Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Trusted Systems in Networking Infrastructure Rafael Mantilla Montalvo Cisco Systems June 2013.

Similar presentations


Presentation on theme: "1 Trusted Systems in Networking Infrastructure Rafael Mantilla Montalvo Cisco Systems June 2013."— Presentation transcript:

1 1 Trusted Systems in Networking Infrastructure Rafael Mantilla Montalvo Cisco Systems June 2013

2 2 Counterfeit Secure Boot Device Identity Authentication Counterfeiter Signing Key Identity Key and Certificate Identity Key and Certificate Signed Image TPM Network Authentication System

3 3 Protect network devices against counterfeit Strong identity using cryptographic techniques Protect software using cryptographic keys Image signing Ensure execution of trusted software Signed image validation at boot time (Secure Boot) Protect signing keys (Identity) in hardware Secure storage in Trusted Platform Module (TPM) Strong device authentication using certificates TPM NV storage provisioning at manufacturing time Authenticate network devices during operation Network authentication system Aggregation Enterprise Network Data Center Server Farm Access Core Services

4 4 Counterfeit and mitigation mechanisms Secure boot Device Identity and TPM Network authentication system 4 Company Culture Trusted Infrastructure Policies Processes Technologies Genuine Products with Embedded Security Supply Chain Security Solutions Individual and Group Threats Gray Market/ Counterfeit Software Manipulation Software Manipulation Espionage Hardware Tampering Disruption

5 5 There has been an increase in counterfeit, grey market and illegal product modification across the globe Industry estimates that up to 10% of electronic products worldwide are counterfeit, increasing the potential of multiple counterfeit devices within the network infrastructure Counterfeiters target hardware and software vulnerabilities, without any consideration of users business concerns, devices performance, devices safety or security Lost Revenue for OEM, Lost Security, Productivity, and Reputation for the Customer Example: Customs investigation lead to seizure of network gear having an estimated retail value of more than $143M (Operation Network Raider) Counterfeiters main motivation is driven by monetary gain Counterfeiters target OEM with high reputation, majority market share and leadership in IT equipment as high monetary opportunity

6 6 Reverse engineer equipment and build from lower cost and lower quality components Spoofing OEM serial numbers and product identifiers Change devices appearance outside of OEM manufacturing facility to make it appear like an enhanced or upgraded unit Build multilayer PCBs where only the outer layers look genuine and populated them using scrap parts Use modified boot code to bypass software interaction with the TPM resulting in: Inability to authenticate hardware Able to bypass software licensing checking

7 7

8 8 Secure boot Ensure boot of genuine code using image signing Device identity Establish device identity using cryptographic keys and certificates Authenticate devices in the network Verify device identity using keys and certificates Verify code licensing using certificates Verify product serial number, product identifier, electronic components serial number and others Verify device software, firmware, programmable devices image and configuration files

9 9 Counterfeit and mitigation mechanisms Secure boot Device Identity and TPM Network authentication system 9 Company Culture Trusted Infrastructure Policies Processes Technologies Genuine Products with Embedded Security Supply Chain Security Solutions Individual and Group Threats Gray Market/ Counterfeit Software Manipulation Software Manipulation Espionage Hardware Tampering Disruption

10 10 Immutable Root-of-Trust in hardware Typically a boot loader and cryptographic key residing in CPU ROM Root-of-Trust protects the initial boot process Authentication, integrity and confidentiality of boot image Root-of-Trust uses cryptographic keys to authenticate and validate the integrity of the boot image Boot image is signed using cryptographic keys Boot image could be encrypted to provide confidentiality Boot image resides typically in FLASH Root-of-Trust starts a secure boot chain by passing control to the boot image after authentication and integrity verification The boot image passes control to the OS after authentication

11 11 Step 3Step 2Step 1 CPU Immutable OS CPU ROM Boot Loader ROM Boot Loader Boot Image Boot Image CPU Authentication and integrity validation Root-of-Trust 1. Boot Loader authenticates and validates integrity of the Boot Image 2. Boot Image authenticates and validates integrity of the OS 3. OS is launched

12 12 Boot Image is authenticated and integrity verified using cryptographic keys Cryptographic keys are typically asymmetric RSA keys The Root-of-Trust is anchored in the OEM private key OEM private key is used to sign the boot image and kept secret The Boot Loader uses the OEM public key to authenticate and verify integrity of the boot image The OEM public key resides typically in FLASH The OEM public key is typically protected with an asymmetric key Provides biding of public key with the CPU The asymmetric key is CPU specific and OTP (fuses)

