Amanda Lowe Director Product Marketing WindRiver, an Intel Company

Size: px

Start display at page:

Download "Amanda Lowe Director Product Marketing WindRiver, an Intel Company"

Melinda Powers
5 years ago
Views:

1 October 26, 2017 Guy AlLee IoT Security Product Manager SSG Platform Security Division Amanda Lowe Director Product Marketing WindRiver, an Intel Company

2 ONBOARD ATTEST How long does it take to securely onboard 10,000 IoT lightbulbs? Onboard = From out-of-box to securely streaming data to an IoT Platform

3 Agenda Overview The Imperative: Secure and Scale IoT Security Fundamental #1 Immutable Identity with Intel Enhanced Privacy ID (EPID) Any Device into Any Cloud Intel Secure Device Onboard (SDO) Wind River Helix Device Cloud 3

for IoT - Only way we get to 50B devices by 2020 is automation. Tremendous ROI drag.

4 Manual IoT Onboarding Today & now to type in the 256 character key on my cell phone on top a 20-ft. ladder how convenient... Device arrives on-site Technician installs, turns on device Manual provisioning IT backend accepts device credentials & connects it to device management system Device starts working Major Barrier for IoT - Only way we get to 50B devices by 2020 is automation. Tremendous ROI drag. Missing Element for Security - Must solve Mirai style attacks: ship default passwords for headless devices and users Privacy - Need to preserve device anonymity to prevent future attacks Traditional PKI Identity - Still has role to play for IoT but too heavyweight & costly to embed in hardware at scale Ecosystem wants automated SIM like approach that ties identity to platform initiated activation. Nobody solving! 4

5 Trust Rendezvous Service Intel SDO Target - for IoT Platform ISVs & CSP marketplaces whose customers are struggling with siloed & manual device provisioning Solution Secure Device Onboard provides a service that automates and secures the rendezvous of devices to their owner s control platforms Differentiation using a more scalable device enablement method that works for any IoT platform ecosystem Place, Power, Provision Solves major pain point in securely deploying IoT things Manual deployment, staging, & OEM pre-loads are not optimal and causing deployment delays Hardware root of trust EPID based service for zero touch device onboarding Tremendous ROI for customers & ecosystem SDO = adds SCALE to move POCs to production. INCREASES # of devices in use 5

Device Management Platforms Place, Power,

Provisions dynamically to customer s IOT

6 Device Management Platforms Place, Power, Provision Intel s Zero Touch Device Onboarding Solution Will Scale IoT to Billions of Devices Takes seconds at power on Provisions dynamically to customer s IOT platform of choice Hardware secured Designed-in, ready for Device ODMs

8 Growing IoT Cyber Threats Not just Data Control & Life/Safety too! Stuxnet German Steel Mill Attack 2014 Jeep in Ditch 2015 BlackEnergy Ukrainian Power Grid Attack 2015 Mirai Botnet attack on Dyn 2016 WannaCry

Barrier to IoT Adoption* Hackers exploiting poor

Most Important Items for IOT Platform* RFP

recognized role Pattern to secure & role of HW

key RFP request Security solutions Designed-in

scale *Gartner 2016 IoT Backbone Survey *Trusted

9 IoT Security Is Essential to Scale IoT Deployments HW Security is an IOT Priority Barrier to IoT Adoption* Hackers exploiting poor device security New Specs Customer Requirement Most Important Items for IOT Platform* RFP Isolation & added protections of HW security has recognized role Pattern to secure & role of HW is defined HW security moving from shadows to key RFP request Security solutions Designed-in to HW are keys to accelerating adoption and scale *Gartner 2016 IoT Backbone Survey *Trusted Computing Group: What Embedded and IoT Developers Think About IoT Security 9

Designed in Foundation - Device HW Identity Intel Enhanced Privacy ID (Intel EPID) Target/key problem - For IoT device manufacturers and service providers who need to secure their IoT offerings

10 Designed in Foundation - Device HW Identity Intel Enhanced Privacy ID (Intel EPID) Target/key problem - For IoT device manufacturers and service providers who need to secure their IoT offerings Solution - EPID is the IoT Identity HW Root of Trust that immutably identifies an IoT device Differentiation Scales with IoT Preserves privacy Simplifies certificate management Supports distributed, direct device-to-service trust, eliminating a centralized, 3rd-party trust authority, with its single point of vulnerability and potential vendor-lock Pre-provisioned before 1st boot Use as a best practice identity for device onboarding to set up secure anonymous channel Open international standard created by world reknown cryptographers. Solves privacy for IOT 10

An Identity Model Created for IoT Proven at Scale Baseline Minimum HW Root of Trust Secure App Container TEE Attest SW HW Identity TCG/ISO standard with privacy preserving group

reveals data to hack device Intel EPID EPID vs. PKI Traditional PKI Open source SDK Proven - 2.

