122 research outputs found
Remote attestation mechanism for embedded devices based on physical unclonable functions
Remote attestation mechanisms are well studied in high-end computing environments; however, the same is not true for embedded devices, especially smart cards. With the ever-changing landscape of smart card technology and advancements towards a true multi-application platform, verifying the current state of the smart card is significant to the overall security of such proposals. The initiatives proposed by the GlobalPlatform Consumer Centric Model (GP-CCM) and the User Centric Smart Card Ownership Model (UCOM) enable a user to download any application she desires, depending upon the authorisation of the application provider. Before an application provider issues an application to a smart card, verifying the current state of the smart card is crucial to the security of the respective application. In this paper, we analyse the rationale behind the remote attestation mechanism for smart cards, and the fundamental features that such a mechanism should possess. We also study the applicability of Physical Unclonable Functions (PUFs) for the remote attestation mechanism and propose two algorithms to achieve the stated features of remote attestation. The proposed algorithms are implemented in a test environment to evaluate their performance. © 2013 The authors and IOS Press. All rights reserved
Challenges of security and trust of mobile devices as digital avionics component
Mobile devices are becoming part of modern digital avionics. Mobile devices
can be applied to a range of scenarios, from Electronic Flight Bags to
maintenance platforms, in order to manage and configure flight information,
configure avionics networks or perform maintenance tasks (including offloading
flight logs). It can be argued that recent developments show an increased use
of personal mobile devices playing an integral part in the digital avionics
industry. In this paper, we look into different proposals for integrating
mobile devices with various avionics networks -- either as part of the Bring
Your Own Device (BYOD) or Corporate Owned Personally Enabled (COPE) paradigms.
Furthermore, we will evaluate the security and trust challenges presented by
these devices in their respective domains. This analysis will also include the
issues related to communication between the mobile device and the aircraft
network via either wired or wireless channels. Finally, the paper puts forward
a set of guidelines with regards to the security and trust issues that might be
crucial when enabling mobile devices to be part of aircraft networks. Comment: 11 pages, 3 figures, 1 tabl
A First Look at Digital Rights Management Systems for Secure Mobile Content Delivery
Digital rights management (DRM) solutions aim to prevent the copying or distribution of copyrighted material. On mobile devices, a variety of DRM technologies have become widely deployed. However, a detailed security study comparing their internal workings, and their strengths and weaknesses, remains missing in the existing literature. In this paper, we present the first detailed security analysis of mobile DRM systems, addressing the modern paradigm of cloud-based content delivery followed by major platforms, such as Netflix, Disney+, and Amazon Prime. We extensively analyse the security of three widely used DRM solutions -- Google Widevine, Apple FairPlay, and Microsoft PlayReady -- deployed on billions of devices worldwide. We then consolidate their features and capabilities, deriving common features and security properties for their evaluation. Furthermore, we identify some design-level shortcomings that render them vulnerable to emerging attacks within the state of the art, including micro-architectural side-channel vulnerabilities and an absence of post-quantum security. Lastly, we propose mitigations and suggest future directions of research