On-board Credentials: An open credential platform for mobile devices

Kari Kostiainen

    Research output: ThesisDoctoral ThesisCollection of Articles

    Abstract

    Traditional credential solutions have well-known drawbacks. Purely software-based credentials are vulnerable to many attacks, while hardware-based security tokens and smart cards are expensive to deploy and, due to their typical single-purpose nature, force users to carry multiple hardware credentials with them. Recently, general-purpose security elements and architectures have started to become widely available on many commodity devices. On mobile devices, ARM TrustZone is a widely adopted security architecture. Such trusted execution environments enable realization of credentials that combine the flexibility of software solutions with the higher level of protection traditionally offered only by hardware credentials. In this dissertation, we present several aspects of On-board Credentials (ObC), a novel credential platform for mobile devices. The ObC platform allows flexible creation of arbitrary credentials that utilize hardware security mechanisms for higher level of security. We challenge the prevailing thinking that a credential system must be centralized and closed in order to provide a sufficient level of security and usability. The distinguishing feature of the ObC platform is an open provisioning model that allows any service provider to deploy new credential instances to end-user devices without having to request approval from a centralized authority. We study credential life-cycle management in open credential systems and present novel protocols for credential migration, temporary disabling and updates. We also describe mechanisms for key and application attestation. Our application attestation model makes property-based attestation practical by bootstrapping application authentication from existing certification infrastructures. We also compare open and closed credential platforms and show that openness does not have to imply decreased security or usability. We have implemented the On-board Credentials platform for Symbian phones using the TrustZone trusted execution environment. Our implementation is part of the latest Nokia Symbian devices, and the On-board Credentials platform is currently being ported to other smartphone platforms. The first substantial credential deployments are now starting.
    Translated title of the contributionAvoin malli avainten ja salaisuuksien turvalliseen hallintaan mobiililaitteissa
    Original languageEnglish
    QualificationDoctor's degree
    Awarding Institution
    • Aalto University
    Supervisors/Advisors
    • Aura, Tuomas, Supervising Professor
    Publisher
    Print ISBNs978-952-60-4597-9
    Electronic ISBNs978-952-60-4598-6
    Publication statusPublished - 2012
    MoE publication typeG5 Doctoral dissertation (article)

    Keywords

    • security
    • credentials
    • trusted computing
    • mobile devices

    Fingerprint

    Dive into the research topics of 'On-board Credentials: An open credential platform for mobile devices'. Together they form a unique fingerprint.

    Cite this