Sort of related to smart cards...
Somewhat unfortunate for Microsoft and Intel, who "bet the house" on TPMs (Trusted Platform Modules): all their competitors in the mobile space, including Google and Apple, have rather settled on embedded TEE (Trusted Execution Environment) schemes enabling systems like this:
http://www.nasdaq.com/article/samsung-mobilesecurity-platform-to-be-part-of-next-android-20140625-00937

iOS:
http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf

How come the competition didn't buy into the TPM?

TPMs are based on a "one-size-fits-all" API philosophy. Since Intel relies on external vendors supplying TPM components, this (IMHO fairly unwieldy) API must also be standardized, which makes the process of updating TPMs extremely slow and costly.

TEEs OTOH can be fitted at any time with application-specific security APIs, which can be either standardized or entirely proprietary. In fact, even third parties can create new security APIs using GlobalPlatform's TEE!

How about security? Since there is (generally) very little consensus on these matters, I should probably not dive too deep into this :-)

Anders

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Apples and oranges comparison. TEE is a privilege level; TPM is a piece of hardware for various crypto, storage, sealing, etc. operations. Intel's platform actually supports more privilege levels than ARM. And having something like a TPM would be nice, as TEEs typically need to implement methods to do some of their operations.

On Jul 12, 2014 6:45 PM, "Anders Rundgren" <[hidden email]> wrote:
> Sort of related to smart cards...
On 2014-07-14 02:41, William Roberts wrote:
> Apples and oranges comparison.

Yes, these are indeed entirely different technologies. However, they are currently addressing the same "problem space".

> Tee is a privilege level, TPM is a piece of hardware for various crypto, storage, sealage, etc operations. Intel's platform actually supports more privilege levels than arm. And having something like a TPM would be nice as Tees need to typically implement methods to do some of their operations.

Yes, TEEs implement the methods that the particular OS version needs. I got hardware-protected keys on my old Android Nexus 7 through an OTA update with Android 4.4! My brand new Dell XPS-15, which has like "everything", will be stuck with TPM 1.2 during its lifetime. That's lame, very lame.

The reliance on external hardware is probably mainly a relic from the "Palladium" days when HW had less than 1% of the power it has today.

Anders

> On Jul 12, 2014 6:45 PM, "Anders Rundgren" <[hidden email]> wrote:
> > Sort of related to smart cards...
On 14/07/2014 05:46, Anders Rundgren wrote:
> The reliance on external hardware is probably mainly a relic from the "Palladium" days when HW had less than 1% of the power it has today.

Speaking of relics: smartcards :)

If it were possible to really have a "one size fits all", the others would just disappear...

IIUC, TEE just leverages ARM's "runlevels" -- IMVHO it's "quite" like saying that if crypto is done inside a kernel module at ring 0 then it has the same security as a smartcard... Sounds wrong, uh?

BYtE,
Diego.
On 2014-07-14 09:36, NdK wrote:
> On 14/07/2014 05:46, Anders Rundgren wrote:
>> The reliance on external hardware is probably mainly a relic from the "Palladium" days when HW had less than 1% of the power it has today.
> Speaking of relics: smartcards :)
>
> If it were possible to really have a "one size fits all", the others would just disappear...
> IIUC, TEE just leverages ARM's "runlevels" -- IMVHO it's "quite" like saying that if crypto is done inside a kernel module at ring 0 then it has the same security as a smartcard... Sounds wrong, uh?

I don't think this comparison is valid. Smart cards in PCs do not [generally] support Trusted Path and are thus susceptible to malware:
http://webpki.org/papers/key-access.pdf

iOS doesn't have this problem.

Smart cards offer better protection against physical attacks, but I think that will soon be history as well, because a "Secure Enclave" like Apple already has hides keys from bus monitors, debuggers and even fairly sophisticated attacks on the chip itself.

Anyway, TPMs as implemented by MSFT/INTL don't offer any smart card functionality unless you are wrapped around AD (Active Directory).

Anders

> BYtE,
> Diego.
In reply to this post by NdK-3
Microsoft's VSC (Virtual Smart Card) management protocol for TPMs:
http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-TPMVSC%5D.pdf

Yeah, DCOM was cool some 10 years ago...
In reply to this post by Anders Rundgren-2
TEE vs TPM in practice:
My old Nexus 7 got hardware-protected keys through an OTA update, while my new Dell XPS-15 will be stuck with TPM 1.2 for the rest of its life!