SlideShare a Scribd company logo

FIPS 140-2 Validations in a Secure Enclave

wolfSSL
wolfSSL

Secure enclaves are becoming a popular way to separate and protect sensitive code and data from other processes running on a system. A FIPS 140-2 validated cryptographic software module is currently required to run power-on self tests when loaded, but security of the module can be taken one step further by validating the module inside a secure enclave, such as Intel SGX. wolfSSL has been working on FIPS 140-2 validating the wolfCrypt library running inside an Intel SGX enclave. This session will discuss the advantages, challenges, and process of FIPS 140-2 validating a cryptographic software module inside Intel SGX and how the same process could be applied to other secure enclave environments.

1 of 39
Downloaded 15 times
FIPS 140-2 Validations In a Secure Enclave Chris Conlon ICMC18, May 8-11, 2018 Shaw Centre | Ottawa, Ontario, Canada
A. Overview of wolfSSL and wolfCrypt FIPS B. Secure Enclaves C. FIPS 140-2 Enclave Validations a. Advantages b. Challenges D. Validation Process inside Intel SGX Outline
Introduction to wolfSSL
Introduction to wolfSSL - Products
Introduction to wolfSSL - Open Source ● Dual Licensed - source code available as open source GPLv2 or commercial ● Available for download at: ○ wolfSSL website: www.wolfssl.com/download ○ GitHub: www.github.com/wolfSSL ● Professional support direct from engineers ● Consulting services for validations, integration, or new features
What is a Secure Enclave? ● A secure enclave can also be referred to as “Trusted Execution Environment (TEE)” ● Can be implemented through software or hardware, depending on the implementation ● Enclave is a protected area in the application’s address space ○ Separates and protects sensitive code / data from other processes ○ Provides a secure area where code can be stored and executed
What is a Secure Enclave? ● Intel Technologies ○ TXT (Trusted Execution Technology) uses a TPM and cryptographic algorithms to permit a verifiably secure installation, launch, and use of a hypervisor or operating system (OS) ■ Launched on Xeon 5600 series processors in 2010 ○ SGX (Software Guard Extensions) extensions allow an application to instantiate a protected container, which provides confidentiality and integrity ■ Launched on Intel 6th generation Skylake processors in 2015
What is a Secure Enclave? ● Other TEE Technologies ○ ARM TrustZone ○ AMD SME/SEV ○ Qualcomm QSEE/SecureMSM ○ Apple iPhone Secure Enclave ○ ...
Why would you want to FIPS 140-2 validate inside an TEE?
Traditional FIPS 140-2 Validations ● When software module is first loaded, two things happen: 1. Power-On Integrity Check ■ Guarantee object files have not changed between compile time and run time 2. Known Answer Tests ■ Verifies algorithm implementation is operating correctly ● Shared library default entry point is used to execute these #define INITIALIZER(f) static void __attribute__((constructor)) f(void)
Traditional FIPS 140-2 Validations
Traditional FIPS 140-2 Validations ● Traditional validation checks and tests work well, unless a malicious user or privileged process has physical access to the system’s memory ● Malicious actor could then potentially do any number of things: ■ Modify object files and change the comparison hash for the In-Core Integrity check ■ Modify the object code responsible for KAT’s ■ Modify the memory areas containing the core crypto code
to Enclave / TEE-based Validations Advantages
Advantages of Enclave-Based Validations ● Doing a validation INSIDE a secure enclave / TEE: ✓ Adds layer of protection for cryptographic module against privileged users (OS, BIOS, drivers, etc) ✓ Provides confidentiality of code and data - unable to view or analyze running cryptographic module memory ✓ Provides integrity assurance for the duration of the executable / enclave lifetime ✓ Allows use of enclave in government and DoD projects, since FIPS 140-2 is commonly a requirement
Advantages of Enclave-Based Validations ✓ Provides a more secure environment when running in an untrusted environment (cloud server, etc) ? ? ?
