The eSE (embedded Secure Element) is an autonomous, tamper-proof element made of a dedicated silicon chip, a secure OS and applications. It is available in different sizes and designs, and can be embedded in any mobile device. It ensures that data is stored in a safe place and that information is given only to authorised applications and people, and it executes cryptographic operations (e.g. authentication, encryption).
In other words, it is like a personal ID for the end-user and for the device itself.
The eSE is multi-applicative and makes it possible to secure a wide range of applications in any device and various use cases: protection of the device against hacking through secure boot or device attestation, and digital services for end-users (payment, couponing, transport, access control, ticketing, corporate, cloud computing, e-government).
This is achieved by a secure application hosted in the eSE in charge of performing the sensitive operations required by the service. Depending on the device, eSE functionalities can vary, particularly the remote and secure way to retrieve data, secure connectivity, strong user authentication, device integrity, etc.
According to Eurosmart, the market will grow 5-8% in 2021 after a relatively stable 2020 (the pandemic strongly impacted smartphone sales), while more and more smartphones and wearables are being equipped with an eSE.
- Mobile payment has been increasing in popularity; smartphone OEM mobile wallet programmes are blooming across the globe.
- Wearables are also seen as a convenient form factor for payment and mass transit.
In 2021, Google, Thales and other eSE vendors created the Android Ready SE Alliance, aiming to bring the benefits of the eSE to the world's most popular mobile OS among connected consumer devices.
Thales has developed specific software to administer and update the eSE during the entire life cycle of the device.
Thales embedded Secure Elements
Thales’ embedded Secure Element offer is characterised by the following elements:
- State-of-the-art certified eSE
- Compliant with the GlobalPlatform Card Secure Element Configuration standard
- Certified by major payment schemes (EMVCo, Visacard, Mastercard, AMEX, China UnionPay, MTPS) and contactless certification organisations (FeLiCa, MIFARE)
- Integrating all latest features gained in embedded OS, NFC ecosystem and multi-services markets
- Available in various form factors: WLCSP, surface mounted device (SMD)
- Available as a single-chip solution that supports both trusted contactless services (based on eSE) and mobile connectivity (based on eSIM)
- Unrivalled application offer
- Rich application catalogue gathering certified payment, transport, biometrics, enterprise, ID, government apps, both proprietary and with established partners
- Unique expertise for local application development and support
- A unique Trusted Service Hub (TSH) offer to quickly and easily deploy services worldwide.
- Strong local technical teams (Field Application Engineers and Technical Consultants) dedicated to supporting consumer electronics manufacturers.
- Recognised expertise in end-to-end fully deployed NFC projects
- Established relationships with key players in the industry (silicon vendors, combo makers, Contactless Front End (CLF) makers, device manufacturers, certification bodies, payment schemes).
- Continuous technology improvement via the support of some of the newest technologies, such as UWB. Ultra-wideband is a high-frequency wireless communication protocol aimed at location and device-ranging use cases. It fosters the adoption of unprecedentedly accurate user experiences (e.g. indoor and vehicle positioning, transfer of a digital car key). The largest smartphone manufacturers support this technology. Thales joined the FiRa Consortium in 2020.
What’s a connected embedded Secure Element
The Connected eSE is the combination of an eSE and an eSIM in a single security chip, which reduces the number of components in a device.
Thales’ OS ensures a strict separation between the security applications hosted in the eSE domain and the eSIM functionality.
This unique innovation brings a state-of-the-art security level to any NFC service deployed in the connected eSE, unlike more straightforward solutions based on a plain eSIM. Thales was the world's first company to be fully certified for this new generation of products by trade body GSMA.
In March 2020, Samsung launched the world's first smartphones, the Samsung Galaxy S20, Galaxy S20+ and Galaxy S20 Ultra, featuring a secure single-chip solution that supports both mobile connectivity and trusted contactless services, leveraging Thales' unique connected eSE.
In January 2021, Thales' Connected eSE was selected as the winner of the "IoT Semiconductor Product of the Year" award in the 5th annual IoT Breakthrough Awards program.
eSE production stage
Before being shipped, the eSE is loaded with a secure, tamper-resistant Operating System (OS) and a set of secure applications selected by the device manufacturer according to its target market(s).
In addition, each eSE unit is loaded with uniquely diversified keys, identifiers and data files, some of which are specific to the secure applications.
The creation of this data and its loading into the chip are executed in sites and environments that have been certified to comply with stringent security requirements from recognised international bodies such as international payment schemes and GSMA for the connected eSE.
At the end of the loading process, and before it exits the factory, each eSE is logically locked so that only the eSE owner (e.g. the OEM) is allowed to amend it.
eSE post-issuance management
When an end-user purchases a device that embeds a secure element, he or she has to activate the eSE and then can download and personalise any application securely.
Various players are involved in making this scheme successful. The eSE owner (e.g. OEM…) is responsible for activating and administering the eSE via the Secure Element Issuer Trusted Service Manager (SEI TSM). It can create a security domain for each service provider (SP), which can administer its application in the eSE once provisioned, either:
- through its Service Provider Trusted Service Manager (SP TSM),
- or through that of a service aggregator, which provides a portfolio of services to the end-user. The aggregator role is optional and can be provided by Thales.
Thales also provides the Trusted Services Hub (TSH) that includes both the SEI TSM and SP TSM functionalities, in addition to the aggregator role. Furthermore, our TSH can be connected to any existing SEI TSM or SP TSM.
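The two stages described above (production: per-unit diversified keys loaded and the unit locked to its owner; post-issuance: the owner creating a security domain per service provider, each provider managing only its own domain) are illustrated by the following added example. It is illustration code written for this page, not Thales' software or the GlobalPlatform specification: the KDF (HMAC-SHA256 over a role label and the chip UID), the master keys, the UIDs and the domain names are constructed assumptions, and authentication is modelled as a key comparison where a real eSE would run a challenge-response secure channel.

```python
import hmac
import hashlib


def diversify_key(master_key: bytes, chip_uid: bytes, label: bytes) -> bytes:
    """Derive a per-unit key from a master key, the chip UID and a role label.

    HMAC-SHA256 serves as a one-step KDF here (an assumption of this example).
    The UID makes every unit's key distinct, so one leaked unit key says nothing
    about other units or the master; the label keeps key roles apart.
    """
    return hmac.new(master_key, label + b"\x00" + chip_uid, hashlib.sha256).digest()


class SecureElement:
    """Toy model of one eSE unit: owner key, lock flag and security domains."""

    def __init__(self, uid: bytes):
        self.uid = uid
        self.owner_key = None
        self.locked = False
        self.domains = {}  # domain name -> {"key": bytes, "apps": set()}

    @staticmethod
    def _auth(presented: bytes, expected: bytes) -> bool:
        # Constant-time comparison stands in for a real secure-channel handshake.
        return expected is not None and hmac.compare_digest(presented, expected)

    def factory_load(self, owner_key: bytes, preloaded: dict) -> None:
        """Production stage: load the owner key and preselected domains (no credential yet)."""
        if self.locked:
            raise PermissionError("unit is locked; factory loading is over")
        self.owner_key = owner_key
        for name, sd_key in preloaded.items():
            self.domains[name] = {"key": sd_key, "apps": set()}

    def lock(self) -> None:
        """Leaving the factory: from now on only the owner key can amend the unit."""
        self.locked = True

    def create_domain(self, owner_key: bytes, name: str, sd_key: bytes) -> None:
        """SEI TSM role: the owner creates a security domain for a service provider."""
        if self.locked and not self._auth(owner_key, self.owner_key):
            raise PermissionError("only the eSE owner may create security domains")
        self.domains[name] = {"key": sd_key, "apps": set()}

    def install_app(self, name: str, sd_key: bytes, app: str) -> set:
        """SP TSM role: a provider installs into its own domain, proven by that domain's key."""
        dom = self.domains.get(name)
        if dom is None or not self._auth(sd_key, dom["key"]):
            raise PermissionError(f"not authorised for domain {name!r}")
        dom["apps"].add(app)
        return set(dom["apps"])


def lifecycle_demo() -> dict:
    """Run two units through production and post-issuance; return what was observed."""
    # Constructed sample values: master keys of the OEM and two service providers, two chip UIDs.
    oem_master = bytes.fromhex("11" * 32)
    bank_master = bytes.fromhex("22" * 32)
    transit_master = bytes.fromhex("33" * 32)
    uid_a = bytes.fromhex("04a1b2c3d4e5f601")
    uid_b = bytes.fromhex("04a1b2c3d4e5f602")

    units = {}
    for uid in (uid_a, uid_b):
        se = SecureElement(uid)
        # Production: owner key and a bank domain key are diversified for this unit, then locked.
        se.factory_load(diversify_key(oem_master, uid, b"owner"),
                        {"bank": diversify_key(bank_master, uid, b"sd-bank")})
        se.lock()
        units[uid] = se

    se_a = units[uid_a]
    out = {"keys_differ_per_unit": se_a.owner_key != units[uid_b].owner_key}

    # Post-issuance: the owner (via its SEI TSM) adds a transit domain on unit A.
    se_a.create_domain(diversify_key(oem_master, uid_a, b"owner"), "transit",
                       diversify_key(transit_master, uid_a, b"sd-transit"))
    out["domains_a"] = sorted(se_a.domains)

    # A service provider is not the owner, so it cannot create domains on a locked unit.
    try:
        se_a.create_domain(diversify_key(bank_master, uid_a, b"sd-bank"), "rogue", b"\x00" * 32)
        out["sp_created_domain"] = True
    except PermissionError:
        out["sp_created_domain"] = False

    # Each SP TSM manages only its own domain: the bank key does not open the transit domain.
    out["bank_apps"] = se_a.install_app("bank", diversify_key(bank_master, uid_a, b"sd-bank"), "wallet")
    try:
        se_a.install_app("transit", diversify_key(bank_master, uid_a, b"sd-bank"), "ticket")
        out["bank_touched_transit"] = True
    except PermissionError:
        out["bank_touched_transit"] = False

    # A bank key diversified for unit B does not open the bank domain on unit A.
    try:
        se_a.install_app("bank", diversify_key(bank_master, uid_b, b"sd-bank"), "wallet2")
        out["cross_unit_key_accepted"] = True
    except PermissionError:
        out["cross_unit_key_accepted"] = False
    return out
```

Running `lifecycle_demo()` shows the three properties the page relies on: keys differ per unit, only the owner can amend a locked unit, and a security domain key opens exactly one domain on exactly one unit.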
Thales proposes a very flexible approach based on various business models to best meet the requirements of consumer electronics manufacturers. The benefits of our TSH are multiple:
- Generate new revenue for device manufacturers when connecting to our hub
- Facilitate service deployment in the eSE anywhere in the world with a "plug and play" solution
- Technical: A single entry point to connect just once to enrich your service portfolio
- Commercial: Simple to connect to numerous service providers (banks, transport operators, etc.) with whom Thales already has commercial agreements.