01_trust provisioning

Report
TRUST PROVISIONING
Related Hardware
Embedded Secure
Elements for Mobile
Phone applications
1
Smart Card
Initialization & Personalization
O.S. Provider
Silicon
Manufacturer
Service Provider
(bank)
Card 5566..0001 – Mr Bianchi
Card 5566..0002 – Mr Gallo
Card 5566..0003 – Mr Rossi
Card Vendor
ROM
Mask,
EEPROM
Image,
Card 5566..0001
Card 5566..0002
Card 5566..0003
Wafer Testing
…
Pre-perso
Flow of Trust
Flow of Hardware
Press <space> once!
Personalization
SMART
CARD
5566 .. 002
Mr Gallo
2
Trust Provisioning
Initialization & Personalization
O.S.
Provider
Silicon
Manufacturer
Trusted Service Manager
Mr Koch – 040-238679
OTA
Uid..001
ROM
Mask,
EEPROM
Image
Service
service
Provider(s!)
provider
(bank)
Uid..002
Uid..00n
OTA IC Personalization
Non trusted
OEM/ODM
Mr. Koch
MNO
Diffusion, Wafer Testing,
Initialization (1Key4Die),…
Distribution
/ Retail
End
3
How Keys and Certificates are created
Start
public private
public private
Generate IC-specific
Public/Private Key Pair
Key
Generator
Signing
Create Device Certificate
Body
Silicon Manufacturer Public/Private Key Pair
NXP private key securely stored in NXP HSM
Secure
Key
Storage
Hardware Secure Module (HSM)
Example Signature
Calculate Hash of
Certificate Body
Sign Hash with
NXP Private Key
Body
Insert Device Certificate +
IC-specific Private Key in
Embedded SE Chip
ESE Chip
Ready
Signed
Hash
4
Offline authentication
Root CA Certificate
CLIENT (Authentication Device)
HOST (MCU)
Body
…
Public Key
…
Signed HASH
Request
certificate
NOK
Validate
certificate
Send
certificate
Device Certificate
Body
…
Public Key
…
Signed HASH
Private Key
Client
Certificate
is genuine
OK
Send Rnd#
challenge
Sign
Sign(Rnd#)
challenge
Send
response
NOK
Validate
response
Client
knows its
private key
OK
stop
Continue
service
5
Client-authenticated TLS handshake
ClientHello
RNDa+caps
RNDb+method selection
Certificate
verification
Certificate
ClientKeyExchange
CertificateVerify
ChangeCipherSpec
Finished
Server certificate+CA sign
ServerHello
Certificate
CertificateRequest
ServerHelloDone
Client certificate+CA sign
Secret key
Transaction signature
Certificate
verification
ChangeCipherSpecs
Finished
6
Hands-on: Example of a TLS link Using A70CM
7

similar documents