of Enclave / TEE-based Validations Challenges
Challenges of Enclave-Based Validations ● Determining best enclave entry point structure ○ Where should untrusted code call into the enclave at? ● Passing data and files TO/FROM the enclave ○ Needed to run CAVP vector files through crypto module ● Limiting crypto module dependencies external to the enclave ○ Source of entropy? ○ System calls not available in enclave
FIPS 140-2 - Intel SGX Validation wolfCrypt
Intel SGX Overview ● Intel SGX Overview ○ Creates a protected container (enclave) where legitimate software can be sealed inside ( image source: https://software.intel.com/en-us/sgx/details )
Intel SGX ● Intel SGX Overview ○ Provides memory protection through encryption ○ Provides integrity of the enclave contents ○ Can generate enclave specific keys ○ Protects sensitive operations against outside inspection ( image source: https://software.intel.com/en-us/sgx/details )
Intel SGX ● Intel SGX Hardware Support ○ Hardware added in Intel’s 6th generation (Skylake) processors or later ○ To use the SGX feature it must be enabled in the BIOS ○ One Intel CPU can have multiple secure enclaves ○ Enclave physical memory is encrypted by processor
Current wolfCrypt FIPS OE List Operating System Processor Platform 1 Linux 3.13 (Ubuntu) Intel® Core™ i7-3720QM CPU @2.60GHz x 8 HP EliteBook 2 iOS 8.1 Apple™ A8 iPhone™ 6 3 Android 4.4 Qualcomm Krait 400 Samsung Galaxy S5 4 FreeRTOS 7.6 ST Micro STM32F uTrust TS Reader 5 Windows 7 (64-bit) Intel® Core™ i5 Sony Vaio Pro 6 Linux 3.0 (SLES 11 SP4, 64-bit) Intel® Xeon® E3-1225 Imprivata OneSign 7 Linux 3.0 (SLES 11 SP4, 64-bit) on Microsoft Hyper-V 2012R2 Core Intel® Xeon® E5-2640 Dell® PowerEdge™ r630 8 Linux 3.0 (SLES 11 SP4, 64-bit) on VMWare ESXi 5.5.0 Intel® Xeon® E5-2640 Dell® PowerEdge™ r630 9 Windows 7 (64-bit) on VMWare ESXi 5.5.0 Intel® Xeon® E5-2640 Dell® PowerEdge™ r630 Certificate #2425
Current wolfCrypt FIPS OE List Operating System Processor Platform 10 Android Dalvik 4.2.2 NXP i.MX6 MXT-700-NC 7” touch panel 11 Linux 4.1.15 NXP i.MX5 NX-1200 NetLinx NX Integrated Controller 12 Debian 8.8 Intel Xeon 1275v3 CA PAM 304L Server 13 Windows Server 2012R2 Intel Xeon E5335 Physical x64 Server(s) 14 Windows 7 Professional SP1 Intel Core i7-2640M Dell Latitude E6520 15 Debian 8.7.0 Intel Xeon E3 Family with SGX support Intel x64 Server System R1304SP 16 Windows 10 Pro Intel Core i5 with SGX support Dell Latitude 7480 17 NET+OS v7.6 Digi International NS9210 Sigma IV infusion pump Certificate #2425 - New OE’s in 2017-2018
Approved and Validated Crypto Algorithms Algorithm Description Cert # AES [FIPS 197, SP 800-38A] (Encryption, Decryption) Modes: CBC, CTR, Key sizes: 128, 192, 256 bits 3157, 3330, 3417, 3490, 3508, 4635, 4772, 5244, 5325 DRBG [SP 800-90A] (Hash_DRBG) Security Strengths: 256 bits 650, 775, 821, 863, 875, 1561, 1566, 1651, 2006, 2055 HMAC [FIPS 198-1] (Generation, Verification) SHA sizes: SHA-1, SHA-256, SHA-384, and SHA-512 1990, 2121, 2175, 2228, 2241, 3068, 3075, 3183, 3471, 3523 RSA [FIPS 186-4, and PKCS #1 v2.1 (PKCS1.5)] (Signature Generation, Signature Verification) Key sizes: 1024 (verification only), 2048 1602, 1710, 1749, 1791, 1803, 2530, 2534, 2612, 2804, 2853 SHA [FIPS 180-4] (Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications). SHA sizes: SHA-1, SHA-256, SHA-384, SHA-512 2614, 2763, 2823, 2882, 2893, 3799, 3806, 3915, 4222, 4277 Triple-DES (TDES) [SP 800-20] (Encryption, Decryption) Modes: TCBC, Key sizes: 3-key 1800, 1901, 1928, 1966, 1972, 2465, 2470, 2535, 2652, 2687
● Independent of SSL/TLS ● Design simplifies updates ● Most bugs and vulnerabilities happen in SSL/TLS, not crypto wolfCrypt FIPS Object Module
● SGX enclave structure with wolfCrypt only ● FIPS 140-2 boundary only around “wolfCrypt FIPS” wolfCrypt FIPS Object Module in SGX
● SGX enclave structure with wolfCrypt and wolfSSL SSL/TLS Library ● FIPS 140-2 boundary only around “wolfCrypt FIPS” wolfCrypt FIPS Object Module in SGX
