Product vendors are now able to undertake formal security evaluations for TEE products
The Common Criteria portal has officially listed the GlobalPlatform® Trusted Execution Environment (TEE) Protection Profile (PP) on its website, under the Trusted Computing category. This important milestone means that industries using TEE technology to deliver services such as premium content and mobile wallets, or enterprises and governments establishing secure mobility solutions, can now formally request that TEE products are certified against this security framework.
GlobalPlatform presented its TEE Protection Profile to Common Criteria for certification via Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI).
The GlobalPlatform TEE PP specifies the typical threats that the hardware and software of the TEE need to withstand. The TEE is a secure area that resides in the main processor of a mobile device and ensures that sensitive data is stored, processed and protected in a secure environment. The PP also details the security objectives that are to be met in order to counter these threats and the security functional requirements that a TEE will have to comply with. A security assurance level of EAL2+ has been selected; the focus is on vulnerabilities that are subject to widespread, software-based exploitation.
Vincent Strubel, spokesperson from ANSSI, comments: “It is important to remember that organizations expect all the services that they wish to deploy, especially those offering mobility of users and their access to sensitive information, to operate in a secure way. The TEE – regardless of manufacturer – must meet the requirements of a range of service providers from a variety of markets. Creating an international baseline for this technology is therefore important to bring clarity and consistency to this secure content environment and enable service providers to effectively manage risk. We were pleased to support GlobalPlatform in achieving Common Criteria certification for its TEE PP.”
With the GlobalPlatform TEE PP officially certified by Common Criteria, product vendors are now able to undertake formal security evaluation of their TEE products using laboratories licensed by supporting Certification Bodies (CB) to evaluate and certify that they meet the security requirements in the document. In addition to ANSSI, the TEE PP has received support from the Netherlands Common Criteria Scheme (NSCIB), with many other national certification schemes expected to follow shortly.
In addition to working with Common Criteria CBs, GlobalPlatform is extending its technical community collaboration to finalize its evaluation methodology. The industry body will launch a TEE security certification secretariat later this year, as well as announce GlobalPlatform security accredited laboratories.
Gil Bernabeu, GlobalPlatform’s Technical Director, adds: “We are delighted to receive this formal certificate for the GlobalPlatform TEE PP. As the standard for managing applications on secure chip technology, GlobalPlatform understands the importance of establishing a stable and scalable TEE ecosystem through testing and certification to support product interoperability and commercial efficiencies. To support all stakeholders within the TEE market and ensure products perform as required, GlobalPlatform has already established a functional testing environment. Advancing the security certification element enables us to offer a complete evaluation solution that will allow the community to effectively manage risk.”
The GlobalPlatform TEE PP defines the level of security required in a TEE. The document identifies the security needs of the TEE to support different market requirements by combining the standard security methodology outlined by Common Criteria with the best-practice specifications defined by GlobalPlatform in relation to TEE architecture and interfaces.