AllJoyn Greg Zaverucha Software Engineer, Microsoft 10 November - - PowerPoint PPT Presentation

alljoyn
SMART_READER_LITE
LIVE PREVIEW

AllJoyn Greg Zaverucha Software Engineer, Microsoft 10 November - - PowerPoint PPT Presentation

Sep 26, 2022 420 likes •743 views

Cryptography in AllJoyn Greg Zaverucha Software Engineer, Microsoft 10 November 2015 AllSeen Alliance 1 Agenda 1. Review of AllJoyn security features 2. Authentication and security protocols 3. Comparison to Internet protocols 4. Leveraging

slide-1
SLIDE 1

10 November 2015 AllSeen Alliance 1

Cryptography in AllJoyn

Greg Zaverucha Software Engineer, Microsoft

slide-2
SLIDE 2

10 November 2015 AllSeen Alliance 2

  • 1. Review of AllJoyn security features
  • 2. Authentication and security protocols
  • 3. Comparison to Internet protocols
  • 4. Leveraging AllJoyn crypto

Talking about versions 15.04, 15.09

Agenda

slide-3
SLIDE 3

10 November 2015 AllSeen Alliance 3

Motivation

This talk will not argue that AllJoyn/IoT needs security – given. Why is AllJoyn crypto important? It’s necessary for security. Should be the “strongest link”.

slide-4
SLIDE 4

4

Review of AllJoyn Security Features

slide-5
SLIDE 5

10 November 2015 AllSeen Alliance 5

Threat Model

Image source: https://allseenalliance.org/sites/default/files/developers/learn

slide-6
SLIDE 6

10 November 2015 AllSeen Alliance 6

Threat Model

Image source: https://allseenalliance.org/sites/default/files/developers/learn

slide-7
SLIDE 7

10 November 2015 AllSeen Alliance 7

Threat Model

  • Attacker on the local network is able to interact with AllJoyn

devices

  • Can intercept and modify packets in transit (man-in-the-middle)
  • Can drop and replay packets
  • Can compromise some of the AllJoyn devices on the network
  • Examples

– Malware on the WiFi access point – Malicious smartphone application – Malicious device on the network

  • Attackers could be physically nearby or choose to telecommute
slide-8
SLIDE 8

10 November 2015 AllSeen Alliance 8

Security Goals

  • Authentication/Integrity; apps know who they are talking to and

that messages are received as sent

  • Confidentiality; message contents are kept private
  • DoS resistance; attacker should not able to easily deny service
  • Perfect forward secrecy; compromise of an endpoint does not

compromise past sessions

  • Security 1.0 Example
  • Security 2.0 Example
slide-9
SLIDE 9

10 November 2015 AllSeen Alliance 9

Security 1.0 Example

  • Bootstrap authentication with a shared credential: password, key

– Alternatively: Trust a certificate on first use, then pin it

  • Credential type will dictate the authentication mechanism that

AllJoyn will use

  • Once a master secret is established, session keys are derived

from it

AJ app on phone Door Lock

Establish Master Secret Derive Session Key Encrypt data

slide-10
SLIDE 10

10 November 2015 AllSeen Alliance 10

Security 2.0 Example

  • Certificates are used for

identity and membership in security groups

  • Bootstrapping only required

between security manager and apps

Phone Door Lock Security Manager

Security 1.0 Protocols

  • New AllJoyn devices are in

“claimable” state when they join the network

  • The security manager claims

them and provisions certificates and policies

slide-11
SLIDE 11

11

Authentication Mechanisms and Crypto Algorithms

slide-12
SLIDE 12

10 November 2015 AllSeen Alliance 12

Authentication and Key Exchange Protocol

Establish a secure channel in three main steps

  • 1. Exchange GUIDs – Do we know each other?