Intel SGX OE Validation Process ● Unique steps to SGX OE Validation: ○ Port wolfCrypt to run inside Intel SGX ○ Map system calls as SGX trusted entry points ○ Map wolfSSL and wolfCrypt API as SGX trusted entry points ○ Modify CAVP test harness to read vector files in untrusted section, pass via buffer into trusted enclave
Intel SGX OE Validation Process ● Port wolfSSL / wolfCrypt to run inside Intel SGX enclave ○ Modify random.c to get entropy from Intel SGX API ■ sgx_read_rand() ■ /dev/random, /dev/urandom would have been outside enclave ○ Use Intel intrinsics by default ■ _lrotr() ■ _lrotl()
Intel SGX OE Validation Process ● Map system calls as SGX trusted entry points (OCALLs) ○ printf() - for logging/debugging ■ ocall_print_string() ○ gettimeofday() - get the current time in seconds since Epoch ■ ocall_current_time() ○ get struct timeval seconds ■ ocall_low_res_time() ○ send() - network send function ■ ocall_send() ○ recv() - network recv function ■ ocall_recv()
Intel SGX OE Validation Process ● Map wolfSSL and wolfCrypt API as SGX trusted entry points ○ Add wrapper functions exposing wolfSSL and wolfCrypt API: ■ public int enc_wolfSSL_Init(void); ■ public WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void); ■ public WOLFSSL_METHOD* enc_wolfTLSv1_2_server_method(void); ■ public int enc_wc_InitRng([user_check] WC_RNG* rng); ■ public int enc_wc_FreeRng([user_check] WC_RNG* rng); ■ public int enc_wc_InitRsaKey([user_check] RsaKey* key, [user_check] void* ptr); ■ etc...
Intel SGX OE Validation Process ● Modify CAVP test harness to read vector files in untrusted section, pass via buffer into trusted enclave
Intel SGX OE Demo! ● Demo of wolfSSL’s test app inside an SGX Enclave $ ./App Usage: -t Run wolfCrypt tests only -b Run wolfCrypt benchmarks in enclave -c Run a TLS client in enclave -s Run a TLS server in enclave Operating System Processor Platform 15 Debian 8.7.0 Intel Xeon E3 Family with SGX support Intel x64 Server System R1304SP
Intel SGX OE Demo! ● Demo of wolfSSL’s test app inside an SGX Enclave $ ./App -t Crypt Test: error test passed! base64 test passed! asn test passed! MD5 test passed! MD4 test passed! SHA test passed! SHA-256 test passed! ... ECC test passed! ECC buffer test passed! logging test passed! mutex test passed! memcb test passed! Crypt Test: Return code 0 $ ./App -b Benchmark Test: wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each) RNG 130 MB took 1.016 seconds, 127.979 MB/s AES-128-CBC-enc 255 MB took 1.004 seconds, 253.880 MB/s AES-128-CBC-dec 285 MB took 1.013 seconds, 281.257 MB/s AES-192-CBC-enc 225 MB took 1.013 seconds, 222.205 MB/s AES-192-CBC-dec 245 MB took 1.000 seconds, 244.950 MB/s AES-256-CBC-enc 200 MB took 1.015 seconds, 196.992 MB/s … ECC 256 key gen 1155 ops took 1.000 sec, avg 0.866 ms, 1154.727 ops/sec ECDHE 256 agree 1200 ops took 1.022 sec, avg 0.852 ms, 1173.816 ops/sec ECDSA 256 sign 1200 ops took 1.048 sec, avg 0.873 ms, 1145.563 ops/sec ECDSA 256 verify 600 ops took 1.023 sec, avg 1.705 ms, 586.548 ops/sec Benchmark Test: Return code 0
What’s up for the Future? ● Possibilities for the future, depending on customer demand: ○ More SGX Operating Environments ○ Expanded FIPS 140-2 algorithm boundary ○ FIPS 140-2 validations in other TEE environments ○ What do you want to see?
wolfSSL Library Makefile for SGX ● wolfSSL SGX Static Library Project ○ Creates a static wolfSSL library for use with SGX enclaves ○ Assumes user has already: ■ Enabled SGX in BIOS ■ Installed necessary software from Intel ○ Distributed with wolfSSL: ■ https://github.com/wolfSSL/wolfssl/tree/master/IDE/LINUX-SGX
wolfSSL SGX Examples ● Non-FIPS Examples Available on GitHub ○ Examples include: ■ TLS Client in an enclave ■ TLS Server in an enclave ■ wolfCrypt tests in an enclave ■ wolfCrypt benchmarks in an enclave ○ For Linux and Windows ■ https://github.com/wolfSSL/wolfssl-examples/tree/master/SGX_Linux ■ https://github.com/wolfSSL/wolfssl-examples/tree/master/SGX_Windows
A. Overview of Secure Enclaves a. Advantages b. Challenges B. FIPS 140-2 inside Intel SGX a. Intel SGX b. Changes required c. Validation Process Summary
Thanks! Questions? info@wolfssl.com www.wolfssl.com
Ad

