Re: Intel EPID For Device Onboarding
Hello Drasko,
We have looked into EPID also. It is interesting if the customer is concerned about privacy (consumer). The issue with the system is you must get all your keys from Intel as they are the only EPID key provider today. For the ICS use case, privacy is not a big driving factor and the complexity of the supply chain signing equipment at transfer points is not currently used. In general, we are monitoring EPID but have no plans to add it to our products and have no customers requesting EPID. Most of our customers want support for normal PKI certificates and a PKI CA for identity management.
From: edgex-tsc-security-bounces@... [mailto:edgex-tsc-security-bounces@...] On Behalf Of Jason.A.Shepherd@...
Sent: Tuesday, October 31, 2017 8:47 AM
To: drasko@...; edgex-tsc-security@...; edgex-tsc-systems-mgmt@...; edgex-devel@...; Boran.Car@...
Subject: Re: [Edgex-tsc-security] Intel EPID For Device Onboarding
Hi Drasko -
We actually aren't leveraging EPID on our gateway hardware today (just TPM) but are looking at it as part of the overall solution stack. FYI, the solution that Jennifer talks about in that video from about a year ago is Intel's Secure Device Onboard (SDO) which they just announced at Solutions World Congress: https://www.intel.com/content/www/us/en/internet-of-things/secure-device-onboard.html
Simplifying how devices are securely on-boarded is definitely key for deployment scale, however the way these types of solutions typically address the issue is to push the problem up the supply chain. So, in order for them to work the manufacturer/OEM has to program a unique identifier into every device that leaves their factory which is a major undertaking. Considerations also have to be made in the channel as devices inevitably pass through multiple levels of ownership before hitting the end user. While all possible, this will only be attractive to lots of device makers if the solution is pervasive and therefore really valuable to their customers.
I believe the interoperability between sensors and applications facilitated by the EdgeX ecosystem is key to the success of this type of solution because it will make it worthwhile for OEMs to do the extra work. EdgeX could potentially also be used to federate various ecosystems for this type of onboarding.
In any event, simple and secure onboarding is a key market need and we'll want to make sure we address it one way or another. We're in the process of re-engaging with a number of the major silicon providers (including Intel) on the heels of the Barcelona release and this will be a point of discussion.
Would be good to make this a topic in an upcoming security working group meeting.
From: edgex-tsc-security-bounces@... [mailto:edgex-tsc-security-bounces@...] On Behalf Of Drasko DRASKOVIC
Sent: Tuesday, October 31, 2017 3:33 AM
To: edgex-tsc-security@...; edgex-tsc-systems-mgmt@...; edgex-devel@...; Car, Boran <Boran.Car@...>
Subject: [Edgex-tsc-security] Intel EPID For Device Onboarding
During the last f2f meeting in Barcelona, we mentioned the problem of device onboarding, and the problem of dedicating a distinctive asymmetric key to each device during the manufacturing phase.
I was watching a video on edge security yesterday: https://www.youtube.com/watch?v=A6KoS7CQaqs, and saw that there are already implementations of Intel's EPID (https://en.wikipedia.org/wiki/Enhanced_privacy_ID) used on Dell's gateways.
At a very quick glance, I like the idea of having a one-to-many mapping of public-private keys, at least for two reasons:
1) It is easier to keep just one public key on a server and not have queries each time a device onboards to find its public key (although probably a query for the group must be done)
2) You can keep anonymity on a group level
I was wondering - did anybody have experience with EPID before? I see that it is an open standard, I even saw some Apache-2.0 device-side implementations (https://github.com/Intel-EPID-SDK/epid-sdk), but I was wondering how open it is and whether it can be useful for the EdgeX case?
Mainflux Author and Technical Advisor
www.mainflux.com | Industrial IoT Cloud
Engineering Division | Paris, France
EdgeX-TSC-Security mailing list