1. The School of Electrical Engineering and Computer Science (EECS) CS/ECE Advanced Network Security Dr. Attila Altay Yavuz Topic 1.2 Course and Project Overview (2) Advanced Network Security Dr. Attila Altay Yavuz1Fall 2014

2. OSU EECS  Growing complexity of the in-car software, 3 rd party SW integration  Attackers are becoming more professional, using more advanced methods  Tuning protection and avoidance of unjustified guarantee claims are a strong driver 2 escar 2011 - A Hardware Security Module for ECUs Intra-car Communication Security HMI Internet ECU CE-Device Tester Attack surface is growing –Car networks get connected to the internet –CE-Devices are connected to the car networks –Network access hard- and software is now cheap (e.g. bluetooth – CAN)

3. OSU EECS Real Attacks on Modern Automobile Systems: Comprehensive Experimental Analyses of Automotive Attack Surfaces Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno. USENIX Security, August 10–12, 2011.Comprehensive Experimental Analyses of Automotive Attack Surfaces –Not only internal access, but CD players, Bluetooth, multi-media systems enable attacks –A media player playing a modified WMA music done the job! –Lots of remote exploits Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Aurelien Francillon, Boris Danev, and Srdjan Capkun Network and Distributed System Security Symposium (NDSS), 2011Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study Ishtiaq Roufa, Rob Millerb, Hossen Mustafaa, Travis Taylora, Sangho Ohb Wenyuan Xua, Marco Gruteserb, Wade Trappeb, and Ivan Seskarb USENIX conference on Security, 2010Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study –Listing internal components from 40 meters away! –Play with tire-pressure system, stop and ambush drivers 3 Intra-Car Communication Security

4. OSU EECS 4 Secure Inter-ECU Communication Secure ECU Communication in Car Scenario: Communication among Electrical Contorl Units (ECUs) on internal vehicle systems –Bus system: CAN, FlexRay (Ethernet) Malicious falsification of messages –Sending corrupted messages by infected control units or interceptions for defective influence of recipient Why? –No authentication and/or integrity mechanism is used in intra-car systems!

5. OSU EECS 5 Secure Inter-ECU Communication Secure ECU Communication in Car Challanges: Ultra Limited Bandwidht –We have 16 bit (or 24 bit) allocated for securtiy purposes Limited Memory, little space for crypto keys –Keys must be re-newed (re-transmitted) –Time and synronization issues, package loss PKC crypto not feasible as is Safety versus Security –Satefy is priority for auto industry, no one will change any standard easily –Interpret security as a safety concern with malicious intent

6. OSU EECS 6 Secure ECU Communication in Car Proposal: Use of different Message Authentication Code with Truncation –A 128-bit HMAC can be truncated up to 32 bits with no extra security loss 2^32 guaranteed. –Can we do better than this? Universal Message Authentication Codes (UMACs) are algebraic one- time/multiple time MACs –They are faster than traditional MACs under certain assumptions Strategy is to identify suitable UMACs, investigate under truncation and set up a key management method –Why key management? UMACs require key sycnronization and renewal!

7. OSU EECS UMAC is itself two times faster than CMAC on ARM But key set up phase of UMAC is pretty slow Perform key setup beforehand, and use pre-computed keys. This enables fast computation with a memory trade-off If memory is a constraint, CMAC is a better choice If speed is more important and we can tolerate store, UMACs are fast. We can pre-compute keys in idle times and use them for a fast real-time computation Storing/transmitting a different key for each message is impractical 7 Secure ECU Communication in Car

8. OSU EECS Use crypto PRNGs: Signer and verifier share seed (root) key sk=(a,b), and for each message m j, a new key is derived from the previous key as sk j  CPRNG( sk j-1 ) –Not unconditionally secure anymore, at most as secure as CPRNG –Requires synchronization between the signer and receivers Optional, evolution of UMACs from a formal perspective –(i) Wegman-Carter, M is hashed to a short digest via a universal hash function indexed by a secret key. Resulting value is OTP encrypted. –(ii) Brassard replaces OTP with a PRF along with a random nonce. –(iii) Apply PRF directly to the hash result. –(iv) Derive UMAC key from a short key (as above), –(v) Reuse keys for some messages. Many UMACs use this approach, and it is problematic 8 Secure ECU Communication in Car

9. OSU EECS Some Important UMACs Polynomial UMACs (e.g., [1]): (k,k’) are n-bit keys, messages with l=t*n bits. Split message x into t blocks, work on GF(2^{n}) Square Hash [2]: MMH [3]: There are many more: NMH family (e.g., [4]), WH [5], NH [6] Polynomial evaluation and message authentication [7] by Daniel J. Bernstein is a very fast UMAC 9 Secure ECU Communication in Car

