simple keys for simple smart objects
TRANSCRIPT
Simple Keysfor
Simple Smart Objects
Carsten Bormann 2012-03-23All the work was actually done by:
Stefanie Gerdes, Silke Schäfer, Olaf Bergmann, Klaus Hartke
Simple
This is way too complicated. People have to configure this thing and then learn the
buttons to press. This will never fly...
1994
SMS
Secure Bootstrapping of Nodes in a CoAP
Network
• Try to get by with Symmetric PSK
All the work was actually done by:Stefanie Gerdes, Silke Schäfer, Olaf Bergmann, Klaus Hartke
• Don’t think Moore’s law will fix it!
Insert le
gally u
nencumbered pictu
re
of penny-size
device h
ere.
http://6lowapp.net core@IETF80, 2011-03-28
10/100 vs. 50/250
� There is not just a single class of “constrained node”
� Class 0: too small to securely run on the Internet§ “too constrained”
� Class 1: ~10 KiB data, ~100 KiB code § “quite constrained”, “10/100”
� Class 2: ~50 KiB data, ~250 KiB code§ “not so constrained”, “50/250”
� These classes are not clear-cut, but may structure the discussion and help avoid talking at cross-purposes
8
Constrained nodes: orders of magnitude
CSDS = CoAP Service Discovery Server
DTLSDatagram TLS
Datagram Transport Layer Security
1
Request
Response
Client Server
CoAP without DTLS
1 roundtrip
2
Flig
ht 3Fl
ight 2
Flig
ht 1
Client Server
Client Hello
Hello Verify Request
Client Hello
Server Hello&HUWLÀFDWH6HUYHU�.H\�([FKDQJH&HUWLÀFDWH�5HTXHVWServer Hello Done
&HUWLÀFDWH&OLHQW�.H\�([FKDQJH
&HUWLÀFDWH�9HULI\&KDQJH�&LSKHU�6SHF
Finished
&KDQJH�&LSKHU�6SHFFinished
Request
Response
Flig
ht 4Fl
ight 5
Flig
ht 6
Client Server
CoAP with DTLS
4 roundtrips
3
Flig
ht 3Fl
ight 2
Flig
ht 1
Client Server
Client Hello
Hello Verify Request
Client Hello
Server Hello&HUWLÀFDWH6HUYHU�.H\�([FKDQJH&HUWLÀFDWH�5HTXHVWServer Hello Done
&HUWLÀFDWH&OLHQW�.H\�([FKDQJH
&HUWLÀFDWH�9HULI\&KDQJH�&LSKHU�6SHF
Finished
&KDQJH�&LSKHU�6SHFFinished
Request
Response
Flig
ht 4Fl
ight 5
Flig
ht 6
Client Server
CoAP with DTLS '7/6�KDQGVKDNH�RYHU��/R:3$1�³�a�������E\WHV�KDQGVKDNH�PHVVDJH�VL]H
Raw Public Key�6XEMHFW3XEOLF.H\,QIR�VL]HV
(&'6$B3����³����E\WHV
(&'6$B3����³�����E\WHV
(&'6$B3����³�����E\WHV
4 roundtrips
4
Flig
ht 3Fl
ight 2
Flig
ht 1
Client Server
Client Hello
Hello Verify Request
Client Hello
Server Hello&HUWLÀFDWH6HUYHU�.H\�([FKDQJH&HUWLÀFDWH�5HTXHVWServer Hello Done
&HUWLÀFDWH&OLHQW�.H\�([FKDQJH
&HUWLÀFDWH�9HULI\&KDQJH�&LSKHU�6SHF
Finished
&KDQJH�&LSKHU�6SHFFinished
Request
Response
Flig
ht 4Fl
ight 5
Flig
ht 6
Client Server
CoAP with DTLS '7/6�KDQGVKDNH�RYHU��/R:3$1�³�a�������E\WHV�KDQGVKDNH�PHVVDJH�VL]H
Raw Public Key�6XEMHFW3XEOLF.H\,QIR�VL]HV
(&'6$B3����³����E\WHV
(&'6$B3����³�����E\WHV
(&'6$B3����³�����E\WHV
4 roundtrips
5
Flig
ht 3Fl
ight 2
Flig
ht 1
Client Server
Client Hello
Hello Verify Request
Client Hello
Server Hello&HUWLÀFDWH6HUYHU�.H\�([FKDQJH&HUWLÀFDWH�5HTXHVWServer Hello Done
&HUWLÀFDWH&OLHQW�.H\�([FKDQJH
