Security in Heavily Constraint Environments

1. Security in Heavily Constraint Environments Francisco Rodríguez-Henríquez CINVESTAV-IPN Sección de COmputación, Depto. De Ing. Eléctrica

2. Introduction Mobile Internet has made information exchange a common practice among mobile-device users. Most of the times this information is confidential, and that’s why we need to protect data more than ever. The techniques needed to protect data are covered by the field of cryptography but cryptography is only one part of computer security. WAP has a security layer called WTLS where it is defined the protocols used to carry on the security issue in mobile devices.

3. Internet Mobile Devices @ W P Background Mobile Commerce requirements: • Secure exchange of documents and data via the Mobile Internet • Secure payment transactions via the Mobile Internet

4. Computer Security Privacy/E2E-security encryption decryption Cryptography Authentication PIN verification digital signatures Integrity digital signatures MAC Non-repudiation digital signatures Background (2)

5. Cryptography • Public Key Algorithms • RSA • ECC • Private Key Algorithms • AES • DES

6. Characteristics of Traditional IT Applications • Mostly based on interactive (= traditional) computers • „One user – one computer“ paradigm • Static networks • Large number of users per network Q: How will the IT future look?

7. Traditional Security Applications (wireless) LAN / WLAN (Local Area Network)

8. Traditional Security Applications WAN (Wide Area Network)

9. Other Traditional Security Applications • Antivirus • Firewalls • Biometrics

10. The IT Future • 2. Bridge sensors • 3. Cleaning robots • 6. Car with various IT services • 8. Networked robots • 9. Smart street lamps • 14. Pets with electronic sensors • 15. Smart windows

11. Characteristics of Pervasive Computing Systems • Embedded nodes (no traditional computers) • Connected through wireless, close-range network (“Pervasive networks”)! • Ad-hoc networks: Dynamic addition and deletion of nodes • Power/computation/memory constrained! • Vulnerable

12. Why Security in Pervasive Applications? • Pervasive nature and high-volume of nodes increase risk potential (e.g., hacking into a car) • Wireless channels are vulnerable (passive and active attacks) • Privacy issues (geo-location, medical sensors, monitoring of home activities, etc.) • Stealing of services (sensors etc.)

13. Examples for Pervasive Computing • PDAs, 3G cell phones, ... • Living spaces will be stuffed with nodes • So will cars • Wearable computers (clothes, eye glasses, etc.) • Household appliances • Smart sensors in infrastructure (windows, roads, bridges, etc.) • Smart bar codes (autoID) • “Smart Dust” • ...

14. Will that ever become reality?? We don’t know, but: CPUs sold in 2000

15. Security and Economics of Pervasive Networks • „One-user many-nodes“ paradigm (e.g. 102-103 processors per human) • Many new applications we don‘t know yet • Very high volume applications • Very cost sensitive • People won‘t be willing to pay for security per se • People won‘t buy products without security

16. Where are the challenges for embedded security? • Designers worry about IT functionality, security is ignored or an afterthought • Attacker has easy access to nodes • Security infrastructure (PKI etc.) is missing: Protocols??? • Side-channel and tamper attacks • Computation/memory/power constrained

17. Why do constraints matter? • Almost all ad-hoc protocols (even routing!) require crypto ops for every hop • At least symmtric alg. are needed • Asymmetric alg. allow fancier protocols Question: What type of crypto can we do?

18. Classification by Processor Power Very rough classification of embedded processors Class speed : high-end Intel Class 0: few 1000 gates ? Class 1: 8 bit P,  10MHz  1: 103 Class 2: 16 bit P,  50MHz  1: 102 Class 3: 32 bit P,  200MHz  1: 10

19. Case Study Class 0: RFID Recall: Class 0 = no P, few 1000 gates • Goal: RFID as bar code replacement • Cost goal 5 cent (!) • allegedly 500 x 109 bar code scans worldwide per day (!!) • AutoID tag: security “with 1000 gates” [CHES 02] • Ell. curves (asymmetric alg.) need > 20,000 gates • DES (symmetric alg.) needs > 5,000 gates • Lightweight stream ciphers might work

20. Status Quo: Crypto for Class 1 Recall: Class 1 = 8 bit P,  10MHz Symmetric alg: possible at low data rates Asymm.alg: very difficult without coprocessor

21. Status Quo: Crypto for Class 2 Recall: Class 2 = 16 bit P,  50MHz Symmetric alg: possible Asymm.alg: possible if • carefully implemented, and • algorithms carefully selected (ECC feasible; RSA & DL still hard)

22. Status Quo: Crypto for Class 3 Recall: Class 1 = 32 bit P,  200MHz Symmetric alg: possible Asymm.alg: full range (ECC, RSA, DL) possible, some care needed for implementation

23. Open (Research) Questions • Symmetric algorithm for class 0 (e.g., 1000 gates) which are secure and well understood? • Alternative asymm. alg. for class 0 and class 1 (8 bit P) with 10x time-area improvement over ECC? • Are asymm. alg. which are “too short” (e.g., ECC with 100 bits) usable? • Ad-hoc protocols without long-term security needs? • Side-channel protection at very low costs?

24. Security Challenges: Many Security Assumptions Change • No access to backbone: PKI does not work • New threats: sleep deprivation attack • Old threats (e.g., confidentiality) not always a problem • Nodes have incentives to cheat in protocols • Security protocols ???

25. Our Research Crypto algorithms in highly constrained environments • Low-cost hardware for public-key algorithm • Ultra low-cost hardware for symmetric algorithms • Software for public-key, symmetric algorithms on low-end processors Protocols for ad-hoc networks • Secure communication in complex technical systems (airplanes, cars, etc.) • Establishing trust in networks