The ‘GlobalPlatform Secure Channel Protocol 11’ addresses cases such as mobile banking, where applications utilize both the SE and TEE to protect a secure service.

In use cases like biometric authentication, virtual private networks (VPN) or mobile banking, the SE in the device is used to store the critical part of the application and its associated cryptographic keys. In parallel, the trusted application resides in the TEE to enable management of the end user and backend interaction prior to a transaction being authorized. The Secure Channel Protocol 11 protects the data being transferred between these two secure components.

From a technical perspective, data passed between trusted applications stored in the TEE and SE is protected by the secure channel, which is established by GlobalPlatform’s TEE SE API. Elliptic curve cryptography (ECC) is used for the generation of the session keys for encryption and authentication. It also provides perfect forward secrecy (PFS) by using ephemeral keys, preventing the decryption of the data by attackers, should they also get hold of the long-term keys.