Page 126 – Think Big

Cryptographic Security in IoT (III)

Florence Broderick 4 November, 2016

The proliferation of IoT services platforms and devices is occurring much faster than the adoption of security measures in its field. In the face of the urgent need for mechanisms that guarantee the authentication, integrity and confidentiality, of both communications and the devices themselves, the trend is to transfer cryptographic solutions contrasted in traditional IT, such as public key digital certificates over SSL/TLS protocols. We are moving forward in the state-of-the-art of cryptography solutions for IoT.

HMAC Calculation

Execution of the HMAC command, as with other ATSHA204A commands, must precede execution of the Nonce command.

The aim of the Nonce command is to populate the 32-byte internal register, called TempKey, by generating or loading a challenge, which will then be used in later commands.

The Nonce command has three operating modes. 0x00 and 0x01 are the most common modes. In these modes, the Nonce command is invoked, providing it with a number of 20 bytes as an entry, to which it responds by returning a random number of 32 bytes that are generated internally as a challenge.

The 20 received bytes are linked to the random number of 32 bytes, along with three more bytes: 0x16, the mode and 0x00. And based on the set of 55 bytes, the SHA-256 summary, which is stored in the TempKey, is calculated. Additionally, two binary registers are modified:

TempKey.SourceFlag to 0, meaning random origin.
TempKey.Valid, to 1, meaning that the TempKey is usable.

The difference between the 0x00 and 0x01 mode is that in the second case the seed of the random number generator does not update, something that Atmel does not recommend.

In 0x03 mode it is used to directly populate the TempKey, without generating a random number, or the SHA-256 calculation in bypass mode.

If the Nonce command has finished satisfactorily, setting the TempKey.Valid bit to value 1, it is then possible to invoke the HMAC command.

The call to the HMAC command is performed by providing as entry parameters only its mode of operation, and the slot number that contain the key to be used in the HMAC calculation. The response to this command will be the resulting number of 32 bytes from the HMAC-256 computation over a total of 88 bytes made up of:

Set of 0x00 value 32 bytes.
Content of 32 bytes from the TempKey.
Base of 24 bytes determined by the mode of operation.

The HMAC command presents multiple modes of operation, which will determine the content of the OPT zone and the series number (SN) for the device incorporated into the base. It is possible that none of these elements are incorporated, establishing the last 20 bytes of the base at 0x00.

The base of the HMAC calculation will always begin by the 0x11 byte, followed by the mode byte, and two more bytes indicating the slot which is occupied by the key that will perform the HMAC-SHA-256 calculation.

The third least significant bit of the byte mode must coincide with the TempKey.SourceFlag value previously established by the Nonce command.

For all communication with the ATSHA204A device, both incoming and outgoing, two CRC cyclical redundancy check bytes will be added to guarantee the integrity of both the command invocation and its response.

Web PoC

Although the literal description of the authentication commands may appear confusing, their use becomes very simple once implemented within a code library, as can be seen below:

As a simple proof of concept (PoC), we have implemented the practical use case of an IoT device that must be robustly authenticated by a web service, using cryptographic hardware.

For the example to be extended towards the general public, Arduino is used as development environment on an ESP8266 platform that facilitates web access through its WIFI interface.

Any ESP8266 module could be used; a NodeMCU v0.9 has been used in this case, loading a sketch generated from the ESP8266 core for Arduino. An Atmel SHA204A Cryto-Authenticator externally connected to the NodeMCU module has been chosen as the cryptographic hardware.

From the different libraries available for managing the SHA204A, the best adapted for this in general, and the most worked on, was the work of Nusku in 2013. However, it apparently did not work uniformly on different devices and presented some important shortcomings. We have solved these problems by publishing our own fork in Github.

The authentication in the web service is done by inserting an authentication token in the HTTP request (GET request). This is a very common and widespread practice among the most important web authentication services. The “Authorization” header, together with the adequate parameters, has been added for this purpose.

These should include the “11PATHS-HMAC-256” type token, together with the corresponding encoded values in Base64 format. To simplify the process, in addition to the “id” of the device, the header also includes the “nonce” (challenge) and the “base“, used to calculate the verification “signature“, although the protocol supports the challenge provided by the server.

Captured requests could be re-utilized by sending all this data in the request. In order to avoid this weakness, the timestamp is added in unix-time format as part of the request to be signed.

GET /?timestamp=1458647701 HTTP/1.1rn

In order to sign the HTTP request with the Atmel SHA204A, it is summarized to 20 bytes with the SHA-1 algorithm. The Arduino core for ESP8266 includes this function in the “Hash.h” library, but it can be added from the Arduino Crytosuite if another platform is used.

