OUR ROAD TO IOT: SECURE DEVICE GRID
5 October 2015 Kresten Krab Thorup @drkrab Introduction IoT and SSL/TLS landscape Secure Device Grid design Lessons Learned ABOUT THE SPEAKER
Kresten Krab Thorup, Ph.D. Trifork CTO - since 1999 JAOO, QCon, YOW!, GOTO Conferences Language Hacker HOW TO REMOTE CONTROL YOUR IOT DEVICES? IOT REMOTE CONTROL
ACCESS Device/Mobile behind NAT
SECURITY Secure Traffic (Secrecy, Integrity) Authentication Privacy DESIGN #1
TRUSTED? GATEWAY MAN IN THE MIDDLE
FIREWALL FIREWALL
MOBILE DEVICE DESIGN #2
END-TO-END GATEWAY TRUST
FIREWALL FIREWALL
MOBILE DEVICE DESIGN #2
GATEWAY
PIN
PAIRING MOBILE DEVICE KEY EXCHANGE DESIGN #2
GATEWAY
Secure
MOBILE Authenticated DEVICE Private HOW TO SECURE THIS? PUBLIC KEY CRYPTOGRAPHY
I’m Home! Alice Bob
SecretKey SecretKey PublicKey PublicKey ENCRYPTION
Eve
ciphertext Alice Bob
encode(“I’m Home!”, PublicKey)
decode(ciphertext, SecretKey)
Only Bob can decode it SIGNING
Eve
signed Alice Bob
sign(“I’m Home!”, SecretKey)
verify(signed, PublicKey)
Only Alice could have created the signed message TRUST
Eve
Alice Bob
PublicKey PublicKey
sign(PublicKey, Carl sign(PublicKey, SecretKey) SecretKey) SSL/TLS SSL/TLS
Standardized approach to Public Key Crypto Public Key Infrastructure (CA’s) Standard Protocols 15+ years of history SSL/TLS
OpenSSL iOS ARM Android GATEWAY Broadcom Windows WinCE SSL/TLS WOES
Many platforms ⇒ weakest link defines level
PROBLEMS
Implementation errors / limitations
Protocol errors
Configuration/use errors NATIVE STACK LIMITATIONS
Client certificate capability Validate/control connection status? Who are you connected to? Support proper (modern) ciphers WELL KNOWN SSL/TLS BUGS
FREAK - downgrade to ‘export grade’ crypto POODLE - downgrade makes keys guessable HeartBleed (OpenSSL)- expose contents of server memory Logjam - Exploits standard config (DH) params Many individual implementation bugs
TLS VULNERABILITIES SSL VULNERABILITIES LESSON #1
IMPLEMENT UPGRADE OF SOFTWARE IN THE FIELD LESSON #2
OPENSSL IS A ATTACK TARGET BECAUSE IT IS POPULAR (Just like Windows) COMPLEXITY TLS COMPLEXITY
Creeps in as standards develop 15+ years backwards compatible ASN.1, X509 Certificates, Revocations, … Protocol negotiation (and renegotiations) Diversity of features available on platforms Diversity of configurations DIVERSITY
OpenSSL iOS ARM Android Broadcom Windows WinCE OUR TLS SOLUTION
OpenSSL OpenSSL OpenSSL OpenSSL OpenSSL OpenSSL OpenSSL ONE CONFIGURATION: TLS 1.2 ECC BrainPool P384 One cipher ECDH_ECDSA_AES LESSON #3
ANY SSL/TLS IMPLEMENTATION IS LARGE AND COMPLEX
(ARM JUST OPEN SOURCED A NEW STACK ‘mbed TLS’) A NEW START: GOING SMALL A NEW START: NACL (CURVE 25519)
Crypto library from Daniel Bernstein (of qmail fame) Used in ZeroMQ, Tor, SSH, HomeKit, AirPlay, Chrome/QUIC, countless open source tools.
“An attacker who spends a billion dollars on special- purpose chips to attack Curve25519, using the best attacks available today, has about 1 chance in 1027 of breaking Curve25519 after a year of computation.”
NACL: CRYPTO SIMPLIFIED
One way to do things ECC crypto (Curve25519) Stream cipher (Salsa20) SHA25 CurveCP: Control Protocol (like SSL/TLS) NACL: CRYPTO SIMPLIFIED
Multiple implementations NaCl, the original (compiles to ~30k ARM code) libsodium (with fast ASM for popular platforms) TweetNacl, compiles to 10k ARM code Java, .NET, JavaScript, … you name it. NACL: WHAT’S NOT THERE?
Key Management Certificate Chains / X509 / ASN.1 Protocol negotiation, downgrade, … Many ciphers, hashes, … RANDOM SOURCE LESSON #4
WHEN YOU CONTROL BOTH ENDS, CONSIDER SIMPLIFYING RANDOM
LESSON #5
RANDOMNESS IS HARD IN EMBEDDED DEVICES RANDOM IS HARD
Initialize when product is ‘installed’ at factory product’s public key entropy data file
Recent JEEP hack was lack of entropy Android also had a serious random bug in 2013 PRIVACY PRIVACY
GATEWAY
MOBILE DEVICE NEED-TO-KNOW
Gateway/router has no knowledge of peer identity — It only knows that they trust each other A break-in of cloud infrastructure does not compromise peers Individual peers being compromised will not compromise other peers. LESSON #6
SAVE ONLY WHAT’S NECESSARY (PRIVACY BY DESIGN) TRUST SCHEMES?
Establish trust by means of a 3rd party SMS 3rd party SSO Certificate authority Trust direct between devices TRUST
Alice Eve Bob
PublicKey PublicKey sign(PublicKey, Carl sign(PublicKey, SecretKey) SecretKey) sign(PublicKey, Carl2 sign(PublicKey, SecretKey) SecretKey) sign(PublicKey, Carl3 sign(PublicKey, SecretKey) SecretKey) TRUST
OTP OTP
Alice Bob
SecretKey SecretKey PublicKey PublicKey LESSON #7
AVOID CERTIFICATE AUTHORITIES (CA’S) WHEN POSSIBLE TRUST ON FIRST USE
SSH shows a fingerprint to verify on first use Our product you enter a PIN to verify the peer Henceforth, trust the holder of that key END-TO-END LIMITATIONS
Sometimes you want an OPEN API - Most web-enabled IOT devices do that
IFTTT (open programmable interation platform) - Holds on to all your credentials - Email, google, facebook, devices, … - Ideal targt for a hacker
Make this a special case, not the default. SUMMARY SUMMARY
SSL/TLS is more complex than you think CA’s introduce trust in 3rd parties Implement software upgrade Control both ends? Consider a simpler solution. Randomness is hard Remember (log/store) only what’s necessary our product securedevicegrid.com
Aarhus Copenhagen Zurich Amsterdam Berlin Budapest Buenos Aires Krakow Leeds London San Francisco Seattle Stockholm Kresten Krab Thorup [email protected] @drkrab
Aarhus Copenhagen Zurich Amsterdam Berlin Budapest Buenos Aires Krakow Leeds London San Francisco Seattle Stockholm