Securing IoT applications with Mbed TLS Hannes Tschofenig

Similar documents
Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

MTAT Applied Cryptography

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX

TLS 1.2 Protocol Execution Transcript

Advantech AE Technical Share Document

Internet security and privacy

CSCE 715: Network Systems Security

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

AN12120 A71CH for electronic anticounterfeit protection

Auth. Key Exchange. Dan Boneh

Transport Layer Security

How to Enable Client Certificate Authentication on Avi

CP860, SIP-T28P, SIP-T26P, SIP-T22P, SIP-T21P, SIP-T20P, SIP-T19P, SIP-T46G, SIP-T42G and SIP-T41P IP phones running firmware version 71 or later.

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Security Protocols and Infrastructures. Winter Term 2010/2011

Cryptographic Execution Time for WTLS Handshakes on Palm OS Devices. Abstract

Securely Deploying TLS 1.3. September 2017

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Chapter 4: Securing TCP connections

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

TLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key

Security Protocols and Infrastructures. Winter Term 2015/2016

Cryptography (Overview)

Requirements from the. Functional Package for Transport Layer Security (TLS)

Internet Engineering Task Force. Intended status: Standards Track. December 26, 2018

Understanding Traffic Decryption

A71CH for secure connection to AWS

Internet Engineering Task Force (IETF) ISSN: January Suite B Profile for Transport Layer Security (TLS)

Security Protocols and Infrastructures

Certificate service - test bench. Project to establish the National Incomes Register

Internet Engineering Task Force (IETF) July Transport Layer Security (TLS) Cached Information Extension

Coming of Age: A Longitudinal Study of TLS Deployment

Request for Comments: 2712 Category: Standards Track CyberSafe Corporation October 1999

TLS Extensions Project IMT Network Security Spring 2004

CS 356 Internet Security Protocols. Fall 2013

Overview. SSL Cryptography Overview CHAPTER 1

History. TLS 1.3 Draft 26 Supported in TMOS v14.0.0

Transport Layer Security

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

MTAT Applied Cryptography

HPE Knowledge Article

Connecting Securely to the Cloud

Bacula. Ana Emília Machado de Arruda. Protegendo seu Backup com o Bacula. Palestrante: Bacula Backup-Pt-Br/bacula-users/bacula-devel/bacula-users-es

mobilefish.com Create self signed certificates with Subject Alternative Names

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

CS 161 Computer Security

Practical Issues with TLS Client Certificate Authentication

concerto: A Methodology Towards Reproducible Analyses of TLS Datasets

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Was ist neu bei TLS 1.3?

Introducing Hardware Security Modules to Embedded Systems

DTLS over SNMP. Wes Hardaker. 14 November Wes Hardaker () DTLS over SNMP 14 November / 15

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Digital Certificates Demystified

Secure Socket Layer. Security Threat Classifications

BIG-IP System: SSL Administration. Version

New Generation Cryptosystems using Elliptic Curve Cryptography

Using EAP-TLS with TLS 1.3 draft-mattsson-eap-tls IETF 101, EMU, MAR John Mattsson, MOHIT sethi

Displaying SSL Configuration Information and Statistics

TLS authentication using ETSI TS and IEEE certificates

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Performance implication of elliptic curve TLS

Chapter 7. WEB Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Performance Implications of Security Protocols

Information Security CS 526

FlexVPN Between a Router and an ASA with Next Generation Encryption Configuration Example

Network Working Group Requests for Commments: 2716 Category: Experimental October 1999

BIG-IP System: SSL Administration. Version

Securing Communications with your Apache HTTP Server. Lars Eilebrecht

Norbert Muehr (Siemens PLM GTAC EMEA)

SSL Accelerated Services. Feature Description

One Year of SSL Internet Measurement ACSAC 2012

White Paper for Wacom: Cryptography in the STU-541 Tablet

IBM Education Assistance for z/os V2R1

Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh

HOWTO: Setup FTP with TLS support

Secure Communication over MQTT. Ahmet Onat 2018

3GPP TSG SA WG3 Security SA3#33 S May 2004 Beijing, China

Public-key Infrastructure

Overview of TLS v1.3 What s new, what s removed and what s changed?

