
TRUST and STANDARDIZATION

Presentation transcript:

1 TRUST and STANDARDIZATION
ITU Workshop on "Future Trust and Knowledge Infrastructure", Phase 1
Geneva, Switzerland, 24 April 2015
PLATFORM INTEGRITY: TRUST and STANDARDIZATION
Alec Brusilovsky, Co-chair of TCG TMS WG and Manager, Security Standardization, InterDigital

2 Agenda
- Problem Statement
- Foundation of Trust
- TCG Overview: scope, members, platforms, liaisons, meetings, work groups
- TCG Technologies: TPM, TNC, SED, Mobile
- Summary
- Acknowledgements

3 Problem Statement
- Migration of network core functionality to the cloud introduces new security vulnerabilities, because the security provided by the physical protection and isolation of traditional network systems is lost
- When functionality moves to the cloud, scalable security controls and tools that give an MNO or enterprise trust and assurance that its data and computing will remain private and uncompromised do not yet exist
- There is a need for explicit and verifiable ways of protecting software components (guest OS, application/library code and data) that reside in the cloud, whether in a virtual machine or a container
- Trust in the computing platform (boot, runtime, crash, and storage integrity) as well as security automation have to be defined and standardized to ensure interoperability

4 Foundation of Trust
- Trust is the belief that a person or system will behave predictably, even under stress
- It is based on experience and/or evidence
- It is based on fundamental properties (identity, integrity)
- It is easy to lose and hard to regain
A trusted system is therefore one that is predictable even under stress, trusted on the basis of experience and/or evidence, and grounded in fundamental properties (identity, integrity).
© 2015 Trusted Computing Group

5 TCG – Trusted Computing Group
- TCG is one of the principal standards bodies focused on trusted computing standards and platform integrity
- The TPM 1.2 and TPM 2.0 specifications are standardized as ISO 11889:2009 and ISO 11889:2015 respectively, and are implemented in more than two billion devices: servers, PCs, tablets, smartphones, printers, kiosks, industrial systems, and many embedded systems
- Trusted Computing includes more than secure boot: security automation, secure cloud, secure storage, secure mobile devices, secure legacy devices

6 TCG – Trusted Computing Group
- The Trusted Computing Group (TCG) is a not-for-profit organization formed to develop, define and promote open, vendor-neutral, global industry standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms
- Members include manufacturers, governments, and academics, spanning cloud computing, operating systems, security research, aerospace, automotive, SoC, IoT, embedded systems, mobile phones, servers, PCs, laptops, tablets, memory, hard drives, and more

7 TCG – Members
100+ Members: Chips, Cloud, Embedded, IoT, Mobile, PC
Complete Membership List Available:

8 TCG – Where trust begins…
Trusted Computing Technologies
- Trusted Platform Module (TPM) – hardware root-of-trust & key storage
- Trusted Network Connect (TNC) – access control & endpoint compliance
- Self-Encrypting Drive (SED) – hardware encryption & fine-grained locking
- PC Client, Mobile, Automotive – profiles of the TPM 2.0 Library Spec
Trusted Computing Platforms
- Interfaces across multiple platforms for trusted data, devices, and networks
- Automobiles, embedded systems, Internet of Things, cloud/SDN, virtual machines, servers, desktops, laptops, tablets, mobile phones, and more
Formal Liaisons
- ETSI, GlobalPlatform, Mobey Forum, ISO, IEEE, IETF, OASIS, and more
Next TCG Member Meetings
- 15-19 June 2015 in Edinburgh, Scotland
- 19-23 October 2015 in Montreal, Canada

9 TCG – Work Groups
Technical Work Groups – Specifications & Guidelines
- Embedded Systems – auto, IoT, financial, industrial, medical, SmartGrid
- Infrastructure – integrating TCG technologies into enterprises & Internet
- Mobile – phones, PDAs, eReaders, etc.
- PC Client – desktop/laptop/tablet interfaces & profiles for security & trust
- Server – server requirements, guidelines, and specifications
- Software Stack – standard APIs for accessing the functions of a TPM
- Storage – standards for security services on dedicated storage systems
- Trusted Network Connect – endpoint integrity and access control
- Trusted Platform Module – hardware root-of-trust, crypto, key management
- Virtualized Platform – virtual TPM, multi-persona, isolation, migration
Solutions Work Groups – Use Cases & Best Practices
- Trusted Mobility Solutions – end-to-end mobile ecosystems & solutions
- Trusted Multitenant Infrastructure – cloud trust models & best practices

10 TCG – Key Technologies
Platform security for NFV (boot, crash, and runtime)

11 Trusted Platform Module (TPM)
A Trusted Platform Module offers facilities for the secure generation of cryptographic keys and for limiting their use, in addition to a random number generator. It also provides remote attestation and sealed storage:
- Remote attestation – creates a nearly unforgeable hash summary of the hardware and software configuration. The program that hashes the configuration data determines how much of the software the summary covers. This allows a third party to verify that the software has not been changed.
- Binding – encrypts data using the TPM bind key, a unique RSA key descended from a storage key.
- Sealing – encrypts data in a similar manner to binding, but in addition specifies the state the TPM must be in for the data to be decrypted (unsealed).
Software can use a Trusted Platform Module to authenticate hardware devices: since each TPM chip has a unique and secret RSA key burned in when it is produced, it is capable of performing platform authentication.
[Figure: TPM components (figure by Guillaume Piolle)]

12 TCG – Trusted Platform Module
TPM 2.0 Library Spec – Revision – October
- Part 1: Architecture – concepts, roots-of-trust, features, authorizations
- Part 2: Structures – types, constants, handles, interfaces, structures
- Part 3: Commands – startup, self-test, sessions, objects, crypto, attestation, signatures, audit, integrity, authorization, key hierarchies, dictionary attack defense, field upgrade, context mgmt, clocks & timers, capabilities, NVRAM
- Part 4: Supporting Routines – automation, header files, execute, sessions, attestation, context mgmt, policies, NVRAM, objects, crypto, audit, etc.
TPM 2.0 Library Errata – Version 1.2 – February 2015
- sessions, authorizations, quotes, signatures, NVRAM, etc.
TCG Algorithm Registry – Rev – February
- RSA, ECC curves, hash algorithms, symmetric block ciphers, etc.

13 TCG – Trusted Platform Module
A Practical Guide to TPM 2.0 – February
Will Arthur (Intel) and David Challener (Johns Hopkins University) with Ken Goldman (IBM); the eBook version is free for download
- TPM history, basic concepts, quick tutorial, TPM 2.0 Library spec overview
- TPM Software Stack 2.0 (TSS) – high-level and low-level APIs
- TPM entities, hierarchies, keys, NV indices
- Platform configuration registers (PCRs) – for secure and measured boot
- Authorizations, sessions, enhanced authorization (EA) policies
- Key management, auditing, encryption, decryption, context management
- Startup, shutdown, and provisioning, debugging, applications
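The remote attestation and sealing mechanisms of slide 11, and the PCR-based measured boot and EA policies listed on slide 13, are easier to follow in code. The following Python simulation is an added example, not TCG or TPM code: the PCR extend operation is the real TPM construction, but the quote "signature" is an HMAC shared by the simulated TPM and verifier (a real TPM signs quotes with an asymmetric attestation key, and a real verifier checks that key's certificate), and the sealed blob uses a toy SHA-256 keystream rather than the TPM's storage-hierarchy encryption. The event log, keys and PCR selection are all constructed for the example.

```python
"""Added example (not TCG or TPM code): measured boot, a remote-attestation quote and
PCR-bound sealing simulated with the standard library. PCR extend is the real TPM
construction; the quote signature is an HMAC shared by simulated TPM and verifier
(a real TPM signs with an asymmetric attestation key) and the sealed blob uses a toy
SHA-256 keystream instead of the TPM's storage-hierarchy encryption."""
import hashlib
import hmac
import os

PCR_COUNT = 8
# Constructed measured-boot event log: (PCR index, description, measured bytes).
GOOD_BOOT_LOG = [
    (0, "firmware", b"constructed firmware image 1.0"),
    (4, "bootloader", b"constructed bootloader 2.1"),
    (7, "secure boot policy", b"constructed signer allow-list"),
]


def extend(pcr: bytes, event: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(event)). Order-dependent and irreversible."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def replay_log(log):
    """Rebuild every PCR from an event log, as a verifier does before comparing with a quote."""
    pcrs = {i: bytes(32) for i in range(PCR_COUNT)}
    for index, _desc, event in log:
        pcrs[index] = extend(pcrs[index], event)
    return pcrs


def pcr_composite(pcrs, selection) -> bytes:
    """Digest over the selected PCRs; the value a quote attests and a PCR policy pins."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()


def tpm_quote(pcrs, selection, nonce: bytes, attestation_key: bytes) -> dict:
    """Stand-in for TPM2_Quote: binds the PCR composite to the verifier's fresh nonce."""
    sel = sorted(selection)
    composite = pcr_composite(pcrs, sel)
    attested = b"QUOTE" + bytes(sel) + composite + nonce
    sig = hmac.new(attestation_key, attested, hashlib.sha256).digest()
    return {"selection": sel, "composite": composite, "nonce": nonce, "signature": sig}


def verify_quote(q: dict, expected_nonce: bytes, attestation_key: bytes, reference_log) -> bool:
    """Verifier: reject replays, bad signatures, and PCRs that differ from the known-good log."""
    if not hmac.compare_digest(q["nonce"], expected_nonce):
        return False  # stale quote replayed from an earlier exchange
    attested = b"QUOTE" + bytes(q["selection"]) + q["composite"] + q["nonce"]
    expected_sig = hmac.new(attestation_key, attested, hashlib.sha256).digest()
    if not hmac.compare_digest(q["signature"], expected_sig):
        return False  # not produced by the attestation key
    reference = pcr_composite(replay_log(reference_log), q["selection"])
    return hmac.compare_digest(q["composite"], reference)


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256, for the simulation only."""
    blocks = [hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def seal(secret: bytes, pcrs, selection, storage_key: bytes) -> dict:
    """Seal a secret to a PCR policy; the blob records the policy digest, not the PCR values."""
    sel = sorted(selection)
    policy = hashlib.sha256(b"PCR_POLICY" + pcr_composite(pcrs, sel)).digest()
    key = hmac.new(storage_key, policy, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return {"selection": sel, "policy": policy, "ciphertext": ciphertext, "tag": tag}


def unseal(blob: dict, pcrs, storage_key: bytes):
    """Release the secret only when the current PCRs satisfy the sealed policy, else None."""
    policy_now = hashlib.sha256(b"PCR_POLICY" + pcr_composite(pcrs, blob["selection"])).digest()
    if not hmac.compare_digest(policy_now, blob["policy"]):
        return None  # platform state differs from the one the data was sealed to
    key = hmac.new(storage_key, policy_now, hashlib.sha256).digest()
    if not hmac.compare_digest(blob["tag"], hmac.new(key, blob["ciphertext"], hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], _keystream(key, len(blob["ciphertext"]))))


def demo() -> dict:
    """Good boot versus a boot whose bootloader measurement differs by a few bytes."""
    attestation_key, storage_key = b"constructed attestation key", b"constructed storage root key"
    tampered_log = [(i, d, b"constructed bootloader 2.1-modified" if i == 4 else e)
                    for i, d, e in GOOD_BOOT_LOG]
    good, bad = replay_log(GOOD_BOOT_LOG), replay_log(tampered_log)
    nonce, selection = os.urandom(16), [0, 4, 7]
    blob = seal(b"disk encryption key", good, selection, storage_key)
    return {
        "good_quote_ok": verify_quote(tpm_quote(good, selection, nonce, attestation_key), nonce, attestation_key, GOOD_BOOT_LOG),
        "bad_quote_ok": verify_quote(tpm_quote(bad, selection, nonce, attestation_key), nonce, attestation_key, GOOD_BOOT_LOG),
        "replayed_quote_ok": verify_quote(tpm_quote(good, selection, nonce, attestation_key), os.urandom(16), attestation_key, GOOD_BOOT_LOG),
        "unseal_good": unseal(blob, good, storage_key),
        "unseal_bad": unseal(blob, bad, storage_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two properties of the simulation carry over to real deployments: a verifier must replay the event log it is given and compare the result with the quoted PCRs, since the log alone is unauthenticated, and it must bind each quote to a fresh nonce, since an old quote from a healthy boot is otherwise replayable. Sealing inverts the check: the platform does not need a verifier, because the sealed data is only released in the state its policy describes.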

14 Trusted Network Connect – attestation and security automation
- The Trusted Network Connect (TNC) network security architecture and open standards enable intelligent policy decisions, dynamic security enforcement, and communication between security systems
- TNC provides pervasive security, Network Access Control (NAC) and interoperability in multi-vendor environments
- IETF "Posture Attribute (PA) Protocol Compatible with Trusted Network Connect" (PA-TNC) is defined by RFC 5792
- IETF "Posture Broker (PB) Protocol Compatible with Trusted Network Connect" (PB-TNC) is defined by RFC 5793
- Both RFCs are part of the IETF's "Network Endpoint Assessment" (NEA) framework defined by RFC 5209

15 TCG – Trusted Network Connect
TNC FAQs, Specifications, Developer Tools, Resources
- admission control, endpoint integrity verification, endpoint compliance
- IF-TNCCS TLV Binding – Version 2.0 – May – TNC Client/Server: endpoint integrity measurement collection; Posture Broker, technically aligned with IETF NEA PB-TNC (RFC 5793)
- IF-M TLV Binding – Version 1.0 – May – Posture Attribute, technically aligned with IETF NEA PA-TNC (RFC 5792)
- IF-T Tunneled EAP Methods – Version 2.0 – May – Posture Transport, technically aligned with IETF NEA PT-EAP (RFC 7171)
- IF-T TLS Binding – Version 2.0 – February – Posture Transport, technically aligned with IETF NEA PT-TLS (RFC 6876)

16 Self-Encrypting Storage
'Data at rest' solution for data protection
- Self-encrypting drives have integrated encryption hardware. The result: zero performance impact. Software full disk encryption/decryption is processor intensive and is performed by the main processor of the personal computer; during periods of high data usage this can have a major negative performance impact. For data-intensive applications such as scans, backup, and large file operations, self-encrypting drives can provide more than double the drive performance of software FDE products
- All encryption and decryption is done in the protected hardware of the self-encrypting drive
- Encryption keys are generated in the controller hardware of the self-encrypting drive, never leave the drive, and are not accessible outside the drive
Integrated Authentication
- User authentication is performed by the self-encrypting drive in order to unlock the drive
- Authentication is performed by a protected pre-boot OS, which is the only software in the system when the drive authenticates the user
- Authentication cannot be separated from the drive
- Rapid cryptographic data destruction

17 TCG – Self-Encrypting Drive
Storage FAQs, Specifications, Developer Tools, Resources
- ATA, SATA, SCSI, FibreChannel, USB, IEEE 1394, NAS, iSCSI
- Storage Security Subsystem Class: Opal v2.0 – Feb – core specification for Opal self-encrypting drives (desktops/laptops)
- Storage Security Subsystem Class: Enterprise v1.0 – Jan – core specification for enterprise self-encrypting drives (servers)

18 TCG – Mobile
Mobile FAQs, Specifications, Developer Tools, Resources
- TPM 2.0 Mobile Reference Architecture – 16 December – secure boot, measured boot, protected environment, security requirements, and implementation examples for all mobile devices
- TPM 2.0 Mobile CRB Interface – 16 December – TPM 2.0 kernel command/response buffer interface
- TPM 2.0 Mobile Common Profile – 3 February 2015 – DRAFT – medium subset of TPM 2.0, for feature phones or basic phones

19 Summary
Platform integrity can be provided by standardized solutions for:
- Hardware Root of Trust
- Security Automation
- Secure Cloud
- Secure Storage
- Secure Mobile Devices
- Secure Legacy Devices

20 Acknowledgements
Much gratitude goes to my colleagues from TCG TMS, Ira McDonald and Carlin Covey

21 Thank you
