Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
© 2016 Renesas Electronics Corporation. All rights reserved.
RENESAS SYNERGY ENGINEERING CONFERENCE
LAKE GARDA
7-8 APRIL 2016
ADVANCED SYNERGY SECURITY
© 2016 Renesas Electronics Corporation. All rights reserved. Page 2
AGENDA
Understanding IoT Security Requirements
Solving IoT Security with Synergy
Confidentiality
Integrity
High Availability
Synergy platform resources
Crypto lib overview
Examples of usage
Summary
© 2016 Renesas Electronics Corporation. All rights reserved. Page 3
UNDERSTANDING IOT
SECURITY REQUIREMENTS
© 2016 Renesas Electronics Corporation. All rights reserved.
CRITICAL COMPONENTS OF IOT SECURITY
Page 4
• Employs cryptography to limit
access to information
Confidentiality
• Assures platform is trustworthy
and data is accurate
Integrity• Guarantees reliable performance
under all conditions
AvailabilityConfidentiality
© 2016 Renesas Electronics Corporation. All rights reserved.
FOCUSED SECURITY CHALLENGES FOR IOT
Page 5
Protect Data In Flight & At Rest
• Privacy• Confidentiality• Enable Big Data
Create Robust Foundations
• Root of Trust• Identity• Authentication• Authorisation
Protect Intellectual Property
• IP Theft• Cloning• Over-building
Separate Critical Functions
• Protected Mode• Fail Safe• Secure Services
Manage Device Lifecycle
• Lifetime Support• Critical Updates• Feature Enable
Confidentiality Integrity Availability
© 2016 Renesas Electronics Corporation. All rights reserved. Page 6
SOLVING IOT SECURITY WITH SYNERGY
CONFIDENTIALITY, INTEGRITY, AVAILABLITY
© 2016 Renesas Electronics Corporation. All rights reserved. Page 7
OBFUSCATION IS NOT A SOLUTION
Assume the attacker has all the documentation, all your code base, and infinite time
Security is inherently challenging
If you build it someone will try to break it
If you rely on secrets (algorithm, infrastructure, etc) someone will try to discover them
Continual escalation of attack and defence
To develop secure systems a broad understanding of concepts & limitations is useful
Development of cryptography
Ciphers
Standard solutions
Symmetric vs asymmetric encryption
Signatures & Certificates
Authentication & fingerprinting
© 2016 Renesas Electronics Corporation. All rights reserved.
SYNERGY HARDWARE SECURITY FEATURES
Page 8
Function Series 7 Series 5 Series 3 Series 1
Symmetric Cryptograph Accelerator
Asymmetric Cryptograph Accelerator
HASH Accelerator
True Random Number Generator
Asymmetric Key Generation Accelerator
Key Secure Storage
Limited JTAG access
Unique ID
© 2016 Renesas Electronics Corporation. All rights reserved.
