OMAP platform security features



Similar documents
M-Shield mobile security technology

M-Shield Mobile Security Technology: making wireless secure

Texas Instruments OMAP platform optimized for Microsoft Windows Mobile -based devices

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

SoC: Security-on-chip!

Certicom Security for Government Suppliers developing client-side products to meet the US Government FIPS security requirement

How mobile operators can monetize 3G investments through an effective applications platform

Embedded Java & Secure Element for high security in IoT systems

Protecting Your Organisation from Targeted Cyber Intrusion

Confidentio. Integrated security processing unit. Including key management module, encryption engine and random number generator

Wireless Security: from the inside out. building security into the OMAP platform. ATechnology and Business Review from Certicom and Texas Instruments

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

BroadSAFE Enhanced IP Phone Networks

Introducing etoken. What is etoken?

Design and Implementation Guide. Apple iphone Compatibility

Secure Network Communications FIPS Non Proprietary Security Policy

Windows Embedded Security and Surveillance Solutions

WHITE PAPER. Securing Process Control Networks

S E P T E M B E R

Best Practices for Outdoor Wireless Security

DesignWare IP for IoT SoC Designs

CycurHSM An Automotive-qualified Software Stack for Hardware Security Modules

White Paper: Managing Security on Mobile Phones

Solution Recipe: Improve Networked PC Security with Intel vpro Technology

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Trusted Platforms for Homeland Security

Complying with PCI Data Security

Cisco Integrated Services Routers Performance Overview

Certification Report

RSA SecurID Two-factor Authentication

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz , ICSG 2014

Building Robust Security Solutions Using Layering And Independence

Configuring Security Solutions

Hardware RAID vs. Software RAID: Which Implementation is Best for my Application?

Using BroadSAFE TM Technology 07/18/05

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Cisco Wireless Security Gateway R2

ACER ProShield. Table of Contents

Enhancing Organizational Security Through the Use of Virtual Smart Cards

Secure USB Flash Drive. Biometric & Professional Drives

Cisco Cisco 3845 X X X X X X X X X X X X X X X X X X

CHANCES AND RISKS FOR SECURITY IN MULTICORE PROCESSORS

Secure Data Exchange Solution

Security and Compliance. Robert Nottoli Principal Technology Specialist Microsoft Corporation

Steelcape Product Overview and Functional Description

Sustainable Device Security:

Samsung Mobile Security

SCADA SYSTEMS AND SECURITY WHITEPAPER

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Mobile Office Security Requirements for the Mobile Office

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

How to Prevent a Data Breach and Protect Your Business

Smartphone Security. A Holistic view of Layered Defenses. David M. Wheeler, CISSP, CSSLP, GSLC. (C) 2012 SecureComm, Inc. All Rights Reserved

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Integrated Services Router with the "AIM-VPN/SSL" Module

Recommended Wireless Local Area Network Architecture

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Side Channel Analysis and Embedded Systems Impact and Countermeasures

Pulse Secure, LLC. January 9, 2015

Understand Electronic-Meter Design to Better Craft Intelligent and Secure Systems

Chapter 1: Introduction

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Readiness Assessments: Vital to Secure Mobility

Intel Network Builders: Lanner and Intel Building the Best Network Security Platforms

TI Linux and Open Source Initiative Backgrounder

Govt. of Karnataka, Department of Technical Education Diploma in Computer Science & Engineering. Sixth Semester

IREBOX X. Firebox X Family of Security Products. Comprehensive Unified Threat Management Solutions That Scale With Your Business

Cut Network Security Cost in Half Using the Intel EP80579 Integrated Processor for entry-to mid-level VPN

Trustworthy Computing

Why Switch from IPSec to SSL VPN. And Four Steps to Ease Transition

BYOD Guidance: BlackBerry Secure Work Space

Threat Model for Software Reconfigurable Communications Systems

Customer Whitepaper. Motion Tablet PC Security Basics. Table of Contents. Whitepaper Goals and Intended Audience...2

User. Role. Privilege. Environment. Checkpoint. System

Securing the Small Business Network. Keeping up with the changing threat landscape

Innovations in Digital Signature. Rethinking Digital Signatures

IINS Implementing Cisco Network Security 3.0 (IINS)

SkyRecon Cryptographic Module (SCM)

Site to Site Virtual Private Networks (VPNs):

