Securing IoT devices with STM32 & STSAFE Products family. Fabrice Gendreau Secure MCUs Marketing & Application Managers EMEA Region

Similar documents
Securing IoT devices with Hardware Secure Element. Fabrice Gendreau EMEA Secure MCUs Marketing & Application Manager

Connecting Securely to the Cloud

New STM32WB Series MCU with Built-in BLE 5 and IEEE

Provisioning secure Identity for Microcontroller based IoT Devices

Trusted Platform Modules Automotive applications and differentiation from HSM

New STM32WB Series MCU with built-in Bluetooth 5 and IEEE

Achieving a legacy cellular security level. Sonia CORRARD Avnet Silica Romain Tesnière Avnet Silica

Atmel Trusted Platform Module June, 2014

WHAT FUTURE FOR CONTACTLESS CARD SECURITY?

DesignWare IP for IoT SoC Designs

Cyber security of automated vehicles

Microcontrollers. Claude Dardanne Executive Vice President, General Manager, Microcontrollers, Memory & Secure MCU Group.

AT90SDC10X Summary Datasheet

A Developer's Guide to Security on Cortex-M based MCUs

AT90SO36 Summary Datasheet

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

Market Trends and Challenges in Vehicle Security

Smart Grid Embedded Cyber Security: Ensuring Security While Promoting Interoperability

T he key to building a presence in a new market

Renesas Synergy MCUs Build a Foundation for Groundbreaking Integrated Embedded Platform Development

Titan silicon root of trust for Google Cloud

Security of Embedded Hardware Systems Insight into Attacks and Protection of IoT Devices

AT90SO72 Summary Datasheet

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Windows 10 IoT Core Azure Connectivity and Security

MASP Chapter on Safety and Security

Trusted Execution Environments (TEE) and the Open Trust Protocol (OTrP) Hannes Tschofenig and Mingliang Pei 16 th July IETF 99 th, Prague

$263 WHITE PAPER. Flexible Key Provisioning with SRAM PUF. Securing Billions of IoT Devices Requires a New Key Provisioning Method that Scales

IDCore. Flexible, Trusted Open Platform. financial services & retail. Government. telecommunications. transport. Alexandra Miller

Security in NFC Readers

CardOS Secure Elements for Smart Home Applications


The Open Application Platform for Secure Elements.

Resilient IoT Security: The end of flat security models

Trustzone Security IP for IoT

STMicroelectronics NATIXIS Payment Solutions Conference

Delivering High-mix, High-volume Secure Manufacturing in the Distribution Channel

PKI Credentialing Handbook

Spotlight on IoT Security. Choose the right security for the Internet of Things.

STMicroelectronics Payment Solutions. December 6 th 2012

Designing Security & Trust into Connected Devices

IoT connectivity made easier STM32 MCUs & LoRa

Security+ SY0-501 Study Guide Table of Contents

BCM58100B0 Series: BCM58101B0, BCM58102B0, BCM58103B0 Cryptographic Module VC0 Non-Proprietary Security Policy Document Version 0.

Secure automotive on-board networks

The Next Steps in the Evolution of Embedded Processors

AN12120 A71CH for electronic anticounterfeit protection

CYBERSECURITY AND SERVICE STATIONS

Platform Level Security For IoT Devices. Bob Waskiewicz Applications Engineer

The Future of Smart Cards: Bigger, Faster and More Secure

M2MD Communications Gateway: fast, secure, efficient

Security in sensors, an important requirement for embedded systems

Scott Johnson Dominic Rizzo Parthasarathy Ranganathan Jon McCune Richard Ho. Titan: enabling a transparent silicon root of trust for Cloud

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

Emerging Financial Payment Applications Powered by Freescale Security Solutions

STM32G0 MCU Series Efficiency at its Best

mbed OS Update Sam Grove Technical Lead, mbed OS June 2017 ARM 2017

Designing Security & Trust into Connected Devices

Oberon M2M IoT Platform. JAN 2016

Wearable Technologies and the IoT. David Lamb Market Development Manager, North Europe STMicroelectronics

Beyond TrustZone Security Enclaves Reed Hinkel Senior Manager Embedded Security Market Develop

Secure Elements 101. Sree Swaminathan Director Product Development, First Data

TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing

Kinetis + mbed = the secure connection in IOT

ARM Security Solutions and Numonyx Authenticated Flash

Easy Incorporation of OPTIGA TPMs to Support Mission-Critical Applications

g6 Authentication Platform

Secure Application Trend in Smartphones. STMicroelectronics November 2017

SECURITY OF CPS: SECURE EMBEDDED SYSTEMS AS A BASIS

Smart Card ICs. Dr. Kaushik Saha. STMicroelectronics. CSME 2002 (Chandigarh, India) STMicroelectronics

Date: 13 June Location: Sophia Antipolis. Integrating the SIM. Dr. Adrian Escott. Qualcomm Technologies, Inc.

