autonomous vehicles workshop feb 2016 · conclusions assurance for secure communications is...
TRANSCRIPT
Secure Communication?
Cas Cremers
Summary: Security protocols are hard.
It's scary to attach a (large) vehicle to them.
Attacks on AV can be critical
Attacker control has serious consequences
OBD2 telematics hack lets remote attackers mess with car’s brakes
Devices used by insurance companies, fleet managers open doors to remote attack.
Aug 11, 2015 5:25pm BST
AV software updates are not easy
Repairing bugs (enforcing updates) is expensive/hard
Volvo Recalls 59,000 Cars For Faulty Software In 40 Markets
02/20/16 AT 11:13 AM
What if something goes wrong?
Remote influence on control systems?
3G
Bluetooth
Wifi
...
Control systems
Secure communications are crucial for AV
CAV
Remote influence on control systems?
Attacker control has serious consequences
Repairing bugs (enforcing updates) is expensive/hard
Who to turn to for secure communications?
● Reminder: these standards cannot be local
● ISO/IEC?
● ETSI (European Telecommunications Standards Institute)?
  ● 3G, UMTS, ...
● IETF (Internet Engineering Task Force)?
  ● TLS, ...
TLS: Transport Layer Security
TLS over time
Our work in this space
● Develop mathematical frameworks to reason about security protocols & threat models
  ● Side effect: new attack types, new guarantees
● Develop (automated) tools to analyse protocols
  ● E.g., Scyther, Tamarin, ...
● Use the results to improve standards
  ● ISO 9798 & 11770, TLS 1.3, ...
Cas Cremers – http://www.cs.ox.ac.uk/people/cas.cremers/intro.html
Automated analysis of TLS 1.3
● Resources
  ● Lots of manpower
  ● Hardware (mostly memory currently)
● Outcome:
  ● Proof of rev 10
  ● Attack on one suggested variant
Automated Analysis of TLS 1.3: 0-RTT, Resumption and Delayed Authentication C. Cremers, M. Horvat, S. Scott, T. van der Merwe. IEEE Symposium on Security and Privacy (Oakland), 2016.
The ISO/IEC 9798 Standard
● Entity Authentication Mechanisms
● 18 base protocols
  ● Symmetric-key encryption, Digital signatures, Cryptographic check functions
● Unilateral or Mutual authentication
● Additional protocols with TTP
● Further variants from optional fields
Results
● No strong authentication properties
Aliveness < Agreement < Synchronisation
● Under some conditions no authentication
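An added example, not from the slides: a small trace checker for the lower levels of the hierarchy above. It assumes Lowe's standard definitions of aliveness, weak agreement and non-injective agreement for the slide's terms; the event format and all traces are constructed, and synchronisation is not modelled.

```python
from typing import NamedTuple

class Event(NamedTuple):
    kind: str    # "running" (agent started a run) or "commit" (agent finished one)
    agent: str   # who emitted the event
    role: str    # "initiator" or "responder"
    peer: str    # who the agent believes it is talking to
    data: tuple  # values the agent believes were agreed

LEVELS = ["none", "aliveness", "weak agreement", "non-injective agreement"]
OTHER = {"initiator": "responder", "responder": "initiator"}

def level_for_commit(trace, idx):
    """Index into LEVELS of the strongest property the commit at trace[idx] satisfies."""
    c = trace[idx]
    # Aliveness: the claimed peer did *something* in the protocol earlier.
    by_peer = [e for e in trace[:idx] if e.agent == c.peer]
    if not by_peer:
        return 0
    # Weak agreement: the peer was running the protocol apparently with us.
    with_me = [e for e in by_peer if e.kind == "running" and e.peer == c.agent]
    if not with_me:
        return 1
    # Non-injective agreement: peer also took the complementary role, same data.
    if any(e.role == OTHER[c.role] and e.data == c.data for e in with_me):
        return 3
    return 2

def strongest_property(trace):
    """Strongest level that holds for every commit in the trace."""
    commits = [i for i, e in enumerate(trace) if e.kind == "commit"]
    return LEVELS[min((level_for_commit(trace, i) for i in commits),
                      default=len(LEVELS) - 1)]

# Constructed traces: A always commits as initiator, believing the peer is B.
COMMIT = Event("commit", "A", "initiator", "B", ("n1",))
HONEST = [Event("running", "B", "responder", "A", ("n1",)), COMMIT]
ROLE_MIXUP = [Event("running", "B", "initiator", "A", ("n1",)), COMMIT]
WRONG_PEER = [Event("running", "B", "responder", "C", ("n1",)), COMMIT]
NO_PEER = [COMMIT]

if __name__ == "__main__":
    for name in ("HONEST", "ROLE_MIXUP", "WRONG_PEER", "NO_PEER"):
        print(f"{name:11s} -> {strongest_property(globals()[name])}")
```

The four traces fall on four different levels, which is why a result such as "aliveness only" is a much weaker guarantee than the word "authentication" suggests.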
Open issues
● Secure protocols quite elusive
● TLS possibly most scrutinized
● No reason to believe protocols such as WPA2 etc. more secure
  ● rather the opposite
Conclusions
● Assurance for secure communications is critical for CAV
  ● Attacker controlled CAV is a nightmare
  ● Security protocol can be only barrier between attacker and control
  ● Classic problem that is still hugely challenging
  ● Hard to patch the AVs once out there
● Expertise is available – need to collaborate!
  ● IETF has set a good example in involving experts
● We would like to avoid reading on a forum:
  ● "AV-Botnet for sale..."