strong device identity for trust & security in iot · challenges faced in an iot system solving...

Authenticate Everything May 25, 2017 1May 25, 2017

Strong Device Identity for Trust & Security in IoTLancen LaChanceVice President Product Management, GlobalSign

Authenticate Everything May 25, 2017 2

The Fourth Industrial Revolution

The 4 Industrial Revolutions (by Christoph Roser at AllAboutLean.com)

Industrial Internet of Things

(IIoT)


Challenges faced in an IoT System

Solving these 3 key problems allows a secure implementation of an IoT System

Lifecycle Management

Identifying devices is necessary for LCM

Strongly Identifying devices is necessary

for effective LCM

Interoperability

Scaling an IoT system, needs inter-

connecting systems

Any solution should be platform-agnostic and

interoperable

Scalability

An IoT System needs to scale to billions of

devices

This scaling should happen securely


Need for Strong Identity

Spoofing

Occurs when one person or program successfully masquerades as another, by falsifying data, thereby gaining an illegitimate advantage

Migratable Identity

Is an identity that cannot be strongly tied, nor rendered irremovable, from the entity to which it is issued

Man-in-the-Middle

Occurs when the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other


What happens if you don’t have Strong ID?

Cloud

Endpoint

Gateway

Impersonation

Disclosure

Compromise

Control

• A rouge control node may send

unauthorized commands to an Endpoint

• An Endpoint may disclose false sensor

data to the edge device

• A Gateway device may impersonate

another

“Strong Identity is necessary,

but not sufficient”


Assurance of the Permeation of Trust

Permeation of Trust

Trust in all of the system elements, how these

elements are integrated and how they interact

with each other.


• Remember – the internet of things, is still the internet

• Internet, information security principles and best practices have matured over the past decade

• Things are just one part, we still have users, services, and organizations

• There are solutions and standards existing today succeeding in providing distributed trusted identity

Standing on the Shoulders of Giants


PKI: Technology of the Future, Now

• Proven mechanism for enabling information security principles

• Core Internet technology for over 3 decades

• Broad interoperability & compatibility with software and protocols

• Uses public and open standards

• Massively Scalable to Billions of Identities

In a nutshell: PKI is Strong, Effective and Future-proof


New Considerations for IoT

• Provisioning

–Key generation & unique identities

–Manufacturing lines

–Automation

–Size, scale, and scope of your ecosystem



• Provisioning

• Securing the keys

–Role of hardware & software

–Prevent identity migration and impersonation


Moving towards Higher Assurance Security

No Identity authentication for Endpoint

Gateway authentication for Endpoint using X.509 certificates

2-way authentication using mutual TLS

Strong authentication using PUF for key storage

Less Secure

More Secure



• Provisioning


• Diversity of devices and operating environments

–Software libraries may need augmentation due to constraints or compatibility

–No more “plug and play”

–Trust models – open vs. closed



• Provisioning


• Diversity of devices and operating environments

• Interoperability and complex ecosystems


IT

Privacy

OT

Safety

Security

Reliability

Resilience

PKI for IoT vs OT vs IT

• Physical components bring new security

challenges

–Proprietary protocols

–Traditionally occasional, if ever, patching/update

cycle

–Long device lifetimes

• OT involvement brings new concerns

–IT Priorities vs. OT priorities

–Physical security not enough for connected

ecosystems

–Cyber-physical systems risk life and limb

IoT


PUF and PKI: simple, secure and scalable

Secure

• No secrets stored in device

• No device-internal interfaces

need to be secured

• No central key programming

required

Scalable

• No additional hardware elements

• No changes to existing hardware

• Compatible with most smart chips

• Cloud service scales to Billions of

identities

Safest

Key Vault

No additional cost

and complexity


GlobalSign Private DataCenter

GlobalSign High Volume PKI

Supports a range of IoT use cases • Long lived certs for Off-grid uses

• Short duration certs for Object Signing

• Device Identity / IoT

• PUF Integration - Higher Security Assurance

Massive throughput issuance capability• Thousands of certificates/second

• Scalable to several Billions of devices

• Redundant data centers designed for FT, HA

GlobalSign

High Volume

PKI Platform Rapid issuance of X.509 Certificates

Secured by a Hardware Root of TrustStrong Device Identities


• Automated provisioning and enrolment• Integrates with existing manufacturing workflows

• Flexible implementation in firmware loading, functional test

• Automate IoT Cloud registration

• Scalable• GlobalSign High-Volume CA cloud services

• Intrinsic-ID universal SRAM PUF solution in hardware or firmware

• Throughput of x1000s certs/second

• Scales to Billions of devices per customer

Flexible integration into any supply chain


Strong Device Identity with IntrinsicID & PUFs

1. Derive unique fingerprint from SRAM for device.

2. The device fingerprint is used to derive an asymmetric public-private key pair.

3. The Provisioning PC reads the public key from the device over a simple serial interface. This step

could also be done over 3-pin header JTAG, USB, Ethernet, etc.

4. The Provisioning PC requests a device identity certificate from GlobalSign’s Managed PKI cloud

service.

5. GlobalSign’s Managed PKI cloud service issues the device identity certificate to the Provisioning PC.

6. The Provisioning PC sends the device certificate to the device for storage in non-volatile memory.

Device identity provisioning is now complete. The device identity certificate can now be used for

authentication in an SSL/TLS context.

7. Optionally, the Provisioning PC can be configured to automatically enroll a device in a cloud platform.


The Answer to Identity in IOT

• Implement security and identity from the outset

• Ensure service provides are capable of maintaining security & oversight

• Leverage established standards covering authentication, authorization,

encryption, and data integrity

• Each deployment is going to differ, need solutions that are flexible!


©

Thank you!

strong device identity for trust & security in iot · challenges faced in an iot system solving...

Documents