260 likes | 348 Views
Cryptography in Heavily Constraint Environments. Christof Paar EUROBITS Center for IT Security CO mmunication S ecurit Y (COSY) Group University of Bochum, Germany www.crypto.rub.de. Contents . Pervasive computing and embedded systems Pervasive computing and security
E N D
Cryptography in Heavily Constraint Environments Christof Paar EUROBITS Center for IT Security COmmunication SecuritY (COSY) Group University of Bochum, Germany www.crypto.rub.de
Contents • Pervasive computing and embedded systems • Pervasive computing and security • Constrained environments and crypto • Research problems Workshop on Ad-Hoc Security 2002
Characteristics of Traditional IT Applications • Mostly based on interactive (= traditional) computers • „One user – one computer“ paradigm • Static networks • Large number of users per network Q: How will the IT future look? Workshop on Ad-Hoc Security 2002
Examples for Pervasive Computing • PDAs, 3G cell phones, ... • Living spaces will be stuffed with nodes • So will cars • Wearable computers (clothes, eye glasses, etc.) • Household appliances • Smart sensors in infrastructure (windows, roads, bridges, etc.) • Smart bar codes (autoID) • “Smart Dust” • ... Workshop on Ad-Hoc Security 2002
Will that ever become reality?? We don’t know, but: CPUs sold in 2000 Workshop on Ad-Hoc Security 2002
Security and Economics of Pervasive Networks • „One-user many-nodes“ paradigm (e.g. 102-103 processors per human) • Many new applications we don‘t know yet • Very high volume applications • Very cost sensitive • People won‘t be willing to pay for security per se • People won‘t buy products without security Workshop on Ad-Hoc Security 2002
Where are the challenges for embedded security? • Designers worry about IT functionality, security is ignored or an afterthought • Attacker has easy access to nodes • Security infrastructure (PKI etc.) is missing: Protocols??? • Side-channel and tamper attacks • Computation/memory/power constrained Workshop on Ad-Hoc Security 2002
Why do constraints matter? • Almost all ad-hoc protocols (even routing!) require crypto ops for every hop • At least symmtric alg. are needed • Asymmetric alg. allow fancier protocols Question: What type of crypto can we do? Workshop on Ad-Hoc Security 2002
Classification by Processor Power Very rough classification of embedded processors Class speed : high-end Intel Class 0: few 1000 gates ? Class 1: 8 bit P, 10MHz 1: 103 Class 2: 16 bit P, 50MHz 1: 102 Class 3: 32 bit P, 200MHz 1: 10 Workshop on Ad-Hoc Security 2002
Case Study Class 0: RFID Recall: Class 0 = no P, few 1000 gates • Goal: RFID as bar code replacement • Cost goal 5 cent (!) • allegedly 500 x 109 bar code scans worldwide per day (!!) • AutoID tag: security “with 1000 gates” [CHES 02] • Ell. curves (asymmetric alg.) need > 20,000 gates • DES (symmetric alg.) needs > 5,000 gates • Lightweight stream ciphers might work Workshop on Ad-Hoc Security 2002
Status Quo: Crypto for Class 1 Recall: Class 1 = 8 bit P, 10MHz Symmetric alg: possible at low data rates Asymm.alg: very difficult without coprocessor Workshop on Ad-Hoc Security 2002
Status Quo: Crypto for Class 2 Recall: Class 2 = 16 bit P, 50MHz Symmetric alg: possible Asymm.alg: possible if • carefully implemented, and • algorithms carefully selected (ECC feasible; RSA & DL still hard) Workshop on Ad-Hoc Security 2002
Status Quo: Crypto for Class 3 Recall: Class 1 = 32 bit P, 200MHz Symmetric alg: possible Asymm.alg: full range (ECC, RSA, DL) possible, some care needed for implementation Workshop on Ad-Hoc Security 2002
Open (Research) Questions • Symmetric algorithm for class 0 (e.g., 1000 gates) which are secure and well understood? • Alternative asymm. alg. for class 0 and class 1 (8 bit P) with 10x time-area improvement over ECC? • Are asymm. alg. which are “too short” (e.g., ECC with 100 bits) usable? • Ad-hoc protocols without long-term security needs? • Side-channel protection at very low costs? Workshop on Ad-Hoc Security 2002
Related Events at theEUROBITS Center in Bochum www.crypto.rub.de • Workshop on Side-Channel Attacks on Smart CardsJanuary 30-31, 2003 Workshop on Ad-Hoc Security 2002
Cryptographic Hardware and Embedded Systems September 7-10 chesworkshop.org
Security Challenges: Many Security Assumptions Change • No access to backbone: PKI does not work • New threats: sleep deprivation attack • Old threats (e.g., confidentiality) not always a problem • Nodes have incentives to cheat in protocols • Security protocols ??? Workshop on Ad-Hoc Security 2002
Our Research Crypto algorithms in highly constrained environments • Low-cost hardware for public-key algorithm • Ultra low-cost hardware for symmetric algorithms • Software for public-key, symmetric algorithms on low-end processors Protocols for ad-hoc networks • Secure communication in complex technical systems (airplanes, cars, etc.) • Establishing trust in networks Workshop on Ad-Hoc Security 2002
Traditional Security Applications Very often: computer & communication networks! • (wireless) LAN / WLAN (Local Area Network) • WAN (Wide Area Network) • PKI (Public Key Infrastructure) Workshop on Ad-Hoc Security 2002
Traditional Security Applications (wireless) LAN / WLAN (Local Area Network) Workshop on Ad-Hoc Security 2002
Traditional Security Applications WAN (Wide Area Network) Workshop on Ad-Hoc Security 2002
Traditional Security Applications PKI (Public Key Infrastructure) enables secure LAN, WAN Workshop on Ad-Hoc Security 2002
Other Traditional Security Applications • Antivirus • Firewalls • Biometrics Workshop on Ad-Hoc Security 2002
The IT Future • 2. Bridge sensors • 3. Cleaning robots • 6. Car with various IT services • 8. Networked robots • 9. Smart street lamps • 14. Pets with electronic sensors • 15. Smart windows Workshop on Ad-Hoc Security 2002
Characteristics of Pervasive Computing Systems • Embedded nodes (no traditional computers) • Connected through wireless, close-range network (“Pervasive networks”)! • Ad-hoc networks: Dynamic addition and deletion of nodes • Power/computation/memory constrained! • Vulnerable Workshop on Ad-Hoc Security 2002
Why Security in Pervasive Applications? • Pervasive nature and high-volume of nodes increase risk potential (e.g., hacking into a car) • Wireless channels are vulnerable (passive and active attacks) • Privacy issues (geo-location, medical sensors, monitoring of home activities, etc.) • Stealing of services (sensors etc.) Workshop on Ad-Hoc Security 2002