securing iot - etsi · 14 philips research himmo •efficient collusion- and quantum- resistant...

1 PHILIPS RESEARCH

Oscar Garcia-Morchon ETSI Security Week June 14th 2016

Securing IoT

1

2 PHILIPS RESEARCH

Internet of Things Some use cases and features

• Robust architecture • Small packets • Private data • Low power

• Constrained links • Device to device • Large network • Low power • Long-term

• Identify devices • Low power • Robust • Speed

3 PHILIPS RESEARCH

Abstracting

Device 1

Server 1

Device 2

Server 2

Device d

Server s

Device 3

4 PHILIPS RESEARCH

Many Requirements

Energy efficiency Small and real-time

Simple operation Quantum secure

Device lifecycle

Manufacturing

Distribution

Installation

Operation

Re-configuration

End-of-life

5 PHILIPS RESEARCH

Many Requirements

Challenge: Efficient and scalable management of keys/credentials of devices

Small and real-time

Simple operation Quantum secure

Device lifecycle

Manufacturing

Distribution

Installation

Operation

Re-configuration

End-of-life

Energy efficiency

6 PHILIPS RESEARCH

Device Lifecycle and Security Needs

Device 1

Server 1

Device 2

Device d

Server s

Device 3

Root of trust

Root of trust

7 PHILIPS RESEARCH

Device Lifecycle and Security Needs

Device 1

Server 1

Device 2

Device d

Server s

Device 3

Root of trust

Root of trust

Network access

Manufacturing

Operation

Security infrastructure

8 PHILIPS RESEARCH

Device Lifecycle and Security Needs

Device 1

Server 1

Device 2

Device d

Server s

Device 3

Root of trust

Root of trust

Network access

Manufacturing

Operation

Security infrastructure Infrastructure • Out-of-band (secure manufacturing)

and in-band (Internet) provisioning • Efficient resistance to root capture • Long term security • Key escrow

9 PHILIPS RESEARCH

Device Lifecycle and Security Needs

Device 1

Server 1

Device 2

Device d

Server s

Device 3

Root of trust

Root of trust

Network access

Manufacturing

Operation

Security infrastructure

Network access • Backend authentication/authorization • Device authentication/authorization • Device identification/blacklisting • DoS prevention

Infrastructure • Out-of-band (secure manufacturing)

and in-band (Internet) provisioning • Efficient resistance to root capture • Long term security • Key escrow

10 PHILIPS RESEARCH

Device Lifecycle and Security Needs

Device 1

Server 1

Device 2

Device d

Server s

Device 3

Root of trust

Root of trust

Network access

Manufacturing

Operation

Security infrastructure

Network access • Backend authentication/authorization • Device authentication/authorization • Device identification/blacklisting • DoS prevention

Operation • Key agreement • Collusion resistance • Quantum resistance • Easy protocol integration • Forward security and key escrow • Credential verification, e.g., public-keys

Infrastructure • Out-of-band (secure manufacturing)

and in-band (Internet) provisioning • Efficient resistance to root capture • Long term security • Key escrow

11 PHILIPS RESEARCH

Options

KDC CA

PGK TTP

Configuration

Operation

12 PHILIPS RESEARCH

KDC CA

PGK TTP

Options Configuration

Operation

13 PHILIPS RESEARCH

HIMMO Efficient Collusion- and Quantum-Resistant Key Pre-Distribution Scheme

𝐼𝐷 𝐵

Configuration parameters

𝐼𝐷 𝐺𝐼𝐷(𝑥)

𝐾𝐴,𝐵 𝑆𝑒𝑐𝑟𝑒𝑡 𝑅(𝑥, 𝑦)

𝐾𝐵,𝐴

𝐸 𝐾𝐴,𝐵(𝑚)

𝐴

1) Setup 2) Keying material extraction 3) Operational protocol

TTP TTP

14 PHILIPS RESEARCH

HIMMO

• Efficient collusion- and quantum- resistant

• Easy protocol integration (TLS, MAC-layer level protocols, etc)

