Challenges for a quantum-safe Internet of Things

Transcription

1 Challenges for a quantum-safe Internet of Things Oscar Garcia-Morchon, Ronald Rietman, Ludo Tolhuizen Philips 1

2 Agenda IoT: requirements and challenges Device lifecycle and security needs Architectural options HIMMO Conclusions 2

3 Internet of Things Some use cases and features Constrained links Device to device Large network Low power Long-term Identify devices Low power Robust Speed Robust architecture Small packets Private data Low power 3

4 Abstracting Server 1 Server 2 Server s Device 2 Device 1 Device 3 Device d 4

5 Device 2 Device 3 Device d 5

6 Many Requirements Energy efficiency Small and real-time Simple operation Manufacturing Distribution Installation Operation Re-configuration End-of-life Device lifecycle Long term security 6

7 Why Security in IoT? Your privacy & safety Company image and IPR National security Economy 7

8 Why is Security Challenging in IoT? Main reasons Business case budget constrains tight resources Application lifecycle operational constrains Lead to many challenges DoS resistance Protocol translation End-to-end security Bootstrapping security Network access control (IP networks) Group membership and security IP network dynamics Long term security Software upgrade Intrusion detection Penetration testing Fine grained access control Re-selling devices System heritage Crypto agility (limited resources) 8

9 Why is Security Challenging in IoT? Main reasons Business case budget constrains tight resources Application lifecycle operational constrains Lead to many challenges DoS resistance Protocol translation End-to-end security Bootstrapping security Network access control (IP networks) Group membership and security IP network dynamics Long term security Software upgrade Intrusion detection Penetration testing Fine grained access control Re-selling devices System heritage Crypto agility (limited resources) Quantum-resistance Challenge: Long term efficient and scalable management of keys/credentials of devices 9

10 Why is Security Challenging in IoT? Main reasons Business case budget constrains tight resources Application lifecycle operational constrains Lead to many challenges DoS resistance Protocol translation End-to-end security Bootstrapping security Network access control (IP networks) Group membership and security IP network dynamics Long term security Software upgrade Intrusion detection Penetration testing Fine grained access control Re-selling devices System heritage Crypto agility (limited resources) Quantum-resistance Challenge: Long term efficient and scalable management of keys/credentials of devices 10

11 Device Lifecycle and Security Needs Root of trust Root of trust Server 1 Server s Device 1 Device 2 Device 3 Device d 11

12 Device Lifecycle and Security Needs Security infrastructure Root of trust Root of trust Server 1 Server s Network access Device 1 Manufacturing Device 2 Device 3 Operation Device d 12

13 Device Lifecycle and Security Needs Security infrastructure Infrastructure Out-of-band (secure manufacturing) and in-band (Internet) provisioning Root of Efficient resistance to root capture trust Long term security Key escrow Root of trust Server 1 Server s Network access Device 1 Manufacturing Device 2 Device 3 Operation Device d 13

14 Device Lifecycle and Security Needs Security infrastructure Infrastructure Out-of-band (secure manufacturing) and in-band (Internet) provisioning Root of Efficient resistance to root capture trust Long term security Key escrow Root of trust Server 1 Server s Network access Backend authentication/authorization Device Device authentication/authorization 1 Device identification/blacklisting Manufacturing DoS prevention Network access Device 2 Operation Device d Device 3 14

15 Device Lifecycle and Security Needs Security infrastructure Infrastructure Out-of-band (secure manufacturing) and in-band (Internet) provisioning Root of Efficient resistance to root capture trust Long term security Key escrow Network access Backend authentication/authorization Device Device authentication/authorization 1 Device identification/blacklisting Manufacturing DoS prevention Root of trust Operation Key agreement Collusion resistance Server 1 Server s Quantum resistance Easy protocol integration Network access Forward security and key escrow Credential verification, e.g., public-keys Device 2 Operation Device 3 Device d 15

16 Architectural Options Configuration Operation KDC CA PGK TTP 16

17 Architectural Options Configuration Operation KDC CA PGK TTP 17

18 HIMMO Efficient Collusion- and Quantum-Resistant Key Pre-Distribution Scheme 1) Setup 2) Keying material extraction 3) Operational protocol TTP Secret R(x, y) TTP A K A,B ID G ID (x) E K A,B (m) Configuration parameters ID B K B,A Identity-based key exchange with implicit authentication 18

