K.U.Leuven ESAT/SCD/COSIC
Computer Security and Industrial Cryptography
Danny De Cock, Danny.DeCock@esat.kuleuven.be
Katholieke Universiteit Leuven / Dept. Elektrotechniek (ESAT)
Computer Security and Industrial Cryptography (COSIC)
Kasteelpark Arenberg 10, B-3001 Heverlee, Belgium

ESAT/SCD-COSIC
- SCD Chief: Prof. Dr. Joos Vandewalle
- COSIC chiefs: Prof. Bart Preneel, Dr. Ingrid Verbauwhede
- Contact data:
  - Kasteelpark Arenberg 10, B-3001 Leuven (Belgium)
  - Telephone: +32-(0)16 321148
  - Fax: +32(0)16 321969
  - Email: bart.preneel@esat.kuleuven.be
  - Website: http://www.esat.kuleuven.be/cosic
June 2005

Research: Protocols & Applications
Mission statement: Creating the electronic equivalent of the real world:
  - confidentiality, digital signature, anonymity, privacy, payments, non-repudiation, digital rights management, elections
Technologies:
  - key management: ad hoc networks, PKI, group keying
  - anonymous communications and services
  - software tamper resistance and obfuscation
  - software agents
  - trusted systems: TCG/NGSCB, TPM…
  - e-document security and XML: XADES
Applications:
  - electronic payments, e-commerce, m-commerce and secure e-banking
  - e-government: electronic ID card
  - electronic voting: Cybervote
  - securing mobile and wireless communications: UMTS, WLAN, PAN…
  - ambient intelligence

Applications
- Trusted Platforms
- Privacy & Anonymity
- Embedded Systems
- Identity Management
- Security in Wireless and Ad Hoc Networks
- Digital Rights Management
- Document Security
- Software Obfuscation
- Archiving

Relevant Projects & Study
Identity management:
  - EU/IST/FIDIS – Future of Identity in the Information Society
  - EU/IST/PRIME – Privacy and Identity Management in Europe
  - EU/MODINIS/Modinis IDM – Study on Identity Management in e-government of the European Member States
    - With Lawfort (B) and A-SIT (AT)
Applications:
  - EU/IST/GST – Global System for Telematics
  - EU/IST/TEAHA – The European Home Alliance
  - B/IWT/ADAPID – Advanced Applications of Electronic Identity Cards
  - B/IBBT/IDEM – Identity Management Systems for Federal and Flemish eGovernment
  - B/IBBT/INDEX – Inter-governmental Data Exchange between Federal and Flemish Administrations
  - B/IBBT/IPEA – Innovative Platform for Electronic Archiving

Security Challenges for Current & Future Systems
Date: June, 2004
Location: Athens, Greece
Authors: Danny De Cock, K.U.Leuven

TEAHA Devices
[Diagram of TEAHA devices and clusters; recoverable labels:]
- Service Provider
- Telefonica Back-End: OSGi based platforms for Aggregating services; Content and Service Provision/Service Aggregator
- Residential Gateway: OSGi framework; Zigbee/EHS/KNX; Ethernet / Wifi / ADSL; Bluetooth
- Merloni Washing Machine: Ultra-low cost power line connection; TEAHA Smart Adapter; Zigbee/EHS/KNX/Bluetooth; RS232
- EDF Power Meter: Serial line interface
- Clusters: Multimedia UPnP Cluster, Energy mgt Cluster, Household Appliance Cluster
- Links: Ultra-low cost power line connection, EHS, Zigbee, ULC PLC

Different Security Approaches
Based on implementation complexity and cost:
  - No security mechanisms
  - Non-cryptographic techniques (e.g., CRC, hardware enclosures,…)
  - Combine all of the above with cryptographic techniques
Different security levels protect data in transit and persistently:
  - Ignore data protection
  - Protect data integrity and/or its confidentiality
Different security layers to provide:
  - End-to-End security for users and applications
  - Point-to-Point secure communications

State of the Art Security Features
[Diagram: Remote User, Any Network, Residential Gateway, Any Network, TEAHA devices]
- Secure Zero-configuration
  - Simple hierarchy of devices, users, service providers
  - Seamless interoperability and interaction with other devices
  - Initialization of security parameters during device and service discovery
  - Implicit asset protection of registered TEAHA devices
- Remote management of security parameters, software, users,…
  - Minimizes maintenance costs
  - Suited for a highly dynamic client-service architecture
- Simple and modular security mechanisms
  - Ideal and easy to understand and verify
- Delegation of critical operations to a security module
  - Isolation of security features from non-critical code
- Policy-based access to (home) network
  - Increased network privacy through transparent access control

Installation of a User PC and Internet Gateway
- A User PC and Internet Gateway receive their proof of registration
- The Internet Gateway may be a Routing service provided by the residential gateway; these services have been logically separated
[Diagram labels: Internet Gateway (SM IG), User PC (SM UPC), GUI, Residential Gateway (SM RG), Registry, Wash, Washing Machine (SM WM), Registration Proof, Ping; Neighbor Apartment: Residential Gateway (SM RG’), Registry, Wash, Washing Machine (SM WM’), Registration Proof, Ping]

Layered Security Architecture
[Diagram labels: Device 1, Residential Gateway, Device 2; Device Intelligence; Application Data; Security Module; Hardware Component (optional)]
- Store and Forward of Application Data, Allows for Heterogeneous Security Mechanisms
- Converter, Point to Point Secure Communications
- Application Data Securely Exchanged between Device 1 and 2
- Secure Communications Tunnel
- Legend: secure, confidential, authenticate, insecure

Embedded Security
[Diagram labels:]
- Service Providers, Devices, Users, Applications
- Multimedia Cluster, Household Appliance Cluster, Safety Cluster
- End-to-End Security
- Point-to-Point Security

Pay Per Use Washing Machine
[Diagram: Pay Per Use Washing Machine, Internet, Service Provider]
1. Machine runs out of credit
   - Loading new coins initiated/approved by washing machine user
   - Secure Smart Adapter acts as a protective shell around the machine
   - End to end security:
     - Service Provider validates request authenticated by Secure Smart Adapter
     - Secure Smart Adapter validates response from Service Provider
2. Service Provider checks on the washing machine’s state
   - Triggered from non-home environment, e.g., Service Provider
   - Enters the home environment through a Residential Gateway
   - Request finds its way to the washing machine Secure Smart Adapter
   - Adapter processes the request and forwards it
     - Challenge-response query
   - Response is sent back through the same path

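The end-to-end check of case 1 on the slide above (the Service Provider validates the adapter's request, the adapter validates the provider's response), as an added example that is not part of the original slides. The slides name no mechanism, so the per-device pre-shared key, HMAC-SHA256 over JSON messages, and all class, field and message-type names here are assumptions.

```python
import hashlib, hmac, json, os

def _tag(key, body):
    # Canonical JSON so both ends authenticate exactly the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def _seal(key, body):
    return {**body, "tag": _tag(key, body)}

def _open(key, msg):
    # Return the message body if its tag verifies, else None.
    body = {k: v for k, v in msg.items() if k != "tag"}
    good = hmac.compare_digest(_tag(key, body).encode(), str(msg.get("tag", "")).encode())
    return body if good else None

class SecureSmartAdapter:            # hypothetical model of the adapter
    def __init__(self, device_id, key):
        self.device_id, self.key = device_id, key
        self.pending, self.credit = {}, 0        # nonce -> coins asked for

    def request_credit(self, coins):
        nonce = os.urandom(16).hex()             # fresh per request
        self.pending[nonce] = coins
        return _seal(self.key, {"type": "reload_request", "device": self.device_id,
                                "coins": coins, "nonce": nonce})

    def accept_response(self, msg):
        body = _open(self.key, msg)
        # The type check stops our own request being reflected back as a grant.
        if body is None or body.get("type") != "reload_grant":
            return False
        coins = self.pending.pop(body.get("nonce"), None)   # each nonce is usable once
        if coins is None or coins != body.get("coins"):
            return False
        self.credit += coins
        return True

class ServiceProvider:               # hypothetical model of the provider
    def __init__(self, device_keys):
        self.device_keys, self.seen = device_keys, set()

    def handle(self, msg):
        key = self.device_keys.get(msg.get("device"))
        body = _open(key, msg) if key else None
        if body is None or body.get("type") != "reload_request" or body.get("nonce") in self.seen:
            return None
        self.seen.add(body["nonce"])             # refuse replays of an already served request
        return _seal(key, {"type": "reload_grant", "device": body["device"],
                           "coins": body["coins"], "nonce": body["nonce"]})
```

Because the tag covers the whole message and the grant echoes the request nonce, a Residential Gateway or any other hop that only forwards the messages can neither change the coin amount nor replay an old grant.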
Secure Registry Discovery and Service Registration/Rejection
The new device can only operate as a true TEAHA device if a Registry approves its existence
- New Device searches a registry
  - Registry Search: "Hi, I am new around here, could you help me?"
- A Registry registers the new services
- Optional: "Go away – you do not exist!!"
[Diagram: New Device, Registries and Existing TEAHA Devices, with arrows labelled 1–4 and a–d]

Secure Service Discovery of TEAHA Devices
[Diagram: D1, Registry, D2]
- Service Query
- Data Transfer Optionally Through Security Tunnel
Secure P2P Discovery and Usage
- Ping / Pong
- Direct Service Selection
- Data Transfer

Questions?
key words: “godot TEAHA”
TEAHA: http://www.teaha.org
Myself: Danny.DeCock@esat.kuleuven.be, http://www.esat.kuleuven.be/~decockd