ElevenPaths and Symantec plan a joint offer Security Solutions for IoT environments

lunes, 31 de octubre de 2016

ElevenPaths collaborates with Symantec as technology provider for its Security certificate service for IoT.




Madrid, October 31 2016.- ElevenPaths, Telefónica Cyber Security Unit, announce our intends to collaborate with Symantec, as a global cybersecurity leader, on integrating Symantec Managed PKI Service in order to protect IoT environments against cyberattacks.

In the Internet of Things millions of different devices are interconnected in an open digital environment and need to communicate securely at all times in order to preserve the trustworthiness of the IoT applications. Identity and Authentication is a cornerstone of building such trust, therefore Telefonica is developing ways to securely and indisputably identify those devices and secure the data transmitted among them.

That is, as in the physical world our ID card or passport identify us as people, in the context of the IoT Telefónica is in the process of developing its Trusted Public Key Infrastructure service, and will be relying on best- in-class Symantec Managed PKI Certificate Technology to ensure that the connected devices are exactly what they claim to be and that code running on IoT devices is authorized.

The high-volume, high-performance managed certificate service Symantec offers will allow Telefónica to embed certificates on hardware or issue them in real time as required for their specific use case. These code signing certificates and cloud based signing-as-a-service will be part of Telefonica’s comprehensive offer for IoT environment.

With the new technology incorporated by Telefónica companies that require large-scale IoT deployments will be able to manage certificates’ lifecycle for auto enrollment, renew and revoke the certificates to secure the communication and provide mutual identification, encrypt communications end-to-end and guarantee the integrity and traceability of the transactions.

Trusted Public Key infrastructure service is integrated with other security and IoT managed connecting as smart M2M and is part of  IoT Security solutions currently on offer by Telefónica: such CyberThreats, capable of detecting and identifying the modus operandi of the cybercriminals and the methods used in attacks against IoT infrastructure; and Faast IoT technology specialised in detecting and analyzing vulnerabilities in IoT ecosystems.

ElevenPaths and Symantec intend their future collaboration to deliver on 4 key cornerstones that are drivers for the IoT and its security: the protection of communications, securing the identity and authentication of the IoT devices, the protection of devices themselves, including host-based protection and reputation based security, the management of the devices including OTA management, and the understanding of the IoT environment, through security analytics helping flag any anomaly.



More information:

ElevenPaths y Symantec ideamos una oferta conjunta de soluciones de autenticación y cifrado digital para entornos IoT

ElevenPaths colaborará con Symantec, como proveedor tecnológico, en un Servicio de Certificados de Seguridad para entornos IoT. 


Madrid, 31 de Octubre de 2016.- ElevenPaths, la unidad de Ciberseguridad de Telefónica, anunciamos nuestro acuerdo de colaboración con Symantec, líder global en certificados digitales/PKI, para integrar la tecnología Symantec Managed PKI Service en la protección entornos IoT frente a ciberataques.

En el “Internet de las Cosas” millones de dispositivos diferentes se interconectan en un entorno digital abierto y necesitan comunicarse de forma segura en todo momento para preservar la confianza en las aplicaciones IoT. La Identidad y la Autenticación son los pilares en los que se apoyan esta confianza, por tanto Telefónica está desarrollando formas de garantizar la seguridad, identificar inequívocamente dispositivos y salvaguardar toda la información transmitida.

En el mundo físico nuestro documento de identidad o pasaporte nos identifica como personas, en el contexto de IoT Telefónica está desarrollando su servicio Trusted PKI, apoyándose en la tecnología líder del mercado de Symantec Managed PKI Certificate, con el objetivo de asegurar que los dispositivos conectados son quienes dicen ser y que el código que ejecutan los dispositivo está autorizado.

La plataforma de gestión de certificados digitales de Symantec permitirá a Telefónica incluir certificados en la fase de fabricación del hardware o generarlos en tiempo real cuando sea necesario. Certificados para la firma de código y el servicio de firma en la nube serán parte de la amplia oferta de Telefónica para entornos IoT.

Con esta nueva tecnología incorporada por Telefónica, compañías que requieren implantaciones de IoT a gran escala serán capaces de gestionar el ciclo de vida de los certificados de sus dispositivos: inscripción automática, renovación y/o revocación para asegurar las comunicaciones extremo a extremo con el cifrado de las comunicaciones y garantizar la integridad y trazabilidad de las transacciones.

El servicio Trusted PKI está integrado junto al servicios de conectividad IoT gestionada de Telefónica como Smart M2M y forma parte de las soluciones de IoT Security ofrecidas actualmente por parte de Telefónica: como CyberThreats, capaz de detectar e identificar el modus operandi de los delincuentes y los métodos utilizados en los ataques contra infraestructura IoT; y la tecnología Faast IoT especializada en la detección y análisis de vulnerabilidades en los ecosistemas de la IoT.

ElevenPaths y Symantec sustentan su colaboración en cuatro pilares claves para la seguridad de entornos IoT: protección de las comunicaciones, asegurar la identidad y la autenticación de los dispositivos IoT, protección de los propios dispositivos, la gestión de los dispositivos, incluyendo la gestión OTA, y la monitorización del entorno IoT del cliente a través de análisis de seguridad que ayudan a revelar cualquier anomalía.

Más información:

Now you can use Latch with Dropbox, Facebook and others digital services

sábado, 29 de octubre de 2016

Many of you have asked us which services you can use Latch with, regretting that so far it could not be used in the more common services, such as Dropbox, Facebook or even Google itself. Well, the new version of Latch comes with a new functionality that will allow you to use Latch to protect your accounts in these and many other services. Now available for Android and Windows Phone, and coming soon the iPhone version.

What is this functionality about?
This new feature implements the TOTP protocol (Time-Based One Time Password), which generates a password valid for a period of time. This password may be requested to users by the services that support it (including the above) as a second factor authentication if the user specified so in the configuration. Thus, users of these services will receive this temporary code in the Latch application installed on their mobile phone, and use it as a second factor authentication (after having been authenticated with their user name and password) to access the services.

What’s new?
Apps already existing in the market for this purpose generate TOTPs associated with the mobile device so that if the user has a problem with it, such as loss or theft, or if they simply have to reset factory data for some reason, they will need to match the services protected with this second factor authentication with the application they use.

In Latch, we have created what we call Cloud TOTP, which consists in, instead of associating the TOTPs with the mobile device, associating them with the Latch account, thus simplifying the recovery process in case of loss of the device.

How can I use it?
To start using this new functionality, you just need to follow these steps:
  • First, create a Latch account and install the Latch app on your mobile device.
  • Then, go to the configuration of the service you want to protect with second factor authentication and enable it. If we take Dropbox as an example, you have to go to the Settings -> Security section, look for the “Two-step verification”, and enable it as shown below, after which you will be guided through a series of screens. When asked how you want to receive security codes, select “Use a mobile app”. 
Image 1. Enabling the two-step verification in Dropbox


Finally, add the new service to Latch capturing the QR code provided by Dropbox following the steps in the Latch app, as shown below.

Image 2. Dropbox QR Code
Image 3. Capturing the QR code with Latch

>>Stay tuned! We´ll post video tutorials using Cloud TOTP with services as Dropbox, GitHub, Facebook, Google, etc.

Find out much more about Latch!

