The previous image reflects our initial approach to a typical mobile scenario using a TEE-enabled smartphone: the key is split between the Movistar/Telefonica SIM and the TEE, with the TEE side managed by the Rivetz middleware and app. One reason for distributing the key across these two roots, even though both sit in the same device, is that they are controlled by completely different entities. The Carrier controls the SIM, while the TEE remains under the control of the device manufacturer but is accessible to authorized third parties such as Rivetz. Through a special application that has been granted permission to perform operations inside the TEE, the user remains in control of the secrets held there.
- The Open Mobile API provides permissioned access to the SIM through Android native calls.
- The SIM is provisioned with an ARA (Access Rule Application), which grants identified REE (Rich Execution Environment) applications access to a specified SIM Java Card applet.
- The SIM is also provisioned with the DRA Java Card applet, which holds the SIM's share of the key for the CLIP split-key algorithm.
- Access from the TEE to the DRA applet is governed by the ARA access control list.
- If the SIM is moved to another phone (even assuming an unlocked SIM), the user remains protected: the other share of the key is bound to the original phone's hardware, so the attacker cannot register with the Carrier infrastructure, because the remote attestation the Carrier performs during the initial negotiation will fail.
- The same applies if the trusted SIM is replaced with another one: the attacker cannot recover passwords, wallet keys, etc., because that data is protected by a key of which the original SIM holds one share. In practice the attacker simply gets a decryption error when the phone tries to reconstruct the key.
- Finally, if the user loses the phone, obtains a new one and a new SIM, and calls the MNO (Mobile Network Operator) to activate it, the user remains protected through the Trusted Network even if the MNO's identity check is passed and the new SIM is activated. This relies on a backup and migration process involving two or three other user devices (cell phone, cable box, smart TV, etc.). Any impersonation attempt using the user's private details will therefore fail, because the impostor cannot register with the Carrier network.
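The "attacker gets a decryption error" behaviour described above, as an added example that is not Rivetz or Telefonica code and does not implement the CLIP algorithm (whose details are not given on this page). It assumes the simplest two-party split, XOR secret sharing, with one share standing in for the DRA applet's SIM share and the other for the TEE share, and assumes the protected secret is wrapped with AES-256-GCM so that a wrong key is detected rather than producing garbage. All names (`Share`, `SplitKey`, `Recombine`, `Wrap`, `Unwrap`, `UnwrapWithShares`) and the sample secret are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Share is one half of a split 256-bit key: one is held by the SIM applet,
// the other inside the TEE. Each share on its own is uniformly random.
type Share [32]byte

// SplitKey splits key into a SIM share and a TEE share such that
// simShare XOR teeShare == key (two-party XOR secret sharing, used here
// as a stand-in for the CLIP algorithm, which the text does not detail).
func SplitKey(key [32]byte) (simShare, teeShare Share, err error) {
	if _, err = rand.Read(simShare[:]); err != nil {
		return Share{}, Share{}, err
	}
	for i := range key {
		teeShare[i] = key[i] ^ simShare[i]
	}
	return simShare, teeShare, nil
}

// Recombine reconstructs the key from both shares. Substituting either
// share (a swapped SIM, or the SIM moved to another phone) yields a
// different key.
func Recombine(simShare, teeShare Share) (key [32]byte) {
	for i := range key {
		key[i] = simShare[i] ^ teeShare[i]
	}
	return key
}

func newGCM(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts a secret (wallet key, password vault, ...) under key with
// AES-256-GCM. The random nonce is prepended to the ciphertext.
func Wrap(key [32]byte, secret []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, nil), nil
}

// Unwrap decrypts a blob produced by Wrap. Because GCM is authenticated,
// a wrong key does not return garbage: it returns an error.
func Unwrap(key [32]byte, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// UnwrapWithShares models what the phone does at use time: obtain the SIM
// share from the DRA applet and the TEE share from the TEE, recombine, decrypt.
func UnwrapWithShares(simShare, teeShare Share, blob []byte) ([]byte, error) {
	return Unwrap(Recombine(simShare, teeShare), blob)
}

func main() {
	var key [32]byte
	if _, err := rand.Read(key[:]); err != nil {
		panic(err)
	}
	simShare, teeShare, err := SplitKey(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample secret; a real deployment would wrap wallet keys etc.
	blob, err := Wrap(key, []byte("constructed sample wallet seed"))
	if err != nil {
		panic(err)
	}

	// Legitimate device: original SIM + original TEE.
	pt, err := UnwrapWithShares(simShare, teeShare, blob)
	fmt.Printf("original SIM + original TEE: %q err=%v\n", pt, err)

	// Trusted SIM replaced by an attacker's SIM (different share, same phone).
	var attackerSIM Share
	rand.Read(attackerSIM[:])
	_, err = UnwrapWithShares(attackerSIM, teeShare, blob)
	fmt.Println("attacker SIM + original TEE: err =", err)

	// Original SIM moved to another phone (same SIM share, different TEE share).
	var otherTEE Share
	rand.Read(otherTEE[:])
	_, err = UnwrapWithShares(simShare, otherTEE, blob)
	fmt.Println("original SIM + other phone's TEE: err =", err)
}
```

The choice of an authenticated cipher is what turns "wrong share" into a clean error instead of silently decrypted noise; with an unauthenticated mode the attacker would receive plausible-looking bytes and the phone could not tell the difference. The remote-attestation step the Carrier performs at registration is outside this example, which only covers the local decryption failure.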