Device Identity as Yet Untold

%FWJDF*EFOUJUZ:FU6OUPME

ΤϯλʔϓϥΠζɾηΩϡϦςΟͱσόΠε*EFOUJUZ

View Slide

“時代の変化に伴い、(中略)
周辺の技術・ビジネスも⼤きく変化”
IUUQTXXXPQFOJEPSKQTVNNJU

View Slide

*EFOUJUZ'PS&OUFSQSJTF4FDVSJUZ NJO

%FWJDF*EFOUJUZ.BOBHFNFOU NJO

$IBMMFOHFT NJO

$PODMVTJPO NJO

໨࣍

View Slide

*EFOUJUZ'PS
&OUFSQSJTF4FDVSJUZ

View Slide

Ϗδωεͷ
มԽ ओ࣠Λ&OUJUZʹͨ͠
ΤϯλʔϓϥΠζ
ηΩϡϦςΟઃܭ
ͷมԽ
ڴҖͷ
มԽ

View Slide

Ϗδωε؀ڥͷมԽ

View Slide

業務データの分散
σʔλ
ॏཁͳ
σʔλ
ॏཁͳ
σʔλ
ۀ຿
ΞϓϦ
ۀ຿
ΞϓϦ
ॏཁͳ
σʔλ
ॏཁͳ
σʔλ
جװ
σʔλ
جװ
σʔλ
ॏཁͳσʔλ
0Oαʔόʔ
σʔλ
PO
֎෦αʔϏε
σʔλ
0O୺຤
σʔλ
PO
جװγεςϜ

View Slide

ڥքͷ࠷దԽ
ॏཁͳσʔλ
0Oαʔόʔ
σʔλ
PO
֎෦αʔϏε
σʔλ
0O୺຤
σʔλ
PO
جװγεςϜ

View Slide

業務データの分散の多様化に伴う技術標準

View Slide

ڴҖͷมԽ

View Slide

71/τϯωϧ ॏཁͳσʔλ
0Oαʔόʔ
ॏཁͳσʔλ
0Oαʔόʔ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ॏཁͳσʔλ
0Oαʔόʔ
σʔλ
PO
֎෦αʔϏε
σʔλ
0O୺຤
σʔλ
PO
جװγεςϜ
ڴҖͷ഑ૹख๏ͷଟ༷Խ

View Slide

࣌ؒܦաʹΑΔ৴པੑͷ௿Լ
ॏཁͳσʔλ
0O
σʔλ
ॏཁͳσʔλ
0Oαʔόʔ
σʔλ

View Slide

ηΩϡϦςΟઃܭͷมԽ

View Slide

࣮૷ͷมԽ
ॏཁͳσʔλ
0Oαʔόʔ
σʔλ
PO
֎෦αʔϏε
σʔλ
0O୺຤
σʔλ
PO
جװγεςϜ
w ΤϯςΟςΟݕূͱ૊Έ߹Θͤʮ*EFOUJUZ$FOUSJDʯʮ"MXBZT7FSJGZʯ
w ࠷খݖݶͷݪଇʮ-FBTU1SJWJMFHF"DDFTTʯ
w ৵֐ͷ૝ఆͱ෧͡ࠐΊʮ#SFBDI$POUBJONFOUʯ

View Slide

ຊ೔ͷϑΥʔΧε
ॏཁͳσʔλ
0Oαʔόʔ
σʔλ
PO
֎෦αʔϏε
σʔλ
0O୺຤
σʔλ
PO
جװγεςϜ
ͪ͜Β͸ྑ͘࿩͞ΕΔ

View Slide

ຊ೔ͷϑΥʔΧε
ॏཁͳσʔλ
0Oαʔόʔ
σʔλ
PO
֎෦αʔϏε
σʔλ
0O୺຤
σʔλ
PO
جװγεςϜ
σόΠε*EFOUJUZ
*O&OUFSQSJTF

