Authenticate Everything, May 25, 2017
Strong Device Identity for Trust & Security in IoT
Lancen LaChance
Vice President Product Management, GlobalSign
The Fourth Industrial Revolution
The 4 Industrial Revolutions (by Christoph Roser at AllAboutLean.com)
Industrial Internet of Things (IIoT)
Challenges faced in an IoT System
Solving these 3 key problems allows a secure implementation of an IoT System
Lifecycle Management
• Identifying devices is necessary for LCM
• Strongly identifying devices is necessary for effective LCM
Interoperability
• Scaling an IoT system needs interconnecting systems
• Any solution should be platform-agnostic and interoperable
Scalability
• An IoT system needs to scale to billions of devices
• This scaling should happen securely
Need for Strong Identity
Spoofing
Occurs when one person or program successfully masquerades as another, by falsifying data, thereby gaining an illegitimate advantage
Migratable Identity
An identity that cannot be strongly tied to, nor rendered irremovable from, the entity to which it is issued
Man-in-the-Middle
Occurs when the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other
What happens if you don’t have Strong ID?
[Diagram labels: Cloud, Gateway, Endpoint; Impersonation, Disclosure, Compromise, Control]
• A rogue control node may send unauthorized commands to an Endpoint
• An Endpoint may disclose false sensor data to the edge device
• A Gateway device may impersonate another
“Strong Identity is necessary, but not sufficient”
Assurance of the Permeation of Trust
Permeation of Trust
Trust in all of the system elements, how these elements are integrated and how they interact with each other.
Standing on the Shoulders of Giants
• Remember – the Internet of Things is still the internet
• Internet, information security principles and best practices have matured over the past decade
• Things are just one part; we still have users, services, and organizations
• Solutions and standards exist today that succeed in providing distributed trusted identity
PKI: Technology of the Future, Now
• Proven mechanism for enabling information security principles
• Core Internet technology for over 3 decades
• Broad interoperability & compatibility with software and protocols
• Uses public and open standards
• Massively Scalable to Billions of Identities
In a nutshell: PKI is Strong, Effective and Future-proof
New Considerations for IoT
• Provisioning
–Key generation & unique identities
–Manufacturing lines
–Automation
–Size, scale, and scope of your ecosystem
New Considerations for IoT
• Provisioning
• Securing the keys
–Role of hardware & software
–Prevent identity migration and impersonation
Moving towards Higher Assurance Security
Listed from less secure to more secure:
• No identity authentication for Endpoint
• Gateway authentication for Endpoint using X.509 certificates
• 2-way authentication using mutual TLS
• Strong authentication using PUF for key storage
New Considerations for IoT
• Provisioning
• Securing the keys
• Diversity of devices and operating environments
–Software libraries may need augmentation due to constraints or compatibility
–No more “plug and play”
–Trust models – open vs. closed
New Considerations for IoT
• Provisioning
• Securing the keys
• Diversity of devices and operating environments
• Interoperability and complex ecosystems
PKI for IoT vs OT vs IT
[Diagram labels: IT, OT, IoT; Privacy, Safety, Security, Reliability, Resilience]
• Physical components bring new security challenges
–Proprietary protocols
–Traditionally occasional, if ever, patching/update cycle
–Long device lifetimes
• OT involvement brings new concerns
–IT priorities vs. OT priorities
–Physical security not enough for connected ecosystems
–Cyber-physical systems risk life and limb
PUF and PKI: simple, secure and scalable
Secure
• No secrets stored in device
• No device-internal interfaces need to be secured
• No central key programming required
Scalable
• No additional hardware elements
• No changes to existing hardware
• Compatible with most smart chips
• Cloud service scales to Billions of identities
[Graphic labels: Safest Key Vault; No additional cost and complexity]
GlobalSign High Volume PKI
[Diagram labels: GlobalSign Private DataCenter; GlobalSign High Volume PKI Platform; Rapid issuance of X.509 Certificates; Secured by a Hardware Root of Trust; Strong Device Identities]
• Supports a range of IoT use cases
–Long lived certs for Off-grid uses
–Short duration certs for Object Signing
–Device Identity / IoT
–PUF Integration - Higher Security Assurance
• Massive throughput issuance capability
–Thousands of certificates/second
–Scalable to several Billions of devices
–Redundant data centers designed for FT, HA
Flexible integration into any supply chain
• Automated provisioning and enrolment
–Integrates with existing manufacturing workflows
–Flexible implementation in firmware loading, functional test
–Automate IoT Cloud registration
• Scalable
–GlobalSign High-Volume CA cloud services
–Intrinsic-ID universal SRAM PUF solution in hardware or firmware
–Throughput of x1000s certs/second
–Scales to Billions of devices per customer
Strong Device Identity with IntrinsicID & PUFs
1. Derive unique fingerprint from SRAM for device.
2. The device fingerprint is used to derive an asymmetric public-private key pair.
3. The Provisioning PC reads the public key from the device over a simple serial interface. This step could also be done over 3-pin header JTAG, USB, Ethernet, etc.
4. The Provisioning PC requests a device identity certificate from GlobalSign’s Managed PKI cloud service.
5. GlobalSign’s Managed PKI cloud service issues the device identity certificate to the Provisioning PC.
6. The Provisioning PC sends the device certificate to the device for storage in non-volatile memory. Device identity provisioning is now complete. The device identity certificate can now be used for authentication in an SSL/TLS context.
7. Optionally, the Provisioning PC can be configured to automatically enroll a device in a cloud platform.
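Steps 1 and 2 depend on recovering the same key material from noisy SRAM power-up values at every boot without storing the key itself. The sketch below is an added example, not Intrinsic-ID's or GlobalSign's code: it uses a textbook code-offset construction with a repetition code, and `REP`, `KEY_BITS`, the noise rate and the hash label are assumptions chosen for illustration.

```python
import hashlib, random, secrets

REP = 7          # SRAM cells per key bit (repetition code, corrects 3 flips per block)
KEY_BITS = 128   # assumed key length for this illustration

def sram_readout(cell_bias, noise, rng):
    """Simulated power-up: each cell shows its preferred bit, flipped with prob. `noise`."""
    return [b ^ int(rng.random() < noise) for b in cell_bias]

def enroll(readout):
    """One-time enrollment: returns (helper data, key bits). Only helper data is stored."""
    key_bits = [secrets.randbits(1) for _ in range(KEY_BITS)]
    codeword = [b for b in key_bits for _ in range(REP)]
    helper = [c ^ r for c, r in zip(codeword, readout)]
    return helper, key_bits

def reconstruct(readout, helper):
    """Every boot: readout XOR helper = codeword plus noise; majority vote per block."""
    noisy = [h ^ r for h, r in zip(helper, readout)]
    return [int(sum(noisy[i:i + REP]) > REP // 2) for i in range(0, len(noisy), REP)]

def key_seed(key_bits):
    """Hash the recovered bits into a seed for deterministic key-pair generation (step 2)."""
    raw = int("".join(map(str, key_bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(b"constructed-device-id-label" + raw).digest()

if __name__ == "__main__":
    rng = random.Random(2017)                                  # constructed sample device
    bias = [rng.getrandbits(1) for _ in range(KEY_BITS * REP)]
    helper, key = enroll(sram_readout(bias, 0.02, rng))
    for boot in range(3):                                      # three simulated power-ups
        seed = key_seed(reconstruct(sram_readout(bias, 0.02, rng), helper))
        print(boot, seed == key_seed(key), seed.hex()[:16])
```

Helper data can be stored in the clear only when the cells are unbiased and independent; production designs use stronger error-correcting codes than a repetition code.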
The Answer to Identity in IOT
• Implement security and identity from the outset
• Ensure service providers are capable of maintaining security & oversight
• Leverage established standards covering authentication, authorization, encryption, and data integrity
• Each deployment is going to differ, so solutions need to be flexible!
Thank you!