SYNERGY SOFTWARE SECURITY FEATURES
Page 9
Function Series 7 Series 5 Series 3 Series 1
Cryptograph Module Interface (Library in SSP)
Secure Boot Framework (QSA)
TLS 1.2/SSL LibraryVSA Component
IPSec via IPv6QSA Component
© 2016 Renesas Electronics Corporation. All rights reserved. Page 10
TRUE RANDOM NUMBER GENERATOR
Entropy is critical to secure systems
Cryptography relies on complex & variable keys
Repeated use of identical key leads to rapid breaks
Entropy source required to create seed for key
Unique every time & not subject to physical inhibitors (time, temperature)
SHA1/2MD5
GHASH
Syn
erg
y S
ecu
rity
En
gin
e
TRNG AES/ DES
RC4
RSA
Secure Key
Storage
NIST SP 800-90 Compliant Achieves latest specification for best in class entropy
Managed within SCE Software attacker cannot easily force or manipulate TRNG to enable exploit
Tight Accelerator Integration No opportunity for attacker to impact entropy injected into accelerators
True RNG Many alternative devices include pseudo-RNG subject to simple attacks
Simple to use Simple 128-bit RNG generation
R_SCE_TRNG_Read ( trng_ctrl_t *const p_ctrl , uint32_t *const p_dest ,uint32_t nwords )
© 2016 Renesas Electronics Corporation. All rights reserved. Page 11
SYMMETRIC CRYPTOGRAPHY
Symmetric Cryptography Accelerator supports mainstream ciphers
Focus should be on achieving NSA Suite B Compliance
AES-128 should be your baseline
Symmetric cryptography uses identical keys for encryption & decryption
Stakeholders must implicitly trust each other and keys are identical
Keys should be shared in advance to avoid attacker gaining access
SHA1/2MD5
GHASH
Syn
erg
y S
ecu
rity
En
gin
e
TRNG AES/ DES
RC4
RSA
Secure Key
Storage
Powerful Cipher Support AES ciphers sufficient for industrial applications for 20+ years
Secure Implementation Reduced attack surface & minimised side-channel attacks
Fast & Low Power Hardware vs software
© 2016 Renesas Electronics Corporation. All rights reserved. Page 12
ADVANCED ENCRYPTION STANDARD (AES)
Complexity is traditionally the largest barrier to adoption for AES
Move to simple Synergy API enables strong cryptography for every developer
Synergy AES Description Series 7 Series 5 Series 3 Series 1
Key Size 128 bit
192 bit
256 bit
Chaining Mode ECB (Electronic Codebook)
CBC (Cipher Block Chaining)
CTR (Counter)
GCM (Galois Chaining Mode) inc. Authentication
CCM (Counter w. CBC-MAC) inc. Authentication
XTS (XEX w. Ciphertext Stealing)
© 2016 Renesas Electronics Corporation. All rights reserved. Page 13
ASYMMETRIC CRYPTOGRAPHY
Asymmetric Cryptography Accelerator supports mainstream ciphers
Key for encryption & key for decryption are different
Generated as a pair through a “trapdoor” equation
Trapdoor equations are easy to solve if the coefficients are known, but otherwise extremely difficult to break
Like a diode, i.e. one-way: you can compute the output of a known input, but not the reverse
Public key may be known to a few people or many
Does not mean message came from a trusted source
SHA1/2MD5
GHASH
Syn
erg
y S
ecu
rity
En
gin
e
TRNG AES/ DES
RC4
RSA
Secure Key
Storage
Powerful Cipher Support RSA traditionally too computationally expensive for MCU
Secure Implementation Tight integration reduces attack surface & minimises side-channel data
Fast & Low Power Hardware vs Software
© 2016 Renesas Electronics Corporation. All rights reserved. Page 14
ASYMMETRIC & SYMMETRIC ENCRYPTION
Asymmetric encryption is critical for securing channels
Extremely computationally expensive
Significant timing impact on passing message
Focused on setting up channel as part of authentication / on-boarding
Symmetric encryption is ideal for fast / low-power encryption
Requires sharing of key and initialization points
