Karl J. Weaver 魏卡爾 presented on the TEE + uSIM/eSIM and Dual Roots of Trust at the 3rd Annual eSIM Technology and Innovation Summit in Beijing on May 30. The 3rd eSIM Technology and Innovation Summit was held on May 30 at the Hotel Nikko New Century Beijing (北京新世纪日航饭店). Karl Weaver discussed dual roots of trust combining the eSIM/eUICC embedded telecom card with the TEE (Trusted Execution Environment).
The T.E.E. + eSIM Dual Roots of Trust
1. Rivetz – A Block Chain Smartphone’s Secret Sauce: Provable Cybersecurity with Block Chain and Trusted Computing
2. What is Rivetz Security Architecture all about?
• Rivetz Developer Tools – already built for TEE usage with ARM’s TrustZone and all Global Platform compliant secure architectures.
• Rivetz delivers 3rd party digital asset protection services for multiple assets, including a user’s bitcoin wallet with backup/restore, and authentication services across devices.
• We are pioneering the concept of Dual independent Roots of Trust per mobile device, with dual private key verification, authentication, attestation and encryption processes utilizing our Rivetz Trusted Applications combining the TEE and uSIM/eSIM security.
• We will play a role in the development of the eSIM ecosystem for security of Smartphones: protect your Digital Assets, ensure the quality of your transactions, and help manage your assets across your collection of Smart & Connected Mobile Devices.
3. How Will adding eSIM change these connected Devices
• Greater Security
• Embedded & Tamper Resistant
• Embedded Root of Trust
• Regulatorily Favorable
• Space Savings
• Greater Durability & Longer Lifecycle
• Standards Driven
• Server Linked & Management
• Seamless Remote Service Provisioning (RSP)
• Easier Activation & Selection
• Cost Savings for Everyone
• Multiple Device Sync
• Roaming Service Selection Flexibility
• Drive Newer Services & Business Models
• Lower Logistics Costs
• Easy Integration – Faster Time to Market
eSIM, eUICC, is an operating system resident in a physical hardware chip form factor called MFF2, typically with secure element, compliant with GSMA’s Remote SIM Provisioning Program.
4. eUICC OS designed, embedded into Device Hardware
• eUICC OS directly embedded into baseband chip, like Qualcomm SPU, like inSE
• eSIM OS embedded into M2M eUICC card
• eSIM OS embedded into eUICC SIM Module (MFF2)
• UICC OS soft SIM embedded into the TEE + ARM TrustZone
• eSIM OS as soft SIM using TEE to port into ARM TrustZone for Tamper Resistant Security
• The term iUICC is a new term for embedding an eUICC directly into a mobile Apps Processor chip in a security container
• NFC Controller chip CLF with embedded SE & eSIM Plug-in
• Virtual
5. Device Evolution Drives the need for eSIM Modules
• eSIM & RSP satisfy the need for smarter and more flexible connectivity management and provisioning solutions.
• From a device design standpoint: thinner, smaller and more power-sensitive device form-factors, often themselves embedded in larger machines.
• The SIM is seen as a way a stakeholder can control the relationship with the end customer. So far MNOs have made sure they have a locked-in relationship with their customers via traditional SIM form-factors. Expect that to change if, as may happen, China Unicom launches RSP services with eSIM for subscribers in June, 2018.
Form factors pictured: WLCSP, Apple SIM, 4FF, eUICC MFF2
6. eSIM – TEE SIM – Apple SIM – iSIM – which to choose?
• Newer SIM solutions, from hardware eSIM to TEE/soft SIM to proprietary (Apple SIM), will enable a change and shift control to device OEMs, platform vendors, MVNOs, system integrators as well as the MNO.
• There is a threat of decline in device revenues as operators lose the customer relationship to OEMs; this is a direct result of avoiding the discussion of RSP.
• Roaming revenues are dropping in China, and MNOs in the USA and Europe are phasing out roaming charges for data usage. By adopting a multi-screen and one-stop shop approach, MNOs can retain value, but only if they open up RSP services.
• The biggest hurdle to overcome for MNOs will be iSIM, because they are completely removed from eSIM provisioning and must therefore contemplate Remote SIM Provisioning services from an in-chip, on-die software stack and figure out how to retain subscriber loyalty.
7. Three Possible Outcomes of eSIM + RSP
• 1) The prevailing eSIM and RSP standard adoption matures; consumer electronic devices adopt SM-DP & SM-SR pushed down onto the device. An eventual process, with slower adoption.
• 2) Disruptive adoption of eSIM with non-standard implementations, like Apple SIM. This would allow subscribers more control to rapidly switch data plans. This could be an OTT (Over the Top) provider such as AliPay or Tencent/WeChat, or an OEM like Huawei, adopting this strategy, resulting in complete loss of control of the subscriber relationship for the MNO.
• 3) A large OEM could displace the MNO’s role, taking over ownership of the eSIM + RSP provisioning model, working with Chinese MVNOs (Red Tea Mobile, Shanghai GoTell) and wholesaling connectivity to MNOs.
Source: Fierce Wireless article, Mr. Anthony Dornan, April 30th, 2018
9. TEE SIM: RedteaMobile (红茶移动) ramping up TEE+UICC in Consumer Devices
✓ RedteaMobile is a software based SIM technology service provider (TSP) that has developed its own RSP technology for handsets, IoT devices and SIM cards, and claims to be integrated into more than 100 million devices shipped.
✓ Its solution started as a proprietary virtual SIM. It resides in the device OS, though the authentication algorithm is in the TEE or embedded Secure Element.
✓ It has, over time, made its technology compliant with the GSMA eUICC architecture but terminates the Subscription Manager profiles in its vSIM.
✓ Supports Qualcomm, MediaTek, Samsung chipsets and supports Android, Linux, RTOS and COS with applications installed in TEE, eUICC, eSE, or iSSP.
✓ Its software eSIM solution has been integrated into a number of handsets from OPPO, Xiaomi, vivo, Samsung, ZTE, nubia, Lenovo, LeEco and Meizu. It is widely deployed in China to assist Chinese consumers with international roaming.
✓ It has partnerships with 20+ service providers with networks in more than 90 countries.
✓ Redtea is now targeting devices beyond handsets, such as IoT applications, for example the automotive aftermarket connected smart rear-view mirror (FAW Pentium X40) or the connected AI translator (iFlytek).
Source: Counterpoint-2018
10. Types of eUICC or eSIM Implementations
Diagram: Traditional Physical Removable SIM | Standard – eUICC eSIM – Chip Soldered | Proprietary – removable/embedded | eUICC/iUICC/TEE SIM (Virtual) (Software + hardware) | SkyTone
✓ The software based eSIM, where eUICC software is baked into the Trusted Execution Environment (TEE) or SoC within the device, is gaining steam as it offers greater cost, manufacturing & logistical benefits.
✓ Qualcomm, ARM and others have been pushing the GSMA for the software based eSIM standard baked into the SoC in a secure zone.
✓ Companies such as Redteamobile, Simless, roam2free are partnering with OEMs, operators and chipset vendors to drive eUICC capabilities at the core software level, either into the TEE or baseband of the device.
✓ GSMA compliance removes a big hurdle for some of these soft SIM players to scale and go mass market.
✓ While software based eSIM has seen some adoption in mobile handsets, M2M Form-Factor (MFF) hardware eSIM has seen adoption in enterprise IoT, automotive & wearables.
✓ The eUICC software is embedded into the MFF2 chip soldered onto the PCB, offering a 90% space reduction, reprogrammability and GSMA compliant seamless remote provisioning capabilities.
✓ A broader industry value chain is behind this initiative to move away from the traditional removable SIM for growth across a variety of use-cases.
✓ Vertical players such as Apple are positioning themselves to capture more and more value from the ecosystem as well as tightly control the customer user-experience and opportunities to lock-in.
✓ This has prompted the likes of Apple to develop a proprietary SIM solution within some of its product range that it can directly control, e.g. iPads & Apple Watch.
✓ Google, with its service provider ambitions to also lock-in and control/access/track the users’ digital lives, embedded eUICC into its Pixel phones for upselling its Project Fi.
Source: Counterpoint-2018
11. Software based eUICC/iUICC : ARM Kigen OS – The Dark Horse?
✓ ARM is likely to be a dark horse. It has launched Kigen OS, which is based on its Simulity Labs acquisition. It is aiming to drive a software-based SIM solution within future devices.
✓ ARM has deep roots into almost all mobile chipset vendors. This makes Kigen a potent development. MNOs will resist, but if it is able to drive adoption of Kigen OS SIM functionality directly at the chipset level it will rapidly offer a viable alternative SIM solution.
✓ It is a good solution for IoT type applications which do not need roaming or are difficult or expensive to provision, e.g. LPWA IoT (NB-IoT) applications are the natural customers for this solution.
✓ GSMA compliance in terms of Security and Remote Service Provisioning (RSP) will enable the solution to evolve quickly into a global standard.
✓ Many of the current virtual SIM solutions with eUICC OS at the TEE level cause concern at the GSMA and among MNOs. ARM’s push for Kigen OS at SoC level will make it easier to adopt at global level.
✓ Qualcomm’s implementation of iUICC within the Secure Processing Unit (SPU) is similar (and aligned) to ARM’s Kigen OS. A push for the same will catalyze eSIM capabilities in the smartphones and other IoT devices using ARM based solutions.
✓ ARM’s RSP server solution aims to offer flexibility from chip to cloud connectivity and changes the dynamics of the SIM card value chain; the control shifts beyond MNOs and SIM card providers to OEMs, MVNOs, IoT platform vendors and others.
✓ ARM aims to commoditize “security” and “provisioning” as default features, to enable competition between original value chain players relegated to offering SIM subscription management solutions and to distribute the SIM control away from operators. This will unlock newer services and business models for different players.
ARM Kigen OS:
• GSMA compliant SIM OS Stack
• Code & Implementation Optimized
ARM Kigen Server:
• GSMA compliant Remote SIM Provisioning
• Flexible, Scalable & Easy to Integrate
12. Where will we see eSIMs embedded in 2018?
• Smartwatches: Cellular Connectivity + eSIM in Premium Will Be Common in 2018 from Samsung, Apple, Huawei, maybe Mobvoi?
• Smartphones: Google Pixel 2 & 2 XL - expect Huawei and others to join.
• Tablet PCs: Apple iPad Pro, Amazon Kindle Fire & Japanese MNO Docomo’s Dtab Compact d-01K & d-01J
• Notebook PCs: Windows on Snapdragon, Microsoft Surface Pro, Acer, AsusTek, Lenovo, HP, Dell, Samsung, possibly Huawei
• Automotive: Smart 4G LTE Connected Cars, BMW, Mercedes Benz, Toyota, Lexus, Tesla, GM, Daimler, Fiat, Chrysler
• Drones: High Potential Segment
• AR/VR/XR Headsets: Bigger opportunity for eSIM in 5G Era
• B2B IoT for LPWA LTE-M & NB-IoT key drivers for cellular IoT
Connected-car diagram: Remote Diagnostics, Emergency Services, Location Services, Remote Monitoring, Live Navigation, Driving Behavior, Digital Dashboard, Safety & Security, Media & Infotainment, ADAS, Connectivity & Roaming
13. Key Take-Aways
✓ Expect hardware-based eSIM and software-based eSIM solutions growth in 2018, though software-based is likely to grow faster with a push from key players such as ARM and key global-scale operators
✓ NB-IoT & 5G will drive the inflection point for eSIM adoption across different devices and applications
✓ Among connected devices, automotive, drones and smartwatches will be ahead in terms of eSIM adoption, followed by tablets, PCs, smartphones and AR/VR headsets, as most of these devices will see added 4G/5G connectivity in the next five years
✓ Enterprise IoT devices will continue to garner the highest adoption of eSIM, from smart meters to sensor-based modules for asset tracking, smart agriculture, cold chain, logistics, smart cities and more
✓ Software-based eSIM adoption initially will be very specific to region, operator, chipset and module OEM
✓ China is positioned to drive adoption of both hardware and software-based eSIM faster over the next few years, followed by Europe & the USA
✓ Players such as Apple, Google and Amazon will try to drive proprietary or locked implementations of eSIM to own the customer relationship by leveraging eSIM’s flexibility.
14. The Rivetz Network
Diagram of services: Registry & Notary Services; Collections Management; Attestation & Policy Control; Confirm Services; Migration & Recovery; Digital Asset Management; Digital Asset Escrow; Threat Detection and Remediation; Identity Services; Rivetz Registrar; Utility Token Services; Cyber Deadbolt; Social Security
These are all the services that the Rivetz toolkit natively supports. Rivetz Registrar is the TAM for the whole Rivetz Network: the trusted services manager and trusted application manager. We want to put in 3rd party services, like someone’s bitcoin wallet, to help with backup/restore and authentication services across devices.
15. Rivetz Corp Developer Tool Kit
• The Rivetz Toolkit is the collection of software, documentation, and support which allows access to the Rivetz Network in mobile, desktop, and IoT applications
• The Rivetz Toolkit enables trusted processing for device applications
• A special combination of hardware/firmware/software is used to create a protected environment for the storage and use of hardened digital assets
• Access, Usage, and Recovery policies can be individually applied to these assets
• The V1.0 Rivetz Toolkit enables access to the Rivetz Registrar and the Rivetz Network Attestor
  • Device Registration
  • Service Provider Registration
  • HDAs with {Policy}
• Device quality (health) metrics can be collected
• Changes to the device state can deny access to sensitive material
• Permits immutable device Wellness information to be recorded on the blockchain, alongside the actual transaction
16. Decentralized Security
• Enabling a new model of shared control
• Reduce single points of failure
• Increase systems trust
• Enable new control models
• Reduce single vendor risk for critical systems
17. Introducing Dual Roots of Trust
• An application for SIM/eSIM/eUICC and TEE
• TEE + eSIM provide advanced encryption and authentication
• Dual supply chains for key management
• Isolated roots of trust
• Bi-directional attestation
19. Shared control
• Trusted App in TEE
  • Provides full attestation and key management
  • Provisioned through device enabled trust network
• Applet in SIM/eSIM
  • Provides full attestation and key management
  • Provisioned through MNO trust network
Diagram: TEE – Rivet TA, Device Application, ½ secret | SIM/UICC APPLET – Rivetz Applet, ½ secret | eSIM/eUICC APPLET – ½ secret
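As an added illustration of the dual-roots-of-trust model from slide 17 and the shared-control split above (hypothetical toy code, not Rivetz's; the class names, the HMAC stand-in for real attestation signatures, and the constructed device-state value are all assumptions): each root verifies the other's attestation and the current device state before releasing its ½ secret, and the device application can only derive the asset key when both halves arrive.

```python
import hashlib
import hmac
import secrets

# Constructed device-state measurement (think: hash of boot/firmware state).
# If it changes, access to the protected asset must be denied.
KNOWN_GOOD_STATE = hashlib.sha256(b"bootloader=ok;os=vendor-signed;root=no").digest()


class RootOfTrust:
    """One isolated root: the TA in the TEE, or the applet in the SIM/eSIM.
    Each holds its own half of the secret and its own attestation key,
    provisioned by a different supply chain. HMAC stands in for the
    signature a real root would make; peer_key is the other root's anchor
    (a real design would hold the peer's public key, not a shared secret)."""

    def __init__(self, name, attest_key, peer_key):
        self.name = name
        self._attest_key = attest_key
        self._peer_key = peer_key
        self._half = secrets.token_bytes(32)  # this root's "1/2 secret"

    def attest(self, nonce, state):
        # Fresh, root-specific statement: "I measured this device state".
        msg = self.name.encode() + nonce + state
        return hmac.new(self._attest_key, msg, hashlib.sha256).digest()

    def release_half(self, nonce, state, peer_name, peer_att):
        # Bi-directional attestation: check the other root's statement first,
        # then release only while the device state is still the known-good one.
        msg = peer_name.encode() + nonce + state
        expected = hmac.new(self._peer_key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, peer_att):
            return None
        if not hmac.compare_digest(state, KNOWN_GOOD_STATE):
            return None
        return self._half


def unlock_asset_key(tee, sim, state):
    """Device-application side: needs BOTH halves to derive the asset key,
    so one compromised root, or one broken supply chain, yields nothing."""
    nonce = secrets.token_bytes(16)
    tee_att, sim_att = tee.attest(nonce, state), sim.attest(nonce, state)
    half_tee = tee.release_half(nonce, state, sim.name, sim_att)
    half_sim = sim.release_half(nonce, state, tee.name, tee_att)
    if half_tee is None or half_sim is None:
        return None
    return hashlib.sha256(b"dual-root-demo" + half_tee + half_sim).digest()


def build_device():
    # Two independent attestation keys; each root knows only the other's anchor.
    k_tee, k_sim = secrets.token_bytes(32), secrets.token_bytes(32)
    return RootOfTrust("TEE-TA", k_tee, k_sim), RootOfTrust("SIM-Applet", k_sim, k_tee)
```

A changed state hash or a root that cannot be attested by its peer makes `unlock_asset_key` return `None`, which is the "changes to the device state can deny access" behaviour from slide 15.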
20. TEE & uSIM/eSIM opportunities: Shared control (repeats the diagram of slide 19)
21. Decentralized Security applications
• State of the art protection for:
  • Identity
  • Blockchain applications
  • Messaging
  • IoT
  • Enterprise
• Multiple trust authorities assure provable trust
• Enable strong GDPR controls
• Dramatically reduce the risk of supply chain failure
• Achieve higher assurance and certification levels
22. Blockchain delivered controls
• Enable decentralized controls for multiple
service providers
• Enable Supply chain reference measurements
• Enhance application operations and controls
• Reduce MNO Risk exposure
• Deliver new revenue streams and use cases
• Assured logging and controls from multiple
services and trust systems
23. The Rivetz Network provides:
• Device and Service Provider Registration
• Device Identity and Device Collections
• Hardened Digital Asset Protection
• Transaction Ledgering & Notary
• Device Health/Wellness
• Threat Detection and Remediation
• HDA backup/recovery/migration
• HDA escrow
The Rivetz Network intends to support a variety of trustworthy execution
technologies in the support of Hardened Digital Asset management:
• GP Compliant Trusted Execution Environments (TEE)
• Intel Software Guard Extensions (SGX)
• AMD Secure Encrypted Virtualization (SEV)
• Subscriber Identity Modules (SIM)
• Secure Elements (SE)
• Secure OS (Integrity, LynxSecure, etc)
• Software Obfuscation
• other native platform enclaves
The Rivetz Network offers a variety of RvT (token) usage models:
• Per Event
• Per Device
• Per Collection
• Per Enterprise
Diagram: The Rivetz Network – APPLET (SIM/UICC), Secure Element
24. Telefónica & Rivetz Collaborate on Decentralized Security for Mobile Users
• RICHMOND, Mass., May 10, 2018 /PRNewswire/ -- Rivetz Corp. and Telefónica today announced an agreement to collaborate on the development of advanced mobile security protocols for blockchain transactions and messaging. The solution expects to leverage dual encryption, supporting both the Trusted Execution Environment embedded by multiple device manufacturers and the advanced encryption on SIMs deployed by Telefónica.
• Rivetz Corp – www.rivetz.com
25. Karl J. Weaver 魏卡爾
OEM Biz Dev Director - China/Asia-Pacific Region
Rivetz Corp www.rivetz.com Email: kweaver@rivetz.com WeChat mobile number: +1-425-647-9315
Karl J. Weaver is a wireless and mobile device ecosystem specialist in the Smart Card sector of the wireless industry. Karl is China/Asia-Pacific Business Development Director for Rivetz Corp, providing embedded mobile device security of Smartphones for the Block Chain using Rivetz developer tools for the TEE. He recently worked as OEM Biz Dev Director at ARM / Simulity Labs for design-in of eSIM and iSIM for On-Demand Connectivity (RSP) solutions for IoT, M2M and Wearables smart and connected device manufacturers. Simulity was bought by ARM last July, 2017. Karl also spent 5 years working in China for Gemalto (and Trustonic) as Rainmaker for design-in of embedded Mobile NFC Payments & TEE security technologies to the OEM Smartphone/Tablet PC ecosystem. He is a globally-trained, bilingual Mandarin Chinese speaking senior mobility executive with vast experience selling wireless & mobile device technologies from both sides of the Pacific Rim to the global OEM/ODM handset/tablet PC ecosystem supply chain. He possesses a B.S. degree in Business Management from Salve Regina University, Certification in Mandarin Chinese Language, Customs and Culture from National Taiwan Normal University – Mandarin Training Center and Certification in Broadband wireless communications from University of Washington (Seattle). Many presentations on Smartphone technologies can be viewed on YouTube, Youku and Tudou video streaming web sites. Search for 魏卡尔 on Youku, thanks!