26
Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Embed Size (px)

Citation preview

Page 1: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Hardware-Rooted Security in Mobile Devices

Andrew RegenscheidLead, Hardware-Rooted Security

Computer Security Division

Page 2: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

About NIST

6/3/2013

● Computer Security Division ●Slide 2

• NIST's Mission Statement:To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

• Information Technology Laboratory Mission Statement:To promote US innovation and industrial competitiveness by advancing measurement science, standards, and technology through research and development in information technology, mathematics, and statistics.

• CSD Mission Statement:Conduct research, development and outreach necessary to provide standards and guidelines, mechanisms, tools, metrics and practices to protect our nation’s information and information systems.

Page 3: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Disclaimer

Certain commercial entities, equipment, or materials may be identified in this presentation in order to describe an experimental procedure or

concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply

that the entities, materials, or equipment are necessarily the best available for the purpose.

6/3/2013

● Computer Security Division ●Slide 3

Page 4: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Mobility

• Mobile technologies have potential to:– Improve productivity– Facilitate teleworking– Provide mobile workforce access to data

anytime/anywhere

• Digital Government Strategy recognizes this potential and the unique security and privacy challenges

6/3/2013

● Computer Security Division ●Slide 4

Page 5: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

NIST Standards and Guidelines

Key NIST standards and guidelines relevant to mobile security:

• SP800-53, Recommended Security Controls for Federal Information Systems and Organizations

• Cryptographic Modules and Algorithms• SP800-124rev1, Guidelines for Managing and

Securing Mobile Devices in the Enterprise• FIPS 201-2, Personal Identity Verification of Federal

Employees and Contractors• NIST SP800-157, Guidelines on Derived PIV

Credentials• Upcoming Mobile App Vetting Guidelines

6/3/2013

● Computer Security Division ●Slide 5

Page 6: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Technology Gaps

• Key security functions were not rooted in trustworthy, well-protected components

• Data protection capabilities varied greatly by platform

• Need stronger mechanisms for maintaining data and application separation

• Current MDM solutions provide limited insight into security state of a device

6/3/2013

● Computer Security Division ●Slide 6

Page 7: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

BYOD

6/3/2013

● Computer Security Division ●Slide 7

Page 8: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Information Owners & Contexts

6/3/2013

● Computer Security Division ●Slide 8

Page 9: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Mobile Device Security

• NIST SP800-164, Guidelines on Hardware-Rooted Security In Mobile Devices

• Focus on three key capabilities:– Device Integrity: Software, firmware,

and hardware configurations are in a trusted state

– Isolation: Sandbox apps and separate data to control information and confine vulnerabilities

– Protected Storage: Protect confidentiality and integrity of sensitive data on the device

6/3/2013

● Computer Security Division ●Slide 9

Page 10: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

What is a Root of Trust?

• A root of trust (RoT) is a set of hardware, firmware, and/or software that is inherently trusted to perform a vital security function.– Key Storage RoT for Storage– Health Assertions RoT for Integrity– Digital Signing RoT for Reporting– Signature Verification RoT for Verification– Hashing Code RoT for Measurement

• RoTs are closely tied to the logic and environment on which it performs its trusted actions.

6/3/2013

● Computer Security Division ●Slide 10

Page 11: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Trust Chains

• A RoT may directly provide a function, or verifiably and reliably spawn agents that provide that function.

• The RoT is (generally) the smallest distinguishable component that must be inherently trusted.

• Complicates discussions over RoT definitions– Discussions over the “fundamental” RoTs quickly devolve to

metaphysics.– For clarify, we’ll identify RoTs based on the security function they

provide with no implications on implementation.