Can be implemented in parallel
Modes can be used to implement message authentication
Asymmetric and Symmetric Cryptography is likely an “AND” not an “OR”
Both required to solve complex security problems
Synergy is the first platform to deliver high performance accelerators for both
© 2016 Renesas Electronics Corporation. All rights reserved. Page 15
HASH
HASHs are used for Authentication of messages
Creates a unique fingerprint of the input data
Small variance in input delivers significant variance of output
HASH used to prevent unauthorised modification of data:
Injection of false information from 3rd party
Content Modification (Injection Attack)
Sequence Modification (Man In The Middle)
Timing Modification (Replay Attacks)
Synergy integration of HASH Accelerator
The Red Fox jumps over the Blue dog
The Red Fox jumps ouer the Blue dog
0086 46BB FB7D CBE2 823C ACC7 6CD1 90B1 EE6E 3ABC
8FD8 7558 7851 4F32 D1C676B1 79A9 0DA4 AEFE 4819
SHA1/2MD5
GHASH
Syn
erg
y S
ecu
rity
En
gin
e
TRNG AES/ DES
RC4
RSA
Secure Key
Storage
Powerful HASH Features An exciting range of capabilities & flexibility not seen in standard microcontrollers
Secure Implementation Operation cannot be intercepted or interfered with
Fast Operation Single cycle hardware operation vs. many thousands of cycles for software
© 2016 Renesas Electronics Corporation. All rights reserved. Page 16
ENABLING INTEGRITY
Integrity is critical in ensuring a device remains trustworthy and that data can be trusted
Traditional embedded systems were not connected and hence had a far lower risk of attack
IoT systems are permanently connected and therefore must be designed to be robust against consistent attacks
Synergy has been designed to enable a robust system
Device Personalization
Protected Memory
Management of Certificates
© 2016 Renesas Electronics Corporation. All rights reserved. Page 17
SECURING MEMORY
Synergy is designed to isolate and protect critical memory
Memory Protection Units (MPU) firewalls areas of memory
Isolation and protection of memory, ensure secure boot is immutable
Separation between application and device management
Malicious attacks contained
Malware spread constrained
Code injection more challenging
Invalid images inhibited
Synergy MPU delivers in-depth system security
Cortex-M Memory Protection Unit (standard from ARM architecture)
Bus Master Protection Unit
Bus Slave Protection Unit
Synergy Boot
Protecting Boot
Protecting Memory
Protect Identifiers
Authenticate Image
Supervisor Mode
User Mode
Application
Data
RTOS
Device Management
© 2016 Renesas Electronics Corporation. All rights reserved. Page 18
RENESAS SYNERGY – OBSTRUCT CLONING
Lim
ite
d D
eb
ug
Me
mo
ryP
rote
cti
on
Un
it
As
ym
me
tric
Ke
y
Ge
n
As
ym
me
tric
Ac
c.
Sym
me
tric
Ac
c.
TR
NG
HA
SH
Ac
c.
Se
cu
re S
tora
ge
Un
iqu
e I
D
TL
S
Cry
pto
Lib
Personalization
Encrypt Application
Secure Manufacturing
Encrypt
Validate Device Validate
Device Provisioning
ApplicationPackaging
Kpub
ProgramSecure Program
© 2016 Renesas Electronics Corporation. All rights reserved. Page 19
SYNERGY – SAFEGUARDING AVAILABILITY
Availability of systems is critical in connected systems
M2M Industrial Internet
Failsafe Mechanisms
Safety Criteria
Authorization & Authentication
Synergy supports four key availability requirements:
Separation of Critical Systems System MPUs enable secure modularization of software
Operation under DDoS Attacks RTOS and Memory Protection prevent thread starvation
Inhibits spread of malware Memory isolation ensures any downloaded malware is isolated
Managed Updates & Patches Critical system infrastructure errata can be remediated securely
© 2016 Renesas Electronics Corporation. All rights reserved.
