Device Identity as Yet Untold

%FWJDF*EFOUJUZ:FU6OUPME ΤϯλʔϓϥΠζɾηΩϡϦςΟͱσόΠε*EFOUJUZ

“時代の変化に伴い、(中略) 周辺の技術・ビジネスも⼤きく変化” IUUQTXXXPQFOJEPSKQTVNNJU

*EFOUJUZ'PS&OUFSQSJTF4FDVSJUZ NJO %FWJDF*EFOUJUZ.BOBHFNFOU NJO $IBMMFOHFT
NJO $PODMVTJPO NJO ໨࣍

*EFOUJUZ'PS &OUFSQSJTF4FDVSJUZ

Ϗδωεͷ มԽ ओ࣠Λ&OUJUZʹͨ͠ ΤϯλʔϓϥΠζ ηΩϡϦςΟઃܭ ͷมԽ ڴҖͷ มԽ

Ϗδωε؀ڥͷมԽ

業務データの分散 σʔλ ॏཁͳ σʔλ ॏཁͳ σʔλ ۀ຿ ΞϓϦ ۀ຿ ΞϓϦ
ॏཁͳ σʔλ ॏཁͳ σʔλ جװ σʔλ جװ σʔλ ॏཁͳσʔλ 0Oαʔόʔ σʔλ PO ֎෦αʔϏε σʔλ 0O୺຤ σʔλ PO جװγεςϜ

ڥքͷ࠷దԽ ॏཁͳσʔλ 0Oαʔόʔ σʔλ PO ֎෦αʔϏε σʔλ 0O୺຤ σʔλ PO
جװγεςϜ

業務データの分散の多様化に伴う技術標準

ڴҖͷมԽ

71/τϯωϧ ॏཁͳσʔλ 0Oαʔόʔ ॏཁͳσʔλ 0Oαʔόʔ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ۀ຿Ξ
ϓϦ ۀ຿Ξ ϓϦ ॏཁͳσʔλ 0Oαʔόʔ σʔλ PO ֎෦αʔϏε σʔλ 0O୺຤ σʔλ PO جװγεςϜ ڴҖͷ഑ૹख๏ͷଟ༷Խ

࣌ؒܦաʹΑΔ৴པੑͷ௿Լ ॏཁͳσʔλ 0O σʔλ ॏཁͳσʔλ 0Oαʔόʔ σʔλ

ηΩϡϦςΟઃܭͷมԽ

࣮૷ͷมԽ ॏཁͳσʔλ 0Oαʔόʔ σʔλ PO ֎෦αʔϏε σʔλ 0O୺຤ σʔλ PO
جװγεςϜ w ΤϯςΟςΟݕূͱ૊Έ߹Θͤʮ*EFOUJUZ$FOUSJDʯ ʮ"MXBZT7FSJGZʯ w ࠷খݖݶͷݪଇʮ-FBTU1SJWJMFHF"DDFTTʯ w ৵֐ͷ૝ఆͱ෧͡ࠐΊʮ#SFBDI$POUBJONFOUʯ

ຊ೔ͷϑΥʔΧε ॏཁͳσʔλ 0Oαʔόʔ σʔλ PO ֎෦αʔϏε σʔλ 0O୺຤ σʔλ PO
جװγεςϜ ͪ͜Β͸ྑ͘࿩͞ΕΔ

ຊ೔ͷϑΥʔΧε ॏཁͳσʔλ 0Oαʔόʔ σʔλ PO ֎෦αʔϏε σʔλ 0O୺຤ σʔλ PO
جװγεςϜ σόΠε*EFOUJUZ *O&OUFSQSJTF

*NQMFNFOUBUJPOPG%FWJDF*EFOUJUZ.BOBHFNFOU %FWJDF*EFOUJUZ*O3FBM-JGF $IBMMFOHFJO%FWJDF*EFOUJUZ ,FZ5BLFBXBZ

!LFOTDBM ,FOHP4V[VLJ $BSFFS 4FDVSJUZ7FOEPSʢ.44ʣ 'JOUFDI4UBSUVQY
8PSLT 4FDVSJUZ *OGP4ZTUFN 43& 'PDVT %JHJUBM*EFOUJUZ #MPDLDIBJO 8IPBN* 09:44~10:00

