Secure Internet of Things: Challenges and potential approaches
Dr.-Ing. Konrad Wrona, NATO Communications and Information Agency

Senzations’15: Secure Internet of Things

Page 1: Senzations’15: Secure Internet of Things

Secure Internet of Things: Challenges and potential approaches

Dr.-Ing. Konrad Wrona NATO Communications and Information Agency

Page 2: Senzations’15: Secure Internet of Things

Internet of Things

Page 3: Senzations’15: Secure Internet of Things

Internet of Threats

Page 4: Senzations’15: Secure Internet of Things

Internet of Threats

Page 5: Senzations’15: Secure Internet of Things

Internet of Threats

§ A baby monitor in Texas, USA
§ The newly-crowned Miss Teen USA
§ A botnet of over 100,000 hijacked everyday consumer devices
§ Delivery of incorrect dosages of insulin
§ Printers catching on fire

Page 6: Senzations’15: Secure Internet of Things

What is Internet of Things?

Page 7: Senzations’15: Secure Internet of Things

Attacks on SCADA and M2M

§ Theft of water (Gignac Canal System in France)
§ Release of raw sewage (Maroochy Shire Sewage plant in Australia)
§ Interference with a Landsat-7 earth observation satellite
§ Computer viruses infecting the ground-control systems of the Predator and Reaper remotely piloted aircraft

Page 8: Senzations’15: Secure Internet of Things

What are the solutions

§ Secure configuration of the devices and OS
§ Secure network communication
§ Secure storage
§ Physical security
§ Hack-proof security is unrealistic
  • Need for intrusion detection and response
§ Defence-in-depth approach
  • Several complementary security mechanisms
  • Context-aware security and broken-glass policies

Page 9: Senzations’15: Secure Internet of Things

TLS/DTLS/eDTLS

§ TLS – Transport Layer Security
  • The most widely deployed security protocol
  • Uses TCP: requires reliable, in-order packet delivery
§ DTLS – Datagram Transport Layer Security
  • Uses UDP: works with unreliable, out-of-order packet delivery used in constrained platforms and networks
  • No multi-record stream cyphers
§ eDTLS on small embedded platforms
  • Reduced state-machine code size, data overhead, compressed handshake protocol
  • More keying flexibility: Pre-shared, raw public/private, X.509 certificate

Page 10: Senzations’15: Secure Internet of Things

Where are the problems

§ Network layer security is the easy part
§ Security provisioning and management is difficult
  • Constrained user interface
  • Number of devices
  • Untrained users
§ Higher security means higher initial cost, complexity, power
  • However, data or life loss might be more expensive

Page 11: Senzations’15: Secure Internet of Things

Internet of Threats

Page 12: Senzations’15: Secure Internet of Things

DARPA view on IoT security

Page 13: Senzations’15: Secure Internet of Things

So, does all military equipment have military-level security?

Page 14: Senzations’15: Secure Internet of Things

Car hacking

Page 15: Senzations’15: Secure Internet of Things

Car hacking

Page 16: Senzations’15: Secure Internet of Things

Car hacking

Page 17: Senzations’15: Secure Internet of Things

Data recorded by automobile manufacturers

§ BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen, and Volvo

§ Aston Martin, Lamborghini, and Tesla did not respond

Page 18: Senzations’15: Secure Internet of Things

Data recorded by automobile manufacturers

Page 19: Senzations’15: Secure Internet of Things

Data recorded by automobile manufacturers

Page 20: Senzations’15: Secure Internet of Things

Data recorded by automobile manufacturers

§ Physical location recorded at regular intervals;
§ Previous destinations entered into navigation system;
§ Last location parked.
§ Potential crash events, such as sudden changes in speed;
§ Status of steering angle, brake application, seat belt use, and air bag deployment;
§ Fault/error codes in electronic systems.
§ Vehicle speed;
§ Direction/heading of travel;
§ Distances and times traveled;
§ Average fuel economy/consumption;
§ Status of power windows, doors, and locks;
§ Tire pressure;
§ Fuel level;
§ Engine RPM;
§ Odometer reading;
§ Mileage since last oil change;
§ Battery health;
§ Coolant temperature;
§ Engine status;
§ Exterior temperature and pressure.

Page 21: Senzations’15: Secure Internet of Things

Why worry?

Page 22: Senzations’15: Secure Internet of Things

Why do we need fine-grained access control?

Page 23: Senzations’15: Secure Internet of Things

How to protect customers from the Internet of Threats?

§ Market design
  • Ask at the Business track of the school
§ Legislation

Page 24: Senzations’15: Secure Internet of Things

Example of Legislation: Security and Privacy in Your (SPY) Car Act (2015)

§ Vehicle owners to be made aware of what data is being collected, transmitted and shared
§ To be offered the chance to opt out of data collection without losing access to key navigation or other features where feasible
§ Requiring an easy method for consumers to evaluate how well an automaker goes beyond the minimums defined in the proposed law

Page 25: Senzations’15: Secure Internet of Things

How to protect customers from the Internet of Threats?

§ Market design
  • Ask at the Business track of the school
§ Legislation
§ Secure design
  • Technology
  • Usability of configuration
  • Easy understanding of implications

Page 26: Senzations’15: Secure Internet of Things

OLP Dimensions

Page 27: Senzations’15: Secure Internet of Things

Page 28: Senzations’15: Secure Internet of Things

Proposed solution: CPR

• Originator defines content description (attributes), not confidentiality markings
• Content attributes determine
  – Protection requirements
    • How the content is to be processed and stored
  – Release conditions
    • To whom it can be released

[Figure: ACCESS REQUEST with terminal attributes and user attributes; {PROTECTION REQUIREMENTS} and {RELEASE CONDITIONS}; two decision points (D) combined (+) into a RELEASE DECISION; CPRESS]

Page 29: Senzations’15: Secure Internet of Things

NATO Object Level Protection: Content-based Protection and Release

Page 30: Senzations’15: Secure Internet of Things

CPR cryptographic access control: Encryption

Page 31: Senzations’15: Secure Internet of Things

CPR cryptographic access control: Decryption

Page 32: Senzations’15: Secure Internet of Things

Symmetric Key Encryption Schemes

§ Same secret key used for encryption and decryption.
§ Any user can generate keys.
§ Relies on an authenticated distribution mechanism.

[Figure: Alice and Bob; key labels sk, sk]

Page 33: Senzations’15: Secure Internet of Things

Public-Key Encryption Schemes

§ Different keys for encryption and decryption
  • The encryption key is made public
  • The decryption key is kept secret
§ Any user can generate keys.
§ Relies on authenticated distribution mechanism for public keys.

[Figure: Alice and Bob; labels pk, CA, sk, pk, sk]

Page 34: Senzations’15: Secure Internet of Things

Identity-Based Encryption Schemes

§ Public-key encryption scheme with custom-formatted public keys
§ No longer relies on authenticated distribution mechanism for public keys
§ Private keys need to be generated by a central entity

[Figure: Alice and Bob; identities [email protected] and [email protected]; Key Distribution; labels sk, sk]

Page 35: Senzations’15: Secure Internet of Things

Attribute-Based Encryption Schemes

§ Extension of IBE where users can be assigned various attributes
  • Users receive private keys corresponding to their attributes.
  • Ciphertexts are linked with a predicate on the attributes.
  • Decryption of a ciphertext is possible by a user if and only if the linked predicate evaluates to TRUE on the user's attributes.

[Figure: Alice and Bob; Key Distribution; attribute labels Female, MSc, Management, Male, Medical, Trainee; predicate Female ∨ Trainee]

Page 36: Senzations’15: Secure Internet of Things

Other Related Encryption Schemes

§ Predicate Encryption (PE)
  • Also incorporates schemes that support predicate hiding.
§ Functional Encryption (FE)
  • Also incorporates schemes where the outcome of a decryption is a non-trivial function of the involved message, predicate and key.
§ Relationship: $PKE \subset IBE \subset ABE \subset PE \subset FE$.

9/4/15 36 NATO UNCLASSIFIED RELEASABLE TO PFP

Page 37: Senzations’15: Secure Internet of Things

Hybrid Encryption with ABE

§ Concept
  • Encrypt plaintext with symmetric encryption scheme.
  • Encrypt symmetric key using ABE.
§ Motivation
  • The overhead of using ABE is relative to the size of the data it encrypts.
  • Symmetric keys tend to be much smaller than the plaintext to be encrypted.
  • Limited overhead when using symmetric encryption.
  • This significantly reduces the overhead of using ABE relative to the plaintext to be encrypted.

Page 38: Senzations’15: Secure Internet of Things

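Definition Attribute-Based Encryption

§ Let $P: K \times I \to \{0,1\}$ be a PT predicate.
§ ABE consists of four PPT algorithms:
  • $(pk, msk) \leftarrow \mathrm{Setup}(1^{\lambda})$
  • $sk \leftarrow \mathrm{KeyGen}(msk, k)$
  • $c \leftarrow \mathrm{Encrypt}(pk, (ind, m))$
  • $y \leftarrow \mathrm{Decrypt}(sk, c)$
  where $k \in K$ and $ind \in I$ and
  • $y = \begin{cases} m & \text{if } P(k, ind) = 1 \\ \bot & \text{if } P(k, ind) = 0 \end{cases}$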

Page 39: Senzations’15: Secure Internet of Things

Key Policy

§ The key space $K$ consists of $n$-variable Boolean formulas $\phi$.
§ Elements $ind = z = (z_1, z_2, \cdots, z_n)$ from the index space $I = \{0,1\}^n$ are interpreted as representations of $n$ Boolean values.
§ $P(\phi, z) = \begin{cases} 1 & \text{if } \phi(z) = 1 \\ 0 & \text{otherwise} \end{cases}$

Page 40: Senzations’15: Secure Internet of Things

Ciphertext Policy

§ The key space $K = \{0,1\}^n$ consists of representations $k = z = (z_1, z_2, \cdots, z_n)$ of $n$ Boolean values.
§ Elements $ind = \phi$ from the index space $I$ are $n$-variable Boolean formulas.
§ $P(z, \phi) = \begin{cases} 1 & \text{if } \phi(z) = 1 \\ 0 & \text{otherwise} \end{cases}$

Page 41: Senzations’15: Secure Internet of Things

Full Security

§ Security defined by the following game between a Challenger and an Adversary:
  • (Setup) Challenger → Adversary: public parameters
  • (Query Phase 1) Adversary → Challenger: key queries
  • (Challenge set selection) Adversary → Challenger: attribute set S not accepted by queried keys
  • (Plaintext submission) Adversary → Challenger: challenge messages m0, m1
  • (Challenge response) Challenger → Adversary: Encrypt(pk,(S,m0)) or Encrypt(pk,(S,m1))
  • (Query Phase 2) Adversary → Challenger: queries for keys with policy not accepting S
  • (Guess) Adversary → Challenger: m0 or m1

Page 42: Senzations’15: Secure Internet of Things

Selective Security

§ Security defined by the following game between a Challenger and an Adversary:
  • (Challenge set selection) Adversary → Challenger: attribute set S
  • (Setup) Challenger → Adversary: public parameters
  • (Query Phase 1) Adversary → Challenger: queries for keys with policy not accepting S
  • (Plaintext submission) Adversary → Challenger: challenge messages m0, m1
  • (Challenge response) Challenger → Adversary: Encrypt(pk,(S,m0)) or Encrypt(pk,(S,m1))
  • (Query Phase 2) Adversary → Challenger: queries for keys with policy not accepting S
  • (Guess) Adversary → Challenger: m0 or m1

Page 43: Senzations’15: Secure Internet of Things

Selective Security Limitations

§ Can only use policies that accept the challenge attribute set.

§ Can only use attributes in the challenge attribute set.

•  This in particular makes selective security unsuitable for ABE schemes that need to support both positive and negative attributes.

§ Therefore, we mainly focus on fully secure schemes.

Page 44: Senzations’15: Secure Internet of Things

Inequalities in Policies

§ Attribute assignments are Boolean.
  • E.g., a person may get assigned the attribute “member”, “not a member” or no attribute related to membership at all.
§ Relatively efficient inequality comparisons involving static integers are however possible.
  • Uses attributes corresponding to bit representations.
  • E.g., 6 encodes as the set {“1∗∗”, “∗1∗”, “∗∗0”}.
  • E.g., $a < 5$ encodes as “0∗∗” ∨ (“∗0∗” ∧ “∗∗0”).
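
The bit-wise encoding above, generalised to any bound and bit width, as an added example that is not part of the original slides. It builds the monotone formula for a < bound and evaluates it on an attribute set, which is the ciphertext-policy predicate P(z, φ) from the earlier definition; function names are this example's own, ASCII "*" stands in for the slide's wildcard, and no encryption is performed.

```python
"""Bit-attribute encoding of integers and of "a < bound" policies for ABE."""


def bit_attr(pos, bit, nbits):
    """Attribute for `bit` at position `pos` (0 = most significant)."""
    return "*" * pos + str(bit) + "*" * (nbits - 1 - pos)


def encode_value(value, nbits):
    """Attribute set given to a user holding `value` (one attribute per bit)."""
    if not 0 <= value < 2 ** nbits:
        raise ValueError("value does not fit in nbits")
    return {bit_attr(p, (value >> (nbits - 1 - p)) & 1, nbits)
            for p in range(nbits)}


def less_than_policy(bound, nbits):
    """Monotone formula satisfied exactly by encodings of a < bound.

    Nodes: attribute string, ("and", l, r), ("or", l, r); None means
    no attribute set can satisfy the policy (bound == 0).
    """
    if not 0 <= bound < 2 ** nbits:
        raise ValueError("bound does not fit in nbits")
    policy = None  # no bits left to compare: a == bound, so a < bound fails
    for pos in range(nbits - 1, -1, -1):  # least significant bit first
        zero = bit_attr(pos, 0, nbits)
        if (bound >> (nbits - 1 - pos)) & 1:
            # bound has 1 here: a 0 in `a` decides it, otherwise look lower
            policy = zero if policy is None else ("or", zero, policy)
        else:
            # bound has 0 here: `a` needs 0 here and must be smaller lower down
            policy = None if policy is None else ("and", zero, policy)
    return policy


def satisfies(policy, attrs):
    """The ABE predicate: evaluate the formula on a user's attribute set."""
    if policy is None:
        return False
    if isinstance(policy, str):
        return policy in attrs
    op, left, right = policy
    results = (satisfies(left, attrs), satisfies(right, attrs))
    return all(results) if op == "and" else any(results)


def render(policy, top=True):
    """Human-readable form of a policy."""
    if policy is None:
        return "FALSE"
    if isinstance(policy, str):
        return f'"{policy}"'
    op, left, right = policy
    text = f"{render(left, False)} {op.upper()} {render(right, False)}"
    return text if top else f"({text})"


if __name__ == "__main__":
    print(sorted(encode_value(6, 3)))
    print(render(less_than_policy(5, 3)))
```

The policy uses only "bit is 0" attributes joined by AND and OR, so it needs no negation and its size grows with the number of bits rather than with the bound.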

Page 45: Senzations’15: Secure Internet of Things

Revocation

§ Revocation mechanism types
  • Indirect revocation
  • Direct revocation
§ Efficiency-enhancing techniques for revocation

Page 46: Senzations’15: Secure Internet of Things

USE CASES

Page 47: Senzations’15: Secure Internet of Things

CPR cryptographic access control: Infrastructure

§ Provide protection of information in an environment where both communication and data storage infrastructure are controlled by a third party
§ Support all standard information exchange scenarios

Page 48: Senzations’15: Secure Internet of Things

CPR Example: Information sharing for Passive Missile Defence

[Figure: CPR applied to three access requests]
§ NATO employee with NATO Secret clearance, NATO Desktop located in Class I area: Full view
§ NATO contractor with NATO Restr. clearance, NATO laptop: Partial view
§ Red Cross worker, Unknown terminal: Public information only
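
The CPR release decision from the "Proposed solution: CPR" slide, applied to the three requesters of this example; this is an added sketch, not code from the slides or from NATO. It assumes that terminal attributes are checked against the protection requirements and user attributes against the release conditions, and every attribute name, policy rule and content item in it is constructed for illustration.

```python
"""CPR release decision: content attributes -> requirements -> decision."""

CLEARANCE_RANK = {"none": 0, "restricted": 1, "secret": 2}

# Constructed policy keyed by a content attribute ("kind"). Each rule gives
#   protection: attributes the terminal must have to process/store the content
#   release:    minimum clearance of the user it may be released to
POLICY = {
    "evacuation-notice": {"protection": set(), "release": "none"},
    "impact-area": {"protection": {"nato-managed"}, "release": "restricted"},
    "sensor-track": {"protection": {"nato-managed", "class-1-area"},
                     "release": "secret"},
}


def release_decision(content, user, terminal):
    """True only if BOTH checks pass; content without a rule is denied."""
    rule = POLICY.get(content.get("kind"))
    if rule is None:
        return False
    terminal_ok = rule["protection"] <= terminal["attributes"]
    user_rank = CLEARANCE_RANK.get(user.get("clearance"), 0)
    user_ok = user_rank >= CLEARANCE_RANK[rule["release"]]
    return terminal_ok and user_ok


def view(objects, user, terminal):
    """Identifiers of the objects this user may see on this terminal."""
    return [o["id"] for o in objects if release_decision(o, user, terminal)]


# Constructed content set for the passive missile defence scenario.
OBJECTS = [
    {"id": "notice-1", "kind": "evacuation-notice"},
    {"id": "area-1", "kind": "impact-area"},
    {"id": "track-1", "kind": "sensor-track"},
    {"id": "memo-1"},  # originator supplied no attributes
]

EMPLOYEE = {"role": "NATO employee", "clearance": "secret"}
CONTRACTOR = {"role": "NATO contractor", "clearance": "restricted"}
RED_CROSS = {"role": "Red Cross worker", "clearance": "none"}

DESKTOP = {"attributes": {"nato-managed", "class-1-area"}}
LAPTOP = {"attributes": {"nato-managed"}}
UNKNOWN = {"attributes": set()}

if __name__ == "__main__":
    for user, term in [(EMPLOYEE, DESKTOP), (CONTRACTOR, LAPTOP),
                       (RED_CROSS, UNKNOWN), (EMPLOYEE, UNKNOWN)]:
        print(user["role"], sorted(term["attributes"]),
              view(OBJECTS, user, term))
```

The last case shows why the two checks are kept separate: a user with Secret clearance on an unknown terminal still receives only the public item.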

Page 49: Senzations’15: Secure Internet of Things

Thank you!

[email protected]