Difference between revisions of "Hardware Protection"
From MgmtWiki
(→References) |
(→Other Material) |
||
| (18 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
[[Hardware Protection]] offered by Hardware Security Modules (HSM see [[FIPS 140]]) or management chips. | [[Hardware Protection]] offered by Hardware Security Modules (HSM see [[FIPS 140]]) or management chips. | ||
==Context== | ==Context== | ||
| − | *Latest version as of 2019-05-22 is [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3], version 3. | + | * This wiki page focuses on [[Hardware Protection]] of cryptographic keying materiel where all secret cryptographic operations occur without releasing any private cryptographic materiel. |
| − | * The TPM (Trusted Platform Module) version 1 was a purely hardware version of protection that was offered only as a stand alone chip. With version 2 defined as software, it can be (and is) included in any [[Trusted Execution Environment]]. | + | * On 2020-11-17 <ref>Lily Hay Newman ''Microsoft Is Making a Secure PC Chip—With Intel and AMD's Help''. (2020-11-17) Wired https://www.wired.com/story/microsoft-pluton-secure-processor</ref> Microsoft announced that they planned to enable the Pluton design on chips from Intel and AMD. |
| + | * Both Intel and ARM enable secure enclaves on their Microprocessor to protect security. | ||
| + | * Latest version as of 2019-05-22 is [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3], version 3. Future versions will likely be issued as [[Common Criteria]]. | ||
| + | * The [https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/ TPM (Trusted Platform Module)] version 1 was a purely hardware version of protection that was offered only as a stand-alone chip. With version 2 defined as software, it can be (and often is) included in any [[Trusted Execution Environment]]. | ||
| + | * The first on-board Hardware Protection was provided by a product from the Intel Data Security Operation that was built, but never shipped. The DSO was disbanded on 1996-01-11. The devices was based on the i386 design with full memory bus encryption so that it could use the normal memory bus in DMA mode. Paul England made it clear in 2010 that Microsoft fought to prevent Hewlett Packard from implementing a board with the chip installed. | ||
| + | * HSM modules were created in the early 1990's to be installed in IBM and other mainframe computers. | ||
| + | * Original Hardware protection was on dedicated data transmission devices with the symmetric keys delivered by hand to each device. This was the basis for FIPS 140 first issue and the Trusted Network Interpretation for the National Computer Security Center MCSC-TG-005 dated 1987-07-31. | ||
| + | |||
| + | ===Broad Categories=== | ||
| + | # [[Smart Card]]s use a 6 or 8 pin silicon chip to create and protect private key material. They typically only support one [[Cryptography]] algorithm and one user. | ||
| + | # [https://www.securities.io/the-best-hardware-wallets-to-keep-your-crypto-safe-in-2021/ Hardware Wallets] typically support the [[Cryptography]] algorithms used by [[Bitcoin]] and similar digital currencies. | ||
| + | # Hardware Security Modules have a variety of designs, but typically sit in computer centers connected to one hardware processor, often on the memory buss. They have rich support paradigms. | ||
| + | |||
==Problems== | ==Problems== | ||
| − | When hardware contains software, and particularly when it contains firmware, it no longer has the same level of protection that a purely hardware solution offers. For example the Apple T2 chip has been hacked and cannot be fixed in the field.<ref>Lily | + | When hardware contains software, and particularly when it contains firmware, it no longer has the same level of protection that a purely hardware solution offers. For example the Apple T2 chip has been hacked and cannot be fixed in the field.<ref>Lily Hay Newman, ''Apple's T2 Security Chip Has an Unfixable Flaw'' (2020-10-05) Wired https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jailbreak-mac/</ref> |
==References== | ==References== | ||
| − | <references> | + | <references /> |
===Other Material=== | ===Other Material=== | ||
| Line 14: | Line 26: | ||
[[Category: Security]] | [[Category: Security]] | ||
| + | [[Category: Cryptography]] | ||
[[Category: Best Practice]] | [[Category: Best Practice]] | ||
Latest revision as of 11:38, 7 June 2022
Full Title
Hardware Protection offered by Hardware Security Modules (HSM see FIPS 140) or management chips.
Context
- This wiki page focuses on Hardware Protection of cryptographic keying materiel where all secret cryptographic operations occur without releasing any private cryptographic materiel.
- On 2020-11-17 [1] Microsoft announced that they planned to enable the Pluton design on chips from Intel and AMD.
- Both Intel and ARM enable secure enclaves on their Microprocessor to protect security.
- Latest version as of 2019-05-22 is FIPS 140-3, version 3. Future versions will likely be issued as Common Criteria.
- The TPM (Trusted Platform Module) version 1 was a purely hardware version of protection that was offered only as a stand-alone chip. With version 2 defined as software, it can be (and often is) included in any Trusted Execution Environment.
- The first on-board Hardware Protection was provided by a product from the Intel Data Security Operation that was built, but never shipped. The DSO was disbanded on 1996-01-11. The devices was based on the i386 design with full memory bus encryption so that it could use the normal memory bus in DMA mode. Paul England made it clear in 2010 that Microsoft fought to prevent Hewlett Packard from implementing a board with the chip installed.
- HSM modules were created in the early 1990's to be installed in IBM and other mainframe computers.
- Original Hardware protection was on dedicated data transmission devices with the symmetric keys delivered by hand to each device. This was the basis for FIPS 140 first issue and the Trusted Network Interpretation for the National Computer Security Center MCSC-TG-005 dated 1987-07-31.
Broad Categories
- Smart Cards use a 6 or 8 pin silicon chip to create and protect private key material. They typically only support one Cryptography algorithm and one user.
- Hardware Wallets typically support the Cryptography algorithms used by Bitcoin and similar digital currencies.
- Hardware Security Modules have a variety of designs, but typically sit in computer centers connected to one hardware processor, often on the memory buss. They have rich support paradigms.
Problems
When hardware contains software, and particularly when it contains firmware, it no longer has the same level of protection that a purely hardware solution offers. For example the Apple T2 chip has been hacked and cannot be fixed in the field.[2]
References
- ↑ Lily Hay Newman Microsoft Is Making a Secure PC Chip—With Intel and AMD's Help. (2020-11-17) Wired https://www.wired.com/story/microsoft-pluton-secure-processor
- ↑ Lily Hay Newman, Apple's T2 Security Chip Has an Unfixable Flaw (2020-10-05) Wired https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jailbreak-mac/
Other Material
- See wiki page Smart Phone for a discussion of hardware versus software protection within a modern ARM based Trusted Execution Environment.
