GlobalPlatform has updated its Composition Model, which streamlines security evaluation of NFC contactless mobile applications.
First released in 2011, the Composition Model defines a simple certification approach for the security of secure element (SE) products carrying sensitive or basic applications as well as simplifies post-issuance application management. The latest enhancements to the model will be of particular interest to mobile application and product issuers like mobile network operators (MNOs) and financial institutions.
A composite product consists of an open platform — a secure element for example — with one or more secure applications, known as sensitive applications, and one or more basic applications that don’t require compliance to stringent security requirements. As secure elements in mobile devices become increasingly capable of hosting multiple applications, it is crucial that all apps perform as intended and interference with other services is kept to a minimum.
The Composition Model promotes two key concepts: the re-using of existing security evaluation results and the limiting of security evaluation work to test only the impact of new application and SE combinations. Streamlining methodology in this way makes it easier for the telecom and payment industries to redeploy SEs and applications once they have been certified.
GlobalPlatform has been hard at work, and has also recently released:
The Card Composition Model Security Guidelines for Basic Applications v1.0, which proposes a minimal set of guidelines for basic applications. Adhering to these guidelines will protect sensitive applications, other applications, and the SE.
Card Composition Model v1.1, which introduces the relationship between sensitive and basic applications.
Card Composition Frequently Asked Questions v1.1, which supports industry players using this model for the first time.
All GlobalPlatform documents can be downloaded free of charge at the company’s website.