At a Sensors Expo 2018 workshop in San Jose, CA, held with Embedded Computing Design, Trusted Computing Group (TCG) work group members presented the TCG TPM for network security, the DICE lightweight root of trust and the Trusted Software Stack. As a follow-up to Secure your Industrial IoT sensors, or else!, this three-part series draws on those presentations to give more detail on designing in security. This first installment addresses the TPM.
For connected devices, poorly protected edge nodes such as sensors provide entry points for sophisticated attacks on high-value targets. Sensor designers who want to add security to their designs need to know how to secure them, how much security is required, how to implement it efficiently and what to look out for. As shown in Figure 1, each layer in a connected system is a target for attacks.
[Figure 1 | Cyber-attacks can target various layers of the system.]
To provide strong isolation of security boundaries, TCG has developed open standards that address security in device, network, mobile, storage, cloud, Internet of Things (IoT) applications and more, with currently over 90 specification and guidance documents for building trust.
The ability to trust a connected thing, including a sensor, starts with a basis for trust, a root of trust. For TCG, a hardware (HW)-based root of trust called the Trusted Platform Module (TPM) provides a standards-based foundation for trust with substantially more protection than software (SW)-only approaches, which can be compromised far more easily.
Two fundamental aspects of the HW-based root of trust are (1) Trusted Boot, which securely measures, stores and reports platform integrity metrics, and (2) strong attestation, which lets both local and remote parties verify the platform's integrity state. Protected capabilities provided by the TPM include secure key generation and storage, random number generation, cryptographic primitives and cryptographic services.
Specific TPM implementations have been evaluated and certified (Common Criteria EAL4+ and FIPS 140-2) to verify their security capabilities. Because threats continually evolve, secure (authenticated) update of the TPM's own firmware keeps a TPM-secured device prepared for the latest attacks.
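To make the measure-store-report sequence and the attestation step concrete, here is an added example that is not from the original article or from TCG: a Python simulation of a TPM 2.0 PCR bank. The PCR arithmetic is the real one (TPM2_PCR_Extend computes PCR_new = SHA-256(PCR_old || digest), so a PCR can only be extended, never written), and the verifier replays a boot event log to obtain golden values and checks a nonce-bound quote against them. The boot components, their bytes, the PCR selection and the attestation-key secret are all constructed, and the HMAC "signature" merely stands in for the TPM's signature with its attestation key, which in a real TPM is an asymmetric restricted key.

```python
"""Simulated TPM 2.0 measured boot and attestation (constructed example).

The boot components and their bytes are made up, and the HMAC "signature"
stands in for the TPM's signature with its attestation key (AK), so the
example runs offline without a TPM. The PCR arithmetic is the real one.
"""
import hashlib
import hmac

PCR_COUNT = 8          # a real SHA-256 bank has 24 PCRs; 8 suffice to illustrate
ZERO_PCR = bytes(32)   # PCRs 0..16 reset to all-zero at power-on


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || digest).

    The PCR can only be extended, never written, so its final value depends
    on every measurement and on the order in which they were made.
    """
    return hashlib.sha256(pcr + digest).digest()


def replay_event_log(events):
    """Rebuild the PCR bank from a boot event log of (pcr_index, label, data)."""
    pcrs = [ZERO_PCR] * PCR_COUNT
    for index, _label, data in events:
        pcrs[index] = extend(pcrs[index], hashlib.sha256(data).digest())
    return pcrs


def pcr_composite(pcrs, selection):
    """Digest over the selected PCRs, which is what a quote attests to."""
    return hashlib.sha256(b"".join(pcrs[i] for i in selection)).digest()


def make_quote(pcrs, selection, nonce: bytes, ak_secret: bytes):
    """Device side (TPM2_Quote): bind the PCR composite to the verifier's
    nonce and sign it. HMAC stands in for the AK signature here."""
    attested = pcr_composite(pcrs, selection) + nonce
    signature = hmac.new(ak_secret, attested, hashlib.sha256).digest()
    return attested, signature


def verify_quote(attested, signature, ak_secret, nonce, golden_pcrs, selection):
    """Verifier side: genuine device key, fresh nonce, expected PCR values."""
    expected_sig = hmac.new(ak_secret, attested, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False                     # not signed by the device's AK
    if attested[32:] != nonce:
        return False                     # replay of an older quote
    return hmac.compare_digest(attested[:32], pcr_composite(golden_pcrs, selection))


# Constructed boot event log: (PCR index, label, bytes that were measured)
GOLDEN_BOOT = [
    (0, "boot ROM", b"rom-v1"),
    (0, "bootloader", b"bootloader-v3"),
    (4, "firmware image", b"sensor-fw-2.1"),
    (7, "configuration", b"net=prod,mode=signed"),
]
# Same device, but booted with a modified firmware image
TAMPERED_BOOT = [
    (4, "firmware image", b"sensor-fw-2.1+implant") if label == "firmware image"
    else (index, label, data)
    for index, label, data in GOLDEN_BOOT
]
SELECTION = (0, 4, 7)
AK_SECRET = b"constructed-ak-secret"    # stand-in for the device's AK


def attest_device(boot_events, golden_events, nonce, ak_secret=AK_SECRET) -> bool:
    """End-to-end: device boots and quotes; verifier checks against golden PCRs."""
    attested, signature = make_quote(replay_event_log(boot_events),
                                     SELECTION, nonce, ak_secret)
    return verify_quote(attested, signature, ak_secret, nonce,
                        replay_event_log(golden_events), SELECTION)


if __name__ == "__main__":
    nonce = b"\x01" * 16   # the verifier picks a fresh random nonce per challenge
    print("golden boot accepted:  ", attest_device(GOLDEN_BOOT, GOLDEN_BOOT, nonce))
    print("tampered boot accepted:", attest_device(TAMPERED_BOOT, GOLDEN_BOOT, nonce))
```

Three properties of the real mechanism show up in the simulation: a single changed byte in any measured component changes the PCR it was extended into, swapping the order of two measurements into the same PCR also changes it, and a quote captured from an earlier boot fails against a new nonce even though its signature is valid.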
TPM 2.0 Capabilities and Benefits
With the latest TPM 2.0, TCG now has standards for discrete, integrated, firmware, software and even virtual TPMs (listed in decreasing order of security). These variations address the different tradeoffs between cost, features and security for numerous applications; note that only the discrete and integrated forms put the root of trust in dedicated hardware, so the software and virtual forms inherit the attack surface of the host they run on.
The capabilities and benefits of a Common Criteria EAL4+ and FIPS 140-2 certified security module (TPM 2.0) are shown in Figure 2.
[Figure 2 | With its numerous security functions, the TPM 2.0 provides multiple valuable security and commercial benefits.]
With independently evaluated and certified security for TPM 2.0, additional security benefits include high resistance against:
- Fault attacks
- Side-channel and semi-invasive attacks
- Invasive attacks (tamper resistance)
From an engineering risk mitigation perspective, leveraging TPM functions reduces the need to implement these functions on the main application controller, and with it the risk of introducing security flaws in a custom implementation.
The commercial benefits of a completely standardized and preprogrammed functional module include:
- Compliance tested for functionality and security
- 15 years of proven, mature technology
- Vendor agnostic, interoperability
- COTS: high volumes, cost efficient
- High reuse of TPM-aware SW, and therefore engineering efficiency
The superior tamper and attack resistance of the HW TPM 2.0 over equivalent SW cryptographic functions, its certified security, and secure manufacturing and shipping add even more benefits and reasons to design TPM 2.0 security into current and next-generation networked sensors.
A presentation and more information on the Sensors workshop are available here.