How AGA 12-1 Protects SCADA Data In Transit
A Presentation To The COTF1 Group
By Bill Rush
Gas Technology Institute
April 26, 2003
Sun Valley, Idaho
We Will Overview AGA 12-1 And Develop Background
> Project History
> Threats And Attacks
> Cryptographic Fundamentals
> How AGA 12 Protects Communications
> Future Developments
HISTORY OF AGA 12
The AGA 12 Group Adopted A Broad Charter
> AGA = American Gas Association
> AGA Report = Recommended Practice
> AGA 12-1, “Cryptographic Protection Of SCADA Communications”
> Launched Effort In October 2001
> Goal: Cover Gas, Water, and Electric
> Balloting: March 25 to April 24
“We have no competitors – only partners we have not yet met !”
SCADA Communications Are Vulnerable
> Assailants Can Attack SCADA Communications
[Diagram: Control Room (Secure) -- Network Is Insecure -- RTU (Secure)]
AGA 12-1 Has Several Goals
> Solid Cryptographic Communication Protection
> Retrofit To Existing Systems
> Reasonable Cost
> Tolerable Message Delays
> Reliable Certification Methods
> Interoperability Among Manufacturers
Today, Focus Is “What Attacks We Protect Against And How”
THREATS AND ATTACKS
There Are Several Possible SCADA Attackers
> Hackers
> Organized Crime
> Financial Traders
> Terrorists
> Foreign Governments
> Insiders/Disgruntled Employees
> Combinations
We Protect Against 5 Attacks
> Interception – Listening To Messages
> Fabrication – Creating Forged Messages
> Alteration – Changing Valid Messages
> Replay – Copying Message, Sending Later
> Key Guessing/Extraction – Trial & Error OR Taking Key From Module
AGA 12-1 Protects SCADA Communications
> Technical Approach: Attackers Can’t Read
[Diagram: “Open A Valve!” -> Encrypt -> “^fD%b*m>s#H!j“ -> Decrypt -> “Open A Valve!”]
Even Intercepted SCADA Commands Are Secure Until They Reach Their Destination
CRYPTOGRAPHIC FUNDAMENTALS
Can A Published, Known Standard Encryption Mechanism Really Keep Data A Secret?
YES - And In Fact, It Is The Best Way. How Can This Be?
The Key, Not Algorithm Secrecy, Provides Security
The Mechanism Of Locks Is Public Knowledge
But Without The Key Or Combination - You Can’t Open A Single One !
A Simple Rotation Algorithm Provides A Simple Example
> Substitute One Letter For Another
> Rotate Letters By “N” Positions
GOAL: An Algorithm Simple Enough To See, But Real Enough To Show Issues
Plaintext Maps To Ciphertext Easily - With The Key
Key = Rotate Each Letter 2 To The Right
Plaintext:  A B C D E F G H … Z
Ciphertext: C D E F G H I J … B
With Rotation Key 2, “HAD” Becomes “JCF”; With Rotation Key 3, “HAD” Becomes “KDG”
A Rotation Algorithm Is A Simple Example
> Substitute One Letter For Another
> Rotate Letters By “N” Positions
> N Is The (Shared, Secret) Key
> 0 < N < 25
GOAL: An Algorithm Simple Enough To See, But Real Enough To Show Issues
The Rotation Algorithm Has General Characteristics
> Algorithm Is Known, Key Provides Security
> Unique Mapping Of Plaintext To Ciphertext
> Coding/Decoding Easy With The Key
> Decoding Hard Without The Key
> Can Be Broken By Guessing
> Longer Keys Harder To Break
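The rotation cipher from the slides, as an added example (not part of the original presentation), with the "can be broken by guessing" point made concrete: with only 25 possible keys, an attacker who knows one plaintext word recovers the key instantly, which is why the key lengths discussed next matter. Names such as `rotate` and `brute_force` are my own.

```python
import string

ALPHABET = string.ascii_uppercase  # the 26-letter alphabet the slides use


def rotate(text: str, key: int) -> str:
    # Shift every letter `key` positions to the right, wrapping Z -> A.
    # Characters outside A-Z (spaces, digits) pass through unchanged.
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    # "Coding Easy With The Key": key 2 turns HAD into JCF, key 3 into KDG.
    return rotate(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    # Decoding is the same rotation in the opposite direction.
    return rotate(ciphertext, -key)


def brute_force(ciphertext: str, known_word: str):
    # "Can Be Broken By Guessing": the key space 0 < N < 25 is tiny, so trying
    # every key and looking for a word the attacker expects (a known SCADA
    # command, say) identifies the key immediately.
    # Returns (key, plaintext), or None if the word appears under no key.
    for key in range(1, 26):
        candidate = decrypt(ciphertext, key)
        if known_word in candidate:
            return key, candidate
    return None


if __name__ == "__main__":
    c = encrypt("OPEN A VALVE", 17)
    print(c, "->", brute_force(c, "VALVE"))
```

The brute-force loop is the whole attack: 25 trials. A 128-bit AES key has 2^128 candidates, which is the "millions of years" figure quoted later in the talk.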
A Digression: How Hard Is “Hard”?
> A $250,000 Computer Can Guess A 56-Bit Key In 2 Hours
> Each Additional Bit Doubles Guessing Time
> 64 Bits Takes 128x2=256 hours
> 128 Bits Takes 2x293 hours
The Rotation Algorithm Has General Characteristics (Cont)
> “Symmetric Key” Means Both Keys The Same
> Both Parties Have Common, SECRET Key
> If One Key For Many Units, Getting 1 Gets All
> “Symmetric Key” Management An Issue
> Changing Keys Adds Security
> Never Use A Key To Send A New Key
There Are Three Kinds Of Algorithm
> Symmetric Key - Same, Secret Key
> Public Key - Publish Half Of A Key
> Common Number - Parties Get Same Keys
AGA 12-1 Uses Only Symmetric Key. AGA 12-2 Will Include Public Key, Too
Symmetric Keys Are The Same For Both Parties
> Key Must Be Secret
> One Key For All Raises Risk
> One Key Per Pair Is Hard On A Big Network
> Key Knowledge Is Weak Authentication
> Must “Introduce” Units To Each Other
> “AES” Is An Example Of A Symmetric Key
AES Shuffles And Changes Bits According To A Key
[Diagram: bit rows 0 1 0 0 0 1 0 1 / 0 1 0 0 1 1 0 1 / 0 1 1 0 1 1 1 0, labelled “Move” and “Change”]
AES Encrypts Messages
> Advanced Encryption Standard (AES)
> AES-128, 192, or 256 -> Key Length
> Winner Of NIST “Shoot-out”
> Both Units Have SHARED, SECRET Key
> NIST/FIPS Approved Algorithm
> Changing One Bit In Plain (Cipher) Text Changes Half The Bits In Cipher (Plain) Text
RSA Uses A Public And A Private Key
> Public Key Is 2 Numbers, N And E
> N Is A Modulus
> E Is A Large Number Used To Encrypt
> D Is A Large Number Used To Decode
RSA Is Easy In Principle
> Message Is Called M
> Encrypt Message With RECIPIENT’S (N, E)
> C = Ciphertext = M^E Mod N
> Mod N = Remainder After Dividing By N
> Recipient Decrypts With Private Half Of Key
> P = Plaintext = C^D Mod N
RSA Uses Overflow In Modular Arithmetic
> Ciphertext = C = M^E Mod N
> Plaintext = P = C^D Mod N
> P = C^D Mod N = (M^E)^D Mod N = M^(ED) Mod N
> Note EITHER D Or E Can Encrypt
E And D Are Chosen So Raising M To The ED Power Is M
RSA Is Easy To Demonstrate By Example
> Take (E,N) As (7, 33)
> Take D = 3
> Take M = 15
> C = 15^7 Mod 33 = 27 (Transmit This)
> P = 27^3 Mod 33 = 15 (Original Message, M)
The Security Comes From How Hard It Is To Find D, Given (E, N)
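The worked RSA example from the slides, as an added example (not the presentation's own code), carried through in Python with the same numbers: (E, N) = (7, 33), D = 3, M = 15. It also shows where the security comes from: given only (E, N), D follows as soon as N is factored, which is trivial for 33 and is the hard problem for a 1024-bit N. The function names are my own.

```python
from math import gcd


def rsa_encrypt(m: int, e: int, n: int) -> int:
    # C = M^E mod N; pow(m, e, n) does modular exponentiation so the
    # intermediate value never grows beyond N ("overflow in modular arithmetic").
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int, n: int) -> int:
    # P = C^D mod N. Because E*D = 1 mod (p-1)(q-1), M^(ED) mod N = M.
    return pow(c, d, n)


def trial_factor(n: int):
    # Recover the two primes behind N by trial division. Instant for N = 33,
    # infeasible for a 1024-bit N: that gap is RSA's security margin.
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n is not a product of two primes")


def find_d(e: int, n: int) -> int:
    # "How hard it is to find D, given (E, N)": with N factored, D is just
    # the modular inverse of E modulo phi(N) = (p-1)(q-1).
    p, q = trial_factor(n)
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo phi(n)")
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


def sign(m: int, d: int, n: int) -> int:
    # "EITHER D Or E Can Encrypt": exponentiating with the private D yields a
    # value anyone can check with the public (E, N), i.e. a signature.
    return pow(m, d, n)


def verify(sig: int, m: int, e: int, n: int) -> bool:
    return pow(sig, e, n) == m


if __name__ == "__main__":
    e, n, d, m = 7, 33, 3, 15
    c = rsa_encrypt(m, e, n)
    print("C =", c, "P =", rsa_decrypt(c, d, n), "recovered D =", find_d(e, n))
```

With these toy parameters every message 0..32 round-trips, and `find_d` shows why a real deployment needs a modulus far too large to factor.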
Public Key Has Many Advantages
> No Need To Track Key Pairs
> Can Authenticate AND Encrypt
RSA Will Send Session Keys And Authenticate
> Public Key
> 1024 Bit Key
> Relatively Slow
> Authentic Signature (With Valid Public Key)
Algorithm Classes Require Different Resources
> Public Code Length 3 Times Symmetric
> Public Key Is 10 Times Symmetric Key
> Public Key Execution = 100 Symmetric
Assumes Same Security (128 Bit Symmetric Key, 1024 Bit Public Key)
BUT WAIT! We Have A Problem!
> Formulas Are Deterministic
> Same Messages Give Same Ciphertext
> Assailants Can Deduce SCADA Messages
> “Cipher Block Chaining” Is The Solution
Protocol Requires Using The “CBC Mode”
> Communicate In Sessions
> Unit A Generates A Random Number
> A Encrypts & Sends To B
> B Decrypts, Both Units Call This The “IV”
> IV = “Initialization Vector”
> XOR Message With IV
> Encrypt XORed Message
> Same Plaintext -> Different Ciphertext
> Use Last Ciphertext As Next IV
HOW AGA 12 PROTECTS COMMUNICATIONS
AGA 12-1 Scrambles To Protect Against Interception
> AES-128, 192, or 256 Give Privacy
> Winner Of NIST “Shoot-out”
> Both Units Have SHARED, SECRET Key
> Operates In “CBC Mode”
– “Cipher Block Chaining”
– Same Plaintext -> Different Ciphertext
– XOR Plaintext With Last Ciphertext
– Both Units Have Same IV
– XOR Is Self-Inverse Operation
AGA 12-1 Protects Against Fabrication
> Shared Secret Key Helps
> CMID (Unique ID #)
> Public Key Coming – AGA 12-1.1
– “Digital Certificates”
AGA 12-1 Protects Against Alteration & Replay
> CBC Mode Prevents
– Block Insertion
– Block Deletion
– Block Re-ordering
> Replay Won’t Decrypt Properly Either
– Messages Change Due To XOR With NEW Number
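The CBC session described in the "Cryptographic Fundamentals" slides and the alteration/replay behaviour claimed above, as one added example (not the presentation's or the AGA 12-1 specification's code). It stands in a keyed byte-substitution toy cipher for AES so that it runs offline with no library; the chaining logic (XOR with the previous ciphertext block, last ciphertext block carried forward as the next IV) is the real CBC construction. The toy cipher, PKCS#7-style padding, and all function names are my own assumptions.

```python
import os
import random

BLOCK = 16  # AES block size in bytes; the toy cipher below uses the same size


def _sbox(key: bytes):
    # Keyed byte-substitution table derived deterministically from the key.
    # TOY stand-in for AES (for illustration only, not secure): it is
    # invertible and key-dependent, which is all CBC chaining needs.
    box = list(range(256))
    random.Random(key).shuffle(box)
    inv = [0] * 256
    for i, v in enumerate(box):
        inv[v] = i
    return box, inv


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(key) == BLOCK and len(block) == BLOCK
    box, _ = _sbox(key)
    return bytes(box[b ^ k] for b, k in zip(block, key))


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(key) == BLOCK and len(block) == BLOCK
    _, inv = _sbox(key)
    return bytes(inv[c] ^ k for c, k in zip(block, key))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7 style: always add 1..16 bytes
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Deterministic: identical messages give identical ciphertext (the problem).
    p = pad(plaintext)
    return b"".join(toy_block_encrypt(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes):
    # Each plaintext block is XORed with the previous ciphertext block (the IV
    # for the first one) before encryption. Returns the ciphertext and its last
    # block, which the session uses as the IV for the next message.
    out, prev = [], iv
    p = pad(plaintext)
    for i in range(0, len(p), BLOCK):
        prev = toy_block_encrypt(key, xor(p[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out), prev


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(toy_block_decrypt(key, c), prev))  # XOR is self-inverse
        prev = c
    return unpad(b"".join(out))


def session_demo(key: bytes, command: bytes = b"Open A Valve!") -> dict:
    # Unit A picks a random IV (in the protocol it sends it to B encrypted);
    # here both sides simply start from the same iv value. A then sends the
    # same command twice, chaining the second message off the first.
    iv = os.urandom(BLOCK)
    c1, next_iv = cbc_encrypt(key, iv, command)
    c2, _ = cbc_encrypt(key, next_iv, command)
    return {
        "ecb_repeats": ecb_encrypt(key, command) == ecb_encrypt(key, command),
        "cbc_repeats": c1 == c2,
        "b_reads_first": cbc_decrypt(key, iv, c1) == command,
        "b_reads_second": cbc_decrypt(key, next_iv, c2) == command,
    }


def reorder_demo(key: bytes) -> bool:
    # Block re-ordering: swap the two ciphertext blocks and see whether the
    # receiver still recovers the message (it does not).
    iv = os.urandom(BLOCK)
    msg = b"Open A Valve! Then close it."  # constructed 28-byte command -> 2 blocks
    c, _ = cbc_encrypt(key, iv, msg)
    swapped = c[BLOCK:2 * BLOCK] + c[:BLOCK]
    return cbc_decrypt(key, iv, swapped) == msg


def replay_demo(key: bytes):
    # Replay: the old ciphertext arrives after the chaining value has moved on,
    # so it is decrypted under the NEW IV and the command is not reproduced.
    # Caveat: only the block XORed with the wrong IV is disturbed; later
    # blocks still decrypt, so CBC alone is not a complete integrity check.
    iv = os.urandom(BLOCK)
    msg = b"Open A Valve! Then close it."
    c, next_iv = cbc_encrypt(key, iv, msg)
    replayed = cbc_decrypt(key, next_iv, c)
    return replayed == msg, replayed[BLOCK:] == msg[BLOCK:]
```

Running `session_demo` shows the deterministic mode repeating itself while the two CBC ciphertexts differ, and `reorder_demo` and `replay_demo` show the receiver failing to recover the original command in both tampering cases.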
AGA 12-1 Indicates Key Guessing / Extraction
> “Guessing” Possible, But Slow
– Millions Of Years
– Change Keys Per Policy
> Minimum: Tamper Indication
> Can Specify Tamper Resistant/Envelope
FUTURE DEVELOPMENTS
A Few Things We Did Not Have Time To Mention
> Need A Security Policy
> A Certification Program Exists
> Work Is Starting To Embed
> There Is A Cryptographic Protocol (SLS)
> Lab & Field Tests Starting
> . . . And A Lot More !
What Should You Do?
> Take A Full Course/Read The Standard
> Contact Bill Rush For Details/Questions
– 847/768-0554
– [email protected]
> Champion AGA 12 As A Standard
> Champion AGA 12 In Your Company
Use AGA 12-1 To Protect SCADA Communications
> Gas, Water, Electric
> Protects Against Many Attacks
> Retrofits Many Systems
> Under 100 Millisecond Latency Added
> Reasonable Cost
> Will Be Upgraded
AGA 12-1 Uses Only Symmetric Key. AGA 12-1.1 Will Include Public Key, Too