2019-10-04-san19-411.md

youtube_video_url	amazon_s3_presentation_url	amazon_s3_video_url	categories	description	image	session_attendee_num	session_id	session_room	session_slot	session_speakers	session_track	tag	tags	title
https://www.youtube.com/watch?v=dD9yRX-p2BY	https://static.linaro.org/connect/san19/presentations/san19-411.pdf	https://static.linaro.org/connect/san19/videos/san19-411.mp4	san19	Till now all keys stored in OP-TEE secure storage are secured at rest by encrypting it with FEK.<br /> But when these keys are being used for operations these keys are kept in plain format in OP-TEE internal structures.<br /> <br /> This is because cryptographic operations in OP-TEE are currently done with software libraries(libtomcypt and mbedTLS), and cryptographic operations are nothing but mathematical operations, so software libraries need private keys in “plain format” for operations.<br /> <br /> Keeping these keys in plain format makes them vulnerable to following attacks with respect to confidentiality and integrity which is main objective of Trusted Execution Environment.<br /> - By exploiting any vulnerability in code such as buffer overrun or bugs like Heartbleed.<br /> - Using side channel attacks such as cold boot attack - in which an attacker with physical access to a computer performs a memory dump of a computers RAM by performing a hard reset of the target machine.<br /> <br /> Since nature of hardware-based cryptography ensures that the information stored in hardware is better protected from external attacks, so above issue can be fixed when these keys are backed by some hardware component. We need some mechanism in which the keys doesn’t exist in plain format in secure memory.<br /> <br /> Hardware component will export the private keys only in encrypted form to secure memory.<br /> During operations takes private keys in encrypted form and convert them into plain format internally and do operations with them.<br /> Even If attacker gets access to this key in secure memory somehow, will not be able to find out the actual key.	featured path true /assets/images/featured-images/san19/SAN19-411.png	45	SAN19-411	Sunset V (Session 1)	end_time start_time 2019-09-26 11:25:00 2019-09-26 11:00:00	speaker_bio speaker_company speaker_image speaker_location speaker_name speaker_position speaker_url speaker_username Having a total experience of 7 years in Embedded Programming.<br>Worked on various areas including PKCS#11, Arm TrustZone, OP-TEE, OpenSSL, Networking. NXP Semiconductors /assets/images/speakers/san19/sahil-malhotra.jpg Sahil Malhotra Lead Software Engineer sahil.malhotra	Security	session	Security IoT and Embedded IoT Fog/Gateway/Edge Computing	SAN19-411 - Runtime Secure Keys in OP-TEE