State of TLS usage current and future. Dave Thompson

ON THE SECURITY OF TLS RENEGOTIATION

IBM i Version 7.2. Security Digital Certificate Manager IBM

Transport Level Security

Security analysis of DTLS 1.2 implementations

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

DTLS-HIMMO: Efficiently Securing a PQ world with a fully-collusion resistant KPS

UG278: Zigbee Cluster Library over IP (ZCL/IP) User s Guide

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Chapter 8 Web Security

SSL/TLS CONT Lecture 9a

Outline. Transport Layer Security (TLS) 1.0. T Cryptosystems. Transport Layer Security (TLS) 1.0 basics

Transport Layer Security

Cryptology complementary. Introduction

Agenda. Make the Internet of Things Work to Cloud The Risks and Weakness Security on the IoT Building a Secure IoT Path from device to Cloud.

TABLE OF CONTENTS. INSIDE Secure All rights reserved

Transcription:

Securing IoT applications with Mbed TLS Hannes Tschofenig Part#2: Public Key-based authentication March 2018 Munich

Agenda For Part #2 of the webinar we are moving from Pre-Shared Secrets (PSKs) to certificated-based authentication. TLS-PSK ciphersuites have great performance, low overhead, small code size. Drawback is the shared key concept. Public key cryptography was invented to deal with this drawback (but itself has drawbacks). 2

Public Key Infrastructure and certificate configuration

Public Key Infrastructure Various PKI deployments in existence Structure of our PKI CA cert self-signed The client has to store: Client certificate plus corresponding private key. CA certificate, which serves as the trust anchor. Signed by CA Signed by CA The server has to store: Server certificate plus corresponding private key. 4 Client cert Server cert (Some information for authenticating the client)

Generating certificates (using OpenSSL tools) When generating certificates you will be prompted to enter info. The CA cert will end up in the trust anchor store of the client. The Common Name used in the server cert needs to be resolvable via DNS UNLESS you use the server name indication extension. If the information in the Common Name does not match what is expected in the TLS handshake (based on configuration) then the exchange will (obviously) fail. You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:. State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:. Organization Name (eg, company) [Internet Widgits Pty Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []:CA Email Address []:. 5

Generating CA certificate Listing supported curves > openssl ecparam -list_curves Self-signed CA Cert > openssl ecparam -genkey -name secp256r1 -out ca.key > openssl req -x509 -new -SHA256 -nodes -key ca.key -days 3650 -out ca.crt 6

Generating server certificate Generate Server Private Key Create CSR Print CSR: CA creates Server Cert > openssl ecparam -genkey -name secp256r1 -out server.key > openssl req -new -SHA256 -key server.key -nodes -out server.csr > openssl req -in server.csr -noout -text > openssl x509 -req -SHA256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt 7

Generating client certificate Generate Client Private Key Create CSR > openssl ecparam -genkey -name secp256r1 -out client.key > openssl req -new -SHA256 -key client.key -nodes -out client.csr CA creates Client Cert > openssl x509 -req -SHA256 -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt 8

Operational PKI challenges worth mentioning Certificates contain an expiry date, which needs to be checked. Certificates may also get revoked. Certificates and trust anchors may need to be replaced. These topics are not covered in this webinar. 9

TLS protocol

Public key crypto Two popular types of of asymmetric crypto systems emerged, namely RSA and Elliptic Curve Cryptography (ECC). The TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ciphersuite is recommended by many standards. It uses Ephemeral Elliptic Curve Diffie-Hellman (ECDHE), and The Elliptic Curve Digital Signature Algorithm (ECDSA). New to ECC? Talk: "A gentle introduction to elliptic-curve cryptography" by Tanja Lange and Dan Bernstein. Book: Guide to Elliptic Curve Cryptography by Vanstone, et al. 11

Recall: Key length Preferred for IoT security Symmetric ECC DH/DSA/RSA 80 163 1024 112 233 2048 128 283 3072 192 409 7680 256 571 15360 12

Two Phase Design of TLS Phase 1 Handshaking Protocols Phase 2 Record Protocol TLS-PSK Used symmetric keys for authentication Covered in 1st webinar AES-128-CCM-8 to protect HTTP TLS-ECDHE-ECDSA Uses public key cryptography and (in our case) certificates for authentication. Covered in today s webinar. 13

Full TLS handshake Client Server Certificate ClientHello Server Certificate requested by the server and provided by the client (optional msgs) Used when client provided certificate to demonstrate possession of private key. ServerHello, Certificate*, ServerKeyExchange*, CertificateRequest*, ServerHelloDone Certificate*, ClientKeyExchange, CertificateVerify*, [ChangeCipherSpec], Finished [ChangeCipherSpec], Finished Application Data Legend: *: optional message []: Not a handshake message. Used by some ciphersuites to convey information to generate the premaster secret. May need to be signed by the server. 14 Note: Most Web deployments use server-to-client authentication only.

