1 PHILIPS RESEARCH
Oscar Garcia-Morchon ETSI Security Week June 14th 2016
Securing IoT
1
2 PHILIPS RESEARCH
Internet of Things Some use cases and features
• Robust architecture • Small packets • Private data • Low power
• Constrained links • Device to device • Large network • Low power • Long-term
• Identify devices • Low power • Robust • Speed
3 PHILIPS RESEARCH
Abstracting
Device 1
Server 1
Device 2
Server 2
Device d
Server s
Device 3
4 PHILIPS RESEARCH
Many Requirements
Energy efficiency Small and real-time
Simple operation Quantum secure
Device lifecycle
Manufacturing
Distribution
Installation
Operation
Re-configuration
End-of-life
5 PHILIPS RESEARCH
Many Requirements
Challenge: Efficient and scalable management of keys/credentials of devices
Small and real-time
Simple operation Quantum secure
Device lifecycle
Manufacturing
Distribution
Installation
Operation
Re-configuration
End-of-life
Energy efficiency
6 PHILIPS RESEARCH
Device Lifecycle and Security Needs
Device 1
Server 1
Device 2
Device d
Server s
Device 3
Root of trust
Root of trust
7 PHILIPS RESEARCH
Device Lifecycle and Security Needs
Device 1
Server 1
Device 2
Device d
Server s
Device 3
Root of trust
Root of trust
Network access
Manufacturing
Operation
Security infrastructure
8 PHILIPS RESEARCH
Device Lifecycle and Security Needs
Device 1
Server 1
Device 2
Device d
Server s
Device 3
Root of trust
Root of trust
Network access
Manufacturing
Operation
Security infrastructure Infrastructure • Out-of-band (secure manufacturing)
and in-band (Internet) provisioning • Efficient resistance to root capture • Long term security • Key escrow
9 PHILIPS RESEARCH
Device Lifecycle and Security Needs
Device 1
Server 1
Device 2
Device d
Server s
Device 3
Root of trust
Root of trust
Network access
Manufacturing
Operation
Security infrastructure
Network access • Backend authentication/authorization • Device authentication/authorization • Device identification/blacklisting • DoS prevention
Infrastructure • Out-of-band (secure manufacturing)
and in-band (Internet) provisioning • Efficient resistance to root capture • Long term security • Key escrow
10 PHILIPS RESEARCH
Device Lifecycle and Security Needs
Device 1
Server 1
Device 2
Device d
Server s
Device 3
Root of trust
Root of trust
Network access
Manufacturing
Operation
Security infrastructure
Network access • Backend authentication/authorization • Device authentication/authorization • Device identification/blacklisting • DoS prevention
Operation • Key agreement • Collusion resistance • Quantum resistance • Easy protocol integration • Forward security and key escrow • Credential verification, e.g., public-keys
Infrastructure • Out-of-band (secure manufacturing)
and in-band (Internet) provisioning • Efficient resistance to root capture • Long term security • Key escrow
11 PHILIPS RESEARCH
Options
KDC CA
PGK TTP
Configuration
Operation
12 PHILIPS RESEARCH
KDC CA
PGK TTP
Options Configuration
Operation
13 PHILIPS RESEARCH
HIMMO Efficient Collusion- and Quantum-Resistant Key Pre-Distribution Scheme
𝐼𝐷 𝐵
Configuration parameters
𝐼𝐷 𝐺𝐼𝐷(𝑥)
𝐾𝐴,𝐵 𝑆𝑒𝑐𝑟𝑒𝑡 𝑅(𝑥, 𝑦)
𝐾𝐵,𝐴
𝐸 𝐾𝐴,𝐵(𝑚)
𝐴
1) Setup 2) Keying material extraction 3) Operational protocol
TTP TTP
14 PHILIPS RESEARCH
HIMMO
