GlobalPlatform has certified its Secure Element (SE) Protection Profile (PP) with the international standard for computer security certification, Common Criteria (CC). The document is the latest update to GlobalPlatform’s Security Certification Program.
It will make it quicker and easier for stakeholders across industries to validate and compare security features, protect applications and data against high-profile attacks and comply with evolving IoT and cybersecurity regulations.
Since 2000 GlobalPlatform has been the de-facto standard for secure element technologies. Today, there are over 50 billion GlobalPlatform-certified SEs in-market; equipping solutions like mobile phones, IoT devices, banking cards and eID documents, with a tamper-resistant hardware platform to securely host applications and store confidential data.
As the use of digital services continues to proliferate, the newly released PP will address the need for consistent and verifiable security. It offers a simple framework for:
- Security laboratories to evaluate the security of SE-based products, and validate conformance with security, regulatory and data protection mandates, such as the European Cybersecurity Act.
- Silicon and SE vendors to demonstrate their products are secure for use across devices and verticals including payment and identity cards, ePassports, smartphones and IoT devices.
- Device manufacturers to determine the trustworthiness of components, and select a solution with the required features to protect apps and digital services on their devices.
Smart cards used to host one or just a few apps,” comments Gil Bernabeu, Technical Director of GlobalPlatform. “Now, SEs support multiple domains with many apps and increasingly innovative ways of connecting to them and using the secure services they offer. We need secure, confidential ways to remotely load and manage apps without them interfering with each other. Our specifications and Protection Profiles are the vehicle to enable this, fostering trust and collaboration across the industry, and ensuring the same stringent level of security across different deployment models.”
Thanks to a modular structure, the PP enables the evaluation of different SE use cases and form factors. This includes smart card SEs including payment, SIM cards or ID documents, to embedded SEs in smartphones and IoT devices, and also advanced uses cases available on integrated form factors which have emerged to address the security requirements of connected device designs.
To enable simple access to the secure services offered by SEs, like signature or user authentication for consumer payment and identity use cases, as well as Secure Boot or attestation for device-based use cases, GlobalPlatform has selected a security assurance level of EAL4+ augmented with ALC_DVS.2 (sufficiency of security measures) and AVA_VAN.5 (advanced methodical vulnerability analysis).
This assures stakeholders including Mobile Network Operators (MNOs), application developers, IoT cloud platforms and service providers that their critical assets loaded on a GlobalPlatform-certified SE are protected from complex attacks.