SPIRAL Protocol Family Xiaoyu Ruan and Will Stevens

  • Slides: 16
Download presentation
SPIRAL Protocol Family Xiaoyu Ruan and Will Stevens {xiaoyu. ruan; william. a. stevens}@intel. com

SPIRAL Protocol Family Xiaoyu Ruan and Will Stevens {xiaoyu. ruan; william. a. stevens}@intel. com For OCP security forum Jan. 29, 2019

USB Type-C Authenticatio n Protocol and Its Application in Cerberus Image credit: Project Cerberus

USB Type-C Authenticatio n Protocol and Its Application in Cerberus Image credit: Project Cerberus Challenge Protocol

• Authentication and key agreement require (expensive) asymmetric key operation every boot –

• Authentication and key agreement require (expensive) asymmetric key operation every boot – RSA or ECC. Not prefect for performance sensitive applications, e. g. , secure boot. A Good and straightforwar d Protocol. But Anything to Improve? • Easy problem! Just save the shared secret in secure NVM on both sides for future use. • What if responder does not have secure NVM? e. g. , CPU Our Goal: Design a protocol that - Does not require asymmetric operation after initial pairing between initiator and responder - Does not require secure NVM on responder

• Primary idea: responder wraps shared secret (SK) with its own secret key

• Primary idea: responder wraps shared secret (SK) with its own secret key (SSTn) and sends to initiator to store. The Main Idea • Prerequisite: responder FW has a secret key from ROM. The secure key changes per FW security version SVN. Responder flow during boot * The fuse / PUF used for private credential derivation is leveraged for SSTn derivation.

SPIRALOne. Way : Initiator Authenticate s Responder See Backup for flow when responder does

SPIRALOne. Way : Initiator Authenticate s Responder See Backup for flow when responder does not have DRNG

SPIRALTwo. Way: Mutual Authenticatio n Responder is required to have DRNG in order to

SPIRALTwo. Way: Mutual Authenticatio n Responder is required to have DRNG in order to authenticate initiator.

• Use one reserved bit in Device Capabilities Request and Response to indicate

• Use one reserved bit in Device Capabilities Request and Response to indicate if SPIRAL is supported Cerberus: Backward Compatibilit y/ Discovery

Review at OCP, DMTF, and PCIe forums and discuss adoptions in their specifications. Forum

Review at OCP, DMTF, and PCIe forums and discuss adoptions in their specifications. Forum Next Steps Date DMTF 1/22/2019 OCP 1/29/2019 PCIe ? ? Status Done. Reviewers from Intel, Lenovo, Cisco, HPE, Mellanox, Dell, Microchip, ARM, Marvell, Broadcom

Backup

Backup

SPIRALOne. Way : When Responder Doesn’t Have DRNG

SPIRALOne. Way : When Responder Doesn’t Have DRNG

SPIRALLite: For Constraine d Responder Using Hash Certificate

SPIRALLite: For Constraine d Responder Using Hash Certificate

Responder Credential – Seed, Seed Password, and Touchstone Example for max responder SVN n

Responder Credential – Seed, Seed Password, and Touchstone Example for max responder SVN n = 3 and max Initiator SVN m = 4 hash hash hash hash Creden tial Seed SP_3_4 SP_3_3 SP_3_2 SP_3_1 SP_2_4 SP_2_3 SP_2_2 SP_2_1 SP_1_4 SP_1_3 SP_1_2 SP_1_1 Touchs tone n - 3 3 2 2 1 1 - m - 4 3 2 1 - Respo nder ROM passes Not passe s to FW to n=3 respo nder FW Respo nder FW sends to m=4 initiat or FW to n=2 respo nder FW to m=3 initiat or FW to m=2 initiat or FW to m=1 initiat or FW to m=4 initiat or FW to n=1 respo nder FW to m=3 initiat or FW to m=2 initiat or FW to m=1 initiat or FW to m=4 initiat or FW Public value signed by CA to m=3 initiat or FW to m=2 initiat or FW to m=1 initiat or FW to initiat or

SPIRAL vs. USB Authentication Protocol Property SPIRAL USB Auth Protocol Asymmetric operation at every

SPIRAL vs. USB Authentication Protocol Property SPIRAL USB Auth Protocol Asymmetric operation at every boot No Responder credential May be X. 509 or hash- X. 509 based* X. 509 Secure storage on responder Not required Required * See SPIRAL-Lite slides and whitepaper. Yes USB Auth Protocol w. shared secret Not required No

Spiral Dynamics What is Spiral Dynamics Spiral DynamicsSpiral Dynamics What is Spiral Dynamics Spiral Dynamics
Stevens and Frost Wallace Stevens 1879 1955 RobertStevens and Frost Wallace Stevens 1879 1955 Robert
Lake Stevens School District Lake Stevens High SchoolLake Stevens School District Lake Stevens High School
Lake Stevens School District Lake Stevens High SchoolLake Stevens School District Lake Stevens High School
Lake Stevens School District Lake Stevens High SchoolLake Stevens School District Lake Stevens High School
Lake Stevens School District Lake Stevens High SchoolLake Stevens School District Lake Stevens High School
1 Spiral Galaxies Spiral Pattern Galactic Shock Galactic1 Spiral Galaxies Spiral Pattern Galactic Shock Galactic
Pembalutan simple spiral Pembalutan simple spiral TUJUAN nPembalutan simple spiral Pembalutan simple spiral TUJUAN n
Spiral Dynamics https store theartofservice comthespiraldynamicstoolkit html SpiralSpiral Dynamics https store theartofservice comthespiraldynamicstoolkit html Spiral
The Spiral of Silence Theory Teori Spiral KeheninganThe Spiral of Silence Theory Teori Spiral Keheningan
1 SPIRAL DYNAMICS Harald Hutterer Spiral Dynamics Basics1 SPIRAL DYNAMICS Harald Hutterer Spiral Dynamics Basics
spiral path Slipring Data acquisition CT spiral CTspiral path Slipring Data acquisition CT spiral CT
Intro to Knowledge management Spiral of knowledge SpiralIntro to Knowledge management Spiral of knowledge Spiral
PLANAR SPIRAL Equiangular plane spiral curve Derivative SinglePLANAR SPIRAL Equiangular plane spiral curve Derivative Single
SPIRAL TRAINING PRESENTATION OF THE SPIRAL METHODOLOGY fromSPIRAL TRAINING PRESENTATION OF THE SPIRAL METHODOLOGY from