427 research outputs found
Citizen Electronic Identities using TPM 2.0
Electronic Identification (eID) is becoming commonplace in several European
countries. eID is typically used to authenticate to government e-services, but
is also used for other services, such as public transit, e-banking, and
physical security access control. Typical eID tokens take the form of physical
smart cards, but successes in merging eID into phone operator SIM cards show
that eID tokens integrated into a personal device can offer better usability
compared to standalone tokens. At the same time, trusted hardware that enables
secure storage and isolated processing of sensitive data has become
commonplace both on PC platforms and on mobile devices.
Some time ago, the Trusted Computing Group (TCG) released the version 2.0 of
the Trusted Platform Module (TPM) specification. We propose an eID architecture
based on the new, rich authorization model introduced in the TCG's TPM 2.0. The
goal of the design is to improve the overall security and usability compared to
traditional smart card-based solutions. We also provide, to the best of our
knowledge, the first accessible description of the TPM 2.0 authorization model.
Comment: This work is based on an earlier work: Citizen Electronic Identities
using TPM 2.0, to appear in the Proceedings of the 4th international workshop
on Trustworthy embedded devices, TrustED'14, November 3, 2014, Scottsdale,
Arizona, USA, http://dx.doi.org/10.1145/2666141.266614
Proceedings of the Workshop on web applications and secure hardware (WASH 2013).
Web browsers are becoming the platform of choice for applications that need to work across a wide range of different devices, including mobile phones, tablets, PCs, TVs and in-car systems. However, for web applications which require a higher level of assurance, such as online banking, mobile payment, and media distribution (DRM), there are significant security and privacy challenges. A potential solution to some of these problems can be found in the use of secure hardware – such as TPMs, ARM TrustZone, virtualisation and secure elements – but these are rarely accessible to web applications or used by web browsers. The First Workshop on Web Applications and Secure Hardware (WASH'13) focused on how secure hardware could be used to enhance web applications and web browsers to provide functionality such as credential storage, attestation and secure execution. This included challenges in compatibility (supporting the same security features despite different user hardware) as well as multi-device scenarios where a device with hardware mechanisms can help provide assurance for systems without. Also of interest were proposals to enhance existing security mechanisms and protocols, security models where the browser is not trusted by the web application, and enhancements to the browser itself
Blockchain-Based Services Implemented in a Microservices Architecture Using a Trusted Platform Module Applied to Electric Vehicle Charging Stations
Microservice architectures exploit container-based virtualized services, which rarely use
hardware-based cryptography. A trusted platform module (TPM) offers a hardware root of trust
for services that make use of cryptographic operations. The virtualization of this hardware module
offers high usability for other types of service that require TPM functionalities. This paper proposes
the design of TPM virtualization in a container. To ensure integrity, different mechanisms, such as
attestation and sealing, have been developed for the binaries and libraries stored in the container
volumes. Through a REST API, the container offers the functionalities of a TPM, such as key
generation and signing. To prevent unauthorized access to the container, this article proposes an
authentication mechanism based on tokens issued by the Cognito Amazon Web Service. As a proof
of concept and applicability in industry, a use case for electric vehicle charging stations using a
microservice-based architecture is proposed. Using the EOS.IO blockchain to maintain a copy of
the data, the virtualized TPM microservice provides the cryptographic operations necessary for
blockchain transactions. Through a two-factor authentication mechanism, users can access the data.
This scenario shows the potential of using blockchain technologies in microservice-based architectures,
where microservices such as the virtualized TPM fill a security gap in these architectures.
Infineon Technologies; Program “Digitalisierung der Energiewende”; Bundesministeriums für
Wirtschaft und Energie; Trusted Blockchains fur das offene, intelligente
Energienetz der Zukunft (tbiEnergy); FKZ 03EI6029D; European Health and Digital Executive Agency (HaDEA) program under Grant
Agreement No 101092950 (EDGELESS project); FEDER/Junta de
Andalucia-Consejeria de Transformacion Economica, Industria, Conocimiento y Universidades under
Project B-TIC-588-UGR20
Security, Trust and Privacy (STP) Model for Federated Identity and Access Management (FIAM) Systems
Federated identity and access management systems let users of the home domain
organization access multiple resources (services) in the foreign domain
organization through web single sign-on. In a federated environment, the user's
authentication is performed at the beginning of an authentication session, and the user is allowed
to access multiple resources (services) while the current session is active. In current
federated identity and access management systems the main security concerns are: (1)
bidirectional integrity measurement of the home domain organization's machine platforms
does not exist, (2) integrated authentication (i.e., username/password and mutual
attestation of the home domain machine platforms) is not present, and (3) resource (service)
authorization in the foreign domain organization is not via bidirectional attestation
of the home domain machine platforms.
