Post on 08-Jul-2020
1 |www.insidesecure.com
D&R IP SOC Day
September 14, 2017
Security Solutions for IoT, Storage and Networking
Presented By:
Stephen Wu,
Senior Security IP and Software FAE
2 |
This presentation and the information it contains are not intended to constitute, and should not be construed as an offer to sell or a solicitation to buy orsubscribe to any INSIDE Secure securities, in any jurisdiction. Any public offering of INSIDE Secure securities would be made by means of a prospectuspreviously approved by the AMF that contains detailed information about INSIDE Secure. The disclosure, distribution and publication of this presentation maybe restricted by law in certain jurisdictions and persons into whose possession any document or other information referred to herein comes should informthemselves about and comply with any such restrictions. INSIDE Secure takes no responsibility for any violation of any restrictions by any person.This presentation contains certain forward-looking statements relating to the business of INSIDE Secure, which shall not be considered per se as historical facts,including the ability to manufacture, market, commercialize and achieve market acceptance for specific projects developed by INSIDE Secure, estimates forfuture performance and estimates regarding anticipated operating losses, future revenues, capital requirements, needs for additional financing. In addition,even if the actual results or development of INSIDE Secure are consistent with the forward-looking statements contained in this press release, those results ordevelopments of INSIDE Secure may not be indicative of their in the future. In some cases, you can identify forward-looking statements by words such as"could," "should," "may," "expects," "anticipates," "believes," "intends," "estimates," "aims," "targets," or similar words. Although the management of INSIDESecure believes that these forward-looking statements are reasonably made, they are based largely on the current expectations of INSIDE Secure as of the dateof this communication and are subject to a number of known and unknown risks and uncertainties and other factors that may cause actual results,performance or achievements to be materially different from any future results, performance or achievement expressed or implied by these forward-lookingstatements. In particular, the expectations of INSIDE Secure could be affected by, among other things, uncertainties involved in unexpected regulatory actionsor delays related notably to building and operating permits and renewable support policies, competition in general or any other risk and uncertaintiesdeveloped or identified in any public documents filed by INSIDE Secure with the AMF, included those listed in chapter 4 “Risk factors” of the 2014 “documentde reference” approved by the French financial market authority (the Autorité des marchés financiers – the “AMF”) on April 30, 2015 under number R.15-030.In light of these risks and uncertainties, there can be no assurance that the forward-looking statements made in this communication will in fact be realized.Notwithstanding the compliance with article 223-1 of the General Regulation of the AMF (the information disclosed must be “accurate, precise and fairlypresented“), INSIDE Secure is providing the information in these materials as of this communication, and disclaims any intention or obligation to publiclyupdate or revise any forward-looking statements, whether as a result of new information, future events, or otherwise.
©Inside Secure 2017. All Rights Reserved. Inside Secure,® Inside Secure logo and combinations thereof, and others are registered ® trademarks or tradenamesof Inside Secure or its subsidiaries. Other terms, logos and product names may be trademarks of others.
Disclaimer
3 |
Secure communication toolkits & cryptographic
modules certified with high interoperability and
portability
Widely used in security gateways, cloud
deployments, smartphones, printers and other IoT
devices
The largest silicon-proven security IP portfolio for SOC and ASIC designs
For high-speed networking, IoT, datacenters and content protection
Studios-approved, market leading solution
Allows secure distribution of premium content on all
OTT devices
Supports all major DRM schemes, advanced
playback functionalities, analytics
Comprehensive package of software protection
tools
Greatly simplifies integration of security for
mobile apps such as payment HCE, financial,
banking, retail, healthcare, and IoT
Inside Secure at a Glance
4 |
TRUSTED BY THE WORLD’S TOP COMPANIES
Banks and payment system
Content distributor
Top IT companies
Major semi conductor companies
We protect the solutions of the broadest range of customers: service providers, content distributors, security system integrators, device vendors, semiconductor manufacturers
5 |
A complete “Secure Architecture”
How do I ensure only authorized devices are
connected to the network?
Protect accessto the data
How do I prevent intrusions and spying of my communication?
Protect the data in transit
How can I make sure the device functions as intended?
Protect the software
How do I ensure critical assets in the device are not
compromised?
