Security in Heavily Constrained Environments
Francisco Rodríguez-Henríquez
CINVESTAV-IPN
Sección de Computación, Depto. de Ing. Eléctrica
Introduction
Mobile Internet has made information exchange a common practice among mobile-device users. Most of the time this information is confidential, which is why we need to protect data more than ever. The techniques needed to protect data belong to the field of cryptography, but cryptography is only one part of computer security. WAP has a security layer called WTLS, which defines the protocols used to provide security on mobile devices.
Background
Mobile Commerce requirements:
Secure exchange of documents and data via the Mobile Internet
Secure payment transactions via the Mobile Internet
Background (2)
Computer Security
Privacy/E2E-security: encryption, decryption
Authentication: PIN verification, digital signatures
Integrity: digital signatures, MAC
Non-repudiation: digital signatures
Cryptography
Public Key Algorithms: RSA, ECC
Private Key Algorithms: AES, DES
Characteristics of Traditional IT Applications
Mostly based on interactive (= traditional) computers
"One user – one computer" paradigm
Static networks
Large number of users per network
Q: How will the IT future look?
Traditional Security Applications
(wireless) LAN / WLAN (Local Area Network)
Traditional Security Applications
WAN (Wide Area Network)
Other Traditional Security Applications
Antivirus
Firewalls
Biometrics
The IT Future
2. Bridge sensors
3. Cleaning robots
6. Car with various IT services
8. Networked robots
9. Smart street lamps
14. Pets with electronic sensors
15. Smart windows
Characteristics of Pervasive Computing Systems
Embedded nodes (no traditional computers)
Connected through wireless, close-range network (“Pervasive networks”)!
Ad-hoc networks: Dynamic addition and deletion of nodes
Power/computation/memory constrained! Vulnerable
Why Security in Pervasive Applications?
Pervasive nature and high volume of nodes increase risk potential (e.g., hacking into a car)
Wireless channels are vulnerable (passive and active attacks)
Privacy issues (geo-location, medical sensors, monitoring of home activities, etc.)
Stealing of services (sensors etc.)
Examples for Pervasive Computing
PDAs, 3G cell phones, ...
Living spaces will be stuffed with nodes
So will cars
Wearable computers (clothes, eye glasses, etc.)
Household appliances
Smart sensors in infrastructure (windows, roads, bridges, etc.)
Smart bar codes (autoID)
"Smart Dust"
...
Will that ever become reality??
We don’t know, but: CPUs sold in 2000
Security and Economics of Pervasive Networks
"One-user many-nodes" paradigm (e.g. 10^2-10^3 processors per human)
Many new applications we don't know yet
Very high volume applications
Very cost sensitive
People won't be willing to pay for security per se
People won't buy products without security
Where are the challenges for embedded security?
Designers worry about IT functionality, security is ignored or an afterthought
Attacker has easy access to nodes
Security infrastructure (PKI etc.) is missing: Protocols???
Side-channel and tamper attacks
Computation/memory/power constrained
Why do constraints matter?
Almost all ad-hoc protocols (even routing!) require crypto ops for every hop
At least symmetric alg. are needed
Asymmetric alg. allow fancier protocols
Question: What type of crypto can we do?
Classification by Processor Power
Very rough classification of embedded processors
Class      Description          Speed : high-end Intel
Class 0    few 1000 gates       ?
Class 1    8 bit µP, 10 MHz     1 : 10^3
Class 2    16 bit µP, 50 MHz    1 : 10^2
Class 3    32 bit µP, 200 MHz   1 : 10
Case Study Class 0: RFID
Recall: Class 0 = no µP, few 1000 gates
Goal: RFID as bar code replacement
Cost goal 5 cent (!)
allegedly 500 x 10^9 bar code scans worldwide per day (!!)
AutoID tag: security "with 1000 gates" [CHES 02]
Ell. curves (asymmetric alg.) need > 20,000 gates
DES (symmetric alg.) needs > 5,000 gates
Lightweight stream ciphers might work
Status Quo: Crypto for Class 1
Recall: Class 1 = 8 bit µP, 10 MHz
Symmetric alg.: possible at low data rates
Asymm. alg.: very difficult without coprocessor
Status Quo: Crypto for Class 2
Recall: Class 2 = 16 bit µP, 50 MHz
Symmetric alg.: possible
Asymm. alg.: possible if carefully implemented, and algorithms carefully selected (ECC feasible; RSA & DL still hard)
Status Quo: Crypto for Class 3
Recall: Class 3 = 32 bit µP, 200 MHz
Symmetric alg.: possible
Asymm. alg.: full range (ECC, RSA, DL) possible, some care needed for implementation
Open (Research) Questions
1. Symmetric algorithms for class 0 (e.g., 1000 gates) which are secure and well understood?
2. Alternative asymm. alg. for class 0 and class 1 (8 bit µP) with 10x time-area improvement over ECC?
3. Are asymm. alg. which are “too short” (e.g., ECC with 100 bits) usable?
4. Ad-hoc protocols without long-term security needs?
5. Side-channel protection at very low costs?
Security Challenges: Many Security Assumptions Change
No access to backbone: PKI does not work
New threats: sleep deprivation attack
Old threats (e.g., confidentiality) not always a problem
Nodes have incentives to cheat in protocols
Security protocols ???
Our Research
Crypto algorithms in highly constrained environments
Low-cost hardware for public-key algorithms
Ultra low-cost hardware for symmetric algorithms
Software for public-key, symmetric algorithms on low-end processors
Protocols for ad-hoc networks
Secure communication in complex technical systems (airplanes, cars, etc.)
Establishing trust in networks