Recommended

wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3
wolfSSL
 
wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018
wolfSSL
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol Design
Nate Lawson
 
IPsec on Mikrotik
IPsec on MikrotikIPsec on Mikrotik
IPsec on Mikrotik
GLC Networks
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
Nishant Pahad
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
n|u - The Open Security Community
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and ssl
Mohd Arif
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
Nate Lawson
 
Ssh (The Secure Shell)
Ssh (The Secure Shell)Ssh (The Secure Shell)
Ssh (The Secure Shell)
Mehedi Farazi
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
inaz2
 
SSH.ppt
SSH.pptSSH.ppt
SSH.ppt
joekr1
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
Dr Anjan Krishnamurthy
 
St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)
Andrew Denner
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
SSL247®
 
TLS Optimization
TLS OptimizationTLS Optimization
TLS Optimization
Nate Lawson
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
Monodip Singha Roy
 
Transport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal WadhwaTransport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal Wadhwa
Mrinal Wadhwa
 
Secure shell
Secure shellSecure shell
Secure shell
Arjun Aj
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атаки
Positive Hack Days
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
Maarten Smeets
 
Secure SHell
Secure SHellSecure SHell
Secure SHell
Çağrı Çakır
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocol
Baspally Sai Anirudh
 
SSL
SSLSSL
SSL
Duy Do Phan
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
Pina Parmar
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGP
Sarang Ananda Rao
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
Ghanshyam Patel
 
security in transport layer ssl
security in transport layer ssl security in transport layer ssl
security in transport layer ssl
STUDENT
 
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptxProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
Vivek Kumar
 
Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!
All Things Open
 
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdfBKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
satyabratmallaBujarb
 
Ad

More Related Content

What's hot (19)

Ssh (The Secure Shell)
Ssh (The Secure Shell)Ssh (The Secure Shell)
Ssh (The Secure Shell)
Mehedi Farazi
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
inaz2
 
SSH.ppt
SSH.pptSSH.ppt
SSH.ppt
joekr1
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
Dr Anjan Krishnamurthy
 
St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)
Andrew Denner
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
SSL247®
 
TLS Optimization
TLS OptimizationTLS Optimization
TLS Optimization
Nate Lawson
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
Monodip Singha Roy
 
Transport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal WadhwaTransport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal Wadhwa
Mrinal Wadhwa
 
Secure shell
Secure shellSecure shell
Secure shell
Arjun Aj
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атаки
Positive Hack Days
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
Maarten Smeets
 
Secure SHell
Secure SHellSecure SHell
Secure SHell
Çağrı Çakır
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocol
Baspally Sai Anirudh
 
SSL
SSLSSL
SSL
Duy Do Phan
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
Pina Parmar
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGP
Sarang Ananda Rao
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
Ghanshyam Patel
 
security in transport layer ssl
security in transport layer ssl security in transport layer ssl
security in transport layer ssl
STUDENT
 
Ssh (The Secure Shell)
Ssh (The Secure Shell)Ssh (The Secure Shell)
Ssh (The Secure Shell)
Mehedi Farazi
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
inaz2
 
SSH.ppt
SSH.pptSSH.ppt
SSH.ppt
joekr1
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
Dr Anjan Krishnamurthy
 
St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)
Andrew Denner
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
SSL247®
 
TLS Optimization
TLS OptimizationTLS Optimization
TLS Optimization
Nate Lawson
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
Monodip Singha Roy
 
Transport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal WadhwaTransport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal Wadhwa
Mrinal Wadhwa
 
Secure shell
Secure shellSecure shell
Secure shell
Arjun Aj
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атаки
Positive Hack Days
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
Maarten Smeets
 
Secure SHell
Secure SHellSecure SHell
Secure SHell
Çağrı Çakır
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocol
Baspally Sai Anirudh
 
SSL
SSLSSL
SSL
Duy Do Phan
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
Pina Parmar
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGP
Sarang Ananda Rao
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
Ghanshyam Patel
 
security in transport layer ssl
security in transport layer ssl security in transport layer ssl
security in transport layer ssl
STUDENT
 

Similar to FIPS 140-2 Validations in a Secure Enclave (20)

ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptxProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
Vivek Kumar
 
Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!
All Things Open
 
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdfBKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
satyabratmallaBujarb
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
Linaro
 
Serie dei nuovi processori Xeon Scalabili - Yashi Italia
Serie dei nuovi processori Xeon Scalabili - Yashi ItaliaSerie dei nuovi processori Xeon Scalabili - Yashi Italia
Serie dei nuovi processori Xeon Scalabili - Yashi Italia
Yashi Italia
 
OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...
OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...
OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...
Dmytro Korzhevin
 
