#RSAC
Blockchain Role in Smart Cities/IoT Security—A Cryptographic Perspective!
Dr. Hilal Houssain
SESSION ID: CCS-T08
Agenda
Internet of Things (IoT)
IoT Security Requirements
IoT Security Issues
Blockchain Technology
Blockchain for Securing IoT
Way forward and Conclusion
Internet of Things (IoT)
The term IoT was first coined by Kevin Ashton in 1999.
Network of devices able to: configure themselves automatically; generate, process, and exchange data; as well as request a service or start an action without human intervention at many levels.
Important Areas of Research for IoT
Smart devices, sensors in real-time, Energy Saving
WiFi, Bluetooth, ZigBee, etc.
Big-data, Machine learning, Predictive analytics, …
Security/Privacy, Trust, Authenticity/Identity, Anonymity, …
Security Requirements for IoT Devices
IoT adoption is set to rise exponentially in the coming years, but security, and a lack of in-house skills to manage that security risk, still feature at the top of business leaders’ concerns.
IoT devices can generate, process, and exchange vast amounts of critical data as well as privacy-sensitive information, and hence are appealing targets of various cyber attacks.
The IoT devices interact with each other and connected systems and infrastructures in a secure manner.
Authentication & Data integrity
Confidentiality (Encryption) is NOT always required!
Secure against node(s) key leakage
Security Issues for IoT Devices
Not reachable (mostly disconnected)
Can be lost and stolen (security difficult)
Resource constrained (no processing power for crypto)
Finite life (credentials tied to lifetime)
Majority of IoT devices had the following security issues:
Privacy concerns
Lacked encryption (processed/exchanged data and Firmware upgrades)
Insecure updates
Lack of mutual authentication (device, gateway)
Studies Reveal 70% Of IOT Devices Are Vulnerable To Attack.
IoT Network Security
More challenging than traditional network security.
A wider range of communication protocols, standards, and device capabilities.
Pose significant issues and increased complexity!
IoT Authentication
Authentication with no human intervention.
Mostly authenticating embedded sensors (device-to-device communication).
IoT standards are important catalysts but still need time to mature.
IoT Encryption
Encrypting data at rest and in transit.
Limited capability to have standard encryption processes and protocols.
Encryption key lifecycle management processes.
Data integrity and confidentiality.
Encryption is an absolute must
IoT PKI
Digital certificate, and key (generation, distribution, management, and revocation).
Limited ability to utilize PKI.
Digital certificates securely loaded onto IoT devices at the time of manufacture or installed post-manufacture.
Data integrity and confidentiality.
Low energy and lightweight (in terms of resources)
IoT devices must allocate most of their available resources to executing core application functionality.
Thus, supporting security and privacy is quite challenging.
Security Incidents Visibility: Caused by the scale and scope of IoT deployments !!!
More IoT-specific security threats will definitely drive innovative security solutions, mainly in new cryptographic primitives and Blockchain-based approaches.
Blockchain Technology
Bitcoin Whitepaper – 2008.10.31*
What is the problem that Blockchain attempts to solve?
A technology that enables moving digital assets from one node to another node.
Traditional way
Trusted third party
A Blockchain is an append-only distributed ledger that stores a time-ordered set of facts, aka transactions. Transactions are grouped into “blocks” and form a cryptographic hash-chain, hence the name Blockchain.
Role of Cryptography in Blockchain !!!!
● Integrity of ledger (Cryptographic hash function)
● Authenticity of transactions (Elliptic Curve Digital Signature Algorithm)
● Privacy of transactions (Pseudonymity through crypto tools)
● Identity of participants (Cryptographic signatures)
● Auditability and Transparency (Cryptographic hash chain)
By exploiting advanced cryptographic techniques, trust in Blockchain is shifted to technology (not to participants or nodes).
Digitally signing (using Elliptic Curve Digital Signature Algorithm) a hash digest of the previous transaction and the public key of the recipient.
Transactions are placed in blocks, which are linked by SHA256 hashes.
Every viable transaction is stored in a public ledger
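The hash-chain structure described on these two slides, as an added example (not from the talk): blocks of constructed IoT transactions linked by SHA-256, plus the check that exposes an edit to history. The per-transaction ECDSA signatures are left out, and all function names, device names and values are assumptions.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(index, prev_hash, transactions):
    """SHA-256 over a canonical encoding of the block's contents."""
    body = {"index": index, "prev": prev_hash, "tx": transactions}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()

def append_block(chain, transactions):
    """Append-only: each new block commits to the hash of its predecessor."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    index = len(chain)
    chain.append({"index": index, "prev": prev_hash, "tx": transactions,
                  "hash": block_hash(index, prev_hash, transactions)})

def first_invalid_block(chain):
    """Index of the first block that fails verification, or None if intact."""
    prev_hash = GENESIS_PREV
    for i, block in enumerate(chain):
        recomputed = block_hash(i, prev_hash, block["tx"])
        if block["prev"] != prev_hash or block["hash"] != recomputed:
            return i
        prev_hash = block["hash"]
    return None

def build_sample_ledger():
    """Constructed sample data: hypothetical device names and readings."""
    chain = []
    append_block(chain, [{"device": "sensor-01", "event": "register"}])
    append_block(chain, [{"device": "sensor-01", "temp_c": 21.5}])
    append_block(chain, [{"device": "sensor-02", "event": "register"}])
    return chain

if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact ledger:", first_invalid_block(ledger))
    ledger[1]["tx"][0]["temp_c"] = 99.9          # rewrite a stored reading
    print("after edit:", first_invalid_block(ledger))
    # Re-hashing only the edited block moves the break to its successor.
    ledger[1]["hash"] = block_hash(1, ledger[1]["prev"], ledger[1]["tx"])
    print("after re-hash:", first_invalid_block(ledger))
```

Linking alone only makes tampering evident against a trusted copy of the latest block hash; rewriting every later block is prevented by replication and consensus, which this sketch omits.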
Blockchain for Securing IoT
Blockchain-based approaches provide security and privacy in peer-to-peer networks with similar topologies to IoT
Not suitable for most resource-constrained IoT devices !!!!
Computationally expensive and involve high bandwidth overhead, delays, and significant energy.
Traditional security and privacy approaches are not applicable for IoT
Eliminate the Proof of Work (POW) and the concept of coins.
Miners, as high-resource devices, act as routers that manage communication between the private and public Blockchain networks.
As a result: Traffic volume, processing time and energy consumption reduced noticeably.
Security is preserved !!!
... but what about IoT device authentication?
PUF Technology to:
Authenticate an IoT device and register that IoT device (including its ownership information) on the Blockchain
Combining Blockchain and Physical Unclonable Function (PUF) technology
... but still PKI is needed for securing IoT devices !!!
Replace PKI digital signatures with hash-based signatures (or other Merkle-tree schemes)
... anonymous IoT devices joining & leaving the network !!!
Group signatures using one or multiple pre-shared group keys. This will remove anonymity in the IoT network.
... what about secure firmware update for IoT devices?
IoT devices will need to freely (and also securely, at low cost) buy, sell and trade their digital assets using Blockchain technology.
Manage all the updates in terms of integrity and source authenticity using blockchain. This is in addition to managing IoT device standardization and compliance auditing, device and cryptographic key management, etc.
As blockchain-based solutions and technology become widespread, expect to see sophisticated attacks on Blockchain using weaknesses in its cryptographic primitives (design & implementation).
Example: a collision in the hash; the solution is to increase the hash bit length!
A standardized lightweight cryptographic primitive is needed for resource-constrained IoT devices.
Way Forward and Conclusion
Apply What You Have Learned Today
First, have a better understanding of the Bitcoin Blockchain technology, i.e., mastering the Satoshi white paper “Bitcoin: A Peer-to-Peer Electronic Cash System”.
Then, conduct a survey of the lightweight cryptographic primitives suitable for resource-constrained IoT devices.
Finally, select three to five IoT applications, review their security issues, and then assess the implications of deploying a lightweight cryptosystem with Blockchain technology to secure these IoT applications.
Q & A
Thank You