%FWJDF*EFOUJUZ.HNU

*40*&$"GSBNFXPSLGPSJEFOUJUZ NBOBHFNFOU 8IJDIQBSUPG%FWJDF*EFOUJUZ.HNU IUUQTTUBOEBSETJTPPSHJUUG1VCMJDMZ"WBJMBCMF4UBOEBSETJOEFYIUNM*40*&D

IUUQTTUBOEBSETJTPPSHJUUG1VCMJDMZ"WBJMBCMF4UBOEBSETJOEFYIUNM*40*&D -JGFDZDMF

IUUQTTUBOEBSETJTPPSHJUUG1VCMJDMZ"WBJMBCMF4UBOEBSETJOEFYIUNM*40*&D w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w
BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF *EFOUJUZ3FHJTUFS *OWFOUPSZ

lUIFDSFBUJPOPGPOFPSNPSFJEFOUJUJFTGPSUIFFOUJUZz UZQJDBMMZDPNQSJTFTUIFDPMMFDUJPOBOEWBMJEBUJPOPG JEFOUJUZJOGPSNBUJPO &OSPMMNFOU IUUQTTUBOEBSETJTPPSHJUUG1VCMJDMZ"WBJMBCMF4UBOEBSETJOEFYIUNM*40*&$

IUUQTTUBOEBSETJTPPSHJUUG1VCMJDMZ"WBJMBCMF4UBOEBSETJOEFYIUNM*40*&D w 3FHJTUSBUJPO w *EFOUJUZ1SPPpOH

4JNQMF3FHJTUSBUJPO %FWJDF7FOEPS *5BENJO 1VSDIBTF FOSPMM SFHJTUSBUJPO %FMJWFS w BUUSJCVUF
w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF

#FUUFS3FHJTUSBUJPO1SPDFTT 7FOEPS 1VSDIBTF FOSPMM SFHJTUSBUJPO %FMJWFS w BUUSJCVUF w
BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF *OJUJBM#PPU 3FHJTUSBUJPO 4FSWJDF OPUJGZ

&YBNQMFT

⾒出し IUUQTXXXKBNGDPNCMPHBQQMFEFWJDFFOSPMMNFOUQSPHSBNBQQMFJUJOOPWBUJPO Registration in Mac (DEP)

Registration in Microsoft (Autopilot) IUUQTNZJHOJUFUFDIDPNNVOJUZNJDSPTPGUDPNTFTTJPOT

*EFOUJUZ1SPPpOH %FWJDF7FOEPS *5BENJO 1VSDIBTF FOSPMM SFHJTUSBUJPO %FMJWFS w BUUSJCVUF
w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF 1SPPG*EFOUJUZBUIFSF

*EFOUJUZ"TTVSBODF-FWFM *"- JO/*4541 FOUJUZͷΞΠσϯςΟςΟ৘ใ͕ਖ਼͔֬ *EFOUJUZ1SPPpOH3FRVJSFNFOU

51. NBZCF5&& - セキュアな暗号プロセッサーの国際標準 - ブート時のソフトウェア監査(pltaform integrity) -
機密データの保管、暗号鍵の管理

51. NBZCF5&&

&OEPSTFNFOU,FZ SPPUPG5SVTU OFWFSMFBWFT51. *EFOUJGZVOJRVF51. 51.BOE&OEPSTFNFOU,FZ

&YBNQMFJO.JDSPTPGU

IUUQTEPDTNJDSPTPGUDPNKBKQB[VSFJPUEQTDPODFQUTUQNBUUFTUBUJPO

/*4541BIUUQTQBHFTOJTUHPWTQBIUNM

/*4541BIUUQTQBHFTOJTUHPWTQBIUNM *5BENJO0S 1SPWJTJPOJOH4FSWJDF

/*4541BIUUQTQBHFTOJTUHPWTQBIUNM *5BENJO0S 1SPWJTJPOJOH4FSWJDF &OEPSTFNFOU 1VCMJD,FZ

/*4541BIUUQTQBHFTOJTUHPWTQBIUNM *5BENJO0S 1SPWJTJPOJOH4FSWJDF $PNQBSFQSFSFHJTUFSFE QVCLFZTJHOFECZWFOEPS &OEPSTFNFOU 1VCMJD,FZ 7BMJEBUFEVTJOH QVCLFZDFSUJpDBUF

