Ruhr University Bochum Cryptography in Heavily Constraint Environments

Ruhr University Bochum Cryptography in Heavily Constraint Environments Christof Paar EUROBITS Center for IT Security COmmunication Securit. Y (COSY) Group University of Bochum, Germany 07. 11. 2002 Courtois, Daum, Felke: On the www. crypto. rub. de Security of HFE, HFEv- and Quartz

Contents Ruhr University Bochum Communication Security (COSY) Group • Pervasive computing and embedded systems • Pervasive computing and security • Constrained environments and crypto • Research problems Workshop on Ad-Hoc Security 2002

Characteristics of Traditional IT Applications Ruhr University Bochum Communication Security (COSY) Group • Mostly based on interactive (= traditional) computers • „One user – one computer“ paradigm • Static networks • Large number of users per network Q: How will the IT future look? Workshop on Ad-Hoc Security 2002

Examples for Pervasive Computing • • • Ruhr University Bochum Communication Security (COSY) Group PDAs, 3 G cell phones, . . . Living spaces will be stuffed with nodes So will cars Wearable computers (clothes, eye glasses, etc. ) Household appliances Smart sensors in infrastructure (windows, roads, bridges, etc. ) • Smart bar codes (auto. ID) • “Smart Dust” • . . . Workshop on Ad-Hoc Security 2002

Will that ever become reality? ? We don’t know, but: CPUs sold in 2000 Workshop on Ad-Hoc Security 2002 Ruhr University Bochum Communication Security (COSY) Group

Security and Economics of Pervasive Networks • • • Ruhr University Bochum Communication Security (COSY) Group „One-user many-nodes“ paradigm (e. g. 102103 processors per human) Many new applications we don‘t know yet Very high volume applications Very cost sensitive People won‘t be willing to pay for security per se People won‘t buy products without security Workshop on Ad-Hoc Security 2002

Where are the challenges for embedded security? Ruhr University Bochum Communication Security (COSY) Group • Designers worry about IT functionality, security is ignored or an afterthought • Attacker has easy access to nodes • Security infrastructure (PKI etc. ) is missing: Protocols? ? ? • Side-channel and tamper attacks • Computation/memory/power constrained Workshop on Ad-Hoc Security 2002

Why do constraints matter? Ruhr University Bochum Communication Security (COSY) Group • Almost all ad-hoc protocols (even routing!) require crypto ops for every hop • At least symmtric alg. are needed • Asymmetric alg. allow fancier protocols Question: What type of crypto can we do? Workshop on Ad-Hoc Security 2002

Classification by Processor Power Ruhr University Bochum Communication Security (COSY) Group Very rough classification of embedded processors Class speed : high-end Intel Class 0: few 1000 gates Class 1: 8 bit P, 10 MHz Class 2: 16 bit P, 50 MHz Class 3: 32 bit P, 200 MHz Workshop on Ad-Hoc Security 2002 ? 1: 103 1: 102 1: 10

Case Study Class 0: RFID Ruhr University Bochum Communication Security (COSY) Group Recall: Class 0 = no P, few 1000 gates • Goal: RFID as bar code replacement • Cost goal 5 cent (!) • allegedly 500 x 109 bar code scans worldwide per day (!!) • Auto. ID tag: security “with 1000 gates” [CHES 02] – Ell. curves (asymmetric alg. ) need > 20, 000 gates – DES (symmetric alg. ) needs > 5, 000 gates – Lightweight stream ciphers might work Workshop on Ad-Hoc Security 2002

Status Quo: Crypto for Class 1 Recall: Class 1 = 8 bit P, 10 MHz Symmetric alg: possible at low data rates Asymm. alg: very difficult without coprocessor Workshop on Ad-Hoc Security 2002 Ruhr University Bochum Communication Security (COSY) Group

Status Quo: Crypto for Class 2 Ruhr University Bochum Communication Security (COSY) Group Recall: Class 2 = 16 bit P, 50 MHz Symmetric alg: possible Asymm. alg: possible if • carefully implemented, and • algorithms carefully selected (ECC feasible; RSA & DL still hard) Workshop on Ad-Hoc Security 2002

