Post on 04-Jan-2017
IAEA International Atomic Energy Agency
The IAEA’s Universal Instrument Token (UIT)
Andreas Schwier, Frank Thater, Christoph Brunhuber,
Keith Morgan, Ingo Naumann, Bernie Wishard
Symposium on International Nuclear Safeguards: Linking Strategy, Implementation and People
Vienna, Austria
20-24 October 2014
IAEA
Context
The International Atomic Energy Agency (IAEA) verifies through its safeguards system that States comply with their commitments, under the Non-Proliferation Treaty and other non-proliferation agreements, to use nuclear material and facilities only for peaceful purposes.
(Source: http://www.iaea.org/)
Context
Safeguards Equipment
• Data-collecting devices installed in or taken into nuclear facilities by the IAEA
• Especially designed for use in nuclear safeguards
• Very high security level required
• Examples: detectors, measurement and monitoring devices, seals, cameras
Context
• Data originating from safeguards equipment need to be integrity-protected and verifiable
• Some devices are stand-alone in nuclear facilities
• Devices need to be tamper-resistant
• Secret/private keys need to be protected
• Data are stored in the secure LAN within the Department of Safeguards
Safeguards Equipment
[Diagram: the facility side (untrusted or partially trusted environment) holds the measuring equipment, the physical data/images it produces and an on-site review station; digital data travel over a Virtual Private Network across the Internet to the review station in the trusted environment. Elements labelled: measuring equipment, physical data/images, on-site review station, secret/private key, digital data, review station. Threats marked: data manipulation, potential insider threat, possible attacks on communication/measuring equipment.]
The Universal Instrument Token (UIT)
• The Department needed a new cryptographic token engine which increases the protection of instrument data in accordance with departmental security policies
• Will be implemented across a wide range of hardware architectures and operating systems, e.g. Windows, Linux, SMX
• Works in conjunction with RAINSTORM
“You can manage and use the keys, but you cannot touch them”
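The motto above, together with the requirements on the Context slides (integrity-protected and verifiable data, protected private keys, detection of data manipulation), is easiest to see in code. The following Python model is an added example and is not code from the IAEA, the SmartCard-HSM or any of the libraries named in this talk. A UitModel object stands in for the token: it exposes public_key() and sign() and no way to read the seed. make_record() is the instrument side, verify_record() the review station. The signing core is a compact pure-Python Ed25519 (RFC 8032), chosen so the example runs with the standard library alone; it substitutes for the RSA/ECC signatures the real token produces and is not constant-time, so it must not be used outside a demonstration. The record layout, the instrument name "demo-monitor-01", the seed and all function names are assumptions made for this example.

```python
import hashlib
import json

q = 2**255 - 19  # Ed25519 (RFC 8032) core below: pure Python, readable, not constant-time
l = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, q - 2, q)) % q
I = pow(2, (q - 1) // 4, q)

def inv(x):
    return pow(x, q - 2, q)

def xrecover(y):
    """Even x coordinate for a given y on -x^2 + y^2 = 1 + d x^2 y^2."""
    xx = (y * y - 1) * inv(d * y * y + 1) % q
    x = pow(xx, (q + 3) // 8, q)
    x = x * I % q if (x * x - xx) % q else x
    return q - x if x & 1 else x

By = 4 * inv(5) % q
B = (xrecover(By), By)  # base point

def edwards(P, Q):  # affine point addition
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % q, (y1 * y2 + x1 * x2) * inv(1 - t) % q)

def scalarmult(P, e):  # left-to-right double-and-add
    Q = (0, 1)
    for i in reversed(range(e.bit_length())):
        Q = edwards(Q, Q)
        if (e >> i) & 1:
            Q = edwards(Q, P)
    return Q

def encodepoint(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def decodepoint(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    x = q - x if (x & 1) != (s[31] >> 7) else x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q:
        raise ValueError("point not on curve")
    return (x, y)

def secret_scalar(seed):  # clamped scalar a and nonce prefix, both derived from the 32-byte seed
    h = hashlib.sha512(seed).digest()
    return int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254), h[32:]

def publickey(seed):
    return encodepoint(scalarmult(B, secret_scalar(seed)[0]))

def signature(m, seed, pk):
    a, prefix = secret_scalar(seed)
    r = int.from_bytes(hashlib.sha512(prefix + m).digest(), "little")  # deterministic nonce
    R = encodepoint(scalarmult(B, r))
    k = int.from_bytes(hashlib.sha512(R + pk + m).digest(), "little")
    return R + ((r + k * a) % l).to_bytes(32, "little")

def checkvalid(sig, m, pk):
    """True iff sig is a valid signature on m under pk; malformed input gives False."""
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + m).digest(), "little")
    return S < l and scalarmult(B, S) == edwards(R, scalarmult(A, k))

class UitModel:
    """Token stand-in: the seed stays inside; callers get public_key() and sign() only."""
    def __init__(self, seed):
        self.__seed = seed  # no accessor on purpose: manage and use the key, never read it
        self.__pk = publickey(seed)
    def public_key(self):
        return self.__pk
    def sign(self, data):
        return signature(data, self.__seed, self.__pk)

def canonical(record):  # deterministic bytes, so instrument and review station hash the same thing
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def make_record(token, record):
    """Instrument side: attach the token's signature to one measurement record."""
    return {"record": record, "sig": token.sign(canonical(record)).hex()}

def verify_record(bundle, pk):
    """Review-station side: accept only if the signature checks under the token's public key."""
    return checkvalid(bytes.fromhex(bundle["sig"]), canonical(bundle["record"]), pk)

DEMO_TOKEN = UitModel(hashlib.sha256(b"constructed demo seed, not a real UIT").digest())
SAMPLE = {"instrument": "demo-monitor-01", "seq": 17, "utc": "2014-10-20T09:00:00Z", "value": 4.12}  # constructed

def demo():
    bundle = make_record(DEMO_TOKEN, SAMPLE)
    tampered = {"record": dict(bundle["record"], value=3.9), "sig": bundle["sig"]}  # data manipulation
    return verify_record(bundle, DEMO_TOKEN.public_key()), verify_record(tampered, DEMO_TOKEN.public_key())  # -> (True, False)
```

Calling demo() returns (True, False): the untouched record verifies, the manipulated copy does not. Two design points carry over to the real architecture: the review station needs only the token's public key, which is exactly what an enrolment station can record and distribute, and the signed bytes are a canonical serialisation, because a signature over "the record" is only checkable if instrument and reviewer agree byte for byte on what the record is.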
The SmartCard-HSM
• Smart Card: pocket-sized card with an embedded secure integrated circuit (also known from credit cards and national ID cards, or embedded in your passport) [1]
• Hardware Security Module (HSM): a physical computing device that safeguards and manages digital keys for strong authentication and which provides cryptographic processing [1]
[1] Source: Wikipedia
The SmartCard-HSM is a remotely manageable secure key store using smart card technology to protect RSA and ECC cryptographic keys
SmartCard-HSM Features
• Up to 2048-bit RSA
• Up to 320-bit ECC
• On-board key generation
• Sign / Decrypt / Derive
• Authentication Code
• Backup / Restore
• Common Criteria (EAL4+)
• Open-Source Middleware
Various form factors available
Remote Management
• Built-in PKI provides for
  • Key attestation
  • Secure communication with remote devices
• Use Cases
  • De-couple device handling and certificate issuance
  • Certificate renewal
  • PIN Unblock
(For future use)
Software Stack - Requirements
• Many hardware platforms
• Windows XP, Windows 7 (32 and 64 bit), different Linux kernels
• Embedded systems
• Small footprint
• Open source a must
• Adhere to standards (e.g. CMS / PKCS#11)
Architecture
• OpenSC
  • Provides for device and key management
• Cryptlib
  • Implementation of cryptographic processing, i.e. data formats
• RAINSTORM
  • Communication with remote systems
• “Ultralite” driver
  • Small-footprint crypto library for CMS generation
• sc-hsm-pkcs11
  • Read-only standard PKCS#11 interface
Applications
• Laser Mapping System for Containment Verification (LMCV)
  • Windows 7 Embedded, implemented using cryptlib, OpenSC and RAINSTORM
• Online Enrichment Monitor (OLEM)
  • Debian Sarge Linux, implemented using sc-hsm-ultralite, RAINSTORM
• Next Generation ADAM (NGAM) device
  • SDX real-time operating system, proprietary implementation
Enrolment
• Automatic enrolment station within the secure environment of the Agency’s HQ
• Use of the UIT for many safeguards applications simplifies the enrolment process
• Location and ownership of UITs are tracked by the Agency’s equipment management system (EQUIS)
Summary I
• The UIT constitutes the core element of the architecture for signing safeguards data
• Certified, secure device
• Complex interaction of various hardware and software components: token, drivers, middleware, application and cryptographic libraries
• Built on open-source libraries
• Independent of hardware architecture and operating system
Summary II
Take-home Messages:
• Major step towards the harmonization of security approaches for safeguards equipment
• The UIT has raised the overall security level of safeguards equipment