Patent Application
20150242614
This non-provisional patent application claims priority to Great Britain applications: GB 1412715.3, filed Jul. 17, 2014; GB 1405790.5, filed Mar. 31, 2014; GB 1403314.6, filed Feb. 25, 2014; GB 1405785.5, filed Mar. 31, 2014; GB 1405786.3, filed Mar. 31, 2014; GB 1405789.7, filed Mar. 31, 2014; GB 1403312.0, filed Feb. 25, 2014; GB 1405791.3, filed Mar. 31, 2014; GB 1405797.0, filed Mar. 31, 2014.
This invention relates to provisioning a device with a means for authenticating itself to other devices.
Security is of increasing concern in the so-called Internet of Things. The identity and integrity of an individual device is of paramount importance in a network of potentially thousands of cooperating elements. A typical approach is to provide specific hardware on the device to act as the root of trust and propagate that trust up to other firmware and applications executing on the device.
The root of trust is a fundamental concept from which the security of the whole device and the services provided to/by the device propagates. The component should be reliable, tamper-proof and consistently behave in an expected manner. It should provide the minimum set of functionality needed to assess the integrity of the platform and the associated trustworthiness such as: measurement/storage/reporting of a set of metrics describing the platform characteristics (e.g. signed firmware hashes), and access to data signing/encryption for authentication, integrity and confidentiality purposes.
At the heart of the root of trust is usually a secret. The secret may be a truly random number that represents or assists in the generation of a cryptographical secret, such as a symmetric key or an asymmetric key-set, embedded in a controlled environment into the hardware of the chip/device, which can be challenged later. The secret is usually generated outside the chip and later embedded in the chip. This creates a serious challenge in managing the secret, which must be tightly controlled and monitored all the way through. Information on the secret (such as a private key burnt into the chip/device) might leak before or after manufacturing, invalidate the scheme and expose the customer to the risk of cloning and theft of sensitive data. Thus safe rooms (or “cages”) are typically required during manufacture.
There is a need for an improved mechanism for provisioning a device with security details that will enable it to authenticate itself with another device.
According to a first embodiment, there is provided a security component for authenticating a device, within which it is incorporated, with another device, the security component comprising a root identity generator configured to generate a root identity comprising a public root identity and a private root identity and an output configured to output the public root identity for sharing with the other device and to not output the private root identity.
The root identity generator may be configured to generate, as part of the private root identity, a private key of an asymmetric key set.
The root identity generator may be configured to generate, as part of the public root identity, one or more of a unique identifier for the security component, a public key of an asymmetric key set and a symmetric key.
The root identity generator may be configured to generate multiple unique root identities for the security component.
The root identity generator may be capable of repeatably generating the root identity.
The security component may be configured not to store the root identity.
The root identity generator may be configured to, when the security component requires the root identity, regenerate the root identity.
The security component may comprise a memory configured to store the root identity and the security component may be configured to, when it requires the root identity, retrieve it from memory.
The security component may comprise an enrolment indicator and may be configured to, when the public root identity is shared with the other device, set the enrolment indicator.
The security component may be configured not to share the public root identity if the enrolment indicator is set.
The root identity generator may be configured to, each time that the security component is required to generate a root identity when the enrolment indicator is not set, generate a new root identity.
The root identity generator may be configured to, each time that the security component is required to generate a root identity when the enrolment indicator is set, regenerate a previously generated root identity.
The root identity generator may be configured to, each time that the security component is required to generate a root identity when the enrolment indicator is set, regenerate the root identity that comprises the public root identity shared with the other device.
The root identity generator may be configured to generate a root identity during a self-test of the security component.
The security component may be configured not to share the private root identity with parts of the device that are outside of the security component.
The security component may comprise an encryption unit configured to encrypt and/or decrypt communications with the other device using the private root identity.
The encryption unit may be configured to encrypt any data that it shares with the other device with a public key of the other device.
The output may be configured to output the public root identity for sharing with a certificate authority.
The root identity generator may comprise an entropy source.
The security component may be for incorporation in a wireless communication device.
According to a second embodiment, there is provided a method for provisioning a device with security credentials to enable it to authorise itself with another device, comprising incorporating a security component in the device, generating, by means of the security component, a root identity comprising a public root identity and a private root identity and the security component outputting the public root identity for sharing with the other device and not outputting the private root identity.
