Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 13 1
Java Solutions for Securing Edge-to-Enterprise
Eric Vétillard
Sr. Principal Product Manager, Java Card
Oracle
Program Agenda
Embedded security requirements
Example: Smart Meter use cases
Building trust with Secure Elements
Java Card in embedded devices
Edge-to-enterprise security
Standard Architecture
[Diagram: devices connected, optionally through a gateway, to a backend with storage; tier labels: Java ME Embedded, Java Embedded Suite, Java EE]
What's New?
There are many of them
They are the heart of business
They are you
You may have limited control
The devices are new
[Diagram: many devices connected to a backend, a cloud and a server]
What New Risks are Introduced?
Attacking the device
– Tampering with the device
– Fake device
Attacking the device link
– Stealing information
– Modifying information
New system entry point
[Diagram: devices connected to a backend, a cloud and a server]
Security is About Resistance to Attacks
Attacks are intended to abuse the system for the benefit of the attacker
Think about attackers, not only about users
– Possibly a user trying to abuse the system
– Possibly a terrorist trying to destroy the whole ecosystem
Think about vulnerabilities, not bugs
– Vulnerabilities often start from features
– Bad specification is harder to fix than bad implementation
Main Security Requirements
Safety: Do what you are supposed to do
Privacy: Restrict access to user data
Regulation: Abide by national/vertical rules
Access control: Restrict access to authorized persons
Accountability: Guarantee some traceability of other properties
High-level requirements: they must hold even under attack
Main Security Functions
Data protection: Confidentiality (encryption); Integrity (signature)
Authentication and Authorization: Authentication (password, biometry, token); Authorization (access rights)
Logging and Auditing: Security log (remember actions); Auditor access; Log interpretation
Provisioning / Code Update: System upgrade; App upgrade; Bug fixing
Software protection: Code integrity (code signature, code verification); Runtime integrity
Smart metering: High-level View
Why move to smart meters?
Better data collection
Less manpower
Accurate information
Enable Smart Grid and Big Data
Better grid control
Feedback to users
What consequences?
Less human control
Fraud detection is difficult
More data flowing
Injection of wrong data
Private consumer data leaks
Smart metering: Environment and Details
Main characteristics
Owned/controlled by utility company
Lifetime > 10 years
No human intervention
Tamper-resistant meter
Limited price sensitivity
Raw data is privacy-sensitive
Threat analysis
On the device:
– Tampering with data collection
– Tampering with collected data
Between the device and the backend:
– Insert fake device
– Modify transferred data
– Steal transferred data
Smart Metering: Security Update
Data collection: before, tamper-evidence; after, tamper-resistance
Data storage (new issue): data integrity, data confidentiality
Fake device (new issue): authentication
Fake server (new issue): authentication
Man-in-the-middle (new issue): secure channel
Smart Meter: Designing Security In
Many Levels of Security
Tamper-proofing the device
Securing the protocol
Using a good software stack
Adding a secure element
– Tamper-resistant hardware
– Small, isolated, certifiable
3 Ways to Build Trust from Secure Elements
Secure element as secure store
– Storing and handling important secrets
– Example: the satellite TV card
Secure element as backend proxy
– Representing the service provider in the device
– Example: the SIM card
Secure element as device root of trust
– Build trust in the device from a Secure Element
– Example: the Trusted Platform Module (TPM)
Secure Element as Secure Store: Satellite TV
Satellite TV is good for hackers
– Content is broadcast
Content is encrypted
– Using a single key
– This key needs protection
Secure Element as Secure Store: Satellite TV Cards
Tamper resistance is key
– Device is “in the wild”
– Secrets have value
Not just a store
– Secure elements have a CPU
– Core secrets never get out
Secure Element as Backend Proxy: Mobile telephony
Access only for subscribers
– Bidirectional communication
– Authentication required
System can be hacked
– Duplicating phone identity
Secure Element as Backend Proxy: Mobile telephony SIM
End-to-end security
– SIM interacts with backend
– Security is in the SIM
– Device is just a dumb pipe
Limits trust requirements
– Untrusted device is OK
– BYOD is ultimate use case
Secure Element as Device Root of Trust: Protecting Device Integrity
Device can be compromised
– End user changing software
– External network attack
Very dangerous on devices
– Consequences unknown
– Hard to fix directly on device
– Remote access can be disabled by attacker
Secure Element as Device Root of Trust: Using a TPM as root of trust
Provides good guarantees
– Tamper evidence
– Hardware integration
Building from these properties
– TPM verifies the kernel
– Kernel starts, verifies OS, …
– Remote attestation possible
[Diagram: TPM at the base, then Kernel, OS and Apps layered above it]
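The TPM chain on this slide, worked as an added example that is not part of the original deck: a simulated measured boot extends a PCR stage by stage, the backend verifies a nonce-bound quote against the golden PCR, and the event log pinpoints the first modified stage. The images, stage names and attestation key are constructed, and an HMAC with a TPM-held secret stands in for the asymmetric attestation signature a real TPM would produce.

```python
import hashlib
import hmac

# Constructed stand-ins for the boot-stage images (real firmware would be measured whole).
GOOD_IMAGES = {"kernel": b"vmlinuz-good", "os": b"rootfs-good", "apps": b"meter-app-good"}
STAGES = ("kernel", "os", "apps")

def pcr_extend(pcr, digest):
    """TPM-style extend: a PCR can only be updated as H(PCR_old || digest), never set."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(images):
    """Each stage measures the next into the PCR before handing over control:
    TPM measures the kernel, the kernel measures the OS, the OS measures the apps."""
    pcr, log = b"\x00" * 32, []
    for stage in STAGES:
        digest = hashlib.sha256(images[stage]).digest()
        log.append((stage, digest))        # event log, reported alongside the quote
        pcr = pcr_extend(pcr, digest)
    return pcr, log

def replay_log(log):
    """Recompute the PCR from an event log; equals the quoted PCR only if the log is honest."""
    pcr = b"\x00" * 32
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr

def first_divergence(log, reference_images):
    """Name the first boot stage whose measurement differs from the reference, or None."""
    for stage, digest in log:
        if digest != hashlib.sha256(reference_images[stage]).digest():
            return stage
    return None

# Assumption: HMAC with a secret held only by the (simulated) TPM replaces the real
# TPM's asymmetric attestation key.
ATTESTATION_KEY = b"constructed-tpm-attestation-secret"

def quote(pcr, nonce):
    """TPM quote: signature over the verifier's nonce (freshness) and the PCR value."""
    return hmac.new(ATTESTATION_KEY, nonce + pcr, hashlib.sha256).digest()

def verify_attestation(pcr, nonce, signature, reference_images):
    """Backend side of remote attestation: check the quote, then compare to the golden PCR."""
    if not hmac.compare_digest(quote(pcr, nonce), signature):
        return False, "bad quote signature or stale nonce"
    if pcr != measured_boot(reference_images)[0]:
        return False, "PCR mismatch: boot chain differs from reference"
    return True, "device integrity verified"
```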
3 Ways to Build Trust from Secure Elements: Recap and value
Secure element as secure store
– Storing and handling important secrets
– Example: the satellite TV card
– Value for service provider, for unconnected models: focus on local security
Secure element as backend proxy
– Representing the service provider in the device
– Example: the SIM card
– Value for service provider, for connected models: end-to-end security
Secure element as device root of trust
– Build trust in the device from a Secure Element
– Example: the Trusted Platform Module (TPM)
– Value for device provider, for all application models: improves device security
Smart Meter: What Secure Element Model?
Many Levels of Security
Mostly a backend proxy
– Authentication, secure channel
– Managing data for the provider
Also a secure store
– If there is a local interface
Could be a root of trust
– Protecting device integrity
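An added example, not part of the deck, of the backend-proxy model chosen above; it also covers the secure-store point that core secrets never leave the element and the authentication and secure-channel rows of the Security Update slide. The meter's secret lives only inside a SecureElement object, device and backend authenticate each other by challenge-response, and readings travel with a sequence number and MAC; meter ids, secrets and readings are constructed, and because Python's standard library has no AEAD cipher the channel shown gives integrity and replay protection only, with confidentiality left to an AEAD layer around the same record.

```python
import hashlib
import hmac
import os

def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so concatenation cannot be ambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class SecureElement:
    """Meter-side secure element: the provisioned secret never leaves this object."""
    def __init__(self, meter_id, secret):
        self.meter_id, self._secret = meter_id, secret
    def prove(self, role, n_dev, n_srv):
        return mac(self._secret, role, self.meter_id, n_dev, n_srv)
    def session_key(self, n_dev, n_srv):
        return mac(self._secret, b"session", self.meter_id, n_dev, n_srv)

class Backend:
    """Utility backend holding each meter's secret (other end of the backend-proxy model)."""
    def __init__(self, registry):
        self.registry = registry                      # meter_id -> provisioned secret
    def peer_for(self, meter_id):
        secret = self.registry.get(meter_id)
        return SecureElement(meter_id, secret) if secret is not None else None

def handshake(se, backend):
    """Mutual challenge-response; returns the session key, or None if a fake peer is detected."""
    n_dev, n_srv = os.urandom(16), os.urandom(16)    # device and server nonces
    srv = backend.peer_for(se.meter_id)
    if srv is None:
        return None                                   # backend: unknown meter id
    if not hmac.compare_digest(srv.prove(b"srv", n_dev, n_srv), se.prove(b"srv", n_dev, n_srv)):
        return None                                   # device rejects a fake server
    if not hmac.compare_digest(se.prove(b"dev", n_dev, n_srv), srv.prove(b"dev", n_dev, n_srv)):
        return None                                   # backend rejects a fake device
    return se.session_key(n_dev, n_srv)

def protect(session_key, seq, reading):
    """Secure-channel record: seq || reading || tag (integrity and replay protection)."""
    header = seq.to_bytes(4, "big")
    return header + reading + mac(session_key, header, reading)

def unprotect(session_key, last_seq, record):
    """Receiver check: reject replayed or reordered sequence numbers and any modified bytes."""
    seq, body, tag = int.from_bytes(record[:4], "big"), record[4:-32], record[-32:]
    if seq <= last_seq or not hmac.compare_digest(tag, mac(session_key, record[:4], body)):
        return None
    return seq, body
```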
Embedded Systems with Security Subsystems: A few examples available today
Smart cards: mobile phones (SIM); POS terminals (EMV payment); media players (DRM)
Trusted Execution Environment (TEE): mobile devices (DRM, device integrity)
Secure Elements: wireless modules (SIM / authentication); NFC phones (mobile payment); smart meters (regulation, prepaid)
TPM: ATM (system integrity); media players (DRM)
Java Card and Java in the Embedded Space
Many links available
Java Card is used to program secure elements
– Subset of Java, complemented with specific APIs
– Multi-tenant architecture with firewalled applications
– Dynamic application management
– Now available on embeddable secure microcontrollers
Java APIs exist to communicate with secure elements on devices
– JSR-177 provides access to secure elements
– JSR-257 for using a contactless interface
Edge-to-Enterprise Security: Including security in the process
First, identify the security requirements
– What security features are/will be required on edge devices?
– What kind of attacks need to be considered?
– What kind of assurance level is/will be required?
Then, separate the security functions
– Think of it as a separate Security Subsystem
Edge-to-Enterprise Security: On-device implementation options
Embedded in the main code
– Providing a minimal assurance level
– Already much, much better than if not identified
Using a dedicated secure element
– Improved traceability and highest assurance levels
– Improved asset protection and tamper resistance
More options will become available
– From Trusted Computing to Trusted Execution Environments
– The Java Card team follows these initiatives closely
Don’t Forget Security Engineering!
Breaches are costly
Compliance issues
– PCI compliance can be lost, and this is very bad publicity
– HIPAA compliance will not be easier
Many embedded devices will need to be integrated
Attacks happen, and devices will be targeted
– Attacks moving from desktop to mobile
– Hackers are realizing that many devices are poorly secured
Any questions?
Eric Vétillard
eric.vetillard@oracle.com