Considerations in Securing Connected Devices. Chris Conlon

Transcription

1

2 Considerations in Securing Connected Devices Chris Conlon

3 Where are we located? Seattle, WA Portland, OR Bozeman, MT San Jose, CA BRAZIL João Pessoa Tokyo, JP Open Source 10 employees worldwide Creating SSL/crypto since 2006

4 Outline 1. MITM Attacks 2. SSL/TLS a. Optimizing for resource-constrained devices b. Current Standards 3. IPSec 4. Hardware Cryptography 5. Random Number Generation 6. Code Signing / Secure Firmware Updates 7. Key Generation and Storage 8. Closing

5 Connected Device Security " Security should be high priority from the start. " Hear about exploits / vulnerabilities daily Stuxnet attack on SCADA systems [11] VxWorks vulnerability via open diagnostics service [8] Insulin pump hacked to dispense fatal dosage [4] Honeypot experiment shows attackers are targeting SCADA systems [12] Android app vulnerability due to underlying PRNG not seeded correctly [10]

6 Connected Device Security " Attack surface ever increasing 4 th phase of the evolution of the Internet [9] Phase 1: Connected Mainframe Computers Phase 2: E-commerce and on PCs/servers Phase 3: Social connectivity applications / Mobile devices Phase 4: Embedded Internet

7 Connected Device Security " Attack surface ever increasing Phase 4: Embedded Internet Billions of intelligent embedded devices will connect with larger computing systems, and to each other, without human intervention. ~ Intel [9] More than 16 Billion Internet-enabled devices by 2020 ~ The Telegraph [1]

8 MITM Attacks Device Server

9 MITM Attacks Device Server Attacker

10 MITM Attacks Device Server Attacker " What is a Man in the Middle attack? Form of active eavesdropping Attacker impersonates both sides of the connection Oftentimes with malicious intent " A common attack targeting connected systems

11 MITM Attacks Device Server Attacker

12 SSL / TLS (Secure Socket Layer / Transport Layer Security)

13 SSL / TLS " Paint the pipes opaque Frequently used to help prevent MITM attacks Uses authentication (client, server, or both) with encryption Client (unauthenticated) Server (unauthenticated) Client (optional auth) SSL / TLS Server (optional auth)

14 SSL / TLS " Provides secure client/server communication " With the following goals: Privacy + Prevent eavesdropping Authentication + Prevent impersonation Integrity + Prevent modification

15 SSL / TLS: Where does it fit? " Layered between Transport and Application layers Protocols Secured by SSL/TLS SSL Handshake Protocol SSL Change Cipher Spec Protocol SSL Alert Protocol HTTP LDAP, etc. HTTP SMTP, etc. SSL Record Layer Application Layer TCP IP Network Access Transport Layer Internet Layer Network Layer

16 SSL / TLS: Authentication " Do you know who you are talking with??? Alice Bob

17 SSL / TLS: Authentication " Generate a key pair (public and private) Private Public Public Private Alice Bob

18 SSL / TLS: Authentication " X.509 certificate == wrapper around public key Private X509 Cert Public Public X509 Cert Private Alice Bob

19 SSL / TLS: X.509 X509 Cert -----BEGIN CERTIFICATE-----! MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD! VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG! A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu! ewfzc2wuy29tmr0wgwyjkozihvcnaqkbfg5pbmzvqhlhc3nslmnvbtaefw0xmtew! MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE! CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS! BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ! KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP! ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE! ntsbsp0takklz7uhdcg2lersg/elus8n+e/s8yeee5sdr5q/zcx/zsrppuguivvk! NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+! v06x0bdoqagwga8gc0muxxrntdkcb42gwohamtaduh5aciix11jljhowzu8zza7/! egx7wbid1e5ydvbto6m7o5lencjzdiwz2yrzvcbbbfqsu/8ltmtrefrx04zagbow! Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU! M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w! J5HHJteFZcChgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24x! ETAPBgNVBAcTCFBvcnRsYW5kMQ4wDAYDVQQKEwV5YVNTTDEUMBIGA1UECxMLUHJv! Z3JhbW1pbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEW! DmluZm9AeWFzc2wuY29tggkAh0p1vpFm2D0wDAYDVR0TBAUwAwEB/zANBgkqhkiG! 9w0BAQUFAAOCAQEAHHxCgSmeIc/Q2MFUb8yuFAk4/2iYmpVTdhh75jB27CgNdafe! 4M2O1VUjakcrTo38fQaj2A+tXtYEyQAz+3cn07UDs3shdDELSq8tGrOTjszzXz2Q! P8zjVRmRe3gkLkoJuxhOYS2cxgqgNJGIcGs7SEe8eZSioE0yR1TCo9wu0lFMKTkR! /+IVXliXNvbpBgaGDo2dlQNysosZfOkUbqGIc2hYbXFewtXTE9Jf3uoDvuIAQOXO! /easmvfd67tmrmsvgvrgyqjh9jndkktsxgov+efmsmogskwqoeu0w2fnmus2euua! cmynokp2j/4ivip927fvqe4fybfxfhsr4eovwa==! -----END CERTIFICATE-----!

20 SSL / TLS: X.509 X509 Cert Certificate:! Data:! Version: 3 (0x2)! Serial Number:! 87:4a:75:be:91:66:d8:3d! Signature Algorithm: sha1withrsaencryption! Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN= Validity! Not Before: Oct 24 18:21: GMT! Not After : Jul 20 18:21: GMT! Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN= Subject Public Key Info:! Public Key Algorithm: rsaencryption! Public-Key: (2048 bit)! Modulus: 00:c3:03:d1:2b:fe:39:a4!!! Exponent: (0x10001)! X509v3 extensions:! X509v3 Subject Key Identifier:! 33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0! X509v3 Authority Key Identifier:! keyid:33:d8:45:66:d7:68:87:18:7e:54:0d: 70:27:91:C7:26:D7:85:65:C0! DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/ CN= serial:87:4a:75:be:91:66:d8:3d!! X509v3 Basic Constraints:! CA:TRUE! Signature Algorithm: sha1withrsaencryption! 1c:7c:42:81:29:9e:21:cf:d0:d8!

21 SSL / TLS: Authentication " Exchange CA-signed public keys Private X509 Cert CA Public Public X509 Cert CA Private Alice Bob

22 SSL / TLS: Encryption " Uses variety of encryption algorithms to secure data Hash Functions Block and Stream Ciphers Public Key Algorithms MD5, SHA, SHA256 DES, 3DES, AES, RC4 RSA, ECC, DSS CIPHER SUITE

23 SSL / TLS: Encryption " Common cipher suite is negotiated Protocol_keyexchange_WITH_bulkencryp7on_mode_messageauth SSL_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA

24 SSL / TLS: Handshake Client Server 1 Client Hello Cryptographic Info (SSL version, supported ciphers, etc.) 3 Verify server cert, check crypto parameters 2 Server Hello Cipher Suite Server Certificate Server Key Exchange (public key) ( Client Certificate Request ) Server Hello Done 4 Client Key Exchange ( Certificate Verify ) ( Client Certificate ) 5 Verify client cert (if required) 6 Change Cipher Spec Client Finished 7 Change Cipher Spec Server Finished 8 Exchange Messages (Encrypted)

25 SSL / TLS: Standards " Protocol versions SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 DTLS 1.0 Notes: SSL 2.0 is insecure SSL = Secure Sockets Layer TLS = Transport Layer Security DTLS = Datagram TLS 2012 DTLS 1.2

26 SSL / TLS: Standards " Public key operations RSA ECC PSK + Well established + Shorter keys w/ same security + Lower CPU usage + Lower memory usage + Avoid expensive PK ops + Key management convienence

