Pervasive Computing and the Future of Crypto Engineering

Transcription

1 Pervasive Computing and the Future of Crypto Engineering I&C Seminar, EPFL December 15, 2003 Christof Paar Ruhr-Universität Bochum

2 Contents 1. Very Brief History of Crypto Applications 2. What is Pervasive Computing? 3. Security in Pervasive Applications 4. Challenges in Crypto Engineering 5. Related EUROBITS Activities I&C Seminar, EPFL

3 Contents 1. Very Brief History of Crypto Applications 2. What is Pervasive Computing?? 3. Security in Pervasive Applications 4. Challenges in Crypto Engineering 5. Related EUROBITS Activities I&C Seminar, EPFL

4 Do we really need security?

5 I&C Seminar, EPFL Cryptography, ca. 500 B.C Skytale of Sparta

6 I&C Seminar, EPFL Cryptography, ca German Enigma (Polish, British & US break crucial for allied victory in WWII)

7 I&C Seminar, EPFL Cryptography, ca Smart card for banking applications

8 Cryptography, ca Electronic road toll Cryptography: prevents cheating by drivers protects privacy of drivers I&C Seminar, EPFL

9 Cryptography, ca 2010 Brave new pervasive world #2 Bridge sensors #3 Cleaning robots #6 Car with Internet access #8 Networked robots #9 Smart street lamps #14 Pets with electronic sensors #15 Smart windows I&C Seminar, EPFL

10 Contents 1. Very Brief History of Crypto Applications 2. What is Pervasive Computing? 3. Security in Pervasive Applications 4. Challenges in Crypto Engineering 5. Related EUROBITS Activities I&C Seminar, EPFL

11 I&C Seminar, EPFL Pervasive Computing and Embedded Systems Important (yet trivial) observation from an engineering perspective: Pervasive computing is based on embedded systems

12 I&C Seminar, EPFL Is this really Important? Depends on your viewpoint, but: CPUs sold in 2000 Ex. high-end BMW appr. 80 CPUs

13 I&C Seminar, EPFL Characteristics of Traditional IT Applications Mostly based on interactive (= traditional) computers One user one computer paradigm Static networks Large number of users per network Q: How will the IT future look?

14 I&C Seminar, EPFL Examples for Pervasive Computing PDAs, 3G cell phones,... Living spaces will be stuffed with nodes (audio/video) Refrigerators will communicate as will milk bottles Smart sensors in infrastructure (windows, roads, bridges, etc.) Smart Dust Smart bar codes (autoid) Wearable computers (clothes, eye glasses, etc.)...

15 Pervasive Computing Case Study I: Radio Frequency ID (RFID) Smart tags with receiver & some processing Many applications in logisitics, consumer products,... MIT s AutoID Center: smart bar codes bar codes scans per day Cost goal: 5 cents

16 I&C Seminar, EPFL Pervasive Computing Case Study II: Smart Textiles (by Infineon) Sensors in textiles Self-organizing network: fabric can be cut etc. Appl.: fire, motion, and anti-theft sensor Future version will incorporate LEDs

17 Contents 1. Very Brief History of Crypto Applications 2. What is Pervasive Computing? 3. Security in Pervasive Applications 4. Challenges in Crypto Engineering 5. Related EUROBITS Activities I&C Seminar, EPFL

18 I&C Seminar, EPFL Security and Economics of Pervasive Applications One-user many-nodes paradigm (e.g processors per human) Many new applications we don t know yet Very high volume applications Very cost sensitive People won t be willing to pay for security per se People won t buy products without security

19 I&C Seminar, EPFL Security Concerns in Pervasive Applications Often wireless channels vulnerable Hacking into home devices, cars, Contents protection in many applications Pervasive nature and high-volume of nodes increase risk potential Privacy issues (geolocation, medical sensors, monitoring of home activities, etc.) Stealing of services (sensors etc.)

20 I&C Seminar, EPFL Why is Security in Pervasive Networks Difficult? Designers worry about IT functionality, security is ignored or an afterthought Security infrastructure (PKI etc.) is missing: Protocols? Secure embedded OS are difficult Attacker has easy access to nodes (side channel & tamper attacks) Computation/memory/power constrained (red = crypto engineering issues)

21 Do We Really Need Cryptography in Pervasive Applications? Crypto ops for identification is fundamental for embedded security Almost all ad-hoc protocols (even routing!) require crypto ops for every hop At least symmetric alg. are needed Asymmetric alg. allow fancier protocols fi Embedded crypto is enabling technology for pervasive applications. Q. What type of crypto can we do?