The SHA204A Nonce command is invoked with the obtained 20 bytes, obtaining the 32 resulting bytes as the challenge, and they are stored.

The HMAC command is then invoked, indicating the slot number that contains the key with which the HMAC-SHA-256 will be calculated, together with the execution mode. Once these values (mode and slot) are known, the 24 byte base added to the calculation can be deduced. The result of this command will be the 32 bytes corresponding to the signature of the request.

These values, together with the “id” we assign to the device, will be the base64 parameters that will be included in the header. The base64 encoding is done using the Adam Rudd library.

Authorization: 11PATHS-HMAC-256
id=”EjEjEg==”,
nonce=”LmzzEpRnXvqmvnbOSobGp1VysR/wEpWoMNaY2Miew5g=”, base=”EQACAAAAAAAAAAAAAAAA7gAAAAABIwAA”, signature=”4qnOa5ZGecdzC+DscOSuOhJ64LeB1jTieJATUWPoIZE=”

The web service will be able to verify the authenticity of the IoT device that makes the request, performing the same calculations and comparing the results. To that end, it only needs to know the 32 byte key assigned to the device by its “id”.

The example web service has been published in the following url as part of the demonstration: http://sha204a.cf

This web service will respond with a JSON that contains information related to the authentication if it is valid, and failing this, with the details of the error that has occurred. It can be freely used for testing, because it answers to any id that has signed with the example key:

“EB0C68BF96E8C26635D3450293D2FC501A63A09924FE90A7BD916AC521FDE0AA“

A reciprocal authentication does not occur in this example; in other words, the web service’s answer does not contain any parameter aimed at verifying its own legitimacy, though incorporating it would have been easy. This condition is usually delegated by establishing a secure SSL (https) connection where the web service certificate is verified.

The code of the Arduino sketch is very simple. It manages the connection to the Internet with the “WiFiManager.h” library, which presents an AP with a captive portal from which to configure the Wifi network if the SSID has not been configured or is not available, or if its credential is not valid. Once the Internet connection is established, the current time is established through an NTP server.

An SHA204A authenticated request to the configured web service is made each time the FLASH button is pressed.

A simple Script in BASH can be used to test the connection to the web service; this simple script simulates the calculation of the signature the same way as the ATSHA204A would, and makes the web request.

The Shell Script, the Arduino code for the IoT module, and the PHP code of the web service are published in this Github space: https://github.com/latchdevel/crypto-iot

New tool: PinPatrol for Chrome. Something more than a plugin, a forensics toolThe Data Transparency Lab Conference 2016 kicks off tomorrow

LUCA and CARTO to work together bringing location to the next frontier of Big Data

AI of Things 2 November, 2016

The ability to derive actionable insights from analyzing Big Data is a huge component to success for any telecommunications company. Big Data is typically defined as having an inordinate amount of velocity, volume, and variety of data, which often contains a location element. Therefore, performing a holistic analysis requires location contextualization. We are now working with CARTO to do just that.

Figure 1: LUCA and CARTO’s alliance to provide location intelligence with a difference

Telefónica is collaborating with CARTO to add location intelligence to the wealth of data that Telefónica has access to. CARTO will work with Telefónica to develop new and integrated products within their newly announced Big Data business, LUCA. LUCA will enable Telefónica’s corporate clients to understand and derive value from their data, encouraging its transparent and responsible use.

One of the first examples of the partnership is this visualization showing international and national tourists attraction to Spain, which highlights tourism influx through visual-spatial representation (the more pronounced the point and line, the more tourists). The dashboard enables toggling between countries and temporal settings, which facilitates the descriptive analysis of nearly 90,000 records. Ultimately this data-driven analysis can lead to the simple prediction of when and where tourists are likely to come from in the future, providing valuable insights for businesses and public organizations.

Video: One of our Data Scientists shares a Tourism Visualization created in CARTO.

CARTO and Telefonica have a rich history of working together on other data-driven projects. For example, CARTO is used as an integrated intelligence layer to illuminate insights from Smart Steps’ aggregated behavioural data collected from anonymized mobile devices. The observation of behaviour based on billions of mobile interactions that occur daily enables analysis to be performed by transport operators, city planners, retailers, banking institutions, and marketers.

Telefónica’s development of the FIWARE connector for CARTO, has enabled many European Union cities to access CARTO’s visualization and analysis tools for sensor data, to promote the development of Smart Cities applications based on open standards and open source code.

In addition to this partnership and collaboration, CARTO is part of Open Future, which manages the portfolio of investments in startups and entrepreneurs made by Telefónica.