Security Requirements for Crypto Devices

CREDENTSYS CARD FAMILY

Getting to Grips with Public Key Infrastructure (PKI)

econet smart grid gateways: econet SL and econet MSA FIPS Security Policy

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Securing IoT with the ARM mbed ecosystem

STM32 Cortex-M3 STM32F STM32L STM32W

Authentication Technology for a Smart eid Infrastructure.

SECURITY CRYPTOGRAPHY Cryptography Overview Brochure. Cryptography Overview

WAP Security. Helsinki University of Technology S Security of Communication Protocols

6.857 L17. Secure Processors. Srini Devadas

Windows IoT Security. Jackie Chang Sr. Program Manager

Introducing STM32 L0x Series. April

ARM TrustZone for ARMv8-M for software engineers

ST33F1M, ST33F1M0, ST33F896, ST33F768, ST33F640, ST33F512

Trusted Platform Module explained

A Multi-Application Smart-Card ID System for George Mason University. - Suraj Ravichandran.

M2MD Communications Gateway: fast, secure and efficient

Chip Lifecycle Security Managing Trust and Complexity

Trojan-tolerant Hardware & Supply Chain Security in Practice

Beyond TrustZone PSA. Rob Coombs Security Director. Part1 - PSA Tech Seminars Arm Limited

ARM mbed mbed OS mbed Cloud

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

STSAFE-A100. Authentication, state-of-the-art security for peripherals and IoT devices. Features. Hardware features. Security features.

ST33F1M. Smartcard MCU with 32-bit ARM SecurCore SC300 CPU and 1.25 Mbytes high-density Flash memory. Features. Hardware features.

Introducing Hardware Security Modules to Embedded Systems

ARM European Technical Symposium The security challenges that IoT and Mobile Computing Devices are facing. Pierre Garnier, COO

Azure Sphere Transformation. Patrick Ward, Principal Solutions Specialist

New Approaches to Connected Device Security

Transcription:

Securing IoT devices with STM32 & STSAFE Products family Fabrice Gendreau Secure MCUs Marketing & Application Managers EMEA Region

2 The leading provider of products and solutions for Smart Driving and the Internet of Things Smart Things Smart Home & City Smart Industry Smart Driving

3 Banking, ID Authentication ST31 STS3921/22- ST53 STSAFE & Custom PayTV, Transport & Banking, ID Smart World & Internet of things / Mobile security ST33 - ST21NFC ST54 Mobile & Secure NFC M2M & Automotive Wearable

is all about risk management 4 Understand the value of the Assets you are going to protect, taking into account all stake holders Understand your Threats and Vulnerabilities Develop a security strategy to reduce Risk, using right level of security for the value of the Assets being protected Make use of the integrity and cryptographic tools available

5 Threats Needs Answer Device Cloning & Counterfeiting A cloned device compromises OEM revenues A counterfeited device compromises OEM brand IoT network or cloud application is polluted by fake devices sending erroneous data Resistance against cloning, hacking Device authentication Device to device Device to server User data corruption & eavesdropping Data travel in clear over the network and expose some personal data An corrupted measurement is sent to the cloud Data privacy & confidentiality Secure Data storage Secure Data communication Encryption & signature Device malfunction An erroneous command is sent to an actuator by a fake server A malware is injected in a device to modify its behavior Prevent denial of service Platform Integrity Secure Boot Secure Firmware Upgrade Authentication and Encryption strength depends on how well keys are protected

6 ATTACKS Remote Misuse of network protocols Box Internet software attack Exploit communication protocol errors Flaws in software design / implementation With the case opened / removed Test / debug port access Board level Inter device bus and IO probing BOX attack Reset, clock attacks Power analysis Temperature / electrical attacks (glitch, overvoltage) Silicon level attack Device de-packaged Circuit analysis and probing Laser fault injection

