Universal Reference Architecture for Secure Cloud-Based Automation
Zero-Knowledge Initial Enrolment of Resource-Constrained IoT Devices with Symbiotic Security
DOI: https://doi.org/10.17560/atp.v61i9.2428

Keywords: secure architecture for embedded systems, secure cryptographic key management, secure remote automation, symbiotic security, secure initial enrolment

Abstract
In the first of a series of articles, we introduce the term “Symbiotic Security” to denote an ideal architecture where all essential components (e.g. hardware, software or networks) contribute to raising the architectural security bar. The growing importance of cloud computing for secure and resilient automation and its intended independence from hardware to accommodate all platforms have led us to observe a disconnect between well-known cloud service providers and manufacturers of embedded devices or IoT: the unsolved problem of initial enrolment. After elaborating on the root cause of this gulf we present a non-invasive extension and implementation of a cloud IoT reference architecture for an automated, mutually authenticated and encrypted roll-out of IoT nodes. To also enable automated key management without human intervention, the system refrains from using any static secrets usually employed by the hardware vendors – a longstanding point of criticism. Despite our practical choice of a target platform, the idea itself is uniform across such environments given their inherent similarities.
License
The journal and all contributions and illustrations contained in it are protected by copyright. Any use outside the narrow limits of copyright law without the publisher's consent is prohibited and punishable by law. This applies in particular to reproduction, translation, microfilming, and storage and processing in electronic systems. The rights of reproduction by lecture, radio and television broadcast, magnetic recording or similar means are also reserved.