embedded security introduction iot. - easyfairs · 2019-01-15

Embedded Security Introduction IoT. Nicholas Croudace CCS EMEA Technical Marketing Manager [email protected] restricted

Agenda

1. IoT Mega Trend…What and Where?
2. IoT Threats
3. Intro to OPTIGA™ Embedded Security
4. Questions…

2 2017-05-22 restricted Copyright © Infineon Technologies AG 2017. All rights reserved.


IoT…Where did it all begin?

The term "Internet of Things" was coined by Kevin Ashton in 1999 while he was working at P&G as a brand manager, describing a system in which the Internet is connected to the physical world through ubiquitous sensors. This first IoT system was P&G's self-replenishing inventory system, using RFID tags and machine-to-machine (M2M) communication for the humble… lipstick.

Today's simple description of IoT: a collection of interconnected devices that make lives smarter, safer and simpler. Doing that safely requires CONFIDENTIALITY, INTEGRITY and AUTHENTICITY.

IoT connectivity: how this is influencing our lives and pockets…

IoT growth until 2020 (sources: UN/ITU/IDC):

– $7 Trillion market potential
– 40 Zettabytes of data created
– 28 Billion installed IoT devices*
– 5 Billion connected people

Source: IC Insights Update Report Nov. 16. *Counting only the Internet connection portion of systems.

IoT Mega ‘SMART’ Trend and the Applications behind the headlines

People: Phones; Tablets; Wearables; Personal Health; Fitness & Diet; Health Care Monitoring; Diagnostics & Treatment; Education & Training

Vehicles: Cars / Truck / Bus; Engine & Drivetrain; Infotainment; Driver Aids; Auto-Drive

Homes: Smart Home; Safety & Security; Infotainment; Environment; Appliances

Town & Cities: Smart Grid; Smart Roads; Smart Buildings; Traffic Flow; Lighting; Smart Meters; Infrastructures

Commerce: eRetail; Smart Labels; Transit; Smart Office; Smart Store/Shelf; Smart Signage

Industrial: Energy (Oil & Gas); Pipelines; Power Generation; Manufacturing; Agriculture; Logistics; Health Care Delivery; Operational Automation; Performance Optimization; Preventative Maintenance; Capacity Planning

2. IoT Threats

Jeep Cherokee (figure: RADIO → Firmware → CAN-IHS → CAN-C). The 2015 remote compromise of a Jeep Cherokee entered through the cellular-connected radio head unit and, by reflashing its firmware, reached the vehicle's CAN buses from the infotainment bus (CAN-IHS) across to the safety-relevant CAN-C.

Stuxnet (figure: Engineering → Operational Network → Cascade PLC → Breakers). Stuxnet reached the PLCs driving the centrifuge cascade through the engineering systems used to program them, not through a direct attack on the controllers.

Accelerating IoT Attacks generating bad Press!

Reverse Engineering Companies…Loss of IP

IoT Connectivity requires Security…Why

When a device becomes connected, the authenticity, integrity and confidentiality of the device and of its messages have to be protected.

(figure: the assets on a connected device and on the host or cloud that attackers target: the device identity (iD), the firmware update, the boot process, the sensitive data stored on the device, the messages exchanged with the host or cloud, and the data and actors on the host/cloud side)

3. Intro to OPTIGA™ Embedded Security

OPTIGA™ Embedded Security Family (columns ordered by increasing security and complexity)

| | OPTIGA™ Trust & Trust B | OPTIGA™ Trust E | OPTIGA™ Trust X | OPTIGA™ Trust P | OPTIGA™ TPM |
|---|---|---|---|---|---|
| Functionality | Authentication | Authentication | Connected device security | Programmable | TCG standard |
| Security level | Basic | CC EAL 6+* | CC EAL 6+* | CC EAL 5+ | CC EAL 4+ |
| Type of host system | MCU without OS / proprietary OS / RTOS | MCU without OS / proprietary OS / RTOS | MCU without OS / proprietary OS / RTOS | Embedded Linux | Windows / Linux |
| Interface | SWI | I2C | I2C | UART | I2C, SPI, LPC |
| System integration | Done by IFX | Done by IFX | Done by IFX | Customer implementation, support by IFX | Platform vendor |
| Cryptography (private key stored in secure HW) | ECC163 | ECC256 | ECC256 | ECC384, ECC521, RSA2K | ECC256, RSA2K |
| NVM (data) | 448 Byte | 3 kByte | 10 kByte | 150 kByte** | 6 kByte |
| Part number | SLS10ERE / SLE95250 | SLS32AIA | SLS32AIA020x | SLJ52ACA | SLB96xx |

* Based on certified HW. ** Code & data.

Pre-provisioning of Device Keys and CA Using OPTIGA™ Trust

Appliance/Node (MCU + OPTIGA™ Trust):

– Key pairs and CA certificates are loaded into the OPTIGA™ Trust before it leaves the Infineon factory.
– This allows the device to authenticate to servers and prove its identity.
– Manufacturers can additionally inject their own CA certificates if required.
– The customer does not have to invest in costly key-injection facilities for handling the key-injection process.

Host/Gateway (standard gateway/router application processor + OPTIGA™ TPM):

– OPTIGA™ TPMs leave the Infineon factory pre-provisioned with key pairs and certificates.
– This allows the servers to verify the authenticity of the gateway cryptographically by challenging the TPM.
– It allows the gateway to use the OPTIGA™ TPM as a root of trust to authenticate servers.
– Further key pairs can be generated and signed by the TPM.
– Secure storage allows the TPM to bind allowed devices to the gateway.

Back End Servers: hold the OEM Root CA that anchors the device and gateway certificates.

Smart Home Example: typical Architecture

(figure: Smart Home Gateway with OPTIGA™ TPM; Router; Smart Home Console; MCU-based IP Camera, Sensors and Smart Lock nodes fitted with OPTIGA™ Trust E or OPTIGA™ Trust X)

Security Use Cases:

– Pre-provisioned keys and certificates
– Device Identity Authentication
– Mutual Authentication and Secure Communication
– Software / Firmware Updates
– Platform Integrity

Smart Home Use Case, Basic Devices – Device Identity Authentication

Devices may connect directly to the Internet using WiFi through the home router. The end destination could be either the control devices, such as smart phones, or the vendor database.

OPTIGA™ Trust acts as the trust anchor that lets the gateway cryptographically verify the identity of a device joining the network. It is also important for vendor servers to be able to securely verify that devices are authentic devices manufactured by them.

(figure: Smart Home Gateway with OPTIGA™ TPM; Internet Gateway / Router; basic devices with OPTIGA™ Trust B/E)

Smart Home Use Case – Mutual Authentication and Secure Communication

These are smart home devices that perform actions or provide more sensitive data. Such devices require mutual authentication of incoming commands and secure communication to protect the data transmission.

OPTIGA™ Trust provides the trust anchor to perform mutual authentication and establish session communication with the gateway, phones, tablets and servers.

(figure: Smart Home Gateway; Internet Gateway / Router; devices with OPTIGA™ Trust X)
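The three slides above (pre-provisioned keys and CA, device identity authentication, mutual authentication) rest on one procedure: the verifier sends a fresh nonce, the device signs it with the private key that never leaves the secure element, and the verifier checks both the certificate chain (against the OEM root CA) and the signature. The Go program below is an added example, not Infineon code and not an OPTIGA host-library API; it models the whole flow in one process with the Go standard library, standing in for a Linux gateway. The root CA, the device names "gateway-0001" and "smart-lock-0042", the serial numbers and the purpose labels are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Identity is what one party holds: its certificate plus the matching private
// key. On a real node the key is generated inside the OPTIGA element and never
// leaves it (only signing is exposed); in this example it lives in memory.
type Identity struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// Issue generates a P-256 key pair and a certificate for it. With ca == nil the
// result is a self-signed root (standing in for the OEM root CA); otherwise the
// certificate is signed by ca, which is what factory pre-provisioning of a
// device amounts to. Names and serials are constructed example values.
func Issue(name string, serial int64, ca *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	parent, signer := tmpl, key
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	} else {
		parent, signer = ca.Cert, ca.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, key: key}, nil
}

// challengeDigest binds the nonce to a purpose label, so a response to one
// challenge cannot be replayed as the answer to a different one.
func challengeDigest(purpose string, nonce []byte) []byte {
	d := sha256.Sum256(append([]byte(purpose+"|"), nonce...))
	return d[:]
}

// Respond is the prover side: sign the verifier's fresh nonce with the
// provisioned key (the "challenge the TPM" step on the slide).
func (id *Identity) Respond(purpose string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, id.key, challengeDigest(purpose, nonce))
}

// VerifyPeer is the verifier side: the peer certificate must chain to a trusted
// root AND the signature must be over the nonce this verifier issued. A valid
// certificate alone proves nothing without proof of possession of the key.
func VerifyPeer(roots *x509.CertPool, peer *x509.Certificate, purpose string, nonce, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return "", errors.New("certificate not trusted: " + err.Error())
	}
	pub, ok := peer.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, challengeDigest(purpose, nonce), sig) {
		return "", errors.New("challenge response does not verify")
	}
	return peer.Subject.CommonName, nil
}

// Authenticate runs one direction end to end: fresh nonce from the verifier,
// response from the prover, verification. Returns the authenticated name.
func Authenticate(roots *x509.CertPool, prover *Identity, purpose string) (string, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sig, err := prover.Respond(purpose, nonce)
	if err != nil {
		return "", err
	}
	return VerifyPeer(roots, prover.Cert, purpose, nonce, sig)
}

// MutualAuth: the gateway authenticates the node and the node authenticates the
// gateway; both must succeed before either side trusts the other.
func MutualAuth(roots *x509.CertPool, gateway, node *Identity) (nodeName, gatewayName string, err error) {
	if nodeName, err = Authenticate(roots, node, "node->gateway"); err == nil {
		gatewayName, err = Authenticate(roots, gateway, "gateway->node")
	}
	return nodeName, gatewayName, err
}
```

On real hardware the key generation in Issue and the signing in Respond are the operations the OPTIGA element performs internally; everything in VerifyPeer runs on the gateway or server with public material only. A response is valid only for the exact nonce and purpose label it was issued for, so a captured node-to-gateway response can neither be reused against a later challenge nor played back to the node as if it were the gateway's answer.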

The Future of Lighting is Smart! Infineon & Partners displaying Smart Street Lighting

IoT Appliances Require Secure FW Update

› Common Threats:

– Modified image of the FW.

– Intercepted and reverse-engineered FW image.

– Downgrade to an older (vulnerable) version.

– Unverified (malicious) version from attackers.

› Objectives:

– Encrypt the FW image.

– Hash to protect image integrity.

– Signature to verify FW authenticity.

– Version checking to prevent rollback.

(figure: new firmware flows from the Back End Servers through the Home Gateway (application processor + OPTIGA™ TPM) to the Appliance (MCU + OPTIGA™ Trust X))

Security Toolbox & Use Cases

| Symmetric Encryption | Asymmetric Encryption | Hash Algorithm | Certificates | PKI | ECDH Key Exchange |
|---|---|---|---|---|---|
| Fast; easily implemented | Secure; key flexibility | Space efficient; one-way | Protect integrity & authenticity of info | Structured method to handle public keys | Securely establish a shared symmetric key |

Use cases: Key Generation and Management; Boot Protection; Platform Integrity; Stored Data Protection; Secure Communications; Authentication; Secure Updates

OPTIGA™ Product Family (axes: design-in complexity, feature set, certification level)

| Product | Design-in complexity | Certification level |
|---|---|---|
| OPTIGA™ Trust / B | low | CC EAL 6+* |
| OPTIGA™ Trust E | low | CC EAL 6+* |
| OPTIGA™ Trust X1 | low | CC EAL 6+* |
| OPTIGA™ Trust P | medium | CC EAL 5+ |
| OPTIGA™ TPM | medium | CC EAL 4+ |

Feature set (increasing): One-way Authentication → One-way Authentication with PKI Support → Encrypted Storage. *Using EAL 6+ certified HW.

Evaluation kits / development tools (order numbers and prices as on the slide): SP001185804 €40; SP001601016 (B) €40; SP007398818 €60 TBC, launch Jan. 18; SP001596596 V1.2; SP001880816 €130; SP001596592 V2.0 Development Tools.

Avnet’s Industrial IoT Starter Platform + TPM

(figure: MicroZed System-on-Module on an Arduino Carrier Card, with Arduino Shield expansion, three Pmod™ expansion connectors for sensors / actuators / HMI / communication, additional I/O expansion, and the TPM: Infineon SLB9670)

4. Questions…

Thank You