Post on 25-Jul-2020
Michael Hutter
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
1
Sophia Antipolis, 2009 IAIK
VLSI
Michael Hutter IAIK – Graz University of Technology
Michael.Hutter@iaik.tugraz.at www.iaik.tugraz.at
Security in the Internet of Things BUILDING THE INTERNET OF THINGS
From vision to business opportunities
Module 3, Smart Event 2009, Sophia Antipolis, France
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
2
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Contents IT Security
Motivation Cryptographic services Protocols, schemes, and primitives Threats and attacks
The Internet of Things Evolution and technologies in the IoT PCs vs. sensor nodes vs. RFID Why security in the IoT? Killer applications of the IoT
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
3
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Contents Security & Privacy
New attacking scenarios Fault attacks on RFID Side-channel attacks on RFID Emulation of devices
Conclusions Security as enabler Light-weight security Security for passive devices
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
4
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
IT Security ATM System
Clients withdraw money using a smart card
System components Client Smart card ATM machine Banking network GSM System
Mobile phones connect to different network stations
System components Client Mobile phone, SIM card Network station Roaming operator
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
5
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Internet Security Confidential communication
Encrypted email, PGP, transfer of payment details Electronic banking over https eGovernment (online tax declaration)
Integrity of information Signed pdf documents Flight information, …
Access control Gmail, GMX, facebook, …
Commercial servers are protected
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
6
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Security Overview NetworkSecurity
Implementation Security
Organizational Security
Cryptology
OperatingSystemSecurity
SecurityPolicies
IntrusionDetection/
Audit
PersonnelSecurity
HardwareSecurity
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
7
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Cryptographic Services Confidentiality
Integrity
Authentication
Entity Message
Non-repudiation
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
8
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Confidentiality (1) Encryption
Ensures that illicit parties cannot eavesdrop communication
Alice Bob
Internet
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
9
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Confidentiality (2)
Symmetric Same key for both entities
KA=KB
Key distribution problem Key management difficulties Fast and efficient Closed systems (offline)
Asymmetric Public key and private key
KA≠KB
Certificate management Slow and complex Open systems (online
certificates)
Internet
secret key
Internet
Private key Public key
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
10
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Integrity Hash functions provide integrity
Input: message of arbitrary length Output: Fixed length “hash value”
Requirements One-way function: impossible to generate a valid message for a given hash value Impossible to find two messages with the same hash value
Used for Digital signatures Generation of random numbers
Examples SHA-1, SHA-256, MD5 SHA-3 competition (14 submissions in round 2)
2389 ...
Input Data
Fingerprint
AK
CLE
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
11
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Authentication Entity authentication
At least two entities involved Real-time process: offers a timeliness guarantee (through random
numbers or timestamps) Often no meaningful message involved
Message authentication Provided by digital signatures Can be a one-way process (e.g. Internet) Provides a transferable proof Provides additional cryptographic services
Non-repudiation and data integrity
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
12
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Protocols, Schemes, and Primitives Protocols
Used to provide cryptographic services
Sequence of steps
Schemes Basic building blocks of protocols Provide a set of cryptographic
methods (sign, verify, encrypt, decrypt, …)
Primitives Algorithms that rely on
mathematically hard problems Intractability is exploited to provide security
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
13
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Protocol Example Entity authentication protocol ISO/IEC 9798-2 B proofs to A the knowledge of a secret
Challenge-response protocol (unilateral or mutual) Based on an encryption scheme Function f as a cryptographic primitive (using key K)
A
B
RA
f(RA)K
Key K Key K
A
B
RA
f(RA)K , RB
f(RB)K Key K Key K
Unilateral authentication Mutual authentication
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
14
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Threats and Attacks Mathematical attacks: Cryptanalysis
Brute force attacks Factorization attacks, …
Protocol attacks Man-in-the-middle attacks Impersonation, replay, relay, reflection…
Implementation attacks Fault attacks Side-channel attacks
Attacks and analyses constitute an important phase during the design of secure IT systems
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
15
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
The Internet of Things Definitions
…network of physical objects… ... system [...] able to instantaneously identify any kind of object … number of technologies […] that enable the Internet to reach
out into the real world of physical objects…
Characteristics Pervasive Ubiquitous Dynamic and self organizing Heterogeneous and very high number of participants
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
16
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Evolution and Technologies
RFID is one of many enablers for the Internet of things
© www.ariva.de num
ber o
f obj
ects
Time
“Smart things”
Smart cards
PCs
ENIAC
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
17
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Power Supply of Smart Things
Reading range ~ 10 cm
Security high
Price/tag some €
Power cons. < 10mA
Reading range ~ 1-5m
Security Not yet
Price/tag Minimal +-0
Power cons. < 5-10µA
Reading range ~ 100 m
Security well
Price/tag Some 10 €
Power cons. ~ 50mA
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
18
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Do we need Security for Passive RFID?
