what is a secure element
SECURE ELEMENT THE CORNER STONE FOR A SAFE CONNECTED OBJECT GUILLAUME CRINON BUSINESS DEV MANAGER INTERNET OF THINGS – OUR OPPORTUNITY Internet of Everything People 6B Third step 2005M2M - IoT Lower cost connection Lower power connection Booming mkt May 15 Things 20-50B Data First step 19901G/2G/3G/4G xDSL/Fiber/Sat Mature mkt Second step 1995Data centers Cloud computing Booming mkt THE IOT IS OUR 2ND TELECOM REVOLUTION • Connecting people was once luxury, a • Connecting “things” was once luxury • Connecting people is now a mature • Expanding the market of connected privilege reserved to the rich business reaching saturation reserved to high-end machines “things” is simply pushing down the cost boundary Complex machine Simple machine Hardware value of the connected “thing” Complex object Simple object Smart sensor Disposable sensor May 15 Connected Not worth connecting BEING CONNECTED IS GREAT UNLESS… … you get exposed while poorly protected May 15 4 HOW SECURE ARE STANDARD MCUS ? It takes 16min, a laptop, Matlab, a 150€ USB oscilloscope & probe to extract an AES128 key from any non-secure MCU May 15 Courtesy of Driss Aboulkassimi – CEATech – FR – [email protected] 5 SPENDING MONEY ON SECURITY • Security requirements depend both on the value of what is being protected and the anticipated attacks • Questions to ask • How valuable is the data or service being protected? • To whom is it valuable to? • Who does the system require me to trust? • What are the skills/time/resources necessary to attack the system? • What would the cost of compromise be, including loss of time and manpower, loss of reputation, costs to fix already fielded systems? May 15 6 RISK ASSESSMENT MATRIX LIKELIHOOD Near certainty $ $$$$ $$$$$$$ $$$$$$$$ $$$$$$$$ $$ $ $$$$ $$$$ $$$$$$$ $$$$$$$$ $ $ $$$$ $$$$$ $$$$$$$ $ $ $$ $$$$ $$$$$$ $ $ $$ $$$ $$$$$$ Highly likely Likely Low likelihood May 15 CONSEQUENCES Severe Significant Moderate Minor Minimal Not likely 7 SHIFTING RISK ASSESSMENT MATRIX LIKELIHOOD Near certainty $ $$$$$$ $$$$$$$ $$$$$$$$ $$$$$$$$ $$ $ $$$$$ $$$$$ $$$$$$$ $$$$$$$$ $ $$$ $$$$$ $$$$$ $$$$$$$ $ $ $$$ $$$$$ $$$$$$ $ $ $$ $$$$ $$$$$ Highly likely Likely Low likelihood May 15 CONSEQUENCES Severe Significant Moderate Minor Minimal Not likely 8 ATTACK TREE – COST OF ATTACK Do not pay for water at home Fool data reporting to concentrator Slow down meter Alter electronics Alter mechanics Alter firmware Report fake water consumption with dummy meter Insert pulse divider between spinning contact and counter … Disassemble firmware and reprogram Reverse engineer wireless protocol and security key May 15 Hack my record @ water company Find back-door on water company IT system Bribe employee 9 SECURE CONNECTIVITY PROTOCOL MODEL Network association request Object identity check (Network identity check) (Exchange of session key(s) and nonces) Exchange of messages Encryption - Integrity May 15 10 SECURITY TOOLBOX FOR CONNECTED OBJECTS = CRYPTOGRAPHY Access control Non-repudiation Authentication Signature Authentication Secure memory Signature Data integrity Anti-cloning IP protection Encryption Confidentiality May 15 11 CRYPTOGRAPHY IS A SCIENCE DEFINITIONS 1/2 • Authentication • Proving someone’s identity by verifying the validity of identification parameters: • • • • • PIN code Secret key Password Biometrics Certificate • Encryption • Encoding messages so that unauthorized readers cannot understand them • ≠ Steganography • Concealing the messages from unauthorized readers May 15 12 CRYPTOGRAPHY IS A SCIENCE DEFINITIONS 2/2 • Integrity • Providing evidence that a message has not been altered by a third party • Checksum can be considered as a very basic integrity algorithm • Digital signature • Association of • Authentication of sender • Integrity of message • Secure Element • Crypto-dedicated IC • Tamper-resistant to side-channel attacks • May 15 Vault for keeping secret keys 13 STATE-OF-THE-ART CRYPTOGRAPHY IN HISTORY ANTIQUITY TO MODERN TIMES Scytale – transposition