SYNERGY PLATFORM RESOURCES
Page 20
© 2016 Renesas Electronics Corporation. All rights reserved. Page 21
SECURE CRYPTO ENGINE 7
Provides several security features and NIST-compliant, primitive
cryptographic algorithms
Typical application use cases:
Authentication and secure channel communication between the MCU
and an external communication device
Encryption of confidential and sensitive data for storage in the MCU
Simplified implementation of
Secure Crypto Engine 7Typical application of security and encryption block
Secure Channel Communication
Plain Data
Encryption Key
CipherAlgorithm
Transmitter
Decrypted Data
Decryption Key
CipherAlgorithm
Receiver
Encrypted Data and Key11101010100001110
Flash RAM
Firmware
Secure Data
Data
Secure Firmware
RSA DSA
Asymmetric Algorithms
Symmetric Algorithms
Secure Crypto Engine 7
ARC4AES ARC43DES
TRNGCryptographic Hash
Functions
Bus
Clock
DMA
INT
MPU
CPU
Unique ID
© 2016 Renesas Electronics Corporation. All rights reserved. Page 22
SECURE CRYPTO ENGINE 7
Unique ID
128-bit identification word unique per device
True RNG (TRNG)
Generates cryptographically secure 128-bit random numbers at the
rate of 0.1 Mbps to 5 Mbps
Use as seed to other deterministic RNGs (e.g. NIST SP800-90A DRBG)
Cryptographic Hash functions
Generates hash values that provide a digital fingerprint of data
Hash Function Data Block Length* Clock Cycles/Data Block
SHA1 512 bits 80
SHA224, SHA256 512 bits 64
GHASH 128 bits 9
Throughput of generating hash functions
Flash RAM
Data
RSA DSA
Asymmetric Algorithms
Symmetric Algorithms
Secure Crypto Engine 7
AES ARC4AES ARC43DES
TRNG
Bus
Clock
Cryptographic Hash Functions
Firmware
Secure Data
Secure Firmware DMA
INT
MPU
CPU
Unique ID
Simplified implementation of
Secure Crypto Engine 7
© 2016 Renesas Electronics Corporation. All rights reserved. Page 23
SECURE CRYPTO ENGINE 7 SYMMETRIC ALGORITHMS
Symmetric-key cryptography
Encryption/decryption key that is secretly shared between transmitter and receiver
Advanced Encryption Standard (AES)
Supports 128-bit, 192-bit, and 256-bit key lengths
Supports various chaining modes: ECB, CBC, CTR, GCM, GCTR, and XTS
Throughput for 128-bit data
For 128-bit key, 11 clocks/data block; for 256-bit key, 15 clocks/data block
3 Data Encryption Standard (3DES)
Supports 56-bit key length, operates on a fixed 8-byte block of data
Supports ECB and CBC chaining modes
Used in legacy secure socket layer (SSL) and transport layer security (TLS) protocols
Throughput for 64-bit data (for 3DES): for 56-bit key, 16 clocks/data block
Alleged RC4 (ARC4)
Supports 2048-bit key length, Used in TLS and wired equivalent privacy (WEP)
Throughput for 128-bit data: for 2048-bit key, 16 clocks/data block Simplified implementation of SCE7
Flash RAM
Data
RSA DSA
Asymmetric Algorithms
Symmetric Algorithms
Secure Crypto Engine 7
3DES
TRNGCryptographic Hash
Functions
Bus
Clock
AES ARC4
Firmware
Secure Data
Secure Firmware DMA
INT
MPU
CPU
Unique ID
© 2016 Renesas Electronics Corporation. All rights reserved. Page 24
SECURE CRYPTO ENGINE 7 ASYMMETRIC ALGORITHMS
Public-key cryptography
Generates two keys: public and private
Transmitter encrypts using the public key
Receiver decrypts using the private key
Rivest, Shamir, and Adleman (RSA)
Supports up to 2048-bit key length
Used in digital verification for authentication, signature generation and verification,
encryption/decryption for key exchange and wrapping, etc.
