Transcript Enjoy TPM security in your enterprise with the Vista
Trusted Computing Cooperative Research ETISS 2008, Oxford
Hans Brandl, [email protected]
Infineon Technologies AG, Germany
IT Security Research History
1st Generation
(Prevent Intrusions)
Trusted Computing Base Access Control & Physical Security Intrusions will Occur Multiple Levels of Security Cryptography 27-Apr-20
2nd Generation
(Detect Intrusions, Limit Damage)
Firewalls Intrusion Detection Systems Boundary Controllers Some Attacks will Succeed VPNs PKI
3rd Generation
(Operate Through Attacks)
Intrusion Tolerance Big Board View of Attacks Real-Time Situation Awareness & Response Graceful Degradation Copyright © Infineon Technologies 2006. All rights reserved.
Performance
Hardened Core
Functionality
Page 2
Trusted Computing Application Fields
Applications Credentials Operating Systems Web Services Mobile Phones PDAs
Trusted Platform Module
TCG Standards
secrets and prevents many common software attacks.
Storage Authentication Devices
TP M
27-Apr-20
Servers
TPM
Input Devices Security Hardware Desktops
Copyright © Infineon Technologies 2006. All rights reserved.
Notebooks
Page 3
Trusted Computing Research Areas Today: Supporting and enhancing existing technologies and applications:
Secure storage of critical data New authentication and communication supplements
New (TC based ) field of research:
27-Apr-20 Trusted OS: Virtualization, Microkernel Error tolerant New Hardware platform structures: Trusted embedded platforms (mobile phones, critical controllers (automotive), network boxes … Infrastructure: Public Testing capabilities, Remote TC management and network control Training: Making TC development much easier, SDK. Application Examples Copyright © Infineon Technologies 2006. All rights reserved. Page 4
Existing Trusted Computing R&D projects
OpenTC (EU-FP6) :
2006-2009, 24 partners, Basic TC Interfaces and APIs, Virtualization, Microkernel, Application examples, Standardization contributions http://www.OpenTC.net/
TECOM (Trusted Embedded Computing), EU-FP7 :
2008-2010, 8 partners, Embedded Hardware with integrated TC, Common criteria certification for integrated chips, Trusted OS for embedded: Virtualization, Microkernel, Security layers, Applications http://www.TECOM-project.eu
SECRICOM (Secure Crisis Communication), EU-Security:
2008-2011), 10 partners, first TC supported project ( TC is not anymore the main task, but is used for supporting the project targets). http://www.secricom.org
NADA (Nanodatacenters), EU-FP7: 2008-2011, 10 partners, distributed media systems with trust and security. www.nanodatacenters.eu
EVITA Automotive security , EU-FP7:
2008-2011, 14 partner www.evita.eu
Other national projects: France, USA, Spain, Germany, Japan, Malaysia, Austria
27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 5
Field of research #1: Trusted Hardware
Next generation TPMs Which additional functions are really required?
TPMs are already to complex, minimalistic TPM what is hw and what is software How many privacy on embedded TPM design complexity barrier (Turing-Goedel barrier).
How to verify the correctness of a TPM implementation itself ?
From 128 KB code for TPM 1.1 to about 512 KB in 2010 to 1MB in ?
Guaranteed Error free ?
TPM and host platform integration. E.g. TPM and ARM Trustzone on one chip: Advantages , System and interface requirements, bidirectional support of technologies.
27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 6
Field of research #2: Trusted Operating systems
Virtualisation for PC like systems Virtualization for embedded systems - Small code - e.g. real time behaviour Microkernel Other Trusted operating system concepts ?
Until now, no R&D project delivered an easy to use, just out of the box TOS!
27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 7
Field of research #3: Specific TPM use scenarios ,
Integrated Trusted Computing systems for next generations Automotive products: SW error resistant platforms, secure integrated authentication and communication, product copy prevention….
Secure car to car communication Mobile communications Separating critical and uncritical parts in the system Scalability and usability features Industrial plant control Critical infrastructures Single point of failure 27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 8
Field of research #4: Making TC development much easier,
Training examples for the newcomer Software Development Kits for special application fields and kernels Building blocks for training Surrounding Infrastructure missing 27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 9
Field of research #5: TPM platform management
A TPM may cost some 1 or 2 €.
