Quiz 6 Securing IoT

Flashcard set for lectures 13 and 14 for securing the IoT

28 Terms

1

Signature/verification

Another use for asymmetric key cryptography

2

Non-repudiation

Assurance that a person or entity cannot deny the validity of a transaction (typically achieved through digital signatures)

3

Verify

Process of checking whether a digital signature is correct

4

True

True or False: Signature/verification is not always the reverse of encrypt/decrypt.

5

True

True or False: Signature and verify both require the correct key.

6

Using a user's secret key, and verified using the same user's public key.

How is a signature computed?

7

Signature/Verification

Now assume Alice sends a signed message m to Bob

  • Bob can verify that Alice sent the message since only Alice knows her secret key. Bob verifies using Alice’s public key.

  • Bob can show Charlie that the message was sent by Alice, and Charlie will believe it. Charlie verifies using Alice’s public key.

(Note: In an unsigned message, Bob cannot prove to any third party that the message came from Alice because there’s no signature to prove it)

8

False; Can also use trusted third party (TTP)

True or False: Asymmetric key is the only way to share keys.

9

A contacts TTP requesting a new key for A and B to communicate securely

Let's assume the following:

  • Alice knows Ka; Bob knows Kb

  • TTP knows Ka and Kb

  • We want Alice and Bob to share a key (Kab)

What is happening if:

A → TTP: A, B, Na

10

Tells A that message is fresh from TTP, not replayed by someone else

Let's assume the following:

  • Alice knows Ka; Bob knows Kb

  • TTP knows Ka and Kb

  • We want Alice and Bob to share a key (Kab)

What is Na used for:

  1. A → TTP: A, B, Na

  2. A ← TTP: {Na, B, Kab, {Kab, A}_Kb}_Ka

11

The new session key generated by TTP

Let's assume the following:

  • Alice knows Ka; Bob knows Kb

  • TTP knows Ka and Kb

  • We want Alice and Bob to share a key (Kab)

What is Kab used for:

  1. A → TTP: A, B, Na

  2. A ← TTP: {Na, B, Kab, {Kab, A}_Kb}_Ka

12

That is the encryption of the new key, Kab, by TTP that is meant for B (i.e. only B can decrypt)

Let's assume the following:

  • Alice knows Ka; Bob knows Kb

  • TTP knows Ka and Kb

  • We want Alice and Bob to share a key (Kab)

What is {Kab, A}_Kb used for:

  1. A → TTP: A, B, Na

  2. A ← TTP: {Na, B, Kab, {Kab, A}_Kb}_Ka

13

The entire message is encrypted using Ka, meaning only (A) can decrypt.

Who can decrypt the message if

  1. A → TTP: A, B, Na

  2. A ← TTP: {Na, B, Kab, {Kab, A}_Kb}_Ka

14

B can decrypt using Kb; now B will have a new key Kab that only A and B know (and TTP, but that is a trusted source)

Who can decrypt the message if

  1. A → TTP: A, B, Na

  2. A ← TTP: {Na, B, Kab, {Kab, A}_Kb}_Ka

  3. A → B: {Kab, A}_Kb

15

B does not know who sent {Kab, A}_Kb. If A does not know Kab, it will not be able to decrypt the message to learn Nb, and thus cannot return the right answer Nb-1.

Who is supposed to know Kab?

  1. A → TTP: A, B, Na

  2. A ← TTP: {Na, B, Kab, {Kab, A}_Kb}_Ka

  3. A → B: {Kab, A}_Kb

  4. A ← B: {Nb}_Kab

  5. A → B: {Nb-1}_Kab

16

Nothing; everything is encrypted (except the 1st message)

What does an eavesdropper know from this?:

  1. A → TTP: A, B, Na

  2. A ← TTP: {Na, B, Kab, {Kab, A}_Kb}_Ka

  3. A → B: {Kab, A}_Kb

  4. A ← B: {Nb}_Kab

  5. A → B: {Nb-1}_Kab

17

Certificate

Trusted entity vouching that a particular name goes with a particular public key (among other things).

  • The trusted entity will sign that certificate with its private key

  • Side note: The trusted entity is often called the certificate authority (CA)

18

False; only public keys. Each entity that gets a certificate maintains its own private key.

True or False: the CA maintains public and private keys.

19

Typically coded into OS or software by the vendor.

How do devices get the public keys of the CA in the first place?

20

True

True or False: When a new device/entity is introduced, only that new device/entity and the CA need to be configured with the public key for that node.

21

Public Key Infrastructure (PKI)

The infrastructure supporting the use of public key cryptography

22

False; both internet and IoT

True or False: PKI is only used for the internet web.

23

True (sometimes it's not applicable, but it does use certificates)

True or False: IoT makes use of certificates

24

Internet (web) vs Internet of Things

PKI on the web tends to have well-defined names, i.e. the name of the website. This is not always the case in IoT, e.g. what is the name of a printer?

25

Internet (web) vs Internet of Things

IoT devices may not always have access to the larger Internet for certain operations, e.g. connecting a tablet to a screen

26

Bluetooth

  • Started in the 1990s as a means of connecting peripherals to PCs

  • Characteristics are relatively short range, low power, low data rates

  • Uses unlicensed band

27

Bluetooth

  • Bluetooth can connect more than 2 devices

  • One device is the master, the other devices are slave devices

28

Early version of Bluetooth

Initialization procedures:

1. Create initialization key (Kinit)

2. Create link key (Kab)

3. Authenticate

4. Create encryption key (optional)