On March 4th, NEC announced that it has succeeded in enabling verification of the authenticity of computer hardware configurations and software in their normal state using "Remote Verification Platform," which enables the remote detection of computer device tampering. The company began applying this remote verification platform to its "Express5800 series" IA servers in April of this year, and will continue to apply it to its various ICT devices going forward. The Trusted Computing Group (TCG), an industrial group that establishes international industry standards to enhance the reliability and security of computer equipment, held an Open Workshop in February of this year, in which they provided the platform, which enables remote detection of tampering with computer equipment, as a cybersecurity measure in the supply chain. This system was used to remotely verify the operation of various computer devices, including servers, laptops, and IoT devices, of the companies and universities participating in this Open Workshop. The normal state of the hardware configuration and software of those computers was successfully confirmed. This is the first successful remote authenticity verification by a Japanese organization in a multivendor environment with equipment obtained from multiple manufacturers.
This remote verification platform is a security technology that implements the concept of Remote Attestation Procedures (RATS), which is being standardized by the Internet Engineering Task Force (IETF), an international voluntary organization that standardizes technologies used on the Internet, and was developed by the company's Defense Business Division and Cyber Defense Institute, Inc. (https://www.cyberdefense.jp/en.html) The platform uses hardware security technology named TPM (security module that provides secure key management and encryption functions), which has been specified and standardized by TCG, to securely manage computer equipment on the system, irrespective of the manufacturer. Platform certificates (device configuration certificates standardized by TCG) embedded with hardware and software information that serve as the basis of trust are stored in TPMs embedded in servers, laptops, and IoT devices. Simultaneously, the same information is registered in the verification system as the correct data (correct values) for the shipment.
By comparing the information in the platform certificate with the correct values pre-registered in the verification system in a system built after shipment, the system can verify the status of each step until the OS is booted and detect tampering. The system remotely checks the health of the entire configuration at the hardware level, making it extremely difficult to tamper with computer equipment. The authenticity of each computer device in the entire system can be automatically checked. This protects the entire system from threat risks that occur in the supply chain, including during production, especially from the infiltration of firmware-level malware and unauthorized hardware. Furthermore, by combining this remote verification platform with biometrics and other mechanisms, the company aims to achieve "zero-trust access," a system that does not place the same level of trust on all devices, applications, or users. Instead, it strictly analyzes each access request and decides whether to grant or deny access, thereby enhancing security. This will enhance protection against cyber attacks and reduce the cost of countermeasures to the Cyber Kill Chain (a series of steps that an attacker performs against a target in a cyber attack) compared to conventional methods. The company has already successfully conducted an in-house verification test and has begun offering proposals to some companies in advance.
This article has been translated by JST with permission from The Science News Ltd. (https://sci-news.co.jp/). Unauthorized reproduction of the article and photographs is prohibited.