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 14.7px Calibri; -webkit-text-stroke: #000000}
span.s1 {font-kerning: none}

Video: What is Telefónica Open Future?

“We are delighted to be working with CARTO to develop new capabilities together to offer to our customers that will enable them to become data-driven companies” said Philip Douty, LUCA Director of Alliances and Strategic Partnerships, “we strongly believe that through working with Alliance Partners such as CARTO we will enrich and broaden the LUCA portfolio and increase its appeal to our clients”

“It is wonderful to have Telefónica as a loyal partner throughout the years,” says Miguel Arias, COO of CARTO. “From the very beginning, Telefónica has believed in our team and product with their initial investment through Kibo Ventures, an Amerigo ventures fund. In addition to having the continuous support and guidance of their corporate development team in finding new business opportunities within such a huge organization.”

Big Data for Social Good: How 6 billion mobile phones are social sensors to save livesFighting Fraud: The $3.7 trillion black hole facing today’s organizations

New tool: PinPatrol for Chrome. Something more than a plugin, a forensics tool

Florence Broderick 2 November, 2016

Back in July, we created a new tool for improving the experience using HSTS and HPKP in Firefox. Now it’s time for Chrome. It shows this information in a human readable way. PinPatrol for Chrome is very easy to use and it can provide useful information about the HSTS and HPKP data stored by your browser… or any other. Porting it to Chrome, it has become not just a Chrome extension, but a simple forensic tool for interpreting HPKP and HSTS data from any Chrome’s user.

Just as Firefox, Chrome stores HPKP and HSTS information in a clear text file. But their strategies are quite different. The main ones are that:

Chrome stores the information in a Json file.
Instead of storing it in cleartext, it hashes the domains in a standard format, so there is some “privacy” for the users.
It uses report_uri from HPKP protocol (Firefox does not yet).

The way the domains are hashed is documented. An example is here. This is the way a raw Json looks like:

Chrome offers an integrated way (chrome://net-internals/#hsts) to check some HSTS and HPKP values, but definitely it is not the best way to watch your domains.

There is another difference in the way Chrome works. Chrome does not allow extensions to get to your profile files, so you have to drag and drop yourself the file where the information is stored (%localappdata%GoogleChromeUser DataDefaultTransportSecurity in the case of Windows). We can think of this as an advantage to use this extension as a forensic tool.

Another interesting thing the tool tries, is to “un-hash” the domains. If there is a domain in your HSTS and HPKP domains repository, it means you have visited it. So it should be in your History files. What the tool tries is get to your history of domains visited and hash them. If this hash matches with some of the hashes in HSTS/HPKP, the tool “translates” it so it is un-hashed.

PinPatrol takes history domains visited, hashes and compares them against HSTS and HPKP hashed domains

But, why are there so many domains that are not un-hashed? Some reasons:

Your history has been deleted and the domain is not there, but still in the HSTS/HPKP repository.
Some visits to some domains with HSTS and HPKP are done “in the background” of a webpage, as part of its APIs, advertising system, etc. And these are not stored in the History.

Here is a very short video about how to use the tool.

The tool is available from the official Chrome Extensions Store:
https://chrome.google.com/webstore/detail/pinpatrol/jenmooahjheolakpacikdlloalfaihef/

We hope you find it useful.

ElevenPaths and Symantec plan a joint offer Security Solutions for IoT environmentsCryptographic Security in IoT (III)

Big Data for Social Good: How 6 billion mobile phones are social sensors to save lives

AI of Things 1 November, 2016

Attending One Young World as a returning ambassadorthis year as one of the 40-strong delegation was an absolute privilege. Taking part alongside young employees from hundreds of public and private sector organizations was an eye-opener into the differentprofessional, personal and political situations we face, depending on the country in which we work or study. One Young World 2016, which was held in Ottawa, is a summit thatbrings together the brightest young leaders from around the world,empowering them to make lasting connections to create positive change with technology. The conference was opened on Parliament Hill by JustinTrudeau (the Canadian Prime Minister) and speakers over the three daysincluded Kofi Annan, Sir Bob Geldof, Professor Muhammad Yunus and Emma Watson. As you can see below, former Telefónica UK CEO Ronan Dunne also gave a keynote on the role ofMillennials in socially responsible businesses:

This unique global get-together of young talent attracts over 1300 delegates from 196 countries and Telefónica sends one of the largest delegations, alongside Siemens, KPMG, PepsiCo, Unilever and ABInBev. 30 of the 1300 participants are selected by the OYW committee to givespeeches within the plenary sessions, which cover Human Rights, Environment,Peace and Security, Education, Health and Global Business. This year I was lucky enough to be selectedas one of the 5 Global Business speakers to give an insight on what we aredoing in Telefónica in the area of Big Data for Social Good and how Millennialintrapreneurs can drive change within companies..