• Features – Identity-based – Multiple TTP support – Credential certification and verification – One-way key exchange and authentication in 30 Bytes

• Advantages – Very low overhead – Blacklisting feasible – Resilient TTP infrastructure – Out-of-the-box secure by factory configuration – Architectures able to support both forward secrecy and key escrow

𝑩 𝑨 TLS

15 PHILIPS RESEARCH

+ Information and Contest for Open Verification

www.himmo-scheme.com

16 PHILIPS RESEARCH

Conclusions

• The IoT covers a plethora of use cases with very diverse needs

• The key challenge: efficient and scalable management of keys/credentials of devices through their lifecycle

• HIMMO is an efficient collusion- and quantum-resistant key pre-distribution scheme overcoming this problem

17 PHILIPS RESEARCH

18 PHILIPS RESEARCH

[1] O. Garcia-Morchon, L. Tolhuizen, D. Gomez, and J. Gutierrez. Towards full collusion resistant ID-based establishment of pairwise keys. In Extended abstracts of the third Workshop on Mathematical Cryptology (WMC 2012) and the third international conference on Symbolic Computation and Cryptography (SCC 2012). Pages 30-36, 2012. [2] O. Garcia Morchon, Ronald Rietman, Igor E. Shparlinski, and Ludo Tolhuizen. Interpolation and approximation of polynomials in finite fields over a short interval from noisy values. Experimental mathematics, 23:241–260, 2014. [3] O. Garcia-Morchon, D. Gomez-Perez, J. Gutierrez, R. Rietman, and L. Tolhuizen. The MMO problem. In Proc. ISSAC’14, pages 186–193. ACM, 2014. [4] O. Garcia-Morchon, D. Gomez-Perez, J. Gutierrez , R. Rietman, B. Schoenmakers, and L. Tolhuizen,. HIMMO - A Lightweight, Fully Collusion Resistant Key-Pre-distribution Scheme. Cryptology ePrint Archive, Report 2014/698. [5] O. Garcia-Morchon, R. Rietman, S. Sharma, L. Tolhuizen, J.L., Torre-Arce. DTLS-HIMMO Efficiently Securing a Post-Quantum World with a Fully-Collusion Resistant KPS. In ESORICS 2015; also presented at NIST workshop on Cybersecurity in a Post-Quantum World, 2015. [6] O. Garcia-Morchon, R. Rietman, S. Sharma, L. Tolhuizen, J.L., Torre-Arce. A comprehensive and lightweight security architecture to secure the IoT throughout the lifecycle of a device based on HIMMO. In ALGOSENSORS 2015; also presented at NIST Lightweight Cryptography Workshop, 2015. [7] O. Garcia-Morchon, R. Rietman, I. Shparlinski, and L. Tolhuizen, "Results on polynomial interpolation with mixed modular operations and unknown moduli". IACR ePrint Archive, Report 2015-1003 [8] O. Garcia-Morchon, R. Rietman, L. Tolhuizen, J.L. Torre-Arce, M.S. Lee, D. Gomez-Perez, J. Gutierrez, B. Schoenmakers, "Attacks and parameter choices in HIMMO", ", IACR ePrint Archive, Report 2016-152 [9] O. Garcia-Morchon, R. Rietman, L. Tolhuizen, J.L. Torre-Arce, S. Bhattacharya and M. Bodlaender "Efficient quantum-resistant trust Infrastructure based on HIMMO", IACR ePrint Archive, Report 2016-410

Literature

19 PHILIPS RESEARCH

HI and MMO Problems

• Hiding Information (HI) problem [2]:

Let 𝒇 ∈ 𝒁 𝒙 of degree at most 𝜶, 𝒙𝒊 ∈ 𝒁 and 𝒚𝒊 = 𝒇(𝒙𝒊) 𝑵 𝒓 for

𝟎 ≤ 𝒊 ≤ 𝒄. Given 𝜶,𝑵, 𝒓, 𝒙𝟏, 𝒚𝟏 , … 𝒙𝒄, 𝒚𝒄 and 𝒙𝟎, find 𝒚𝟎 .

