Servicios de seguridad en ambientes computacionales altamente restringidos

1
Servicios de seguridad en ambientes
computacionales altamente restringidos
Francisco Rodríguez-Henríquez CINVESTAV-IPN Depto.
de Ingeniería Eléctrica Sección de Computación
2
Antecedents and Motivation
3
Security Systems by layers
Applications Secure e-mail, Digital Money, Smart
Cards, Firewalls, etc.
Communication Protocols SSL, TLS, WTLS, WAP,
etc.
Security Services Confidentiality, Data
Integrity, Data Authentication, Non-Repudiation
Crypto User Functions Encrypt/Decrypt,
Sign/verify
Public Key Crypto Algorithms RSA, ECC Symmetric
Crypto Algorithms AES, DES, RC4, etc.
Computer Arithmetic Addition, Squaring,
multiplication, inversion and exponentiation
4
Security Services

• Confidentiality - protect info value
• Authentication - protect info origin (sender)
• Identification - ensure identity of users
• Integrity - protect info accuracy
• Non-repudiation - protect from deniability
• Access control - access to info/resources
• Availability - ensure info delivery

5
Some Practical Applications

• "Any sufficiently advanced technology is
  indistinguishable from magic.
• Arthur C. Clarke.
• secure mail
• secure communications
• network authentication
• electronic voting
• electronic notary
• digital money (digital wallet)
• data distribution

6
Characteristics of Traditional IT Applications

• Mostly based on interactive ( traditional)
  computers
• One user one computer paradigm
• Static networks
• Large number of users per network
• Q How will the IT future look?

7
The IT Future

• Bridge sensors
• Cleaning robots
• Car with various IT services
• Networked robots
• Smart street lamps
• Pets with electronic sensors
• Smart windows

8
Characteristics of Ubiquitous Computing Systems

• Embedded nodes (no traditional computers)
• Connected through wireless, close-range network
  (Pervasive networks)!
• Ad-hoc networks Dynamic addition and deletion of
  nodes
• Power/computation/memory constrained!
• Vulnerable

9
Examples for Ubiquitous Computing

• PDAs, 3G cell phones, ...
• Living spaces will be stuffed with nodes
• So will cars
• Wearable computers (clothes, eye glasses, etc.)
• Household appliances
• Smart sensors in infrastructure (windows, roads,
  bridges, etc.)
• Smart bar codes (autoID)
• Smart Dust
• ...

10
Security and Economics of Ubiquitous Computing

• One-user many-nodes paradigm (e.g. 102-103
  processors per human)
• Many new applications we dont know yet
• Very high volume applications
• Very cost sensitive
• People wont be willing to pay for security per
  se
• People wont buy products without security

11
Where are the challenges for embedded security?

• Designers worry about IT functionality, security
  is ignored or an afterthought
• Attacker has easy access to nodes
• Security infrastructure (PKI etc.) is missing
  Protocols???
• Side-channel and tamper attacks
• Computation/memory/power constrained

12
Will that ever become reality??

• We dont know, but CPUs sold in 2000

13
Implementation Platforms
14
Platforms

• Cryptographic algorithms can be implemented
  through
• Software
• ASIC
• FPGAs
• Choice of platform depends upon
• Algorithm performance
• Cost
• Flexibility

15
Platform Implementation for Cryptographic
Algorithms
16
Platform Comparison
ASIC
Processor
Reconfigurable Hardware
Performance
Flexibility
Unit Cost
Development Cost
17
Platform Features

• Software
• Maximum flexibility ? Low Performance
• Low cost
• ASIC
• High performance ? No flexibility at all
• ? High cost
• FPGAs
• Reasonable flexibility
• Low cost
• High performance

18
Why Crypto-algorithms in Hardware

• Two main reasons
• Software implementations are too slow for some
  applications (symmetric alg encryption rates
  100 Mbit/sec public-key alg gt 10 msec)
• Hardware implementations are intrinsically more
  physically secure Key access and algorithm
  modication is considerably harder.

19
But why reconfigurable hardware?

• Potential advantages of crypto algorithms
  implemented on reconfigurable platforms
• Algorithm Agility
• Algorithm Upgrade
• Architecture Efficiency
• Resource Efficient
• Algorithm Modification
• (Throughput relative to software)
• (Cost Efficiency relative to ASICs)

20
Crypto and FPGAs Algorithm Agility

• Observation Modern security protocols are
  defined to
• be algorithm independent
• Encryption algorithm is negotiated on a
  per-session basis.
• Wide variety of ciphers can be required. Ex
  IPsec-allowed algorithms DES, 3DES, Blow-Fish,
  CAST, IDEA, RC4 and RC6, future extensions!
• Same holds for public-key algorithms, e.g.,
  Diffie-Hellman and ECDH.
• Recall that ASIC solutions can provide
  algorithm agility
• only at high costs.

