GlobalPlatform enables the Web to access Advanced Security Services
January 2017 by Emmanuelle Lamandé
GlobalPlatform has defined a standardized communications interface between web applications and secure element (SEs), which will enable developers of web services to build in advanced security features to protect online services against many types of attack and fraud.
By allowing web services to utilize a dedicated tamper resistant piece of hardware within a device, known as a SE, the newly released Web API for Accessing Secure Elements v1.0 enables sensitive data from online applications to be securely stored and processed in a secure, isolated environment. By doing so, it enables web services to address multiple use cases that are central to the deployment of value added services:
Authentication - access to an online service may be protected by a strong authentication mechanism based on credentials stored and processed within a SE.
Digital signatures - web applications may use a digital signature to digitally sign a document or data with a key stored in the SE.
Payment - when online commerce transactions are made via a mobile device, the payment application may be hosted on the SE within a device, to enforce the security of the online transaction. This may alleviate the need for the user to handle multiple physical devices (e.g. a mobile device plus a payment card).
Credential provisioning - a web service may update the content of the SE to install, update or remove an application or credential it may hold. For example, a public transport app may credit a user’s NFC-enabled transport card or mobile device with tickets bought online. The tickets would be stored securely in the SE, ensuring access only to authorized parties.
The new API enables web-based applications to access SEs of any form factor, including UICC or eUICC, embedded SEs and smart micro SD cards.