13 13 Public Root-of-Trust Key Resides in ROM Used to Authenticate and Verify Boot Image Public Key Owned by the OEM Public Boot Image Key Resides in FLASH Used to Authenticate and Verify Boot Image Signed with Private Root-of-Trust Key Owned by the OEM Boot Image signed using private key

14 14 ROM Boot Loader Root-of-Trust Key ROM Boot Loader Root-of-Trust Key Processor Core SPI Interfaces Boot Image Public Key Digital Signature Boot Image Digital Signature Authenticate Flash RAM

15 15 Step 3Step 2Step 1 CPU Immutable OS CPU ROM Boot Loader ROM Boot Loader Boot Image Boot Image CPU Authentication and integrity validation Root-of-Trust Boot Loader in ROM initializes device Establish Public Root- of-Trust key in ROM Loads and Authenticates from FLASH Public Boot Image Key Loads and Authenticate from FLASH Boot Image Passes control to Boot Image

16 16 Ensures only authentic OEM software boots up on an OEM Device Anchored in hardware (ROM CPU) As the boot image is created, the signature is installed using a secure private key As the software boots, the system checks to ensure the installed signature is authentic Same process is repeated to boot the platform OS

17 17 Counterfeit and mitigation mechanisms Secure boot Device Identity and TPM Network authentication system 17 Company Culture Trusted Infrastructure Policies Processes Technologies Genuine Products with Embedded Security Supply Chain Security Solutions Individual and Group Threats Gray Market/ Counterfeit Software Manipulation Software Manipulation Espionage Hardware Tampering Disruption

18 18 The device identity is cryptographically represented by a key pair and a certificate The key pair and the certificate are owned by the OEM The OEM generates an asymmetric RSA key pair and signs a certificate with the private part of the RSA key The RSA key pair is inserted in the TPM and protected in TPM shielded location The OEM certificate is permanently stored in a TPM NV Index location The NV Index is locked after the certificate is stored to make it permanent and immutable for the life of the platform

19 19 After Secure Boot, the OS verifies the authenticity of the certificate pre-provisioned in the TPM The identity is in the form of a X.509 certificate The certificate is an assertion by the OEM relating the platform identity with the OEM public key The assertion is validated using asymmetric cryptographic means The TPM contains the OEM identity key pair and the certificate as a unique, permanent and immutable objects The OS uses the identity public key to validate the authenticity of the identity certificate The identity certificate maybe chained to a root certificate (OEM)

20 20 Step 3Step 2Step 1 CPU Immutable OS CPU ROM Boot Loader ROM Boot Loader Boot Image Boot Image CPU Authentication and Integrity Validation Root-of-Trust Secure Boot Step 4 OS CPU Identity TPM Step 5 OS CPU Identity TPM Secure Device Identity (TPM) Identity Authentication Other TPM Services

21 21 TPM OS Request Certificate Chain Return Certificate Chain Verify Certificate Chain CA Sub-CA Identity Certificate TPM_NV_ReadValue()

22 22 Send Challenge With Nonce Send Response With Signature Verify Signature TPM OS Nonce Sign Signed Nonce with Private Identity Key Sign Verify Signature with Public Identity Key Identity Authenticated! TPM_Sign()

23 23 In order to verify the authenticity of the device the TPM needs to be provisioned with Identity Key and Certificate The OEM is responsible for initially provisioning the TPM In this context, provisioning refers to allocating part of the TPM’s NVRAM and writing data to the NVRAM OEM provisioning can be used to store identity and other (licensing) certificates in NV Indexes TPM_NV_DefineSpace() TPM_NV_WriteValue()

24 24 A new TPM comes in a state that makes it very easy for the OEM to provision The OEM can create TPM NV Indexes to store certificates The OEM creates a certificate and writes the certificate to NV Index Once the certificate is correct, the OEM write-protects the certificate Index and then performs an OEM Lock on the TPM The lock terminates the “easy provisioning” state and forces the TPM to enforce access permission It prevents anyone from altering the OEM’s indexes TPM_NV_DefineSpace() TPM_NV_WriteValue()

25 25 The OEM may wish to create several indexes and if so they must be created before asserting the OEM Lock NV Indexes have a “D” bit in the Attribute The TPM Lock operation sets the “D” bit in the Attribute It is impossible to create or redefine an Index after the “D” bit is set Indexes must be properly defined before the Lock operation Failure to do so requires replacing the TPM Locking is not recommended until manufacturing (i.e. not during development and debug) TPM_NV_WriteValue(Length = 0)

