Secure enclaves are becoming a popular way to separate and protect sensitive code and data from other processes running on a system. A FIPS 140-2 validated cryptographic software module is currently required to run power-on self tests when loaded, but security of the module can be taken one step further by validating the module inside a secure enclave, such as Intel SGX.
wolfSSL has been working on FIPS 140-2 validating the wolfCrypt library running inside an Intel SGX enclave. This session will discuss the advantages, challenges, and process of FIPS 140-2 validating a cryptographic software module inside Intel SGX and how the same process could be applied to other secure enclave environments.
This document summarizes a talk given by Chris Conlon from wolfSSL on September 15, 2017 in Tokyo, Japan about TLS 1.3. It provides background on Chris Conlon and his role at wolfSSL, an overview of wolfSSL's products and services including their lightweight SSL/TLS library. It also discusses the history and components of the SSL/TLS protocol, common vulnerabilities, and the goals of the new TLS 1.3 specification.
This presentation covers the current status of TLS 1.3 in the wolfSSL embedded TLS library (as of the time it was presented). It talks about the Draft status of TLS 1.3, middlebox compatibility, extensions, RSA-PSS negotiation and the specification's progress in the TLSWG (TLS Working Group).
www.wolfssl.com
www.wolfssl.com/tls13
Introduction to the design principles behind SSL. This was a relatively basic talk since the audience was a networking class with no previous security experience. Talk given to Cal Poly networking class on November 29, 2007.
This document outlines an agenda for a webinar on IPsec on Mikrotik presented by GLC Networks. The agenda includes an introduction, reviewing basic networking and security concepts, discussing IPsec standards and how IPsec works on Mikrotik routers. It provides background on the presenter and invites attendees to introduce themselves. The document guides attendees on prerequisites and prepares them for a live demonstration and question/answer portion.
SSL is a secure protocol that runs above TCP/IP and allows users to encrypt data and authenticate server and client identities securely. It uses public key encryption to generate a shared secret and establish an encrypted connection. The SSL handshake process verifies the server's identity and allows the client and server to agree on encryption algorithms before exchanging data. This helps prevent man-in-the-middle attacks by authenticating servers and encrypting the connection.
This document provides an overview of Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It discusses the evolution of SSL/TLS, the SSL/TLS handshake process, common attacks like man-in-the-middle attacks using tools like SSLStrip, recent attacks on SSL/TLS like BEAST and CRIME, and security guidelines for configuring SSL/TLS on servers.
This document discusses IPSec and SSL/TLS as approaches to securing network communications at different layers of the protocol stack. It provides an overview of how IPSec operates at the network/IP layer using techniques like AH and ESP to provide authentication and encryption of IP packets. It also summarizes how SSL/TLS works at the transport layer to establish a secure connection and protect communications between applications using ciphersuites, handshaking, and record layer encryption. The document outlines some strengths and weaknesses of each approach.
Nate Lawson presents an overview of the TLS/SSL protocol design. He discusses the security goals of privacy, integrity, and authentication. He explains how these goals are achieved using cryptography primitives like symmetric encryption, public key encryption, certificates, message authentication codes, and secure PRNGs. He walks through the TLS handshake protocol in detail and discusses various attacks against SSL/TLS like side channel attacks, similarly-named certificate attacks, and data injection via renegotiation attacks.
This document summarizes a talk given by Chris Conlon from wolfSSL on September 15, 2017 in Tokyo, Japan about TLS 1.3. It provides background on Chris Conlon and his role at wolfSSL, an overview of wolfSSL's products and services including their lightweight SSL/TLS library. It also discusses the history and components of the SSL/TLS protocol, common vulnerabilities, and the goals of the new TLS 1.3 specification.
This presentation covers the current status of TLS 1.3 in the wolfSSL embedded TLS library (as of the time it was presented). It talks about the Draft status of TLS 1.3, middlebox compatibility, extensions, RSA-PSS negotiation and the specification's progress in the TLSWG (TLS Working Group).
www.wolfssl.com
www.wolfssl.com/tls13
Introduction to the design principles behind SSL. This was a relatively basic talk since the audience was a networking class with no previous security experience. Talk given to Cal Poly networking class on November 29, 2007.
This document outlines an agenda for a webinar on IPsec on Mikrotik presented by GLC Networks. The agenda includes an introduction, reviewing basic networking and security concepts, discussing IPsec standards and how IPsec works on Mikrotik routers. It provides background on the presenter and invites attendees to introduce themselves. The document guides attendees on prerequisites and prepares them for a live demonstration and question/answer portion.
SSL is a secure protocol that runs above TCP/IP and allows users to encrypt data and authenticate server and client identities securely. It uses public key encryption to generate a shared secret and establish an encrypted connection. The SSL handshake process verifies the server's identity and allows the client and server to agree on encryption algorithms before exchanging data. This helps prevent man-in-the-middle attacks by authenticating servers and encrypting the connection.
This document provides an overview of Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It discusses the evolution of SSL/TLS, the SSL/TLS handshake process, common attacks like man-in-the-middle attacks using tools like SSLStrip, recent attacks on SSL/TLS like BEAST and CRIME, and security guidelines for configuring SSL/TLS on servers.
This document discusses IPSec and SSL/TLS as approaches to securing network communications at different layers of the protocol stack. It provides an overview of how IPSec operates at the network/IP layer using techniques like AH and ESP to provide authentication and encryption of IP packets. It also summarizes how SSL/TLS works at the transport layer to establish a secure connection and protect communications between applications using ciphersuites, handshaking, and record layer encryption. The document outlines some strengths and weaknesses of each approach.
