
EMBEDDED SECURITY

EMBEDDED SECURITY. EEN 417 Fall 2013. 9/6/13, Dr. Eric Rozier, V1.0, ECE. Thanks to Edward Lee and Sanjit Seshia of UC Berkeley.


Presentation Transcript


  1. EMBEDDED SECURITY EEN 417 Fall 2013 9/6/13, Dr. Eric Rozier, V1.0, ECE Thanks to Edward Lee and Sanjit Seshia of UC Berkeley

  2. SECURITY

  3. What is Security? Compare with: Reliability = the fraction of time that a system performs its specified function for a specified period of time under stated operating conditions. What’s different: • New kinds of functions • Worst-case adversarial conditions

  4. What is Security? • Secrecy/Privacy: Can secret data be leaked to an attacker? • Integrity: Can the system be modified by the attacker? • Availability: Is the system always able to perform its function? (Is “denial-of-service” possible?)

  5. About this Lecture • Security is increasingly a major concern for embedded systems designers • Voiced by representatives from GM, Boeing, and United Technologies in a recent workshop in St. Louis • Need to know about the security pitfalls in design & implementation of embedded systems • Security is a full topic; we can’t do it justice in this course. • EEN 595 – Computer Security – Dr. Zonouz

  6. Authentication • For a user/process • Establish and verify identity • Make access control decisions • For a data stream • Validate integrity – Has it been modified by an untrusted actor?

  7. General Process • Get authentication information • Validate • Set access control restrictions • Allow access

  8. Authentication • Three factors • Something you have • Key, card • Something you know • Password • Something you are • Biometrics

  9. Multi-Factor Authentication • Factors can be combined • ATM system: 2-factor • ATM card • PIN

  10. Password Authentication Protocol • Reusable passwords • Database stores mappings • Username:password • Prompt client for key value pair • Look up in the database and see if they match

  11. Challenge-Handshake Authentication Protocol • Shared secret • Hash of challenge and secret proves knowledge of the shared secret. [Diagram: message exchange between Server and Client: Challenge, Hash(Challenge, Secret), OK]

  12. Problems with PAP • What if the password file has insufficient protections? • Even if trusted sources see your password, it may be the key to several systems! • Hash passwords • Use salt on hashes to prevent dictionary attacks

  13. Another Solution • One-time passwords • What if the user had a different password each time? • Generate a list of passwords!

  14. Another Solution • One-time passwords • What if the user had a different password each time? • Generate a list of passwords! • Produces a limited number of authenticated sessions • Relies on one-way functions

  15. One time passwords • Alice wants to get into Wonderland • Wonderland isn’t happy with reusable passwords. • Pick a random number, R and a one-way function f(x) • x1 = f(R) • x2 = f(x1) = f(f(R)) • … • x100 = f(x99) = f(f(x98)) = …

  16. One time passwords • Store x101 in a database for Alice • Alice presents the last number on her list, x100. • Host computes f(x100) and compares it to x101. • Next time Alice gives x99. • Why do it this way?

  17. RSA SecurID

  18. RSA SecurID • Ask for password (something you know) • Ask for RSA SecurID value (something you have)

  19. RSA SecurID • Token computes key • Time of day • Known seed • (shared secret!) • Server knows token given a user • Computes key from seed and time of day

  20. RSA SecurID • f(seed, PIN, time) • Intruders lack: seed, f(), PIN • Stealing the card or the PIN isn’t enough

  21. More in Laboratory 1!
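
The one-time password scheme of slides 15 and 16, as an added example that is not part of the original lecture. It shows that the host stores only a value that cannot itself be used to log in and that a captured password is useless afterwards. SHA-256 as the one-way function f and the names make_chain, Host and demo are assumptions made for illustration.

```python
import hashlib
import secrets


def f(x: bytes) -> bytes:
    """One-way function f(x). SHA-256 is an assumption; the slides only say f."""
    return hashlib.sha256(x).digest()


def make_chain(R: bytes, n: int) -> list[bytes]:
    """Return [x1, ..., xn] with x1 = f(R) and x(i+1) = f(x(i))."""
    chain, x = [], R
    for _ in range(n):
        x = f(x)
        chain.append(x)
    return chain


class Host:
    """Keeps one value per user: the link just above the user's list (x101)."""

    def __init__(self, stored: bytes):
        self.stored = stored

    def login(self, presented: bytes) -> bool:
        # Accept only if one application of f maps the presented value
        # onto the stored one (f(x100) == x101 on the first login).
        if not secrets.compare_digest(f(presented), self.stored):
            return False
        # Move the stored value down one link, so the password just used
        # can never be accepted again.
        self.stored = presented
        return True


def demo() -> dict:
    R = secrets.token_bytes(32)        # constructed sample: Alice's random R
    alice = make_chain(R, 100)         # x1..x100, held by Alice
    host = Host(f(alice[-1]))          # x101 = f(x100), held by the host
    x100 = alice.pop()
    return {
        "stored_value_rejected": host.login(host.stored),  # x101 itself fails
        "x100_accepted": host.login(x100),
        "x100_replayed": host.login(x100),                 # captured value reused
        "x99_accepted": host.login(alice.pop()),
        "sessions_left": len(alice),
    }
```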
