210 likes | 297 Views
EMBEDDED SECURITY. EEN 417 Fall 2013. 9 /6/13, Dr. Eric Rozier , V1.0, ECE Thanks to Edward Lee and Sanjit Seshia of UC Berkeley. SECURITY. Compare with:
E N D
EMBEDDED SECURITY EEN 417 Fall 2013 9/6/13, Dr. Eric Rozier, V1.0, ECE Thanks to Edward Lee and SanjitSeshia of UC Berkeley
Compare with: Reliability = the fraction of time that a system performs its specified function for a specified period of time under stated operating conditions ) What’s different: New kinds of functions Worst-case adversarial conditions What is Security?
Secrecy/Privacy Can secret data be leaked to an attacker? Integrity Can the system be modified by the attacker? Availability Is the system always able to perform its function? (Is “denial-of-service” possible?) What is Security?
Security is increasingly a major concern for embedded systems designers Voiced by representatives from GM, Boeing, and United Technologies in recent workshop in St. Louis Need to know about the security pitfalls in design & implementation of embedded systems Security is a full topic, we can’t do it justice in this course. EEN 595 – Computer Security – Dr. Zonouz About this Lecture
Authentication • For a user/process • Establish and verify identity • Make access control decisions • For a data stream • Validate integrity – Has it been modified by an untrusted actor?
General Process Get authentication information Validate Set access control restrictions Allow access
Authentication • Three factors • Something you have • Key, card • Something you know • Password • Something you are • Biometrics
Multi-Factor Authentication • Factors can be combined • ATM system: 2-factor • ATM card • PIN
Password Authentication Protocol • Reusable passwords • Database stores mappings • Username:password • Prompt client for key value pair • Look up in the database and see if they match
Challenge-Handshake Authentication Protocol • Shared secret • Hash of challenge and secret proves knowledge of the shared secret. Challenge Server Client Hash(Challenge, Secret) OK
Problems with PAP • What if the password file has insufficient protections? • Even if trusted sources see your password, it may be the key to several systems! • Hash passwords • Use salt on hashes to prevent dictionary attacks
Another Solution • One-time passwords • What if the user had a different password each time? • Generate a list of passwords!
Another Solution • One-time passwords • What if the user had a different password each time? • Generate a list of passwords! • Produces a limited number of authenticated sessions • Relies on one-way functions
One time passwords • Alice wants to get into Wonderland • Wonderland isn’t happy with reusable passwords. • Pick a random number, R and a one-way function f(x) • x1 = f(R) • x2 = f(x1) = f(f(R)) • … • x100 = f(x99) = f(f(x98)) = …
One time passwords • Store x101 in a database for Alice • Alice presents the last number on her list, x100. • Host computes and compares to x101. • Next time Alice gives x99. • Why do it this way?
RSA SecureID • Ask for password (something you know) • Ask for RSA SecureID value (something you have)
RSA SecureID • Token computes key • Time of day • Known seed • (shared secret!) • Server knows token given a user • Computers key fromseed and time of day
RSA SecureID • f(seed, PIN, time) • Intruders lack: seed, f(), PIN • Stealing card, or PINisn’t enough