11 An Identity Model Created for IoT Proven at Scale Baseline Minimum HW Root of Trust Secure App Container TEE Attest SW HW Identity TCG/ISO standard with privacy preserving group authentication scheme- UNIQUE & IN-DEMAND Used to open secure, authenticated channel for remote attestation & authentication Prevents Attack Mapping- Protects device data vs PKI that reveals data to hack device Intel EPID EPID vs. PKI Traditional PKI Open source SDK Proven billion keys inherently distributed with Intel platforms 1-to-many key match, unique signature every time, anonymous 1-to-1 key match, standard signature every time Pvt-Key 1 Pvt-Key 2 Pvt-Key X Pvt-Key Enables customers to deliver many use cases where privacy & attestation are key requirements 11

Certificate Path Validation Group Public Key Group Private Key Group Issuing

12 EPID 2.0 Ecosystem Enablement Intel Trust Services Infrastructure Issuer (Intel) Certificate Path Validation Group Public Key Group Private Key Group Issuing Private Key Private Keys 1.. n Chip OEM Device OEM Revocation Lists Inherent Key Distribution EPID Attestation CLOUD SERVICE Member (Edge Device) Verifier 12

13 Device Requirements are Minimal Mandatory immutable key, stored securely 144 Bytes non-volatile, one-time programmable memory Protected in Trusted Execution Environment (e.g., TrustZone-based OP-TEE) Recommended True RNG Re-key strategy (e.g., 2 nd EPID key storage slot, validity flags) Optional performance optimization Signature Pre-computation value, protected as above. Crypto Acceleration HW 13

14 Device Onboard Service 14

15 How Secure Device Onboard Works Place, Power, Provision 15

Silicon Provider Intel SDO Secure Device Onboard (fab) (a) (b) (c) (d Ownership Transfer) EPID Identity GUID, Svc URL A s Public Key (=Ownership Credential) Ownership Proxy

Owner A g=123 OEM/ODM Board/Device Owner B Owner A g=123 Distributor/ Reseller Owner C Owner B Owner A g=123 Online Retailer IoT Platform Device Management Service (SDO Code) Here

16 Silicon Provider Intel SDO Secure Device Onboard (fab) (a) (b) (c) (d Ownership Transfer) EPID Identity GUID, Svc URL A s Public Key (=Ownership Credential) Ownership Proxy (accumulated ledger of ownership). Owner A g=123 OEM/ODM Board/Device Owner B Owner A g=123 Distributor/ Reseller Owner C Owner B Owner A g=123 Online Retailer IoT Platform Device Management Service (SDO Code) Here is my Ownership Proxy, I am Owner for GUID 123 Here is my EPID signature, Device GUID=123 Office NOC d cloud I manage Guid 123. I m available at this IP: Intel SDO Service (Rendezvous) Try GUID Hi, I am 123. Where is my management service? Device shipped separately from Ownership Proxy Office Install 16

Silicon Provider Intel SDO Device Onboarding (fab) (a) (b) (c) (d Ownership Transfer) EPID Identity GUID, SDO URL Ownership Credential

Owner A g=123 OEM/ODM Board/Device Owner B Owner A g=123 Distributor/ Reseller Owner C Owner B Owner A g=123 Online Retailer IoT Platform

yourself to Office NOC Here is info about me and/or certificate signing requests (CSRs) Office NOC d cloud Here are replacement SDO

