Java Solutions for Securing Edge-to-Enterprise
Eric Vétillard
Sr. Principal Product Manager, Java Card
Oracle
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

Program Agenda
• Embedded security requirements
• Example: Smart Meter use cases
• Building trust with Secure Elements
• Java Card in embedded devices
• Edge-to-enterprise security

Standard Architecture
[Diagram: many Devices connect, optionally through a Gateway, to a Backend with Storage; the three tiers run Java ME Embedded, Java Embedded Suite and Java EE respectively]

What's New?
The devices are new
• There are many of them
• They are the heart of business
• They are you
• You may have limited control
[Diagram: many Devices connected to a Backend / Cloud / Server]

What New Risks are Introduced?
New system entry point
• Attacking the device
  – Tampering with the device
  – Fake device
• Attacking the device link
  – Stealing information
  – Modifying information
[Diagram: Devices connected to a Backend / Cloud / Server; the devices and their links are the new entry point into the system]

Security is About Resistance to Attacks
• Attacks are intended to abuse the system for the benefit of the attacker
• Think about attackers, not only about users
  – Possibly a user trying to abuse the system
  – Possibly a terrorist trying to destroy the whole ecosystem
• Think about vulnerabilities, not bugs
  – Vulnerabilities often start from features
  – A bad specification is harder to fix than a bad implementation

Main Security Requirements
High-level requirements, to be met even under attack
• Safety: Do what you are supposed to do
• Privacy: Restrict access to user data
• Regulation: Abide by national/vertical rules
• Access control: Restrict access to authorized persons
• Accountability: Guarantee some traceability of the other properties

Main Security Functions
• Data protection: confidentiality (encryption), integrity (signature)
• Authentication and authorization: authentication (password, biometry, token), authorization (access rights)
• Logging and auditing: security log (remember actions), auditor access, log interpretation
• Provisioning: code update (system upgrade, app upgrade, bug fixing)
• Software protection: code integrity (code signature, code verification), runtime integrity

Smart metering: High-level View
Why move to smart meters?
• Better data collection
• Less manpower
• Accurate information
• Enable Smart Grid and Big Data
• Better grid control
• Feedback to users
What consequences?
• Less human control
• Fraud detection is difficult
• More data flowing
• Injection of wrong data
• Private consumer data leaks

Smart metering: Environment and Details
Main characteristics
• Owned/controlled by utility company
• Lifetime > 10 years
• No human intervention
• Tamper-resistant meter
• Limited price sensitivity
• Raw data is privacy-sensitive
Threat analysis
• On the device
  – Tampering with data collection
  – Tampering with collected data
• Between the device and the backend
  – Insert fake device
  – Modify transferred data
  – Steal transferred data

Smart Metering: Security Update
• Data collection: before, tamper-evidence; now, tamper-resistance
• Data storage: new issue; requires data integrity and data confidentiality
• Fake device: new issue; requires device authentication
• Fake server: new issue; requires server authentication
• Man-in-the-middle: new issue; requires a secure channel

Smart Meter: Designing Security In
Many levels of security
• Tamper-proofing the device
• Securing the protocol
• Using a good software stack
• Adding a secure element
  – Tamper-resistant hardware
  – Small, isolated, certifiable

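The countermeasures the two slides above call for (device authentication, server authentication, data integrity, data confidentiality and a secure channel that defeats a man-in-the-middle) carried through as one added worked example. This code was written for this page; it is not from the presentation or from Oracle and it does not implement any particular standard. It assumes a per-meter symmetric key K already provisioned into the meter's secure element and into the backend (a real deployment would more likely use certificate-based TLS or a GlobalPlatform secure channel, but the checks have the same shape). The class, method and label names, the meter ID and the readings are invented for the demo, and both endpoints run in one JVM so the exchange can be traced end to end.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/*
 * Illustrative meter <-> backend protocol (not a standard one). A per-meter long-term key K
 * is assumed to be provisioned into the meter's secure element and the backend's HSM.
 *   1. Meter   -> Backend : meterId, nonceM
 *   2. Backend -> Meter   : nonceB, tagB = HMAC(K, "srv" | meterId | nonceM | nonceB)   (fake server?)
 *   3. Meter   -> Backend : tagM = HMAC(K, "dev" | meterId | nonceB | nonceM)           (fake device?)
 *   4. both derive Ks = HMAC(K, "sess" | nonceM | nonceB)
 *   5. Meter   -> Backend : seq, AES-GCM(Ks, iv(seq), aad = meterId, reading)             (MITM, replay?)
 */
public final class MeterChannelDemo {
    private static final SecureRandom RNG = new SecureRandom();

    static byte[] hmac(byte[] key, byte[]... parts) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        for (byte[] p : parts) mac.update(p);
        return mac.doFinal();
    }
    static byte[] lbl(String s) { return s.getBytes(StandardCharsets.US_ASCII); }
    static byte[] nonce() { byte[] n = new byte[16]; RNG.nextBytes(n); return n; }
    /** 96-bit GCM IV derived from the sequence number: never reused under one session key. */
    static GCMParameterSpec iv(long seq) {
        return new GCMParameterSpec(128, ByteBuffer.allocate(12).putInt(0).putLong(seq).array());
    }

    /** A reading as it travels over the link: sequence number in the clear, payload sealed. */
    static final class Frame { final long seq; final byte[] ct; Frame(long s, byte[] c) { seq = s; ct = c; } }

    static final class Backend {
        private final byte[] meterId, ltk; private byte[] nonceB, ks; private long lastSeq = -1;
        Backend(byte[] meterId, byte[] ltk) { this.meterId = meterId; this.ltk = ltk; }
        /** Step 2: prove knowledge of K, bound to the meter's fresh nonce. */
        byte[][] respond(byte[] nonceM) throws Exception {
            nonceB = nonce();
            ks = hmac(ltk, lbl("sess"), nonceM, nonceB);
            return new byte[][] { nonceB, hmac(ltk, lbl("srv"), meterId, nonceM, nonceB) };
        }
        /** Step 3 check: a fake meter without K cannot produce tagM. Constant-time compare. */
        boolean verifyMeter(byte[] nonceM, byte[] tagM) throws Exception {
            return MessageDigest.isEqual(hmac(ltk, lbl("dev"), meterId, nonceB, nonceM), tagM);
        }
        /** Step 5: reject replays by sequence number, then let GCM reject any modification. */
        String receive(Frame f) throws Exception {
            if (f.seq <= lastSeq) throw new SecurityException("replayed or reordered frame " + f.seq);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(ks, "AES"), iv(f.seq));
            c.updateAAD(meterId);
            byte[] plain = c.doFinal(f.ct);            // AEADBadTagException on tampering
            lastSeq = f.seq;                           // advance only after authentication succeeded
            return new String(plain, StandardCharsets.UTF_8);
        }
    }

    /** In a real meter, K and everything in this class would live inside the secure element. */
    static final class Meter {
        private final byte[] meterId, ltk; private byte[] nonceM, ks; private long seq = 0;
        Meter(byte[] meterId, byte[] ltk) { this.meterId = meterId; this.ltk = ltk; }
        byte[] start() { nonceM = nonce(); return nonceM; }
        /** Step 3: verify the server before deriving a session key; abort on a fake server. */
        byte[] finish(byte[] nonceB, byte[] tagB) throws Exception {
            byte[] expect = hmac(ltk, lbl("srv"), meterId, nonceM, nonceB);
            if (!MessageDigest.isEqual(expect, tagB)) throw new SecurityException("backend failed to authenticate");
            ks = hmac(ltk, lbl("sess"), nonceM, nonceB);
            return hmac(ltk, lbl("dev"), meterId, nonceB, nonceM);
        }
        Frame send(String reading) throws Exception {
            long s = ++seq;
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(ks, "AES"), iv(s));
            c.updateAAD(meterId);
            return new Frame(s, c.doFinal(reading.getBytes(StandardCharsets.UTF_8)));
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] meterId = lbl("METER-000123"), ltk = nonce();   // constructed demo identity and key
        Meter m = new Meter(meterId, ltk); Backend b = new Backend(meterId, ltk);

        byte[] nonceM = m.start();
        byte[][] r = b.respond(nonceM);
        byte[] tagM = m.finish(r[0], r[1]);
        if (!b.verifyMeter(nonceM, tagM)) throw new IllegalStateException("meter rejected");
        System.out.println("mutual authentication done");

        Frame f1 = m.send("kWh=1234.5;ts=1349000000");
        System.out.println("backend got: " + b.receive(f1));

        Frame f2 = m.send("kWh=1236.0;ts=1349000900");
        f2.ct[3] ^= 0x01;                                      // man-in-the-middle flips one bit
        try { b.receive(f2); } catch (AEADBadTagException e) { System.out.println("tampering detected"); }

        try { b.receive(f1); } catch (SecurityException e) { System.out.println("replay detected: " + e.getMessage()); }

        Backend fake = new Backend(meterId, nonce());          // a server that does not hold K
        byte[] n2 = m.start(); byte[][] r2 = fake.respond(n2);
        try { m.finish(r2[0], r2[1]); } catch (SecurityException e) { System.out.println("fake server rejected"); }
    }
}
```

The distinct "srv" and "dev" labels stop an attacker from reflecting one side's proof back at it; the session key is bound to both nonces, so a recorded handshake cannot be replayed; and the sequence number is both the GCM IV (so it is authenticated) and the backend's replay gate. What the example cannot show is the property the slides attribute to the secure element: that K and the meter's half of the handshake never exist in host memory at all.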
3 Ways to Build Trust from Secure Elements
• Secure element as secure store
  – Storing and handling important secrets
  – Example: the satellite TV card
• Secure element as backend proxy
  – Representing the service provider in the device
  – Example: the SIM card
• Secure element as device root of trust
  – Build trust in the device from a Secure Element
  – Example: the Trusted Platform Module (TPM)

Secure Element as Secure Store
Satellite TV
• Satellite TV is good for hackers
  – Content is broadcast
• Content is encrypted
  – Using a single key
  – This key needs protection

Secure Element as Secure Store
Satellite TV cards
• Tamper resistance is key
  – Device is "in the wild"
  – Secrets have value
• Not just a store
  – Secure elements have a CPU
  – Core secrets never get out

Secure Element as Backend Proxy
Mobile telephony
• Access only for subscribers
  – Bidirectional communication
  – Authentication required
• The system can be hacked
  – Duplicating phone identity

Secure Element as Backend Proxy
Mobile telephony SIM
• End-to-end security
  – SIM interacts with backend
  – Security is in the SIM
  – Device is just a dumb pipe
• Limits trust requirements
  – Untrusted device is OK
  – BYOD is the ultimate use case

Secure Element as Device Root of Trust
Protecting device integrity
• Device can be compromised
  – End user changing software
  – External network attack
• Very dangerous on devices
  – Consequences unknown
  – Hard to fix directly on device
  – Remote access can be disabled by attacker

Secure Element as Device Root of Trust
Using a TPM as root of trust
• Provides good guarantees
  – Tamper evidence
  – Hardware integration
• Building from these properties
  – The kernel is measured into the TPM before it runs
  – The kernel starts and measures the OS, which measures the apps, …
  – Remote attestation then lets a verifier check the recorded chain
[Diagram: chain of trust from the TPM through Kernel, OS and Apps]

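The chain on this slide (kernel measured into the TPM, kernel measures the OS, OS measures the apps, then remote attestation) as an added worked example. It is illustrative code written for this page, not the presentation's, Oracle's or any TPM vendor's, and it models the TPM with plain Java crypto: one extend-only PCR, an attestation key, and a quote that is simply an ECDSA signature over (nonce || PCR), which simplifies the real TPM quote structure. The class names and image contents are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;

/*
 * Illustrative model of measured boot and remote attestation (a simplification, not the TPM API).
 * A PCR starts at zero at power-on and can only be extended: PCR = SHA-256(PCR || SHA-256(component)).
 * Each stage measures the next one before running it, so code that has already run cannot
 * remove its own measurement. The TPM signs (nonce || PCR) with an attestation key whose private
 * half never leaves it; the verifier checks the signature, its own fresh nonce and the golden PCR.
 */
public final class MeasuredBootDemo {
    static byte[] sha256(byte[]... parts) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (byte[] p : parts) md.update(p);
        return md.digest();
    }

    /** Minimal TPM: one extend-only PCR and an attestation key that only ever signs quotes. */
    static final class Tpm {
        private byte[] pcr = new byte[32];
        private final KeyPair aik;
        Tpm() throws Exception {
            KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
            g.initialize(256);
            aik = g.generateKeyPair();                    // private key stays inside this object
        }
        PublicKey attestationPublicKey() { return aik.getPublic(); }
        void powerOn() { pcr = new byte[32]; }          // the only way back to zero is a reset
        void extend(byte[] component) throws Exception { pcr = sha256(pcr, sha256(component)); }
        byte[] pcrValue() { return pcr.clone(); }
        byte[] quote(byte[] nonce) throws Exception {     // signature over (nonce || current PCR)
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initSign(aik.getPrivate());
            s.update(nonce); s.update(pcr);
            return s.sign();
        }
    }

    /** Boot chain: firmware measures the kernel, the kernel measures the OS, the OS measures the apps. */
    static void boot(Tpm tpm, byte[] kernel, byte[] os, byte[] apps) throws Exception {
        tpm.powerOn();
        tpm.extend(kernel);   // measured by firmware before control is handed to the kernel
        tpm.extend(os);       // measured by the kernel before the OS image is started
        tpm.extend(apps);     // measured by the OS before the applications run
    }

    /** What the verifier expects for an approved set of images, computed from reference hashes. */
    static byte[] goldenPcr(byte[]... components) throws Exception {
        byte[] pcr = new byte[32];
        for (byte[] c : components) pcr = sha256(pcr, sha256(c));
        return pcr;
    }

    /** Remote verifier (the backend): holds the AIK public key and the golden PCR, issues fresh nonces. */
    static final class Verifier {
        private final PublicKey aikPub; private final byte[] golden;
        private final SecureRandom rng = new SecureRandom();
        Verifier(PublicKey aikPub, byte[] golden) { this.aikPub = aikPub; this.golden = golden; }
        byte[] freshNonce() { byte[] n = new byte[16]; rng.nextBytes(n); return n; }
        boolean accept(byte[] nonce, byte[] reportedPcr, byte[] quote) throws Exception {
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(aikPub);
            s.update(nonce); s.update(reportedPcr);
            if (!s.verify(quote)) return false;                   // wrong TPM, replayed quote, or altered PCR report
            return MessageDigest.isEqual(golden, reportedPcr);    // exactly the approved chain was booted
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the real kernel, OS and application images.
        byte[] kernel = "vmlinuz (signed build 17)".getBytes(StandardCharsets.UTF_8);
        byte[] os = "rootfs 2012.10".getBytes(StandardCharsets.UTF_8);
        byte[] apps = "meter-agent 1.4".getBytes(StandardCharsets.UTF_8);

        Tpm tpm = new Tpm();
        Verifier verifier = new Verifier(tpm.attestationPublicKey(), goldenPcr(kernel, os, apps));

        boot(tpm, kernel, os, apps);                          // healthy boot
        byte[] n1 = verifier.freshNonce();
        byte[] goodQuote = tpm.quote(n1);
        System.out.println("healthy boot accepted:       " + verifier.accept(n1, tpm.pcrValue(), goodQuote));

        byte[] patchedKernel = "vmlinuz + patched syscall table".getBytes(StandardCharsets.UTF_8);
        boot(tpm, patchedKernel, os, apps);                   // the end user (or an attacker) replaced the kernel
        byte[] n2 = verifier.freshNonce();
        System.out.println("modified kernel accepted:    " + verifier.accept(n2, tpm.pcrValue(), tpm.quote(n2)));
        // Compromised software may report the golden PCR, but the TPM only signs the real one.
        System.out.println("forged PCR report accepted:  " + verifier.accept(n2, goldenPcr(kernel, os, apps), tpm.quote(n2)));
        // Replaying the quote from the healthy boot fails because the verifier's nonce is fresh.
        System.out.println("replayed old quote accepted: " + verifier.accept(n2, goldenPcr(kernel, os, apps), goodQuote));
    }
}
```

Note that the TPM never refuses to boot the modified kernel: it records an honest measurement and leaves the decision to the verifier, which is why remote attestation, and not the TPM on its own, is what protects the backend from a compromised device. Local enforcement (refusing to release a key unless the PCRs match) is the sealing variant of the same mechanism.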
3 Ways to Build Trust from Secure Elements
Recap and value
• Secure element as secure store
  – Storing and handling important secrets
  – Example: the satellite TV card
  – Value for the service provider, for unconnected models: focus on local security
• Secure element as backend proxy
  – Representing the service provider in the device
  – Example: the SIM card
  – Value for the service provider, for connected models: end-to-end security
• Secure element as device root of trust
  – Build trust in the device from a Secure Element
  – Example: the Trusted Platform Module (TPM)
  – Value for the device provider, for all application models: improves device security

Smart Meter: What Secure Element Model?
Many levels of security
• Mostly a backend proxy
  – Authentication, secure channel
  – Managing data for the provider
• Also a secure store
  – If there is a local interface
• Could be a root of trust
  – Protecting device integrity

Embedded Systems with Security Subsystems
A few examples available today
• Smart cards: mobile phones (SIM), POS terminals (EMV payment), media players (DRM)
• Trusted Execution Environment (TEE): mobile devices (DRM, device integrity)
• Secure Elements: wireless modules (SIM / authentication), NFC phones (mobile payment), smart meters (regulation, prepaid)
• TPM: ATMs (system integrity), media players (DRM)

Java Card and Java in the Embedded Space
Many links available
• Java Card is used to program secure elements
  – Subset of Java, complemented with specific APIs
  – Multi-tenant architecture with firewalled applications
  – Dynamic application management
  – Now available on embeddable secure microcontrollers
• Java APIs exist to communicate with secure elements on devices
  – JSR-177 (SATSA) provides access to secure elements
  – JSR-257 for using a contactless interface

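The "not just a store: the secure element has a CPU and the core secret never gets out" point from the satellite-TV slides, written as the kind of Java Card applet this slide describes. This is an added example for this page, not Oracle's or the presentation's code and not a product applet: the package name, the CLA/INS values and the install-parameter layout (the GlobalPlatform one, with the initial PIN passed as applet data) are choices made for the demo, and it targets the classic Java Card 2.2.x API.

```java
package com.example.securestore;   // hypothetical package; the AID and parameters are set at install time

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.OwnerPIN;
import javacard.framework.Util;
import javacard.security.AESKey;
import javacard.security.KeyBuilder;
import javacard.security.Signature;

/*
 * Illustrative Java Card applet: a "secure store" whose key never leaves the card.
 * Commands (CLA 0x80, chosen for this example):
 *   INS 0x10 LOAD_KEY       16-byte AES key, accepted only once (personalisation)
 *   INS 0x20 VERIFY_PIN     PIN bytes; three wrong tries block the applet
 *   INS 0x30 MAC_CHALLENGE  16-byte challenge -> 16-byte AES-CBC-MAC computed with the key
 * There is deliberately no command that returns the key: the host can only ask the card's
 * CPU to use it, which is what lets a backend check that it is talking to this card.
 */
public class SecureStoreApplet extends Applet {
    private static final byte CLA_STORE         = (byte) 0x80;
    private static final byte INS_LOAD_KEY      = (byte) 0x10;
    private static final byte INS_VERIFY_PIN    = (byte) 0x20;
    private static final byte INS_MAC_CHALLENGE = (byte) 0x30;
    private static final byte PIN_TRY_LIMIT     = (byte) 3;
    private static final byte PIN_MAX_LEN       = (byte) 8;
    private static final short BLOCK            = (short) 16;
    private static final short SW_PIN_FAILED    = (short) 0x63C0;   // low nibble = tries remaining

    private final AESKey key;        // persistent, owned by this applet; the firewall hides it from other applets
    private final OwnerPIN pin;      // persistent try counter, so pulling power does not reset it
    private final Signature mac;
    private final byte[] scratch;    // transient RAM, wiped on deselect

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new SecureStoreApplet(bArray, bOffset);
    }

    private SecureStoreApplet(byte[] bArray, short bOffset) {
        key = (AESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_AES, KeyBuilder.LENGTH_AES_128, false);
        pin = new OwnerPIN(PIN_TRY_LIMIT, PIN_MAX_LEN);
        mac = Signature.getInstance(Signature.ALG_AES_MAC_128_NOPAD, false);
        scratch = JCSystem.makeTransientByteArray(BLOCK, JCSystem.CLEAR_ON_DESELECT);
        // Install parameters (GlobalPlatform layout): [len][AID] [len][privileges] [len][initial PIN]
        short aidLen  = (short) (bArray[bOffset] & 0xFF);
        short privOff = (short) (bOffset + 1 + aidLen);
        short dataOff = (short) (privOff + 1 + (bArray[privOff] & 0xFF));
        pin.update(bArray, (short) (dataOff + 1), bArray[dataOff]);
        register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }

    public void deselect() {
        pin.reset();                 // authentication does not survive selecting another applet
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;                       // the SELECT command itself needs no work
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_CLA] != CLA_STORE) ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
        short lc = apdu.setIncomingAndReceive();             // command data is now at OFFSET_CDATA

        switch (buf[ISO7816.OFFSET_INS]) {
        case INS_LOAD_KEY:
            if (key.isInitialized()) ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED); // write-once
            if (lc != BLOCK) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
            key.setKey(buf, ISO7816.OFFSET_CDATA);            // copied into persistent memory atomically
            break;
        case INS_VERIFY_PIN:
            if (!pin.check(buf, ISO7816.OFFSET_CDATA, (byte) lc))
                ISOException.throwIt((short) (SW_PIN_FAILED | pin.getTriesRemaining()));
            break;
        case INS_MAC_CHALLENGE:
            if (!pin.isValidated() || !key.isInitialized())
                ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
            if (lc != BLOCK) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);   // exactly one AES block
            mac.init(key, Signature.MODE_SIGN);
            short len = mac.sign(buf, ISO7816.OFFSET_CDATA, lc, scratch, (short) 0);
            Util.arrayCopyNonAtomic(scratch, (short) 0, buf, (short) 0, len);
            apdu.setOutgoingAndSend((short) 0, len);
            break;
        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```

The backend verifies a response by computing AES-CBC-MAC over the same 16-byte challenge with its copy of the key, so possession of the key is proved without the key ever crossing the card boundary; restricting the input to exactly one block also sidesteps CBC-MAC's weakness with variable-length messages (for longer data use CMAC, available as Signature.ALG_AES_CMAC_128 on newer Java Card versions). In production the key is loaded in a personalisation facility over a GlobalPlatform secure channel rather than in the clear, and the applet firewall keeps the key object out of reach of any other applet on the same card.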
Edge-to-Enterprise Security
Including security in the process
• First, identify the security requirements
  – What security features are/will be required on edge devices?
  – What kind of attacks need to be considered?
  – What kind of assurance level is/will be required?
• Then, separate the security functions
  – Think of them as a separate security subsystem

Edge-to-Enterprise Security
On-device implementation options
• Embedded in the main code
  – Provides a minimal assurance level
  – Already much, much better than leaving the security functions unidentified
• Using a dedicated secure element
  – Improved traceability and the highest assurance levels
  – Improved asset protection and tamper resistance
• More options will become available
  – From Trusted Computing to Trusted Execution Environments
  – The Java Card team follows these initiatives closely

Don’t Forget Security Engineering!
Breaches are costly
• Compliance issues
  – PCI compliance can be lost, and this is very bad publicity
  – HIPAA compliance will not be easier
• Many embedded devices will need to be integrated
• Attacks happen, and devices will be targeted
  – Attacks are moving from desktop to mobile
  – Hackers are realizing that many devices are poorly secured

Any questions?
Eric Vétillard
eric.vetillard@oracle.com