• Efficient collusion- and quantum- resistant
• Easy protocol integration (TLS, MAC-layer level protocols, etc)
• Features – Identity-based – Multiple TTP support – Credential certification and verification – One-way key exchange and authentication in 30 Bytes
• Advantages – Very low overhead – Blacklisting feasible – Resilient TTP infrastructure – Out-of-the-box secure by factory configuration – Architectures able to support both forward secrecy and key escrow
𝑩 𝑨 TLS
15 PHILIPS RESEARCH
+ Information and Contest for Open Verification
www.himmo-scheme.com
16 PHILIPS RESEARCH
Conclusions
• The IoT covers a plethora of use cases with very diverse needs
• The key challenge: efficient and scalable management of keys/credentials of devices through their lifecycle
• HIMMO is an efficient collusion- and quantum-resistant key pre-distribution scheme overcoming this problem
17 PHILIPS RESEARCH
18 PHILIPS RESEARCH
[1] O. Garcia-Morchon, L. Tolhuizen, D. Gomez, and J. Gutierrez. Towards full collusion resistant ID-based establishment of pairwise keys. In Extended abstracts of the third Workshop on Mathematical Cryptology (WMC 2012) and the third international conference on Symbolic Computation and Cryptography (SCC 2012). Pages 30-36, 2012. [2] O. Garcia Morchon, Ronald Rietman, Igor E. Shparlinski, and Ludo Tolhuizen. Interpolation and approximation of polynomials in finite fields over a short interval from noisy values. Experimental mathematics, 23:241–260, 2014. [3] O. Garcia-Morchon, D. Gomez-Perez, J. Gutierrez, R. Rietman, and L. Tolhuizen. The MMO problem. In Proc. ISSAC’14, pages 186–193. ACM, 2014. [4] O. Garcia-Morchon, D. Gomez-Perez, J. Gutierrez , R. Rietman, B. Schoenmakers, and L. Tolhuizen,. HIMMO - A Lightweight, Fully Collusion Resistant Key-Pre-distribution Scheme. Cryptology ePrint Archive, Report 2014/698. [5] O. Garcia-Morchon, R. Rietman, S. Sharma, L. Tolhuizen, J.L., Torre-Arce. DTLS-HIMMO Efficiently Securing a Post-Quantum World with a Fully-Collusion Resistant KPS. In ESORICS 2015; also presented at NIST workshop on Cybersecurity in a Post-Quantum World, 2015. [6] O. Garcia-Morchon, R. Rietman, S. Sharma, L. Tolhuizen, J.L., Torre-Arce. A comprehensive and lightweight security architecture to secure the IoT throughout the lifecycle of a device based on HIMMO. In ALGOSENSORS 2015; also presented at NIST Lightweight Cryptography Workshop, 2015. [7] O. Garcia-Morchon, R. Rietman, I. Shparlinski, and L. Tolhuizen, "Results on polynomial interpolation with mixed modular operations and unknown moduli". IACR ePrint Archive, Report 2015-1003 [8] O. Garcia-Morchon, R. Rietman, L. Tolhuizen, J.L. Torre-Arce, M.S. Lee, D. Gomez-Perez, J. Gutierrez, B. Schoenmakers, "Attacks and parameter choices in HIMMO", ", IACR ePrint Archive, Report 2016-152 [9] O. Garcia-Morchon, R. Rietman, L. Tolhuizen, J.L. Torre-Arce, S. Bhattacharya and M. Bodlaender "Efficient quantum-resistant trust Infrastructure based on HIMMO", IACR ePrint Archive, Report 2016-410
Literature
19 PHILIPS RESEARCH
HI and MMO Problems
• Hiding Information (HI) problem [2]:
Let 𝒇 ∈ 𝒁 𝒙 of degree at most 𝜶, 𝒙𝒊 ∈ 𝒁 and 𝒚𝒊 = 𝒇(𝒙𝒊) 𝑵 𝒓 for
𝟎 ≤ 𝒊 ≤ 𝒄. Given 𝜶,𝑵, 𝒓, 𝒙𝟏, 𝒚𝟏 , … 𝒙𝒄, 𝒚𝒄 and 𝒙𝟎, find 𝒚𝟎 .
