The School of Electrical Engineering and Computer Science (EECS)

CS/ECE Advanced Network Security

Dr. Attila Altay Yavuz

Topic 1.2 Course and Project Overview (2)

Fall 2014


OSU EECS

Growing complexity of the in-car software, 3rd party SW integration

Attackers are becoming more professional, using more advanced methods

Tuning protection and avoidance of unjustified guarantee claims are a strong driver

escar 2011 - A Hardware Security Module for ECUs

Intra-car Communication Security

[Figure labels: HMI, Internet, ECU, ECU, ECU, CE-Device, Tester]

• Attack surface is growing
– Car networks get connected to the internet
– CE-Devices are connected to the car networks
– Network access hard- and software is now cheap (e.g. Bluetooth – CAN)


• Real Attacks on Modern Automobile Systems:

• Comprehensive Experimental Analyses of Automotive Attack Surfaces. Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno. USENIX Security, August 10–12, 2011.
– Not only internal access, but CD players, Bluetooth, multi-media systems enable attacks
– A media player playing a modified WMA music file did the job!
– Lots of remote exploits

• Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars. Aurelien Francillon, Boris Danev, and Srdjan Capkun. Network and Distributed System Security Symposium (NDSS), 2011

• Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study. Ishtiaq Rouf, Rob Miller, Hossen Mustafa, Travis Taylor, Sangho Oh, Wenyuan Xu, Marco Gruteser, Wade Trappe, and Ivan Seskar. USENIX conference on Security, 2010
– Listing internal components from 40 meters away!
– Play with tire-pressure system, stop and ambush drivers


Secure Inter-ECU Communication

Secure ECU Communication in Car

• Scenario: Communication among Electrical Control Units (ECUs) on internal vehicle systems

– Bus system: CAN, FlexRay (Ethernet)

• Malicious falsification of messages

– Infected control units, or an interceptor on the bus, send corrupted messages to adversely influence the recipient

• Why? – No authentication and/or integrity mechanism is used in intra-car systems!


• Challenges:

• Ultra Limited Bandwidth
– We have 16 bits (or 24 bits) allocated for security purposes

• Limited Memory, little space for crypto keys
– Keys must be renewed (re-transmitted)
– Time and synchronization issues, packet loss

• PKC crypto not feasible as is

• Safety versus Security
– Safety is the priority for the auto industry, no one will change any standard easily
– Interpret security as a safety concern with malicious intent


• Proposal:

• Use of different Message Authentication Codes with Truncation
– A 128-bit HMAC can be truncated down to 32 bits with no extra security loss
• 2^32 guaranteed.
– Can we do better than this?

• Universal Message Authentication Codes (UMACs) are algebraic one-time/multiple-time MACs
– They are faster than traditional MACs under certain assumptions

• Strategy is to identify suitable UMACs, investigate them under truncation and set up a key management method
– Why key management?
• UMACs require key synchronization and renewal!


• UMAC is itself two times faster than CMAC on ARM

• But key set up phase of UMAC is pretty slow

• Perform key setup beforehand, and use pre-computed keys. This enables fast computation with a memory trade-off

• If memory is a constraint, CMAC is a better choice

• If speed is more important and we can tolerate the storage, UMACs are fast. We can pre-compute keys in idle times and use them for a fast real-time computation

• Storing/transmitting a different key for each message is impractical


• Use crypto PRNGs: Signer and verifier share seed (root) key $sk=(a,b)$, and for each message $m_j$, a new key is derived from the previous key as $sk_j \leftarrow \mathrm{CPRNG}(sk_{j-1})$
– Not unconditionally secure anymore, at most as secure as CPRNG
– Requires synchronization between the signer and receivers

• Optional, evolution of UMACs from a formal perspective
– (i) Wegman-Carter, M is hashed to a short digest via a universal hash function indexed by a secret key. Resulting value is OTP encrypted.
– (ii) Brassard replaces OTP with a PRF along with a random nonce.
– (iii) Apply PRF directly to the hash result.
– (iv) Derive UMAC key from a short key (as above),
– (v) Reuse keys for some messages. Many UMACs use this approach, and it is problematic
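The key-evolution idea above, with a 32-bit truncated tag and recovery from lost frames, as an added example that is not part of the original slides. It goes beyond the slide by adding a receiver look-ahead window for resynchronization. Assumptions: HMAC-SHA256 stands in for the CPRNG, the one-time polynomial MAC works over the prime field 2^61 - 1 rather than GF(2^n), and `Sender`, `Receiver`, `WINDOW` and the sample frames are hypothetical, constructed names and data.

```python
import hashlib
import hmac

P = (1 << 61) - 1   # prime modulus: an assumption, the slides work in GF(2^n)
TAG_BITS = 32       # truncated tag length discussed on the slides
WINDOW = 8          # hypothetical look-ahead for lost frames

def evolve(sk: bytes) -> bytes:
    """sk_j <- CPRNG(sk_{j-1}); HMAC-SHA256 stands in for the CPRNG."""
    return hmac.new(sk, b"evolve", hashlib.sha256).digest()

def poly_tag(sk: bytes, msg: bytes) -> bytes:
    """One-time polynomial MAC under sk = (a, b), truncated to TAG_BITS."""
    a = int.from_bytes(sk[:8], "big") % P
    b = int.from_bytes(sk[8:16], "big") % P
    acc = 0
    for i in range(0, len(msg), 7):
        # 7-byte block plus a 0x01 length marker, so every block is < 2^57
        block = int.from_bytes(msg[i:i + 7] + b"\x01", "little")
        acc = (acc + block) * a % P          # Horner evaluation at point a
    tag = ((acc + b) % P) & ((1 << TAG_BITS) - 1)
    return tag.to_bytes(TAG_BITS // 8, "big")

class Sender:
    def __init__(self, seed: bytes):
        self.sk = seed
    def send(self, msg: bytes):
        frame = (msg, poly_tag(self.sk, msg))
        self.sk = evolve(self.sk)            # a key authenticates one message only
        return frame

class Receiver:
    def __init__(self, seed: bytes):
        self.sk = seed
    def receive(self, msg: bytes, tag: bytes) -> bool:
        sk = self.sk
        # Each key tried is one more chance for a forged 32-bit tag to match,
        # so the window must stay small.
        for _ in range(WINDOW + 1):
            if hmac.compare_digest(poly_tag(sk, msg), tag):
                self.sk = evolve(sk)         # commit: skips lost frames, rejects replays
                return True
            sk = evolve(sk)
        return False

def demo() -> list:
    seed = hashlib.sha256(b"constructed demo seed").digest()
    tx, rx = Sender(seed), Receiver(seed)
    f0, f1, f2 = (tx.send(m) for m in (b"\x01\x10brake", b"\x01\x11steer", b"\x01\x12speed"))
    # f1 is lost in transit; f2 is then replayed, and f1 finally arrives late
    return [rx.receive(*f0), rx.receive(*f2), rx.receive(*f2), rx.receive(*f1)]
```

A receiver that falls more than `WINDOW` keys behind rejects every later frame, which is why the project also needs a key re-establishment step.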


Some Important UMACs

• Polynomial UMACs (e.g., [1]): (k,k’) are n-bit keys, messages with l=t*n bits. Split message x into t blocks, work on GF(2^{n})

• Square Hash [2]:

• MMH [3]:

• There are many more: NMH family (e.g., [4]), WH [5], NH [6]

• Polynomial evaluation and message authentication [7] by Daniel J. Bernstein is a very fast UMAC


• Group Size: 1-2 student(s)

– Students considering security research, or Winter 2014: Applied crypto class

• Required Background:

– C/C++ or Java programming, or ability to use software packages from existing libraries

– Knowledge of cryptographic hash functions, MAC, block ciphers (AES), Pseudo Random

• 1) Identify a set of good UMACs

• 2) Implement selected UMACs (or obtain implementation)

• 3) Work on efficient key update mechanisms for UMACs

• 4) Understand Blundo polynomials to set up keys between ECUs

• 5) Report overall security architecture and scheme

• 6) Final report and presentation


Universal Message Authentication Code (UMAC)

References

• [1] Ted Krovetz. UMAC: Message Authentication Code using Universal Hashing, March 2006. RFC 4418, http://fastcrypto.org/umac/rfc4418.txt.
– Version for 2000, http://fastcrypto.org/umac/index00.html

• [2] M. Etzel, S. Patel, Z. Ramzan, “Square Hash: Fast Message Authentication via Optimized Universal Hash Functions,” Proc. Crypto’99, LNCS 1666, M. Wiener, Ed., Springer-Verlag, 1999, pp. 234–251.

• [3] S. Halevi, H. Krawczyk, “MMH: Software Message Authentication in the Gbit/second Rates,” Fast Software Encryption, LNCS 1267, E. Biham, Ed., Springer-Verlag, 1997, pp. 172–189.

• [4] M.N. Wegman, J.L. Carter, “New Hash Functions and their Use in Authentication and Set Equality,” Journal of Computer and System Sciences, Vol. 22, No. 3, 1981, pp. 265–279.

• [5] J.-P. Kaps, K. Yuksel, B. Sunar, “Energy Scalable Universal Hashing,” IEEE Trans. on Computers, Vol. 54, No. 12, 2005, pp. 1484–1495.

• [6] J. Black, S. Halevi, H. Krawczyk, T. Krovetz, P. Rogaway. “UMAC: Fast and Secure Message Authentication,” Proc. Crypto’99, LNCS 1666, M. Wiener, Ed., Springer-Verlag, 1999, pp. 216–233.

• [7] Daniel J. Bernstein, The Poly1305-AES message-authentication code

• [8] W. Nevelsteen and B. Preneel. Software performance of universal hash functions. In Proceedings of the 17th international conference on Theory and application of cryptographic techniques (EUROCRYPT'99), Springer-Verlag, 24-41.

• [9] H. Handschuh and B. Preneel. Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms. In Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology (CRYPTO 2008), Springer-Verlag, Berlin, 144-161.


Encryption Methods for Medical Systems

• Research Problem:

• Chaos-based encryption methods are proposed for medical systems
– They are claimed to be more "effective" (?) than traditional encryption methods

• The security of chaos-based methods is being criticized

• Security is dubious, but are they even that much more efficient than traditional encryption?

• Investigate this case!

• It is likely that their efficiency advantages do not justify the security loss

• Some papers:

1) An Efficient Medical Image Cryptosystem Based on Chaotic Maps

http://www.aicit.org/JDCTA/ppl/JDCTA%20Vol6%20No13%20Binder1_part29.pdf

2) Chaos Based Encryption System for Encrypting Electroencephalogram Signals, Journal of Medical Systems.

http://www.researchgate.net/publication/261736834_Chaos_based_encryption_system_for_encrypting_electroencephalogram_signals

The above paper discusses a C# based implementation

3) An efficient and secure medical image protection scheme based on chaotic maps.

http://www.ncbi.nlm.nih.gov/pubmed/23816172

4) A review paper on Chaos-based encryption

http://www.ripublication.com/irph/ijict_spl/ijictv4n2spl_14.pdf

5) http://www.intechopen.com/books/multimedia-a-multidisciplinary-approach-to-complex-issues/multimedia-security-a-survey-of-chaos-based-encryption-technology


• Group Size: 1-2 student(s)

• Required Background:

– C/C++ or Java programming, or ability to use software packages from existing libraries

– Knowledge on cryptographic hash functions, MAC, block ciphers (AES), Pseudo Random F.

• Work on implementation of the latest Chaos schemes

– Totally ok if you can obtain existing implementations

• Work on efficient AES implementations or ciphers such as

– Present Cipher Suite

– Humming Bird

• Compare efficiency, discuss security differences, analyze the claim, final report and presentation
