Upload
kiral
View
99
Download
7
Tags:
Embed Size (px)
DESCRIPTION
Securing Android Apps using Trusted Execution Environment (TEE) - 07/08/14. Presented by: Mike Hendrick VP Product Dev @ Sequitur Labs. Company Background. Team. Founding. Incorporated in 2010 Prior decade of work on mobile platforms Domain expertise in authorization/authentication - PowerPoint PPT Presentation
Citation preview
Sequitur Labs Inc. Proprietary ©2014 1
Securing Android Apps using Trusted Execution Environment (TEE)- 07/08/14
Presented by:Mike Hendrick
VP Product Dev @ Sequitur Labs
Sequitur Labs Inc. Proprietary ©2014 2
COMPANY BACKGROUND
Founding
Experience
Team Incorporated in 2010 Prior decade of work on mobile
platforms Domain expertise in
authorization/authentication Large enterprise policy
frameworks
Phil Attfield – CEO, (Founder Signal9, acquired by McAfee)
Paul Chenard - CTO Mark Reed – COO Abhijeet Rane – VP Marketing Mike Hendrick – VP Product
Dev
Deep Experience in Network security Embedded systems / mobile Massive scale telecom systems Boeing, T-Mobile, Qualcomm,
HP
AT&T Trustonic ARM (working relationship) Atmel (working relationship)
Customers and Partners
Sequitur Labs Inc. Proprietary ©2014 3
OVERVIEW
Our Vision
Develop enabling technologies and solutions to better secure and manage connected devices of today and the future.
PCs Tablets IoTSmartphonesServers
Sequitur Labs Inc. Proprietary ©2014 4
WHY DOES IT MATTER? EVERYONE IS AT RISK.
Business enablers: Mobile + Devices + Cloud
New devices and use cases Changing IT and information
consumption environment for end users and enterprises
Changing and diverse security and manageability requirements
Traditional IT perimeter has vanished
The promise of mobility can only be realized if TRUST exists between users, services and devices
$5.5 millionU.S. average cost of data breach.
Sequitur Labs Inc. Proprietary ©2014 5
Trustonic TEE
Trustonic
Trustonic Microkernel
Trustonic DriverKernel Module
API
Trustonic Driver Kernel Module
Trustonic Driver
Trustonic Driver API
TRUSTZONE AND THE TEE ARM provides the
reference design for the TrustZone to be incorporated by
SoC manufacturers Device OEMs
Trustonic provides a Trusted Execution Environment (TEE) Protects against software
attack from open/Rich OS Provides scalable and
secure environment for apps like user auth, anti-malware, transactions
Two separate domains, normal and secure Extends across entire
system Secure
Processing path On/off-chip memory I/O and display
Increasingly available on devices
Sequitur Labs Inc. Proprietary ©2014 6
A HEALTHY ECO-SYSTEM IS FORMING AROUND THE TEE
Trustonic TEE Eco-system
Sequitur Labs Inc. Proprietary ©2014 7
DeadBolt™ – STREAMLINING ACCESS TO THE TEE
TrustZone enabled SoC
Trustonic Trusted Execution Environment
Sequitur Trusted ApplicationsSecure Storage
TEE-SSLAuthenticatio
n+++
Sequitur DeadBolt™ Java LibrarySecure Storage
TEE-SSLAuthenticatio
n+++
Android Application
Sequitur Labs Inc. Proprietary ©2014 8
DeadBolt Encrypt
DeadBolt Encrypt – provides data at rest encrypted storage
256 AES CBC cypher Encrypt an OutputStream Decrypt an InputStream DBCryptParams – specifies crypto parameters
APK_BOUND KEY_BOUND DEV_BOUND CUSTOM_BOUND NOT_BOUND
Errors Exception Version
Sequitur Labs Inc. Proprietary ©2014 9
Using FileOutputStream:
FileOutputStream fos = new FileOutputStream(pictureFile);
Using DBEncryptFileOutputStream:
DBEncryptFileOutputStream fos = new DBEncryptFileOutputStream(picturefile, MainActivity.main_activity, new DBCryptParams(MainActivity.CryptoParamMask, MainActivity.CryptoPassword));
DeadBolt Encrypt – Difference from Standard Android
Sequitur Labs Inc. Proprietary ©2014 10
Preform SSL encryption in the TEE
Only call is to initialize the connection DBSSL.Init(context);DBSSLSocketFactory.InitHttpsDefault();
Or
Socket sock=DBSSLSocketFactory.createSocket(host,port);
DeadBolt SSL
Sequitur Labs Inc. Proprietary ©2014 11
Local Authorization via Trusted User Interface Number PIN Code AlphaNumeric Passcode
One Time Password – HOTP based on RFC 4226
Remote Authorization Key Pair Generation Secure delivery of Key to Server Message Signing and Encryption Message Validation and Decryption
DeadBolt Authorization (Future)
Sequitur Labs Inc. Proprietary ©2014 12
DEVELOPING TEE SECURED APPS WITH DeadBolt™
Does not require developers with systems level development experience
Does not require learning new platform primitives
Significantly lower cost of initial and ongoing investment
Rapid time to market
Start developing app
Download and include DeadBolt™
in your app(development
license)
Complete app development and
testing
Get activation license for
commercial distribution
Publish app on public or private
app store
$$
Sequitur simplifies the development and commercial activation of a TEE secured app
Sequit
ur
Develo
per
Port
al
Sequitur Labs Inc. Proprietary ©2014 13
DeadBolt™ - KEY BENEFITS
Enterprise Developers
Enterprise ISVs/SIs/
Consultants
Device OEMs
Reduce time to market and cost
Easily leverage hardware based security
Deliver new value to customers
Deliver secure application platforms
Sequitur Labs Inc. Proprietary ©2014 14
SEQUITUR LABS INC.
Contact
Abhijeet Rane, VP Marketing, [email protected] Jennifer Multari, MarCom Manager,
[email protected] Mike Hendrick, VP Product Development,
[email protected] www.seqlabs.com