Ya puedes usar Latch con Dropbox, Facebook y muchos más servicios

viernes, 28 de octubre de 2016

Muchos sois los que nos habéis preguntado en qué servicios se puede utilizar Latch, lamentando que, hasta ahora, no se pudiera utilizar en aquellos servicios más comunes, como Dropbox, Facebook o el propio Google. Pues bien, la nueva versión de Latch trae una funcionalidad que os va permitir utilizar Latch para proteger vuestras cuentas en estos y otros muchos servicios. Ya está disponible para Android y Windows Phone, y próximamente también la versión para iPhone.

¿En qué consiste esta funcionalidad?
Esta nueva funcionalidad implementa el protocolo TOTP (Time-Based One Time Password), que permite generar una contraseña válida por un período de tiempo que los servicios que lo soporten (entre ellos los anteriormente mencionados) podrán requerir a los usuarios como segundo factor de autenticación si el usuario así lo ha configurado. De esta manera, los usuarios de estos servicios podrán recibir este código temporal en la aplicación Latch instalada en su móvil y utilizarlo como segundo factor de autenticación (después de haberse autenticado con su usuario y contraseña) para acceder a los servicios.

¿Qué tiene de nuevo?
Las aplicaciones que ya existen en el mercado para este fin, generan TOTPs asociados al terminal móvil del usuario de manera que, si el usuario tiene algún problema con el terminal, como pérdida, robo o simplemente tiene que restablecer los datos de fábrica por alguna razón, tendrá que volver a emparejar los servicios que esté protegiendo con este segundo factor de autenticación con la aplicación que utilice.

En Latch hemos creado lo que llamamos Cloud TOTP, que consiste en que, en lugar de asociar los TOTPs con el terminal móvil, se asocian con la cuenta de Latch, lo que simplifica el proceso de recuperación en caso de pérdida del terminal.

¿Cómo se puede utilizar?
Para empezar a utilizar esta nueva funcionalidad, hay que seguir los siguientes pasos:
  • En primer lugar, debemos haber creado una cuenta de Latch y tener instalada la aplicación en nuestro dispositivo móvil.
  • A continuación, hay que ir a la configuración del servicio que queremos proteger con segundo factor de autenticación y activarlo. Si tomamos como ejemplo Dropbox, tendrás que ir a la sección Configuración->Seguridad y buscar la opción “Verificación en dos pasos” y habilitarla como se muestra a continuación, tras lo cual se te guiará a través de una serie de pantallas. Cuando te pregunte cómo quieres recibir los códigos de seguridad, elige “Usar una aplicación móvil”.


Figura 1. Activación de la verificación en 2 pasos en Dropbox

Finalmente, añadimos el nuevo servicio en Latch capturando el código QR que muestra Dropbox siguiendo los pasos que se indican en la aplicación de Latch, tal y como se muestra a continuación.

Figura 2. Código QR en Dropbox
Figura 3. Captura del código QR en Latch


¡Estad atentos durante las próximas semanas! Publicaremos vídeo-tutoriales de cómo utilizar Cloud TOTP con servicios como Dropbox, GitHub, Facebook, Google, etc.

¿Quieres conocer más sobre Latch? ¡Visita su web!

Cryptographic Security in IoT (II)

The proliferation of IoT services platforms and devices is occurring much faster than the adoption of security measures in its field. In the face of the urgent need for mechanisms that guarantee the authentication, integrity and confidentiality, of both communications and the devices themselves, the trend is to transfer cryptographic solutions contrasted in traditional IT, such as public key digital certificates over SSL/TLS protocols. We are moving forward in the state-of-the-art of cryptography solutions for IoT.

Crypto-Authentication
Given Atmel’s long history of developing security elements with cryptographic abilities, such as TPM modules, microcontrollers for SmartCards, cryptographic accelerators, crypto-memories, comparators, etc. it is only natural that the IoT ecosystem begin to integrate its Crypto-Authenticators to add cryptographic abilities. These have three different available variants:
  • SHA204A: simple authenticator based on MAC/HMAC-SHA-256.
  • AES132A: authenticator and cipher based on the AES/CCM symmetric algorithm with 128-bit keys.
  • ECCx08A: authenticator and cipher based on ECDSA and ECDH elliptic curve asymmetric algorithms, with 256-bit keys.
Their physical characteristics are practically identical and are therefore compatible and interchangeable. Choosing one or the other will be determined by the needs of the device storing them, and though they incorporate numerous characteristics of some complexity, it is possible to use their  basic functions easily.

They can be used as highly versatile cryptographic security elements: from simple device authentication, mutual or reciprocal authentication, session key negotiation for integral encryption of a communication, code or data authenticity verification during secure start-up (SecureBoot) or remote firmware updating (OTA), etc. All this for less than 1 euro. If we meet the program’s requirements for “samples”, Atmel sends free samples at no extra cost.

I2C Bus
Different small sized formats are produced, all of which are surface-mounted. Though there is a version with only three pins that uses an SWI communication protocol, which for a time was sold by Sparkfun on a mini board, the 8-pin encapsulations are the most common, with SOIC-8 being the most manageable. For the evaluation and testing stages, using a DIP-8 adaptor is advised; there are different types, including the most popular GROVE modules, and you can even make your own.

Only four of its pins are in use. Two for its flexible power supply, of extremely low consumption, which can vary from 2.0 to 5.5 watts; two for the I2C bus, which enables connection to microcontrollers such as the popular Arduino, and even desktop systems and servers by means of adaptors, generally USB types.

The I2C bus is a standard for serial communication, widely used in the industry to interconnect integrated circuits. It uses two lines to transmit information: a data line (SDA) and a clock line (SCL), both with ground reference (GND).

In systems such as BeagleBone and Raspberry PI, the I2C is easily accessible both physically, as it is exposed, and logically, through numerous tools available in GNU/Linux.
If we want to use a conventional system, either Windows, Linux or Mac, that does not have an accessible I2C bus, the most simple option is to use an I2C USB adaptor. There are commercial ones, however it is possible to build your own thanks to the i2c-tiny-usb standard driver, which allows any system to use an Atmel ATtiny 45/85 microcontroller by way of interface USB to I2C. Only a few brave people dare to use the I2C bus present in the connector of video cards, even though it is technically possible. Although it doesn’t provide the same functionality, it is also possible to use firmware that uses the LUFA library in any compatible Atmel microcontroller, for example the ATmega32u4 from Arduino Leonardo, creating a "Serial to I2C" interface, which is accessible from Python, for example. With the USB adaptors included in the official Atmel development kits, the Microsoft Word tools that are included for free can be used.

Communication in the I2C bus is conducted in a “master-slave” manner. The master initiates the dialogue, obtaining a response from the slaves that are identified by their 7-bit I2C address. This address comes factory ready, though many devices have mechanisms to modify it, allowing several similar devices to connect to the same I2C bus.

The “host” systems can only be masters of the I2C bus, with the majority of I2C devices being slaves. Some microcontrollers, for example those used in Arduino, can be programmed to behave as masters or as slaves, though it is most common for them to act as masters.

Through the "i2cdetect" command in Linux, or with a simple sketch in Arduino, the I2C bus can be scanned to detect connected slave devices.


In this scanning example, performed in either Linux, with an "i2c-tiny-usb” adaptor, or in Arduino, the real I2C addresses (in 7-bit format) for the crypto-devices connected to the bus can be obtained. Many manufacturers, Atmel included, usually indicate the I2C addresses in 8-bit format in their specifications, which can result in some confusion.

