PRPv2 Architecture and Security SDN & TPM Pacific Research Platform University of California, San Diego La Jolla, CA October 16, 2015 John Graham Senior Development Engineer Calit2/Qualcomm Institute, UCSD


Page 1: Pacific Research Platform PRPv2 Architecture and Security ...prp.ucsd.edu/presentations/2015-workshop/PRPv2 Architecture and... · PRPv2 Architecture and Security SDN & TPM ... Mininet

PRPv2 Architecture and Security SDN & TPM

Pacific Research Platform, University of California, San Diego

La Jolla, CA, October 16, 2015

John Graham, Senior Development Engineer

Calit2/Qualcomm Institute, UCSD

Page 2

Rocks for secure deployment

Creating a trusted computing environment from the ground up

Page 3

Trusted Platform Modules (TPM)

A Trusted Platform Module offers facilities for the secure generation of cryptographic keys and for limiting their use, in addition to a random number generator.

● Remote attestation: creates a nearly unforgeable hash-key summary of the hardware and software configuration. The program hashing the configuration data determines the extent of the summary of the software. This allows a third party to verify that the software has not been changed.

● Binding: encrypts data using a TPM bind key, a unique RSA key descended from a storage key.

● Sealing: encrypts data in a similar manner to binding, but additionally specifies the state the TPM must be in before the data can be decrypted (unsealed).

https://en.wikipedia.org/wiki/Trusted_Platform_Module

Page 4

Inside the TPM

The diagrams show the major components of a TPM.

● C0 I/O

● C1 Cryptographic Co-Processor

● C2 RSA Key Generation

● C3 HMAC Engine

● C4 Random Number Generator

● C5 SHA-1 Engine

● C6 Power Detection

● C7 Opt-In

● C8 Execution Engine

● C9 Persistent Storage (non-volatile)

● C10 Versatile Storage (volatile)

Page 5

Image Signing and Trust Chains

● Digital signing (often called code or image signing): creating a unique digital signature for a given block of data, such as software code.

● Trusted element: in the scope of system software, a piece of code that is known to be authentic.

● Root of trust: the anchor for the system at which a guaranteed trusted element exists. If the first code running on a system is immutable, it becomes the root of trust in that system.

● Chain of trust: exists when the integrity of each element of code on a system is validated before that piece of code is allowed to run. A chain of trust starts with a root of trust element. The root of trust validates the next element in the chain (usually firmware) before it is allowed to start, and so on.

● High Quality Random Number Generator

https://www.cisco.com/web/about/doing_business/trust-center/docs/trust-anchor-technologies-ds-45-734230.pdf
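The attestation summary and sealing from the TPM slide, together with the chain of trust described on this slide, as an added worked example (not part of the original deck): a simulated PCR extend sequence over constructed boot stages, with a secret sealed to the resulting PCR value so that a modified stage makes the secret unrecoverable. The stage images, the storage root key and the key-derivation scheme are stand-ins assumed for the simulation, not a real TPM's internals.

```python
import hashlib
import hmac

# Constructed boot stages for the simulation; not real PRP or Rocks images.
BOOT_CHAIN = [
    ("firmware", b"firmware v1.0"),
    ("bootloader", b"grub 2.02"),
    ("kernel", b"vmlinuz-rocks"),
]
# Toy storage root key (assumption); on a real TPM it never leaves the chip.
_SRK = b"demo-storage-root-key"

def pcr_extend(pcr, component):
    """TPM 1.2 style extend: PCR' = SHA-1(PCR || SHA-1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_chain(chain):
    """Walk a chain of trust: each element is measured into the PCR before
    it runs. Returns the final PCR (the attestation summary a verifier
    compares with a known-good value) and the event log used to replay it."""
    pcr = bytes(20)  # PCRs are reset to all zeros at power-on
    log = []
    for name, image in chain:
        pcr = pcr_extend(pcr, image)
        log.append((name, hashlib.sha1(image).hexdigest(), pcr.hex()))
    return pcr, log

def seal(secret, expected_pcr):
    """Seal a secret (up to 32 bytes) to one PCR value: the wrapping key is
    derived from the SRK and the expected state, so any other state yields
    a different key and the blob cannot be unwrapped."""
    key = hmac.new(_SRK, expected_pcr, hashlib.sha256).digest()
    stream = hashlib.sha256(key + b"stream").digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return {"ct": ct, "tag": tag}

def unseal(blob, current_pcr):
    """Return the secret if the platform is in the sealed state, else None."""
    key = hmac.new(_SRK, current_pcr, hashlib.sha256).digest()
    tag = hmac.new(key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # state differs from the one the secret was sealed to
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))
```

Because extend is order-sensitive, swapping two stages or changing one byte of any image changes the final PCR, and unseal then returns None.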

Page 6

SDN to secure FIONAs

ONOS SDN Controller Applications

Andrew Prudhomme (IRNC SDX)

https://docs.google.com/document/d/1eU5xCrFOrBHX-y-IaKbmajqtDv3wRoXzCUAioMdKQvw/edit

● SDNAnn: SDN annotation application adding information to ONOS about the flows

● SDNTest

○ VLAN remapper

○ ARP remapper

○ Globus Connect REST API

● Mininet modification to allow link speed simulation

Experimenting with new release!

● OPNFV (Feb 2016, ONOSFW+OPNFV)

https://wiki.onosproject.org/display/ONOS/ONOS+Framework+(ONOSFW)+for+OPNFV

● OpenStack

○ Federated Keystone

○ Federated Barbican (with TPM)

October 1st 2015 SDSC Announces new OpenStack Services

Page 7

OpenStack and TPM

● Support for using the TPM to provide remote attestation has been merged into OpenStack in the form of Trusted Compute Pools

● TPMs can be used with disk encryption

● TPMs can be used with Barbican

https://www.openstack.org/summit/vancouver-2015/summit-videos/presentation/using-tpms-for-the-benefit-of-the-entire-cloud

Page 8

Data Oasis Future (SDN / TPM / OpenStack?)

Architecture diagram nodes:

● UCSD-Jupyter FIONA: dual 40 GbE, Tesla K80 GPGPU

● Globus Connect Server

● UCLA: 100GbE perfSONAR, 40GbE DTN FIONA

● UCSC: 100GbE perfSONAR, 40 GbE DTN FIONA

● SC15 InfiniFIONA: 1PB SanDisk InfiniFlash

● CALTECH: 100GbE perfSONAR, CALTECH DTN

● UCB-Jupyter FIONA: dual 40 GbE, Tesla K80 GPGPU

Page 9

InCommon CILogon

Globus and XSEDE have CILogon authentication services

http://cilogon.org/

Page 10

UC-Jupyter on Comet with CILogon

JupyterHub authenticates a user with CILogon and spawns kernels on Comet. We use a Trusted Platform Module (TPM) on the JupyterHub FIONAs to secure the keys we get from the CILogon member organization. These keys are used to connect jupyter.calit2.optiputer.net to comet.sdsc.edu.

● “JupyterHub iPython notebook” (March 12): email to Larry describing the iPython update to multi-user JupyterHub

● Andrea Zonca from SDSC, “Run Jupyterhub on a Supercomputer” (April): http://zonca.github.io/2015/04/jupyterhub-hpc.html

● Fernando Perez visits UCSD (May 11-12)

● UC-Jupyter Meeting, UCSD@BIDS Lab (June 19)

● “IPython/Jupyter notebook setup on SDSC Comet” (September): http://zonca.github.io/2015/09/ipython-jupyter-notebook-sdsc-comet.html

● Min Ragan-Kelley from UC-Berkeley and Andrea Zonca from SDSC, “CILogon module for the Jupyter OAuthenticator” (October): https://github.com/jupyter/oauthenticator

UC-Berkeley added to the list of CILogon organizations!

https://github.com/zonca/remotespawner/wiki/setup-Jupyterhub-Comet-with-CILogon

https://jupyter.calit2.optiputer.net:9090/hub/login (now)

UC-Jupyter on Comet using Trusted Platform Modules (TPM)

● UCB-Jupyter FIONA: Tesla K80 GPGPU

● UCSD-Jupyter FIONA: Tesla K80 GPGPU