Let us think 15 years back?
What do we learn?
We cannot predict the “killer applications” of the future
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
19
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Security and Privacy Challenges (1) Devices interact in networks without human
observers Passwords or PINs are inappropriate (undetected eavesdropping)
Different or even new attacks will come up Phishing will not work High potential of new attacks
Stealing nodes Tag cloning Clandestine readers
Implementation attacks pose a serious threat in the IoT
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
20
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
An Example: Fault Attacks on RFID We injected faults during the writing of data Analyzed commercially available HF and UHF
tags Faulty values could be written – undetected!
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
21
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Another Example: Extract Secrets We performed power and EM analysis attacks on
different RFID tags Power analysis
Separated the chip from its antenna Measured the power consumption over a resistor
EM analysis Measured the direct chip emanations
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
22
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Security and Privacy Challenges (2) Emulation of devices and networks of devices
Real time emulation of tags Real time emulation of readers/networks
Lifetime of devices No firmware update for remote devices Not often in the field, but for very long time (> 15 years)
Effects of attacks Pervasive network – people are not aware of the network Remember the year 2000 problem
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
23
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
State of the Art Security Crypto implementation
Tag costs
Communication overhead
Reading distance
Infrastructure overhead
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
24
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Implementation Challenges Limitations of crypto hardware
Chip area ~0.33 mm2
0.35 µm CMOS: 6,000 GE 0.18 µm CMOS: 25,000 GE Die size is proportional to silicon costs Power supply <15µA @ 1.5V
Optimizations Low die-size (area) Low power
Energy consumption per cycle
RF fieldRF field
Vdd
IIC
ISupply
VddMIN
Vdd
IIC
ISupply
VddMIN
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
25
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
An Example: AES on a passive RFID Tag
Features 128-bit Encryption and Decryption Round-key generation included
Architecture 8-bit datapath 256-bit RAM storage
32x8-bit organization
Implementation Details On 0.35 µm CMOS Proven suitability for RFID
0.25 mm2
3,400 GE chip area
3 µA @1.5V at 106 kHz 1,032 clock cycles
AES-128
Con
trolle
r
RAM32 x 8-bit
Data Unit
startread
finished
data_out
data_in
reset
enc
TINA
Secure
TINA
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
26
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Another Example: ECC for RFID Features
163-bit Elliptic-Curve Cryptography on a Chip (ECCON) Based on asymmetric cryptography over GF(2m)
Architecture 16-bit datapath 163x7-bit RAM storage
Implementation Details On 180 nm CMOS ISO 15693 RFID interface Proven suitability for RFID
13,685 GE chip area
6 µA @1.8V at 106 kHz 306,000 clock cycles
TINA
Secure
TINA
ECCON
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
27
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Comparison of Implementations Implemented on same platform Optimized using same methods
Algorithm Chip area [GEs]
Imean [µA @
100kHz, 1.5V]
# Clock cycles
AES-128 3,400 3.0 1,032
SHA-256 10,868 5.83 1,128
SHA-1 8,120 3.93 1,274
MD5 8,001 3.16 712
Trivium 3,090 0.68 (1,603) + 176
Grain 3,360 0.80 (130) + 104
ECC-192 23,600 13.3 500,000
TEA 2,633 3.79 289
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
28
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Secure RFID – Where is it? Crypto implementation
Tag costs
Communication overhead
Reading distance
Infrastructure overhead
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
29
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Requirements for a Successful Launch of a Secure Internet of Things
Education Realistic assumptions Service oriented approach Patience
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
30
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Conclusions Internet of Things and open
RFID infrastructures are meaningless without protection of data
Authentication and data integrity solutions for RFID tags will enable new applications
Heterogeneous networks require the same security level on each part of the network
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
31
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
Conclusions Light-weight security means
“lightweight implementation of secure primitives”
Standardization and use of standardized approaches helps to avoid security holes
Implementation of modern cryptographic primitives is technically possible on passive RFID tags
http://www.iaik.tugraz.at
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
32
Michael Hutter IAIK
VLSI
Sophia Antipolis, 2009
The Future … Attacks on passive RFID recently started TI DST (2006) Keeloq (2008) Mifare (2009)
The Internet of Things a secure network of objects a [..] secure system [...] able to instantaneously and
trustfully identify any kind of object