26 26 Endorsement Key (EK) Unique TPM identity Created by the TPM manufacture in a secure environment Non-migratable, store inside the chip, cannot be remove Storage Root Key (SRK) It is the top level element of TPM key hierarchy Created during take ownership Non-migratable, store inside the chip, can be remove Storage Keys Keys used to wrap (encrypt) other elements in the TPM key hierarchy Created during user initialization Signature Keys Keys used for signing operations (Identity) Must be a leaf in the TPM key hierarchy

27 27 The EK is an asymmetric, typically RSA, key unique for every TPM and therefore uniquely identifies a TPM Generation of the TPM EK is usually done during manufacturing The EK is backed by a certificate typically issued by the TPM manufacturer The EK certificate guarantees that the key actually is an EK and is protected by a genuine TPM The EK can not be changed or removed TPM_CreateEndorsementKeyPair()

28 28 Taking ownership of a TPM is the process of inserting a shared secret into a TPM shielded location Any entity that knows the shared secret is a TPM Owner To provide confidentiality the proposed TPM Owner encrypts the shared secret using the public part of the EK This requires the private part EK to decrypt the value As the private part of the EK is only available in the TPM the encrypted shared secret is only available to the intended TPM Typically the TPM ships with no Owner installed TPM_TakeOwnership(OwnerAuth)

29 29 Taking Ownership of the TPM creates an SRK SRK is the top level element of TPM key hierarchy After taking Ownership, the Owner has the public part of the SRK It follows that objects owned by a previous owner will not be inherited by a new owner The SRK key is deleted from the TPM when a new Owner is established Notice that EK and SRK are the only keys permanently stored in the TPM and not lost during reset All other keys (Identity) must be restored after a reset cycle TPM_TakeOwnership()

30 30 It is desirable that he device identity keys for Network Infrastructure Devices be created outside the TPM by the OEM back-end system The private part of the identity key is encrypted with the public part of the SRK by the OEM back-end system The identity key can then be loaded and stored in the SRK hierarchy and used to proof the identity of the device Notice that if the Ownership changes, a new SRK is created by the new Owner and the private part of the identity key must be encrypted with the new public part of the SRK before loading TPM_MakeIdentity() TPM_ActivateIdentity() TPM_LoadContext()

31 31 Opportunity to assure users have Authentic OEM devices Opportunity for users to Identify and Replace Non Compliant and Inferior Counterfeit devices within their network Opportunity for users to confirm their suppliers are providing authentic OEM devices Opportunity for users to confirm their procurement practices are providing the quality devices they are paying for Assure users their devices will be serviceable under OEM Services

32 32 Counterfeit and mitigation mechanisms Secure boot Device Identity and TPM Network authentication system 32 Company Culture Trusted Infrastructure Policies Processes Technologies Genuine Products with Embedded Security Supply Chain Security Solutions Individual and Group Threats Gray Market/ Counterfeit Software Manipulation Software Manipulation Espionage Hardware Tampering Disruption

33 33 Network authentication helps identify suspicious devices in users networks Network authentication validates the collected data from the network against the OEM backend manufacturing/shipping database Network authentication identify the devices as genuine or not- genuine Network authentication processes the device secure identifier, MAC addresses, serial number and Product ID among other parameters The end user is provided with a report indicating if the device is suspicious, non-suspicious or missing data Suspicious Non-Suspicious Missing Data

34 34 Suspicious Non-Suspicious Missing Data 1. OEM Discovery Services performs devices discovery and inventory 2. OEM Discovery Services transfers collected data to the OEM where data is analyzed 3. Analyzed data is returned to OEM Discovery Services to produce vendor reports (suspicious, non-suspicious or missing data)

35 35 Counterfeit issues require new technologies to mitigate hardware and software attacks Secure Boot ensures execution of genuine software from the boot loader to the OS Trusted OS authenticate the hardware using identity held by the TPM Strong identity can be used by Network Authentication tools to validate the Network Infrastructure Devices as genuine OEM devices Network Authentication tools can be used to provide deeper attestation analysis to determine the Trustworthiness of the Network Infrastructure

36 Thank you.


Download ppt "1 Trusted Systems in Networking Infrastructure Rafael Mantilla Montalvo Cisco Systems June 2013."

Similar presentations


Ads by Google