FIPS Security Policy 3Com Embedded Firewall PCI Cards

VMware vcloud Networking and Security Overview

Achieving DRM Robustness. securing the device from the silicon up to the application

Huawei One Net Campus Network Solution

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

Assessing the Security of Hardware-Based vs. Software-Based Encryption on USB Flash Drives

Implementing Cisco IOS Network Security

Proven LANDesk Solutions

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Solution Recipe: Improve PC Security and Reliability with Intel Virtualization Technology

Ensuring the security of your mobile business intelligence

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

Intel Cyber Security Briefing: Trends, Solutions, and Opportunities. Matthew Rosenquist, Cyber Security Strategist, Intel Corp

How To Evaluate Watchguard And Fireware V11.5.1

QuickSpecs. Models. Features and benefits Application highlights. HP 7500 SSL VPN Module with 500-user License

Virtual Private Networks

Transcription:

SWPT008 - July 2003 White Paper OMAP platform security features By Harini Sundaresan Applications Engineer, OMAP Security Texas Instruments, Wireless Terminal Business Unit This white paper introduces TI s OMAP application processors in the wireless and the embedded space and highlights their security features. The security architecture for TI s OMAP platform is a combination of hardware and software components that enforce the security policy and provide secure functionalities to the platform. Table of contents Table of figures OMAP application processors...3 The need for security...4 OMAP security solutions...5 OMAP1510, OMAP710, OMAP310, OMAP5910 processors...6 OMAP161x, OMAP73x processors...6 OMAP platform security features...7 Secure environment...7 Secure boot/secure flash...7 Run-time security...8 Crypto engine...8 Conclusion...9 References...9 Figure 1: OMAP application processors...3 Figure 2: OMAP platform security solutions...5 Figure 3: Three layered security architecture...6

Page 2 Glossary AES Advanced Encryption Standard API Application Programming Interface DBB Digital BaseBand DES/3DES Data Encryption Standard/ Triple-DES DRM Digital Rights Management DSP Digital Signal Processor GPRS General Packet Radio Service GSM Global System for Mobile communication HW Hardware MD5 Message Digest version 5 MPU Main Processing Unit. The main processor used in computers (and phones). NoVo Non Volatile OS Operating System PDA Personal Digital Assistant PKI Public Key Infrastructure PPC Microsoft Windows Pocket PC RAM Random Access Memory a writable memory. RNG Random Number Generator ROM Read Only Memory SE Secure Environment SHA-1 Secure Hash Algorithm. Algorithm version 1. Algorithm used to calculate highly secure hash values SSL Secure Socket Layer SW Software

Page 3 OMAP application processors TI s OMAP application processors can be broadly classified into two categories focusing on different markets: 2.5G and 3G wireless handsets and embedded applications. Wireless OMAP processors address a wide range of market segments from traditional cost-sensitive, voice-centric handsets to multimedia-rich wireless handsets and PDAs with the best combination of high-performance and ultra-low power consumption. Embedded OMAP processors are ideal for designers working with devices that require embedded applications processing in a connected environment such as Internet appliances, web pads, telematics and medical devices. Figure 1: OMAP application processors OMAP1510 OMAP310 OMAP710 OMAP5910 OMAP161x OMAP73x Wireless Single Chip Dual-Core (ARM+DSP) Application Processor Wireless Single Chip ARM based Application Processor Wireless Single Chip (Application Processor (ARM) + Communication Processor (DBB) Embedded Single Chip Dual-Core (ARM+DSP) Application Processor High-end multimedia: PDA's, wireless PPCs, smartphones web tablets, etc Basic multimedia: handsets, smartphones, PDAs, voice-centric applications High-end multimedia: mainstream smartphone, PDAs, internet access devices Connected environment: internet appliances, web pads, telematics, medical devices etc.

