Security in sensors, an important requirement for embedded systems

Transcription

1 Security in sensors, an important requirement for embedded systems Georg Sigl Institute for Security in Information Technology Technical University Munich Fraunhofer AISEC Institute for Applied and Integrated Security

2 Contents Attack examples Security requirements in sensor systems Selected solutions Lightweight hardware crypto processors Physical Unclonable Functions Security test lab 2

3 Example Tire Pressure Measurement System [Rouf et all]: Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study by Ishtiaq Rouf et al.; IEEE Symposium on Security & Privacy; Oakland, May

4 Attack example [Rouf at al] Privacy: Unique Identification of Cars through Sensor IDs Attack on Safety-critical System 4

5 Requirements: Dependability needs Security Source: AVIZZIENIS ET AL.: BASIC CONCEPTS AND TAXONOMY OF DEPENDABLE AND SECURE COMPUTING IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 1, NO. 1, JANUARY-MARCH

6 Compromised sensors a risk for systems! 6

7 Nothing is too small to be hacked Hackers attacked a Wifi SD Card Running embedded Linux With a Wifi interface Root access Full remote control Reasons: Embedded Linux is everywhere. Simple software security rules are ignored. Neither software nor hardware security measures 7

8 Threats in both directions Background System Attacks on sensors Attacks on background system Sensor 8

9 What do we need in Sensors? Secure communication (often wireless) Integrity of sent information Authentication of device Timeliness of information Optional: Encryption (if privacy is a concern) Protection against modifications of the sensor device Hardware attacks Software attacks Sensors with integrated secure microcontroller 9

10 Sensors with secure microcontrollers Important components in the secure microcontroller Symmetric & asymmetric hardware crypto coprocessors Unique Identity Attack resistant hardware and software Related developments at AISEC Lightweight elliptic curve (asymmetric) cryptography Physical Unclonable Functions for authentication Labs to test hard- and software security 10

11 Lightweight elliptic curve cryptography (ECC) Authentication for car key 163 bit ECC crypto co-processor < 40 4 MHz for all computations 334 bits per transmission Gate complexity only < 7k gate equiv. Much more secure and robust than state-of-the art key systems for vehicles More information: Heyszl, Johann, and Frederic Stumpf. Efficient One-Pass Entity Authentication based on ECC for Constrained Devices. In IEEE Int. Symposium on Hardware-Oriented Security and Trust, pages 88 93, Anaheim, USA, June IEEE Computer Society. 11

12 PUFs as security primitive Unique Physical Property + Measurement = Method Authentication, Key Generation + = PUF Physical Unclonable Function 12

13 Example for a Silicon PUF: Ring Oscillator (RO) PUF Ring oscillator frequencies depend on manufacturing variations Two ROs are compared to obtain a response bit G. E. Suh and S. Devadas. Physical unclonable functions for device authentication and secret key generation Design Automation Conference, DAC th ACM/IEEE, pages 9 14,

14 Smart Card Body Technische Universität München Optical Smartcard PUF (BMBF project UMABASA) LEDs and light sensors in smartcard chip Measurement of unique properties of chip and card body Chip Surface Key generated from measured parameters depends on unique combination of chip and card body Source: Esbach et al., A New Security Architecture for Smartcards Utilizing PUFs,

15 Classes of physical attacks Fault Injection AISEC Security Labs Side channel Probing & Forcing Reverse Engineering 15

16 Conclusion Systems with sensors need security Integrity Security starts in the sensor Sensors need communication controllers with cryptography Solutions for low power and low cost are available Sensors can be used to increase security PUF Use of sensors for key generation Dedicated expertise is required for secure design Fraunhofer AISEC can support you during design and test of innovative solutions! 16