Legal Disclaimers
Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at www.intel.com.
Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more information go to http://www.Intel.Com/performance.
All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.
Copyright © 2017 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel Inside, the Intel Inside logo, and Intel Xeon are trademarks of Intel Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others.
THIS SLIDE MUST BE USED WITH ANY SLIDES REMOVED FROM THIS PRESENTATION
Default Passwords
Delayed Image updates
Poor, Manual Device provisioning
Lack of Security Designed in to HW
Security Breaches - How they Happen
HW Security is an IOT Priority
IoT Security Is Essential to Scale IoT Deployments
Isolation & added protections of HW security has recognized role
Barrier to IoT Adoption* Most Important Items for IOT Platform*
*35% of respondents Gartner 2016 IoT Backbone Survey
Customer Requirement Best practice guidelines
Requirements to secure YOUR platforms and solutions.
HW based security moving from shadows to key RFP requests
RFP
Security solutions Designed-in to HW are keys to accelerating adoption and scale
Hackers exploiting poor device security
• HW & SW platform authentication; local and remote
• Ensure HW & SW image are in expected known-good, non-compromised configuration
• Enables trusted apps to run sensitive code, data, and store credentials in HW isolated enclaves
• On chip Trusted Platform Module cryptographic functions
• Protected memory for data at rest and in use
Intel® Security Strategy and Solutions
Designed-in
foundation
Unified Application security API
Security
Usages
HW/SW Identity Crypto / Protect Storage Platform Integrity Trusted Execution
On-Demand Lifecycle Services accelerating IIoT / IoT Solutions
Intel® Secure Device Onboard - Provisioning of Device Trust and Credentials
Remote Device “Health” Attestation
Customer / Eco System
IOT sf
requirements
• Authentication and Authorization
• Privacy
• Device Hardware and Physical Security
• Device Application Integrity and Authenticity
• Encryption and Key Management (Hardware)
Base Platform- Security Accelerators
Intel® SoC FPGA Crypto Accelerators – Maximize CPU performance with crypto offload. Extend the life of MCUs that may risk running out of performance as security needs change. Intel SoC FPGAs allow security protocols to move from software to custom hardware even after deployment, extending product lifetime.
Intel® Stratix® 10 Secure Device Manager - Fully configurable & authenticated boot, configuration schemes, secure key mgt/storage, and tamper resistance to create an isolated co-processor
Min Max
Security Performance
Surface Area
Protected
Crypto - Intel® Data Protection Technology with AES-NI, SHA-NI, SHA256, RDRAND, RDSEED, ECC. vPro=FIPS 140-2 L1 Crypto Block.
FPGA-Security Assist
Offload Crypto to Main CPU
Data/Keys
BIOS/FW
OS/VMM
Apps
Malware Protection - Intel® Platform Protection Technology with OS Guard (privilege-escalation attacks), SMEP, SMAP
Virtualization & VM Isolation - Intel® VT-x (CPU), Intel® VT-d (I/O), VMFUNC (Hypervisor)
OS Hardening-Memory, Virtualization
Surface Area
Protected
BIOS/FW
OS/VMM
Apps
Data/Keys
TCG/ISO standard with open source SDK
Remotely attests device HW ID as part of valid group without revealing identity
Removes Intel from directly authenticating the device during the provisioning process
Unique, In-demand, Proven - 2.7 billion keys distributed with IA & non-IA platforms. Simplifies key management & distribution
Enables zero touch device provisioning with onboarding services
Pvt-Key 1 Pvt-Key 2 Pvt-Key X …
Intel® EPID
EPID vs. PKI
Traditional PKI
1-to-1 key match, standard signature every time
Pvt-Key
1-to-many key match, unique signature every time, ANONYMOUS
Prevents Attack Mapping - Protects device data vs PKI that reveals data to hack device
Immutable hardware root of trust for IoT networks to Identify devices & secure their communications
Base Platform Identity- Intel® Enhanced Privacy ID
Data/Keys
BIOS/FW
OS/VMM
Apps
Surface Area
Protected
Protected Boot Solutions for Platform Integrity
Ecosystem Firmware - Partner & TianoCore.org UEFI open source implementations
Intel® Platform Protection Technology with Boot Guard – Cryptographically verifies first portion of OEM BIOS code executing out of reset.