/*4541BIUUQTQBHFTOJTUHPWTQBIUNM *5BENJO0S 1SPWJTJPOJOH4FSWJDF $IBMMFOHFBOE3FTQPOTF &OEPSTFNFOU 1VCMJD,FZ $IBMMFOHFBOE3FTQPOTF

<?xml version="1.0"?> <HardwareReport> <HardwareInventory> (தུ) <p n="TPMVersion" v="TPM- Version:2.0 -Level:0-Revision:1.16-VendorID:'MSFT'-
Firmware:538247443.1394722" /> <p n="TPM EkPub" v="s7+hJsgnlFQ+Jf4O7WZEh9AcZcJ9EXIBGeUSkzRXDkrSt2UBJ0P 1FmA8V8PTp/ TbY3dmn5IG1Z2spHlrGmu1AshGHlZyIMFPUeMN91/+mM3lqWsHOrOM HjGvZrdMCJxi3sXAqs16bo5BFoNWXHXZyCwWQ3204chGlOzm309hKV +l90t7ciqzfpaA2D7UcyYy8xHm0qbuI1pNaHYkP5mmdyKn5eoHtpNT Y0zjVf+ZtZIJ6N2/ VydcZ5olmSG2BRe5xxZhbYILkprzyit5ayPXmUlTYm5MV6zbuZYMeU 0hu4HetDAL6G0XZQz+UH/ufuvEBCe44Q/uz2UdXlgQ0cfpTQ==" /> (தུ) https://www.anoopcnair.com/windows-autopilot-behind-the-scenes-secrets/ .JDSPTPGU*OUVOF"VUPQJMPU

&YBNQMFJO"QQMF

/PUFYBDUMZ51.CVUTIBSFT TJNJMBSGVODUJPOBMJUJFT lUIFIBSEXBSFSPPUPGUSVTU GPSTFDVSFCPPUl lUIFMPXFTUMFWFMPGTPGUXBSF BSFO`UUBNQFSFEXJUIz "QQMF54FDVSJUZ5JQ
IUUQTXXXBQQMFDPNFVSPNBDTIBSFEEPDT"QQMF@5@4FDVSJUZ@$IJQ@0WFSWJFXQEG

"QQMF54FDVSJUZ5JQ IUUQTXXXBQQMFDPNFVSPNBDTIBSFEEPDT"QQMF@5@4FDVSJUZ@$IJQ@0WFSWJFXQEG NBJOUBJOTUIFJOUFHSJUZ PGJUTTFDVSJUZ GVODUJPOTFWFOJGUIF NBD04LFSOFMIBT CFFODPNQSPNJTFE

"QQMF54FDVSJUZ5JQ IUUQTXXXBQQMFDPNFVSPNBDTIBSFEEPDT"QQMF@5@4FDVSJUZ@$IJQ@0WFSWJFXQEG .BDVOJRVF*% 6*% "&4CJU LFZCVSOFEBUNBOVGBDUVSF

⾒出し IUUQTXXXKBNGDPNCMPHBQQMFEFWJDFFOSPMMNFOUQSPHSBNBQQMFJUJOOPWBUJPO Not quite sure how DEP uses UID

.BJOUFOBODF lBOVQEBUFPGUIFJOGPSNBUJPOJOUIFJEFOUJUZSFHJTUFS GPSBOFOUJUZz

IUUQTTUBOEBSETJTPPSHJUUG1VCMJDMZ"WBJMBCMF4UBOEBSETJOEFYIUNM*40*&D

- repository of identities - more like inventory - continuously
monitor and record state of the device Identity Register (Inventory) w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF w BUUSJCVUF

Diﬀerent characteristics from human!

- Observed attributes - Manually conﬁgured attributes Two types of
attributes

- Observed attributes - automatically collected/programmatically generated attributes - Manually
Conﬁgured attributes Two types of attributes

- Enrolled time - last time checked in - logged
in users - HW Info - OS version - installed SW and its version - Disk Encryption Recovery Key Examples of Observed Attributes

- Observed data - Manually conﬁgured attributes Two types of
attributes

- type of device - personally assigned, kiosk, special-case -
owner of the device - vendor/OEM - purchased data (asset management related data) - device name Examples of Manually Conﬁgured Attributes

Data Sources IUUQTTUPSBHFHPPHMFBQJTDPNQVCUPPMTQVCMJDQVCMJDBUJPOEBUBQEGQEG

&YBNQMFT

Observed Attributes Collection from Agent IUUQTTUPSBHFHPPHMFBQJTDPNQVCUPPMTQVCMJDQVCMJDBUJPOEBUBQEGQEG

- リスト - リスト - リスト - リストの強調⽂字 - リスト
Intune (HW Observed Attributes)

Intune (SW Observed Attributes)

Jamf (HW Observed Attributes)

Jamf (SW Observed Attributes)

Manually Conﬁgured Attributes(JAMF)

Attributes From EDR IUUQTTUPSBHFHPPHMFBQJTDPNQVCUPPMTQVCMJDQVCMJDBUJPOEBUBQEGQEG

Attributes from Asset Mgmt IUUQTTUPSBHFHPPHMFBQJTDPNQVCUPPMTQVCMJDQVCMJDBUJPOEBUBQEGQEG

*EFOUJUZ"EKVTUNFOU lBOVQEBUFPGUIFJOGPSNBUJPOJOUIFJEFOUJUZSFHJTUFS GPSBOFOUJUZ XIFSFUIFOFXJOGPSNBUJPOHJWFTSJTF UPUIFNPEJpDBUJPOPGBDUJWBUJPOJOGPSNBUJPOz

IUUQTTUBOEBSETJTPPSHJUUG1VCMJDMZ"WBJMBCMF4UBOEBSETJOEFYIUNM*40*&D

*T%FWJDF4UJMM5SVTUGVM ॏཁͳσʔλ 0O 5SVTUPWFSFMBQTFEUJNF 5SVTUQIZTJDBMMPDBUJPO

%FWJDF)FBMUI$IFDLJOH - Veriﬁed Boot - Measured Boot QTEPDTNJDSPTPGUDPNFOVTXJOEPXTTFDVSJUZJOGPSNBUJPOQSPUFDUJPOTFDVSFUIFXJOEPXTCPPUQSPDFTT

- Secure Boot - Trusted Boot - ELAM Veriﬁed Boot
IUUQTEPDTNJDSPTPGUDPNFOVTXJOEPXT TFDVSJUZJOGPSNBUJPOQSPUFDUJPOTFDVSFUIF XJOEPXTCPPUQSPDFTT

- Secure Boot - Check integrity of OS Bootloader -
Check certiﬁcate signed to Bootloader - Trusted Boot - ELAM Veriﬁed Boot IUUQTEPDTNJDSPTPGUDPNFOVTXJOEPXT TFDVSJUZJOGPSNBUJPOQSPUFDUJPOTFDVSFUIF XJOEPXTCPPUQSPDFTT

- Secure Boot - Trusted Boot - a series of
signature checking - ELAM Veriﬁed Boot IUUQTEPDTNJDSPTPGUDPNFOVTXJOEPXT TFDVSJUZJOGPSNBUJPOQSPUFDUJPOTFDVSFUIF XJOEPXTCPPUQSPDFTT

- Secure Boot - Trusted Boot - ELAM - Early
Launch Anti-Malware - examine every boot driver - “determine it is on the list of trusted drivers” Veriﬁed Boot IUUQTEPDTNJDSPTPGUDPNFOVTXJOEPXT TFDVSJUZJOGPSNBUJPOQSPUFDUJPOTFDVSFUIF XJOEPXTCPPUQSPDFTT

- Secure Boot - Trusted Boot - ELAM Veriﬁed Boot
IUUQTEPDTNJDSPTPGUDPNFOVTXJOEPXT TFDVSJUZJOGPSNBUJPOQSPUFDUJPOTFDVSFUIF XJOEPXTCPPUQSPDFTT $IBJOPG5SVTU $IBJOPG5SVTU $IBJOPG5SVTU

Measured Boot - Generates “measurable” artifacts while booting - Can
be remotely veriﬁed IUUQTEPDTNJDSPTPGUDPNFOVTXJOEPXTTFDVSJUZUISFBUQSPUFDUJPOQSPUFDUIJHIWBMVFBTTFUTCZ DPOUSPMMJOHUIFIFBMUIPGXJOEPXTCBTFEEFWJDFT