7 ATTACKS SOLUTIONS Remote software Box Internet attack Adding Secure Element Board level Solution with GP MCUs Add a Certified (CC EAL5+) Secure Element for security improvements BOX attack which guaranties optimum security against Remote, Board and Silicon level attack Silicon level attack Use a MCU s security features offering various security levels linked to FW security development knowhow by customers Read out protection level Write protection Execute only PCROP Memory Protection Firewall Crypto accelerator engine Secure Firmware install Backup RTC RAM memory Protection against faults injection Protection against side-channel attacks Monitoring of environmental parameters Memory obfuscation, Active shields Strong authentication / crypto services Secure key storage and handling Secure code storage and execution Secure key provisioning

8 Cryptography is the mathematical toolbox providing security services to build secure systems Whatever Symmetric (AES) or Asymmetric (RSA, ECC) cryptography Security mechanism rely on secrets Secrets are keys Level of Security depends on how secrets are generated, stored, and handled

MCU-based devices : possible architectures 9 Keys stored in General Purpose MCU or in a key container as a Secure Element Device Radio General Purpose MCU OR Device Radio General Purpose MCU Sensors Application Key Key Sensors Application Use MCU s embedded security features offering protection against non-invasive attacks Secure Element Add a Certified (CC EAL5+) Secure Element Key Key which guarantees state of the art security protection against physical and logical attacks

10 Software Attacks Non-Invasive Attacks Memory Protection Unit (MPU) Firewall Read Out memory protection Write memory protection Proprietary Code Read-Out Protection (PCROP) RNG, Crypto accelerator, CRC Memory ECC, Parity check Read while write Secure Firmware Install JTAG Read out protection BOOT from Flash only Tamper pads RTC alarm, registers, SRAM mass erase Power supply integrity monitor Clock security system Temperature sensor Invasive Attacks GP MCUs not designed to resist against advanced security attacks

11 A Secure Element (SE): is a tamper-resistant platform (typically a one chip secure microcontroller) capable of securely hosting applications and storing their confidential and cryptographic data in accordance with the rules and security requirements set forth by a set of well-identified trusted authorities

Secure Element Trusted Security Development, Production and Personalization 12 Non-Invasive attacks Semi-Invasive attacks Invasive Embedded Data, Application Material & IP Theft Fault Injection Physical Attacks (Flash / EEPROM) Secure manufacturing Dedicated architecture Shields and development environments Product lifecycle and design Hardware and Software countermeasures Intrusion detectors Obfuscation Embedded Code (Flash or ROM) management Security evaluated by independent 3rd party laboratories Hardware according to defined rules and rankings

13 STSAFE-A STSAFE-TPM STSAFE-J Optimized SE Standardized SE Flexible Java Card SE Key Function Authentication, Encryption, Signature, Secure Storage Platform integrity measurement and reporting Running Specific Applications Firmware Native OS Providing dedicated Crypto Services TCG compliant OS TPM 1.2 or 2.0 commands set CC EAL4+ certified FIPS 140-2 certified Java Card OS 3.0.4 Global Platform 2.1.1 CC EAL5+ certified Hardware Secure Microcontroller Secure Core CPU / ROM or FLASH memory / Hardware Crypto Accelerators RSA, ECC, DES, AES CC EAL5+ or EAL6+ certified

Combining Secure Element with local Host MCU Enabling easy of use security services for IoT developers 14 COMMUNICATION General Purpose MCU Sensors General Purpose MCU APPLICATION I2C / SPI / ISO Demonstration & Prototyping Tools STSAFE-A Secure Element Host software libraries SECURITY Key Key Secure System on chip with Personalization

Combining STSAFE-A to local Host MCU Highly secure & cost optimized solution for connected devices 15 Authentication (devices to servers) Secure communication (Integrity & Confidentiality) Secure Data storage Signature verification (Secure Boot & Secure Firmware update) Secure key provisioning service EAL5+ Common Criteria certified chip Seamless integration with GP MCU

1 st Use case example : Peripheral authentication 16 Remote server IOT device GP MCU Secure Element CA Certificate I2C IOT Certificate Wire or wireless connection USB, WiFi, Lora Requests IOT Certificate CA Certificate IOT Certificate Read certificate Return IOT device X509 Certificate Read(Index 0) Return Certificate Provides X509 certificate from data partition Index 0 Uses CA certificate to verify IOT Certificate Generates Random Verifies signature using IOT certificate Request authentication(random) Return Signature generate signature(random) Return Signature Signs Random with secret private key If signature is verified, IOT device is authenticated

