Overview#The Secure Element is an industry-standard, certified chip running the Java Card platform and hosts a specially designed applet's to manage both the local and includes payment applets certified by the each individual Payment Networks.
Secure Element is comprised of software and tamper resistant hardware that:
- allows high levels of security and can even work in tandem with the Trusted Execution Environment.
- is mandatory for hosting proximity payment applications or official electronic signatures where the highest level of security is required.
- may also offer a trusted user interface to securely transmit a personal identification number (PIN), which is required in order to make high value transactions.
- filters access to applications stored directly on the SE.
Credit or debit card data is sent from the Payment Network or Card Issuer encrypted to these payment applets using keys that are known only to the payment network and the payment applets' security domain. This data is stored within these payment applets and protected using the Secure Element’s security features. During a transaction, the terminal communicates directly with the Secure Element through the NFC controller.
The Secure Element is part of the Trusted Execution Environment.GlobalPlatform refers to the definition:
A tamper-resistant combination of hardware, software, and protocols capable of embedding smart card-grade applications. Typical implementations include UICC, embedded Secure Element, and removable memory cards.
More details#GlobalPlatform defines Secure Element (SE) as a tamper-resistant platform capable of securely hosting applications and their confidential and cryptographic data in accordance with the rules and security requirements set forth by a set of well-identified trusted authorities.
Put simply, a Secure Element can be considered to be a chip that offers a dynamic environment to store data securely, process data securely and perform communication with external entities securely. If you try to mess with it by tampering in any form, it may self-destruct, but will not allow you to gain unauthorized access.
In today’s smartphones, a Secure Element can be found as a chip embedded directly into the phone’s hardware, or in a SIM/UICC card provided by your network operator or in an SD card that can be inserted into the mobile phone.
Typically the payment applets which are in the Secure Element emulates the Contactless Chip Card. These payment applets perform handshake with the terminal, sends the right responses to the right queries, generates dynamic cryptograms, authenticates the stored card and so on.
The Secure Element provides secure storage and execution environment for the payment applications.
Secure Element is not a necessity to emulate Contactless Chip Card although it is the most secure to date. An alternative is to use Host-based Card Emulation HCE which moves the secure storage and execution environment to the cloud instead of the Secure Element.
A smart card is essentially a minimal computing environment on single chip, complete with a CPU, ROM, EEPROM, RAM and I/O port. Recent cards also come equipped with cryptographic co-processors implementing common algorithms such as DES, AES and RSA. Smart cards use various techniques to implement tamper resistance, making it quite hard to extract data by disassembling or analyzing the chip.
Secure Elements come pre-programmed with a multi-application OS that takes advantage of the hardware's memory protection features to ensure that each application's data is only available to itself. Application installation and (optionally) access is controlled by requiring the use of cryptographic keys for each operation.
The Secure Element can be integrated in devices in various form factors:
- UICC (commonly known as a SIM card)
- embedded in the handset
- SD card slot.
Smart cards have been around for a while and are now used in applications ranging from pre-paid phone calls and transit ticketing to credit cards and VPN credential storage.
Since an Secure Element installed in a mobile device has equivalent or superior capabilities to that of a smart card, it can theoretically be used for any application physical smart cards are currently used for.
Additionally, since an Secure Element can host multiple applications, the Secure Element has the potential to replace the bunch of cards people use daily with a single device.
Furthermore, because the Secure Element can be controlled by the device's OS, access to it can be restricted by requiring additional authentication (PIN or passphrase) to enable the Secure Element.
Why Not use Secure Element#When using the Host based Secure Element, the Secure Element owner, typically the MNOs owns the key and All others will have to go through complex business models, partnerships, and dependencies to gain access and it makes the whole process that much more complex and expensive.
Additionally, the Secure Element itself has only limited storage capacity and processing speed.
The embedded Secure Element, as the name implies, an embedded Secure Element is part of the device's mainboard, either as a dedicated chip or integrated with the NFC one, and is not removable. This is what is typically used in Android devices.
More Information#There might be more information for this subject on one of the following:
- Apple Pay
- Credential Management
- FIDO Authenticator
- Google Wallet
- Host Card Emulation
- Mobile Security Framework
- Secure Element
- Secure Enclave
- Universal Integrated Circuit Card
- Yubikey NEO
- [#1] - Accessing the embedded secure element in Android 4.x - based on 2015-01-09