Intel® Platform Protection Technology with BIOS Guard - protection against BIOS recovery attacks.
Ecosystem Values - OEMs & ISVs like Boot Guard, as it adds robustness to the chain of trust process, where the UEFI boot process cryptographically verifies and/or measures each software module before executing it.
Enabling - Requires BIOS enabling and OEM support in signing of the policy manifests, hashing of the BIOS boot block module, and programming the hash of the OEM public key and boot policies in field programmable fuses. Supports both TPM families, TPM 1.2 and TPM 2.0, and also PTT as part of measured boot.
Boot Guard
Initial Boot Block (IBB)
Scope of Coreboot
Scope Boot Guard
Boot Guard Component and Sequence
Reset
SW Stack
Surface Area
Protected
Data/Keys
BIOS/FW
OS/VMM
Apps
Payload:
UEFI
uboot
direct
Platform Trust Technology, firmware Trusted Platform Module (TPM) 2.0
Coreboot OS Loader OS
Operating System
Device Stack
Applications
Transitive Trust Chain
Kernel
Boot Loader
Hardware RoT
Trusted Code CPU & Boot Sequence
Fuses/ROM Key
Intel® PTT
Trusted Storage
for Measurements
Firmware TPM - Intel® Platform Trust Technology
Intel® Platform Trust Technology (Intel® PTT) - HW TPM 2.0 implementation integrated in Intel® ME/CSME/TXE security engines for credential storage and key management.
Secure trust element to meet requirements for TPM 2.0
Measured Boot for remote attestation
System's boot block is measured by HW/FW and successfully attests if unaltered
No protection for applications
No protection for applications
Surface Area
Protected
Measured Boot to TPM Flow
Data/Keys
BIOS/FW
OS/VMM
Apps
Trusted Execution Environment
Intel® Software Guard Extensions (Intel® SGX) – memory-architecture extension designed to protect select code or data from disclosure or modification. Enables trusted in-app “enclaves”, which are protected areas of execution in memory.
Intel® Dynamic Application Loader - Intel signed & verified 3rd party Java applets run in a separate VM sandbox within the ME/Intel® TXE security co-processor. Trusted apps are given controlled access to security resources and services. Apollo Lake specific.
SNOOP
Surface Area
Protected
Protected App
Enclave
DATA
TEE
CODE
Data/Keys
BIOS/FW
OS/VMM
Apps
SGX: on over 70 Ecosystem Platforms; Major CSP Blockchain Announcements - Azure, Alibaba, Fortanix
Wind River Helix* Device Cloud
Device OS
Device
Cloud Agent
Rest API
Device Management – Connect, Operate, Protect
Security Specific Capabilities
Secure Signed Update - OTA/FOTA integrity checked software or kernel update over encrypted channel. Reconfigure anything to respond to vulnerabilities
Security Monitoring - alerts, secure logs, & ability to remotely decommission device
Management Server - DDoS, anti spoofing, script & forgery protection
Management Console
Secure Update Package
Customer’s IOT Platform & Apps
Full Device Lifecycle
Manage
Deploy
Service
Decommission Monitor
Update
Intel® Secure Device Onboard
Ecosystem wants an automated “SIM-like” approach that ties identity to platform-initiated activation. No one is solving this.
Hardware Security
Device
INTEL® SECURE DEVICE ONBOARD
Intel® Secure Device Onboard drives scalability to move POCs to production. Increases devices in use.