Each delegate speaker was introduced by a “counselor” and I was fortunate enough thatmine was James Chen, a venture philanthropist and the founder of Clearly – a global organization whichbrings together some of the most creative and innovative minds in the world tosolve the challenge of helping the world to see by providing vision correction.Speaking alongside young professionals from Siemens, Deloitte,Barclays and Thomson Reuters, I gave a 5-minute speech, which you can see hereon the One Young World YouTube channel. My objective was to demonstrate how large corporations like Telefónicacan use their Big Data and technology (e.g. LUCA) to have a social impact,measuring progress on SustainableDevelopment Goals and helping governments and NGOs to deploy humanitarianresponse in a more efficient way

We also gave an internal “breakout session” to 120 delegates on thepower of networks in organizations, discussing how several ex-graduates inTelefónica founded the “MillennialNetwork”. After presenting how wemade this happen, attendees from companies such as Nestlé, BMW, UBS and Buhlerhave got in touch to see how we could work together in the future on socialprojects to have an impact in our communities. Inthe external “breakout session”, I was also lucky enough to attend a Q&Awith the Costa Rican ambassador to Canada where we discussed the effects ofclimate change and how young people and technology have a big role to play in changing behaviourand getting multinationals on board with the public sector. After that, I joined 20 Thai delegates fromthe Charoen Pokphand Group at the Thai ambassadors residence where we discussed the differences in how business is done inSouth East Asia vs. Europe.

Figure 2: Young employees from Telefónica and LUCA come together in Canada for One Young World.

Attending the summit this year wasan honor – and with this opportunity comes great responsibility. Telefónica is investing a great amount inyoung people and their development by being leaders in initiatives such as OneYoung World. This year’s agenda reallyopened my eyes on the world’s biggest issues including the refugeecrisis, climatechange and extremism, and I realized that as employees of one of the largesttelecommunications companies in the world, we are extremely well positioned to havean impact, doing well in our jobs but also doing good in our local and globalcommunities. We do not have to chooseone or the other, we can indeed “choose it all”.

By Florence Broderick, Strategic Marketing Manager at LUCA.

Telco Data Analytics: what’s next in Big Data for TelcosLUCA and CARTO to work together bringing location to the next frontier of Big Data

Telco Data Analytics: what’s next in Big Data for Telcos

Richard Benjamins 31 October, 2016

By Lora Mihova, Strategy Manager at LUCA and Richard Benjamins, Director External Positioning and Big Data for Social Good at LUCA.

The European version of Telco Data Analytics Conference took place on October 25 and 26 in Madrid. This annual event also takes places in the USA and this year there were approximately 100 participants from Operators, Vendors, Startups and OTTs. For the first time, Telefonica was the “host operator” of the event which was run by KNect 365.

Figure 1: TDA Europe, What’s next in Big Data for Telcos

Chema Alonso, Chief Data Officer of Telefonica, gave the opening keynote where he argued that taking data-driven decisions is now a must for all organizations, emphasizing the growing importance of security and privacy for any Big Data initiative.

Phil Douty, Director of Partnerships and Strategic Alliances of LUCA discussed the power of anonymized and aggregated telco data enabling the understanding of a representative cut of the population, which can be extrapolated flexibly to show real behaviours. Phil transparently talked about the learning curve for telcos in the Big Data business: it takes time, money and learnings from mistakes being
made. The accelerating pace of change in telco Data Analytics means that anyone
who is still learning now, will struggle to catch up.

Figure 2: Phil Douty discusses the power of anonymized ad aggregated telco – Photo by Lee Tucker

A panel discussion on how to create a first class Data Science team brought to bear that there are different types of data professionals including Data Engineers (Data Plumbing), Data Scientists (analytics) and data-savvy managers (turning insights into actions), and because those profiles are very hard to find in the market, training of existing employees is very important. It also became clear that creating a team of Data Scientists is not enough to ensure impact; the rest of the organization also needs to have the right “data-oriented culture” such that insights are put into action across the organization.

Another discussion, led by Dr. Sebastian Fisher, Data Scientist at Deutsche Telecom, reminded us that for machines to be truly intelligent, they must be able to perform Reasoning, Knowledge Representation, Planning, Natural Language Processing, Perception, and manifest General Intelligence. As on many events of Big Data nowadays, Artificial Intelligence is getting increasingly more attention.