21
Crypto and FPGAs Algorithm Upgrade

• Applications may need upgrade to a new algorithm
  because
• Current algorithms was broken (DES)
• Standard expired (again DES)
• New standard was created (AES)
• Algorithm list of algorithm independent protocol
  was extended
• Upgrade of ASIC-implemented algorithm is
  practically
• infeasible if many devices are affected or in
  applications
• such as satellite communications.

22
Crypto and FPGAs Architecture Efficiency

• In certain cases a hardware architecture can be
  much more efficient if it is designed for a
  specific set of parameters. Parameters for
  cryptographic algorithms can be for example the
  key, the underlying finite field, the coefficient
  used (e.g., the specific curve of an ECC system),
  and so on. Generally speaking, the more specific
  an algorithm is implemented the more efficient it
  can become.

23
Crypto and FPGAs Resource Efficiency

• Observation The majority of security protocols
  uses
• private-key as well as public-key algorithms
  during one session, but not simultaneous.
• Same FPGA device can be used for both through run
• time reconguration.

24
Crypto and FPGAs Algorithm Modification

• Some applications require Public algorithms (such
  as AES candidates) with proprietary modules,
  e.g., proprietary S-boxes or permutations.
• Change of modes of operations (feedback modes,
• counter mode, etc.)
• Crypto-analytical implementation, such as
  key-search
• machines, may use slightly altered version of the
• algorithms.
• With FPGAs, these changes can readily be
  implemented.

25
FPGA Field programmable Gate Arrays
26
Configurable Logic Block
4
Combinational Logic
16x1 RAM
4
1-bit reg
1-bit reg
1-bit reg
1-bit reg
4
Combinational Logic
16x1 RAM
4
Logic Mode
Memory Mode
27
Virtex-II Pro
Feature/Product XC2VP2 XC2VP4 XC2VP7 XC2VP20 XC2VP30 XC2VP40 XC2VP50 XC2VP70 XC2VP100 XC2VP125
EasyPath cost reduction - - - - XCE2VP30 XCE2VP40 XCE2VP50 XCE2VP70 XCE2VP100 XCE2VP125
Logic Cells 3,168 6,768 11,088 20,880 30,816 43,632 53,136 74,448 99,216 125,136
Slices 1,408 3,008 4,928 9,280 13,696 19,392 23,616 33,088 44,096 55,616
BRAM (Kbits) 216 504 792 1,584 2,448 3,456 4,176 5,904 7,992 10,008
18x18 Multipliers 12 28 44 88 136 192 232 328 444 556
Digital Clock Management Blocks 4 4 4 8 8 8 8 8 12 12
Config (Mbits) 1.31 3.01 4.49 8.21 11.36 15.56 19.02 25.6 33.65 42.78
PowerPC Processors 0 1 1 2 2 2 2 2 2 4
Max Available Multi-Gigabit Transceivers 4 4 8 8 8 12 16 20 20 24
Max Available User I/O 204 348 396 564 644 804 852 996 1164 1200
1 Logic Cell (1) 4-input LUT (1) FF (1)
Carry Logic 1 CLB (4) Slices
http//www.xilinx.com/products/tables/fpga.htmv2p
28
Wireless Ad-Hoc Network
29
Smart Cards
30
Smart Cards
31
Smart Cards
32
Smart Cards
33
Multi-hop cellular

• Set of base stations connected to a backbone
  (like in cellular)
• Potentially, multi-hop communication between the
  mobile station and the base station (unlike in
  cellular)

D
S
34
Multi-hop cellular

• Advantages
• Energy consumption of the mobile stations can be
  reduced
• Immediate side effect Reduced interference
• Number of base stations (fixed antennas) can be
  reduced
• Coverage of the network can be increased
• Closely located mobile stations can communicate
  independently from the infrastructure (ad hoc
  networking)
• Disadvantages
• Routing?
• Synchronization?

35
A model

• Multi-hop up-link
• Single-hop down-link
• Problem How to encourage the nodes to relay
  packets for the benefit of other nodes?

D
S
36
Where are the challenges for embedded security?

• Designers worry about IT functionality, security
  is ignored or an afterthought
• Attacker has easy access to nodes
• Security infrastructure (PKI etc.) is missing
  Protocols???
• Side-channel and tamper attacks
• Computation/memory/power constrained

37
Why do constraints matter?

• Almost all ad-hoc protocols (even routing!)
  require crypto ops for every hop
• At least symmetric alg. are needed
• Asymmetric alg. allow fancier protocols
• Question What type of crypto can we do?

