secure
Deployment System
The benefits
of a deployment system can be viewed from various points of view. The maintenance
and management costs involved with
mobile phones are high. The cost of the phones themselves, when compared to the
total cost of ownership over the phones’ lifetime is low. Deployment of a
mobile VPN service is also a matter of cost. The longer the initial deployment
phase, the higher the overall costs of the mobile VPN project. Productivity of
the mobile workers increases considerably when enterprise resources can be
accessed. Financial models, such as various TCO models, provide a means to
estimate the financial impact of mobile phones and give justification for
investing in a management system.1 Ultimately, a sound business case will
determine how much enterprises are willing to invest in a deployment system. Making this decision
requires careful consideration of the technology and maybe even more
importantly the business drivers for extending the enterprise to mobile phones.
2. Nokia Security Service
Manager
Nokia Security Service
Manager (SSM) is a deployment system specifically designed to address the
initial deployment, subsequent configuration management, and PKI related
requirements in mobile environments. To start, Nokia SSM provides a scalable
mobile VPN solution that enterprises can use to extend their VPN to the mobile
domain using the Nokia Mobile VPN Client for Symbian OS and supported Check
Point VPN gateways. This section
explains how Nokia SSM expedites deployment
of security within an enterprise using the Nokia Mobile VPN Client as an
example.
2.1 Deploying Security To
Mobile Phones
Initial deployment of the
Nokia Mobile VPN Client software and policy must take place securely. The key step
in achieving this security is establishing a trust between a mobile phone and the deployment
system, Nokia SSM. Nokia SSM provides a means of reliably and mutually
authenticating mobile phones and Nokia SSM with each other. The authentication
mechanism allows rapid initial deployment of large numbers of mobile phones.
Nokia SSM has a
web-interface that can be accessed by any TLS/SSL enabled browser with high
encryption capabilities (such as 3DES with 168-bit keys). This HTTPS interface
is used to authenticate workers the first time they access Nokia SSM.
Authentication can take place against a RADIUS server, for example. In addition
to providing their user credential, they are also required to enter an
identification code produced by Nokia SSM. This code is delivered by some
out-of-band mechanism and verifies the authenticity of Nokia SSM to them.
2.2 Updating Security
Policies
Nokia SSM provides
automatic policy and configuration updates to Nokia Mobile VPN Clients. The
first time mobile users connect to Nokia SSM, they are required to authenticate
using a username and password. After initial authentication, the client is
issued a device certificate by Nokia
SSM’s internal certification authority (CA) that is then used for
authentication when policy or any other content updates are required. The
mobile phone automatically connects to Nokia SSM to check for updates when a
VPN connection is being initiated. If an update is available, it is installed
on the user’s mobile phone and they are notified that the update took place. The
user can also manually initiate an update request to Nokia SSM.
2.3 Converting Security
Policies
Nokia SSM provides
automatic conversion of the VPN policy to a format required by Nokia Mobile VPN
Client for Symbian OS. Nokia SSM has an open content delivery interface that
defines the format and method of delivering
VPN policy information from any vendors’ VPN policy management system, for
example Check Point’s Smart Management, to Nokia SSM. This open Content Update
Interface is based on SSL protected HTTP requests that contain XMLformatted
messages.
2.4 Managing Mobile
Workers
Nokia SSM provides
flexible tools for managing the mobile population whether they are employees,
partners, or customers. User information can be retrieved using various methods
from the existing databases. Hierarchical user groups enable workers to be
organized to best reflect the planned deployment model. Content delivered to
the phones is associated with the user groups allowing delivery to be managed
at a granular level.
Grouping can be based on
any number of things such as geographical location or departments within a company.
Mobile users can be members of multiple groups. When a user logs into Nokia
SSM, their group memberships are automatically checked. The content presented
to them is based on all the groups the user is a member of or has inherited
from other groups through group hierarchies.
2.5 Authenticating To The
Deployment System
Nokia SSM supports user
authentication using certificates, normal and one- time passwords generated
with token cards such as SecurID against RADIUS servers and usernames and
passwords against Nokia SSM’s local database. Ability to utilize the existing
legacy authentication services that the enterprise already has in place allows
Nokia SSM to be easily integrated as part of existing IT infrastructure.
