
White Paper

Intel Wireless Trusted Platform: Security for Mobile Devices

Table of Contents

1. Introduction
2. Intel Personal Internet Client Architecture (Intel PCA) Security Philosophy
3. Threats addressed by the Intel Wireless Trusted Platform
4. Security Building Blocks
   Intel Trusted Boot ROM
   Intel Wireless Trusted Module
   Security Software
   Physical Protection
5. Benefits
6. Technical Specification
   Cryptographic Algorithms & Functions
   Miscellaneous Functions
   Protocols Supported
Summary


1. Introduction
In the past few years, the cellular industry has experienced an alarming increase in the number of handset thefts and associated fraud. There has been a corresponding increase in the number of attacks by hackers against cellular devices.

Against this background, the mobile industry is depending on the deployment of rich new data services to shore up Average Revenue Per Unit (ARPU) and open up new revenue sources. Network operators and their customers are highly motivated to see the deployment of a rich set of attractive services such as banking, digital media services, wireless commerce, networked gaming, third-party software downloads and wireless network sales, among others. The convergence of these market forces with the vulnerability of existing platforms constitutes a substantial risk to existing network revenue. Deployment of these new services must be done without disruptions and outages of operators' networks, or platform-level attacks that could jeopardize their customers' private information or content stored on the handset. A comprehensive and coherent security solution is required to mitigate the risk to wireless networks and to existing revenue for network providers, who are increasingly requesting greater security in the devices used on their networks. The security requirement is not a means to deny services, but a means of providing the infrastructure in which well-behaved applications and services can thrive while rogue applications and viruses can be quarantined.

In response to these needs, Intel has developed the comprehensive Intel Wireless Trusted Platform architecture. This architecture is designed to provide an extensible security framework that enables a wide array of security services. These services help support platform trust operations, security protocols, access control mechanisms, protection of private data and more.

The Intel Wireless Trusted Platform provides fundamental security building blocks that are designed to be used by a variety of security services and protocols (see Figure 1). The building blocks consist of hardware and optimized software (Intel Performance Primitives and Intel Cryptographic Primitives). The building blocks help enable platform security services and capabilities such as:

1) A protected execution environment that supports trusted boot and safe processing of secrets;
2) Protected key storage, so that keys can be stored on the platform without the risk of compromise;
3) Attestation, which measures the security status of the platform during trusted boot.

The Intel Wireless Trusted Platform building blocks enable a rich set of capabilities that include secure network access based on protected logon and secured VPN connections, information access to remote protected documents and records, protection of valuable information stored locally such as private databases, digital tokens, digital content and rights objects, protected communications, and protected electronic transactions including online purchasing and banking. The Intel Wireless Trusted Platform does not directly provide virus detection and protection; however, the Intel Trusted Boot ROM helps ensure that the platform boots into a known good state.

Figure 1: Intel Wireless Trusted Platform Architecture [diagram; labels recovered from the image: Intel PCA Processors; Trusted Boot; Protected Key Storage; Crypto Key Generation; Acceleration; Attestation; Virus (Trojan Horse) Detection SW; Network Access; VPN and Wireless Access to Network; Client Integrity Checking; Protected Logon; IPPCP; Information Access Control; LOB Data Base; Locator Privacy; Digital Rights Management; Documents & Records; Multi-Hosting/Secure Web Access; Information Protection; Protected Communications; Instant Messaging, E-mail; Voice/FAX; Malware Protection; Protected E-Transactions; Online Purchasing; Pay for Content]

Sources cited in the sidebar:
"Telecommunication fraud losses are estimated at more than a billion dollars yearly. One of the largest markets for this type of fraud is the cloning of cellular telephones." U.S. Secret Service Financial Crimes Division, http://www.secretservice.gov/financial_crimes.shtml#Telecommunications
"Vodacom spends over $20 million annually on combating cellular theft and fraud, and blacklists more stolen cell phones than any other GSM cellular network in the world." Vodaworld Online, March 24, 2004, http://www.vodaworld.co.za/showarticle.asp?id=801
"Camera phones dial up fraud, theft." Denver Post Online, March 23, 2004, http://www.denverpost.com/

2. Intel PCA Security Philosophy

A hard lesson learned through several spectacular security failures is that security cannot be added on. Security must be a key consideration from the beginning of definition and designed

in from a top-down system perspective. This fundamental truth is still often overlooked as developers try to patch security by adding security building blocks to address specific vulnerabilities. Individual point solutions do not always interoperate securely, and it can be nearly impossible to measure the resulting level of platform security without the necessary architectural framework. The result of not having a platform approach to security is latent security vulnerabilities that are not known until they are exploited by an attacker or a catastrophic failure occurs. In most cases, because the security was patched into the system to start with, the vulnerability cannot be easily fixed. In addition, the lack of a framework makes it difficult to extend the security architecture cohesively as new services and capabilities are added to the platform. It is better to define an integrated solution that takes advantage of individual building blocks synergistically to reduce the likelihood of security vulnerabilities. Moreover, the security framework must take into account all stages of a product's life cycle, from provisioning through customer use and finally end of life, where end customers will want to be able to migrate their security configurations and secrets to a new platform.

The Intel Wireless Trusted Platform is designed to establish an extensible, coherent security framework that enables the protection of the platform at all times during its life cycle. During manufacturing and provisioning, strong checks verify that the content being loaded onto the platform is not corrupted and has come from authorized parties. When power is applied to a device, the integrity of the platform is measured, ensuring that a virus or rogue software has not corrupted the platform. During use, the runtime environment provides for safe handling of valuable private data. Secrets are processed in a protected environment, ensuring that the keys and data cannot be observed, stolen or corrupted. Storage protection mechanisms protect private data from theft or modification. Finally, physical protection ensures that the security features put in place by the hardware and software cannot be disabled or bypassed.

The components that make up a security solution must be trustworthy and must execute in a trustworthy environment. Without an underlying trusted platform base, security building blocks can be misused or even completely bypassed without the knowledge or consent of the user. A trusted platform has a verifiable, defined configuration and can be counted on to behave in specific and predictable manners. A trusted platform also provides a trusted environment to guarantee the veracity of the individual security and system components, and can validate its own correctness, and the correctness of security building blocks, using strong cryptographic checks. The result is a platform that provides an extensible security framework that enables a wide array of security services to support the trust operations, security protocols, access control mechanisms, etc., required to provide a safe computing environment. The Intel Wireless Trusted Platform is designed to be built upon such a foundation.

3. Threats addressed by the Intel Wireless Trusted Platform


Each day, news articles highlight new security threats facing wireless networks and the devices that use these networks. Some threats, such as viruses, are similar to threats that have been observed for years in the networked world of personal computers, while other threats are new, arising from the small size and mobility of the devices and their access to cellular voice networks. The list of potential threats is quite long, but a partial list of threats against handheld devices includes corruption of the handset's internal resources, unauthorized access to private data or services provided by the handset, cloning, theft of the device, and theft of valuable content on the device. The Intel Wireless Trusted Platform has been architected to help mitigate the risk of each type of threat.

One area of high concern to network operators and manufacturers is the protection of the platform from illicit software and hardware modifications. Software modifications may be spread over the network through viruses; if an attacker has physical access to the device, they could also result from the memory being reprogrammed. These attacks have resulted from attempts to steal handsets or network services. The Intel Trusted Boot ROM feature is designed to protect the platform from this family of attacks, using strong cryptographic checks to validate the integrity of the platform software.

Before consumers will widely adopt the use of rich services, strong protection is needed to guarantee that their personal data, credit card information, stored value, etc., are reasonably protected from attack. Even with credit card companies' theft protection guarantees, the personal hassle, risk to the consumer's credit rating and the loss of financial control has shown itself to be a strong deterrent to meaningful adoption. Network operators and service vendors want protection from provisioning data being modified or value tokens (e.g., mass transit tokens) being duplicated or changed. Intel Wireless Trusted Platform protected storage helps secure user and network operator data using strong encryption with integrity checks. This is designed to allow large amounts of data to be stored in system memory without risk of observation, or of modification without detection. In addition, access control mechanisms ensure that only authorized parties have permission to use the keys required to decrypt the protected data. Access control allows the data to be separated into domains according to ownership. For example, a virus would not be able to detect a credit card number for broadcast later, nor could a token value be stolen from or modified by a consumer.

Network operators have a very strong desire to protect the International Mobile Equipment Identifier (IMEI) from being modified. The IMEI is the identity of the phone, and if the IMEI can be modified, stolen phones can be given a valid replacement IMEI. It is essential that the IMEI is well protected both while it is stored and when it is in use. This is an excellent example of the need for a comprehensive security architecture: protecting the IMEI during storage but then exposing it when it is used does not provide the full protection required by network operators. The Intel Wireless Trusted Platform helps enable the protection of the IMEI at all times, even when the IMEI is being used or is being transferred between subsystems. Encryption and/or physical partitioning protects the IMEI while it is stored.

One popular service with consumers is the ability to download multimedia content like MPEG video and audio (MP3) files. The Intel Wireless Trusted Platform is designed to provide strong mechanisms to protect the content on the platform and to ensure that the DRM is not violated. Content temporarily stored on the platform is protected by strong encryption, and the access control policy prevents unauthorized access to the keys needed to decrypt the content. The specific management information governing the use of a particular file is protected by encryption and integrity checks. Finally, the software that enforces the DRM policy can be completely checked for integrity at boot time and can be re-tested each time the DRM application is launched.

4. Security Building Blocks


The Intel Wireless Trusted Platform is designed to provide a core set of hardware and software technologies that provide the basis for a trusted computing environment. Other security components such as VPN clients, virus scan software, IPSec protocol stack and others can be built upon and take advantage of the underlying Intel Wireless Trusted Platform security components. The components provided in the Intel Wireless Trusted Platform include:

- Intel Trusted Boot ROM
- Intel Wireless Trusted Module (an integrated security module)
- Security Software
- Protected Storage
- Physical Protection

Each of these is briefly described below.

Figure 2: Intel Wireless Trusted Platform Module Block Diagram [diagram; blocks recovered from the image: Intel XScale Core; Intel Trusted Boot ROM; System Interface; and, inside the Security Module Boundary, Cryptographic Engines, Instruction Sequencer, Internal Memory, Secure Key Storage and PRNG]

Intel Trusted Boot ROM


The Intel Trusted Boot ROM is the Intel Wireless Trusted Platform component that validates the integrity of the platform and boots the platform into a known good configuration. Trusted boot is an active part of the security solution during all stages of a product's life cycle, from manufacturing through the sale and use of the handset by consumers. It is invoked whenever power is applied or when commanded by the operating system.

The Intel Trusted Boot ROM is first invoked during device manufacturing. As part of the manufacturing boot, a device may also be loaded with cryptographic keys used for digital signature verification of the code objects, secure enabling of the JTAG interface and other functions that require asymmetric keys. These are public keys and do not need to be kept secret. During this stage of the product life cycle, trusted boot is designed to validate the integrity of the code and keys and to authenticate that the objects being loaded have been signed by the manufacturer. There is essentially no impact on the normal manufacturing flow and, since the only keys being loaded are public keys, a secure manufacturing area is not required. The only requirement is that the manufacturer must format the code objects to be consistent with the formatting expected by the trusted boot software. Intel provides a software tool that is designed to perform the expected formatting.

After a device is deployed, a power-on event initiates trusted boot. At this stage of the product's life, trusted boot is designed to validate the integrity of the software code objects on the platform. This is designed to be a powerful service that can detect any modification to the platform software configuration originally loaded by the manufacturer. During trusted boot, the trusted boot code performs a cryptographic measurement of the platform's code objects and compares the measured value to a known good value. The measured value is also stored so that it can be presented at a later time to an entity that inquires about the state of the platform at boot time.

Trusted boot is based on a transitive trust model. It is initiated by the trusted boot code. As trusted boot validates the integrity of other software objects, they are included inside the trust boundary, and their functions and capabilities can be used to further extend the trust boundary until the entire platform has been checked and is trusted. The trusted boot code is stored in memory that cannot be modified and cannot be bypassed. This helps ensure that the trusted boot process is always executed on a power-up event.

Trusted boot can detect platform modifications caused by viruses, malicious software or coding errors. In any case, if the core platform configuration has been altered, then the platform cannot be trusted, and the services offered by the platform are limited commensurate with the reduced degree of platform trust.

Intel Trusted Boot ROM can also be invoked by the OS or an application at any time after power is applied. In this case, the trusted boot code is designed to measure the present operating configuration of the platform and securely store that measurement. The measurement can be presented to a user, an internal process, or an external agent such as a payment server, as part of a process called attestation. This allows the requestor to check the present health of a platform before enabling a secure service. For example, a payment server may require that a platform be in a certain measurable configuration before establishing a connection, or a local application may allow cryptographic keys to be used only if the platform configuration is the same as when the keys were initially created. Intel Trusted Boot ROM provides strong protection for the software loaded onto a handset and ensures that this software is not accidentally or maliciously modified. Once the boot process is completed and control is transferred to the operating system, additional security measures, such as virus scan software, may be employed with corresponding support from the OS.

Intel Wireless Trusted Module


The Intel Wireless Trusted Module provides a safe, non-observable place to process secrets. The module includes a suite of cryptographic engines to support a core set of cryptographic services, or security primitives. These include random number generation, symmetric and asymmetric cryptography, key creation, key exchange, digital signature operations, hashing, binding and a monotonic counter. The security operations of the Intel Wireless Trusted Module are atomic: once initiated, an operation runs to completion, and its intermediate results are not revealed and cannot be modified by agents outside the module. These core crypto services are used to construct higher-level security functions such as platform attestation, protected storage and support for security protocols and services such as IPSec and Virtual Private Networks (VPN).

The Intel Wireless Trusted Module has a well-defined security boundary that allows for hidden execution. The operations being performed by the module cannot be monitored or altered by the application processor. Cryptographic keys, intermediate results of primitive operations, the operating state of the module, the PRNG state, the measured values gathered by trusted boot and other sensitive data are all processed inside the opaque boundary of the security module. Only the final results of a requested function are exposed, through a well-defined API.

The Intel Wireless Trusted Module is designed to cryptographically bind data elements to a specific platform. As an example, the IMEI can be bound to a particular platform by its trusted module. A bound object can only be unbound by the integrated security module used to bind it, and can be further restricted so that it may only be unbound in the presence of a specific software configuration. With this capability, it is possible to bind the IMEI to a specific platform and a specific software monitor. The monitor can then compare the sealed IMEI against the IMEI value in use, and halt any operation if this binding is violated. This is a very powerful mechanism to protect the IMEI from being cloned.

Attestation uses the Intel Wireless Trusted Module to provide information about the operating environment on a platform. The attestation may represent a measurement of the device at boot time, or at any time after boot. In either instance, the attestation value represents a measurement of the integrity of the platform at the time of measurement. If an operation requires a specific platform configuration before it can be executed, the platform can be measured to determine whether it is in the required configuration. If the attestation does not match the expected value, the system can terminate the operation. For the case of protected data, the module may refuse to decrypt data unless the platform is in the same state as when the data was originally encrypted. Similarly, an external entity such as a payment server may only be willing to transact with a device in a known good configuration. In all of these cases, using the attestation function can help provide assurance that the platform is in a trusted configuration before the requested operation is permitted to execute.

Protected storage in system flash is another capability provided by the Intel Wireless Trusted Module. This capability allows for the secure nonvolatile storage of secrets on the platform: cryptographic keys, public/private key pairs, passwords, digital rights management data, e-tickets and similar data. Since the volume of data that requires secure nonvolatile storage is likely to exceed that provided by the module, protected storage in system flash memory is required. The information is cryptographically protected for both privacy and integrity, so that it is not possible for an attacker either to observe this sensitive information or to substitute modified data for the original data.

Finally, the security primitives may be used to support higher-level protocols. Protocols like IPSec, Internet Key Exchange (IKE) and Secure Sockets Layer (SSL), and services like Digital Rights Management (DRM), all require cryptographic support, and they all can benefit from the use of the primitives provided by the Intel Wireless Trusted Module. There are two benefits to this approach. The first is better performance, since the security processing is offloaded to a dedicated security module which executes the algorithms more efficiently than a general-purpose processor; the general-purpose processor is designed to be concurrently available to perform other operations. The second benefit is that the module helps provide a closed and much more secure environment for handling secrets than does the application subsystem, thereby better protecting the cryptographic keys and related sensitive data.
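The trusted-boot measurement chain from the Intel Trusted Boot ROM section and the bind/seal and attestation behaviour described in this section, simulated as an added example; this is not Intel's code, and the class names, the known-good digest table standing in for RSA/PKCS signature verification, the HMAC-based counter mode standing in for the module's AES-CTR, and the sample code objects and IMEI are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha1   # the specification lists SHA-1 and SHA-1-based HMAC

def measure(code_object: bytes) -> bytes:   # cryptographic measurement of one object
    return HASH(code_object).digest()

def extend(register: bytes, digest: bytes) -> bytes:   # new = H(old || digest)
    return HASH(register + digest).digest()

class TrustedBootROM:
    """Stand-in for the boot ROM: each object is measured before it is trusted."""
    def __init__(self, known_good: dict):
        # Known-good digests stand in for the manufacturer-signed values that the
        # real ROM checks with RSA/PKCS#1 v1.5 signatures (assumption of this example).
        self.known_good = known_good
        self.register = bytes(HASH().digest_size)   # reset on every power-on event
        self.trusted = True

    def boot(self, code_objects) -> bool:
        """Transitive trust: an object is trusted only after its measurement checks out."""
        for name, blob in code_objects:
            digest = measure(blob)
            self.register = extend(self.register, digest)   # recorded even when bad
            if not hmac.compare_digest(digest, self.known_good.get(name, b"")):
                self.trusted = False   # trust boundary ends here; services are limited
                break
        return self.trusted

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode over a PRF (HMAC-SHA256), standing in for the module's AES-CTR."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[32 * i:32 * i + 32], block))
    return bytes(out)

class TrustedModule:
    """Stand-in for the module's bind/seal primitive (hypothetical API)."""
    def __init__(self):
        self._device_secret = os.urandom(32)   # created inside the module, never exported

    def _seal_key(self, register: bytes) -> bytes:
        # The key depends on this device's secret AND on the boot measurement.
        return hmac.new(self._device_secret, b"seal" + register, hashlib.sha256).digest()

    def seal(self, register: bytes, data: bytes) -> bytes:
        key, nonce = self._seal_key(register), os.urandom(16)
        ct = _keystream_xor(key, nonce, data)
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # integrity check
        return nonce + ct + tag

    def unseal(self, register: bytes, blob: bytes):
        key = self._seal_key(register)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            return None   # other device, other boot state, or tampered blob
        return _keystream_xor(key, nonce, ct)

def demo() -> dict:
    # Constructed sample code objects standing in for the manufacturer's image.
    image = [("bootloader", b"bootloader v1.0 (constructed)"),
             ("kernel", b"kernel v2.3 (constructed)"),
             ("imei_monitor", b"IMEI monitor v1 (constructed)")]
    known_good = {name: measure(blob) for name, blob in image}
    imei = b"490154203237518"   # constructed test value, not a real handset

    module, rom = TrustedModule(), TrustedBootROM(known_good)
    rom.boot(image)
    good_register = rom.register
    sealed = module.seal(good_register, imei)   # bound to this device and boot state
    results = {"good_boot": rom.trusted,
               "unseal_good": module.unseal(good_register, sealed) == imei}

    # Same handset, kernel altered (virus or reflashed memory): boot is not trusted,
    # the attestation value differs, and the sealed IMEI will not unseal.
    tampered = [(n, b + b" patched" if n == "kernel" else b) for n, b in image]
    rom2 = TrustedBootROM(known_good)
    rom2.boot(tampered)
    results["tampered_boot"] = rom2.trusted
    results["attest_match"] = hmac.compare_digest(rom2.register, good_register)
    results["unseal_tampered"] = module.unseal(rom2.register, sealed)

    # Sealed blob copied to another handset: its module has a different secret.
    results["unseal_other_device"] = TrustedModule().unseal(good_register, sealed)
    return results
```

The register value after a good boot is what a payment server would compare against in attestation, and the same value gates unsealing, so a modified kernel both fails attestation and locks the bound IMEI.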

Security Software
The Intel Wireless Trusted Platform solution includes a security software stack that enables the operating system (OS) and applications to access the Intel Wireless Trusted Platform resources through standard Cryptographic APIs. This allows the OS and applications to access the underlying cryptographic services without specific information regarding the split of functions between hardware and software, or knowledge of the hardware interfaces and protocols. The application interface is provided by the Intel Integrated Performance Primitives Cryptographic Primitives (Intel IPP cryptos). The Intel IPP cryptos fill high-level requests for cryptographic services using a combination of software services and the hardware security capabilities found in the security module. When the security module is invoked, the Intel IPP cryptos translate high-level requests for security services into a set of primitive operations that are executed by the Intel Wireless Trusted Module. The Intel IPP cryptos also provide high-level management of the Intel Wireless Trusted Module functions.

Physical Protection
Physical protection mitigates the threat of critical security components being removed or replaced, thereby destroying the security of the handset. Physical protection is provided in two ways: by integration of the security hardware in a single device (system on chip, or SoC), and by packaging the discrete components into a single physical package (e.g., stacked components). By taking advantage of both types of physical protection, the Intel Wireless Trusted Platform solution is designed to provide strong assurance that security components cannot be replaced, removed, or bypassed, and to ensure that security execution is unobservable to attackers.

5. Benefits
The Intel Wireless Trusted Platform is designed to provide a robust security architecture that benefits all members of the wireless ecosystem. Major benefits derived from the architecture include:

- It is an integrated and coherent architecture that helps reduce the interoperability issues that are likely to occur when point solutions are applied.
- The Intel Trusted Boot ROM helps ensure platform integrity and reduces the risk that a handset can adversely impact a network.
- Protective features in the security module help prevent keys from being exposed unencrypted.
- Stronger security helps enable a richer set of services such as digital content delivery, e-ticketing, business enterprise services, etc.

- The Intel Wireless Trusted Module is a dedicated security module that helps improve system performance. The processor can offload security operations to the security module, so it is available for other processing.
- Support for widely used Cryptographic APIs makes it easy for application developers to take advantage of the strong security features provided in the security hardware.

Figure 3: Security Software Stack [diagram; layers recovered from the image, top to bottom: ISV Applications; OS CAPI Layer; Intel IPP Cryptos; HW Command Layer (OS Independent); Trusted Boot ROM; Security Module Hardware. The diagram also carries the label "Provided by Intel" marking the Intel-supplied layers.]

Summary
The Intel Wireless Trusted Platform architecture is designed to provide an extensible security framework that enables a wide array of security services such as banking, digital media services, wireless commerce, networked games, third-party software downloads, wireless network sales, etc. These services help support platform trust operations, security protocols, access control mechanisms, protection of private data and more. Deployment of these new services must be done without network disruptions and outages, or platform-level attacks that could jeopardize a customer's private information or content stored on the handset. The Intel Wireless Trusted Platform is designed to counteract these issues.

6. Technical Specification
Cryptographic Algorithms & Functions
- Advanced Encryption Standard: Electronic Code Book (ECB), Cipher Block Chaining (CBC) and Counter mode
- RSA
- SHA-1 & SHA-1-based HMAC
- Digital signature creation and verification (EMSA PKCS v1.5)
- Diffie-Hellman Key Exchange

Miscellaneous Functions
- Pseudo Random Number Generator
- Monotonic Counter

Protocols Supported
- IPSec
- Internet Key Exchange (IKE)
- OMA v1 and v2
- Secure Sockets Layer (SSL)
- Trusted Computing Group Main Specification

For more information, visit the Intel Web site at: developer.intel.com
Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained from http://www.intel.com or by calling 1-800-548-4725. Intel, the Intel logo, and Intel PCA are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. *Other names and brands may be claimed as the property of others. Copyright 2004 Intel Corporation. All rights reserved. 0304/MD/MS/PDR


300868-001
