Transcript
Page 1: Security  in Heavily Constraint Environments

Security in Heavily Constraint Environments

Francisco Rodríguez-Henríquez

CINVESTAV-IPN

Sección de Computación, Depto. de Ing. Eléctrica

Page 2: Security  in Heavily Constraint Environments

Introduction

Mobile Internet has made information exchange a common practice among mobile-device users. Most of the time this information is confidential, which is why we need to protect data more than ever.

The techniques needed to protect data belong to the field of cryptography, but cryptography is only one part of computer security.

WAP has a security layer called WTLS, which defines the protocols used to provide security on mobile devices.

Page 3: Security  in Heavily Constraint Environments

Background

Mobile Commerce requirements:

Secure exchange of documents and data via the Mobile Internet

Secure payment transactions via the Mobile Internet

[Figure labels: Internet, Mobile Devices]

Page 4: Security  in Heavily Constraint Environments

Background (2)

Computer Security

Privacy/E2E-security: encryption, decryption

Authentication: PIN verification, digital signatures

Integrity: digital signatures, MAC

Non-repudiation: digital signatures

Cryptography

Page 5: Security  in Heavily Constraint Environments

Cryptography

Public Key Algorithms: RSA, ECC

Private Key Algorithms: AES, DES

Page 6: Security  in Heavily Constraint Environments

Characteristics of Traditional IT Applications

Mostly based on interactive (= traditional) computers

"One user – one computer" paradigm

Static networks

Large number of users per network

Q: How will the IT future look?

Page 7: Security  in Heavily Constraint Environments

Traditional Security Applications

(Wireless) LAN / WLAN (Local Area Network)

Page 8: Security  in Heavily Constraint Environments

Traditional Security Applications

WAN (Wide Area Network)

Page 9: Security  in Heavily Constraint Environments

Other Traditional Security Applications

Antivirus

Firewalls

Biometrics

Page 10: Security  in Heavily Constraint Environments

The IT Future

2. Bridge sensors

3. Cleaning robots

6. Car with various IT services

8. Networked robots

9. Smart street lamps

14. Pets with electronic sensors

15. Smart windows

Page 11: Security  in Heavily Constraint Environments

Characteristics of Pervasive Computing Systems

Embedded nodes (no traditional computers)

Connected through wireless, close-range network (“Pervasive networks”)!

Ad-hoc networks: Dynamic addition and deletion of nodes

Power/computation/memory constrained! Vulnerable

Page 12: Security  in Heavily Constraint Environments

Why Security in Pervasive Applications?

Pervasive nature and high volume of nodes increase risk potential (e.g., hacking into a car)

Wireless channels are vulnerable (passive and active attacks)

Privacy issues (geo-location, medical sensors, monitoring of home activities, etc.)

Stealing of services (sensors etc.)

Page 13: Security  in Heavily Constraint Environments

Examples for Pervasive Computing

PDAs, 3G cell phones, ...

Living spaces will be stuffed with nodes

So will cars

Wearable computers (clothes, eye glasses, etc.)

Household appliances

Smart sensors in infrastructure (windows, roads, bridges, etc.)

Smart bar codes (autoID)

“Smart Dust”

...

Page 14: Security  in Heavily Constraint Environments

Will that ever become reality??

We don’t know, but: CPUs sold in 2000

Page 15: Security  in Heavily Constraint Environments

Security and Economics of Pervasive Networks

"One-user many-nodes" paradigm (e.g. 10^2-10^3 processors per human)

Many new applications we don't know yet

Very high volume applications

Very cost sensitive

People won't be willing to pay for security per se

People won't buy products without security

Page 16: Security  in Heavily Constraint Environments

Where are the challenges for embedded security?

Designers worry about IT functionality, security is ignored or an afterthought

Attacker has easy access to nodes

Security infrastructure (PKI etc.) is missing: Protocols???

Side-channel and tamper attacks

Computation/memory/power constrained

Page 17: Security  in Heavily Constraint Environments

Why do constraints matter?

Almost all ad-hoc protocols (even routing!) require crypto ops for every hop

At least symmetric alg. are needed

Asymmetric alg. allow fancier protocols

Question: What type of crypto can we do?

Page 18: Security  in Heavily Constraint Environments

Classification by Processor Power

Very rough classification of embedded processors

Class 0: few 1000 gates; speed : high-end Intel = ?

Class 1: 8 bit µP, 10MHz; speed : high-end Intel = 1 : 10^3

Class 2: 16 bit µP, 50MHz; speed : high-end Intel = 1 : 10^2

Class 3: 32 bit µP, 200MHz; speed : high-end Intel = 1 : 10

Page 19: Security  in Heavily Constraint Environments

Case Study Class 0: RFID

Recall: Class 0 = no µP, few 1000 gates

Goal: RFID as bar code replacement

Cost goal 5 cent (!)

allegedly 500 x 10^9 bar code scans worldwide per day (!!)

AutoID tag: security “with 1000 gates” [CHES 02]

Ell. curves (asymmetric alg.) need > 20,000 gates

DES (symmetric alg.) needs > 5,000 gates

Lightweight stream ciphers might work

Page 20: Security  in Heavily Constraint Environments

Status Quo: Crypto for Class 1

Recall: Class 1 = 8 bit µP, 10MHz

Symmetric alg: possible at low data rates

Asymm. alg: very difficult without coprocessor

Page 21: Security  in Heavily Constraint Environments

Status Quo: Crypto for Class 2

Recall: Class 2 = 16 bit µP, 50MHz

Symmetric alg: possible

Asymm. alg: possible if carefully implemented, and algorithms carefully selected (ECC feasible; RSA & DL still hard)

Page 22: Security  in Heavily Constraint Environments

Status Quo: Crypto for Class 3

Recall: Class 3 = 32 bit µP, 200MHz

Symmetric alg: possible

Asymm. alg: full range (ECC, RSA, DL) possible, some care needed for implementation

Page 23: Security  in Heavily Constraint Environments

Open (Research) Questions

1. Symmetric algorithms for class 0 (e.g., 1000 gates) that are secure and well understood?

2. Alternative asymm. alg. for class 0 and class 1 (8 bit µP) with 10x time-area improvement over ECC?

3. Are asymm. alg. which are “too short” (e.g., ECC with 100 bits) usable?

4. Ad-hoc protocols without long-term security needs?

5. Side-channel protection at very low costs?

Page 24: Security  in Heavily Constraint Environments

Security Challenges: Many Security Assumptions Change

No access to backbone: PKI does not work

New threats: sleep deprivation attack

Old threats (e.g., confidentiality) not always a problem

Nodes have incentives to cheat in protocols

Security protocols ???

Page 25: Security  in Heavily Constraint Environments

Our Research

Crypto algorithms in highly constrained environments

Low-cost hardware for public-key algorithm

Ultra low-cost hardware for symmetric algorithms

Software for public-key, symmetric algorithms on low-end processors

Protocols for ad-hoc networks

Secure communication in complex technical systems (airplanes, cars, etc.)

Establishing trust in networks