Digital Signature Algorithm (DSA)
Supports up to 2048-bit key length
Used in authentication applications for digital signature generation and verification
Supports Diffie-Hellman key exchange
Simplified implementation of SCE7
Flash RAM
Data
RSA DSA
Asymmetric Algorithms
Symmetric Algorithms
Secure Crypto Engine 7
AES ARC4AES ARC43DES
TRNGCryptographic Hash
Functions
Bus
Clock
Firmware
Secure Data
Secure Firmware DMA
INT
MPU
CPU
Unique ID
© 2016 Renesas Electronics Corporation. All rights reserved. Page 25
SECURE CRYPTO ENGINE 5 (SCE5)
Unique ID
True RNG (TRNG)
Generates cryptographically secure 128-bit random numbers at
0.1 Mbps to 5 Mbps rate
Seed to other deterministic random number generators (like NIST SP800-90A DRBG)
Cryptographic GHASH function
Used with AES-GCTR algorithm in authenticated encryption applications
Throughput for 128-bit data: 33 clocks/data block
Advanced Encryption Standard (AES)
Supports 128-bit and 256-bit keys, various chaining modes:
ECB, CBC, CTR, GCTR, and XTS
Throughput for 128-bit data:
for 128-bit key, 44 clocks/data block, for 256-bit key, 61 clocks/data block
Simplified implementation of SCE5
Flash RAM
Data
Secure Crypto Engine 5
Clock
TRNGCryptographic
GHASH Function
Symmetric Algorithm
AESAES
Bus
Firmware
Secure Data
Secure Firmware DMA
INT
MPU
CPU
Unique ID
© 2016 Renesas Electronics Corporation. All rights reserved. Page 26
SECURITY & ENCRYPTION
Unique ID
128-bit identification word unique per device
True RNG (TRNG)
Generates cryptographically secure 128-bit random numbers
at 0.1 Mbps to 5 Mbps
Seed to other deterministic RNGs (like NIST SP800-90A DRBG)
Advanced Encryption Standard (AES)
Supports 128-bit and 256-bit keys, various chaining modes:
ECB, CBC, CTR, GCTR, XTS
Throughput for 128-bit data
for 128-bit key, 44 clocks/data block
for 256-bit key, 61 clocks/data block
Security and encryption
Flash RAM
Data
Security and Encryption
Clock
TRNG
Symmetric Algorithm
AESAES
Bus
Firmware
Secure Firmware
Secure Data
INT
CPU
Unique D
© 2016 Renesas Electronics Corporation. All rights reserved.
CRYPTO LIB OVERVIEW
Page 27
© 2016 Renesas Electronics Corporation. All rights reserved. Page 28
APIS MADE AVAILABLE BY THE CRYPTO LIB (ON SSP 1.X)
All APIs have one common set of functions:
Open
Close
VersionGet
These have the same structure as the overall SSP APIs
Requires a control and a configuration structure as parameters
The TRNG features:
uint32_t(* read )(trng_ctrl_t *const p_ctrl, uint32_t *const p_rngbuf, uint32_t nwords)
The HASH features:
uint32_t(* updateHash )(const uint32_t *p_source, uint32_t num_words, uint32_t *p_dest)
© 2016 Renesas Electronics Corporation. All rights reserved. Page 29
APIS MADE AVAILABLE BY THE CRYPTO LIB (ON SSP 1.X)
Symmetric encryption, AES
uint32_t(* createKey )(aes_ctrl_t *const p_ctrl, uint32_t num_words, uint32_t *p_key)
uint32_t(* encrypt )(aes_ctrl_t *const p_ctrl, const uint32_t *p_key, uint32_t *p_iv, uint32_t num_words, uint32_t
*p_source, uint32_t *p_dest)
uint32_t(* addAdditionalAuthenticationData )(aes_ctrl_t *const p_ctrl, const uint32_t *p_key, uint32_t *p_iv,
uint32_t num_words, uint32_t *p_source)
uint32_t(* encryptFinal )(aes_ctrl_t *const p_ctrl, const uint32_t *p_key, uint32_t *p_iv, uint32_t input_num_words,
uint32_t *p_source, uint32_t output_num_words, uint32_t *p_dest)
uint32_t(* decrypt )(aes_ctrl_t *const p_ctrl, const uint32_t *p_key, uint32_t *p_iv, uint32_t imaxcnt, uint32_t
*p_source, uint32_t *p_dest)
uint32_t(* setGcmTag )(aes_ctrl_t *const p_ctrl, uint32_t num_words, uint32_t *p_source)
