A Cryptographic Suite for Embedded Systems: SuiteE
6th ETSI Security Workshop, 19 - 20 January 2011, ETSI, Sophia Antipolis, France
Scott Vanstone, [email protected]
Matthew Campagna, [email protected]
Research in Motion
© ETSI 2010. All rights reserved
Agenda
- Motivation for a new cryptographic suite for embedded systems
- Proposed algorithms for Suite E
- Applicability to hardware
- Current status of these proposed standards
Evolution of Machine to Machine
- Increased number of wireless connected devices, automating and providing information about our environment.
- A natural center of an individual's personal area network is their smartphone.
  - Connecting personal area network to the mobile and traditional Internet.
- Cryptographic security services need to be designed for both the embedded and traditional environments.
- Embedding cryptographic techniques in hardware increases
  - Security
  - Performance
  - Battery life
SuiteE
- Building a cryptographic suite fit for embedded systems
  - Provide a full suite of standardized techniques
  - Select primitives that favor cost saving and performance benefits in hardware
  - Select primitives that are computationally efficient
  - Select algorithms and techniques that reduce memory requirement
  - Select protocols that minimize bandwidth
- Targeting emerging IPv6 over Low-power personal area networking
  - IETF 6lowpan does not include IPSec
  - Based on IEEE 802.15.4 Wireless Personal Area Networking
Proposed Suite E
- AES-C(G)CM
  - Implemented in hardware on many IEEE 802.15.4
  - Only requires encrypt direction of AES engine
- ECC over binary fields
  - Finite field arithmetic operations XOR and SHIFTS, cheap to put in hardware.
  - Much more efficient in bandwidth, storage and computation than IFC or FFC
- ECPVS bandwidth savings over ECDSA, and offers additional security properties
- ECQV certificates highly compact
- ECMQV highly efficient key agreement scheme
- SHA2 / AES-MMO – hash functions
ZigBee Smart Energy
- ZigBee is a wireless mesh-networking standard based on the low-power IEEE 802.15.4 standard for wireless personal area networking.
  - Native packet size is 127 bytes.
    - Data payload from 96 - 112 bytes depending on mesh.
  - Uses AES-CCM to secure network and peer-to-peer traffic.
  - Low-powered devices, typically no greater than 16-bit, 24 MHz
- ZigBee Smart Energy profile requires authenticated key agreement to securely establish network and application keys.
  - Every device is manufactured with an ECQV certificate.
  - Performs an ECMQV key agreement to join the network and obtain application key.
  - Signs demand-response messages issued from utilities.
Elliptic Curve Cryptography
$$y - y_1 = \lambda (x - x_1), \qquad \lambda = \frac{y_2 - y_1}{x_2 - x_1} = \text{slope}$$
ECMQV
- Description: Elliptic curve variant of a Diffie-Hellman scheme
- Standardized: ANSI X9.63, IEEE 1363, SECG SEC 1, ZigBee Smart Energy 1.0, ISA SP100.11.
- Benefits:
  - Lower computational complexity
  - Reduction on bandwidth
  - High assurance FIPS implementation.
- Flexibility: Example IETF draft for TLS.
ECPVS
- Standardized: ANSI X9.92, IEEE 1363, SECG SEC 3

Signature Generation
Input: Elliptic curve parameters $T$, message $m \| r$, where $r$ satisfies a redundancy requirement, and private key $d_A$
Output: signed message $m, (c, s)$
- generate ephemeral key pair $(d, Q)$
- construct $k = \mathrm{KDF}(Q)$
- encrypt $c = E_k(r)$
- hash $e = H(c \| m)$
- calculate $s = e\,d_A + d \pmod{n}$
- return $m, (c, s)$
ECQV
- Description: Elliptic curve variant of certified public keys
- Standardized: ANSI NWI ballot, SECG SEC 4, ZigBee Smart Energy 1.0, ISA SP100.11.
- Benefits:
  - Much smaller certificate sizes.
  - Lower computational complexity
  - Loosens the collision resistance requirement on the underlying hash function*
  - Very fast for generating certified public keys. This is important when 100s of millions are required.
- Flexibility: Cross-over technology with ECQV Hybrid certificates.
ECQV
Parties: CA $(c, G_{CA})$ and A
- A: 1) Generate ephemeral key pair $(a, Q_A)$
- A → CA: $Q_A$
- CA: 2) Validate $Q_A$
- CA: 3) Generate key pair $(k, kG)$
- CA: 4) Compute $IC_A = Q_A + kG$
- CA: 5) Compute $s = H(IC_A \| ID_A)\,k + c \pmod{n}$
- CA → A: $s, (IC_A \| ID_A)$
- A: 6) Compute key pair: $e = H(IC_A \| ID_A)$, $d_A = e\,a + s \pmod{n}$, $G_A = e\,IC_A + G_{CA}$
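The six ECQV steps above, as an added example that is not code from the slides or from the SuiteE drafts. It assumes secp256k1 (a prime-field curve) in place of the binary-field curves the slides propose and SHA-256 as H; all function names are hypothetical.

```python
import hashlib
import secrets

# Assumptions: secp256k1 (y^2 = x^3 + 7, prime field), not a binary curve; H = SHA-256.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)

def add(p1, p2):
    """Chord-and-tangent point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P       # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(ic, identity):
    blob = b"".join(v.to_bytes(32, "big") for v in ic) + identity
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N

def ca_issue(c, q_a, identity):
    """Steps 2-5 at the CA: validate Q_A, return (IC_A, s)."""
    if q_a is None or (q_a[1] ** 2 - q_a[0] ** 3 - 7) % P:
        raise ValueError("Q_A is not a point on the curve")
    k = 1 + secrets.randbelow(N - 1)
    ic = add(q_a, mul(k, G))
    return ic, (h(ic, identity) * k + c) % N

def reconstruct(ic, identity, g_ca, a=None, s=None):
    """Step 6: anyone derives G_A; the holder of a and s also derives d_A."""
    e = h(ic, identity)
    d_a = (e * a + s) % N if a is not None else None
    return d_a, add(mul(e, ic), g_ca)
```

A relying party calls `reconstruct` with only $IC_A$, $ID_A$ and $G_{CA}$, which is why the certificate carries a single point and no signature.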
Applicability to hardware
- Components selected for hardware embedding
- AES C(G)CM only require AES encrypt direction
- Binary field operations easier to embed in hardware
  - Additions are XORs
  - Multiplications are shifts and XORs
- Existing hardware that can do both larger prime operations and fast binary field operations
  - Custom ASIC designs by Certicom and others
  - Intel's new Carry-less Multiplication instructions
- Computational energy can be less than the transmit-receive cycle energy used
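The binary-field arithmetic named in the bullets above, as an added example that is not from the slides: addition is a XOR, and multiplication is a loop of shifts and XORs with reduction. The field GF(2^163) with the NIST reduction polynomial and the function names are assumptions, since the slides name no specific field.

```python
# Assumption: GF(2^163) with reduction polynomial x^163 + x^7 + x^6 + x^3 + 1.
# Field elements are Python ints whose bits are the polynomial coefficients.
M = 163
POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1

def gf2_add(a, b):
    """Addition of polynomials over GF(2): a plain XOR, no carries."""
    return a ^ b

def gf2_mul(a, b, poly=POLY, m=M):
    """Shift-and-XOR multiplication with interleaved reduction mod poly."""
    acc = 0
    for _ in range(m):
        if b & 1:
            acc ^= a        # add the current multiple of a
        b >>= 1
        a <<= 1             # multiply a by x
        if (a >> m) & 1:
            a ^= poly       # reduce as soon as the degree reaches m
    return acc

def gf2_inv(a, poly=POLY, m=M):
    """Inverse via Fermat: a^(2^m - 2), built from squarings and multiplies."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^m)")
    result, sq = 1, a
    for _ in range(m - 1):
        sq = gf2_mul(sq, sq, poly, m)          # a^(2^i) for i = 1 .. m-1
        result = gf2_mul(result, sq, poly, m)  # product of those powers
    return result
```

The same routines work for any irreducible polynomial, for example `poly=0x11B, m=8` for the AES field.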
TLS ECQV-ECMQV Key Exchange
- Exchanged certificates are 72 bytes
- Largest packet size is 109 bytes
- Total exchange
  - Client sends 3 packets, 216 bytes
  - Server sends 4 packets, 220 bytes
  - Total exchange 7 packets, 436 bytes
- Average certificate size today for TLS is roughly 2,000 bytes
- These numbers are based on a 128 bit security level.
Resource and security comparison

| | ECQV ECMQV | ECMQV | ECDHE | ECDH |
|---|---|---|---|---|
| Key control security | √ | √ | √ | √ |
| Entity Authentication | √ | √ | √ | √ |
| Known-key security | √ | √ | √ | |
| Perfect forward security | √ | √ | √ | |
| Key-compromise impersonation | √ | √ | √ | |
| Unknown key-share security | √ | √ | √ | √ |
| En/Dec/Scalar Multiply | 5 | 3 | 2 | 2 |
| Signing | 0 | 0 | 2 | 0 |
| Signature sizes | 0 | 2*(512) | 4*(512) | 2*(512) |
| Verifications | 0 | 2 | 4 | 2 |
| Public keys | 4*(256) | 4*(256) | 4*(256) | 2*(256) |

Assumes 128-bit security level and TLS_ECDHE_ECDSA_XXX, TLS_ECQV_ECMQV_XXX
Steps ahead
- Standardized for ZigBee Smart Energy 1.x
- We proposed an IETF draft that defines SuiteE and seeks community input (co-authors).
  - http://tools.ietf.org/html/draft-campagna-suitee-00
- Standards being developed in the Standards for Efficient Cryptography Group (SECG) and ANSI X9
  - http://www.secg.org (open to all participants, proposals accepted)
  - http://www.x9.org (fee based participation)
- Interested parties invited to help shape these emerging standards
  - [email protected], [email protected]