KPI: A Security Infrastructure for Trusted Devices
Mahalingam Ramkumar
Department of Computer Science and Engineering, Mississippi State University, Mississippi State, MS 39762. Ph: 662-325-8435, Email: ramkumar@cse.msstate.edu
Nasir Memon
Department of Computer and Information Science, Polytechnic University, Brooklyn, NY 11201. Ph: 718-260-3970, Email: memon@poly.edu
I. INTRODUCTION
Deployments of perhaps billions of autonomous, heterogeneous wireless devices, some fixed and some mobile, manufactured by different vendors, with varying capabilities, and very different purposes, but with one common feature - that every device will have the ability to communicate with any other device - are expected to organize themselves into pervasive, highly interconnected, ad hoc networks. Such pervasive networks would serve as crucial infrastructures for our day to day computing/communication needs. Securing such deployments from malicious intents, aimed at sabotaging the infrastructure, is a very important requirement.

For example, nodes forming mobile ad hoc networks (MANETs) have to co-operatively build routing tables, and relay messages destined for other nodes. In such a scenario, malicious action by a single node could have a potentially disruptive effect over the entire network. An attacker "controlling" one or more nodes can inflict significant harm to other nodes. It is therefore vital that the nodes (or devices) people possess (or operate) "behave responsibly." While it may not be possible to force the owners of the nodes to behave in a responsible fashion, it may be possible to force the devices themselves to do so. In other words, it is the devices that are trusted - not the owners!

This new paradigm shift (trusting devices instead of trusting the owners) is needed not just in applications that depend on mutual co-operation for functioning, but also under scenarios where
1) devices need to operate autonomously (there is no person around to supply the device with secrets when necessary), and
2) devices need to operate in hostile environments (for example, DRM applications, where the owner of a DVD player might be a potential pirate).

Two devices can trust each other if there exists some means of convincing each other that they "play by the rules," or are "compliant" (to some pre-imposed rules). From a cryptographic perspective, two nodes can trust each other if they can establish an authenticated shared secret. This is facilitated by a key distribution scheme (KDS), which provides each node with one or more secrets. The KDS secrets are then used to establish (or discover) shared secrets. The fact that such a shared secret can be established simultaneously provides mutual authentication (of the identities) of the parties involved - or the interacting parties establish a security association (SA).

The KDS secrets provided to a node could, however, be used as a hook for compliance. In other words, only nodes (or devices) that have been checked for compliance would be provided with the necessary secrets. Thereafter, the ability of any two nodes to establish an SA indirectly provides a means for verification of compliance.

Any security solution based on trusted devices therefore demands mechanisms for read-proofing the secrets stored in tamper-resistant devices [1]. In the absence of the assurance of read-proofness, secrets that serve as a hook for compliance could be transferred to non-compliant [2] devices. In the absence of the assurance of tamper-resistance, the components (or software) that ensure compliance of a device could be modified.

At a minimum, a deployment of trusted devices consists of a trusted authority (TA) who manufactures the devices, and the devices themselves. However, in practice, devices may be manufactured by different vendors (or different TAs). Therefore, the need for interoperability demands that the KDS should provide for establishment of security associations (authenticated shared secrets) even between devices manufactured by different vendors.

For long-lived security of the deployment of devices, the KDS secrets stored in a device (that guarantee compliance) should be renewed periodically. Further, the KDS should offer mechanisms for revocation of devices (revoked devices will not be able to take subsequent part in the deployment). Additionally, the KDS should also provide for non-repudiation of messages sent by devices. It would also be very useful if the underlying KDS provides solutions for multicast security.

A trusted device A then consists of components that render the device compliant, and the set of secret(s) S_A, all enclosed in a read-proof and tamper-resistant casing. For example, each device may have a general purpose processor. The software that runs on the processor determines the "rules" that the device honors. Only the processor in device A will have access to the secrets S_A. The nature and number of secrets S_A would depend on the underlying KDS used to secure the deployment.
II. KPI - KEY PRE-DISTRIBUTION INFRASTRUCTURE
For applications involving nodes forming ad hoc networks, privacy and practicality constraints dictate that interactions between any two nodes, for purposes of establishing security associations, should not need external mediators - thus ruling out Kerberos as a viable option. While PKI, based on asymmetric cryptography, supports ad hoc establishment of security associations, the computational demands placed by asymmetric cryptography may not be acceptable in all scenarios.

A third option is key pre-distribution (KPD) [3]. A KPD scheme consists of a trusted authority (TA), and N nodes with unique IDs (say ID_1 ... ID_N). The TA chooses P secrets R. Node i is preloaded with secrets S_i = f(i, R) - the key-ring of node i. Two nodes i and j can discover a unique shared secret K_ij using a public operator g() without further involvement of the TA:

K_ij = g(S_i, ID_j) = g(S_j, ID_i).   (1)

As g() is public, it is possible for two nodes, just by exchanging their IDs, to execute g() and discover a unique shared secret. The nature of the functions f() and g() determines the actual KPD scheme.

However, as the keys stored in different devices are not independent, an attacker, by exposing secrets from a finite number of devices, may be able to compromise secrets of other devices, or even compromise all the secrets R. There is thus a concept of n-secure KPDs. Typically, the efficiency of a KPD scheme is measured as a ratio of n vs the key-ring size required in each device.

The KPI (or key pre-distribution infrastructure) [4] consists of a KPD scheme at its core, and security policies and protocols to render the deployment inter-operable and secure. We propose the use of HARPS (hashed random preloaded subsets) [5] as the underlying KPD for the KPI. The security policy for the envisaged KPI is an extension of the "resurrecting duckling" policy by Stajano et al. [6], [7]. The extension of the security policy is based on a delay-based circuit authentication technique proposed by Gassend et al. [8], which permits remote resurrection of the duckling - or in other words, safe renewal of the preloaded secrets without physical contact between a device and the TA [9].

The tree-hierarchical deployment of KPI starts with a root node at the root of the tree. Each child node could further act as a TA (vendor) for its child nodes (devices manufactured by the vendor). Each node, in accordance with HARPS, is preloaded with a subset of secrets belonging to its parent. However, the preloaded secrets are repeatedly hashed a variable number of times.
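As an added illustration (not code from the paper or from the HARPS authors), the following Python sketch instantiates f() and g() of equation (1) in the HARPS style described above: each node's key ring is a subset of the TA's P secrets selected by a public function of its ID, each secret hashed a variable number of times, and two nodes derive K_ij by hashing their common secrets forward to the deeper of the two depths. The parameter values, the PRF used to derive subsets and depths, and the flat single-TA layout are assumptions; the hierarchical case would repeat the same preload step at each level of the tree.

```python
import hashlib
import hmac
# Assumed toy parameters (not from the paper): P root secrets, K-sized
# key rings, hash depths in 1..L. Real HARPS deployments use far larger P.
P, K, L = 32, 16, 8
PUBLIC_SALT = b"harps-public-prf-salt"   # constructed; public, not a secret

def h(x):
    """One-way hash step applied repeatedly to a preloaded secret."""
    return hashlib.sha256(x).digest()

def ring_layout(node_id):
    """Public function of ID_i: which of the P secrets node i holds and
    how many times each one is hashed. Anyone can compute this from the ID."""
    layout, counter = {}, 0
    while len(layout) < K:
        v = hmac.new(PUBLIC_SALT, f"{node_id}|{counter}".encode(),
                     hashlib.sha256).digest()
        idx = int.from_bytes(v[:4], "big") % P
        depth = 1 + int.from_bytes(v[4:8], "big") % L
        layout.setdefault(idx, depth)      # first depth drawn for an index wins
        counter += 1
    return layout

def ta_setup(seed):
    """TA chooses the P root secrets R (derived from a seed here for a repeatable demo)."""
    return [hashlib.sha256(seed + bytes([j])).digest() for j in range(P)]

def preload(R, node_id):
    """f(i, R): the TA hands node i each selected secret hashed 'depth' times."""
    ring = {}
    for idx, depth in ring_layout(node_id).items():
        val = R[idx]
        for _ in range(depth):
            val = h(val)
        ring[idx] = val
    return ring

def shared_key(my_ring, my_id, peer_id):
    """g(S_i, ID_j): on every index both rings share, hash own secret forward to
    the deeper of the two depths; both sides then hold identical values."""
    mine, theirs = ring_layout(my_id), ring_layout(peer_id)
    parts = []
    for idx in sorted(set(mine) & set(theirs)):
        val = my_ring[idx]
        for _ in range(max(mine[idx], theirs[idx]) - mine[idx]):
            val = h(val)
        parts.append(val)
    if not parts:      # no common secrets: no pairwise key (rare at these sizes)
        return None
    return hashlib.sha256(b"".join(parts)).digest()
```

Because hashing is one-way, a node holding a secret at depth d can reach any deeper value but not a shallower one, which is what limits the damage an attacker does by exposing a finite number of rings.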
The tree-hierarchical nature of the deployment permits devices manufactured by different vendors to establish security associations. Further, the preloaded HARPS secrets, apart from being used for establishing pairwise security associations, can also be used for
1) discovery of conference secrets [10],
2) broadcast authentication - or non-repudiation of the source, and
3) broadcast encryption [11].

In particular, HARPS permits even peer nodes (or devices) to perform authenticated broadcasts and broadcast encryption. Broadcast authentication by the TA can be used for broadcasting revocation lists similar to PKI. An even more efficient mechanism of revocation is rendered possible through broadcast encryption by the TA. The TA could broadcast revocation secrets that would not be decipherable by revoked nodes. Note that if broadcast authentication is used for revocation, the nodes would need to store a list of revoked devices. However, if broadcast encryption is used, nodes need to store only the latest revocation secret (which is not available to the revoked nodes).

A combination of different security primitives could also be used to realize more complex security associations like establishment and maintenance of communities of interest (or multicast groups), and also provides a security framework for peer-to-peer publish-subscribe [12] systems.

A unique feature of broadcast authentication using HARPS is that it caters for a novel cryptographic paradigm of "targeted signatures" [13]. While typical signature schemes do not differentiate, or do not have the ability to differentiate, between intended and non-intended recipients of a broadcast, for most practical applications, most messages do in fact have intended and non-intended recipients. HARPS enables signatures to be targeted to one or more verifiers.
REFERENCES
[1] R. Gennaro, A. Lysyanskaya, T. Malkin, S. Micali, T. Rabin, "Tamper Proof Security: Theoretical Foundations for Security Against Hardware Tampering," Theory of Cryptography Conference, Cambridge, MA, February 2004.
[2] J. Lotspiech, S. Nusser, F. Pestoni, "Anonymous Trust: Digital Rights Management using Broadcast Encryption," Proceedings of the IEEE, 92(6), pp. 8–909, 2004.
[3] R. Blom, "An Optimal Class of Symmetric Key Generation Systems," Advances in Cryptology: Proc. of Eurocrypt 84, Lecture Notes in Computer Science, 209, Springer-Verlag, Berlin, pp. 335-338, 1984.
[4] M. Ramkumar, N. Memon, "A Hierarchical Random Key Pre-distribution Scheme for a Low Complexity Security Infrastructure," submitted to the IEEE Information Assurance Workshop, 2005.
[5] M. Ramkumar, N. Memon, "An Efficient Random Key Pre-distribution Scheme for MANET Security," to appear, IEEE Journal on Selected Areas of Communication, March 2005.
[6] F. Stajano, R. Anderson, "The Resurrecting Duckling: Security Issues in Ad-Hoc Wireless Networks," in Security Protocols, 7th International Workshop Proceedings, Lecture Notes in Computer Science, Springer-Verlag, 1999.
[7] F. Stajano, "The Resurrecting Duckling - what next?," available at http://www-lce.eng.cam.ac.uk/fms27/duckling/duckling-what-next.html.
[8] B. Gassend, D. Clarke, M. van Dijk, S. Devadas, "Delay-based Circuit Authentication and Applications," Proceedings of the 2003 ACM Symposium on Applied Computing, Melbourne, Florida, pp. 294–301, 2003.
[9] M. Ramkumar, "On Key Renewal in Trusted Devices," submitted to ICDCS 2005.
[10] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas, "Multicast Security: A Taxonomy and Some Efficient Constructions," INFOCOM '99, 1999.
[11] A. Fiat, M. Naor, "Broadcast Encryption," Lecture Notes in Computer Science, Advances in Cryptology, Springer-Verlag, 773, pp. 480–491, 1994.
[12] C. Wang, A. Carzaniga, D. Evans, and A. Wolf, "Security Issues and Requirements in Internet-scale Publish-subscribe Systems," in HICSS '02, January 2002.
[13] M. Ramkumar, "Targeted Signatures: Broadcast Authentication with Hashed Random Preloaded Subsets," submitted to the IEEE Symposium on Security and Privacy 2005.