Intruders may have stolen data pertaining to RSA one time password (OTP) tokens. However, RSA won't tell the general public what has happened. There is a support note which is accessible only to customers.
OTP uses keys that need to remain secret, but I don't think these keys have been stolen.
Sunday 20 March 2011
Sunday 6 March 2011
TrustZone and Trusted Execution Environment
This post describes a recent security addition to mobile phones. It has a superficial similarity to the trusted platform module (TPM). Because the TPM seems to cast doubt on anything "trusted" I will compare TrustZone and TPM.
TrustZone is a virtualization technology. The basic idea is that the processor can be switched between normal mode and secure mode. Because of the virtualization the normal mode is unaffected by the secure mode. The secure mode is based on the TrustZone. More technically, some peripherals and keys are only accessible from the secure mode.
The TPM did not use virtualization. There was no unaffected more. It became unclear whether the owner of the computer or the owner of the TPM keys was the real master of the computer.
TrustZone can and will be used to implement a DRM system. However, it won't enforce anything in the normal world. Thus people who do not like to use DRM, can simply ignore it.
Still, there is a feature that will be useful to everyone: The secure mode can be used to protect PIN entry or display of sensitive information from malware. There is hope that such a technology might disrupt the creation of a criminal ecosystem on mobile phones before it gets out of control like it happened on PCs.
The secure mode is typically started from the normal mode, for example because the user wants to enter a PIN. The smart card standardization organization Global Platform intends to standardize this API under the name Trusted Execution Environment. That's the other T-word from the title.
TrustZone is a virtualization technology. The basic idea is that the processor can be switched between normal mode and secure mode. Because of the virtualization the normal mode is unaffected by the secure mode. The secure mode is based on the TrustZone. More technically, some peripherals and keys are only accessible from the secure mode.
The TPM did not use virtualization. There was no unaffected more. It became unclear whether the owner of the computer or the owner of the TPM keys was the real master of the computer.
TrustZone can and will be used to implement a DRM system. However, it won't enforce anything in the normal world. Thus people who do not like to use DRM, can simply ignore it.
Still, there is a feature that will be useful to everyone: The secure mode can be used to protect PIN entry or display of sensitive information from malware. There is hope that such a technology might disrupt the creation of a criminal ecosystem on mobile phones before it gets out of control like it happened on PCs.
The secure mode is typically started from the normal mode, for example because the user wants to enter a PIN. The smart card standardization organization Global Platform intends to standardize this API under the name Trusted Execution Environment. That's the other T-word from the title.
Wednesday 2 March 2011
Malware on Android
As everyone reports: there has been malware on Google's Android market. I have to add that such a thing removes the remaining security from SMS-TANs or similar two factor authentication schemes. One way out of that problem would be to use an additional trusted execution environment on smart phones.
Subscribe to:
Posts (Atom)
Posts
