Securing Critical Unattended Systems with Identity Based Cryptography
A Case Study
Johannes Blömer, Peter Günther, University of Paderborn
Volker Krummel, Wincor Nixdorf International
Unattended systems
An unattended system (USys) is an IT-based system that runs (mostly) autonomously.
Examples
- control systems
- self service terminals
- automated teller machines (ATM)
A USys consists of components that communicate via standard protocols, e.g. USB.
Communication in ATMs
[Figure: communicating ATM components: card reader, EPP (encrypted pin pad), cash dispenser]
Unattended systems
- Large numbers of USys form networks, e.g. ATM networks.
- Remote monitoring is possible, e.g. updating software.
- Permanent technical maintenance has to be avoided.
- Human interaction only in exceptional circumstances.
Security threats
Component substitution attacks
- prepare malicious substitute component
- exchange component by substitute
- activate malicious mechanisms to execute unauthorized actions
Message manipulation attacks
- get access to communication links
- manipulate and induce messages
- execute unauthorized actions
Requirements
Component authenticity: USys consists of authentic components.
Data origin authenticity: communication between components is authenticated.
Local verifiability: detection and reaction to security breaches relies on internal components only.
No single point of failure: failure of individual components can be tolerated.
Efficiency
Two step approach
1. Each component verifies the authenticity of every other component within the same USys.
2. After successfully verifying the authenticity of another component, an authenticated (and confidential) communication channel is established between components.
Outline
[Figure: layered overview of building blocks: ATM protocol; key exchange/agreement, encryption scheme, hash functions, signatures, identification protocol; identity based cryptography; pairings, elliptic curves, block ciphers; arithmetic in finite fields]
Everything implemented on security token, e.g. smart card!
Public key cryptography
[Figure: Certification Authority (CA)]
Certificates and certification authorities
- require significant organizational and technical overhead
- require complex data management
- their complexity can become a threat to security
Public key vs. identity-based encryption
- PKE requires special pairs of keys, not all bit strings can be public keys
- in IBE every bit string or identity can be a public key
- identities can already be certified, e.g. passport numbers
- may simplify necessary infrastructure
- IBE introduced in 1984 by A. Shamir
- first fully functional realization in 2001 by Boneh, Franklin
- everything that can be realized with public key crypto can also be realized with identity based crypto
Identity-based encryption
[Figures (three slides): identity-based encryption with a Private Key Generator]
Identities and personalization
Identities can be
- email addresses
- passport numbers
- serial numbers
In many cases these are personalized by processes outside security mechanisms!
Identities and personalization in USys
- USys personalized with unique identity id during production
- private key belonging to id is generated with PKG of identity based crypto system
- remove additional personalization step for public key from classical public key crypto systems
IBC security – requirements
- adversaries know the complete specifications of encryption schemes (Kerckhoffs's principle)
- adversaries should learn nothing about plaintexts from ciphertexts
- adversary should not be able to forge signatures
- adversary may know many plaintext/ciphertext pairs and message/signature pairs
- adversary may know private keys to many identities
corrupting one USys does not compromise the whole network
Challenge: Exponentially (in n) many private keys depend on a master secret msk of polynomial (in n) length.
From signatures to identification
[Figure: the layered overview from the Outline slide, repeated]
IBC based protocols
- can use standard identification protocols based on public key crypto techniques
- replace public key techniques by identity based crypto techniques
[Diagram: identification protocol between A and B]
B: r ← {0,1}^n
B → A: r (challenge)
A: Sign_{sk_A}(r)
A → B: response
B: return 1 iff Vrfy_{pk_A}(r, response) accepts
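The challenge-response identification on this slide, as an added example that is not the authors' smart card implementation: it swaps in Shamir's 1984 RSA-based identity-based signature scheme for the pairing-based schemes the talk uses, so that it runs with the Python standard library only. The modulus is a constructed toy value and offers no security.

```python
import hashlib
import secrets

# Constructed toy modulus from two Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537                    # public parameters published by the PKG
MSK = pow(E, -1, (P - 1) * (Q - 1))    # master secret msk, held only by the PKG


def h(*parts):
    """Hash length-prefixed byte strings to an integer modulo N."""
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def extract(identity):
    """PKG: derive the private key for an identity during personalization."""
    return pow(h(b"id", identity), MSK, N)


def sign(sk_id, msg):
    """Shamir IBS: t = k^E, s = sk_id * k^H(t, msg) mod N."""
    k = secrets.randbelow(N - 2) + 2
    t = pow(k, E, N)
    s = sk_id * pow(k, h(b"sig", t.to_bytes(32, "big"), msg), N) % N
    return t, s


def verify(identity, msg, sig):
    """Needs only the identity string and (N, E); no certificate or CA lookup."""
    t, s = sig
    rhs = h(b"id", identity) * pow(t, h(b"sig", t.to_bytes(32, "big"), msg), N) % N
    return pow(s, E, N) == rhs


def identify(claimed_id, prover_key):
    """B picks a fresh challenge r; A answers Sign(r); B returns Vrfy(r, response)."""
    r = secrets.token_bytes(16)        # r from {0,1}^n with n = 128
    response = sign(prover_key, r)     # computed on the prover's side
    return verify(claimed_id, r, response)
```

A component that claims one serial number but holds the key extracted for another fails `identify`, and a response recorded for one challenge fails `verify` under a different challenge.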
IBC on smart cards
- everything needed to be implemented on smart cards
- modern smart cards offer no specific support for IBC
- they support elliptic curve cryptography
- implemented identity based encryption, signature and identification protocols
- security level comparable to RSA with key length 1024
- generating and verifying signatures takes a few hundred milliseconds
- IBC requires one additional primitive, i.e. bilinear pairings
- Weil pairing
- Tate pairing
Pairings
Needs to satisfy cryptographic / complexity theoretic hardness assumptions!
Lessons learned
- complete system implemented for ATMs
- initial effort high
- but it pays off
- complexity of backend reduced, no CA
- security processes easier to handle, e.g. maintenance
- ratio between security and efficiency better