IoT Platform Provider
Zero-touch
Automation - Takes seconds at power on
Security - Unique HW protected onboarding w/privacy
Dynamic – Provisioning to customer’s IoT platform of choice
Scale - 1-to-many enablement for device makers
Device
Intel® EPID SDK
TEE
Onboard
Client
Mgr Agent
IoT Platform
Service Provider
Device Mgt Service
Onboard API
Platform Registration
Service
Enabling Tools
1 Initial Device Identification (EPID Attestation)
2 SDO Service Identification
3 Take Ownership
4 Device securely on-boarded under Normal Platform Control
ATTEST
ONBOARD
New Owner
Supplier
Ownership
Proxy
Silicon Providers – EPID SDK
CSP/ISV Toolkit - integrate onboard API into their IoT Platform
Intel® Secure Device Onboard
OEM Credential Toolkit - board and gateways - integrate client software into their platform
Supply Chain - traceability signing tool
Secure IoT Smart Camera – Mitigated Attacks
Network Video Recorder
Attacks
1 Unsigned firmware - Allows hacker to easily break the integrity of the boot firmware and OS image. Hacker infiltrates the system by subverting execution flow.
2 Default Credential - Leaves device vulnerable to cyber-attacks. In 2014, 73,011 security cameras were “secured” only by default credentials (i.e. User: admin, Password: admin)
3 Insecure data-in-transit - Sending unencrypted video streams in the clear increases data privacy risks
4 Insecure key storage - Leaves the cryptographic keys used to protect platform and owner secrets easily recovered by hacker
5 Weak P2P (Cloud) Link - Weakness may grant remote hacker access to the local network from any remote location
6 Missed FW/SW Update - Not updated or older FW leaves device vulnerable to known exploits.
7 ?
Mitigations
1 Intel® Boot Guard - Enforced secure boot allowing only signed & untampered firmware to run
2 Intel® Secure Device Onboard - Provides service that uses HW key to secure the rendezvous of device to its owner
3 Intel® AES-NI - Enable AES computation without compromising performance
4 Intel® Platform Trust Technology - fTPM enables cryptographic keys to be securely stored in tamper-resistant key vault
5 Intel® Enhanced Privacy ID - Utilize unique HW based key for secure channel establishment
6 Wind River® Helix device cloud - Automate FW/SW over-the-air update & full device lifecycle management
7 Intel® Security Essentials API - Abstracted, simplified HW security development
Camera plugin / Web App / CGI process / P2P (Cloud) Agent
SRAM / HW / FW / SOC / eMMC/SDXC / COMMS
Bootloader / Linux Kernel / Services (telnet, httpd, sshd, etc)
Kernel / Services / App
IoT Security Ecosystem
Equipment
Providers
HWROT Silicon
Providers
IoT Platforms & Solution Providers
Telit - HDC
Oracle - HDC
Intel EPID Intel SDO
Devices
Intel SDO
Platforms
Device Cloud
Partners
FPGA Crypto
Providers
Portfolio Solutions to Secure Entire Device Lifecycle
Develop, Attest, Onboard
Manufacture FAB/OEM/ODM
Configure OEM/ODM
Onboard Installer
Provision System Integrator
Operate IT & OT
Decommission Admin/End User
Operational Security Management
IA-enabled IoT Security ISVs
Root of Trust Technologies
Ecosystem Enabling Tools
Gateway/Fog Edge Security
Intel® Security Essentials core security capabilities/technologies
Intel® Security Essentials API
Intel® Platform Protection Technology
TianoCore UEFI Firmware
Coreboot and FSP
Intel® EPID Identity SDK
Enhanced Security for Gateways
Platform Trust Services
Intel® Secure Device Onboard Services
Device Management
Wind River* Helix* Device Cloud
ATTEST
ONBOARD
• Proven open-source Device Identity with Intel® Enhanced Privacy ID (Intel® EPID)
• Mature Technology for multiple applications
• BSP/FSP enabling UEFI Secure Boot, Protected Boot or Measured Boot on all supported platforms
• Intel® Software Guard Extensions (SGX)
• Intel® Dynamic Application Loader applets
• Protected Execution and Encrypted Storage
• Firmware based Trusted Platform Module (TPM 2.0) – Intel® Platform Trust Technology (PTT)
• Secure and Accelerated Cryptographic operations – AES-NI, SHA-NI, TrueKey®