Prof. Andreas Steffen Institute for Networked Solutions

Slides:



Advertisements
Similar presentations
Internet Protocol Security (IP Sec)
Advertisements

Guide to Network Defense and Countermeasures Second Edition
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Putting Trust into the Network: Securing.
Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.
Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Network Connect: Open.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 Open Standards for Network Access Control Trusted Network Connect.
TNC Endpoint Compliance and Network Access Control Profiles TCG Members Meeting June 2014 Barcelona Prof. Andreas Steffen Institute for Internet Technologies.
Network Access Control for Education
Trusted Computing BY: Sam Ranjbari Billy J. Garcia.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Network Connect Briefing.
Andreas Steffen, , 11-SSH.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen M. Liebi Institute for Internet Technologies and Applications.
Module 8: Planning and Troubleshooting IPSec. Overview Understanding Default Policy Rules Planning an IPSec Deployment Troubleshooting IPSec Communications.
Cyber Security for Energy Delivery Systems NSTB What’s an ICP ? And why is it Useful for Utilities ? Dave Teumim, CISSP Teumim Technical, LLC.
1 IF-MAP: Open Standards for Coordinating Security Presentation for SAAG IETF 72, July 31, 2008 Steve Hanna
11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 
IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.
TNC Proposals for NEA Protocols Presentation by Steve Hanna to NEA WG meeting at IETF 71 March 11, 2008.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Planning and Managing IP Security.
Wireless and Mobile Security
V IRTUAL P RIVATE N ETWORKS K ARTHIK M OHANASUNDARAM W RIGHT S TATE U NIVERSITY.
IPSec The Wonder Protocol Anurag Vij Microsoft IT.
Continuous Assessment Protocols for SACM draft-hanna-sacm-assessment-protocols-00.txt November 5, 20121IETF 85 - SACM Meeting.
11 SECURING NETWORK TRAFFIC WITH IPSEC Chapter 6.
Trusted? 05/4/2016 Charles Sheehe, CCSDS Security Working Group GRC POC All information covered is from public sources 1.
Computer and Network Security
VPNs & IPsec Dr. X Slides adopted by Prof. William Enck, NCSU.
Virtual Private Networks and IPSec
Trusted? 05/4/2016 Charles Sheehe, CCSDS Security Working Group GRC POC All information covered is from public sources.
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
Chapter 5 Network Security Protocols in Practice Part I
Developing IoT endpoints with mbed Client
Analysis of secured VoIP services
Firewall Issues Research Group GGF-15 Oct Boston, Ma Leon Gommans - University of Amsterdam Inder Monga - Nortel Networks.
CSE 4905 IPsec.
Encryption and Network Security
Virtual Private Networks
SECURING NETWORK TRAFFIC WITH IPSEC
CSE 4905 IPsec II.
Network Security: IPsec
IT443 – Network Security Administration Instructor: Bo Sheng
Mutual Attestation of IoT Devices Connect Security World September 2016 Marseille Prof. Andreas Steffen Institute for Internet Technologies and Applications.
UNIT.4 IP Security.
Outline What does the OS protect? Authentication for operating systems
Module 8: Securing Network Traffic by Using IPSec and Certificates
Mutual Attestation of IoT Devices and TPM 2
BINF 711 Amr El Mougy Sherif Ismail
Outline What does the OS protect? Authentication for operating systems
CS691 M2009 Semester Project PHILIP HUYNH
TCG’s Embedded System and IoT Focus
draft-fitzgeraldmckay-sacm-endpointcompliance-00
Trusted Network Connect: Open Standards for NAC
VPN-Implementation Using UBUNTU OS and OpenVPN and Hamachi in client-server environment. By Ruphin Byamungu, Kusinza United States International University-Nairobi.
2018 Real Cisco Dumps IT-Dumps
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
SECURING WIRELESS LANS WITH CERTIFICATE SERVICES
אבטחת ענן כמאל יאסין & סיון שני.
Seminar Class CS591 Presentation Topic: VPN
Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls
Module 8: Securing Network Traffic by Using IPSec and Certificates
Open Automation Software
Intel Active Management Technology
Tero Kivinen, AuthenTec
Tero Kivinen, AuthenTec
B. R. Chandavarkar CSE Dept., NITK Surathkal
Remote ATtestation ProcedureS (RATS)
Presentation transcript:

TPM-Based Attestation of IoT Devices Cyber-Security Event Singapore, March 10 Prof. Andreas Steffen Institute for Networked Solutions HSR University of Applied Sciences Rapperswil andreas.steffen@hsr.ch

Where the heck is Rapperswil? HSR

HSR - Hochschule für Technik Rapperswil University of Applied Sciences with about 1500 students Faculty of Information Technology (300-400 students) Bachelor Course (3 years), Master Course (+1.5 years) Our Lab Research Building

strongSwan – the OpenSource VPN Solution Windows Active Directory Server Linux FreeRadius Server Corporate Network High-Availability strongSwan VPN Gateway Windows 7/8/10 Agile VPN Client strongSwan Linux Client N Rekeying Notification (optional) SAi Suite of cryptographic proposals for the Child SA (ESP and/or AH) Ni Initiator Nonce KEi Initiatior public factor for the Diffie-Hellman Key Exchange (optional PFS) TSi Initiator Traffic Selectors (subnets behind the Initiator) TSr Responder Traffic Selectors (subnets behind the Responder SA1r Selection of a cryptographic proposal for the IKE SA Nr Responder Nonce KEr Responder public factor for the Diffie-Hellman Key Exchange (optional PFS) Internet

Free Download from Google Play Store October 16, 2016: 21’816 installations

Attestation of IoT Devices based on Trusted Network Connect (TNC) TPM-Based Attestation of IoT Devices Cyber-Security Event Singapore, March 10 Attestation of IoT Devices based on Trusted Network Connect (TNC)

