SSL on Motes (The World's Smallest Secure Web Server)

This presentation describes Sizzle, the world’s smallest secure web server. It runs on coin-sized, wireless devices called Motes (8-bit CPU, 4KB RAM) which are the de-facto standard platform for sensor networks research in academia and industry. Prior security research deemed public-key cryptography and, therefore, Internet standards like SSL that rely on it infeasible for such devices.

This research was described as the “biggest breakthrough in sensor network security in [2004]”, by Berkeley Prof. David Wagner and won the Mark Weiser Best Paper Award at PerCom 2005.

  1. Sizzle: SSL on Motes
     Vipul Gupta, Sun Labs
     (Joint work with S. Chang Shantz, H. Eberle, S. Fung*, N. Gura, M. Millard*, A. Patel*, A. Wander*, M. Wurm*, Y. Zhu*)
     *Student intern
     CENTS Retreat, Granlibakken Conference Center, Tahoe City, Jan 12-14, 2005
  2. Outline
     • Sensor network security background
     • Elliptic Curve Cryptography (ECC) overview
     • Sizzle (Slim SSL) – HTTPS server on motes
     • Demo
     • Conclusion
  3. Sensor Network Security
     • General perception: public-key cryptography is impractical
     • Previous symmetric-key based approaches:
         • Key distribution problem
         • Link level security (not end-to-end)
         • Compromising a few nodes jeopardizes security of entire network
     • Sizzle: Standards-based end-to-end security architecture (ECC + SSL)
  4. Elliptic Curve Cryptography
     • Computationally highly efficient public-key cryptosystem, highest security strength per bit
     • Savings in memory, bandwidth, power
     • Advantage improves as security needs increase
     • Endorsed/standardized by NIST, ANSI, IEEE, IETF
     • Good match for AES

     | Sym. | RSA    | ECC | Ratio | MIPS yrs |
     |------|--------|-----|-------|----------|
     | 80   | 1,024  | 160 | 6:1   | 10^12    |
     | 112  | 2,048  | 224 | 9:1   | 10^24    |
     | 128  | 3,072  | 256 | 12:1  | 10^28    |
     | 192  | 7,680  | 384 | 20:1  | 10^47    |
     | 256  | 15,360 | 521 | 30:1  | 10^66    |

     More information: http://research.sun.com/projects/crypto/
  5. ECC on Small Devices
     Berkeley/Crossbow MICA “mote” (8-bit, Atmel ATmega processor, 128KB FLASH, 4KB SRAM, 4KB EEPROM)

     | Algorithm        | Time* (s) | Data bytes | Code bytes |
     |------------------|-----------|------------|------------|
     | ECC secp160r1    | 0.81      | 282        | 3682       |
     | ECC secp224r1    | 2.19      | 422        | 4812       |
     | RSA 1024 (pub**) | 0.43      | 542        | 1073       |
     | RSA 1024 (priv)  | 10.99     | 930        | 6292       |
     | RSA-2048 (pub**) | 1.94      | 1332       | 2854       |
     | RSA-2048 (priv)  | 83.26     | 1853       | 7736       |

     * 8MHz Atmel ATmega
     ** e=65537
     [Chart: Time (sec) by security level (Current, Future) for ECC, RSA pub and RSA priv; annotations: 13x, 38x]
     More information: Gura et al., CHES 2004 paper
  6. Sizzle Overview
     • World's smallest secure web server
     • Uses ECC key exchange in SSL*
     • Interoperates with ECC-enabled Mozilla/Firefox/OpenSSL
     • Lowers barrier for connecting interesting new devices to the Internet, and controlling/monitoring them securely
     *Based on IETF internet-draft draft-ietf-tls-ecc-xx.txt
  7. Sizzle Features
     • Uses 160-bit ECC (on curve secp160r1)
     • ECDH-ECDSA-RC4-SHA cipher suite
     • Minimizes SRAM memory usage and SSL handshake overhead, e.g.
         • Static info stored in program memory
         • Small session identifiers, certs
     • Implements session reuse, persistent HTTP(S)
  8. Sizzle Architecture and Statistics
     [Diagram labels: Monitoring station, TCP/IP, Gateway, RS232, Sizzle on “mote”, Sensors/Actuators; End-to-end security with SSL]
     • Memory usage from objdump: ~3KB (RAM), ~60KB (FLASH) on Mica2 mote
     • Page load time in sec (450-byte HTTPS transfer on Mica2 w/ Tiny OS 1.1.6):

     | Full Handshake (RSA) | Full Handshake (ECC) | Session Reuse | Persistent HTTP(S) | Plain HTTP |
     |----------------------|----------------------|---------------|--------------------|------------|
     | 16.8                 | 4.9                  | 2.9           | 1.1                | 0.9        |
  9. Performance Details (RSA)
     RSA decryption dominates
     [Chart phases: Handshake, Data Transfer]
  10. Performance Details (ECC)
      Reduces cost of public-key operation in full handshake
      [Chart phases: Handshake, Data Transfer]
  11. Performance Details (Session Reuse)
      Eliminates public-key operation, still incurs cost of abbreviated handshake
      [Chart phases: Handshake, Data Transfer]
      NOTE: In data transfer phase, bulk encryption/authentication overhead is dwarfed by transmission time.
  12. Performance Details (Persistent HTTPS)
      • Amortizes the cost of an SSL handshake (full or abbreviated) across multiple data transfers
      [Sequence diagram: participants Client, Gateway, Mote; time axis; steps: Establish TCP, Connect to Mote, SSL Handshake, HTTP Request and Response n, HTTP Request and Response n+1, HTTP Request and Response n+2]
  13. Sizzle Demonstration
      • ECC-enabled Mozilla communicating with Sizzle
      • Secure monitoring and control of a “wireless thermostat”
      • Comparison of ECC v/s RSA-based handshake
      • Impact of session reuse and persistent HTTP(S)
  14. Takeaway
      Elliptic Curve Cryptography (ECC) makes public-key cryptography feasible on mote-like devices and creates the opportunity to reuse standard security protocols on the “embedded” Internet.
  15. References
      • V. Gupta et al., “Sizzle: A Standards-based end-to-end Security Architecture for the Embedded Internet”, PerCom 2005, Mar. 2005*
      • N. Gura et al., “Comparing Elliptic Curve Cryptography and RSA on 8-bit CPUs”, CHES 2004, Aug. 2004
      • V. Gupta et al., “ECC Cipher Suites for TLS”, IETF internet-draft, Dec. 2004
      • V. Gupta et al., “Integrating Elliptic Curve Cryptography into the Web's Security Infrastructure”, WWW 2004, May 2004
      *Mark Weiser Best Paper Award at PerCom 2005
  16. Contact
      sheueling.chang@sun.com
      hans.eberle@sun.com
      vipul.gupta@sun.com
      nils.gura@sun.com
      http://research.sun.com/projects/crypto