The present invention will now be described by way of example with reference to the accompanying drawings. In the drawings:
a and 4b show examples of security components.
The following description is presented to enable any person skilled in the art to make and use the invention, and is provided in the context of a particular application. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art.
The general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present invention. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
An example of a method for generating an identity certificate for a device is shown in
The root identity may comprise some components that are “public” in the sense that, while they should be exposed as little as possible, some public exposure is necessary to authenticate the device. The public parts of a root identity may include, for example, one or more of a unique identifier for the security component, a symmetric key, and a public key. The public root identity typically includes information that has to be exposed to a certificate authority to record a Root Identity Certificate that can later be used to authorise the security component. Other parts of the root identity can be considered “private” because they do not need to be exposed during any authentication procedure and should be kept secret by the device. An example of a private part of a root identity is a private key from an asymmetric key pair. The security component may generate both public and private parts of its root identity internally.
The security component can be requested to provide its root identity (step S102). The security component determines whether it is currently operating in an enrolment phase (step S103). If yes, the security component returns its public root identity to the requester (step S104). If no, the security component does not provide its public root identity to the requester (step S105). The private root identity is not provided to the requester.
A more detailed example of a chip generating an identity certificate is shown in
The certificate authority (203) will still need to know the public root identity of the chip before it is deployed, however, so that it can authenticate the chip later. One possible opportunity for obtaining this information is at the end of manufacture, during chip testing. The root identity encrypted with the public key of a certification authority may be exposed to firmware and retrieved by a manufacturing testing JIG, for example. The root identity may then be safely stored on a local or remote server as a Root Identity Certificate before the chip is shipped to a customer.
The public root identity may only be able to be exposed to the manufacturer until the manufacturing process is finished. One way of achieving this is to include one or more “enrolled fuses” on the chip. Once the enrolled fuse is blown, the root identity can no longer be read from the chip. If the manufacturer's certificate authority will be storing the Root Identity Certificate, only one enrolled fuse is required. Alternatively, the manufacturer could sell chips to customers with their own certificate authority. To enable this, some chips may have an extra enrolment fuse. This is termed “UseOtherCAPubKeyFuse” (see
The chip may generate its root identity during a self-test procedure, as mentioned above. The chip may go through multiple self-tests during manufacture. The chip may generate one or more root identities during each of these self-tests. These root identities may be different from one another, because the chip only needs to be able to re-generate an existing root identity after that root identity has been passed to a certificate authority. The chip may therefore be configured to generate new root identities until the enrolment phase is complete (e.g. the fuse has blown) and thereafter either re-generate the root identities that have been passed to the certificate authority or retrieve them from memory (if the chip is configured to store its root identities). The re-generated identities may be the same as those that the chip previously generated, and the same as the identities shared with the certificate authority.
An advantage of the method described above is that the private root identity, such as the private keys of the asymmetric key sets, are internally generated in the chip. The initial generation of the private root identity is thus independent of any external input, so the manufacturer is freed from having to protect cryptographic secrets. The root identity is additionally not exposed to the rest of the chip, and particularly not to firmware, after enrolment has been completed. Indeed most the information released by the chip during enrolment will be publicly exposed during use of the device anyway. The exception is any symmetric keys (SymKey), although the risk that these might fall into the wrong hands can be reduced by encrypting RIchip with CAPubKey. If the reduced level of security is unacceptable, then symmetric keys need not be exchanged as part of the enrolment process. Thus, the exact contents of the “private” and “public” parts of the root identity may depend on the context. In some implementations a symmetric key may not be exchanged at enrolment, so that it forms part of the private root identity, and at other times it may be exchanged at enrolment, and form part of the public root identity.
The Root Identity Certificates stored by the certificate authority can later be used to authenticate the chip's identity and integrity following a challenge in the field. An example of this is shown as part of the “deployment process” in
In a further development the chip may autonomously re-generate its root identity. This is represented in
Specific examples of a security component are shown in
The root identity generator may also be configured to generate an asymmetric private/public key set associated with each unique identifier: {PrivateKeyi, PublicKeyi} The root identity generator may also be configured to generate a symmetric key associated with each unique identifier: {SymKeyi}.