View Slide

*NQMFNFOUBUJPOPG%FWJDF*EFOUJUZ.BOBHFNFOU
%FWJDF*EFOUJUZ*O3FBM-JGF
$IBMMFOHFJO%FWJDF*EFOUJUZ
,FZ5BLFBXBZ

View Slide

!LFOTDBM ,FOHP4V[VLJ

$BSFFS
4FDVSJUZ7FOEPSʢ.44ʣ
'JOUFDI4UBSUVQY
8PSLT
4FDVSJUZ *OGP4ZTUFN 43&
'PDVT
%JHJUBM*EFOUJUZ
#MPDLDIBJO
8IPBN*
09:44~10:00

View Slide

%FWJDF*EFOUJUZ.HNU

View Slide

*40*&$"GSBNFXPSLGPSJEFOUJUZ
NBOBHFNFOU
8IJDIQBSUPG%FWJDF*EFOUJUZ.HNU
IUUQTTUBOEBSETJTPPSHJUUG1VCMJDMZ"WBJMBCMF4UBOEBSETJOEFYIUNM*40*&D

View Slide

-JGFDZDMF

View Slide

w BUUSJCVUF
w BUUSJCVUF
w BUUSJCVUF
w BUUSJCVUF
w BUUSJCVUF
w BUUSJCVUF
w BUUSJCVUF
w BUUSJCVUF
*EFOUJUZ3FHJTUFS
*OWFOUPSZ

View Slide

lUIFDSFBUJPOPGPOFPSNPSFJEFOUJUJFTGPSUIFFOUJUZz
UZQJDBMMZDPNQSJTFTUIFDPMMFDUJPOBOEWBMJEBUJPOPG
JEFOUJUZJOGPSNBUJPO
&OSPMMNFOU
IUUQTTUBOEBSETJTPPSHJUUG1VCMJDMZ"WBJMBCMF4UBOEBSETJOEFYIUNM*40*&$

View Slide

w 3FHJTUSBUJPO
w *EFOUJUZ1SPPpOH

View Slide

4JNQMF3FHJTUSBUJPO
%FWJDF7FOEPS *5BENJO
1VSDIBTF
FOSPMM
SFHJTUSBUJPO
%FMJWFS
w BUUSJCVUF

w BUUSJCVUF
w BUUSJCVUF

w BUUSJCVUF
w BUUSJCVUF

w BUUSJCVUF

View Slide

#FUUFS3FHJTUSBUJPO1SPDFTT
7FOEPS
1VSDIBTF
FOSPMM
SFHJTUSBUJPO
%FMJWFS
w BUUSJCVUF

w BUUSJCVUF
w BUUSJCVUF

w BUUSJCVUF
w BUUSJCVUF

w BUUSJCVUF
*OJUJBM#PPU
3FHJTUSBUJPO
4FSWJDF
OPUJGZ

View Slide

&YBNQMFT

View Slide

⾒出し
IUUQTXXXKBNGDPNCMPHBQQMFEFWJDFFOSPMMNFOUQSPHSBNBQQMFJUJOOPWBUJPO
Registration in Mac (DEP)

View Slide

Registration in Microsoft (Autopilot)
IUUQTNZJHOJUFUFDIDPNNVOJUZNJDSPTPGUDPNTFTTJPOT