Nate Lawson presents an overview of the TLS/SSL protocol design. He discusses the security goals of privacy, integrity, and authentication. He explains how these goals are achieved using cryptography primitives like symmetric encryption, public key encryption, certificates, message authentication codes, and secure PRNGs. He walks through the TLS handshake protocol in detail and discusses various attacks against SSL/TLS like side channel attacks, similarly-named certificate attacks, and data injection via renegotiation attacks.
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. This presentation is made as an assignment during our university course.
This document summarizes the design and implementation of proxy2, an HTTP proxy library written in Python. Proxy2 aims to be a simple yet fully customizable proxy. It uses standard Python modules and implements request, response, and save handlers that can be overridden by users to modify requests, responses, or perform long tasks. The document covers challenges like HTTP persistent connections, content encoding, and hop-by-hop headers that proxy2 addresses. It also explains how proxy2 supports HTTPS relay and interception using SSL/TLS.
The document discusses SSL/TLS (Secure Sockets Layer/Transport Layer Security), which are cryptographic protocols that provide secure communication over the internet. It covers SSL/TLS concepts like handshaking, encryption, authentication. It also describes JSSE (Java Secure Socket Extension), the Java implementation of SSL/TLS, including its architecture, classes and configuration. The document provides references for further reading on SSL/TLS and JSSE.
St Louis Linux Users Group Wireguard (for Fun and Networking)Andrew Denner
This document discusses different VPN protocols and presents Wireguard as a new option. It provides an overview of older protocols like PPTP and OpenVPN, noting their security weaknesses. The document then introduces Wireguard as very fast with low overhead, using standardized encryption algorithms and having no known major vulnerabilities. It demonstrates how to install and set up Wireguard on different platforms like the Raspberry Pi, Ubuntu, MacOS, and Android to securely connect networks.
Slides of the Webinar "SSL, impact and optimisation"
INTRODUCTION
What is SSL?
The purpose of SSL
History of SSL / TLS
Overview of a TLS connection
PART 1
What is the role of an SSL certificate?
Levels of validation
Options for certificates: SAN and Wildcard
The certificate ordering process
Certificate chain
SSL algorithms: encryption & authentication
Examples
PART 2
TLS and IPV4 exhaustion
HAProxy and SNI
TLS impacts
SSL offloading
SEO
Security of the SSL protocol
This document discusses web security and Secure Sockets Layer (SSL) / Transport Layer Security (TLS). It defines key web security terminology like hackers, viruses, worms, and Trojans. It then explains what SSL/TLS is, how it provides security for web communications through encryption, message authentication codes, and authentication. The document outlines the SSL/TLS architecture, components, sessions and connections. It also discusses how SSL/TLS has been widely implemented in applications like HTTPS to secure internet traffic.
Transport Layer Security - Mrinal WadhwaMrinal Wadhwa
The document summarizes the evolution of the Transport Layer Security (TLS) protocol from versions 1.0 to 1.2. It describes the key components of TLS including the record protocol for fragmenting and transmitting encrypted data, handshake protocol for authentication and key exchange, and cipher suites for encryption algorithms. The TLS protocol provides secure communication over the internet by preventing eavesdropping, tampering, and forgery of messages between client and server applications.
SSH is a protocol for secure remote access and file transfer that replaces insecure protocols like telnet. It uses encryption and authentication to securely transmit data, remote shell access, port forwarding, and file transfers between a client and server. Reasons to use SSH include enabling secure communication channels, arbitrary port redirection, optional compression, and protecting against spoofing and routing attacks.
Ведущий: Терренс Гаро
В докладе рассказывается о том, как создать ханипот (ловушку) и организовать сервис с обновляемыми данными о попавшихся DDoS-ботах с помощью Kibana, Elasticsearch, Logstash и AMQP. Докладчик откроет исходный код системы мониторинга и сбора внешней статистики DDoS-атак, над которой он работал со своей командой последние два года.
All you need to know about transport layer securityMaarten Smeets
Many people think that using HTTPS to offer your site or service to clients makes you secure from eavesdroppers and people trying to manipulate your network traffic. Think again! In this presentation I'll dive into transport layer security. I'll elaborate on what you can achieve with SSL such as authentication, encryption and integrity and how you can achieve it. I'll talk about the client-server handshake, identity and trust, one-way and two-way SSL, keys and keystores and cipher suite choice. By means of several examples, I'll show what it can mean if you make the wrong choices in on premises and cloud scenario's. This presentation is relevant for anyone involved in securing connections between client and server using TLS and people interested in learning more about the topic of TLS in general.
Secure Shell (SSH) is a cryptographic network protocol for secure data communication and remote shell services over an insecure network. SSH establishes an encrypted connection between a client and server, allowing for secure login, file transfer, port forwarding and tunneling. It uses public-key authentication and encryption to securely handle remote login and other network services between two networked computers.
Shell is a protocol that provides authentication, encryption and data integrity to secure network communications. Implementations of Secure Shell offer the following capabilities: a secure command-shell, secure file transfer, and remote access to a variety of TCP/IP applications via a secure tunnel. Secure Shell client and server applications are widely available for most popular operating systems.
This document summarizes SSL/TLS, including what it is, how it works, and where it fits. SSL/TLS uses cryptography like key exchange, privacy, and message integrity to encrypt network connections above the transport layer, securing protocols like HTTP, SMTP, and POP3. The handshake protocol is described, including the client hello, server hello, and key exchange steps. Applications that use SSL/TLS are discussed, such as HTTPS for secure web browsing and mail protocols like SSMTP and SPOP3.