&HUWLÀFDWH�9HULI\&KDQJH�&LSKHU�6SHF
Finished
&KDQJH�&LSKHU�6SHFFinished
Request
Response
Flig
ht 4Fl
ight 5
Flig
ht 6
Client Server
CoAP with DTLS
4 roundtrips
6
Flig
ht 3Fl
ight 2
Flig
ht 1
Client Server
Client Hello
Hello Verify Request
Client Hello
Server Hello&HUWLÀFDWH6HUYHU�.H\�([FKDQJH&HUWLÀFDWH�5HTXHVWServer Hello Done
&HUWLÀFDWH&OLHQW�.H\�([FKDQJH
&HUWLÀFDWH�9HULI\&KDQJH�&LSKHU�6SHF
Finished
CSSFinished
Request
Response
Flig
ht 4Fl
ight 5
Flig
ht 6
Client Server
CoAP with DTLS
Flig
ht 4Fl
ight 5
5HWUDQVPLW�ÁLJKW
0HVVDJH�lost
5HWUDQVPLW�ÁLJKW
6 roundtrips
1
Request
Response
Client Server
CoAP without DTLS
1 roundtrip
Using CoAP to transport DTLS?
POST /dtls/phase1
2.01 Created /dtls/phase2
CoAP-Block solves the large-object retransmission problem
Code Size Description
1429 Bytes SHA-256992 Bytes CCM
9812 Bytes DTLS state machine
TABLE ICODE FOOTPRINT OF MINIMAL DTLS IMPLEMENTATION
IV. A LIGHTWEIGHT DTLS IMPLEMENTATION
The CoAP specification [3] offers three operation modes forDTLS in constrained networks: PreSharedKey uses symmetrickey cryptography and requires only little processing overhead.RawPublicKeys and Certificates use asymmetric ciphers andthus provide advanced security features. As there are manyproduction-quality implementations for less-constrained de-vices (regarding CPU power and memory), these operationmodes can be seen as mature and well understood.
Where resource usage is a concern, security parametersshould be tuned to enable lightweight implementations withoutsacrificing the overall level of protection that can be achieved.Of course, a trade-off exists between efficiency and the result-ing security level.
As a proof of concept and to feed the ongoing discus-sion of which parameters to adjust for the use of CoAP inconstrained networks, we have implemented the bootstrap-ping protocol proposed in Section III for constrained nodesof Class 1. The hardware is based on ST MicroelectronicsSTM32W108 with 128 KiB flash memory and 8 KiB RAM,featuring ARM Cortex M3 CPU architecture. It is equippedwith an IEEE 802.15.4 RF transmitter and includes hardwarefor AES-128 encryption. The Contiki operating system [17]provides support for several boards of the STM32 chip familyas platform mbxxx.1 The CoAP protocol is handled by theopen-source library libcoap2.
Our DTLS implementation is based on the open-sourcelibrary tinyDTLS3, ported to Contiki. We have replaced theexisting cipher suite of tinyDTLS by our implementation ofTLS_PSK_WITH_AES_128_CCM_8 defined in [18]. Provid-ing Authenticated Encryption with Associated Data (AEAD,[19]), this cipher suite combines payload encryption andmessage authentication. The base cryptographic primitivesrequired thus are only AES-128 encryption and SHA-256 forthe pseudo random function (PRF) of DTLS 1.2 [7]. Limitingthe key exchange options to pre-shared keys only, no certificateexchange during DTLS handshake is required.
