AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)

Only a year ago we launched AWS IoT, and at re:Invent we showed how AWS IoT makes it easy to secure millions of connected devices. However, we have learned from our customers that a number of unique security challenges for the Internet of Things (IoT) exist.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Jan Metzner, Anton Shmagin (AWS); Kerry Maletsky (Microchip/Atmel). November 30, 2016. IOT302: IoT Security, The New Frontiers. @janmetzner @y0na75
2. What to expect from the session
   • System, transport and thing security
   • Fine-grained authorization
   • Thing management
   • Pub/sub data access
   • AWS services integration
   • Incident response
   • End-to-end IoT security (demo)
3. Idea for this talk started from the quote …
   “Every IoT security article: • IoT is big • IoT security is bad • Consequences are scary • Change default settings • Buy my product • Problem not solved …“ Dr. Sarah Cooper, June 2, 2016
4. All things around us are getting connected
5. Things will proliferate (chart labels): 2013, 2015, 2016, 2020; Vertical Industry, Generic Industry, Consumer, Automotive; Many, Some, Lots
6. Many devices are not enforcing security: Mirai bot default passwords
7. Connected ≠ smart
   Internet 1985: Gopher, FTP, NNTP, Telnet, Archie
   IoT 2015: HTTP, MQTT, CoAP, XMPP, AMQP
8. Not a typical apocalyptic IoT talk
9. IoT security needs to be effective yet simple
   “… pilots and race car drivers were willing to put on almost anything to keep them safe in case of a crash, but regular people in cars don't want to be uncomfortable even for a minute.“ Nils Bohlin
10. Multiple attack vectors
11. System, transport, and thing security (diagram labels): System, Transport, Thing, Risk
12. Typical SoC (diagram labels): SoM, SoC, CPU/MCU, Memory, Baseband, Location, WLAN, BLE, LPWAN, NFC, HW Crypto
13. Connectivity options (diagram labels): Direct, Gateway; Satellite, Wi-Fi, Cellular, LPWAN, Bluetooth, Other; IEEE 802.15.4: ZigBee, Z-Wave, Thread
14. AWS IoT
15. Incident response in AWS IoT
16. Incident response in AWS IoT: CWE executes a Lambda function to invalidate the certificate
17. Time to connect someTHING …
18. One service, three protocols
                         MQTT + Mutual Auth TLS    WebSocket + AWS Auth          HTTPS + AWS Auth
    Server auth          TLS + cert                TLS + cert                    TLS + cert
    Client auth          TLS + cert                AWS credentials (API keys)    AWS credentials (API keys)
    Confidentiality      TLS                       TLS                           TLS
    Protocol             MQTT                      HTTP/WS                       HTTP
    Communication model  Pub/sub                   Pub/sub                       REST
    Identification       AWS ARNs                  AWS ARNs                      AWS ARNs
    Authorization        AWS policy                AWS policy                    AWS policy
19. Authentication
    Things: certificate/private key
    Users: AWS IAM (user/role: API keys), Amazon Cognito (role: API keys)
    AWS services: AWS IAM (role: API keys)
20. Authorization – IAM policies (diagram labels): IAM unauthenticated or authenticated role; Amazon Cognito; AWS credentials (services); temporary AWS credentials (users); third-party service; AWS service
21. Authorization – IoT policies: fine-grained access for each device with a single policy (the CommonName of the device certificate is substituted at evaluation time, so one policy scopes every device to its own client id and topic prefix)
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "iot:Connect",
          "Resource": "arn:aws:iot:eu-west-1:1234567890:client/${iot:Certificate.Subject.CommonName.1}",
          "Effect": "Allow"
        },
        {
          "Action": "iot:Publish",
          "Resource": [
            "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}",
            "arn:aws:iot:eu-west-1:1234567890:topic/sensordata/${iot:Certificate.Subject.CommonName.1}/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
22. Authorization – IoT policies: fine-grained access with registry variables (connection is allowed only when a thing is attached to the certificate, and publishing is scoped to the thing type and thing name from the registry)
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "iot:Connect",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "Bool": {
              "iot:Connection.Thing.IsAttached": ["true"]
            }
          }
        },
        {
          "Action": "iot:Publish",
          "Resource": [
            "arn:aws:iot:eu-west-1:1234567890:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}"
          ],
          "Effect": "Allow"
        }
      ]
    }
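The following is an added example, not code from the deck or from AWS: a small model of how the two policies on slides 21 and 22 give each device its own scope through policy variables. It substitutes the ${iot:...} variables from a connection context into the statements and then evaluates one action against one resource, so you can see that a certificate for sensor-0001 cannot publish under sensor-0002's prefix, and that an unattached thing is refused by the IsAttached condition. The evaluation rules are a simplified model of AWS IoT policy evaluation (default deny, explicit Deny wins, '*' wildcards, only the Bool condition operator), the treatment of an unresolvable variable as a non-matching resource is an assumption, and the device names are constructed sample values.

```python
"""Model of AWS IoT policy variables (added example; simplified evaluation)."""
import fnmatch
import re

ACCOUNT = "arn:aws:iot:eu-west-1:1234567890"  # account prefix used on the slides

# Slide 21: scope by the certificate's CommonName.
CERT_CN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "iot:Connect",
         "Resource": ACCOUNT + ":client/${iot:Certificate.Subject.CommonName.1}",
         "Effect": "Allow"},
        {"Action": "iot:Publish",
         "Resource": [ACCOUNT + ":topic/sensordata/${iot:Certificate.Subject.CommonName.1}",
                      ACCOUNT + ":topic/sensordata/${iot:Certificate.Subject.CommonName.1}/*"],
         "Effect": "Allow"},
    ],
}

# Slide 22: scope by the attached thing's registry entry.
THING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "iot:Connect", "Resource": "*", "Effect": "Allow",
         "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": ["true"]}}},
        {"Action": "iot:Publish",
         "Resource": [ACCOUNT + ":topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}"],
         "Effect": "Allow"},
    ],
}

VAR_RE = re.compile(r"\$\{([^}]+)\}")


def substitute(text, ctx):
    """Resolve ${iot:...} variables from the connection context. Returns None when a
    variable is unset (no thing attached); the model treats that as 'no match' (assumption)."""
    missing = []

    def repl(match):
        value = ctx.get(match.group(1))
        if value is None:
            missing.append(match.group(1))
            return ""
        return str(value)

    resolved = VAR_RE.sub(repl, text)
    return None if missing else resolved


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    # Only the Bool operator used on slide 22 is modelled.
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError("operator not modelled: " + operator)
        for key, wanted in pairs.items():
            actual = str(ctx.get(key, "false")).lower()
            if actual not in [str(w).lower() for w in _as_list(wanted)]:
                return False
    return True


def is_allowed(policy, ctx, action, resource):
    """Default deny; a matching Allow grants, a matching Deny overrides everything."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        patterns = [substitute(r, ctx) for r in _as_list(stmt["Resource"])]
        if not any(p is not None and fnmatch.fnmatchcase(resource, p) for p in patterns):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cert_context(common_name):
    return {"iot:Certificate.Subject.CommonName.1": common_name}


def thing_context(thing_name, thing_type, attached=True):
    ctx = {"iot:Connection.Thing.IsAttached": "true" if attached else "false"}
    if attached:  # registry variables only resolve when a thing is attached
        ctx["iot:Connection.Thing.ThingName"] = thing_name
        ctx["iot:Connection.Thing.ThingTypeName"] = thing_type
    return ctx


def demo():
    # Constructed device names: sensor-0001/sensor-0002 (cert CN) and pump-07 (thing).
    topic_a = ACCOUNT + ":topic/sensordata/sensor-0001/temperature"
    unattached = thing_context("pump-07", "pump", attached=False)
    return {
        "own_topic": is_allowed(CERT_CN_POLICY, cert_context("sensor-0001"), "iot:Publish", topic_a),
        "other_device_topic": is_allowed(CERT_CN_POLICY, cert_context("sensor-0002"), "iot:Publish", topic_a),
        "own_client_id": is_allowed(CERT_CN_POLICY, cert_context("sensor-0001"), "iot:Connect", ACCOUNT + ":client/sensor-0001"),
        "borrowed_client_id": is_allowed(CERT_CN_POLICY, cert_context("sensor-0001"), "iot:Connect", ACCOUNT + ":client/sensor-0002"),
        "subscribe_anywhere": is_allowed(CERT_CN_POLICY, cert_context("sensor-0001"), "iot:Subscribe", ACCOUNT + ":topicfilter/#"),
        "attached_thing_publish": is_allowed(THING_POLICY, thing_context("pump-07", "pump"), "iot:Publish", ACCOUNT + ":topic/pump/pump-07"),
        "attached_thing_wrong_type": is_allowed(THING_POLICY, thing_context("pump-07", "pump"), "iot:Publish", ACCOUNT + ":topic/valve/pump-07"),
        "unattached_connect": is_allowed(THING_POLICY, unattached, "iot:Connect", ACCOUNT + ":client/pump-07"),
        "unattached_publish": is_allowed(THING_POLICY, unattached, "iot:Publish", ACCOUNT + ":topic/pump/pump-07"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "ALLOW" if verdict else "DENY")
```

The useful property to notice is that neither policy names a device: the per-device boundary comes entirely from what the certificate or the registry says about the connection, which is what lets one policy document cover a whole fleet.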
23. Birth of a device
24. Strong thing identity (diagram): Manufacturing line → Provisioning of the identities retrieved from AWS IoT → Data connection; create certificate (from CSR)
25. Strong thing identity
    AWS-generated key pair: CreateKeysAndCertificate()
    Customer-generated key pair: CreateCertificateFromCSR(CSR)
26. BYOB? Better - BYOC
27. Customer’s certificate authority (diagram): Manufacturing line → Provisioning of the identities signed with customer’s CA → Data connection; async registration
28. Bring your own certificate (BYOC) (diagram labels): CSR, Customer's Hardware Security Module (HSM)
29. Demo: Embed Video from https://s3-eu-west-1.amazonaws.com/iot-security.cloud/screencast/wo-jitr.mov
30. “Look ma, no hands!” Just-in-time registration (JITR)
31. Just-in-time registration (diagram): Manufacturing line → Provisioning of the identities signed with customer’s CA → First data connection; JIT registration
32. Just-in-time registration – Provisioning (diagram labels): Customer's Hardware Security Module (HSM), CSR
33. Just-in-time registration – CA registration: getRegistrationCode(), registerCACertificate(CACert, RegCert) (diagram labels: Customer's Hardware Security Module (HSM), CSR)
34. Just-in-time registration: function handling the PENDING_ACTIVATION state: checkYourCRL(), updateCertificate(Cert, ACTIVE), attachPrincipalPolicy(Cert, IoTPolicy), updateERP() (diagram labels: Customer's Hardware Security Module (HSM))
35. Demo: Embed Video from https://s3-eu-west-1.amazonaws.com/iot-security.cloud/screencast/jitr.mov
36. “I am better than that THING” User access
37. Unauthenticated (anonymous) user access (diagram labels): IAM unauthenticated role, Amazon Cognito
38. Authenticated user access (diagram labels): IAM authenticated role, Amazon Cognito, IoT policy per user, identity provider
39. IoT security in the cloud scales … and real hardware?
40. Strong device security: Atmel/Microchip AWS-ECC508. Straightforward provisioning and secure key storage; crypto-operations offloading for constrained hardware
41. Live demo: Cesanta Mongoose IoT Firmware (mongoose-iot.com)
    • Hardware agnostic: ESP8266, TI CC3200 and other
    • Secure: SSL/TLS, Microchip ATECC508A crypto-chip support
    • Develop in C, or JavaScript, or both
    • Networking: MQTT, WebSocket, CoAP, HTTP/HTTPS and other
    • Mongoose Embedded Web Server and Networking Library
    Customers: NASA, Dell, Samsung, HP and many others
42. Live demo: ATECC508A-AWS, ESP8266
43. Live demo: point your browser to https://iot-security.cloud/demo
44. Microchip/Atmel ATECC508A-AWS: encapsulate the entire provisioning process into a turnkey IC; focus design effort on customer experience; strong turnkey security
45. IoT device identity requirements
    • Every device must have a trustable identity
    • Private key can never be revealed!!!
    • Authenticate every entity with which you communicate
    • Authentication process must be trusted
46. Perfect software exists in theory only. Never mix software with keys!
47. Attackers don’t need physical access!
    • Rowhammer: modify DRAM state to gain kernel privileges
    • Acoustic cryptanalysis: listen to component vibration across the room, extract keys (http://www.tau.ac.il/~tromer/acoustic/)
    • Timing attack (first published in 1996): extract confidential data based on response delay
48. ATECC508A-AWS: get critical stuff out of the micro!
    • Root of trust for secure code
    • High-security key storage
    • Less code = lower cost
    • 10x-100x faster than MCU
49. What makes ATECC508A a vault?
    Advanced security circuitry: active shield, internal encryption, randomization, tampers, no JTAG, …
    Strong attack defenses: microprobe, timing, emissions, faults, glitches, temperature
    (chart labels: Standard devices, Microchip security devices)
50. Comprehensive thing security
    • Keys never leave chip - no back doors!
    • Software asks for keys to be used - chip accelerates math using the key
    • Elliptic curve algorithm in hardware – can’t exploit software bugs!
51. Secure in the factory
    Private key generated entirely inside the ATECC508A
    • Completely random
    • NEVER readable
    • NEVER known by anybody
    Certificates generated by world-class HSMs at Microchip
    • Protected in state-of-the-art secure facilities
    No special equipment or procedures required in the OEM factory
52. Microchip’s factory provisioning
    Secure facilities: 24/7 camera monitored, locked cages, network isolation, physical access control
    Hardware Security Modules (HSM): highly secure computers, world-class certifications: FIPS 140-2, CC EAL 4+, …
53. Reference design: easy to get started
    • ARM® Cortex®-M4 microcontroller
    • Wi-Fi® connectivity
    • ATECC508A pre-configured for AWS IoT
    • I/O module
    • Root CA & Intermediate CA demo dongles
    • FreeRTOS
    • WolfSSL TLS 1.2
    • MQTT client
    • JSON library
    • Example application with 6 I/Os
    Source code & documentation on GitHub: https://github.com/MicrochipTech/AWS-Secure-Insight
54. Easy OEM setup (diagram labels: IoT OEM, Customer-Specific Production Signers, Root of Trust, OEM CA, Root CA, OEM’s AWS Account)
    1. OEM creates AWS IoT account, sets up OEM CA (existing OEM capability, 3rd-party trusted CA, or Microchip CA kit)
    2. OEM creates certificates for Microchip production signers
    3. OEM registers production signer certificates into their AWS account
55. Zero touch provisioning - Manufacture (diagram labels: IoT OEM, Customer-Specific Production Signers, Root of Trust, OEM Certificate, Root CA)
    1. Microchip ships ATECC508A including certificates to board shop
    2. IoT provisioning is easy: assemble ATECC508A into IoT product
    3. Final product ships with little or no cloud enrollment instructions or actions needed
56. Zero touch provisioning - Field (diagram labels: IoT Device #NN, OEM AWS Account, Customer-Specific Production Signers, Device #NN): device certificate automatically transferred to AWS and registered on first connection
57. Easy prototyping (diagram labels: IoT OEM, Root of Trust, Root CA, Signing USB Dongle, OEM Lab, OEM USB Dongle)
    1. Development kits readily available from distributors
    2. Includes turnkey USB dongles set up to model the OEM CA and the Microchip production signers
    3. Use to create demonstration systems and alpha units for testing and qualification
58. ATECC508A-AWS: easily secure your AWS IoT device
    Secure keys - ultimate protection for keys to prevent any software attack, accelerate ECC up to 100x faster
    Fast design - prototyping kits available now, complete reference design on the web, tiny package fits any system
    Easy manufacturing - secure and seamless manufacturing logistics. JITR means ready-to-go with AWS out of the box
59. Straightforward off-band certificate management
    • Bring your own certificates
    • Just-in-time registration
    • ECC certificate support
60. Fine-grained authorization at scale
    • X.509 certificate policy variables
    • Thing policy variables
61. End-to-end security
    • Zero touch secure provisioning
    • Mobile carriers secure tunnels to VPC
62. Now build a secure IoT solution! Demos/resources from this session: https://iot-security.cloud
63. Remember to complete your evaluations!
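The following is an added example, not code from the deck, from AWS or from Microchip: the Lambda-side half of just-in-time registration from slide 34 (checkYourCRL → updateCertificate ACTIVE → attach policy), together with the "invalidate certificate" step of the incident-response slide 16, which is the same update_certificate call with a different target status. It assumes the event shape AWS IoT publishes on $aws/events/certificates/registered/<caCertificateId> and uses the current boto3 names update_certificate and attach_policy (the deck's attachPrincipalPolicy is the older name). The policy name, the CA id, the PEM-shaped strings and the revocation list are constructed placeholders; the iot client is injected so the same logic runs against boto3 in Lambda or against the in-memory fake for an offline run.

```python
"""JITR activation handler and certificate invalidation (added example)."""
import base64
import hashlib

POLICY_NAME = "DevicePolicy"  # hypothetical IoT policy name, not from the deck


def der_fingerprint(pem):
    """SHA-256 over the DER bytes of a PEM certificate (what AWS IoT uses as certificateId)."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def handle_registration(event, iot, is_revoked, policy_name=POLICY_NAME):
    """Slide 34: on PENDING_ACTIVATION, check revocation, then activate and attach the policy.
    A revoked certificate is moved to REVOKED so the device cannot simply reconnect."""
    cert_id = event.get("certificateId")
    if not cert_id:
        raise ValueError("registration event without certificateId")
    if event.get("certificateStatus") != "PENDING_ACTIVATION":
        return {"certificateId": cert_id, "action": "ignored"}
    desc = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]
    if is_revoked(desc["certificatePem"]):
        iot.update_certificate(certificateId=cert_id, newStatus="REVOKED")
        return {"certificateId": cert_id, "action": "revoked"}
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
    iot.attach_policy(policyName=policy_name, target=desc["certificateArn"])
    return {"certificateId": cert_id, "action": "activated", "policy": policy_name}


def invalidate_certificate(iot, cert_id):
    """Slide 16: incident response sets the certificate INACTIVE so new connections
    with it are refused while the case is investigated; returns the resulting status."""
    iot.update_certificate(certificateId=cert_id, newStatus="INACTIVE")
    return iot.describe_certificate(certificateId=cert_id)["certificateDescription"]["status"]


class FakeIotClient:
    """Minimal in-memory stand-in for boto3's iot client with the same keyword arguments."""

    def __init__(self, certs):
        self.certs = certs      # certificateId -> {"pem", "arn", "status"}
        self.policies = {}      # certificate ARN -> set of attached policy names

    def describe_certificate(self, certificateId):
        c = self.certs[certificateId]
        return {"certificateDescription": {"certificateId": certificateId, "certificateArn": c["arn"],
                                           "certificatePem": c["pem"], "status": c["status"]}}

    def update_certificate(self, certificateId, newStatus):
        self.certs[certificateId]["status"] = newStatus

    def attach_policy(self, policyName, target):
        self.policies.setdefault(target, set()).add(policyName)


def _pem(payload):
    """Constructed PEM-shaped placeholder; not a real X.509 certificate."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(payload).decode()


GOOD_PEM = _pem(b"constructed: good device cert")
STOLEN_PEM = _pem(b"constructed: revoked device cert")
REVOKED_FINGERPRINTS = {der_fingerprint(STOLEN_PEM)}  # stands in for the CA's CRL lookup


def jitr_event(cert_id):
    """Constructed registration event in the shape AWS IoT publishes for JITR."""
    return {"certificateId": cert_id, "caCertificateId": "CA_CERT_ID_PLACEHOLDER",
            "timestamp": 1480464000000, "certificateStatus": "PENDING_ACTIVATION",
            "awsAccountId": "1234567890", "certificateRegistrationTimestamp": "1480464000000"}


def demo():
    prefix = "arn:aws:iot:eu-west-1:1234567890:cert/"
    iot = FakeIotClient({
        "good": {"pem": GOOD_PEM, "arn": prefix + "good", "status": "PENDING_ACTIVATION"},
        "stolen": {"pem": STOLEN_PEM, "arn": prefix + "stolen", "status": "PENDING_ACTIVATION"},
    })
    revoked = lambda pem: der_fingerprint(pem) in REVOKED_FINGERPRINTS
    results = [handle_registration(jitr_event(cid), iot, revoked) for cid in ("good", "stolen")]
    return {"results": results,
            "stolen_status": iot.certs["stolen"]["status"],
            "good_status_after_incident": invalidate_certificate(iot, "good"),
            "good_policies": sorted(iot.policies.get(prefix + "good", ())),
            "stolen_policies": sorted(iot.policies.get(prefix + "stolen", ()))}


def lambda_handler(event, context):
    """Real entry point; boto3 is imported lazily so the offline demo does not need it."""
    import boto3
    return handle_registration(event, boto3.client("iot"),
                               lambda pem: der_fingerprint(pem) in REVOKED_FINGERPRINTS)


if __name__ == "__main__":
    print(demo())
```

Two things are worth keeping from this shape when writing the real function: the revocation check runs before the certificate is ever ACTIVE, so a device with a revoked certificate never gets a window in which it can publish, and the policy is attached only after activation succeeds, so a failure part-way leaves the certificate without permissions rather than with permissions and no audit trail.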