Trademark, reputation and human health
The concept of IoT (Internet of Things) is entering our lives, and it will change the way we work, travel, and live. New businesses will be created, and others terminated.
Devices with software are everywhere and, in many cases, suppliers carry significant responsibility for them throughout the whole lifecycle. This is particularly true for solutions with a safety- or security-critical function. A security breach can harm the trademarks and reputation of both suppliers and their customers or, in the worst case, human health and life. Other applications may support significant business functions and therefore carry high economic value. In general, it is essential for virtually all products that they protect data, user privacy, and safety.
In the current global economy, suppliers often involve external parties to provide specialized services in the production and delivery of their products to end users. Such services typically include manufacturing in an external partner's factory and the use of partners for logistics, with the consequence that the supplier does not have full physical control over the product on its journey from the factory to the end user.
There is also a similar situation after delivery when, in operation, new software is downloaded to the product by either the user or a service partner.
Authenticity and availability
IoT products are particularly exposed to tampering as they often reside in unattended locations with limited network protection. At all times it is essential to know that the product is authentic and not compromised, i.e., that it remains a product for which the supplier can maintain its responsibility.
While there are a number of known methods for authentication, there is still a need for improvements concerning the balance between security and convenience in operation. The latter concept also includes the idea of availability, which is used herein to refer to the ability to distribute and give service to a large number of units, efficiently and cost-effectively.
Id-bundle uses asymmetric cryptography to establish the identity and authenticity of the software and hardware in a product. Each party involved in the supply, operation and maintenance processes can control and authenticate its own part, while the product owner can still guarantee the authenticity of the product as a whole.
The solution is based on the establishment of a plurality of identifiers associated with an individual computer-related product unit and generated in different phases of the manufacturing and provisioning chain of the product. The identifiers are cryptographically protected through asymmetric cryptography and are embedded in an identification entity, also called an ID bundle.
The Id-bundle and its associated certificates enable the product owner to maintain full control over the product's configuration and authenticity during its lifetime, while still allowing distributed and connected manufacturing, operation, and maintenance of the product.
A private/public key pair generated by the product owner enables a secured and distributed software installation process in which only certified software can be executed on the product. This applies during manufacturing and deployment as well as during operation and maintenance.
Another certificate, generated from unique production data and from a private/public key pair created by an onboard RSA device, guarantees that no hardware other than the approved hardware can be used (anti-cloning).
The Id-bundle also enables an escrow arrangement in which encrypted operational data can be recovered after a hardware crash. A copy of the private encryption key is kept in an escrow vault and is released only on presentation of a combination of keys and certificates from the Id-bundle.
To stay in control
Cyber threats are a continuously growing problem in computer security. Many of the existing efforts to improve security have been directed towards software protection and fighting threats such as viruses, "Trojan horse" attacks and other malicious software. Solutions have been put forth to deal with software protection, such as the concept of "trusted software" and the goal of "software integrity", to ensure reliable systems that operate under an established security policy.
Although many software security products do effectively detect, prevent, and remove viruses, they do so while running on top of the operating system (OS), and the confidence that security is maintained depends on whether it can be reasonably established that the OS has not been compromised during the startup phase.
Several methods have been described for providing a secure bootstrap process using public key cryptography, where integrity is ensured by the initializing architecture. However, these methods presume that the device is delivered to the customer with trusted software and that security remains intact from the time of manufacturing onwards, i.e., also during software updates and maintenance.
Secure & Fail-Safe Boot principles
Secure boot is based on a modified BIOS which, upon power-up, directs the system to boot initially from a secondary media, i.e., an inserted USB memory, another external device or an online remote service.
The BIOS contains services for digital signature verification and for loading the drivers needed for file system access, rather than the typical master boot record approach of reading the boot sector and subsequent sectors directly.
The secondary media includes an operating system (OS) image and related bootstrap files, digitally signed with a private key by the image originator. The corresponding public key is stored on a non-volatile parameter memory on the unit.
If the OS image on the secondary media is verified, it is loaded into the system, and a code jump is executed from the secondary OS image to the appropriate kernel of the primary operating system. The jump is transparent, and the operating system continues to run as if it had been running from the primary memory. If verification fails, the system attempts a number of reboots up to a predetermined maximum number of attempts, after which it tries to boot from the internal primary media.
The system is resilient to a power failure during software upgrades of the secondary media: the upgrade state is stored in the programmable read-only parameter memory, and a watchdog ensures that the state of the system remains secured.
The method enables software upgrades to occur virtually unattended since it does not require significant intervention by support personnel. Security and trust are maintained throughout the production chain via the use of digital signatures on the image files regardless of the media carrier and who handles it.
In short, Secure Boot provides a controlled and secure boot process which also enables software upgrades without shutting down the system and is resilient to a power shutdown during the load process. Moreover, it allows a secure and economical upgrade of widely deployed systems.