38
Security on Different Embedded Processors
39
Classification by Processor Power

• Very rough classification of embedded processors
• Class speed high-end Intel
• Class 0 few 1000 gates ?
• Class 1 8 bit ?P, ? 10MHz ? 1 103
• Class 2 16 bit ?P, ? 50MHz ? 1 102
• Class 3 32 bit ?P, ? 200MHz ? 1 10

40
Case Study Class 0 RFID
41
Case Study Class 0 RFID

• Recall Class 0 no ?P, few 1000 gates
• Goal RFID as bar code replacement
• Cost goal 5 cent (!)
• allegedly 500 x 109 bar code scans worldwide per
  day (!!)
• AutoID tag security with 1000 gates CHES 02
• Ell. curves (asymmetric alg.) need gt 20,000 gates
• DES (symmetric alg.) needs gt 5,000 gates
• Lightweight stream ciphers might work

42
RFIDs Applications

• Expired Milk Reported
• Within two decades, the minuscule transmitters
  are expected to replace the familiar product bar
  codes
• Alerting consumers
• help you manage your inventory a lot better
• tell you that a prescription is in the waiting
  bin
• provide details to marketers about a family's
  eating
• the technology raises privacy concerns

43
Status Quo Crypto for Class 1

• Recall Class 1 8 bit ?P, ? 10MHz
• Symmetric alg possible at low data rates
• Asymm.alg very difficult without coprocessor

44
Status Quo Crypto for Class 2

• Recall Class 2 16 bit ?P, ? 50MHz
• Symmetric alg possible
• Asymm.alg possible if
• carefully implemented, and
• algorithms carefully selected (ECC feasible RSA
  DL still hard)

45
Status Quo Crypto for Class 3

• Recall Class 3 32 bit ?P, ? 200MHz
• Symmetric alg possible
• Asymm.alg full range (ECC, RSA, DL) possible,
  some care needed for implementation

46
Our Research
47
Our Research

• Crypto algorithms in highly constrained
  environments
• Reconfigurable hardware implementation for
  public-key algorithms Symmetric Algorithms.
• Crypto algorithms in mobile constrained
  environments
• Software for public-key Cryptography Symmetric
  algorithms on mobile processors

48
Advanced Encryption Standard (AES)
49
AES Advanced Encryption Standard (Rijndael)
With Nazar A. Saqib
Plain Text
128
AES
Key
128

• AES Processes
• Key Scheduling
• Encryption
• Decryption

128
Cipher Text
50
AES Advanced Encryption Standard (Rijndael)
With Nazar A. Saqib
USER KEY
SUB KEY
SUB KEY
IN
OUT
ARK
BS
ARK
BS
SR
ARK
(ROUND-1)
SR
MC
BS Byte Substitution SR Shift Rows MC Mix
Column ARK Add Round Key
51
Data Path for Encryption/Decryption
Encryption MI AF SR MC ARK Decryption
ISR IAF MI ModM MC ARK
52
AES Performance Figures
Design Device CLB Slices Throughput (Mbits/sec)
Ichikawa et al4 VLSI ------- 1950
Weeks et al 5 VLSI ------- 5163
Lutz et a 7 VLSI ------- 2260
Elbirt et al 6 XCV1000 9004 1940
McLoone et al 3 XCV3200E 7576 3239
This design XCV2600E 5677 4121
53
Elliptic Curve Cryptography (ECC)
54
Elliptic Curve Cryptography With Nazar A. Saqib
Scalar Multiplication Q k P
Elliptic Curve Operation
Point doubling Q2P Point addition RPQ
Multiplication Squaring,Addition etc.
GF(2m) Arithmetic
55
Karatsuba Multiplier GF(2191)
56
Point Addition and Point Doubling
57
Scalar Point Multiplication
Reference Field Platform kP (in ?Sec)
Satoh et al GF(2160) 0.13 ? CMOS 190
Orlando Paar GF(2167) XCV400E 210
Gura et al GF(2163) XCV2000E 143
Bednara et al GF(2191) XCV1000BG 270
This Work GF(2191) XCV3200E 57
58
Wireless Authentication Protocols
59
Seguridad en WAPcon Laura Itzelt Reyes Montiel
En el caso de WAP, los servicios de seguridad son
proporcionados por la capa WTLS
60
Versión Robusta
AES TDES CAST IDEA Twofish
IDEA
Se busca en el anillo de claves públicas del
emisor
RSA
CCE
61
Versión compacta
RC4 RC5 A5 SEAL
IDEA
Se busca en el anillo de claves públicas del
emisor
CCE
RSA
62
Protocolo de Negociación Completo
Fase 1
Fase 2
Fase 3
Fase 4
63
Niveles de Seguridad en WTLS
El nivel de seguridad ofrecido con una llave RSA
de 1024 bits es comparable al nivel ofrecido por
CCE con las curvas 160P,163K,163R asimismo, las
curvas 224P,233K,233R exhiben un n nivel de
seguridad comparable con una clave RSA de 2048
bits.
64
Tiempos Obtenidos WTLS -Clase 1
65
Tiempos Obtenidos WTLS -Clase 2