View Slide

*EFOUJUZ1SPPpOH
%FWJDF7FOEPS *5BENJO
1VSDIBTF
FOSPMM
SFHJTUSBUJPO
%FMJWFS
w BUUSJCVUF

w BUUSJCVUF
w BUUSJCVUF

w BUUSJCVUF
w BUUSJCVUF

w BUUSJCVUF
1SPPG*EFOUJUZBUIFSF

View Slide

*EFOUJUZ"TTVSBODF-FWFM *"-
JO/*4541
FOUJUZͷΞΠσϯςΟςΟ৘ใ͕ਖ਼͔֬
*EFOUJUZ1SPPpOH3FRVJSFNFOU

View Slide

51. NBZCF5&&

- セキュアな暗号プロセッ
サーの国際標準
- ブート時のソフトウェア
監査(pltaform integrity)
- 機密データの保管、暗号
鍵の管理

View Slide

51. NBZCF5&&

View Slide

&OEPSTFNFOU,FZ
SPPUPG5SVTU
OFWFSMFBWFT51.
*EFOUJGZVOJRVF51.
51.BOE&OEPSTFNFOU,FZ

View Slide

&YBNQMFJO.JDSPTPGU

View Slide

IUUQTEPDTNJDSPTPGUDPNKBKQB[VSFJPUEQTDPODFQUTUQNBUUFTUBUJPO

View Slide

/*4541BIUUQTQBHFTOJTUHPWTQBIUNM

View Slide

*5BENJO0S
1SPWJTJPOJOH4FSWJDF

View Slide

*5BENJO0S
1SPWJTJPOJOH4FSWJDF
&OEPSTFNFOU
1VCMJD,FZ

View Slide

*5BENJO0S
1SPWJTJPOJOH4FSWJDF
$PNQBSFQSFSFHJTUFSFE
QVCLFZTJHOFECZWFOEPS
&OEPSTFNFOU
1VCMJD,FZ
7BMJEBUFEVTJOH
QVCLFZDFSUJpDBUF

View Slide

*5BENJO0S
1SPWJTJPOJOH4FSWJDF
$IBMMFOHFBOE3FTQPOTF
&OEPSTFNFOU
1VCMJD,FZ
$IBMMFOHFBOE3FTQPOTF

View Slide

(தུ)

v="s7+hJsgnlFQ+Jf4O7WZEh9AcZcJ9EXIBGeUSkzRXDkrSt2UBJ0P
1FmA8V8PTp/
TbY3dmn5IG1Z2spHlrGmu1AshGHlZyIMFPUeMN91/+mM3lqWsHOrOM
HjGvZrdMCJxi3sXAqs16bo5BFoNWXHXZyCwWQ3204chGlOzm309hKV
+l90t7ciqzfpaA2D7UcyYy8xHm0qbuI1pNaHYkP5mmdyKn5eoHtpNT
Y0zjVf+ZtZIJ6N2/
VydcZ5olmSG2BRe5xxZhbYILkprzyit5ayPXmUlTYm5MV6zbuZYMeU
0hu4HetDAL6G0XZQz+UH/ufuvEBCe44Q/uz2UdXlgQ0cfpTQ==" />
(தུ)
https://www.anoopcnair.com/windows-autopilot-behind-the-scenes-secrets/
.JDSPTPGU*OUVOF"VUPQJMPU

View Slide

&YBNQMFJO"QQMF

View Slide

/PUFYBDUMZ51.CVUTIBSFT
TJNJMBSGVODUJPOBMJUJFT
lUIFIBSEXBSFSPPUPGUSVTU
GPSTFDVSFCPPUl
lUIFMPXFTUMFWFMPGTPGUXBSF
BSFO`UUBNQFSFEXJUIz
"QQMF54FDVSJUZ5JQ
IUUQTXXXBQQMFDPNFVSPNBDTIBSFEEPDT"[email protected]@[email protected][email protected]

View Slide

"QQMF54FDVSJUZ5JQ
NBJOUBJOTUIFJOUFHSJUZ
PGJUTTFDVSJUZ
GVODUJPOTFWFOJGUIF
NBD04LFSOFMIBT
CFFODPNQSPNJTFE

View Slide

"QQMF54FDVSJUZ5JQ
.BDVOJRVF*% 6*%
"&4CJU
LFZCVSOFEBUNBOVGBDUVSF

View Slide

⾒出し
IUUQTXXXKBNGDPNCMPHBQQMFEFWJDFFOSPMMNFOUQSPHSBNBQQMFJUJOOPWBUJPO
Not quite sure how DEP uses UID

View Slide

.BJOUFOBODF
lBOVQEBUFPGUIFJOGPSNBUJPOJOUIFJEFOUJUZSFHJTUFS
GPSBOFOUJUZz

View Slide


View Slide

- repository of identities
- more like inventory
- continuously monitor and record
state of the device
Identity Register (Inventory)
w BUUSJCVUF
w BUUSJCVUF
w BUUSJCVUF
w BUUSJCVUF
w BUUSJCVUF
w BUUSJCVUF
w BUUSJCVUF
w BUUSJCVUF

View Slide

Diﬀerent characteristics from human!

