Pervasive Computing and the Future of Crypto Engineering
I&C Seminar, EPFL
December 15, 2003
Christof Paar
Ruhr-Universität Bochum
www.crypto.rub.de
Contents
1. Very Brief History of Crypto Applications
2. What is Pervasive Computing?
3. Security in Pervasive Applications
4. Challenges in Crypto Engineering
5. Related EUROBITS Activities
I&C Seminar, EPFL
Do we really need security?
Cryptography, ca. 500 B.C
Skytale of Sparta
Cryptography, ca. 1940
German Enigma (Polish, British & US break crucial for allied victory in WWII)
Cryptography, ca. 1990
Smart card for banking applications
Cryptography, ca. 2000
Electronic road toll
Cryptography:
• prevents cheating by drivers
• protects privacy of drivers
Cryptography, ca. 2010
Brave new pervasive world
• #2 Bridge sensors
• #3 Cleaning robots
• #6 Car with Internet access
• #8 Networked robots
• #9 Smart street lamps
• #14 Pets with electronic sensors
• #15 Smart windows
Pervasive Computing and Embedded Systems
Important (yet trivial) observation from an engineering perspective:
Pervasive computing is based on embedded systems
Is this really Important?
Depends on your viewpoint, but:
[Chart: CPUs sold in 2000]
Ex. high-end BMW ⇒ approx. 80 CPUs
Characteristics of Traditional IT Applications
• Mostly based on interactive (= traditional) computers
• "One user – one computer" paradigm
• Static networks
• Large number of users per network
Q: How will the IT future look?
Examples for Pervasive Computing
• PDAs, 3G cell phones, ...
• Living spaces will be stuffed with nodes (audio/video)
• Refrigerators will communicate as will milk bottles
• Smart sensors in infrastructure (windows, roads, bridges, etc.)
• "Smart Dust"
• Smart bar codes (autoID)
• Wearable computers (clothes, eye glasses, etc.)
• ...
Pervasive Computing Case Study I: Radio Frequency ID (RFID)
• Smart tags with receiver & some processing
• Many applications in logistics, consumer products, ...
• MIT's AutoID Center: smart bar codes
• 500·10^9 bar code scans per day
• Cost goal: 5 cents
Pervasive Computing Case Study II: Smart Textiles (by Infineon)
• Sensors in textiles
• Self-organizing network: fabric can be cut etc.
• Appl.: fire, motion, and anti-theft sensor
• Future version will incorporate LEDs
Security and Economics of Pervasive Applications
• "One-user many-nodes" paradigm (e.g. 10^2–10^3 processors per human)
• Many new applications we don't know yet
• Very high volume applications
• Very cost sensitive
• People won't be willing to pay for security per se
• People won't buy products without security
Security Concerns in Pervasive Applications
• Often wireless channels ⇒ vulnerable
• Hacking into home devices, cars, …
• Contents protection in many applications
• Pervasive nature and high-volume of nodes increase risk potential
• Privacy issues (geolocation, medical sensors, monitoring of home activities, etc.)
• Stealing of services (sensors etc.)
• …
Why is Security in Pervasive Networks Difficult?
• Designers worry about IT functionality, security is ignored or an afterthought
• Security infrastructure (PKI etc.) is missing: Protocols?
• Secure embedded OS are difficult
• Attacker has easy access to nodes (side channel & tamper attacks)
• Computation/memory/power constrained
(red = crypto engineering issues)
Do We Really Need Cryptography in Pervasive Applications?
• Crypto ops for identification is fundamental for embedded security
• Almost all ad-hoc protocols (even routing!) require crypto ops for every hop
• At least symmetric alg. are needed
• Asymmetric alg. allow fancier protocols
→ Embedded crypto is enabling technology for pervasive applications.
Q. What type of crypto can we do?
Classification by Processor Power
Very rough classification of embedded processors

Class                              Speed : high-end Intel
Class 0: few 1000 gates            ?
Class 1: 8 bit µP, ≤ 10MHz         ≈ 1 : 10^3
Class 2: 16 bit µP, ≤ 50MHz        ≈ 1 : 10^2
Class 3: 32 bit µP, ≤ 200MHz       ≈ 1 : 10
Case Study Class 0: RFID for Bar Codes
Recall: Class 0 = no µP, few 1000 gates
• Goal: RFID as bar code replacement
• AutoID tag: security "with 1000 gates" [CHES 02]
  – Ell. curves (asymmetric alg.) need > 10,000 gates
  – DES (symmetric alg.) needs a few 1,000 gates
  – Lightweight stream ciphers might work
Status Quo: Crypto for Class 1
Recall: Class 1 = 8 bit µP, ≤ 10MHz
Symmetric alg: possible at low data rates
Asymm. alg: very difficult without coprocessor
Status Quo: Crypto for Class 2
Recall: Class 2 = 16 bit µP, ≤ 50MHz
Symmetric alg: possible
Asymm. alg: possible if
• carefully implemented, and
• algorithms carefully selected (ECC feasible; RSA & DL still hard)
Status Quo: Crypto for Class 3
Recall: Class 3 = 32 bit µP, ≤ 200MHz
Symmetric alg: possible
Asymm. alg: full range (ECC, RSA, DL) possible, some care needed for implementation
Challenges for Pervasive Crypto
1. Symmetric algorithm for class 0 (e.g., 1000 gates) which are secure and well understood?
2. Alternative asymm. alg. for class 0 and class 1 (8 bit µP) with 10x time-area improvement over ECC?
3. Are asymm. alg. which are "too short" (e.g., ECC with 100 bits) usable?
4. Ad-hoc protocols without long-term security needs?
5. Side-channel protection at very low costs?
What is crypto engineering anyway?
Definition: The efficient and secure realization of cryptographic algorithms and protocols for applications in practice.
(+ the study of special-purpose cryptanalytical designs)
Why don't we leave it to the engineers anyway?
(or: Why crypto engineering really is important)
1. Many real-world attacks exploit implementation weaknesses
   • Ex. Side channel attack, fault injection attack
2. Often, new schemes only practical if eff. implemented
   • Ex. early days of elliptic curves & (until very recently) hyperelliptic curves
3. Interaction between implementation and alg. design
   • Ex. Arithmetic choice has major impact on implementation and security
⇒ Crypto engineering is integral part of cryptography
What's so difficult about crypto engineering?
1. Cultural differences: Cryptographers ↔ Engineers
2. Interdisciplinary knowledge required
   • Cryptography
   • Mathematics (number theory, abstract algebra) & Algorithms
   • Engineering stuff: Computer arch., micro electronic, …
3. Implementation methods often demanding
   • Ex. 2048 bit arithmetic (with low power)
   • Ex. Gbit/sec throughput without parallelization
4. Unusual rules: A "working" implementation is not enough, should also be secure
Future Challenges for Crypto Engineering
1. Challenges in pervasive applications
2. Speed Optimization is not everything
3. Side channel attacks
4. Interdisciplinary work
5. Dissemination of results
Challenges (1): Crypto in Pervasive Applications
1. Symmetric algorithm for class 0 (e.g., 1000 gates) which are secure and well understood?
2. Alternative asymm. alg. for class 0 and class 1 (8 bit µP) with 10x time-area improvement over ECC?
3. Are asymm. alg. which are "too short" (e.g., ECC with 100 bits) usable?
4. Ad-hoc protocols without long-term security needs?
5. Side channel protection at very low costs?
Challenges (2): Speed Optimization is not everything
Past attitude: As fast as possible, costs did not matter (e.g., RSA modular multipl. arch., DES hardware)
But:
1. Moore's Law makes speed easy in SW and HW
2. Wide-spread commercial use of crypto makes cost optimization (power, code size, area, bandwidth) crucial
Research Challenge: Develop techniques which optimize cost-performance ratio for given platform (SW, embedded, ASIC, FPGA)
Challenges (3): Side Channel Attacks (very brief)
Status Quo:
• Timing, fault induction, power analysis attacks, etc. proved powerful against unprotected hardware
• Software countermeasures work reasonably well
Research Challenges
1. Some important side channels (e.g., RF) and fault induction (e.g., optical) are poorly understood
2. Hardware countermeasures are just emerging
3. Automation of countermeasures in design process
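An added example (not from the talk) of the kind of timing/power leak and software countermeasure this slide refers to: textbook square-and-multiply, whose operation count depends on the exponent, next to a Montgomery ladder with a fixed operation sequence. The function names, the toy 32-bit modulus and the operation counter are assumptions made for illustration; `mulmod` itself is assumed to run in constant time on the target.

```c
#include <stdint.h>

/* Counts modular multiplications; a constructed stand-in for the time or
   power trace an observer of the device would see. */
static unsigned long op_count;

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m) {
    op_count++;
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Left-to-right square-and-multiply: the extra multiply runs only for
   1-bits, so the operation count reveals the exponent's Hamming weight. */
uint32_t modexp_leaky(uint32_t base, uint32_t exp, uint32_t m, int bits) {
    uint32_t r = 1 % m;
    for (int i = bits - 1; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((exp >> i) & 1)
            r = mulmod(r, base, m);
    }
    return r;
}

/* Montgomery ladder: one multiply and one square per bit, whatever the bit.
   A masked swap replaces the key-dependent branch. */
uint32_t modexp_ladder(uint32_t base, uint32_t exp, uint32_t m, int bits) {
    uint32_t r0 = 1 % m, r1 = base % m;
    for (int i = bits - 1; i >= 0; i--) {
        uint32_t mask = (uint32_t)0 - ((exp >> i) & 1); /* all ones if bit set */
        uint32_t swap = (r0 ^ r1) & mask;
        r0 ^= swap; r1 ^= swap;          /* conditional swap */
        r1 = mulmod(r0, r1, m);
        r0 = mulmod(r0, r0, m);
        swap = (r0 ^ r1) & mask;
        r0 ^= swap; r1 ^= swap;          /* swap back */
    }
    return r0;
}

/* Operations spent on a 16-bit exponent (base 7, modulus 1000003: constructed). */
unsigned long ops_used(uint32_t (*f)(uint32_t, uint32_t, uint32_t, int),
                       uint32_t exp) {
    op_count = 0;
    (void)f(7, exp, 1000003u, 16);
    return op_count;
}
```

Both routines return the same result, but only the ladder spends the same number of operations for every exponent of a given length.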
Challenges (4): Interdisciplinary Work
Crypto engineering benefits from other disciplines, e.g.,
• TRNG are poorly understood
• HW / SW co-design has barely been addressed
Challenges
1. Educate crypto people about other disciplines (e.g., novel VLSI technologies)
2. Entice people from other disciplines (e.g., novel VLSI technologies) to do crypto work
3. Encourage Ph.D. students to work interdisciplinary
Challenges (5): Dissemination of Results
Observations
• More and more products integrate cryptography
• Often non-optimum methods are used
• The wheel tends to get re-invented in industry
• at the same time: More and more researchers are working on implementations (110 submissions @ CHES 2003)
Challenges
1. Make research results accessible for engineers without training in pure mathematics!
2. Organize the research results (books, courses)
Contents
1. Very Brief History of Crypto Applications
2. What is Pervasive Computing?
3. Brief Introduction to Modern Cryptography
4. Security in Pervasive Applications
5. Related EUROBITS Activities
EUROBITS
European Competence Center for IT Security
• HGI – Horst Görtz Institute for IT Security
• GITS AG – Corp. for IT Security (training & research transfer)
• ISEB – Institute for eBusiness Security
• escrypt – Embedded Security (consulting & products)
• GITS Projekt GmbH – House for IT Security
EUROBITS Research: Lightweight Crypto
1. Elliptic curves on smart card without coprocessor
2. Hyperelliptic curves acceleration & implementation on large range of embedded µP
3. Public-key enabling instruction set extension for low-end 8 bit µP
EUROBITS Research: Embedded Security
1. Side channel attacks against smart cards
   • Ex: New collision attack against DES, AES, ...
2. Security in ad-hoc networks
   • Ex: New protocol family
3. Contents protection in embedded application
   • Digital rights management in cars
4. New application domains
   • Embedded security in cars
   • Embedded security in geoinformation systems
Research Events (see also www.crypto.rub.de)
• Cryptographic Hardware and Embedded Systems (CHES), August 2003
• ESCAR (Embedded Security in Cars), November 2003
• AES 4 – How Secure is the Advanced Encryption Standard?, April 2004
• ESAS – 1st European Workshop on Security in Ad-Hoc and Sensor Networks (Heidelberg), August 2004
• Summer School "ECC for Engineers", September 2004
• Elliptic Curve Cryptography (ECC 2004), September 2004