FIDO Device Onboard (FDO)

FIDO Device Onboard (FDO)

FIDO Device Onboard (FDO) Geoffrey Cooper FIDO IoT Technical Working Group Principal Engineer, Intel Corporation February 2021 1 FIDO Alliance IOT Tech WG FIDO IOT Charter: “The IoT TWG has been established to develop use cases, …, automated onboarding, and binding of applications and/or users to IoT devices, …” Attendees: 4 CSP’s / 6 Chip companies Google Arm Lenovo First F2F meeting: July 2019 Microsoft Intel NXP RSA AWS eWBM 45 IoT Use Cases Presented Qualcomm Infineon Device Authority Alibaba Phoenix Technologies Plenary, September 2019 F2F meeting: Dec 2019 FIDO IOT TWG: Dec 2020 Derived Requirements from Use Cases SDO moved to working draft FIDO Device Onboard Review Draft released R1 Open Solution R2 Automatic Onboarding R3 Authorization (to onboard) is end-to-end FIDO Mods R4 Communications Independence R5 Late Binding GapTech R6 Permits Supply Chain Flexibility R7 Repurpose / Resale R8 Limit Correlation Attacks (Breadcrumbs) R9 Deferred Acceptance R15 Trusted and Untrusted Installer ExistTech R16 Localized authentication R17 Internet, Home, Enterprise & Closed networks SDO R18 IOT Owner need not be Network Owner R19 Target device range (CPU/RAM/UI/OS etc.) https://fidoalliance.org/specs/FDO/FIDO-Device-Onboard-RD-v1.0-20201202.html 2 FDO/SDO: LF-Edge project & Open Source The LF Edge SDO Project is an open source implementation of the SDO onboarding specification as a reference/gold implementation. https://www.lfedge.org/projects/securedeviceonboard/ ▪ Status • Open Source code at: https://github.com/secure-device-onboard • Now migrating development from SDO to FDO • Protocol testing release of FDO RD01 • Production release of FDO 1.0 projected for 2H21 (subject to finalization of FDO 1.0 spec) 3 Fast, Scalable & Secure1 Device Provisioning, Onboarding & Activation Device Drop ship device to Power-up & connect Auto-provisions, Onboards installation location to Network to Cloud BENEFITS1 • Zero touch onboarding – integrates readily with existing zero touch solutions • Fast & more secure1 – ~1 minute • Hardware flexibility – any hardware (from ARM MCU to Intel® Xeon® processors) • Any cloud – internet & on-premise • Late binding - of device to cloud greatly reduces number of SKUs vs. other zero touch offerings • Open - LF-Edge SDO project up and running, code now on GitHub • Industry standard - FIDO Alliance has released 1st spec draft 1. No product or component can be absolutely secure 4 FIDO Device Onboard: Late Binding in Supply Chain Binding info Customer 1 Zero Touch without FDO Devices IoT device software and security IoT Device Supply Chain Custom SKUs customization happens during manufacturing Build-to-order Customer 2 Result: Manufacturing Custom SKUs Complicated build-to-order Infrastructure Devices manufacturing infrastructure, many SKUs, small lot sizes, long lead times, higher cost Custom SKUs Customer n Devices Device Identity Zero Touch with FDO FDO Late Binding IoT device software and Binding info Customer 1 security customization happens at the end of the Devices IoT Device Supply Chain supply chain Device SKU 2 Device SKU 2 Device SKU 2 Benefits: Build-to-plan Device SKU 2 Customer 2 DeviceDevice SKU SKU 2 2 Simplified build-to-plan Manufacturing Device SKU Infrastructure Single SKU manufacturing infrastructure, Devices fewer SKUs, large lot sizes, enable stocking distributors, low customization cost Customer n Result: Increased supply chain volume and velocity Devices Late binding reduces costs & complexity in supply chain – a single device sku for all customers 5 Provisioning with FIDO IOT Target Cloud (Device Management System) Registration with integrated FIDO IOT 3 Owner Load Ownership Voucher at Procurement 10 01 Rendezvous 01 2 Late Binding 11 Cloud Managed, service 00 Single SKU – Provisioning 10 IoT data flows 01 01 Multiple Target clouds Discovery 4 5 11 6 00 Ownership 10 01 Voucher 01 11 1 00 Device 1011 IOT Device power on Device Manufacturer Device Recipient 1 2 3 4 5 6 Build and Ship FIDO IOT Register Ownership Register Device to Devices use FIDO IOT to Devices Authenticated Devices send sensor Enabled Devices to Target Platform Rendezvous Service find owner location and Provisioned data to IoT Platform FDO: Out of Box ➔ “in Service” CA’sCACA FDO Download: • Initialization/Hardening Scripts including Agent Device Manager OS • Crypto and other Credentials hardening, • Trust for local keys (CSR/Cert, firewall multiple CA’s) • Data files / programs (small, agent is most likely) Agent SW version Agent FOTA Credentials SW update Use FDO to set up: IOT Device Credentials Application • Agents TEE Apps in TEE Credentials • Software update (existing FOTA) • Connection to other IOT devices • FDO “Owner” to IOT devices • Keys in TEE (e.g., using CSR) • Devices in closed networks Other IOT Devices Internet / Intranet / Closed Network 7 Questions? 8 CONFIDENTIAL | © FIDO Alliance 2021 Tech Slide Requirements to achieve Late Binding Provisioning of Network Warehousing of Manufacturer Device. Topology. Credentials only Device. Kind and quantity used for Final destination Internet, of credentials onboarding may not be known Intranet, varies Closed Network Security of device identity Flexibility of supply chain Different clouds use Different destinations have different credentials different networks Ownership Voucher Separate authentication from Service / Info. Data Structure for Late Binding Flexibility of provisioning for Late Binding 9 Tech Slide FDO Ownership Voucher The Ownership Voucher is a digital textual message. It is cryptographically mated to the Device factory credentials, so that it allows the IOT Device to distinguish the late-bound Owner, even if both are in a closed network Ownership Voucher Manufacturer Supply Chain Credentials Onboarding Cloud Routing steps + (the “Owner”) Device Credentials Device (Signatures) FDO Protocols Credentials End of Chain (e.g., certificate) Manufacturer Key Supplier Key Owner Key Device Key 10 Aligning FDO to Use Case and Ecosystem Broad CSP & On-prem IoT Platform ISV Suite Silicon/device SI Ready Connectivity Support Ecosystem Support Good fit Poor fit ▪ Mass produced devices: ? ▪ Custom build-to-order devices: thermometers, sensors, actuators, controls, manufactured for specific customer lighting, medical, edge servers, etc. ▪ Single-ecosystem devices: ▪ Multi-ecosystem applications and services: manufactured for specific service not tied to specific cloud framework ▪ Extremely constrained platforms: ▪ Distributor sales : thresholds TBD deliver from stock, specify binding info after ▪ Deployments with no or inadequate connectivity: sale to customer specific use-cases TBD ▪ Device resale / redeploy: reset to factory conditions repeat onboarding process with new credentials Tech Slide FDO vs SDO Intel ® Secure Device Onboard (SDO) FDO/SDO Syntactic Differences was submitted to FIDO for consideration • CBOR • FDO is based on SDO, functionally • COSE - including authenticated very similar. encryption • FIDO plans to add “trusted installer” functionality – not available in FDO • EAT 1.0. FDO/SDO Functional differences • FIDO WD02 released 7/30/2020 • Crypto profile (one) • FIDO RD01 published 12/02/202 • ServiceInfo is one CBOR type (normative feature freeze) • Multi rounds of ServiceInfo • Message order, names changed to put SDO/FDO Differences in terminology all authentication first. • TEE → ROE • More crypto (COSE), better KDF • AppID → Multi Application ROE Prefix • Rendezvous bypass added (MAROEPrefix) • TBD: FDO IANA Assigned numbers FIDO Device Onboard 13 CONFIDENTIAL | © FIDO Alliance 2021.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    13 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us