Remote server IOT device 2 nd Use case example : TLS Handshake V1.2 (RFC 5246) 17 CA Certificate Host Certificate Wire or wireless connection GP MCU I2C Secure Element IOT Certificate CA Certificate USB, WiFi, Lora Replies algorithms choices Client Hello (client random) Server Hello (server random) Client provides supported TLS version, algorithms and a random Provides X509 certificate and signed random Request IOT device X509 certificate Provides EC public key and the curve to use Verifies IOT Device certificate and authenticate IOT device Computes Diffie-Hellman shared secret Starts exchange ciphering Certificate (), signed client random Certificate Request () Server Key Exchange () Server Hello done () Certificate (), signed server random Client Key Exchange () Certificate Verify () Change Cipher Spec () Client Finished () Change Cipher Spec () Server Finished () Processing - Verify Server host certificates with CA certificate - Authenticate server verifying signature - Generate ephemeral EC key pairs - Computes shared secret using Remote server public key Provides IOT device X509 certificate and signed random Provides ephemeral public key Starts exchange ciphering

Secure Element personalization service Securing IoT devices manufacturing 18 CERTIFICATIONS Configure administration and transport keys Hardware Security Module ST factory personalization Interaction with customer Configuration Customer certificate Compute customer secrets Personalize product : Put secret keys Store certificates Hardware Development Firmware Development Diffusion & Test Prepersonalization Package Personalization CUSTOMER Development Phase Fabrication & personalization phases Approved by

Secure Element seamless integration A comprehensive set of tools and services STSAFE Nucleo Expansion STSAFE Toolkit PC application Personalization service Host library Example codes 19

Scalable Security Platform for IoT Devices powered by STSAFE, ProvenCore-M & STM32 20 Ensuring platform integrity STM32L4 MCU For faster, reliable and robust applications development ProvenCore -M Secure Operating System For application isolation, stability and integrity of the platform STSAFE -A Secure Element Providing secure storage, crypto-services to strengthen secure boot & firmware update

Secure Cloud Connectivity with STSAFE-A 21 STSAFE-A100 secure and ease devices registration to Amazon Web Services Device by device registration with STSAFE-A100 standard personalization for evaluation Devices JIT(just in time) registration to AWS with STSAFE-A100 preconfigured for AWS Allow mass devices automatic registration to AWS STSAFE-A100 TLS secure connection STSAFE-A100 evaluation Kit Security for Amazon Web Services establishment

Secure Sigfox Ready TM Connectivity powered by STSAFE-A, S2-LP & STM32 22 Ultra-low-power Sensor-to-Cloud Connectivity out-of-the-box S2-LP Ultra-low power, high performance, Sub-1GHz RF transceiver S2-LP evaluation Kit STEVAL-FKI868V1 (*) 868MHZ STEVAL-FKI915V1 (*) - 915MHz + PA (*) SIGFOX End Product certified STSAFE-A1SX Plug and play certified security HW CC EAL5+ STM32L STSAFE-A1SX evaluation Kit Security for Sigfox Ready TM Ultra-low-power MCU portfolio

Secure LoRaWAN TM Connectivity powered by STSAFE-A1LR & STM32L 23 G+D, Murata, and STMicroelectronics Bring Flexible and Efficient Security Solutions to LoRaWAN TM devices http://www.st.com/content/st_com/en/about/media-center/press-item.html/t3957.html The solution consists of : G+D s Key Management System STM s STSAFE-A secure element attached to STM32 general-purpose microcontroller MURATA s LoRaWAN module

24 Security is becoming a major concern for IoT devices makers A security breach could lead to loss of consumer confidence, loss of brand reputation and loss of businesses! Start with your own risks assessment, understanding the value of assets for all the stake holders Perform a Threats analysis to better understand your Risks Remember Confidentially, Availability and Integrity Define your security policy in order to reduce the risks Hackers will go after the weakest links in the system not necessarily directly to their target Develop your solution resilient against attacks through out its whole life-cycle By using MCU s embedded security features for protection against non-invasive attacks And adding a companion Secure Element which guaranties state of the art security protection

Secure Solutions Ensuring your peace of mind http://www.st.com/en/secure-mcus/authentication-secure-iot.html

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback