FIDO Taipei Workshop: Securing the Edge with FDO
What problem does FDO solve?
When a new enterprise, edge or IoT solution is being installed in a facility (factory, hospital, car, store etc.), the device must be "onboarded" to its management platform (on-premise or cloud).
FDO provides secure "plug and play" onboarding for almost any device/network.
Manual vs FDO onboarding
Manual onboarding:
•Slow – often 20 mins/device
•Poor security
•Needs a skilled technician
•Expensive
FDO onboarding:
•Fast – about 1 min/device
•High security
•No skills needed for installation
•Lower installation costs
•Open standard
FDO: Fast, Scalable Device Provisioning, Onboarding & Activation
•Zero touch onboarding – integrates with existing zero touch solutions
•Fast & more secure – ~1 minute
•Hardware flexibility – any hardware, from ARM MCU to Intel® Xeon®
•Any cloud – internet, intranet & closed network, multi-tenant
•Late binding – reduces the number of product SKUs needed
•Multiple implementations – 5 implementations in various programming languages
•Certification program – available from the FIDO Alliance
Onboarding flow:
1. Drop ship device to installation location
2. Power-up & connect to network
3. Auto-provisions, onboards to Device Management Service
Note: No product or component can be absolutely secure.
How FDO works
1. At the device manufacturer, the FDO manufacturing tool:
   a. places the FDO agent (FDO client) and FDO credentials, including the path to the RV server, in the device;
   b. creates the Ownership Voucher (OV).
2. The device, carrying the FDO client & credentials, is shipped in its box to the installation location.
3. The Ownership Voucher (OV) is loaded to the target cloud (the FDO owner).
4. The OV is registered with the Rendezvous Server (RV).
5. The device is given network connectivity and powers up.
6. The device contacts the RV and is re-directed to the cloud.
7. Between device and cloud:
   a. mutual authentication takes place;
   b. a secure channel is established;
   c. onboarding takes place using FSIMs (onboarding data flows to the device).
8. Final state: cloud managed, device data flows (application data / control).
How FDO works (with spec terms)
Device Initialization (DI) – performed by the FDO manufacturing tool at the device manufacturer:
•Places FDO device credentials in the device
•Creates the FDO Ownership Voucher (OV)
The device ships with the FDO client & credentials; the OV goes to the FDO owner (target cloud) and is registered with the Rendezvous server (RV).
TO0/TO1 protocols – the interaction between Device and Rendezvous Server:
•Device identifies itself to the Rendezvous Server and obtains the mapping to connect to the Owner's IP address.
TO2 protocol – the interaction between Device and Owner:
•Device contacts Owner, establishes trust and then performs onboarding (onboarding data).
Final state: cloud managed, device data flows (application data / control).
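To make the chain of trust behind the Ownership Voucher in the two "How FDO works" slides concrete, here is an added example (not code from the FDO specification or from any of its implementations): each voucher link names the next owner's public key and is signed by the previous holder, and in TO2 the device walks that chain from the manufacturer key it stored at DI to the party now contacting it. The link layout, the `sum`, `NewKey` and `PubDER` helpers and the header value are assumptions; the real voucher is CBOR-encoded with more fields and an HMAC binding it to the device.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)
// Entry is one link of a simplified ownership voucher (illustrative layout, not the spec's
// CBOR): previous link's hash, next owner's DER public key, signed by the previous holder.
type Entry struct{ Prev, NextPub, Sig []byte }
func sum(parts ...[]byte) []byte {
	h := sha256.Sum256(bytes.Join(parts, nil))
	return h[:]
}
// NewKey and PubDER stand in for real key provisioning (P-256 is one of the spec's curves).
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func PubDER(k *ecdsa.PrivateKey) []byte { b, _ := x509.MarshalPKIXPublicKey(&k.PublicKey); return b }
// Extend is a supply-chain handover: holder (current owner) appends a link naming nextPub.
// header is the hash of the voucher header the device was given at DI.
func Extend(header []byte, chain []Entry, holder *ecdsa.PrivateKey, nextPub []byte) ([]Entry, error) {
	prev := header
	if n := len(chain); n > 0 {
		prev = sum(chain[n-1].Prev, chain[n-1].NextPub, chain[n-1].Sig)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, holder, sum(prev, nextPub))
	return append(chain, Entry{prev, nextPub, sig}), err
}

// Verify is the device's TO2 check: from the manufacturer key stored at DI, every link must
// be signed by the key the previous link named, and the contacting party must hold the last.
func Verify(header, mfgPub []byte, chain []Entry, ownerPub []byte) error {
	cur, prev := mfgPub, header
	for _, e := range chain {
		k, err := x509.ParsePKIXPublicKey(cur)
		pub, ok := k.(*ecdsa.PublicKey)
		if err != nil || !ok || !bytes.Equal(e.Prev, prev) ||
			!ecdsa.VerifyASN1(pub, sum(e.Prev, e.NextPub), e.Sig) {
			return errors.New("broken ownership chain: bad link hash or signature")
		}
		prev, cur = sum(e.Prev, e.NextPub, e.Sig), e.NextPub
	}
	if !bytes.Equal(cur, ownerPub) {
		return errors.New("contacting party does not hold the final owner key")
	}
	return nil
}
```

A voucher extended manufacturer ➔ distributor ➔ owner verifies only for the owner; a party without the final key, a chain checked against the wrong manufacturer key, or a link signed by someone who was never handed the device is rejected.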
FIDO Device Onboard: Late Binding in Supply Chain
Zero Touch without FDO – build-to-order manufacturing infrastructure, with a separate build for each customer (Customer 1, Customer 2, Customer 3):
•Device software and security customization happens at manufacture
•➔ Complicated manufacturing infrastructure, many SKUs, higher cost
Zero Touch with FDO – build-to-plan manufacturing infrastructure, with one build for all customers and FDO late binding at installation:
•Device software and security customization happens at installation
•➔ Simplified supply chain, lower costs
FDO reduces costs & complexity in the supply chain – a single device SKU for all customers.
Authors of the FDO specification
The FDO spec was written by technology leaders:
•Intel
•Amazon
•Google
•Microsoft
•Qualcomm
•ARM
Link to FDO 1.1 specification
Why adopt an onboarding standard like FDO?
Open standards are built on the contribution of security experts from multiple companies – this often brings broader expertise and ideas than an individual company.
As security threats evolve, the standard can evolve to address them.
The standard expands over time to add more capabilities, while keeping backward compatibility as a critical element. It can therefore meet short term and long term needs.
Ability to mix and match, with confidence, solutions from different vendors – via FIDO FDO interoperability testing.
Simplifies system security analysis.
Users don't need to own the upkeep of their solution, as this is handled by open source or commercial companies.
With proprietary solutions, if the in-house expert leaves, that can create a long term support issue.
Example FDO applications
Potential application of FDO to Manufacturing Applications (diagram: Manufacturing Cloud, Local Server (ACP), PLC/DCN)
Potential application of FDO to Retail Applications (diagram: Retail Cloud, Local Server, POS, Security Camera, Cloud)
Potential application of FDO to Medical Applications (diagram: Cloud, Local Server)
Potential application of FDO to Automotive Applications (diagram: Software update)
Potential application of FDO to In-vehicle Automotive Applications (diagram: Vehicle computer, Zone controller)
Example FDO architectures
Choosing the right FDO deployment model for your application
FDO is highly flexible, so users can choose the architecture that best meets their needs.
As a user's needs evolve, FDO can be extended without breaking backward compatibility:
single cloud ➔ multi-cloud ➔ closed network ➔ 'bring your own devices'
Scenario 1: Onboarding devices with direct internet access, single cloud/platform (diagram: Cloud 1)
Scenario 2: Onboarding devices with direct internet access, multiple clouds (diagram: Cloud 1, Cloud 2). Clouds could be in different geographies; the same type of hardware is deployed to different clouds.
Scenario 3: Onboarding devices without direct internet access (on-premise/closed network)
Scenario 4: Onboarding devices – some with and some without direct internet access (diagram: Cloud 1, Cloud 2, Cloud 3)
Scenario 6: Onboarding devices with internet access and closed network, single cloud/platform, roaming customers and multi-tenant (diagram: Cloud 1 with Tenant 1, Tenant 2, Tenant 3 and Customer 1, Customer 2; Cloud 2 with roaming Customer 3)
FDO – A flexible and extensible solution
FDO Deployment Flexibility
Architectural sophistication increases along this range:
Single internet cloud ➔ Internet cloud & on-prem/closed ➔ Single cloud with multi-tenant ➔ Multi-cloud, internet and closed network with multi-tenant
ExxonMobil
ExxonMobil is a leader in the move to standards-based, open, secure, interoperable process control solutions (OPAF).
ExxonMobil and Yokogawa successfully used FDO in their Texas testbed.
They expect to start running a field trial in the next year at an ExxonMobil manufacturing facility in Baton Rouge, LA.
ExxonMobil's integrator, Yokogawa, has integrated FDO to automate device installation.
ExxonMobil's collaborators for the field trial include various IT and OT suppliers.
Source: Yokogawa
FDO demo on LinkedIn
FDO Business FAQ
1. Do I need to join the FIDO Alliance to use the FDO specification?
➢No. FDO is an open standard. The spec can be downloaded from the FIDO Alliance web site.
➢Joining the FIDO Alliance will allow you to impact the evolution of FDO and learn from other users and ecosystem partners.
2. What is the license agreement for the FDO technical specification?
➢The FIDO Alliance IPR terms can be found here: https://media.fidoalliance.org/wp-content/uploads/2019/12/FIDO-IPR-flowchart-v4-W3C.pdf
3. Do I need to pay for certification?
➢The FIDO Alliance does offer a paid FDO Certification program.
➢There is no obligation for members to certify their products; however, if companies want to use a FIDO FDO certification logo then certification of the product is required.
➢Members do receive a discount on certification costs.
4. Is there software available that implements FDO? Do I need to pay for it?
➢Yes, multiple versions. Some are open source, some are commercial versions.
Extending FDO applications with FSIMs
Deployment options shown:
•Hardware ships with FDO only
•Hardware ships with FDO and SW load
•Software deployed at facility via FDO
•Remote SW deployment
•Firmware update deployed at facility via FDO
•Remote firmware update
FSIM protocols
•Embedded protocols within FDO that perform onboarding actions
•Examples: file transfers, key generation, shell commands
Conclusion
FDO is highly flexible and extensible
A wide range of deployment architectures are supported
Customers can evolve their architecture over time while retaining compatibility
FDO has been developed to offer a high degree of security
Customers can further extend the security as needed in their application
Users can mix-and-match their credential storage approach as needed
FDO can be used with a wide range of processors and operating systems
In conclusion, FDO meets your onboarding needs for today and the future