That dynamic is changing thanks to an industry collaboration driven by the two-year-old FIDO (Fast Identity Online) Alliance. FIDO has developed new protocols that enable simple, strong authentication between the user, device and the service provider (or relying party). On mobile devices, for example, FIDO can be used with biometric authenticators to enable services with the swipe of a fingerprint or the scan of an iris.
Recently, NTT DoCoMo became the first company to roll out FIDO authentication throughout its network, allowing it to replace passwords for millions of customers across its services with a range of enhanced authentication methods. The goal of FIDO protocols such as the Universal Authentication Framework (UAF) is to enable local user verification with multiple authenticators such as fingerprint, iris or PIN replacing traditional username and password. In other words, register once with a favourite online shopping site or bank and afterward only a simple method of authentication specific to the user can be used (fingerprint, PIN, etc.).
Let’s take a look at how this works and how engineers can build the hardware foundations for simple and strong authentication in a world marked by increasing (and increasingly pernicious) hacking activity around the world.
Barbarians at the gates
Attacks come in all shapes and sizes, and malicious software can be installed by conventional means such as through a rogue app store, social engineering or Trojan, or by other attack vectors such as the browser. When malware is present on a device it has the potential to escape its sandbox or process permissions, and any data held or input into the device can then become compromised.
Alternatively, if an attacker can gain physical access to the device, further attacks become possible. If the attacker can access the file system of the device, he can steal data. If the data is encrypted, the attacker could copy the data off the device and perform an offline attack on the encryption.
Hardware-based security is needed to help protect FIDO from malicious attack. Assets such as cryptographic keys, sensitive processes and the capture of authenticator data should be protected from malicious attack, and the integrity of the system needs to be maintained. This can be done by effectively walling off these areas in hardware. ARM TrustZone technology provides the hardware isolation necessary for a GlobalPlatform Trusted Execution Environment (TEE). This security layer is suited to secure FIDO-based authentication.
The TrustZone based TEE provides a “Secure World” where the security boundary is small enough to offer a route to certification and provable security. It is typically used for securing cryptographic keys, credentials and other secure assets. TrustZone offers a number of system security features not available to the hypervisor: it can support secure debug, offer secure bus transactions and take secure interrupts directly into the Trusted World (useful for trusted input). There is an argument to restrict the amount of security functionality in the trusted world to limit the attack surface and make certification a practical proposition.
The TrustZone security extensions work by providing the processor with an additional “secure state” that allows secure application code and data to be isolated from normal operations. This partitioning enables a protected execution environment where trusted code can run and have access to secure hardware resources such as memory or peripherals. Conventionally, the Trusted World is used with its own dedicated secure operating system and a trusted boot flow to form a TEE that works together with the conventional operating system, such as Linux or Android, to provide secure services.
Security is as strong as the weakest link in a chain of trust. The starting point of the chain is the Root of Trust (ROT) that is normally implemented in hardware to protect it from modification. Mobile device integrity starts by resetting into Secure World and booting from immutable hardware in the form of a Read-Only Memory, and accessing trusted hardware resources such as hardware unique key, random number generators, counters, timers and trusted memory. A carefully designed authenticated trusted boot flow is the basis for device integrity. The Trusted OS is started as part of the trusted boot flow before the “Normal World” Rich OS is booted.
The Trusted OS can provide trusted services for the FIDO protocol, for example, handling cryptography and user matching algorithms in a hardware-protected execution environment. In a typical implementation, nearly all of the FIDO stack will reside in the normal world and only small security sensitive functions are moved into the TEE. The code moved to the TEE is referred to as a Trusted App, as it benefits from the security promises of confidentiality and integrity. This partitioning builds in resistance to scalable attacks. A major use case of the TEE is to provide a secure key store. Since non-volatile memory is rarely found on an applications processor, FIDO keys are encrypted in the TEE with a hardware-unique key burned into the chip. This encrypted and wrapped key is then stored in external memory for storage between boots. Keys would only be decrypted and used within the TEE and never accessible to the Normal World. A FIDO Trusted App could include the functionality for biometric template storage and matching. This could be handled in a similar way to the storage of crypto keys — i.e., encrypted and wrapped within the TEE and stored in external non-volatile storage.
More is on the way, of course, from both GlobalPlatform and FIDO. And expect TrustZone technology to be extended to cover touchscreen input (for protecting PIN entry) and display output providing a “what you see is what you sign/buy” capability.
There’s no doubt we live in a world that can be menaced by black hats. Kaspersky Labs reported earlier this year that one group (the Carbanak cybergang) launched an APT (Advanced Persistent Threat) attack on dozens of banks worldwide that stole $1billion.
FIDO-based authentication is already deployed at scale and looks set to become an industry success story by helping consumers move beyond passwords. The TrustZone-based TEE demonstrates that when security is well architected it can deliver delightful user experiences and keep the black hats at bay.
Rob Coombs is security marketing director at ARM Holdings