Page 4 The need for security The need for strong security in the OMAP platform comes from the vulnerability of the wireless space to security risks such as viruses. The mobile phone has traditionally been a closed system. In Europe, security is mainly relying on the SIM card, which provides the user of the mobile phone with a unique network identity. Due to the closed nature of the system and to the robust smart card manufacturing process, the risk for the Network Operator to suffer from hackers was limited. The introduction of packetized services, such as GPRS, and the move to 3G systems opens the wireless industry to a new range of services and a new vulnerability to hackers. The formerly closed nature of mobile phones is changing to a more open system offering rich content and applications available over the air. With this openness a new level of security is required to protect wireless networks and handsets. Open architectures require security not least because of the threat of viruses but also because malicious software can compromise the intended commercial use of the phone and the deployment of value added services. Japan was the setting for the first example of security weakness for current 2.5G and 3G mobile phones. There were a number of attacks with various consequences including: malicious e-mails to wireless handsets that unleashed malicious code which took control of the communications device and, in some cases, repeatedly called Japan s emergency response system placing long distance calls without the user's knowledge handset lockup, making it impossible for subscribers to use any of the arrier s services Numerous incidents involving spamming, denial-of-service, virus attacks, content piracy and malevolent hacking are becoming rampant in the wireless field. The security breaches that have posed a constant threat to desktop computers over the last 10 years are migrating to the world of wireless communications where they will pose a threat to mobile phones, smartphones, personal digital assistants (PDAs), laptop computers and other yet-to-beinvented devices that capitalize on the convenience of wireless communications. With over 12 years of wireless experience, TI has the depth of knowledge imperative for understanding how critically important security will be to the success of 2.5G and 3G. To meet the needs of the wireless market, in February of 2003 TI announced five new OMAP processors with on-chip hardware security.

Page 5 OMAP security solutions OMAP1510, OMAP710, OMAP310, OMAP5910 processors The first generation of the OMAP processors includes the OMAP1510, the OMAP710, the OMAP310, and the OMAP5910. The security solution for the first generation of OMAP processors is software based. TI, working with industry leading security providers, Certicom and Safenet, has high-performance software crypto libraries available for high level operating systems (HLOS) like Linux, Microsoft Windows CE, and Symbian OS that are optimized for the OMAP platform. Apart from core crypto functions, TI also offers Certicom s SSL toolkit and PKI toolkits that are optimized for the OMAP platform. These software crypto engines and toolkits have been tested with regressive tests and provide user friendly API guides and sample test frameworks enabling quick development. Figure 2: OMAP platform security solutions OMAP Security Features OMAP OMAP OMAP OMAP OMAP OMAP Benefits to OEM 1510 161x 310 710 73x 5910 Crypto Engine Optimized to enhance SW Crypto Library performance and efficiently use power True HW-based RNG Enhanced security (versus (Random Number SW-based pseudo RNG) Generator) CyptoHW accelerators High throughput/power (DES/3DES, SHA1/MD5) efficient (VPN/SSL / FileEncrypt/ DRM etc.) GSM/GPRS DBB Modem Flash boot sector write SDRAM Protection protection and shared memory protection Third Party applications Optimized solutions offer fast time-to-market Secure Boot/flash Secure boot/flash process (prevent security attacks during device flashing and booting) Secure Environment Execution of authenticated code, secure crypto and management (VPN/SSL, DRM, e-wallet, etc.)

Page 6 Apart from the SW core crypto library, the OMAP Developer Network offers additional Third party security applications. These applications are optimized for the OMAP platform and offer OEMs development cost savings and faster time-to-market. A few of the offerings from OMAP developers includes: Biometric fingerprint recognition from Authentec VPN application from Safenet and Certicom Virus protection from Network Associates Firewall, Content Filtering and mobile data security from WhiteCell Encrypted FAX capability from Snapshield OMAP161x, OMAP73x processors One of the distinguishing features of the second generation of OMAP processors, the OMAP161x and the OMAP73x devices, is the embedded on-chip security. This is described in detail in the next section. This security solution is a combination of hardware and software components used to create a trusted device. Today, most devices include two layers of security: application layer security and operating system layer security. While these efforts reduce risk, stand-alone they are not sufficient. TI offers a third layer of protection that integrates embedded hardware security technology. By doing this, TI enables manufacturers to offer a new layer of defense at the chip level that is fast and serves as a security foundation for the applications and OS layers, thereby creating a trusted mobile device. Figure 3: Three layered security architecture Application Layer Security OS Layer Security Trusted Terminal On-chip Hardware Security