The resulting code size for these primitives and the DTLShandshake protocol is shown in Table I.
The DTLS state machine comprises the cipher suite imple-mentation as well as the DTLS record and handshake protocolfor both client and server functionality. For efficiency, we havedecided not to implement DTLS message fragmentation andhave limited the alert protocol to a minimum.
1See http://www.contiki-os.org/ for more information on the Contiki OS.2See http://libcoap.sourceforge.net.3See http://tinydtls.sourceforge.net.
These numbers can certainly be optimized, but alreadyindicate that a basic DTLS implementation is feasible with lessthan 10 KiB of code plus 1.4 KiB for the hash underlying thePRF. Depending on the actual cipher suites selected, only littleextra code is needed. For example, the overhead for CCM isless than 1 KiB when AES encryption is in hardware, resultingin approximately 12 KiB for the entire DTLS support.
The modest code size in this case is helped a lot by the useof AEAD in combination with hardware AES-128 encryption.Although improved error handling might add some code tothe implementation of the DTLS state machine, our resultsdemonstrate that DTLS is viable for communication security inconstrained nodes and networks. However, our optimizationslose compliance with [7]. Future standardization should definea minimal DTLS profile for constrained nodes, simplifyingerror handling, removing the need to support fragmentation atthe DTLS layer, and limiting mandatory-to-implement ciphersuites to AEAD.
V. CONCLUSIONS
We have presented an approach for Smart Object securitybased on security bootstrapping without pre-provisioned cre-dentials and a basic implementation of DTLS. We are in theprocess of gaining experience with this approach in a lightingcontrol scenario. In our implementation, we plan to optimizetinyDTLS further, to improve its robustness, and to derivesome results on which are the most promising elements of theprotocol that may be mandatory to implement in the standardbut can be left out when needing a constrained implementation.
For work targeting a more managed deployment sce-nario, we are also interested in the implementation re-quirements for making asymmetric cryptography available toCoAP/tinyDTLS nodes: this has become more accessible bythe recent work on using raw public keys instead of fully-builtX.509 certificates in the DTLS handshake [20].
Finally, our prototype should give us experience in devel-oping suitable user interfaces for inexpensive mother devices.With the ubiquity of relatively powerful smartphones, these arebecoming the home automation remote control of choice andcan be used to present relatively complex configuration andsecurity setup operations in a simple, familiar user interface.
REFERENCES
[1] K. Ashton. (2009, Jun. 22) That ’Internet of Things’ thing. RFID Journal.[Online]. Available: http://www.rfidjournal.com/article/view/4986
[2] C. Bormann, “Guidance for Light-Weight Implementations of the Inter-net Protocol Suite,” Internet-Draft (work in progress), Jan. 2012. [On-line]. Available: http://tools.ietf.org/html/draft-bormann-lwig-guidance
[3] Z. Shelby, K. Hartke, C. Bormann, and B. Frank, “ConstrainedApplication Protocol (CoAP),” Internet-Draft (work in progress), Nov.2012. [Online]. Available: http://tools.ietf.org/html/draft-ietf-core-coap
[4] K. Kuladinithi, O. Bergmann, T. Potsch, M. Becker, and C. Gorg,“Implementation of CoAP and its Application in Transport Logistics,”in Proc. of ’Extending the Internet to Low power and Lossy
Networks’ (IP+SN 2011), Chicago, 11. Apr. 2011. [Online]. Available:http://hinrg.cs.jhu.edu/joomla/images/stories/coap-ipsn.pdf
[5] J. Arkko, H. Rissanen, S. Loreto, Z. Turanyi, andO. Novo, “Implementing Tiny COAP Sensors,” Internet-Draft (work in progress), Jul. 2011. [Online]. Available:http://tools.ietf.org/id/draft-arkko-core-sleepy-sensors