7

From smartcardalliance.org:

The secure element [...] resides in highly secure crypto chips (usually a smart card chip).

My questions are:

  1. Aside from a smart card chip, are there any other types of secure elements?
  2. Is a smart card chip always a secure element? By "smart card", I mean a card that has a CPU and can do crypto.
std11

3 Answers

3

According to globalplatform.org, there are three SE technologies:

  1. Universal Integrated Circuit Card (UICC)

  2. embedded SE

  3. microSD.

From the same website, a secure element is a physical object, not data.

A secure element (SE) is a tamper-resistant platform (typically a one chip secure microcontroller) capable of securely hosting applications and their confidential and cryptographic data (e.g. key management) in accordance with the rules and security requirements set forth by a set of well-identified trusted authorities.

std11
2

1. In the article, the given secure element combo is "secure memory" and "execution environment". Both are huge topics in themselves.

What it actually means is one or more sets of combined methodologies to protect data from direct exposure when processing data. Use of "secure memory" is required to prevent people who get hold of the chip from trying to read the bare data when stuff is loaded into the chip memory; otherwise, a pattern can be derived to decipher the same series of smart chips. The processor is just the part that does the deciphering and processing of data; again, if not protected, it can be used to help crack the data.

New "elements" may be introduced in the future if a weakness is found in the current elements. It can be any technology in the security domain that can be brought into a microchip, depending on the pattern, ease of manufacturing and availability. It can be stuff like password key input built onto the card (such proof-of-concept smartcards already exist).

2. True at the moment. When an un-patchable exploit is found, new technology/improvement needs to be brought in to counter the exploit.

mootmoot
0

What makes a secure element a secure element is what it's used for. A chip is a secure element if it's used to store and process confidential material for the benefit of a larger device. So for example a SIM card¹ is a secure element, because it processes data belonging to the network operator for the benefit of a mobile phone. But a credit card is not a secure element, because it is used on its own and interacts with a variety of devices (payment terminals, ATM, etc.).

Not all smartcards are secure elements. Conversely, secure elements must be able to make computations based on the keys that they store, and they're supposed to be tamper-resistant, so all secure elements are smart cards. Most secure elements are smaller than the credit card form factor, but they have the same chip physical interface.

Like other types of smart cards, secure elements store confidential data on behalf of remote entities and are supposed to resist physical attacks (preferring to self-destruct rather than reveal secrets). In terms of security, the most relevant difference between a typical smartcard (in banking, authentication, etc.) and a secure element is that a secure element is typically kept inside the device that it acts on behalf of, whereas typical smartcards spend most of their time in the user's pocket or wallet. Embedded secure elements are even soldered onto the device. Thus if a secure element is stolen, it's stolen inside the device that it's useful for.

¹ Strictly speaking, the card with the chip is a UICC, “SIM” refers to its functionality.

Gilles 'SO- stop being evil'
  • Do you have an example for a smartcard which is not a secure element? Storage cards and RFID certainly are not SE, but they aren't smartcards. Also, a TEE is not a smartcard, but usually seen as SE. How do TEE/embedded SE fit into your picture? – foo Aug 10 '18 at 12:24
  • 1
    @foo A credit card that has a chip is a smartcard, but it isn't a secure element. It has the same security properties but it's used for different things. An embedded secure element is a secure element. A TEE is not a secure element (an SE is defined as physically isolated), but it can do a software emulation of one. – Gilles 'SO- stop being evil' Aug 10 '18 at 23:05
  • I get your other points, but how is a credit card SC not an SE by your definition? It stores and processes confidential material - not for a specific device, but for a service. Is that property the difference between SC and SE from your perspective - it not being soldered into another device? – foo Aug 13 '18 at 21:57
  • It is mostly a question of certification and protocol support. A programmable smartcard might not be a secure element because it does not support the protocol for a certain transaction (like chip payment) or it might not be certified to be used as such. DESFire is a popular, more or less smart card, but not a secure element for most applications which use that term. – eckes Nov 16 '18 at 03:00