Bring Your Own Key for the Industrial Internet of Things

This research paper explores the concept of "Bring Your Own Key" (BYOK) for the Industrial Internet of Things (IIoT) to enhance security and key distribution. It discusses hardware and software enhancements, threat analysis, and proposes a prototype for secure key transfer using NFC. The paper concludes with future work and suggestions for further research.

cadams

Presentation Transcript


  1. Bring Your Own Key for the Industrial Internet of Things
     Thomas Ulz, Thomas Pieber, Christian Steger¹
     Sarah Haas, Holger Bock, Rainer Matischek²

  2. Outline
     • Introduction Industry 4.0 / Smart Factory
     • Smart Factory Use Case
     • Bring Your Own Key
     • Hardware Enhancement
     • Protocol
     • Prototype
     • Threat Analysis
     • Conclusion
     Institute for Technical Informatics

  3. Industry 4.0 / Smart Factory
     • Connect everything
     • Suppliers, production devices, customers, products

  4. Industry 4.0 / Smart Factory
     • Connect everything
     • Suppliers, production devices, customers, products
     • But how?

  5. Smart Factory Scenario

  8. Smart Factory
     Data distribution:
     • MQTT (Message Queue Telemetry Transport)
     • Publish / Subscribe principle
     • Secured transfer of data (TLS)
     • But how to exchange keys?
     • Broker would be MITM

  9. Bring Your Own Key
     • Concept from cloud computing
     • Allows customers to choose encryption keys
     • And the applied encryption (BYOE)
     • Applied to industrial IoT devices
     • Keys need to be transported to machines
     • Keys need to be stored securely
     • Ease of use for workers

  10. BYOK for IIoT - Hardware
     • Use NFC for key transfer
     • Security by proximity
     • “Touching” easy to understand principle
     • Configuration interface not exposed to network
     • Hardware-based secured element
     • Secure key storage, tamper resistant
     • Powered by NFC field

  11. BYOK for IIoT - Software
     • Are the key-applying user and the mobile device trustworthy?
     • Either generate keys at
       • Backend
       • Mobile device
     • Secure transferred keys

  12. BYOK Enhancement
     Requirements
     • Suitable for new and legacy devices
     • Tamper resistant
     • NFC Interface
     • Networking Interface

  14. Protocol
     Requirements
     • Confidentiality, Integrity, and Authenticity
     • Replay Resistant
     • Scalable

  15. Protocol
     Requirements
     • Confidentiality, Integrity, and Authenticity
     • Replay Resistant
     • Scalable
     • Authenticated Encryption over NDEF

  16. Prototype
     • Infineon XMC4500, SLE78
     • Nexus S Mobile
     • Key transfer: ~200 ms for a 128-bit AES key

  17. Threat Analysis
     • 9 threats identified
     • 7 mitigated by our BYOK approach
     • 2 residual risks are DoS attacks

  18. Threat Analysis
     • T1: Backdoors in device
     • C1: Common Criteria certification
     • T2: Weak cryptography
     • C2: Common Criteria certification
     • T3: Loss of keys by device vendor
     • C3: Keys changed using BYOK

  19. Threat Analysis
     • T4: Malicious mobile device or user
     • C4: Keys transported using AE, generated at backend
     • T5: Wrong or no keys deployed
     • R5: DoS attack by user, remote attestation needed
     • T6: Key loss or no update by device owner
     • R6: Cannot be mitigated by our approach

  20. Threat Analysis
     • T7: Remote attacks targeting IIoT device
     • C7a: Short range of NFC interface
     • C7b: AE
     • T8: Physical attacks targeting IIoT device
     • C8: Tamper resistance of Secure Element
     • T9: DoS attacks at NFC interface
     • C9: All operations done at Secure Element

  21. Conclusion and future work
     • Key distribution approach for IIoT
     • New and legacy devices
     • Near field communication
     • Secured hardware
     • Secured protocol
     • Future work
     • Arbitrary payload (device configuration)
     • Key update attestation

  22. Thanks for your attention! Questions?
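
The protocol requirements on slides 14 and 15 and countermeasure C4 on slide 19, as an added example (not code from the presentation or the authors' prototype): the backend seals a key so the mobile device only relays an opaque NDEF record, and the device rejects modified or replayed records. The pre-shared transport key `k`, the record type, the payload layout and the counter are assumptions, and the HMAC-based encrypt-then-MAC is a standard-library stand-in for a standard AEAD such as AES-GCM.

```python
import hashlib, hmac, os, struct

MIME = b"application/x-byok-key"  # hypothetical record type, not from the slides

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(k_enc, nonce, data):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a standard cipher such as AES-CTR
    ks = b"".join(_prf(k_enc, nonce + struct.pack(">I", i)) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(k, device_id, counter, new_key):
    """Backend side: encrypt-then-MAC the new key for one device (assumed pre-shared k)."""
    k_enc, k_mac = _prf(k, b"enc"), _prf(k, b"mac")
    nonce = os.urandom(12)
    body = struct.pack(">Q", counter) + nonce + _xor_stream(k_enc, nonce, new_key)
    return body + _prf(k_mac, device_id + body)[:16]

def ndef_record(payload):
    # One short NDEF record: MB|ME|SR flags with TNF 0x02 (media type) = 0xD2
    if len(payload) > 255:
        raise ValueError("payload too long for a short record")
    return bytes([0xD2, len(MIME), len(payload)]) + MIME + payload

def parse_ndef(rec):
    if len(rec) < 3 or rec[0] != 0xD2 or len(rec) != 3 + rec[1] + rec[2] or rec[3:3 + rec[1]] != MIME:
        raise ValueError("unexpected NDEF record")
    return rec[3 + rec[1]:]

class Device:
    """Secure-element side: verify the tag, then the counter, then decrypt."""
    def __init__(self, k, device_id):
        self.k, self.device_id, self.last_counter, self.key = k, device_id, 0, None

    def receive(self, rec):
        payload = parse_ndef(rec)
        body, tag = payload[:-16], payload[-16:]
        k_enc, k_mac = _prf(self.k, b"enc"), _prf(self.k, b"mac")
        if not hmac.compare_digest(tag, _prf(k_mac, self.device_id + body)[:16]):
            return "rejected: bad tag"      # modified in transit or meant for another device
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            return "rejected: replay"       # authentic, but already seen
        self.key = _xor_stream(k_enc, body[8:20], body[20:])
        self.last_counter = counter
        return "accepted"
```

Because the tag is checked before the counter is read, a relaying phone that flips a bit or resends an old record never advances the device's state.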