Open Source libraries
Together with detailed documentation, Atmel facilitates open source libraries for cryptographic device management from their line of micro-controllers and SoCs.


From these libraries, adaptations to different environments began to appear, once again emphasising Josh Datko’s work which, from Cryptotronix, facilitates numerous examples for both Linux and Arduino.

The Atmel SHA204A Linux driver, called Hashlet, particularly stands out, and has served as a starting point for many other developments.

There are different adaptations for the Arduino platform, each of which has its pros and cons, so a choice must be made to find the one that adapts best to each particular need.

Atmel SHA204A
The Atmel SHA204A is one of the simplest and most easy to use cryptographic devices, though it has a wide variety of functions in relation to its relative complexity.

Its functioning is based on the computing of SHA-256 summaries, used to generate MAC/HMAC (Message Authentication Code) from internally stored keys. It has 16 slots to store keys that are 256 bits (32 bytes) in length, and can, in turn, have different access and usage configurations, defined when personalising the device. Together with an 88 byte configuration zone and an OTP (One Time Programmable) zone that is 64 bytes in length.

It has a random number generator, with which it implements challenge-response operations without exposing keys (MAC, CheckMac, GenDig). Supporting "Key Rolling” mechanisms (DeriveKey). It is unequivocally identified by an unmodifiable, factory-defined 72 bit serial number (SN).

It has an abundance of official documentation which is available on the internet, as well as a large number of examples developed by the Open Source community. Though it implements 14 commands, it is possible to make complete functional use of it with only two of them, as we will see next.

Personalisation 
Before being able to use any cryptographic device, it is necessary to establish its unique keys and configuration options, and to lock the configuration and OTP zones. This process is known as "personalisation", and is irreversible; once this has been performed, there is no possibility of turning back, the established parameters will remain unchangeable.

ATSHA204A personalisation is easily performed through Linux by using the Cryptotronix “hashlet”, as described in the documentation. Once the personalisation command has been executed, the unique keys will be defined and configured in the following manner:


If you have an official Atmel development kit, it is possible to perform the personalisation process from the incorporated tools, but, in any event, it is essential to follow the manufacturer’s indications.


Stay tuned! In the following post about Cryptographic security in IoT, we will take a look at how the HMAC calculation works in technical terms in ATSHA204A. And as a proof of concept (PoC), we will implement the practical use case of an IoT device that must be robustly authenticated by a web service and using cryptographic hardware.

*Related Content:
Cryptographic Security in IoT (I)
Cryptographic Security in IoT (III)

Todo lo que presentamos en Security Innovation Day 2016 (II): Soluciones de Seguridad para controlar en todo momento tu negocio

jueves, 27 de octubre de 2016

Un punto de entrada único a todos tus servicios de seguridad.
Desde nuestros primeros servicios siempre hemos tenido como objetivo que su utilización resulte una experiencia sencilla a la vez que eficiente, y que en definitiva les proporcione una perspectiva diáfana e inmediata del estado general de su seguridad.

En nuestro afán de continua mejora y con el objetivo de proporcionar una visibilidad y control total, en Security Innovation Day 2016, hemos presentado la primera versión de lo que hemos denominado SandaS Unified Security Platform.

Esta plataforma pretende convertirse en el punto de entrada único de todos los servicios que el cliente tiene contratados con Telefónica. Permitiéndote una visión holística y contextualizada, ya que aglutina una serie de indicadores relevantes procedentes de nuestros servicios de seguridad y los combina con información de contexto que nos proporciona la tecnología Autofocus de Palo Alto Networks.




SandaS Unified Security Platform te ofrece:
  • Visión holística del estado de la seguridad de la organización, incluyendo incidentes de seguridad, situación comparativa respecto al contexto global e información acerca del impacto en el negocio.
  • Situación operativa de los servicios de seguridad contratados.
  • Acceso a los portales específicos de cada servicio.
  • Módulo de Data Management que almacena la información relevante de todos los servicios de seguridad
  • Sistema innovador de Machine Learning para el análisis combinado de todas las fuentes de información y detección avanzada de amenazas.
También presentamos dos servicios, CASB y Clean Pipes 2.0, los cuales se incluyen dentro del ecosistema de SandaS:
  • Los agentes de seguridad de acceso a la nube, CASB, que proporcionan visibilidad del riesgo que suponen las aplicaciones de nube. Detectando y analizando el uso de las aplicaciones de nube, autorizadas o no, desde dentro de las instalaciones de cliente. 
  • El servicio de Clean Pipes 2.0, tiene como propósito principal segurizar todas las comunicaciones corporativas independientemente desde donde se realicen –desde el cuartel general hasta el lugar más recóndito del mundo. 
David Prieto Marqués
Head of MSS & Network security.


Conoce el estado de Seguridad de tu organización en todo momento.
En un mundo cada vez más global, más intereconectado, más digital, la seguridad de nuestra organización ya no depende solo de lo que hacemos nosotros, sino también de lo que no hacen nuestros proveedores. Brechas como la de Target, Home Depot y el impacto de la brecha de Yahoo en casos de fraude de identidad etc. demuestran que los atacantes utilizan cada vez más vías indirectas para alcancar sus objetivos, buscando muchas veces el eslabón más débil de una cadena de suministro.

En Security Innovation Day 2016 anunciamos nuestra colaboración con BitSight, un partner tecnológico que propone algo diferente. Todos conocemos los ratings utilizados en el sector financiero para valorar de forma clara la calidad de inversiones, bancos, economías de países etc. ¿Podemos hacer lo mismo para reducir en una única nota el estado global de la ciberseguridad de una organización? La respuesta es sí.

El rating de Ciberseguridad que presentamos en el Security Innovation Day 2016 tiene la siguientes características:
  • Representa la visión que tienen nuestros colaboradores de nosotros. Se utilizan fuentes e información accesible fuera de nuestra organización. Es un enfoque de caja negra.
  • Es un rating objetivo que permite comparaciones entre organizaciones. Se miden variables de riesgo que aplican a cualquier empresa, independientemente de su negocio, sector, tamaño etc.
  • Es una solución escalable a cualquier empresa. Se han elegido variables de riesgo representativas de la seguridad de una organización, y se pueden medir de forma totalmente automatizada. 
  • Permite conocer el estado de seguridad de cualquier organización de forma continua. Al ser automatizada se puede aplicar de forma continua en gran escala. 
El servicio se ofrece como una herramienta SaaS que permite monitorizar la evolución de los ratings, recibir avisos de cambios bruscos y conocer también el por qué, para poder tomar acciones.



Con los ratings de Ciberseguridad podemos en primer lugar conocer cómo nos ven nuestros clientes y competidores y comparar nuestra organización con nuestro entorno, tanto en momentos puntuales como su evolución histórica. El primer pilar por tanto de la propuesta de valor es lo que llamamos benchmarking. El segundo pilar es la monitorización del rating de todos nuestros proveedores. Se puede hacer tanto individualmente como de forma agregada estimando el rating global de toda nuestra cadena de suministro.

Este servicio esta ya disponible a través de la fuerza de venta de Telefónica, pero nuestra alianza no acaba aquí. Por ello, estamos ahora trabajando para dar el primer paso integrando nuestros productos Tacyt y Path6 con Bitsight para añadir una variable de riesgo asociado al canal móvil de una empresa y de su cadena de suministro.