Secure Shell (SSH) is a protocol for secure network communication that provides encrypted transmission and authentication between devices. It was created as a secure replacement for insecure remote login protocols like Telnet. SSH operates using three main protocols - the transport layer protocol provides host authentication and encrypted data transmission. The user authentication protocol authenticates users through methods like passwords or public keys. The connection protocol runs on top of the encrypted transport layer and allows for multiplexed channels for remote sessions, file transfers, and other network functions through features like port forwarding.
This document provides an introduction to SSH and PGP protocols for secure communication. It discusses how SSH uses public-key cryptography to authenticate connections and encrypt data transmitted over untrusted networks, protecting against threats like IP spoofing. It also explains how SSH uses key pairs and configuration files. PGP is introduced as providing encryption, authentication and integrity for email through techniques like hashing, symmetric/asymmetric encryption and digital signatures. It describes how PGP handles the technical challenges of encoding encrypted data for transmission in email systems.
SSL and TLS provide end-to-end security for applications using TCP. They operate at the transport layer and provide services like data encryption, message integrity, and client/server authentication. The key components are the handshake protocol for negotiating encryption parameters and exchanging keys, the record protocol for fragmenting and encrypting application data, and alert and change cipher spec protocols for signaling errors and key changes. Common algorithms include RSA and Diffie-Hellman for key exchange, RC4, 3DES and AES for encryption, and MD5 or SHA for hashing. Sessions define a connection's cryptographic settings while connections are the actual data streams.
This slide help you about Security at the transport layer. In this slide we cover About Kerberos Model, Security of Kerberos Model and SSL/TLS Model and How it work and its SSL Architecture and its different phase .
Project Vault is a secure computing environment developed by Google's ATAP group. It uses a microSD card to provide an encrypted environment that works with any operating system. The project is open source and uses an FPGA-based hardware security module for encryption and decryption. It also uses a custom real-time operating system called microSEL and an OpenRISC 1200 processor. Project Vault aims to provide a portable secure computing solution.
Securing Your Resources with Short-Lived Certificates!All Things Open
Presented by: Allen Vailliencourt
Presented at the All Things Open 2021
Raleigh, NC, USA
Raleigh Convention Center
Abstract: There is a better way to manage access to servers, Databases, and Kubernetes than using passwords and/or public and private keys. Come and see how this is done with short-lived certificates and see a demo of Teleport!
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
Smart connected devices such as mobile phones, tablets and Digital TVs are required to handle data with strong security and confidentiality requirements. A “Trusted Execution Environment” (TEE) provides an environment for processing data securely, protected from normal platform applications. This talk is intended as an introduction to Trusted Execution, and the open-source Trusted Execution Environment OP-TEE in particular. It introduces the GlobalPlatform TEE Specifications, explains how Trusted Execution is implemented by ARM TrustZone and OP-TEE, and outlines how trusted boot software manages the secure boot of an ARM platform. Finally, it gives some pointers on how to get started with OP-TEE.
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. This presentation is made as an assignment during our university course.
This document summarizes the design and implementation of proxy2, an HTTP proxy library written in Python. Proxy2 aims to be a simple yet fully customizable proxy. It uses standard Python modules and implements request, response, and save handlers that can be overridden by users to modify requests, responses, or perform long tasks. The document covers challenges like HTTP persistent connections, content encoding, and hop-by-hop headers that proxy2 addresses. It also explains how proxy2 supports HTTPS relay and interception using SSL/TLS.
The document discusses SSL/TLS (Secure Sockets Layer/Transport Layer Security), which are cryptographic protocols that provide secure communication over the internet. It covers SSL/TLS concepts like handshaking, encryption, authentication. It also describes JSSE (Java Secure Socket Extension), the Java implementation of SSL/TLS, including its architecture, classes and configuration. The document provides references for further reading on SSL/TLS and JSSE.
St Louis Linux Users Group Wireguard (for Fun and Networking)Andrew Denner
This document discusses different VPN protocols and presents Wireguard as a new option. It provides an overview of older protocols like PPTP and OpenVPN, noting their security weaknesses. The document then introduces Wireguard as very fast with low overhead, using standardized encryption algorithms and having no known major vulnerabilities. It demonstrates how to install and set up Wireguard on different platforms like the Raspberry Pi, Ubuntu, MacOS, and Android to securely connect networks.
Slides of the Webinar "SSL, impact and optimisation"
INTRODUCTION
What is SSL?
The purpose of SSL
History of SSL / TLS
Overview of a TLS connection
PART 1
What is the role of an SSL certificate?
Levels of validation
Options for certificates: SAN and Wildcard
The certificate ordering process
Certificate chain
SSL algorithms: encryption & authentication
Examples
PART 2
TLS and IPV4 exhaustion
HAProxy and SNI
TLS impacts
SSL offloading
SEO
Security of the SSL protocol
This document discusses web security and Secure Sockets Layer (SSL) / Transport Layer Security (TLS). It defines key web security terminology like hackers, viruses, worms, and Trojans. It then explains what SSL/TLS is, how it provides security for web communications through encryption, message authentication codes, and authentication. The document outlines the SSL/TLS architecture, components, sessions and connections. It also discusses how SSL/TLS has been widely implemented in applications like HTTPS to secure internet traffic.
Transport Layer Security - Mrinal WadhwaMrinal Wadhwa
The document summarizes the evolution of the Transport Layer Security (TLS) protocol from versions 1.0 to 1.2. It describes the key components of TLS including the record protocol for fragmenting and transmitting encrypted data, handshake protocol for authentication and key exchange, and cipher suites for encryption algorithms. The TLS protocol provides secure communication over the internet by preventing eavesdropping, tampering, and forgery of messages between client and server applications.
