Secure enrollment and practical migration for mobile trusted execution environments

Smartphones can implement various security services from mobile banking to security tokens used for physical access control. System-wide trusted execution environments (TEEs), like ARM TrustZone, allow implementation of these services that withstand malware and operating system compromise. While researchers and developers have focused on secure storage and processing of credentials on such mobile TEEs, secure and practical bootstrapping of security services has been overlooked. The goal of this paper is to put forward the problem of secure user enrollment in the context of mobile system-wide TEEs. We explain why user identity binding to a mobile device is challenging on current smartphone platforms, and argue that current mobile device architectures do not facilitate secure enrollment and migration for such TEEs. We outline possible architecture changes that would enable the realization of secure and practical enrollment, and thus enable more widespread secure deployment of various mobile security services.
