The eSE (embedded Secure Element) is an autonomous, tamper-proof element made of a dedicated silicon chip, a secure OS and applications. It is available in different sizes and designs and can be embedded in any mobile device. It ensures the data is stored safely, information is given to only authorised applications and people, and it executes cryptographic operations (e.g. authentication, encryption).
In other words, it is like a personal ID for the end-user and the device itself.
The eSE is multi-applicative and allows to secure a wide range of applications in any device and various use cases: protection of the device against hacking through secure boot or device attestation, digital services for end-users (payment, couponing, transport, access control, ticketing, corporate, cloud computing, e-government).
This is achieved by a secure application hosted in the eSE that performs the sensitive operations required by the service. Depending on the device, eSE functionalities can vary, particularly the remote and secure way to retrieve data, secure connectivity, strong user authentication, device integrity, etc.
According to Eurosmart
(February 2023, the market will stay flat in 2023 after a relatively stable 2022, with 10B smart cards shipped.
Still, more smartphones and wearables are being equipped with eSE.
- Mobile payment has been increasing in popularity; smartphone OEM mobile wallet programmes are blooming across the globe.
- Wearables are also seen as a convenient form factor for payment and mass transit.
In 2021, Google, Thales and other eSE vendors have created the Android Ready SE Alliance, aiming at the benefits of eSE to the world's most popular mobile OS among connected consumer devices.
Thales has developed specific software to administrate and update eSE during the entire life cycle of the devices.
Thales embedded Secure Elements
Thales' embedded Secure Element offer is characterised by the following elements:
- State-of-the-art certified eSE
- Compliant with the GlobalPlatform Card Secure Element Configuration standard
- Certified by major payment schemes (EMVCo, Visa card, Mastercard, AMEX, China UnionPay, MTPS) and contactless certification organisations (FeLiCa, MiFare)
- Integrating all the latest features gained in embedded OS, NFC ecosystem and multi-services markets
- Available in various form factors: WLCSP, surface mounted device (SMD)
- Available as a single-chip solution that supports both trusted contactless services (based on eSE) and mobile connectivity (based on eSIM)
- Unrivalled application offer
- Rich application catalogue gathering certified payment, transport, biometrics, enterprise, ID, and government apps, both proprietary and with established partners
- Unique expertise in local application development and support
- A unique Trusted Service Hub (TSH) offer to quickly and easily deploy services worldwide.
- Strong local technical teams (Field Application Engineers and Technical Consultants) dedicated to supporting consumer electronics manufacturers.
- Recognised expertise in end-to-end fully deployed NFC projects
- Established relationships with key players in the industry (silicon vendors, combo makers, Contactless Front End (CLF) makers, device manufacturers, certification bodies, and payment schemes).
- Continuous technology improvement via the support of some of the newest technologies, such as UWB. Ultra-wideband is a high-frequency wireless communication protocol aiming at addressing location purposes and device-ranging use cases. It fosters the adoption of unprecedented accurate user experiences (e.g. indoor and vehicle positioning, information transfer of digital car key). The largest smartphone manufacturers support this technology. Thales has joined the FiRa Consortium in 2020.
What's a connected embedded Secure Element
The Connected eSE combines an eSE and an eSIM in a single security chip, reducing the number of components in a device.
Thales' OS ensures a strict separation between the security applications hosted in the eSE domain and the eSIM functionality.
This unique innovation brings a state-of-the-art security level to any NFC service deployed in the connected eSE, unlike more straightforward solutions based on a plain eSIM. Thales was the world's first company to be fully certified for this new generation of products by the trade body GSMA.
In March 2020, Samsung launched the world's first smartphones, the Samsung Galaxy S20, Galaxy S20+ and Galaxy 20 Ultra, featuring a secure single-chip solution that supports mobile connectivity and trusted contactless services, leveraging unique Thales's connected eSE.
In January 2021, Thales' Connected eSE was selected as the winner of the "IoT Semiconductor Product of the Year" award in the 5th annual IoT Breakthrough Awards program.
eSE production stage
Before being shipped, the eSE is loaded with a secure, tamper-resistant Operating System (OS) and a set of secure applications selected by the device manufacturer according to his target market(s).
In addition, each unit of eSE is loaded with uniquely diversified keys, identifiers and data files, some of them being specific to the secure applications.
The creation of this data and its loading into the chip are executed in sites and environments certified to comply with stringent security requirements from recognised international bodies such as international payment schemes and GSMA for the connected eSE.
At the end of the loading process, and before it exits the factory, each eSE is logically locked so that only the eSE owner (e.g. the OEM) can amend it.
eSE post-issuance management
When an end-user purchases a device that embeds a secure element, they have to activate the eSE and then can download and personalise any application securely.
Various players are involved in making this scheme successful. The eSE owner (e.g. OEM…) is responsible for activating and administrating the eSE via the Secure Element Issuer Trusted Service Manager (SEI TSM). It can create a security domain for each service provider (SP), which can administrate its application in the eSE once provisioned either:
- Through its Service Provider, Trusted Service Manager (SP TSM),
- Or through the one-of-a-service aggregator, which provides a portfolio of services to the end-user. The aggregator role is optional and can be supplied by Thales.
Thales also provides the Trusted Services Hub (TSH), which includes the SEI TSM and SP TSM functionalities and the aggregator role. Furthermore, our TSH can be connected to any existing SEI TSM or SP TSM.
Thales proposes a flexible approach based on various business models to meet consumer electronics manufacturers' requirements best. The benefits of our TSH are multiple:
- Generate new revenue for device manufacturers when connecting to our hub
- Facilitate service deployment in the eSE anywhere in the world with a "plug and play" solution
- Technical: A single entry point to connect just once to enrich your service portfolio
- Commercial: Simple to connect to numerous service providers (banks, transport operators, etc.) with whom Thales already has commercial agreements.