A novel architecture to virtualise a hardware-bound trusted platform module
Security and trust are particularly relevant in modern softwarised infrastructures, such as cloud environments, as applications are deployed on platforms owned by third parties, are publicly accessible on the Internet and can share the hardware with other tenants. Traditionally, operating systems and applications have leveraged hardware tamper-proof chips, such as the Trusted Platform Modules (TPMs) to implement security workflows, such as remote attestation, and to protect sensitive data against software attacks. This approach does not easily translate to the cloud environment, wherein the isolation provided by the hypervisor makes it impractical to leverage the hardware root of trust in the virtual domains. Moreover, the scalability needs of the cloud often collide with the scarce hardware resources and inherent limitations of TPMs. For this reason, existing implementations of virtual TPMs (vTPMs) are based on TPM emulators. Although more flexible and scalable, this approach is less secure. In fact, each vTPM is vulnerable to software attacks both at the virtualised and hypervisor levels. In this work, we propose a novel design for vTPMs that provides a binding to an underlying physical TPM; the new design, akin to a virtualisation extension for TPMs, extends the latest TPM 2.0 specification. We minimise the number of required additions to the TPM data structures and commands so that they do not require a new, non-backwards compatible version of the specification. Moreover, we support migration of vTPMs among TPM-equipped hosts, as this is considered a key feature in a highly virtualised environment. Finally, we propose a flexible approach to vTPM object creation that protects vTPM secrets either in hardware or software, depending on the required level of assurance
FlexiChain 2.0: NodeChain Assisting Integrated Decentralized Vault for Effective Data Authentication and Device Integrity in Complex Cyber-Physical Systems
Distributed Ledger Technology (DLT) has been introduced using the most common
consensus algorithm either for an electronic cash system or a decentralized
programmable assets platform which provides general services. Most established
reliable networks are unsuitable for all applications such as smart cities
applications, and, in particular, Internet of Things (IoT) and Cyber Physical
Systems (CPS) applications. The purpose of this paper is to provide a suitable
DLT for IoT and CPS that could satisfy their requirements. The proposed work
has been designed based on the requirements of Cyber Physical Systems.
FlexiChain is proposed as a layer zero network that could be formed from
independent blockchains. Also, NodeChain has been introduced to be a
distributed Unique ID (UID) aggregation vault to secure all nodes' UIDs.
Moreover, NodeChain is proposed to serve mainly FlexiChain for all node
security requirements. NodeChain targets the security and integrity of each
node. Also, the linked UIDs create a chain of narration that keeps track not
merely for assets but also for who authenticated the assets. The security
results present a higher resistance against four types of attacks. Furthermore,
the strength of the network is presented from the early stages compared to
blockchain and central authority. FlexiChain technology has been introduced to
be a layer zero network for all CPS decentralized applications, taking into
account their requirements. FlexiChain relies on lightweight processing
mechanisms and creates other methods to increase security.
Multiprotocol Authentication Device for HPC and Cloud Environments Based on Elliptic Curve Cryptography
Multifactor authentication is a relevant tool in securing IT infrastructures combining two or
more credentials. We can find smartcards and hardware tokens to leverage the authentication process,
but they have some limitations. Users connect these devices in the client node to log in or request access
to services. Alternatively, if an application wants to use these resources, the code has to be amended
with bespoke solutions to provide access. Thanks to advances in system-on-chip devices, we can
integrate cryptographically robust, low-cost solutions. In this work, we present an autonomous device
that allows multifactor authentication in client–server systems in a transparent way, which facilitates
its integration in High-Performance Computing (HPC) and cloud systems, through a generic gateway.
The proposed electronic token (eToken), based on the system-on-chip ESP32, provides an extra layer
of security based on elliptic curve cryptography. Secure communications between elements use
Message Queuing Telemetry Transport (MQTT) to facilitate their interconnection. We have evaluated
different types of possible attacks and the impact on communications. The proposed system offers an
efficient solution to increase security in access to services and systems.
Spanish Ministry of Science, Innovation and Universities (MICINN)
PGC2018-096663-B-C44; European Union (EU
- …