If so, do we share a master secret? (that hasn’t expired)

  • 2. [Key Exchange]

Authenticate the peer and establish the master secret Store master secret in the key store

  • 3. Derive Session key

Derive a session key from nonces and master secret

slide-13
SLIDE 13

10 November 2015 AllSeen Alliance 13

Key Exchange

  • ECDHE: Elliptic Curve Diffie-Hellman (Ephemeral)

– Long term credential used for authentication only – Fresh key pair generated for each exchange

  • Multiple ways to authenticate key exchange

– NULL: no authentication. Vulnerable to active MITM attacks – PSK: authentication by pre-shared key (PSK). Secure if PSK has high entropy (128 bits or greater) – ECDSA: authenticated with an ECDSA signature. Certificates exchanged and validated

  • SRP (SC only, deprecated)

– Similar use cases as ECHDE_PSK, but secure with low-entropy secrets

slide-14
SLIDE 14

10 November 2015 AllSeen Alliance 14

Key Exchange Crypto Algorithms

AllJoyn uses standard algorithms and parameters

  • ECDHE

– As specified in SP800-56A

  • ECDSA

– As specified in FIPS 186-4, ANSI X9.62 – Only signature algorithm in key exchange protocol and certificates

  • Elliptic curve parameters

– EC parameters are not negotiated – Fixed to one set, the 256-bit NIST curve “P256” – Balance between performance and security

slide-15
SLIDE 15

10 November 2015 AllSeen Alliance 15

Certificates

  • Standard X.509 v3 certificates (RFC 5280)

– Signature algorithm is always ECDSA – Curve parameters are always P256 – Hash algorithm is always SHA-256 – Supports PEM encoded certificates created with common tools

  • AllJoyn specific EKU fields indicate the certificate type

– In Security 2.0 usage, there are identity and membership types

  • Chains typically have length two:

– The security manager is the issuer/root and the app is the end-entity

  • Revocation is not implemented

– Security manager can use policy to deny access

slide-16
SLIDE 16

10 November 2015 AllSeen Alliance 16

Encryption of Data in Transit

  • Once a session key is established, data is encrypted and

authenticated

  • Data is protected with is AES in CCM mode (Counter with CBC-

MAC, RFC 3610)

– Authenticated encryption mode – Uses one key, 128-bits long, authentication tags are 128-bits as well – 112-bit IV: 32-bit counter + 96 random bits

slide-17
SLIDE 17

10 November 2015 AllSeen Alliance 17

Hashing and Key Derivation

  • All hashing is done with SHA-256

– With the exception of SRP, which uses SHA-1

  • Signing & certificates
  • Conversation hash

– A hash of all authentication protocol messages ensures integrity of the authentication conversation

  • Key derivation is done using the “TLS PRF” (RFC 5246, Section 5)
slide-18
SLIDE 18

10 November 2015 AllSeen Alliance 18

Security Level

  • Overall the collection of AllJoyn crypto algorithms is expected to

meet the 128-bit security level

– 128-bit encryption keys and authentication tags – 256-bit hash digests and elliptic curve parameters – Assuming random number generation has the same security level

  • Complexity of attacks should be around 2128 operations

– NIST (SP800-57) and ANSSI guidance: good until 2030 and beyond – ECRYPT: 2015 to 2040 – BSI: 2017-2021 at least (no guidance beyond 2021) – Summary of recommendations at www.keylength.com

slide-19
SLIDE 19

19

Comparison to TLS and the Web

slide-20
SLIDE 20

10 November 2015 AllSeen Alliance 20

Differences

AllJoyn TLS Fixed ciphersuite Negotiate ciphersuite One set of curve parameters Negotiated One certificate signature algorithm, params.

