
Publication


Featured research published by Manuel Koschuch.


workshop in information security theory and practice | 2009

Energy-Efficient Implementation of ECDH Key Exchange for Wireless Sensor Networks

Christian Lederer; Roland Mader; Manuel Koschuch; Johann Großschädl; Alexander Szekely; Stefan Tillich

Wireless Sensor Networks (WSNs) are playing a vital role in an ever-growing number of applications ranging from environmental surveillance over medical monitoring to home automation. Since WSNs are often deployed in unattended or even hostile environments, they can be subject to various malicious attacks, including the manipulation and capture of nodes. The establishment of a shared secret key between two or more individual nodes is one of the most important security services needed to guarantee the proper functioning of a sensor network. Despite some recent advances in this field, the efficient implementation of cryptographic key establishment for WSNs remains a challenge due to the resource constraints of small sensor nodes such as the MICAz mote. In this paper we present a lightweight implementation of the elliptic curve Diffie-Hellman (ECDH) key exchange for ZigBee-compliant sensor nodes equipped with an ATmega128 processor running the TinyOS operating system. Our implementation uses a 192-bit prime field specified by the NIST as underlying algebraic structure and requires only 5.20 · 10^6 clock cycles to compute a scalar multiplication if the base point is fixed and known a priori. A scalar multiplication using a random base point takes about 12.33 · 10^6 cycles. Our results show that a full ECDH key exchange between two MICAz motes consumes an energy of 57.33 mJ (including radio communication), which is significantly better than most previously reported ECDH implementations on comparable platforms.


cryptographic hardware and embedded systems | 2006

Hardware/software co-design of elliptic curve cryptography on an 8051 microcontroller

Manuel Koschuch; Joachim Lechner; Andreas Weitzer; Johann Großschädl; Alexander Szekely; Stefan Tillich; Johannes Wolkerstorfer

8-bit microcontrollers like the 8051 still hold a considerable share of the embedded systems market and dominate in the smart card industry. The performance of 8-bit microcontrollers is often too poor for the implementation of public-key cryptography in software. In this paper we present a minimalist hardware accelerator for enabling elliptic curve cryptography (ECC) on an 8051 microcontroller. We demonstrate the importance of removing system-level performance bottlenecks caused by the transfer of operands between hardware accelerator and external RAM. The integration of a small direct memory access (DMA) unit proves vital to exploit the full potential of the hardware accelerator. Our design allows to perform a scalar multiplication over the binary extension field GF(2^191) in 118 msec at a clock frequency of 12 MHz. Considering performance and hardware cost, our system compares favorably with previous work on similar 8-bit platforms.


international conference on heterogeneous networking for quality, reliability, security and robustness | 2010

Smart Elliptic Curve Cryptography for Smart Dust

Johann Großschädl; Matthias Hudler; Manuel Koschuch; Michael Krüger; Alexander Szekely

Wireless ad-hoc and sensor networks play a vital role in an ever-growing number of applications ranging from environmental monitoring over vehicular communication to home automation. Security and privacy issues pose a big challenge for the widespread adoption of these networks, especially in the automotive domain. The two most essential security services needed to maintain the proper functioning of a wireless network are authentication and key establishment; both can be realized with Elliptic Curve Cryptography (ECC). In this paper, we introduce an efficient ECC implementation for resource-restricted devices such as sensor nodes. Our implementation uses a 160-bit Optimal Prime Field (OPF) over which a Gallant-Lambert-Vanstone (GLV) curve with good cryptographic properties can be defined. The combination of optimized field arithmetic with fast group arithmetic (thanks to an efficiently computable endomorphism) allows us to perform a scalar multiplication in about 5.5 · 10^6 clock cycles on an 8-bit ATmega128 processor, which is significantly faster than all previously-reported ECC implementations based on a 160-bit prime field.


