Protecting the IoT with Secure Hardware
Sci. Akshay D. Shelke
B.E.
Electronics and telecommunication
Email:
akky487@gmail.com
Ref
(European Editors) 2017-03-07
The Internet of Things (IoT) needs to be protected against diverse
forms of abuse. These include not only familiar threats like financial fraud
and IP theft, but also sabotage of physical assets. Many of the billions of
connected devices expected to join the IoT over the next few years will be
associated with systems like traffic signals or street lighting, industrial
controls, safety mechanisms for important processes like power generation,
smart-grid management, home energy and security, or connected cars. Attackers
can try to disable or take over such devices, potentially aiming to cause
widespread disruption and inconvenience, or to attack specific individuals or
organizations by causing embarrassment, reputational damage or even bodily
harm. Such exploits could be launched simply for amusement, personal reasons,
commercial gain, or for political purposes and/or terrorism.
SECURITY THREATS TO IOT
DEVICES
IoT devices are designed to operate autonomously. Many are left
unattended for long periods, and sometimes for their entire operational
lifetime. Network connectivity leaves the devices vulnerable to remote attacks
that can be launched quickly from almost any geographical location without
having to overcome physical barriers such as a fence, a locked enclosure or a
security guard. An attack can be directed towards the device itself, or to use
it as a means to gain access to other assets connected to the same network,
such as data storage containing account-holder information or intellectual
property.
On the other hand, IoT endpoints are often required to be simple,
low-cost, low-power devices, designed to accomplish their intended task using
minimal resources. As such, the processing power and energy needed to implement
sophisticated security is not available. Unlike the case with a machine such as
a desktop computer, no human is routinely present to enter credentials such as
a username and password as authentication allowing the device to start up and
establish connections. However, the device must be able to resist various types
of attacks, and to authenticate itself and present its credentials autonomously
to other devices on the network.
If the device is not able to carry out these functions, attackers
may be able to erase or disable application software, alter the code, or
replace the legitimate application with rogue software. Alternatively, they may
attempt to eavesdrop on data exchanges. A range of security principles and
technologies need to be employed to help overcome these threats, but all need
to be usable in a small and resource-constrained embedded system. In addition
to established security practices such as minimizing access privileges for
networked devices, proper fire walling and traffic monitoring; these include
digital signing of software, data encryption using secure keys, and
establishing strong identities for connected devices.
VERIFYING SOFTWARE
AUTHENTICITY:
Digital signing provides a means of authenticating software to
verify its origin and prevent unauthorized alteration. A software publisher can
sign software independently or with the support of a third-party Certificate
Authority (CA) that provides services such as signing utilities, and
certificate and key management.
To digitally sign software, the publisher creates a hash of the
code using a hashing algorithm. Hashing works in one direction only, which
prevents hackers from reverse-engineering the process to produce an identical
hash from bogus code. The hash is then encrypted using a private key assigned
to the publisher. The code, its encrypted hash, and the publisher’s signing
certificate are distributed together.
The end user decrypts the hash using the publisher’s public key,
which is included as part of the signing certificate, and hashes the received
code using the publisher’s chosen hashing algorithm. If the two hashes match,
the code can be assumed to be genuine and unaltered. Figure 1 illustrates the
hashing and comparing processes used to verify code authenticity.
Figure 1: A Certificate Authority manages certificates and
provides tools for signing software.
Digital signing allows an IoT device to verify the authenticity
and integrity of software on power-up, thereby enabling secure booting: the
device will only load genuine, unaltered software signed by the authorized
publisher, thereby creating a foundation of trust. The system can also verify
digitally signed software such as updates or patches received via the network.
DATA ENCRYPTION:
Encryption using a combination of public and private keys can also
prevent eavesdroppers gathering intelligence from intercepted data
transmissions. The system of public and private keys provides a solution to the
challenges of sending encrypted data and preventing key interception. The
receiving device has its own private key, which is securely embedded at the
time of manufacture. At the same time, a public key is derived from the private
key using a one-way process that prevents the private key from being revealed
if the public key is intercepted. When a sending device sends data to a
recipient, it uses the public key for that recipient to encrypt the data. This
encrypted data is safe to transmit over the network, and can only be decrypted
using the private key securely stored at the receiving end. Figure 2 shows how
the keys are used to keep information secure when transmitted over an open
channel.