SSH is a protocol for secure remote access and file transfer that replaces insecure protocols like telnet. It uses encryption and authentication to securely transmit data, remote shell access, port forwarding, and file transfers between a client and server. Reasons to use SSH include enabling secure communication channels, arbitrary port redirection, optional compression, and protecting against spoofing and routing attacks.
Ведущий: Терренс Гаро
В докладе рассказывается о том, как создать ханипот (ловушку) и организовать сервис с обновляемыми данными о попавшихся DDoS-ботах с помощью Kibana, Elasticsearch, Logstash и AMQP. Докладчик откроет исходный код системы мониторинга и сбора внешней статистики DDoS-атак, над которой он работал со своей командой последние два года.
All you need to know about transport layer securityMaarten Smeets
Many people think that using HTTPS to offer your site or service to clients makes you secure from eavesdroppers and people trying to manipulate your network traffic. Think again! In this presentation I'll dive into transport layer security. I'll elaborate on what you can achieve with SSL such as authentication, encryption and integrity and how you can achieve it. I'll talk about the client-server handshake, identity and trust, one-way and two-way SSL, keys and keystores and cipher suite choice. By means of several examples, I'll show what it can mean if you make the wrong choices in on premises and cloud scenario's. This presentation is relevant for anyone involved in securing connections between client and server using TLS and people interested in learning more about the topic of TLS in general.
Secure Shell (SSH) is a cryptographic network protocol for secure data communication and remote shell services over an insecure network. SSH establishes an encrypted connection between a client and server, allowing for secure login, file transfer, port forwarding and tunneling. It uses public-key authentication and encryption to securely handle remote login and other network services between two networked computers.
Shell is a protocol that provides authentication, encryption and data integrity to secure network communications. Implementations of Secure Shell offer the following capabilities: a secure command-shell, secure file transfer, and remote access to a variety of TCP/IP applications via a secure tunnel. Secure Shell client and server applications are widely available for most popular operating systems.
This document summarizes SSL/TLS, including what it is, how it works, and where it fits. SSL/TLS uses cryptography like key exchange, privacy, and message integrity to encrypt network connections above the transport layer, securing protocols like HTTP, SMTP, and POP3. The handshake protocol is described, including the client hello, server hello, and key exchange steps. Applications that use SSL/TLS are discussed, such as HTTPS for secure web browsing and mail protocols like SSMTP and SPOP3.
Secure Shell (SSH) is a protocol for secure network communication that provides encrypted transmission and authentication between devices. It was created as a secure replacement for insecure remote login protocols like Telnet. SSH operates using three main protocols - the transport layer protocol provides host authentication and encrypted data transmission. The user authentication protocol authenticates users through methods like passwords or public keys. The connection protocol runs on top of the encrypted transport layer and allows for multiplexed channels for remote sessions, file transfers, and other network functions through features like port forwarding.
This document provides an introduction to SSH and PGP protocols for secure communication. It discusses how SSH uses public-key cryptography to authenticate connections and encrypt data transmitted over untrusted networks, protecting against threats like IP spoofing. It also explains how SSH uses key pairs and configuration files. PGP is introduced as providing encryption, authentication and integrity for email through techniques like hashing, symmetric/asymmetric encryption and digital signatures. It describes how PGP handles the technical challenges of encoding encrypted data for transmission in email systems.
SSL and TLS provide end-to-end security for applications using TCP. They operate at the transport layer and provide services like data encryption, message integrity, and client/server authentication. The key components are the handshake protocol for negotiating encryption parameters and exchanging keys, the record protocol for fragmenting and encrypting application data, and alert and change cipher spec protocols for signaling errors and key changes. Common algorithms include RSA and Diffie-Hellman for key exchange, RC4, 3DES and AES for encryption, and MD5 or SHA for hashing. Sessions define a connection's cryptographic settings while connections are the actual data streams.
This slide help you about Security at the transport layer. In this slide we cover About Kerberos Model, Security of Kerberos Model and SSL/TLS Model and How it work and its SSL Architecture and its different phase .
Project Vault is a secure computing environment developed by Google's ATAP group. It uses a microSD card to provide an encrypted environment that works with any operating system. The project is open source and uses an FPGA-based hardware security module for encryption and decryption. It also uses a custom real-time operating system called microSEL and an OpenRISC 1200 processor. Project Vault aims to provide a portable secure computing solution.
Securing Your Resources with Short-Lived Certificates!All Things Open
Presented by: Allen Vailliencourt
Presented at the All Things Open 2021
Raleigh, NC, USA
Raleigh Convention Center
Abstract: There is a better way to manage access to servers, Databases, and Kubernetes than using passwords and/or public and private keys. Come and see how this is done with short-lived certificates and see a demo of Teleport!
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
Smart connected devices such as mobile phones, tablets and Digital TVs are required to handle data with strong security and confidentiality requirements. A “Trusted Execution Environment” (TEE) provides an environment for processing data securely, protected from normal platform applications. This talk is intended as an introduction to Trusted Execution, and the open-source Trusted Execution Environment OP-TEE in particular. It introduces the GlobalPlatform TEE Specifications, explains how Trusted Execution is implemented by ARM TrustZone and OP-TEE, and outlines how trusted boot software manages the secure boot of an ARM platform. Finally, it gives some pointers on how to get started with OP-TEE.
