Secure Elements are physical components in electronic devices that securely store and protect sensitive data and applications. Compared to software-based solutions, they provide higher security and can protect from attacks from malware, hackers, and other malicious actors. Typical applications for Secure Elements include payment cards, mobile phones, and identification cards.

With the increasing adoption of eSE and eUICC/eSIM and the higher performance of those hardware components, it is possible to integrate multiple applications within a single Secure Element. This reduces the number of physical devices that users need to carry and simplifies the integration and updating of applications. However, this flexibility also requires higher implementation efforts and places higher security demands on the specific eSE and corresponding systems that install and personalize the secure applications on the Secure Elements.

BSI addresses and processes the following topics related to Secure Elements: SAM, TSMS, and CSP.

SAM

Secure Application for Mobile (SAM--Secured Applications for Mobile) is a new standardization item pursued by GSMA and GlobalPlatform. It is a proposal to make an eSIM, which is permanently installed in mobile devices, usable beyond telecommunication for protection-requiring applications. Based on the evolution of hardware security chips and a short technical description of the SAM-SD, the following position paper details the BSI’s interest in the topic.

• SAM Position Paper

TSMS

A Trusted Service Management System (TSMS) is a BSI approach for installing JavaCard applets on eSE, eUICC/eSIM from different manufacturers and MNOs. The Technical Guideline BSI TR-03165 defines the technical basics of such a TSMS. Furthermore, it defines core interfaces to foster non-discriminatory access to Secure Elements. In addition to the TR, there is a GitHub Project TSMS, which provides supplemental documentation for developers and machine-readable formats (JAVA, OpenAPI, YAML) of the interfaces defined in the TR.

• BSI Technical Guideline TR-03165 Trusted Service Management System, Version 1.1

CSP

The Cryptographic Service Provider (CSP) is a BSI approach to certifying JavaCard applets on eSE, eUICC/eSIM independently of the underlying hardware platform for use cases requiring a high assurance level. The CSP Whitepaper describes the idea behind this certification's benefits. The BSI TR-03181 CSP2 defines the technical requirements for the implementation of such a CSP. The Protection Profile BSI-CC-PP-0104 CSP is applicable for Common Criteria certifications of CSP implementations with high security demands. The Protection Profile BSI-CC-PP-0111 CSPL is applicable for CSP implementations operated in a relative secure environment.

• CSP Whitepaper v1.0
• BSI TR-03181 Technical Guideline for Cryptographic Service Provider 2 (CSP2)
• Common Criteria Protection Profile Cryptographic Service Provider (CSP)
• Protection Profile Cryptographic Service Provider Light (CSPL)