Mutual Attestation of IoT Devices Connect Security World September 2016 Marseille Prof. Andreas Steffen Institute for Internet Technologies and Applications.

Slides:



Advertisements
Similar presentations
Internet Protocol Security (IP Sec)
Advertisements

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Putting Trust into the Network: Securing.
Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
K. Salah1 Security Protocols in the Internet IPSec.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 Open Standards for Network Access Control Trusted Network Connect.
TNC Endpoint Compliance and Network Access Control Profiles TCG Members Meeting June 2014 Barcelona Prof. Andreas Steffen Institute for Internet Technologies.
Network Access Control for Education
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
1 IF-MAP: Open Standards for Coordinating Security Presentation for SAAG IETF 72, July 31, 2008 Steve Hanna
IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.
TNC Proposals for NEA Protocols Presentation by Steve Hanna to NEA WG meeting at IETF 71 March 11, 2008.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.
Dec 5, 2007NEA Working Group1 NEA Requirement I-D IETF 70 – Vancouver Mahalingam Mani Avaya Inc.
V IRTUAL P RIVATE N ETWORKS K ARTHIK M OHANASUNDARAM W RIGHT S TATE U NIVERSITY.
NEA Working Group IETF meeting July 27, 2011 Jul 27, 2011IETF 81 - NEA Meeting1.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
Lect 8 Tahani al jehain. Types of attack Remote code execution: occurs when an attacker exploits a software and runs a program that the user does not.
K. Salah1 Security Protocols in the Internet IPSec.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
Continuous Assessment Protocols for SACM draft-hanna-sacm-assessment-protocols-00.txt November 5, 20121IETF 85 - SACM Meeting.
11 SECURING NETWORK TRAFFIC WITH IPSEC Chapter 6.
IP Security
VPNs & IPsec Dr. X Slides adopted by Prof. William Enck, NCSU.
Virtual Private Networks and IPSec
Prof. Andreas Steffen Institute for Networked Solutions
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
IPSec Detailed Description and VPN
CompTIA Security+ Study Guide (SY0-401)
Chapter 5 Network Security Protocols in Practice Part I
IPSecurity.
Virtual Private Networks
Firewall Issues Research Group GGF-15 Oct Boston, Ma Leon Gommans - University of Amsterdam Inder Monga - Nortel Networks.
CSE 4905 IPsec.
Encryption and Network Security
Virtual Private Networks
Somesh Jha University of Wisconsin
SECURING NETWORK TRAFFIC WITH IPSEC
Internet and Intranet Fundamentals
CSE 4905 IPsec II.
IT443 – Network Security Administration Instructor: Bo Sheng
UNIT.4 IP Security.
Mutual Attestation of IoT Devices and TPM 2
Understand Networking Services
draft-fitzgeraldmckay-sacm-endpointcompliance-00
Trusted Network Connect: Open Standards for NAC
CompTIA Security+ Study Guide (SY0-401)
Securing Access to Mobile Operator Core Networks using IKEv2
VPN-Implementation Using UBUNTU OS and OpenVPN and Hamachi in client-server environment. By Ruphin Byamungu, Kusinza United States International University-Nairobi.
2018 Real Cisco Dumps IT-Dumps
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
Network Security (contd.)
Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls
Lecture 2: Overview of TCP/IP protocol
Introduction to Network Security
Virtual Private Networks (VPNs)
Intel Active Management Technology
Tero Kivinen, AuthenTec
Virtual Private Network zswu
Tero Kivinen, AuthenTec
B. R. Chandavarkar CSE Dept., NITK Surathkal
Presentation transcript:

Mutual Attestation of IoT Devices Connect Security World September 2016 Marseille Prof. Andreas Steffen Institute for Internet Technologies and Applications HSR University of Applied Sciences Rapperswil andreas.steffen@hsr.ch

HSR - Hochschule für Technik Rapperswil Swiss University of Applied Sciences with about 1500 students Faculty of Information Technology (300-400 students) Bachelor Course (3 years), Master Course (+1.5 years)

strongSwan – the OpenSource VPN Solution Windows Active Directory Server Linux FreeRadius Server Corporate Network High-Availability strongSwan VPN Gateway Windows 7/8/10 Agile VPN Client strongSwan Linux Client N Rekeying Notification (optional) SAi Suite of cryptographic proposals for the Child SA (ESP and/or AH) Ni Initiator Nonce KEi Initiatior public factor for the Diffie-Hellman Key Exchange (optional PFS) TSi Initiator Traffic Selectors (subnets behind the Initiator) TSr Responder Traffic Selectors (subnets behind the Responder SA1r Selection of a cryptographic proposal for the IKE SA Nr Responder Nonce KEr Responder public factor for the Diffie-Hellman Key Exchange (optional PFS) Internet

