Published by Kayla Preston
Modified over 2 years ago
Slide 1 (Confidential): Phoenix Security Architecture and DevID
July 2005
Karen Zelenko, Phoenix Technologies
© Copyright 2004 Phoenix Technologies Ltd

Slide 2: Objectives for DevID
- Provide strong means to identify and authenticate the identity of devices in a network – including during initial provisioning (possibly remotely)
- Identity is permanently bound to device
- Each identity is unique
- Centralized infrastructure not required for DevID to be usable

Slide 3: Phoenix Security Architecture
- Security Architecture provides secure cryptographic operations and the ability to bind applications and data to a specific device
- Operations done in Secure SMI Environment
- Caller Validation provides extra protection
- Binding to device via Secure Storage

Slide 4: Phoenix Security Framework
[Diagram labels: Core System Software; Power-on; Application; OS Kernel; Application; Ring 3, Application privilege; Ring 0, OS privilege; System Management Mode (Highest privilege on the CPU); Security Driver; SMM, CSS privilege; Caller Validation; Device Key in Secure Silicon]

Slide 5: Secure Storage
- Nonvolatile memory
- Hardware-Based OAR-Locking (Open at Reset)
- Offline storage of Device Key (DK)
- 20 Bytes = 16 byte DK + 4 byte status
- Retrieved at BIOS reset
- Contents transferred to SMRAM
- Locked until next reset
- Examples – CMOS, FWH, EC, …

Slide 6: Device Key (DK)
- 128-bit Advanced Encryption Standard (AES)
- Systems typically ship with no DK
- DK randomly generated on first use of a cME Security application
- DK unique to that specific device (motherboard)
- Never exposed outside of SMI for StrongROM

Slide 7: Device Key Handling

Slide 8: StrongROM Embedded Crypto Engine
- StrongROM provides:
  - Secure Storage and DK access
  - General Crypto
  - Caller Validation
- Runs in SMM (System Management Mode)
- SMRAM (Locked, Paged in by hardware)
- Time-slicing for compute-intensive operations

Slide 9: StrongROM Algorithms
- SHA bit
- AES 128-bit
- HMAC-SHA
- RSA bit
- PRNG SHA-1 Based
- NIST Approved

Slide 10: Caller Validation
- Inter-module communication involves checking caller against a signature
  - driver-to-StrongROM
  - application-to-driver
- Requires that calling applications are
  - Signed
  - Authorized
  - Undamaged
- Protects against debug attacks

Slide 11: Caller Validation (cont.)
- Portion of the executable's in-memory image is hashed into an Owners Code Digest (OCD)
- OCD is signed by Phoenix
- Phoenix maintains hierarchy of keys in a secure location with root key protected by Verisign
- Caller validation compares in-memory image of calling application against signature

Slide 12: Caller Validation

Slide 13: Security Services
- Data Protection and Binding to Device
  - Seal / Unseal AppContainer using Device Key
  - Data accessed by authorized application on authorized platform
- RSA Key Protection and Binding to Device
  - Special AppContainer storing keys
  - Private Keys are not exposed outside of SMM
- Platform Identifier
  - Platform ID = HMAC (DK, OCD || Usage Flags)

Slide 14: Phoenix Security Strengths
- Unique DK – limits class attacks
- DK Handled in a secure environment
- Secure Storage variety (as opposed to homogenous storage)
- Caller validation
- Privacy – Limited exposure of the DK
- Basic building blocks for applications (ex. Client-server application)

Slide 15: DevID with Phoenix Framework
- Use the Platform ID as a DevID
  - Statistically unique credential bound to the device
- Derive a new credential unique to DevID, unrelated to the Device Key except by platform association
  - presumably stored as a protected BLOB outside of StrongROM

Slide 16: Summary
- Phoenix Security Framework provides the necessary components to implement DevID
  - strong asymmetric crypto
  - secure hashing
  - integrated secure storage
- Platform ID by itself meets the needs of DevID
- Phoenix Security Framework could be optimized for a variety of device classes
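
The Platform ID formula on the Security Services slide, and its proposed use as a DevID, can be made concrete with a short sketch. This is an added example, not Phoenix code: it assumes HMAC-SHA-1, SHA-1 for the OCD, and a 32-bit little-endian encoding for the status word and Usage Flags, none of which the slides specify. It runs in ordinary user space, whereas the framework performs these steps inside SMM so that the DK is never exposed.

```python
import hashlib
import hmac
import struct

RECORD_LEN = 20  # Secure Storage slide: 16-byte DK + 4-byte status


def parse_secure_storage(record: bytes) -> tuple[bytes, int]:
    """Split the 20-byte Secure Storage record into (DK, status)."""
    if len(record) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(record)}")
    dk = record[:16]
    (status,) = struct.unpack("<I", record[16:])  # assumed little-endian status
    return dk, status


def owners_code_digest(image: bytes) -> bytes:
    """OCD: hash of the caller's in-memory image (SHA-1 is an assumption)."""
    return hashlib.sha1(image).digest()


def platform_id(dk: bytes, ocd: bytes, usage_flags: int) -> bytes:
    """Platform ID = HMAC(DK, OCD || Usage Flags); HMAC-SHA-1 is an assumption."""
    msg = ocd + struct.pack("<I", usage_flags)  # assumed 32-bit flag encoding
    return hmac.new(dk, msg, hashlib.sha1).digest()


def demo() -> dict[str, bytes]:
    # Constructed sample data; none of these values come from the slides.
    device_a = bytes(range(16)) + struct.pack("<I", 1)
    device_b = bytes(range(16, 32)) + struct.pack("<I", 1)
    app_image = b"constructed caller image bytes"
    tampered_image = app_image + b"\x90"

    dk_a, _ = parse_secure_storage(device_a)
    dk_b, _ = parse_secure_storage(device_b)
    ocd = owners_code_digest(app_image)
    return {
        "a": platform_id(dk_a, ocd, 0x1),
        "a_again": platform_id(dk_a, ocd, 0x1),        # stable per device + app
        "a_other_flags": platform_id(dk_a, ocd, 0x2),  # flags separate usages
        "a_tampered": platform_id(dk_a, owners_code_digest(tampered_image), 0x1),
        "b": platform_id(dk_b, ocd, 0x1),              # other device, other ID
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value.hex()}")
```

The same DK, caller image and flags always yield the same identifier, while changing any one of the three yields an unrelated value, which is what makes the Platform ID usable as a device-bound credential without revealing the DK.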