19 HIMMO Efficient collusion- and quantum- resistant Easy protocol integration (TLS, MAC-layer level protocols, etc) Features Key exchange Identity-based Multiple TTP support Credential certification and verification One-way key exchange and authentication in 30 Bytes Advantages Low overhead Blacklisting feasible Secure out-of-the-box Resilient TTP infrastructure Supports both forward secrecy & key escrow Can fit Internet and Internet of Things use cases A TLS B 19

20 + Information and Contest for Open Verification 20

21 Conclusions The IoT covers a plethora of use cases with very diverse needs IoT has many security challenges ahead; many more in the advent of quantum computers: efficiency, transition, key/credential management The key challenge: efficient and scalable management of keys/credentials of devices through their lifecycle HIMMO is an efficient collusion- and quantum-resistant key predistribution scheme overcoming this problem 21

22

23 Key Pre-Distribution Scheme A key pre-distribution scheme involves a trusted third party TTP and nodes N 1,, N l and consists of the following three components. Setup. An algorithm run by TTP for generating secret root keying material R and public system parameter P, given a security parameter. Extract. An algorithm run by TTP for generating secret keying material s x for a given node N x, given root keying material R and system parameter P. Key establishment. A protocol run by node N x and N y for generating shared key k x,y, given secret keying material s x and s y, and system parameter P. 23

24 Rationale Features of KPS Efficient Any node can directly obtain a pairwise key with any other any node Based on identities so that it is possible to verify them Multiple TTP support so that a single TTP does not have access to all keys X KPS collusion resistance Our goal with HIMMO was to achieve collusion resistance while keeping the rest of nice features 24

25 HIMMO in Practice Extraction R TTP I s x x,s x 25

26 HIMMO in Practice One-way key exchange and entity authentication k x,y x,s x AE kx,y M, h y,s y k y,x 26

27 HIMMO in Practice Implicit certification and verification of parameters R TTP I x (and any parameters (e.g., access roles) in it) is implicitly verified k x,y x,s x AE kx,y M, h y,s y k y,x 27

28 HIMMO in Practice Multiple TTP support R I R II R III TTP I TTP II TTP III x (and any parameters (e.g., access roles) in it) is implicitly verified Single TTP does not have access to communication k x,y x,s x AE kx,y M, h y,s y k y,x O. Garcia-Morchon, R. Rietman, S. Sharma, L. Tolhuizen, J.L., Torre-Arce. DTLS-HIMMO Efficiently Securing a Post-Quantum World with a Fully- Collusion Resistant KPS. In ESORICS 2015; also presented at NIST workshop on Cybersecurity in a Post-Quantum World,

29 HIMMO in Practice HIMMO for certification of public-keys R I R II R III TTP I TTP II TTP III Single TTP cannot fake the MAC that verifies x s public key (pu x ) k pux,pu y pu x, s pux MAC kpu x,puy pu x, h pu y, s puy k pux,pu y O. Garcia-Morchon, R. Rietman, L. Tolhuizen, J.L. Torre-Arce, S. Bhattacharya and M. Bodlaender "Efficient quantum-resistant trust Infrastructure based on HIMMO", IACR eprint Archive, Report

30 Attacks Paths and Security Analysis Eve has any set of c compromised keying materials s x1,, s xc. Eve s goal is to find the key shared between Alice and Bob, k a,b. Attack paths: Try to recover k a,b by attacking the TTP: recovers R, s x, and any k x,y. Try to recover k a,b by attacking Alice s s a (or Bob): recovers s a, and any k a,y. Try to recover k a,b only. Security analysis for the above attack paths is described here O. Garcia-Morchon, R. Rietman, L. Tolhuizen, J.L. Torre-Arce, M.S. Lee, D. Gomez- Perez, J. Gutierrez, B. Schoenmakers, "Attacks and parameter choices in HIMMO", ", IACR eprint Archive, Report

31 About the HIMMO Contest No time limit, you can take as much time as you need Five challenges for b = Euros per solved challenge Challenge t HIMMO HIMMO HIMMO HIMMO HIMMO

32 Performance Classical Quantum Size of the generated key (bits) Target security level (bits) m b (bits) t (estimation based on BKZ2.0) Number of HIMMO instances 5 19 Identity size (Bytes) Signature size (Bytes) One-way key exchange (Bytes) One-way key exchange & entity authentication (Bytes) PC time (ms) NXP 120 MHz time (ms) Required Root Hermite factor (best attack) Pre-processing running time for LLL (years)