Group Developing Standards For Secure Cell Phone Hardware
The Trusted Computing Group plans to deliver a spec before June for functions including device authentication, third-party digital rights management, and software downloads.
SAN JOSE, Calif. An ad hoc industry group has taken its first step toward delivering in the first half of 2006 a hardware-security standard for cellphones.
The Trusted Computing Group released 11 user scenarios that are the basis for the spec it will release before next June.
The TCG established a standard for verifying the integrity of PCs more than a year ago. It specifies use of a security device, called the Trusted Platform Module (TPM), that creates cryptographic keys to identify a system’s integrity and provide secure data storage and execution space as needed. Developing a version of that spec for the more complex mobile sector has so far proved slow going.
That is due in part to the wide variety and diversity of stakeholders in the cellular industry. Active members in the TCG’s mobile work group include Authentec, Ericsson, France Telecom, IBM, Infineon, Intel, Lenovo, Motorola, Nokia, Philips, Samsung, Sony, STMicroelectronics, Texas Instruments, VeriSign, Vodaphone and Wave Systems.
The group has developed 11 user scenarios to guide its parallel efforts on drafting technical requirements and the final spec itself. The specification is currently about 70-percent complete, according to Janne Uusilehto, a senior technology manager in Nokia Corp.’s technology platforms group who chairs the TCG mobile group.
That draft differs from the existing PC spec in two major ways. While PCs have generally chosen to implement the TPM as a standalone chip, cellphones will likely embed the function in a block inside an existing chip. In addition, PC users have the option of turning off all TPM functions; however, cellphone users will not be able to turn off certain base security functions required by carriers or service providers, said Uusilehto.
Using the TCG’s technology, cellphones will be able to provide hardware-backed security for functions such as device authentication, third-party digital rights management and software downloads. A full list of the 11 user scenarios is at www.trustedcomputinggroup.org.
The technology is expected to open several doors, including encouraging premium content owners such as music studios to release their products to mobile phones via over-the-air services. Currently, studios are reluctant to release content to phones, fearing piracy.
“This spec will go a long way to addressing that,” said Thomas Hardjono, a TCG member and a principal scientist at VeriSign, which recently acquired businesses that sells ringtones and wallpaper for cellphones and hopes to begin selling full music tracks as well.
The technology has been presented to studios by at least one TCG member company. However, TCG members would not comment on the studio’s reception to the mobile spec to date.
The new spec “gives us an opportunity to have multiple sources of interoperable hardware that integrate these security services,” said Uusilehto of Nokia. “Because it is an open spec we also get the benefit of a wide review from industry security specialists, and the customers wind up with more reliable handsets,” he added.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.