Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mutual Attestation of IoT Devices and TPM 2

Published byKerry Ball Modified over 5 years ago

Similar presentations

Presentation on theme: "Mutual Attestation of IoT Devices and TPM 2"— Presentation transcript:

1 Mutual Attestation of IoT Devices and TPM 2
Mutual Attestation of IoT Devices and TPM 2.0 Support TCG Members Meeting June 2016 Vienna Prof. Andreas Steffen Institute for Internet Technologies and Applications HSR University of Applied Sciences Rapperswil

2 Where the heck is Rapperswil?
HSR

3 HSR - Hochschule für Technik Rapperswil
University of Applied Sciences with about 1500 students Faculty of Information Technology ( students) Bachelor Course (3 years), Master Course (+1.5 years)

4 strongSwan – the OpenSource VPN Solution
Windows Active Directory Server Linux FreeRadius Server Corporate Network High-Availability strongSwan VPN Gateway Windows 7/8/10 Agile VPN Client strongSwan Linux Client N Rekeying Notification (optional) SAi Suite of cryptographic proposals for the Child SA (ESP and/or AH) Ni Initiator Nonce KEi Initiatior public factor for the Diffie-Hellman Key Exchange (optional PFS) TSi Initiator Traffic Selectors (subnets behind the Initiator) TSr Responder Traffic Selectors (subnets behind the Responder SA1r Selection of a cryptographic proposal for the IKE SA Nr Responder Nonce KEr Responder public factor for the Diffie-Hellman Key Exchange (optional PFS) Internet

5 Mutual Attestation of IoT Devices and TPM 2
Mutual Attestation of IoT Devices and TPM 2.0 Support TCG Members Meeting June 2016 Vienna Trusted Network Communications (TNC) Current Use Cases: Network Access Control & Endpoint Compliance

6 Network Access Control
TNC Architecture RFC 5792 RFC 5793 RFC 6876 RFC 7171 Endpoint Compliance Lying Endpoint Network Access Control Abbreviations • AR Access Requestor • IF Interface • IMC Integrity Measurement Collector • IMV Integrity Measurement Verifier • M Measurement • PDP Policy Decision Point • PEP Policy Enforcement Point • T Transport • TNC Trusted Network Connect VPN Client VPN Gateway

7 Layered TNC Protocol Stack
TNC Measurement Data [IMV] operating system name is 'Android' from vendor Google [IMV] operating system version is '4.2.1‘ [IMV] device ID is cf5e4cbcc6e6a2db IF-M Measurement Protocol PA-TNC (RFC 5792) [TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x [IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1 [TNC] processing PA-TNC message with ID 0xec41ce1d [TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x [TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x [TNC} processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x IF-TNCCS TNC Client-Server Protocol PB-TNC (RFC 5793) [TNC] received TNCCS batch (160 bytes) for Connection ID 1 [TNC] PB-TNC state transition from 'Init' to 'Server Working' [TNC] processing PB-TNC CDATA batch [TNC] processing PB-Language-Preference message (31 bytes) [TNC] processing PB-PA message (121 bytes) [TNC] setting language preference to 'en‘ IF-T Transport Protocol PT-EAP (RFC 7171) [NET] received packet: from [50871] to [4500] (320 bytes) [ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]

8 TPM-based Attestation
2010 Implemented the TCG TNC IF-TNCCS 2.0 Client/Server and TCG TNC IF-M Measurement protocols. 2011 Implemented the TCG Attestation Protocol Binding to TNC IF-M using TrouSerS stack under Linux [later ported to Windows]. 2012 Implemented TPM 1.2 based attestation using the Linux Integrity Measurement Architecture (IMA). 2015 Implemented the TCG TNC IF-M Segmentation Protocol allowing the transport of huge IF-M attributes over IF-T for EAP Methods. IF-T for TLS transport also profits from large buffer savings. 2016 Implemented TPM 2.0 based Attestation using the Intel TSS2 SAPI under Linux and an Intel PTT firmware TPM. TSS 2.0 requires an update of the Attestation Binding to IF-M !!!

