Senzations’15: Secure Internet of Things

Secure Internet of Things:
Challenges and potential approaches
Dr.-Ing. Konrad Wrona
NATO Communications and Information Agency
1
Internet of Things
2
Internet of Threats
3
Internet of Threats
4
Internet of Threats
§ A baby monitor in Texas, USA
§ The newly-crowned Miss Teen USA
§ A botnet of over 100,000 hijacked everyday consumer devices
§ Delivery of incorrect dosages of insulin
§ Printers catching on fire
5
What is Internet of Things?
6
Attacks on SCADA and M2M
§ Theft of water (Gignac Canal System in France)
§ Release of raw sewage (Maroochy Shire sewage plant in Australia)
§ Interference with a Landsat-7 earth observation
satellite
§ Computer viruses infecting the ground-control
systems of the Predator and Reaper remotely
piloted aircraft
7
What are the solutions
§ Secure configuration of the devices and OS
§ Secure network communication
§ Secure storage
§ Physical security
§ Hack-proof security is unrealistic
•  Need for intrusion detection and response
§ Defence-in-depth approach
•  Several complementary security mechanisms
•  Context-aware security and broken-glass policies
8
TLS/DTLS/eDTLS
§ TLS – Transport Layer Security
•  The most widely deployed security protocol
•  Uses TCP: requires reliable, in-order packet delivery
§ DTLS – Datagram Transport Layer Security
•  Uses UDP: works with unreliable, out-of-order packet
delivery used in constrained platforms and networks
•  No multi-record stream ciphers
§ eDTLS on small embedded platforms
•  Reduced state-machine code size, data overhead,
compressed handshake protocol
•  More keying flexibility: Pre-shared, raw public/private,
X.509 certificate
9
Where are the problems
§ Network layer security is the easy part
§ Security provisioning and management is difficult
•  Constrained user interface
•  Number of devices
•  Untrained users
§ Higher security means higher initial cost,
complexity, power
•  However, data or life loss might be more expensive
10
Internet of Threats
11
DARPA view on IoT security
12
So, does all military equipment
have military-level security?
13
Car hacking
14
Car hacking
15
Car hacking
16
Data recorded by automobile
manufacturers
§  BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen, and Volvo
§  Aston Martin, Lamborghini, and Tesla did not respond
17
Data recorded by automobile
manufacturers
18
Data recorded by automobile
manufacturers
19
Data recorded by automobile
manufacturers
§  Physical location recorded at regular
intervals;
§  Previous destinations entered into
navigation system;
§  Last location parked.
§  Potential crash events, such as sudden
changes in speed;
§  Status of steering angle, brake
application, seat belt use, and air bag
deployment;
§  Fault/error codes in electronic systems.
§  Vehicle speed;
§  Direction/heading of travel;
§  Distances and times traveled;
§  Average fuel economy/
consumption;
§  Status of power windows, doors,
and locks;
§  Tire pressure;
§  Fuel level;
§  Engine RPM;
§  Odometer reading;
§  Mileage since last oil change;
§  Battery health;
§  Coolant temperature;
§  Engine status;
§  Exterior temperature and
pressure.
20
Why worry?
21
Why do we need fine-grained
access control?
22
How to protect customers
from the Internet of Threats?
§ Market design
•  Ask at the Business track of the school
§ Legislation
23
Example of Legislation: Security
and Privacy in Your (SPY) Car Act (2015)
§ Vehicle owners to be made aware of what data is
being collected, transmitted and shared
§ To be offered the chance to opt out of data
collection without losing access to key navigation
or other features where feasible
§ Requiring an easy method for consumers to
evaluate how well an automaker goes beyond the
minimums defined in the proposed law
24
How to protect customers
from the Internet of Threats?
§ Market design
•  Ask at the Business track of the school
§ Legislation
§ Secure design
•  Technology
•  Usability of configuration
•  Easy understanding of implications
25
OLP Dimensions
26
27
Proposed solution: CPR
•  Originator defines content description (attributes), not
confidentiality markings
•  Content attributes determine
–  Protection requirements
•  How the content is to be processed and stored
–  Release conditions
•  To whom it can be released
28
[Diagram labels: {PROTECTION REQUIREMENTS}, {RELEASE CONDITIONS}, Terminal attributes, User attributes, ACCESS REQUEST, RELEASE DECISION, CPRESS]
NATO Object Level Protection:
Content-based Protection and Release
29
CPR cryptographic access control:
Encryption
30
CPR cryptographic access control:
Decryption
31
Symmetric Key Encryption
Schemes
[Diagram labels: Alice, Bob; keys sk, sk]
§ Same secret key used for encryption and
decryption.
§ Any user can generate keys.
§ Relies on an authenticated distribution
mechanism.
32
Public-Key Encryption Schemes
[Diagram labels: Alice, Bob, CA; keys pk, sk, pk, sk]
§ Different keys for encryption and decryption
•  The encryption key is made public
•  The decryption key is kept secret
§ Any user can generate keys.
§ Relies on authenticated distribution mechanism
for public keys.
33
Identity-Based Encryption
Schemes
[Diagram labels: Alice, Bob, Key Distribution; identities alice@email.com, bob@email.com; keys sk, sk]
§ Public-key encryption scheme with custom-
formatted public keys
§ No longer relies on authenticated distribution
mechanism for public keys
§ Private keys need to be generated by a central
entity
34
Attribute-Based Encryption
Schemes
[Diagram labels: Alice, Bob, Key Distribution; attributes Female, MSc, Management, Male, Medical, Trainee; predicate Female ∨ Trainee]
§ Extension of IBE where users can be assigned
various attributes
•  Users receive private keys corresponding to their attributes.
•  Ciphertexts are linked with a predicate on the attributes.
•  Decryption of a ciphertext is possible for a user if and only if the linked
predicate evaluates to TRUE on that user's attributes.
35
Other Related Encryption
Schemes
§ Predicate Encryption (PE)
•  Also incorporates schemes that support predicate
hiding.
§ Functional Encryption (FE)
•  Also incorporates schemes where the outcome of a
decryption is a non-trivial function of the involved
message, predicate and key.
§ Relationship: $PKE \subset IBE \subset ABE \subset PE \subset FE$.
9/4/15 NATO UNCLASSIFIED RELEASABLE TO PFP
36
Hybrid Encryption with ABE
§ Concept
•  Encrypt plaintext with symmetric encryption scheme.
•  Encrypt symmetric key using ABE.
§ Motivation
•  The overhead of using ABE is relative to the size of
the data it encrypts.
•  Symmetric keys tend to be much smaller than the
plaintext to be encrypted.
•  Limited overhead when using symmetric encryption.
•  This significantly reduces the overhead of using ABE
relative to the plaintext to be encrypted.
37
Definition Attribute-Based
Encryption
§ Let $P: K \times I \to \{0,1\}$ be a PT predicate.
§ ABE consists of four PPT algorithms:
•  $(pk, msk) \leftarrow Setup(1^{\lambda})$
•  $sk \leftarrow KeyGen(msk, k)$
•  $c \leftarrow Encrypt(pk, (ind, m))$
•  $y \leftarrow Decrypt(sk, c)$
where $k \in K$ and $ind \in I$ and
•  $y = \begin{cases} m & \text{if } P(k, ind) = 1 \\ \bot & \text{if } P(k, ind) = 0 \end{cases}$
38
Key Policy
§ The key space $K$ consists of $n$-variable Boolean
formulas $\phi$.
§ Elements $ind = z = (z_1, z_2, \cdots, z_n)$ from the index
space $I = \{0,1\}^n$ are interpreted as
representations of $n$ Boolean values.
§ $P(\phi, z) = \begin{cases} 1 & \text{if } \phi(z) = 1 \\ 0 & \text{otherwise} \end{cases}$
39
Ciphertext Policy
§ The key space $K = \{0,1\}^n$ consists of
representations $k = z = (z_1, z_2, \cdots, z_n)$ of $n$
Boolean values.
§ Elements $ind = \phi$ from the index space $I$ are
$n$-variable Boolean formulas.
§ $P(z, \phi) = \begin{cases} 1 & \text{if } \phi(z) = 1 \\ 0 & \text{otherwise} \end{cases}$
40
Full Security
§ Security defined by the following game between Challenger and Adversary:
•  (Setup) Challenger → Adversary: public parameters
•  (Query Phase 1) Adversary → Challenger: key queries
•  (Challenge set selection) Adversary → Challenger: attribute set S not accepted by queried keys
•  (Plaintext submission) Adversary → Challenger: challenge messages m0, m1
•  (Challenge response) Challenger → Adversary: Encrypt(pk,(S,m0)) or Encrypt(pk,(S,m1))
•  (Query Phase 2) Adversary → Challenger: queries for keys with policy not accepting S
•  (Guess) Adversary → Challenger: m0 or m1
41
Selective Security
§ Security defined by the following game between Challenger and Adversary:
•  (Challenge set selection) Adversary → Challenger: attribute set S
•  (Setup) Challenger → Adversary: public parameters
•  (Query Phase 1) Adversary → Challenger: queries for keys with policy not accepting S
•  (Plaintext submission) Adversary → Challenger: challenge messages m0, m1
•  (Challenge response) Challenger → Adversary: Encrypt(pk,(S,m0)) or Encrypt(pk,(S,m1))
•  (Query Phase 2) Adversary → Challenger: queries for keys with policy not accepting S
•  (Guess) Adversary → Challenger: m0 or m1
42
Selective Security Limitations
§ Can only use policies that accept the challenge
attribute set.
§ Can only use attributes in the challenge attribute
set.
•  This in particular makes selective security unsuitable
for ABE schemes that need to support both positive
and negative attributes.
§ Therefore, we mainly focus on fully secure
schemes.
43
Inequalities in Policies
§ Attribute assignments are Boolean.
•  E.g., a person may get assigned the attribute
“member”, “not a member” or no attribute related to
membership at all.
§ Relatively efficient inequality comparisons
involving static integers are however possible.
•  Uses attributes corresponding to bit representations.
•  E.g., 6 encodes as the set {“1∗∗”, “∗1∗”, “∗∗0”}.
•  E.g., 𝑎 < 5 encodes as “0∗∗” ∨ (“∗0∗” ∧ “∗∗0”).
44
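The bit-representation encoding from the "Inequalities in Policies" slide, worked through as an added example (not part of the original slides): it builds the attribute set for an integer, derives the policy for a < bound for any bound, and checks it against ordinary comparison. The function names and the nested-tuple policy form are hypothetical, and the last check assumes the key authority issues exactly one attribute per bit position.

```python
# Added illustration (not from the slides): integer comparison expressed with
# Boolean bit-position attributes. All names here are hypothetical.

def bit_attributes(value, width):
    """Attributes issued for an integer, one per bit, MSB first (6 -> 1**, *1*, **0)."""
    if not 0 <= value < 2 ** width:
        raise ValueError("value does not fit in the given width")
    bits = format(value, f"0{width}b")
    return {"*" * i + b + "*" * (width - i - 1) for i, b in enumerate(bits)}

def less_than_policy(bound, width):
    """Policy over positive attributes accepting exactly the values a < bound.

    Returns an attribute string, a tuple (op, left, right) with op "or"/"and",
    or None when no value can satisfy the comparison (bound == 0).
    """
    if not 0 <= bound < 2 ** width:
        raise ValueError("bound does not fit in the given width")
    bits = format(bound, f"0{width}b")

    def build(i):
        if i == width:                 # every bit equals the bound: not smaller
            return None
        zero = "*" * i + "0" + "*" * (width - i - 1)
        rest = build(i + 1)
        if bits[i] == "1":             # a 0 in this position already makes a smaller
            return zero if rest is None else ("or", zero, rest)
        # bound bit is 0: a needs 0 here and must be smaller in the lower bits
        return None if rest is None else ("and", zero, rest)

    return build(0)

def evaluate(policy, attrs):
    """Evaluate a policy on the attribute set held in a key."""
    if policy is None:
        return False
    if isinstance(policy, str):
        return policy in attrs
    op, left, right = policy
    results = (evaluate(left, attrs), evaluate(right, attrs))
    return any(results) if op == "or" else all(results)

def render(policy):
    """Print a policy in the slide's notation."""
    if policy is None:
        return "FALSE"
    if isinstance(policy, str):
        return f'"{policy}"'
    op, left, right = policy
    wrap = lambda p: render(p) if isinstance(p, str) else f"({render(p)})"
    return f"{wrap(left)} {'∨' if op == 'or' else '∧'} {wrap(right)}"

def well_formed(attrs, width):
    """Issuance check: exactly one of the 0/1 attributes per bit position."""
    pairs = [{"*" * i + b + "*" * (width - i - 1) for b in "01"} for i in range(width)]
    return len(attrs) == width and all(len(attrs & pair) == 1 for pair in pairs)

def agrees_with_comparison(bound, width):
    """True if the policy matches a < bound for every value of the given width."""
    policy = less_than_policy(bound, width)
    return all(evaluate(policy, bit_attributes(a, width)) == (a < bound)
               for a in range(2 ** width))

if __name__ == "__main__":
    print(sorted(bit_attributes(6, 3)))
    print(render(less_than_policy(5, 3)))
    print(all(agrees_with_comparison(c, 4) for c in range(16)))
    # Constructed malformed key: value 6 plus an extra "0**" attribute.
    bad = bit_attributes(6, 3) | {"0**"}
    print(evaluate(less_than_policy(5, 3), bad), well_formed(bad, 3))
```

The malformed key at the end satisfies a < 5 although it encodes 6, which is why the one-attribute-per-bit check belongs at key issuance.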
Revocation
§ Revocation mechanism types
•  Indirect revocation
•  Direct revocation
§ Efficiency-enhancing techniques for revocation
45
USE CASES
46
CPR cryptographic access control:
Infrastructure
§  Provide protection of information in an environment where both communication and data storage infrastructure are controlled by a third party
§  Support all standard information exchange scenarios
47
CPR Example: Information
sharing for Passive Missile Defence
48
[Diagram labels: CPR; NATO employee with NATO Secret clearance; NATO Desktop located in Class I area; NATO contractor with NATO Restr. clearance; NATO laptop; Red Cross worker; Unknown terminal; Full view; Partial view; Public information only]
Thank you!
konrad.wrona@ncia.nato.int