Michael Hutter

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

1

Sophia Antipolis, 2009 IAIK

VLSI

Michael Hutter IAIK – Graz University of Technology

Michael.Hutter@iaik.tugraz.at www.iaik.tugraz.at

Security in the Internet of Things BUILDING THE INTERNET OF THINGS

From vision to business opportunities

Module 3, Smart Event 2009, Sophia Antipolis, France

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

2

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Contents IT Security

Motivation Cryptographic services Protocols, schemes, and primitives Threats and attacks

The Internet of Things Evolution and technologies in the IoT PCs vs. sensor nodes vs. RFID Why security in the IoT? Killer applications of the IoT

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

3

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Contents Security & Privacy

New attacking scenarios Fault attacks on RFID Side-channel attacks on RFID Emulation of devices

Conclusions Security as enabler Light-weight security Security for passive devices

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

4

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

IT Security ATM System

Clients withdraw money using a smart card

System components Client Smart card ATM machine Banking network GSM System

Mobile phones connect to different network stations

System components Client Mobile phone, SIM card Network station Roaming operator

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

5

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Internet Security Confidential communication

Encrypted email, PGP, transfer of payment details Electronic banking over https eGovernment (online tax declaration)

Integrity of information Signed pdf documents Flight information, …

Access control Gmail, GMX, facebook, …

Commercial servers are protected

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

6

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Security Overview NetworkSecurity

Implementation Security

Organizational Security

Cryptology

OperatingSystemSecurity

SecurityPolicies

IntrusionDetection/

Audit

PersonnelSecurity

HardwareSecurity

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

7

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Cryptographic Services Confidentiality

Integrity

Authentication

Entity Message

Non-repudiation

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

8

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Confidentiality (1) Encryption

Ensures that illicit parties cannot eavesdrop communication

Alice Bob

Internet

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

9

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Confidentiality (2)

Symmetric Same key for both entities

KA=KB

Key distribution problem Key management difficulties Fast and efficient Closed systems (offline)

Asymmetric Public key and private key

KA≠KB

Certificate management Slow and complex Open systems (online

certificates)

Internet

secret key

Internet

Private key Public key

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

10

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Integrity Hash functions provide integrity

Input: message of arbitrary length Output: Fixed length “hash value”

Requirements One-way function: impossible to generate a valid message for a given hash value Impossible to find two messages with the same hash value

Used for Digital signatures Generation of random numbers

Examples SHA-1, SHA-256, MD5 SHA-3 competition (14 submissions in round 2)

2389 ...

Input Data

Fingerprint

AK

CLE

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

11

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Authentication Entity authentication

At least two entities involved Real-time process: offers a timeliness guarantee (through random

numbers or timestamps) Often no meaningful message involved

Message authentication Provided by digital signatures Can be a one-way process (e.g. Internet) Provides a transferable proof Provides additional cryptographic services

Non-repudiation and data integrity

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

12

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Protocols, Schemes, and Primitives Protocols

Used to provide cryptographic services

Sequence of steps

Schemes Basic building blocks of protocols Provide a set of cryptographic

methods (sign, verify, encrypt, decrypt, …)

Primitives Algorithms that rely on

mathematically hard problems Intractability is exploited to provide security

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

13

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Protocol Example Entity authentication protocol ISO/IEC 9798-2 B proofs to A the knowledge of a secret

Challenge-response protocol (unilateral or mutual) Based on an encryption scheme Function f as a cryptographic primitive (using key K)

A

B

RA

f(RA)K

Key K Key K

A

B

RA

f(RA)K , RB

f(RB)K Key K Key K

Unilateral authentication Mutual authentication

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

14

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Threats and Attacks Mathematical attacks: Cryptanalysis

Brute force attacks Factorization attacks, …

Protocol attacks Man-in-the-middle attacks Impersonation, replay, relay, reflection…

Implementation attacks Fault attacks Side-channel attacks

Attacks and analyses constitute an important phase during the design of secure IT systems

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

15

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

The Internet of Things Definitions

…network of physical objects… ... system [...] able to instantaneously identify any kind of object … number of technologies […] that enable the Internet to reach

out into the real world of physical objects…

Characteristics Pervasive Ubiquitous Dynamic and self organizing Heterogeneous and very high number of participants

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

16

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Evolution and Technologies

RFID is one of many enablers for the Internet of things

© www.ariva.de num

ber o

f obj

ects

Time

“Smart things”

Smart cards

PCs

ENIAC

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

17

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Power Supply of Smart Things

Reading range ~ 10 cm

Security high

Price/tag some €

Power cons. < 10mA

Reading range ~ 1-5m

Security Not yet

Price/tag Minimal +-0

Power cons. < 5-10µA

Reading range ~ 100 m

Security well

Price/tag Some 10 €

Power cons. ~ 50mA

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

18

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Do we need Security for Passive RFID?

