Satisfying the phone owner with the trust in her or his ability to keep the phone book active, even in bad circumstances, was a good selling argument for operators. But other functions would also be of interest, this time to operators themselves. One issue that operators have to contend with is the multiplicity of personal electronic devices used by their subscribers. While Subscriber Identity Modules are governed by strict standards, personal electronic devices can be extremely varied. There are simple phones, smart phones, personal assistant with calling capabilities and the list keeps growing. There is no way for operators to inquire all of those multiple devices about their nature and capabilities. However, such information can be very useful. It allows operators not only to know their customers better, but also in some cases to exchange information with the personal electronic devices once they know their type. So, operators went to their central standard organization, the European Telecommunications Standards Institute, and established information standards that any personal electronic device wishing to use cellular communications should communicate to the Subscriber Identity Module. This way, the phone operators could simply ask the SIM about the type of personal electronic device used. Once again, the trust they have in the SIM extends to trusting further information than was originally thought about. Incidentally, this example illustrates again the fact that the trust in a secure core is bounded, since there is no way for the Subscriber Identity Module to know if the information that the personal electronic device communicated is indeed correct. Fortunately, the phone operator is able to put some trust in that information if it is used to communicate with the personal electronic device; either it can answer or not.

These two examples are only two of many applications that can extend the trust put in the Subscriber Identity Module even further. In many countries, cellular phones can be used for gaming, the lottery, betting and many other activities involving fiduciary value. The operator trusts the SIM enough to vouch to the racetrack that the bet will be paid. Causality is a vector of trust extension. And, as trust networks grow, they build their own dynamics so that going outside of the network becomes difficult. For example, we gave the example of the phone book. The trust between the operator and the client provides good service to the owner of the phone. However, it also makes it more painful for the phone owner to switch operators. This is a vivid example of how trust cements networks.

Unfortunately, causality also applies to a flawed assertion of trust. Let us consider a personal electronic device that does not have a trusted core, but might still attempt to provide a digital signature to obtain goods on the Web. To spare the reader flipping back a few pages, we’ll repeat here how a digital signature works. Essentially, if follows the vault model. If only you and I have the key of the vault, any information I put in it, you trust comes from me, since no one else could have deposited it. In the same way, if only my personal electronic device has a key to encrypt my signature, you know that it indeed comes from me. Unfortunately, if my device doesn’t have a secure core, there is no way to strongly trust such an assertion. The way a personal electronic device encodes a digital signature is by loading the key in its memory together with signature information, and by mixing them up mathematically using a cryptographic algorithm. The critical attack point in this process is the period during which the processor of the personal electronic device accesses the key. The reason for this is that there are ways to get to the value of the key in a computer without a trusted core. For example, the memory is typically accessible to more computing entities than the processor. In order to be able to move data between the short-term memory used by the processor and the long-term memory of the device, there is typically a mechanism that allows doing that without needing to ask the processor. This allows increased efficiency of the overall system, but it presents a threat to the signature operation. Another way to access the key information is to trick the processor into revealing data it is currently handling.

Book available at Midori Press (regular)
Book available at Midori Press (signed)
Book available at Amazon (regular)