Serie dei nuovi processori Xeon Scalabili - Yashi ItaliaYashi Italia
The document discusses Intel's Xeon Scalable processors. It provides details on the different processor series including Bronze, Silver, Gold, and Platinum. The main points covered are:
- The processors deliver up to 1.65x average performance boost over prior generations.
- They support configurations ranging from 2 to 8 sockets.
- Each series provides different core counts, frequencies, and capabilities with Platinum being the highest performing.
- Features include support for Intel technologies like AVX-512, Optane SSDs, QuickAssist, and security features.
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...OpenNebula Project
The document discusses disaggregated data centers using OpenNebula. It describes how OpenNebula allows for scalability through elasticity and avoids issues from human/configuration errors. It discusses types of scalability like predictable, mixed/emergency, and unpredictable scalability. It also briefly discusses provisioning tools like Oneprovision and using provision templates in YAML format.
OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...Dmytro Korzhevin
Presentation covers various cyber security aspects that are stands behind the AAA-Level game projects. And what is most important it covers a practically proven way to provision own data (game services) in 22 geographical locations in 22 minutes, using opensource solution - OpenNebula and it's DDC features. During this 22 minutes you receive fully distributed mesh infrastructure, located in 22 different geo locations (datacenters) provisioned using only bare metal hardware servers, with preconfigured GNU/Linux OS and preconfigured VM on top of each server. Each server has own control server in own region with backconect to 'mother' server in central location with High Availability configured, own network segments in each datacenter, elastic IP's, Backend Transfer Facilities, Local BGP.
Secure Shell (SSH) is a protocol that provides secure remote access to devices. This document provides instructions for configuring SSH on Cisco switches including generating SSH keys, configuring the SSH server, and monitoring the SSH configuration. Key steps include generating an RSA key pair, configuring the SSH version, setting timeout values, and limiting network access to SSH-only connections.
DPDK Summit 2015 in San Francisco.
Intel's presentation by Keith Wiles.
For additional details and the video recording please visit www.dpdksummit.com.
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...Michelle Holley
Abstract: Intel® QuickAssist Technology improves performance and efficiency across the data center and other computing platforms by handling the compute-intensive operations of bulk cryptography, public key cryptography, and data compression. In this course, we will give an overview of the technology along with the summary of resources to get started with integrating Intel® QAT into your platform solutions. We will also demonstrate using Intel® QAT with applications such as OpenSSL, NGINX, and HAProxy, with a hands-on lab.
Speaker Bios:
Joel Auernheimer, a Platform Application Engineer at Intel, has been focused on enabling customers to integrate Intel® QuickAssist Technology in their platform solutions. Joel is a native of Phoenix, Arizona and enjoys hiking, basketball, soccer, singing, and spending time with friends and family.
Joel Schuetze has been with Intel since 1996. For the last 9+ years he has worked as Platform Application Engineer supporting customers with Intel QuickAssist Technology.
An overview of all things that can go wrong when developers attempt to implement a Chain of Trust also called "secure boot". Starting from design mistakes, we look at crypto problems, logical and debug problems and move towards Side Channel Attacks and Fault Injection.
Focused on Automotive, Pay-TV, Gaming and mobile devices.
Intels presentation at blue line industrial computer seminarBlue Line
This document provides an overview of Intel Corporation in 2014. It discusses Intel's mission to bring smart, connected devices to everyone using Moore's Law. Over 75% of Intel's business is outside the US, with key focus areas including data center, client, ultra-mobile, and wearables/IoT. Intel has a track record of executing Moore's Law and developing new process technologies like 14nm. The document outlines Intel's various business groups and labs focusing on areas like the internet of things. It provides a roadmap for Intel gateways for IoT and discusses Intel's history and position as the world's largest semiconductor manufacturer.
Example application providing guidelines for using the Cryptography Device Library framework.
Showcase DPDK cryptodev framework performance with a real world use case scenario.
Author: Georgi Tkachuk
This document provides an overview of securing data in transit using TLS in constrained devices. It begins with introducing the presenters from wolfSSL Inc. and the topics that will be covered, which include an introduction to wolfSSL, an overview of SSL/TLS and cryptography, enabling TLS for a simple HTTP client, emerging ciphers and algorithms, and time for Q&A. It then discusses wolfSSL's history and products. The remainder of the document focuses on explaining SSL/TLS protocols, cipher suites, X.509 certificates, implementing TLS on embedded devices using wolfSSL and the FRDM-K64F board as an example, and emerging ciphers like ChaCha20 and Poly1305.
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
Digital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about Industrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical infrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. If these are compromised or even have a misoperation, we will show what files, firmware, memory dumps, physical conditions, and other data can be analyzed in embedded systems to determine the root cause.
This talk will show examples of what and how to collect forensics data from two popular RTUs that are used in Electric Substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC.
This talk will not cover Windows or *nixbased devices such as Human Machine Interfaces (HMIs) or gateways.
MultiZone is an IoT firmware that provides a trusted execution environment (TEE) for securing IoT applications on RISC-V processors. It includes pre-integrated libraries for TCP/IP, TLS, ECC and FreeRTOS to handle basic and advanced IoT requirements. MultiZone provides four separated execution environments called zones that are enforced by hardware to isolate trusted applications from untrusted third party code and libraries. It allows for building secure IoT devices, remote firmware updates, and real-time device monitoring and management without needing proprietary hardware extensions.