© 2016 Renesas Electronics Corporation. All rights reserved. Page 30
APIS MADE AVAILABLE BY THE CRYPTO LIB (ON SSP 1.X)
Asymmetric encryption, RSA
uint32_t(* encrypt )(rsa_ctrl_t *const p_ctrl, const uint32_t *p_key, const uint32_t *p_domain, uint32_t
num_words, uint32_t *p_source, uint32_t *p_dest)
decrypt
decryptCrt
uint32_t(* verify )(rsa_ctrl_t *const p_ctrl, const uint32_t *p_key, const uint32_t *p_domain, uint32_t
num_words, uint32_t *p_signature, uint32_t *p_padded_hash)
sign
signCrt
Asymmetric encryption, DSA (digital signature)
uint32_t(* verify )(const uint32_t *p_key, const uint32_t *p_domain, uint32_t num_words, uint32_t *p_signature,
uint32_t *p_paddedHash)
uint32_t(* sign )(const uint32_t *p_key, const uint32_t *p_domain, uint32_t num_words, uint32_t
*p_paddedHash, uint32_t *p_dest)
© 2016 Renesas Electronics Corporation. All rights reserved.
EXAMPLES OF USAGE
Page 31
© 2016 Renesas Electronics Corporation. All rights reserved. 32
PROBLEMS
Connected devices are under security threats, such as “Hijacking system and causing secondary damage”
Connected devices communicate data, which may include secret information, privacy information. Those information
must be protected from “Eavesdropping” or “Privacy stolen”
OEM invests in the software (Intellectual Property) to add value, which may be stolen during manufacturing or even
after shipment
A stolen IP may be re-used in another product, which may be competing against OEM’s product
Update or upgrade firmware features in field is getting popular (as OS/App update is very much popular in mobile,
consumer products), so need to deploy update or upgraded features in field
© 2016 Renesas Electronics Corporation. All rights reserved. 33
SECURE MANUFACTURING Firmware Server
Secure Mastering Tool
OEM
RenesasHSM
Synergy Programmer
Contract ManufacturerR
R R
OEM
Secure Boot Ready MCU
HSM
OEM
Count number of programmed MCU
© 2016 Renesas Electronics Corporation. All rights reserved. 34
SECURE FIRMWARE UPDATE
34
End User
Firmware Server
Secure Mastering Tool
OEM
OEM
© 2016 Renesas Electronics Corporation. All rights reserved. 35
SECURED RENESAS SYNERGY BENEFITS
Secure Manufacturing & Protection of Intellectual Property
Encrypt software master binary, therefore OEM can protect IPs and keys from malicious access
even at the contract manufacturer
Ensures production(programming flash) is performed correctly
OEM can monitor production status through Firmware Server
Guarantees the originality and integrity of Synergy MCU
Solution for 1,3,4: “Product disrupting”, Intellectual Property stolen , stolen IP re-used in competition product
Secure Updates & Device Lifecycle Management
Encrypt update firmware, therefore OEM can safely distribute the update
Remote Update is monitored by OEM through Firmware Server
Solution for 5: Update or upgrade firmware
Secure Communication
Solution for 2: secret information, privacy information
3535
© 2016 Renesas Electronics Corporation. All rights reserved.
SUMMARY
Page 36
© 2016 Renesas Electronics Corporation. All rights reserved. 37
RENESAS SYNERGY – INTEGRATED SECURITY TO ENABLE IOT
IoT Security is far more than cryptography
Confidentiality, Integrity and Availability are all key requirements
Synergy delivers a unique set of security capabilities to meet these requirements
Synergy enables protection over products entire lifecycle
Performance
Platform
Simplicity
3737
© 2016 Renesas Electronics Corporation. All rights reserved. Page 38
Thank you for your attention
PLEASE REMEMBER TO COMPLETE THE FEEDBACK SURVEY IN YOUR SMARTPHONE APP