We have jointly developed with NEC a remote verification infrastructure capable of "remotely confirming the authenticity of computer equipment across an entire system."

Cyber Defense Institute supported the research and development of a "remote verification infrastructure"** conducted by NEC Corporation (hereinafter "NEC") at the Trusted Computing Group (TCG) Open Workshop held in February 2024.

The remote verification infrastructure was jointly developed by NEC's defense business division and Cyber Defense Institute, and is a security technology based on the concept of "Remote ATtestation ProcedureS (※2)" promoted by the Internet Engineering Task Force (※1). By leveraging this technology, it becomes possible to remotely verify the authenticity (※3) and integrity of a wide range of ICT devices, including servers, laptops, and IoT devices.

This infrastructure embeds platform certificates -- containing hardware and software information -- into a TPM (※4), and registers this information in the system as a verification baseline at the time of shipment. During system setup after shipment, tampering can be detected by comparing the platform certificate information against the data registered in the verification system. This enables automated remote verification of overall system integrity at the hardware level, protecting systems against supply chain threats such as firmware-level malware, unauthorized hardware modifications, and risks associated with unauthorized use of removed devices.

In particular, from the perspective of economic security, there is growing global importance in proving that ICT equipment has not been subject to unauthorized alterations in the supply chain at the time of procurement. This technology serves as one effective solution to address these requirements (※5).

(※1) Internet Engineering Task Force: An international voluntary organization that promotes the standardization of various technologies used on the Internet. Also known as IETF.*
(※2) Remote ATtestation ProcedureS: RFC9334 standardized by IETF (https://datatracker.ietf.org/doc/html/rfc9334)
(※3) Authenticity: The property of a computer, data, or other entity being genuine and verifiably not counterfeit.*
(※4) TPM: A hardware security module whose standards were developed by TCG, providing secure key management, encryption functions, and more.*
(※5) Requirements: The Unified Standards for Cybersecurity Measures for Government Agencies (FY2023 Edition) requires confirmation that equipment has not been subject to unauthorized modifications at the time of procurement. (https://www.nisc.go.jp/pdf/policy/general/rev_pointr5.pdf)

For more details on this technology, please also refer to NEC's press release: https://jpn.nec.com/press/202403/20240304_01.html

Cyber Defense Institute will continue to work with law enforcement agencies and private sector organizations worldwide to combat increasingly sophisticated, malicious, and globalized cybercrime, contributing to the improvement of security in cyberspace.