A Cryptographic Suite for Embedded Systems - ETSI docbox

A Cryptographic Suite for Embedded Systems SuiteE

6th ETSI Security Workshop, 19 - 20 January 2011, ETSI, Sophia Antipolis, France

Scott Vanstone, [email protected]
Matthew Campagna, [email protected]
Research in Motion
© ETSI 2010. All rights reserved

Agenda
- Motivation for a new cryptographic suite for embedded systems
- Proposed algorithms for Suite E
- Applicability to hardware
- Current status of these proposed standards

Evolution of Machine to Machine
- Increased number of wirelessly connected devices, automating and providing information about our environment.
- A natural center of an individual's personal area network is their smartphone.
  - Connecting the personal area network to the mobile and traditional Internet.
- Cryptographic security services need to be designed for both the embedded and traditional environments.
- Embedding cryptographic techniques in hardware increases
  - Security
  - Performance
  - Battery life

SuiteE
- Building a cryptographic suite fit for embedded systems
  - Provide a full suite of standardized techniques
  - Select primitives that favor cost saving and performance benefits in hardware
  - Select primitives that are computationally efficient
  - Select algorithms and techniques that reduce memory requirement
  - Select protocols that minimize bandwidth
- Targeting emerging IPv6 over Low-power personal area networking
  - IETF 6lowpan does not include IPSec
  - Based on IEEE 802.15.4 Wireless Personal Area Networking

Proposed Suite E
- AES-C(G)CM
  - Implemented in hardware on many IEEE 802.15.4
  - Only requires encrypt direction of AES engine
- ECC over binary fields
  - Finite field arithmetic operations XOR and SHIFTS, cheap to put in hardware.
  - Much more efficient in bandwidth, storage and computation than IFC or FFC
- ECPVS bandwidth savings over ECDSA, and offers additional security properties
- ECQV certificates highly compact
- ECMQV highly efficient key agreement scheme
- SHA2 / AES-MMO – hash functions

ZigBee Smart Energy
- ZigBee is a wireless mesh-networking standard based on the low-power IEEE 802.15.4 standard for wireless personal area networking.
  - Native packet size is 127 bytes.
    - Data payload from 96 - 112 bytes depending on mesh.
  - Uses AES-CCM to secure network and peer-to-peer traffic.
  - Low-powered devices typically no greater than 16-bit, 24 MHz
- ZigBee Smart Energy profile requires authenticated key agreement to securely establish network and application keys.
  - Every device is manufactured with an ECQV certificate.
  - Performs an ECMQV key agreement to join the network and obtain application key.
  - Signs demand-response messages issued from utilities.

Elliptic Curve Cryptography

$y - y_1 = \lambda (x - x_1)$

$\lambda = \dfrac{y_2 - y_1}{x_2 - x_1} = \text{slope}$
ECMQV
- Description: Elliptic curve variant of a Diffie-Hellman scheme
- Standardized: ANSI X9.63, IEEE 1363, SECG SEC 1, ZigBee Smart Energy 1.0, ISA SP100.11.
- Benefits:
  - Lower computational complexity
  - Reduction on bandwidth
  - High assurance FIPS implementation.
- Flexibility: Example IETF draft for TLS.

ECPVS
Standardized: ANSI X9.92, IEEE 1363, SECG SEC 3

Signature Generation
Input: Elliptic curve parameters T, message m||r, where r satisfies a redundancy requirement, and private key dA
Output: signed message m, (c, s)
  generate ephemeral key pair (d, Q)
  construct k = KDF(Q)
  encrypt c = Ek(r)
  hash e = H(c||m)
  calculate s = edA + d (mod n)
  return m, (c, s)

ECQV
- Description: Elliptic curve variant of certified public keys
- Standardized: ANSI NWI ballot, SECG SEC 4, ZigBee Smart Energy 1.0, ISA SP100.11.
- Benefits:
  - Much smaller certificate sizes.
  - Lower computational complexity
  - Loosens the collision resistance requirement on the underlying hash function*
  - Very fast for generating certified public keys. This is important when 100s of millions are required.
- Flexibility: Cross-over technology with ECQV Hybrid certificates.

ECQV

Parties: CA, holding key pair (c, GCA), and A

A:
  1) Generate ephemeral key pair (a, QA)

A sends to CA: QA

CA:
  2) Validate QA
  3) Generate key pair (k, kG)
  4) Compute ICA = QA + kG
  5) Compute s = H(ICA||IDA)k + c (mod n)

CA sends to A: s, (ICA||IDA)

A:
  6) Compute key pair
     e = H(ICA||IDA)
     dA = ea + s (mod n)
     GA = eICA + GCA
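The ECQV issuance steps above, followed by an ECPVS signature made with the resulting key dA and recovered under the reconstructed public key GA, as an added example (not code from the slides or from any Suite E implementation). Assumptions: a toy prime-field curve with n = 19 instead of a Suite E binary curve, SHA-256 standing in for H and KDF, an XOR keystream standing in for Ek, and all function names.

```python
import hashlib

# Toy curve y^2 = x^3 + 2x + 2 over F_17, generator G of prime order n = 19.
# Assumption: textbook-sized prime-field curve, not a Suite E binary curve.
P, A, B, G, N = 17, 2, 2, (5, 1), 19

def add(p, q):                       # affine addition; None = point at infinity
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p == q
           else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, p):                       # double-and-add, scalar reduced mod n
    r = None
    for bit in bin(k % N)[2:]:
        r = add(r, r)
        if bit == "1": r = add(r, p)
    return r

def digest(*parts):                  # SHA-256 stands in for the suite's H and KDF
    return hashlib.sha256(repr(parts).encode()).digest()

def H(*parts):                       # hash to an integer mod n
    return int.from_bytes(digest(*parts), "big") % N

def ecqv_issue(c, QA, IDA, k):       # CA, steps 2-5: returns (s, ICA)
    if QA is None or (QA[1] ** 2 - QA[0] ** 3 - A * QA[0] - B) % P:
        raise ValueError("QA is not a valid curve point")
    ICA = add(QA, mul(k, G))
    return (H(ICA, IDA) * k + c) % N, ICA

def ecqv_keys(a, s, ICA, IDA, GCA):  # A, step 6: dA = ea + s, GA = e*ICA + GCA
    e = H(ICA, IDA)
    return (e * a + s) % N, add(mul(e, ICA), GCA)

def xor(data, Q):                    # toy Ek with k = KDF(Q); data up to 32 bytes
    return bytes(x ^ y for x, y in zip(data, digest("kdf", Q)))

def pvs_sign(dA, m, r, d):           # c = Ek(r), s = e*dA + d with e = H(c||m)
    c = xor(r, mul(d, G))
    return c, (H(c, m) * dA + d) % N

def pvs_recover(GA, m, c, s):        # Q = sG - e*GA, then r = Dk(c)
    Q = add(mul(s, G), mul(-H(c, m), GA))
    return xor(c, Q)
```

A verifier accepts only if the recovered r carries the expected redundancy; here that would be a fixed prefix chosen by the application.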
Applicability to hardware
- Components selected for hardware embedding
- AES C(G)CM only require AES encrypt direction
- Binary field operations easier to embed in hardware
  - Additions are XORs
  - Multiplications are shifts and XORs
- Existing hardware that can do both larger prime operations and fast binary field operations
  - Custom ASIC designs by Certicom and others
  - Intel's new Carry-less Multiplication instructions
- Computational energy can be less than the transmit-receive cycle energy used
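Binary field arithmetic built only from XORs and shifts, as an added example (not from the slides). It assumes the 163-bit field with reduction polynomial x^163 + x^7 + x^6 + x^3 + 1, which the slides do not name; the function names are illustrative.

```python
# Assumption: GF(2^163) with the NIST reduction polynomial
# f(x) = x^163 + x^7 + x^6 + x^3 + 1. Elements are ints whose bits are
# polynomial coefficients.
M = 163
F = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1

def gf_add(a, b):
    """Addition (and subtraction) is a single XOR: no carries."""
    return a ^ b

def clmul(a, b):
    """Carry-less multiply: for each set bit of b, XOR in a shifted copy of a."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def gf_reduce(r):
    """Reduce modulo f(x) by XORing shifted copies of f from the top bit down."""
    for i in range(r.bit_length() - 1, M - 1, -1):
        if (r >> i) & 1:
            r ^= F << (i - M)
    return r

def gf_mul(a, b):
    """Field multiplication: carry-less product, then reduction."""
    return gf_reduce(clmul(a, b))

def gf_inv(a):
    """Inverse as a^(2^M - 2), the product of a^(2^i) for i = 1 .. M-1."""
    r = 1
    for _ in range(M - 1):
        a = gf_mul(a, a)   # next power a^(2^i)
        r = gf_mul(r, a)
    return r
```

The `clmul` loop is the operation a carry-less multiplication instruction performs in hardware on fixed-width operands.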
TLS ECQV-ECMQV Key Exchange
- Exchanged certificates are 72 bytes
- Largest packet size is 109 bytes
- Total exchange
  - Client sends 3 packets, 216 bytes
  - Server sends 4 packets, 220 bytes
  - Total exchange 7 packets, 436 bytes
- Average certificate size today for TLS is roughly 2,000 bytes
- These numbers are based on a 128 bit security level.
Resource and security comparison

                                ECQV ECMQV   ECMQV      ECDHE      ECDH
Key control security
Entity Authentication
Known-key security
Perfect forward security
Key-compromise impersonation
Unknown key-share security
En/Dec/Scalar Multiply          5            3          2          2
Signing                         0            0          2          0
Signature sizes                 0            2*(512)    4*(512)    2*(512)
Verifications                   0            2          4          2
Public keys                     4*(256)      4*(256)    4*(256)    2*(256)

Assumes 128-bit security level and TLS_ECDHE_ECDSA_XXX, TLS_ECQV_ECMQV_XXX

Steps ahead
- Standardized for ZigBee Smart Energy 1.x
- We proposed an IETF draft that defines SuiteE and seeks community input (co-authors).
  - http://tools.ietf.org/html/draft-campagna-suitee-00
- Standards being developed in the Standards for Efficient Cryptography Group (SECG) and ANSI X9
  - http://www.secg.org (open to all participants, proposals accepted)
  - http://www.x9.org (fee based participation)
- Interested parties invited to help shape these emerging standards
  - [email protected], [email protected]