international conference on data communication networking | 2014

Papers, Please…: X.509 certificate revocation in practice

Manuel Koschuch; Ronald Wagner

X.509v3 certificates are the current standard of verifiably associating an entity with a public key, and are widely used in different networking applications: from HTTPS in browsers, SSH connections, to e-mail, PDF and code signing. This wide usage also necessitates the existence of a robust, reliable way to detect and deal with compromised or otherwise invalid certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) are the two mechanisms currently deployed to handle revoked certificates. In this position paper we present preliminary results of our research into the practical use of these protocols, using an existing data-set to show that almost 85% of certificates currently in use contain no revocation information, and compare different browsers under different operating systems as to their dealing with unreachable OCSP servers. We find that browser behaviour in this case ranges from opening the site without any warnings whatsoever to totally blocking it, indicating no clear default reaction and no reliable behaviour.


cryptology and network security | 2008

Workload Characterization of a Lightweight SSL Implementation Resistant to Side-Channel Attacks

Manuel Koschuch; Johann Großschädl; Udo Payer; Matthias Hudler; Michael Krüger

Ever-growing mobility and ubiquitous wireless Internet access raise the need for secure communication with devices that may be severely constrained in terms of processing power, memory capacity and network speed. In this paper we describe a lightweight implementation of the Secure Sockets Layer (SSL) protocol with a focus on small code size and low memory usage. We integrated a generic public-key crypto library into this SSL stack to support elliptic curve cryptography over arbitrary prime and binary fields. Furthermore, we aimed to secure the SSL handshake against side-channel attacks (in particular simple power analysis) by eliminating all data-dependent or key-dependent branches and memory accesses from the arithmetic operations and compare the resulting performance with an unprotected implementation. Our lightweight SSL stack has only 6% of the code size and RAM requirements of OpenSSL, but outperforms it in point multiplication over prime fields when no appropriate countermeasures against side-channel attacks are implemented. With such countermeasures, however, the execution time of a typical SSL handshake increases by roughly 50%, but still completes in less than 160 msec on a 200 MHz iPAQ PDA when using an elliptic curve over a 192-bit prime field.


international conference on information and communication security | 2009

Hardware/Software co-design of public-key cryptography for SSL protocol execution in embedded systems

Manuel Koschuch; Johann Großschädl; Dan Page; Philipp Grabher; Matthias Hudler; Michael Krüger

Modern mobile devices like cell phones or PDAs allow for a level of network connectivity similar to that of standard PCs, making access to the Internet possible from anywhere at anytime. Going along with this evolution is an increasing demand for cryptographically secure network connections with such resource-restricted devices. The Secure Sockets Layer (SSL) protocol is the current de-facto standard for secure communication over an insecure network like the Internet and provides protection against eavesdropping, message forgery and replay attacks. To achieve this, the SSL protocol employs a set of computation-intensive cryptographic algorithms, in particular public-key algorithms, which can result in unacceptably long delays on devices with modest processing capabilities. In this paper we introduce a hardware/software co-design approach for accelerating SSL protocol execution in resource-restricted devices. The software part of our co-design consists of MatrixSSL™, a lightweight SSL implementation into which we integrated elliptic curve cryptography (ECC) to speed up the public-key operations performed during the SSL handshake. The hardware part comprises a SPARC V8 compliant processor core with instruction set extensions to support the low-level arithmetic operations carried out in ECC. Our co-design executes a full SSL handshake using an elliptic curve over a 192-bit prime field in less than 300 msec when the SPARC processor is clocked at 20 MHz. A pure software implementation like OpenSSL is, depending on the field type and order, up to a factor of 10 slower than our co-design solution.


international conference on e business | 2010

The Price of Security: A Detailed Comparison of the TLS Handshake Performance on Embedded Devices When Using Elliptic Curve Cryptography and RSA

Manuel Koschuch; Matthias Hudler; Michael Krüger

The Transport Layer Security (TLS) Protocol is the current de-facto standard for secure connections over an insecure medium; it combines asymmetric and symmetric cryptography to achieve authentication, confidentiality and message integrity. The flexibility of the TLS protocol regarding the algorithms used allows it to also run efficiently on mobile devices severely constrained in terms of available memory, computing power and energy. In this work we present a thorough performance evaluation of the TLS handshake process by breaking it down into its individual phases, with a focus on the comparison between the usually applied RSA algorithm and cryptographic primitives based on Elliptic Curve Cryptography (ECC). We are especially interested how the transition to more secure TLS cipher suites (like switching from one-way to mutual authentication or to ephemeral primitives) affects the load that is put on client and server when using RSA and ECC, respectively.


the internet of things | 2018

How Little is Enough? Implementation and Evaluation of a Lightweight Secure Firmware Update Process for the Internet of Things.

