Presentation is loading. Please wait.

Presentation is loading. Please wait.

ID-Based Design Patterns for M2M Secure Channels Francisco Corella Karen Lewison 10/29/2014 Presentation to M2MSec’14.

Published byBrianna Miles Modified over 9 years ago

Similar presentations

Presentation on theme: "ID-Based Design Patterns for M2M Secure Channels Francisco Corella Karen Lewison 10/29/2014 Presentation to M2MSec’14."— Presentation transcript:

1 ID-Based Design Patterns for M2M Secure Channels Francisco Corella fcorella@pomcor.com Karen Lewison kplewison@pomcor.com 10/29/2014 Presentation to M2MSec’14 1

2 Motivation The IoT is extremely diverse and gives rise to a broad range of requirements for secure channel protocols Requirements are often not met by traditional protocols such as TLS, IPsec or SSH Security is often sacrificed to meet constraints – BLE, ZigBee, Z-Wave are not secure There is a need for a broad variety of protocols to meet diverse requirements 10/29/20142

3 Protocol design patterns Here we propose protocol design patterns rather than particular protocols Goal: reduce latency and bandwidth consumption by – Eliminating the roundtrips that most secure channel protocols require for key exchange – Eliminating certificate transmission Energy may be saved as a side effect of reduced bandwidth consumption, but that is not an explicit goal of these particular patterns 10/29/20143

4 Previous work on reducing roundtrips and bandwidth consumption Caching parameters from initial connection can save roundtrips and transmission of certificates in subsequent connections, as in: – Abbreviated TLS handshake – TLS Fast-track – TLS False Start – TLS Snap Start – QUIC Proposed patterns: – Require no caching – Can eliminate roundtrips and certificate transmission for all connections 10/29/20144

5 Pattern ingredients Identity-based encryption – A special case of identity-based cryptography, used for key transport Replay tolerance for first flow – So that initiator can send application data right away Optional forward secrecy from second flow onward For global deployments: – Hierarchical identity-based encryption with multiple roots – Reliance on DNS or DNSSEC to store ID chains 10/29/20145

6 ID-based cryptography Trusted party called “private key generator (PKG)” analogous to certificate authority (CA) Public key of entity is computed from ID of entity and public key of PKG Private key of entity is computed from ID of entity and private key of PKG – Must be computed by the PKG and given to the entity 10/29/20146

7 Expiration and revocation of ID-based credentials Key pair can be made to expire by adding an expiration date or time to the identity, e.g. – Base ID: “pomcor.com” – ID with expiration date: “pomcor.com-20141029” Key pair can be revoked by adding a revocation counter – ID with revocation counter: “pomcor.com-4” – Latest ID must be retrieved from trusted repository Short term expiration + emergency revocation counter – pomcor.com-20141029-4 10/29/20147

8 Pattern #1 Responder-only authentication No forward secrecy 10/29/20148

9 init-nonce under resp-pubkey data1 under keys1-i2r Compute resp-pubkey Generate init-nonce Derive keys1-i2r from init-nonce Decrypt init-nonce Derive keys1-i2r from init-nonce Decrypt data1 Generate resp-nonce Derive keys2 from both nonces and responder's identity 10/29/20149

10 resp-nonce under keys2-i2r data3 under keys2-i2r Derive keys2 from both nonces and responder's identity Decrypt and check init-nonce Decrypt data2 Decrypt and check resp-nonce Decrypt data3 resp-nonce init-nonce under keys2-r2i data2 under keys2-r2i 10/29/201410

11 Pattern #2 Mutual authentication No forward secrecy 10/29/201411

12 init-nonce under resp-pubkey data1 under keys1-i2r Compute resp-pubkey Generate init-nonce Derive keys1-i2r from init-nonce Decrypt init-nonce Derive keys1-i2r from init-nonce Decrypt data1 Generate resp-nonce Derive keys2 from both nonces and responder's identity Compute init-pubkey 10/29/201412