The Public Key Infrastructure (PKI) is maintained by an
independent third-party organization that handles generation and distribution
of keys, and binds public keys to the identities of their respective users.
Figure 2: Data encryption and decryption using public and private
keys.
MAINTAINING STRONG
IDENTITY:
The IoT device also needs to be able to authenticate itself when
connecting to the network. This is equivalent to entering a username and
password to login manually to an online account.
The device needs an efficient secure processor to store its
identity and handle authentication, and to store public and private encryption
keys, and to store keys and run hashing algorithms for verifying software
signatures to be able to verify software signatures.
EMBEDDED SECURITY IN A
CHIP:
The Trusted Platform Module (TPM) has evolved to provide a secure
environment for key and data storage and executing security algorithms. These
devices contain a secure processor running a secure operating system, as well
as secure storage and other resources such as a random number generator and a
hardware-based cryptographic engine (Figure 3). Additional security circuitry
protects against physical attacks. The details of secure operating systems are
deliberately kept secret to prevent would-be hackers learning information
needed to launch an attack. TPMs are commonly used in commercial-grade IT
equipment such as desktop PCs. On the other hand, devices such as the Atmel/MicrochipAT97SC3205T are designed for embedded applications and can be
used in various types of IoT equipment.
Figure 3: The Atmel AT97SC3205T embedded TPM integrates resources
for secure processing and key storage.
The AT97SC3205T meets the Trusted Computing Group (TCG) TPM
Version 1.2 Specification. Devices are usually delivered in Compliance mode,
which enables manufacturers to immediately begin testing the TPM. As the TPM is
embedded into the IoT equipment, it should be changed to Real mode to set flags
permanently and allow generation of a unique private and public Endorsement Key
(EK) pair for use in transactions that require signing of data used by other
components. The private part of the endorsement key is kept secret inside the
TPM, and the public part is used by other components to verify the authenticity
of data from the TPM. Generating the EK pair can take several seconds. To
simplify manufacturing and reduce the time required for device initialization,
devices can be delivered in Real mode if required. In this case, the EK pair is
pre-generated by Atmel.
TPM_Startup(ST_CLEAR)
Incoming Operands and Sizes:
00 C1 00 00 00 0C 00 00 00 99 00 01
tag 2 Bytes, Offset 0: 00 C1
paramSize 4 Bytes, Offset 2: 00 00 00 0C
ordinal 4 Bytes, Offset 6: 00 00 00 99
startupType 2 Bytes, Offset 10: 00 01
TPM_Startup(ST_CLEAR)
Outgoing Operands and Sizes:
00 C4 00 00 00 0A 00 00 00 00
tag 2 Bytes, Offset 0: 00 C4
paramSize 4 Bytes, Offset 2: 00 00 00 0A
returnCode 4 Bytes, Offset 6: 00 00 00 00 [TPM_SUCCESS]
Listing 1: Sample startup commands for initializing the TPM.
The TPM can be made fully operational by booting up the equipment
and sending a TPM startup command (Listing 1) to prepare the device for
configuration. Configuration involves setting permanent flags as appropriate
for the intended application. Atmel has published a sample manufacturing
sequence that sets TPM flags as shown in Listing 2.
Compliance Mode: Cleared
physicalPresenceHWEnable: False
physicalPresenceCMDEnable: True
physicalPresenceLifetimeLock: True
Endorsement Key Pair: Generated
Enable/Disable: Disabled
Activated/Deactivated: Activated until the next reset,
deactivated at the next power-up or reset is requested.
Physical Presence: Not Present
NV_Locked True
Listing 2: Sample TPM flag settings.
The physical presence settings in the sample are designed to
permanently disable hardware access and prevent software from losing control of
the device if the settings are inadvertently or deliberately altered. Setting
NV_Locked = True prevents unauthorized access to user-accessible non-volatile
memory, and should only be set after the manufacturer no longer needs to access
the non-volatile memory.
CONCLUSION:-
As the Internet of Things continues to grow and it becomes more of
a reality to the general public, the importance of securing the billions of
remote, connected objects against cyber-attack becomes increasingly clear.
Trusted Platform Modules (TPMs) that provide secure resources
needed to authenticate the system’s hardware and software are small, low-power
devices that are suitable for embedded applications. In conjunction with
key-management and device-signing services, they can provide an efficient
hardware-based security solution
.jpg)
0 Comments