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...
OpenNebula Project
 
Configure ssh cell
Configure ssh cellConfigure ssh cell
Configure ssh cell
Andre Septian
 
DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith WilesDPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith Wiles
Jim St. Leger
 
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Michelle Holley
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakes
Justin Black
 
Intels presentation at blue line industrial computer seminar
Intels presentation at blue line industrial computer seminarIntels presentation at blue line industrial computer seminar
Intels presentation at blue line industrial computer seminar
Blue Line
 
DPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway ApplicationDPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway Application
Michelle Holley
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit -
wolfSSL
 
Caliptra silicon Root-of-Trust IP introduction
Caliptra silicon Root-of-Trust IP introductionCaliptra silicon Root-of-Trust IP introduction
Caliptra silicon Root-of-Trust IP introduction
Chiawei Wang
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
Chris Sistrunk
 
Intel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology OverviewIntel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology Overview
Michelle Holley
 
Secure IoT Firmware for RISC-V
Secure IoT Firmware for RISC-VSecure IoT Firmware for RISC-V
Secure IoT Firmware for RISC-V
RISC-V International
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Kuniyasu Suzaki
 
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...
mjos
 
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptxProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
Vivek Kumar
 
Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!
All Things Open
 
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdfBKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
satyabratmallaBujarb
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
Linaro
 
Serie dei nuovi processori Xeon Scalabili - Yashi Italia
Serie dei nuovi processori Xeon Scalabili - Yashi ItaliaSerie dei nuovi processori Xeon Scalabili - Yashi Italia
Serie dei nuovi processori Xeon Scalabili - Yashi Italia
Yashi Italia
 
OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...
OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...
OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...
Dmytro Korzhevin
 
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...
OpenNebula Project
 
Configure ssh cell
Configure ssh cellConfigure ssh cell
Configure ssh cell
Andre Septian
 
DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith WilesDPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith Wiles
Jim St. Leger
 
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Michelle Holley
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakes
Justin Black
 
Intels presentation at blue line industrial computer seminar
Intels presentation at blue line industrial computer seminarIntels presentation at blue line industrial computer seminar
Intels presentation at blue line industrial computer seminar
Blue Line
 
DPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway ApplicationDPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway Application
Michelle Holley
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit -
wolfSSL
 
Caliptra silicon Root-of-Trust IP introduction
Caliptra silicon Root-of-Trust IP introductionCaliptra silicon Root-of-Trust IP introduction
Caliptra silicon Root-of-Trust IP introduction
Chiawei Wang
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
Chris Sistrunk
 
Intel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology OverviewIntel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology Overview
Michelle Holley
 
Secure IoT Firmware for RISC-V
Secure IoT Firmware for RISC-VSecure IoT Firmware for RISC-V
Secure IoT Firmware for RISC-V
RISC-V International
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Kuniyasu Suzaki
 
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...
mjos
 
Ad

More from wolfSSL (7)

wolfSSL Performance Improvements 2018
wolfSSL Performance Improvements 2018wolfSSL Performance Improvements 2018
wolfSSL Performance Improvements 2018
wolfSSL
 
wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013
wolfSSL
 
Secure Communication: Usability and Necessity of SSL/TLS
Secure Communication: Usability and Necessity of SSL/TLSSecure Communication: Usability and Necessity of SSL/TLS
Secure Communication: Usability and Necessity of SSL/TLS
wolfSSL
 
Kerberos + Android: A Tale of Opportunity
Kerberos + Android: A Tale of OpportunityKerberos + Android: A Tale of Opportunity
Kerberos + Android: A Tale of Opportunity
wolfSSL
 
yaSSL 2010-2011 Technical and Community Update
yaSSL 2010-2011 Technical and Community UpdateyaSSL 2010-2011 Technical and Community Update
yaSSL 2010-2011 Technical and Community Update
wolfSSL
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSL
wolfSSL
 
Securing memcache
Securing memcacheSecuring memcache
Securing memcache
wolfSSL
 
wolfSSL Performance Improvements 2018
wolfSSL Performance Improvements 2018wolfSSL Performance Improvements 2018
wolfSSL Performance Improvements 2018
wolfSSL
 
wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013
wolfSSL
 
Secure Communication: Usability and Necessity of SSL/TLS
Secure Communication: Usability and Necessity of SSL/TLSSecure Communication: Usability and Necessity of SSL/TLS
Secure Communication: Usability and Necessity of SSL/TLS
wolfSSL
 
Kerberos + Android: A Tale of Opportunity
Kerberos + Android: A Tale of OpportunityKerberos + Android: A Tale of Opportunity
Kerberos + Android: A Tale of Opportunity
wolfSSL
 
yaSSL 2010-2011 Technical and Community Update
yaSSL 2010-2011 Technical and Community UpdateyaSSL 2010-2011 Technical and Community Update
yaSSL 2010-2011 Technical and Community Update
wolfSSL
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSL
wolfSSL
 
