Re: Intel EPID For Device Onboarding


Zolfonoon, Riaz
 

At RSA, we have also looked into Intel SDO both jointly with Dell and separately before our merging. We came to the same conclusion as Jason mentioned. The solution solves a real need, but due to impact on the entire chain, from manufacturing to deployment, it will take time to gain traction in the market.

FYI, another option that RSA has looked into is FIDO and its attestation technique. Recently, FIDO formed a study group to explore the applicability and use cases for FIDO in IoT space. The objective was to explore if there are opportunities for FIDO to consider making the necessary changes to its specs to make them applicable to authentication of devices (in addition to today's focus which is user authentication). RSA was involved in this exercise. Among areas that the study group identified, one was FIDO attestation for IoT device onboarding. In this case, similar to EPID, silicon manufacturers need to engage as well, but the rest of the process is simpler than SDO. This work is still in progress and FIDO board is considering the recommendations from the study group.

I've also heard of some other proprietary methods discussed by vendors, but I'm not aware of any other standards. Does anyone know if OMA's LWM2M or other standards offer any secure onboarding solution that may already be implemented/deployed?

Riaz

Riaz Zolfonoon | Distinguished Engineer | RSA | www.rsa.com | o: +1 781-515-7168 | c: +1 617-283-4822

-----Original Message-----
From: edgex-tsc-security-bounces@... [mailto:edgex-tsc-security-bounces@...] On Behalf Of Jason.A.Shepherd@...
Sent: Tuesday, October 31, 2017 8:47 AM
To: drasko@...; edgex-tsc-security@...; edgex-tsc-systems-mgmt@...; edgex-devel@...; Boran.Car@...
Subject: Re: [Edgex-tsc-security] Intel EPID For Device Onboarding

Dell - Internal Use - Confidential

Hi Drasko -

We actually aren't leveraging EPID on our gateway hardware today (just TPM) but are looking at it as part of the overall solution stack. FYI, the solution that Jennifer talks about in that video from about a year ago is Intel's Secure Device Onboard (SDO) which they just announced at Solutions World Congress: https://www.intel.com/content/www/us/en/internet-of-things/secure-device-onboard.html

Simplifying how devices are securely on-boarded is definitely key for deployment scale, however the way these types of solutions typically address the issue is to push the problem up the supply chain. So, in order for them to work the manufacturer/OEM has to program a unique identifier into every device that leaves their factory which is a major undertaking. Considerations also have to be made in the channel as devices inevitably pass through multiple levels of ownership before hitting the end user. While all possible, this will only be attractive to lots of device makers if the solution is pervasive and therefore really valuable to their customers.

I believe the interoperability between sensors and applications facilitated by the EdgeX ecosystem is key to the success of this type of solution because it will make it worthwhile for OEMs to do the extra work. EdgeX could potentially also be used to federate various ecosystems for this type of onboarding.

In any event, simple and secure onboarding is a key market need and we'll want to make sure we address it one way or another. We're in the process of re-engaging with a number of the major silicon providers (including Intel) on the heels of the Barcelona release and this will be a point of discussion.

Would be good to make this a topic in an upcoming security working group meeting.

-Jason



-----Original Message-----
From: edgex-tsc-security-bounces@... [mailto:edgex-tsc-security-bounces@...] On Behalf Of Drasko DRASKOVIC
Sent: Tuesday, October 31, 2017 3:33 AM
To: edgex-tsc-security@...; edgex-tsc-systems-mgmt@...; edgex-devel@...; Car, Boran <Boran.Car@...>
Subject: [Edgex-tsc-security] Intel EPID For Device Onboarding

HI all,
during the last f2f meeting in Barcelona, we mentioned problem of device onboarding, and problem of dedicating a distinctive asymmetric key to each device during manufacturing phase.

I was looking yesterday a video on edge security:
https://www.youtube.com/watch?v=A6KoS7CQaqs, and saw that there are already implementation of Intel's EPID
(https://en.wikipedia.org/wiki/Enhanced_privacy_ID) used on Dell's gateways.

On a very fast glance
(https://img.en25.com/Web/McAfeeE10BuildProduction/%7Ba6dd7393-63f8-4c08-b3aa-89923182a7e5%7D_EPID_Overview_Public_2016-02-08.pdf?elqTrackId=48387d7899274c7985c6ac808d6ecbac&elqaid=7811&elqat=2),
I like the idea of having one-to-many mapping of public-private keys, at least for two reasons:
1) It is easier to keep just one public on a server and not to have quaries each time a device onboards to find it's public key (although probably query for the group must be done) 2)You can keep anonymity on a group level


I was wondering - did anybody had experience with EPID before? I see that it is open standard, I saw even some Apache-2.0 device-side implementations (https://github.com/Intel-EPID-SDK/epid-sdk), but I was wondering how open it is and can it be useful for EdgeX case?

Best regards,
Drasko DRASKOVIC
Mainflux Author and Technical Advisor

www.mainflux.com | Industrial IoT Cloud
-------------------------------------------------------------------
Engineering Division | Paris, France

LinkedIn: https://www.linkedin.com/in/draskodraskovic
Twitter: @draskodraskovic

_______________________________________________
EdgeX-TSC-Security mailing list
EdgeX-TSC-Security@...
https://lists.edgexfoundry.org/mailman/listinfo/edgex-tsc-security
_______________________________________________
EdgeX-TSC-Security mailing list
EdgeX-TSC-Security@...
https://lists.edgexfoundry.org/mailman/listinfo/edgex-tsc-security

Join EdgeX-TSC-Security@lists.edgexfoundry.org to automatically receive all group messages.