Nikolaos Tsouroulas
Global Product Manager for Cybersecurity Services


No te pierdas el resto de la serie "Todo lo que vimos en Security Innovation Day 2016":
»Todo lo que presentamos en Security Innovation Day 2016 (I): Partners Program y Alianzas


ElevenPaths acquires Shadow technology from Gradiant

miércoles, 26 de octubre de 2016

Chema Alonso (Chief Data Officer of Telefónica and Chairman of ElevenPaths) announced during Security Innovation Day 2016, the purchase of the Gradiant's solution for document security, SHADOW.
The acquisition is one of the first derivatives of the recent agreement signed between Gradiant and ElevenPaths, the cybersecurity division of Telefonica worldwide. Both parties also stated that this acquisition is only the first step in what they hope will be a long history of mutual successes.

What is SHADOW?

More than half of the companies worldwide (54%, according to data from 2013 Nielsen Report) have had at some point losses or leaks of sensitive information. Despite the security measures currently available (DMS, access control mechanisms, firewalls), there are still security holes.
The strongest chain always break at the weakest link. And in documents security, that weak link is -very often- equal to the human factor.
The leaks of confidential documents, depending on their origin, leads to sensationalist or damaging public disclosures for companies victims of such leaks. In other cases, such information although not made public, ends up getting to competitors, or even worse, criminals.
The damages caused by leaks of documents are very visible, and almost always very serious. They can be financial, reputational or in competitiveness.
SHADOW is an automated tool that allows the traceability of documents by using techniques of digital watermarking. Shadow provides evidences in the event that confidential information leaks happen, helping to identify those responsible for the infringements. Converts each copy of a document through the insertion of invisible water marks. In this way, SHADOW ensures that each copy is unique and at the same time, virtually identical to the original document. This watermark -hidden information that identifies the owner or the recipient of the document- is resistant to distortions, such as those produced in the printing process or the scanning of documents.
It works as a deterrent against information leaks: it is perfect for hiding information on the origin and destination of confidential documents in order to identify those responsible if a leak occurs, once the documents are outside the trusted area for which they were created.
It also provides automatic classification of scanned documents: adding information about the contents of the documents, SHADOW can perform automatic classification.
It is a 100% compatible software solution with any printer or scanner devices. Ensures traceability in text documents, both digital and printed formats. The information associated with the watermark is fully configurable, being possible to establish a link to the document owner, to its receptor, or to the date and time when the document was printed. To retrieve that information afterwards, it is not necessary to be in possession of the original document.
In addition, SHADOW is resistant to distortions, printing and scanning, and is able to recover all the hidden information even from incomplete, broken, wrinkled or stained documents.
SHADOW family
SHADOW FILES: web platform that allows secure sharing fo documents. The platform allows sending documents to recipients previously registered in the system. Each recipient receives a single copy of the document containing hidden information that links the copy to the intended recipient.
SHADOW PRINT: Virtual Print Driver for Windows that allows automatic watermarking as soon as a document is sent to any printer. The printed document includes hidden information about the user account from which it is printed.
SHADOW READER: Tool for extracting information from the document’s watermark.

SHADOW MOBILE: Mobile application for extracting information from the document’s watermark.(available for iOS and Android).



ElevenPaths adquirimos la tecnología Shadow de Gradiant

Chema Alonso (Chief Data Officer de Telefónica, y Chairman de ElevenPaths) anunció durante el Security Innovation Day 2016, la compra de la tecnología de Gradiant para seguridad y trazabilidad documental SHADOW.

La adquisición es una de las primeras consecuencias del reciente acuerdo de colaboración firmado entre entre Gradiant, el Centro Tecnológico TIC de Galicia, y ElevenPaths, la división de ciberseguridad de Telefónica a nivel mundial. Ambas partes además, manifiestan que esta adquisición es solamente el primer paso en lo que esperan sea una larga historia de éxitos mutuos.

¿Qué es SHADOW?

Más de la mitad de las empresas a nivel mundial (54%, según datos del Informe Nielsen de 2013) ha sufrido en algún momento pérdidas o filtraciones de información sensible. Y es que a pesar de las medidas actualmente disponibles (DMS, mecanismos de control de acceso, firewalls) aún existen agujeros de seguridad.

Las cadenas más fuertes siempre se rompen por el eslabón más débil. Y en materia de seguridad de los documentos, ese eslabón suele ser el factor humano.

La filtración de documentos confidenciales, dependiendo de su origen, casi siempre da lugar a revelaciones públicas sensacionalistas o perjudiciales para las empresas víctimas de dichas filtraciones. Y en otros casos, esa información, aunque no se hace de dominio público, termina por llegar a competidores, o incluso a delincuentes.

Los daños causados por las filtraciones de documentos son muy visibles, y casi siempre muy graves. Pueden ser financieros, de imagen o de competitividad.



SHADOW es una herramienta automática que permite la trazabilidad de documentos mediante el uso de técnicas de marcas de agua digitales. Shadow proporciona evidencias en caso de que se produzcan fugas de información confidencial, ayudando a la identificación de los responsables de la infracción. Convierte cada copia de un documento en única gracias a la inserción de marcas de agua no perceptibles. De esta forma, consigue que cada copia sea singular y, al mismo tiempo, prácticamente idéntica al documento original. La información oculta –y que permite identificar al propietario o receptor del documento- es resistente a numerosas distorsiones, como las que se producen en el proceso de impresión y escaneado de documentos. SHADOW es integrable en aplicaciones de terceros de forma rápida, tanto en aplicaciones stand-alone como cliente/servidor. Funciona como un elemento disuasorio ante fugas de información: es ideal para ocultar información sobre el origen y destino de documentos confidenciales, permitiendo identificar a los responsables en caso de que se produzca una fuga de información, una vez los documentos se encuentran fuera del área de confianza para el que han sido creados.

Proporciona una clasificación automática de los documentos escaneados: añadiendo información sobre los contenidos de los documentos se puede realizar una clasificación automática cuando estos documentos son escaneados y la marca es extraída. De esta forma se facilita el archivado de documentos tras el escaneo.

Es una solución software, 100% compatible con cualquier impresora y escáner. Garantiza la trazabilidad en documentos de texto, tanto en formato digital como impreso. La información asociada a la marca de agua es configurable, pudiéndose vincular ésta al propietario del documento, a su receptor o a la fecha de impresión del documento. Para proceder a recuperar esa información no es necesario disponer del documento original. Además, SHADOW es resistente a distorsiones, impresión y escaneado, y es capaz de recuperar toda la información escondida, incluso a partir de documentos incompletos, rotos, arrugados o manchados.

Familia SHADOW

SHADOW FILES: Plataforma web que permite la compartición de documentación de forma segura. La plataforma permite el envío de documentos a destinatarios previamente registrados en el sistema. Cada destinatario recibe una copia única del documento, que contiene información oculta vinculando dicha copia con el destinatario específico.

SHADOW PRINT: Driver virtual de impresión para Windows que permite el marcado automático en cuanto un documento se envía a cualquier impresora. El documento impreso incluye información oculta relativa a la cuenta de usuario desde la que se imprime.

SHADOW READER: Herramienta que permite la extracción de la marca de agua de un documento.

SHADOW MOBILE: Aplicación móvil que permite la extracción de las marcas de agua de un documento (disponible para iOS y Android).

