DE102018009365A1 - Secure element as an upgradable Trusted Platform Module - Google Patents

Abstract

The present invention is directed to a method for securely operating a terminal with updatable security software, which enables hardware structures to be provided which, on the one hand, enable data to be processed reliably and, on the other hand, are also updatable. As a result, the corresponding security software can be adapted to current threats. The present invention is also directed to a correspondingly set up secure element for use in the method and to a system arrangement which is set up to carry out the proposed method. In addition, a computer program product is proposed with control commands that execute the method or operate the proposed system arrangement.

Description

The present invention is directed to a method for securely operating a terminal with updatable security software, which enables hardware structures to be provided which, on the one hand, enable data to be processed reliably and, on the other hand, are also updatable. As a result, the corresponding security software can be adapted to current threats. The present invention is also directed to a correspondingly set up secure element for use in the method and to a system arrangement which is set up to carry out the proposed method. In addition, a computer program product is proposed with control commands that execute the method or operate the proposed system arrangement.

WO 2018/103 883 A1 shows a storage arrangement for secure authentication comprising a mass data storage and a security element.

DE 10 2014 002 603 A1 shows a method and system for remotely managing a data item stored on a security element.

US 2016/0 275 461 A1 shows a computer-implemented method for checking integrity using a block chain. Aspects related to the so-called Trusted Platform Module are discussed.

Various possibilities are known from the prior art for securing data communication and data processing, hardware structures also being used, for example. Corresponding hardware components can be present, for example, as a secure element SE and can be set up in terms of hardware or software in such a way that data is particularly protected against unauthorized access. While a secure element, also known as a secure element, is known from the prior art, this element is only used in application scenarios provided specifically for this purpose. It is typical that a secure element is used in a chip card or in a mobile phone.

In addition, hardware components or hardware environments are known which are set up in such a way that safety-critical functions can be carried out. This includes the so-called Trusted Platform Module, which is a hardware module that restricts or monitors the functionality of a computing unit. For example, it is possible that software can only be executed on a certain dedicated computer. This is intended to prevent the execution of malware. A disadvantage here, however, is that the control commands held are hard-coded in such a way that they cannot be overwritten. Consequently, the control commands themselves are safeguarded and protected against manipulation, and the desired updating of such control commands must also be negatively avoided.

In addition, the so-called Internet of Things is known, which is also referred to as the Internet of Things IoT. This is a communicative coupling of everyday objects, which then collaboratively exchange data. This makes it possible for conventional terminals to be provided with logic and thus to be remotely accessible via a data line.

The prior art also shows a so-called Basic Input / Output System BIOS. These are control commands that are used at the hardware level and mediate between the physical hardware components and higher application levels. For example, the hardware structure of the computing unit is initialized when a computing unit is started, also referred to as the boot process.

In the IT world, TPM (Trusted Platform Modules) are used as hardware security anchors, e.g. used for the secure storage of keys. Version 2.0, which is not backwards compatible, is current. Recently TPM chips have also been used in industry and mechanical engineering. There, too, TPM is to be used as a security anchor specifically for IoT and Industry 4.0 applications. However, the lifespan of a TPM follows the IT product lifecycle of three years. Cryptography technologies are also considered outdated and insecure after three years. In the industrial environment, however, much longer life cycles are necessary. Unfortunately, a TPM is static, i.e. not updateable. That goes up to the pin incompatibility of the chip generations. The TPM security level is therefore static and not very forward-looking.

In order to be able to secure security-related information such as keys, certificates and intellectual property in IT security devices (such as firewalls) or in machines, this information should not be stored in the file system, but in separate IT hardware anchors. These IT hardware anchors should be updateable, i.e. upgradeable, since crypto technology is faster-lived than the lifecycle of IT hardware anchors in IT security devices or even machines. All three The cryptographic algorithms should be exchanged for years, or longer keys should be used. With a TPM chip, this can only be done by replacing the chip itself.

In production systems that are designed for maximum production throughput and high availability over a very long life cycle, "Security by Design" is extremely difficult or almost impossible due to the lack of updates, discontinuations and the very fast-moving IT security world. This contradicts the approach that applies in the IT environment. E.g. a patch of security vulnerabilities is to be issued no later than 20 days after becoming known.