13 resp-nonce under keys2-i2r data3 under keys2-i2r Decrypt resp-nonce Derive keys2 from both nonces and responder's identity Decrypt and check init-nonce Decrypt data2 Decrypt and check resp-nonce Decrypt data3 resp-nonce under init-pubkey init-nonce under keys2-r2i data2 under keys2-r2i 10/29/201413

14 Pattern #3 Mutual authentication Forward secrecy from the second flow onward 10/29/201414

15 init-nonce under resp-pubkey init-edh-pubkey data1 under keys1-i2r Compute resp-pubkey Generate init-nonce Derive keys1-i2r from init-nonce Generate init-edh-keypair Decrypt init-nonce Derive keys1-i2r from init-nonce Decrypt data1 Generate resp-nonce Generate resp-edh-keypair Compute edh-secret Derive keys2 from edh-secret Compute init-pubkey 10/29/201415

16 resp-nonce under keys2-i2r data3 under keys2-i2r Decrypt resp-nonce Compute edh-secret Derive keys2 from edh-secret Decrypt and check init-nonce Decrypt data2 Decrypt and check resp-nonce Decrypt data3 resp-nonce under init-pubkey resp-edh-pubkey init-nonce under keys2-r2i data2 under keys2-r2i 10/29/201416

17 Other ID-based patterns Responder-only authentication with forward secrecy Patterns with initiator-only authentication… 10/29/201417

18 For global deployments… A single PKG is not enough A hierarchy of PKGs may be needed – Analogous to a CA hierarchy A global PKG hierarchy may need to have multiple roots – Just like a global CA hierarchy The identity of a party is a chain of IDs of PKGs (the “ID chain”) The ID of a root PKG is a reference to cryptographic parameters built into the relying party – Analogous to a built-in root CA public key 10/29/201418

19 DNS/DNSSEC support for global deployments The relying party needs to know what PKG chain is used by the authenticating party The ID chain of the responder could be retrieved from DNS/DNSSEC without an additional roundtrip – By contrast, a certificate chain is too large to be reliably retrieved from the DNS The revocation counter can also be retrieved from the DNS/DNSSEC Retrieving the ID chain from DNSSEC solves the “rogue PKG problem” – Just like DANE solves the “rogue CA problem” 10/29/201419

20 Follow-up work Proofs of security for patterns Low-energy patterns? Design of protocols that use the patterns Proofs of security of protocols, relying on proofs of security of patterns as lemmas 10/29/201420

21 Thank you for your attention! 10/29/2014 For more information: Web site: pomcor.com Blog: pomcor.com/blog Francisco Corella fcorella@pomcor.com Karen Lewison kplewison@pomcor.com 21 Any questions?

Download ppt "ID-Based Design Patterns for M2M Secure Channels Francisco Corella Karen Lewison 10/29/2014 Presentation to M2MSec’14."

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
It’s Time to Replace SSL/TLS Karen P. Lewison, MD – CEO Francisco Corella, PhD – CTO 5/29/2014 -- Updated 5/31.

It’s Time to Replace SSL/TLS Karen P. Lewison, MD – CEO Francisco Corella, PhD – CTO 5/29/ Updated 5/31.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security

Cryptography and Network Security
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
9/11/2012Pomcor 1 Techniques for Implementing Derived Credentials Francisco Corella Karen Lewison Pomcor (http://pomcor.com/)

9/11/2012Pomcor 1 Techniques for Implementing Derived Credentials Francisco Corella Karen Lewison Pomcor (
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
RIKE Using Revocable Identities to Support Key Escrow in PKIs Nan Zhang, Jingqiang Lin, Jiwu Jing, Neng Gao State Key Laboratory of Information Security,

RIKE Using Revocable Identities to Support Key Escrow in PKIs Nan Zhang, Jingqiang Lin, Jiwu Jing, Neng Gao State Key Laboratory of Information Security,
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Identity-Based Cryptography for Grid Security Hoon Wei Lim Information Security Group Royal Holloway, University of London (Joint work with Kenny Paterson)

Identity-Based Cryptography for Grid Security Hoon Wei Lim Information Security Group Royal Holloway, University of London (Joint work with Kenny Paterson)
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.

Similar presentations

Ads by Google