SSG Platform Security Division & IOTG Jan Krueger Product Manager IoT Security Solutions
THIS SLIDE MUST BE USED WITH ANY SLIDES REMOVED FROM THIS PRESENTATION Legal Disclaimers Intel technologies features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at www.intel.com. Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more information go to http://www.intel.com/performance. All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps. Copyright 2017 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel Inside, the Intel Inside logo, and Intel Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others. 2
Security Breaches - How they Happen Default Passwords Poor, Manual Device provisioning Delayed Image updates Lack of Security Designed in to HW
IoT Security Is Essential to Scale IoT Deployments HW Security is an IOT Priority Best practice guidelines Customer Requirement Barrier to IoT Adoption* Hackers exploiting poor device security Most Important Items for IOT Platform* RFP Isolation & added protections of HW security has recognized role Requirements to secure YOUR platforms and solutions. HW based security moving from shadows to key RFP requests Security solutions Designed-in to HW are keys to accelerating adoption and scale *35% of respondents Gartner 2016 IoT Backbone Survey 4
Intel Security Strategy and Solutions On-Demand Lifecycle Services accelerating IIoT / IoT Solutions Intel Secure Device Onboard - Provisioning of Device Trust and Credentials Remote Device Health Attestation Customer / Eco System Unified Application security API IOT sf requirements Authentication and Authorization Privacy Device Hardware and Physical Security Device Application Integrity and Authenticity Encryption and Key Management (Hardware) Security Usages HW & SW platform authentication; local and remote Ensure HW & SW image are in expected knowngood, non-compromised configuration Enables trusted apps to run sensitive code, data, and store credentials in HW isolated enclaves Protected memory for data at rest and in use On chip Trusted Platform Module cryptographic functions Designed-in foundation HW/SW Identity Platform Integrity Trusted Execution Crypto / Protect Storage
#
Base Platform- Security Accelerators Surface Area Protected Data/Keys Apps OS/VMM BIOS/FW Offload Crypto to Main CPU Crypto - Intel Data Protection Technology with AES-NI, SHA-NI, SHA256, RDRAND, RDSEED, ECC. vpro=fips 140-2 L1 Crypto Block. FPGA-Security Assist Intel SoC FPGA Crypto Accelerators Maximize CPU performance with crypto offload. Extend the life of MCUs that may risk running out of performance as security needs change. Intel SoC FPGAs allow security protocols to move from software to custom hardware even after deployment-extending product lifetime. Intel Stratix 10 Secure Device Manager - Fully configurable & authenticated boot, configuration schemes, secure key mgt/storage, and tamper resistance to create an isolated co-processor Security Performance Min Max 10
OS Hardening-Memory, Virtualization Surface Area Protected Data/Keys Apps OS/VMM BIOS/FW Malware Protection- Intel Platform Protection Technology with OS Guard (privilege-escalation attacks), SMEP, SMAP Virtualization & VM Isolation - Intel VTx (CPU), Intel VTd (I/O), VmFunc (Hypervisor) 8
Base Platform Identity- Intel Enhanced Privacy ID Surface Area Protected Data/Keys Apps OS/VMM BIOS/FW TCG/ISO standard with open source SDK Remotely attests device HW ID as part of valid group without revealing identity Removes Intel from directly authenticating the device during the provisioning process Unique, In-demand, Proven - 2.7 billion keys distributed with IA & non-ia platforms. Simplifies key management & distribution Prevents Attack Mapping - Protects device data vs PKI that reveals data to hack device Intel EPID 1-to-many key match, unique signature every time, ANONYMOUS EPID vs. PKI Traditional PKI 1-to-1 key match, standard signature every time Enables zero touch device provisioning with onboarding services Pvt-Key 1 Pvt-Key 2 Pvt-Key X Pvt-Key Immutable hardware root of trust for IoT networks to Identify devices & secure their communications 9
Protected Boot Solutions for Platform Integrity Ecosystem Firmware - Partner & TianoCore.org UEFI open source implementations Surface Area Protected Data/Keys SW Stack Apps OS/VMM BIOS/FW Intel Platform Protection Technology with Boot Guard Cryptographically verifies first portion of OEM bios code executing out of reset. Intel Platform Protection Technology with BIOS Guard-protection against BIOS recovery attacks. Ecosystem Values - OEMs & ISV s like as Boot Guard adds robustness to chain of trust process where UEFI boot process cryptographically verifies and/or measures each software module before executing it. Enabling - Requires BIOS enabling and OEM support in signing of the policy manifests, hashing of BIOS boot block module, programming the hash of OEM public key and boot policies in field programmable fuses. Supports both TPM families TPM 1.2 and TPM2.0 and also PTT as part of measured boot Reset Boot Guard Component and Sequence Scope of Coreboot Boot Guard Scope Boot Guard Initial Boot Block IBB Payload: Coreboot UEFI uboot OS Loader OS direct Platform Trust Technology, firmware Trusted Platform Module (TPM) 2.0
Transitive Trust Chain Firmware TPM - Intel Platform Trust Technology Surface Area Protected Data/Keys Intel Platform Trust Technology (Intel PTT)- HW TPM 2.0 implementation integrated in Intel ME/CSME/TXE security engines for credential storage and key management. Device Stack Applications Apps OS/VMM BIOS/FW Secure trust element to meet requirements for TPM 2.0 Measured Boot for remote attestation Systems boot block is measured by HW/FW and successfully attests if unaltered No protection for applications 0011000101 1100010100 Trusted Code Operating System Kernel Boot Loader Hardware RoT CPU & Boot Sequence Fuses/ ROM Key Intel PTT Trusted Storage for Measurements Measured Boot to TPM Flow 12
Trusted Execution Environment Protected App Enclave Surface Area Protected Data/Keys Apps OS/VMM BIOS/FW Intel Software Guard Extensions (Intel SGX) memory-architecture extension designed to protect select code or data from disclosure or modification. Enables trusted in-app enclaves, which are protected areas of execution in memory. Intel Dynamic Application Loader - Intel signed & verified 3rd party java applets run in separate VM sand box within ME/Intel TXE security co-processor. Trusted apps given controlled access to security resources and services. Apollo Lake specific. TEE CO DE DA TA SNOOP SGX=on over 70 Ecosystem Platforms, Major CSP Blockchain Announcements-Azure, Alibaba, Fortranix 9
E-to-e Edge to cloud IOT Security Channel software Solutions #
Wind River Helix* Device Cloud Device Management Connect, Operate, Protect Security Specific Capabilities Rest API Secure Signed Update - OTA/FOTA integrity checked software or kernel update over encrypted channel. Reconfigure anything to respond to vulnerabilities Management Console Customer s IOT Platform & Apps Security Monitoring - alerts, secure logs, & ability to remotely decommission device Management Server - DDOS, anti spoofing, script & forgery protection Secure Update Package Deploy Decommission Full Device Monitor Device OS Device Cloud Agent Lifecycle Update Service Manage 14
On-demand Platform Trust Services
Intel Secure Device Onboard Automation - Takes seconds at power on Security - Unique HW protected onboarding w/privacy Dynamic Provisioning to customer s IoT platform of choice Scale - 1-to-many enablement for device makers INTEL SECURE DEVICEONBOARD Hardware Security Device Zero-touch IoT Platform Provider Intel Ecosystem Secure wants Device automated Onboard drives SIM scalability like approach to move that POCs ties identity to production. to platform Increases initiated devices activation. in use. No-one is solving. 16
Enabling Tools Supply Chain - traceability signing tool Silicon Providers EPID SDK Device Intel EPID SDK TEE Onboard Client Mgr Agent Initial Device Identification (EPID Attestation) 2 Intel Secure Device Onboard Take Ownership 4 ONBOARD ATTEST SDO Service Identification 3 1 IoT Platform Service Provider Platform Registration Service Onboard API Device Mgt Service Supplier Ownership Proxy New Owner CSP/ISV Toolkit - integrate onboard API into their IoT Platform OEM Credential Toolkit - board and gateways - integrate client software into their platfrom Device securely on-boarded under Normal Platform Control 17
#
Secure IoT Smart Camera Mitigated Attacks 2 Default Credential Leave device vulnerable to cyberattacks. In 2014-73,011 security cameras were secured only by default credentials (i.e User: admin, Password: admin) 6 Missed FW/SW Update Not updated or older FW leaves device vulnerable to known exploits. 5 Camera plugin Weak P2P (Cloud) Link Weakness may grant remote hacker access to the local network from any remote location Web App CGI process P2P (Cloud) Agent Services (telnet, httpd, sshd, etc) SOC Linux Kernel Bootloader emmc/ SDXC SRAM COMMS 3 7 Insecure data-in-transit Sending unencrypted video 3 streams in the clear increases data privacy risks App Services Kernel FW HW 1 2 4 5 Intel Boot Guard Enforced secure boot allowing only signed & untampered firmware to run Intel secure device onboard Provides service that uses HW key to secure the rendezvous of device to its owner Intel AES-NI Enable AES computation without compromising performance Intel Platform Trust Technology ftpm enables cryptographic keys to be securely stored in tampered-resistant keys vault Intel Enhanced Privacy ID Utilize unique HW based key for secure channel establishment 1? Unsigned firmware Allows hacker to easily break the integrity of the boot firmware and OS image. Hacker infiltrates the system by subverting execution flow. 4 7 Insecure key storage Leaves the cryptographic keys used to protect platform and owner secrets easily recovered by hacker Network Video Recorder 6 7 Wind River Helix device cloud Automate FW/SW over-the-air update & full device lifecycle management Intel Security Essentials API Abstracted, simplified HW security development </>
#
#
Internet of Things Group Intel Confidential
IoT Security Ecosystem HWROT Silicon Providers Equipment Providers IoT Platforms & Solution Providers Intel EPID Intel SDO Devices Intel SDO Platforms FPGA Crypto Providers Telit - HDC Oracle - HDC Device Cloud Partners
Portfolio Solutions to Secure Entire Device Lifecycle Manufacture FAB/OEM/ODM Configure OEM/ODM Onboard Installer Provision System Integrator Operate IT & OT Decommission Admin/End User Develop, Attest, Onboard Operational Security Management </> ONBOA RD Root of Trust Technologies Intel Security Essentials core security capabilities/ technologies Ecosystem Enabling Tools Intel Security Essentials API Intel Platform Protection Technology TianoCore UEFI Firmware Coreboot and FSP Intel EPID Identity SDK ATTE Platform Trust Services ST Intel Secure Device Onboard Services Gateway/Fog Edge Security Enhanced Security for Gateways Device Management Wind River* Helix* Device Cloud IA-enabled IoT Security ISVs 5
Intel SGX Ecosystem Identity/Security Cloud Solution Providers IoT Platforms & Solution Providers Blockchain Payments Telit - HDC Oracle - HDC