Securing memcache
Securing memcacheSecuring memcache
Securing memcache
wolfSSL
 
Ad

Recently uploaded (20)

Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 

FIPS 140-2 Validations in a Secure Enclave

  • 1. FIPS 140-2 Validations In a Secure Enclave Chris Conlon ICMC18, May 8-11, 2018 Shaw Centre | Ottawa, Ontario, Canada
  • 2. A. Overview of wolfSSL and wolfCrypt FIPS B. Secure Enclaves C. FIPS 140-2 Enclave Validations a. Advantages b. Challenges D. Validation Process inside Intel SGX Outline
  • 5. Introduction to wolfSSL - Open Source ● Dual Licensed - source code available as open source GPLv2 or commercial ● Available for download at: ○ wolfSSL website: www.wolfssl.com/download ○ GitHub: www.github.com/wolfSSL ● Professional support direct from engineers ● Consulting services for validations, integration, or new features
  • 6. What is a Secure Enclave? ● A secure enclave can also be referred to as “Trusted Execution Environment (TEE)” ● Can be implemented through software or hardware, depending on the implementation ● Enclave is a protected area in the application’s address space ○ Separates and protects sensitive code / data from other processes ○ Provides a secure area where code can be stored and executed
  • 7. What is a Secure Enclave? ● Intel Technologies ○ TXT (Trusted Execution Technology) uses a TPM and cryptographic algorithms to permit a verifiably secure installation, launch, and use of a hypervisor or operating system (OS) ■ Launched on Xeon 5600 series processors in 2010 ○ SGX (Software Guard Extensions) extensions allow an application to instantiate a protected container, which provides confidentiality and integrity ■ Launched on Intel 6th generation Skylake processors in 2015
  • 8. What is a Secure Enclave? ● Other TEE Technologies ○ ARM TrustZone ○ AMD SME/SEV ○ Qualcomm QSEE/SecureMSM ○ Apple iPhone Secure Enclave ○ ...
  • 9. Why would you want to FIPS 140-2 validate inside an TEE?
  • 10. Traditional FIPS 140-2 Validations ● When software module is first loaded, two things happen: 1. Power-On Integrity Check ■ Guarantee object files have not changed between compile time and run time 2. Known Answer Tests ■ Verifies algorithm implementation is operating correctly ● Shared library default entry point is used to execute these #define INITIALIZER(f) static void __attribute__((constructor)) f(void)
  • 11. Traditional FIPS 140-2 Validations
  • 12. Traditional FIPS 140-2 Validations ● Traditional validation checks and tests work well, unless a malicious user or privileged process has physical access to the system’s memory ● Malicious actor could then potentially do any number of things: ■ Modify object files and change the comparison hash for the In-Core Integrity check ■ Modify the object code responsible for KAT’s ■ Modify the memory areas containing the core crypto code
  • 13. to Enclave / TEE-based Validations Advantages
  • 14. Advantages of Enclave-Based Validations ● Doing a validation INSIDE a secure enclave / TEE: ✓ Adds layer of protection for cryptographic module against privileged users (OS, BIOS, drivers, etc) ✓ Provides confidentiality of code and data - unable to view or analyze running cryptographic module memory ✓ Provides integrity assurance for the duration of the executable / enclave lifetime ✓ Allows use of enclave in government and DoD projects, since FIPS 140-2 is commonly a requirement
  • 15. Advantages of Enclave-Based Validations ✓ Provides a more secure environment when running in an untrusted environment (cloud server, etc) ? ? ?
  • 16. of Enclave / TEE-based Validations Challenges
  • 17. Challenges of Enclave-Based Validations ● Determining best enclave entry point structure ○ Where should untrusted code call into the enclave at? ● Passing data and files TO/FROM the enclave ○ Needed to run CAVP vector files through crypto module ● Limiting crypto module dependencies external to the enclave ○ Source of entropy? ○ System calls not available in enclave