Contenido relacionado:
ElevenPaths y Gradiant juntos para innovar en seguridad

ElevenPaths Talks: Cifrado asimétrico en IoT

martes, 25 de octubre de 2016





El próximo jueves 27 de octubre nuestro compañero Jorge Rivera impartirá la charla Cifrado asimétrico en IoT en la que te mostrará nuevas facetas del cifrado en el mundo de IoT, dada la proliferación de dispositivos y plataformas de este tipo de servicios que está siendo muy rápida.

La duración de la charla de Jorge será de unos 30 minutos, divididos entre 20 y 25 minutos de exposición y de 5 a 10 minutos de preguntas y respuestas. El horario de la charla será a las 15.30h (Madrid) y estará disponible al termina ésta en nuestro canal de YouTube. La ponencia se llevará a cabo por Hangouts y se impartirá en castellano.

Si quieres saber más acerca del tema, no dudes en pasarte por nuestra Comunidad, donde nuestros compañeros hablan sobre éste y otros temas de interés en el mundo de la Seguridad. Puedes consultar el calendario de talks para ver los webcasts que aún quedan por celebrarse. Recuerda, tienes una cita el próximo 27 de octubre a las 15.30h (Madrid). Para registrarte debes usar el siguiente formulario de ElevenPaths Talks.

Más información en:
talks.elevenpaths.com

Así fue nuestra participación en CELAES 2016

lunes, 24 de octubre de 2016

CELAES 2016 es la Principal Conferencia de Seguridad Financiera en Latinoamérica, este año fue hospedada y organizada por FIBA (una asociación gremial sin fines de lucro y un centro internacional de excelencia financiera) en Miami, USA.

Durante dos intensas jornadas, donde se dieron cita los principales Bancos de Latinoamérica y Centroamérica, se celebraron diversas actividades enfocadas en la Ciberseguridad y el Fraude en entornos transaccionales.  En este contexto estratégico con más 500 asistentes, fuimos patrocinadores Platinium junto con Kaspersky y Logtrust.

Durante estas jornadas presentamos en exclusiva al sector financiero nuestra nueva Solución Antifraude: Fraud Management & Intelligence (FMI). Una solución cuyo objetivo es minimizar las pérdidas y riesgos derivados del fraude y, consecuentemente, maximizar los beneficios y la resiliencia del negocio.

Además, gracias al enfoque estratégico de FMI, es posible realizar un diagnóstico de la situación actual del Fraude en línea con los objetivos del Negocio (Situation Analysis, Gap Analysis), y definir un plan estratégico de gestión integral del fraude (Fraud Action Plan) para poder llegar a alcanzar el nivel de madurez adecuado para la organización. Para ello, FMI ha definido un marco metodológico que se centra en 7 dominios funcionales (Plan, Assess, Prevent, Detect, Respond, Investigate, Discover).


Los asistentes que nos visitaron estos días pudieron comprobar “in situ” la solución mediante demos interactivas, ejemplo de las capacidades y valor añadido que la solución ofrece, ayudándoles a ver el fraude desde un punto de vista holístico. 

Además fueron entregados informes preliminares y personalizados a entidades bancarias interesadas, que contemplaban diferentes amenazas (Threat Insights), apoyadas por una muestra de resultados e inteligencia de fraude determinantes para la toma de decisiones directas por parte de la entidad. 

En conjunto, las entidades bancarias presentes pudieron ver de primera mano, y con datos reales, información personalizada sobre el fraude a su entidad y ver en las demo en tiempo real la velocidad de procesamiento de la plataforma, su alto nivel de granularidad por región o tipo y ejemplos de integración con el transaccional (FMI Swarm) un consolidado del fraude en números (Nº operaciones y Monto total vs Fraude y % fraude en respecto al monto total, etc.).


Además tuvimos presencia en la agenda del evento con la ponencia de Claudio Caracciolo, CSA (Chief Security Ambassador) de ElevenPaths, que nos dio un entretenida y afilada charla acerca de: “Advanced Banking Security in the Digital Age”, aportando una visión completa sobre los nuevos desafíos (certificados, apps mobiles, etc.) a los que se enfrentan las entidades bancarias.


Para nuestro equipo fue todo un éxito participar de nuevo en un entorno privilegiado, que nos permitió contactar con numerosos clientes potenciales, promocionando la nueva solución FMI para el sector financiero; así como, mostrando otras soluciones disruptivas como Faast dentro de VAMPS y nuestro servicio de CyberThreats.

ElevenPaths participará en la Conference on Cryptology and Network Security (CANS) con una investigación sobre HPKP y HSTS

Una investigación sobre HSTS y HPKP realizada desde el área de innovación y laboratorio de ElevenPaths, ha sido aceptada para participar en la International Conference on Cryptology and Network Security (CANS) 2016 que tendrá lugar en noviembre en Milán y donde se presentarán los resultados.



La International Conference on Cryptology and Network Security (CANS) es una conferencia anual que se centra en todos los aspectos de la criptología, datos, redes y seguridad informática e intenta reunir los resultados más recientes en ese campo que provengan científicos de todo el mundo.

Esta edición número 15 tendrá lugar en Milán, del 14 al 16 de noviembre. Otras ediciones de CANS se han celebrado en Taipei (2001), San Francisco (2002), Miami (2003), Xiamen (2005), Suzhou (2006), Singapur (2007), Hong Kong (2008), Kanazawa (2009), Kuala Lumpur (2010), Sanya (2011), Darmstadt (2012), Parary (2013), Creta (2014), y Marrakesh (2015). CANS 2016 coopera con la International Association of Cryptologic Research (IACR).

La investigación presentada indaga sobre la implementación de HPKP y HSTS tanto en el entorno servidor como cliente, y demuestra con pruebas de concepto algunos potenciales problemas que pueden derivarse del análisis realizado.

Fruto de esta investigación se espera no solo entender y mejorar la ciberseguridad en general sino integrar este conocimiento generado para potenciar e innovar en los productos y servicios más representativos desarrollados por ElevenPaths. 

ElevenPaths en Navaja Negra

sábado, 22 de octubre de 2016

Del 29 de septiembre al 1 de octubre tuvo lugar la conferencia de seguridad Navaja Negra. Una de las más importante en el panorama nacional de las conferencias de ciberseguridad y que reúne a 600 profesionales del ámbito. Además de charlas, también hubo talleres, aportando un enfoque más pragmático. Tanto Pablo González como yo tuvimos el placer de estar allí compartiendo conocimiento con un gran elenco de profesionales.

En este post me gustaría compartir nuestra experiencia en el taller que presentamos y que lleva por título “HSTS y HPKP: Los Batman y Robin de la seguridad web”.

El título de la charla viene motivado por la capa de protección adicional que aportan estos dos protocolos sobre TLS/SSL.  HSTS es un protocolo destinado a forzar la conexión por HTTPS, de modo que la conexión se realice de modo seguro incluso cuando se accede por HTTP. Por su parte, HPKP nace con el objetivo de detectar modificaciones en la cadena de certificación de modo que, por ejemplo, se puedan detectar modificaciones debidas a un ataque MiTM.  Ambos se pueden consultar en los RFC 7469 y 6797.

Para el funcionamiento de estos protocolos es necesario que estén implicados tanto el cliente como el servidor, y se implementan añadiendo una cabecera en la respuesta del servidor. En el caso de HSTS la cabecera se llama “Strict-Transport-Security” y en HPKP “Public-Key-Pins”.

En el taller se explicó el funcionamiento de ambos protocolos y de qué manera es posible implementarlos en el servidor. Además, se mostraron las diferentes directivas, como preload, max-age, includeSubdomains y pins (ésta última en el caso de HPKP).

