Various electronic devices, e.g. mobile telecommunication terminals, portable computers and PDAs, require access to security related components such as application programs, cryptographic keys, cryptographic key data material, intermediate cryptographic calculation results, passwords, authentication means for externally downloaded data etc. It is often necessary that these components, and the processing of them, is kept secret within the electronic device. Ideally, they shall be known by as few people as possible since a device possibly can be tampered with if its security related components are known. Access to these types of components might aid an attacker which has a malicious intent to manipulate a terminal.
Therefore, a secure execution environment is introduced in which environment a processor within the electronic device is able to access the security related components. Access to the secure execution environment, processing in it and exit from it should be carefully controlled. Prior art hardware comprising this secure environment is often enclosed within a tamper resistant packaging. It should not be possible to probe or perform measurements and tests on this type of hardware which could result in the revealing of security related components and the processing of them.
The “Mobile Information Device Profile” for Java™ 2 Micro Edition, Version 2.0, by the JSR 118 Expert Group, hereinafter referred to as MIDP 2.0, defines an enhanced architecture and associated application program interfaces (APIs) required to enable an open, third-party, application development environment for mobile information devices (MIDs). Examples of MIDs include cellular phones, two-way pagers, and wireless-enabled PDAs. If a device determines that an MID application can be trusted, then access is allowed as indicated by security policy of the device. Signed applications may become trusted by authenticating the signer of the applications.
A device complying with the MIDP 2.0 assigns applications to different protection domains depending on the source of the application. These protection domains are employed to differentiate between downloaded applications based on the signer of the downloaded application. The MIDP 2.0 defines four different protection domains to be used depending on the signer of the application, namely the manufacturer domain, the operator domain, the third-party domain and the untrusted domain, and each domain has its own security policy. Once an application is downloaded to the device, the device implementation determines to which domain the application belongs, based on a public key infrastructure (PKI) authentication scheme. Each protection domain in the device holds a root certificate to which the application is authenticated, and a domain binds a root certificate to a set of permissions. The permissions are specified in the protection domain security policy.
A trusted operator root certificate is used to verify applications emanating from an operator. This operator root certificate is stored at a specific location in a smart card, being for example a SIM, a WIM or a USIM, of the device, and there is no explicit limitation on the number of operator root certificates which can be stored in the card. However, if an operator root certificate is not available at the specified location in e.g. the SIM, the operator domain must be disabled. Alternatively, since many operators yet do not have SIMs provided with operator root certificates, the operator domain must be disabled if the operator root certificate is not stored elsewhere in the device. Typically, because many operators do not yet have SIMs provided with operator root certificates due to cost aspects, the operator root certificates are stored in the device, outside the SIM. It is desirable that, even though the operator root certificate of a specific operator is stored in the device and an application signed by the operator arrives at the device, the signed application is installed in the secure execution environment of the device only if the SIM located in the device has been issued by the specific operator.
A problem in the prior art related to the implementation of operator domains in devices is that, since different operator root certificates are stored in the device in the manufacturing phase, a signed application from a specific operator may be successfully authenticated at and installed in the secure execution environment of the device, if the operator root certificate of the specific operator is stored in the device. Clearly, this violates the MIDP 2.0 specification and is not in line with the security framework of the specification.