Mutual Attestation of IoT Devices Connect Security World September 2016 Marseille The Standards: IETF Network Endpoint Assessment (NEA) TCG Trusted Network Connect (TNC)

Network Access Control (NAC) allow NAC Policy Enforcement Point Corporate Network NAC Server block Policy Manager Policy Manager isolate Computer with NAC Client Attribute Requests Measurement Results Isolation Network Measurement Policy

Network Access Control TCG TNC Architecture RFC 5792 RFC 5793 RFC 6876 RFC 7171 Endpoint Compliance Lying Endpoint Network Access Control Abbreviations • AR Access Requestor • IF Interface • IMC Integrity Measurement Collector • IMV Integrity Measurement Verifier • M Measurement • PDP Policy Decision Point • PEP Policy Enforcement Point • T Transport • TNC Trusted Network Connect VPN Client VPN Gateway

Network Endpoint Assessment (RFC 5209) NEA Client NEA Server Posture Collectors (1 .. N) Posture Collectors (1 .. N) Posture Collectors (1 .. N) Posture Collectors (1 .. N) Posture Collectors (1 .. N) Posture Validators (1 .. N) PA RFC 5792 PA-TNC Posture Broker Client Posture Broker Server PB RFC 5793 PB-TNC Posture Transport Clients (1 .. K) Posture Transport Clients (1 .. K) Posture Transport Clients (1 .. K) Posture Transport Clients (1 .. K) Posture Transport Clients (1 .. K) Posture Transport Servers (1 .. K) PT Abbreviations • PA Posture Attribute Protocol • PB Posture Broker Protocol • PT Posture Transport Protocol PA Subtypes • 0 Testing • 1 Operating System (OS) • 2 Anti-Virus • 3 Anti-Spyware • 4 Ant-Malware • 5 Firewall • 6 Intrusion Detection and/or Prevention (IDPS) Software • 7 Virtual Private Network (VPN) Software • 8 NEA Client Software PT Protocols • e.g. EAP-TLS via 802.1X (Layer 2) or IKEv2 (Layer 3) RFC 6876 PT-TLS RFC 7171 PT-EAP

Layered TNC Protocol Stack TNC Measurement Data [IMV] operating system name is 'Android' from vendor Google [IMV] operating system version is '4.2.1‘ [IMV] device ID is cf5e4cbcc6e6a2db IF-M Measurement Protocol PA-TNC (RFC 5792) [TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001 [IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1 [TNC] processing PA-TNC message with ID 0xec41ce1d [TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002 [TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004 [TNC} processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008 IF-TNCCS TNC Client-Server Protocol PB-TNC (RFC 5793) [TNC] received TNCCS batch (160 bytes) for Connection ID 1 [TNC] PB-TNC state transition from 'Init' to 'Server Working' [TNC] processing PB-TNC CDATA batch [TNC] processing PB-Language-Preference message (31 bytes) [TNC] processing PB-PA message (121 bytes) [TNC] setting language preference to 'en‘ IF-T Transport Protocol PT-EAP (RFC 7171) [NET] received packet: from 152.96.15.29[50871] to 77.56.144.51[4500] (320 bytes) [ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]

strongSwan supports TPM-based Attestation 2010 Implemented the TCG TNC IF-TNCCS 2.0 Client/Server and TCG TNC IF-M Measurement protocols. 2011 Implemented the TCG Attestation Protocol Binding to TNC IF-M using TrouSerS stack under Linux [later ported to Windows]. 2012 Implemented TPM 1.2 based attestation using the Linux Integrity Measurement Architecture (IMA). 2015 Implemented the TCG TNC IF-M Segmentation Protocol allowing the transport of huge IF-M attributes over IF-T for EAP Methods. IF-T for TLS transport also profits from large buffer savings. 2016 Implemented TPM 2.0 based Attestation using the Intel TSS2 SAPI under Linux and an Intel PTT Firmware TPM. 2016 Implemented TPM 2.0 based Attestation using the Intel TSS2 SAPI under Linux and an Infineon Hardware TPM.

