LATe: A Lightweight Authenticated Time Synchronization Protocol for IoT - PowerPoint PPT Presentation

SLIDE 1

IMT Atlantique

Bretagne-Pays de la Loire École Mines-Télécom

LATe: A Lightweight Authenticated Time Synchronization Protocol for IoT

Renzo E. NAVAS, Laurent TOUTAIN

SLIDE 2

Table of contents

  1. Problem Statement and SoA
  2. LATe Protocol
  3. Formal Verification
  4. Real World Issues
  5. Comparison to other protocols
  6. Perspectives and Conclusion

IMT Atlantique

InterOSS 2018 Renzo E. Navas LATe: A Lightweight Authenticated Time Synchronization Protocol for IoT

SLIDE 3

Problem Statement

Why do we need time synchronization?

  • Timestamp measurements (application data)
  • Validate cryptographic credentials (e.g. OAuth tokens)
  • Is a way to assure freshness of transactions

SLIDE 4

Problem Statement

Why do we need secure time synchronization?

SLIDE 5

Problem Statement


Modified from Source: Ben Stansall / AFP - Getty Images file.

SLIDE 6

Problem Statement

What happens if the source of time of a system is not secure?

None of the aforementioned use cases could be guaranteed (i.e. can be attacked).

Security bootstrapping problem

  • Many security services rely on synchronized time.
  • How to securely synchronize time?
  • A leap of faith needed... (make it short)

SLIDE 7

State of the Art: Standards

Patches to well-known standards:

  • Annex K for Precision Time Protocol (PTP).
  • Network Time Protocol (NTP) symmetric key authentication scheme and Autokey.

IETF Network Time Security (NTS) [1] work-in-progress.

Current Standards are not optimized for IoT.

  • e.g. NTS at least 4 messages (2 cookie + 2 sync).
  • Not compact representations.
  • Focused on precision.

Work done for Wireless Sensor Networks:

  • Similar constraints.
  • Lack of standard, will compare later.

SLIDE 8

Proposed Solution


LATe Synchronization Protocol

SLIDE 9

LATe: Protocol Goals

Functional Goal: Provide a Time Client with the time representation from a trusted Time Server.

Non-goal: Precise time synchronization.

SLIDE 10

LATe: Protocol Goals


Security Goals:

  • Data Authentication/Integrity
  • Freshness (i.e. no replay attack)

Design Goals:

  • Lightweight (minimize energy).
  • Agnostic to underlying layers
  • Cryptographic agility
  • Built upon standards

SLIDE 11

LATe Messages Exchange

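Message sequence (LATe synchronization protocol). Time Client and Time Server both hold the key KCS:

  1. Time Client: generates a fresh nonce NC
  2. Time Client -> Time Server: IDC, NC
  3. Time Server -> Time Client: NC, TimeS, MAC_KCS(NC, TimeS)
  4. Time Client: sync Time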

Figure: LATe Synchronization Protocol Diagram.

SLIDE 12

Time Synchronization Calculation

$$RTT = T_{Msg2} - T_{Msg1}$$

$$Time_{Client} = Time_S + \frac{RTT}{2}$$

Uncertainty: $\pm\frac{RTT}{2}$
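The exchange and the time calculation from the two slides above, as an added sketch that is not part of the original presentation or of the LATe draft. The MAC input layout (nonce followed by a 32-bit big-endian time), the `max_rtt` bound and the names `KEY_CS`, `mac64`, `server_reply` and `TimeClient` are assumptions made for illustration; the protocol itself carries the reply in a COSE structure.

```python
import hashlib
import hmac
import os
import struct

KEY_CS = bytes(range(32))  # constructed 256-bit pre-shared key K_CS, demo value only


def mac64(key, nonce, time_s):
    """HMAC-SHA-256 truncated to 64 bits over an assumed layout: nonce || uint32 time."""
    msg = nonce + struct.pack(">I", time_s)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def server_reply(key, nonce, server_time):
    """Message 2: NC, TimeS, MAC_KCS(NC, TimeS)."""
    return nonce, server_time, mac64(key, nonce, server_time)


class TimeClient:
    def __init__(self, key, max_rtt=10.0):
        self.key = key
        self.max_rtt = max_rtt  # assumed policy: cap the accepted uncertainty
        self.pending = None     # (nonce, local clock reading when message 1 left)

    def request(self, t_msg1):
        """Message 1: draw a fresh 64-bit nonce and remember the send time."""
        self.pending = (os.urandom(8), t_msg1)
        return self.pending[0]

    def accept(self, reply, t_msg2):
        """Verify message 2; return (TimeClient, uncertainty) or raise ValueError."""
        nonce, time_s, tag = reply
        if self.pending is None or not hmac.compare_digest(nonce, self.pending[0]):
            raise ValueError("reply does not match the outstanding nonce")
        if not hmac.compare_digest(tag, mac64(self.key, nonce, time_s)):
            raise ValueError("MAC check failed")  # pending request stays valid
        rtt = t_msg2 - self.pending[1]
        self.pending = None  # a nonce is accepted once, so a replayed reply fails
        if not 0 <= rtt <= self.max_rtt:
            raise ValueError("round trip too long, time would be too uncertain")
        return time_s + rtt / 2, rtt / 2
```

A forged or mismatched reply leaves the outstanding request in place, so an attacker cannot cancel a synchronization by injecting junk; only a reply with a valid MAC consumes the nonce.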

SLIDE 13

Message Encoding: IoT Standards!

  • CBOR: Concise Binary Object Representation [RFC7049] for Data representation
  • COSE: CBOR Object Signing and Encryption [RFC8152] for Security Services (i.e. the MAC’ed response)

SLIDE 14

Message Encoding: IoT Standards!


Application: Two new CBOR Maps (Key-Value pairs)

  • TIC Information
  • TOC Response

Security: TOC Response will be authenticated using a COSE_Mac0 structure

SLIDE 15

Message Encoding: TIC

| Parameter name    | CBOR Key | Value Type    | Description |
|-------------------|----------|---------------|-------------|
| nonce             | 4        | binary string | A random nonce |
| kid               | 5        | binary string | Key-ID is an opaque value and identifies the cryptographic key to be used in the response |
| alg (optional)    | 6        | int           | Identifies the cryptographic algorithm to be used in the response |
| server (optional) | 7        | string        | Identifies the intended Server for time synchronization (Absolute URI) |

Table: CBOR Map "TIC Information" object definition

SLIDE 16

Message Encoding: TIC

    {
      nonce: h'73616E206C6F7265',
      kid  : h'0001',
      alg  : 4  /* HMAC w/SHA-256 truncated to 64 bits */
    }

Listing 1: TIC Information on CBOR diagnostic notation.

SLIDE 17

Message Encoding: TIC

    D83B                        # tag(59) (TIC Info.)
       A3                       # map(3)
          04                    # unsigned(4) (=nonce)
          48                    # bytes(8)
             73616E206C6F7265   # Nonce Value
          05                    # unsigned(5) (=kid)
          42                    # bytes(2)
             0001               # Key-ID Value
          06                    # unsigned(6) (=alg)
          04                    # unsigned(4)

Listing 2: TIC Information CBOR object (19 Bytes).
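A strict parser for the TIC object of Listing 2, as it might run on the side that receives the request; this is an added example, not code from the presentation or the LATe draft. `decode_tic` and the `KEYS` table are names chosen here, the key numbers and tag 59 come from the table and listing above, and the 64-bit minimum nonce length follows the deck's cryptographic recommendations.

```python
# CBOR key -> (parameter name, expected CBOR major type: 0 uint, 2 bytes, 3 text)
KEYS = {4: ("nonce", 2), 5: ("kid", 2), 6: ("alg", 0), 7: ("server", 3)}
# The 19 bytes shown in Listing 2
LISTING_2 = bytes.fromhex("D83B A3 04 48 73616E206C6F7265 05 42 0001 06 04")


def decode_tic(buf):
    """Parse a TIC object; raise ValueError on anything outside the definition."""
    pos = 0

    def head():
        """Read one CBOR head and return (major type, argument)."""
        nonlocal pos
        if pos >= len(buf):
            raise ValueError("truncated")
        major, info = buf[pos] >> 5, buf[pos] & 0x1F
        pos += 1
        if info < 24:
            return major, info
        size = {24: 1, 25: 2, 26: 4}.get(info)  # no 64-bit or indefinite lengths
        if size is None or pos + size > len(buf):
            raise ValueError("unsupported or truncated length")
        pos += size
        return major, int.from_bytes(buf[pos - size:pos], "big")

    if head() != (6, 59):
        raise ValueError("missing TIC tag")
    major, count = head()
    if major != 5:
        raise ValueError("expected a map")
    tic = {}
    for _ in range(count):
        key_major, key = head()
        name, want = KEYS.get(key, (None, None)) if key_major == 0 else (None, None)
        major, arg = head()
        if name is None or name in tic or major != want:
            raise ValueError("unknown key, repeated key or wrong value type")
        if major == 0:
            tic[name] = arg
        else:
            if pos + arg > len(buf):
                raise ValueError("truncated string")
            tic[name] = buf[pos:pos + arg]  # strings are returned as raw bytes
            pos += arg
    if pos != len(buf):
        raise ValueError("trailing bytes")
    if "kid" not in tic or len(tic.get("nonce", b"")) < 8:
        raise ValueError("kid missing or nonce shorter than 64 bits")
    return tic
```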

SLIDE 18

... what about the security goals?

SLIDE 19

Formal Method Verification

  • Formal Method (vs. provable secure)
  • Scyther tool
  • Dolev-Yao attacker model, black box cryptography
  • Automatic proofs

SLIDE 20

Formal Method Verification: Results

Figure: Scyther Results

Data authentication-integrity: OK.

Freshness?

  • Not enough to prove it!
  • Must prove injective synchronization property.

SLIDE 21

Is never enough... real world

From a model to real world: simplifications, abstractions, generalizations.

A model does not map 1 to 1 with reality.

Can the use case live with that?

  • NASA Apollo Moon Missions were OK with Newtonian physics and simplifications (only one gravitational body considered; Jupiter, Venus off)

Can security?

  • Your system is secure... with 99% provability.
  • How does a proof on a model translate to reality? It means that the axioms and logic of deduction are valid (leap of faith?).

Epistemology, philosophy of science [2] (inductivism, falsifiability)

SLIDE 22

Is never enough... real world


Real Nonces/Crypto

  • Finite length: birthday attack, pre-play attack.
  • True Random? YES/NO
  • Avoid randomness altogether (auth. 1st msg. LATe v2)

Real attackers

  • real humans, AI-powered cyberattacks.
  • attacker model enough?

Real systems

  • software, implementations, bugs
  • hardware, internal time representation, bugs
  • side-channel attacks
SLIDE 23

why is LATe lightweight?

SLIDE 24

Comparison to other protocols I

Figure: Secure Time Synchronization protocols baseline comparison

SLIDE 25

Comparison to other protocols II

  • Standards: NTS 268 Bytes; PTP-K 512 Bytes.
  • WSN Best: SPS 41 Bytes.
  • LATe: 30 Bytes. 25% less TX/RX than SPS.

  • Minimizing energy consumption is our priority.
  • Radio TX/RX is the most energy consuming activity.
  • → Minimizing Radio TX/RX is our priority.

Trade-off energy vs time precision.

SLIDE 26

Perspectives and Conclusion

Gap between protocol designers and cryptography

  • Computer verification tools shorten the gap. TLS 1.3 design.

IoT needs time synchronization, but no standard exists.

LATe offers an authenticated end-to-end, coarse-grained solution.

Go for an IoT secure time sync. open protocol?

  • IETF-draft https://datatracker.ietf.org/doc/draft-navas-ace-secure-time-synchronization/

SLIDE 27

The End


Thank you! Questions?

SLIDE 28

Appendix

SLIDE 29

LATe v2

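Message sequence (LATe synchronization protocol v2). Time Client and Time Server both hold the key KCS:

  1. Time Client: generates a fresh nonce NC
  2. Time Client -> Time Server: IDC, NC, MAC_KCS(IDC, NC)
  3. Time Server -> Time Client: TimeS, MAC_KCS(IDC, NC, TimeS)
  4. Time Client: sync Time

Figure: LATe Synchronization Protocol V2.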

SLIDE 30

LATe Embedded on IETF Ace Framework I

      Auth. Server          Client             Resource Server
      (Time Server)            |                (Time Client)
            |                  |                      |
            |                  +------ Res. Req.----->+
            |                  |                      |
            |                  +<-4.01 Unauthorized---+
            |                  |      (TIC Info)      |
            +<---LATe MSG1-----+                      |
            |                  |                      |
            +----LATe MSG2---->+                      |
            |                  |                      |
            |                  +-------POST /time---->+ /time
            |                  | (AUTH TOC Response)  |
            |                  |                      |
            |                  +<----2.04 Changed-----+
            |                  |                      |
            +                  +                      +

Figure: LATe on IETF ACE Scenario 1

SLIDE 31

LATe Embedded on IETF Ace Framework II

           AS                  C                     RS
      (Time Server)            |                (Time Client)
            |                  |                      |
            |                  +--Unauthz.Res. Req.-->+ 1.
            |                  |                      |
            |                  +<-4.01 Unauthorized---+ 2.
            |                  |   (ACE Info + TIC)   |
        3.  +<---Token Request-+                      |
            |      + TIC       |                      |
            |                  |                      |
        4.  +--Token Response->+                      |
            |    + AUTH TOC    |                      |
            |                  +---POST /authz-inf--->+ 5.
            |                  |  (Token + AUTH TOC)  |
            |                  |                      |
            |                  +<----2.04 Changed-----+ 6.
            |                  |                      |
            +                  +                      +

Figure: LATe on IETF ACE Scenario 2

SLIDE 32

Message Encoding: TOC

| Parameter name | CBOR Key | Value Type    | Description |
|----------------|----------|---------------|-------------|
| time           | 3        | unsigned int  | Time representation information |
| nonce          | 4        | binary string | A random nonce |

Table: CBOR Map "TOC Response" object definition

SLIDE 33

LATe COSE-MACed ’TOC Response’

    Header: Changed (Code=2.04)
    Content-Type: "application/late+cose; cose-type=cose-mac; late-type=toc"
    Payload:
    {
      protected : { kid: h'0001', alg: 4 /* HMAC w/ SHA-256 truncated to 64 bits */ },
      payload   : { time : 1477307841, nonce : h'73616e206c6f7265' },
      tag       : h'36f5afaf0bab5d43'
    }

Figure: COSE-MACed ’TOC Response’ in CBOR diagnostic notation

SLIDE 34

Baseline comparison assumptions


No overhead for metadata, and we assume the following data sizes: Timestamp representation is 4 bytes, Node Identity is 2 bytes, a Nonce is 8 bytes, and a MAC is 8 bytes. In E-SPBS an ECDSA signature is 48 bytes; In Guo et al. we assume an Unspecified Signature being of 16 bytes, and non-cryptographic hash 16 bytes; In Ganeriwal2008 and Sun2006 syn-ack information of 1 byte.

SLIDE 35

An NTP Packet Header

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |LI | VN  |Mode |    Stratum    |     Poll      |   Precision   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          Root Delay                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Root Dispersion                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                     Reference Identifier                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                   Reference Timestamp (64)                    |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                   Originate Timestamp (64)                    |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                    Receive Timestamp (64)                     |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                    Transmit Timestamp (64)                    |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                Key Identifier (optional) (32)                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                                                               |
    |                Message Digest (optional) (128)                |
    |                                                               |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

44 Bytes Minimum Batteries Security not included

SLIDE 36

Cryptographic Recommendations

MAC: COSE_Mac0 message recommended algorithms:

  • HMAC w/SHA-256 truncated to 64 bits (256-bit pre-shared-key) (MUST)
  • AES-CBC-MAC (128-bit key)
  • AES-CMAC (128-bit key)

Nonce: At least 64-bits. TRNG or good seed for pseudo-RNG.

  • 64-bit: probability of collision around $2^{-32}$ for $2^{16}$ (65 536) uses of the protocol
  • 50% for $2^{32}$ uses (4 294 967 296)

Real-Time Clocks (RTC): The Time Client must have a RTC. (Disclaimer: Raspberry Pi does not have)

SLIDE 37

Authentication Notions Cremers [3] I

Synchronization: A security property requiring that all protocol messages occur in the expected order with the values as expected.

Injectivity: Requires that each run of an agent executing the initiator role corresponds to a unique run of its communication partner running the responder role.

Injective Synchronization: An Initiator I considers a protocol injectively synchronizing if the protocol (non-injective) synchronizes and each run of I corresponds to a unique run of Responder R.

SLIDE 38

Authentication Notions Cremers [3] II

Figure: Hierarchy of security properties

SLIDE 39

Authentication Notions Cremers [3] III

SLIDE 40

Further Reading I

[1] Daniel Fox Franke, Dieter Sibold and Kristof Teichel. Network Time Security for the Network Time Protocol. IETF, draft-ietf-ntp-using-nts-for-ntp-11, March 05, 2018.

[2] Cormac Herley; P. C. van Oorschot. SoK: Science, Security and the Elusive Goal of Security as a Scientific Pursuit. Security and Privacy (SP), 2017 IEEE Symposium on, 22-26 May 2017.

[3] Cremers, C. J. F. et al. Injective synchronisation: An extension of the authentication hierarchy. Theoretical Computer Science Journal no. 1-2, 2006.
