  1. IoTs and Security: (In)Security of IoT. Pascal Lafourcade, Chaire de Confiance Numérique, 15th March 2016

  2. Internet of Things (IoT)

  3. Increasing Success of IoT

  4. Reasons for the Success of IoT
     Technology
       ◮ Wireless communications: WiFi, 3G, 4G, Bluetooth, Sigfox ...
       ◮ Batteries
       ◮ CPU
       ◮ Sensors
       ◮ Price
     Usage
       ◮ Monitoring services
       ◮ Hyperconnectivity
       ◮ Availability

  6. Wireless communications ⇒ Wormhole Attack

  7. Real attacks on IoT from 2007 ...
     Séminaire Confiance Numérique: 7 April, 2:00 pm, Amphi B, IUT

  11. Insecurity of IoT, by HP in 2015
      POODLE: Padding Oracle On Downgraded Legacy Encryption

  12. TOP 10: Vulnerabilities of IoT
        1. Insecure Web Interface (weak passwords, account protection)
        2. Insufficient Authentication/Authorization
        3. Insecure Network Services (open ports, DoS)
        4. Lack of Transport Encryption
        5. Privacy Concerns (leak of personal information)
        6. Insecure Cloud Interfaces
        7. Insecure Mobile Interfaces
        8. Insufficient Security Configurability
        9. Insecure Software/Firmware
       10. Poor Physical Security
      https://www.owasp.org/images/8/8e/Infographic-v1.jpg

  13. How to Secure IoT
      Cryptography:
        ◮ Primitives: RSA, ElGamal, AES, DES, SHA-3 ...
        ◮ Protocols: distributed algorithms
      Properties:
        ◮ Secrecy
        ◮ Authentication
        ◮ Privacy
        ◮ Non-repudiation ...
      Intruders:
        ◮ Passive, active
        ◮ CPA, CCA ...
      Designing such secure protocols is difficult.

  17. Is it preserving your privacy?
      4096-bit RSA encryption.
      Around 60 possible temperatures: 35 ... 41
      {35}_pk, {35.1}_pk, ..., {41}_pk
      With a deterministic encryption, an observer who knows pk can encrypt each of the ~60 candidate readings and match the result against the ciphertext it sees.
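Added example (not part of the slides): the dictionary matching the slide sketches, in Python with a toy RSA key, beside a randomised-padding variant that defeats it. The key, the 0.1-degree reading grid and the padding scheme are constructed assumptions, not the deck's or any library's code.

```python
import secrets

# Toy RSA key, constructed: p, q are the 10000th and 100000th primes (fast, not secure).
# The slide's 4096-bit key has exactly the same determinism problem when used textbook-style.
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

def rsa_textbook_encrypt(m: int) -> int:
    """Textbook RSA: deterministic, so equal readings give equal ciphertexts."""
    return pow(m, E, N)

def temperature_dictionary() -> dict:
    """{ciphertext: reading} for every plausible body temperature 35.0 .. 41.0 in
    0.1 steps: the message space is only 61 values, so 61 encryptions suffice."""
    return {rsa_textbook_encrypt(t): t / 10 for t in range(350, 411)}

def recover_temperature(ciphertext: int, table: dict):
    """Passive observer: look an intercepted ciphertext up in the dictionary."""
    return table.get(ciphertext)

R_BITS = 20   # fresh random pad bits; (r << 16) | m stays below N (~2^37)

def rsa_randomised_encrypt(m: int) -> int:
    """Prepend fresh randomness (assumption: a simplified stand-in for OAEP) so two
    encryptions of the same reading differ and no dictionary can be precomputed."""
    r = secrets.randbelow(2**R_BITS - 1) + 1   # r >= 1: never equals a bare table value
    return pow((r << 16) | m, E, N)

def rsa_randomised_decrypt(c: int) -> int:
    """Legitimate receiver strips the pad and reads the reading in tenths of a degree."""
    return pow(c, D, N) & 0xFFFF

if __name__ == "__main__":
    table = temperature_dictionary()
    c = rsa_textbook_encrypt(382)                    # sensor sends 38.2 C
    print(recover_temperature(c, table))             # 38.2: privacy lost
    c2 = rsa_randomised_encrypt(382)
    print(c2 in table, rsa_randomised_decrypt(c2))   # False 382
```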

  21. 3-Pass Shamir, Abstract Representation
        1. A → B : {m}_{K_A}
        2. B → A : {{m}_{K_A}}_{K_B} = {{m}_{K_B}}_{K_A}   (commutative encryption)
        3. A → B : {m}_{K_B}

  29. Logical Attack on Shamir 3-Pass Protocol (I)
      Perfect encryption: one-time pad (Vernam encryption), {m}_k = m ⊕ k
      XOR properties (ACUN):
        ◮ (x ⊕ y) ⊕ z = x ⊕ (y ⊕ z)   Associativity
        ◮ x ⊕ y = y ⊕ x               Commutativity
        ◮ x ⊕ 0 = x                   Unity
        ◮ x ⊕ x = 0                   Nilpotency
      Vernam encryption is a commutative encryption:
      {{m}_{K_A}}_{K_I} = (m ⊕ K_A) ⊕ K_I = (m ⊕ K_I) ⊕ K_A = {{m}_{K_I}}_{K_A}

  31. Logical Attack on Shamir 3-Pass Protocol (II)
      Perfect encryption: one-time pad (Vernam encryption), {m}_k = m ⊕ k
      Shamir 3-Pass Protocol:
        1. A → B : m ⊕ K_A
        2. B → A : (m ⊕ K_A) ⊕ K_B
        3. A → B : m ⊕ K_B
      Passive attacker: observes the three messages and XORs them:
      (m ⊕ K_A) ⊕ (m ⊕ K_B ⊕ K_A) ⊕ (m ⊕ K_B) = m
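Added example (not from the slides): the three XOR messages on the wire and the passive observer's combination that returns m, contrasted with Shamir's original exponentiation-based instantiation, where the same combination yields nothing. Pads, the prime P and the sample reading are constructed; none of this is the deck's own code.

```python
import math
import secrets

def otp(m: bytes, k: bytes) -> bytes:
    """Vernam encryption {m}_k = m xor k; also decryption, since x xor x = 0."""
    return bytes(a ^ b for a, b in zip(m, k))

def three_pass_otp(m: bytes):
    """Shamir 3-pass with one-time pads K_A, K_B; returns the three wire messages."""
    k_a, k_b = secrets.token_bytes(len(m)), secrets.token_bytes(len(m))
    msg1 = otp(m, k_a)             # A -> B : m xor K_A
    msg2 = otp(msg1, k_b)          # B -> A : (m xor K_A) xor K_B
    msg3 = otp(msg2, k_a)          # A -> B : m xor K_B   (A removes K_A: commutativity)
    assert otp(msg3, k_b) == m     # B removes K_B: the protocol itself works
    return msg1, msg2, msg3

def passive_observer_otp(msg1: bytes, msg2: bytes, msg3: bytes) -> bytes:
    """Sees only ciphertexts. (m^K_A) ^ (m^K_A^K_B) ^ (m^K_B) = m: every key and the
    two extra copies of m cancel (nilpotency), in any order (associativity, commutativity)."""
    return otp(otp(msg1, msg2), msg3)

def otp_leaks_message(m: bytes) -> bool:
    return passive_observer_otp(*three_pass_otp(m)) == m

# Contrast: Shamir's original instantiation, exponentiation modulo a prime P, is also
# commutative but has no nilpotency, so the same combination gives nothing useful and
# recovering m would require a discrete logarithm.
P = 2**61 - 1   # Mersenne prime, constructed choice; exponents must be invertible mod P-1
def random_exponent() -> int:
    while True:
        a = secrets.randbelow(P - 3) + 2
        if math.gcd(a, P - 1) == 1:
            return a

def three_pass_exp(m: int):
    a, b = random_exponent(), random_exponent()
    c1 = pow(m, a, P)                      # A -> B : m^a
    c2 = pow(c1, b, P)                     # B -> A : m^(ab)
    c3 = pow(c2, pow(a, -1, P - 1), P)     # A -> B : m^b   (a^-1 mod P-1 strips a)
    assert pow(c3, pow(b, -1, P - 1), P) == m   # B strips b and reads m
    return c1, c2, c3

def exp_leaks_message(m: int) -> bool:
    c1, c2, c3 = three_pass_exp(m)         # the observer's XOR trick no longer yields m
    return (c1 ^ c2 ^ c3) % P == m

if __name__ == "__main__":
    print(otp_leaks_message(b"temp=38.2"))  # True: confidentiality lost
    print(exp_leaks_message(382))           # False
```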

  33. Second Example: Needham-Schroeder Key Exchange, 1976
        A → B : {A, N_A}_{Pub(B)}
        B → A : {N_A, N_B}_{Pub(A)}
        A → B : {N_B}_{Pub(B)}
      ◮ Uses cryptography
      ◮ Small programs
      ◮ Distributed

  34. Cryptography is not sufficient!
      Example: Needham-Schroeder Key Exchange
        A → B : {A, N_A}_{Pub(B)}
        B → A : {N_A, N_B}_{Pub(A)}
        A → B : {N_B}_{Pub(B)}
      Broken 17 years later, by G. Lowe (I is a dishonest participant relaying between A and B):
        A ↔ I                          I ↔ B
        A → I : {A, N_A}_{Pub(I)}      I → B : {A, N_A}_{Pub(B)}
        A ← I : {N_A, N_B}_{Pub(A)}    I ← B : {N_A, N_B}_{Pub(A)}
        A → I : {N_B}_{Pub(I)}         I → B : {N_B}_{Pub(B)}
      Computer-Aided Security
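Added example (not from the slides): a symbolic replay of the Needham-Schroeder exchange and of Lowe's trace above, together with the check Lowe proposed (B puts its own name in message 2, A compares it with its intended peer) that makes A abort. Encryption is an ideal tagged tuple and every name and nonce is a constructed symbol; this is not the deck's or any verifier's code.

```python
def enc(pub_owner, *fields):
    """{fields}_Pub(pub_owner): an ideal public-key box only pub_owner can open."""
    return ("enc", pub_owner, fields)

def dec(me, box):
    _tag, owner, fields = box
    if owner != me:
        raise PermissionError(f"{me} cannot open a box encrypted for {owner}")
    return fields

def run_ns(attack: bool, lowe_fix: bool):
    """Returns (A completed its run, B accepted a run 'with A').
    attack=True: A starts a session with the dishonest peer I, who relays to B.
    lowe_fix=True: B puts its own name in message 2 and A checks it."""
    A, B, I, N_A, N_B = "A", "B", "I", "N_A", "N_B"
    peer = I if attack else B                # whom A intends to talk to
    msg1 = enc(peer, A, N_A)                 # A -> peer : {A, N_A}_Pub(peer)
    if attack:
        a_name, n_a = dec(I, msg1)           # I opens it ...
        msg1 = enc(B, a_name, n_a)           # I -> B : {A, N_A}_Pub(B), posing as A
    a_name, n_a = dec(B, msg1)
    msg2 = enc(a_name, n_a, N_B, B) if lowe_fix else enc(a_name, n_a, N_B)
    # I cannot open msg2 (it is for A) and forwards it unchanged.
    fields = dec(A, msg2)
    if fields[0] != N_A:
        return False, False
    if lowe_fix and fields[2] != peer:
        return False, False                  # A expected I's name, sees B: abort
    msg3 = enc(peer, fields[1])              # A -> peer : {N_B}_Pub(peer)
    if attack:
        (n_b,) = dec(I, msg3)                # I learns N_B ...
        msg3 = enc(B, n_b)                   # ... and finishes B's run as "A"
    (n_b_back,) = dec(B, msg3)
    return True, n_b_back == N_B

if __name__ == "__main__":
    print(run_ns(attack=False, lowe_fix=False))  # (True, True)   honest run
    print(run_ns(attack=True, lowe_fix=False))   # (True, True)   B fooled: Lowe's trace
    print(run_ns(attack=True, lowe_fix=True))    # (False, False) A aborts at message 2
```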

  37. Formal Verification Approaches
      Designer: give a proof
      Attacker: find a flaw
      Security Team

  41. Security Challenges for IoT
      Data exchanged should be protected.
      Security Properties:
        ◮ Data Integrity
        ◮ Data Confidentiality
        ◮ Data Privacy
        ◮ Authentication
        ◮ Non-repudiation
        ◮ Availability

  42. 5 Things to Bring Home
        1. Several security challenges in IoT
        2. Security has to be considered at the design stage of IoT
        3. Designing secure protocols is difficult
        4. Trade-off between security, battery, CPU and price
        5. Formal methods can help you design secure protocols
      Protocol + Properties + Intruder ⇒ Security

  43. Thanks for your attention. Questions?
