Integration of secure elements into OPC UA Security using ISO/IEC TS 30168
OPC DAY 2023, Markus Heintel
Unrestricted | Siemens 2023 | Markus Heintel | T CST SES-DE | 2023-06-20

Speaker

Markus Heintel
- Working at Siemens Technology, Cybersecurity & Trust, Security for Embedded Systems as Lead Architect for Smart Manufacturing Security
- Several years experience with integrated circuit cards and smart card middleware
- Security expert in IEC TC65 WG23 and WG24
- Editor for TS 30168 at ISO/IEC JTC 1 SC41 WG3

Agenda

- OPC UA Security and secure elements
- Secure element technologies and capabilities
- ISO/IEC TS 30168 “Generic Trust Anchor API for Industrial IoT Devices”
- Ongoing standardization activities for ISO/IEC TS 30168 and next steps

Use of secure elements within the OPC UA Security Architecture

[Figure: OPC UA security architecture with secure elements marked. Labels: password, password verifier. TC: Trusted Certificate, EE: End Entity.]
Source: OPC UA Part 2, Figure 2 OPC UA security architecture, https://reference.opcfoundation.org/Core/Part2/v104/docs/4.5

Considering secure elements for OPC UA device onboarding

- Use of existing manufacturer credentials to authenticate devices (for example, IEEE 802.1AR IDevID)
- Secure on-device generation of new private keys
- Ensure only legitimate trust lists are accepted and installed on the device

[Figure: sequence diagram between DCA Client, Registrar and Certificate Manager. Labels in order: ProvideIdentities; Selected Device Identity Certificate; Create SecureChannel with Selected Identity; StartSigningRequest/FinishSigningRequest; DCA Certificate; Get TrustList; DCA TrustList; Create SecureChannel with DCA Certificate; loop: until all applications registered; loop: until all application certificates updated; StartSigningRequest/FinishSigningRequest; Application Instance Certificate; GetTrustList; TrustList.]
Simplified illustration according to OPC UA Part 21, Figure 4 & 5 Pull Management, https://reference.opcfoundation.org/Onboarding/v105/docs/7.2
Source: OPC UA Part 21, Figure 2

Secure element technologies and capabilities

Different technologies
- Software obfuscation
- Immutable memory (ROM, Fuses)
- Physical un-cloneable functions (PUFs)
- CPU and SoC built-in functionality
- Trusted Execution Environments
- FPGA design-IPs
- Dedicated security controllers (ISO 7816, TCG TPM, Java Card)

Different security capabilities
- Integrity protected storage of data
- Providing a single bootstrap secret
- Confidentiality protected storage of data
- Protected use of keys
- Implementation of arbitrary security functions/services

ISO/IEC TS 30168 (CD3): “component (typically a one chip secure microcontroller) capable of securely hosting functionalities and/or confidential and cryptographic data (for example cryptographic keys) in accordance with well-defined rules and security requirements”

Application Programming Interface

A unified API will facilitate the integration of crypto-based security:
- Different secure element suppliers and technologies from multiple sources
- Increase market flexibility / Address regional crypto requirements
- Crypto agility
- Long-term security / Migration to new generation of secure elements

[Figure: block diagram. Labels: Device Identity, secure element, SE, Application Programming Interface, IIoT Application, Device Management.]

Introducing ISO/IEC TS 30168 “Generic Trust Anchor API for IIoT Devices”

ISO/IEC TS 30168 “Generic Trust Anchor API for Industrial IoT Devices” is developed to provide such an application interface.

[Figure: block diagram. Labels: Device Identity, secure element, SE, Generic Trust Anchor API, IIoT Application, Device Management.]

Core security capabilities for IIoT devices:
- Know who it is - the device knows its own identity and is able to prove it to others
- Know its partners - the device is able to authenticate its peers
- Protect itself - the device is able to ensure the integrity and confidentiality of its own genuine information

trust anchor: an essential security capability that, by definition, must be trusted

Generic Trust Anchor API Design goals

- Encapsulate storage and use of information critical for device trust into a secure element
- Provide central point for device trust management
- Allow easy implementation of functionality depending on trusted information
- Ensure consistent life-cycle management of IIoT device and security objects bound to its secure element along the supply chain
- Control access to secure element resources
- Separation of stakeholders along the supply chain
- Support unattended operation
- Isolation of applications
- Application context binding
- Effective use of native capabilities of actual secure element

GTA API Standardization activities

International Standardization takes place in ISO/IEC SC41 WG3
- IEC JTC 1/SC 41/WG 3: IEC 30168 Project Editor: Markus Heintel (DE)
- IEC 30168 Co-Editors: Nobuaki Suzuki (JP), Bjoern Flubacher (DE), Detlef Tenhagen (DE), Dr. Wolfgang Klasen (DE)
- Project Dashboard: https://www.iec.ch/dyn/www/f?p=103:23:200972840927191:FSP_ORG_ID,FSP_LANG_ID:20486,25
- Latest CD: https://documents.iec.ch/ords/f?p=700:610:P610_DOCUMENT_FILE_ID:3093883

German Mirror DIN NA 043-01-41-02 AK
- Lead AK GTA API: Dr. Wolfgang Klasen
- Chairman of the DIN NA 043-01-41 IoT (AA): Detlef Tenhagen

Liaisons (initiated) towards OPC Foundation, JTC1 SC17, JTC1 SC27, ISO TC292

[Figure: standardization timeline. Labels in order: PWI 11/2019; JTC1-SC41/142/NP 02/2021, 05/2021 approved; Init; NWIP; Working Draft; CD1: JTC1-SC41/234A/CD, CD1 for TS 30168, 07/2021-08/2021, DOC; CD2: JTC1-SC41/268/CD, CD2 for TS 30168, 01/2022-04/2022, DOC; DTS; ISO/IEC TS 30168; OPC UA MOCA GTA Profile; today; CD3: JTC1-SC41/268/CD, CD3 for TS 30168, 10/2022-12/2022; DOC 04/2023 Decision on DTS circulation 06/2023 Voting result 08/2023.]

NWIP: New Work Item Proposal
CD: Committee Draft
DOC: Disposition of Comments
DTS: Draft Technical Specification

GTA API - Cooperation between DIN and OPC UA

MOCA Scope

The project will define a UA companion specification and, if needed, other specifications. These will include the definition of GTA API profiles as introduced by ISO/IEC TS 30168 to facilitate the use of security information on secure elements from OPC UA applications.

Example applications are:
- authentication, verification, and establishment of security associations for OPC UA communication
- user authentication

To prove and verify the conceptional and standardization work, there will be practical setups including software and tests of the specified details organized in parallel.

- Call for experts: June 2023
- Development of draft specification: planned till autumn 2024
- Development of demonstrator: planned till end of 2024

MOCA: Multi-Organization Collaboration Agreement

Thank You

Contact
Siemens AG
Cybersecurity & Trust
Markus Heintel
T CST SES-DE
E-mail