AFOM, the Association of French Mobile Operators, and Trusted Labs, a specialist in security services, have announced they have developed a new version of the USIM Protection Profile (PP) for the Composite Evaluation Model. This follows last year's demonstration of a USIM card that was certified by composition (Cartes'08). The application and the platform, which were certified separately, each kept their Common Criteria certification when assembled in one product.
The new PP is said to bring the principle of composition to the whole industry, defining a standard to allow any certified application to be hosted securely on any Java Card USIM platform compliant with the PP.
The Composite Evaluation Model is a scheme designed to allow applications to be Common Criteria certified only once, for all platforms. Going beyond the functional interoperability brought by industry standards, it aims to bring security interoperability, to enable true multi-application use, including post-issuance deployment of applications.
The USIM PP being announced today – designed as part of the Composite Evaluation Model – defines the security interfaces of Java Card USIM platforms, which is said to create a de facto security standard. By complying with the USIM PP, platforms designed by different companies will present the exact same security interfaces to applications added on top.
The USIM PP also ensures isolation between the various applications hosted on the same card – so that, for example, a loyalty application cannot access information held in a banking application, and vice versa.
The new version of the PP has been evaluated for Common Criteria level EAL4+, and is compliant with both GlobalPlatform 2.2 specifications and with Sun's Java Card System Protection Profile, Open Configuration.
USIM cards that comply with the USIM PP will therefore be certifiable at Common Criteria level EAL4+, the standard required by the industry, and will be able to host a number of applications developed by third parties, without compromising their security or their certifications.
Claire Loiseaux, CEO of Trusted Labs, said: "Trusted Labs is proud of its contribution in defining a scheme that makes multi-application, interoperable USIM cards a reality. This scheme – which meets the needs of both mobile and banking operators – is an important step forward that will release the full potential of mobile transactions by enabling a rich ecosystem of application developers."
Jean-Marie Danjou, Managing Director of AFOM, added: "All French MNOs deal with the security of SIM cards according to a common security model inside AFOM. They directly address the risks related to the future opening up of SIM cards to multiple stakeholders, with a view to a secure roll-out of mobile transactions. They joined their efforts and resources to produce AFOM USIM PP, which they proudly present to you today. In 2010, AFOM will supervise the evolution of this innovative document to deliver a new version that will be interoperable with private payment schemes."
Jean-Philippe Wary, Information Security Expert at AFOM Security Group, concluded: "We have built the necessary conditions to allow every type of mobile transaction business around the natural and universal secure element: the USIM Card. This achieved security interoperability significantly reduces time to market and is cost-effective to securely host and operate services on USIM cards. Moreover, it improves and simplifies the management of heterogeneous secure applications (i.e. payment, digital signature, ticketing) over several certified platforms. A mobile phone combined with a certified USIM card plays a key role in the chain of trust, liability and security required by online business. The Protection Profile we announce today clearly covers these security market needs."