Mutual Attestation of IoT Devices Connect Security World September 2016 Marseille Trusted Network Communications (TNC) New Use Case: Mutual Measurements of Endpoints

PB-TNC / IF-TNCCS 2.0 State Machine PA-TNC IF-TNCCS 2.0 Batch Types • CDATA ClientData • SDATA ServerData • CRETRY ClientRetry • SRETRY ServerRetry • RESULT Result • CLOSE Close Exchange of PB-TNC Client/Server Data Batches containing PA-TNC Messages

Why do Mutual TNC Measurements work? Definition of PB-TNC Batch Header in RFC 5793 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version |D| Reserved | B-Type| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Batch Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Directionality (D) (1 bit) When a Posture Broker Client is sending this message, the Directionality bit MUST be set to 0. When a Posture Broker Server is sending this message, the Directionality bit MUST be set to 1. This helps avoid any situation where two Posture Broker Clients or two Posture Broker Servers engage in a dialog. It also helps with debugging. Idea: Use the Directionality Flag to multiplex two IF-TNCCS 2.0 connections in opposite directions over a common IF-T transport channel.

Mutual Measurements in Half-Duplex Mode Initiator PB-TNC Batch[PB-TNC Messages] Responder TNC Client  CDATA[PB-MUTUAL, PB-PA] TNC Server  SDATA[PB-MUTUAL, PB-PA] SDATA[] CDATA[PB-PA] RESULT[PB-ASSESSMENT] SDATA[PB-PA] CLOSE[] The initiating TNC client sends CLOSE batch last Works over PT-EAP and PT-TLS

Example: Mutually Trusted Video Phones Demo Setup: Raspberry Pi 2 IoT Platform Raspian OS (Debian 7/8) Infineon HW TPM: TPM 1.2 with TrouSerS TPM 2.0 with Intel TSS 2.0 PA-TNC IF-TNCCS 2.0 Batch Types • CDATA ClientData • SDATA ServerData • CRETRY ClientRetry • SRETRY ServerRetry • RESULT Result • CLOSE Close Raspi 3 Raspi 4

Mutual Attestation of IoT Devices DB Trusted Reference DB TLS DB DB Attestation IMV Attestation IMV TNC Server TNC Server Policy Manager Policy Manager PT-EAP PT-EAP TNC Client TNC Client IKEv2 OS IMC Attestation IMC Attestation IMC OS IMC Linux OS PA-TNC IF-TNCCS 2.0 Batch Types • CDATA ClientData • SDATA ServerData • CRETRY ClientRetry • SRETRY ServerRetry • RESULT Result • CLOSE Close TPM TPM Linux OS Linux IMA* IPsec Linux IMA Video Link Video Link IoT Device 1 IoT Device 2 * IMA: Integrity Measurement Architecture

strongTNC Open Source Policy Manager

List of Measured Devices

End Point Raspi 4: Session Details

End Point Raspi 3: Session Details

File Version Management using SWID Tags ISO/IEC 19770-2:2015 Software Asset Management Part 2: Software Identification Tag: <SoftwareIdentity xmlns=http://standards.iso.org/iso/19770/-2/2015/schema.xsd name="libssl1.0.0" tagId="Ubuntu_14.04-x86_64-libssl1.0.0-1.0.1f-1ubuntu2.15“ version="1.0.1f-1ubuntu2.15" versionScheme="alphanumeric"> <Entity name="strongSwan Project" regid="strongswan.org“ role="tagCreator"/> <Payload> <File location="/lib/x86_64-linux-gnu" name="libcrypto.so.1.0.0"/> <File location="/lib/x86_64-linux-gnu" name="libssl.so.1.0.0"/> <File location="/usr/share/doc/libssl1.0.0" name="copyright"/> <File location="/usr/share/doc/libssl1.0.0" name="changelog.Debian.gz"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libpadlock.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libcswift.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="lib4758cca.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libaep.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libubsec.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libchil.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libgost.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libgmp.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libcapi.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libnuron.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libsureware.so"/> <File location="/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines" name="libatalla.so"/> </Payload> </SoftwareIdentity>

SWID Tag Support

Raspi 3 Session Details

Statistics: Two IoT Clients run over 5 Months

Conclusions Attestation of IoT devices using either a TPM 1.2 or TPM 2.0 is feasible and takes less than 60 seconds. The regular use case is periodic reporting of attestation results by all IoT devices to a central Policy Decision Point. IF-T transport is usually based on TLS. Mutual attestation can be used e.g. by mission-critical routers in the energy grid in order to establish mutual trust into the hardware identity and integrity of the IoT devices. IF-T transport can be based on IKEv2-EAP if IPsec is used to protect the traffic exchanged by the devices anyway. Using the strongSwan and strongTNC open source software, IoT attestation solutions can be easily implemented!

Thank you for your attention! Questions? www.strongswan.org/tnc/

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.