Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin
Transcription
1 Demonstration Lecture: Cyber Security (MIT Department)
Trusted cloud hardware and advanced cryptographic solutions

2 Topic Prerequisites
- Security concepts
- Security-related concepts (e.g., entropy)
- Virtualization and Cloud Computing concepts
- Symmetric-key, Asymmetric-key, PKI cryptographic concepts
- Understanding of cryptographic algorithms (e.g., RSA, ECDSA, ECDH, AES, SHA256, HMAC/SHA256, PRNGs)
- Understanding Transport Layer Security (TLS)
- Cryptographic security standards (e.g., PKCS#11)

3 Agenda
- Problem Statement and Examples
- Key Terms and Concepts
- Trusted Cloud Hardware
- Advanced Cryptographic Solutions
- Conclusions

4 Problem Statement
Requirements
- Security is of paramount importance
- Security almost always involves cryptography

5 Problem Statement (cont.)
Problems
- Homemade cryptography is bad

6 Problem Statement (cont.)
Problems
- Proper cryptography is nontrivial

7 Problem Statement (cont.)
Problems
- Cryptographic keys/operations on end points are risky

8 Problem Statement (cont.)
End Points
- Large population of
  - Mobile Devices
  - Virtual Machines (VM)
  - Embedded Devices/Sensors
- Assumed to be untrusted

9 Problem Statement (cont.)
End Points and Risks
- High probability of compromise
- Flaws, vulnerabilities, and malware, at various layers
  - Ownership layer
  - Hardware layer
  - OS layer
  - Hypervisor layer
  - VM and Application layer
- Not the best place to generate keys/secrets
- Not the best place to store keys/secrets

10 Examples: Mobile Devices: Usage Scenarios and Requirements
- Outgoing
  - Cryptographic signature (sender's authenticity)
  - Signing private keys (e.g., PGP, GPG, S/MIME)

11 Examples: Mobile Devices: Usage Scenarios and Requirements
- Incoming
  - Decryption for sensitive data
  - Decryption private keys (e.g., PGP, GPG, S/MIME)

12 Examples: Mobile Devices: Usage Scenarios and Requirements
- Create/View protected data
  - Online/offline storage
- Symmetric encryption, decryption and signing
  - Shared symmetric keys
- Asymmetric decryption and signing
  - Private keys

13 Examples: Mobile Devices: Compromise Scenarios
- Attacker gets physical access to the mobile device
- Attacker gets backup data/image of the smartphone
- Directed crypto attacks
  - Steals keys
  - Affects the crypto subsystems
- Plain design/implementation vulnerabilities
  - In RNG layer
  - Other layers

14 Examples: VMs: Usage Scenarios and Requirements
- HTTPS Server
  - Decrypt HTTPS traffic
  - HTTPS/SSL/TLS private keys, depending on SSL/TLS cipher-suite

15 Examples: VMs: Usage Scenarios and Requirements
- Audit logging
- Symmetric encryption and HMAC
  - Shared symmetric keys
- Asymmetric decryption and signing
  - Private keys

16 Examples: VMs: Compromise Scenarios
- Attacker gets to VM using vulnerability or misconfiguration in hypervisor/VM layer
- Attacker copies VM using insecure backup of VM image/snapshot
- Directed crypto attacks
  - Steals data and keys
  - Affects the crypto subsystems of the device
- Plain design/implementation vulnerabilities
  - In hypervisor layer
  - In VM layer
  - In hardware layer
  - E.g., Xen security bug prompts AWS Cloud reboot

17 Examples: Embedded Devices: Usage Scenarios, Requirements
- Status/sensor information from embedded devices
  - Sign with private key
  - Encrypt with shared symmetric key

18 Examples: Embedded Devices: Usage Scenarios, Requirements
- Verification and decryption of software/firmware updates
- Verification and decryption of commands
  - Verify with public key
  - Decrypt with shared symmetric key

19 Examples: Embedded Devices: Compromise Scenarios
- Attacker gets physical access to the embedded device
- Attacker gets a software/firmware image for the device
- Directed crypto attacks
  - Steals data and keys
  - Affects the crypto subsystems of the device
  - Knows weak crypto subsystems of the device
- Plain design/implementation vulnerabilities
- More end nodes = More problems + More complexity

20 Agenda
- Problem Statement and Examples
- Key Terms and Concepts
- Trusted Cloud Hardware
- Advanced Cryptographic Solutions
- Conclusions

21 Key Terms and Concepts
- Trusted system
  - A system whose failure may break a specified security policy
- Trusted Computing (TC)
  - Technologies and standards intended to make computers safer, more reliable and less prone to viruses and malware, through hardware enhancements and associated software modifications
  - Specified by Trusted Computing Group (TCG)

22 Key Terms and Concepts
Trusted Platform Module (TPM)
- Specialized security chip on an endpoint device/system
- Stores RSA keys specific to the endpoint system
- vTPM for virtualized environments
- Tamper resistant

23 Key Terms and Concepts
Trusted Platform Module (TPM) Function
- Secure random number generation
- Keys storage and derivation
- Used by OSes for:
  - Data encryption
  - Secure/authenticated boot and root of trust
  - Hardware/platform authentication
- Cannot be added later (usually)
- Not scalable: 1 TPM = 1 endpoint device/system

24 Key Terms and Concepts
- TCB = Trusted Computing Base: set of all HW/FW/SW components critical to system's security
- TEE = Trusted Execution Environment: secure area (code, data) of the main processor
- TSS = TCG Software Stack: software layer for application developers to use functions provided by a TPM
- TBS = TPM Base Services: software component that allows the Windows operating system and applications to use services provided by the TPM

25 Key Terms and Concepts
[Figure: example of how TSS, TBS, TPM and sensitive crypto material (e.g., OpenVPN keys) stack and interact]

26 Key Terms and Concepts
Hardware Security Module (HSM)
- Specialized security HW (e.g., plug-in card/dongle, external appliances)
- vHSM for virtualized environments
- CloudHSM for cloud setups
- Dongle HSM for mobility solutions
- Tamper resistant

27 Key Terms and Concepts
Hardware Security Module (HSM) Function
- Secure random number generation
- Securely generates, stores and manages cryptographic keys and material for strong authentication and encryption
- Performs symmetric and asymmetric cryptoprocessing
- Can be added later, easy to scale

28 Trusted Cloud Hardware
HSM deployed in Clouds
- Secure and Scalable
- Clean APIs
- Validated HSM HW
- Lower cost, easier maintenance

29 Trusted Cloud Hardware
HSM deployed in Clouds
- Secure and Scalable
- Clean APIs
- Validated HSM HW
- Lower cost, easier maintenance
[Figure from: Amazon AWS Documentation]

30 Trusted Cloud Hardware
Cloud HSM roles and responsibilities
[Figure from: Amazon AWS Documentation]

31 Agenda
- Problem Statement and Examples
- Key Terms and Concepts
- Trusted Cloud Hardware
- Advanced Cryptographic Solutions
- Conclusions

32 Advanced Cryptographic Solutions
- Cryptography as a Service (CaaS)
- Computing on Encrypted Data (Searchable Encryption)
- Attestation

33 CaaS (Cryptography as a Service)
- Cryptographic operations performed by a CaaS provider on behalf of a device-at-risk via web services APIs
- Cryptographic keys are stored within the CaaS provider
- Devices do not possess these keys at any time
  - Much lower benefit for attacker
- Fits well with the Cloud Computing and Virtualization paradigms
- Variants
  - Software-only (riskier)
  - Hardware-enhanced (safer, higher security, higher costs)

34 Examples: CaaS From Cryptography as a Service by Peter Robinson, RSAC

35 CaaS Advantages
- Improved security
  - No important key or data on end points
  - Important key and data securely stored and managed by CSP, HSM
- Performance
  - Offload crypto-processing to dedicated HSM hardware
  - Scalable HSM arrays and web API calls in CaaS

36 CaaS Disadvantages
- All end nodes must authenticate to CaaS first
- Requires network connectivity
  - Certain scenarios do not allow connectivity
  - DoS on the Trusted Cloud Hardware provider
- More complex architecture
- Higher costs and hardware requirements
- Latency and performance penalty/overhead due to web APIs

37 Computing on Encrypted Data
- A direction in:
  - Privacy-Preserving Computation (PPC)
  - Multi-Party Computation (MPC)
- Searchable Encryption (SE)
  - Symmetric Searchable Encryption (SSE)
  - Public-key Encryption with Keyword Search (PEKS)
  - Private-key Searchable Encryption
- Homomorphic Encryption (HE)
- Honey Encryption

38 Computing on Encrypted Data
Why?
- Untrusted third-party search modules
- Untrusted remote/cloud storage
- Storage outsourcing, mail gateways
- Risk of plain-text data compromise

39 Computing on Encrypted Data
Requirements
- Store data externally
- Store data encrypted
- Search data easily
  - Avoid downloading everything then decrypt
- Allow different entities to search data without providing access to plain-text
- Protect
  - Retrieved data
  - Search query
  - Search query result

40 Computing on Encrypted Data
Challenges
- Public key algorithms too slow for large data
  - Main interest in symmetric searchable encryption
- Classic encryption hides all the information
  - Server cannot/shouldn't search
  - Client must search

41 Computing on Encrypted Data
Challenges
- Client must search
  - Client must download entire document/data collection
- Require Secure Indexes (SI) and two-layer searches performed via trapdoors
- A secure index is a data structure that allows a querier with a "trapdoor" for a word x to test in O(1) time only if the index contains x
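
The secure index and trapdoor idea from slide 41, as an added Go example that is not part of the original lecture. It assumes HMAC-SHA256 as the keyed function and a per-document set of codewords; the names (SecureIndex, Trapdoor, BuildIndex, Search, padTo) and the sample documents are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// SecureIndex is what the untrusted server stores for one document: a set of
// opaque codewords instead of the document's words.
type SecureIndex struct {
	DocID     string
	Codewords map[[32]byte]struct{}
}

// prf is HMAC-SHA256 used as a keyed pseudo-random function.
func prf(key []byte, msg string) [32]byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	var out [32]byte
	copy(out[:], m.Sum(nil))
	return out
}

// Trapdoor is computed by the client, the only holder of the master key.
// It lets the server test for one word without learning the word.
func Trapdoor(master []byte, word string) [32]byte {
	return prf(master, strings.ToLower(word))
}

// BuildIndex runs on the client before upload. Each word becomes a codeword
// bound to the document ID, so equal words in different documents do not
// produce equal entries. Random filler pads the set to padTo entries to hide
// how many distinct words the document has.
func BuildIndex(master []byte, docID, text string, padTo int) SecureIndex {
	idx := SecureIndex{DocID: docID, Codewords: map[[32]byte]struct{}{}}
	for _, w := range strings.Fields(text) {
		t := Trapdoor(master, w)
		idx.Codewords[prf(t[:], docID)] = struct{}{}
	}
	for len(idx.Codewords) < padTo {
		var filler [32]byte
		if _, err := rand.Read(filler[:]); err != nil {
			panic(err)
		}
		idx.Codewords[filler] = struct{}{}
	}
	return idx
}

// Search runs on the server. Per document it costs one PRF call and one
// hash-set lookup (the O(1) test); over the whole store it is linear in the
// number of documents, as slide 43 notes.
func Search(indexes []SecureIndex, t [32]byte) []string {
	var hits []string
	for _, idx := range indexes {
		if _, ok := idx.Codewords[prf(t[:], idx.DocID)]; ok {
			hits = append(hits, idx.DocID)
		}
	}
	return hits
}

func main() {
	master := []byte("constructed-demo-master-key-0001") // sample key, not a real secret
	store := []SecureIndex{
		BuildIndex(master, "doc1", "quarterly audit report", 8),
		BuildIndex(master, "doc2", "firmware update report", 8),
	}
	fmt.Println(Search(store, Trapdoor(master, "report")))  // both documents
	fmt.Println(Search(store, Trapdoor(master, "audit")))   // doc1 only
	fmt.Println(Search(store, Trapdoor(master, "payroll"))) // no match
}
```

The server still learns which documents matched a given trapdoor and can recognise a repeated query, which is the leakage behind the adaptive-attacker point on slide 43.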

42 Computing on Encrypted Data
Advantages
- Improved privacy
- Improved security
- If nodes are compromised, only encrypted data is leaked, no important keys and materials are leaked, thanks to (Cloud-)HSM

43 Computing on Encrypted Data
Disadvantages
- Not standardized yet (NIST, FIPS)
- Searching stored documents linear with size of DB
- Adaptive attackers with search-queries can infer existing and future data

44 Examples: Computing on Encrypted Data
Homomorphic Encryption

45 Examples: Computing on Encrypted Data
Searchable Strong Encryption
[Figure from: Powerful Encryption and Key Management for Cloud Applications and Databases with CipherCloud and Gemalto]

46 Attestation
- The process of making a claim about properties of a target system by supplying evidence to a verifier system
- Target system's TPM creates a nearly unforgeable hash key summary of the hardware and software configuration
- This allows a third party (Cloud, HSM) to verify that the software has not been changed

47 Attestation: CaaS and HSM
- Endpoint attestation
  - Attest: device hardware, (parts of) software/memory
- Uses device attestation certificates
  - E.g., TPM AIK = Attestation Identity Key
- CaaS/(Cloud)HSM confirms device manufacturer, model, serial number
- CaaS/(Cloud)HSM confirms device is not tampered with
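
The evidence-and-verifier flow from slides 46 and 47, as an added Go example that is not part of the original lecture. It models the "hash summary" as a TPM-style extend chain and the quote as a signature by the attestation key over that value plus a verifier nonce. Assumptions: ECDSA P-256 stands in for the AIK, SHA-256 for the measurement hash, and all names and boot-chain strings are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrStale = errors.New("nonce mismatch: stale or replayed quote")
	ErrSig   = errors.New("quote not signed by the enrolled AIK")
	ErrState = errors.New("measured state differs from the reference value")
)

// Extend folds one measurement into the register the way a TPM PCR does:
// new = SHA-256(old || SHA-256(component)). Order and content both matter.
func Extend(pcr [32]byte, component []byte) [32]byte {
	m := sha256.Sum256(component)
	return sha256.Sum256(append(pcr[:], m[:]...))
}

// MeasureBoot replays a boot chain starting from the all-zero reset value.
func MeasureBoot(chain [][]byte) [32]byte {
	var pcr [32]byte
	for _, c := range chain {
		pcr = Extend(pcr, c)
	}
	return pcr
}

// Quote is the evidence the target system sends to the verifier.
type Quote struct {
	PCR   [32]byte
	Nonce []byte
	Sig   []byte
}

func quoteDigest(pcr [32]byte, nonce []byte) []byte {
	sum := sha256.Sum256(append(pcr[:], nonce...))
	return sum[:]
}

// NewAIK creates the attestation key (ECDSA P-256 here, an assumption).
func NewAIK() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewNonce is the verifier's fresh challenge, which defeats replayed quotes.
func NewNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// MakeQuote stands in for the TPM signing the register and nonce with the AIK.
func MakeQuote(aik *ecdsa.PrivateKey, pcr [32]byte, nonce []byte) (Quote, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, aik, quoteDigest(pcr, nonce))
	return Quote{PCR: pcr, Nonce: nonce, Sig: sig}, err
}

// Verify is the verifier side (the CaaS/HSM in the slides): freshness first,
// then the AIK signature, then comparison with the known-good value.
func Verify(aikPub *ecdsa.PublicKey, q Quote, nonce []byte, golden [32]byte) error {
	if !bytes.Equal(q.Nonce, nonce) {
		return ErrStale
	}
	if !ecdsa.VerifyASN1(aikPub, quoteDigest(q.PCR, q.Nonce), q.Sig) {
		return ErrSig
	}
	if q.PCR != golden {
		return ErrState
	}
	return nil
}

func main() {
	// Constructed boot chains: a known-good one and one with a modified kernel.
	good := [][]byte{[]byte("bootloader-1.0"), []byte("kernel-5.4"), []byte("agent-2.1")}
	bad := [][]byte{[]byte("bootloader-1.0"), []byte("kernel-5.4-patched"), []byte("agent-2.1")}
	aik, nonce, golden := NewAIK(), NewNonce(), MeasureBoot(good)
	for _, chain := range [][][]byte{good, bad} {
		q, _ := MakeQuote(aik, MeasureBoot(chain), nonce)
		fmt.Println(Verify(&aik.PublicKey, q, nonce, golden))
	}
}
```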

48 Examples: Attestation
Local attestation
[Figure from: Txt Introduction by SVG]

49 Examples: Attestation
Remote attestation
[Figure from: Vpn-info.com. Introduction to Trusted Platform Module.]

50 Examples: Attestation
VMs attestation in Cloud (e.g., Intel TXT/SGX)
[Figure from: Intel TXT]

51 Examples: Attestation
Device attestation on Internet (e.g., ARM TrustZone)
[Figure from: Samsung Knox ISV SDK]

52 Examples: Attestation
Untrusted components attestation (device, VM)
[Figure from: SoftLayer brochure]

53 Agenda
- Problem Statement and Examples
- Key Terms and Concepts
- Trusted Cloud Hardware
- Advanced Cryptographic Solutions
- Conclusions

54 Conclusions
- Cryptographic keys and operations on end nodes are risky
- Software-only solutions have limitations and vulnerabilities
- Hardware enhancements, such as TPM, HSM, can provide strong guarantees for trusted computing
- HSMs in particular are a scalable way towards trusted cloud hardware

55 Conclusions
- Trusted cloud hardware is a basic building block towards advanced cryptographic solutions
- CaaS paradigm can assure strong crypto primitives and guarantees even to the most limited end nodes with connectivity
- Searchable Encryption can assure that critical data is usable and still safe even after compromise, as critical crypto keys never leave trusted cloud hardware
- Attestation can assure that a platform is either in a trusted state (secure), or detected as untrusted (compromised)

56 Thank you!

57 End to end example

58 End to end example
Time: Manufacturing
- Device is programmed with
  - Device ID (e.g., serial number)
  - Start-up Entropy (e.g., devices constrained)
  - Manufacturer public key (used for verification of software/firmware/configuration updates)
- Manufacturer puts bootstrap information onto device

59 End to end example
Time: Installation
- Device gets software update:
  - Signed by private key of manufacturer (e.g., verify)
  - Contains provider public key
    - Device can verify (control) messages from cloud
    - Provider can decrypt (data) messages from device
- Provider puts more bootstrap information onto device

60 End to end example
Time: Installation
- Device authenticates to CaaS
- CaaS sends to device
  - Signed by private key of provider
  - Additional entropy (e.g., from (Cloud-)HSM) to support strong crypto
  - Server's ephemeral EC details for ECDH key agreement
  - Can be encrypted with initial symmetric key (e.g., device id + pin)

61 End to end example
Time: Installation
- Device sends to CaaS
  - Encrypted with public key of provider
  - Device's public key
  - Device's ephemeral EC details for ECDH agreement
- Device and CaaS use ECDH to derive a shared symmetric AES key
- Device has public key of provider
- CaaS has the public key of device
- Device and CaaS can communicate securely

62 End to end example
Time: Usage
- CaaS/server to device: AES symmetric encrypted control message
  - Signed by CaaS with CaaS private key
  - Verified by device with CaaS public key
- Device to CaaS/server: AES symmetric encrypted status message
  - Signed by device with device private key
  - Verified by CaaS with device public key

63 End to end example
- VM has NO keys
- CaaS/server has keys
- Device has keys
- Device keys generated with help of CaaS/HSM
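
The installation and usage steps of slides 60 to 62 with both sides' messages, as an added Go example that is not part of the original lecture: signed ephemeral ECDH shares, a derived AES key, then signed AES-encrypted control and status messages. Assumptions: each side already holds the other's long-term ECDSA P-256 public key, so the public-key encryption of the device's first message, the entropy delivery and the initial device id + pin key are left out; AES-256-GCM and a single SHA-256 key derivation are choices made for this sketch, and all names are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrAuth = errors.New("signature check failed")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func digest(parts ...[]byte) []byte { // SHA-256 over the concatenated parts
	sum := sha256.Sum256(bytes.Join(parts, nil))
	return sum[:]
}

// Party is one end (device or CaaS): long-term signing key, ephemeral ECDH key, AES-GCM state.
type Party struct {
	Sign *ecdsa.PrivateKey
	eph  *ecdh.PrivateKey
	aead cipher.AEAD
}

func NewParty() *Party {
	return &Party{Sign: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)),
		eph: must(ecdh.P256().GenerateKey(rand.Reader))}
}

type Share struct{ EphPub, Sig []byte } // "ephemeral EC details", signed by the sender

func (p *Party) SignedShare() Share {
	pub := p.eph.PublicKey().Bytes()
	return Share{EphPub: pub, Sig: must(ecdsa.SignASN1(rand.Reader, p.Sign, digest(pub)))}
}

// Finish authenticates the peer's share, runs ECDH and derives the AES-256 key.
func (p *Party) Finish(s Share, peer *ecdsa.PublicKey) error {
	if !ecdsa.VerifyASN1(peer, digest(s.EphPub), s.Sig) {
		return ErrAuth // share was not signed by the expected peer
	}
	pub, err := ecdh.P256().NewPublicKey(s.EphPub)
	if err != nil {
		return err
	}
	secret, err := p.eph.ECDH(pub)
	if err != nil {
		return err
	}
	// Simplified KDF (assumption): SHA-256 over a label and the ECDH secret.
	key := digest([]byte("caas-demo-aes-key"), secret)
	p.aead = must(cipher.NewGCM(must(aes.NewCipher(key))))
	return nil
}

type Msg struct{ Nonce, Ciphertext, Sig []byte } // AES-GCM output plus sender's signature

// Seal encrypts with the shared AES key and signs with the sender's private key.
func (p *Party) Seal(plaintext []byte) Msg {
	nonce := make([]byte, p.aead.NonceSize())
	must(rand.Read(nonce))
	ct := p.aead.Seal(nil, nonce, plaintext, nil)
	return Msg{Nonce: nonce, Ciphertext: ct,
		Sig: must(ecdsa.SignASN1(rand.Reader, p.Sign, digest(nonce, ct)))}
}

// Open verifies the sender's signature first, then decrypts.
func (p *Party) Open(m Msg, sender *ecdsa.PublicKey) ([]byte, error) {
	if !ecdsa.VerifyASN1(sender, digest(m.Nonce, m.Ciphertext), m.Sig) {
		return nil, ErrAuth
	}
	return p.aead.Open(nil, m.Nonce, m.Ciphertext, nil)
}

func main() {
	device, caas := NewParty(), NewParty()
	// Installation: each side authenticates the other's share and derives the key.
	e1 := device.Finish(caas.SignedShare(), &caas.Sign.PublicKey)
	e2 := caas.Finish(device.SignedShare(), &device.Sign.PublicKey)
	// Usage: CaaS sends an encrypted, signed control message (constructed sample).
	pt, e3 := device.Open(caas.Seal([]byte("set-report-interval=60")), &caas.Sign.PublicKey)
	fmt.Printf("handshake errs: %v %v; device received %q (err=%v)\n", e1, e2, pt, e3)
}
```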
More informationProtecting Keys/Secrets in Network Automation Solutions. Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel
Protecting Keys/Secrets in Network Automation Solutions Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel Agenda Introduction Private Key Security Secret Management Tamper Detection Summary
More informationLecture Secure, Trusted and Trustworthy Computing Trusted Platform Module
1 Lecture Secure, Trusted and Trustworthy Computing Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Winter Term 2015/2016 Roadmap: TPM Introduction
More informationAdvanced Android Security APIs. KeyStore and Crypto VPN
Advanced Android Security APIs KeyStore and Crypto VPN 1 KEYCHAIN AND CRYPTO APIS Like any other OS: support for crypto operations - SecureRandom: generate cryptographically secure random data E.g., seeding
More informationDistributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing
Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing 02/06/14 Goals Understand principles of: Authenticated booting, diference to (closed) secure
More informationOracle Solaris Kernel Cryptographic Framework Software Version 1.0 and 1.1
Oracle Solaris Kernel Cryptographic Framework Software Version 1.0 and 1.1 FIPS 140-2 Non-Proprietary Security Policy Level 1 Validation Version 1.2 12/12/2013 Copyright 2013 Oracle Corporation Table of
More informationSGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut
SGX Security Background Masab Ahmad masab.ahmad@uconn.edu Department of Electrical and Computer Engineering University of Connecticut 1 Security Background Outline Cryptographic Primitives Cryptographic
More informationUses of Cryptography
Uses of Cryptography What can we use cryptography for? Lots of things Secrecy Authentication Prevention of alteration Page 1 Cryptography and Secrecy Pretty obvious Only those knowing the proper keys can
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 11 Basic Cryptography Objectives Define cryptography Describe hashing List the basic symmetric cryptographic algorithms 2 Objectives
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 24a December 2, 2013 CPSC 467, Lecture 24a 1/20 Secure Shell (SSH) Transport Layer Security (TLS) Digital Rights Management and Trusted
More informationARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1
ARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1 FIPS 140-2 Non-Proprietary Security Policy Level 3 Validation April 2012 Copyright 2012 Algorithmic Research This document
More information6.857 L17. Secure Processors. Srini Devadas
6.857 L17 Secure Processors Srini Devadas 1 Distributed Computation Example: Distributed Computation on the Internet (SETI@home, etc.) Job Dispatcher Internet DistComp() { x = Receive(); result = Func(x);
More informationSymantec Corporation
Symantec Corporation Symantec PGP Cryptographic Engine FIPS 140-2 Non-proprietary Security Policy Document Version 1.0.4 Revision Date 05/01/2015 Symantec Corporation, 2015 May be reproduced only in its
More informationCisco Desktop Collaboration Experience DX650 Security Overview
White Paper Cisco Desktop Collaboration Experience DX650 Security Overview Cisco Desktop Collaboration Experience DX650 Security Overview The Cisco Desktop Collaboration Experience DX650 (Cisco DX650)
More informationSecuring IoT with the ARM mbed ecosystem
Securing IoT with the ARM mbed ecosystem Xiao Sun / Senior Applications Engineer / ARM ARM mbed Connect / Shenzhen, China December 5, 2016 Lots of interest in IoT security Researchers are looking into
More informationJuniper Networks Pulse Cryptographic Module. FIPS Level 1 Security Policy Version: 1.0 Last Updated: July 19, 2013
Juniper Networks Pulse Cryptographic Module FIPS 140-2 Level 1 Security Policy Version: 1.0 Last Updated: July 19, 2013 Juniper Networks, Inc. 1194 N. Mathilda Ave Sunnyvale, CA 94089 Copyright 2013 Juniper
More informationFIPS Security Policy UGS Teamcenter Cryptographic Module
FIPS 140-2 Security Policy UGS Teamcenter Cryptographic Module UGS Corp 5800 Granite Parkway, Suite 600 Plano, TX 75024 USA May 18, 2007 Version 1.3 containing OpenSSL library source code This product
More informationBCA III Network security and Cryptography Examination-2016 Model Paper 1
Time: 3hrs BCA III Network security and Cryptography Examination-2016 Model Paper 1 M.M:50 The question paper contains 40 multiple choice questions with four choices and student will have to pick the correct
More informationTrusted Platform Module explained
Bosch Security Systems Video Systems Trusted Platform Module explained What it is, what it does and what its benefits are 3 August 2016 2 Bosch Security Systems Video Systems Table of contents Table of
More informationDistributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing
Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing 30/05/11 Goals Understand principles of: Authenticated booting The difference to (closed) secure
More informationApplications of Attestation:
Lecture Secure, Trusted and Trustworthy Computing : IMA and TNC Prof. Dr. Ing. Ahmad Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Winter Term 2011/2012 1 Roadmap: TC
More informationAdding value to your MS customers
Securing Microsoft Adding value to your MS customers Authentication - Identity Protection Hardware Security Modules DataSecure - Encryption and Control Disc Encryption Offering the broadest range of authentication,
More informationCSE484 Final Study Guide
CSE484 Final Study Guide Winter 2013 NOTE: This study guide presents a list of ideas and topics that the TAs find useful to know, and may not represent all the topics that could appear on the final exam.
More informationQUANTUM SAFE PKI TRANSITIONS
QUANTUM SAFE PKI TRANSITIONS Quantum Valley Investments Headquarters We offer quantum readiness assessments to help you identify your organization s quantum risks, develop an upgrade path, and deliver
More informationFIPS Management. FIPS Management Overview. Configuration Changes in FIPS Mode
This chapter contains the following sections: Overview, on page 1 Configuration Changes in FIPS Mode, on page 1 Switching the Appliance to FIPS Mode, on page 2 Encrypting Sensitive Data in FIPS Mode, on
More informationKeys for Success: Today s Landscape of IoT Technologies and Security Standards
Keys for Success: Today s Landscape of IoT Technologies and Security Standards Pratul Sharma, Technical Marketing Manager, ARM Amit Shah, VP R&D, Alcatel-Lucent mbed Sponsored session/ ARM Tech Con 2015
More informationRandomness Extractors. Secure Communication in Practice. Lecture 17
Randomness Extractors. Secure Communication in Practice Lecture 17 11:00-12:30 What is MPC? Manoj Monday 2:00-3:00 Zero Knowledge Muthu 3:30-5:00 Garbled Circuits Arpita Yuval Ishai Technion & UCLA 9:00-10:30
More informationTRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?
Overview TRUSTED COMPUTING Why trusted computing? Intuitive model of trusted computing Hardware versus software Root-of-trust concept Secure boot Trusted Platforms using hardware features Description of
More informationSlides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013
Digital Signatures Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013 Digital Signatures Diagram illustrating how to sign a message Why do we use a one-way hash? How does a collision
More information