Embedded Security Introduction IoT - easyfairs · 2019-01-15
TRANSCRIPT
Embedded Security Introduction IoT. Nicholas Croudace CCS EMEA Technical Marketing Manager [email protected]
Agenda
1. IoT Mega Trend…What and Where?
2. IoT Threats
3. Intro to OPTIGA™ Embedded Security
4. Questions…
2 2017-05-22 restricted Copyright © Infineon Technologies AG 2017. All rights reserved.
IoT…Where did it all begin?
The term "Internet of Things" was coined by Kevin Ashton in 1999, while working at P&G as a brand manager, to describe a system where the Internet is connected to the physical world via ubiquitous sensors. This first IoT system was P&G's self-replenishing inventory system, using RFID tags and machine-to-machine (M2M) communication, for the humble… lipstick.
Today's simple description of IoT is the collection of interconnected devices that make lives Smarter, Safer and Simpler; that only holds if the devices and their data are given CONFIDENTIALITY, INTEGRITY and AUTHENTICITY.
IoT connectivity: how this is influencing our lives and pockets…
IoT growth until 2020 (Sources: UN/ITU/IDC; IC Insights Update Report Nov.16):
– $7 Trillion market potential
– 40 Zettabytes of data created
– 28 Billion installed IoT devices
– 5 Billion connected people
*Counting only the Internet-connection portion of systems
IoT Mega ‘SMART’ Trend and the Applications behind the headlines
People: Phones; Tablets; Wearables; Personal Health; Fitness & Diet; Health Care; Monitoring; Diagnostics & Treatment; Education & Training
Vehicles: Cars / Truck / Bus; Engine & Drivetrain; Infotainment; Driver Aids; Auto-Drive
Homes: Smart Home; Safety & Security; Infotainment; Environment; Appliances
Town & Cities: Smart Grid; Smart Roads; Smart Buildings; Traffic Flow; Lighting; Smart Meters; Infrastructures
Commerce: eRetail; Smart Labels; Transit; Smart Office; Smart Store/Shelf; Smart Signage
Industrial: Energy (Oil & Gas); Pipelines; Power Generation; Manufacturing; Agriculture; Logistics; Health Care Delivery; Operational Automation; Performance Optimization; Preventative Maintenance; Capacity Planning
Jeep Cherokee (diagram labels: RADIO firmware, CAN-IHS, CAN-C)
Stuxnet (diagram labels: Engineering, Cascade PLC, Breakers, Operational Network)
Accelerating IoT Attacks generating bad Press!
Reverse Engineering Companies…Loss of IP
IoT Connectivity requires Security…Why
When a device becomes connected, the authenticity, integrity and confidentiality of both the device and its messages have to be protected.
(Diagram: the Device, with its iD, Boot Process, FW Update and Sensitive Data, exchanges Messages with a Host or Cloud that holds its own iD and Data; Actors sit on both sides.)
OPTIGA™ Embedded Security Family
Products, ordered by increasing security and complexity: OPTIGA™ Trust & Trust B (SLS10ERE / SLE95250), OPTIGA™ Trust E (SLS32AIA), OPTIGA™ Trust X (SLS32AIA020x), OPTIGA™ Trust P (SLJ52ACA), OPTIGA™ TPM (SLB96xx).
Comparison table, row values as listed on the slide:
Functionality: Authentication; TCG standard; Programmable; Authentication
Security Level: CC EAL 4+; CC EAL 5+; CC EAL 6+*; Basic; CC EAL 6+*
Type of Host System: Embedded Linux; Windows / Linux; MCU without OS / proprietary OS / RTOS
Interface: SWI; I2C; I2C; UART; I2C, SPI, LPC
System integration: Done by IFX; Customer implementation, supported by IFX; Platform vendor
Cryptography (private key stored in secure HW): ECC163; ECC256; ECC384, ECC521, RSA2K; ECC256, RSA2K
NVM (Data): 6 kByte; 150 kByte; 3 kByte; 448 Byte; 10 kByte
* Based on certified HW
** Code & Data
Pre-provisioning of Device Keys and CA Using OPTIGA™ Trust
Host/Gateway (standard GW / router application processor with OPTIGA™ TPM):
– OPTIGA™ TPMs leave the Infineon factory pre-provisioned with key pairs and certificates.
– Servers can verify the authenticity of the gateway cryptographically by challenging the TPM.
– The gateway can use the OPTIGA™ TPM as a root of trust to authenticate servers.
– Further key pairs can be generated and signed by the TPM.
– Secure storage allows the TPM to bind allowed devices to the gateway.
Appliance/Node (MCU with OPTIGA™ Trust):
– Key pairs and CA certificates are loaded into the OPTIGA™ Trust before it leaves the Infineon factory.
– This allows the device to authenticate to servers and prove its identity.
– Manufacturers can additionally inject their own CA certificates if required.
– The customer does not have to invest in costly key injection facilities for handling the key injection process.
(Diagram also shows the Back End Servers and the OEM Root CA.)
Smart Home Example: typical Architecture
(Diagram: a Smart Home Gateway with OPTIGA™ TPM behind the Router; an IP Camera, Sensors, a Smart Lock and a Smart Home Console, each an MCU with an OPTIGA™ Trust E or OPTIGA™ Trust X.)
Security Use Cases
– Pre-provisioned keys and certificates
– Device Identity Authentication
– Mutual Authentication and Secure Communication
– Software / Firmware Updates
– Platform Integrity
Smart Home Use Case, Basic Devices – Device Identity Authentication
Devices may connect directly to the Internet using Wi-Fi through the home router.
The end destination could be either the control devices, such as smartphones, or the vendor database.
OPTIGA™ Trust acts as the trust anchor for the Gateway to cryptographically verify the identity of a device that is joining the network.
It is also important for vendor servers to be able to securely verify that the devices are authentic devices manufactured by them.
(Diagram: Smart Home Gateway with OPTIGA™ TPM; Internet Gateway / Router; devices with OPTIGA™ Trust B/E.)
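The pre-provisioning slide and this one describe the same mechanism from both ends: a key pair and a certificate issued by the OEM Root CA go into the OPTIGA™ Trust at the factory, and a server or gateway later challenges the device to prove it holds the matching private key. The Go program below is an added example, not Infineon code and not the OPTIGA™ API; it uses the Go standard library in place of the secure element and walks through the factory step, the challenge/response, and two cases a verifier must reject: a clone certified by a rogue CA, and a captured answer replayed against a fresh nonce. The names NewRootCA, Provision, SignChallenge, VerifyDevice and Scenario, the serial numbers and the validity periods are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device models an appliance: priv never leaves the OPTIGA Trust (an in-memory
// ECDSA key stands in for the chip here); Cert was issued for it at the factory.
type Device struct {
	priv *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newCert generates a P-256 key and has signer (the parent's key) certify it;
// with signer == nil the certificate is self-signed, which is how the root is made.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NewRootCA creates the self-signed OEM Root CA that servers and gateways trust.
func NewRootCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(20, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// Provision is the factory step: generate the device key pair and certify it
// under the OEM Root CA, so the customer's line needs no key injection facility.
func Provision(caKey *ecdsa.PrivateKey, ca *x509.Certificate, serial int64) (*Device, error) {
	priv, cert, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fmt.Sprintf("node-%d", serial)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return &Device{priv: priv, Cert: cert}, err
}

// SignChallenge is the device side: sign the verifier's fresh nonce with the
// secure-element key. The nonce is what stops a captured answer being replayed.
func (d *Device) SignChallenge(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// VerifyDevice is the server/gateway side: the presented certificate must chain
// to the OEM root, and the signature must be over this session's nonce.
func VerifyDevice(root, cert *x509.Certificate, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to the OEM root: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return fmt.Errorf("challenge signature invalid: %w", err)
	}
	return nil
}

// Scenario runs three checks: a genuine node, a clone whose certificate was
// issued by a rogue CA, and a genuine answer replayed against a new nonce.
func Scenario() (genuine, clone, replay error) {
	oemKey, oemRoot, _ := NewRootCA("OEM Root CA")
	rogueKey, rogueRoot, _ := NewRootCA("Rogue CA")
	node, _ := Provision(oemKey, oemRoot, 1001)
	fake, _ := Provision(rogueKey, rogueRoot, 1001) // same serial and name, wrong issuer
	nonce, nonce2 := make([]byte, 32), make([]byte, 32)
	rand.Read(nonce)
	rand.Read(nonce2)
	sig, _ := node.SignChallenge(nonce)
	fakeSig, _ := fake.SignChallenge(nonce)
	genuine = VerifyDevice(oemRoot, node.Cert, nonce, sig)
	clone = VerifyDevice(oemRoot, fake.Cert, nonce, fakeSig)
	replay = VerifyDevice(oemRoot, node.Cert, nonce2, sig)
	return
}
```

Scenario() is the entry point. Only the certificate, the nonce and the signature cross the wire; the private-key operation inside SignChallenge is what the secure element performs on the real device, and the verifier needs nothing but the OEM root certificate, which is why no per-device secret has to be shared with the server.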
Smart Home Use Case: Mutual Authentication and Secure Communication
These are smart home devices which carry out actions or provide more sensitive data.
Such devices require mutual authentication of incoming commands and secure communication to protect the data transmission.
OPTIGA™ Trust provides the trust anchor to perform mutual authentication and establish a session with GW/phones/tablets/servers.
(Diagram: Smart Home Gateway; Internet Gateway / Router; devices with OPTIGA™ Trust X.)
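For these devices the gateway and the node each have to prove their identity to the other and then agree on a key for the session. The Go program below is an added example (not Infineon code and not the OPTIGA™ Trust X API) of one such exchange: each side sends an ephemeral ECDH public key, signs the handshake transcript with its long-term identity key, checks the other side's signature against a public key pinned at provisioning, and derives an AES-256-GCM session key from the shared secret. Peer, Hello, Auth, Finish, Send, Handshake, the HKDF label string and the device names are assumptions of the example; pinning one trusted public key stands in for a certificate chain check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Peer is a gateway or a Trust X node: identity would sit in the secure element;
// trusted is the pinned long-term public key of the one peer it may talk to.
type Peer struct {
	Name     string
	identity *ecdsa.PrivateKey
	trusted  *ecdsa.PublicKey
	eph      *ecdh.PrivateKey
	aead     cipher.AEAD
}

func NewPeer(name string) *Peer {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the RNG does
	return &Peer{Name: name, identity: k}
}

// Pin records the other side's long-term public key (a provisioning step).
func (p *Peer) Pin(other *Peer) { p.trusted = &other.identity.PublicKey }

// Hello opens a handshake with a fresh ephemeral ECDH key (forward secrecy).
func (p *Peer) Hello() []byte {
	p.eph, _ = ecdh.P256().GenerateKey(rand.Reader)
	return p.eph.PublicKey().Bytes()
}

// transcript binds the signer's name and both fixed-size ephemeral keys, so a
// signature belongs to this handshake only and cannot be reused in another.
func transcript(signer string, own, peer []byte) []byte {
	h := sha256.Sum256(append(append([]byte(signer), own...), peer...))
	return h[:]
}

// Auth is the second message: the transcript signed with the identity key.
func (p *Peer) Auth(peerEph []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, p.identity, transcript(p.Name, p.eph.PublicKey().Bytes(), peerEph))
}

// Finish verifies the peer's signature under the pinned key, then derives the
// AES-256-GCM session key from the ECDH secret with HKDF-style HMAC steps.
func (p *Peer) Finish(peerName string, peerEph, peerSig []byte) error {
	own := p.eph.PublicKey().Bytes()
	if p.trusted == nil || !ecdsa.VerifyASN1(p.trusted, transcript(peerName, peerEph, own), peerSig) {
		return fmt.Errorf("%s: peer %q failed authentication", p.Name, peerName)
	}
	pub, err := ecdh.P256().NewPublicKey(peerEph) // rejects points that are not on the curve
	if err != nil {
		return err
	}
	shared, _ := p.eph.ECDH(pub) // only fails across curves, impossible here
	prk := hmac.New(sha256.New, nil) // HKDF-Extract with an empty salt
	prk.Write(shared)
	okm := hmac.New(sha256.New, prk.Sum(nil)) // HKDF-Expand, first block
	okm.Write([]byte("smart-home session v1\x01"))
	block, _ := aes.NewCipher(okm.Sum(nil)) // 32-byte key, cannot fail
	p.aead, err = cipher.NewGCM(block)
	return err
}

// Send seals msg under from's session key and opens it under to's; the nonce is
// fresh per message and would travel alongside the ciphertext on the wire.
func Send(from, to *Peer, msg []byte) ([]byte, error) {
	nonce := make([]byte, from.aead.NonceSize())
	rand.Read(nonce)
	return to.aead.Open(nil, nonce, from.aead.Seal(nil, nonce, msg, nil), nil)
}

// Handshake drives both sides: exchange hellos, exchange signatures, verify.
func Handshake(a, b *Peer) error {
	ha, hb := a.Hello(), b.Hello()
	sa, _ := a.Auth(hb)
	sb, _ := b.Auth(ha)
	if err := a.Finish(b.Name, hb, sb); err != nil {
		return err
	}
	return b.Finish(a.Name, ha, sa)
}

// Scenario: the gateway and its pinned smart lock set up a session and pass an
// "unlock" command; an impostor with the same name but an unpinned key fails.
func Scenario() (command string, impostorErr, err error) {
	gw, lock, impostor := NewPeer("gateway"), NewPeer("smart-lock"), NewPeer("smart-lock")
	gw.Pin(lock)
	lock.Pin(gw)
	if err = Handshake(gw, lock); err != nil {
		return
	}
	plain, err := Send(gw, lock, []byte("unlock"))
	return string(plain), Handshake(gw, impostor), err
}
```

Scenario() is the entry point. The impostor knows the gateway's public key and can run the protocol, but its own key was never pinned, so the gateway rejects it in Finish before any session key exists; because the signatures cover the ephemeral keys, the shared secret is bound to the authenticated parties and cannot be hijacked by someone relaying messages between them.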
The Future of Lighting is Smart! Infineon & Partners displaying Smart Street Lighting
IoT Appliances Require Secure FW Update
› Common Threats:
– Modified image of the FW.
– Interception and reverse engineering of the FW image.
– Downgrade to an older (vulnerable) version.
– Unverified (malicious) version from hackers.
› Objectives:
– Encrypt the FW image.
– Hash to protect image integrity.
– Signature to verify FW authenticity.
– Version checking to prevent rollback.
(Diagram: Back End Servers send New Firmware to the Home Gateway (standard GW / router application processor with OPTIGA™ TPM) and on to the Appliance (MCU with OPTIGA™ Trust / Trust X).)
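The four objectives above combine into one package format and one verification routine on the appliance. The Go program below is an added example, not Infineon code: the vendor encrypts the image with an update key provisioned into the appliance, signs the encrypted package, and the appliance verifies the signature, enforces a monotonic version number, and only then decrypts. The package layout, the names BuildUpdate, Appliance, Install and Scenario, and the image strings are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update package layout (constructed for this example, not a vendor format):
//   [4: version][2: sigLen][sig][12: nonce][ciphertext || GCM tag]
// The signature covers version || nonce || ciphertext, so the version number
// the appliance compares for rollback is authenticated before it is trusted.
const nonceLen = 12

// BuildUpdate is the vendor side: encrypt the image, then sign the SHA-256 of
// the encrypted package. A captured package reveals nothing of the image.
func BuildUpdate(signKey *ecdsa.PrivateKey, updKey []byte, version uint32, image []byte) ([]byte, error) {
	block, err := aes.NewCipher(updKey)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	ver := make([]byte, 4)
	binary.BigEndian.PutUint32(ver, version)
	nonce := make([]byte, nonceLen)
	rand.Read(nonce)
	body := gcm.Seal(append(ver, nonce...), nonce, image, ver) // ver || nonce || ct, AAD = ver
	h := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, signKey, h[:])
	if err != nil {
		return nil, err
	}
	pkg := append(append([]byte{}, ver...), byte(len(sig)>>8), byte(len(sig)))
	return append(append(pkg, sig...), body[4:]...), nil
}

// Appliance models the node: vendor public key and update key are provisioned
// into the secure element; Version is the monotonic counter anti-rollback uses.
type Appliance struct {
	vendor  *ecdsa.PublicKey
	updKey  []byte
	Version uint32
	Image   []byte
}

// Install checks in the order a bootloader should: signature first (nothing
// unauthenticated is parsed further), then version, then decrypt, then commit.
func (a *Appliance) Install(pkg []byte) error {
	if len(pkg) < 6 {
		return errors.New("truncated package")
	}
	sigLen := int(pkg[4])<<8 | int(pkg[5])
	if len(pkg) < 6+sigLen+nonceLen {
		return errors.New("truncated package")
	}
	ver, sig, rest := pkg[:4], pkg[6:6+sigLen], pkg[6+sigLen:]
	h := sha256.Sum256(append(append([]byte{}, ver...), rest...))
	if !ecdsa.VerifyASN1(a.vendor, h[:], sig) {
		return errors.New("signature check failed: not from the vendor, or modified")
	}
	version := binary.BigEndian.Uint32(ver)
	if version <= a.Version {
		return fmt.Errorf("rollback refused: package v%d, installed v%d", version, a.Version)
	}
	block, _ := aes.NewCipher(a.updKey) // 32-byte key set at provisioning
	gcm, _ := cipher.NewGCM(block)
	image, err := gcm.Open(nil, rest[:nonceLen], rest[nonceLen:], ver)
	if err != nil {
		return errors.New("decryption failed: wrong update key or corrupted image")
	}
	a.Image, a.Version = image, version
	return nil
}

// Scenario installs v2, then offers a downgrade to v1, a bit-flipped copy of v2
// and a v3 signed with an attacker's key; only the first may succeed.
func Scenario() (installed uint32, results map[string]error) {
	vendor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	updKey := make([]byte, 32)
	rand.Read(updKey)
	node := &Appliance{vendor: &vendor.PublicKey, updKey: updKey, Version: 1}
	v2, _ := BuildUpdate(vendor, updKey, 2, []byte("firmware v2 (constructed image)"))
	v1, _ := BuildUpdate(vendor, updKey, 1, []byte("firmware v1 (constructed image)"))
	forged, _ := BuildUpdate(attacker, updKey, 3, []byte("malicious image"))
	tampered := append([]byte{}, v2...)
	tampered[len(tampered)-1] ^= 0x01
	results = map[string]error{"v2": node.Install(v2)}
	installed = node.Version
	results["downgrade"] = node.Install(v1)
	results["tampered"] = node.Install(tampered)
	results["forged"] = node.Install(forged)
	return
}
```

Scenario() is the entry point. The version check deliberately comes after signature verification: an attacker who cannot forge the vendor's signature cannot present a version number the appliance will act on, and the GCM tag under the authenticated version as associated data means a valid ciphertext cannot be re-labelled with a different version either. On a real MCU the Version counter and the two provisioned keys would live in the secure element so that a compromised application cannot wind the counter back.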
Security Toolbox
– Symmetric Encryption: fast, easily implemented
– Asymmetric Encryption: secure, key flexibility
– Hash Algorithm: space efficient, one-way
– Certificates: protect integrity & authenticity of info
– PKI: structured method to handle public keys
– ECDH Key Exchange: securely establish a shared symmetric key
Use Cases:
– Key Generation and Management
– Boot Protection / Platform Integrity
– Stored Data Protection
– Secure Communications
– Authentication
– Secure Updates
OPTIGA™ Product Family
Positioned by design-in complexity, feature set and certification level:
– OPTIGA™ Trust / B: design-in complexity low; CC EAL 6+*
– OPTIGA™ Trust E: values as in the family table above
– OPTIGA™ Trust X1: design-in complexity low; CC EAL 6+*
– OPTIGA™ Trust P: design-in complexity medium; CC EAL 5+
– OPTIGA™ TPM: design-in complexity low to medium; CC EAL 4+
Feature sets as listed on the slide: One-way Authentication; One-way Authentication with PKI Support; Encrypted Storage
*Using EAL 6+ certified HW
Development Tools (order codes and prices as listed): SP001185804 €40; SP001601016 (B) €40; SP007398818 €60 TBC, launch Jan.18; SP001596596 V.1.2; SP001880816 €130; SP001596592 V.2.0
Avnet’s Industrial IoT Starter Platform + TPM
– MicroZed System-on-Module on an Arduino Carrier Card
– Arduino Shield Expansion and Additional I/O Expansion
– Pmod™ Expansion (three connectors) for Sensors / Actuators / HMI / Communication
– SLB9670 (OPTIGA™ TPM)