March, 2002 doc:.: 802.15-02/132r0
Daniel V. Bailey, Ari Singer, NTRU
Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)
Submission Title: [NTRU Security Suite Proposal Highlights]
Date Submitted: [March 8, 2002]
Source: [Daniel V. Bailey, Product Manager for Wireless Networks and Ari Singer, Principal Engineer]
Company: [NTRU]
Address: [5 Burlington Woods, Burlington, MA 01803]
Voice: [(781) 418-2500], FAX: [(781) 418-2507], E-Mail: [[email protected]]
Re: [Draft P802.15.3/D09, P802.15-02-074r1 802.15.3 Call For Proposals for a Security Suite]
Abstract: [This presentation presents highlights of NTRU’s proposal for a security suite for the 802.15.3 draft standard.]
Purpose: [To familiarize the working group with the NTRU proposed security suite.]
Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.
Use Cases: Directed Connectivity
• 802.15.3 is a high data-rate, personal-range MAC and PHY
• Most compelling use case is directed connectivity for consumer rich media devices
• 55 Mbps (and up!) is needed by things that stream…
– DVD players
– HDTVs, wireless projectors
– Digital camcorders
• …and things that “check in/out” content
– Digital cameras
– Personal MP3 players
• The things using 1394 and USB today!
Use Cases: What About These Devices?
• Consumer multimedia devices
• Small form factor
• User interface varies from a PC to a receiver to a digital camera to a speaker
• Setup has to be simpler than cables!!!
– Today consumers are fatigued by the effort needed to set up the average home entertainment center
• Operate in ad-hoc mode today
– Plug your digital camera in where/when you need it
– No Internet/backend connectivity can be assumed
• Severe cost/power constraints in this market
– How much extra power does a camcorder have?
Use Cases: Security and 1394
• Today, security is a non-issue for the consumer
– Just plug it in!
– No threats against the consumer
– Threats addressed by 5C are against content owners, not consumers
– DRM belongs outside the MAC/PHY
• 1394 asks one question of its user: Is THIS the device I want in MY network NOW?
• Plugging in answers “yes.”
• So the user is trusted to make this decision
Use Cases: Security and 1394
• What does that buy me in terms of security?
• Everything I need!
• Security Goal #1: Only devices I want can join my network (Is this the device I want in my network now?)
• Security Goal #2: Only devices I want can read my data
• Security Goal #3: Only devices I want can send data to my devices
• How do we make this happen in 802.15.3 just like 1394?
Use Cases: Doing Security in 802.15.3
• The KISSS Principle: Keep it Simple and Secure, Stupid!
– Complexity in security is BAD. It’s more stuff to get wrong.
– 1394’s security is Real Simple, but plenty for the application.
– Complexity is expensive.
• Let’s start with unsecured 802.15.3 and add the security features we need
Use Cases: Securing an 802.15.3 Piconet
• An 802.15.3 piconet has a star topology
– One device, the PNC, allocates bandwidth
– So it decides who can talk over the radio
• Security Goal #1: Only devices I want can join the network
• The PNC makes this decision in an unsecure piconet
• Applying the KISSS principle, it will do so in a secure piconet, too.
• But how?
Use Cases: Is This the Device I Want in My Network Now?
• Devices or device manufacturers can’t answer this question for a user
• So let’s have the PNC ask the user
– At least one device in a crowd of consumer multimedia machines must have a rich enough user interface.
– Ad hoc networks of speakers aren’t very interesting
• Might as well decide to save the answer if it’s “yes.”
• PNC hears from a device over the radio and prompts
• But wait!
• How do I know the device isn’t lying about who it is?
Use Cases: Why Not Use Digital Certificates?
• Because they:
– Don’t answer the relevant question: Is THIS the device I want in MY network NOW?
– Require sophisticated user intervention in order to be secure
  • Requires user to map certificate to device
  • Inaccurate user intervention compromises security
– Are complicated to issue and manage
– Add cost to manufacturers
– Add complexity: Complex systems are harder to secure
Certificates have their uses…just not in a WPAN
Use Cases: Is the PNC Talking to the Right Device?
• The real question is: Is the PNC hearing over the radio from the same device I’m trying to add to my network?
• Actual identity of a device isn’t needed.
– With 1394, I just know it’s “this one.”
• How do we get the user to point and say “this one?”
• Best way depends on the application, but we can rely on the DME to ask the user to introduce the devices
– Bring them close together and they can whisper
– PNC asks the user to confirm some information the device sent
– PNC asks the user to confirm the distance between the devices
– Device presents the PNC with a signed statement about its identity
Use Cases: Is the Device Talking to the Right PNC?
• While we’re at it, how does the device know the PNC is the right one?
• All the same ways, it turns out…
Use Cases: Device Confirmation
• Once the user points and says “this one,” it’d be nice for the devices to be able to prove to each other they really are “this one.”
• How do we do that?
• How about if I send you a secret only you can read and you prove to me you could read it?
• That’s the essence of a Challenge-Response Protocol
• Alice sends Bob a challenge only he can read.
• Bob responds showing he could read it
Use Cases: Challenge-Response Protocols
• One type of authentication protocol
• Often uses public-key cryptography
• They’re well-studied
– You find them in textbooks, web browsers, …
• Applying the KISSS Principle, let’s pick one off the shelf and gently modify it to suit our needs
– We picked SSL, found in every web browser
• Let’s also pick the most-efficient public-key algorithms to hold down costs
– We picked NTRUEncrypt, because it’s the most efficient.
– More about NTRUEncrypt later!
Use Cases: My Secure Piconet
• PNC and device now can tell if they’re talking to the right one.
• But how do I know they’re still talking to the right one?
Use Cases: Integrity Protection
• Once authentication is finished, any device can come along and pretend to be either the PNC or the device
• How did the PNC know it was the right device?
• It sent a challenge, which the device proved it knew.
• So the device can just go on proving it still knows the challenge
• That’s the essence of a Message Authentication Code (MAC)
– Let’s just call it an Integrity Code (IC) so we don’t get confused
• Applying the KISSS Principle, let’s pick one off the shelf and use it.
– We picked Triple-DES because it’s the most studied block cipher in the world and the most area efficient for these data rates
Use Cases: My Secure Piconet
• PNC and device now can tell if they started talking to the right one.
• Now they can also tell if they’re still talking to the right one
• All PNC-DEV commands protected with a unique integrity key only they share
• All piconet data protected with a shared integrity key everyone in the piconet knows
• But I don’t want other devices to hear my data traffic
– 1394 protects me in this way
Use Cases: Bulk Data Encryption
• Anyone with a radio can hear all my data traffic
• How do I keep it secret?
• Use a symmetric cipher
– Note: Not public-key! Symmetric ciphers are more efficient once we already share challenges
• Applying the KISSS Principle, let’s pick one off the shelf and use it
– We picked Triple-DES because it’s the most studied block cipher in the world and the most area efficient for these data rates
• Hey, wait, haven’t I heard that line before?
Use Cases: Triple-DES
• You can use the same gates to implement encryption as well as integrity.
– Or you can use different algorithms for encryption and integrity
• The KISSS Principle tells us that’s the thing to do
• Synthesized with LeonardoSpectrum, you’ll need exactly 9796 gates.
• Throughput is 2 bits/cycle for both encryption and integrity
• To hit 55 Mbps, a 30 MHz clock is fine
• Crypto-esoterica tells us we should encrypt first and then do integrity…
Use Cases: My Secure Piconet
• PNC and device now can tell if they started talking to the right one.
• They can also tell if they’re still talking to the right one
• Now outsiders can’t hear my data traffic
• But how do devices get piconet-wide keys?
Use Cases: Piconet-wide Key Distribution
• How do devices get piconet-wide keys?
• Well, how do they get piconet-wide guaranteed time slots?
• The PNC allocates time slots, so applying the KISSS Principle, let it generate and distribute keys
Use Cases: What if a Device Joins or Leaves?
• Change the piconet keys
• But how do I ensure only devices I want get the new keys?
• PNC already shares unique keys with each device, so send the piconet-wide keys to each encrypted with their unique key
What About PNC Handover?
• We’ve got two options
– A device explicitly establishes trust (if it hadn’t already done so) with the new PNC
  • Could disrupt the piconet if some devices need user intervention!
– A device trusts the new PNC because the old PNC trusts it
  • No disruption, but problematic
• Since this is a PERSONAL Area Networking standard, it’s likely the DEV, the old PNC, and the new PNC will be trusting the same user
• So let the user decide!
• If I’m facilitating trust for all these devices, I don’t care who the PNC is. Let it hand off.
• If I’m not facilitating this trust, I’d rather my devices ask before associating to a new PNC.
What Does a Device Need to Know?
• A device has a public/private key pair, installed at provisioning time.
• An authenticated device shares a unique DEK and DIK with the PNC agreed on during the authentication process
• An authenticated device shares a different DEK and DIK with the rest of the piconet.
What Does a Device Need to Know?
• A device keeps a table (access control list) of the other DEVs with which it has a trust relationship
• A simple device only needs one entry: the PNC!
• The public key itself need not be stored
• The PNC will need storage for each associated DEV
• Ideally, we’d like to put this in EEPROM
– When the electricity goes out, I don’t want to have to reintroduce every device to the PNC
ACL entry fields (from the slide’s figure): Device ID | Hash of Public Key & ID | DEV or SM | Shared Keys & SSID | Sequence Numbers
What Does a Device Need to Know?
• Each device keeps some data about the current group keys
• If the beacon has the same SSID and a greater time token, the time token is updated and the key is valid for that superframe
• If the PNC ID and the PNC ID in the beacon are different, a new device is now PNC and the device attempts to authenticate to the new PNC
Group-key record fields (from the slide’s figure): PNC ID | SSID | Shared Keys | Last Trusted Time Token | Valid in this superframe? | PNC ID in Beacon
How Do We Protect the Beacon?
• The beacon includes a Security Session ID (SSID) so devices know which piconet-wide key is in use
• Beacon also includes a Time Token. It’s really a beacon counter to be used in all messages to prevent replay of messages in future superframes.
• We use a message authentication code, or MAC. Let’s call it an integrity code.
• The integrity code prevents an outside attacker from modifying data in the beacon.
Beacon layout (from the slide’s figure): Beacon Header | Current SSID | Time Token | Integrity Code
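As an added illustration (not code from the NTRU proposal or the 802.15.3 draft) of the beacon checks on this slide and the group-key record on the previous one: a DEV-side record that verifies the beacon’s integrity code, refuses a replayed or stale time token, and notices a PNC change. The field widths and the use of truncated HMAC-SHA256 in place of the deck’s Triple-DES integrity code are assumptions made for the example.

```python
import hashlib
import hmac
import struct

BEACON_FIELDS = ">HHI"  # PNC ID, SSID, time token (constructed widths)


def integrity_code(dik, data):
    # Stand-in for the deck's Triple-DES integrity code (assumption): truncated HMAC-SHA256
    return hmac.new(dik, data, hashlib.sha256).digest()[:8]


def build_beacon(pnc_id, ssid, time_token, group_dik):
    # PNC side: header fields followed by the integrity code over them
    header = struct.pack(BEACON_FIELDS, pnc_id, ssid, time_token)
    return header + integrity_code(group_dik, header)


class GroupKeyRecord:
    """What a DEV keeps about the current group keys (the slide's table)."""

    def __init__(self, pnc_id, ssid, group_dik):
        self.pnc_id = pnc_id
        self.ssid = ssid
        self.group_dik = group_dik
        self.last_trusted_time_token = 0
        self.valid_this_superframe = False

    def process_beacon(self, beacon):
        self.valid_this_superframe = False  # stays False unless every check passes
        if len(beacon) != struct.calcsize(BEACON_FIELDS) + 8:
            return "malformed"
        header, ic = beacon[:-8], beacon[-8:]
        pnc_id, ssid, time_token = struct.unpack(BEACON_FIELDS, header)
        if pnc_id != self.pnc_id:
            return "new PNC: authenticate to it"  # a new device is now PNC
        if ssid != self.ssid:
            return "unknown SSID: need the new group key"
        if not hmac.compare_digest(ic, integrity_code(self.group_dik, header)):
            return "bad integrity code"  # outsider modified the beacon
        if time_token <= self.last_trusted_time_token:
            return "replayed or stale time token"  # replay from an earlier superframe
        self.last_trusted_time_token = time_token
        self.valid_this_superframe = True
        return "valid"
```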
How Do We Protect Commands?
• 802.1x was broken due to failure to protect commands!
• Commands are protected independently from each other.
• Commands include the current SSID and time token that were sent in the protected beacon for group related commands.
• Commands also include the counter from the peer relationship for key management commands.
Command layout (from the slide’s figure): Command Header | Current SSID | Time Token | Counter | IV | Encrypted Command Data | Integrity Code
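Added example, not the proposal’s own code, of the command protection above combined with the per-device key wrapping from the “What if a Device Joins or Leaves?” slide: encrypt first, then compute the integrity code over header and ciphertext, check the code before decrypting, and reject a stale time token or a reused peer counter. The field widths and the HMAC-based stand-ins for the deck’s Triple-DES encryption and integrity code are assumptions.

```python
import hashlib
import hmac
import os
import struct

HEADER = ">HII"  # SSID, time token, per-relationship counter (constructed widths)
HEADER_LEN = struct.calcsize(HEADER) + 8  # plus an 8-byte IV


def integrity_code(dik, data):
    # Stand-in for the deck's Triple-DES integrity code (assumption): truncated HMAC-SHA256
    return hmac.new(dik, data, hashlib.sha256).digest()[:8]


def keystream_xor(dek, iv, data):
    # Stand-in for the deck's Triple-DES encryption (assumption): a keystream derived
    # per 32-byte block from HMAC(DEK, IV || block index), XORed over the data.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(dek, iv + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def protect_command(dek, dik, ssid, time_token, counter, plaintext):
    """Encrypt first, then compute the integrity code over header and ciphertext."""
    iv = os.urandom(8)
    header = struct.pack(HEADER, ssid, time_token, counter) + iv
    frame = header + keystream_xor(dek, iv, plaintext)
    return frame + integrity_code(dik, frame)


def open_command(dek, dik, expected_ssid, current_time_token, last_counter, frame):
    """Return (counter, plaintext), or None if any check fails. IC is checked first."""
    if len(frame) < HEADER_LEN + 8:
        return None
    body, ic = frame[:-8], frame[-8:]
    if not hmac.compare_digest(ic, integrity_code(dik, body)):
        return None  # modified, or built under another device's key
    ssid, time_token, counter = struct.unpack(HEADER, body[:struct.calcsize(HEADER)])
    iv = body[struct.calcsize(HEADER):HEADER_LEN]
    if ssid != expected_ssid or time_token < current_time_token or counter <= last_counter:
        return None  # wrong session, replay from an old superframe, or reused counter
    return counter, keystream_xor(dek, iv, body[HEADER_LEN:])


def distribute_group_keys(device_keys, ssid, time_token, counters):
    """PNC side on join/leave: fresh piconet-wide keys, wrapped for each DEV under
    that DEV's unique keys. device_keys: id -> (DEK, DIK); counters: id -> last used."""
    new_group = os.urandom(16) + os.urandom(16)  # new group DEK || DIK (constructed)
    frames = {}
    for dev_id, (dek, dik) in device_keys.items():
        counters[dev_id] += 1
        frames[dev_id] = protect_command(dek, dik, ssid, time_token, counters[dev_id], new_group)
    return new_group, frames
```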
The NTRU Hard Problem
The hard problem underlying NTRU is the Shortest Vector Problem in lattices of high dimension.

System   Hard Problem                   Best Solution Method
NTRU     Short vector problem           LLL lattice reduction
RSA      Integer factorization          Number field sieve
ECC      Elliptic curve discrete log    Pollard rho
DH       Discrete logarithm             Index calculus

Best Known Methods to Break:
• NTRU and ECC are exponential (very slow)
• RSA and DH are subexponential (faster)
Brief History of Lattice Problems
• Lattices, the SVP, and the CVP have been extensively studied for more than 100 years (Hermite 1870s, Minkowski 1890s,…).
• Best computational tool was developed by Lenstra, Lenstra, and Lovasz (LLL algorithm) in early 1980s.
• Improvements to LLL are due to Schnorr, Euchner, Horner, Koy, and others.
• Algorithms to find small vectors in lattices have been extensively studied because they have applications to many areas outside of cryptography, including physics, combinatorics, number theory, computer algebra,….
• Contrast this with integer factorization (RSA) and elliptic curve discrete logarithms (ECC), where the only applications are to cryptography.
NTRU Security
Cryptographic System   Key/Block Size (bits)   Processing Time (MIPS-years)
RSA                    512                     1 × 10^4
NTRU                   834 (N = 139)           1 × 10^4
DES                    56                      5 × 10^5
RSA                    1024                    8 × 10^9
NTRU                   1757 (N = 251)          5 × 10^10
ECC                    ~1000 (p = 163)         7 × 10^11
RSA                    2048                    1 × 10^20
NTRU                   2429 (N = 347)          2 × 10^21
AES                    128                     2 × 10^27

NOTE: 4 × 10^3 MIPS-years = c. 1 year on a 450 MHz Pentium
Scrutiny and Standardization
Scrutiny
• NTRUEncrypt has been widely studied since it was first announced in 1996
– Papers on NTRU techniques appear at every major cryptography conference
– Nguyen and Stern (CaLC-2001): “this makes NTRU the leading candidate among knapsack-based and lattice-based cryptosystems, and allows high dimension lattices.”
– Micciancio (IMAP 2002) observed that NTRU lattices are in Hermite Normal Form, the most secure form for a general lattice
• NTRU encourages peer review
– Challenge problems
– Support to Crypto community (CaLC conference, etc)
NTRU Standardization work
• IEEE P1363
– Draft of P1363.1 available on IEEE P1363 WG web site with NTRUEncrypt included
– Vote on permanently including NTRUEncrypt passed at May 2001 meeting
• Consortium for Efficient Embedded Security (CEES)
– Draft of EESS #1 standardizing NTRUEncrypt currently available from http://www.ceesstandards.org
– Drafts include complete specification, encodings, certificate formats, etc.
• VHN (Versatile Home Networking)
– NTRU included in EIA/CEA-851
NTRU Standardization work
• IETF
– TLS: NTRU ciphersuites proposed May 2001. Expected to proceed to Informational RFC.
– PKIX: “Supplemental Algorithms for PKI” Internet Draft, edited by NTRU, includes NTRUEncrypt
  • Also includes new US Government algorithms: DSA2, SHA-256…
• WAP
– NTRU active participants in WSG
Performance on a Microcontroller
• Speakers will have an 8051 if they’re lucky
• Microcontrollers vary widely, so here are three implementations of NTRUEncrypt:

Architecture   Internal Clock   Enc. Time   Dec. Time   RAM
8 bits         2.66 MHz         42.6 ms     60.0 ms     841 bytes
8 bits         3.4 MHz          41.3 ms     65.9 ms     841 bytes
16 bits        1 MHz            65 ms       119 ms      841 bytes
Comparison on a Microcontroller
• For comparison, the top microcontroller has a 50,000 gate RSA/ECC coprocessor
• 028r3-TG3-Coding-Criteria.ppt gives the following cost/power guidance:
– In 0.18 micron technology, 100,000 gates cost 20 cents
– Power is dissipated at a rate of 0.018 mW/(MHz*kgates)

Algorithm   Gate Count   Gate Cost ($)   Gate Power   Time
NTRU        *            *               *            60 msec
RSA         50,000       .10             2.4 mW       420 msec
ECC         50,000       .10             2.4 mW       160 msec

* This is a software implementation of NTRUEncrypt and so requires no additional gates beyond the microcontroller
Comparison in Hardware
• What if you need NTRUEncrypt in hardware?
• This is a complete implementation, including SHA-1

Algorithm   Gate Count   Gate Cost ($)   Gate Power   Time
NTRU        20,000       .04             0.96 mW      20 msec
RSA         50,000       .10             2.4 mW       420 msec
ECC         50,000       .10             2.4 mW       160 msec
Summary
• Our proposal:
– Fulfills the requirements set out:
  • Security Goal #1: Only devices I want can join my network
  • Security Goal #2: Only devices I want can read my data
  • Security Goal #3: Only devices I want can send data
– Respects network design principles
– Keeps to the KISSS Principle
– Reduces cost for manufacturers
– Reduces complexity for implementers
– Enables deployment of the widest range of devices
– Is simple, complete and secure.