Java Solutions for Securing Edge-to-Enterprise

Page 1: Java Solutions for Securing Edge-to-Enterprise

Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

Java Solutions for Securing Edge-to-Enterprise

Eric Vétillard

Sr. Principal Product Manager, Java Card

Oracle

Page 2: Java Solutions for Securing Edge-to-Enterprise


Program Agenda

Embedded security requirements

Example: Smart Meter use cases

Building trust with Secure Elements

Java Card in embedded devices

Edge-to-enterprise security

Page 3: Java Solutions for Securing Edge-to-Enterprise

Standard Architecture

[Diagram: many devices connect, optionally through a gateway, to a backend with storage; the Java stacks shown are Java ME Embedded on the devices, Java Embedded Suite on the gateway and Java EE on the backend]

Page 4: Java Solutions for Securing Edge-to-Enterprise

What’s New?

There are many of them

They are the heart of business

They are you

You may have limited control

The devices are new

[Diagram: many devices connected to a backend, a cloud and a server]

Page 5: Java Solutions for Securing Edge-to-Enterprise

What New Risks are Introduced?

Attacking the device

– Tampering with the device

– Fake device

Attacking the device link

– Stealing information

– Modifying information

New system entry point

[Diagram: devices connected to a backend, a cloud and a server, with the device link as the new entry point]

Page 6: Java Solutions for Securing Edge-to-Enterprise


Security is About Resistance to Attacks

Attacks are intended to abuse the system for the benefit of the attacker

Think about attackers, not only about users

– Possibly a user trying to abuse the system

– Possibly a terrorist trying to destroy the whole ecosystem

Think about vulnerabilities, not bugs

– Vulnerabilities often start from features

– Bad specification is harder to fix than bad implementation

Page 7: Java Solutions for Securing Edge-to-Enterprise

Main Security Requirements

High-level requirements, which must hold even under attack:

Safety: Do what you are supposed to do

Privacy: Restrict access to user data

Regulation: Abide by national/vertical rules

Access control: Restrict access to authorized persons

Accountability: Guarantee some traceability of the other properties

Page 8: Java Solutions for Securing Edge-to-Enterprise

Main Security Functions

Data protection

– Confidentiality: Encryption

– Integrity: Signature

Authentication / Authorization

– Authentication: Password, Biometry, Token

– Authorization: Access rights

Logging & Auditing

– Security log

– Remember actions

– Auditor access

– Log interpretation

Provisioning / Code Update

– System upgrade

– App upgrade

– Bug fixing

Software protection / Code Integrity

– Code signature

– Code verification

– Runtime integrity

Page 10: Java Solutions for Securing Edge-to-Enterprise

Smart metering: High-level View

Why move to smart meters?

– Better data collection

– Less manpower

– Accurate information

– Enable Smart Grid and Big Data

– Better grid control

– Feedback to users

What consequences?

– Less human control

– Fraud detection is difficult

– More data flowing

– Injection of wrong data

– Private consumer data leaks

Page 12: Java Solutions for Securing Edge-to-Enterprise

Smart metering: Environment and Details

Main characteristics

– Owned/controlled by utility company

– Lifetime > 10 years

– No human intervention

– Tamper-resistant meter

– Limited price sensitivity

– Raw data is privacy-sensitive

Threat analysis

On the device

– Tampering with data collection

– Tampering with collected data

Between the device and the backend

– Insert fake device

– Modify transferred data

– Steal transferred data

Page 13: Java Solutions for Securing Edge-to-Enterprise

Smart Metering: Security Update

Issue               Before            After
Data collection     Tamper-evidence   Tamper-resistance
Data storage        New issue         Data integrity, data confidentiality
Fake device         New issue         Authentication
Fake server         New issue         Authentication
Man-in-the-middle   New issue         Secure channel

Page 14: Java Solutions for Securing Edge-to-Enterprise

Smart Meter: Designing Security In

Many Levels of Security

Tamper-proofing the device

Securing the protocol

Using a good software stack

Adding a secure element

– Tamper-resistant hardware

– Small, isolated, certifiable

Page 15: Java Solutions for Securing Edge-to-Enterprise


3 Ways to Build Trust from Secure Elements

Secure element as secure store

– Storing and handling important secrets

– Example: the satellite TV card

Secure element as backend proxy

– Representing the service provider in the device

– Example: the SIM card

Secure element as device root of trust

– Build trust in the device from a Secure Element

– Example: the Trusted Platform Module (TPM)

Page 16: Java Solutions for Securing Edge-to-Enterprise

Secure Element as Secure Store: Satellite TV

Satellite TV is good for hackers

– Content is broadcast

Content is encrypted

– Using a single key

– This key needs protection

Page 17: Java Solutions for Securing Edge-to-Enterprise

Secure Element as Secure Store: Satellite TV Cards

Tamper resistance is key

– Device is “in the wild”

– Secrets have value

Not just a store

– Secure elements have a CPU

– Core secrets never get out

Page 18: Java Solutions for Securing Edge-to-Enterprise

Secure Element as Backend Proxy: Mobile Telephony

Access only for subscribers

– Bidirectional communication

– Authentication required

System can be hacked

– Duplicating phone identity

Page 19: Java Solutions for Securing Edge-to-Enterprise

Secure Element as Backend Proxy: Mobile Telephony SIM

End-to-end security

– SIM interacts with backend

– Security is in the SIM

– Device is just a dumb pipe

Limits trust requirements

– Untrusted device is OK

– BYOD is the ultimate use case

Page 20: Java Solutions for Securing Edge-to-Enterprise

Secure Element as Device Root of Trust: Protecting Device Integrity

Device can be compromised

– End user changing software

– External network attack

Very dangerous on devices

– Consequences unknown

– Hard to fix directly on the device

– Remote access can be disabled by the attacker

Page 21: Java Solutions for Securing Edge-to-Enterprise

Secure Element as Device Root of Trust: Using a TPM as Root of Trust

Provides good guarantees

– Tamper evidence

– Hardware integration

Building from these properties

– TPM verifies the kernel

– Kernel starts, verifies OS, …

– Remote attestation possible

[Diagram: chain of trust from the TPM to the Kernel, the OS and the Apps]
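
The chain of trust on this slide, as an added simulation in plain Java (not code from the presentation or from Oracle): each boot stage measures the next image into a PCR-like register with the TPM extend rule SHA-256(pcr || SHA-256(image)), and a backend verifier compares the reported register with the golden value computed from the approved kernel, OS and application images. The image contents are constructed, and the simulation omits the signed quote a real TPM produces for remote attestation.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical simulation of a measured boot chain rooted in a TPM PCR:
// a stage measures the next image into the register before running it, and
// because extend only ever moves forward, a change anywhere in the chain
// changes every later value and cannot be undone by software.
public final class MeasuredBoot {
    private static final int PCR_BYTES = 32;

    static byte[] sha256(byte[]... parts) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (byte[] p : parts) md.update(p);
        return md.digest();
    }

    // PCR extend: new = H(old || H(image)); there is no "set" operation.
    static byte[] extend(byte[] pcr, byte[] image) throws Exception {
        return sha256(pcr, sha256(image));
    }

    // Boot: the register is all zeros after reset; the TPM measures the kernel,
    // the kernel measures the OS, the OS measures the apps.
    static byte[] boot(byte[]... images) throws Exception {
        byte[] pcr = new byte[PCR_BYTES];
        for (byte[] image : images) pcr = extend(pcr, image);
        return pcr;
    }

    // Backend verifier: the reported PCR must equal the golden value for the
    // approved image set; the golden value is recomputed on each approved update.
    static boolean attest(byte[] reportedPcr, byte[] goldenPcr) {
        return MessageDigest.isEqual(reportedPcr, goldenPcr); // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        byte[] kernel = "kernel-v1".getBytes(StandardCharsets.UTF_8); // constructed images
        byte[] os = "os-v1".getBytes(StandardCharsets.UTF_8);
        byte[] apps = "apps-v1".getBytes(StandardCharsets.UTF_8);
        byte[] golden = boot(kernel, os, apps);                       // computed once per release

        byte[] modifiedOs = "os-v1-modified".getBytes(StandardCharsets.UTF_8);
        System.out.println("approved chain attests: " + attest(boot(kernel, os, apps), golden));
        System.out.println("modified OS attests:    " + attest(boot(kernel, modifiedOs, apps), golden));
    }
}
```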

Page 23: Java Solutions for Securing Edge-to-Enterprise

3 Ways to Build Trust from Secure Elements: Recap and Value

Secure element as secure store

– Storing and handling important secrets

– Example: the satellite TV card

– Value for the service provider, for unconnected models: focus on local security

Secure element as backend proxy

– Representing the service provider in the device

– Example: the SIM card

– Value for the service provider, for connected models: end-to-end security

Secure element as device root of trust

– Build trust in the device from a Secure Element

– Example: the Trusted Platform Module (TPM)

– Value for the device provider, for all application models: improves device security

Page 24: Java Solutions for Securing Edge-to-Enterprise

Smart Meter: What Secure Element Model?

Many Levels of Security

Mostly a backend proxy

– Authentication, secure channel

– Managing data for the provider

Also a secure store

– If there is a local interface

Could be a root of trust

– Protecting device integrity

Page 25: Java Solutions for Securing Edge-to-Enterprise

Embedded Systems with Security Subsystems: A few examples available today

Security subsystem                    Device             Use
Smart cards                           Mobile phones      SIM
                                      POS terminals      EMV payment
                                      Media players      DRM
Trusted Execution Environment (TEE)   Mobile devices     DRM, device integrity
Secure Elements                       Wireless modules   SIM / Authentication
                                      NFC phones         Mobile payment
                                      Smart meters       Regulation, prepaid
TPM                                   ATM                System integrity
                                      Media players      DRM

Page 26: Java Solutions for Securing Edge-to-Enterprise

Java Card and Java in the Embedded Space: Many links available

Java Card is used to program secure elements

– Subset of Java, complemented with specific APIs

– Multi-tenant architecture with firewalled applications

– Dynamic application management

– Now available on embeddable secure microcontrollers

Java APIs exist to communicate with secure elements on devices

– JSR-177 provides access to secure elements

– JSR-257 for using a contactless interface
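
As an added illustration of the smart-meter backend-proxy model on the earlier slide, written against the Java Card API described here (not code from the presentation or from Oracle): a hypothetical applet that MACs each meter reading inside the secure element, so the per-device key is personalized at install time and never leaves the card, and a monotonic counter, updated in a transaction, lets the backend reject replayed or reordered readings. The class byte, instruction code, command format and install-parameter layout of the key are assumptions.

```java
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.Util;
import javacard.security.AESKey;
import javacard.security.KeyBuilder;
import javacard.security.Signature;
// Hypothetical meter applet: the MAC key lives only in the secure element; the
// meter host forwards counter || reading || MAC to the backend as a dumb pipe.
public class MeterApplet extends Applet {
    private static final byte CLA_METER = (byte) 0x80;        // assumed class byte
    private static final byte INS_SIGN_READING = (byte) 0x10; // assumed instruction
    private static final short BLOCK = 16;
    private final AESKey macKey;                // persistent, never exported
    private final Signature mac;
    private final byte[] counter = new byte[4]; // persistent big-endian counter
    private final byte[] block;                 // RAM scratch, cleared on deselect
    private MeterApplet(byte[] bArray, short bOffset) {
        // Install parameters: [AIDlen][AID][ctlLen][ctl][dataLen][data]; the 16-byte key is the data.
        short off = (short) (bOffset + 1 + bArray[bOffset]);
        off = (short) (off + 1 + bArray[off]);
        if (bArray[off] < BLOCK) ISOException.throwIt(ISO7816.SW_DATA_INVALID);
        macKey = (AESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_AES, KeyBuilder.LENGTH_AES_128, false);
        macKey.setKey(bArray, (short) (off + 1));
        mac = Signature.getInstance(Signature.ALG_AES_MAC_128_NOPAD, false);
        block = JCSystem.makeTransientByteArray(BLOCK, JCSystem.CLEAR_ON_DESELECT);
        register();
    }
    public static void install(byte[] bArray, short bOffset, byte bLength) { new MeterApplet(bArray, bOffset); }
    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_CLA] != CLA_METER) ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
        if (buf[ISO7816.OFFSET_INS] != INS_SIGN_READING) ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        if (apdu.setIncomingAndReceive() != 4) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        JCSystem.beginTransaction(); // atomic: a power cut cannot make the counter repeat a value
        for (short i = 3; i >= 0 && ++counter[i] == 0; i--) { }
        JCSystem.commitTransaction();
        // One AES block: counter(4) || reading(4) || zero pad(8); CBC-MAC is fine for fixed length.
        Util.arrayFillNonAtomic(block, (short) 0, BLOCK, (byte) 0);
        Util.arrayCopyNonAtomic(counter, (short) 0, block, (short) 0, (short) 4);
        Util.arrayCopyNonAtomic(buf, ISO7816.OFFSET_CDATA, block, (short) 4, (short) 4);
        mac.init(macKey, Signature.MODE_SIGN);
        short macLen = mac.sign(block, (short) 0, BLOCK, buf, (short) 8);
        Util.arrayCopyNonAtomic(block, (short) 0, buf, (short) 0, (short) 8);
        apdu.setOutgoingAndSend((short) 0, (short) (8 + macLen)); // backend: verify MAC, require counter > last seen
    }
}
```

The backend holds the same per-device key, recomputes the MAC over the received counter and reading, and stores the last accepted counter per meter; a fake device has no key, a modified reading fails the MAC, and a replayed message fails the counter check.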

Page 27: Java Solutions for Securing Edge-to-Enterprise

Edge-to-Enterprise Security: Including security in the process

First, identify the security requirements

– What security features are/will be required on edge devices?

– What kind of attacks need to be considered?

– What kind of assurance level is/will be required?

Then, separate the security functions

– Think of it as a separate Security Subsystem

Page 28: Java Solutions for Securing Edge-to-Enterprise

Edge-to-Enterprise Security: On-device implementation options

Embedded in the main code

– Providing a minimal assurance level

– Already much, much better than if not identified

Using a dedicated secure element

– Improved traceability and highest assurance levels

– Improved asset protection and tamper resistance

More options will become available

– From Trusted Computing to Trusted Execution Environments

– The Java Card team follows these initiatives closely

Page 29: Java Solutions for Securing Edge-to-Enterprise

Don’t Forget Security Engineering! Breaches are costly

Compliance issues

– PCI compliance can be lost, and this is very bad publicity

– HIPAA compliance will not be easier

Many embedded devices will need to be integrated

Attacks happen, and devices will be targeted

– Attacks moving from desktop to mobile

– Hackers are realizing that many devices are poorly secured

Page 30: Java Solutions for Securing Edge-to-Enterprise


Any questions?

Eric Vétillard

[email protected]