The Energy Grid Network devices and SCADA components controlling the energy grid are extremely vulnerable to cyber attacks! It is important to be able to detect malware embedding itself into IoT firmware. PA-TNC IF-TNCCS 2.0 Batch Types • CDATA ClientData • SDATA ServerData • CRETRY ClientRetry • SRETRY ServerRetry • RESULT Result • CLOSE Close

RSA 2015 Security Conference San Francisco PA-TNC IF-TNCCS 2.0 Batch Types • CDATA ClientData • SDATA ServerData • CRETRY ClientRetry • SRETRY ServerRetry • RESULT Result • CLOSE Close Cisco 1120 Connected Grid Router with strongSwan running on Linux Guest OS

Trusted Network Connect (TNC) Architecture RFC 5792 RFC 5793 RFC 6876 RFC 7171 Lying Endpoint Network Access Control Abbreviations • AR Access Requestor • IF Interface • IMC Integrity Measurement Collector • IMV Integrity Measurement Verifier • M Measurement • PDP Policy Decision Point • PEP Policy Enforcement Point • T Transport • TNC Trusted Network Connect PEP Policy Enforcement Point PDP Policy Decision Point VPN Client VPN Gateway

Layered TNC Protocol Stack TNC Measurement Data [IMV] operating system name is 'Android' from vendor Google [IMV] operating system version is '4.2.1‘ [IMV] device ID is cf5e4cbcc6e6a2db IF-M Measurement Protocol PA-TNC (RFC 5792) [TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001 [IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1 [TNC] processing PA-TNC message with ID 0xec41ce1d [TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002 [TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004 [TNC} processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008 IF-TNCCS TNC Client-Server Protocol PB-TNC (RFC 5793) [TNC] received TNCCS batch (160 bytes) for Connection ID 1 [TNC] PB-TNC state transition from 'Init' to 'Server Working' [TNC] processing PB-TNC CDATA batch [TNC] processing PB-Language-Preference message (31 bytes) [TNC] processing PB-PA message (121 bytes) [TNC] setting language preference to 'en‘ IF-T Transport Protocol PT-EAP (RFC 7171) [NET] received packet: from 152.96.15.29[50871] to 77.56.144.51[4500] (320 bytes) [ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]

Demo: Mutually Trusted Video Phones CeBIT 2016 Hannover: Raspberry Pi 2 IoT Platform Raspian OS (Debian 8) Intel TSS 2.0 Stack Infineon HW TPM 2.0 PA-TNC IF-TNCCS 2.0 Batch Types • CDATA ClientData • SDATA ServerData • CRETRY ClientRetry • SRETRY ServerRetry • RESULT Result • CLOSE Close Raspi 3 Raspi 4

Mutual Attestation of IoT Devices DB Trusted Reference DB TLS DB DB Attestation IMV Attestation IMV TNC Server TNC Server PT-EAP PT-EAP TNC Client TNC Client IKEv2 OS IMC Attestation IMC Attestation IMC OS IMC Linux OS PA-TNC IF-TNCCS 2.0 Batch Types • CDATA ClientData • SDATA ServerData • CRETRY ClientRetry • SRETRY ServerRetry • RESULT Result • CLOSE Close TPM TPM Linux OS Linux IMA* IPsec Linux IMA Video Link Video Link IoT Device 1 IoT Device 2 * IMA: Integrity Measurement Architecture

File Version Management using SWID Tags ISO/IEC 19770-2:2015 Software Asset Management Part 2: Software Identification Tag NISTIR 8060 Guidelines for the Creation of Interoperable SWID Tags <SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" name="libssl1.0.0" tagId="Ubuntu_16.04-x86_64-libssl1.0.0-1.0.2g-1ubuntu4.6“ version="1.0.2g-1ubuntu4.6" versionScheme="alphanumeric"> <Entity name="strongSwan Project" regid="strongswan.org“ role="tagCreator"/> <Payload> <Directory name="/lib/x86_64-linux-gnu" > <File name="libcrypto.so.1.0.0" size=“2361856" SHA256:hash="879a98c17952cd00d20cf42e83b1c54b4187f48dccb06cc8cc80ac2505a4db56"/> <File name="libssl.so.1.0.0" size="42834“ SHA256:hash="b46a5c50ee77d7fe59fdb0eb1bae18a724c0e7962b5f228e2d901d6bff93be26"/> </Directory> <Directory name ="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines"> <File name="libatalla.so" size= "15488" SHA256:hash=" 3e3a07ac750d335555230c1b438c844f7983044a4efcf2c2564670d98549ca9c"/> ... </Directory> <Directory name ="/usr/share/doc/libssl1.0.0"> <File name="copyright" size= "6547" SHA256:hash="df574956b215bcdb0fb9e1b7b1562c9f172f1b5243d03b2f5bab5ecc68300ac5"/> ... </Directory> </Payload> </SoftwareIdentity>

Conclusion A Trusted Platform Module (TPM) allows the reliable detection of any unauthorized change in the BIOS and operating system of an IoT device, solving the lying endpoint problem. Attestation measurements are digitally signed by the TPM thus asserting the trustworthiness. Additionally a TPM offers a secure and trustworthy hardware identity derived from a unique Endorsement Seed permanently programmed into the TPM during the manufacturing or provisioning process. Modern Intel and ARM processors offer a built-in firmware TPM based on Intel Platform Trust Technology (PTT) and ARM TrustZone, respectively. The strongSwan open source project offers a full implementation of the Trusted Network Connect (TNC) Internet standards, allowing the remote or mutual attestation of IoT devices.

Thank you for your attention! Questions? www.strongswan.org/tnc/

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.