K21 and Automation System Architecture
Matthew Burnside, [email protected]
MIT Laboratory for Computer Science
January 8, 2002
Jointly with: Dwaine Clarke, Todd Mills, Ali Tariq
Overview
• Problem
• Naïve Solution
• Our Solution
  – 3 Layers
  – 2 Protocols
    • Device-Proxy protocol
    • Proxy-Proxy protocol
Security Goals
• Identification and authentication of resources
  – What is this thing, and is it really what it says it is?
  – E.g., printers, light bulbs, speakers, coffee makers, etc.
• Secure communication with resources
  – E.g., I don’t want anyone to know I am watching “Jerry Springer”
• Provide usage/access permissions
  – Access Control Lists (ACLs) for most resources
The Naïve Solution
• Each device has a public key/private key pair.
  – Communication to the device is encoded with its public key
  – And signed with private key of initiator
• Each transaction goes through a server.
  – Servers maintain ACLs for each device.
  – Centralized, secure server handles all the traffic
Issues to Remember
• Devices are dumb.
  – No public-key crypto on a light bulb.
• Centralization is not necessarily a good idea.
  – Problems with scalability and fault tolerance.
  – Makes ACL maintenance difficult.
Three layers
• Modular architecture
  – Layers can be implemented differently without affecting others
[Figure: “Our System”, drawn as three stacked layers: Security; Routing and Naming; Device communication and Scripting]
Event-Based Communication
All messages are passed in the form of events. For example:
  <STATUS_CHANGE_EVENT, light_bulb=on>
  <COMMAND_EVENT, play_tape=true>
Layer 1: Device Communication
[Figure: three devices, each with a wireless transceiver; a gateway with a wireless transceiver and an Ethernet card; three proxies; the gateway-to-proxy link is labelled UDP/IP]
• A device may also contain a Cricket listener.
• One proxy for every device.
• Each device may have a unique interface to its proxy.
Proxy
• Software representation of the device.
• Translates device actions into events other proxies can interpret (and vice versa).
• Device security handled here; proxy runs on a trusted computer.
Example: Information Appliance
[Figure: VCR with a wireless comm. link to the VCR Proxy; the link carries commands and status]
The proxy has an ACL that limits who can control the VCR.
Example: Location-aware Mobile Speaker
[Figure: speaker with a Cricket listener and a wireless comm. link to the Speaker Proxy; the link carries location and audio data]
Speaker can behave differently based on its location (which is only known to its proxy).
Example: Badge (Key21) Device
[Figure: Key21 badge with a Cricket listener and a wireless link to its proxy]
• A repository for someone’s cryptographic key
• Has understanding of location
• Wireless communication (explained later on)
The proxy has an ACL that limits who else is allowed to know the person’s location.
Automation Scripts
Each proxy can run multiple scripts. Each script generates new events based on input events. For example:
  – ‘Matt has walked into the room’ → Turn on light
  – ‘It’s 6am and it’s a workday’ → Turn on the coffee machine
Layer 2: Routing/Naming Network
[Figure: K21 proxies, device proxies and scripting proxies, grouped into proxy farms, attached to the routing/naming network; a “Play Tape” command from a K21 proxy passes through name resolution and routing to the device proxy]
Example: user wants to play a tape.
• Distributed network of name resolvers/routers
• INS-style names:
  – [id=spk03 [loc=ne43-226] [devtype=speaker]]
  – [id=* [loc=ne43-226] [devtype=speaker]]
  – [id=* [loc=ne43-226] [devtype=*]]
Layer 3: Proxy-Based Security
[Figure: K21, its proxy and a device proxy around the naming/routing network; the device-to-proxy links use the Device-to-Proxy Security Protocol, the proxy-to-proxy links use the Proxy-to-Proxy Security Protocol]
The two-protocol architecture allows simple devices to have a simple protocol, and complex devices to have a sophisticated protocol.
Device-Proxy Security
[Figure: K21 with a Cricket listener and a wireless comm. link to the K21 Proxy; the link carries secure communication and location]
1. Device-dependent protocol.
2. Device and proxy share 128-bit symmetric keys.
3. Communication between device and proxy is encrypted and MAC’d.
4. Sequence numbers used for protection against replay attacks.
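The device-to-proxy exchange in points 2–4, as an added illustration that is not code from the K21 system: the shared 128-bit key is split into an encryption key and a MAC key, each message is encrypted then MACed over its sequence header, and the proxy verifies the MAC first, refuses any sequence number that does not advance, and only then decrypts. Because the Python standard library has no AES, the encryption uses HMAC-SHA256 in counter mode as a stand-in for the device cipher (an assumption, not the project's choice); the key and messages in the test are constructed sample values.

```python
import hashlib, hmac, struct

SEQ_LEN, TAG_LEN = 8, 16  # 64-bit sequence header, 128-bit truncated HMAC tag

class MacError(Exception): pass      # integrity check failed
class ReplayError(Exception): pass   # sequence number not newer than last accepted

def derive_keys(shared_key):
    # Split the single shared 128-bit key into separate encryption and MAC keys.
    k_enc = hmac.new(shared_key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(shared_key, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac

def keystream(k_enc, seq, length):
    # Counter-mode keystream with HMAC-SHA256 as the PRF (stand-in for AES).
    # The sequence number doubles as the per-message nonce, so it must never repeat.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def seal(shared_key, seq, plaintext):
    # Device side: encrypt, then MAC over header + ciphertext (encrypt-then-MAC).
    k_enc, k_mac = derive_keys(shared_key)
    header = struct.pack(">Q", seq)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(k_enc, seq, len(plaintext))))
    tag = hmac.new(k_mac, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    return header + ct + tag

class Receiver:
    """Proxy side: verify the MAC, reject replays, then decrypt."""
    def __init__(self, shared_key):
        self.k_enc, self.k_mac = derive_keys(shared_key)
        self.last_seq = -1  # highest sequence number accepted so far

    def open(self, msg):
        if len(msg) < SEQ_LEN + TAG_LEN:
            raise MacError("message too short")
        header, ct, tag = msg[:SEQ_LEN], msg[SEQ_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.k_mac, header + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise MacError("bad MAC")  # integrity before any state change
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            raise ReplayError("seq %d already seen" % seq)
        self.last_seq = seq  # advance the window only after the MAC passed
        return bytes(a ^ b for a, b in zip(ct, keystream(self.k_enc, seq, len(ct))))
```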
Proxy-Proxy Security
[Figure: K21 proxy and scripting proxy exchanging messages through name resolution and routing; both links are labelled SPKI/SDSI over SSL/TLS]
All proxies talk to each other with the same protocol.
Status
• System design completed and largely implemented.
• Being evaluated in terms of performance and scalability.
• Ongoing work: security issues with anonymous computation and/or minimally-trusted computers.