También se describió cómo los navegadores más populares (Firefox y Chrome) almacenan los dominios visitados por el usuario y protegidos con estos protocolos. Pin Patrol es un plugin de Firefox desarrollado en ElevenPaths que resulta de gran utilidad para una visualización mucho más cómoda de este tipo de información.

Pero estos protocolos no están exentos de puntos débiles. Se mostró tres maneras de atacar estos protocolos. En particular, por medio de versiones antiguas de los navegadores, usando el framework MiTMf y aplicando el ataque a NTP con Delorean.

Posteriormente se propuso “el juego de los dominios”, que consistía en que los asistentes averiguaran cuál de los protocolos usaba cada uno de los protocolos propuestos.  Para finalizar se expusieron algunas conclusiones, así como medidas de seguridad que deben tenerse en cuanta a la hora de implementar correctamente estos protocolos.

Por nuestra parte fue un placer impartir el taller y desde aquí nos gustaría dar las gracias tanto a la organización como a los asistentes.  Esperamos que lo disfrutarais tanto como nosotros.

Aquí os dejamos la presentación para que les echéis un vistazo.

¡Esperamos veros pronto de nuevo!

Carmen Torrano




“State-of-the-art” Partners to tackle the new NIS and GDPR legislation

viernes, 21 de octubre de 2016

With a continued rise in cybercrime, and considering our global economy is dependent on data driven decision-making, the EU has published new legislation that will have an impact on every business: the new Network and Information Security (NIS) Directive and General Data Protection Regulation (GDPR).

The NIS Directive is focused purely on security, to promote a culture of risk management and ensure that the most serious incidents are reported, and applies to (i) “operators of essential services”- organisations that provide elements of a country’s critical national infrastructure – i.e. operators in energy, transport, health, banking …; and (ii) “digital service providers” - Cloud providers, internet exchanges, online marketplaces, which are not micro- and small enterprises.

The GDPR is focused on data privacy, aiming to bring data protection legislation up-to-date and into the modern age, and applies to all companies that process EU citizen data, except organisations with fewer than 250 employees with regard to record-keeping, and some exceptions that relate to national security.

By the end of May 2018, the NIS Directive (as it is an EU directive, rather than a regulation, needs to be implemented as local legislation before 9th May 2018 in each EU member state) and the GDPR will have entered into force in the European Union, giving organisations covered by these pieces of legislation until this date to establish compliance. Till then, organizations need urgently to plan and improve its overall security strategy to comply or potentially, in the event of a breach (NIS has notification requirements around security incidents, whereas GDPR on personal data breaches) an entity will likely have to defend its use — or lack of use — of a range of technologies and procedures.

The penalties for non-compliance are substantial, the primary effect of which will be to raise network information security and data protection as a business risk attention directly into the boardroom. No board member will want to have to explain to shareholders why profits and stock price have fallen due to a security or data breach resulting in a substantial fine. In the case of the NIS Directive, it is the responsibility of each EU member state to determine penalties, but the Directive does specify that penalties must be “effective, proportionate and dissuasive”. NIS grants authorities the power to initiate audits of private industry for suspected non-compliance. Enforcement will be combined with related regulations, in particular the penalties and fine included in the GDPR: dependant of the type of infringement, the fine will reach up to €10m or 2% of global turnover; or up to €20m or 4% of its annual worldwide turnover.

Security Requirements: “State of the Art”
NIS and GDPR have different rules and scope, but regarding their respective security requirements stated for the operators of essential services, digital services providers, data controller or data processors, both pieces of legislation require public or private entities to “have regard to1  and “take into account2  state of the art (NIS and GDPR, respectively) for their cybersecurity. Organisations must therefore take into account technologies and practices that are state of the art in security in deciding how to invest in mitigating risks associated with the protection of essential services that have a dependency on network and information systems (in the case of the NIS directive), and with data protection (in the case of GDPR).

However, neither piece of legislation defines clearly the term or explicitly requires use of specific technologies. Surely the reason is because security capabilities and IT evolve and mature relatively quickly, while legislation is typically long term.

As the NIS Directive requires each EU member state to implement it locally, maybe we could expect greater precision in future legislation. The NIS Directive indicates3  that member states shall encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems, and that ENISA, in collaboration with member states, shall draw up advice and guidelines regarding the technical and security requirements. In the case of GDPR4 , associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation. It seems you would need to continuously monitor such standards and codes of conduct, or to follow ISO standards, PCI DSS…, to obtain some kind of guidance and be compliant.

Companies must therefore have a view on what “state of the art” means to them and be prepared to conclude that they don't need to deploy it based on an assessment of risk, or to defend that view in the event of a breach, aiming to avoid the penalties and fine, and more importantly, not to harm your customers and Brand Reputation.

This is what IDC and Palo Alto Networks have recently called the “State of the Art Paradox”, a research on how businesses in Europe perceive the upcoming EU requirements of “state of the art” cybersecurity. The study found that many companies don’t have a clear understanding of the concept of state of the art, have no processes or metrics in place to measure their alignment with it, and lack a form of review of their position on it with sufficient frequency. IDC conducted research into companies with more than 250 employees based in France, Germany, Italy, Spain and the United Kingdom.

Moreover, if you don’t know how to tackle the security requirements of GDPR, so do as well the 82 percent of global IT and business professionals responsible for data security at both SMBs and enterprises, according to Dell global survey on the European Union’s new General Data Protection Regulation (GDPR), revealing that organizations ‒ both SMBs and large enterprises ‒ lack general awareness of the requirements of the new regulation, how to prepare for it, and the impact of non-compliance on data security and business outcomes. 97% said their companies didn’t have a plan in place to implement the new privacy law.

Be prepared and know how to address “state of the art” at your organization is critical: in any post-breach investigation a company will have to defend its use — or lack of use — of a range of technologies or procedures. You need to have a view on what “state of the art” means to your organisation, and be prepared to defend that viewpoint.

Boardroom issue: what should CEOs, CIOs, CISOs, CDOs, CPOs or DPOs do to incorporate “state of the art” into your cybersecurity/data privacy strategy?
Urgently build a Readiness Plan in order to address this knowledge gap, asking some fundamental questions about your companies’ readiness for NIS Directive and/or GDPR, as suggested by IDC/Palo Alto Networks Call to Action recommendations – Download the full report from IDC.

Basically, as recommended also by Palo Alto Networks Executive Advisory Report, ask your CISO and Chief Privacy Officer (or Digital Protection Officer (DPO)5 - new data-focused post required by GDPR) these questions:
  • Does GDPR or the NIS Directive, or both, apply to our company? Who in the business is accountable for these legislative requirements?
  • What is the company view on state-of-the-art security? How did we define it, and who advised us on this?
  • What is the timescale for us to reach compliance, and what actions need to be taken now in order to achieve compliance by the deadlines?
  • How will the business continue to maintain compliance, and what metrics will the business use to validate this to itself and, when required, to any third parties?

This new regulation provides uniform data protection rights across the EU, and, to be in compliance, both European organizations and those outside of Europe that do business there must adopt an adaptive, user-centric, layered security model approach around the tenets of predict, prevent, detect and respond. To be NIS and GDPR-compliant, you will need “state of the art” security solutions and Partners that enable you to predict and prevent attacks, detect a potentially dangerous presence in your networks, respond quickly to that threat, and analyze and report on the health of your networks in real time. By 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk – Gartner, June 2016.

