One of the more publicly acclaimed uses of the “Internet of Things” paradigm is in the area of smart buildings. Intelligent building management systems have the potential to reduce operating costs, improve individual use of resources, and ultimately minimize a building’s impact on the environment. IoT-supported smart buildings extend from the micro scale, where sub-metering in commercial buildings permits individualized monitoring and optimization of power consumption, to macro-scale deployments. In particular, large-scale regional control and monitoring of bulk consumption, together with parameters such as power factor control and mitigation, has the potential to realize significant cost savings and efficiencies for both consumers and utilities and to provide a resilient infrastructure in response to climatic events such as heat waves, power failures, and natural disasters.
Key to each of these applications is a widespread sensor grid, data concentrators and network cards, and secure communications reaching back to centralized data analytics platforms that feed decision support systems. This highly distributed environment, much of which communicates over the Internet alongside legacy point-to-point links, is subject to denial of service attacks, malware delivered through spurious software updates, and fraudulent aggregation of data in general.
SPYRUS FIPS 140-2 Level 3 certified IoT security products, with high assurance, processor-efficient cryptography, have the potential to secure endpoints for sensor data protection, integrate rapidly with data concentrators and gateways, and provide trusted execution environments for remote administration of infrastructure components. The Rosetta® Micro is suited to embedded environments such as sensor nodes. The Rosetta microSDHC™ TrustedFlash™ combines AES-256 XTS encrypted storage with an EAL5+ tamper-resistant internal HSM, a good match for the rapidly growing family of single board computers used as IoT gateways. The encrypted flash protects stored data against tampering and exfiltration, while the internal PKI HSM secures the keys used for data transmission and provides an auditable endpoint for ensuring data security and provenance. These devices are complemented by the SPYRUS Windows To Go and LINUX2Go™ families, which deliver a trusted execution environment on laptops and mobile platforms for administering the endpoints remotely and accessing their functionality securely and manageably in a globally distributed environment.
The proliferation of the “Internet of Things” has created opportunities across all verticals. One significant application is the use of IoT technologies for next generation payment solutions integrated with wearable computing, smart ATM technologies and non-traditional payment channels. The immediate need for security is obvious, e.g. the use of cryptography and related technology to secure ATM functions and access to sensitive personal information. A less obvious need is securing cash or cash-equivalent payments made from wearable devices. For example, a person’s mobile devices can be integrated by slipping them into a vest that constitutes a “Personal Area Network,” which then permits the user to link together other devices in local use while walking, jogging, bicycling or even traveling on public transit. The person’s identity and location are available from many of these devices and, without security, can be transmitted to remote attackers for a variety of purposes. More importantly, a person using these devices to make financial transactions, even one as simple as purchasing a latte at a kiosk or coffee shop, can have the transaction intercepted and the information used maliciously.
SPYRUS security products have the potential to mitigate external threats at every stage of the transaction. Mobile devices can employ the Rosetta USB and/or the SPYCOS® PKI HSM inside the Rosetta microSDHC for secure storage of critical information and for authentication to a remote gateway. At Point of Sale (POS) terminals, the SPYRUS Windows To Go and LINUX2Go devices can create a secure operating environment that minimizes the threat of malware being injected into the device to capture and re-transmit sensitive financial information. The additional security extends to signing outgoing transmissions and validating incoming information and software updates.
Recent estimates indicate that over 300 million stationary video cameras are installed globally, with 25% or more of them networked to central servers via the Internet, either wirelessly or over a direct connection. This number is expected to grow significantly as body-worn and vehicle-mounted cameras are rapidly added. Each of these devices presents a major attack surface, which has been reported with increasing frequency in the literature. The simplest attack is disabling the camera or injecting spurious footage. More malicious attacks involve hijacking cameras for distributed denial of service, whereby large global groups of cameras are turned into “bots” for mass attacks on an Internet-based target. Of increasing concern is also the forensic value of cameras deployed for critical infrastructure, national security, and law enforcement in general. In these instances, the camera data can be called into question unless each frame is digitally signed to provide integrity and non-repudiation. In extremely sensitive situations, only authorized personnel should be permitted to view the data.
SPYRUS IoT-derived security products can provide FIPS 140-2 Level 3 certified security along with strong encryption, signing and authentication functions to ensure the confidentiality and non-repudiation of data. For video cameras, the Rosetta microSDHC TrustedFlash with its internal SPYCOS HSM can provide a trusted execution environment for the camera software to prevent hijacking and the creation of a “bot swarm.” The AES-256 XTS encryption in the TrustedFlash device protects stored data against tampering and exfiltration. The internal SPYCOS HSM securely manages keys and communication with a central site. Depending on the overall topology of the surveillance network, the Rosetta microSDHC can also serve as an element of the NcryptNshare™ collaboration, information sharing, and signing suite to permit secure sharing of forensic data with non-repudiation.
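To make concrete what frame-by-frame signing buys a forensic reviewer, here is an added example in Go. It is not SPYRUS code, and the page does not describe how the product formats or links its per-frame signatures: chaining each frame to the digest of the previous one, the P-256 ECDSA key held in memory rather than in an HSM, and the constructed pixel data are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SignedFrame is one video frame plus what the camera signs for it: the
// frame index, the digest of the previous signed frame (the chain link), and
// an ECDSA P-256 signature over SHA-256(index || prev || SHA-256(pixels)).
type SignedFrame struct {
	Index  uint64
	Pixels []byte
	Prev   [32]byte // zero for the first frame of a clip
	Sig    []byte   // ASN.1 DER encoded
}

// digest is the value the signature covers.
func (f *SignedFrame) digest() [32]byte {
	h := sha256.New()
	var idx [8]byte
	binary.BigEndian.PutUint64(idx[:], f.Index)
	h.Write(idx[:])
	h.Write(f.Prev[:])
	px := sha256.Sum256(f.Pixels)
	h.Write(px[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Camera holds the signing key and the chain state. In the product the key
// would live inside the HSM; here it is an in-memory key (assumption).
type Camera struct {
	priv *ecdsa.PrivateKey
	last [32]byte
	next uint64
}

func NewCamera() (*Camera, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Camera{priv: priv}, nil
}

func (c *Camera) Public() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Capture signs one frame and links it to the previous one.
func (c *Camera) Capture(pixels []byte) (SignedFrame, error) {
	f := SignedFrame{Index: c.next, Pixels: pixels, Prev: c.last}
	d := f.digest()
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, d[:])
	if err != nil {
		return SignedFrame{}, err
	}
	f.Sig, c.last, c.next = sig, d, c.next+1
	return f, nil
}

// Verify checks a clip that starts at frame 0: every signature must be valid
// and every frame must chain to its predecessor. It returns the index of the
// first frame that fails, or -1 when the whole clip verifies. An edited,
// dropped, inserted or reordered frame is caught; truncation at the end is
// not, because nothing after the last frame vouches for it.
func Verify(pub *ecdsa.PublicKey, frames []SignedFrame) int {
	var prev [32]byte
	for i, f := range frames {
		d := f.digest()
		if f.Index != uint64(i) || f.Prev != prev || !ecdsa.VerifyASN1(pub, d[:], f.Sig) {
			return i
		}
		prev = d
	}
	return -1
}

func main() {
	cam, err := NewCamera()
	if err != nil {
		panic(err)
	}
	var clip []SignedFrame
	for i := 0; i < 3; i++ { // constructed stand-in for three frames of pixels
		f, _ := cam.Capture([]byte{byte(i), 0x10, 0x20, 0x30})
		clip = append(clip, f)
	}
	fmt.Println("untouched clip, first bad frame:", Verify(cam.Public(), clip))
	clip[1].Pixels = []byte{0xff, 0xff, 0xff, 0xff} // doctor one frame
	fmt.Println("edited clip, first bad frame:", Verify(cam.Public(), clip))
}
```

A per-frame signature alone proves each frame came from the camera; the chain additionally proves that the sequence has not been cut or reordered, which is what a reviewer needs when a clip is presented as continuous. Because the signing key never has to leave the HSM, the camera can be fully compromised after the fact without the attacker being able to forge earlier footage.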
The Rosetta HSM dates back to 1996 as one of the first, if not the very first, RSA-based smartcard devices. It has since become a widely used standard that works with a wide variety of applications in desktop and embedded environments:
ECDH-AES Secure Channel
The secure channel uses an ECDH shared secret together with a KDF to derive an AES session key that encrypts and decrypts the APDU commands and responses exchanged between the host and the Rosetta FIPS module. The ECDH-KDF operation takes the ECC keys from each end (the host and the Rosetta FIPS module) along with a random nonce generated by the SPYCOS and produces an AES-256 encryption key. Because the same key is derived at both ends, the sensitive data transmitted between the host and the module is protected in both directions. The nonce ensures that a fresh session key is derived for every session even when the ECC keys themselves are static; the host must also verify that the module’s ECC public key is the genuine one (for example against its certificate), since ECDH by itself does not authenticate the peer.
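An added example in Go of the exchange described above, with both ends deriving the session key from their P-256 ECDH keys and the module’s nonce and then sealing an APDU. This is not SPYRUS code: HKDF-SHA256 as the KDF, AES-256-GCM as the mode, the context string, the 16-byte nonce and the sample VERIFY PIN APDU are assumptions made for the demonstration; the page names none of them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Session is one end (host or module) of the ECDH-derived AES-256 channel.
type Session struct {
	Key  []byte      // 32-byte AES-256 session key, identical at both ends
	aead cipher.AEAD // AES-256-GCM over Key (mode is an assumption; the page names none)
}

// kdf is HKDF-SHA256 (RFC 5869) for one 32-byte output block, written with
// the standard library's HMAC; it stands in for the unspecified "KDF function".
func kdf(secret, nonce, info []byte) []byte {
	ext := hmac.New(sha256.New, nonce) // extract: PRK = HMAC(salt = nonce, secret)
	ext.Write(secret)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // expand: T1 = HMAC(PRK, info || 0x01)
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// NewSession runs one side of ECDH-KDF: ECDH(priv, peer) yields the shared
// secret and the module's nonce salts the KDF, so every session gets a fresh
// key even when both ECC key pairs are static.
func NewSession(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, nonce []byte) (*Session, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := kdf(shared, nonce, []byte("apdu secure channel"))
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{Key: key, aead: aead}, nil
}

// Seal encrypts one APDU (command or response); the per-message IV is
// prepended so the peer can decrypt it.
func (s *Session) Seal(apdu []byte) ([]byte, error) {
	iv := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return append(iv, s.aead.Seal(nil, iv, apdu, nil)...), nil
}

// Open decrypts an APDU from the peer; any modification fails the GCM tag check.
func (s *Session) Open(msg []byte) ([]byte, error) {
	ns := s.aead.NonceSize()
	if len(msg) < ns {
		return nil, errors.New("message shorter than IV")
	}
	return s.aead.Open(nil, msg[:ns], msg[ns:], nil)
}

// Handshake plays both ends: each generates a P-256 key pair, the module
// draws the nonce, and each derives its session from the other's public key.
func Handshake() (host, module *Session, err error) {
	curve := ecdh.P256()
	hostPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	modPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, 16) // generated by the module, sent to the host in the clear
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// In a real deployment the host checks modPriv.PublicKey() against the
	// module's certificate first; unauthenticated ECDH alone permits key substitution.
	if host, err = NewSession(hostPriv, modPriv.PublicKey(), nonce); err != nil {
		return nil, nil, err
	}
	if module, err = NewSession(modPriv, hostPriv.PublicKey(), nonce); err != nil {
		return nil, nil, err
	}
	return host, module, nil
}

func main() {
	host, module, err := Handshake()
	if err != nil {
		panic(err)
	}
	fmt.Println("same session key at both ends:", bytes.Equal(host.Key, module.Key))
	apdu := []byte{0x00, 0x20, 0x00, 0x80, 0x04, '1', '2', '3', '4'} // constructed VERIFY PIN APDU
	wire, _ := host.Seal(apdu)
	got, err := module.Open(wire)
	fmt.Printf("module decrypted %x (err=%v)\n", got, err)
	wire[len(wire)-1] ^= 0x01 // flip one bit in transit
	_, err = module.Open(wire)
	fmt.Println("tampered APDU rejected:", err != nil)
}
```

The property to check in any such channel is the one the last lines exercise: a PIN-bearing APDU that is modified on the wire must be rejected by the module, not decrypted to garbage and acted on. The nonce goes into the KDF as the salt, so replaying a captured session against the same two static keys yields a different session key and the captured traffic cannot be decrypted.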
- Protect access to your desktop infrastructure by using the Rosetta HSM as the “something you have” factor together with a “something you know” password to authenticate to Windows accounts via smartcard logon.
- The unique “K of N” feature designed into Rosetta extends this concept to logon not only to a defined set of computing platforms but also to networks.
Secure Web Authentication and Login
- Increase the assurance of access to data on a website by combining the Rosetta HSM FIPS 140-2 Level 3 secure channel operations with TLS/SSL, which protects critical security parameters such as passwords from the endpoint all the way to the website.
E-Mail S/MIME Encryption
- Secure your communications in Office Outlook by using the Rosetta HSM with the minidriver (available from Windows Update), or in Thunderbird and Firefox by using the SPYRUS PKCS#11 driver, to encrypt and sign your e-mail.
File Signing and Encryption
- Use the Rosetta HSM’s security with the SPYRUS NcryptNshare file sharing applications to provide not only data confidentiality but also, uniquely, file validation and signature verification WITHOUT having to first decrypt the file.
- The Rosetta NcryptNshare (RES) applications include RES4Office™, RES Pro™, and the RESDisk™ virtual vault, each created using the SPYRUS RES SDK.
- KeyWitness® Mode provides non-repudiation of data shared between parties.
- Protect your Cisco, Juniper, or DirectAccess VPN keys for remote access to your corporate network using the Rosetta HSM. A multitude of other VPN products are supported through the industry-standards-based SPYRUS PKCS#11 driver.
- You can also deploy defense-in-depth remote access by using the Rosetta HSM’s algorithm agility: one VPN using RSA and a second VPN using elliptic curve cryptography.
- The Rosetta NcryptNshare (RES) Disk application provides hardware-based key management to safeguard all your files and folders in a single vault or multiple vaults with the Rosetta HSM. Create your own RESDisk application using the RES SDK.
- A Rosetta HSM is built into the WorkSafe™ and WorkSafe Pro™ live drives, which boot Windows or Linux operating environments from a USB 3.0 SSD. Provisioned with an industry standard CA such as EJBCA, XCA, or even Windows Server CA, this gives you a very affordable integrated CA in a Box® solution.
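The File Signing and Encryption bullets above state that a shared file can be validated without first decrypting it. The construction that gives that property is encrypt-then-sign: the signature covers the ciphertext and its cleartext header, so anyone with the signer’s public key can verify, while only holders of the file key can read. Here is an added Go example of that construction; it is not SPYRUS or NcryptNshare code, and the page states the property, not how the product achieves it. AES-256-GCM for the file, ECDSA P-256 for the signature, the sender and recipient labels under the signature, and the sample plaintext are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package is an encrypted file plus a signature over everything except the
// signature itself, so anyone with the signer's public key can verify it
// without holding the file key.
type Package struct {
	Sender, Recipient string // cleartext header, covered by the signature
	Nonce, Ciphertext []byte // AES-256-GCM output
	Sig               []byte // ECDSA P-256 over SHA-256(header || nonce || ciphertext)
}

// signedBytes serialises the covered fields with length prefixes so field
// boundaries cannot be shifted by an attacker.
func (p *Package) signedBytes() []byte {
	var b bytes.Buffer
	for _, f := range [][]byte{[]byte(p.Sender), []byte(p.Recipient), p.Nonce, p.Ciphertext} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		b.Write(l[:])
		b.Write(f)
	}
	return b.Bytes()
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewSigner and NewFileKey generate the two keys. In the product the signing
// key would be generated and held inside the Rosetta HSM (assumption: here in memory).
func NewSigner() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func NewFileKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// Protect encrypts plaintext under fileKey, then signs header and ciphertext.
func Protect(signer *ecdsa.PrivateKey, fileKey []byte, sender, recipient string, plaintext []byte) (*Package, error) {
	aead, err := gcm(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	p := &Package{Sender: sender, Recipient: recipient, Nonce: nonce}
	p.Ciphertext = aead.Seal(nil, nonce, plaintext, nil)
	h := sha256.Sum256(p.signedBytes())
	if p.Sig, err = ecdsa.SignASN1(rand.Reader, signer, h[:]); err != nil {
		return nil, err
	}
	return p, nil
}

// Verify needs only the sender's public key: no file key, no decryption.
func Verify(pub *ecdsa.PublicKey, p *Package) bool {
	h := sha256.Sum256(p.signedBytes())
	return ecdsa.VerifyASN1(pub, h[:], p.Sig)
}

// Decrypt verifies first, then decrypts; a wrong file key fails the GCM tag.
func Decrypt(pub *ecdsa.PublicKey, fileKey []byte, p *Package) ([]byte, error) {
	if !Verify(pub, p) {
		return nil, errors.New("signature check failed")
	}
	aead, err := gcm(fileKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, p.Nonce, p.Ciphertext, nil)
}

func main() {
	signer, _ := NewSigner()
	fileKey, _ := NewFileKey()
	p, _ := Protect(signer, fileKey, "alice", "bob", []byte("constructed sample plaintext"))
	fmt.Println("verifies without decrypting:", Verify(&signer.PublicKey, p))
	p.Recipient = "mallory" // re-addressing the package breaks the signature
	fmt.Println("verifies after header change:", Verify(&signer.PublicKey, p))
}
```

Putting the recipient under the signature matters: without it, a recipient could strip the package and forward the still-valid signed ciphertext to someone else as if the sender had addressed it to them. A gateway or archive that only needs provenance can run Verify and never see a file key, which is the separation of duties the bullets above describe.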
Electronically Sign Documents
- Electronic document workflows require electronic signatures to prove who created or approved a document and, more importantly, to prove that the document has not been altered in transit from the originator to the receiver.
- Use the Rosetta HSM KeyWitness Mode not only to digitally sign documents but also to verify the sender and validate that the document was not altered, providing non-repudiation.
- Why not use the world’s first hardware code signing HSM! The Rosetta HSM CSP was developed in partnership with Microsoft to support Authenticode, and PKCS#11 support was added for Netscape. Always safeguard your code signing keys on the Rosetta HSM and lock it away when not in use.
- Better yet, develop the code on a WorkSafe or WorkSafe Pro and use its embedded Rosetta HSM to sign the code when it is ready to ship!