2.6 Migrating To PKI
Infrastructure
Nokia SSM has powerful
PKI features that provide enterprises an
easy migration path from legacy authentication to certificate-based
authentication (CA). Nokia SSM can act as a registration authority (RA) towards
external CAs providing an automatic certificate enrollment process for end
users. Depending on the external CA used to issue the certificates, Nokia SSM
can communicate with the protocol
required by the CA to enable automatic certificate issuance. Currently, the supported
protocols are SCEP (Simple Certificate Enrollment Protocol) and CRS
(Certificate Request Syntax).
Nokia SSM also adds to
the security of the enrollment process since it can be configured to require
users to authenticate to Nokia SSM when this process is initiated. In addition
to authenticating the mobile worker, Nokia SSM also checks that they are
entitled to carry out the enrollment request. The enrollment gateway functionality
provides a central point where the administrator can see the status of the
enrollment requests and certificates in use. Nokia SSM also includes an
internal CA. It is used in providing PKI based authentication services to the automatic
policy update functionality. It can also be used to issue dedicated
certificates for VPN authentication usage. If the certificates are used in a
closed VPN environment only, then this approach is not only more flexible from
the administration point of view but it can
also result in substantial cost savings compared to using certificates
issued by an external CA. Certificates issued by the Nokia SSM internal CA adhere to the
X.509v3 standard. CRLs (Certificate Revocation List) and OCSP (Online Certificate
Status Protocol) are supported for checking certificate revocation information
issued by internal or external CAs.
2.7 Future Issues In
Managing Mobile Phone Security
Mobile phones differ from
other corporate mobile devices (PCs and laptops) with respect to the
capabilities of the phones and the mobile environment they operate in. They are
also often utilized for both business and personal use, which presents
challenges for managing multiple identities and security domains on phones. Requirements
for security applications on mobile phones and management of them are specific
and complex.
Nokia SSM is a step
towards providing a single point of security
management for all security related applications on mobile phones. It is
designed to be a vendor and application independent, self-sufficient security deployment
system. In the future, the provisioning functionality could be utilized for
rapidly deploying security applications such as anti-virus software and personal
firewalls and providing them with automatic configuration updates. The
standards based PKI functionality in Nokia SSM can also be utilized by various applications
to enhance their security on mobile phones.
3.
M-Shield™ Technology
TI’s M-Shield
mobile security technology solution’s infrastructure includes:
•Public-key
infrastructure with secure on-chip keys (e-fuse)
•Secure execution
environment with hardware counter
measures against attacks
•Secure chip-interconnect
and Dynamic Memories Access (DMA)
•Secure storage mechanism
•Secure storage mechanism
•Secure RAM for protected
applications
•Secure ROM programmed at
production
•Hardware cryptographic
accelerators and Random Number Generator
This
infrastructure allows M-Shield technology to offer a hardware-enforced secure
environment for safe execution of
sensitive authorized applications and secure storage of data. M-Shield
technology also offers:
•Authentication of flashing
and booting software
•100+ services accessible
by secure applications
•Accelerated cryptography
•Hardware-based
protection against software attacks and cloning
•Secure
access/restriction to all chip peripherals and memories
•Secure protection of debug,
trace and test capabilities
M-Shield
solution’s infrastructure provides the highest level of security to reduce the
unauthorized use of handsets and fraud while enabling the deployment of
value-added secure services.
TI’s M-Shield
solution includes a public-key infrastructure that along with the secure
environment subsystem provide complete security. Cryptographic accelerators and
a FIPS compliant Random Number Generator are key elements of the public-key infrastructure.
M-Shield security solution provides hardware-based AES accelerator and Public
Keys Accelerator (PKA), as well as
DES/3DES, SHA1 and MD5 hardware accelerators. By providing fast client authentication and signing, M-Shield
technology accelerators save critical time and enhance the user experience by
offsetting the degradation of software based solutions. To decode 5 MB using 3
DES or AES in hardware takes a mere 230 ms versus almost 6 seconds to decode
the same data amount in software running at 330 MHz.
