SECURE ELEMENT
THE CORNER STONE FOR A SAFE CONNECTED OBJECT
GUILLAUME CRINON, BUSINESS DEV MANAGER
INTERNET OF THINGS – OUR OPPORTUNITY
First step, 1990-: 1G/2G/3G/4G, xDSL/Fiber/Sat. Mature mkt
Second step, 1995-: Data centers, Cloud computing. Booming mkt
Third step, 2005-: M2M - IoT, Lower cost connection, Lower power connection. Booming mkt
People: 6B
Data
Things: 20-50B
Internet of Everything
May 15
THE IOT IS OUR 2ND TELECOM REVOLUTION
• Connecting people was once a luxury, a privilege reserved to the rich
• Connecting people is now a mature business reaching saturation
• Connecting “things” was once a luxury reserved to high-end machines
• Expanding the market of connected “things” is simply pushing down the cost boundary
[Figure: hardware value of the connected “thing”; scale: Complex machine, Simple machine, Complex object, Simple object, Smart sensor, Disposable sensor; regions: “Connected” and “Not worth connecting”]
BEING CONNECTED IS GREAT UNLESS…
… you get exposed while poorly protected
HOW SECURE ARE STANDARD MCUS ?
It takes 16 min, a laptop, Matlab, a 150€ USB oscilloscope & probe to extract an AES128 key from any non-secure MCU
Courtesy of Driss Aboulkassimi – CEATech – FR
SPENDING MONEY ON SECURITY
• Security requirements depend both on the value of what is being protected and the anticipated attacks
• Questions to ask
  • How valuable is the data or service being protected?
  • To whom is it valuable?
  • Who does the system require me to trust?
  • What are the skills/time/resources necessary to attack the system?
  • What would the cost of compromise be, including loss of time and manpower, loss of reputation, costs to fix already fielded systems?
RISK ASSESSMENT MATRIX
LIKELIHOOD \ CONSEQUENCES   Minimal   Minor     Moderate   Significant   Severe
Near certainty              $         $$$$      $$$$$$$    $$$$$$$$      $$$$$$$$$$
Highly likely               $         $$$$      $$$$       $$$$$$$       $$$$$$$$
Likely                      $         $         $$$$       $$$$$         $$$$$$$
Low likelihood              $         $         $$         $$$$          $$$$$$
Not likely                  $         $         $$         $$$           $$$$$$
SHIFTING RISK ASSESSMENT MATRIX
LIKELIHOOD \ CONSEQUENCES   Minimal   Minor     Moderate   Significant   Severe
Near certainty              $         $$$$$$    $$$$$$$    $$$$$$$$      $$$$$$$$$$
Highly likely               $         $$$$$     $$$$$      $$$$$$$       $$$$$$$$
Likely                      $         $$$       $$$$$      $$$$$         $$$$$$$
Low likelihood              $         $         $$$        $$$$$         $$$$$$
Not likely                  $         $         $$         $$$$          $$$$$
ATTACK TREE – COST OF ATTACK
Do not pay for water at home
• Slow down meter
  • Alter electronics
    • Insert pulse divider between spinning contact and counter
  • Alter mechanics
    • …
  • Alter firmware
    • Disassemble firmware and reprogram
• Fool data reporting to concentrator
  • Report fake water consumption with dummy meter
  • Reverse engineer wireless protocol and security key
• Hack my record @ water company
  • Find back-door on water company IT system
  • Bribe employee
SECURE CONNECTIVITY PROTOCOL MODEL
Network association request
Object identity check
(Network identity check)
(Exchange of session key(s) and nonces)
Exchange of messages: Encryption - Integrity
SECURITY TOOLBOX FOR CONNECTED OBJECTS = CRYPTOGRAPHY
Non-repudiation
Confidentiality
IP protection
Anti-cloning
Data integrity
Access control
Encryption
Secure memory
Signature
Authentication
Signature
Authentication
CRYPTOGRAPHY IS A SCIENCE
DEFINITIONS 1/2
• Authentication
  • Proving someone’s identity by verifying the validity of identification parameters:
    • PIN code
    • Secret key
    • Password
    • Biometrics
    • Certificate
• Encryption
  • Encoding messages so that unauthorized readers cannot understand them
• ≠ Steganography
  • Concealing the messages from unauthorized readers
CRYPTOGRAPHY IS A SCIENCE
DEFINITIONS 2/2
• Integrity
  • Providing evidence that a message has not been altered by a third party
  • Checksum can be considered as a very basic integrity algorithm
• Digital signature
  • Association of
    • Authentication of sender
    • Integrity of message
• Secure Element
  • Crypto-dedicated IC
  • Tamper-resistant to side-channel attacks
  • Vault for keeping secret keys
STATE-OF-THE-ART CRYPTOGRAPHY IN HISTORY
ANTIQUITY TO MODERN TIMES
Timeline axis: -700, -150, 0, 800, 1500
Items on the timeline:
• Scytale – transposition
• Polybius square
• Caesar’s substitution cipher
• Abu Yusuf Al-Kindi, invents frequency analysis and breaks Caesar’s cipher
• Bellaso, Vigenère, Gronsfeld – polyalphabetic substitution
Plaintext   A V N E T M E M E C
Key         T E C H D A Y T E C
Ciphertext  T Z P L W M C F I E
Birth of private key
STATE-OF-THE-ART CRYPTOGRAPHY IN HISTORY
CONTEMPORARY PERIOD
Timeline axis: 1880, 1900, 1920, 1945, 1975, 1990, 2000, 2010
Items on the timeline:
• Frank Miller: One-Time-Pad – Polyalphabetic substitution, “Perfect secrecy”
• RSA: Rivest, Shamir, Adleman
• Alan Turing, Claude Shannon: Modern cryptography
• ENIGMA
• Diffie-Hellman: invention of public key
• AES
• DES
• SSL, TLS
• WEP
• WPA, WPA2
• SSH
• SHA-0, SHA-2, SHA-3
• Sir William Herschel - fingerprints
• ECC: Koblitz, Miller
• CDMA
• UWB
• PGP
• Banking smart card, SIM card
• IPv6
• iPhone
• 802.15.4
• www
• Wireless www & IoT
• LWC
• Cheap Secure Element
• EMVco
• First transatlantic radio transmission
• Radio
CRYPTOGRAPHY IS MATURE
• Since RSA, AES, ECC, SHA, cryptography has reached maturity
• “Cryptography is now by far the best settled part of Information Security” (Whitfield Diffie, 2005)
• Computational complexity for brute-force attack ~ 2^length(key)
  • 2048-bit key takes 2^2048 ~ 10^600 steps to solve
  • 10^82 atoms in universe
  • Assuming parallel computing with 1 computer per atom still takes > 10^500 steps per computer
  • Assuming lightning-fast computing with 10^100 steps per second
  • Computation would take 10^400 seconds >> life-time of galaxy
SO WHY IS NOTHING SECURE ?
• Human factor
• Strange tendency to use “home-brewed” cryptosystems
• Misunderstanding properties of crypto components
• Easy to get implementation wrong – many subtleties
• Combining secure primitives in insecure way
• Strict efficiency requirements for crypto/security: The cost is visible but benefit invisible
• Compatibility issues, legacy systems
• Cryptography is only part of designing secure systems
• Chain is only as strong as weakest link
• A “dormant bug” is often a security hole
• Many subtle issues (e.g., caching & virtual memory, side channel attacks)
• Key storage and protection issues
BUILDING AN UNSECURE SYSTEM
WITH ALBEIT SECURE ELEMENTS
WHAT IS A UICC (SIM CARD) ?
Secure Hardware: 32 bit CPU; SHA, ECC, RSA; AES, 3DES; True Random Gen.; TIMER; Flash; RAM; Interface I/O
Secure Firmware: Crypto Library; Key Management; ISO7816 protocols; JavaCard OS; Applet Management; Secure Storage; Applet Installer
JavaCard Applets: SMS & directory storage; MNO profiles; Phone locking; Hidden MNO functions
Customized and personalized by the MNO/VNO for the subscriber
WHAT IS A SECURE ELEMENT ?
Secure Hardware: 32 bit CPU; SHA, ECC, RSA; AES, 3DES; True Random Gen.; TIMER; Flash; RAM; Interface I/O
Secure Firmware: Crypto Library; Key Management; I²C & ISO7816 protocols; Applet Management; Secure Storage; Applet Installer
Applets: Usage Control applet; Tracking applet; Counterfeiting applet; IP protection applet
Customized and personalized by AVNET for the client
2G/3G/4G
CONNECTIVITY PROTOCOL (SIMPLIFIED)
Network association request
Object identity check
Network identity check
Exchange of session key(s) and nonces
Exchange of messages: Encryption - Integrity
2G/3G/4G
HW SECURITY HANDLED BY UICC (SIM CARD)
unique ID and keys safely locked inside UICC (SIM card)
Network association request
Object identity check
Network identity check
Exchange of session key(s) and nonces
Exchange of messages: Encryption - Integrity
OTHER LAN AND WAN
SAME CONNECTIVITY PROTOCOL MODEL
Network association request
Object identity check
(Network identity check)
(Exchange of session key(s) and nonces)
Exchange of messages: Encryption - Integrity …
OTHER LAN AND WAN
HW SECURITY HANDLED BY SECURE ELEMENT
unique ID and keys locked in Secure Element by AVM Factory
Network association request
Object identity check
(Network identity check)
(Exchange of session key(s) and nonces)
Exchange of messages: Encryption - Integrity …
100% SECURE SUPPLY CHAIN
Secure boot-loader
Secure logistics
Chip is « unlocked »
Firmware & Applet are loaded
Chip is personalized with secret keys
Every chip is unique
Customer
Supply chain is EMV Co compliant
User keys and certificates are generated by Avnet’s secure servers
BEYOND WIRELESS
APPLICATIONS OF A SECURE ELEMENT
• Authentication of removable part, consumable, electronic board….
• Protection against unauthorized modifications of software
• Integrity control of every node of a network
• Sensitive data secure storage
• Usage control of peripherals (medical)
• Secure login to remote system
Anti-Cloning, Secure tracking, IP protection, Usage control
COST EFFECTIVE SAFETY IS REALITY
COST
SECURITY LEVEL
Do not dive here
Ask our experts
GLOSSARY
• AES: Advanced Encryption Standard
• CBC-MAC: Cipher Block Chaining Message Authentication Code
• CCM*: Counter with CBC-MAC
• CDMA: Code Division Multiple Access
• DES: Data Encryption Standard
• ECC: Elliptic Curve Cryptography
• LWC: Lightweight Cryptography
• MAC: Message Authentication Code
• PGP: Pretty Good Privacy
• PKI: Public Key Infrastructure
• PRF: Pseudo-Random Function
• PRNG: Pseudo-Random Number Generator
• RSA: Rivest, Shamir, Adleman
• SHA: Secure Hash Algorithm
• SSL: Secure Sockets Layer
• TLS: Transport Layer Security
• UWB: Ultra-Wide Band
• WEP: Wired Equivalent Privacy
• WPA: WiFi Protected Access
BIBLIOGRAPHY – FURTHER READING
CREDITS TO…
• Boaz Barak course @ Princeton http://www.cs.princeton.edu/courses/archive/spr10/cos433/
• Bruce Schneier https://www.schneier.com/
• Simon Singh http://simonsingh.net/books/the-code-book/the-book/
• Whitfield Diffie – Before and After Public-Key Cryptography http://www.youtube.com/watch?v=1BJuuUxCaaY
Thank you
PRIVATE KEY – SYMMETRIC ALGORITHMS AES
• Alice & Bob want to exchange messages without Eve understanding
• Private key: Same key shared by Alice & Bob, unknown to Eve
ALICE
  Shares with Bob a secret key k
  Encodes m into c = m ⊕ k
ALICE → BOB: c = m ⊕ k (seen by EVE)
BOB
  Shares with Alice a secret key k
  Decodes c into m = c ⊕ k
Not secure in the long-term because key k is re-used: EVE will eventually guess it
PRIVATE KEY – SYMMETRIC ALGORITHMS AES
IMPROVEMENT WITH RAND NUMBER GENERATOR
• Alice & Bob want to exchange messages without Eve understanding
• Private key: Same key shared by Alice & Bob, unknown to Eve
ALICE
  Shares with Bob a secret key k and PRF Fk
  Generates random number r
  Computes Fk(r)
  Encodes m into c = m ⊕ Fk(r)
BOB
  Shares with Alice a secret key k and PRF Fk
  Computes Fk(r)
  Decodes c into m = c ⊕ Fk(r)
EVE
Secure because key Fk(r) is randomized for every message
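The two symmetric slides above, side by side, as an added example that is not part of the original deck: with a re-used k the key cancels out of two intercepted ciphertexts, while a fresh Fk(r) per message does not. HMAC-SHA256 standing in for the PRF Fk, sending r alongside c, and the sample messages are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def prf(k: bytes, r: bytes, length: int) -> bytes:
    """F_k(r): HMAC-SHA256 stands in for the PRF (assumption); max 32 bytes."""
    assert length <= hashlib.sha256().digest_size
    return hmac.new(k, r, hashlib.sha256).digest()[:length]

def encrypt_reused_key(k: bytes, m: bytes) -> bytes:
    """First slide: c = m XOR k, with the same k for every message."""
    return xor(m, k)

def encrypt_prf(k: bytes, m: bytes) -> tuple[bytes, bytes]:
    """Second slide: fresh r per message, c = m XOR F_k(r); r travels with c."""
    r = os.urandom(16)
    return r, xor(m, prf(k, r, len(m)))

def decrypt_prf(k: bytes, r: bytes, c: bytes) -> bytes:
    """Bob recomputes F_k(r) from the shared k and the received r."""
    return xor(c, prf(k, r, len(c)))

# Constructed sample messages (16 bytes each) and a random 16-byte key.
M1 = b"METER=000123 m3\n"
M2 = b"METER=000124 m3\n"
K = os.urandom(16)

def demo() -> dict:
    c1, c2 = encrypt_reused_key(K, M1), encrypt_reused_key(K, M2)
    r1, d1 = encrypt_prf(K, M1)
    r2, d2 = encrypt_prf(K, M2)
    return {
        # Re-used k cancels: c1 XOR c2 equals m1 XOR m2, no key needed.
        "reuse_leaks_m1_xor_m2": xor(c1, c2) == xor(M1, M2),
        # Fresh pads F_k(r1), F_k(r2) do not cancel.
        "prf_leaks_m1_xor_m2": xor(d1, d2) == xor(M1, M2),
        "bob_recovers": decrypt_prf(K, r1, d1) == M1 and decrypt_prf(K, r2, d2) == M2,
    }

if __name__ == "__main__":
    print(demo())
```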
DIFFIE HELLMAN KEY CONTRACT
• Is it possible for 2 entities to exchange privately without requiring them to trust each other, i.e. without having them disclose any secret?
• Eve eavesdropping has a very complex maths problem to solve !! Discrete logarithm problem
PUBLIC
  P very large prime number (2048 bits) – g primitive root mod P
  Group theory – Arithmetic modulo P
ALICE
  Has a secret x
  Calculates g^x
  Calculates key (g^y)^x = g^xy
  Encodes m into c = m.g^xy
ALICE → BOB: c = m.g^xy (seen by EVE)
BOB
  Has a secret y
  Calculates g^y
  Calculates key (g^x)^y = g^xy
  Decodes c into m = c.(g^x)^(|G|-y)
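The exchange on this slide carried through with its own symbols, as an added example that is not part of the original deck. The 11-bit safe prime P = 2039 is a constructed toy parameter (the slide calls for 2048 bits); it is small on purpose so that the last function can show why the size of P is what protects x.

```python
import secrets

# Toy public parameters (constructed for illustration only).
# P = 2q + 1 with q = 1019 prime, so |G| = P - 1 = 2q.
P = 2039
Q = (P - 1) // 2
GROUP_ORDER = P - 1

def is_primitive_root(g: int) -> bool:
    """g generates the whole group iff g^2 != 1 and g^q != 1 (mod P)."""
    return pow(g, 2, P) != 1 and pow(g, Q, P) != 1

G = next(g for g in range(2, P) if is_primitive_root(g))

def keypair() -> tuple[int, int]:
    """Pick a secret exponent and return (secret, public = g^secret mod P)."""
    secret = secrets.randbelow(GROUP_ORDER - 2) + 2
    return secret, pow(G, secret, P)

def alice_encode(m: int, x: int, g_y: int) -> int:
    """c = m . (g^y)^x = m . g^xy mod P."""
    return (m * pow(g_y, x, P)) % P

def bob_decode(c: int, y: int, g_x: int) -> int:
    """m = c . (g^x)^(|G| - y) mod P; g^(x|G|) = 1, so this cancels g^xy."""
    return (c * pow(g_x, GROUP_ORDER - y, P)) % P

def exhaustive_discrete_log(public: int) -> int:
    """Try every exponent; finishes only because P has 11 bits."""
    return next(e for e in range(1, P) if pow(G, e, P) == public)

def demo(m: int = 1234) -> dict:
    x, g_x = keypair()   # Alice
    y, g_y = keypair()   # Bob
    c = alice_encode(m, x, g_y)
    return {
        "keys_match": pow(g_y, x, P) == pow(g_x, y, P),
        "bob_recovers": bob_decode(c, y, g_x) == m,
        # At 2048 bits the same search would need on the order of 2^2048 steps.
        "toy_size_exposes_x": exhaustive_discrete_log(g_x) == x,
    }

if __name__ == "__main__":
    print(G, demo())
```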
PUBLIC KEY – ASYMMETRIC ALGORITHMS RSA
• Application: 1 public key used for encryption paired with 1 private key for decryption
• Eve eavesdropping has a very complex maths problem to solve !! Discrete logarithm problem
PUBLIC
  n=prime_1 x prime_2 ; e coprime with (prime_1-1)x(prime_2-1)
  Group theory – Arithmetic modulo P
ALICE
  Uses public key e to encode m
  Encodes m into c = (m^e) mod n
ALICE → BOB: c = (m^e) mod n
BOB
  Knows prime_1 & prime_2
  Calculates p=(prime_1-1)x(prime_2-1)
  Calculates d=e^-1 mod p
  Decodes c into m = (c^d) mod n
AUTHENTICATION SHA
INTEGRITY
• Alice sends Bob a message with a digital signature proving:
  • The message comes from her
  • The message has not been altered by a third party
ALICE
  Shares with Bob a secret key k
  Computes M=MAC(k,m)
ALICE → BOB: m, M
BOB
  Shares with Alice a secret key k
  Computes MAC(k,m)
  If MAC(k,m)=M then message and sender are authenticated
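The MAC check on this slide, applied to the steps of the SECURE CONNECTIVITY PROTOCOL MODEL slide (identity checks, nonces, session key, message integrity), as an added example that is not part of the original deck. HMAC-SHA256 as the MAC, the challenge-response form of the identity checks, the session-key derivation and the sequence number are assumptions of this sketch; message encryption is left out to keep the focus on integrity.

```python
import hashlib
import hmac
import os

def mac(k: bytes, *parts: bytes) -> bytes:
    """MAC(k, m) as HMAC-SHA256; parts are length-prefixed to stay unambiguous."""
    h = hmac.new(k, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def prove(k: bytes, role: bytes, ident: bytes, nonce: bytes) -> bytes:
    """Answer an identity challenge without ever sending k."""
    return mac(k, role, ident, nonce)

def check(k: bytes, role: bytes, ident: bytes, nonce: bytes, proof: bytes) -> bool:
    """Verifier recomputes the MAC and compares in constant time."""
    return hmac.compare_digest(prove(k, role, ident, nonce), proof)

def associate(k_object: bytes, k_network: bytes, ident: bytes):
    """Run both identity checks; return the session key, or None on failure."""
    n_net, n_obj = os.urandom(16), os.urandom(16)   # fresh nonces per session
    if not check(k_network, b"object", ident, n_net,
                 prove(k_object, b"object", ident, n_net)):
        return None                                  # object identity check
    if not check(k_object, b"network", ident, n_obj,
                 prove(k_network, b"network", ident, n_obj)):
        return None                                  # network identity check
    return mac(k_object, b"session", n_net, n_obj)   # session key from nonces

def send(ks: bytes, seq: int, m: bytes) -> tuple[int, bytes, bytes]:
    """Sender transmits (seq, m, M) with M = MAC(ks, seq, m)."""
    return seq, m, mac(ks, seq.to_bytes(8, "big"), m)

def receive(ks: bytes, frame: tuple[int, bytes, bytes]) -> bool:
    """If MAC(ks, seq, m) = M then message and sender are authenticated."""
    seq, m, tag = frame
    return hmac.compare_digest(mac(ks, seq.to_bytes(8, "big"), m), tag)

if __name__ == "__main__":
    k = os.urandom(32)                               # constructed shared key
    ks = associate(k, k, b"meter-0001")              # constructed object ID
    print(receive(ks, send(ks, 1, b"reading=42")))
```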