Mobile and embedded devices are rapidly evolving into powerful, ubiquitous personal assistants. As such, they will be involved in security-critical operations like authentication, payment, e-Banking and e-Government applications. Nevertheless, they have to be open platforms on which entertainment applications need to find their place.
Being part of the Internet of Things, these platforms become an interesting target to attacks and efficient security mechanisms are required to increase peoples and companies trust in them. The SEPIA project addresses these challenges and considers trustworthiness, security and protection capabilities of such devices as key enablers for new businesses and the integration of mobile platforms in the e-Europe initiative.
SEPIA will, therefore, focus on three topics: Security enhancements of mobile platforms, cryptography and privacy protecting technologies, as well as delta-evaluation and certification methodologies. A major objective of SEPIA is to define a next-generation security-architecture for mobile and embedded systems, addressing topics such as isolated execution space, virtualization and secure protection of confidential data. Therefore, existing security solutions for embedded systems with emphasis on the ARM TrustZone are investigated within SEPIA and solutions and countermeasures for identified threats will be developed.
Another major topic that will be researched in the project are privacy protecting mechanisms, based on strong cryptography. In SEPIA, establishing trustworthiness is seen as an asset that is considered right from the design phase of the platform rather than being addressed as add-on feature. Modern trustworthy platforms provide means for content protection or secure storage of credentials. However, they are lacking support for privacy protection of the platform and the actual owner of the platform. Thus, SEPIA deals with analysis, improvements and integration of support for cryptographic computations on embedded platforms with a special focus on privacy and anonymity protecting technologies.
In order to achieve this goal, SEPIA will investigate existing privacy enhancing technologies (PETs) for improvements in the algorithmic level and applicability to different cryptographic primitives (e.g. elliptic curve cryptography). Moreover, SEPIA will focus on extensions to the CPU in order to support PET schemes on existing embedded microcontrollers allowing the efficient use of PET-technologies on embedded microcontrollers for areas such as identity management, RFID authentication etc. These extensions will be designed in way that common cryptographic schemes can also take advantage of them.
Establishing trust requires assessments from independent organisations. However, existing evaluation methodologies do not keep pace with the rapidly evolving mobile and embedded market. Hence, the project also aims to research how the SEPIA concept can improve assurance on security of hand-helds in terms of efficiency in value- and supply-chain environments where multiple stakeholders are involved and and cost efficient certification processes, reducing the time from design to market.
Therefore, SEPIA will use the Common Criteria (CC) standard as a reference for completeness and terminology and will cover aspects of secure delivery between suppliers of mobile phone components, secure development of hardware/software, completeness in testing and vulnerability analysis of component compositions.
SEPIA includes theoretical and practical research as well as the development of proof-of-concept prototypes. All these efforts will result in the SEPIA reference platform which will be disseminated via demonstrators and as an open platform for further research and product development.