Figure 3: Chema Alonso opening a session of TDA Europe

BigML, one of the companies present at the conference, is a startup whose mission is to make Machine Learning easy. BigML offers a tool with several Data Science algorithms so that non-data scientists can execute clustering or predictive algorithms on (quality) data. BigML won the Partnership Award for its collaboration with Teléfonica Open Future_ in creating PreSeries, which uses BigML’s algorithms to predict which startups will be successful; a truly data-driven approach!

Another question which was discussed on the IOT analytics panel was: if you had $100 million to invest in IoT, what would you invest in? All panel members agreed that part should be invested in security: when everything (people and things) are connected to the Internet, the risk for abuse and disasters increases significantly. Several studies have shown that security in IoT requires more attention. Another suggestion was to invest in “innovation at the edge”, that is, to invest some of the money in IoT-related startups so that the projects are not hindered by the rules of large organizations, which can hinder progress. Finally, for IoT Analytics to really take of, thriving ecosystems are fundamental, probably around a few main platforms in the world that will host a large share of the IoT data available. Such platforms would then give secure and “permissioned” access to data to developers, startups and businesses in order to create value.

The last topic which was discussed was Big Data for Social Good, explaining how Big Data, and more specifically telco data, can help measure progress on the 17 Sustainable Development Goals of the United Nations. More details can be read in this post.

Can Big Data reshape the Outdoor Media sector?Big Data for Social Good: How 6 billion mobile phones are social sensors to save lives

ElevenPaths and Symantec plan a joint offer Security Solutions for IoT environments

Florence Broderick 31 October, 2016

ElevenPaths collaborates with Symantec as technology provider for its Security certificate service for IoT.

Madrid, October 31 2016.- ElevenPaths, Telefónica Cyber Security Unit, announce our intends to collaborate with Symantec, as a global cybersecurity leader, on integrating Symantec Managed PKI Service in order to protect IoT environments against cyberattacks.

In the Internet of Things millions of different devices are interconnected in an open digital environment and need to communicate securely at all times in order to preserve the trustworthiness of the IoT applications. Identity and Authentication is a cornerstone of building such trust, therefore Telefonica is developing ways to securely and indisputably identify those devices and secure the data transmitted among them.

That is, as in the physical world our ID card or passport identify us as people, in the context of the IoT Telefónica is in the process of developing its Trusted Public Key Infrastructure service, and will be relying on best- in-class Symantec Managed PKI Certificate Technology to ensure that the connected devices are exactly what they claim to be and that code running on IoT devices is authorized.

The high-volume, high-performance managed certificate service Symantec offers will allow Telefónica to embed certificates on hardware or issue them in real time as required for their specific use case. These code signing certificates and cloud based signing-as-a-service will be part of Telefonica’s comprehensive offer for IoT environment.

With the new technology incorporated by Telefónica companies that require large-scale IoT deployments will be able to manage certificates’ lifecycle for auto enrollment, renew and revoke the certificates to secure the communication and provide mutual identification, encrypt communications end-to-end and guarantee the integrity and traceability of the transactions.

Trusted Public Key infrastructure service is integrated with other security and IoT managed connecting as smart M2M and is part of IoT Security solutions currently on offer by Telefónica: such CyberThreats, capable of detecting and identifying the modus operandi of the cybercriminals and the methods used in attacks against IoT infrastructure; and Faast IoT technology specialised in detecting and analyzing vulnerabilities in IoT ecosystems.

ElevenPaths and Symantec intend their future collaboration to deliver on 4 key cornerstones that are drivers for the IoT and its security: the protection of communications, securing the identity and authentication of the IoT devices, the protection of devices themselves, including host-based protection and reputation based security, the management of the devices including OTA management, and the understanding of the IoT environment, through security analytics helping flag any anomaly.

» Download press release

More information:

www.elevenpaths.com

Now you can use Latch with Dropbox, Facebook and others digital servicesNew tool: PinPatrol for Chrome. Something more than a plugin, a forensics tool

Now you can use Latch with Dropbox, Facebook and others digital services

Florence Broderick 29 October, 2016

Many of you have asked us which services you can use Latch with, regretting that so far it could not be used in the more common services, such as Dropbox, Facebook or even Google itself. Well, the new version of Latch comes with a new functionality that will allow you to use Latch to protect your accounts in these and many other services. Now available for Android and Windows Phone, and coming soon the iPhone version.

What is this functionality about?
This new feature implements the TOTP protocol (Time-Based One Time Password), which generates a password valid for a period of time. This password may be requested to users by the services that support it (including the above) as a second factor authentication if the user specified so in the configuration. Thus, users of these services will receive this temporary code in the Latch application installed on their mobile phone, and use it as a second factor authentication (after having been authenticated with their user name and password) to access the services.