22 Classification by Processor Power Very rough classification of embedded processors Class speed : high-end Intel Class 0: few 1000 gates? Class 1: 8 bit µp, 10MHz 1: 10 3 Class 2: 16 bit µp, 50MHz 1: 10 2 Class 3: 32 bit µp, 200MHz 1: 10 I&C Seminar, EPFL

23 Case Study Class 0: RFID for Bar Codes Recall: Class 0 = no µp, few 1000 gates Goal: RFID as bar code replacement AutoID tag: security with 1000 gates [CHES 02] Ell. curves (asymmetric alg.) need > 10,000 gates DES (symmetric alg.) needs a few 1,000 gates Lightweight stream ciphers might work I&C Seminar, EPFL

24 Status Quo: Crypto for Class 1 Recall: Class 1 = 8 bit µp, 10MHz Symmetric alg: possible at low data rates Asymm.alg: very difficult without coprocessor I&C Seminar, EPFL

25 Status Quo: Crypto for Class 2 Recall: Class 2 = 16 bit µp, 50MHz Symmetric alg: possible Asymm.alg: possible if carefully implemented, and algorithms carefully selected (ECC feasible; RSA & DL still hard) I&C Seminar, EPFL

26 Status Quo: Crypto for Class 3 Recall: Class 1 = 32 bit µp, 200MHz Symmetric alg: possible Asymm.alg: full range (ECC, RSA, DL) possible, some care needed for implementation I&C Seminar, EPFL

27 I&C Seminar, EPFL Security and Economics of Pervasive Applications One-user many-nodes paradigm (e.g processors per human) Many new applications we don t know yet Very high volume applications Very cost sensitive People won t be willing to pay for security per se People won t buy products without security

28 I&C Seminar, EPFL Security Concerns in Pervasive Applications Often wireless channels vulnerable Hacking into home devices, cars, Contents protection in many applications Pervasive nature and high-volume of nodes increase risk potential Privacy issues (geolocation, medical sensors, monitoring of home activities, etc.) Stealing of services (sensors etc.)

29 I&C Seminar, EPFL Why is Security in Pervasive Networks Difficult? Designers worry about IT functionality, security is ignored or an afterthought Security infrastructure (PKI etc.) is missing: Protocols? Secure embedded OS are difficult Attacker has easy access to nodes (side channel & tamper attacks) Computation/memory/power constrained (red = crypto engineering issues)

30 Do We Really Need Cryptography in Pervasive Applications? Crypto ops for identification is fundamental for embedded security Almost all ad-hoc protocols (even routing!) require crypto ops for every hop At least symmetric alg. are needed Asymmetric alg. allow fancier protocols fi Embedded crypto is enabling technology for pervasive applications. Q. What type of crypto can we do?

31 Classification by Processor Power Very rough classification of embedded processors Class speed : high-end Intel Class 0: few 1000 gates? Class 1: 8 bit µp, 10MHz 1: 10 3 Class 2: 16 bit µp, 50MHz 1: 10 2 Class 3: 32 bit µp, 200MHz 1: 10 I&C Seminar, EPFL

32 Case Study Class 0: RFID for Bar Codes Recall: Class 0 = no µp, few 1000 gates Goal: RFID as bar code replacement AutoID tag: security with 1000 gates [CHES 02] Ell. curves (asymmetric alg.) need > 10,000 gates DES (symmetric alg.) needs a few 1,000 gates Lightweight stream ciphers might work I&C Seminar, EPFL

33 Status Quo: Crypto for Class 1 Recall: Class 1 = 8 bit µp, 10MHz Symmetric alg: possible at low data rates Asymm.alg: very difficult without coprocessor I&C Seminar, EPFL

34 Status Quo: Crypto for Class 2 Recall: Class 2 = 16 bit µp, 50MHz Symmetric alg: possible Asymm.alg: possible if carefully implemented, and algorithms carefully selected (ECC feasible; RSA & DL still hard) I&C Seminar, EPFL

35 Status Quo: Crypto for Class 3 Recall: Class 1 = 32 bit µp, 200MHz Symmetric alg: possible Asymm.alg: full range (ECC, RSA, DL) possible, some care needed for implementation I&C Seminar, EPFL

36 Challenges for Pervasive Crypto 1. Symmetric algorithm for class 0 (e.g., 1000 gates) which are secure and well understood? 2. Alternative asymm. alg. for class 0 and class 1 (8 bit µp) with 10x time-area improvement over ECC? 3. Are asymm. alg. which are too short (e.g., ECC with 100 bits) usable? 4. Ad-hoc protocols without long-term security needs? 5. Side-channel protection at very low costs? I&C Seminar, EPFL

37 Contents 1. Very Brief History of Crypto Applications 2. What is Pervasive Computing?? 3. Security in Pervasive Applications 4. Challenges in Crypto Engineering 5. Related EUROBITS Activities I&C Seminar, EPFL

38 What is crypto engineering anyway? Definition: The efficient and secure realization of cryptographic algorithms and protocols for applications in practice. (+ the study of special-purpose cryptanalytical designs) I&C Seminar, EPFL