The root identity generator may be capable of the following:
The security component may comprise an output for sharing some security information with another device, so that the other device may authenticate it. This shared information is likely to include a unique identifier, public key of an asymmetric key pair and possibly a symmetric key pair. This information is suitably only shared during the enrolment phase, however. The security bit may therefore comprise an indicator such as an enrolment fuse or bit in OTP, which can be blown/set when the enrolment phase is completed.
If the indicator is not set, the security component may be configured to share the following with the other device:
RIchip={(UUID1: PublicKey1,SymKey1),(UUID2: PublicKey2,SymKey2), . . . }
The security component may comprise an encryption unit for encrypting the information to be shared with the public key of the other device (which is likely to be associated with a certification authority). The information may be shared with the other device by being exposed to the firmware of the device within which the security component is incorporated, from which it can be transferred to the other device via a wired or wireless connection.
If the indicator is set, the security component may be configured to regenerate the set of identifiers and keys (or of a part of it), in the same way as at initial switch on, at power up and/or on-demand, but the set is not exposed to any other part of the device (e.g. firmware).
Examples of two different security components are shown in
Crypto-block 401 comprises a cryptographic engine 402. The entropy source 403 is configured to seed the generation of a root identity by providing a seed to the cryptographic engine. The entropy source may generate the same or different seed for each functional unit in the cryptographic engine that generates a respective element of the root identity. Examples of suitable functional units include:
1. an Elliptical Curve Cryptography (ECC) multiplier to generate the public/private key pair as a set of asymmetric elliptic cryptographic keys {PrKey, PubKey};
2. a key derivation function to generate a symmetric key {SymKey}; and
3. a hashing function to generate a unique identifier {UUID}.
The cryptoblock 401 is managed by trusted processor block 404 that has exclusive access to the configuration registers 405 of the crypto-block. The processor block may be configured to coordinate entropy source operation and RIchip extraction. It may also coordinate Root of Trust activities.
The security component also comprises an output represented by bus 408 for sharing its public root identity with other parts of the device or a certificate authority. Bus 408 is merely an example, and any suitable wired or wireless output means might be employed. The security component also comprises an enrolment fuse 407 for preventing transfer of the public root key after the enrolment process is complete.
The structures shown in
The provisioning methods and security component described above invert the role between originator and receiver of the cryptographical secret: the secret is generated on the chip and only public data is exposed during the enrolment process to the manufacturer. Private data is retained on the chip. If public data is leaked for a batch of chips, the manufacturer might lose income associated with providing a recurring identification and integrity verification service to a customer of those chips, but data confidentiality has not been compromised nor impersonation allowed. The prospect of external secret-leaking before, during and after manufacture is avoided since the focus has shifted from the securely storing keys externally provided by the manufacturer to chip internal, autonomous (re)generation of cryptographical secrets. Thus, provided that side-attacks are prevented, impersonation and sensitive data stealing are not possible unless the chip's private keys are extracted from the crypto-block using lab-attacks. This is theoretically impossible with a PUF since accessing the PUF structure by definition alters its behaviour. It is also highly unlikely with OTP.
The applicant hereby discloses in isolation each individual feature described herein and any combination of two or more such features, to the extent that such features or combinations are capable of being carried out based on the present specification as a whole in the light of the common general knowledge of a person skilled in the art, irrespective of whether such features or combinations of features solve any problems disclosed herein, and without limitation to the scope of the claims. The applicant indicates that aspects of the present invention may consist of any such individual feature or combination of features. In view of the foregoing description it will be evident to a person skilled in the art that various modifications may be made within the scope of the invention.
| Number | Date | Country | Kind |
|---|---|---|---|
| 1403312.0 | Feb 2014 | GB | national |
| 1403314.6 | Feb 2014 | GB | national |
| 1405785.5 | Mar 2014 | GB | national |
| 1405786.3 | Mar 2014 | GB | national |
| 1405789.7 | Mar 2014 | GB | national |
| 1405790.5 | Mar 2014 | GB | national |
| 1405791.3 | Mar 2014 | GB | national |
| 1405797.0 | Mar 2014 | GB | national |
| 1412715.3 | Jul 2014 | GB | national |