Status Quo: Crypto for Class 3 Ruhr University Bochum Communication Security (COSY) Group Recall: Class 1 = 32 bit P, 200 MHz Symmetric alg: possible Asymm. alg: full range (ECC, RSA, DL) possible, some care needed for implementation Workshop on Ad-Hoc Security 2002

Open (Research) Questions 1. 2. 3. 4. 5. Ruhr University Bochum Communication Security (COSY) Group Symmetric algorithm for class 0 (e. g. , 1000 gates) which are secure and well understood? Alternative asymm. alg. for class 0 and class 1 (8 bit P) with 10 x time-area improvement over ECC? Are asymm. alg. which are “too short” (e. g. , ECC with 100 bits) usable? Ad-hoc protocols without long-term security needs? Side-channel protection at very low costs? Workshop on Ad-Hoc Security 2002

Related Events at the EUROBITS Center in Bochum Ruhr University Bochum Communication Security (COSY) Group www. crypto. rub. de 1. Workshop on Side-Channel Attacks on Smart Cards January 30 -31, 2003 Workshop on Ad-Hoc Security 2002

Cryptographic Hardware and Embedded Systems chesworkshop. org September 7 -10 Workshop on Ad-Hoc Security 2002

Security Challenges: Many Security Assumptions Change • • • Ruhr University Bochum Communication Security (COSY) Group No access to backbone: PKI does not work New threats: sleep deprivation attack Old threats (e. g. , confidentiality) not always a problem Nodes have incentives to cheat in protocols Security protocols ? ? ? Workshop on Ad-Hoc Security 2002

Our Research • • • Ruhr University Bochum Communication Security (COSY) Group Crypto algorithms in highly constrained environments Low-cost hardware for public-key algorithm Ultra low-cost hardware for symmetric algorithms Software for public-key, symmetric algorithms on low-end processors Protocols for ad-hoc networks Secure communication in complex technical systems (airplanes, cars, etc. ) Establishing trust in networks Workshop on Ad-Hoc Security 2002

Traditional Security Applications Ruhr University Bochum Communication Security (COSY) Group Very often: computer & communication networks! • (wireless) LAN / WLAN (Local Area Network) • WAN (Wide Area Network) • PKI (Public Key Infrastructure) Workshop on Ad-Hoc Security 2002

Traditional Security Applications Ruhr University Bochum Communication Security (COSY) Group (wireless) LAN / WLAN (Local Area Network) Workshop on Ad-Hoc Security 2002

Traditional Security Applications Ruhr University Bochum Communication Security (COSY) Group WAN (Wide Area Network) Workshop on Ad-Hoc Security 2002

Traditional Security Applications Ruhr University Bochum Communication Security (COSY) Group PKI (Public Key Infrastructure) enables secure LAN, WAN Workshop on Ad-Hoc Security 2002

Other Traditional Security Applications • Antivirus • Firewalls • Biometrics Workshop on Ad-Hoc Security 2002 Ruhr University Bochum Communication Security (COSY) Group

The IT Future • • Ruhr University Bochum Communication Security (COSY) Group 2. Bridge sensors 3. Cleaning robots 6. Car with various IT services 8. Networked robots 9. Smart street lamps 14. Pets with electronic sensors 15. Smart windows Workshop on Ad-Hoc Security 2002

Characteristics of Pervasive Computing Systems Ruhr University Bochum Communication Security (COSY) Group • Embedded nodes (no traditional computers) • Connected through wireless, close-range network (“Pervasive networks”)! • Ad-hoc networks: Dynamic addition and deletion of nodes • Power/computation/memory constrained! • Vulnerable Workshop on Ad-Hoc Security 2002

Why Security in Pervasive Applications? Ruhr University Bochum Communication Security (COSY) Group • Pervasive nature and high-volume of nodes increase risk potential (e. g. , hacking into a car) • Wireless channels are vulnerable (passive and active attacks) • Privacy issues (geo-location, medical sensors, monitoring of home activities, etc. ) • Stealing of services (sensors etc. ) Workshop on Ad-Hoc Security 2002