Cryptography in Heavily Constraint Environments

1
Cryptography in Heavily Constraint Environments

• Christof Paar
• EUROBITS Center for IT Security
• COmmunication SecuritY (COSY) Group
• University of Bochum, Germany
• www.crypto.rub.de

2
Contents

• Pervasive computing and embedded systems
• Pervasive computing and security
• Constrained environments and crypto
• Research problems

3
Characteristics of Traditional IT Applications

• Mostly based on interactive ( traditional)
  computers
• One user one computer paradigm
• Static networks
• Large number of users per network
• Q How will the IT future look?

4
Examples for Pervasive Computing

• PDAs, 3G cell phones, ...
• Living spaces will be stuffed with nodes
• So will cars
• Wearable computers (clothes, eye glasses, etc.)
• Household appliances
• Smart sensors in infrastructure (windows, roads,
  bridges, etc.)
• Smart bar codes (autoID)
• Smart Dust
• ...

5
Will that ever become reality??

• We dont know, but CPUs sold in 2000

6
Security and Economics of Pervasive Networks

• One-user many-nodes paradigm (e.g. 102-103
  processors per human)
• Many new applications we dont know yet
• Very high volume applications
• Very cost sensitive
• People wont be willing to pay for security per
  se
• People wont buy products without security

7
Where are the challenges for embedded security?

• Designers worry about IT functionality, security
  is ignored or an afterthought
• Attacker has easy access to nodes
• Security infrastructure (PKI etc.) is missing
  Protocols???
• Side-channel and tamper attacks
• Computation/memory/power constrained

8
Why do constraints matter?

• Almost all ad-hoc protocols (even routing!)
  require crypto ops for every hop
• At least symmtric alg. are needed
• Asymmetric alg. allow fancier protocols
• Question What type of crypto can we do?

9
Classification by Processor Power

• Very rough classification of embedded processors
• Class speed high-end Intel
• Class 0 few 1000 gates ?
• Class 1 8 bit ?P, ? 10MHz ? 1 103
• Class 2 16 bit ?P, ? 50MHz ? 1 102
• Class 3 32 bit ?P, ? 200MHz ? 1 10

10
Case Study Class 0 RFID

• Recall Class 0 no ?P, few 1000 gates
• Goal RFID as bar code replacement
• Cost goal 5 cent (!)
• allegedly 500 x 109 bar code scans worldwide per
  day (!!)
• AutoID tag security with 1000 gates CHES 02
• Ell. curves (asymmetric alg.) need gt 20,000 gates
• DES (symmetric alg.) needs gt 5,000 gates
• Lightweight stream ciphers might work

11
Status Quo Crypto for Class 1

• Recall Class 1 8 bit ?P, ? 10MHz
• Symmetric alg possible at low data rates
• Asymm.alg very difficult without coprocessor

12
Status Quo Crypto for Class 2

• Recall Class 2 16 bit ?P, ? 50MHz
• Symmetric alg possible
• Asymm.alg possible if
• carefully implemented, and
• algorithms carefully selected (ECC feasible RSA
  DL still hard)

13
Status Quo Crypto for Class 3

• Recall Class 1 32 bit ?P, ? 200MHz
• Symmetric alg possible
• Asymm.alg full range (ECC, RSA, DL) possible,
  some care needed for implementation

14
Open (Research) Questions

• Symmetric algorithm for class 0 (e.g., 1000
  gates) which are secure and well understood?
• Alternative asymm. alg. for class 0 and class 1
  (8 bit ?P) with 10x time-area improvement over
  ECC?
• Are asymm. alg. which are too short (e.g., ECC
  with 100 bits) usable?
• Ad-hoc protocols without long-term security
  needs?
• Side-channel protection at very low costs?

15
Related Events at theEUROBITS Center in Bochum

• www.crypto.rub.de
• Workshop on Side-Channel Attacks on Smart
  CardsJanuary 30-31, 2003

16
Cryptographic Hardware and Embedded Systems
September 7-10
chesworkshop.org
17
Security Challenges Many Security Assumptions
Change

• No access to backbone PKI does not work
• New threats sleep deprivation attack
• Old threats (e.g., confidentiality) not always a
  problem
• Nodes have incentives to cheat in protocols
• Security protocols ???

18
Our Research

• Crypto algorithms in highly constrained
  environments
• Low-cost hardware for public-key algorithm
• Ultra low-cost hardware for symmetric algorithms
• Software for public-key, symmetric algorithms on
  low-end processors
• Protocols for ad-hoc networks
• Secure communication in complex technical systems
  (airplanes, cars, etc.)
• Establishing trust in networks

19
Traditional Security Applications

• Very often computer communication networks!
• (wireless) LAN / WLAN (Local Area Network)
• WAN (Wide Area Network)
• PKI (Public Key Infrastructure)

20
Traditional Security Applications

• (wireless) LAN / WLAN (Local Area Network)

21
Traditional Security Applications

• WAN
• (Wide Area Network)

22
Traditional Security Applications

• PKI (Public Key Infrastructure)
• enables secure LAN, WAN

23
Other Traditional Security Applications

• Antivirus
• Firewalls
• Biometrics

24
The IT Future

• 2. Bridge sensors
• 3. Cleaning robots
• 6. Car with various IT services
• 8. Networked robots
• 9. Smart street lamps
• 14. Pets with electronic sensors
• 15. Smart windows

25
Characteristics of Pervasive Computing Systems

• Embedded nodes (no traditional computers)
• Connected through wireless, close-range network
  (Pervasive networks)!
• Ad-hoc networks Dynamic addition and deletion of
  nodes
• Power/computation/memory constrained!
• Vulnerable

26
Why Security in Pervasive Applications?

• Pervasive nature and high-volume of nodes
  increase risk potential (e.g., hacking into a
  car)
• Wireless channels are vulnerable (passive and
  active attacks)
• Privacy issues (geo-location, medical sensors,
  monitoring of home activities, etc.)
• Stealing of services (sensors etc.)