27 SSL / TLS: Standards NIST Recommended Key Sizes Bits of Security Symmetric Key Algorithm Hash Function RSA Key Size ECC Key Size 80 3DES (2 keys) SHA DES (3 keys) SHA AES-128 SHA AES-192 SHA AES-256 SHA NIST Special Publication

28 SSL / TLS: Standards " How widespread is SSL usage? SSL Pulse ( pulse) Published: October 2, 2013 Total sites surveyed: 163,030 Insecure sites: 82,516 Secure sites: 80, % secure sites

29 Optimizing SSL / TLS For resource constrained devices.

30 Optimizing SSL " Challenges when using SSL on devices: Some devices are very small (memory) Some devices are very slow (CPU) " And possibly more No OS, file system, custom transport layers,

31 Optimizing SSL So, what can we do about this?

32 Optimizing SSL " Memory Constraints Compile-out features, protocol versions (SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2) Choose a limited set of cipher suites (ex: RSA vs. ECC vs. PSK) Take advantage of hardware cryptography

33 Optimizing SSL " Memory Constraints Use compiler and toolchain optimizations (ex: gcc -Os, ARM thumb mode, strip library, etc.) Choose smaller key sizes (ex: RSA 1024 vs. 2048) Do you control both sides of the connection? Possible to decrease maximum SSL record size (default: 16kB)

34 Optimizing SSL " Performance Constraints Prioritize faster algorithms over slower ones '#!!" '!!!" &!!"!"#$% %!!" $!!" #!!"!" ()*+,-." /0)*" ()*+--." " ()*" 678).0" *9(" :;(<)#=" (6-$" 6(::7>".0?" 9-+'#&"

35 Optimizing SSL " Performance Constraints Use a faster math library (balancing stack vs. heap usage) Hardware crypto (or assembly) when available (we ll look at a performance comparison later on) PSK when public key operations not possible

36 IPSec (Internet Protocol Security)

37 IPSec " What is IPSec Like SSL, provides confidentiality, integrity, authentication Operates at Layer 3 of OSI model Originally developed in 1998, updated in 2005 (Ref: RFC 4301) Works with IKE (Internet Key Exchange)

38 IPSec " Where does it operate? Application Presentation Session Transport Network Data Link Physical SSL/TLS IPSec

39 IPSec " Integrated vs. Bump-in-the-stack (BITS) Application Presentation Session Transport Network (IPSec) Data Link Physical Application Presentation Session Transport Network IPSec (BITS) Data Link Physical

40 IPSec " Two variants AH (Authentication Header) RFC 4302 Used to authenticate (but not encrypt) IP traffic ESP (Encapsulating Security Payload) RFC 4303 Used for encryption + authentication

41 IPSec vs. SSL / TLS Choosing what s best for your project.

42 IPSec vs. SSL " How they compare: Both fulfill high-level goals ( Confidentiality, Integrity, Authentication ) Major difference is where each sits in network stack SSL/TLS: Layer 5 IPSec: Layer 3

43 IPSec vs. SSL SSL / TLS " Can take advantage of TCP s robustness " Apps can select when they want security " Less resource intensive, smaller footprint IPSec " Apps get security benefits without needing modifications " More complex than SSL must make up for lack of TCP robustness " IPSec / IKE implementation may not fit in low-resource devices

44 Hardware Crypto Size and speed advantages.

45 Hardware Crypto " Many vendors now integrate crypto modules: and others " Hardware RNG " Common algorithms and ciphers Hash Functions: MD5, SHA, SHA256 Block Ciphers: AES, DES, 3DES

46 Hardware Crypto STM32F217 (ARM Cortex-M3, 120 MHz) MB/sec Software Crypto Hardware Crypto AES DES 3DES MD5 SHA

47 Random Number Generation True entropy is important.

48 Random Number Generation " True entropy is important Security of crypto algorithms depend on having good random numbers Can be difficult to gather a good random seed Many hardware vendors now include RNG module

