Towards practical PKC for IoT - RIOT - The friendly...

April 18, 2017 Towards practical PKC for IoT Benjamin Smith (GRACE: INRIA Saclay & École polytechnique)


Page 1: Towards practical PKC for IoT - RIOT - The friendly ...riot-os.org/files/RIOT-Seminar-2017/RIOT-Spring-Seminar-Smith.pdf · Towards practical PKC for IoT ... IoT needs full-sized



Secure (adj.) Source: wiktionary.org

1. Free from attack or danger; protected.
2. Free from the danger of theft; safe.
3. Free from the risk of eavesdropping, interception or discovery; secret.
4. Free from anxiety or doubt; unafraid.
5. Firm and not likely to fail; stable.
6. Free from the risk of financial loss; reliable.
7. Confident in opinion; not entertaining, or not having reason to entertain, doubt; certain; sure;
8. Overconfident; incautious; careless.

Towards practical public-key crypto for IoT / Benjamin Smith (GRACE) 8/10/2014 - 1


Traditional view of crypto: the science of secrecy.
Modern view of crypto: secrecy and authenticity.
Authenticate devices, data, connections, identities...

Trusting IoT: “Positive progress”? Security “partially solved”? ...
For cryptographers: more like “worst nightmare”.


IoT = a ubiquitous, pervasive, embedded, decentralised distributed computing platform.

Virtually unsecured, and mostly unmaintained.
Society is totally exposed, totally vulnerable.


When it comes to security, there is no “half a sofa”.

IoT needs full-sized security, simply because our adversaries do not have the same constraints on power, time, memory, access.


My research interests: developing more streamlined, aerodynamic sofas.

Also, more efficient public-key crypto algorithms.


Symmetric cryptosystems
- Encryption: Message + key → ciphertext
- Decryption: Ciphertext + key → message
- Authentication: Message + key → MAC,
  Message + MAC + key → {Accept|Reject}
Symmetric = same key everywhere.

Basic support for strong symmetric crypto in RIOT:
- I found AES (standard), ChaCha20 (cool), 3DES (wtf?!)
- Lots of tools missing (hash functions, authenticators), but
- Good news: these should not be hard to port and,
- Great news: these should not be hard to actually run.


All symmetric cryptosystems have a built-in logistical problem: key distribution.

1. Every pair of communicating entities needs a unique shared secret key
2. Sharing secret keys: needs a trusted middleman, or secure communication ⇒ chicken/egg.

The traditional lightweight solution, pre-shared keys, is problematic and often impossible.


Public-key cryptography
1. Solves the key distribution problem (e.g. ECDH = Elliptic Curve Diffie–Hellman)
2. Permits digital signatures (e.g. ECDSA, EdDSA)

Bad news: all public-key systems are based on hard mathematical problems (e.g. factorisation, discrete logarithms, lattices...)
⇒ Each cryptographic operation requires an intensive algebraic computation.
⇒ serious space/time overhead—and this is why IoT is a public-key cryptographer’s worst nightmare.


µKummer: PKC for microcontrollers
With J. Renes, P. Schwabe, L. Batina (Radboud U. Nijmegen)

Targeting 128-bit security level (∼ AES).
Starting-point: elliptic curve-based systems, which at least have small enough keys (32 bytes) for IoT.
Existing implementations tend to be (necessarily) slow and stack-heavy.
Our approach: use number theory and algebraic geometry to improve the underlying algorithms, then write efficient C/assembly implementations.


What a Kummer surface looks like


µKummer software
Free, public domain C/assembly implementation of Diffie–Hellman key exchange and Schnorr signatures targeting the 128-bit security level on
- AVR ATMega (8-bit architecture)
- ARM Cortex M0 (32-bit architecture)

Presented at CHES 2016.
Download it: http://www.cs.ru.nl/~jrenes


Comparison for 8-bit architecture (AVR ATmega):

Protocol            Object       kCycles        Stack bytes
Diffie–Hellman      Curve25519   13900          494
                    µKummer      9513 (68%)     99 (20%)
Schnorr signing     Ed25519      19048          1473
                    µKummer      10404 (55%)    926 (63%)
Schnorr verifying   Ed25519      30777          1226
                    µKummer      16241 (53%)    992 (75%)

Comparison for 32-bit architecture (ARM Cortex M0):

Multiplication for  Object       kCycles        Stack bytes
Diffie–Hellman      Curve25519   3590           548
                    µKummer      2634 (73%)     248 (45%)
Schnorr             NIST-P256    10730          540
                    µKummer      2709 (25%)     968 (179%)

Curve25519 = Dull-Haase-Hinterwalder-Hutter-Paar-Sanchez-Schwabe ’15
Ed25519 = Nascimento-Lopez-Dahab ’15
NIST-P256 = Wenger-Unterluggauer-Werner ’13


Next...
Current work: new signature schemes with same (or better) speed, but much less stack usage.


Take-home
- Strong symmetric crypto for IoT is ready, but needs to be ported and used.
- Until now, public key has been way too heavy (and the keys way too big) to use...
- We’re developing useable public-key algorithms.
- It would be great to see them available in RIOT.
