Conferences and supporting programme
IoT-Security and Product Piracy: Smart Key Management Versus Secure Hardware
In an age of digitalization, and fearing to lose ground to competitors, manufacturers of physical products are urgently searching for solutions to “smartify” and digitalize their products, to establish new digital business models, and to offer new services. To them, digitalization mainly means establishing (Internet) connectivity between their products and a digital service platform that enables data sharing and artificial intelligence. However, many business models built on top of digitalization might lose their competitive advantage for the manufacturer if the data are not secured (available, confidential, and of assured integrity). At the same time, for consumers and society at large, it is important that the technology is privacy-preserving. We present a detailed overview of what is arguably the most difficult part of most security systems, namely device authentication and key establishment. Today, key establishment solutions for securing the IoT ecosystem fall mainly into three categories:
- Master secrets (e.g., hard-coded, factory default keys, easy to guess passwords).
- Device individual credentials integrated within the production (e.g., client certificates, symmetric token etc.).
- Ad-hoc based key establishment (e.g., using the resurrecting duckling principle).
Each approach has its advantages (e.g., cheap production, solid security, or flexible production) as well as disadvantages (e.g., a serious undermining in the case of a hack, new complexities and expenses within the supply chain, or manual provisioning) and works with standard MCUs, secure MCUs (e.g., with read-out protection), or even secure hardware. A common example of a secure element is the Trusted Platform Module (TPM). TPMs usually contain a co-processor for energy-efficient computation of cryptographic primitives as well as protected storage for keys.
A major question for decision makers is: Which key establishment method and which (security) hardware solution reduces product piracy risk as well as cyber security risks sufficiently, can start today with small charges and end up with flexible, long-term-capable serial production, and provides a good cost-benefit ratio for new IoT products? In the present paper we focus on the details needed to find an individual answer, while potential lock-in effects of suppliers and platform providers are out of scope.
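To make the "serious undermining in the case of a hack" trade-off concrete, the following added example (not taken from the talk or paper) compares the first two categories by how many device identities must be treated as compromised once a single key is read out of one device. The HMAC-SHA256 challenge-response scheme, the class and function names, and the device IDs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

FLEET = ["sensor-001", "sensor-002", "sensor-003"]  # constructed device IDs

def respond(key: bytes, device_id: str, challenge: bytes) -> bytes:
    """Device side: HMAC over its ID and the backend's fresh challenge."""
    return hmac.new(key, device_id.encode() + b"|" + challenge, hashlib.sha256).digest()

class MasterSecretBackend:
    """Category 1: one key shared by the whole product line."""
    def __init__(self, master_key: bytes):
        self.master_key = master_key

    def key_for(self, device_id: str):
        return self.master_key

class PerDeviceBackend:
    """Category 2: a random key per device, registered during production."""
    def __init__(self):
        self.registry = {}

    def provision(self, device_id: str) -> bytes:
        self.registry[device_id] = secrets.token_bytes(32)
        return self.registry[device_id]

    def key_for(self, device_id: str):
        return self.registry.get(device_id)

def verify(backend, device_id: str, challenge: bytes, response: bytes) -> bool:
    key = backend.key_for(device_id)
    return key is not None and hmac.compare_digest(respond(key, device_id, challenge), response)

def identities_exposed(backend, leaked_key: bytes, fleet=FLEET) -> list:
    """IDs for which a response computed from `leaked_key` alone still verifies."""
    exposed = []
    for device_id in fleet:
        challenge = secrets.token_bytes(16)
        if verify(backend, device_id, challenge, respond(leaked_key, device_id, challenge)):
            exposed.append(device_id)
    return exposed

if __name__ == "__main__":
    per_device = PerDeviceBackend()
    keys = {d: per_device.provision(d) for d in FLEET}
    master = secrets.token_bytes(32)
    print("master secret:", identities_exposed(MasterSecretBackend(master), master))
    print("per-device:   ", identities_exposed(per_device, keys["sensor-001"]))
```

With a master secret every identity in the fleet has to be revoked and re-keyed after one read-out; with per-device credentials only the affected unit does, at the cost of maintaining the registry through the supply chain.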
---
Date: 28.02.2018
Time: 10:30 AM - 11:00 AM
Location: Conference Counter NCC Ost