
Cryptography in Heavily Constraint Environments

Date post: 07-Jan-2016
Description: Cryptography in Heavily Constraint Environments. Christof Paar, EUROBITS Center for IT Security, COmmunication SecuritY (COSY) Group, University of Bochum, Germany, www.crypto.rub.de. Contents. Pervasive computing and embedded systems. Pervasive computing and security
Transcript
Page 1: Cryptography in Heavily Constraint Environments

Ruhr University Bochum

Cryptography in Heavily Constraint Environments

Christof Paar

EUROBITS Center for IT Security

COmmunication SecuritY (COSY) Group

University of Bochum, Germany

www.crypto.rub.de

Page 2: Cryptography in Heavily Constraint Environments

Communication Security (COSY) Group

Workshop on Ad-Hoc Security 2002

Contents

• Pervasive computing and embedded systems
• Pervasive computing and security
• Constrained environments and crypto
• Research problems

Page 3: Cryptography in Heavily Constraint Environments

Characteristics of Traditional IT Applications

• Mostly based on interactive (= traditional) computers
• "One user – one computer" paradigm
• Static networks
• Large number of users per network

Q: How will the IT future look?

Page 4: Cryptography in Heavily Constraint Environments

Examples for Pervasive Computing

• PDAs, 3G cell phones, ...
• Living spaces will be stuffed with nodes
• So will cars
• Wearable computers (clothes, eye glasses, etc.)
• Household appliances
• Smart sensors in infrastructure (windows, roads, bridges, etc.)
• Smart bar codes (autoID)
• "Smart Dust"
• ...

Page 5: Cryptography in Heavily Constraint Environments

Will that ever become reality??

We don’t know, but: CPUs sold in 2000

Page 6: Cryptography in Heavily Constraint Environments

Security and Economics of Pervasive Networks

• "One-user many-nodes" paradigm (e.g. 10^2-10^3 processors per human)
• Many new applications we don't know yet
• Very high volume applications
• Very cost sensitive
• People won't be willing to pay for security per se
• People won't buy products without security

Page 7: Cryptography in Heavily Constraint Environments

Where are the challenges for embedded security?

• Designers worry about IT functionality, security is ignored or an afterthought
• Attacker has easy access to nodes
• Security infrastructure (PKI etc.) is missing: Protocols???
• Side-channel and tamper attacks
• Computation/memory/power constrained

Page 8: Cryptography in Heavily Constraint Environments

Why do constraints matter?

• Almost all ad-hoc protocols (even routing!) require crypto ops for every hop
• At least symmetric alg. are needed
• Asymmetric alg. allow fancier protocols

Question: What type of crypto can we do?

Page 9: Cryptography in Heavily Constraint Environments

Classification by Processor Power

Very rough classification of embedded processors

Class                            Speed : high-end Intel
Class 0: few 1000 gates          ?
Class 1: 8 bit µP, 10MHz         1 : 10^3
Class 2: 16 bit µP, 50MHz        1 : 10^2
Class 3: 32 bit µP, 200MHz       1 : 10

Page 10: Cryptography in Heavily Constraint Environments

Case Study Class 0: RFID

Recall: Class 0 = no µP, few 1000 gates

• Goal: RFID as bar code replacement
• Cost goal 5 cent (!)
• allegedly 500 x 10^9 bar code scans worldwide per day (!!)
• AutoID tag: security "with 1000 gates" [CHES 02]
  – Ell. curves (asymmetric alg.) need > 20,000 gates
  – DES (symmetric alg.) needs > 5,000 gates
  – Lightweight stream ciphers might work

Page 11: Cryptography in Heavily Constraint Environments

Status Quo: Crypto for Class 1

Recall: Class 1 = 8 bit µP, 10MHz

Symmetric alg: possible at low data rates

Asymm.alg: very difficult without coprocessor

Page 12: Cryptography in Heavily Constraint Environments

Status Quo: Crypto for Class 2

Recall: Class 2 = 16 bit µP, 50MHz

Symmetric alg: possible

Asymm. alg: possible if
• carefully implemented, and
• algorithms carefully selected (ECC feasible; RSA & DL still hard)

