Slides - Trusted Infrastructure Workshop

Trusted Systems in
Networking Infrastructure
Rafael Mantilla Montalvo
Cisco Systems
June 2013
1
[Diagram labels: Counterfeiter, Counterfeit Signing Key; Secure Boot, Signed Image; Device Identity, TPM, Identity Key and Certificate; Authentication, Network Authentication System, Identity Key and Certificate]
2
[Diagram labels: Enterprise Network; Core; Aggregation; Services; Access; Data Center Server Farm]
• Protect network devices against counterfeit
• Strong identity using cryptographic techniques
• Protect software using cryptographic keys
• Image signing
• Ensure execution of trusted software
• Signed image validation at boot time (Secure Boot)
• Protect signing keys (Identity) in hardware
• Secure storage in Trusted Platform Module (TPM)
• Strong device authentication using certificates
• TPM NV storage provisioning at manufacturing time
• Authenticate network devices during operation
• Network authentication system
3
• Counterfeit and mitigation mechanisms
• Secure boot
• Device Identity and TPM
• Network authentication system
[Diagram labels: Trusted Infrastructure. Threats: Hardware Tampering, Gray Market/Counterfeit, Individual and Group, Espionage, Software Manipulation, Disruption. Solutions: Genuine Products with Embedded Security, Supply Chain Security. Policies, Processes, Technologies, Company Culture]
4
• There has been an increase in counterfeit, grey market and illegally
modified products across the globe
• Industry estimates that up to 10% of electronic products worldwide are
counterfeit, increasing the potential of multiple counterfeit devices within
the network infrastructure
• Counterfeiters target hardware and software vulnerabilities, without any
consideration of users' business concerns, device performance, device
safety or security
• Lost revenue for the OEM; lost security, productivity and reputation for the customer
• Example: a customs investigation led to the seizure of network gear with an estimated
retail value of more than $143M (Operation Network Raider)
• Counterfeiters' main motivation is monetary gain
• Counterfeiters target OEMs with high reputation, majority market share
and leadership in IT equipment as a high monetary opportunity
5
• Reverse engineer equipment and build it from lower cost and lower
quality components
• Spoof OEM serial numbers and product identifiers
• Change the device's appearance outside of the OEM manufacturing
facility to make it appear like an enhanced or upgraded unit
• Build multilayer PCBs where only the outer layers look genuine
and populate them using scrap parts
• Use modified boot code to bypass software interaction with the
TPM resulting in:
• Inability to authenticate hardware
• Ability to bypass software license checking
6
http://www.darkreading.com/vulnerability/bios-bummer-new-malware-can-bypass-bios/240155473?nomobile=1
7
• Secure boot
• Ensure boot of genuine code using image signing
• Device identity
• Establish device identity using cryptographic keys and certificates
• Authenticate devices in the network
• Verify device identity using keys and certificates
• Verify code licensing using certificates
• Verify product serial number, product identifier, electronic
components serial number and others
• Verify device software, firmware, programmable devices image and
configuration files
8
• Immutable Root-of-Trust in hardware
• Typically a boot loader and cryptographic key residing in CPU ROM
• Root-of-Trust protects the initial boot process
• Authentication, integrity and confidentiality of boot image
• Root-of-Trust uses cryptographic keys to authenticate and
validate the integrity of the boot image
• Boot image is signed using cryptographic keys
• Boot image could be encrypted to provide confidentiality
• Boot image resides typically in FLASH
• Root-of-Trust starts a secure boot chain by passing control to the
boot image after authentication and integrity verification
• The boot image passes control to the OS after authentication
10
[Diagram: three steps on the CPU: ROM Boot Loader (Root-of-Trust, immutable), Boot Image, OS, with authentication and integrity validation between them]
1. Boot Loader authenticates and validates integrity of the Boot Image
2. Boot Image authenticates and validates integrity of the OS
3. OS is launched
11
• Boot Image is authenticated and integrity verified using
cryptographic keys
• Cryptographic keys are typically asymmetric RSA keys
• The Root-of-Trust is anchored in the OEM private key
• OEM private key is used to sign the boot image and kept secret
• The Boot Loader uses the OEM public key to authenticate and
verify integrity of the boot image
• The OEM public key resides typically in FLASH
• The OEM public key is typically protected with an asymmetric key
• Provides binding of the public key with the CPU
• The asymmetric key is CPU specific and OTP (fuses)
12
• Public Root-of-Trust Key
• Resides in ROM
• Used to Authenticate and Verify Boot Image Public Key
• Owned by the OEM
• Public Boot Image Key
• Resides in FLASH
• Used to Authenticate and Verify Boot Image
• Signed with Private Root-of-Trust Key
• Owned by the OEM
• Boot Image signed using private key
13
[Diagram labels: Processor (Core, Core, RAM, ROM with Boot Loader and Root-of-Trust Key); SPI Interfaces; Flash (Boot Image Public Key with Digital Signature, Boot Image with Digital Signature); Authenticate arrows]
14
[Diagram: three steps on the CPU: ROM Boot Loader (Root-of-Trust, immutable), Boot Image, OS, with authentication and integrity validation]
• Boot Loader in ROM initializes device
• Establish Public Root-of-Trust key in ROM
• Loads and Authenticates from FLASH Public Boot Image Key
• Loads and Authenticate from FLASH Boot Image
• Passes control to Boot Image
15
• Ensures only authentic OEM software boots up on
an OEM Device
• Anchored in hardware (ROM CPU)
• As the boot image is created, the signature is
installed using a secure private key
• As the software boots, the system checks to ensure
the installed signature is authentic
• Same process is repeated to boot the platform OS
16
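The two-stage check from the secure boot slides (the ROM key authenticates the FLASH-resident boot image public key, which then authenticates the boot image), as an added example that is not part of the presentation. All function names, keys and image bytes are constructed for illustration, and the signature scheme is unpadded textbook RSA used only so the block runs without dependencies.

```python
import hashlib

# Demonstration-only textbook RSA (no padding) over SHA-256 digests, built on
# well-known Mersenne primes so it runs without dependencies. Not for real use.
def keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    n, d = private
    return pow(digest(data), d, n)

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest(data)

def encode_key(public):
    return b"%d:%d" % public  # byte form of a public key, so it can be signed

# Constructed keys: OEM Root-of-Trust, OEM boot image key, counterfeiter's key.
ROT_PUB, ROT_PRIV = keygen(2**127 - 1, 2**521 - 1)
IMG_PUB, IMG_PRIV = keygen(2**89 - 1, 2**607 - 1)
FAKE_PUB, FAKE_PRIV = keygen(2**107 - 1, 2**521 - 1)

def build_flash(image, image_priv, image_pub, key_signer_priv):
    """FLASH contents: boot image public key + signature, boot image + signature."""
    return {"image_key": image_pub,
            "image_key_sig": sign(key_signer_priv, encode_key(image_pub)),
            "image": image,
            "image_sig": sign(image_priv, image)}

def rom_boot_loader(flash, rot_pub=ROT_PUB):
    """Authenticate the FLASH key with the ROM key, then the image with that key."""
    if not verify(rot_pub, encode_key(flash["image_key"]), flash["image_key_sig"]):
        return "halt: boot image public key not signed by Root-of-Trust key"
    if not verify(flash["image_key"], flash["image"], flash["image_sig"]):
        return "halt: boot image signature invalid"
    return "pass control to boot image"

if __name__ == "__main__":
    genuine = build_flash(b"OEM boot image", IMG_PRIV, IMG_PUB, ROT_PRIV)
    patched = dict(genuine, image=b"modified boot code")  # image replaced in FLASH
    resigned = build_flash(b"modified boot code", FAKE_PRIV, FAKE_PUB, FAKE_PRIV)
    for name, flash in [("genuine", genuine), ("patched", patched), ("re-signed", resigned)]:
        print(name, "->", rom_boot_loader(flash))
```

Because the ROM key is immutable, an image re-signed with a counterfeit key fails at the first check even though its own key and signature are mutually consistent.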
• The device identity is cryptographically represented by a key pair
and a certificate
• The key pair and the certificate are owned by the OEM
• The OEM generates an asymmetric RSA key pair and signs a
certificate with the private part of the RSA key
• The RSA key pair is inserted in the TPM and protected in TPM
shielded location
• The OEM certificate is permanently stored in a TPM NV Index
location
• The NV Index is locked after the certificate is stored to make it
permanent and immutable for the life of the platform
18
• After Secure Boot, the OS verifies the authenticity of the
certificate pre-provisioned in the TPM
• The identity is in the form of an X.509 certificate
• The certificate is an assertion by the OEM relating the platform
identity with the OEM public key
• The assertion is validated using asymmetric cryptographic means
• The TPM contains the OEM identity key pair and the certificate as
unique, permanent and immutable objects
• The OS uses the identity public key to validate the authenticity of
the identity certificate
• The identity certificate may be chained to a root certificate (OEM)
19
[Diagram: five steps on the CPU. Secure Boot (Steps 1 to 3): ROM Boot Loader (Root-of-Trust, immutable), Boot Image, OS, with authentication and integrity validation. Secure Device Identity (TPM) (Steps 4 and 5): OS and TPM Identity, with identity authentication and other TPM services]
20
[Diagram: the OS requests the certificate chain from the TPM; the TPM returns the certificate chain (Identity Certificate, Sub-CA, CA); the OS verifies the certificate chain]
TPM_NV_ReadValue()
21
[Diagram: the OS sends a challenge with a nonce to the TPM; the TPM signs the nonce with the private identity key and sends a response with the signature; the OS verifies the signature with the public identity key. Identity authenticated!]
TPM_Sign()
22
• In order to verify the authenticity of the device the TPM needs to
be provisioned with Identity Key and Certificate
• The OEM is responsible for initially provisioning the TPM
• In this context, provisioning refers to allocating part of the TPM’s
NVRAM and writing data to the NVRAM
• OEM provisioning can be used to store identity and other
(licensing) certificates in NV Indexes
TPM_NV_DefineSpace()
TPM_NV_WriteValue()
23
• A new TPM comes in a state that makes it very easy for the OEM
to provision
• The OEM can create TPM NV Indexes to store certificates
• The OEM creates a certificate and writes the certificate to NV
Index
• Once the certificate is correct, the OEM write-protects the
certificate Index and then performs an OEM Lock on the TPM
• The lock terminates the “easy provisioning” state and forces the
TPM to enforce access permission
• It prevents anyone from altering the OEM’s indexes
TPM_NV_DefineSpace()
TPM_NV_WriteValue()
24
• The OEM may wish to create several indexes and if so they must
be created before asserting the OEM Lock
• NV Indexes have a “D” bit in the Attribute
• The TPM Lock operation sets the “D” bit in the Attribute
• It is impossible to create or redefine an Index after the “D” bit is
set
• Indexes must be properly defined before the Lock operation
• Failure to do so requires replacing the TPM
• Locking is not recommended until manufacturing (i.e. not during
development and debug)
TPM_NV_WriteValue(Length = 0)
25
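A pre-flight check for the provisioning order described on the last three slides, as an added example that is not from the presentation or from any TPM vendor; it inspects a plan and issues no TPM commands. The step names, index numbers and sizes are hypothetical.

```python
def lint_provisioning_plan(steps, required):
    """Return the problems in an NV provisioning plan (empty list = safe to run).

    steps: ("define", index, size), ("write", index, length),
           ("write_protect", index) or ("lock",)  -- hypothetical step names
    """
    problems, size, written, protected, locked = [], {}, set(), set(), False
    for n, (op, *args) in enumerate(steps, 1):
        idx = args[0] if args else None
        if op == "lock":
            for r in required:  # last chance: nothing can be defined afterwards
                if r not in size:
                    problems.append(f"step {n}: index {r:#x} not defined before lock")
                elif r not in written:
                    problems.append(f"step {n}: index {r:#x} has no certificate written")
                elif r not in protected:
                    problems.append(f"step {n}: index {r:#x} not write-protected")
            locked = True
        elif op == "define":
            if locked:
                problems.append(f"step {n}: cannot define {idx:#x} after lock (D bit set)")
            else:  # assumption: redefining before the lock starts the index over
                size[idx] = args[1]
                written.discard(idx)
                protected.discard(idx)
        elif op not in ("write", "write_protect"):
            problems.append(f"step {n}: unknown operation {op!r}")
        elif idx not in size:
            problems.append(f"step {n}: {op} on undefined index {idx:#x}")
        elif op == "write_protect":
            protected.add(idx)
        elif idx in protected:
            problems.append(f"step {n}: write to write-protected index {idx:#x}")
        elif args[1] > size[idx]:
            problems.append(f"step {n}: {args[1]} bytes exceed index {idx:#x}")
        else:
            written.add(idx)
    if not locked:
        problems.append("plan never asserts the OEM Lock")
    return problems

# Constructed index numbers and certificate sizes, for illustration only.
IDENTITY_CERT, LICENSE_CERT = 0x1001, 0x1002
GOOD_PLAN = [("define", IDENTITY_CERT, 1024), ("define", LICENSE_CERT, 1024),
             ("write", IDENTITY_CERT, 900), ("write_protect", IDENTITY_CERT),
             ("write", LICENSE_CERT, 700), ("write_protect", LICENSE_CERT), ("lock",)]
BAD_PLAN = [("define", IDENTITY_CERT, 1024), ("write", IDENTITY_CERT, 900),
            ("write_protect", IDENTITY_CERT), ("lock",), ("define", LICENSE_CERT, 1024)]
```

Running the check on `BAD_PLAN` reports the licensing index twice: once as missing at the lock and once as impossible to create afterwards, which is the case the slide says requires replacing the TPM.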
• Endorsement Key (EK)
• Unique TPM identity
• Created by the TPM manufacturer in a secure environment
• Non-migratable, stored inside the chip, cannot be removed
• Storage Root Key (SRK)
• It is the top level element of TPM key hierarchy
• Created during take ownership
• Non-migratable, stored inside the chip, can be removed
• Storage Keys
• Keys used to wrap (encrypt) other elements in the TPM key hierarchy
• Created during user initialization
• Signature Keys
• Keys used for signing operations (Identity)
• Must be a leaf in the TPM key hierarchy
26
• The EK is an asymmetric, typically RSA, key unique for every
TPM and therefore uniquely identifies a TPM
• Generation of the TPM EK is usually done during manufacturing
• The EK is backed by a certificate typically issued by the TPM
manufacturer
• The EK certificate guarantees that the key actually is an EK and
is protected by a genuine TPM
• The EK cannot be changed or removed
TPM_CreateEndorsementKeyPair()
27
• Taking ownership of a TPM is the process of inserting a shared
secret into a TPM shielded location
• Any entity that knows the shared secret is a TPM Owner
• To provide confidentiality the proposed TPM Owner encrypts the
shared secret using the public part of the EK
• This requires the private part of the EK to decrypt the value
• As the private part of the EK is only available in the TPM the
encrypted shared secret is only available to the intended TPM
• Typically the TPM ships with no Owner installed
TPM_TakeOwnership(OwnerAuth)
28
• Taking Ownership of the TPM creates an SRK
• SRK is the top level element of TPM key hierarchy
• After taking Ownership, the Owner has the public part of the SRK
• It follows that objects owned by a previous owner will not be
inherited by a new owner
• The SRK key is deleted from the TPM when a new Owner is
established
• Notice that EK and SRK are the only keys permanently stored in
the TPM and not lost during reset
• All other keys (Identity) must be restored after a reset cycle
TPM_TakeOwnership()
29
• It is desirable that the device identity keys for Network
Infrastructure Devices be created outside the TPM by the OEM
back-end system
• The private part of the identity key is encrypted with the public
part of the SRK by the OEM back-end system
• The identity key can then be loaded and stored in the SRK
hierarchy and used to prove the identity of the device
• Notice that if the Ownership changes, a new SRK is created by
the new Owner and the private part of the identity key must be
encrypted with the new public part of the SRK before loading
TPM_MakeIdentity()
TPM_ActivateIdentity()
TPM_LoadContext()
30
• Opportunity to assure users have Authentic OEM devices
• Opportunity for users to Identify and Replace Non Compliant
and Inferior Counterfeit devices within their network
• Opportunity for users to confirm their suppliers are providing
authentic OEM devices
• Opportunity for users to confirm their procurement practices
are providing the quality devices they are paying for
• Assure users their devices will be serviceable under OEM
Services
31
[Diagram labels: Non-Suspicious; Missing Data; Suspicious]
• Network authentication helps identify suspicious devices in users'
networks
• Network authentication validates the collected data from the
network against the OEM backend manufacturing/shipping
database
• Network authentication identifies the devices as genuine or not
genuine
• Network authentication processes the device secure identifier,
MAC addresses, serial number and Product ID among other
parameters
• The end user is provided with a report indicating if the device is
suspicious, non-suspicious or missing data
33
[Diagram: OEM Discovery Services in the Customer Network, connected over the WAN to OEM Analytics; Network Reports marked Non-Suspicious, Missing Data or Suspicious]
1. OEM Discovery Services performs devices discovery and inventory
2. OEM Discovery Services transfers collected data to the OEM where data is analyzed
3. Analyzed data is returned to OEM Discovery Services to produce vendor reports (suspicious, non-suspicious or missing data)
34
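The comparison behind the three report categories, as an added example that is not from the presentation: discovered inventory is checked against OEM manufacturing/shipping records using the parameters named on the previous slide. The matching rules, field names and all sample records are assumptions constructed for illustration.

```python
from collections import Counter

FIELDS = ("secure_id", "serial", "pid", "mac")  # parameters named on the slide

def classify(discovered, oem_db):
    """Return {device name: (verdict, reason)}; oem_db is keyed by serial number."""
    seen = Counter(d["serial"] for d in discovered if d.get("serial"))
    report = {}
    for dev in discovered:
        missing = [f for f in FIELDS if not dev.get(f)]
        record = oem_db.get(dev.get("serial"))
        if missing:
            verdict = ("missing data", "not collected: " + ", ".join(missing))
        elif record is None:
            verdict = ("suspicious", "serial not in OEM shipping records")
        elif seen[dev["serial"]] > 1:  # a spoofed serial shows up more than once
            verdict = ("suspicious", "serial reported by more than one device")
        else:
            diff = [f for f in FIELDS if dev[f] != record[f]]
            verdict = (("suspicious", "differs from OEM record: " + ", ".join(diff))
                       if diff else ("non-suspicious", "matches OEM record"))
        report[dev["name"]] = verdict
    return report

def rec(n, pid="PID-A"):
    """Build one constructed record; none of these identifiers are real."""
    return {"secure_id": f"SID-{n}", "serial": f"SN-{n}", "pid": pid,
            "mac": f"02:00:00:00:{n[:2]}:{n[2:]}"}

# Constructed OEM shipping records and discovery results.
OEM_DB = {r["serial"]: r for r in (rec("0001"), rec("0002"), rec("0003"))}
DISCOVERED = [
    dict(rec("0001"), name="core-1"),               # matches the OEM record
    dict(rec("0002", pid="PID-B"), name="agg-1"),   # product ID differs
    dict(rec("0003"), name="acc-1"),                # same serial seen twice
    dict(rec("0003"), name="acc-2"),
    dict(rec("9999"), name="acc-3"),                # serial never shipped
    dict(rec("0004"), name="dc-1", secure_id=None), # identifier not collected
]

if __name__ == "__main__":
    for name, (verdict, reason) in classify(DISCOVERED, OEM_DB).items():
        print(f"{name:8} {verdict:15} {reason}")
```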
• Counterfeit issues require new technologies to mitigate hardware
and software attacks
• Secure Boot ensures execution of genuine software from the boot
loader to the OS
• A trusted OS authenticates the hardware using the identity held by the
TPM
• Strong identity can be used by Network Authentication tools to
validate the Network Infrastructure Devices as genuine OEM
devices
• Network Authentication tools can be used to provide deeper
attestation analysis to determine the Trustworthiness of the
Network Infrastructure
35
Thank you.