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Kuniyasu Suzaki
This document discusses hardware-assisted isolated execution environments (HIEE) and trusted execution environments (TEE) on RISC-V processors. It describes how TEEs are implemented using privileges worlds on ARM TrustZone and Intel SGX. For RISC-V, it summarizes proposals for TEEs including Sanctum, MultiZone, and using seL4 microkernel to implement OP-TEE. It also briefly discusses TEE implementations on FPGAs, GPUs, virtualization, and the IETF's TEE provisioning protocol.
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...mjos
Presenter: Markku-Juhani O. Saarinen
Talk: Design and implementation of the WhirlBob and Keyak/WhirlBob embedded FPGA System-on-Chip co-processor for the second round of the CAESAR competition
Conference: TrustED 2014 - Arizona, USA, 03 November 2014,
http://th.informatik.uni-mannheim.de/trusted-workshop/2014/
Hardware Security Modules (HSMs) are widely use for cryptography key management in many areas such as PKI, card payment, trusted platform modules, etc. However they are rarely used in in-house software development.
This presentation will explain about why we need the key management and its fundamental, overview of HSM and how it take parts in key management, HSM selection criterias, and finally, an idea to make a web service wrapper easier to adopt by developers those lack of knowledge in cryptography programming.
The document provides information about Intel's Perceptual Computing SDK and related hardware and software. It discusses the Creative Interactive Gesture Camera that can be used with the SDK for close-range interactivity. It also outlines key upcoming products, an overview of perceptual computing capabilities like facial tracking and gesture recognition, hardware and software requirements, supported programming languages and frameworks, and resources for using the SDK.
Similar to FIPS 140-2 Validations in a Secure Enclave (20)
The wolfSSL team meeting discussed performance enhancements to wolfSSL including single precision implementations of asymmetric algorithms, Intel assembly optimizations, and benchmarking improvements. Single precision implementations reduce code size but improve performance for embedded systems that only use one key size. Benchmarking was updated to match OpenSSL for apples-to-apples comparisons. Intel assembly optimizations were shown to significantly speed up algorithms like AES-GCM, ChaCha20, SHA-2, and Curve25519 compared to the C implementations. Future work may include more algorithm optimizations and exploiting new Intel instruction sets.
wolfSSL, author of the open source CyaSSL embedded SSL library has made significant progress in 2013 towards bringing the community a more usable, feature-rich, and better supported library for use in an ever-growing range of embedded platforms and environments. This talk will provide an overview of technical progress in the last year and news on the current state of wolfSSL. Details on what's new include the addition of new crypto ciphers and algorithms, better hardware cryptography support, more flexible abstraction layers, a JNI wrapper, new platform support, and better development tool integration. www.wolfssl.com
Secure Communication: Usability and Necessity of SSL/TLSwolfSSL
Network-related applications and devices often use secure communication. Although keeping network communications safe should be a top priority to all developers and engineers, it often gets left behind due to lack of understanding, insufficient funding, or looming deadlines.
Securing a project with SSL shouldn?t have to include a steep learning curve, deep pockets, or an unlimited time frame. By learning a few basics of how things work, where the technology is best used, and what features to look for when trying to choose the right SSL implementation, a developer or engineer can easily, simply, and quickly secure their project - putting both themselves and their employer?s minds at ease.
This presentation will introduce SSL - including why secure communication is important, introductory details about SSL, x509, and the underlying cryptography. It will give an overview of where SSL is used today - including Home Energy, Gaming, Databases, Sensors, VoIP, and more. A description of important items to look for when trying to choose an SSL implementation will give developers and engineers a solid foundation to begin securing their projects with SSL and will enable them to have more informed discussions with potential vendors.
Learn more at www.yassl.com.
Slides from Chris Conlon's presentation about yaSSL's work porting the CyaSSL embedded SSL library, the MIT Kerberos library, and the Kerberos GSS-API to the Android platform.
To learn more, visit www.yassl.com.
yaSSL 2010-2011 Technical and Community UpdatewolfSSL
View slides from Chris Conlon's presentation about yaSSL's progress in the 2010-2011 year at FOSDEM in Brussels, Belgium.
To learn more about yaSSL's product or the CyaSSL embedded SSL library, visit www.yassl.com.
This document discusses securing MySQL databases using SSL/TLS. It begins with an overview of MySQL security best practices, such as keeping the database updated, using strong passwords, and restricting privileges. It then covers SSL/TLS, explaining how it provides privacy, authentication and integrity for client-server communication. The document delves into X.509 certificates and how they are used in the SSL handshake process. Finally, it addresses how to configure and build MySQL with SSL support.
Slides from Todd Ouska's presentation on Secure Memcache at OSCON 2010. To learn more about secure memcache or the CyaSSL embedded SSL library, visit www.yassl.com.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
FIPS 140-2 Validations in a Secure Enclave
1. FIPS 140-2 Validations
In a Secure Enclave
Chris Conlon
ICMC18, May 8-11, 2018
Shaw Centre | Ottawa, Ontario, Canada
2. A. Overview of wolfSSL and wolfCrypt FIPS
B. Secure Enclaves
C. FIPS 140-2 Enclave Validations
a. Advantages
b. Challenges
D. Validation Process inside Intel SGX
Outline
5. Introduction to wolfSSL - Open Source
● Dual Licensed - source code available as open source GPLv2 or commercial
● Available for download at:
○ wolfSSL website: www.wolfssl.com/download
○ GitHub: www.github.com/wolfSSL
● Professional support direct from engineers
● Consulting services for validations, integration, or new features
6. What is a Secure Enclave?
● A secure enclave can also be referred to as
“Trusted Execution Environment (TEE)”
● Can be implemented through software or
hardware, depending on the implementation
● Enclave is a protected area in the
application’s address space
○ Separates and protects sensitive code / data
from other processes
○ Provides a secure area where code can be
stored and executed
7. What is a Secure Enclave?
● Intel Technologies
○ TXT (Trusted Execution Technology) uses a TPM and
cryptographic algorithms to permit a verifiably secure
installation, launch, and use of a hypervisor or
operating system (OS)
■ Launched on Xeon 5600 series processors in 2010
○ SGX (Software Guard Extensions) extensions allow
an application to instantiate a protected container,
which provides confidentiality and integrity
■ Launched on Intel 6th generation Skylake processors in 2015
8. What is a Secure Enclave?
● Other TEE Technologies
○ ARM TrustZone
○ AMD SME/SEV
○ Qualcomm QSEE/SecureMSM
○ Apple iPhone Secure Enclave
○ ...
