NEOS IoT Security Platform : System-on-module with WiFi and TPM (Trusted Platform Module) for IoST, Internet of Secure Things (KO)

NEOS-IoTSPIoTSecurityPlatformbasedonNEOSRTOS™supportingWiFiandTPM(TrustedPlatformModule)

2016.12

http://www.neosrtos.com/neosp1email:[email protected]

©2016MDSTechnologyCo.,Ltd..

FeaturesofNEOSIoTSecurityPlatform

● FullFeaturedSolutionPackage:SecureRTOSSoftware,IntegratedDevelopmentEnvironmentSoftware,System-on-module,andDevelopmentKit

● CryptoLibrary● SecureBoot● SecureFirmwareUpdate● TPMSupport● DeviceManagementSolution,Integrated● KeyManagementSystemforIoT,Integrated

ConfigurationofNEOSIoTSecurityPlatform

SecureRTOSSW

SecureBoot SecureFirmwareUpdate CryptoAPI

NEOS™RTOS

KeyManager

IoTAgentCrypto-library

Neo-SP1(System-On-Module)

Cortex-M4MCU

WiFi

DeviceManager

TPM

DVMS(DevelopmentKit+Sensors)

SerialtoUSB(monitor)

SWD(debug)

AccelerometerMagneticField

NEOSPACE™IDE

USB(Serial,SWD)

Internet/Intranet

Temperature&Humidity

Light&UV

HostComputer

■ Softwares:SecureRTOSSoftware,IDE(IntegratedDevelopmentEnvironment)■ ReferenceHardwares:System-on-module,andDevKit

3<NEOS-IoTSP>http://www.neosrtos.com/neosp1

4

A.SecureRTOSSWPlatform

■ SecureBoot■ SecureFirmwareUpdate■ StandardCryptographicLibraryforend-to-endSecurity■ SecureKeyManagementonTPM(TrustedPlatformModule)■ StandardbasedDeviceManagementSolution(NEO-IDM™)Integrated■ StandardbasedKeyManagementSolution(iKMS)Integrated

SecureRTOSSW


NEOS™RTOS

KeyManager


DeviceManager

5

B.IDE(NEOSPACE)

■ CompleteIntegratedDevelopmentEnvironmentbasedoneclipsedevelopmentplatform■ ProjectManagement■ Buildingtargetsoftware:compiler,linker■ DebuggingandFlashProgrammingthroughSerialWireDebug(SWD)

USB(Serial,SWD)

• Neo-SP1Module– HardwareRootofTrustbyTPM(TrustedPlatformModule)– UsercanprogramIoTapplicationonthemodule

• DVMS:FullFeaturedDevelopmentKit– Neo-SP1Mounted– SWDSTLink-v2DebugInterfacereadyforDebuggingandFlashProgramming– Sensors:Accelerometer/Magnetometer,Temperature/Humidity,Light/UV– ConfigurableExternalPortswithI2C,ADC,UARTinterfaces

6

C.ReferenceHardware

JTAGTrace32

SWD- USB

Serial- USB

Temp./Humidity

Accel./mageto.Neo-SP1

Light/UVExternalPorts

DVMS(DevKit)

Function Specification

MCU STM32F415

TPM InfineonSLB9670VQ1.2

Connectivity WiFi802.11b/g/n:ESP8266

Dimension 25mmx35mm

● Neo-SP1

Applications

● EdgeDevice,ConnectivityModule,orSecureMediaConverter● Readyforvariouswirelessconnection

■ BootonlyOEMprovidedsoftwareonly■ DownloadfirmwarefromUpdateServerandverifytheSignature

8

SecureBoot,SecureFirmwareUpdate

DevicePowerOn

Firmwarebootloader

BootManagerverifiesSignature

BoottoMainOS

BoottoUpdate

bootconfigurationdatabase

Internet/Intranet

UpdateServer Signing(OSandHash)

PublickeyofupdateServer

Downloadfromupdateserver

Neo-IDM Service UI

• StandardIoTDeviceManagementPlatformbasedonLwM2Mprotocol• TwoOperationModels:IoTEdgeDeviceandConnectivityModule

9

IntegrationwithNeo-IDM

NEOS IoT SP

EdgeDeviceNeo-IDM CoAPServer

IoTGatewayNeo-IDMLwM2M

Client

CoAP

InterworkingProxy

LwM2MIoTServer

Azure,ThingWorx,...