I.e. Today's IT security concepts and products such as a TPM are unusable for such industrial applications and the associated very long life cycle. Standard hardware products last a maximum of three years. A TPM that was specified in 2014 and will be available in 2016 is already considered unsafe from 2017 (BSI). The standard is to replace the cryptographic procedures every three years.

So far, smart cards have not been used in an industrial environment or as a TPM replacement. The reasons are, on the one hand, contacting via card reader or USB, or, in the case of TPM, because old BIOS or newer EFI / UEFI cannot yet address the smart card, or simply no focus has been placed on the industrial / machine or PC market. A TPM has a static security level by design, and the versions are not backwards compatible and cannot be updated.

According to the invention, the secure element in chip form should act as a TPM with the appropriate applet and, among other things, via EFI / UEFI. be used for secure boot. At the same time, the system identity and the “secret” to system integrity and communication can be stored in the secure element. Contrary to the TPM, the SE can be managed centrally and, if necessary, supplied with updates to applets, cryptography and OS levels.

In summary, it can be concluded that the prior art proposes secure hardware structures, which, however, cannot be updated, since they are written into a permanent memory or else provide updatable control commands which can then be manipulated.

Accordingly, it is an object of the present invention to propose a method for safely operating a terminal with updatable security software. In general, existing end devices should be able to be adapted and the control commands used should be updateable if necessary and still be protected by hardware. Furthermore, it is an object of the present invention to propose a correspondingly set up secure element and a system arrangement which is designed analogously to the proposed method. Furthermore, it is an object of the present invention to propose a computer program product with control commands which execute the method or operate the proposed system arrangement.

The object is achieved with the features of the independent claims. Further advantageous refinements are specified in the subclaims.

Accordingly, a method for securely operating a terminal with updatable security software is proposed, comprising providing control commands that implement a trusted platform module functionality, storing the provided control commands on a secure element, communicatively coupling the secure element with the securely operated terminal , execution of at least part of the control commands and adaptation of the control commands on the secure element by the terminal.

The person skilled in the art recognizes that the individual method steps can be carried out iteratively and / or in a different order. In addition, the individual process steps partially include sub-steps. Control commands can thus be provided iteratively and after a control command has been provided, it can be stored. Further control commands can then be made available and also stored. The adjustment of the control commands can also be carried out repeatedly.

The proposed method enables a terminal to be operated safely since the functionality of the so-called Trusted Platform Module TPM is provided. This is a functionality that is used for the safe processing of control commands. For example, cryptographic functions are provided that secure data communication and data processing. Overall, the so-called Trusted Platform Module TPM extends conventional end devices with a security function. The security function can relate, among other things, to which software can and cannot be executed on the corresponding end device. In addition, communication with hardware components can be restricted. In addition, various software-related precautions have been taken, which secure the confidentiality of data by means of encryption. In addition is provided that the data to be processed cannot be manipulated. This relates in particular to cryptographic keys, which are used to encrypt and decrypt data communication. These are specially secured so that they can neither be read out nor manipulated.

The underlying security software can be updated because it is stored on the secure element, which has a persistent memory that can be rewritten. The security software is the control commands that implement a Trusted Platform Module functionality. As a result, a physical trusted platform module is not provided, as is shown in the prior art, but rather only the control commands which emulate a so-called trusted platform module are used. Consequently, the functionality of this module is provided without the hardware structure of the Trusted Platform Module having to be used. Protection is ensured by the fact that the control commands are managed by the secure element and, if necessary, executed.

For this purpose, the secure element can provide specially secured hardware or software measures. So it is possible that separate memories are implemented, so that access to sensitive data is not possible. In addition, the secure element can be secured, particularly in terms of software, by means of cryptographic methods. The secure element thus represents an extension to the end device, which is particularly secured. In this way, the end device can outsource particularly sensitive data to the secure element. The secure element, on the other hand, can hold the control commands and execute them or transmit them to the terminal for execution.

Control commands which implement a trusted platform module functionality can be provided in such a way that an existing module is read out and the control commands are then stored on the secure element. In addition, the control commands can be provided by means of an interface, for which purpose, for example, a manufacturer provides corresponding implementations. The control commands implement the functionality and hold source code, for example. It is also possible that the control commands are already compiled. For this purpose, it is advantageous to provide a so-called image, which is then persistently stored on the secure element.

