S. Flake, F.C. Bormann, A. Mauhourat, J. L. Dépinay, C. Rust - Design of an Application Management Framework for TPDs
Design of an Application Management Framework for Trusted Personal Devices
Stephan Flake, Frank C. Bormann, Arno Mauhourat, Jean L. Dépinay, Carsten Rust
I. THE INSPIRED PROJECT
Trusted Personal Devices (TPDs) are small, portable devices with tamper-resistant hardware currently being designed in the InspireD project, an Integrated Project funded by the European IST 6th Framework Programme. The project vision is that the TPD serves as a common software and hardware platform for the next generation of Smart Cards and other secure devices.
In this article, we focus on the design of an appropriate secure TPD application framework, which is the glue between the TPD operating system (encompassing a Virtual Machine, VM) and the applications installed on the TPD. We understand the TPD application framework as an onboard management system that enables secure application life cycle management. Based on the identified requirements for secure application management on TPDs, we investigated related existing frameworks, among them the GlobalPlatform Card security architecture, GPD application management, JavaCard, Liberty Alliance, and OSGi. Our analysis led to a TPD application framework that defines a powerful, extensible, and adaptable platform and abstracts from underlying application models such as Stiplets, bundles, applets, or servlets.
TPDs aim to meet the strong demands for privacy, trust, and security of sensitive and valuable data in an emerging pervasive networking environment. Firstly, to establish trust, TPDs rely on security technology, i.e., strong cryptography supported by dedicated hardware. Secondly, the TPD is meant to be a personal belonging, i.e., each TPD is under the primary control of a person, as opposed to the rather issuer-centric approach of current Smart Card applications. Thirdly, the TPD shall be employed as a device within existing networked IT infrastructures. Particular innovative key features of the TPD are, among others, high-bandwidth communication facilities, support of network protocols (TCP/IP), and Web server functionality. Furthermore, the InspireD project investigates a number of proof-of-concept implementations in different application areas, e.g., mobile telecommunication, online services, ID management, and Digital Rights Management.
II. TPD APPLICATION MANAGEMENT FRAMEWORK
[Figure 1 is a component diagram that is not reproduced here. Its labelled components are: Holder Security Domain, Issuer Security Domain, Application Provider Security Domain, General Domain Manager, Domain Handler, Protection Domain Handler, Holder Verification, Personal Data, Holder Policies, Issuer Policies, Application Provider Policies, Applications (Code and Metadata), Application Lifecycle Manager, TPD Runtime Environment Basic Library, Running Applications A1, A2, A3, and the Virtual Machine; the arrows between the components are stereotyped «uses».]
Figure 1: Main Components of the TPD Application Management Framework
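To make the interplay of the components in Figure 1 concrete, the following is an added, illustrative model written for this page; it is not code from the InspireD project or from the authors. It assumes a deliberately simplified form of each component: the Holder Verification Method is a PIN compared in constant time; at most one Issuer Security Domain is active at a time, and each such domain carries the verification keys of the application providers it admits; application metadata is authenticated with an HMAC that stands in for the digital signature mentioned in the text; holder policies are (provider, data item) deny rules; and the Application Lifecycle Manager checks both the metadata authenticity and the holder policies at installation time, with a separate per-access check of the kind the VM would call at runtime. All provider names, keys, PINs and data items are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

@dataclass
class AppMetadata:
    app_id: str
    provider: str
    requested_data: tuple  # personal data items the application wants to read
    mac: str = ""          # HMAC stands in for the provider's digital signature (assumption)

def _canonical(meta):
    fields = {"app_id": meta.app_id, "provider": meta.provider, "requested_data": list(meta.requested_data)}
    return json.dumps(fields, sort_keys=True).encode()

def sign_metadata(meta, provider_key):
    # Provider side: authenticate the metadata before it is shipped to the TPD.
    meta.mac = hmac.new(provider_key, _canonical(meta), hashlib.sha256).hexdigest()
    return meta

class HolderSecurityDomain:
    # Holder-controlled domain: HVM, holder policies, General Domain Manager.
    def __init__(self, pin):
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.holder_verified = False
        self.deny_rules = set()    # (provider, data_item); data_item "*" denies every item
        self.issuer_domains = {}   # name -> {provider: verification key}
        self.active_issuer = None  # at most one active Issuer Security Domain

    def verify_holder(self, pin):
        """Holder Verification Method, PIN variant (constant-time compare)."""
        candidate = hashlib.sha256(pin.encode()).digest()
        self.holder_verified = hmac.compare_digest(candidate, self._pin_hash)
        return self.holder_verified

    def _require_holder(self):
        if not self.holder_verified:
            raise PermissionError("holder verification required")

    def add_deny_rule(self, provider, data_item="*"):
        self._require_holder()
        self.deny_rules.add((provider, data_item))

    def install_issuer_domain(self, name, provider_keys):
        self._require_holder()
        self.issuer_domains[name] = dict(provider_keys)

    def activate_issuer_domain(self, name):
        self._require_holder()
        if name not in self.issuer_domains:
            raise KeyError(name)
        self.active_issuer = name  # implicitly deactivates the previously active one

    def data_allowed(self, provider, data_item):
        return not ({(provider, data_item), (provider, "*")} & self.deny_rules)

class ApplicationLifecycleManager:
    def __init__(self, hsd):
        self.hsd, self.installed = hsd, {}

    def install(self, meta):
        if self.hsd.active_issuer is None:
            return False, "no active Issuer Security Domain"
        key = self.hsd.issuer_domains[self.hsd.active_issuer].get(meta.provider)
        if key is None:
            return False, "provider unknown to the active issuer domain"
        expected = hmac.new(key, _canonical(meta), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, meta.mac):
            return False, "metadata signature invalid"
        blocked = [d for d in meta.requested_data if not self.hsd.data_allowed(meta.provider, d)]
        if blocked:
            return False, "holder policy denies: " + ", ".join(blocked)
        self.installed[meta.app_id] = meta
        return True, "installed"

    def read_data(self, app_id, data_item):  # per-access check the VM performs at runtime
        meta = self.installed.get(app_id)
        return bool(meta) and data_item in meta.requested_data and self.hsd.data_allowed(meta.provider, data_item)

def demo():
    """Constructed walk-through; keys, provider names and data items are made up."""
    bank_key = b"constructed-bank-key"
    hsd = HolderSecurityDomain(pin="1234")
    out = {"holder_ok": hsd.verify_holder("1234")}
    hsd.install_issuer_domain("mno", {"bank.example": bank_key})
    hsd.activate_issuer_domain("mno")
    hsd.add_deny_rule("bank.example", "health_record")  # holder policy for one provider
    alm = ApplicationLifecycleManager(hsd)
    pay = sign_metadata(AppMetadata("pay", "bank.example", ("name", "account")), bank_key)
    out["pay"] = alm.install(pay)
    out["tampered"] = alm.install(  # pay's MAC reused on altered metadata
        AppMetadata("pay2", "bank.example", ("name", "health_record"), pay.mac))
    out["health"] = alm.install(
        sign_metadata(AppMetadata("fit", "bank.example", ("health_record",)), bank_key))
    out["pay_reads_account"] = alm.read_data("pay", "account")
    hsd.install_issuer_domain("corp", {"hr.example": b"constructed-hr-key"})
    hsd.activate_issuer_domain("corp")  # "mno" is no longer active
    out["after_switch"] = (hsd.active_issuer, alm.install(pay))
    return out
```

Calling demo() walks through the decisions the text describes: a correctly authenticated application that requests only permitted data installs; metadata whose fields were altered after signing is rejected before any policy is consulted; a correctly authenticated application that requests an item the holder has denied to that provider is rejected by holder policy; and once the holder switches to a second Issuer Security Domain, the first provider's applications can no longer be installed because the new domain does not carry its key. Every holder-domain operation is gated on a prior successful holder verification.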
Basically, an Issuer Security Domain on the TPD corresponds to the Card Manager specified by the GlobalPlatform Card committee. Note that at most one Issuer Security Domain may be active at a time. When the TPD is presented to third parties, e.g., for electronic payment or digital rights acquisition, the Issuer Security Domain is employed for trusted provisioning of the TPD holder's identity within that domain. For primary user authentication, the Holder Security Domain has a Holder Verification Method (HVM). The HVM may be realized in different ways, e.g., verification of a provided PIN or password, or of data gained from a biometric sensor.
TPD application life cycle management comprises installation, de-installation, activation, execution, and termination of applications. The Application Lifecycle Manager uses the corresponding (digitally signed) application metadata to check for access privileges. Access control for application activation, execution, and termination is primarily handled by the VM, on top of which all applications have to be executed. Here, the Holder and the Issuer Security Domains provide policy-based decision support for the VM. The VM is thus able to continuously control resource access during application runtime.
Furthermore, the Holder Security Domain allows Issuer and Application Provider Domains to be securely (de-)installed and (de-)activated. This is done by the General Domain Manager, based on policies that can be configured by TPD holders, issuers, and application providers. In particular, TPD holders can define and install policies themselves to restrict access to data stored on the TPD; e.g., one can deny all applications of a particular application provider access to certain sensitive personal data.
III. CONCLUSION
The TPD application framework is developed as part of the InspireD project to enhance user privacy by providing the facility to define and change policies that restrict access to sensitive personal data stored on the TPD. TPD holders can now control which of their data is accessible to issuers, application providers, and applications (both applications installed on the TPD and external applications requesting data as clients). Additionally, the TPD holder gains more control over the TPD issuer(s). The issuers primarily become agencies for the TPD holder, providing trustable identity information to third parties.
Although the proposed application framework might appear to weaken the position of TPD issuers with respect to control over their deployed TPDs (we think here of, e.g., Smart Card issuers such as Mobile Network Operators), it is a promising approach given the increasing market demand for flexible, secure application management combined with privacy enhancement and self-determined control over sensitive user data.
ABOUT THE AUTHORS
STEPHAN FLAKE (Speaker) – System Architect
ORGA Systems enabling services GmbH, Am Hoppenhof 33, 33104 Paderborn, Germany, phone: +49 (0) 5251 889 3685, email: [email protected]
Stephan Flake received his doctoral degree (Dr. rer. nat.) in Computer Science from the University of Paderborn, Germany, in June 2004. In July 2004, he joined ORGA Systems as a project manager in the R&D department. He has been involved in national and international research projects dealing with formal specification, verification, and security technologies. He is working in the European 6th Framework Programme project InspireD as a member of the TPD Application Framework group, particularly investigating secure application and profile management, policy management, and advanced content protection mechanisms.
FRANK BORMANN – R&D Project Manager
ORGA Systems enabling services GmbH, Am Hoppenhof 33, 33104 Paderborn, Germany, phone: +49 (0) 5251 889 3221, email: [email protected]
Frank Bormann received his doctoral degree (Dr. rer. nat.) in Physics from the University of Bielefeld, Germany, in 1997. After working for two years as an R&D Manager in a company dedicated to software and hardware development for optical measurement systems, he joined ORGA Kartensysteme in 1999. He has been involved in several international research projects on new Smart Card and related system technologies. Since 2001, he has been in charge of technology and innovation management at ORGA. In 2003, he joined the spin-off ORGA Systems enabling services GmbH and took over the project management responsibility for the EC research project InspireD. His current research interest is in new concepts for Trusted Personal Devices as networking objects and corresponding management systems.
JEAN-LOUP DÉPINAY – JavaCard OpenPlatform Architect
Oberthur Card Systems, 71-73, rue des hautes Pâtures, 92726 Nanterre Cedex, France, phone: +33 (0) 1 41 38 48 33, email: [email protected]
Jean-Loup Dépinay is an engineer who graduated from L'école Supérieure d'Electricité in 1990. After working a few years for the graphic arts industry, he joined Delarue Card Systems (which became Oberthur Card Systems in 2000) in 1997 and has been with this company since then. He has been in charge, as an architect or as a project leader, of several JavaCard platforms deployed worldwide. He has been involved in the development of JavaCard technology since 1998. He has attended most of the sessions of the JavaCard Forum as an active member. He is also actively participating in the GlobalPlatform Card committee. His current interests are security improvement and making the Smart Card an open device supporting network technologies.
ARNO MAUHOURAT – Lead Research Engineer
Axalto / Advanced Research, 36-38 rue de la Princesse, 78431 Louveciennes Cedex, France, phone: +33 (0) 1 30 08 45 80, email: [email protected]
Arno Mauhourat is a lead research engineer at Axalto Advanced Research. He is responsible for the architecture design and implementation of software platforms for Internet-enabled Smart Cards. He was formerly software project manager at SchlumbergerSema E-Payment and designed the STIP (Small Terminal Interoperability Platform) and the GlobalPlatform Device API on payment terminals. In the STIP consortium, he was vice-chairman and principal editor of the API, and he was principal editor for the GlobalPlatform Device committee.
CARSTEN RUST – R&D Project Manager
Sagem Orga GmbH, Am Hoppenhof 33, 33104 Paderborn, Germany, phone: +49 (0) 5251 889 3519, email: [email protected]
Carsten Rust received his degree in Computer Science from the University of Paderborn, Germany, in 1996. Until 2004, he held a research position at a joint research lab operated by the University of Paderborn and Siemens, where he worked on the design of embedded real-time systems. In August 2004, he joined ORGA Kartensysteme (which became Sagem Orga in 2005) as a project manager for R&D projects. At Sagem Orga, he is currently in charge of the European 6th Framework Programme project InspireD. He is involved in the TPD Security group and the TPD Application Framework group.