TPM enterprise total cost of ownership may be in the range of 200-300€ per year (installation, Training, helpdesk, IT visits….) Authentication by exiting idm structures(kerberos, X509, PK…) TPM management via existing network management capabilities?
Silent installation Roaming, automatic and remote key migration, extended certificate store TPM migration, backup Embedding into existent IT security structures Are there more market oriented application scenarios than just platform security and certificate management ?
27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 10
Field of research #6: Infrastructure
Public research on advanced Compliance and testability Public research on advanced Conformance evaluation (Security evaluation) , Advanced and fast TOE description and testing methods Handling TOE changes fast and with low effort Complex reduction for software/hardware systems 27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 11
Field of research #7: applications Specific ,
High level applications 27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 12
Preview EU FP7 Security Research call 2008
A new Call for Proposals for Security Research (FP7-SEC-2009-1) under the Seventh Framework Programme for Research and Technological Development (FP7) is planned to be published on 4 September 2008.
Security research does not mean IT research !
Comparable to homeland security
http://ec.europa.eu/enterprise/security/index_en.htm
27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 13
Preview EU FP7 call 2008
IST: Future of the Internet TC as support feature: Building and managing trustworthy network infrastructures as well as communication, computing and storage infrastructures in the context of the development of the Future Internet as conglomerate of heterogeneous networks and systems. This will include novel architectures with built-in security, dependability and privacy; secure interfaces and scalable dynamic security policies across networks. It will also include the trustworthy management of billions of networked devices, "things" and virtual entities connected in the Future Internet. http://ec.europa.eu/information_society/activities/foi/index_en.h
tm Next full blown Trusted computing call: IST 2009 27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 14
Objective ICT-2009.1.4: Trustworthy ICT
a) Trustworthy Network Infrastructures Trustworthy platforms and frameworks for autonomously monitoring and managing threats, which are typically cross-border, cross-organisational, scalable, distributed, dynamically evolving and collaborative.
Experimentation and demonstration of trustworthiness of network infrastructures Projects should give adequate attention to usability, societal acceptance and economic and legal viability of the technologies developed b) Trustworthy Service Infrastructures Research projects should include in addition to technology development, attention to aspects of usability, legislation, human behaviour, privacy and principles of human rights . This could involve research in other relevant disciplines or demonstrating trustworthiness properties in the proposed frameworks.
c) Technology and Tools for Trustworthy ICT For user-centric and privacy preserving identity management, including for management of risks and policy compliance verification.
Management and assurance of security, integrity and availability, also at very long term, of data and knowledge in business processes and services.
In enabling technologies for trustworthy ICT, this includes cryptography, biometrics; trustworthy communication; virtualisation; metrics and certification methodologies.
27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 15
Objective ICT-2009.1.4: Trustworthy ICT
d)
Networking, Coordination and Support
Networks of Excellence could be particularly relevant for the areas of (i), (ii) and (iii).
Expected Impact:
For trustworthy network and service infrastructures: Demonstrable improvement (i) of the trustworthiness of the future European network infrastructures consisting of various heterogeneous communication networks and systems and (ii) in handling network threats and attacks and reduction of security incidents.
Significant contribution to the development of trustworthy European infrastructures and frameworks for network services; improved interoperability and standardisation supporting usability and user-centricity in the handling of information and privacy.
For all IP/STREP projects: Improving European industrial competitiveness in markets of trustworthy ICT by offering business opportunities and consumer choice in usable innovative technologies; increased awareness of the potential and relevance of trustworthy ICT. For networking, coordination and support actions (NoE/CSA): Improved coordination of research and integration of research activities in areas where that is beneficial for European research and innovation capacity. Indicative budget distribution: 90 M€ 27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 16
Artemis program for embedded platforms: 20.5.2008
The ARTEMIS Joint Undertaking has launched its first Call for proposal with a total public funding of 99 Million €. This happen because of a unique collaboration between industry and public authorities.
Please look at: https://www.artemis-ju.eu/call_2008 Tom Bo CLAUSEN European Commission DG Information Society E-mail: [email protected]
http://cordis.europa.eu/ist/embedded/ 27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 17
27-Apr-20 Copyright © Infineon Technologies 2006. All rights reserved. Page 18