49 Random Number Generation " Recent Android security compromise (08/2013) Apps improperly initialize PRNG before use are vulnerable PRNG wasn t being initialized Result: key generation, signing, PRNG may not receive cryptographically-strong values Fix: Google recommends using /dev/random, dev/urandom

50 Random Number Generation " Terminology TRNG = True Random Number Generator PRNG = Pseudo-random Number Generator DRBG = Deterministic Random Bit Generator

51 Random Number Generation " TRNG = True Random Number Generator Usually derived from natural entropy source in hardware Uses unpredictable process to produce output (ex: ring oscillators, noise diodes, radioactive decay, atmospheric noise, etc.) Critically important to higher-level PRNG/DRBG Recommended to use hardware-based TRNG

52 Random Number Generation " PRNG = Pseudo-random Number Generator Output based on specific algorithm Yields output that is predictable given a known initial state Must be seeded by a true random input

53 Random Number Generation " DRBG = Deterministic Random Bit Generator FIPS term for PRNG FIPS = Federal Information Processing Standards NIST Special Publication Hash_DRBG 2. HMAC_DRBG 3. CTR_DRBG 4. Dual_EC_DRBG (possible backdoor)

54 Code Signing & Secure Firmware Updates Leveraging public key cryptography.

55 Code Signing / SFU " Normal (unsecured) firmware update process New Firmware Embedded Device Firmware Repository Firmware

56 Code Signing / SFU " How to defend against this? Embedded Device Firmware Repository Firmware Malicious Firmware Attacker

57 Code Signing / SFU " How it works: (server side) Public key Private key H = SHA256( New Firmware ) Signature Private key = RSA Private Encrypt(H) = (H) New Firmware Signature

58 Code Signing / SFU " How it works: (client side) New Firmware Signature Transfer to device H1= SHA256( New Firmware ) Get public key from server Public key Public key H2= RSA Public Decrypt( Signature ) = ( Signature ) H1 == H2? YES Embedded Device New Firmware

59 Code Signing / SFU " Tools needed for the job: Hash algorithm (SHA, SHA-256, etc.) Public key algorithm (RSA) Server-side tool Way for device to get public key

60 Key Management Keep your private keys private.

61 Key Management " Security of system depends on private key security " Private keys Embedded in firmware from factory Transferred to embedded device from secure key server Generated on device (always stays on device) " Good Practices Different keys should be used for different functions Keys should change often, to minimize vulnerability

62 Key Management " Key Storage Non-volatile memory: should be encrypted upon storage Secure element (TPM, HSM): Ideal From Embedded Systems Security (Kleidermacher) If attended, can require user input to decrypt keys If unattended, device must implement countermeasures Zeroing out keys if tampered with Failsafe crypto subsystem (automatically zeros keys)

63 In Closing

64 Closing " Current Events (NSA Bullrun, Dual_EC_DRBG) " Where can you learn more? Our white paper which matches this presentation

65 References [1] 16bn devices online by 2020, says report. The Telegraph, 30 Oct < [2] Appendix A: SSL/TLS Overview. wolfssl, < [3] Chapter 12: Best Practices for Embedded Devices. wolfssl, < [4] Hacker Shows Off Lethal Attack By Controlling Wireless Medical Device. Bloomberg, 29 Feb, < [5] Kleidermacher, David, and Mike Kleidermacher. Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development. Waltham: Elsevier, Print. [6] Recommendation for Key Management (Special Publication ). NIST, Mar [7] Recommendation for Random Number Generation Using Deterministic Random Bit Generators (NIST Special Publication ). NIST, Mar [8] Researcher Pinpoints Widespread Common Flaw Among VxWorks Devices. Dark Reading, 20 July, < [9] Rise of the Embedded Internet. Intel, < [10] Some SecureRandom Thoughts. Google, 14 Aug < some-securerandom-thoughts.html> [11] The Real Story of Stuxnet. IEEE Spectrum, 26 Feb < [12] Who s Really Attacking Your ICS Equipment?. Trend Micro, <

66 Chris Conlon wolfssl

67