Re: [Cryptography] System level security in low end environments

2013-10-06 Thread Jerry Leichter
On Oct 5, 2013, at 2:00 PM, John Gilmore wrote:
> > b.  There are low-end environments where performance really does
> > matter.  Those often have rather different properties than other
> > environments--for example, RAM or ROM (for program code and S-boxes)
> > may be at a premium.
>
> Such environments are getting very rare these days.  For example, an
> electrical engineer friend of mine was recently working on designing a
> cheap aimable mirror, to be deployed by the thousands to aim sunlight
> at a collector.  He discovered that connectors and wires are more
> expensive than processor chips these days!...
He had a big advantage:  He had access to power, since the system has to run 
the motors (which probably require an order of magnitude or more power than all 
his electronics).  These days, the limits on many devices are expressible in 
watts/compute for some measure of compute.  But less often noticed (because 
most designers are handed a fixed device and have to run with it) dynamic RAM 
also draws power, even if you aren't doing any computation.  (Apple, at least, 
appears to have become very aware of this early on and designs their phones to 
make do with what most people would consider to be very small amounts of RAM - 
though perhaps not those of us who grew up in 16-bit-processor days. :-)  Some 
other makers didn't include this consideration in their designs, built with 
larger RAM's - sometimes even advertising that as a plus - and paid for it in 
reduced battery life.)

A couple of years back, I listened to a talk about where the next generation of 
wireless communications will be.  Historically, every so many years, we move up 
a decade (as in factor of 10) in the frequencies we use to build our 
communications devices.  We're approaching the final such move, to the edge of 
the TeraHertz range.  (Another factor of 10 gets you to stuff that's more like 
infrared than radio - useful, but in very different ways.)  What's of course 
great about moving to higher frequencies is that you get much more bandwidth - 
there's 10 times as much bandwidth from 10GHz to 100GHz as there was from DC up 
to 10GHz.  And the power required to transmit at a given bit rate goes down 
with the bandwidth, and further since near-THz radiation is highly directional 
you're not spewing it out over a sphere - it goes pretty much only where it's 
needed.  So devices operating in the near-THz range will require really tiny 
amounts of power.  Also, they will be very small, as the wavelengths are 
comparable to the size of a chip.  In fact, the talk showed pictures of 
classic antenna geometries - dipoles, Yagi's - etched directly onto chips.

Near-THz frequencies are highly directional, so you need active tracking - but 
the computes to do that can go on chip along with the antennas they control.  
You'd guess (at least I did until I learned better) that such signals don't 
travel far, but in fact you have choices there:  There are bands in which air 
absorption is high, which is ideal for, say, a WiFi replacement (which would 
have some degree of inherent security as the signal would die off very 
rapidly).  There are other bands that have quite low air absorption.  None of 
these frequencies are likely to propagate far through many common building 
materials, however.  So we're looking at designs with tiny, extremely low 
powered, active repeaters all over the place.  (I visualize a little device you 
stick on a window that uses solar power to communicate with a box on a pole 
outside, and then internally to similar scattered devices to fill your house 
with an extremely high speed Internet connection.)

The talk I heard was from a university group doing engineering 
characterization - i.e., this stuff was out of the lab and at the point where 
you could construct samples easily; the job now was to come up with all the 
design rules and tradeoff tables and simulation techniques that you need before 
you can build commercial products.  They thought this might be 5G telephone 
technology.  Expect to see the first glimmers in, say, 5 years.

Anyway, this is (a) a confirmation of your point that computational elements 
are now so cheap that components like wires are worth replacing; but (b) unlike 
the case with the mirror controllers, we'll want to build these things in large 
numbers and scatter them all over the place, so they will have to make do with 
very small amounts of power.  (For the first inkling of what this is like, 
think of RFID chips - already out there in the billions.)

So, no, I don't think you can assume that efficiency considerations will go 
away.  If you want pervasive security in your pervasive compute architecture, 
you're going to have to figure out how to make it work when many of the nodes 
in your architecture are tiny and can't afford to drain power running 
complicated algorithms.
-- Jerry


[Cryptography] System level security in low end environments

2013-10-05 Thread John Gilmore
> b.  There are low-end environments where performance really does
> matter.  Those often have rather different properties than other
> environments--for example, RAM or ROM (for program code and S-boxes)
> may be at a premium.

Such environments are getting very rare these days.  For example, an
electrical engineer friend of mine was recently working on designing a
cheap aimable mirror, to be deployed by the thousands to aim sunlight
at a collector.  He discovered that connectors and wires are more
expensive than processor chips these days!  So he ended up deciding to
use a system-on-chip with a built-in radio that eliminated the need to
have a connector or a wire to each mirror.  (You can print the antenna
on the same printed circuit board that holds the chip and the
actuator.)

What dogs the security of our systems these days is *complexity*.  We
don't have great security primitives to just drop into place.  And the
ones we do have, have complicated tradeoffs that come to the fore
depending on how we compound them with other design elements (like
RNGs, protocols, radios, clocks, power supplies, threat models, etc).
This is invariant whether the system is low end or high end.

That radio controlled mirror can be taken over by a drive-by attacker
in a way that would take a lot more physical labor to mess up a
wire-controlled one.  And if the attack aimed two hundred mirrors at
something flammable, the attacker could easily start a dangerous fire
instead of making cheap solar energy.  (Denial of service is even
easier - just aim the mirrors in random directions and the power goes
away.  Then what security systems elsewhere were depending on that
power?  This might just be one cog in a larger attack.)  Some of the
security elements are entirely external to the design.  For example,
is the radio protocol one that's built into laptops by default, like
wifi or bluetooth?  Or into smartphones?  Or does it require custom
hardware?  If not, a teenager can more easily attack the mirrors --
and a corrupt government can infect millions of laptops and phones
with malware that will attack mirror arrays that they come near to.

For products that never get made in the millions, the design cost
(salaries and time) is a significant fraction of the final cost per
unit.  Therefore everybody designs unencrypted and unauthenticated
stuff, just because it's easy and predictable.

For example it's pretty easy to make the system-on-chip above send or
receive raw frames on the radio.  Harder to get it to send or receive
UDP packets (now it needs an IP address, ARP, DHCP, more storage, ...).
Much harder to get it to send or receive *authenticated* frames or UDP
packets (now it needs credentials; is it two-way authenticated, if so
it needs a way to be introduced to its system, etc).  Much harder
again to get it to send or receive *encrypted* frames or UDP packets
(now it needs keys too, and probably more state to avoid replays,
etc).  And how many EE's who could debug the simple frame sending
firmware and hardware, can debug a crypto protocol they've just
implemented (even making the dubious assumption that they compounded
the elements in a secure way and have just made a few stupid coding
mistakes)?

John

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
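
Added example, not part of either message above: a sketch of the step from raw frames to *authenticated* frames that the original post describes, showing the credential (a per-device key) and the replay state (a counter) each node then has to carry. The frame layout, field names, key-derivation label and 8-byte tag length are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (an assumption, not from the thread):
#   mirror_id u16 | counter u32 | azimuth i16 | elevation i16 | tag 8 bytes
HEADER = struct.Struct(">HIhh")
TAG_LEN = 8  # truncated HMAC-SHA256: shorter tag, less airtime, less forgery margin


def derive_key(master: bytes, mirror_id: int) -> bytes:
    """Per-device key, so extracting one mirror's key does not expose the array."""
    label = b"mirror-key" + struct.pack(">H", mirror_id)
    return hmac.new(master, label, hashlib.sha256).digest()


def build_frame(key: bytes, mirror_id: int, counter: int, az: int, el: int) -> bytes:
    """Controller side: pack the aim command and append the truncated MAC."""
    body = HEADER.pack(mirror_id, counter, az, el)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Mirror:
    """Receiver side: one key plus one counter of persistent state."""

    def __init__(self, mirror_id: int, key: bytes):
        self.mirror_id = mirror_id
        self.key = key
        self.last_counter = 0  # must survive reboots, or old frames replay

    def accept(self, frame: bytes):
        """Return (azimuth, elevation) for a valid fresh frame, else None."""
        if len(frame) != HEADER.size + TAG_LEN:
            return None
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted frame
        mirror_id, counter, az, el = HEADER.unpack(body)
        if mirror_id != self.mirror_id or counter <= self.last_counter:
            return None  # addressed to another mirror, or replayed/stale
        self.last_counter = counter
        return az, el
```

Even this minimal scheme leaves open the questions the post raises: how the key gets into each device, and where the counter is stored so that it cannot be rolled back.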