Summary of 2016 International Trusted Computing and Cloud Security Summit

1)      Welcome Remarks

2)      The advancement of Cloud Computing and Tursted Computing national standard

Speaker:  Xiangang Liu, Deputy Secretary of TC260, CESI

TC260 have released 3 standards: a) GB/T 29829-2013: Specification of functionalities and interfaces of trusted computing password support platform; b) GB/T 29827-2013 Interface of motherboard of trusted platform; 3) GB/T 29828-2013: Trusted Connected architecture and is creating one standard: Test specification of trusted connectivity

3)      Trusted Computing Group vision and Strategy

Speaker: Mark Schiller, Executive Director of TCG

4)      SMx support in ISO/IEC 11889 TPM2.0

Speaker: Liu Xin, Director, NationZ Technologies

TPM2.0 supports SMx (cryption algorithm created by China): SM4, SM2 and SM3

5)      China Trusted Cloud Computing Community

Speaker: Prof. Zhang HuanGuo, WuHan university

He mentioned security issues specific to Cloud computing: 1) Basically these issues are caused by Resource sharing: almost unlimited resource, but user don’t know whether these resources are trusted; almost existing-in-everywhere services but users don’t know whether it is trusted; almost unlimited storage space, but users don’t feel the existence of their data and don’t know whether their data is secure and furthermore, they cannot control their data as per their will. 2) User worries about the following items: security(system crash, malware/virus, data loss, data tampered), privacy leaking, not able to sense their own data, not able to control their data, lack of insurance of incidents.

In 2012, China Sig TC is founded to address the above issues. The founders are WuHan university, Intel, NationZ, Huawei, CS2C, Daoli Cloud, BaiAo. The roadmap is “Trusted Cloud server -> Trusted Cloud Terminal -> Trusted Network connectivity -> Typical Trusted application”.

He mentioned that in 2013, HuaWei released a trusted server, which support trusted boot, TXT to measure, support TPM2.0/TCM, support China business password, support trusted boot/running/migration of virtual machines.

6)      Securing IoT with Trusted Computing (including Demo)

Speaker: Stefan Thom, Principal Engineer, Windows Division, Microsoft

There are a lot of improvements of security and trust in windows 10, comparing with win7, which can also be leveraged in IoT.

There are some security issues specific to IoT: a) Deployed on unsecure location; b) requires long-period security; c) Too many sensors/clients to be managed one by one; d) remote management; e)  intermittent connectivity; f) requires firmware/embedded os upgrade to keep secure; g) store confidential data.

Give a demo using Raspberry motherboard with NationZ’s TPM2.0 chipset connected through I2C, use TPM to protect symmetric key of Azure Central devices ‘s identity. It demonstrates that it can create and protect the identity of devices and that keep confidential data even if malware intruded in.

There are a lot of use cases which TPM can work: a) create and protect hardware identity; b) defends malwares intruding including protecting confidential data after malware intrudes in; c) prevent hardwares from being tampered; d) meet the requirements of encryption protocols

7)      Trusted IoT

Speaker: Intel China

It basically introduces how TCG standards are used in IoT (It is nothing special, so I don’t mentioned here)

8)      Thinking about Beijing municipal government cloud

9)      Secure “Industry 4.0” with TPM

Speaker: Amy Yu, marketing manager for Platform Security, Infineon

There are 3 basic layers in industry 4.0 architecture: Server, devices, network. Each layers can be attacked. So Trusted anchors/key integrity are essential for system security, which includes 3 aspects: key store, Crypto operation, key management.

There are 6 basic security use cases:

a) authentication to address who am I talking to;

b) Secured Communication to address the question that whether software or data can be secured during transferring;

c) Confidentiality with secured storage to address the question that whether my data or credential can be accessed by an attacker;

d) System&Data integrity: to address the question that whether my system and data is not manipulated and whether a 3^rd party can verify that information;

e) Value chain support(dedicated functionalities for manufacturerers, platform owners, OS providers and more): to address the question whether security can be transported through the lifecycle and whether each owner can take ownership

f) Software/firmware upgrade: to address the question whether the software/firmware be secured during transfer

So a basic secure industry 4.0 by TPM contains TPM-enabled server, TPM enabled Gateway and TPM enabled Control equipment(main MCU).

10)    Trusted Computing based Next Generation Secure Cloud Framework

Speaker: Chi Zheng, Deputy General Manager of Trusted computing section, DaTao GoHigh

CTrust Servers are invented by DaTao GoHigh(at least they claimed) and actively-immune architecture based on x86 and supports TCM and ISO/IEC11889-2015(TPM2.0). It is embedded with domestic-produced trusted module which is certified by National Encryption  Bureau and use TCM and TPCM to implement the functionality of security from CPU power-on point.

They also introduce a system which can show the turst status and asset/geography tagging, which is very similar with Intel OAT/CIT.

11)   SOTP-mobile trusted cloud security support technology

Speaker: Qiang Zhou, CSO of Peoplenet

It is about Single-one-tome password.

12)   Innovation Strategy for Cross Platform Trusted Computing Solutions

Speaker:  Dr. Gongyuan Zhuang, Security Architect, AMD Corp.

There is a new Security processor, which should exists in the same AMD SoC with AMD64/ARMv8.  It is 32-bit microprocessor and it use separated ROM/SRAM in SoC, and be able to access main system’s memory and resources.

There are 3 TPM solutions: 1) Separated TPM: Use 3^rd-party vendor’s TPM chips; 2) Solid-state software TPM; 3) Software TPM.

13)    Inspur Trusted Computing Technology Research and Applications

Speaker: Gang Liu, manager of Software security Division, Inspur Electronics Industry Ltd.

3 measurements to build trusted relationship: a) reliable technology system(computing security/network security, …), b) proper management system(certification, audit, governance, …), c) healthy law insurance. Then the speaker introduces Inspurs’ InCloud manager and there is Trusted Management Platform in InCloud Manager which can shows the trusted status in hosts and virtual machines.

There are 3 main features for Trusted Management Platform:

a)       It can detects any tamper of server hardwares and vritual machine softwares during boot up;

b)       ensure that critical virtual machines are launched on trusted hosts.

c)       security-label-based access control: the label is based on grade, scope and location

Inspurs also has an innovation on actively measuring trusted status based on BMC.

14)   A new Model for Enterprise Cloud Security

Qiang Du, Directory of network Security Technology Research

The basic idea is Software-Defined Security and it collects all network flow information and uses Enforce Learning to get a model for normal network flow and then will give alert if any innormal network flow occurs.

15)   Trusted Computing Application in Telecommunication Devices

Rui Zhang, Director of Security technology Research, HuaWei Group

TPM chip as hardware trusted root is the base of software integrity measurement.

How to ensure that VSS software stack security: introduce grsecurity, TDCLI, TCSI(TSS Core Service Interface) aTSPI.

How to Resovle integrity measurement of 7*24 running devices? Periodically measure.

In NFV area, the current TPM doesn’t support virtualization and hence we have to depend on vTPM  and the security of vTPM depends on the security of virtualization.

He also mentioned how to deal with virtual machine escape.

16)   TPM 2.0 Application in CS2C NeoKylin Trusted Operating System

Weijian Zhu, Director of Security Business, ZHong Biao Ruan Jian

NeoKylin OS introduction:  a) system security grade meets GB/T20272-2006 the fourth grade; b) integrity TPM2.0 and TSS2 software stack; c) support TXT/tboot to trusted boot and configuration tools; d) trusted running control; e) trusted white-list management.