  • 18. FIPS 140-2 - Intel SGX Validation wolfCrypt
  • 19. Intel SGX Overview ● Intel SGX Overview ○ Creates a protected container (enclave) where legitimate software can be sealed inside ( image source: https://software.intel.com/en-us/sgx/details )
  • 20. Intel SGX ● Intel SGX Overview ○ Provides memory protection through encryption ○ Provides integrity of the enclave contents ○ Can generate enclave specific keys ○ Protects sensitive operations against outside inspection ( image source: https://software.intel.com/en-us/sgx/details )
  • 21. Intel SGX ● Intel SGX Hardware Support ○ Hardware added in Intel’s 6th generation (Skylake) processors or later ○ To use the SGX feature it must be enabled in the BIOS ○ One Intel CPU can have multiple secure enclaves ○ Enclave physical memory is encrypted by processor
  • 22. Current wolfCrypt FIPS OE List Operating System Processor Platform 1 Linux 3.13 (Ubuntu) Intel® Core™ i7-3720QM CPU @2.60GHz x 8 HP EliteBook 2 iOS 8.1 Apple™ A8 iPhone™ 6 3 Android 4.4 Qualcomm Krait 400 Samsung Galaxy S5 4 FreeRTOS 7.6 ST Micro STM32F uTrust TS Reader 5 Windows 7 (64-bit) Intel® Core™ i5 Sony Vaio Pro 6 Linux 3.0 (SLES 11 SP4, 64-bit) Intel® Xeon® E3-1225 Imprivata OneSign 7 Linux 3.0 (SLES 11 SP4, 64-bit) on Microsoft Hyper-V 2012R2 Core Intel® Xeon® E5-2640 Dell® PowerEdge™ r630 8 Linux 3.0 (SLES 11 SP4, 64-bit) on VMWare ESXi 5.5.0 Intel® Xeon® E5-2640 Dell® PowerEdge™ r630 9 Windows 7 (64-bit) on VMWare ESXi 5.5.0 Intel® Xeon® E5-2640 Dell® PowerEdge™ r630 Certificate #2425
  • 23. Current wolfCrypt FIPS OE List Operating System Processor Platform 10 Android Dalvik 4.2.2 NXP i.MX6 MXT-700-NC 7” touch panel 11 Linux 4.1.15 NXP i.MX5 NX-1200 NetLinx NX Integrated Controller 12 Debian 8.8 Intel Xeon 1275v3 CA PAM 304L Server 13 Windows Server 2012R2 Intel Xeon E5335 Physical x64 Server(s) 14 Windows 7 Professional SP1 Intel Core i7-2640M Dell Latitude E6520 15 Debian 8.7.0 Intel Xeon E3 Family with SGX support Intel x64 Server System R1304SP 16 Windows 10 Pro Intel Core i5 with SGX support Dell Latitude 7480 17 NET+OS v7.6 Digi International NS9210 Sigma IV infusion pump Certificate #2425 - New OE’s in 2017-2018
  • 24. Approved and Validated Crypto Algorithms Algorithm Description Cert # AES [FIPS 197, SP 800-38A] (Encryption, Decryption) Modes: CBC, CTR, Key sizes: 128, 192, 256 bits 3157, 3330, 3417, 3490, 3508, 4635, 4772, 5244, 5325 DRBG [SP 800-90A] (Hash_DRBG) Security Strengths: 256 bits 650, 775, 821, 863, 875, 1561, 1566, 1651, 2006, 2055 HMAC [FIPS 198-1] (Generation, Verification) SHA sizes: SHA-1, SHA-256, SHA-384, and SHA-512 1990, 2121, 2175, 2228, 2241, 3068, 3075, 3183, 3471, 3523 RSA [FIPS 186-4, and PKCS #1 v2.1 (PKCS1.5)] (Signature Generation, Signature Verification) Key sizes: 1024 (verification only), 2048 1602, 1710, 1749, 1791, 1803, 2530, 2534, 2612, 2804, 2853 SHA [FIPS 180-4] (Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications). SHA sizes: SHA-1, SHA-256, SHA-384, SHA-512 2614, 2763, 2823, 2882, 2893, 3799, 3806, 3915, 4222, 4277 Triple-DES (TDES) [SP 800-20] (Encryption, Decryption) Modes: TCBC, Key sizes: 3-key 1800, 1901, 1928, 1966, 1972, 2465, 2470, 2535, 2652, 2687
  • 25. ● Independent of SSL/TLS ● Design simplifies updates ● Most bugs and vulnerabilities happen in SSL/TLS, not crypto wolfCrypt FIPS Object Module
  • 26. ● SGX enclave structure with wolfCrypt only ● FIPS 140-2 boundary only around “wolfCrypt FIPS” wolfCrypt FIPS Object Module in SGX
  • 27. ● SGX enclave structure with wolfCrypt and wolfSSL SSL/TLS Library ● FIPS 140-2 boundary only around “wolfCrypt FIPS” wolfCrypt FIPS Object Module in SGX
  • 28. Intel SGX OE Validation Process ● Unique steps to SGX OE Validation: ○ Port wolfCrypt to run inside Intel SGX ○ Map system calls as SGX trusted entry points ○ Map wolfSSL and wolfCrypt API as SGX trusted entry points ○ Modify CAVP test harness to read vector files in untrusted section, pass via buffer into trusted enclave