3.1 Public-key
infrastructure
Secure
on-chip keys (e-fuse) are OEM specific one-time programmable keys that
are
accessible only in secure mode for authentication and encryption and include:
¨
Root public key for
authentication
¨
Random key for binding
¨ Customer key for OEM-specific use
¨ Secure Storage Mechanisms
3.2 Secure execution
environment
M-Shield
technology’s
secure
execution environment provides
hardware
countermeasure against
attacks and is the industry’s
only hardware-based
secure
execution environment. The industry’s first Secure State
Machine (SSM)
applies
and guarantees the security
policy rules while entering, executing and
exiting
from the secure environment. The secure environment also provides:
¨
Security via on-chip
public key verification
¨
Debug disable
¨
Secure storage (signed,
encrypted data stored externally)
¨ Shared memory protection
¨ Boot sector write
protection
¨ Secure watchdog timer
to detect a nonregular entrance in secure mode
¨ Cryptographic
libraries
¨ User defined protected
applications
3.3 Secure chip-interconnect
To
further ensure protection against attacks, a secure interconnect allows certain
Peripherals
to be disabled
so that sensitive
information cannot be
stolen.
Peripherals
and other portions of the device that might be disabled include:
¨
MMI peripherals such as
keyboard, LCD, fingerprint sensor
¨
Smartcard physical
interface
¨
Cryptoprocessors
In
addition, M-Shield technology provides DMA to protect secure application data
3.4 Secure
storage
Secure RAM/ROM is critical to
protect security application execution. M-Shield
technology provides the industry’s
only secure ROM, GSM SDRAM protection
and secure DMA. Secure ROM
services include:
¨ Drivers for the
hardware cryptography blocks
¨ Secure Mode
ManagerLoad manager
¨ Secure storage manager
¨ Remote procedure call
interface
¨ Optimized cryptography
library
Secure RAM is critical for:
¨ Authentication and
execution of protected applications
¨ Safe working space for
execution of secure ROM services
¨ Key material
generation
¨ Dynamic keys storage
¨ Certificate signature
and verification
3.5 Hardware
cryptographic accelerators
TI’s M-Shield solution
includes a public-key infrastructure that along with the
secure environment subsystem
provide complete security.
Cryptographic
accelerators and a FIPS compliant Random Number Generator
are key
elements of the public-key infrastructure. M-Shield security solution
provides
hardware-based AES accelerator
and Public Keys
Accelerator (PKA), as well
as DES/3DES, SHA1 and MD5 hardware accelerators. By providing fast client
authentication and signing,
M-Shield technology accelerators save critical time
and enhance
the user experience
by offsetting the degradation
of software-
based solutions. To decode 5 MB using 3 DES or AES in hardware takes a mere
230 ms versus almost 6 seconds
to decode
the same data
amount in software
running at 330 MHz.
3.6 M-Shield™ Software
solution
TI offers a
flexible software solution that includes device drivers as well as security
software libraries and APIs to support third-party middleware software and
applications. M-Shield solution’s flexible API supports a wide range of
cryptography functions and allows the cryptography engine to interface with
higher levels of the system, such as OSs
4. Conclusion
In mobile phone
environments, an easy- to-manage, secure, reliable deployment system adds to
the overall value of a company’s security system. A well-designed system
addresses various requirements in the areas of authentication and content
delivery to mobile phones. PKI plays an important role in making an enterprise capable
of scaling to support large numbers of mobile users.
The guiding
principles in development of Nokia Security Service Manager have been
administration cost reduction, ease of mobile client management, and enhanced
end user experience—all done without compromising security. Nokia SSM will
continue to address the specific needs of mobile security as requirements evolve.
For high-value services’ deployment
to be successful, end users, content and service providers must be confident
the handset provides the right level of security. As the value and complexity
of the applications and high-value content increases, the security level must
also increase. Only a system-level solution can provide the highest level of
security. With TI’s M-Shield mobile security technology solution, along with an
ecosystem of partnerships, 3G secure-sensitive applications will be
successfully deployed.
5. Reference
1. white paper by Texas
Instruments
2. white paper by Nokia
3. www.bitpipe.com
4. www.ittoolbox.com