Protect the data at rest
INSIDE SecurePacket Engine IP or
Guard SW
INSIDE SecureVaultIP and
Secure Boot SW
INSIDE SecureVaultIP & Device
Authentication SW
INSIDE SecureVaultIP & Secure
Storage SW
6 |
Control plane secure tunnel establishment & key management: Key refresh and tunnel setup rates matching 100Gbps and beyond Efficient , area optimized Public Key Accelerators & True Random Number Generators needed
Platform security Secure Boot and Secure Debug Trusted Execution Environment, Trust Anchor, Key Vault
Mass adoption of standards based security protocols SSL/TLS (Device/Server), IPsec (Client/Server), MACsec (Device) Wireless – Zigbee, WPA, CAPWAP, LTE/3G Baseband, Platform – Data Storage, Asset Protection
Data plane performance continues to increase: Not only client to cloud traffic increases but also inter cloud traffic, specifically server to data center and data
center to data center bandwidth increase quickly. L2: MACsec, many ports 400G Ethernet, 600Gbps FAT pipe & FlexE, multiport 100G, 1G, 10, 25G, 40G, 50G line
speeds L3: IPsec, 100Gbps and higher, L4: SSL/TLS/DTLS, 40Gbps and higher
Security Requirements for Connected SystemsFrom Core to Cloud
7 |
Security Anchor into your SoC
OS
Vault-IP
Vault-IPDriver
HSM without TEE
OTP
Mailbox
CPU
SW
HW
External RAM (data) Secure DMA CryptosArray
Secure FLASH (keys)RAM / ROM
Asset Store
TRNGµC
Vault-IP
CPUsCPUs
TEE SWVault-IPDriver
HSM with TEE and multiple CPUs
OTP
OS
Vault-IPDriver
OS
Vault-IPDriver
OS
Vault-IPDriver
MailboxmboxmboxMailbox
TEE CPUCPUs
External RAM (data) Secure DMA CryptosArray
Secure FLASH (keys)RAM / ROM
Asset Store
TRNGµC
SW
HW
8 |
Vault-IP Integration
Vault-IP
Crypto data plane
Master i/fSlave i/f
Secure DMA
AES
SHA
…
ECC
Secure Mailbox
µC
Prog. Memory
Data RAM
TCM i/f
NVM-OTP(fuse/anti-fuse)
TRNG
System Bus (AXI, AHB, APB)
Timers
IRQ
CPUCPUCPUCPU
Debug/Test controller
HDMIHDCP
GPI
OC
o-Pr
oc I/
F
Crypto FarmCrypto Farm
DiskEncryption
Crypto FarmPacket Engine
Packet Engine
RAM
FLASH
FIPS-140-2 level 2 certified Side Channel Protection Anti Tampering HW Protection for keys Even if Kernel breached Anti Cloning
Scalable Crypto Accelerators Internal and External
TLS Device Authentication Secure debug enablement PKCS#11 API – Simplified Easy to integrate
Built-in provisioning Life-cycle management
9 |www.insidesecure.com
NETWORKSECURITY
10 |
Security Challenges in the NetworkSolution: Strong encryption, authentication, and platform integrity
2-WayCommunication
2-WayCommunication
Server
Data Management
Take control of the Device or Application
Insert Non-Authorized Devices
Man in The Middle: (Are we talking to the expected endpoint?)• Spy the line• Hijack network• Broadcast private information
Take Control of the Routers/Servers
Gateways / Router
Rogue or Personal Devices
11 |
Security Protocols: Which security protocol will each application use?
Examples: IPsec (gateway/gateway), SSL/TLS (client/server), DTLS (client/server) for SSL VPNs, VoIP, and CAPWAP for Wireless AP Provisioning, MACsec (Ethernet)
Performance: What is the network bandwidth of the device? Do you require line rate security performance?
CPU Utilization: How compute intensive is the protocol implementation?
What is your power budget? (Battery, AC powered?)How many CPU cycles are available for security?
(Is this a forwarding device or is data initiated/terminated by apps on the local CPUs)
Application Concurrency Will multiple applications in the system all require security services? Is there a requirement to isolate crypto keys & operations from other applications running in the system? Is there a trusted execution environment present such as ARM TrustZone?
The solution to all these questions is a dedicated HW resource to accelerate all crypto functions
System considerations when selecting a security architecture
12 |
Architectural choices of implementing Security Protocols (IPSEC,SSL/TLS)
CPUARMv7
memory interface
System Bus
1. Security & CryptoGeneric SW Only
memory interface
System Bus
NetworkInterface
3. Standalone AES & SHA cores
HashCrypto
memory interface
System Bus
NetworkInterface
4. Protocol aware Look AsideSecurity Packet Engine
CryptoPacketEngine
NetworkInterface
CPU CPU memory interface
System Bus
NetworkInterface
CPU
5. Protocol aware Look AsideSecurity Packet Engine with Classifiers
In line Crypto Engine With Classifiers
memory interface
System Bus
2. Security & Crypto SWARMv8 AES & SHA Crypto Extensions
NetworkInterface
Security Protocol Control PlaneSecurity Protocol Data PlaneData Plane Crypto OperationsCPU
ARMv8
Legend
Security Protocol Control PlaneSecurity Protocol Data Plane
---
Data Plane Crypto OperationsSecurity Protocol Control Plane
---
Security Protocol Data PlaneData Plane Crypto Operations
Most Efficient and Scalable Architecture
13 |
System tradeoffs for each architecture (IPSEC, SSL/TLS)
HW Crypto Accelerator
Security Data planeStacks
Packet EngineSecurity Data planeStacks
Security Data planeStacks
Security Control plane
Security Control plane
Security Control plane
Packet Engine & Classifier
Security Data planeStacks (incl SW crypto)
Security Control plane#1 & #2SW only Security
Protocol
SW complexityPerformance
Host utilization
low high
Power dissipation
SW complexityPerformance
Host utilization
low high
Power dissipation
SW complexityPerformance
Host utilization
low high
Power dissipation
SW complexityPerformance
Host utilization
low high
Power dissipation
#4 Using a HWCrypto Packet
Engine
#3 Using HWAES & HASH
cores
#5 HW SecurityPacket Engine /w
classifier
More Energy &
Performance EfficiencyMost Efficient and Scalable
Architecture
14 |
Manufacturers are liable when hacks succeed
Power efficiency lowers cost
High speed network systems continue to drive best profits
Why choose inside secure
INSIDE Secure has a complete suite of Silicon IP for all your design points, with the available protocol source code for a complete system implementation
Protocols
Performance
Power
Risk
SSL/TLS, DTLS, IPSec, MacSec, VPN’s, HDCP, DTCP
Hardware acceleration enables the fastest systems
Hardware acceleration decreases power
Effective security keeps your company out of the news
Security already pervasive and required
15 |
THANK YOU!
Stephen Wu Senior Security Silicon IP and Software FAE
swu@insidesecure.com