9 Mutual Attestation of IoT Devices and TPM 2
Mutual Attestation of IoT Devices and TPM 2.0 Support TCG Members Meeting June 2016 Vienna Trusted Network Communications (TNC) New Use Case: Mutual Measurements of Endpoints

10 PB-TNC / IF-TNCCS 2.0 State Machine
PA-TNC IF-TNCCS Batch Types • CDATA ClientData • SDATA ServerData • CRETRY ClientRetry • SRETRY ServerRetry • RESULT Result • CLOSE Close Exchange of PB-TNC Client/Server Data Batches containing PA-TNC Messages

11 Mutual Measurements in Half-Duplex Mode
Initiator PB-TNC Batch[PB-TNC Messages] Responder TNC Client CDATA[PB-MUTUAL, PB-PA] TNC Server SDATA[PB-MUTUAL, PB-PA] SDATA[] CDATA[PB-PA] RESULT[PB-ASSESSMENT] SDATA[PB-PA] CLOSE[] The initiating TNC client sends CLOSE batch last Works over PT-EAP and PT-TLS

12 Example: Mutually Trusted Video Phones
PA-TNC IF-TNCCS Batch Types • CDATA ClientData • SDATA ServerData • CRETRY ClientRetry • SRETRY ServerRetry • RESULT Result • CLOSE Close

13 Mutual Attestation of IoT Devices
DB Trusted Reference DB TLS DB DB Attestation IMV Attestation IMV TNC Server TNC Server PT-EAP PT-EAP TNC Client TNC Client IKEv2 OS IMC Attestation IMC Attestation IMC OS IMC Linux OS PA-TNC IF-TNCCS Batch Types • CDATA ClientData • SDATA ServerData • CRETRY ClientRetry • SRETRY ServerRetry • RESULT Result • CLOSE Close TPM TPM Linux OS Linux IMA* IPsec Linux IMA Video Link Video Link IoT Device 1 IoT Device 2 * IMA: Integrity Measurement Architecture

14 File Version Management using SWID Tags
ISO/IEC :2015 Software Asset Management Part 2: Software Identification Tag: <SoftwareIdentity xmlns= name="libssl1.0.0" tagId="Ubuntu_14.04-x86_64-libssl f-1ubuntu2.15“ version="1.0.1f-1ubuntu2.15" versionScheme="alphanumeric"> <Entity name="strongSwan Project" regid="strongswan.org“ role="tagCreator"/> <Payload> <File location="/lib/x86_64-linux-gnu" name="libcrypto.so.1.0.0"/> <File location="/lib/x86_64-linux-gnu" name="libssl.so.1.0.0"/> <File location="/usr/share/doc/libssl1.0.0" name="copyright"/> <File location="/usr/share/doc/libssl1.0.0" name="changelog.Debian.gz"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libpadlock.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libcswift.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="lib4758cca.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libaep.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libubsec.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libchil.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libgost.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libgmp.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libcapi.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libnuron.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libsureware.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libatalla.so"/> </Payload> </SoftwareIdentity>

15 Thank you for your attention!
Questions?

Download ppt "Mutual Attestation of IoT Devices and TPM 2"

Similar presentations

November 9, 2009IETF 76 NEA WG1 NEA Working Group IETF 76 Co-chairs: Steve Hanna

November 9, 2009IETF 76 NEA WG1 NEA Working Group IETF 76 Co-chairs: Steve Hanna
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
IKEv2 extension: MOBIKE Faisal Memon Erik Weathers CS 259.

IKEv2 extension: MOBIKE Faisal Memon Erik Weathers CS 259.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Putting Trust into the Network: Securing.

Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Putting Trust into the Network: Securing.
IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.

IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 Open Standards for Network Access Control Trusted Network Connect.

Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 Open Standards for Network Access Control Trusted Network Connect.
TNC Endpoint Compliance and Network Access Control Profiles TCG Members Meeting June 2014 Barcelona Prof. Andreas Steffen Institute for Internet Technologies.

TNC Endpoint Compliance and Network Access Control Profiles TCG Members Meeting June 2014 Barcelona Prof. Andreas Steffen Institute for Internet Technologies.
Network Access Control for Education

Network Access Control for Education
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.

1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Similar presentations

Ads by Google