6/3/2013

● Computer Security Division ●Slide 11

Root of Trust

Component-1 Component-2

Verify Verify

Execute

Execute

Page 12: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Properties of Roots of Trust

• By definition, misbehavior of a RoT cannot be detected, so it must be secure by design

• Desirable properties:– Resistance to software-based and physical tampering– Isolated and trusted operating environment– Small, simple implementation– Limited interface with small attack surface

• Hardware support can help provide these properties

6/3/2013

● Computer Security Division ●Slide 12

Page 13: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Examples of RoTs

• Trusted Platform Modules (TPM)– RoT for Storage– RoT for Integrity– RoT for Reporting

• System BIOS/boot firmware– RoT for Measurement– RoT for Verification

• Hardware AES engine in Chipsets– RoT for Storage

6/3/2013

● Computer Security Division ●Slide 13

Page 14: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

RoT for Storage

Foundation for Security

6/3/2013

● Computer Security Division ●Slide 14

RoT for Verification

RoT for Measurement

RoT for Reporting

RoT forIntegrity

Protected Storage

IsolationDevice

Integrity

Roots of Trust

Security Capabilities

Operating System

App

App

App App

Page 15: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Device Integrity

• Devices must provide information regarding source, authenticity, and version of firmware and OS.– Verified boot required through OS and PEnE– Support for device integrity policies– Apps verified at install, and should be verified at launch

• Assertions– Recommended, but not required– Highly-flexible, robust model for device integrity– May appear in future revisions

6/3/2013

● Computer Security Division ●Slide 15

Page 16: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Protected Storage

• Keys (and credentials, etc.) stored in RTS or protected by key hierarchies rooted in RTS

• Section provides basic requirements for generating, storing, and using keys

• Must support authentication factors to govern release/use of a key

• Must allow IOs to creates policies governing release/use of a key

6/3/2013

● Computer Security Division ●Slide 16

Page 17: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Isolation

• Data isolation at rest expected to accomplished through protected storage services

• Emphasis is on runtime application/process isolation

• Based on best commercial practices• Section provides a low bar that we hope

will be exceeded

6/3/2013

● Computer Security Division ●Slide 17

Page 18: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Policy Enforcement

• Supports organizations’ security policy requirements• The “device-side” of MDM• PEnE broken into 3 logical components:

– Policy Delivery Mechanism– Policy Management Mechanism– Policy Enforcement Mechanism

• Policies must be:– Protected in transit, storage– Verified and associated with an IO– Enforced according to the most restrictive policy

• Device Owner retains control

6/3/2013

● Computer Security Division ●Slide 18

Page 19: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Notional Architecture

6/3/2013

● Computer Security Division ●Slide 19

Page 20: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

RoT as Enabling Technologies

• Roots of Trust can enable new security capabilities and use cases

• Examples:– BYOD– Comply-to-Connect– Data Protection– Derived Credentials

6/3/2013

● Computer Security Division ●Slide 20

Page 21: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Data Protection

• An organization must encrypt sensitive data stored on a mobile device.

• Data at Rest: An application could use Root of Trust for Storage to securely store the encryption key. To use the key:– The device could be required to be in a known-good state.– Root of Trust for Storage could require a passcode/PIN.

• Data in Transit: RTS could also store VPN credentials.• Selective Wipe: If a device is lost, an MDM could

instruct the RTS to delete the encryption key.

6/3/2013

● Computer Security Division ●Slide 21

Page 22: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Derived Credentials

Mobile Device

PIVCard

MobileDevice

Manager

Provisioning Actions

Derived Credential

App

API

Protocol

RoTReporting

RoT Storage

● Computer Security Division ●Slide 22

• Use PIV to authorize a derived credential for mobile devices.

• Protect and use credential using RoTs

6/3/2013

Page 23: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Adoption

• Roots of Trust are being deployed in mobile devices

• R&D activities on-going in some technologies:– TPMs in current/upcoming mobile phones/tablets– GlobalPlatform Trusted Execution Environment– Secure Element– ARM TrustZone

• More granular policy enforcement in MDMs

● Computer Security Division ●Slide 236/3/2013

Page 24: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Next Steps

• We received ~200 comments from ~30 commenters

• Recurrent themes– Concerns over architectural specificity– Questions on its relationship to GP TEE and

TrustZone– Concerns over remote attestation

• Updated draft in coming weeks

● Computer Security Division ●Slide 246/3/2013

Page 25: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

Contact Information

Andrew Regenscheid

[email protected]

[email protected]

More Information

Draft SP800-164 and other NIST security publications available at:

csrc.nist.gov

Page 26: Hardware-Rooted Security in Mobile Devices Andrew Regenscheid Lead, Hardware-Rooted Security Computer Security Division

10/15/2012

● Computer Security Division ●Slide 26