Additionally, every organisation should consider taking out a cyber-security insurance policy. GDPR introduces the concept of continuous compliance, in which an organization must regularly carry out audits of compliance. This means not once a year, or even once every six months, but arguably on a weekly or even daily basis. At any point an auditor can ask your company to demonstrate compliance, and your company must be able to do that more or less immediately. Insurers will demand a certain standard of security and may be unable to quote you properly if you cannot demonstrate the greater consistency of your security framework. A £5 million indemnity limit is common and it is yet to be seen if the insurance industry increases it to cover the potential €20 million fines, which data protection regulators will be able to impose from 2018.

In summary, you will need to launch a Readiness Plan, be sure you have the most modern (state of the art) technology and processes to address the NIS Directive and GDPR legislation, work with the best (state of the art) Partners, and take out a cyber-security insurance policy, so that it can be proven to whomever needs to know that your organization is doing it all correctly.

ElevenPaths Partners Program: State of the Art Partners
We have recently announced during our Security Innovation Day 2016 the launch of our ElevenPaths Partners Program, as we believe in the idea that “together we are stronger", aiming to continue and to innovate together in the fields of security and privacy. We have defined five Type of Partners, and we are continuously evaluating the market to partner with those ones that better will help us to integrate our experienced security services with your security strategies, in order to help you to keep your critical information safe and your business resilient while you focus on your business.

At ElevenPaths we strive to partner with state-of the art technologic and start-ups companies, aiming to develop and combine together modern, innovative and disruptive security products, helping you to ensure the security of your network and information systems, to report your incidents, and to manage your data privacy, as required by NIS Directive and GDPR respectively. This is what we call our Paths, on which we work every day to offer security today and in the future for these challenges:
  1. Identity and Privacy: To give people control over their personal information and privacy in their digital lives. Identity and access management (IAM) is an important category of technology in the delivery of GDPR compliance, because through effective IAM an organization is able to show who has or had access to what, why, when, and what they did with that access; it is a core principle of defense of important data;
  2. Data Protection: A data protection solution which achieves compliance with GDPR and covers the lifecycle of your company’s information, both in cloud and hybrid or private environments, helping to protect the most valuable asset: information;
  3. Mobility: A secure mobility solution designed to help companies manage and secure access to corporate information from anywhere, at any time and from any device;
  4. Risks and Security Management: A comprehensive and efficient managed security solution for security governance from strategic business units, to help you address the GDPR concept of continuous compliance, in which an organization must regularly carry out audits of compliance;
  5. AntiFraud: A comprehensive, convergent and adaptive solution based on the application of intelligence to detect digital fraud, both in advance and at the moment it is being committed;
  6. CyberThreats:  A solution which helps you continuously prevent, detect and respond to potential cyber-threats that can have a major impact on your organizations' business model, addressing therefore the adaptive security approach suggested by the NIS Directive;
  7. Vamps: A Persistent Vulnerability Assessment & Management solution to help you identify security threats and potential attack methods against your network and systems and allowing a quick management of their correction;
  8. Sandas: A behavioural analysis solution which categorizes and reports incidents and allows you to visualize that information, providing you with automatic responses in real time; and
  9. Sandas GRC: A Government, Risks and Compliance solution which helps you to support your business strategy, to increase your visibility of risk assessment and improve your operational performance, reduce operational risks and ensure regulatory compliance with NIS Directive and GDPR.

Conclusion
As the NIS Directive and GDPR will enter into force soon, time is running out to get your house in order. The timescale for achieving compliance is tight, and we think that organizations of any sizeable scale and complexity will struggle with even the first steps in compliance, such as understanding what information security technologies and procedures should be implemented, and what data they have and its sensitivity. Don't put off early consideration of NIS Directive and GDPR by the less than two-year implementation period. The scale, complexity, cost and business criticality of both legislation means that it will take (at least) two years for most companies to achieve full compliance. You need to start now.

Although both laws may require substantial investments for companies to reach compliance, both the NIS Directive and GDPR represent an opportunity for your Boardroom to re-build your security capabilities with a focus on better mitigating cyber risks, become cyber-resilience, and together create a safer digital world.

Pablo Alarcón Padellano, Alliances & Partnerships


1Arts. 14.1 and 16.1 of NIS Directive
2Arts. 25.1 and 32.1 GDPR
3Standardisation Art.19.1 NIS Directive
4Codes of Conduct Art. 40.2 h) GDPR
5The DPO is responsible for conducting regular audits of GDPR compliance, which means that firms will have to demonstrate their compliance on a regular basis. The DPO's job will be to watch over in an independent manner how data is stored, used and shared and to advise their organisation on data protection issues.

Cryptographic Security in IoT (I)

The proliferation of IoT services platforms and devices is occurring much faster than the adoption of security measures in its field. In the face of the urgent need for mechanisms that guarantee the authentication, integrity and confidentiality, of both communications and the devices themselves, the trend is to transfer cryptographic solutions contrasted in traditional IT, such as public key digital certificates over SSL/TLS protocols.

But the main problem with this approach is to be found in the storage of these certificates on the device. In traditional IT, the operating system is generally responsible for this task. Both Microsoft Windows and Mac OS X, or Linux/UNIX, and their mobile variants (Windows Phone, iOS and Android) have a software tool for this purpose (KeyStore), that generally comes pre-loaded with multiple trust certificates, at least, for the operating system manufacturer.

Microsoft Windows Certificate Manager

Cryptography in IT
But these software storage systems present several weaknesses due to their very nature, and so, in IT settings where security is a priority, the current trend is to use a cryptographic hardware element called a TPM (Trusted Platform Module).

The technical specifications of the TPM module are set forth in an open standard defined by the Trusted Computing Group (TCG). The TCG is a non-profit organisation made up of the main market manufacturers of software and hardware, whose goal is to define, develop and promote open specifications and standards for “secure and reliable computing”.

The TCG started its work in 2003, following in the footsteps of the Trusted Computing Platform Alliance, created in 1999. Since its beginnings, the organisation has been mired in controversy. The free software community, with Richard Stallman at the forefront, has been particularly critical, as the original motivation for it was to protect intellectual property via digital rights management, or DRM.

The TPM module is based on a crypto-processor (discrete chip) that provides advanced security capabilities. It enables the generation and storage of cryptographic keys and operations to be performed on them, in such a way that the keys never abandon the chip, which is specifically protected against physical attacks (tampering).

Produced by different manufacturers (Infineon, Atmel, STMicro, Broadcom, etc.), alongside protection against physical attacks, they include security mechanisms to withstand logical attacks. The NIST accredits them with level 4 certification FIPS 140-2. The use of TPM modules presents restrictions in several countries such as China, Russia, Belarus and Kazakhstan.

Many desktops, business range laptops and servers incorporate a default TPM module (estimated at over 300 million), though it is also possible to incorporate one separately through the connector that the LPC bus presents in a wide variety of post 2004 domestic machines.


TPM modules can securely store a large variety of objects: digital certificates, asymmetric keys, symmetric keys, credentials, cookies, signatures, audit logs, etc.

These are integrated at the BIOS/UEFI level of the machine, and enable certain security criteria to be added in the system pre-start, such as integrity check for configuration changes. These mechanisms are known as “Platform Configuration Registers” or PCRs. One interesting and highly useful function is that it offers the option to authenticate the device rather than the user. Thus, it is possible to establish network access policies in AP wireless, firewalls, routers, switches, etc. compatible with standard 802.1x.