17 Silicon Provider Intel SDO Device Onboarding (fab) (a) (b) (c) (d Ownership Transfer) EPID Identity GUID, SDO URL Ownership Credential Ownership Proxy (accumulated ledger of ownership). Owner A g=123 OEM/ODM Board/Device Owner B Owner A g=123 Distributor/ Reseller Owner C Owner B Owner A g=123 Online Retailer IoT Platform Device Management Service (SDO Code) Here are keys, certificates, IP/DNS addresses, data items, URLs, software/scripts, commands to configure yourself to Office NOC Here is info about me and/or certificate signing requests (CSRs) Office NOC d cloud Here are replacement SDO credentials in case I need them later. Now go connect to Office NOC GUID 123 encrypted channel 123 Office Install Device shipped separately from Ownership Proxy Intel SDO trust allows construction of encrypted channel between Mgt Service and Device. 17

18 Intel SDO Device Onboarding (fab) (a) (b) (c) (d Ownership Transfer) EPID Identity GUID, SDO URL Ownership Credential Ownership Proxy (accumulated ledger of ownership). Owner A g=123 Owner B Owner A g=123 Owner C Owner B Owner A g=123 IoT Platform Device Management Service (SDO Code) Office NOC d cloud Silicon Provider OEM/ODM Board/Device Distributor/ Reseller Online Retailer Control using credentials from Office NOC, identity Independent of SDO GUID 123 Replacement SDO credentials can be used for recovery or resale. Otherwise, SDO is dormant. Office Install Device shipped separately from Ownership Proxy COMPLETE 18

19 SDO: A Superior Out-of-Box Customer Experience Quality Time to Onboard Skill set / Segregation of Duties IT / OT tension Trust Privacy COTS devices / SKUs Secrets Automated, Scripted, Reproducible Boot + <1m, Multiple run in parallel Physical installer only and not required to be entrusted w/ keys Fast deployment, with High Security User Controlled, not Centralized, 3 rd -party controlled Established directly between IoT Device and Service With EPID, hard to trace onboarding to deployed operation Just-in-time provisioning of owner key(s) No secrets transmitted 19

20 Ecosystem Enablement 20

Intel SDO Enabling Concept & Components Silicon Providers EPID SDK Device EPID SDK TEE SDO Client Mgr Agent Initial Device Identification (EPID Attestation) 2 OEM Development Toolkit - board and

21 Intel SDO Enabling Concept & Components Silicon Providers EPID SDK Device EPID SDK TEE SDO Client Mgr Agent Initial Device Identification (EPID Attestation) 2 OEM Development Toolkit - board and gateways - integrate SDO client software into their boot code Secure Device Onboard Rendezvous, not authentication Service Take Ownership 4 ONBOARD ATTEST SDO Service Identification Device securely on-boarded under Normal Platform Control 3 1 IoT Platform Service Provider Platform Registration Service SDO API Platform Manager Service Supplier Ownership Proxy New Owner CSP/ISV Toolkit - integrate SDO API into their IoT Platform 21

ROI $ Customer - Simplifies field installation ODM - No need to preload & validate each IoT platform Installer -

22 1 to Many Pre-load Model & Automated Activation From 11 manual steps & 20 min activation per device Kaiser Research Validation Study Available To 1 enablement step & seconds to activate! ROI $ Customer - Simplifies field installation ODM - No need to preload & validate each IoT platform Installer - Eliminates security misconfigure from humans ODM - No need to ship hackable default passwords Min MAX Customer - Deploy more devices faster IoT Platform ISV - More devices under management 22

Use Case Ecosystem Enabling for Customers Sample Onboarding Ecosystem Customer & SI IoT Platform Management Providers OEMs/ODMs Devices Intel & MCUs 3. 1.

realizes Implementation that proprietery - ecosystem onboarding requiring methods determines Platform Provider 500 gateways, which will 2 IA serve devices, as data & devices

MCU devices make up spectrum or agree to enable need using onboarded SDO so developer they choose zone the site.

23 Use Case Ecosystem Enabling for Customers Sample Onboarding Ecosystem Customer & SI IoT Platform Management Providers OEMs/ODMs Devices Intel & MCUs Customer RFP Project - the - has customer s an IoT POC SI started 4. using RFP IoT Response - 2. ODMs Scale & Need -5. realizes Implementation that proprietery - ecosystem onboarding requiring methods determines Platform Provider 500 gateways, which will 2 IA serve devices, as data & devices mgt that have have pre-enabled high configuration enablement cost and download won t scale SDKs for from devices Intel they and back 2 end. MCU devices make up spectrum or agree to enable need using onboarded SDO so developer they choose zone the site. IoT Customers Platform s distribution Zero of devices for project. They specifify SDKs win larger orders Touch Onboard Capability-powered chain digitally signs by order Intel in transit & installer SDO enabled devices as requirement in powers on. Device phone homes to IoT project RFP they send to ecosystem. platform to onboard in seconds. 23