To store the control commands provided, the secure element has a separate memory, which is consequently separated from the memory of the terminal. A security functionality is thus implemented and, in addition, at least some of the control commands provided can be cryptographically secured. It is therefore advantageous to encrypt the control commands together with other parameters. Such parameters can be keys or other confidential information.

The communicative coupling of the secure element with the securely operated terminal can be done via a conventional interface. It is possible here for the secure element to be removably connected to the operable terminal or for the secure element to be formed in one piece with the terminal to be operated. The communicative coupling can also be a logical measure, such that an interface is operated and the secure element identifies itself to the terminal. Consequently, communicative coupling is the establishment of a communication line between the secure element and the terminal in such a way that control commands can be exchanged. The terminal is preferably a computing unit such as a server or a conventional personal computer. This terminal can provide an interface with which the secure element is connected to the terminal. A plug connection is given here only by way of example, so that the secure element can be plugged into a connection of the terminal.

Then at least some of the control commands are executed. This can be done in such a way that the control commands are carried out by the secure element per se or else that the terminal loads the control commands and then executes them. It is also possible that some of the control commands are carried out by the secure element and another part by the terminal. For this purpose, the secure element can have a processing unit ready, which reads out the control commands from the data memory and then executes them. If the control commands are executed by the terminal, this implies that the control commands are transmitted from the secure element to the terminal via the interface. However, there is the possibility that the control commands are manipulated on the terminal, and it may therefore be advantageous to leave the control commands on the secure terminal and to execute them there. It is thus possible for the terminal to be started in such a way that the control commands on the secure terminal initialize the hardware of the terminal or for an operating system to be started and possibly loaded using the control commands.

It is particularly advantageous that, according to the invention, the control commands are adapted to what done by the secure device. The control commands can thus be downloaded from the terminal and then provided to the secure element. Since the secure element has a writable memory, the control commands can then be loaded into the secure element. For this purpose, it is advantageous to secure the control commands or the acquisition of the control commands in terms of software and hardware. For example, the same method steps can be carried out to adapt the control commands as are carried out when providing control commands. The adaptation of the control commands can thus branch out again the provision of control commands and updated control commands can be stored on the safe element. In general, the adaptation of the control commands is an update of the control commands, which relates to all control commands or at least a part thereof. In this way, new application scenarios can be taken into account and the control commands can prevent new attacks.

According to one aspect of the present invention, the trusted platform module functionality is provided in accordance with the specifications of the trusted computing group. This has the advantage that clearly specified control commands can be used that provide safety functionality. Existing control commands can thus be reused and an already tested system can advantageously be used in a new context. Corresponding specifications can u. a. on the Trusted Computing Group website at www.trustedcomputinggroup.org.

According to a further aspect of the present invention, the Trusted Platform Module functionality is provided in accordance with the specification “TPM Main Specification Level 2 Version 1.2, Revision 116”. This has the advantage that the Trusted Platform Module functionality is clearly defined for the specialist and extensive specifications are available. In general, it is possible to design the Trusted Platform Module functionality in accordance with a further specification of the Trusted Computing Group, only one specification being mentioned here as an example.

According to a further aspect of the present invention, at least some of the control commands are carried out by the terminal and / or by the secure element. This has the advantage that the control commands can be executed both in a secure environment and by the terminal device itself. It may therefore be necessary for individual commands relating to hardware initialization to be executed on the terminal device itself. Consequently, it is possible that a first part is carried out on the terminal, a second part is carried out on the secure element, or that both parts are carried out entirely on the secure element or on the terminal.

According to a further aspect of the present invention, the communicative coupling takes place by means of a contact-based interface, such as e.g. Serial Peripheral Interface SPI, Universal Serial Bus USB, I2C, GPIO, ISO interface, etc. or a contactless interface, e.g. NFC, BLE, SWP, etc. This has the advantage that standardized interfaces can be reused, and thus the secure element can also be provided separately. The communicative coupling is then carried out in such a way that the secure element is connected to the terminal by means of the standardized interface.

According to a further aspect of the present invention, the interfaces are used in parallel or pseudo-parallel and possibly simultaneously or in pseudo-simultaneous fashion. This has the advantage of accelerated data transmission.

According to a further aspect of the present invention, at least some of the control commands are loaded onto the terminal. This has the advantage that the terminal can select individual control commands and can save them for further processing or execution. According to the invention, it is also possible for individual parameters to be loaded onto the terminal. These can be keys that are used in cryptographic processes.