• Mixing Modular Operations (MMO) problem [3]: Let 𝒎 ≥ 𝟐 and 𝒈𝟏, … , 𝒈𝒎 ∈ 𝒁 𝒙 , all of degree at most 𝜶, let 𝒙𝒊 ∈ 𝒁

and 𝒚𝒊 = 𝒈𝒋(𝒙𝒊) 𝒒𝒋𝒎𝒋=𝟏 for 𝟎 ≤ 𝒊 ≤ 𝒄 . Given 𝜶,𝒎 𝒙𝟏, 𝒚𝟏 , … , (𝒙𝒄, 𝒚𝒄)

and 𝒙𝟎, find 𝒚𝟎 .

20 PHILIPS RESEARCH

Performance

Target security level (bits) 80 128

Identity size (B) 10 32

“Signature size” (B) 10 32

One-way key exchange (B) 20 75

One-way key exchange & entity authentication (B) 30 107

PC time (ms) 0.29 0.68

NXP 120 MHz time (ms) 18.45 41.37

Required Root Hermite factor 1.008 1.0056

Pre-processing running time for LLL (years) 75 639.65

Classical Quantum

21 PHILIPS RESEARCH

𝐴

𝐵

{𝐴𝑙𝑖𝑐𝑒, 1982}

𝐺𝐻𝑎𝑠ℎ(𝐴𝑙𝑖𝑐𝑒,1982)(𝑥) TTP

• 𝐾𝐵,𝐴 = 𝐺𝐵 𝐻𝑎𝑠ℎ 𝐴𝑙𝑖𝑐𝑒, 1982

• Decrypt and verify m (and implicitly, information)

𝐻𝑎𝑠ℎ 𝐴𝑙𝑖𝑐𝑒, 1982 , 𝐴𝐸 𝐾𝐴,𝐵(𝑚| 𝐴𝑙𝑖𝑐𝑒, 1982 ) 𝐴

1) Certification

2) Verification

Certification and verification of information

22 PHILIPS RESEARCH

• Trusted: never rely on a single authority, what if hacked or monitoring

• Efficient : same overhead as a single TTP scheme

• Key escrow: IFF agreement by all TTPs

A

A

𝐺𝐴,1(𝑥)

TTP 1 TTP 2

A 𝐺𝐴,2(𝑥)

TTP 1

Supporting multiple TTPs

23 PHILIPS RESEARCH

• Problems

– Whole system/network depends on a single master key

– Credential management for millions of devices

• HIMMO key shares instead of a common secret

– Quantum- and collusion-resistant

– No overhead

– Straightforward integration

– Blacklisting feasible

– Out-of-the-box secure by factory configuration

Device 1

Device 2

Device d

Device 3

Secure Device-to-Device Communication

24 PHILIPS RESEARCH

• Problems in (D)TLS

– Non-PSK modes are resource-hungry and PSK does not scale

– All cipher suites in (D)TLS (except PSK) are not quantum-resistant

– Certification authority compromised huge problem

• HIMMO can be easily integrated into (D)TLS-PSK mode by exchanging HIMMO identities in two parameters of DTLS-PSK

End-to-end secure communication

Client Server

*ServerKeyExchange (PSK identity hint = HIMMO fields)

ClientKeyExchange (Key hint = HIMMO fields), Finish

HIMMO key HIMMO credential verification

HIMMO key HIMMO credential verification

Finish

25 PHILIPS RESEARCH

HIMMO-based trust infrastructure (IoT and beyond)

• We can even – Use HIMMO to authenticate public-keys: Public-keys are “signed” by several TTPs – Use public-key to securely distribute HIMMO keying material to a node

• Features – Extremely efficient public-key verification – Resilient TTP infrastructure – Supports forward secrecy and key escrow – Excellent performance independent of TTP number – Handshake modification enables encrypted exchange of credentials