TPM settings in an American Megatrends BIOS
TPM integration with the Operating System provides a complete API of cryptographic services that can be widely exploited with Microsoft Windows from the Vista version and Server 2008. Worth particular mention is its ease of use with BitLocker to encrypt disc units, with Outlook for encrypting and/or signing emails, in the storage of digital certificates and VPN credentials, and with different group policies for the Active Directory on Windows Server. For its part, Apple briefly included TPM modules in their first Intel processor MacBook in 2006, but official support is practically non-existent these days.

On the GNU/Linux side of things, different drivers and tools have been developed for the use of TPM modules. Its support is included in the Linux kernel starting with version 2.6, along with the possibility of housing SSH keys and establishing security policies for system start-up through Trusted GRUB and U-boot.

Google distributes its Chromebooks with a default pre-activated TPM, as indicated, due to security questions that have been analysed by MIT researchers.

TPM specifications are set down, as of 2009, in the ISO/IEC standard 11889. The most recent version (TPM v2.0) is from 2014 and incorporates numerous advances, such as the possibility to use multiple Root Keys, SHA-256 overviews and elliptic curve cryptography “ECC” algorithms. But the most significant advance is the possibility to implement the TPM module in firmware mode (fTPM), executed within a Trusted Execution Environment (TEE). It is provided at a hardware level in the most recent Intel, AMD and Qualcomm processors, and is omnipresent in ARM architecture where it is called TrustZone.

Microsoft Windows TPM management component
Thus, the hardware security characteristics provided by TEE make up the foundation of the cryptographic security that most modern smart phones are implementing, both in the biometric authentication process and it their use as a payment method. However Apple has its own development of similar characteristics known as "Secure Enclave", integrated into its new A7 processors.

Cryptography before IoT
When we browse the Internet of Things, we find tiny embedded systems that, with any luck, manage to execute reduced versions of Linux as an operating system because, in many cases, they only have an SoC (System On a Chip) type microcontroller.

Though every new SoC generation is stronger than the previous one, they are still far from having the characteristics needed to transfer over cryptographic solutions from traditional IT, such as keystore software or conventional TPM hardware. Small IoT devices require cryptographic solutions that are adapted to their own dimensions, as well as capacity, complexity, usage, cost, etc. Though this may seem it, it really isn’t that new. This need has been a reality for quite some time, as have the solutions. A worthy example would be how naturally we have accepted, for the past 25 years, cryptographic security in our mobile phones. We assume, simply because we have a SIM in our possession, that the operator can unequivocally authenticate us with no risk for error, interference or identity theft, and that our voice and data communication travels through the air meticulously encrypted without any possibility for third party interception.

This, a reality in our day-to-day lives, has been achieved by establishing a shared secret between the operator and ourselves, as simple as a 128-bit symmetric key known as "Ki", jealously guarded in the operator’s infrastructure and sturdily stored within our SIM, from where it will never leave.
In this case, the SIM acts as a cryptographic device, storing the symmetric key, performing the necessary cryptographic operations without ever abandoning the SIM, and implementing additional protective measures against both physical and logical attacks.

And so the various challenges of symmetric and asymmetric key management emerge, in devices that, in general, will be remote, autonomous or unattended. Special importance is given to the “personalisation” phase in device production or post-production, along with deployment techniques or mechanisms or enrolment in their respective service platforms.

Hardware cryptography for IoT
It is possible to find different cryptographic devices similar to the SIM, with both symmetric and asymmetric keys and in different discrete formats. The ATMEL cryptographic hardware family particularly stands out, due to both its ease of use and documentation as well as the accessibility to development kits and open source libraries.

These took on special relevance when Sparkfun joined several of them in a card as an accessory to the BeagleBone board, highly used by Josh Datko in his 2014 book BeagleBone for Secret Agents. That year, he gave a demonstration at the prestigious DEF CON 22 conference.

Similar gadgets began to appear shortly afterwards, particularly boards such as the Raspberry PI, due to its accessibility to the I2C bus and SPI through which these devices usually communicate. Lastly, it was Sparkfun who once again joined all these elements in a Crypto Shield for Arduino, which can be used in a conventional UNO.
In addition to a real-time clock (RTC), it incorporates four cryptographic elements:
  • A TPM Atmel AT97SC3204T, for encryption and RSA asymmetric signing. 
  • An Atmel ATAES132 authenticator, for authentication and AES symmetric encryption. 
  • An Atmel ATSHA204 authenticator, for MAC/HMAC SHA-256 authentication. 
  • An Atmel ATECC108 authenticator, for authentication and encryption via ECDSA Elliptic Curve algorithms.
The presence of a cryptographic hardware device based on hyperbolic curve algorithms, specifically on ECDSA Elliptic Curve ones, seems to indicate the road to go down.

Elliptic Curve Cryptography
Hyperbolic curves have been known about and studied for over a century. Though their application in cryptography initially had its detractors, today it is one of the most promising fields within modern asymmetric encryption techniques.

Though its theoretical complexity is relatively high, it presents certain advantages versus traditional algorithms based on factorisation, such as RSA. Its implementation is very efficient due to the same arithmetic of the elliptic curves and, above all, it manages to reach optimum security levels with significantly reduced key sizes. This property makes elliptic curve cryptography (“ECC”) the ideal candidate for implementation in devices with small capacity for calculation, such as those found in the IoT ecosystem.
These days, elliptic curve algorithms are, by and large, set out in the main international regulations and certifications.


In fact, the most popular cryptographic software, OpenSSL, supports ECDH and ECDSA elliptic curve algorithms for key exchange, encryption and digital signatures, from its v0.9.8 version and through a wide variety of curves. They can be consulted with command:

openssl ecparam -list_curves


As ECC algorithms are already fully compatible with the majority of servers and browser of the World Wide Web, reputed certification entities such as DigiCert, Entrust, GlobalSign and particularly Symantec, have root certificates signed with ECC algorithms, as well as full capacity for their issuance and distribution.
Yet the first large-scale use of elliptic curve cryptography can be found in the crypto-currency Bitcoin, which has been using ECDSA for transactions signatures since its appearance in 2009.



IoT Devices
The need to provide cryptographic capacities in the IoT world is leading manufacturers to include specific hardware in their general use devices destined for the makers’ ecosystem.

One of the first to do so was the Italian firm Axel Electtronica which, with its Smarteverything, managed to unite a large number of sensors and a SIGFOX (868 Mhz) wireless network module, in addition to a Crypto-Authenticator Atmel SHA204a
In the same vein, the official Arduino matrix has announced a new model that is specially conceived for IoT and known as MKR1000, which, among other characteristics such as a WIFI 802.11 b/g/n network module, will have an Elliptic Curve Crypto-Authenticator Atmel ECC508a.
Added to the natural tendency to facilitate wireless connection mechanisms is the trend for including cryptographic authentication elements. It will be some time yet before this practice is generally applied and until it becomes an essential requirement. While this takes place, it will be common to connect them discretely as independent modules.
This is possible via accessible communication standards that generally use an I2C or SPI bus, and the abundant documentation that the manufacturers publish. Practically any system or platform that has an I2C bus can easily incorporate cryptographic hardware; for example, all those based on the Arduino system shown in the following table:



In the following section we will elaborate on other interesting aspects regarding cryptography and IoT hardware and describing the libraries and hardware available practicing with cryptography in IoT.