What’s new?
Apps already existing in the market for this purpose generate TOTPs associated with the mobile device so that if the user has a problem with it, such as loss or theft, or if they simply have to reset factory data for some reason, they will need to match the services protected with this second factor authentication with the application they use.

In Latch, we have created what we call Cloud TOTP, which consists in, instead of associating the TOTPs with the mobile device, associating them with the Latch account, thus simplifying the recovery process in case of loss of the device.

How can I use it?
To start using this new functionality, you just need to follow these steps:

First, create a Latch account and install the Latch app on your mobile device.
Then, go to the configuration of the service you want to protect with second factor authentication and enable it. If we take Dropbox as an example, you have to go to the Settings -> Security section, look for the “Two-step verification”, and enable it as shown below, after which you will be guided through a series of screens. When asked how you want to receive security codes, select “Use a mobile app”.

Image 1. Enabling the two-step verification in Dropbox

• Finally, add the new service to Latch capturing the QR code provided by Dropbox following the steps in the Latch app, as shown below.

Image 2. Dropbox QR Code

Image 3. Capturing the QR code with Latch

>>Stay tuned! We´ll post video tutorials using Cloud TOTP with services as Dropbox, GitHub, Facebook, Google, etc.

Find out much more about Latch!

Cryptographic Security in IoT (II)ElevenPaths and Symantec plan a joint offer Security Solutions for IoT environments

Cryptographic Security in IoT (II)

Florence Broderick 28 October, 2016

Crypto-Authentication

Given Atmel’s long history of developing security elements with cryptographic abilities, such as TPM modules, microcontrollers for SmartCards, cryptographic accelerators, crypto-memories, comparators, etc. it is only natural that the IoT ecosystem begin to integrate its Crypto-Authenticators to add cryptographic abilities. These have three different available variants:

SHA204A: simple authenticator based on MAC/HMAC-SHA-256.
AES132A: authenticator and cipher based on the AES/CCM symmetric algorithm with 128-bit keys.
ECCx08A: authenticator and cipher based on ECDSA and ECDH elliptic curve asymmetric algorithms, with 256-bit keys.

Their physical characteristics are practically identical and are therefore compatible and interchangeable. Choosing one or the other will be determined by the needs of the device storing them, and though they incorporate numerous characteristics of some complexity, it is possible to use their basic functions easily.

They can be used as highly versatile cryptographic security elements: from simple device authentication, mutual or reciprocal authentication, session key negotiation for integral encryption of a communication, code or data authenticity verification during secure start-up (SecureBoot) or remote firmware updating (OTA), etc. All this for less than 1 euro. If we meet the program’s requirements for “samples”, Atmel sends free samples at no extra cost.

I2C Bus

Different small sized formats are produced, all of which are surface-mounted. Though there is a version with only three pins that uses an SWI communication protocol, which for a time was sold by Sparkfun on a mini board, the 8-pin encapsulations are the most common, with SOIC-8 being the most manageable. For the evaluation and testing stages, using a DIP-8 adaptor is advised; there are different types, including the most popular GROVE modules, and you can even make your own.

Only four of its pins are in use. Two for its flexible power supply, of extremely low consumption, which can vary from 2.0 to 5.5 watts; two for the I2C bus, which enables connection to microcontrollers such as the popular Arduino, and even desktop systems and servers by means of adaptors, generally USB types.

The I2C bus is a standard for serial communication, widely used in the industry to interconnect integrated circuits. It uses two lines to transmit information: a data line (SDA) and a clock line (SCL), both with ground reference (GND).

In systems such as BeagleBone and Raspberry PI, the I2C is easily accessible both physically, as it is exposed, and logically, through numerous tools available in GNU/Linux.

If we want to use a conventional system, either Windows, Linux or Mac, that does not have an accessible I2C bus, the most simple option is to use an I2C USB adaptor. There are commercial ones, however it is possible to build your own thanks to the i2c-tiny-usb standard driver, which allows any system to use an Atmel ATtiny 45/85 microcontroller by way of interface USB to I2C. Only a few brave people dare to use the I2C bus present in the connector of video cards, even though it is technically possible. Although it doesn’t provide the same functionality, it is also possible to use firmware that uses the LUFA library in any compatible Atmel microcontroller, for example the ATmega32u4 from Arduino Leonardo, creating a “Serial to I2C” interface, which is accessible from Python, for example. With the USB adaptors included in the official Atmel development kits, the Microsoft Word tools that are included for free can be used.