ECDHE-ECDSA Exchange Client Server Generate EC Diffie-Hellman key pair 2 Generate EC Diffie-Hellman key pair Place ephemeral ECDH public key in the ClientKeyExchange message CertificateVerify demonstrate possession of the long-term private key corresponding to the public key in the client's Certificate message. 1 Ephemeral ECDH public key is put in ServerKeyExchange message. Sign ServerKeyExchange message with long term private key. 3 ECDHE derived key becomes pre_master_secret, which is then used in master_secret calculation 15

Hands-on

Platform For this hands-on session we are using the Keil MCBSTM32F400 Evaluation Board, which uses the STM32F407IG MCU. This MCU uses an Arm Cortex M4 processor. More information can be found in this datasheet. Keil RTX5 serves as the real-time OS. Mbed TLS and networking middleware. 17

Demo setup TLS server Development laptop Keil MCBSTM32F400 18 TLS client

config.h settings for TLS-ECDHE-ECDSA According to RFC 7925 we use TLS 1.2: MBEDTLS_SSL_PROTO_TLS1_2 TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 as a ciphersuite, which requires MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED AES, CCM, and SHA256, (MBEDTLS_AES_C, MBEDTLS_CCM_C, MBEDTLS_SHA256_C) ECC support: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C MBEDTLS_ECP_C, MBEDTLS_BIGNUM_C ASN.1 and certificate parsing support NIST Curve P256r1 (MBEDTLS_ECP_DP_SECP256R1_ENABLED) Server Name Indication (SNI) extension (MBEDTLS_SSL_SERVER_NAME_INDICATION) We enable optimizations (MBEDTLS_ECP_NIST_OPTIM ) and deterministic ECDSA (RFC 6979) with MBEDTLS_ECDSA_DETERMINISTIC 19

Mbed TLS client application code 1. Initialize TLS session data 2. Initialize the RNG Parse CA certificate, client certificate and private key of client. 3. Establish TCP connection 4. Configure TLS 5. Run TLS handshake protocol 6. Exchange application data 7. Tear down communication and free state Load CA certificate Load client certificate and private key Configure SNI Configure curve(s) Verify the server certificate 20

Server-side command line Demands mutual authentication Server Certificate Server Private Key > programs/ssl/ssl_server2 auth_mode=required crt_file=server.crt key_file=server.key ca_file=ca.crt Parameters: CA certificate auth_mode determines the behaviour of a missing client certificate or a failed client authentication. Allowed values are none, optional and required. cert_file indicates the file that contains the server certificate. key_file indicates the file that contains the private key of the server. ca_file indicates the file that contains the CA certificate. 21

The cost of public key crypto

Handshake message size ClientHello Certificate 23 Client Server Size Client Key Exchange Certificate Verify Change Cipher Spec Protocol TLS Finished ServerHello Certificate Server Key Exchange Certificate Request Server Hello Done Change Cipher Spec TLS Finished 121 bytes 87 bytes 557 bytes 215 bytes 78 bytes 4 bytes 570 bytes 138 bytes 80 bytes 1 byte 40 bytes 1 byte 40 bytes Example assumes a ECC-based ciphersuite with a 256 bit curve. Only a single certificate is exchanged in the Certificate message. (But mutual authentication is used, i.e., client and server exchange certificates.) Result: 1932 bytes

Time (msec) Performance comparison: Signature generation ECDSA Performance (Signature Operation, w=7, NIST Optimization Enabled) 24 24 2000,00 1800,00 1600,00 1400,00 1200,00 1000,00 800,00 600,00 400,00 200,00 0,00 LPC1768, 96 MHz, Cortex M3 L152RE, 32 MHz, Cortex M3 Prototyping Boards F103RB, 72 MHz, Cortex M4 Performance data from a contribution to the NIST lightweight crypto workshop 2015. F401RE, 84 MHz, Cortex M4 secp192r1 secp224r1 secp256r1 secp384r1 secp521r1

Performance optimization impact Using ~50 % more RAM increases the performance by a factor 8 or more. 25 Performance data from a contribution to the NIST lightweight crypto workshop 2015.