View Slide

- Observed attributes
- Manually conﬁgured attributes
Two types of attributes

View Slide

- Observed attributes
- automatically collected/programmatically
generated attributes
- Manually Conﬁgured attributes

View Slide

- Enrolled time
- last time checked in
- logged in users
- HW Info
- OS version
- installed SW and its version
- Disk Encryption Recovery Key
Examples of Observed Attributes

View Slide

- Observed data
- Manually conﬁgured attributes

View Slide

- type of device
- personally assigned, kiosk, special-case
- owner of the device
- vendor/OEM
- purchased data (asset management related data)
- device name
Examples of Manually Conﬁgured Attributes

View Slide

Data Sources
IUUQTTUPSBHFHPPHMFBQJTDPNQVCUPPMTQVCMJDQVCMJDBUJPOEBUBQEGQEG

View Slide

&YBNQMFT

View Slide

Observed Attributes Collection from Agent

View Slide

- リスト
- リスト
- リスト
- リストの強調⽂字
- リスト
Intune (HW Observed Attributes)

View Slide

Intune (SW Observed Attributes)

View Slide

Jamf (HW Observed Attributes)

View Slide

Jamf (SW Observed Attributes)

View Slide

Manually Conﬁgured Attributes(JAMF)

View Slide

- リスト
- リスト
- リスト
- リスト
Attributes From EDR

View Slide

- リスト
- リスト
- リスト
- リスト
Attributes from Asset Mgmt

View Slide

*EFOUJUZ"EKVTUNFOU
lBOVQEBUFPGUIFJOGPSNBUJPOJOUIFJEFOUJUZSFHJTUFS
GPSBOFOUJUZ XIFSFUIFOFXJOGPSNBUJPOHJWFTSJTF
UPUIFNPEJpDBUJPOPGBDUJWBUJPOJOGPSNBUJPOz

View Slide


View Slide

*T%FWJDF4UJMM5SVTUGVM
ॏཁͳσʔλ
0O
5SVTUPWFSFMBQTFEUJNF 5SVTUQIZTJDBMMPDBUJPO

View Slide

%FWJDF)FBMUI$IFDLJOH
- Veriﬁed Boot
- Measured Boot
QTEPDTNJDSPTPGUDPNFOVTXJOEPXTTFDVSJUZJOGPSNBUJPOQSPUFDUJPOTFDVSFUIFXJOEPXTCPPUQSPDFTT

View Slide

- Secure Boot
- Trusted Boot
- ELAM
Veriﬁed Boot
IUUQTEPDTNJDSPTPGUDPNFOVTXJOEPXT
TFDVSJUZJOGPSNBUJPOQSPUFDUJPOTFDVSFUIF
XJOEPXTCPPUQSPDFTT

View Slide

- Secure Boot
- Check integrity of OS Bootloader
- Check certiﬁcate signed to
Bootloader
- Trusted Boot
- ELAM
Veriﬁed Boot
XJOEPXTCPPUQSPDFTT

View Slide

- Secure Boot
- Trusted Boot
- a series of signature checking
- ELAM
Veriﬁed Boot
XJOEPXTCPPUQSPDFTT

View Slide

- Secure Boot
- Trusted Boot
- ELAM
- Early Launch Anti-Malware
- examine every boot driver
- “determine it is on the list of trusted
drivers”
Veriﬁed Boot
XJOEPXTCPPUQSPDFTT

View Slide

- Secure Boot
- Trusted Boot
- ELAM
Veriﬁed Boot
XJOEPXTCPPUQSPDFTT
$IBJOPG5SVTU
$IBJOPG5SVTU
$IBJOPG5SVTU

View Slide

Measured Boot
- Generates “measurable”
artifacts while booting
- Can be remotely veriﬁed
IUUQTEPDTNJDSPTPGUDPNFOVTXJOEPXTTFDVSJUZUISFBUQSPUFDUJPOQSPUFDUIJHIWBMVFBTTFUTCZ
DPOUSPMMJOHUIFIFBMUIPGXJOEPXTCBTFEEFWJDFT