• Mixing Modular Operations (MMO) problem [3]: Let 𝒎 ≥ 𝟐 and 𝒈𝟏, … , 𝒈𝒎 ∈ 𝒁 𝒙 , all of degree at most 𝜶, let 𝒙𝒊 ∈ 𝒁
and 𝒚𝒊 = 𝒈𝒋(𝒙𝒊) 𝒒𝒋𝒎𝒋=𝟏 for 𝟎 ≤ 𝒊 ≤ 𝒄 . Given 𝜶,𝒎 𝒙𝟏, 𝒚𝟏 , … , (𝒙𝒄, 𝒚𝒄)
and 𝒙𝟎, find 𝒚𝟎 .
20 PHILIPS RESEARCH
Performance
Target security level (bits) 80 128
Identity size (B) 10 32
“Signature size” (B) 10 32
One-way key exchange (B) 20 75
One-way key exchange & entity authentication (B) 30 107
PC time (ms) 0.29 0.68
NXP 120 MHz time (ms) 18.45 41.37
Required Root Hermite factor 1.008 1.0056
Pre-processing running time for LLL (years) 75 639.65
Classical Quantum
21 PHILIPS RESEARCH
𝐴
𝐵
{𝐴𝑙𝑖𝑐𝑒, 1982}
𝐺𝐻𝑎𝑠ℎ(𝐴𝑙𝑖𝑐𝑒,1982)(𝑥) TTP
• 𝐾𝐵,𝐴 = 𝐺𝐵 𝐻𝑎𝑠ℎ 𝐴𝑙𝑖𝑐𝑒, 1982
• Decrypt and verify m (and implicitly, information)
𝐻𝑎𝑠ℎ 𝐴𝑙𝑖𝑐𝑒, 1982 , 𝐴𝐸 𝐾𝐴,𝐵(𝑚| 𝐴𝑙𝑖𝑐𝑒, 1982 ) 𝐴
1) Certification
2) Verification
Certification and verification of information
22 PHILIPS RESEARCH
• Trusted: never rely on a single authority, what if hacked or monitoring
• Efficient : same overhead as a single TTP scheme
• Key escrow: IFF agreement by all TTPs
A
A
𝐺𝐴,1(𝑥)
TTP 1 TTP 2
A 𝐺𝐴,2(𝑥)
TTP 1
Supporting multiple TTPs
23 PHILIPS RESEARCH
• Problems
– Whole system/network depends on a single master key
– Credential management for millions of devices
• HIMMO key shares instead of a common secret
– Quantum- and collusion-resistant
– No overhead
– Straightforward integration
– Blacklisting feasible
– Out-of-the-box secure by factory configuration
Device 1
Device 2
Device d
Device 3
Secure Device-to-Device Communication
24 PHILIPS RESEARCH
• Problems in (D)TLS
– Non-PSK modes are resource-hungry and PSK does not scale
– All cipher suites in (D)TLS (except PSK) are not quantum-resistant
– Certification authority compromised huge problem
• HIMMO can be easily integrated into (D)TLS-PSK mode by exchanging HIMMO identities in two parameters of DTLS-PSK
End-to-end secure communication
Client Server
*ServerKeyExchange (PSK identity hint = HIMMO fields)
ClientKeyExchange (Key hint = HIMMO fields), Finish
HIMMO key HIMMO credential verification
HIMMO key HIMMO credential verification
Finish
25 PHILIPS RESEARCH
HIMMO-based trust infrastructure (IoT and beyond)
• We can even – Use HIMMO to authenticate public-keys: Public-keys are “signed” by several TTPs – Use public-key to securely distribute HIMMO keying material to a node
• Features – Extremely efficient public-key verification – Resilient TTP infrastructure – Supports forward secrecy and key escrow – Excellent performance independent of TTP number – Handshake modification enables encrypted exchange of credentials