Embedded TCP/IP-Security - Hitex: Start · 2017-11-20 · TCP/IP Stack Security TCP/IP-Stack...
Transcript of Embedded TCP/IP-Security - Hitex: Start · 2017-11-20 · TCP/IP Stack Security TCP/IP-Stack...
Embedded TCP/IP-Security
Agenda
What is security?
A look into a security data sheet
Symmetric vs. asymmetric cryptography
TCP/IP security
SSL/TLS
CB uSSL
SSH
CB uSSH
Demo
Summary
Page 2 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
What is security?
ITU-T Recommendation X.805: Security architecture for systems providing end-to-end communications
Security dimensions: Security measures designed to address a particular aspect of network security
Access control
Authentication
Non-repudiation
Data confidentiality
Communication security
Data integrity
Availability
Privacy
Page 3 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
Security threats
Destruction of information and other resources
Corruption or modification of information
Theft, removal or loss of information and other resources
Disclosure of information
Interruption of services
Look into a security data sheet
Page 4 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
Symmetric Cryptography
Symmetric encryption = private key cryptography
Algorithms
Data Encryption Standard (DES)
Triple DES (3DES)
Advanced Encryption Standard (AES)
Advantage: Low computational complexity
Disadvantage: Communication partners share private key
How can keys securely be exchanged??
Page 5 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
Source: The Globus Toolkit 4
Programmer's Tutorial,
University of Chicago
Source: Wikipedia
Asymmetric Cryptography I
Asymmetric encryption = public key cryptography
Algorithms
RSA: Security due to cost of factoring a product of two large prime numbers
ElGamal
…
Advantages:
Private key never needs to be transmitted
Provides a method for digital signatures
Disadvantage: High computational complexity
Page 6 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
Source: The Globus Toolkit 4
Programmer's Tutorial,
University of Chicago
Source: Raj Jain, Washington University, Network security lectures on youtube
Public Key Private Key
Asymmetric Cryptography II: Digital signatures and X.509 certificate authentication
Applications:
Message Integrity
Non-repudiation
Algorithms:
Secure Hash (SHA)
Message Digest (MD)
Problem: To whom belongs the public key?
Public key infrastructure (PKI)
CA
X.509 certificates
Page 7 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
Source: http://docs.oracle.com/cd/E19656-01/821-1507/images/digsgn.gif
Certification Authority (CA)
Hash
Hash
Decryption
Hashing Algorithm
Public Key CA
TCP/IP Stack Security
TCP/IP-Stack
Application Layer
SSH FTP
HTTP
POP3
SNMP SMTP
DNS
Telnet
TFTP
DHCP
UDP SSL/TLS TCP Transport Layer
IPv4 ICMP ARP Network Layer
Ethernet
PPP
WLAN
UART Physical Layer
Data Link Layer
SNTP
IMAP4
NAT
KEYGEN
PPP over Ethernet
CTP
IPsec
SSH server and client for secure interactive shell
Secure end to end connection for embedded devices
Point to point security for IP packet networking
Page 8 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
SSL/TLS I
Sits on top of TCP protocol
HTTPS (HyperText Transfer Protocol Secure) = HTTP over SSL/TLS
SSL/TLS services
Crypto negotiation
Secret key exchange
Privacy/Encryption
Integrity
TLS 1.2 (= SSL 3.3)
TLS 1.2 is described in RFC 5246 of The Internet Engineering Task Force (IETF)
TLS consists of five protocols
TCP/IP-Stack
SSH FTP
HTTP
POP3
SNMP SMTP
DNS
Telnet
TFTP
DHCP
UDP SSL/TLS TCP
IPv4 ICMP ARP
Ethernet
PPP
WLAN
UART
SNTP
IMAP4
NAT
KEYGEN
PPP over Ethernet
CTP
IPsec
Page 9 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
SSL/TLS II: Protocols/Layers
SSL/TLS
Handshake Protocol
Change Cypher Spec
Protocol Alert Protocol
Application Data Protocol
Record Protocol
Application Layer
Transport Layer
TCP
HTTP
Symmetric encryption algorithms (AES, DES, 3DES, …) and Message Authentication Codes (SHA, MD5)
