NXP SEMICONDUCTORS Alice and Bob in Wonderland A first glimpse in the world of security and cryptography
September 2018 Mario Lamberger Agenda
Introduction The Good The Bad The Ugly The Future
COMPANY PUBLIC Introduction About myself
MSc, PhD in technical mathematics, TU Graz Post-doc assistant at IAIK @ TU Graz – Java + network security, cryptography Habilitation in IT-Security @ IAIK/TU Graz 20+ publications in mathematics, cryptography, IT-security Principal Cryptographer and Security Assessment expert @ NXP – Joined 2011 – Works on crypto libraries, certification topics, analysis on random number generators – Lead of „NXP Security School“, trainings on cryptography, certification topics, implementation security Trained more than 2500 employees
THE GOOD
Security in general
Key security requirements
Confidentiality: Keeping secrets secret (business value of data, privacy – encryption is the technology of choice)
Integrity: Ensuring unmodified data transport & unmodified SW execution
Authenticity: Verifying identities for the source of data/SW, access control
Availability: Ensuring that services remain available (trusted operations)
[Figure: Alice and Bob exchanging “Hello World”, next to a “Fake” Alice and a “Fake” Bob]
CONFIDENTIALITY
Historic examples: This ... is ... Sparta!
Scytale:
– Oldest known military encryption scheme.
– It was used by the Spartans already 2500 years ago to encrypt messages.
– For encryption, a wooden cylinder with a certain diameter (acting as the key) was used.
The Scytale is a transposition cipher.
Alternative hypothesis: Message authentication
Historic examples: Alea iacta est!
Caesar cipher
– The Caesar cipher is named after Julius Caesar (100-40 B.C.).
– It was used for military correspondence.
– For encryption, the letters of the message were replaced by different letters of the same alphabet.
The Caesar cipher is a substitution cipher.
Other examples: – Vigenère cipher – Hill cipher – ...
Caesar cipher in our days...
Shift = 5
Cipher text: Ns hwduytlwfumd, f Hfjxfw hnumjw, fqxt pstbs fx Hfjxfw'x hnumjw, ymj xmnky hnumjw, Hfjxfw'x htij tw Hfjxfw xmnky, nx tsj tk ymj xnruqjxy fsi rtxy bnijqd pstbs jshwduynts yjhmsnvzjx. Ny nx f yduj tk xzgxynyzynts hnumjw ns bmnhm jfhm qjyyjw ns ymj uqfnsyjcy nx wjuqfhji gd f qjyyjw xtrj kncji szrgjw tk utxnyntsx itbs ymj fqumfgjy. Ktw jcfruqj, bnym f xmnky tk 3, F btzqi gj wjuqfhji gd I, G btzqi gjhtrj J, fsi xt ts. Ymj rjymti nx sfrji fkyjw Ozqnzx Hfjxfw, bmt zxji ny ns mnx uwnafyj htwwjxutsijshj.
Plain text: In cryptography, a Caesar cipher, also known as Caesar's cipher, the shift cipher, Caesar's code or Caesar shift, is one of the simplest and most widely known encryption techniques. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet. For example, with a shift of 3, A would be replaced by D, B would become E, and so on. The method is named after Julius Caesar, who used it in his private correspondence.
Symmetric Cryptography
Symmetric key information
Enc Dec
Important Features and Principles of Block Ciphers
n-bit block size, k-bit key
Kerckhoffs' principle:
– The attacker always knows the algorithm; the only information unknown to him/her is the key.
– DES (1976)
Brute force attack
– Basically, given P and C, try out all possible K
– Possible on every cipher
[Figure: Plaintext (P) and Key (K) enter the Cipher, Ciphertext (C) comes out]
Modern Encryption Practice: Block Ciphers
Practical version of block substitution cipher for fixed key
– Easy computation rule instead of huge table
[Table: $m_1 \to c_1$, $m_2 \to c_2$, $m_3 \to c_3$, $m_4 \to c_4$, ...]
Introduce computation rule to compute table elements: $T[m] = E_S(m, k)$
Goal is to design „good“ rule $E_S$
https://www.youtube.com/watch?v=mlzxpkdXP58
Performance, performance, performance...
AES instructions (Intel, ARM, NXP, ...)
Intel:
    PXOR       %xmm5,  %xmm0
    AESENC     %xmm6,  %xmm0
    AESENC     %xmm7,  %xmm0
    AESENC     %xmm8,  %xmm0
    AESENC     %xmm9,  %xmm0
    AESENC     %xmm10, %xmm0
    AESENC     %xmm11, %xmm0
    AESENC     %xmm12, %xmm0
    AESENC     %xmm13, %xmm0
    AESENC     %xmm14, %xmm0
    AESENCLAST %xmm15, %xmm0
AESENC takes 4 cycles, so 40 cycles for full AES (at 2GHz 800MB per second!)
Remember the brute-force attack from before?
– Above Intel PC: $5 \cdot 10^{7}$ encryptions per sec, $\approx 10^{23}$ years
– Computing power of Bitcoin network: $5 \cdot 10^{18}$ encryptions per sec, $2,158 \cdot 10^{12}$ = 2.158.000.000.000 years
– 13.799.000.000 years: age of our universe
Widely used block ciphers
Triple-DES – IBM + NSA – Based on DES (1976)
AES – V. Rijmen/J. Daemen
SM4 – Chinese cipher – Chinese wireless LAN cipher standard (WAPI)
How to encrypt large amounts of data ?
– Block by block: ECB
– Cipher block chaining: CBC
– Counter mode: CTR
[Figure: the sender processes the n-bit blocks $m_1, m_2, \ldots, m_t$ at points in time 1, 2, ..., t and sends $c_1, c_2, \ldots, c_t$ to the receiver. CBC chains the blocks starting from the IV; CTR encrypts Ctr block 1, Ctr block 2, ..., Ctr block t with $E_S$ under key $k$.]
CBC, sender: $c_i = E_S(c_{i-1} \oplus m_i, k)$, $i > 0$
CBC, receiver: $m_i = D_S(c_i, k) \oplus c_{i-1}$, $i > 0$
What would you prefer ?
CBC/CTR mode output
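The difference between the three modes on data with large uniform areas, as an added example (not part of the original slides). The block cipher here is a toy 4-round Feistel network built on SHA-256 that stands in for AES; the key, IV, nonce and the "image" are constructed sample values.

```python
import hashlib

BLOCK = 16  # n = 128-bit blocks, as in AES

def _f(half: bytes, k: bytes, rnd: int) -> bytes:
    # Round function of the toy cipher (assumption: SHA-256 based stand-in, not AES).
    return hashlib.sha256(k + bytes([rnd]) + half).digest()[:BLOCK // 2]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def E(m: bytes, k: bytes) -> bytes:
    """Toy block cipher E_S(m, k): 4-round Feistel network on one block."""
    left, right = m[:8], m[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(right, k, rnd))
    return left + right

def D(c: bytes, k: bytes) -> bytes:
    """Inverse D_S(c, k): undo the Feistel rounds in reverse order."""
    left, right = c[:8], c[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(left, k, rnd)), left
    return left + right

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt: bytes, k: bytes) -> bytes:
    # Block by block: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(E(m, k) for m in blocks(pt))

def cbc_encrypt(pt: bytes, k: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for m in blocks(pt):
        prev = E(_xor(prev, m), k)          # c_i = E_S(c_{i-1} xor m_i, k)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, k: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(D(c, k), prev))     # m_i = D_S(c_i, k) xor c_{i-1}
        prev = c
    return b"".join(out)

def ctr_crypt(data: bytes, k: bytes, nonce: bytes) -> bytes:
    # Encrypts and decrypts: block i is XORed with E_S(nonce || i, k).
    return b"".join(_xor(m, E(nonce + i.to_bytes(8, "big"), k))
                    for i, m in enumerate(blocks(data)))

def distinct_blocks(ct: bytes) -> int:
    return len(set(blocks(ct)))

# Constructed sample: a 64-block "image" with a black area and a white area.
KEY, IV, NONCE = bytes(range(16)), bytes(range(16, 32)), bytes(8)
IMAGE = (b"\x00" * BLOCK) * 40 + (b"\xff" * BLOCK) * 24

if __name__ == "__main__":
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(IMAGE, KEY)))
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(IMAGE, KEY, IV)))
    print("CTR distinct blocks:", distinct_blocks(ctr_crypt(IMAGE, KEY, NONCE)))
```

ECB leaves only two distinct ciphertext blocks, so the outline of the image survives encryption; CBC and CTR produce 64 different blocks.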
INTEGRITY
Cryptographic Hash Functions – Protecting Integrity
Analogy: digital fingerprints
NOT to be confused with:
– Hash tables in databases
Compression: Data of arbitrary length is mapped to a fixed length of $n$ bits (typical values: $n = 256$ bits)
Easy to compute: Hash functions should be very efficient!
Cryptographic properties:
– A hash function should be hard to invert!
– NO COLLUSION NO COLLISIONS! It should be hard to find two data elements with the same hash value
[Figure: Data → Hash → $n$ bits]
Cryptographic Hash Functions Applications – “Historic”
Important building block: >100 occurrences in Windows operating system
Representative Commitment Randomizer
SHA256(“Mario”) = 61 C8 E1 6A D9 0D 4E 6D A3 17 18 0F A4 45 E2 62 E9 31 3B BF 21 FD 4D 30 B3 B9 B4 42 58 86 B2 F5
SHA256(“Marion”) = 34 17 CF DF 67 C5 1B 20 FE 04 24 BC 47 D5 69 2E 87 59 FB 06 B3 6D 48 28 A6 AD 1C 65 4A 9D C3 67
Cryptographic Hash Functions Applications – Today
Bitcoin mining
Proof of work (c) https://coincentral.com
Solving “hash puzzles” (SHA-256)
August 2017, the mining difficulty (block #479669) (bit security ~$2^{71.65}$)
0000000000000000005d68cd57cfb4f925aa1e3e729feb0cb81a64393306ad4f
Hash functions – a quick look under the hood
MD4-family of hash functions
Current state-of-the-art: SHA-2 family (FIPS 180-4)
Alternative construction: SHA-3 (sponge construction) – Again a competition, – Again J. Daemen
AUTHENTICITY AKA RECYCLING IN CRYPTO
Message Authentication Codes (block cipher based)
Recycling in cryptography: CBC mode of operation
– CBC MAC (ISO/IEC 9797-1 MAC Algorithm 1)
– CMAC (NIST SP 800-38B)
[Figure: CBC chain over the n-bit blocks $m_1, m_2, \ldots, m_t$ at points in time 1, 2, ..., t, starting from the IV; the sender produces $c_1, c_2, \ldots, c_t$, the receiver recovers $m_1, m_2, \ldots, m_t$]
Sender: $c_i = E_S(c_{i-1} \oplus m_i, k)$, $i > 0$
Receiver: $m_i = D_S(c_i, k) \oplus c_{i-1}$, $i > 0$
HMAC – keyed-hash message authentication code
Originally defined in 1996
Used extensively by IETF (RFC2104)
Widely standardized: NIST FIPS 198-1
$H_1 = \mathrm{Hash}\big((K' \oplus ipad) \,\|\, M\big)$
$HMAC(M, K) = \mathrm{Hash}\big((K' \oplus opad) \,\|\, H_1\big)$
Using Encryption for Authentication
Basic authentication principles: – Something known – Something possessed – Something inherent
How to NOT do it: ID
E = Enc(ID, Key) Key Key
E
A simple example for an authentication protocol
All modern authentication protocols use a time-variant parameter – Nonce (random challenge) – Timestamp – Sequence number
Challenge – response protocol
Challenge R Key Key E = Enc(R, Key)
Different for each authentication run!
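The static scheme from the “How to NOT do it” slide next to the challenge-response protocol, as an added example (not part of the original slides). It swaps in HMAC-SHA-256, written out from the formula on the HMAC slide, for the slide's Enc(·, Key); the class names, the key and the device ID are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 64  # input block size of SHA-256 in bytes

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC(M, K) = H((K' xor opad) || H((K' xor ipad) || M))."""
    if len(key) > BLOCK:                      # long keys are hashed first
        key = hashlib.sha256(key).digest()
    k_prime = key.ljust(BLOCK, b"\x00")       # K': key padded to one block
    ipad = bytes(b ^ 0x36 for b in k_prime)
    opad = bytes(b ^ 0x5C for b in k_prime)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

class Device:
    def __init__(self, key: bytes, device_id: bytes):
        self.key, self.device_id = key, device_id

    def static_token(self) -> bytes:
        # "How to NOT do it": E depends only on ID and Key, so it never changes.
        return hmac_sha256(self.key, self.device_id)

    def respond(self, challenge: bytes) -> bytes:
        # Challenge-response: E depends on the verifier's fresh nonce R.
        return hmac_sha256(self.key, challenge)

class Verifier:
    def __init__(self, key: bytes):
        self.key, self.pending = key, None

    def static_check(self, device_id: bytes, token: bytes) -> bool:
        return hmac.compare_digest(token, hmac_sha256(self.key, device_id))

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)         # nonce R, different for each run
        return self.pending

    def check_response(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac_sha256(self.key, self.pending)
        self.pending = None                   # each challenge is single-use
        return hmac.compare_digest(response, expected)

def demo():
    key = bytes(range(32))                    # constructed shared key
    dev, ver = Device(key, b"card-0001"), Verifier(key)

    recorded = dev.static_token()             # observed once on the wire
    static_replay_ok = ver.static_check(b"card-0001", recorded)

    resp = dev.respond(ver.challenge())       # genuine run, also observed
    first_ok = ver.check_response(resp)
    ver.challenge()                           # next run uses a new R
    replay_ok = ver.check_response(resp)      # old response no longer fits
    return static_replay_ok, first_ok, replay_ok

if __name__ == "__main__":
    print(demo())
```

A recorded static token is accepted again, while a recorded response is rejected on the next run because the verifier has issued a new nonce.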
PUBLIC KEY CRYPTO AKA ASYMMETRIC CRYPTO
The problem so far ...
How do Alice and Bob get their symmetric keys in the first place ?
What if Alice and Bob are not the only people on earth ?
[Figure: 6 people A, B, C, D, E, F need 15 keys]
$7 \cdot 10^{9}$ people $\approx 25 \cdot 10^{18}$ keys
After 2500 years it was time for a new concept ...
Public Key Signatures
CREATE: the document is hashed (hash 00110…..11001) and the hash is digitally signed with the private key of the sender (signed hash 11111…..10011); the digitally signed document is sent.
VERIFY: the received document is hashed again (hash 00110…..11001), the signed hash is processed with the public key of the sender (00110…..11001), and the two hashes are compared.
Remember hash collisions ?
Asymmetric/ Public Key Cryptography
Based on hard and long-studied mathematical problems from number theory, algebra, …
In theory, no initial key exchange between Alice and Bob
The idea: – Each participating party owns a key pair – A key pair consists of • A public key (can be known to everybody) • A private key (must stay under the sole control of the owner)
RSA (Rivest, Shamir, Adleman, 1978)
Based on the so-called factorization problem:
– Given two prime numbers, it is easy to multiply them.
– Given the product, it is difficult to find the prime numbers.
RSA Keys – Every participant has
– a modulus $n = p \cdot q$ (public), the product of two large prime numbers
– a public exponent $e$ (for performance reasons, one often chooses small prime numbers with few 1’s); $e = 2^{16} + 1$ are common choices ($e = 3, 17$ in old designs)
– a private exponent $d$.
[Figure: public keys A: $n_A, e_A$; B: $n_B, e_B$; C: $n_C, e_C$; each participant keeps its private exponent $d_A$, $d_B$, $d_C$]
RSA Operation
Encryption: The sender computes $c = m^e \bmod n$, where m is the message, (n,e) is the public key of the receiver, and c is the cipher text.
Decryption: The receiver computes $c^d \bmod n$, where c is the cipher text and d is the private key of the receiver.
Mathematically: $c^d = m^{ed} = m^{1 + k \cdot \varphi(n)} = m \bmod n$
Careful: In real life you need more: OAEP, PSS, PKCS#1, FIPS 186-4
Elliptic Curve Cryptography (ECC)
Geometrically, elliptic curves are actual curves in the plane, i.e. a set of points (x, y) with
$y^2 = x^3 + ax + b$
Cryptography on elliptic curves (ECC) is based on the fact that one can calculate on points of the elliptic curves, i.e., one can add points
Proposed for use in cryptography in 1985 by Koblitz / Miller
http://www.hpl.hp.com/research/info_theory/ellipbook.html
Elliptic Curves
ECC keys
– As a system parameter to be used by all users “one” elliptic curve E and one point P on this curve are chosen.
– Every user has a secret key, i.e. an integer k.
– Every user has the point Q = k·P as his/her public key.
Security is based on ECDLP (Elliptic Curve Discrete Logarithm Problem): Given $P$, $Q$ find $k$: $Q = k \cdot P$
Main applications: ECDSA, ECDH
[Figure: Elliptic Curve E with Point P; public keys A: $Q_A$, B: $Q_B$, C: $Q_C$; private keys $k_A$, $k_B$, $k_C$]
Elliptic Curves
Example for geometric point addition
E: $y^2 = x^3 - x$
[Figure: the curve E with the points P, 2·P, 3·P, 4·P and 5·P]
Recommended Key Sizes for Public Key Crypto
BSI (TR-02102-1) „Technische Richtlinie für Kryptographische Algorithmen und Schlüssellängen“, 29. May 2018
R ... Multiples of the computational effort like performing an elementary 1-block AES encryption
RSA/DL in $GF(p)$: Starting from 2017, key sizes smaller than 3000 bits will only be conformant to BSI till 2022
For ECC: 256 bit is the lower bound
Major Takeaway:
Choose algorithms, modes and key sizes wisely (i.e. according to recommendations)
Use widely standardized cryptographic building blocks
Don't invent your own crypto!!!
– Everybody is able to create a cryptosystem that he himself is not able to break!
– Non-reviewed crypto is doomed to fail!
Be careful when random numbers are involved... Heads up: There are always random numbers involved!
Modern cryptography comprises much, much more
COMPANY CONFIDENTIAL Real World Protocols Public Key Certificates -- x.509
Where do we come across public key signatures a lot in your daily work?
Data structure containing identity info + public key Signed by a trusted authority
How do we put our techniques to use in the real world?
The real world is hybrid! We use symmetric AND asymmetric techniques jointly
Alice, Eve
Bob creates a session key K
Bob uses Alice's and Eve's public keys to encrypt the session key K
[Figure labels: ENC(K), $EK_A$, $EK_C$]
The Transport Layer Security (TLS) protocol.
TLS basically puts the s in https
Recently (Aug. 2018), the latest version TLS 1.3 has been published by IETF
TLS provides a secure connection between two points: – confidentiality, – integrity, – authenticity of data, – Authentication between client and server.
TLS is algorithm independent – Cipher suites
The TLS architecture.
Two main protocols: The Handshake protocol takes care of authenticating client and server and negotiating keys and cipher-suites.
The Record protocol defines the data formats, and secures the packets.
Improvements in TLS 1.3 over 1.2
TLS1.3 removes weak algorithms
– No more MD5, SHA1, RC4, no more MAC then Encrypt
Reduces the overall protocol complexity (and thereby the attack surface)
– No more compression (cf. CRIME attack)
Downgrade Protection
– Defense against downgrade attacks
Single round-trip handshake
Session resumption
The cryptography at work when you write WhatsApp/Signal messages...
Taken from „A formal security analysis of the Signal messaging protocol“
https://eprint.iacr.org/2016/1013
THE BAD
Hash function crisis (2004-2005)
New cryptanalysis technique announced by a team of Chinese researchers (Prof. Wang)
– Improvement of differential cryptanalysis
Collisions for MD4, MD5, RIPEMD in seconds
Collisions for SHA in hours
Collisions for SHA-1 theoretically possible
– $\approx 2^{69}$ hashing operations
SHA-ttered… (https://shattered.io)
SHA-1 collision
good.pdf bad.pdf
Logical security
Logical Security vs Functional Security
Functional security means all security features are implemented and achieve the desired level Logical security means there are no implementation bugs which can be used to logically bypass the implemented security This notion is about the implementation of security
Many things can go really wrong! In the following examples, cryptography was NOT the issue!
Heartbleed (2014)
Bad place for a key !!
© XKCD
Heartbleed
Problem…
    …
    buffer = OPENSSL_malloc(1 + 2 + payload + padding);
    …
and how to fix it…
    …
    /* claimed payload length must fit into the record that was received */
    if (1 + 2 + payload + 16 > s->s3->rrec.length)
        return 0;
    buffer = OPENSSL_malloc(1 + 2 + payload + padding);
    …
Apple’s ‘goto fail’ bug
Occurred during SSL certificate checking
© zdnet
Google’s “Android Master Key attack”
Signatures on files within an Android APK are checked before installing the application (i.e. crypto OK)
An APK is a ZIP file
If one puts 2 files with the same name in an APK, the first one being the genuine file, the other being the hacker's file:
– Android checks the signature on the first one and installs the second one!!!
Wrong assumption on correctness of Android’s installation file
Padding oracle attack against SSL 3.0
Never underestimate the ingenuity of attackers
In SSL3.0 handshakes, the server assumed you sent something encrypted with his public key
So he tries to decrypt the message, and checks the structure of the plaintext
In case this is ill-formatted, the server replies that the plaintext was ill-formatted
Million message attack:
1.) Listen to handshake
2.) Keep all encrypted comm
3.) Send crafted messages to server and look at responses
4.) Do math
5.) Read encrypted comm
Takeaway
In general, everything is possible!
Code and protocol reviews
Defensive, secure and clean programming
Formal proof and V&V
Vulnerability analysis / penetration testing
THE UGLY
Physical Security vs Functional Security
Functional security means all security features are implemented and achieve the desired level Physical security addresses the fact that there is no way to physically bypass the implemented security functionality This notion is again about the implementation of security
Key differentiator for NXP is the know-how to implement things securely in order to withstand physical attacks!
Yet again, many things can go really wrong!
Side-Channel Analysis
“Most famous Side-Channel-Attack”
Pentagon Pizza Attack
Washington Domino Pizza Index (early ’90) Pentagon, at any normal evening about 12 - 15 pizzas…
But every once in a while 36 - 45 pizzas…
Panama, Gulf War, … Information leakage without any official press announcement!
Power Power SPA: Simple Pizza Analysis DPA: Differential Pizza Analysis
Side-Channels
– Power Consumption
– Timing
– Electromagnetic Emanation
– Error Messages
Side-Channel Analysis Attacks Overview
But there's more...
Acoustic cryptanalysis: https://www.tau.ac.il/~tromer/acoustic/ In 2014, researchers showed how to extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. They demonstrate that such attacks can be carried out, using either – a plain mobile phone placed next to the computer, – or a more sensitive microphone placed 4 meters away.
Electromagnetic emanation from your next door neighbor
ECDH computation measured from the laptop in the adjacent office https://www.tau.ac.il/~tromer/ecdh/
Demo: Breaking AES with DPA – ChipWhisperer DEMO
Attacking an unprotected SW AES implementation with ~ 500 traces is no problem ! The code is run on the XMEGA target platform The power traces are recorded by the left part of the CW lite. Analysis is done with CPA (correlation power analysis)
© www.newae.com
Fault Attacks
Fault Attacks Overview
Introduce a fault in the computation
– Laser beam
– Flash light
– Voltage burst
– Clock jitter
– EM fault injection
– Permanent fault (Focused Ion Beam)
Use the faulty output as side-channel information
Manipulate branch
Change security setting
Generate $m, d, n$
Calculate $s = m^d \bmod n$
Generate $m, p, q, d_p, d_q, p^{-1}, q^{-1}$
Calculate
$s_p = m^{d_p} \bmod p$
$s_q = m^{d_q} \bmod q$
$s = a_p \cdot s_p + a_q \cdot s_q$, with the coefficients $a_p$, $a_q$ built from $q^{-1} \bmod p$ and $p^{-1} \bmod q$
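The RSA operations from the “RSA Operation” slide and the two signature computations above, as an added example (not part of the original slides). It uses constructed toy parameters (two Mersenne primes, far below real key sizes) and a simulated single-bit fault in $s_p$, and shows the common defensive check of verifying a signature before it is released.

```python
import hashlib

# Constructed toy parameters; real keys follow the key-size recommendations.
P, Q = 2**31 - 1, 2**61 - 1           # two (Mersenne) primes
N, E = P * Q, 2**16 + 1               # public key (n, e)
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent d
DP, DQ = D % (P - 1), D % (Q - 1)     # d_p, d_q
AP = Q * pow(Q, -1, P)                # a_p: 1 mod p, 0 mod q
AQ = P * pow(P, -1, Q)                # a_q: 0 mod p, 1 mod q

def encrypt(m: int) -> int:
    return pow(m, E, N)               # c = m^e mod n

def decrypt(c: int) -> int:
    return pow(c, D, N)               # c^d = m^(1 + k*phi(n)) = m mod n

def digest(msg: bytes) -> int:
    # Message representative m < n (truncated SHA-256, no padding scheme).
    return int.from_bytes(hashlib.sha256(msg).digest()[:8], "big")

def sign_plain(m: int) -> int:
    return pow(m, D, N)               # s = m^d mod n

def sign_crt(m: int, fault: bool = False) -> int:
    s_p = pow(m, DP, P)               # s_p = m^(d_p) mod p
    s_q = pow(m, DQ, Q)               # s_q = m^(d_q) mod q
    if fault:
        s_p ^= 1                      # simulated fault: one flipped bit in s_p
    return (AP * s_p + AQ * s_q) % N  # s = a_p*s_p + a_q*s_q mod n

def verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m

def sign_checked(m: int, fault: bool = False) -> int:
    # Countermeasure: never output a signature that fails its own verification.
    s = sign_crt(m, fault)
    if not verify(m, s):
        raise RuntimeError("signature self-check failed, output suppressed")
    return s

if __name__ == "__main__":
    m = digest(b"Hello World")
    print("round trip ok:", decrypt(encrypt(m)) == m)
    print("CRT == plain :", sign_crt(m) == sign_plain(m))
    print("faulty valid :", verify(m, sign_crt(m, fault=True)))
```

The faulty result is still correct modulo q but wrong modulo p, so it fails verification and `sign_checked` refuses to return it.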
There is no such thing as „perfect security“
A secure system makes an attack more expensive than the value of the advantage gained by the attacker.
Shamir’s laws – Absolutely secure systems do not exist
– To halve your vulnerabilities you need to double your expenditure
– Cryptography is typically bypassed, not broken
© xkcd
Takeaway
In general, everything is possible! Physical attacks have been around for ~20 years now, mainly in the embedded security world Solutions exist that make the aforementioned attacks extremely difficult and expensive
THE FUTURE ...... IS IT GOING TO BE GOOD, BAD OR UGLY?
Internet of Things: why do we need security?
IoT is about Connections Bringing new risks of attack from virtually anywhere (no air gap anymore, infection across heterogenous networks, no security perimeter)
IoT is about Data Risk of terrifying breaches of privacy (smart devices are everywhere: home, wrist, car, bike, factory & enterprise, street, …) Industrial espionage & IP theft
IoT is about Command & Control Sensitive real time processes (medical device, Industrial process, city traffic management)
The lack of Security in IoT is now tangible
– Casino hack: Overview of high-rollers extracted via thermostat of a fish-aquarium in the lobby
– Mirai botnet: Disruption of major Internet services
– Jeep hack: Loss of control over vehicle via WiFi connection
– Nest Hack: Security camera shut down by a simple click on a phone
– Target Hack: Target declared that the total cost of the data breach had been $202M (NBC news, May 24, 2017)
SEPTEMBER 20, 2017 by Mamta Badkar in New York
Parcel delivery company FedEx said on Tuesday that a June cyber attack on its TNT Express unit cost the company $300m in the first quarter, … the NotPetya cyber attack, which originated from tax preparation software in Ukraine and resulted in the disruption of communications systems at TNT Express.
IoT security threats and general protection principles
THREAT SPECTRUM
– Local, physical: Power analysis, Light attacks, Glitching, …
– Local, logical: Exploiting all local interfaces: JTAG, Serial, USB
– Remote: Buffer overflow, Rowhammer, Heartbleed, Cache timing, Flooding/DoS
SOLUTION RATIONALE AGAINST THREATS
– Local, physical: If an attacker can get local access to the device, make a cost/benefit trade-off and protect against relevant local physical attacks over the lifetime of the device
– Local, logical: If an attacker can get local access to the device, aim to protect against local logical attacks. Reason: can be automated and executed by laymen
– Remote: Aim to protect against remote attacks. Reason: scalable attacks can be automated and executed by laymen from anywhere in the world
Level of importance to ensure security against threats: High, Higher, Highest
„IOT goes nuclear – Creating a ZigBee chain reaction“
In June 2017, researchers published a paper that describes a severe attack on Philips' Hue smart lamps
• The attack is a clever combination of a logical implementation attack and a physical side-channel attack
Step 1: The 350US$ Chipwhisperer Lite platform has been used to extract the OTA firmware update key (AES-CCM)
Step 2: An implementation bug in the Zigbee protocol (proximity check) allowed to disassociate the lamps from their PANs and use the FW update key from step 1 to install the attack FW from up to 400m away
Very unfortunate choice: Every bulb of a certain model used the same key...
Pictures © http://iotworm.eyalro.net/
Challenges for IoT security
Huge amount of devices
Many IoT devices are going to be autonomous
IoT devices have unmanaged lifetimes
Many IoT devices have limited resources
IoT devices generate huge amounts of personal data ....
Concepts towards a solution
– Security by design
– Privacy by design
– Runtime protection
– Analytics, recovery and damage control
– Certification
– Trust provisioning
– Trusted implementation
– Managing the security lifecycle
Cryptography to establish secure connections and functionality
• Encryption, authentication, integrity
• Key management
• Securely booting
• Securely connecting
Resilient Security Architectures to mitigate vulnerabilities
• Isolation architectures: Security IC, Trustzone in application processors, Trustzone-M in microcontrollers, etc.
Security must be maintained in an uncontrolled and evolving environment!
Thank you for your attention!