11. Mobile Trusted Devices

Question 1

Requirements for Qualified Electronic Signature Creation Devices

Answer 1

 Shall ensure: confidentiality, signature creation can occur only once, reliably protected against forgery, protected against use by others
 Shall not alter the data to be signed or prevent such data from being presented
 generating or managing electronic signature creation data on behalf of the signatory may only be done by a qualified trust service provider
 these may duplicate electronic signature creation data only for back-up purposes under following requirements: security of duplicated handsets must be the same as originals & shall not exceed minimum needed to ensure continuity of the service

Question 2

Popular Vision: Security Assistant (&challenges)

Answer 2

storing personal data, performs sensitive processes (e.g. decoding of confidential messages) & assist negotiations (e.g. methods of payment)
— CHALLENGE: usability, protection from unauthorized access to stored data, trust

Question 3

Risks in Current Mobile Platforms & solution?

Answer 3

• Risks of malware
• passwords can be deactivated
• attackers can steal private information
• cameras -> invasion of personal privacy
• communication protocols can be used to attack device/steal data
• —–> SOLUTION: (embedded) Secure Elements, Trend from open platforms to open and trusted platforms

Question 4

Trusted Platform Module (TPM)

Answer 4

(from Trusted Computing Group) Chip to make computers more secure as part of TCG
specifications -> like hardcoded smartcard with difference that ≠ bound to specific user but system

Question 5

Mobile Equipment Identifier (5)

Answer 5

IMEI (International Mobile Equipment Identity)–IMSI (International Mobile Subscriber Identity)–UDID (Apple Unique Device Identifier)–Google Android ID–TPM

Question 6

Mobile Market Players

Answer 6

• mobile equipment manufacturers
• (mobile) telecom operators
• MVNOs
• content providers
• application service providers (not far way from content providers)
• private customers
• corporate buyers (distinction due to the fact that probably different preferences)
• corporate users
• intelligence agencies

Question 7

Usage Scenarios for Trusted Mobile Devices

Answer 7

• secure OS
• mobile device management (MDM)
• secure corporate network interaction
• DRM
• device misuse prevention
• storage of additional credentials on the mobile device
• mobile wallets

Question 8

Matching Usage Scenarios & Players

Answer 8

Security options enabled by trusted platform features & the respective usage scenarios correspond to different interests of the different players within the mobile market.
–> especially important for equipment manufacturers, MOs, MVNOs & corp. buyers

Question 9

Conclusion & Outlook regarding trusted platforms/devices

Answer 9

• Mobile platforms had good chances to migrate into trusted platforms
• All market players have an interest in device security enhancements
• Major players actively engaged in standardization & development process

BUT missing: architecture combining different features all parties are interested in (some interests are contradictory) & entity to drive this architecture