Agree on TLS protocol versions and cipher suite, exchange certificates and pre-master secret (RSA, DH)
Start encoding
Warnings, fatal errors
Application data partitioning, compression
Page 10 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
SSL/TLS III: Handshake Protocol
Client Server
Verify Certificate
Generate MS and security parameters
Generate MS and security parameters
Page 11 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
uSSL I
SSL/TLS implementation for embedded MCUs
Supports protocol versions SSL 3, TLS 1.0, TLS 1.1, TLS 1.2
Server and Client
Typical memory requirements
ROM: 60-70 kB
RAM:
― 12-16 kB
― 2.5 kB for additional session
Supported devices: Cortex-M3, Cortex-M4, …
Supported TCP/IP stacks: Keil, FreeRTOS, CMX-MicroNet, Micrium, ThreadX, …
TCP/IP-Stack
SSH FTP
HTTP
POP3
SNMP SMTP
DNS
Telnet
TFTP
DHCP
UDP uSSL TCP
IPv4 ICMP ARP
Ethernet
PPP
WLAN
UART
SNTP
IMAP4
NAT
KEYGEN
PPP over Ethernet
CTP
IPsec
Page 12 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
uSSL II: Architecture and Integration
Application Layer
Transport Layer
TCP
HTTP
net
libs
apps
BSP TCP stack abstraction layer
BSP chipglue
HW
BSP Memory Manager
uSSL
usslsockapi interface (closely matches BSD)
Key exchange, crypto, hash, certificate management, random number generation
BSD compatible interface
Proprietary TCP/IP stack interface
Self-contained dynamic memory byte pool
System timer access for seeding random number generation and session expiration
Page 13 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
SSL/TLS protocol implemen-tation
SSH I
Secure Shell
Provides secure remote logon facility and secure file transfer
SSH1 replaced Telnet
SSH2 documented in RFCs 4250-4256
Organized as three protocols
Transport layer protocol
Authentication protocol
Connection protocol
TCP/IP-Stack
SSH FTP
HTTP
POP3
SNMP SMTP
DNS
Telnet
TFTP
DHCP
UDP SSL/TLS TCP
IPv4 ICMP ARP
Ethernet
PPP
WLAN
UART
SNTP
IMAP4
NAT
KEYGEN
PPP over Ethernet
CTP
IPsec
Page 14 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
SSH II: Protocols/Layers
“Core” SSH
Authentication Protocol Connection Protocol
Transport Layer Protocol
Application Layer
Transport Layer
TCP
Shell, File Transfer
Server authentication, data confidentiality, data integrity, compression
Authenticates the user to the server
Page 15 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
Multiplexes multiple logical communications over a single underlying SSH connection
uSSH
SSH and Secure Tunnel (also called port forwarding)
Server and Client
Secure Remote Access, Management & File Transfer
Interactive Shell
Secure File SCP
Typical memory requirements on Cortex-M3
ROM: 50 kB
RAM: 14 kB
TCP/IP-Stack
uSSH FTP
HTTP
POP3
SNMP SMTP
DNS
Telnet
TFTP
DHCP
UDP SSL/TLS TCP
IPv4 ICMP ARP
Ethernet
PPP
WLAN
UART
SNTP
IMAP4
NAT
KEYGEN
PPP over Ethernet
CTP
IPsec
Page 17 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
uSSL: Demo with MDK-ARM
MCBSTM32F200 board with Cortex-M3 from STMicroelectronics runs embedded web server
Web server waits for HTTPS requests
Keil MDK-ARM project based on uSSL, Keil RTX RTOS and TCP/IP stack
Page 19 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
Client (192.168.1.13) Server (192.168.1.14)
uSSH: Demo with MDK-ARM
Client (192.168.1.13) Server (192.168.1.14)
Page 20 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
MCBSTM32F200 board with Cortex-M3 from STMicroelectronics runs uSSH server
uSSH server waits for requests on port 22
Keil MDK-ARM project based on uSSH, Keil RTX RTOS and TCP/IP stack
Server Shell Command Handler
Summary
Symmetric vs. asymmetric cryptography
TCP/IP security
SSH
SSL/TLS
IPsec
Implementations for embedded system: uSSH, uSSL, uVPN
Demos with Keil MDK-ARM, RTX RTOS and Keil TCP/IP stack
Page 21 2014-07-18 Copyright © Hitex Development Tools 2014. All rights reserved.
TCP/IP-Stack
SSH FTP
HTTP
POP3
SNMP SMTP
DNS
Telnet
TFTP
DHCP
UDP SSL/TLS TCP
IPv4 ICMP ARP
Ethernet
PPP
WLAN
UART
SNTP
IMAP4
NAT
KEYGEN
PPP over Ethernet
CTP
IPsec
Fragen? [email protected] http://www.hitex.de