CCCP: Secure Remote Storage for Computational RFIDs (presentation slides)



SLIDE 1

Shane Clark, USENIX Security ’09
Tuesday, August 18, 2009

CCCP: Secure Remote Storage for Computational RFIDs

  • M. Salajegheh, S. Clark, B. Ransford, K. Fu (UMass Amherst)
  • A. Juels (RSA, The Security Division of EMC)

NSF-627529

SLIDES 2-6

RFID tags

Computational RFID tags

SLIDE 7

CRFIDs

  • Batteryless
  • Powered by harvested energy
  • Interact with RFID readers
  • Programmable

[Figure: WISP 1.0]

SLIDE 8

CRFIDs

  • Tiny energy reservoir
  • Frequent power loss
  • Limited use of local storage

[Figure: WISP 1.0]

SLIDES 9-11

Local Storage... at a Price

  • Energy intensive writes
  • Erase-before-write
  • Small nonvolatile memory
  • WISP 4.0: 32 KB flash

Energy Consumption (J), 128 Bytes

  Operation   Energy
  Read        0.64
  Write       56.97
  Erase       46.81

SLIDES 12-13

Inexpensive Radio

[Figure: CPU, Flash and Radio shown for a Mote [Hydrowatch] and for a CRFID]

SLIDES 14-17

Outsource Storage?

[Figure labels: Send, Receive]

Problem: a reader is not necessarily trustworthy

[Figure labels: Junk, Read]

SLIDES 18-20

Cryptographic Computational Continuation Passing

[Figure labels: ENC, MAC; DEC, MAC]

SLIDE 21

Goal: Computational Progress

  • Change of computational state toward a goal
    Example: completion of a loop
  • Eliminate Sisyphean tasks

SLIDE 22

Sisyphean Tasks

  • Some workloads may never complete given typical energy availability
  • Manually splitting tasks is not necessarily easy or effective

SLIDES 23-28

Mementos [Ransford ’08]

  • Checkpoint state (locally) as energy wanes
  • Spread computations over multiple lifecycles
  • Problem: flash write takes precious energy.

[Figure: Task = { T1, T2, T3, T4 } plotted against Energy, with Checkpoint and Retrieve points]

SLIDES 29-31

Security Goals

  • Confidentiality
  • Integrity
  • Authentication
  • Data Freshness
  • Availability

[Callouts: Expensive flash; No battery; Tiny capacitor; Reboots every few seconds; Small RAM]

SLIDES 32-33

Security Primitives

  • Stream cipher for confidentiality
  • UMAC for integrity/authentication [Black ’99]
  • Low cost in terms of energy
  • Challenge: Maintaining the keystreams

SLIDE 34

Precomputation?

  • Keystreams are required by the cipher and the MAC
  • Cannot reuse keystream bits
  • Not enough energy to compute on the fly

SLIDE 35

Good Power Seasons

  • Times when the CRFID is idle
  • CRFID is awake and has no computation left to complete.
  • CRFID finds a reader that does not understand CCCP.
  • Plentiful energy: time to produce keystream bits

SLIDE 36

Data Freshness

  • Some state must be in trusted storage
  • Nonvolatile memory is too expensive to use frequently
  • How can we use it frugally?

SLIDES 37-42

Hole Punching

(a) Binary Counter

    00000111₂ (= 7₁₀)  →  11111111₂ (erase)  →  00001000₂ (= 8₁₀)

(b) Unary Counter (complemented)

    11110000000₁ (= 7₁₀)  →  11100000000₁ (= 8₁₀)
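
The counter comparison on the Hole Punching slide, as an added example that is not code from the talk or from the CCCP authors: a simulated flash word in which programming can only clear bits and only an erase sets them back to 1. The `flash_t` model, the 16-bit width and all function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated flash word (assumption for this sketch): programming can only
 * clear bits (1 -> 0); only an erase sets every bit back to 1. */
typedef struct { uint16_t word; unsigned erases; } flash_t;

void flash_erase(flash_t *f)               { f->word = 0xFFFF; f->erases++; }
void flash_program(flash_t *f, uint16_t v) { f->word &= v; }

/* (a) Binary counter: n -> n+1 always turns some 0 bit into 1, so the
 * word has to be erased before the new value can be programmed. */
void binary_increment(flash_t *f) {
    uint16_t next = (uint16_t)(f->word + 1);
    if ((f->word & next) != next) flash_erase(f);
    flash_program(f, next);
}

/* (b) Complemented unary counter: the value is the number of 0 bits. */
unsigned unary_read(const flash_t *f) {
    unsigned zeros = 0;
    for (int i = 0; i < 16; i++) zeros += !((f->word >> i) & 1u);
    return zeros;
}

/* Punch one more hole (clear the lowest 1 bit). Returns -1 once all 16
 * bits are punched; the caller must then erase and handle the rollover. */
int unary_increment(flash_t *f) {
    if (f->word == 0) return -1;
    flash_program(f, (uint16_t)(f->word & (f->word - 1)));
    return 0;
}

/* Count from 0 up to n with each scheme; .erases holds the erase cost. */
flash_t count_binary(unsigned n) {
    flash_t f = { 0x0000, 0 };             /* word already holds value 0 */
    for (unsigned i = 0; i < n; i++) binary_increment(&f);
    return f;
}
flash_t count_unary(unsigned n) {
    flash_t f = { 0xFFFF, 0 };             /* freshly erased = value 0 */
    for (unsigned i = 0; i < n; i++) unary_increment(&f);
    return f;
}

int main(void) {
    flash_t b = count_binary(8), u = count_unary(8);
    printf("binary: value=%u erases=%u\n", (unsigned)b.word, b.erases);
    printf("unary : value=%u erases=%u word=0x%04X\n",
           unary_read(&u), u.erases, (unsigned)u.word);
    return 0;
}
```

Counting to 8 costs the binary counter eight erases and the unary counter none. The price is capacity: a 16-bit word holds only 16 increments before it must be erased.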

SLIDES 43-44

Protocol

[Figure labels: Reader, CRFID, state]

Non-autonomous communication

SLIDES 45-52

Store Procedure

[Figure: sequence between Reader and CRFID; labels listed in the order the slides reveal them]

  • Query
  • Tasks 1..k
  • Need to store
  • Chunk size
  • 1. Enc
    2. MAC
    3. Hole punch
  • Ciphertext+MAC
  • Store

SLIDES 53-57

Retrieve Procedure

[Figure: sequence between Reader and CRFID; labels listed in the order the slides reveal them]

  • Retrieve
  • Ciphertext+MAC
  • 1. Verify
    2. Dec
  • Tasks k..n

SLIDE 58

Evaluation

SLIDES 59-63

Experimental setup

  1. Program the CRFID with a task
  2. Charge CRFID to voltage V
  3. Disconnect the power supply
  4. Observe the voltage drop and execution time

SLIDES 64-68

[Figure: Energy Consumption (J) versus Data Size (Bytes), 32 to 256 bytes. First plot: Local Storage, Secure Remote Storage. Later plots: Flash Write, CCCP/AuthConf, CCCP/Auth, CCCP/NoSec, Flash Write+Erase (Calculated).]

CCCP provides CRFIDs with secure, remote storage that is cheaper than local memory.

SLIDE 69

Extensions/Future Work

  • CRFID hardware design
  • Long-term storage
  • WOM codes [Rivest ’82]
  • PKCS on CRFIDs

SLIDES 70-71

Summary

  • CRFIDs can go where other platforms cannot
  • They are limited by available energy
  • Remote storage is cheap
  • CCCP provides remote storage that is secure and yet less expensive than local storage.

More info at: www.cs.umass.edu/~ssclark/crfid