View Slide

Measured Boot
- Each boot components takes the hash of
the next component
- store the hash in Platform Conﬁguration
Registers (PCRs)
- this “measurement” is recorded by Trusted
Computing Group(TCG) log
- Send PCR and TCG logs to veriﬁcation
component (remote health attestation)

View Slide

Measured Boot
- Each boot components takes the hash of the
next component
Registers (PCRs)

View Slide

Measured Boot
- Each boot components takes the hash of the
next component
Registers (PCRs)
- this “measurement” is recorded by
Trusted Computing Group(TCG) log

View Slide

Measured Boot
- Each boot components takes the hash of the next
component
- store the hash in Platform Conﬁguration Registers
(PCRs)
- PCR is digitally signed (PCR Quote)

View Slide

&YBNQMFT

View Slide

Microsoft (TPM and Intune)
- Secure Boot (Verified Boot)
- Just like normal secure boot
- Measured Boot
- integrate with Windows 10 Device Guard
- Uses AIK(Attestation Identity Key)/AK(Attestation Key)
certificate to form PCR quote
- certificate is issued by Microsoft Cloud
- Intune(UEM/MDM) has own remote health attestation service
- Parses the properties of TCG logs and compare to signed PCR
values

View Slide

7FSJGZJOUFHSJUZPGOFYU
CPPUJOHDPNQPOFOUT
NPSFMJLFUSVTUFECPPU
TPGBSOPTJHOPGNFBTVSFE
CPPU
"QQMF 5DIJQ


View Slide

4VNNBSZ
%FWJDF*EFOUJUZ.BOBHFNFOUVTJOH*40*&$
&OSPMMNFOU
3FHJTUSBUJPOTFSWJDFT
51.GPSJEFOUJUZQSPPpOH
.BJOUFOBODF
"UUSJCVUFTGPSNBJOUFOBODF
*EFOUJUZ"EKVTUNFOU
4FDVSF#PPU
.FBTVSF#PPU

View Slide

$IBMMFOHFT

View Slide

-BDLPGTUBOEBSEHVJEFMJOFT
-BDLPG"1*DPOOFDUJOHEBUBGSPNTPVSDFTBOE
JOWFOUPSZ
6ONBUDIFE4PGUXBSF-JGFDZDMFBOE)BSEXBSF
-JGFDZDMF
.BOBHJOHGSFFMBODFS`TEFWJDFTCFMPOHJOHUPNVMUJQMF
PSHDPNNVOJUJFT
$IBMMFOHFT

View Slide

-BDLPGTUBOEBSEHVJEFMJOFT
-BDLPG"1*DPOOFDUJOHEBUBGSPNTPVSDFTBOE
JOWFOUPSZ
6ONBUDIFE4PGUXBSF-JGFDZDMFBOE)BSEXBSF
-JGFDZDMF
.BOBHJOHGSFFMBODFS`TEFWJDFTCFMPOHJOHUP
NVMUJQMFPSHDPNNVOJUJFT
$IBMMFOHFT

View Slide

$PODMVTJPO

View Slide

5IF$IBOHFEFNBOETVTUPGPDVTPO*EFOUJUZ
JODMVEJOHUIF%FWJDF
EFWJDFJEFOUJUZJOFOUFSQSJTFTFDVSJUZOFFETUPCF
NBOBHFEUIPSPVHIMZBOEGSFRVFOUMZ
FTQFDJBMMZEVSJOHFOSPMMNFOUBOENBJOUFOBODF
%FWFMPQJOHTUBOEBSETJTUIFOFYUTUFQ -FUNFLOPX
$PODMVTJPO

View Slide

5IBOLZPV

View Slide

View Slide

Device Identity as Yet Untold

Device Identity as Yet Untold

Kengo Suzuki

More Decks by Kengo Suzuki

Other Decks in Technology

Featured

Transcript