Page 13: Cryptography in Heavily Constraint Environments

Status Quo: Crypto for Class 3

Recall: Class 3 = 32 bit µP, 200MHz

Symmetric alg: possible

Asymm.alg: full range (ECC, RSA, DL) possible, some care needed for implementation

Page 14: Cryptography in Heavily Constraint Environments

Open (Research) Questions

1. Symmetric algorithms for class 0 (e.g., 1000 gates) which are secure and well understood?

2. Alternative asymm. alg. for class 0 and class 1 (8 bit µP) with 10x time-area improvement over ECC?

3. Are asymm. alg. which are “too short” (e.g., ECC with 100 bits) usable?

4. Ad-hoc protocols without long-term security needs?

5. Side-channel protection at very low costs?

Page 15: Cryptography in Heavily Constraint Environments

Related Events at the EUROBITS Center in Bochum

www.crypto.rub.de

1. Workshop on Side-Channel Attacks on Smart Cards, January 30-31, 2003

Page 16: Cryptography in Heavily Constraint Environments

Cryptographic Hardware and Embedded Systems

September 7-10

chesworkshop.org

Page 17: Cryptography in Heavily Constraint Environments

Security Challenges: Many Security Assumptions Change

• No access to backbone: PKI does not work
• New threats: sleep deprivation attack
• Old threats (e.g., confidentiality) not always a problem
• Nodes have incentives to cheat in protocols
• Security protocols ???

Page 18: Cryptography in Heavily Constraint Environments

Our Research

Crypto algorithms in highly constrained environments

• Low-cost hardware for public-key algorithms
• Ultra low-cost hardware for symmetric algorithms
• Software for public-key, symmetric algorithms on low-end processors

Protocols for ad-hoc networks

• Secure communication in complex technical systems (airplanes, cars, etc.)
• Establishing trust in networks

Page 19: Cryptography in Heavily Constraint Environments

Traditional Security Applications

Very often: computer & communication networks!

• (wireless) LAN / WLAN (Local Area Network)
• WAN (Wide Area Network)
• PKI (Public Key Infrastructure)

Page 20: Cryptography in Heavily Constraint Environments

Traditional Security Applications

(wireless) LAN / WLAN (Local Area Network)

Page 21: Cryptography in Heavily Constraint Environments

Traditional Security Applications

WAN (Wide Area Network)

Page 22: Cryptography in Heavily Constraint Environments

Traditional Security Applications

PKI (Public Key Infrastructure)

enables secure LAN, WAN

Page 23: Cryptography in Heavily Constraint Environments

Other Traditional Security Applications

• Antivirus
• Firewalls
• Biometrics

Page 24: Cryptography in Heavily Constraint Environments

The IT Future

• 2. Bridge sensors
• 3. Cleaning robots
• 6. Car with various IT services
• 8. Networked robots
• 9. Smart street lamps
• 14. Pets with electronic sensors
• 15. Smart windows

Page 25: Cryptography in Heavily Constraint Environments

Characteristics of Pervasive Computing Systems

• Embedded nodes (no traditional computers)
• Connected through wireless, close-range network ("Pervasive networks")!
• Ad-hoc networks: Dynamic addition and deletion of nodes
• Power/computation/memory constrained!
• Vulnerable

Page 26: Cryptography in Heavily Constraint Environments

Why Security in Pervasive Applications?

• Pervasive nature and high-volume of nodes increase risk potential (e.g., hacking into a car)

• Wireless channels are vulnerable (passive and active attacks)

• Privacy issues (geo-location, medical sensors, monitoring of home activities, etc.)

• Stealing of services (sensors etc.)