Silvie Schmidt; Mathias Tausig; Manuel Koschuch; Matthias Hudler; Georg Simhandl; Patrick Puddu; Zoran Stojkovic

With an ever growing number of devices connecting to each other and to the Internet (usually subsumed under the "Internet-of-Things" moniker), new challenges arise in terms of keeping these devices safe, secure and usable. Against better judgment, a large number of such devices never gets updated after being deployed, be it from negligence, inconvenience or sheer technical challenges. And all that while a plethora of valid approaches already exists for secure wireless remote update processes for such devices. In this work, we present another approach to solve this problem, with a special focus on the ease of integration into existing systems: we try to provide the absolute bare minimum to enable a secure over-the-air update process, analyze the security of this approach, and evaluate the performance impact of the implementation. We show that our solution can deal with nearly 80% of the identified threats, with a negligible impact on practical performance in terms of processing power and energy consumption.


the internet of things | 2018

Searchitect - A Developer Framework for Hybrid Searchable Encryption (Position Paper).

Ulrich Haböck; Manuel Koschuch; Ines Kramer; Silvie Schmidt; Mathias Tausig

In light of the trend towards cloud-based applications, privacy enhancing technologies are becoming increasingly important. Searchable encryption (SE) allows to outsource data to the cloud in a secure way, whilst permitting search functionality on that encrypted data: the host is able to perform search queries on behalf of the user, but without having access to the encryption keys. We propose Searchitect, a developer framework which allows to enhance existing cloud-based applications with searchable encryption. Searchitect provides a ready-to-use client-server infrastructure, which is expandable by custom SE schemes, the server being a configurable webservice offering searchable encryption as a service (SEaaS). Unlike other searchable encryption frameworks our approach is hybrid: Searchitect separates the index component from the data encryption scheme, leaving the application’s own specific encryption paradigm and access control untouched. In this way, we hope to ease the integration of searchable encryption into already existing cloud-based applications, requiring only the client code to be modified. Further, as searchable encryption is a very active field of research, we emphasize the experimental character of Searchitect’s framework. It aims at developers keeping track of recent SE developments, providing an easy deployable solution for testing in public and private clouds.


international conference on e business | 2015

What a Difference a Year Makes: Long Term Evaluation of TLS Cipher Suite Compatibility

Stefan Prinz; Silvie Schmidt; Manuel Koschuch; Alexander Glaser; Taro Fruhwirth; Matthias Hudler

The Transport Layer Security (TLS) protocol is still the de-facto standard for secure network connections over an insecure medium like the Internet. But its flexibility concerning the algorithms used for securing a channel between two parties can also be a weakness, due to the possible agreement on insecure ciphers. State of the art cipher suites are not supported by all websites. We relate on an existing white paper (Applied Crypto Hardening) giving recommendations on how to securely configure SSL/TLS connections with regard to the practical feasibility of these recommendations. In addition, we propose an additional configuration set with the aim of increasing compatibility as well as security. We also developed a small Cipher Negotiation Crawler (CiNeg) to test TLS-handshakes using given cipher configurations with Alexa’s top websites and show its practical usability. In this work we examine the trend regarding supported cipher suites on webservers over time. To analyze this, we performed the scans twice with a one year gap. We compared the outcome of the two scans to see if we can determine a trend to better security as time goes by. And indeed, we found explicit enhancements in our reevaluations.

Collaboration

Top Co-Authors

Peter Lory (University of Regensburg)

Alexander Szekely (Graz University of Technology)

Stefan Tillich (Graz University of Technology)

Udo Payer (Graz University of Technology)

Andreas Weitzer (Graz University of Technology)

Christian Lederer (Alpen-Adria-Universität Klagenfurt)