9. Why would you want to FIPS
140-2 validate inside an TEE?
10. Traditional FIPS 140-2 Validations
● When software module is first loaded, two things happen:
1. Power-On Integrity Check
■ Guarantee object files have not changed between compile time and run
time
2. Known Answer Tests
■ Verifies algorithm implementation is operating correctly
● Shared library default entry point is used to execute these
#define INITIALIZER(f) static void __attribute__((constructor)) f(void)
12. Traditional FIPS 140-2 Validations
● Traditional validation checks and tests work well, unless a malicious user
or privileged process has physical access to the system’s memory
● Malicious actor could then potentially do any number of things:
■ Modify object files and change the comparison hash for the In-Core
Integrity check
■ Modify the object code responsible for KAT’s
■ Modify the memory areas containing the core crypto code
14. Advantages of Enclave-Based Validations
● Doing a validation INSIDE a secure enclave / TEE:
✓ Adds layer of protection for cryptographic module against privileged
users (OS, BIOS, drivers, etc)
✓ Provides confidentiality of code and data - unable to view or
analyze running cryptographic module memory
✓ Provides integrity assurance for the duration of the executable /
enclave lifetime
✓ Allows use of enclave in government and DoD projects, since FIPS
140-2 is commonly a requirement
15. Advantages of Enclave-Based Validations
✓ Provides a more secure environment when running in an untrusted
environment (cloud server, etc)
?
?
?
17. Challenges of Enclave-Based Validations
● Determining best enclave entry point structure
○ Where should untrusted code call into the enclave at?
● Passing data and files TO/FROM the enclave
○ Needed to run CAVP vector files through crypto module
● Limiting crypto module dependencies external to the enclave
○ Source of entropy?
○ System calls not available in enclave
19. Intel SGX Overview
● Intel SGX Overview
○ Creates a protected container (enclave) where legitimate software can
be sealed inside
( image source: https://software.intel.com/en-us/sgx/details )
20. Intel SGX
● Intel SGX Overview
○ Provides memory protection through
encryption
○ Provides integrity of the enclave contents
○ Can generate enclave specific keys
○ Protects sensitive operations against outside
inspection
( image source: https://software.intel.com/en-us/sgx/details )
21. Intel SGX
● Intel SGX Hardware Support
○ Hardware added in Intel’s 6th generation (Skylake) processors or
later
○ To use the SGX feature it must be enabled in the BIOS
○ One Intel CPU can have multiple secure enclaves
○ Enclave physical memory is encrypted by processor
22. Current wolfCrypt FIPS OE List
Operating System Processor Platform
1 Linux 3.13 (Ubuntu) Intel® Core™ i7-3720QM CPU @2.60GHz x 8 HP EliteBook
2 iOS 8.1 Apple™ A8 iPhone™ 6
3 Android 4.4 Qualcomm Krait 400 Samsung Galaxy S5
4 FreeRTOS 7.6 ST Micro STM32F uTrust TS Reader
5 Windows 7 (64-bit) Intel® Core™ i5 Sony Vaio Pro
6 Linux 3.0 (SLES 11 SP4, 64-bit) Intel® Xeon® E3-1225 Imprivata OneSign
7 Linux 3.0 (SLES 11 SP4, 64-bit) on
Microsoft Hyper-V 2012R2 Core
Intel® Xeon® E5-2640 Dell® PowerEdge™ r630
8 Linux 3.0 (SLES 11 SP4, 64-bit) on
VMWare ESXi 5.5.0
Intel® Xeon® E5-2640 Dell® PowerEdge™ r630
9 Windows 7 (64-bit) on VMWare ESXi 5.5.0 Intel® Xeon® E5-2640 Dell® PowerEdge™ r630
Certificate #2425
23. Current wolfCrypt FIPS OE List
Operating System Processor Platform
10 Android Dalvik 4.2.2 NXP i.MX6 MXT-700-NC 7” touch panel
11 Linux 4.1.15 NXP i.MX5 NX-1200 NetLinx NX Integrated
Controller
12 Debian 8.8 Intel Xeon 1275v3 CA PAM 304L Server
13 Windows Server 2012R2 Intel Xeon E5335 Physical x64 Server(s)
14 Windows 7 Professional SP1 Intel Core i7-2640M Dell Latitude E6520
15 Debian 8.7.0 Intel Xeon E3 Family with SGX support Intel x64 Server System R1304SP
16 Windows 10 Pro Intel Core i5 with SGX support Dell Latitude 7480
17 NET+OS v7.6 Digi International NS9210 Sigma IV infusion pump
Certificate #2425 - New OE’s in 2017-2018
25. ● Independent of SSL/TLS
● Design simplifies updates
● Most bugs and
vulnerabilities happen in
SSL/TLS, not crypto
wolfCrypt FIPS Object Module
26. ● SGX enclave structure with
wolfCrypt only
● FIPS 140-2 boundary only
around “wolfCrypt FIPS”
wolfCrypt FIPS Object Module in SGX