HTTP/MQTT

LwM2MServer

NEOS IoT SP

ConnectivityModuleNeo-IDM LwM2M

Client&CoAPServer

LwM2M

LwM2MServer

SecureRTOSSW


NEOS™RTOS

KeyManager


DeviceManager

• Keydistributionfunctionandmanagementscheme• KeyInjectionforIoTDevice• ThusprovidingEnd-to-EndSecurity

10

IntegrationwithiKMS(KeyManagementSystem)

NEOS IoT SP

iKMSAgent

Secure Key Distribution

iKMSServer(HancomSecureCo.)

SecureRTOSSW


NEOS™RTOS

KeyManager

IoTAgentCrypto-library DeviceManager

IoTServerLwM2M,Azure,...

Secure Key Distribution

CryptographicLibrary

11

Function Algorithm Description

BlockCipher

ARIA 128,192,256bitsSEED 128,256bitsLEA 128,192,256bits

HIGHT 64bitsBlockCipher

OperatingModeConfidentiality ECB,CBC,CFB,OFB,CTR BlockCipher:ARIA,SEED,LEA,HIGHT

Confidentiality/Authentication CCM,GCM BlockCipher:ARIA,SEED,LEA,HIGHT

RandomNumberGeneratorHASH_DRBG Hash:SHA-224/256/384/512CTR_DRBG BlockCipher:ARIA,SEED,LEA,HIGHT

HMAC_DRBG Hash:SHA-224/256/384/512PublicKeyCryptography RSAES PublicKey:2048,3072 bits

KeyManagementDH Public/PrivateKey:(2048,256)

ECDH B-233,K-233,P-224B-283,K-283,P-256

HashFunction SHA-2 OutputLength:224,256,384,512bits

MessageAuthenticationCode

HashBased HMAC KeyLength:128,256bits

Block CMAC BlockCipher:ARIA,SEED,LEA,HIGHTGMAC BlockCipher:ARIA,SEED,LEA,HIGHT

DigitalSignature

RSA-PSS PublicKey:2048,3072bitsKCDSA PublicKey:1024,2048,3072bits

ECDSA B-233,K-233,P-224B-283,K-283,P-256

ECKCDSA B-233,K-233,P-224B-283,K-283,P-256

■ cryptographicalgorithms■ light-weighted,andoptimizedforembeddedsystem

12

ConnectionTypes

Neo-SP1

IoTGateWay

IoTServer

AsaConnectivityModuleConnecttoServerwithoutIoTGateway

Neo-SP1

WirelessAccessPoint

AsanEdgeDeviceConnecttoServerthroughIoTGateway

Internet/Intranet

Internet/Intranet

IoTServer

Neo-SP1

Device-to-deviceSecurityConnecttootherdevices

Internet/Intranet

■ ToprovideSecureChannelforsystemswithLegacyDevices■ MinimalornomodificationtoLegacySystemforeasydeployment

13

SecureMediaConverter

LegacyDevices LegacyDevices

Trans-ceiver

Trans-ceiver

UnsecureMedia:ethernet,

RS485,RS422,...

SecureChannels

WiredorWireless

UnsecureMedia:ethernet,

RS485,RS422,...

■ ReadyforConnectivityModules:Bluetooth,Zigbee,LoRa,WISUN,LTE,etc

14

ReadyforVariousWirelessConnectionsExtension

RFModule

Zigbee

Bluetooth

WISUN

LoRa

Sensors

Internet/Intranet

15

Applicable

■ Toprotectpublicsafetydata,environmentdata,smartgriddata,etc,whereSecurityismandatorybylaw

■ ToprotectdataforMilitaryIoT■ ToprotectPrivateSensitivedata,suchasWellnessinformationorMedical(Health)data■ ToprotectDeviceConfigurationData,ManufacturingTechnology

AboutNEOSRTOS

16

■ NEOS™RTOSisareal-timeoperatingsystemforembeddedsystemdevelopedbyMDSTechnology

■ DO-178BLevelACertifiableKernel■ Multi-threadKernelwithfastanddeterministicperformance■ Preemptiverealtimescheduling■ POSIXstandardAPIadd-on(POSIX1003.13PSE52)■ Fieldproveninaerospaceandmilitaryforsafetycriticalandmissioncriticalsystem■ http://www.neosrtos.com