Bellaso, Vigenère, Gronsfeld – polyalphabetic substitution Caesar’s substitution cipher -700 -150 0 800 Birth of private key 1500 Plaintext A V N E T M E M E C T E C H D A Y T E C Key Ciphertext T Z P L W M C F I E Polybius square May 15 Abu Yusuf Al-Kindi, invents frequency analysis and breaks Caesar’s cipher STATE-OF-THE-ART CRYPTOGRAPHY IN HISTORY CONTEMPORARY PERIOD Diffie-Hellman invention of public key 1880 Sir William Herschel fingerprints 1900 1920 First transatlantic radio transmission SSH PGP 1945 AES WEP Radio ENIGMA May 15 RSA Rivest, Shamir, Adleman Alan Turing Claude Shannon Modern cryptography Franck Miller One-Time-Pad – Polyalphabetic substitution “Perfect secrecy” Wireless www & IoT www 1975 EMVco UWB CDMA 1990 DES WPA 2000 IPv6 SHA-0 Banking smart card SIM card SSL TLS ECC Koblitz, Miller Cheap Secure Element WPA2 2010 SHA-2 802.15.4 iPhone SHA-3 LWC CRYPTOGRAPHY IS MATURE • Since RSA, AES, ECC, SHA, cryptography has reached maturity • “Cryptography is now by far the best settled part of Information Security” (Whitfield Diffie, 2005) • Computational complexity for brute-force attack ~ 2^length(key) • 2048-bit key takes 2^2048 ~ 10^600 steps to solve • 10^82 atoms in universe • Assuming // computing with 1 computer per atom still takes > 10^500 steps per computer • • May 15 Assuming lightning-fast computing with 10^100 steps per second Computation would take 10^400 seconds >> life-time of galaxy 16 SO WHY IS NOTHING SECURE ? • Human factor • Strange tendency to use “home-brewed” cryptosystems • Misunderstanding properties of crypto components • Easy to get implementation wrong – many subtleties • Combining secure primitives in insecure way • Strict efficiency requirements for crypto/security: The cost is visible but benefit invisible • Compatibility issues, legacy systems • Cryptography is only part of designing secure systems • Chain is only as strong as weakest link • A “dormant bug” is often a security hole • Many subtle issues (e.g., caching & virtual memory, side channel attacks) • Key storage and protection issues May 15 17 BUILDING AN UNSECURE SYSTEM WITH ALBEIT SECURE ELEMENTS May 15 18 WHAT IS A UICC (SIM CARD) ? Customized and personalized by the MNO/VNO for the subscriber MNO profiles SMS & directory storage Crypto Library Key Management 32 bit CPU SHA ECC RSA AES 3DES Phone locking Hidden MNO functions JavaCard OS Applet Management Secure Storage Applet Installer TIMER True Random Gen. Flash RAM JavaCard Applets ISO7816 protocols Secure Firmware I/O Secure Hardware Interface May 15 19 WHAT IS A SECURE ELEMENT ? Customized and personalized by AVNET for the client Crypto Library Key Management 32 bit CPU Counterfeiting applet Usage Control applet Tracking applet SHA ECC RSA AES 3DES IP protection applet I²C & ISO7816 protocols Applet Management Secure Storage Applet Installer TIMER True Random Gen. Flash RAM I/O Applets Secure Firmware Secure Hardware Interface May 15 20 2G/3G/4G CONNECTIVITY PROTOCOL (SIMPLIFIED) Network association request Object identity check Network identity check Exchange of session key(s) and nonces Exchange of messages Encryption - Integrity May 15 21 2G/3G/4G HW SECURITY HANDLED BY UICC (SIM CARD) unique ID and keys safely locked inside UICC (SIM card) Network association request Object identity check Network identity check Exchange of session key(s) and nonces Exchange of messages Encryption - Integrity May 15 22 OTHER LAN AND WAN SAME CONNECTIVITY PROTOCOL MODEL Network association request Object identity check (Network identity check) (Exchange of session key(s) and nonces) Exchange of messages Encryption - Integrity May 15 … 23 OTHER LAN AND WAN HW SECURITY HANDLED BY SECURE ELEMENT unique ID and keys locked in Secure Element by AVM Factory Network association request Object identity check (Network identity check) (Exchange of session key(s) and nonces) Exchange of messages Encryption - Integrity May 15 … 24 100% SECURE SUPPLY CHAIN Supply chain is EMV Co compliant Customer Secure boot-loader Chip is « unlocked » Firmware & Applet are loaded Chip is personalized with secret keys Every chip is unique Secure logistics User keys and certificates are generated by Avnet’s secure servers May 15 25 BEYOND WIRELESS APPLICATIONS OF A SECURE ELEMENT Authentication of removable part, consumable, electronic board…. Protection against unauthorized modifications of software Integrity control of every node of a network Sensitive data secure storage Usage control of peripherals (medical) Secure login to remote system Anti-Cloning May 15 Secure tracking IP protection Usage control 26 COST EFFECTIVE SAFETY IS REALITY SECURITY LEVEL Do not dive here Ask our experts COST May 15 27 GLOSSARY • AES: Advanced Encryption Standard • CBC-MAC: Cipher Block Chaining Message Authentication Code • CCM*: Counter with CBC-MAC • CDMA: Code Division Multiple Access • DES: Data Encryption Standard • ECC: Elliptic Curve Cryptography • LWC: Lightweight Cryptography • MAC: Message Authentication Code • PGP: Pretty Good Privacy May 15 • PKI: Public Key Infrastructure • PRF: Pseudo-Random Function • PRNG: Pseudo-Random Number Generator • RSA: Rivest, Shamir, Adleman • SHA: Secure Hash Algorithm • SSL: Secure Sockets Layer • TLS: Transport Layer Security • UWB: Ultra-Wide Band • WEP: Wired Equivalent Privacy • WPA: WiFi Protected Access 28 BIBLIOGRAPHY – FURTHER READING CREDITS TO… • Boaz Barak course @ Princeton http://www.cs.princeton.edu/courses/archive/spr10/cos433/ • Bruce Schneier https://www.schneier.com/ • Simon Singh http://simonsingh.net/books/the-code-book/the-book/ • Whitfield Diffie – Before and After Public-Key Cryptography http://www.youtube.com/watch?v=1BJuuUxCaaY [email protected] May 15 29 Thank you May 15 30 PRIVATE KEY – SYMMETRIC ALGORITHMS AES • Alice & Bob want to exchange messages without Eve understanding • Private key Same key shared by Alice & Bob, unknown to Eve EVE ALICE BOB Shares with Bob a secret key k Shares with Alice a secret key k Encodes m into c=m⊕k c=m⊕k Decodes c into m=c⊕k Not secure in the long-term because key k is re-used EVE will eventually guess it May 15 31 PRIVATE KEY – SYMMETRIC ALGORITHMS AES IMPROVEMENT WITH RAND NUMBER GENERATOR • Alice & Bob want to exchange messages without Eve understanding • Private key Same key shared by Alice & Bob, unknown to Eve ALICE BOB EVE Shares with Bob a secret key k and PRF Fk Shares with Alice a secret key k and PRF Fk Generates random number r Computes Fk(r) Computes Fk(r) Decodes c into m = c ⊕ Fk(r) Encodes m into c = m ⊕ Fk(r) Secure because key Fk(r) is randomized for every message May 15 32 DIFFIE HELLMAN KEY CONTRACT • Is it possible to exchange privately between 2 entities not requiring them trusting each other, ie not having them disclose any secret ? PUBLIC P very large prime number (2048 bits) – g primitive root mod P Group theory – Arithmetic modulo P ALICE EVE BOB Has a secret x Calculates g^x Has a secret y Calculates g^y Calculates key (g^y)^x = g^xy Calculates key (g^x)^y = g^xy Encodes m into c = m.g^xy c = m.g^xy Decodes c into m = c.(g^x)^(|G|-b) • Eve eavesdropping has a very complex maths problem to solve !! May 15 Discrete logarithm problem 33 PUBLIC KEY – ASYMMETRIC ALGORITHMS RSA • Application: 1 public key used for encryption paired with 1 private key for decryption PUBLIC n=prime_1 x prime_2 ; e coprime with (prime_1-1)x(prime_2-1) Group theory – Arithmetic modulo P ALICE EVE Uses public key e to encode m Encodes m into c = (m^e)mod n c = (m^e)mod n BOB Knows prime_1 & prime_2 Calculates p=(prime_11)x(prime_2-1) Calculates d=e^-1 mod p Decodes c into m = (c^d) mod n • Eve eavesdropping has a very complex maths problem to solve !! May 15 Discrete logarithm problem 34 AUTHENTICATION SHA INTEGRITY • Alice sends Bob a message with a digital signature proving: The message comes from her The message has not been altered by a third party ALICE BOB Shares with Bob a secret key k Shares with Alice a secret key k Computes M=MAC(k,m) m, M Computes MAC(k,m) If MAC(k,m)=M then message and sender are authenticated May 15 35
© Copyright 2024