The companies agreed that any system would be compromised unless a system-level root of trust was established between all devices and service providers. This led to the definition of the Open Trust Protocol (OTrP), which combines a secure architecture with trusted code management, applying to mobile devices technologies already proven in banking and data applications.
The protocol is now available for download from the IETF website for prototyping and testing. The key objectives of OTrP are to develop:
an open international protocol based on the Public Key Infrastructure (PKI)
an open market for competing certificate authorities
an ecosystem of client and server vendors around the protocol
Collaboration began in early 2015 and soon grew to 13 companies. The alliance worked with the IETF and GlobalPlatform to get OTrP adopted as a protocol within their organizations.
OTrP adds a messaging layer on top of the PKI architecture. It reuses the Trusted Execution Environment (TEE) concept to increase security by physically separating the regular operating system of a device from its security-sensitive applications.
Given the heterogeneity of devices, Trusted Services Managers (TSMs) manage keys in the devices to create security domains, authenticate resources and load applications. OTrP defines a protocol between a TSM and a TEE and relies on the IETF JSON mechanisms for end-to-end security.
The protocol assumes that a device is equipped with a TEE and is pre-provisioned with a device-unique public/private key pair, which is securely stored and is referred to as the root of trust. A service provider uses such a device to run Trusted Applications (TAs).
The TSM is responsible for originating and coordinating lifecycle management activity on a particular TEE. The TEE resides in the device chip security zone and is responsible for protecting applications from attacks.
The TSM manages the trust in the devices on behalf of service providers. In addition, the TSM provides security domain management and TA management in a device, including over-the-air updates.
Mutual trust between a device, a TSM and service providers is based on certificates. A device embeds a list of root certificates, called trust anchors, from trusted certificate authorities that will be used to validate a TSM. A TSM will validate a device by checking that its certificate comes from a trusted certificate authority.
OTrP establishes appropriate trust anchors to enable TEEs and TSMs to communicate in a secure way. The main trust relationships are that the TSM must be able to ensure a TEE is genuine, the TEE must be able to ensure a TSM is genuine, and a secure boot must be able to ensure a TEE is genuine.
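The certificate checks described above can be sketched with Go's standard crypto/x509 package. This is an added example, not OTrP's message format or code from any of the companies involved; the CA names, subject names and the helpers issue, trustedBy and scenario are constructed for illustration, and secure boot is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (constructed helper, not part of OTrP) creates a certificate for cn;
// a nil parent yields a self-signed root CA.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root CA: self-signed and allowed to sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil { panic(fmt.Sprint(err, perr)) }
	return cert, key
}

// trustedBy reports whether cert chains to one of the embedded trust anchors.
func trustedBy(cert *x509.Certificate, anchors ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, a := range anchors { pool.AddCert(a) }
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// scenario returns: device accepts TSM, TSM accepts device, device rejects a TSM from an unlisted CA.
func scenario() (bool, bool, bool) {
	tsmCA, tsmCAKey := issue("Constructed TSM CA", nil, nil)
	devCA, devCAKey := issue("Constructed Device CA", nil, nil)
	otherCA, otherKey := issue("Constructed Unlisted CA", nil, nil)
	tsm, _ := issue("tsm.example", tsmCA, tsmCAKey)
	device, _ := issue("device-0001", devCA, devCAKey)
	unlisted, _ := issue("tsm.example", otherCA, otherKey) // same name, different issuer
	return trustedBy(tsm, tsmCA), trustedBy(device, devCA), !trustedBy(unlisted, tsmCA)
}

func main() { fmt.Println(scenario()) }
```

The third check shows why the device's decision rests on its embedded anchor list rather than on the subject name a certificate presents.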
OTrP can be used for identity management, strong authentication for payment systems, secure VPN for enterprise systems and digital rights management, as well as security tasks specific to markets such as automotive and health care.