Chapter 43
A Series of Secret Keys in a Key Distribution Protocol

Mohd Anuar Mat Isa, Habibah Hashim, Jamalul-lail Ab Manan, Syed Farid Syed Adnan, and Ramlan Mahmod

Abstract In this chapter, we present a series of secret keys distributed by a key exchange protocol that incorporates protection against side channel attacks, using a modified Indistinguishability Experiment for Adaptive Chosen Ciphertext Attack (CCA2). We also present a security analysis and a new attack model for a secure Chain Key Exchange Protocol integrated with the TFTP protocol in the U-Boot firmware. To enable the RaspberryPi "system on chip" (SoC) to perform cryptographic computation, we modified the GNU GMP Bignum library to support simple primitive cryptographic computation in the U-Boot firmware. We suggest using our key exchange protocol for secure key distribution in U-Boot's TFTP protocol. Later, the TFTP protocol can use the secure key distributed by our key exchange protocol to encrypt the TFTP data with a symmetric encryption scheme such as AES256. Lastly, we introduce a variant of the adversary model, IND-CCA2-(TA, PA, TPA), which may be considered a more realistic and practical model because it incorporates timing attacks and power attacks.

Keywords Adversary model • Adaptive chosen ciphertext attack • Cryptography • Embedded Raspberry Pi • Indistinguishability • Power attack • Provable security • Random oracle model • Trivial file transfer protocol • Timing attack
M.A. Mat Isa • H. Hashim • S.F. Syed Adnan
Universiti Teknologi MARA, Shah Alam, Selangor 40450, Malaysia

J.A. Manan
MIMOS Berhad, Technology Park Malaysia, Kuala Lumpur 57000, Malaysia

R. Mahmod
Universiti Putra Malaysia, Serdang, Selangor 43400, Malaysia

© Springer Science+Business Media Dordrecht 2015
G.-C. Yang et al. (eds.), Transactions on Engineering Technologies, DOI 10.1007/978-94-017-9804-4_43

1 Introduction

This chapter describes an extension of our previous work [1], which concerns the security of a new key exchange protocol against side-channel attacks. The state of the art in key exchange protocols is based on the 1976 paper "New Directions in Cryptography" [2], in which Diffie and Hellman Key Exchange (DHKE) presents a secure key agreement protocol that can be carried out over insecure public communication channels. This protocol seems quite simple to implement, but it can be vulnerable to many types of attacks based on Number Theory. In this work, we propose a series of keys distributed in a Chain Key Exchange Protocol, intended as a case study to explore the cryptographic computation capability of an embedded system on chip (SoC) and its protection against timing and power analysis attacks.
2 Motivation

The objective of this chapter is to explore cryptographic computation and security assessment for a series of keys distributed in the Chain Key Exchange [1] scheme. The proposed protocol is intended for implementation in a system on chip (SoC) under constrained-environment considerations. Our main motivation in proposing the Chain Key Exchange scheme is to explore the capability of embedded microcontrollers such as the ARM6 RaspberryPi board in performing cryptographic computation. To explore the possible constraints in the theoretical and experimental designs, we decided to use only the RaspberryPi board and a USB debug/console cable as the experimental setup. The RaspberryPi board can support extra I/O functions (add-on cards) including sensors, Wi-Fi, a camera, sub-controllers (e.g., a random number generator or a customized FPGA with cryptographic functions), etc. However, we omitted these extra I/O features because we want to study how a plain embedded board performs cryptographic functions.
2.1 Target Application

This study attempts to establish a secure and trust-based key exchange protocol in the embedded controller. The term "trust" is based on our previous work in Trusted Computing, wherein we asked "How can we be assured device(s) and system(s) are trusted if we use trusted computing platform (e.g., TPM) as root of trust?" [3]. For this experiment, we do not use Trusted Platform Modules (TPM); rather, we explore the concept of "chain of trust" in the cryptographic scheme, i.e. a chain of trust of secret keys. The "chain of trust of series secret keys" allows our protocol to verify that a new communication with a third party is the same as the previous communication, through secure transitive sessions. The proposed protocol would be useful for lightweight or smart embedded devices to identify whether an adversary is trying to intrude into the confidential communication. Energy usage becomes a major operational factor for lightweight devices, especially for deployment without compromising on security. In our proposal, we use minimal I/O peripherals to reduce energy consumption while still yielding high cryptographic computation in an autonomous environment. We implement this key exchange protocol in the U-Boot firmware, which gives the advantage that the key exchange protocol has a fairly quick boot (less than 5 s) before it activates and performs the key exchange. In the long run, our scheme will provide an implementation of a Secure Trivial File Transfer Protocol (TFTP) application in the U-Boot firmware. It will ensure that remote system update and patching processes (e.g., firmware, kernel or application) are secure from attacks that aim to eavesdrop on and modify TFTP packets. The target deployment of the Secure TFTP protocol is in Wi-Fi access points, remote base stations, wireless sensor nodes, etc.
3 Experiment Setup

3.1 Embedded System

We decided to use the RaspberryPi Model B (Fig. 43.1) with the following specifications: BCM2835 (ARMv7) 700 MHz, 512 MB RAM, 16 GB SD memory card, 10/100 Ethernet port. This board is widely used for system prototyping and experiments, system controllers, surveillance systems, cluster nodes, embedded programming, etc. Our literature review of past work found that this board is not yet well explored for cryptographic use, so we decided to conduct cryptographic primitive computation on it.

Fig. 43.1 Experimental testbed

Among the major issues to be considered when using this board are the GCC ARM compiler and the GMP Bignum [4] library, which is needed to compute numbers beyond 32-bit integers (e.g., exponentiation, modular arithmetic, etc.). We conducted an experiment to evaluate the Chained Key Exchange scheme. The first test group was run in the application layer (user space) on the Linux Raspbian "wheezy" kernel using the precompiled image "2013-07-26-wheezyraspbian.zip" [5]. The second test group was run in the firmware layer (bare metal) using Denx U-Boot [6] as the platform for bare-metal execution of our scheme. U-Boot provides cross-platform execution because it supports multiple embedded architectures such as ARM, MIPS, PPC, x86, 68k, Nios, etc. Therefore, we are confident that with very minimal configuration our protocol can be deployed on multiple embedded systems. To enable the RaspberryPi "system on chip" (SoC) to perform cryptographic computation, we modified the GMP Bignum library version gmp-5.1.0 [4] into a simple primitive cryptographic library. However, major modification is required on a bare-metal system because the C library and its dependencies are missing in U-Boot. We noted that most standard C libraries are meant for the application and kernel layers, not the firmware layer. This means that the C libraries available in firmware programming are minimal, serving only to start up the device and load an operating system kernel so the system can boot. To reduce the complexity, we modified the "mini-gmp" section to remove the dependency problems. The modified "mini-gmp" is used in both the first and second experiment groups for fairness of execution and timing measurements. Our new "mini-gmp" library supports the major functions needed for cryptographic computation, such as mpz_init(), mpz_clear(), mpz_t, mpz_set_str(), mpz_powm(), mpz_get_str(), mpz_cmp(), mpz_sub(), mpz_add(), mpz_ui_pow_ui(), mpz_gcdext(), mpz_invert(), clock(), SHA512(), etc.
Based on our previous work, we worked on a communication protocol for two RaspberryPi boards using a secure TFTP protocol for a smart environment [7]. That work [7] discussed the modification of U-Boot's TFTP protocol to support secure key exchange and data encryption.
4 Chain Key Exchange Scheme

We divided the Chain Key Exchange into three major stages (refer to Fig. 43.2).
4.1 Stage 1: Initialization of Pre-shared Knowledge Between Two Parties

This pre-shared knowledge must be established during production, by physical exchange, or through a trusted communication. Let us assume the two parties are named Along and Busu. Fig. 43.2 gives a visualization of this stage. This initialization of the crt key is computed far less often than the series of chain session keys. We assume that the Keycrt computation happens only in safe environments (e.g., during production of the embedded device) and that no integrity verification of the messages is required. Furthermore, an adversary would not be able to eavesdrop on this information because it happens in a closed environment. This initialization scheme originates from the DHKE [2] scheme.

Fig. 43.2 A simplified protocol of chain key exchange scheme
4.2 Stage 2: Initialization and Series of "Chained of Series Session Key" Between Two Parties

In this scenario, the "chain of series session key" occurs over an open communication channel; hence it is still vulnerable to an adversary's attacks. Figure 43.3 shows the first chain of series session key, where the initial session chain number is i = 0. Figure 43.4 shows the next series session key (e.g. i = 1). The series session key i = 1 can be generated only after the previous key (i = 0) has been successfully verified in Stage 3. For the next session's key computation, we use a key derivation function to derive a new key from Key_{i=0}. Therefore, we conclude Key_{i=1} as follows:

$$\mathrm{Key}_1 \equiv g_1^{a_1} \cdot g_1^{b_1} \cdot g_1^{\mathrm{Key}_0} \pmod{p_1}$$

However, there is no guarantee that Key_i in Figs. 43.4 and 43.5 will have the full n-bit key size after a successful key exchange. In the worst case, it produces a weak key with a short length. Therefore, Key_i needs to be checked1 and, if necessary, discarded before we can proceed to the verification process explained next.

1 We can use a generated key with a key length less than n (e.g. (n – 2) bits), but we then need a secure one-way key expander/derivation function to fill up (pad) the less significant part of the number to the (n – 2) length. However, this is very risky when the n – n2 length is too short.

Fig. 43.3 Stage 1: generation of a "chain root trust" (CRT) key

Fig. 43.4 Stage 2: initialization of "chained of series session key", i = 0
Fig. 43.5 Stage 2: next series session key, i = 1
4.3 Verification of "Chain of Series Session Key"

The purpose of verification is to ensure that both parties synchronize on the correct secret key using a Message Authentication Code (MAC). This ensures that each party is communicating with the intended counterpart. If successful, both parties store the matching secret Key_i in non-volatile memory equipped with physical tamper-resistant technology, wherein the secret key is protected by user authentication. The previous Key_{i-1} (if it still exists) is safely wiped from non-volatile memory. Figure 43.5 shows the verification for the initialization of the chain series session key (i = 0). Figure 43.6 shows the verification for the next chain series session key (i = 1). Observe that in the hashing between Along and Busu, the order of the first and second parameters of the hash input differs. This guarantees that the hash digests of Along and Busu are different in the MAC authentication process. A good hash function provides random values for the blinding and masking [8] of a key exchange process. A strongly collision-resistant hash function can also help secure the key exchange process against CCA2 [9] and timing attacks if it is used correctly. To protect against attacks based on Number Theory, such as the "degenerate message attack" [10], we need to ensure that the random secrets, public parameters and Key_i are not recycled numbers. For the next session, we must use a secure one-way key derivation function (e.g. hashing) to derive the new key from Key_i so that the previous key is not reused.
Fig. 43.6 Stage 3: verification for initialization of "chained of series session key", i = 0
After that, both parties store the Key_i that has been successfully verified. In case of failure, the digest needs to be retransmitted (retry), because errors may occur in the communication medium when using a non-reliable network. If correction and verification do not succeed within the allowed number of retries, the verification process is considered invalid and the chain of session i must be dropped. All temporary data from Stage 2 must also be safely wiped from volatile memory. If this happens, we can consider three possible causes: (i) an error in the communication channel, (ii) an active adversary impersonating either party, or (iii) an active adversary having tampered with the digest or data stream in Stage 2 (Fig. 43.7).
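The added example below is not the chapter's own code; it is a stand-alone simulation of the chain idea described in Stages 1 to 3: a session key bound to the previous key through a one-way hash, the key-length check, the Stage 3 MAC whose two parameters are hashed in opposite order by Along and Busu, a tampered digest being rejected, and the previous key being replaced by the next one. It uses constructed toy parameters (a 127-bit Mersenne prime, n = 120 bits) and an assumed chaining rule (the ephemeral exponent is derived from the previous key and a fresh nonce) rather than the exact Stage 2 formula of Figs. 43.3 to 43.5.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: a Mersenne prime modulus and a small generator.
# A real deployment uses a large safe prime with a prime-order generator.
P = 2**127 - 1
G = 3
N_BITS = 120          # assumed minimum acceptable key length ("n" in the chapter)

def chained_exponent(prev_key: int, nonce: int) -> int:
    """Derive this session's ephemeral exponent from the previous key and a fresh nonce.
    The one-way hash ties session i to session i-1 without reusing the old key (assumed rule)."""
    digest = hashlib.sha512(b"chain" + prev_key.to_bytes(16, "big")
                            + nonce.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2      # exponent in [2, P-1]

def key_is_acceptable(key: int) -> bool:
    """Stage 2 length check: reject a short (weak) key before verification."""
    return key.bit_length() >= N_BITS

def mac(key: int, first: bytes, second: bytes) -> bytes:
    """Stage 3 MAC. Along hashes (Along, Busu) while Busu hashes (Busu, Along):
    the swapped parameter order makes the two digests differ."""
    return hmac.new(key.to_bytes(16, "big"), first + second, hashlib.sha512).digest()

def next_session_key(prev_key: int, nonce_a: int, nonce_b: int, tamper: bool = False):
    """Run one chain step for both parties. Returns the agreed Key_i, or None on failure."""
    a = chained_exponent(prev_key, nonce_a)          # Along's secret exponent
    b = chained_exponent(prev_key, nonce_b)          # Busu's secret exponent
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)        # exchanged over the open channel
    key_a, key_b = pow(pub_b, a, P), pow(pub_a, b, P)
    if not (key_is_acceptable(key_a) and key_is_acceptable(key_b)):
        return None                                  # discard and restart the session
    tag_a = mac(key_a, b"Along", b"Busu")            # sent Along -> Busu
    tag_b = mac(key_b, b"Busu", b"Along")            # sent Busu -> Along
    if tamper:                                       # simulate an active adversary altering the digest
        tag_a = bytes([tag_a[0] ^ 1]) + tag_a[1:]
    # compare_digest is constant-time, so the check itself leaks no timing information
    if not hmac.compare_digest(tag_a, mac(key_b, b"Along", b"Busu")):
        return None
    if not hmac.compare_digest(tag_b, mac(key_a, b"Busu", b"Along")):
        return None
    return key_a                                     # both sides now hold Key_i

def run_chain(root_key: int, sessions: int) -> list:
    """Stage 1 root key (from a closed-environment DHKE) followed by `sessions` chain steps."""
    keys, prev = [], root_key
    for _ in range(sessions):
        key = None
        while key is None:                           # retry with fresh nonces on failure
            key = next_session_key(prev, secrets.randbelow(P), secrets.randbelow(P))
        keys.append(key)
        prev = key                                   # Key_{i-1} is replaced by Key_i
    return keys
```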
5 Security Analysis

5.1 Previous Work

The underlying security of the Series Keys Distribution in our key exchange protocol is based on two principles: (i) the Decisional Diffie-Hellman Problem (DDHP) [11] and (ii) a secure one-way hash function [12]. We have previously discussed some security analysis in our earlier publications [1, 13], covering the session state reveal attack, forward secrecy, key independence and the Burmester triangle attack. Readers may refer to our previous publications for further details.

Fig. 43.7 Stage 3: verification for the next series session key, i = 1
5.2 Side Channel Adversary Model: Timing and Power Attacks

We have also introduced an adversary model, Indistinguishability-Adaptive Chosen-Ciphertext (IND-CCA2) with timing attack, in our previous work [13]. It uses the same indistinguishability challenge2 as our general model [14]. However, in this chapter we use a different adversary model from the original one, because we have not implemented the challenge ciphertext c* in the indistinguishability experiment corresponding to Goldwasser-Micali [15], Naor-Yung [16] and Rackoff-Simon [17]. Furthermore, our new adversary model incorporates protection against timing attacks and power attacks in IND-CCA2. We believe it is essential to change the adversary model to allow for adaptation to, and protection against, timing attacks (TA) and power analysis attacks (PA) in the indistinguishability experiment.

2 We also present the latest work on the adversary model in another chapter of this book.
Fig. 43.8 IND-CCA2-(TA) experiment
To simulate the newly proposed adversary model (TA, PA), we use an indistinguishability test in which an adversary chooses two ciphertexts $(c_0, c_1) \in C$ with $c_0 \neq c_1$ and equal length $|c_0| = |c_1|$. Both ciphertexts $(c_0, c_1)$ are freely chosen by the adversary, who is assumed to make the best possible choices. The adversary is given the public key to encrypt any message for both chosen ciphertexts, such that $c_0 = E(pk, m_0)$ and $c_1 = E(pk, m_1)$ in an encryption scheme $\Pi = (K, E, D, H)$, as shown in Fig. 43.8. The encryption/signature scheme $\Pi$ is CCA2-TA secure if and only if any probabilistic polynomial-time (PPT) algorithm used by the adversary to determine the correct timing for message $m_b$ succeeds only with negligible probability, such that:

$$\bigl|\Pr[\mathit{success}] - \Pr[\mathit{failure}]\bigr|$$