10. OSU EECS Group Size: 1-2 student –Students considering security research, or Winter 2014:Applied crypto class Required Background: –C/C++ or Java programming, or ability to use software packages from existing libraries –Knowledge on cryptographic hash functions, MAC, block ciphers (AES), Pseudo Random 1) Identify a set of good UMACs 2) Implement selected UMACs (or obtain implementation) 3) Work on efficient key update mechanisms for UMACs 4) Understand Blundo polynomials to set up keys between ECUs 5) Report overall security architecture and scheme 6) Final report and presentation 10 Secure ECU Communication in Car

11. OSU EECS Universal Message Authentication Code (UMAC) References [1] Ted Krovetz. UMAC: Message Authentication Code using Universal Hashing, March 2006. RFC 4418, http://fastcrypto.org/umac/rfc4418.txt.http://fastcrypto.org/umac/rfc4418.txt –Version for 2000, http://fastcrypto.org/umac/index00.html [ 2] M. Etzel, S. Patel, Z. Ramzan, “Square Hash: Fast Message Authentication via Optimized Universal Hash Functions,” Proc. Crypto’99, LNCS 1666, M. Wiener, Ed., Springer-Verlag, 1999, pp. 234–251. [3] S. Halevi, H. Krawczyk, “MMH: Software Message Authentication in the Gbit/second Rates,” Fast Software Encryption, LNCS 1267, E. Biham, Ed., Springer-Verlag, 1997, pp. 172–189. [4] M.N. Wegman, J.L. Carter, “New Hash Functions and their Use in Authentication and Set Equality,” Journal of Computer and System Sciences, Vol. 22, No. 3, 1981, pp. 265–279. [5] J.-P. Kaps, K. Yuksel, B. Sunar, “Energy Scalable Universal Hashing,” IEEE Trans. on Computers, Vol. 54, No. 12, 2005, pp. 1484–1495. [6] J. Black, S. Halevi, H. Krawczyk, T. Krovetz, P. Rogaway. “UMAC: Fast and Secure Message Authentication,” Proc. Crypto’99, LNCS 1666, M. Wiener, Ed., Springer-Verlag, 1999, pp. 216–233. [7] Daniel J. Bernstein, The Poly1305-AES message-authentication code [8] W.Nevelsteen and B. Preneel. Software performance of universal hash functions. In Proceedings of the 17th international conference on Theory and application of cryptographic techniques (EUROCRYPT'99), Springer-Verlag, 24-41. [9] H. Handschuh and B. Preneel. Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms. In Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology (CRYPTO 2008), Springer-Verlag, Berlin, 144-161. 11

12. OSU EECS 12 Secure Inter-ECU Communication Encryption Methods for Medical Systems Research Problem: Chaos-based encryption methods are proposed for medical systems –They are claimed to be more „effective“ (?) than traditiona encryption methods Secure of Chaous-based methods are being critizied Security is dubious, but even are they so much more efficient than traditional encryption? Investigate this case! It is likely that their efficiency advantages do not justy the security

13. OSU EECS 13 Secure Inter-ECU Communication Encryption Methods for Medical Systems Some papers: 1 ) An Efficient Medical Image Cryptosystem Based on Chaotic Maps http://www.aicit.org/JDCTA/ppl/JDCTA%20Vol6%20No13%20Binder1_part29.pdf 2) Chaos Based Encryption System for Encrypting Electroencephalogram Signals, Journal of Medical Systems. http://www.researchgate.net/publication/261736834_Chaos_based_encryption_system_for_e ncrypting_electroencephalogram_signals The above paper discusses a C# based implementation 3) An efficient and secure medical image protection scheme based on chaotic maps. http://www.ncbi.nlm.nih.gov/pubmed/23816172 4) A review paper on Chaos-based encryption http://www.ripublication.com/irph/ijict_spl/ijictv4n2spl_14.pdf 5) http://www.intechopen.com/books/multimedia-a-multidisciplinary-approach-to-complex- issues/multimedia-security-a-survey-of-chaos-based-encryption-technology

14. OSU EECS Group Size: 1-2 student(s) Required Background: –C/C++ or Java programming, or ability to use software packages from existing libraries –Knowledge on cryptographic hash functions, MAC, block ciphers (AES), Pseudo Random F. Work on implementation of the latest Chaos schemes –Totally ok if you can obtain existing implementations Work on efficient AES implementations or ciphers such as –Present Cipher Suite –Humming Bird Compare efficiency, discuss security differences, analyze the claim, final report and presentation 14 Encryption Methods for Medical Systems