Communication in the I2C bus is conducted in a “master-slave” manner. The master initiates the dialogue, obtaining a response from the slaves that are identified by their 7-bit I2C address. This address comes factory ready, though many devices have mechanisms to modify it, allowing several similar devices to connect to the same I2C bus.

The “host” systems can only be masters of the I2C bus, with the majority of I2C devices being slaves. Some microcontrollers, for example those used in Arduino, can be programmed to behave as masters or as slaves, though it is most common for them to act as masters.

Through the “i2cdetect” command in Linux, or with a simple sketch in Arduino, the I2C bus can be scanned to detect connected slave devices.

In this scanning example, performed in either Linux, with an “i2c-tiny-usb” adaptor, or in Arduino, the real I2C addresses (in 7-bit format) for the crypto-devices connected to the bus can be obtained. Many manufacturers, Atmel included, usually indicate the I2C addresses in 8-bit format in their specifications, which can result in some confusion.

Open Source libraries
Together with detailed documentation, Atmel facilitates open source libraries for cryptographic device management from their line of micro-controllers and SoCs.

From these libraries, adaptations to different environments began to appear, once again emphasising Josh Datko’s work which, from Cryptotronix, facilitates numerous examples for both Linux and Arduino.

The Atmel SHA204A Linux driver, called Hashlet, particularly stands out, and has served as a starting point for many other developments.

There are different adaptations for the Arduino platform, each of which has its pros and cons, so a choice must be made to find the one that adapts best to each particular need.

Atmel SHA204A

The Atmel SHA204A is one of the simplest and most easy to use cryptographic devices, though it has a wide variety of functions in relation to its relative complexity.

Its functioning is based on the computing of SHA-256 summaries, used to generate MAC/HMAC (Message Authentication Code) from internally stored keys. It has 16 slots to store keys that are 256 bits (32 bytes) in length, and can, in turn, have different access and usage configurations, defined when personalising the device. Together with an 88 byte configuration zone and an OTP (One Time Programmable) zone that is 64 bytes in length.

It has a random number generator, with which it implements challenge-response operations without exposing keys (MAC, CheckMac, GenDig). Supporting “Key Rolling” mechanisms (DeriveKey). It is unequivocally identified by an unmodifiable, factory-defined 72 bit serial number (SN).

It has an abundance of official documentation which is available on the internet, as well as a large number of examples developed by the Open Source community. Though it implements 14 commands, it is possible to make complete functional use of it with only two of them, as we will see next.

Personalisation

Before being able to use any cryptographic device, it is necessary to establish its unique keys and configuration options, and to lock the configuration and OTP zones. This process is known as “personalisation“, and is irreversible; once this has been performed, there is no possibility of turning back, the established parameters will remain unchangeable.

ATSHA204A personalisation is easily performed through Linux by using the Cryptotronix “hashlet”, as described in the documentation. Once the personalisation command has been executed, the unique keys will be defined and configured in the following manner:

If you have an official Atmel development kit, it is possible to perform the personalisation process from the incorporated tools, but, in any event, it is essential to follow the manufacturer’s indications.

Stay tuned! In the following post about Cryptographic security in IoT, we will take a look at how the HMAC calculation works in technical terms in ATSHA204A. And as a proof of concept (PoC), we will implement the practical use case of an IoT device that must be robustly authenticated by a web service and using cryptographic hardware.

ElevenPaths acquires Shadow technology from GradiantNow you can use Latch with Dropbox, Facebook and others digital services

Can Big Data reshape the Outdoor Media sector?

AI of Things 26 October, 2016

Out-of-home (OOH) adspend in the UK rose to £1 billion 2014, and is predicted to grow by 4.8% in 2016 according to a recent report. To ensure they benefit from this growth, Outdoor Media players are looking to embrace top technological trends such as Big Data and the Internet of Things, allowing them to sell audiences: moving from panels to people.

At the same time, global spend for programmatic digital display advertising is estimated to reach $53 billion by 2018 and OOH will play a big part in that growth. So what does this shift closer towards near real-time mean when it comes to data? How can leading companies in the sector adapt their data strategy to get closer to their audiences and communicate in the most digital way possible? How do they propel themselves from the realms of traditional Business Intelligence into the world of Big Data?

As well as more traditional data sources such as surveys and panels, the mobile phone and its corresponding mobile event data offers a unique opportunity to organisations who want to understand their users (or audiences) better, with 90% of people keeping their phone within 1 metre reach, 24 hours day. Using anonymized and aggregated data, our Smart Steps solution allows OOH decision makers to understand their audiences by converting mobile event data into actionable insights to help them bring more value to their customers, enabling them to sell inventory in a more data-driven way.

