
EETE JUNE 2013

Data Security

To provide restrictions to specific page elements, such as removing tabs or disabling links, the only option is to use an agent on the device, alongside the browser – see figure 2.

Agent-based browsers

The agent-based approach not only allows highly granular control over access to individual page elements but also enables control over access to browser functions such as Print, Copy, Save As and View Source. It supports the option to take a screenshot of the browser content to provide a visual audit trail for compliance, eDiscovery and forensics.

This approach can force users to always access applications via the agent. Whilst proxies can be bypassed if accessing applications outside of the corporate network, agents always require the user to authenticate to the agent first before accessing browser-based resources. This enables the delivery of single sign-on (SSO) across a wide range of devices, not just those known to, or owned by, the enterprise.

The Cloud Application Manager interacts with existing enterprise directories to permit or restrict access to Web application features, according to employees’ roles. An intuitive dashboard shows CIOs and IT Managers exactly how employees are interacting with Web applications and associated corporate data, regardless of whether employees are working on company or personally-owned devices. Detailed analytics provide managers with a complete overview of Web application use, with the ability to drill down into reports for additional information. Activities that could compromise compliance with EU GDPR, PCI DSS or HIPAA Omnibus, such as exporting customer lists or attaching sensitive files to Webmail, are tracked and clearly displayed, to enable organisations to prove that data access was appropriately governed.
Ensuring IP protection at system level to prevent embedded software cloning

By Min Wei Ang

In today’s chip business, one increasingly common market model involves an Original Equipment Manufacturer (OEM) buying microcontrollers from a chip supplier and then engaging an Independent Design House (IDH) to develop custom embedded software (Intellectual Property – IP) for the chips used in the end product. The OEM pays royalties to the IDH depending on the volume of the end products that are using the IP. The OEM further engages an external programmer house to program the chips with the IP.

Such a model, illustrated in figure 1, carries some risks to the OEM and the IDH. For example, the IP could be leaked through grey channels to a pirate production plant and used to produce software clones. Also, since the volume of end product is not visible to the IDH, a less fair-minded OEM may attempt to pay less in royalties by under-declaring the IP usage.

Infineon’s XMC1000 microcontroller family addresses such risks by offering an IP protection option. The IDH is given the tools to encrypt the IP using the Advanced Encryption Standard (AES) with a 128-bit key, and the resulting encrypted IP can only be downloaded into authorized devices, where it is decrypted and programmed into the devices’ Flash memory. This ensures that the IP is always transported in its encrypted form until it is downloaded into the device. The IDH also has the means to keep track of the number of end products that would be using the IP.

Fundamental building blocks

Such an IP protection scheme requires three basic building blocks: the XMC1000 device with Secure Loader, a software encryption tool and a programming tool supporting Secure Loader – see figure 2.

The Secure Loader is a start-up mode and feature, introduced in XMC1000, to process 128-bit AES encrypted data. Based on a defined protocol and command set, the Secure Loader is able to receive the encrypted data, decrypt the data within the device and program the data into the Flash memory. Devices with the Secure Loader feature are grouped based on a pre-defined number of devices, termed a batch, and each batch of devices is assigned a unique identifier called the SBSL ID.

The PC-based software encryption tool is used to encrypt the IP with 128-bit key AES (the IP Key) and to embed in the final output file information identifying the SBSL ID of the target device. This can be performed only after the encryption tool has received the IP, the IP Key and the SBSL ID of the target device. The IP Key is generated from an Infineon smart card interfaced to the encryption tool through a PC/SC card reader. Both the encryption tool and the smart card are provided by Infineon to the IDH.

A programming tool supporting Secure Loader is required to interface to the target device. When connected to a device, the programming tool sends a command to read the SBSL ID from the device and, based on this SBSL ID, retrieves the matching output file containing the encrypted IP. The programming tool is also used to send the command to initiate the download of encrypted data and the subsequent programming of the IP into the device.

Min Wei Ang is application and concept engineer at Infineon located in Singapore. He has more than 10 years of experience with embedded applications – www.infineon.com

Fig. 1: Market model and possible risks.

Electronic Engineering Times Europe June 2013 www.electronics-eetimes.com
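The programming-tool flow described under "Fundamental building blocks", sketched as an added example that is not Infineon's code or file format: the tool reads the SBSL ID, sends only the output file built for that batch, and keeps a per-batch count the IDH can compare with declared volumes. The container layout (magic, 32-bit SBSL ID, length), the stub device and all names are assumptions; the ciphertext is opaque to the tool, which never holds the IP Key.

```python
import struct
from collections import Counter

MAGIC = b"XIPF"  # hypothetical container magic, not an Infineon file format

def pack_output_file(sbsl_id, encrypted_ip):
    """Encryption-tool side: prefix the ciphertext with the target SBSL ID."""
    return MAGIC + struct.pack(">IH", sbsl_id, len(encrypted_ip)) + encrypted_ip

def parse_output_file(blob):
    """Return (sbsl_id, ciphertext); reject malformed or truncated files."""
    if len(blob) < 10 or blob[:4] != MAGIC:
        raise ValueError("not an encrypted-IP output file")
    sbsl_id, length = struct.unpack(">IH", blob[4:10])
    payload = blob[10:]
    # Assumption: block-aligned ciphertext (the AES block size is 16 bytes).
    if len(payload) != length or length == 0 or length % 16:
        raise ValueError("truncated or misaligned ciphertext")
    return sbsl_id, payload

class StubDevice:
    """Stand-in for a target in Secure Loader mode (constructed for this example)."""
    def __init__(self, sbsl_id):
        self.sbsl_id, self.received = sbsl_id, None
    def read_sbsl_id(self):
        return self.sbsl_id
    def download(self, ciphertext):
        self.received = ciphertext  # decryption would happen inside the device

class ProgrammingTool:
    def __init__(self, output_files):
        self.images = dict(parse_output_file(b) for b in output_files)
        self.programmed = Counter()  # per-batch count for royalty reconciliation

    def program(self, device):
        sbsl_id = device.read_sbsl_id()
        ciphertext = self.images.get(sbsl_id)
        if ciphertext is None:
            return False  # no output file for this batch: nothing is sent
        device.download(ciphertext)
        self.programmed[sbsl_id] += 1
        return True

def demo():
    # Constructed sample data: 32 bytes standing in for AES ciphertext.
    tool = ProgrammingTool([pack_output_file(0x1001, bytes(range(32)))])
    devices = [StubDevice(0x1001), StubDevice(0x1001), StubDevice(0x2002)]
    results = [tool.program(d) for d in devices]
    return results, dict(tool.programmed)
```

The third stub device reports an SBSL ID with no matching output file, so the tool sends it nothing and the count for batch 0x1001 stays at two.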