Improving performance with TLS extensions

Session resumption exchange First phase Client Server ClientHello (+empty session ID) ServerHello (+Session ID), Certificate*, ServerKeyExchange*, CertificateRequest*, ServerHelloDone Certificate*, ClientKeyExchange, CertificateVerify*, [ChangeCipherSpec], Finished [ChangeCipherSpec], Finished Application Data A session ID is allocated by the server. 27

Session resumption exchange Second phase Security state established with full exchange and indexed with session identifier. Client Server ClientHello (+SessionID) Benefits: Few message exchanged Less bandwidth consumed Lower computational overhead ServerHello [ChangeCipherSpec] Finished [ChangeCipherSpec] Finished Application Data 28

Session resumption without server-side state First phase Client Server ClientHello (+empty SessionTicket) ServerHello (+empty SessionTicket), Certificate*, ServerKeyExchange*, CertificateRequest*, ServerHelloDone Certificate*, ClientKeyExchange, CertificateVerify*, [ChangeCipherSpec], Finished NewSessionTicket, [ChangeCipherSpec], Finished Application Data Negotiating the SessionTicket extension and issuing a ticket with the NewSessionTicket message. The client caches the ticket along with the session information. 29

Session resumption without server-side state Second phase Client Server ClientHello (+SessionTicket extension) Benefits: Same as session resumption. Increased scalability due to distributed session state storage ServerHello (empty SessionTicket extension) NewSessionTicket [ChangeCipherSpec] Finished [ChangeCipherSpec] Finished Application Data Ticket stores the session state including the master_secret, client authentication type, client identity, etc. Specified in RFC 5077. 30

TLS cached info ClientHello Certificate 31 Client Server Size Client Key Exchange Certificate Verify Change Cipher Spec Protocol TLS Finished ServerHello Certificate Server Key Exchange Certificate Request Server Hello Done Change Cipher Spec TLS Finished 121 bytes 87 bytes 557 bytes 215 bytes 78 bytes 4 bytes 570 bytes 138 bytes 80 bytes 1 byte 40 bytes 1 byte 40 bytes TLS exchanges lots of fairly static information. Certificates List of acceptable certification authorities Idea: Cache information on the client and avoid sending it unless it changes. TLS Cached Info specification is published in RFC 7924. Allows to cache server certificate and certificate request. Client-side certificate can be omitted by sending a Certificate URI extension instead, which is specified in RFC 6066.

Further TLS extensions for performance improvement Raw public key (RPK) extension (RFC 7250) re-uses the existing TLS Certificate message to convey the raw public key encoded in the SubjectPublicKeyInfo structure. Maximum Fragment Length (MFL) extension (RFC 6066) allows the client to indicate to the server how much maximum memory buffers it uses for incoming messages. Trusted CA Indication extension (RFC 6066) allows clients to indicate what trust anchor they support. Note: Re-using TLS code at multiple layers helps to lower the overall code requirements. 32

Hands-on (Session Resumption)

config.h settings for session resumption No additions needed for plain session resumption. Only one parameter for RFC 5077 session resumption without server-side state: MBEDTLS_SSL_SESSION_TICKETS 34

Mbed TLS client application code Initial exchange Initialize session resumption state Configure session resumption without server-side state Subsequent exchanges 1. Initialize TLS session data 2. Initialize the RNG 3. Establish TCP connection 4. Configure TLS 5. Run full TLS handshake protocol 6. Exchange application data 7. Encounter error 8. Set session state 9. Establish TCP connection 10. Run TLS session resumption 11. Exchange application data 12. Tear down communication and free state Free session resumption state 35

Conclusion

Summary PSK-based ciphersuites provide great performance. Certificate-based ciphersuites provide an alternative where the private key is not shared. Public key crypto is more challenging to performance. This performance impact can partially be mitigated using TLS extensions, such as session resumption. 37

The Arm trademarks featured in this presentation are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners. www.arm.com/company/policies/trademarks 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback