SSG Platform Security Division & IOTG Jan Krueger | Product Manager | IoT Security Solutions


Legal Disclaimers

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at www.intel.com.

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more information go to http://www.Intel.Com/performance.

All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.

Copyright © 2017 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel Inside, the Intel Inside logo, and Intel Xeon are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.

THIS SLIDE MUST BE USED WITH ANY SLIDES REMOVED FROM THIS PRESENTATION

Security Breaches - How they Happen

• Default Passwords
• Delayed Image updates
• Poor, Manual Device provisioning
• Lack of Security Designed in to HW

HW Security is an IOT Priority

IoT Security Is Essential to Scale IoT Deployments

Isolation & added protections of HW security has recognized role

Barrier to IoT Adoption* Most Important Items for IOT Platform*

*35% of respondents Gartner 2016 IoT Backbone Survey

Customer Requirement Best practice guidelines

Requirements to secure YOUR platforms and solutions.

HW based security moving from shadows to key RFP requests

Security solutions Designed-in to HW are keys to accelerating adoption and scale

Hackers exploiting poor device security

• HW & SW platform authentication; local and remote
• Ensure HW & SW image are in expected known-good, non-compromised configuration
• Enables trusted apps to run sensitive code, data, and store credentials in HW isolated enclaves
• On chip Trusted Platform Module cryptographic functions
• Protected memory for data at rest and in use

Intel® Security Strategy and Solutions

Designed-in foundation

Unified Application security API

Security Usages: HW/SW Identity, Crypto / Protect Storage, Platform Integrity, Trusted Execution

On-Demand Lifecycle Services accelerating IIoT / IoT Solutions

Intel© Secure Device Onboard - Provisioning of Device Trust and Credentials

Remote Device “Health” Attestation

Customer / Eco System IOT sf requirements

• Authentication and Authorization
• Privacy
• Device Hardware and Physical Security
• Device Application Integrity and Authenticity
• Encryption and Key Management (Hardware)

Base Platform- Security Accelerators

Intel® SoC FPGA Crypto Accelerators – Maximize CPU performance with crypto offload. Extend the life of MCUs that may risk running out of performance as security needs change. Intel SoC FPGAs allow security protocols to move from software to custom hardware even after deployment, extending product lifetime.

Intel® Stratix® 10 Secure Device Manager - Fully configurable & authenticated boot, configuration schemes, secure key mgt/storage, and tamper resistance to create an isolated co-processor

Crypto - Intel® Data Protection Technology with AES-NI, SHA-NI, SHA256, RDRAND, RDSEED, ECC. vPro=FIPS 140-2 L1 Crypto Block.

FPGA-Security Assist

Offload Crypto to Main CPU

Figure labels: Min, Max, Security, Performance

Surface Area Protected: Data/Keys, BIOS/FW, OS/VMM, Apps

OS Hardening-Memory, Virtualization

Malware Protection- Intel® Platform Protection Technology with OS Guard (privilege-escalation attacks), SMEP, SMAP

Virtualization & VM Isolation - Intel® VTx (CPU), Intel® VTd (I/O), VmFunc (Hypervisor)

Base Platform Identity- Intel® Enhanced Privacy ID

Immutable hardware root of trust for IoT networks to Identify devices & secure their communications

Surface Area Protected: BIOS/FW, OS/VMM, Apps, Data/Keys

TCG/ISO standard with open source SDK

Remotely attests device HW ID as part of valid group without revealing identity

Removes Intel from directly authenticating the device during the provisioning process

Unique, In-demand, Proven - 2.7 billion keys distributed with IA & non-IA platforms. Simplifies key management & distribution

Enables zero touch device provisioning with onboarding services

Prevents Attack Mapping - Protects device data vs PKI that reveals data to hack device

EPID vs. PKI

Traditional PKI: 1-to-1 key match, standard signature every time (Pvt-Key)

Intel® EPID: 1-to-many key match, unique signature every time, ANONYMOUS (Pvt-Key 1, Pvt-Key 2, … Pvt-Key X)

Protected Boot Solutions for Platform Integrity

Surface Area Protected: Data/Keys, BIOS/FW, OS/VMM, Apps

Ecosystem Firmware - Partner & TianoCore.org UEFI open source implementations

Intel® Platform Protection Technology with Boot Guard – Cryptographically verifies first portion of OEM BIOS code executing out of reset.

Intel® Platform Protection Technology with BIOS Guard - protection against BIOS recovery attacks.

Ecosystem Values - OEMs & ISVs like Boot Guard, as it adds robustness to the chain of trust process where the UEFI boot process cryptographically verifies and/or measures each software module before executing it.

Enabling - Requires BIOS enabling and OEM support in signing of the policy manifests, hashing of BIOS boot block module, programming the hash of OEM public key and boot policies in field programmable fuses. Supports both TPM families, TPM 1.2 and TPM 2.0, and also PTT as part of measured boot.

Figure: Boot Guard Component and Sequence. Labels: Reset, Boot Guard, Initial Boot Block (IBB), Scope of Coreboot, Scope Boot Guard, SW Stack, Payload (UEFI, uboot, direct), Coreboot, OS Loader, OS, Platform Trust Technology, firmware Trusted Platform Module (TPM) 2.0

Firmware TPM - Intel® Platform Trust Technology

Intel® Platform Trust Technology (Intel® PTT) - HW TPM 2.0 implementation integrated in Intel® ME/CSME/TXE security engines for credential storage and key management.

Secure trust element to meet requirements for TPM 2.0

Measured Boot for remote attestation

System's boot block is measured by HW/FW and successfully attests if unaltered

No protection for applications

Figure: Measured Boot to TPM Flow. Labels: Transitive Trust Chain, Hardware RoT, Trusted Code CPU & Boot Sequence, Fuses/ROM Key, Boot Loader, Kernel, Operating System, Device Stack, Applications, Intel® PTT Trusted Storage for Measurements

Surface Area Protected: Data/Keys, BIOS/FW, OS/VMM, Apps
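The measured-boot flow these slides describe (each boot stage is measured into the TPM, and a remote verifier accepts the device only if the measurements are unaltered) can be sketched as follows. This is an added example, not code from the presentation or from Intel; the stage names and images are constructed, a single SHA-256 PCR is assumed, and the signed TPM quote that would carry the PCR value to the verifier is omitted.

```python
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR (assumption: a single register for the whole chain)

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM extend: new PCR = SHA-256(old PCR || measurement); order-sensitive, not reversible
    return hashlib.sha256(pcr + digest).digest()

def measure_boot(stages):
    """Device side: hash each stage before it runs, extend the PCR, log the event."""
    pcr, log = bytes(PCR_SIZE), []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log

def verify(quoted_pcr, log, known_good):
    """Verifier side: replay the log, then compare each entry with reference digests."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = extend(pcr, digest)
    if pcr != quoted_pcr:
        return False, "event log does not replay to the quoted PCR"
    if [name for name, _ in log] != list(known_good):
        return False, "unexpected boot sequence"
    for name, digest in log:
        if digest != known_good[name]:
            return False, f"unexpected measurement: {name}"
    return True, "boot chain matches reference"

# Constructed sample images (placeholders, not real firmware)
GOOD = [("boot_block", b"IBB v1"), ("boot_loader", b"loader v1"), ("kernel", b"kernel v1")]
KNOWN_GOOD = {n: hashlib.sha256(img).digest() for n, img in GOOD}

def demo():
    results = {}
    pcr, log = measure_boot(GOOD)
    results["clean"] = verify(pcr, log, KNOWN_GOOD)
    # Modified boot loader: the honest log exposes the changed digest
    bad = [GOOD[0], ("boot_loader", b"loader v1 + implant"), GOOD[2]]
    pcr, log = measure_boot(bad)
    results["tampered"] = verify(pcr, log, KNOWN_GOOD)
    # Same device presenting a log rewritten with reference digests: replay fails
    results["forged_log"] = verify(pcr, list(KNOWN_GOOD.items()), KNOWN_GOOD)
    return results

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'} - {reason}")
```

The third case shows why the log alone is not trusted: the verifier's decision rests on the PCR value, which software running after a measurement cannot roll back.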

Trusted Execution Environment

Intel® Software Guard Extensions (Intel® SGX) – memory-architecture extension designed to protect select code or data from disclosure or modification. Enables trusted in-app “enclaves”, which are protected areas of execution in memory.

Intel® Dynamic Application Loader - Intel signed & verified 3rd party Java applets run in separate VM sandbox within ME/Intel® TXE security co-processor. Trusted apps given controlled access to security resources and services. Apollo Lake specific.

Figure labels: SNOOP, Protected App, Enclave, DATA, CODE, TEE

Surface Area Protected: Data/Keys, BIOS/FW, OS/VMM, Apps

SGX=on over 70 Ecosystem Platforms, Major CSP Blockchain Announcements-Azure, Alibaba, Fortanix

E-to-e Edge to cloud “IOT Security Channel” software Solutions

Wind River Helix* Device Cloud

Device Management – Connect, Operate, Protect

Security Specific Capabilities

Secure Signed Update - OTA/FOTA integrity checked software or kernel update over encrypted channel. Reconfigure anything to respond to vulnerabilities

Security Monitoring - alerts, secure logs, & ability to remotely decommission device

Management Server - DDOS, anti spoofing, script & forgery protection

Figure labels: Device OS, Device Cloud Agent, Rest API, Management Console, Secure Update Package, Customer’s IOT Platform & Apps

Full Device Lifecycle: Manage, Deploy, Service, Decommission, Monitor, Update

On-demand Platform Trust Services

Intel® Secure Device Onboard

Ecosystem wants automated “SIM”-like approach that ties identity to platform initiated activation. No-one is solving.

Intel® Secure Device Onboard drives scalability to move POCs to production. Increases devices in use.

Zero-touch

Automation - Takes seconds at power on

Security - Unique HW protected onboarding w/privacy

Dynamic – Provisioning to customer’s IoT platform of choice

Scale - 1-to-many enablement for device makers

Figure labels: Hardware Security, Device, Intel® Secure Device Onboard, IoT Platform Provider, Intel® EPID SDK, TEE, Onboard Client, Mgr Agent, IoT Platform Service Provider, Device Mgt Service, Onboard API, Platform Registration Service

Enabling Tools

Initial Device Identification (EPID Attestation), SDO Service Identification (1, 2)

Take Ownership (3)

Device securely on-boarded under Normal Platform Control (4)

Figure labels: ATTEST, ONBOARD, New Owner, Supplier, Ownership Proxy

Silicon Providers – EPID SDK

CSP/ISV Toolkit - integrate onboard API into their IoT Platform

Intel® Secure Device Onboard

OEM Credential Toolkit - board and gateways - integrate client software into their platform

Supply Chain - traceability signing tool

Secure IoT Smart Camera – Mitigated Attacks

Network Video Recorder

1 Unsigned firmware - Allows hacker to easily break the integrity of the boot firmware and OS image. Hacker infiltrates the system by subverting execution flow.

2 Default Credential - Leave device vulnerable to cyber-attacks. In 2014, 73,011 security cameras were “secured” only by default credentials (i.e. User: admin, Password: admin)

3 Insecure data-in-transit - Sending unencrypted video streams in the clear increases data privacy risks

4 Insecure key storage - Leaves the cryptographic keys used to protect platform and owner secrets easily recovered by hacker

5 Weak P2P (Cloud) Link - Weakness may grant remote hacker access to the local network from any remote location

6 Missed FW/SW Update - Not updated or older FW leaves device vulnerable to known exploits.

7 ?

1 Intel® Boot Guard - Enforced secure boot allowing only signed & untampered firmware to run

2 Intel® Secure Device Onboard - Provides service that uses HW key to secure the rendezvous of device to its owner

3 Intel® AES-NI - Enable AES computation without compromising performance

4 Intel® Platform Trust Technology - fTPM enables cryptographic keys to be securely stored in tamper-resistant key vault

5 Intel® Enhanced Privacy ID - Utilize unique HW based key for secure channel establishment

6 Wind River® Helix device cloud - Automate FW/SW over-the-air update & full device lifecycle management

7 Intel© Security Essentials API - Abstracted, simplified HW security development

Figure labels: Camera plugin, Web App, CGI process, P2P (Cloud) Agent, SRAM, HW, FW, SOC, eMMC/SDXC, COMMS, Bootloader, Linux Kernel, Services (telnet, httpd, sshd, etc), Kernel, Services, App

Internet of Things Group Intel Confidential

IoT Security Ecosystem

Figure labels: Equipment Providers, HWROT Silicon Providers, IoT Platforms & Solution Providers, Telit - HDC, Oracle - HDC, Intel EPID, Intel SDO Devices, Intel SDO Platforms, Device Cloud Partners, FPGA Crypto Providers

Portfolio Solutions to Secure Entire Device Lifecycle

Develop, Attest, Onboard

Manufacture: FAB/OEM/ODM

Configure: OEM/ODM

Onboard: Installer

Provision: System Integrator

Operate: IT & OT

Decommission: Admin/End User

Operational Security Management

IA-enabled IoT Security ISVs

Root of Trust Technologies

Ecosystem Enabling Tools

Gateway/Fog Edge Security

Intel® Security Essentials core security capabilities/technologies: Intel® Security Essentials API, Intel® Platform Protection Technology, TianoCore UEFI Firmware, Coreboot and FSP, Intel® EPID Identity SDK

Enhanced Security for Gateways

Platform Trust Services: Intel® Secure Device Onboard Services

Device Management: Wind River* Helix* Device Cloud

Figure labels: ATTEST, ONBOARD

• Proven open-source Device Identity with Intel© Enhanced Privacy ID (Intel© EPID)
• Mature Technology for multiple applications
• BSP/FSP enabling UEFI Secure Boot, Protected Boot or Measured Boot on all supported platforms
• Intel© Software Guard Extensions (SGX)
• Intel© Dynamic Application Loader applets
• Protected Execution and Encrypted Storage
• Firmware based Trusted Platform Module (TPM 2.0) – Intel© Platform Trust Technology (PTT)
• Secure and Accelerated Cryptographic operations – AES-NI, SHA-NI, TrueKey®

Intel SGX Ecosystem

Figure labels: Cloud Solution Providers, Identity/Security, IoT Platforms & Solution Providers, Telit - HDC, Oracle - HDC, Blockchain, Payments