[I]t would make the most sense for device manufacturers and software designers to separate the iPhone’s payment function from other apps using a Trusted Platform Module (TPM) that can be used to securely store information using cryptographic keys.

The first half of the sentence is good, but the bit about the TPM doesn’t really make sense to me. Of course, rather than a TPM a Mobile Trusted Module (MTM) would be more appropriate, but neither is a magic bullet that will securely store information. They can securely protect encryption keys and use these keys to encrypt and decrypt data securely, but they do do not provide general purpose secure storage. Instead, GlobalPlatform (there are other initiatives, of course) is specifying a complete trusted execution environment that will allow payment functions to be separated off as Mr Nigriny desires:

Using a trusted computing platform type of chip makes the most sense since you know that your other apps won’t bleed over into the trusted payment method.

It’s good that people independent of the Trusted Computing Group are bringing up these sorts of issues, but there still needs to be a lot of education.

The answer might be in Scott Charney’s title: vice president of trustworthy computing. Microsoft, of course, is a leading member of the Trusted Computing Group (TCG). The TCG has developed specifications for how to control what can and cannot run on a computer – and this can already be achieved via Intel chips (Intel is another member of the TCG) installed on the majority of the world’s PCs.

My regular readers will have noticed the errors, I hope, of segueing Trustworthy Computing (a Microsoft initiative to improve the reliability of their own software with regards to security and robustness) into Trusted Computing, an industry-wide initiative to set standards for a root of trust. Strictly speaking, the Mobile Phone Working Group has defined a specification for how to control what can and cannot run on a mobile phone or similar device, but the much more popular Trusted Platform Module documents do not specify how to control what can be run.

The new architecture instead adopts a hosted virtualization platform (a type-2 VMM) that runs on top of the native RTOS installed on the phone. This one is considered the “personal environment” while the VM running on top of it contains the “business environment”

However, Open Kernel Labs seem less than impressed by VMware’s approach for a number of reasons, not least this:

the hybrid hypervisor inherits all the other drawbacks of the Type-2 hypervisor, especially the huge size of the trusted computing base. Everything in the host OS (all of a million or so lines of code!) needs to be trusted, a huge attack surface

There’s a lot happening behind the scenes these days with mobiles; it will be interesting to see over the next few years who wins out in the mobile trust field.

1. Support for multiple environments
2. Easier product development cycle
3. Extend Legacy software window
4. Improved Security
5. Cost Savings

The improved security issue is the interesting one for this blog, with not surprisingly Open Kernel Labs’ OKL4 picked out as a hypervisor which can provide mobile virtualisation. Interestingly, OKL4 was also highlighted as offering cost savings by allowing different display hardware to be implemented without requiring any changes to the host operating system.

It’s an interesting article that’s well worth the read.

It’s an interesting and detailed reference article, and I’ve added the blog to my reading list.

The joint prototype will run on readily available N900 mobile hardware and integrate the Sirrix Turaya Security Kernel (encryption, VPN, MTM/attestation, and trusted GUI) with the OK Labs OKL4 Microvisor to host the Sirrix Trusted Mobile Desktop alongside Android, Linux, and other guest operating systems in OKL4 secure cells.

The N900 is Nokia’s Maemo-based mobile computer that can make phone calls.

The new platform was displayed at Trust 2010: the Third International Conference on Trust and Trustworthy Computing in Berlin, June 21-23, where Sirrix also presented a paper entitled "Toward a Trusted Mobile Desktop" describing their research.

Oh! I just noticed that they include MTM/Attestation! With a bit of luck, I’ll be at Trust 2011 where I hope I can see a finished product.

This chapter provides an overview of a few hardware security architectures (in handsets) to introduce the reader to the problem domain. The main focus of the text is in introducing the MTM specification – by first presenting its main functional concepts, and then by adapting it to one of the hardware architectures first described, essentially presenting a plausible practical deployment. The author also presents a brief security analysis of the MTM component, and a few novel ideas regarding how the (mobile) trusted module can be extended, and be made more versatile.

I’ve placed a request for this book in our office library, as the preface sounds like there’s a lot of interesting coverage of the current state of the art in Trusted Computing.

The authenticity and integrity of software running on mobile equipment is relevant and important in m-commerce. Mobile trusted computing can solve the problem by using Reference Integrity Metric (RIM) certificate. But the RIM certificate stored in Mobile Trusted Module (MTM) is suffered to frequently renew while the software is updated or patched. In the study, a user-specific RIM, uRIM, is presented. Based on the uRIM, a novel software integrity verification protocol is proposed. It allows an easy management of RIM to support the secure boot as well as a low-cost on verifying of software authenticity.

The goal is to replace RIM certificates, which are signed with RSA keys, with a shared secret protected via hashing for performance reasons. However, the document ignores the fact that internal RIM Certificates use HMAC keys, so for each certificate there need only be one RSA signature verification, not one every invocation. The document has a number of errors in the formulae, it redefines the operation of tpm_quote to do something completely different, and generally treats the MTM as a general-purpose secure execution environment. However, the security hole comes in equation 2, e = v XOR S. Here, v should be secret and S is a known hash of the application. It should be obvious that one can evaluate e XOR S and recover v, thus one can change the application and replace e with e’ = v XOR S’.

That seems such an obvious hole I must be missing something…

Nokia have recently had a paper published that was presented at the 2009 ACM workshop on Scalable trusted computing. The title is Trust in a small package: minimized MRTM software implementation for mobile secure environments and by following the link, if you have an account with the ACM, you can download it for free. As the title suggests, they present their implementation of a small but fully-functional Mobile Remote-owner Trusted Module. The MTM emulator itself is also available for download, although this is not the full version that runs on a mobile phone.

Trivia: I was the very first person in the world (outside of Nokia) to see a video of a demonstration of the emulator…