(anonymous identity + encrypted channel) Secure Update Device image and corporate key download 3 2 HDC or Device

24 Secure Device Onboard + Device Management = Complete Security Channel from 1 st Boot Connected Device Intel Agent SDO Client Device Cloud Agent & OS Agent Secure Intel HW Root of Trust 1 Onboard Service Zero Touch Onboarding (anonymous identity + encrypted channel) Secure Update Device image and corporate key download 3 2 HDC or Device Management Service 4 Data Forwarding for analytics etc Customer s OT IoT Platform & Apps EPID SDK SEE THE DEMO IN BOOTH

26 DEVICE CLOUD OFFERS: Enhanced Device Management Capabilities: Remote monitoring, software over-the-air/firmware over-the-air updates, alerts, rules, update campaigns, data management and monitoring Flexible Deployment Options: Support for public, private and hybrid cloud deployments, as well as expanded regional public cloud hosting options Broad OS Support: Ease of connecting devices utilizing a new Python Agent that simplifies managing a large range of intelligent gateways and devices running different operating systems Expanded set of APIs to simplify contextualizing device data and device applications with business processes and business systems

27 IOT DEVICE LIFECYCLE MANAGEMENT Deploy Decommission Monitor Update Service Manage

28 CONNECT DEVICE TO CLOUD TO ENTERPRISE Device Agent On-cloud Management Platform Installed on IoT device OS Management console Commands device sensors RESTful API Built using RESTful API s Securely connects via wireless or cell Data forwarding to enterprise IT IT systems IoT Big apps data IoT Cloud Big appservices data Security solutions across device and network

ADDRESSING THE CHALLENGE OF ECONOMICALLY MANAGING A NETWORK OF DEPLOYED DEVICES Accelerate time to market to capture ROI from IoT investment Device Cloud Delivers Integration with Intel security

29 ADDRESSING THE CHALLENGE OF ECONOMICALLY MANAGING A NETWORK OF DEPLOYED DEVICES Accelerate time to market to capture ROI from IoT investment Device Cloud Delivers Integration with Intel security services Reduce costs associated with securely managing network of fielded devices, at scale Minimize downtime and outages Security and privacy for enterprise and customer assets and data Manage increasing complexity resulting from the proliferation of intelligent edge devices Business and technology risks associated with device vendor lock-in Operating system agnostic solution Unified management interface Support for Private, Hybrid, and Public clouds Device provisioning, monitoring, servicing, and software updates Integration with enterprise applications 24x7 system monitoring IOT Design Center services for project delivery

30 SUMMARY Imperative: Secure & Scale the Internet of Things Security starts with immutable ID EPID is the Key to IoT Secure Device Onboard Any Device to Any Cloud Place, Power, Provision

31 Additional Resources Intel Secure Device Onboard Enanced Privacy ID Open Source EPID SDK: Internet of Things (IoT) Security Foundation Whitepaper Smashing the IoT Deployment Hurdle: Introducing Intel Secure Device Onboard Service

32 References Platform Embedded Security Technology Revealed, Chapter 5, Privacy at the next level, Intel s Enhanced Privacy Identification (ID) Technology, Apress Books (free download): (EPID 1.1) E. Brickell and Jiangtao Li: Enhanced Privacy ID from Bilinear Pairing for Hardware Authentication and Attestation. IEEE International Conference on Social Computing / IEEE International Converence on Privacy, Security, Risk and Trust Dr. Dobbs: Barreto-Naehrig (B-N) ECC Curve (ISO/IEC , 2009)

34 Legal Disclaimers Intel technologies features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more information go to All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps. Copyright 2017 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel Inside, the Intel Inside logo, and Intel Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others. 34

SSG Platform Security Division & IOTG Jan Krueger Product Manager IoT Security Solutions

SSG Platform Security Division & IOTG Jan Krueger Product Manager IoT Security Solutions THIS SLIDE MUST BE USED WITH ANY SLIDES REMOVED FROM THIS PRESENTATION Legal Disclaimers Intel technologies features