Figure 2: Insights provided by our Smart Steps solution

In the UK, our team of expert Data Scientists and Data Engineers use the Smart Steps platform to process and analyze over 4 billion mobile data events per day, providing extrapolated data so that our insights represent the entire population – giving an accurate picture of the behaviour of users in the area of study to a range of clients in different sectors.

Recently, our team have been working with Exterion Media, the largest privately owned Outdoor Media company in Europe. Exterion’s data strategy team were keen to move from static and modelled information to more dynamic, mobile-based audience-led data.

To do this, we have worked together to develop a world-class analytics tool which is on the desktops of all of Exterion’s sales team. This software empowers them to optimize their sales to clients demonstrating insights on how their audiences travel throughout the London Underground network, showing them where they can find them and when they can find them – which is particularly relevant for retail clients who want to drive footfall, targeting their audience at the right time in the right place.

Figure 3: Our Smart Steps Insights Viewer

Data Strategy Director Mick Ridley said: “this has really given us the opportunity to speak confidently about our audiences and how we engage with our media throughout the day, giving clients the ability to target more effectively.” For the full interview, visit our YouTube channel here:

To accelerate our digital transformation, expanding and diversifying our data sources in all industries is fundamental. This groundbreaking project with Exterion clearly shows their commitment to being a data-driven company, leading innovation in their space to bring even greater benefits to their customers.

Are you interested in how our mobile insight products could help you disrupt your sector? Drop us an email here to start your Big Data journey.

Big Data Week 2016: Forget Big Data, Artificial Intelligence is the new kid on the blockTelco Data Analytics: what’s next in Big Data for Telcos

ElevenPaths acquires Shadow technology from Gradiant

Florence Broderick 26 October, 2016

Chema Alonso (Chief Data Officer of Telefónica and Chairman of ElevenPaths) announced during Security Innovation Day 2016, the purchase of the Gradiant’s solution for document security, SHADOW.

The acquisition is one of the first derivatives of the recent agreement signed between Gradiant and ElevenPaths, the cybersecurity division of Telefonica worldwide. Both parties also stated that this acquisition is only the first step in what they hope will be a long history of mutual successes.

What is SHADOW?

More than half of the companies worldwide (54%, according to data from 2013 Nielsen Report) have had at some point losses or leaks of sensitive information. Despite the security measures currently available (DMS, access control mechanisms, firewalls), there are still security holes.

The strongest chain always break at the weakest link. And in documents security, that weak link is -very often- equal to the human factor.

The leaks of confidential documents, depending on their origin, leads to sensationalist or damaging public disclosures for companies victims of such leaks. In other cases, such information although not made public, ends up getting to competitors, or even worse, criminals.

The damages caused by leaks of documents are very visible, and almost always very serious. They can be financial, reputational or in competitiveness.

SHADOW is an automated tool that allows the traceability of documents by using techniques of digital watermarking. Shadow provides evidences in the event that confidential information leaks happen, helping to identify those responsible for the infringements. Converts each copy of a document through the insertion of invisible water marks. In this way, SHADOW ensures that each copy is unique and at the same time, virtually identical to the original document. This watermark -hidden information that identifies the owner or the recipient of the document- is resistant to distortions, such as those produced in the printing process or the scanning of documents.

It works as a deterrent against information leaks: it is perfect for hiding information on the origin and destination of confidential documents in order to identify those responsible if a leak occurs, once the documents are outside the trusted area for which they were created.

It also provides automatic classification of scanned documents: adding information about the contents of the documents, SHADOW can perform automatic classification.

It is a 100% compatible software solution with any printer or scanner devices. Ensures traceability in text documents, both digital and printed formats. The information associated with the watermark is fully configurable, being possible to establish a link to the document owner, to its receptor, or to the date and time when the document was printed. To retrieve that information afterwards, it is not necessary to be in possession of the original document.

In addition, SHADOW is resistant to distortions, printing and scanning, and is able to recover all the hidden information even from incomplete, broken, wrinkled or stained documents.

SHADOW family

SHADOW FILES: web platform that allows secure sharing fo documents. The platform allows sending documents to recipients previously registered in the system. Each recipient receives a single copy of the document containing hidden information that links the copy to the intended recipient.

SHADOW PRINT: Virtual Print Driver for Windows that allows automatic watermarking as soon as a document is sent to any printer. The printed document includes hidden information about the user account from which it is printed.

SHADOW READER: Tool for extracting information from the document’s watermark.

SHADOW MOBILE: Mobile application for extracting information from the document’s watermark.(available for iOS and Android).

The 6 challenges of Big Data for Social GoodCryptographic Security in IoT (II)