According to a further aspect of the present invention, adapting the control commands includes updating, overwriting, supplementing, deleting and / or changing the control commands. This has the advantage that any writing operations can be carried out on the control commands, and it is therefore also possible at any time to adapt the control commands to current application scenarios. Consequently, the advantage over the prior art is provided that the control commands are not stored hard-coded in a memory, but rather the life cycle of products is extended. This is the case because if a security gap arises, the hardware does not have to be replaced, but rather the control commands can be adapted in an advantageous manner.

According to a further aspect of the present invention, a driver, middleware and / or another software component is provided for executing at least some of the control commands. This has the advantage that everyone Levels of the terminal are addressed. For example, it is possible to execute the control commands close to the hardware or to provide a software component at the application level. Based on the proposed middleware, the existing hardware is also abstracted and compatibility is thus also guaranteed.

According to a further aspect of the present invention, the communicative coupling comprises providing an interface, a Unified Extensible Firmware Interface UEFI, an Extensible Firmware Interface EFI and / or a switching component. This has the advantage that existing interfaces are reused, and this ensures that the secure element can communicate with the terminal and can exchange control commands. In addition, the control commands must also be triggered if they are executed on the safe element. This is done by the terminal, which uses an appropriate interface.

In accordance with another aspect of the present invention, the secure element performs cryptographic functions. This has the advantage that not only can the control commands be secured, but rather communication with the terminal can also be secured. The proposed method is therefore particularly secure against manipulation and data is also treated confidentially.

According to a further aspect of the present invention, the execution of at least some of the control commands comprises starting the terminal. This has the advantage that a boot method can also be carried out using the proposed method. It is thus possible according to the invention that the terminal can be started on the basis of the control commands provided, and the underlying hardware components can be initialized. Thus, it is a matter of booting a terminal, which is particularly advantageously secured according to the invention.

The object is also achieved by a secure element for use in the proposed method. This has the advantage that the secure element stores the control commands that implement a trusted platform module functionality. According to the prior art, there is no secure element to be provided for this, but it is proposed there that the trusted platform module represents an independent hardware component. It is disadvantageous in the prior art that the so-called trusted platform module is provided as read-only memory, which is prevented according to the invention in that the secure element has a rewritable data memory.

According to a further aspect of the present invention, the secure element is present as a Universal Integrated Circuit Card UICC or an embedded Universal Integrated Circuit Card eUICC or an embedded Secure Element eSE. This has the advantage that existing secure elements, so-called secure elements, can advantageously be reused in a new context. Corresponding components already offer sufficient protection, but can still be rewritten. This offers an advantage over the well-known Trusted Platform Module.

The object is also achieved by a system arrangement for the safe operation of a terminal with updatable security software, comprising an interface unit set up to provide control commands that implement a trusted platform module functionality, a storage unit set up to store the control commands provided on a secure element, and a coupling unit for communicatively coupling the secure element to the terminal to be operated securely, an execution unit configured to execute at least some of the control commands, and an update unit configured to adapt the control commands on the secure element by the terminal.

The person skilled in the art recognizes here that individual units can be provided as a structural unit which provides logically different functionality. In addition, some of the units can be implemented as interfaces, which can be implemented as separate interfaces or as a single interface. For example, the proposed system arrangement can include the secure element and the terminal. In addition, network technology components may have to be provided to ensure communication between the secure element and the end device.

The task is also solved by a computer program product, e.g. software, middleware, an application, etc., with control commands which implement the method or operate the proposed system arrangement.

According to the invention, it is particularly advantageous that the method maintains method steps which can be functionally simulated by structural features of the system arrangement. The system arrangement is also suitable for carrying out the proposed method. Method steps are thus proposed which can be structurally simulated by the system arrangement and the structural features of the System arrangements can be implemented functionally using method steps.

• 1: ein schematisches Ablaufdiagramm eines Verfahrens zum sicheren Betreiben eines Endgeräts mit aktualisierbarer Sicherheitssoftware gemäß einem Aspekt der vorliegenden Erfindung.

Further advantageous embodiments are explained in more detail with reference to the attached figure. It shows:

• 1 a schematic flow diagram of a method for the safe operation of a terminal with updatable security software according to an aspect of the present invention.

