Loading in 2 Seconds...
Loading in 2 Seconds...
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
TRUST PROVISIONINGRelated Hardware Embedded Secure Elements for Mobile Phone applications
Service Provider (bank) Smart CardInitialization & Personalization Card 5566..0001 – Mr Bianchi Card 5566..0001 – Mr Bianchi Card 5566..0002 – Mr Gallo Card 5566..0002 – Mr Gallo Card 5566..0003 – Mr Rossi Card 5566..0003 – Mr Rossi Silicon Manufacturer Card Vendor O.S. Provider ROM Mask, EEPROM Image, Wafer Testing … Card 5566..0001 Personalization Pre-perso Mr Bianchi Card 5566..0002 Mr Gallo Card 5566..0003 Mr Rossi SMART CARD 5566 .. 002 Mr Gallo Flow of Trust Mr Gallo Flow of Hardware Press <space> once!
Trust ProvisioningInitialization & Personalization service provider Service Provider(s!) (bank) Trusted Service Manager Silicon Manufacturer O.S. Provider ROM Mask, EEPROM Image Mr Koch – 040-238679 OTA IC Personalization Uid..001 OTA Uid..002 Diffusion, Wafer Testing, Initialization (1Key4Die),… Uid..001 X X X Uid..002 Uid..00n Uid..00n 001 002 Non trusted OEM/ODM Mr. Koch 00n MNO Distribution / Retail 00n 00n 002 002 001 001 001 End
Body Signed Hash How Keys and Certificates are created Start Silicon Manufacturer Public/Private Key Pair NXP private keysecurelystored in NXP HSM public public private private Generate IC-specific Public/Private Key Pair Key Generator Secure Key Storage Signing Create Device Certificate Body Hardware Secure Module (HSM) Calculate Hash of Certificate Body Example Signature Sign Hash with NXP Private Key Insert Device Certificate + IC-specific Private Key in Embedded SEChip ESE Chip Ready
Root CA Certificate Device Certificate Device Certificate Body … Public Key … Signed HASH Body … Public Key … Signed HASH Body … Public Key … Signed HASH Offline authentication CLIENT (Authentication Device) HOST (MCU) Request certificate Send certificate Private Key Client Certificate is genuine Validate certificate NOK Rnd# OK Send challenge Sign challenge Sign(Rnd#) Send response Validate response Client knows its private key NOK OK stop Continue service
Client-authenticated TLS handshake ClientHelloCertificateClientKeyExchangeCertificateVerifyChangeCipherSpecFinished ServerHelloCertificateCertificateRequestServerHelloDoneChangeCipherSpecsFinished RNDa+caps RNDb+method selection Certificate verification Server certificate+CA sign Client certificate+CA sign Secret key Certificate verification Transaction signature