  • Flexible. RSA signatures are

most common No protocol extensions Well-defined extension mech. New, less security review Highly scrutinized

slide-21
SLIDE 21

10 November 2015 AllSeen Alliance 21

Differences (con’t)

AllJoyn TLS Static relationships with fewer peers Variable duration, diverse peers Typically a local PKI Typically global PKI (web) Mutual auth. always Typically server auth. only Renegotiation used a lot Less use of renegotiation

slide-22
SLIDE 22

10 November 2015 AllSeen Alliance 22

Similarities

Many crypto-level similarities with TLS (as commonly deployed) Data from SSLLabs.com (September 2015)

  • ECDHE use with TLS on the rise

– About 70% of TLS servers support ciphersuites with PFS

  • Use of SHA-256 for certificates preferred in TLS (71%)
  • Authenticated encryption modes preferred in TLS 1.3

– More AES use now that RC4 is being turned off

  • PRF is the same
  • Both use X.509 certificates
  • AllJoyn’s use of a master secret is similar to renegotiation in TLS
slide-23
SLIDE 23

23

Leveraging AllJoyn Crypto

slide-24
SLIDE 24

10 November 2015 AllSeen Alliance 24

Crypto Considerations when Using AllJoyn Security

  • AllJoyn apps shouldn’t need to design security protocols
  • Leverage core protocols to simplify application security design
  • Security 1.0 apps must

– Choose the authentication mechanisms to support – Decide how to bootstrap authentication and provision credentials

  • Security 2.0 apps must

– Have a security manager to work with – Choose between NULL and PSK auth. for first contact with security manager

  • Security manager should probably accept both
  • Apps (esp. devices) should prefer PSK
slide-25
SLIDE 25

10 November 2015 AllSeen Alliance 25

Certificate Validation

  • Security 1.0 applications must validate certificate chains with a

callback

– The AllJoyn core doesn’t know who the app trusts – Requires care to do well – Some API support and sample code is available

  • Security 2.0 uses certificates after bootstrapping and has enough

information to validate certificates

– The security manager installs the necessary root certificates – Applications don’t have to worry about cert validation

slide-26
SLIDE 26

10 November 2015 AllSeen Alliance 26

Secure Key Storage

  • The core library keeps cryptographic keys in a keystore
  • By default it lacks strong protections, since these are platform

specific, e.g.,

– Available hardware for secure storage differs across devices – An app may rely on the platform to isolate its storage from other apps

  • n the system
  • Especially important to protect the security manager keystore in

Security 2.0 deployments

– Security manager root key can add devices and policies to the network and grant access arbitrarily

slide-27
SLIDE 27

10 November 2015 AllSeen Alliance 27

Crypto Implementation Details

  • Standard client (SC) apps shouldn’t have to implement any crypto

– Authenticated, secure channels can be established with the core library – Leverages platform crypto where possible (CNG and OpenSSL) – Also has a “built-in” option that has no dependencies

slide-28
SLIDE 28

10 November 2015 AllSeen Alliance 28

Crypto Implementation Details

  • Thin Client (TC) apps/devices may want to make optimizations

– TC includes all crypto. Not optimized, generic C – Devices may offload to hardware, or have platform-specific ASM – Benchmark first, consider scenario – Small amounts of platform-specific ASM will go a long way – Make sure to review the slides of yesterday’s TC Porting talk by Mathew Martineau and Peter Krystad

slide-29
SLIDE 29

10 November 2015 AllSeen Alliance 29

Crypto Implementation Details

  • Crypto needs a source of entropy (important on TC devices)

– DRBG implementation needs a seed

  • Built-in implementations have protections for common side-

channels attacks

– Execution time and memory access pattern are independent of secret values

slide-30
SLIDE 30

10 November 2015 AllSeen Alliance 30

Summary

  • AllJoyn includes cryptographic primitives for authentication and

secure communications

– Well understood, conservative algorithms, 128-bit security

  • AllJoyn applications should leverage these mechanisms so their

developers can focus on other issues

– Some attention required to use the primitives correctly

  • Feedback is welcome

– Is something missing? – Deployment, porting pain points? – Is performance acceptable?

slide-31
SLIDE 31

10 November 2015 AllSeen Alliance 31

Resources and Links

  • Related AllSeen Summit events

– Wed 1 pm: Security 2.0 Overview, Dave Thaler (Microsoft) – Wed 3 pm: Security BoF Meeting – Multiple other security-related talks on the program

  • Security 2.0 HLD
  • Source code

– core/alljoyn – core/ajtcl

  • Core WG mailing list