1 shows the proposed method for the safe operation of a terminal with updatable security software, comprising a provision 100 of control commands which implement a Trusted Platform Module functionality 101 of the 100 control commands provided on a secure element, a communicative coupling 102 the secure element with the terminal to be operated safely, executing 103 at least part of the control commands, and adapting 104 the control commands on the safe element by the terminal.

A smart card in chip design (e.g. Sm @ rtCafe Expert, SkySIM "Hercules", these are registered trademarks) can be inventively used via a standard interface (e.g. SPI, USB, ISO, I2C, GPIO etc.), If necessary, contactless interfaces (e.g. NFC, BLE, SWI, SWP etc.) can also be connected to the system. An applet is loaded, which takes over the TPM function. With the appropriate “driver” in the EFI / UEFI BIOS, the system can interact with the smart card. At the operating system level, drivers and middleware can access and interact with the other functions that are loaded as applets. This also includes the update function. All smart cards, their content and security can be managed centrally via a management platform, similar to subscription management.

For mechanical engineering (Industrial IoT, Industry 4.0) and PCs in a security-critical environment, it is imperative to keep the security level very high, and also to manage it. The long lifecycle in the industrial environment prohibits fast-moving IT standard technology like a TPM. A smart card in chip design (e.g. Sm @ rtCafe Expert, SkySIM "Herkules" ", these are registered trademarks) can be updated, can perform various functions via applets, and has a standard interface (SPI, USB, ISO ) and is available for a long time. In addition to the large number of loadable functions (applets) and the ability to update, the greatest advantage is the central manageability of such a smart card solution. In this way, "Security by Design" can also be implemented in mechanical engineering for Industrial IoT and Industry 4.0 use cases.

QUOTES INCLUDE IN THE DESCRIPTION

This list of documents listed by the applicant has been generated automatically and is only included for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Patent literature cited

• WO 2018/103883 A1 [0002]
• DE 102014002603 A1 [0003]
• US 2016/0275461 A1 [0004]

Claims (15)

A method for the safe operation of a terminal with updatable security software, comprising: - Providing (100) control commands that implement a Trusted Platform Module functionality; - storing (101) the provided (100) control commands on a secure element; - Communicative coupling (102) of the secure element with the terminal to be operated safely; - executing (103) at least part of the control commands; and - Adaptation (104) of the control commands on the safe element by the terminal. Procedure according to Claim 1 , characterized in that the Trusted Platform Module functionality is provided in accordance with the specifications of the Trusted Computing Group. Procedure according to Claim 1 or 2nd , characterized in that the Trusted Platform Module functionality is provided in accordance with the specification "TPM Main Specification Level 2 Version 1.2, Revision 116". Method according to one of the preceding claims, characterized in that the execution (103) of at least part of the control command is carried out by the terminal and / or the secure element. Method according to one of the preceding claims, characterized in that the communicative coupling (102) takes place by means of a serial peripheral interface SPI, universal serial bus USB or an ISO interface. Method according to one of the preceding claims, characterized in that at least some of the control commands are loaded onto the terminal. Method according to one of the preceding claims, characterized in that the adaptation (104) of the control commands comprises updating, overwriting, supplementing, deleting and / or changing the control commands. Method according to one of the preceding claims, characterized in that a driver, middleware and / or a further software component is provided for executing (103) at least some of the control commands. Method according to one of the preceding claims, characterized in that the communicative coupling (102) comprises providing an interface, a unified extensible firmware interface, an extensible firmware interface and / or a switching component. Method according to one of the preceding claims, characterized in that the secure element carries out cryptographic functions. Method according to one of the preceding claims, characterized in that executing (103) at least part of the control commands comprises starting the terminal. Safe element for use in the method according to any one of the preceding claims. Safe element after Claim 12 , characterized in that the secure element is present as a Universal Integrated Circuit Card UICC or an embedded Universal Integrated Circuit Card eUICC. System arrangement for the safe operation of a terminal with updatable security software, comprising: - An interface unit set up to provide (100) control commands that implement a trusted platform module functionality; - A storage unit configured to store (101) the provided (100) control commands on a secure element; - A coupling unit set up for communicative coupling (102) of the secure element with the terminal to be operated safely; - An execution unit set up for executing (103) at least part of the control commands; and - An update unit set up to adapt (104) the control commands on the secure element by the terminal. Computer program product with control commands which implement the method according to one of the Claims 1 to 11 execute when executed on a computer.

Images