5 October 2015

OUR ROAD TO IOT: SECURE DEVICE GRID

Kresten Krab Thorup @drkrab

Introduction

IoT and SSL/TLS landscape

Secure Device Grid design

Lessons Learned

ABOUT THE SPEAKER

Kresten Krab Thorup, Ph.D.

Trifork CTO - since 1999

JAOO, QCon, YOW!, GOTO Conferences

Language Hacker

HOW TO REMOTE CONTROL YOUR IOT DEVICES?

IOT REMOTE CONTROL

ACCESS

Device/Mobile behind NAT

SECURITY

Secure Traffic (Secrecy, Integrity)

Authentication

Privacy

DESIGN #1

GATEWAY

MOBILE DEVICE

TRUSTED? MAN IN THE MIDDLE

FIREWALL FIREWALL

DESIGN #2

GATEWAY

MOBILE DEVICE

END-TO-END TRUST

FIREWALL FIREWALL

DESIGN #2

GATEWAY

MOBILE DEVICEPAIRING

KEY EXCHANGE

PIN

DESIGN #2

GATEWAY

MOBILE DEVICE

Secure

Authenticated

Private

HOW TO SECURE THIS?

PUBLIC KEY CRYPTOGRAPHY

SecretKey PublicKey

Alice BobI’m Home!

SecretKey PublicKey

ENCRYPTION

Alice Bobciphertext

encode(“I’m Home!”, PublicKey)

decode(ciphertext, SecretKey)

Only Bob can decode it

Eve

SIGNING

Alice Bobsigned

sign(“I’m Home!”, SecretKey)

verify(signed, PublicKey)

Only Alice could have created the signed message

Eve

TRUST

Alice Bob

Eve

Carl

PublicKey PublicKey

sign(PublicKey, SecretKey)

sign(PublicKey, SecretKey)

SSL/TLS

SSL/TLS

Standardized approach to Public Key Crypto

Public Key Infrastructure (CA’s)

Standard Protocols

15+ years of history

SSL/TLS

iOS

Android

Windows

OpenSSL

ARM

Broadcom

WinCE

GATEWAY

Many platforms ⇒ weakest link defines level

PROBLEMS

Implementation errors / limitations

Protocol errors

Configuration/use errors

SSL/TLS WOES

NATIVE STACK LIMITATIONS

Client certificate capability

Validate/control connection status?

Who are you connected to?

Support proper (modern) ciphers

WELL KNOWN SSL/TLS BUGS

FREAK - downgrade to ‘export grade’ crypto

POODLE - downgrade makes keys guessable

HeartBleed (OpenSSL)- expose contents of server memory

Logjam - Exploits standard config (DH) params

Many individual implementation bugs

TLS VULNERABILITIES

SSL VULNERABILITIES

LESSON #1

IMPLEMENT UPGRADE OF SOFTWARE IN THE FIELD

LESSON #2

OPENSSL IS A ATTACK TARGET BECAUSE IT IS POPULAR

(Just like Windows)

COMPLEXITY

TLS COMPLEXITY

Creeps in as standards develop

15+ years backwards compatible

ASN.1, X509 Certificates, Revocations, …

Protocol negotiation (and renegotiations)

Diversity of features available on platforms

Diversity of configurations

DIVERSITY

iOS

Android

Windows

OpenSSL

ARM

Broadcom

WinCE

OUR TLS SOLUTION

OpenSSL

OpenSSL

OpenSSL

OpenSSL

OpenSSL

OpenSSL

OpenSSLONE CONFIGURATION: TLS 1.2 ECC BrainPool P384One cipher ECDH_ECDSA_AES

LESSON #3

ANY SSL/TLS IMPLEMENTATION IS LARGE AND COMPLEX

(ARM JUST OPEN SOURCED A NEW STACK ‘mbed TLS’)

A NEW START:

GOING SMALL

A NEW START: NACL (CURVE 25519)

Crypto library from Daniel Bernstein (of qmail fame)

Used in ZeroMQ, Tor, SSH, HomeKit, AirPlay, Chrome/QUIC, countless open source tools.

“An attacker who spends a billion dollars on special-purpose chips to attack Curve25519, using the best attacks available today, has about 1 chance in 1027 of breaking Curve25519 after a year of computation.”

NACL: CRYPTO SIMPLIFIED

One way to do things

ECC crypto (Curve25519)

Stream cipher (Salsa20)

SHA25

CurveCP: Control Protocol (like SSL/TLS)

NACL: CRYPTO SIMPLIFIED

Multiple implementations

NaCl, the original (compiles to ~30k ARM code)

libsodium (with fast ASM for popular platforms)

TweetNacl, compiles to 10k ARM code

Java, .NET, JavaScript, … you name it.

NACL: WHAT’S NOT THERE?

Key Management

Certificate Chains / X509 / ASN.1

Protocol negotiation, downgrade, …

Many ciphers, hashes, …

RANDOM SOURCE

LESSON #4

WHEN YOU CONTROL BOTH ENDS, CONSIDER SIMPLIFYING

RANDOM

LESSON #5

RANDOMNESS IS HARD IN EMBEDDED DEVICES

RANDOM IS HARD

Initialize when product is ‘installed’ at factory

product’s public key

entropy data file

Recent JEEP hack was lack of entropy

Android also had a serious random bug in 2013

PRIVACY

PRIVACY

GATEWAY

MOBILE DEVICE

NEED-TO-KNOW

Gateway/router has no knowledge of peer identity — It only knows that they trust each other

A break-in of cloud infrastructure does not compromise peers

Individual peers being compromised will not compromise other peers.

LESSON #6

SAVE ONLY WHAT’S NECESSARY (PRIVACY BY DESIGN)

TRUST SCHEMES?

Establish trust by means of a 3rd party

SMS

3rd party SSO

Certificate authority

Trust direct between devices

TRUST

Alice BobEve

Carl

PublicKey PublicKey

sign(PublicKey, SecretKey)

sign(PublicKey, SecretKey)

Carl2sign(PublicKey, SecretKey)

sign(PublicKey, SecretKey)

Carl3sign(PublicKey, SecretKey)

sign(PublicKey, SecretKey)

TRUST

SecretKey PublicKey

Alice Bob

SecretKey PublicKey

OTPOTP

LESSON #7

AVOID CERTIFICATE AUTHORITIES (CA’S) WHEN POSSIBLE

TRUST ON FIRST USE

SSH shows a fingerprint to verify on first use

Our product you enter a PIN to verify the peer

Henceforth, trust the holder of that key

END-TO-END LIMITATIONS

Sometimes you want an OPEN API - Most web-enabled IOT devices do that

IFTTT (open programmable interation platform) - Holds on to all your credentials

- Email, google, facebook, devices, …

- Ideal targt for a hacker

Make this a special case, not the default.

SUMMARY

SUMMARY

SSL/TLS is more complex than you think

CA’s introduce trust in 3rd parties

Implement software upgrade

Control both ends? Consider a simpler solution.

Randomness is hard

Remember (log/store) only what’s necessary

Aarhus Copenhagen Zurich Amsterdam Berlin Budapest Buenos Aires Krakow Leeds London San Francisco Seattle Stockholm

our product securedevicegrid.com

Aarhus Copenhagen Zurich Amsterdam Berlin Budapest Buenos Aires Krakow Leeds London San Francisco Seattle Stockholm

Kresten Krab Thorup krab@trifork.com

@drkrab