Measured Boot - Each boot components takes the hash of
the next component - store the hash in Platform Conﬁguration Registers (PCRs) - this “measurement” is recorded by Trusted Computing Group(TCG) log - Send PCR and TCG logs to veriﬁcation component (remote health attestation) IUUQTEPDTNJDSPTPGUDPNFOVTXJOEPXTTFDVSJUZUISFBUQSPUFDUJPOQSPUFDUIJHIWBMVFBTTFUTCZ DPOUSPMMJOHUIFIFBMUIPGXJOEPXTCBTFEEFWJDFT

Measured Boot - Each boot components takes the hash of
the next component - store the hash in Platform Conﬁguration Registers (PCRs) - this “measurement” is recorded by Trusted Computing Group(TCG) log - Send PCR and TCG logs to veriﬁcation component (remote health attestation) - PCR is digitally signed (PCR Quote) IUUQTEPDTNJDSPTPGUDPNFOVTXJOEPXTTFDVSJUZUISFBUQSPUFDUJPOQSPUFDUIJHIWBMVFBTTFUTCZ DPOUSPMMJOHUIFIFBMUIPGXJOEPXTCBTFEEFWJDFT

&YBNQMFT

Microsoft (TPM and Intune) - Secure Boot (Verified Boot) -
Just like normal secure boot - Measured Boot - integrate with Windows 10 Device Guard - Uses AIK(Attestation Identity Key)/AK(Attestation Key) certificate to form PCR quote - certificate is issued by Microsoft Cloud - Intune(UEM/MDM) has own remote health attestation service - Parses the properties of TCG logs and compare to signed PCR values IUUQTEPDTNJDSPTPGUDPNFOVTXJOEPXTTFDVSJUZUISFBUQSPUFDUJPOQSPUFDUIJHIWBMVFBTTFUTCZ DPOUSPMMJOHUIFIFBMUIPGXJOEPXTCBTFEEFWJDFT

7FSJGZJOUFHSJUZPGOFYU CPPUJOHDPNQPOFOUT NPSFMJLFUSVTUFECPPU TPGBSOPTJHOPGNFBTVSFE CPPU "QQMF 5DIJQ
IUUQTXXXBQQMFDPNFVSPNBDTIBSFEEPDT"QQMF@5@4FDVSJUZ@$IJQ@0WFSWJFXQEG

4VNNBSZ %FWJDF*EFOUJUZ.BOBHFNFOUVTJOH*40*&$ &OSPMMNFOU 3FHJTUSBUJPOTFSWJDFT 51.GPSJEFOUJUZQSPPpOH
.BJOUFOBODF "UUSJCVUFTGPSNBJOUFOBODF *EFOUJUZ"EKVTUNFOU 4FDVSF#PPU .FBTVSF#PPU

$IBMMFOHFT

-BDLPGTUBOEBSEHVJEFMJOFT -BDLPG"1*DPOOFDUJOHEBUBGSPNTPVSDFTBOE JOWFOUPSZ 6ONBUDIFE4PGUXBSF-JGFDZDMFBOE)BSEXBSF -JGFDZDMF .BOBHJOHGSFFMBODFS`TEFWJDFTCFMPOHJOHUPNVMUJQMF
PSHDPNNVOJUJFT $IBMMFOHFT

-BDLPGTUBOEBSEHVJEFMJOFT -BDLPG"1*DPOOFDUJOHEBUBGSPNTPVSDFTBOE JOWFOUPSZ 6ONBUDIFE4PGUXBSF-JGFDZDMFBOE)BSEXBSF -JGFDZDMF .BOBHJOHGSFFMBODFS`TEFWJDFTCFMPOHJOHUP
NVMUJQMFPSHDPNNVOJUJFT $IBMMFOHFT

$PODMVTJPO

5IF$IBOHFEFNBOETVTUPGPDVTPO*EFOUJUZ JODMVEJOHUIF%FWJDF EFWJDFJEFOUJUZJOFOUFSQSJTFTFDVSJUZOFFETUPCF NBOBHFEUIPSPVHIMZBOEGSFRVFOUMZ FTQFDJBMMZEVSJOHFOSPMMNFOUBOENBJOUFOBODF
%FWFMPQJOHTUBOEBSETJTUIFOFYUTUFQ -FUNFLOPX $PODMVTJPO

5IBOLZPV

Device Identity as Yet Untold

Device Identity as Yet Untold

More Decks by Kengo Suzuki

Other Decks in Technology

Featured

Transcript