What Is Public Key Authentication? - Renesas e


ID 930L: Board ID Embedded Security Lab
Renesas Electronics America Inc.
Shotaro Saito
Application Engineer
14 October 2010
© 2010 Renesas Electronics America Inc. All rights reserved.
Version: 1.1
Mr. Shotaro Saito
• Application Engineer, Secure MCU
• Responsible for development environment of secure MCU product line.
• Developed the Board ID demo kit with SH version of the Board ID Security Stack
PREVIOUS EXPERIENCE:
• 10+ years of embedded programming and development tools support at Yokogawa Electric Corp.
• 3+ years of secure MCU application development with biometrics enabled Smartcard
Renesas Technology and Solution Portfolio
Solutions for Innovation
• Microcontrollers & Microprocessors: #1 Market share worldwide *
• ASIC, ASSP & Memory: Advanced and proven technologies
• Analog and Power Devices: #1 Market share in low-voltage MOSFET**
* MCU: 31% revenue basis from Gartner "Semiconductor Applications Worldwide Annual Market Share: Database" 25 March 2010
** Power MOSFET: 17.1% on unit basis from Marketing Eye 2009 (17.1% on unit basis).
Microcontroller and Microprocessor Line-up
• Superscalar, MMU, Multimedia
  • Up to 1200 DMIPS, 45, 65 & 90nm process
  • Video and audio processing on Linux
  • Server, Industrial & Automotive
• High Performance CPU, Low Power
  • Up to 500 DMIPS, 150 & 90nm process
  • 600uA/MHz, 1.5 uA standby
  • Medical, Automotive & Industrial
• High Performance CPU, FPU, DSC
  • Up to 165 DMIPS, 90nm process
  • 500uA/MHz, 2.5 uA standby
  • Ethernet, CAN, USB, Motor Control, TFT Display
• Legacy Cores
  • Next-generation migration to RX
• General Purpose
  • Up to 10 DMIPS, 130nm process
  • 350 uA/MHz, 1uA standby
  • Capacitive touch
• Ultra Low Power
  • Up to 25 DMIPS, 150nm process
  • 190 uA/MHz, 0.3uA standby
  • Application-specific integration
• Embedded Security
  • Up to 25 DMIPS, 180, 90nm process
  • 1mA/MHz, 100uA standby
  • Crypto engine, Hardware security
Innovation
[Figure labels: Contents Providers, Cloud, CD Player, Phonograph, Attack, Portable Media Player, VCR, DVD, Blu-Ray]
Our Secure MCU Solution
Renesas provides practical secure MCU solutions for the “Cloud Age” of embedded products. The Board ID is a very flexible solution for retrofitting into your existing design and integrating into your new robust design.
[Figure: speech bubbles “I’ll hack it” and “No way!”]
Agenda
• Quick Test
• Embedded systems security overview
• Public key authentication for embedded systems
• Lab session
  • Setup
  • Use case tryouts
  • Setting up the authentication parameters
  • Porting the authentication firmware
• Q&A
Key Takeaways
By the end of this session you will be able to:
• Think as hackers do (a little)
• Identify the security threats against your design
• Identify how the Board ID secures your products
Quick Test
• I change my password at least every three months
  • Company policy forces me to do so, but I never change the ones for my personal accounts, even my banking accounts
• My passwords consist of at least ten characters including upper-case letters, numbers and symbols
  • And it is written on a Post-it and attached to my LCD monitor
• I always lock my PC when I leave my cubicle/office
  • But going to the bathroom is an exception
• I know how SSL works during my online shopping
  • And I believe any online shopping site with SSL is safe for shopping
• I always read terms and conditions / EULA before I ‘agree’
  • And you click the ‘agree’ button for a “Death and Repudiation” license…
• I always check all doors and windows before I leave home
  • And just in case for my kids, I leave the key under the door mat
• If you say ‘yes’ more than three times, you are ready to go forward
Embedded Systems Security Overview
Secure Mindset And Trusted Entity
• I think, therefore I am
  • No security exists unless you are aware of it
• Being paranoid – the first step
  • Don’t trust even your colleagues
  • “Being skeptical” is the key = Hacker’s mentality
  • Nothing is too extreme to secure your system (but it costs)
• Defining the security perimeter
  • Don’t design a vault with unbreakable padlock without reinforced drywall
  • PLM (Product life-cycle management) with proper security measures
• Trusted Entities
  • A chain of trust (Security is a process, not a product)
    – From device to enclosure, supply chain and sales channel
    – Key generation, insertion and management
Security Threats And Countermeasures
• Clone and counterfeit products – Anti Cloning
  • Mandate physical existence of the Board ID for proper operation
  • Any system without proper key pairs will be rejected
• Genuine yet unauthorized products (1) – Anti Cloning
  • Overproducing – Order for 10K units: 50K units in the market
    – Restrict the number of products with Board ID devices
• Genuine yet unauthorized products (2) – Secure Tracking
  • Importing/Exporting genuine peripherals from a cheaper region
    – Authentication with country (region) code
    – ‘Overseas’ peripherals won’t work with the local host system
• Overuse or misuse of product – Usage control
  • Restrict the number of uses in the product lifecycle
• Hacking – IP protection
  • Escalation – Purchase a low-end product, hack it and make it a high-end one
    – Authentication with ‘feature’ code
Public Key Authentication for Embedded System
What Is Public Key Authentication?
• Based on asymmetrical cryptography (e.g. RSA)
• Utilizes a pair of ‘public’ and ‘private’ keys
• Digital signature = Encrypting a message digest with a private key
• Signature verification = Decrypting the signature with a public key
• Authentication
    if (Decrypted signature == original message digest)
    {
        Ownership of the private key is proven;
    }
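The check on this slide, combined with the region-code idea from the threats slide, as an added Python example (not Renesas or Board ID code): the host sends a fresh challenge, the device signs the digest of challenge plus region code with its private key, and the host verifies with the public key alone. The toy key, the two-letter region codes and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy key from two Mersenne primes: trivially factorable, illustration only.
# Real deployments use a padded scheme (e.g. RSASSA-PSS) from a vetted library.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                      # public key: the only key material on the host
D = pow(E, -1, (P - 1) * (Q - 1))        # private key: never leaves the device
SIG_LEN = (N.bit_length() + 7) // 8


def digest(challenge: bytes, region: bytes) -> int:
    """SHA-256 over the host's 16-byte challenge followed by the region code."""
    return int.from_bytes(hashlib.sha256(challenge + region).digest(), "big")


def device_sign(challenge: bytes, region: bytes, d: int = D) -> int:
    """Device: 'encrypt' the digest with the private key (unpadded textbook RSA)."""
    return pow(digest(challenge, region), d, N)


def host_verify(challenge: bytes, region: bytes, signature: int,
                host_region: bytes) -> bool:
    """Host: 'decrypt' the signature with the public key and compare digests."""
    if not 0 <= signature < N:
        return False
    recovered = pow(signature, E, N).to_bytes(SIG_LEN, "big")
    expected = digest(challenge, region).to_bytes(SIG_LEN, "big")
    # The region code is covered by the signature, so it cannot be edited in transit.
    return hmac.compare_digest(recovered, expected) and region == host_region


def authenticate(device_region: bytes, host_region: bytes, d: int = D) -> bool:
    """One handshake; a fresh random challenge makes recorded signatures useless."""
    challenge = secrets.token_bytes(16)
    signature = device_sign(challenge, device_region, d)
    return host_verify(challenge, device_region, signature, host_region)


if __name__ == "__main__":
    print("genuine, same region :", authenticate(b"US", b"US"))
    print("genuine, other region:", authenticate(b"JP", b"US"))
    print("clone without the key:", authenticate(b"US", b"US", d=12345))
```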
Why Public Key, Not Symmetrical Key?
• Sharing identical key everywhere = higher risk
  • Compromise one = compromise all
  • Key delivery is always an issue
  • All entities must be secured
• In the real world
  • Symmetrical cryptography (e.g. AES) is used as a part of SSL
    – Asymmetrical cryptography for exchanging session keys
    – AES for stream cipher
  • For low-cost consumables
    – Where cost for security does matter
Pros And Cons of Public Key Authentication
• Pros
  • No key distribution issue
  • No need to hold ‘secret’ key on the host side
  • Proven technology with daily online transactions (SSL)
• Cons
  • Computing power intensive = more resource requirements
    – Embedded hardware accelerator
  • Requires infrastructure (PKI)
    – Trusted entity (Avnet) takes care of it
• However, the Board ID solution eliminates all cons
Lab Session with The Demo Kit
Start the Lab
• Keep your dice turned to the section of the lab you are on. (Instructions are provided in the lab handout)
• Please refer to the Lab Handout and let’s get started!
Checking Progress
• We are using the dice to keep track of where everyone is in the lab. Make sure to update it as you change sections.
• When done with the lab, your dice will have the 6 pointing up as shown here.
Questions?
Thank You!