Recently I began thinking about secure elements, on smartphones, on computers, and their relationship to safety and security as perceived by the everyday person. The fact is that there is very little awareness of these crucial pieces in the security ecosystem that everyone uses and even less about the impact of not having these in place in older equipment.
What kicked off this train of thought? An old friend of mine, visiting my home, started discussing laptop computers and how he could not understand why Microsoft was forcing him to dispose of his (perfectly adequate 5 year-old) laptop and replace it with a newer model just in order to run Windows 11 – which now requires a secure element. From October 2025, Windows 10 will cease to be free-of-charge supported by Microsoft with security updates, and the charges that will be made look like to step up substantially year-on-year.
It’s the same for smartphones. The old models – many of the smartphones in use, globally – do not have the security component embedded, often relying on a supplied hardware token, likely under the control of the telco operator. In the case of smartphones this will lead to reduced security and functionality. So, if you want to have your digital passport or mobile driving license on your phone (as an original and not a copy) then it will be impossible to use them with privacy protections without some form of user-controlled secure element. Also, many users especially in the third world, who rely on the smartphones for sending and receiving money will become more vulnerable as hacking toolkits become more sophisticated and become more geared for mass attacks.
Luckily, along comes eIDAS 2.0 (OK, its a regulation which is just for the EU but is a real beacon for the whole world) and the ability to certify a Remote Signing Element, and in a perfect world we would be looking for a mobile phone solution that has a Level of Assurance LoA3 “high” for the QSCD (Qualified Signature Creation Device). This can be revolutionary for all those older smartphones out there. It is unlikely, however, to be of any help with Windows 10 due to the enormity of the effort and it is just perpetuating a legacy OS anyway.
So how do Remote Signing Elements work in the context of eIDAS2.0, and more importantly, how can this be made as easy to scale deployment as possible without cloud based to aid deployment and democratise use?
One of the most efficient ways that I have seen, with a level of assurance LOA4 – That’s high! (for QSCD and eSeals) is to use a complete QTSP deployed in the cloud. That’s great because if the user device is cryptographically directly bound, then the whole issue of identification via an enrolment using a PID etc can be used, with the keys kept unique to a user and in the user’s control.
Its the way to go to democratise the digital wallet, being lower cost than alternatives without a lot of hard work on the ground. Should be a lot quicker too.
Helping countries grapple with the problem of issuing meaningful wallets and verifiable credentials to a wide variety of older smartphones seems to be a good way forward.
However, it does not bridge the gap between Windows 10 and Windows 11 in any way, so it does look like my friend will need to go out and buy a new laptop before demand goes sky high in October.
Now is the time to buy shares in the chip manufacturers!!
Comments