39 I&C Seminar, EPFL Why don t we leave it to the engineers anyway? (or: Why crypto engineering really is important) 1. Many real-world attacks exploit implementation weaknesses Ex. Side channel attack, fault injection attack 2. Often, new schemes only practical if eff. implemented Ex. early days of elliptic curves & (until very recently) hyperelliptic curves 3. Interaction between implementation and alg.design Ex. Arithmetic choice has major impact on implementation and security Crypto engineering is integral part of cryptography

40 I&C Seminar, EPFL What s so difficult about crypto engineering? 1. Cultural differences: Cryptographers Engineers 2. Interdisciplinary knowledge required Cryptography Mathematics (number theory, abstract algebra) & Algorithms Engineering stuff: Computer arch., micro electronic, 3. Implementation methods often demanding Ex bit arithmetic (with low power) Ex. Gbit/sec throughput without parallelization 4. Unusual rules: A working implementation is not enough, should also be secure

41 I&C Seminar, EPFL Future Challenges for Crypto Engineering 1. Challenges in pervasive applications 2. Speed Optimization is not everything 3. Side channel attacks 4. Interdisciplinary work 5. Dissemination of results

42 I&C Seminar, EPFL Challenges (1): Crypto in Pervasive Applications 1. Symmetric algorithm for class 0 (e.g., 1000 gates) which are secure and well understood? 2. Alternative asymm. alg. for class 0 and class 1 (8 bit µp) with 10x time-area improvement over ECC? 3. Are asymm. alg. which are too short (e.g., ECC with 100 bits) usable? 4. Ad-hoc protocols without long-term security needs? 5. Side channel protection at very low costs?

43 Chaellenges (2): Speed Optimization is not everything Past attitude: As fast as possible, costs did not matter (e.g., RSA modular multipl. Arch., DES hardware) But: 1. Moore s Law makes speed easy in SW and HW 2. Wide-spread commercial use of crypto makes cost optimization (power, code size, area, bandwidth) crucial Research Challenge: Develop techniques which optimize cost-performance ratio for given platform (SW, embedded, ASIC, FPGA)

44 I&C Seminar, EPFL Challenges (3): Side Channel Attacks (very brief) Status Quo: Timing, fault induction, power analysis attacks, etc. proved powerful against unprotected hardware Software countermeasure work reasonably well Research Challenges 1. Some important side channels (e.g., RF) and fault induction (e.g., optical) are poorly understood 2. Hardware counter measures are just emerging 3. Automation of countermeasure in design process

45 I&C Seminar, EPFL Challenges (4): Interdisciplinary Work Crypto engineering benefits from other disciplines, e.g., TRNG are poorly understood HW / SW co-design has barely been addressed Challenges 1. Educate crypto people about other disciplines (e.g., novel VLSI technologies) 2. Entice people from other disciplines (e.g., novel VLSI technologies) to do crypto work 3. Encourage Ph.D. students to work interdisciplinary

46 Challenges (5): Dissemination of Results Observations More and more products integrate cryptography Often non-optimum methods are used The wheel tends to get re-invented in industry at the same time: More and more researchers are working on implementations (110 CHES 2003) Challenges 1. Make research results accessible for engineers without training in pure mathematics! 2. Organize the research results (books, courses)

47 Contents 1. Very Brief History of Crypto Applications 2. What is Pervasive Computing?? 3. Brief Introduction to Modern Cryptography 4. Security in Pervasive Applications 5. Related EUROBITS Activities I&C Seminar, EPFL

48 E U R O B I T S European Competence Center for IT Security + HGI Horst Görtz Institute for IT Security ISEB Institute for ebusiness Security GITS AG Corp. for IT Security (training & research transfer) escrypt Embedded Security (consulting & products) GITS Projekt GmbH House for IT Security

49 I&C Seminar, EPFL EUROBITS Research: Lightweight Crypto 1. Elliptic curves on smart card without coprocessor 2. Hyperelliptic curves acceleration & implementation on large range of embedded µp 3. Public-key enabling instruction set extension for lowend 8 bit µp

50 EUROBITS Research: Embedded Security 1. Side channel attacks against smart cards Ex: New collission attack against DES, AES, Security in ad-hoc networks Ex: New protocol family 3. Contents protection in embedded application Digital rights managment in cars 4. New application domains Embedded security in cars Embedded security in geoinformation systems I&C Seminar, EPFL

51 Research Events (see also Cryptographic Hardware and Embedded Systems (CHES) August 2003 ESCAR (Embedded Security in Cars) November 2003 AES 4 How Secure is the Advanced Encryption Standard? April 2004 ESAS 1 st European Workshop on Security in Ad-Hoc and Sensor Networks (Heidelberg) August 2004 Summer School ECC for Engineers September 2004 Elliptic Curve Cryptography (ECC 2004) September 2004