27. ● SGX enclave structure with
wolfCrypt and wolfSSL
SSL/TLS Library
● FIPS 140-2 boundary only
around “wolfCrypt FIPS”
wolfCrypt FIPS Object Module in SGX
28. Intel SGX OE Validation Process
● Unique steps to SGX OE Validation:
○ Port wolfCrypt to run inside Intel SGX
○ Map system calls as SGX trusted entry points
○ Map wolfSSL and wolfCrypt API as SGX trusted entry points
○ Modify CAVP test harness to read vector files in untrusted section,
pass via buffer into trusted enclave
29. Intel SGX OE Validation Process
● Port wolfSSL / wolfCrypt to run inside Intel SGX enclave
○ Modify random.c to get entropy from Intel SGX API
■ sgx_read_rand()
■ /dev/random, /dev/urandom would have been outside enclave
○ Use Intel intrinsics by default
■ _lrotr()
■ _lrotl()
30. Intel SGX OE Validation Process
● Map system calls as SGX trusted entry points (OCALLs)
○ printf() - for logging/debugging
■ ocall_print_string()
○ gettimeofday() - get the current time in seconds since Epoch
■ ocall_current_time()
○ get struct timeval seconds
■ ocall_low_res_time()
○ send() - network send function
■ ocall_send()
○ recv() - network recv function
■ ocall_recv()
31. Intel SGX OE Validation Process
● Map wolfSSL and wolfCrypt API as SGX trusted entry points
○ Add wrapper functions exposing wolfSSL and wolfCrypt API:
■ public int enc_wolfSSL_Init(void);
■ public WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void);
■ public WOLFSSL_METHOD* enc_wolfTLSv1_2_server_method(void);
■ public int enc_wc_InitRng([user_check] WC_RNG* rng);
■ public int enc_wc_FreeRng([user_check] WC_RNG* rng);
■ public int enc_wc_InitRsaKey([user_check] RsaKey* key, [user_check]
void* ptr);
■ etc...
32. Intel SGX OE Validation Process
● Modify CAVP test harness to read vector files in untrusted section,
pass via buffer into trusted enclave
33. Intel SGX OE Demo!
● Demo of wolfSSL’s test app inside an SGX Enclave
$ ./App
Usage:
-t Run wolfCrypt tests only
-b Run wolfCrypt benchmarks in enclave
-c Run a TLS client in enclave
-s Run a TLS server in enclave
Operating System Processor Platform
15 Debian 8.7.0 Intel Xeon E3 Family with SGX support Intel x64 Server System R1304SP
34. Intel SGX OE Demo!
● Demo of wolfSSL’s test app inside an SGX Enclave
$ ./App -t
Crypt Test:
error test passed!
base64 test passed!
asn test passed!
MD5 test passed!
MD4 test passed!
SHA test passed!
SHA-256 test passed!
...
ECC test passed!
ECC buffer test passed!
logging test passed!
mutex test passed!
memcb test passed!
Crypt Test: Return code 0
$ ./App -b
Benchmark Test:
wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
RNG 130 MB took 1.016 seconds, 127.979 MB/s
AES-128-CBC-enc 255 MB took 1.004 seconds, 253.880 MB/s
AES-128-CBC-dec 285 MB took 1.013 seconds, 281.257 MB/s
AES-192-CBC-enc 225 MB took 1.013 seconds, 222.205 MB/s
AES-192-CBC-dec 245 MB took 1.000 seconds, 244.950 MB/s
AES-256-CBC-enc 200 MB took 1.015 seconds, 196.992 MB/s
…
ECC 256 key gen 1155 ops took 1.000 sec, avg 0.866 ms, 1154.727 ops/sec
ECDHE 256 agree 1200 ops took 1.022 sec, avg 0.852 ms, 1173.816 ops/sec
ECDSA 256 sign 1200 ops took 1.048 sec, avg 0.873 ms, 1145.563 ops/sec
ECDSA 256 verify 600 ops took 1.023 sec, avg 1.705 ms, 586.548 ops/sec
Benchmark Test: Return code 0
35. What’s up for the Future?
● Possibilities for the future, depending on customer demand:
○ More SGX Operating Environments
○ Expanded FIPS 140-2 algorithm boundary
○ FIPS 140-2 validations in other TEE environments
○ What do you want to see?
36. wolfSSL Library Makefile for SGX
● wolfSSL SGX Static Library Project
○ Creates a static wolfSSL library for use with SGX enclaves
○ Assumes user has already:
■ Enabled SGX in BIOS
■ Installed necessary software from Intel
○ Distributed with wolfSSL:
■ https://github.com/wolfSSL/wolfssl/tree/master/IDE/LINUX-SGX
37. wolfSSL SGX Examples
● Non-FIPS Examples Available on GitHub
○ Examples include:
■ TLS Client in an enclave
■ TLS Server in an enclave
■ wolfCrypt tests in an enclave
■ wolfCrypt benchmarks in an enclave
○ For Linux and Windows
■ https://github.com/wolfSSL/wolfssl-examples/tree/master/SGX_Linux
■ https://github.com/wolfSSL/wolfssl-examples/tree/master/SGX_Windows
38. A. Overview of Secure Enclaves
a. Advantages
b. Challenges
B. FIPS 140-2 inside Intel SGX
a. Intel SGX
b. Changes required
c. Validation Process
Summary