PRPv2 Architecture and Security: SDN & TPM
Pacific Research Platform, University of California, San Diego
La Jolla, CA, October 16, 2015
John Graham, Senior Development Engineer
Calit2/Qualcomm Institute, UCSD
Rocks for secure deployment
Creating a trusted computing environment from the ground up
Trusted Platform Modules (TPM)
A Trusted Platform Module offers facilities for the secure generation of cryptographic keys and for limiting their use, in addition to a hardware random number generator.
● Remote attestation – produces a nearly unforgeable summary of the hardware and software configuration: each stage of the boot hashes what it loads next and extends the result into the TPM's Platform Configuration Registers (PCRs), and the TPM signs a quote over those registers. The program doing the hashing determines how much of the software the summary covers. This allows a third party to verify that the software has not been changed.
● Binding – encrypts data using a TPM bind key, a unique RSA key descended from a storage key, so that only that TPM can decrypt it.
● Sealing – encrypts data in a similar manner to binding, but additionally specifies the state (a set of PCR values) the TPM must be in before the data can be decrypted (unsealed).
https://en.wikipedia.org/wiki/Trusted_Platform_Module
Inside the TPM
The diagrams show the major components of a TPM:
C0 I/O
C1 Cryptographic Co-Processor
C2 RSA Key Generation
C3 HMAC Engine
C4 Random Number Generator
C5 SHA-1 Engine
C6 Power Detection
C7 Opt-In
C8 Execution Engine
C9 Persistent Storage (non-volatile)
C10 Versatile Storage (volatile)
Image Signing and Trust Chains
● Digital signing (often called code or image signing): creating a unique digital signature for a given block of data, such as software code, with a private key so that anyone holding the matching public key can check that the data is unchanged and came from the signer.
● Trusted element: in the scope of system software, a piece of code that is known to be authentic.
● Root of trust: the anchor for the system at which a guaranteed trusted element exists. If the first code running on a system is immutable, it becomes the root of trust in that system.
● Chain of trust: exists when the integrity of each element of code on a system is validated before that piece of code is allowed to run. A chain of trust starts with a root of trust element. The root of trust validates the next element in the chain (usually firmware) before it is allowed to start, and so on; one unverified element breaks the chain for everything that follows it.
● High-quality random number generator
https://www.cisco.com/web/about/doing_business/trust-center/docs/trust-anchor-technologies-ds-45-734230.pdf
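As an added example that is not part of the original slides, nor code from any TPM vendor or from the Cisco trust-anchor paper, the following Python simulation ties the two sections above together: a root-of-trust digest anchors a chain of boot images, each element is verified against the digest carried by the previous element before it "runs" and is measured into PCR 0, a secret is sealed to the resulting PCR value, and a quote over PCR 0 is checked by a verifier. A tampered kernel is then both refused by the chain and, if run anyway without verification, locked out of the sealed secret and reported by the quote. Assumptions, all mine: the TPM is modelled with stdlib only (20-byte SHA-1 PCRs as in the TPM 1.2 component list above; HMAC stands in for the RSA signature on a quote, and a hash-derived keystream stands in for the RSA seal operation, neither of which a real TPM does this way); the images named firmware, bootloader and kernel are constructed byte strings; and the sealed value standing in for a credential is made up.

```python
import hashlib
import hmac
import os


class SimTPM:
    # Constructed model: 24 SHA-1 PCRs plus two secrets that never leave the chip.
    def __init__(self, n_pcrs=24):
        self._srk = os.urandom(32)   # storage root key; seal keys descend from it
        self._aik = os.urandom(32)   # attestation key (HMAC here; RSA on a real TPM)
        self.n_pcrs = n_pcrs
        self.reset()

    def reset(self):  # power cycle: PCRs return to zero, on-chip keys survive
        self.pcrs = [b"\x00" * 20] * self.n_pcrs

    def extend(self, idx, data):  # PCR = SHA1(PCR || SHA1(data)); append-only, order-dependent
        self.pcrs[idx] = hashlib.sha1(self.pcrs[idx] + hashlib.sha1(data).digest()).digest()

    def composite(self, idxs):  # digest over selected PCRs: the "state" quotes and seals refer to
        return hashlib.sha1(b"".join(self.pcrs[i] for i in idxs)).digest()

    def quote(self, idxs, nonce):  # attestation: composite + AIK tag over nonce||composite
        comp = self.composite(idxs)
        return comp, hmac.new(self._aik, nonce + comp, hashlib.sha256).digest()

    def aik_public(self):  # stand-in for the AIK public key (same key, since this is HMAC)
        return self._aik

    def seal(self, data, idxs):  # encrypt under a key derived from SRK + current composite
        comp = self.composite(idxs)
        ks = self._keystream(comp, len(data))
        return {"pcrs": list(idxs), "comp": comp, "ct": bytes(a ^ b for a, b in zip(data, ks))}

    def unseal(self, blob):  # refuse unless the named PCRs still hold the sealed-in values
        if not hmac.compare_digest(self.composite(blob["pcrs"]), blob["comp"]):
            raise PermissionError("PCR state does not match sealed state")
        ks = self._keystream(blob["comp"], len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], ks))

    def _keystream(self, comp, n):  # demo cipher: SHA-256 counter mode under HMAC(SRK, comp)
        key = hmac.new(self._srk, b"seal" + comp, hashlib.sha256).digest()
        return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                        for i in range(n // 32 + 1))[:n]


def verify_quote(aik_pub, comp, nonce, tag):  # verifier: check tag, then compare comp to golden
    return hmac.compare_digest(hmac.new(aik_pub, nonce + comp, hashlib.sha256).digest(), tag)


def stage_digest(stage):
    return hashlib.sha256(stage["code"] + stage["next"]).digest()


def build_chain(images):
    """Link images so each carries the digest of the next one.  Returns the chain
    and the digest of its first element, the value an immutable boot ROM would hold."""
    chain, next_digest = [], b""
    for name, code in reversed(images):
        stage = {"name": name, "code": code, "next": next_digest}
        next_digest = stage_digest(stage)
        chain.insert(0, stage)
    return chain, next_digest


def boot(tpm, chain, anchor, verify=True):
    """Verified boot (check each element before it runs) and measured boot
    (extend PCR 0 with each element).  Returns (names that ran, status)."""
    expected, ran = anchor, []
    for stage in chain:
        if verify and not hmac.compare_digest(stage_digest(stage), expected):
            return ran, "refused %s: integrity check failed" % stage["name"]
        tpm.extend(0, stage["code"])
        ran.append(stage["name"])
        expected = stage["next"]
    return ran, "ok"


def demo():
    """Known-good boot, seal a secret to PCR 0, then reboot with a tampered kernel."""
    chain, anchor = build_chain([("firmware", b"UEFI firmware v1"),  # constructed images
                                 ("bootloader", b"GRUB 2.02"), ("kernel", b"vmlinuz-4.1")])
    tpm, nonce, out = SimTPM(), os.urandom(16), {}
    out["good"] = boot(tpm, chain, anchor)
    golden = tpm.composite([0])                        # value the verifier whitelists
    blob = tpm.seal(b"cilogon-client-secret", [0])     # made-up stand-in for a credential
    out["unseal_good"] = tpm.unseal(blob)
    comp, tag = tpm.quote([0], nonce)
    out["attest_good"] = verify_quote(tpm.aik_public(), comp, nonce, tag) and comp == golden

    bad = [dict(s) for s in chain]
    bad[2]["code"] = b"vmlinuz-4.1 + rootkit"          # no longer matches the bootloader's copy
    tpm.reset()
    out["tampered"] = boot(tpm, bad, anchor)           # verified boot stops before the kernel
    tpm.reset()
    out["unverified"] = boot(tpm, bad, anchor, verify=False)   # runs anyway, but PCR 0 differs
    try:
        out["unseal_tampered"] = tpm.unseal(blob)
    except PermissionError:
        out["unseal_tampered"] = "refused"
    comp, tag = tpm.quote([0], nonce)
    out["attest_tampered"] = verify_quote(tpm.aik_public(), comp, nonce, tag) and comp == golden
    return out
```

Call demo() to see the two failure modes side by side: with verification on, the chain refuses the kernel and only firmware and bootloader run; with verification off (a measured-only boot), the kernel runs but PCR 0 ends up at a different value, so the sealed secret cannot be unsealed and the quote, although correctly signed, no longer matches the golden value. The verifier must compare the quoted PCRs against a known-good value and must supply a fresh nonce each time, or a recorded quote from an earlier good boot could be replayed.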
SDN to secure FIONAs
ONOS SDN Controller Applications
Andrew Prudhomme (IRNC SDX)
https://docs.google.com/document/d/1eU5xCrFOrBHX-y-IaKbmajqtDv3wRoXzCUAioMdKQvw/edit
● SDNAnn: SDN annotation application adding information to ONOS about the flows
● SDNTest
● VLAN remapper
● ARP remapper
● Globus Connect REST API
● Mininet modification to allow link speed simulation
Experimenting with New Release!
● OPNFV (Feb 2016: ONOSFW + OPNFV)
https://wiki.onosproject.org/display/ONOS/ONOS+Framework+(ONOSFW)+for+OPNFV
● OpenStack
○ Federated Keystone
○ Federated Barbican (with TPM)
October 1st, 2015: SDSC announces new OpenStack services
OpenStack and TPM
● Support for using the TPM to provide remote attestation has been merged into OpenStack in the form of Trusted Compute Pools (the Nova scheduler's TrustedFilter places instances only on compute hosts that an attestation server reports as trusted)
● TPMs can be used with disk encryption
● TPMs can be used with Barbican
https://www.openstack.org/summit/vancouver-2015/summit-videos/presentation/using-tpms-for-the-benefit-of-the-entire-cloud
Data Oasis Future (SDN / TPM / OpenStack?)
Diagram of PRP nodes (labels recovered from the figure):
● UCSD-Jupyter FIONA: dual 40 GbE, Tesla K80 GPGPU
● Globus Connect Server
● UCLA: 100GbE perfSONAR, 40GbE DTN FIONA
● UCSC: 100GbE perfSONAR, 40 GbE DTN FIONA
● SC15 InfiniFIONA: 1PB SanDisk InfiniFlash
● CALTECH: 100GbE perfSONAR, DTN
● UCB-Jupyter FIONA: dual 40 GbE, Tesla K80 GPGPU
InCommon CILogon
Globus and XSEDE have CILogon authentication services
http://cilogon.org/
UC-Jupyter on Comet with CILogon
JupyterHub authenticates a user with CILogon and spawns kernels on Comet. We use a Trusted Platform Module (TPM) on the JupyterHub FIONAs to secure the keys we get from the CILogon member organization, so that the credential is only usable on the measured, known-good host. These keys are used to connect jupyter.calit2.optiputer.net to comet.sdsc.edu.
“JupyterHub iPython notebook” (March 12): email to Larry describing the iPython update to multi-user JupyterHub
Andrea Zonca from SDSC, “Run Jupyterhub on a Supercomputer” (April): http://zonca.github.io/2015/04/jupyterhub-hpc.html
Fernando Perez visits UCSD (May 11-12)
UC-Jupyter Meeting, UCSD@BIDS Lab (June 19)
“IPython/Jupyter notebook setup on SDSC Comet” (September): http://zonca.github.io/2015/09/ipython-jupyter-notebook-sdsc-comet.html
Min Ragan-Kelley from UC-Berkeley and Andrea Zonca from SDSC, “CILogon module for the Jupyter OAuthenticator” (October): https://github.com/jupyter/oauthenticator
UC-Berkeley added to the list of CILogon organizations!
https://github.com/zonca/remotespawner/wiki/setup-Jupyterhub-Comet-with-CILogon
https://jupyter.calit2.optiputer.net:9090/hub/login (now)
UC-Jupyter on Comet using Trusted Platform Modules (TPM)
Diagram (labels recovered from the figure): UCB-Jupyter FIONA, Tesla K80 GPGPU; UCSD-Jupyter FIONA, Tesla K80 GPGPU