Security in Information Systems
Summer 2004, Francisco Rodríguez Henríquez
Security services in highly constrained computing environments
Francisco Rodríguez-Henríquez, CINVESTAV-IPN
Department of Electrical Engineering, Computer Science Section
Background and Motivation
Security Systems by layers (top to bottom)
• Applications: Secure e-mail, Digital Money, Smart Cards, Firewalls, etc.
• Communication Protocols: SSL, TLS, WTLS, WAP, etc.
• Security Services: Confidentiality, Data Integrity, Data Authentication, Non-Repudiation
• Crypto User Functions: Encrypt/Decrypt, Sign/Verify
• Public Key Crypto Algorithms: RSA, ECC; Symmetric Crypto Algorithms: AES, DES, RC4, etc.
• Computer Arithmetic: Addition, Squaring, Multiplication, Inversion and Exponentiation
Security Services
• Confidentiality - protect info value
• Authentication - protect info origin (sender)
• Identification - ensure identity of users
• Integrity - protect info accuracy
• Non-repudiation - protect from deniability
• Access control - access to info/resources
• Availability - ensure info delivery
Some Practical Applications
"Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke
• secure mail
• secure communications
• network authentication
• electronic voting
• electronic notary
• digital money (digital wallet)
• data distribution
Characteristics of Traditional IT Applications
• Mostly based on interactive (= traditional) computers
• "One user – one computer" paradigm
• Static networks
• Large number of users per network
Q: How will the IT future look?
The IT Future
• Bridge sensors
• Cleaning robots
• Car with various IT services
• Networked robots
• Smart street lamps
• Pets with electronic sensors
• Smart windows
Characteristics of Ubiquitous Computing Systems
• Embedded nodes (no traditional computers)
• Connected through wireless, close-range network (“Pervasive networks”)!
• Ad-hoc networks: Dynamic addition and deletion of nodes
• Power/computation/memory constrained!
• Vulnerable
Examples of Ubiquitous Computing
• PDAs, 3G cell phones, ...
• Living spaces will be stuffed with nodes
• So will cars
• Wearable computers (clothes, eye glasses, etc.)
• Household appliances
• Smart sensors in infrastructure (windows, roads, bridges, etc.)
• Smart bar codes (autoID)
• "Smart Dust"
• ...
Security and Economics of Ubiquitous Computing
• "One user – many nodes" paradigm (e.g. 10^2–10^3 processors per human)
• Many new applications we don't know yet
• Very high volume applications
• Very cost sensitive
• People won't be willing to pay for security per se
• People won't buy products without security
Where are the challenges for embedded security?
• Designers worry about IT functionality, security is ignored or an afterthought
• Attacker has easy access to nodes
• Security infrastructure (PKI etc.) is missing: Protocols???
• Side-channel and tamper attacks
• Computation/memory/power constrained
Will that ever become reality??
We don't know, but: CPUs sold in 2000 (chart)
Implementation Platforms
Platforms
Cryptographic algorithms can be implemented through:
• Software
• ASIC
• FPGAs
Choice of platform depends upon:
• Algorithm performance
• Cost
• Flexibility
Platform Implementation for Cryptographic Algorithms (diagram)
• Software: general-purpose µProcs, embedded µProcs, etc.
• Classic hardware: VLSI ASIC chips
• Reconfigurable hardware: FPGAs
Platform Comparison (chart: ASIC, reconfigurable hardware and processor compared on performance, flexibility, unit cost and development cost)
Platform Features
• Software: maximum flexibility, low performance, low cost
• ASIC: high performance, no flexibility at all, high cost
• FPGAs: reasonable flexibility, low cost, high performance
Why Crypto-algorithms in Hardware
Two main reasons:
1. Software implementations are too slow for some applications (e.g., symmetric algorithms at encryption rates around 100 Mbit/s; public-key operations that take more than 10 ms in software).
2. Hardware implementations are intrinsically more physically secure: key access and algorithm modification are considerably harder (though, as noted above, side-channel and tamper attacks still apply).
But why reconfigurable hardware?
Potential advantages of crypto algorithms implemented on reconfigurable platforms:
1. Algorithm Agility
2. Algorithm Upgrade
3. Architecture Efficiency
4. Resource Efficiency
5. Algorithm Modification
6. (Throughput relative to software)
7. (Cost Efficiency relative to ASICs)
Crypto and FPGAs: Algorithm Agility
Observation: Modern security protocols are defined to be algorithm independent:
• Encryption algorithm is negotiated on a per-session basis.
• Wide variety of ciphers can be required. Ex: ciphers defined for IPsec ESP: DES, 3DES, Blowfish, CAST-128, IDEA, RC5 (RFC 2451), later AES (RFC 3602), & future extensions!
• Same holds for public-key algorithms, e.g., Diffie-Hellman and ECDH.
Recall that: ASIC solutions can provide algorithm agility only at high costs.
Crypto and FPGAs: Algorithm Upgrade
Applications may need to upgrade to a new algorithm because:
• Current algorithm was broken (DES)
• Standard expired (again DES)
• New standard was created (AES)
• Algorithm list of an algorithm-independent protocol was extended
Upgrade of an ASIC-implemented algorithm is practically infeasible if many devices are affected or in applications such as satellite communications.
Crypto and FPGAs: Architecture Efficiency
In certain cases a hardware architecture can be much more efficient if it is designed for a specific set of parameters. Parameters of cryptographic algorithms can be, for example, the key, the underlying finite field, the coefficients used (e.g., the specific curve of an ECC system), and so on. Generally speaking, the more specifically an algorithm is implemented, the more efficient it can become.
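The parameter-specialisation point can be seen even in software. The following is an added example, not code from the slides: a generic GF(2^m) multiplier that accepts any reduction polynomial, beside one specialised to the NIST K-163/B-163 field polynomial x^163 + x^7 + x^6 + x^3 + 1 (a standard parameter choice; the AES field polynomial appears only as a known-answer check from FIPS-197). The function names and the cross-check routine are this example's own.

```python
import random

# Added example, not from the original slides.
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES field (m = 8), used as a known-answer check
K163_M = 163
K163_POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # NIST K-163 / B-163 field


def gf2m_mul_generic(a, b, poly, m):
    """Generic shift-and-add multiplication in GF(2^m).

    Works for any irreducible polynomial `poly` of degree m. The price of that
    generality: reduction is interleaved, so each of the m steps tests the top
    bit and conditionally XORs the whole (m+1)-bit polynomial in.
    Returns (product, number of conditional reductions performed).
    """
    top = 1 << m
    r, reductions = 0, 0
    for i in range(m - 1, -1, -1):
        r <<= 1                       # r = r * x
        if r & top:                   # degree reached m: reduce
            r ^= poly
            reductions += 1
        if (b >> i) & 1:
            r ^= a                    # r += a * b_i
    return r, reductions


def gf2_clmul(a, b):
    """Carry-less (polynomial) multiply over GF(2); no reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def reduce_k163(c):
    """Reduce deg(c) < 326 modulo x^163 + x^7 + x^6 + x^3 + 1.

    In this field x^163 = x^7 + x^6 + x^3 + 1, so the bits above position 163
    fold back with four fixed shifts. Two passes suffice: after the first the
    degree is below 170, after the second below 163. Because the polynomial is
    baked in, the reduction is eight shift/XOR operations independent of the
    operands; in an FPGA or ASIC it becomes a constant XOR network.
    """
    mask = (1 << K163_M) - 1
    for _ in range(2):
        high = c >> K163_M
        c = (c & mask) ^ (high << 7) ^ (high << 6) ^ (high << 3) ^ high
    return c


def gf2_163_mul(a, b):
    """Multiplication specialised to the K-163 field."""
    return reduce_k163(gf2_clmul(a, b))


def specialised_matches_generic(samples=50, seed=2004):
    """Cross-check: the specialised multiplier agrees with the generic one
    on pseudo-random field elements (seeded, so the check is repeatable)."""
    rng = random.Random(seed)
    for _ in range(samples):
        a = rng.getrandbits(K163_M)
        b = rng.getrandbits(K163_M)
        if gf2_163_mul(a, b) != gf2m_mul_generic(a, b, K163_POLY, K163_M)[0]:
            return False
    return True


if __name__ == "__main__":
    # FIPS-197 known answers in the AES field: {57}*{83} = {c1}, {53}*{ca} = {01}
    print(hex(gf2m_mul_generic(0x57, 0x83, AES_POLY, 8)[0]))
    print(hex(gf2m_mul_generic(0x53, 0xCA, AES_POLY, 8)[0]))
    print(specialised_matches_generic())
```

The generic loop must test and conditionally XOR the full 164-bit polynomial at every one of the 163 steps; the specialised reduction is eight fixed shift/XOR operations whatever the operands, which is what collapses to a handful of XOR gates in hardware. The same reasoning applies to fixing the key or the curve coefficients: constants fold into the logic, and the design loses exactly the flexibility the earlier slides list as the FPGA's advantage, which is why reconfiguration matters when those parameters must change.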
Crypto and FPGAs: Resource Efficiency
Observation: The majority of security protocols use private-key (symmetric) as well as public-key algorithms during one session, but not simultaneously.
The same FPGA device can be used for both through run-time reconfiguration.
Crypto and FPGAs: Algorithm Modification
• Some applications require public algorithms (such as AES candidates) with proprietary modules, e.g., proprietary S-boxes or permutations.
• Change of modes of operation (feedback modes, counter mode, etc.)
• Cryptanalytic implementations, such as key-search machines, may use slightly altered versions of the algorithms.
With FPGAs, these changes can readily be implemented.
FPGA: Field Programmable Gate Arrays
Configurable Logic Block (figure)
• Logic mode: each slice is a block of combinational logic (a 4-input LUT) feeding a 1-bit register.
• Memory mode: the same LUT is used as a 16x1 RAM with a 4-bit address, again followed by a 1-bit register.
Virtex-II Pro
Feature/Product | XC2VP2 | XC2VP4 | XC2VP7 | XC2VP20 | XC2VP30 | XC2VP40 | XC2VP50 | XC2VP70 | XC2VP100 | XC2VP125
EasyPath cost reduction | - | - | - | - | XCE2VP30 | XCE2VP40 | XCE2VP50 | XCE2VP70 | XCE2VP100 | XCE2VP125
Logic Cells | 3,168 | 6,768 | 11,088 | 20,880 | 30,816 | 43,632 | 53,136 | 74,448 | 99,216 | 125,136
Slices | 1,408 | 3,008 | 4,928 | 9,280 | 13,696 | 19,392 | 23,616 | 33,088 | 44,096 | 55,616
BRAM (Kbits) | 216 | 504 | 792 | 1,584 | 2,448 | 3,456 | 4,176 | 5,904 | 7,992 | 10,008
18x18 Multipliers | 12 | 28 | 44 | 88 | 136 | 192 | 232 | 328 | 444 | 556
Digital Clock Management Blocks | 4 | 4 | 4 | 8 | 8 | 8 | 8 | 8 | 12 | 12
Config (Mbits) | 1.31 | 3.01 | 4.49 | 8.21 | 11.36 | 15.56 | 19.02 | 25.6 | 33.65 | 42.78
PowerPC Processors | 0 | 1 | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 4
Max Available Multi-Gigabit Transceivers* | 4 | 4 | 8 | 8 | 8 | 12* | 16* | 20 | 20* | 24*
Max Available User I/O* | 204 | 348 | 396 | 564 | 644 | 804 | 852 | 996 | 1164 | 1200
1 Logic Cell = (1) 4-input LUT + (1) FF + (1) Carry Logic; 1 CLB = (4) Slices
Source: http://www.xilinx.com/products/tables/fpga.htm#v2p
Wireless Ad-Hoc Network
Smart Cards
Multi-hop cellular (figure: source S reaches destination D through intermediate mobile stations and a base station)
• Set of base stations connected to a backbone (like in cellular)
• Potentially, multi-hop communication between the mobile station and the base station (unlike in cellular)
Multi-hop cellular
• Advantages:
– Energy consumption of the mobile stations can be reduced
– Immediate side effect: reduced interference
– Number of base stations (fixed antennas) can be reduced
– Coverage of the network can be increased
– Closely located mobile stations can communicate independently from the infrastructure (ad hoc networking)
• Disadvantages:
– Routing?
– Synchronization?
A model (figure: source S, destination D)
• Multi-hop up-link
• Single-hop down-link
Where are the challenges for embedded security?
• Designers worry about IT functionality, security is ignored or an afterthought
• Attacker has easy access to nodes
• Security infrastructure (PKI etc.) is missing: Protocols???
• Side-channel and tamper attacks
• Computation/memory/power constrained
Why do constraints matter?
• Almost all ad-hoc protocols (even routing!) require crypto ops for every hop
• At least symmetric algorithms are needed
• Asymmetric algorithms allow fancier protocols
Question: What type of crypto can we do?
Security on Different Embedded Processors
Classification by Processor Power
Very rough classification of embedded processors (speed relative to a high-end Intel CPU):
• Class 0: no µP, a few 1000 gates; speed ratio: ?
• Class 1: 8-bit µP, ≤ 10 MHz; speed ratio ≈ 1 : 10^3
• Class 2: 16-bit µP, ≤ 50 MHz; speed ratio ≈ 1 : 10^2
• Class 3: 32-bit µP, ≤ 200 MHz; speed ratio ≈ 1 : 10
Case Study Class 0: RFID
Recall: Class 0 = no µP, few 1000 gates
• Goal: RFID as bar code replacement
• Cost goal 5 cent (!)
• allegedly 500 x 10^9 bar code scans worldwide per day (!!)
• AutoID tag: security "with 1000 gates" [CHES 02]
– Elliptic curves (asymmetric alg.) need > 20,000 gates
– DES (symmetric alg.) needs > 5,000 gates
– Lightweight stream ciphers might work
RFID Applications
• Expired Milk Reported
• Within two decades, the minuscule transmitters are expected to replace the familiar product bar codes
• Alerting consumers
• Help you manage your inventory a lot better
• Tell you that a prescription is in the waiting bin
• Provide details to marketers about a family's eating
• The technology raises privacy concerns
Status Quo: Crypto for Class 1
Recall: Class 1 = 8-bit µP, ≤ 10 MHz
Symmetric algorithms: possible at low data rates
Asymmetric algorithms: very difficult without coprocessor
Status Quo: Crypto for Class 2
Recall: Class 2 = 16-bit µP, ≤ 50 MHz
Symmetric algorithms: possible
Asymmetric algorithms: possible if
• carefully implemented, and
• algorithms carefully selected (ECC feasible; RSA & DL still hard)
Status Quo: Crypto for Class 3
Recall: Class 3 = 32-bit µP, ≤ 200 MHz
Symmetric algorithms: possible
Asymmetric algorithms: full range (ECC, RSA, DL) possible; some care needed for implementation
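The Class 1 to Class 3 verdicts above ("very difficult", "ECC feasible; RSA still hard", "full range possible") can be reproduced with a back-of-the-envelope operation count. The following is an added example, not from the slides: it counts single-word multiplications for an RSA-1024 private-key operation and an ECC-160 scalar multiplication as a function of the word size and clock of each processor class. The per-operation counts are the standard textbook estimates named in the comments (Montgomery CIOS at about 2n^2 + n word multiplications; Jacobian doubling 4M+4S and mixed addition 8M+3S); the figure of 10 clock cycles per word multiplication, including surrounding adds and loads, is an assumption of this example, as are the function names.

```python
# Added example, not from the original slides. Relative magnitudes, not benchmarks.

def words(bits, w):
    """Number of w-bit machine words needed to hold a bits-bit integer."""
    return -(-bits // w)


def modmul_word_mults(bits, w):
    """Word multiplications for one Montgomery modular multiplication
    (CIOS method): about 2n^2 + n for n-word operands."""
    n = words(bits, w)
    return 2 * n * n + n


def rsa_private_word_mults(bits, w, crt=True):
    """Square-and-multiply with a full-length private exponent:
    ~bits squarings + ~bits/2 multiplications = 1.5 * bits modmuls.
    With CRT the work is two exponentiations on half-size moduli."""
    if crt:
        half = bits // 2
        return 2 * ((3 * half) // 2) * modmul_word_mults(half, w)
    return ((3 * bits) // 2) * modmul_word_mults(bits, w)


def ecc_scalar_mult_word_mults(bits, w):
    """Double-and-add over GF(p) in Jacobian coordinates (a = -3 curve):
    doubling ~4M+4S, mixed addition ~8M+3S, squarings counted as multiplies.
    A random scalar gives ~bits doublings and ~bits/2 additions."""
    fm = modmul_word_mults(bits, w)
    return bits * 8 * fm + (bits // 2) * 11 * fm


def seconds(word_mults, mhz, cycles_per_word_mult=10):
    """Wall-clock estimate. The 10 cycles per word multiply (assumed here)
    stand in for the multiply itself plus the adds, carries and loads around it."""
    return word_mults * cycles_per_word_mult / (mhz * 1e6)


# Word size and clock taken from the slides' rough processor classification.
CLASSES = {
    "Class 1 (8-bit, 10 MHz)": (8, 10),
    "Class 2 (16-bit, 50 MHz)": (16, 50),
    "Class 3 (32-bit, 200 MHz)": (32, 200),
}


def estimate_table():
    """Seconds per public-key operation for each processor class."""
    rows = {}
    for name, (w, mhz) in CLASSES.items():
        rows[name] = {
            "RSA-1024 private (CRT)": seconds(rsa_private_word_mults(1024, w), mhz),
            "RSA-1024 private (no CRT)": seconds(rsa_private_word_mults(1024, w, crt=False), mhz),
            "ECC-160 scalar mult": seconds(ecc_scalar_mult_word_mults(160, w), mhz),
        }
    return rows


if __name__ == "__main__":
    for cls, ops in estimate_table().items():
        print(cls)
        for op, t in ops.items():
            print(f"  {op:28s} ~{t:8.3f} s")
```

Under these assumptions an 8-bit, 10 MHz device needs on the order of two seconds for one ECC-160 scalar multiplication and over ten seconds for an RSA-1024 private operation even with CRT; at 16 bits and 50 MHz the ECC operation drops below a tenth of a second while RSA stays well above half a second; at 32 bits and 200 MHz both are tens of milliseconds or less. The model ignores memory bandwidth, the field inversion at the end of the scalar multiplication, and any side-channel countermeasures, all of which add cost, so treat it as a ranking, not a benchmark.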