  • 29. Intel SGX OE Validation Process ● Port wolfSSL / wolfCrypt to run inside Intel SGX enclave ○ Modify random.c to get entropy from Intel SGX API ■ sgx_read_rand() ■ /dev/random, /dev/urandom would have been outside enclave ○ Use Intel intrinsics by default ■ _lrotr() ■ _lrotl()
  • 30. Intel SGX OE Validation Process ● Map system calls as SGX trusted entry points (OCALLs) ○ printf() - for logging/debugging ■ ocall_print_string() ○ gettimeofday() - get the current time in seconds since Epoch ■ ocall_current_time() ○ get struct timeval seconds ■ ocall_low_res_time() ○ send() - network send function ■ ocall_send() ○ recv() - network recv function ■ ocall_recv()
  • 31. Intel SGX OE Validation Process ● Map wolfSSL and wolfCrypt API as SGX trusted entry points ○ Add wrapper functions exposing wolfSSL and wolfCrypt API: ■ public int enc_wolfSSL_Init(void); ■ public WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void); ■ public WOLFSSL_METHOD* enc_wolfTLSv1_2_server_method(void); ■ public int enc_wc_InitRng([user_check] WC_RNG* rng); ■ public int enc_wc_FreeRng([user_check] WC_RNG* rng); ■ public int enc_wc_InitRsaKey([user_check] RsaKey* key, [user_check] void* ptr); ■ etc...
  • 32. Intel SGX OE Validation Process ● Modify CAVP test harness to read vector files in untrusted section, pass via buffer into trusted enclave
  • 33. Intel SGX OE Demo! ● Demo of wolfSSL’s test app inside an SGX Enclave $ ./App Usage: -t Run wolfCrypt tests only -b Run wolfCrypt benchmarks in enclave -c Run a TLS client in enclave -s Run a TLS server in enclave Operating System Processor Platform 15 Debian 8.7.0 Intel Xeon E3 Family with SGX support Intel x64 Server System R1304SP
  • 34. Intel SGX OE Demo! ● Demo of wolfSSL’s test app inside an SGX Enclave $ ./App -t Crypt Test: error test passed! base64 test passed! asn test passed! MD5 test passed! MD4 test passed! SHA test passed! SHA-256 test passed! ... ECC test passed! ECC buffer test passed! logging test passed! mutex test passed! memcb test passed! Crypt Test: Return code 0 $ ./App -b Benchmark Test: wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each) RNG 130 MB took 1.016 seconds, 127.979 MB/s AES-128-CBC-enc 255 MB took 1.004 seconds, 253.880 MB/s AES-128-CBC-dec 285 MB took 1.013 seconds, 281.257 MB/s AES-192-CBC-enc 225 MB took 1.013 seconds, 222.205 MB/s AES-192-CBC-dec 245 MB took 1.000 seconds, 244.950 MB/s AES-256-CBC-enc 200 MB took 1.015 seconds, 196.992 MB/s … ECC 256 key gen 1155 ops took 1.000 sec, avg 0.866 ms, 1154.727 ops/sec ECDHE 256 agree 1200 ops took 1.022 sec, avg 0.852 ms, 1173.816 ops/sec ECDSA 256 sign 1200 ops took 1.048 sec, avg 0.873 ms, 1145.563 ops/sec ECDSA 256 verify 600 ops took 1.023 sec, avg 1.705 ms, 586.548 ops/sec Benchmark Test: Return code 0
  • 35. What’s up for the Future? ● Possibilities for the future, depending on customer demand: ○ More SGX Operating Environments ○ Expanded FIPS 140-2 algorithm boundary ○ FIPS 140-2 validations in other TEE environments ○ What do you want to see?
  • 36. wolfSSL Library Makefile for SGX ● wolfSSL SGX Static Library Project ○ Creates a static wolfSSL library for use with SGX enclaves ○ Assumes user has already: ■ Enabled SGX in BIOS ■ Installed necessary software from Intel ○ Distributed with wolfSSL: ■ https://github.com/wolfSSL/wolfssl/tree/master/IDE/LINUX-SGX
  • 37. wolfSSL SGX Examples ● Non-FIPS Examples Available on GitHub ○ Examples include: ■ TLS Client in an enclave ■ TLS Server in an enclave ■ wolfCrypt tests in an enclave ■ wolfCrypt benchmarks in an enclave ○ For Linux and Windows ■ https://github.com/wolfSSL/wolfssl-examples/tree/master/SGX_Linux ■ https://github.com/wolfSSL/wolfssl-examples/tree/master/SGX_Windows
  • 38. A. Overview of Secure Enclaves a. Advantages b. Challenges B. FIPS 140-2 inside Intel SGX a. Intel SGX b. Changes required c. Validation Process Summary