Page 7 OMAP platform security features Secure Environment The Secure Environment is a feature available, where critical code and data can be executed securely and sensitive information can be hidden from the outside world with the help of the following security components: Secure Mode (Secure Execution Environment): Can be viewed as a 3rd privilege level allowing secure execution of trusted code via on-chip authentication. Its activation relies on the presence of special purpose hardware creating an environment for protecting sensitive information from access by non-trusted software. The secure mode is set with the assertion of a dedicated security signal after a set of pre-determined security conditions are met. This signal propagates across the system and creates a boundary between resources that only trusted software can access and those resources available to any software. Secure Keys: OEM specific one-time programmable keys accessible only in secure mode used for authentication and encryption in a secure environment. Secure ROM: Accessible only in secure mode and contains security services such as secure storage mechanism using secure keys, key management and cryptographic libraries. Secure RAM: Accessible only in secure mode and used for running OEM specific trusted/authenticated code. Secure Boot/Secure Flash The foundation of a secure platform is the authentication of the software installed on the platform. The authentication process must guarantee the origin and the integrity of the software stored in the external NoVo memory. In security-enabled production devices, secure flash and secure boot is enforced to achieve high level of security. Secure flash ensures that the OEM s OS image is correctly and securely programmed into flash memory at the factory. Secure Boot ensures that the authorized OEM s SW (signed by the OEM) and optionally the OS image (optionally signed by the OEM) is authenticated prior to execution. This prevents the code from being modified by unauthorized entities or the external memory NoVo from being tampered with. It also prevents the execution of any forged or spoofed software code. The authentication of a software module is based on a certificate associated with this module* 1.

Page 8 Run-time Security The OMAP platform secure environment can be extended to OS applications during run-time for relatively short security critical tasks such as key encryption/decryption, authentication and managing other highly secure data. Such operations often require maximum security in DRM, VPN and banking applications. The run-time services require the presence of software interface components like the APIs and drivers designed to integrate the secure environment into the OS. Crypto Engine The OMAP161x and OMAP73x processors have HW crypto engines to achieve higher throughput and enhance security. The HW crypto engines available are DES/3DES, SHA1/MD5 and RNG. These HW crypto engines can be either configured as secure mode access only or both user mode and secure mode access based on the OEM s preference. 1. HW Accelerators in Secure Mode: For security applications that are short and/or require high level of security (e.g.: M-wallet application, DRM key management, Point Of Sale terminal verification), the secure mode only access configuration is desirable. 2. HW Accelerators in User Mode: For security applications that are long and/or require medium or low level security (which does not require the secure mode services) but desire higher throughput (e.g.: VPN, WLAN, bulk data encryption), the user mode access configuration is the preferable choice. The OMAP SW crypto libraries from TI s security providers Certicom and Safenet have an added feature allowing developers to seamlessly access the HW accelerators in user mode from their crypto libraries. Developers simply need to use the IPSec toolkit, SSL toolkit and/or the PKI toolkit running on the top of the SW crypto libraries to take advantage of the HW Accelerators. The ease of development is a great benefit to OEMs and offers faster time-tomarket since TI and its security providers offer the complete, integrated, optimized solution.

Page 9 Conclusion References The security architecture offered by the OMAP platform is a combination of hardware and software mechanisms for safe execution of secure services: On-chip security hardware offers the necessary robustness for tamper resistance Software security provides the modularity and scalability to support numerous cryptographic standards and security protocols for confidently running any value added application Thus, building a security foundation on the OMAP platform, manufacturers that choose TI will meet the trusted security challenges of 2.5 and 3G wireless and embedded devices. The thirst for security can never be quenched completely; however strong we build a fortress, new threats will always appear. TI is determined to continue its leadership in building robust wireless/embedded security solutions for its customers for all future generations of the OMAP processors. 1. www.omap.com 2. Reducing the Security Threats to 2.5G and 3G Wireless Applications www.omap.com 3. Wireless Security: from the inside out www.omap.com * 1 Note: There are other types of devices where secure boot and secure flash is not enforced. It is not in the scope of this white paper to discuss them in detail. Special thanks Special thanks to the following Texas Instruments WTBU members for their contribution to this white paper either in the form of review, feedback or internal reference materials: Erdal Paksoy, Jerome Azema, Sunil Hattangady and Jason Vorel. Important Notice: The products and services of Texas Instruments Incorporated and its subsidiaries described herein are sold subject to TI s standard terms and conditions of sale. Customers are advised to obtain the most current and complete information about TI products and services before placing orders. TI assumes no liability for applications assistance, customer s applications or product designs, software performance, or infringement of patents. The publication of information regarding any other company s products or services does not constitute TI s approval, warranty or endorsement thereof. OMAP is a trademark of Texas Instruments. All other trademarks are the property of their respective owners. 2003 Texas Instruments Incorporated SWPT008

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information