Building a hardware foundation for secure authentication on TrustZone

To address the problems of personal identification and password verification, the FIDO (Fast Identity Online) Alliance has developed a new protocol that provides a simple yet strong authentication mechanism between users, their devices, and relying parties (the trusted-credential websites). On a FIDO-enabled mobile device, a biometric such as a fingerprint or an iris scan can be used to sign in to a service, which greatly improves the user experience, makes transactions simpler and more convenient, and lets device manufacturers adopt the mechanism quickly.

FIDO needs a secure hardware design to resist malicious attacks: cryptographic keys, confidential processes, and access to authentication data must all be protected, and the integrity of the system must be maintained. This article describes how ARM TrustZone technology provides the hardware isolation that a GlobalPlatform Trusted Execution Environment (TEE) requires, and why this security layer is well suited to FIDO authentication.



Figure 1: FIDO combines biometrics with a secure authentication mechanism that addresses the shortcomings of traditional systems.
To protect system resources against attack, ARM offers several complementary technologies: the hypervisor model on Cortex cores, the TEE based on the TrustZone architecture, and tamper-resistant secure processors or secure elements built on ARM SecurCore processor IP. These technologies strengthen overall system security in layers or through isolation, so that a mobile device does not depend solely on the operating system for its protection.

A Trusted Execution Environment (TEE) based on TrustZone technology provides, at low cost, stronger protection against the growing volume of software attacks and against common hardware threats (so-called shack attacks). The architecture separates two execution regions: the "normal world", which runs the open operating system and its applications, and the "secure world", which performs confidential operations such as cryptography, key management, and integrity checks. Over the past decade device manufacturers have developed and standardized this design into an important hardware security layer for protecting valuable system resources. GlobalPlatform, the TEE standards body, maintains the specifications and certification programs, and independent test laboratories check whether a given platform withstands the threats identified in its protection profile. GlobalPlatform has published several white papers on the TEE; this article expands on the FIDO use case and on ARM TrustZone technology.

The FIDO Alliance's standardization work accelerates the move toward password-less, biometric login. FIDO protocols such as the Universal Authentication Framework (UAF) authenticate the user locally using a range of methods, such as a fingerprint sensor, an iris scanner, or a PIN, in place of the traditional username and password.

Security is often compared to a chain, in which every link matters. In that metaphor, the first link is the secure hardware, which TrustZone technology isolates from the normal execution environment and which forms the basis for Trusted Boot. The Trusted OS and the TEE are initialized before the operating system in the normal world is started. Once the TEE is established, the FIDO Trusted App can be downloaded and installed there to manage keys, sensitive data, and other confidential operations.

FIDO UAF's password-free experience

A consumer with a FIDO-enabled smart device registers once with a favourite online shop or bank. At registration, the device generates a public/private key pair that is specific to that user, that device, and that relying party (the trusted-credential website). Afterwards, visiting the store is quick and convenient: a fingerprint touch or a simple PIN (Figure 2) replaces the usual username/password login and the purchase-confirmation steps. The FIDO protocol shares no general user information, because the biometric never leaves the device. Moreover, the relying party stores only the public key, so even if its web server is breached (a major industry problem), an attacker cannot take over the account with the public key alone.



Figure 2: Simple and convenient FIDO user experience
Introduction to FIDO and the FIDO Alliance

The FIDO Alliance has more than 180 members covering the whole industry value chain: silicon partners (such as Qualcomm), device manufacturers (such as Samsung and Lenovo), operating system vendors (such as Microsoft and Google), FIDO server vendors (such as Nok Nok Labs), and relying parties (such as Bank of America and PayPal). The Alliance develops the technical specifications and certification programs that make simpler and stronger authentication possible. The goals of the FIDO protocols are ease of use, built-in privacy, security by design, and standardization, so that relying parties can accept any FIDO-compliant authentication method. The final FIDO 1.0 specifications have been published and cover two different user experiences:

1. Universal Authentication Framework (UAF), which provides a password-less experience on devices with built-in authenticators, such as smartphones;

2. Universal 2nd Factor (U2F), which uses a small hardware security key (dongle) as a second factor to protect traditional username/password logins against phishing. Work on a unified FIDO 2.0 standard is under way.

Relying parties have used usernames and passwords as their security mechanism for many years, but this approach carries many risks and no longer meets the security needs of consumers and enterprises. First, consumers tend to choose weak passwords and reuse the same password across sites, which leaves the door open for account theft. If they are forced to set complex passwords instead, they may abandon a transaction because they have forgotten the password. More seriously, passwords are easily harvested by phishing, leading to large-scale financial fraud; Kaspersky estimated that in 2014 phishing-based criminal groups stole hundreds of millions of dollars from a number of banks.

Enterprises therefore sometimes require a second factor such as a One-Time Password (OTP) token: in addition to the username and password, the user supplies a randomly generated code. This fills consumers' pockets and drawers with hardware: one token for the bank, another for the company e-mail, and yet another for each other service provider.

Second, relying parties that use traditional authentication face their own challenge: they must store a credential for every user. These huge databases are a favourite target for attackers, who need only one successful attack to steal the identities of millions of consumers. That creates reputational risk for big brands, which must publicly admit a breach in order to ask customers to reset their passwords immediately.

FIDO solves the problems that stem from traditional username/password authentication and gives consumers a better experience. For example, users of the new Samsung Galaxy devices can log in to a website or make a purchase with a fingerprint. The hero behind such a simple experience is the FIDO UAF protocol: fingerprint verification or another built-in authenticator replaces the username/password login and directly unlocks the private key on the device, which then completes a public-key cryptographic exchange with the remote server. The relying party receives basic data such as the authenticator type, the key protection mechanism, and the device model for back-end risk analysis. The biometric, the PIN, and the private key are never sent to the online server.

The FIDO protocol's "privacy by design" gives consumers additional protection against a breach of the merchant's servers. The mechanism rests on public-key cryptography: a public/private key pair generated on the device for each combination of user, device, and relying party.
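The registration and authentication flow described in the two paragraphs above, written out as an added example (it is not the article's code, nor the FIDO Alliance's). `Authenticator` stands in for the FIDO Trusted App inside the TEE: its private keys never leave it, and every signature requires a local user-verification gesture. `RelyingParty` stands in for the trusted-credential website and stores only public keys and one-time challenges. The readable key ID, the 32-byte challenge, and the way the relying-party identity is folded into the signed message are assumptions of this example, not the UAF wire format:

```go
// Added example, not the article's code: a model of the FIDO UAF flow.
// Authenticator = the FIDO Trusted App in the TEE; RelyingParty = the website.
// Key-ID format, challenge size and signed-message layout are assumptions here.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

type boundKey struct { // a private key and the RP it was registered with
	rpID string
	priv *ecdsa.PrivateKey
}

// Authenticator: private keys never leave it, and every use needs a local
// user-verification gesture (fingerprint or PIN) that is never transmitted.
type Authenticator struct{ keys map[string]boundKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]boundKey{}} }

// Register mints a P-256 key pair for (rpID, user) and returns only the key ID
// and the public key; the private half stays inside the authenticator.
func (a *Authenticator) Register(rpID, user string, userVerified bool) (string, *ecdsa.PublicKey, error) {
	if !userVerified {
		return "", nil, errors.New("local user verification failed")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	keyID := rpID + "/" + user // real UAF uses an opaque key handle; readable here for the demo
	a.keys[keyID] = boundKey{rpID, priv}
	return keyID, &priv.PublicKey, nil
}

// signedMessage binds the assertion to the RP identity, so a signature made
// for shop.example is worthless to a phishing site.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"\x00"), challenge...))
	return h[:]
}

// Authenticate signs the RP's challenge after a successful local gesture,
// and only for the RP the key was registered with.
func (a *Authenticator) Authenticate(keyID, rpID string, challenge []byte, userVerified bool) ([]byte, error) {
	k, ok := a.keys[keyID]
	switch {
	case !userVerified:
		return nil, errors.New("local user verification failed")
	case !ok || k.rpID != rpID:
		return nil, errors.New("no key registered for this RP")
	}
	return ecdsa.SignASN1(rand.Reader, k.priv, signedMessage(rpID, challenge))
}

// RelyingParty stores public keys only: a breach of its database yields
// nothing that can forge an assertion.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string]bool // outstanding one-time challenges
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id, map[string]*ecdsa.PublicKey{}, map[string]bool{}}
}

func (rp *RelyingParty) StoreRegistration(keyID string, pub *ecdsa.PublicKey) { rp.pubKeys[keyID] = pub }

// NewChallenge issues a random nonce that VerifyAssertion accepts exactly once.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[string(c)] = true
	return c
}

// VerifyAssertion consumes the challenge (replays fail) and checks the signature.
func (rp *RelyingParty) VerifyAssertion(keyID string, challenge, sig []byte) bool {
	if !rp.challenges[string(challenge)] {
		return false
	}
	delete(rp.challenges, string(challenge))
	pub, ok := rp.pubKeys[keyID]
	return ok && ecdsa.VerifyASN1(pub, signedMessage(rp.ID, challenge), sig)
}

func main() {
	auth, shop := NewAuthenticator(), NewRelyingParty("shop.example")
	keyID, pub, _ := auth.Register(shop.ID, "alice", true)
	shop.StoreRegistration(keyID, pub)
	c := shop.NewChallenge()
	sig, _ := auth.Authenticate(keyID, shop.ID, c, true)
	fmt.Println("login:", shop.VerifyAssertion(keyID, c, sig), "replay:", shop.VerifyAssertion(keyID, c, sig))
}
```

The two properties the text stresses are visible in the code paths: `VerifyAssertion` deletes the challenge before checking the signature, so a captured assertion cannot be replayed, and `Authenticate` refuses to sign for any relying-party ID other than the one the key was registered with, so a phishing site cannot obtain a usable assertion even if it relays the genuine site's challenge. Everything in `RelyingParty` is public material.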

The security benefits of FIDO can be summarized as follows:

· Ensure device integrity

· Protect the confidentiality of sensitive data against unauthorized use

· Maintain the confidentiality and integrity of confidential processes


If an attacker obtains the physical device, further attacks become possible, such as stealing data by accessing the device's file system. If the data is encrypted, the attacker can copy it and then attack the encryption offline. Although threats usually arrive as software attacks, an attacker who has the phone in hand can also disassemble it and attack the hardware, such as the main board, directly.

Traditional security architecture rests on two basic concepts: the principle of least privilege, and isolation of the system's security-critical zone. With a TrustZone-based TEE, for example, the Secure World remains isolated even if the Normal World has been compromised. The attacker may own the normal world and observe the traffic exchanged with the TEE, but the integrity and confidentiality of the secure world remain intact.

TrustZone and TEE

GlobalPlatform standardizes the TEE platform (Figure 3) and develops its specifications, compliance and certification programs. In its white papers GlobalPlatform explores TEE technology and how it provides confidentiality and integrity for services such as payment, content protection and dual persona; only a short description is given here. To maintain integrity and confidentiality, the TEE keeps secrets and data in the secure world, making it impossible for malicious applications to read the private keys stored on the device. The TEE defends against the ever-growing range of software attacks and, even if the device is stolen, withstands common hardware attacks such as "shack attacks" (low-budget hardware attacks mounted with the tools found in a typical electronics workshop).

The Secure World established by the TrustZone-based TEE forms a security boundary that is small but sufficient for authentication and other security tasks. The secure zone is typically used to protect cryptographic keys, credentials, and other sensitive resources. TrustZone provides system security features that hypervisors do not: support for secure debug, secure bus transactions, secure interrupts, and direct access to secure peripherals (trusted input). A further design principle is to keep the functionality inside the secure zone minimal, which reduces the attack surface and makes security verification feasible.

TrustZone enhances security by adding a "secure state" to the processor that isolates security-sensitive code and data from normal operation. This partitioning gives trusted code its own execution environment and controlled access to secure hardware resources such as memory or peripherals. The secure zone typically runs a dedicated secure operating system and a trusted boot process; together these form a TEE that works alongside a conventional operating system such as Linux or Android to deliver secure services.

How reliable the security is depends on the weakest link in the chain of trust. The chain starts at the root of trust (RoT), which is usually implemented in hardware so that it cannot be tampered with. To secure a mobile device, the device must first reset into the secure state, boot from read-only memory, and bring up the trusted hardware resources: device-specific keys, a random number generator, counters, timers, and trusted memory. A well-designed and proven trusted boot process is the foundation of the device's integrity: it starts the Trusted OS first and only then launches the operating system in the normal world.
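As an added example (not the article's code, nor ARM's), the chain of trust from the preceding paragraphs modelled in Go: `TrustedBoot` plays the boot ROM, holds only a hash of the root public key as the hardware root of trust, and admits each stage only after verifying its signature with the key the previous stage vouched for. Stage names, image contents and the digest layout are constructed for this example; a real implementation would also copy each image into secure memory before checking it and enforce anti-rollback counters, which are omitted here:

```go
// Added example, not the article's code: a model of the trusted-boot chain
// described above. Images, stage names and the digest layout are constructed.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Stage is one link of the chain as stored in untrusted flash.
type Stage struct {
	Name       string
	Image      []byte
	NextPubDER []byte // public key that verifies the next stage; empty at the end
	Sig        []byte // ECDSA signature over digest() by the previous stage's key
}

// digest covers the image and the next key, so swapping either breaks the signature.
func (s *Stage) digest() []byte {
	h := sha256.New()
	h.Write([]byte(s.Name + "\x00"))
	h.Write(s.Image)
	h.Write(s.NextPubDER)
	return h.Sum(nil)
}

func parsePub(der []byte) (*ecdsa.PublicKey, error) {
	k, err := x509.ParsePKIXPublicKey(der)
	if pub, ok := k.(*ecdsa.PublicKey); ok && err == nil {
		return pub, nil
	}
	return nil, fmt.Errorf("unusable public key: %v", err)
}

// TrustedBoot plays the boot ROM. rootKeyHash is the value fused into the chip;
// rootPubDER and chain come from flash and are trusted only once they verify.
func TrustedBoot(rootKeyHash [32]byte, rootPubDER []byte, chain []Stage) ([]string, error) {
	if sha256.Sum256(rootPubDER) != rootKeyHash {
		return nil, errors.New("root key does not match fused hash")
	}
	pub, err := parsePub(rootPubDER)
	if err != nil {
		return nil, err
	}
	var booted []string
	for i := range chain {
		s := &chain[i]
		if !ecdsa.VerifyASN1(pub, s.digest(), s.Sig) {
			return booted, fmt.Errorf("%s: signature check failed, halting boot", s.Name)
		}
		booted = append(booted, s.Name) // only now is this stage allowed to run
		if i+1 < len(chain) {
			if pub, err = parsePub(s.NextPubDER); err != nil {
				return booted, fmt.Errorf("%s: no key for next stage: %v", s.Name, err)
			}
		}
	}
	return booted, nil
}

// BuildDemo is the OEM's offline signing step: stage i is signed with keys[i] and
// carries keys[i+1]'s public key, so the ROM needs only a hash of keys[0]'s public key.
func BuildDemo() (rootKeyHash [32]byte, rootPubDER []byte, chain []Stage, err error) {
	chain = []Stage{
		{Name: "secure-monitor", Image: []byte("constructed BL1 image")},
		{Name: "trusted-os", Image: []byte("constructed Trusted OS image")},
		{Name: "normal-world-kernel", Image: []byte("constructed Linux image")},
	}
	keys := make([]*ecdsa.PrivateKey, len(chain))
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return
		}
	}
	for i := range chain {
		if i+1 < len(chain) {
			if chain[i].NextPubDER, err = x509.MarshalPKIXPublicKey(&keys[i+1].PublicKey); err != nil {
				return
			}
		}
		if chain[i].Sig, err = ecdsa.SignASN1(rand.Reader, keys[i], chain[i].digest()); err != nil {
			return
		}
	}
	rootPubDER, err = x509.MarshalPKIXPublicKey(&keys[0].PublicKey)
	return sha256.Sum256(rootPubDER), rootPubDER, chain, err
}

func main() {
	hash, rootDER, chain, _ := BuildDemo()
	fmt.Println(TrustedBoot(hash, rootDER, chain))
	chain[1].Image = []byte("backdoored Trusted OS") // tamper: boot halts after the monitor
	fmt.Println(TrustedBoot(hash, rootDER, chain))
}
```

`main` boots the signed chain (all three stages admitted), then corrupts the Trusted OS image and boots again: the secure monitor is admitted, but the boot halts before the Trusted OS, and therefore before the normal-world kernel, ever runs. Because each stage's digest also covers the key for the next stage, an attacker cannot splice a different key into the middle of the chain without breaking the signature of the stage that carries it, and because the ROM compares the root key against a fused hash, replacing the root key in flash is detected before any stage is examined.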



Figure 3: TrustZone provides the hardware partitioning and the access to secure resources that the TEE needs. The TrustZone-based TEE has a specific role in FIDO execution.

The trusted boot process and the TrustZone-based hardware RoT are the basis for maintaining device integrity. On top of them, the Trusted OS can deliver the FIDO protocol's trusted services, such as cryptographic operations and user binding, inside a secure execution environment.
