FIME: NFC security framework needs revision
17 June, 2013
category: NFC
Secure chip testing provider, FIME, has expressed a desire for the security framework for NFC mobile services to better meet the business and technical requirements of all NFC stakeholders.
The white paper, “The NFC Security Quiz: 6 Key Questions Answered,” is free to download and focuses on the work of industry player GlobalPlatform. The goal for the white paper is to clarify and facilitate the security certification process and realize an approach that balances security, functionality and cost requirements.
FIME emphasizes that all NFC stakeholders must recognize their liabilities, undertake a risk assessment, pursue clarity on areas of responsibility and explore ways to positively optimize security. Considering and understanding these key factors allows for the creation of a ‘security chain’, which FIME believes every player in the NFC sector must support.
The white paper goes on to state that the NFC security certification process must do more to address the disconnect between the evolution speed of the mobile industry and the certification speed of products with sensitive applications like payments. FIME suggests that the two must align or face the possibility of increasing product time-to-market and long-term, jeopardizing acceptance of NFC technology.
“Achieving the highest level of security, without compromising usability and within a framework that meets the commercial limitations and technical requirements of the diverse NFC community, is a key challenge for the industry,” says Christian Damour, security business line manager at FIME. “Finding this balance is also a priority, as any security breaches at this stage of implementation could discourage adoption and have a devastating impact on the industry.”
The white paper details three areas of mobile devices and their subsequent levels of security and functionality – the rich operation system (rich OS), trusted execution environment (TEE) and secure element (SE).
Though not a certification authority, GlobalPlatform standardizes the management of applications on secure chip technology – a utility that has been deemed as a best practice by official certification authorities.
GlobalPlatform’s Composition Model facilitates the security evaluation of SEs, shortening product time-to-market and cutting the cost of the certification process. In addition, the GlobalPlatform TEE Protection Profile identifies the security needs for the TEE.