Let us think 15 years back?

What do we learn?

We cannot predict the “killer applications” of the future

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

19

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Security and Privacy Challenges (1) Devices interact in networks without human

observers Passwords or PINs are inappropriate (undetected eavesdropping)

Different or even new attacks will come up Phishing will not work High potential of new attacks

Stealing nodes Tag cloning Clandestine readers

Implementation attacks pose a serious threat in the IoT

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

20

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

An Example: Fault Attacks on RFID We injected faults during the writing of data Analyzed commercially available HF and UHF

tags Faulty values could be written – undetected!

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

21

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Another Example: Extract Secrets We performed power and EM analysis attacks on

different RFID tags Power analysis

Separated the chip from its antenna Measured the power consumption over a resistor

EM analysis Measured the direct chip emanations

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

22

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Security and Privacy Challenges (2) Emulation of devices and networks of devices

Real time emulation of tags Real time emulation of readers/networks

Lifetime of devices No firmware update for remote devices Not often in the field, but for very long time (> 15 years)

Effects of attacks Pervasive network – people are not aware of the network Remember the year 2000 problem

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

23

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

State of the Art Security Crypto implementation

Tag costs

Communication overhead

Reading distance

Infrastructure overhead

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

24

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Implementation Challenges Limitations of crypto hardware

Chip area ~0.33 mm2

0.35 µm CMOS: 6,000 GE 0.18 µm CMOS: 25,000 GE Die size is proportional to silicon costs Power supply <15µA @ 1.5V

Optimizations Low die-size (area) Low power

Energy consumption per cycle

RF fieldRF field

Vdd

IIC

ISupply

VddMIN

Vdd

IIC

ISupply

VddMIN

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

25

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

An Example: AES on a passive RFID Tag

Features 128-bit Encryption and Decryption Round-key generation included

Architecture 8-bit datapath 256-bit RAM storage

32x8-bit organization

Implementation Details On 0.35 µm CMOS Proven suitability for RFID

0.25 mm2

3,400 GE chip area

3 µA @1.5V at 106 kHz 1,032 clock cycles

AES-128

Con

trolle

r

RAM32 x 8-bit

Data Unit

startread

finished

data_out

data_in

reset

enc

TINA

Secure

TINA

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

26

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Another Example: ECC for RFID Features

163-bit Elliptic-Curve Cryptography on a Chip (ECCON) Based on asymmetric cryptography over GF(2m)

Architecture 16-bit datapath 163x7-bit RAM storage

Implementation Details On 180 nm CMOS ISO 15693 RFID interface Proven suitability for RFID

13,685 GE chip area

6 µA @1.8V at 106 kHz 306,000 clock cycles

TINA

Secure

TINA

ECCON

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

27

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Comparison of Implementations Implemented on same platform Optimized using same methods

Algorithm Chip area [GEs]

Imean [µA @

100kHz, 1.5V]

# Clock cycles

AES-128 3,400 3.0 1,032

SHA-256 10,868 5.83 1,128

SHA-1 8,120 3.93 1,274

MD5 8,001 3.16 712

Trivium 3,090 0.68 (1,603) + 176

Grain 3,360 0.80 (130) + 104

ECC-192 23,600 13.3 500,000

TEA 2,633 3.79 289

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

28

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Secure RFID – Where is it? Crypto implementation

Tag costs

Communication overhead

Reading distance

Infrastructure overhead

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

29

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Requirements for a Successful Launch of a Secure Internet of Things

Education Realistic assumptions Service oriented approach Patience

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

30

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Conclusions Internet of Things and open

RFID infrastructures are meaningless without protection of data

Authentication and data integrity solutions for RFID tags will enable new applications

Heterogeneous networks require the same security level on each part of the network

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

31

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

Conclusions Light-weight security means

“lightweight implementation of secure primitives”

Standardization and use of standardized approaches helps to avoid security holes

Implementation of modern cryptographic primitives is technically possible on passive RFID tags

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

32

Michael Hutter IAIK

VLSI

Sophia Antipolis, 2009

The Future … Attacks on passive RFID recently started TI DST (2006) Keeloq (2008) Mifare (2009)

The Internet of Things a secure network of objects a [..] secure system [...] able to instantaneously and

trustfully identify any kind of object