
Kevin Harris Singapore 27 March 2008

Highly Efficient Embedded Real-Time Encryption: the BeepBeep Algorithm

Honeywell.com

Embedded Real-Time Cryptography


- The application area
  - Cryptography optimized for embedded, real-time systems such as those used in industrial process control
- The development
  - A new algorithm (called BeepBeep) overcomes the drawbacks of using existing cryptography for real-time systems

2 Document control number

Honeywell Proprietary


Topics
- BeepBeep Technology Overview
- Requirements for Real-Time Cryptography
- Deficiencies of Conventional Encryption for this
- Overview of BeepBeep's Mechanism
- Applications/Market Opportunities
- Development Status
- Inventors
- Other Honeywell Technology Featured Today


BeepBeep Technology Overview


- Real-time cryptography
- Very efficient, very small footprint (compared to AES)
- Particularly good for processors with unsigned integer multiply instruction
- Key evolves continuously, so smaller target for cryptanalysis
- From private sector: no government involvement
- Resistant to massively-parallel special-purpose hardware attacks such as DeepCrack


Requirements for Real-Time Cryptography


- Encryption must add little or nothing to message length
- Encryption must be done extremely fast
  - Average speed does not matter; never exceeding the maximum is critical
- The above must be accomplished by use of very little processing power
- Ditto memory resources: ideally only processor registers
- In retrofit applications, the incremental power requirement must be zero, or very small
- Security time horizon is usually tactical versus strategic
  - Integrity: needed only until next key change
  - Secrecy (depends on type of data)
    - Control: for a few hours
    - Inventory: for a few weeks or months
    - Recipe: for a few decades (but little such data is sent)
- Cryptography needs to be only moderately secure



Email Isn't Distributed, Embedded, Real-Time

                     Email                  Embedded
Processor            Pentium II             DSP and/or µC
Memory               1280 MB                128 KB
Power                200 watts              2 watts
Response Time        Seconds                Milliseconds
Bandwidth            1 - 100 Mbps           1 - 100 Kbps
Message Size         100 Kbytes             10 bytes
Message Variability  Very High              Fixed Rate & Size
Integrity Need       Low                    Very High
Physical Security    Attended               Not Attended
Net Membership       Anybody (Generalize)   Closed (Optimize)
Autonomous           Yes                    No

Approx. 1,000 : 1 Ratio of Resource Usage



Needed Security Communication Capabilities


- Privacy (a.k.a. confidentiality or secrecy): preventing the acquisition of a message's information unless authorized
- Integrity: detecting unauthorized alteration of a message
- Authentication: determining whether a message was prepared and sent by the party from which it claims to originate
- Authorization: granting of a power to do or be something
- Replay Protection: validating message sequencing and timeliness so that prior valid messages cannot be replayed by an attacker at a later point in time to effect the original or similar result
- Key Management: periodic creation, distribution and replacement of communication security keys to
  - Minimize the damage caused by employee or site compromise
  - Prevent accumulation of too much cryptanalysis source material
  - Limit allowed cryptanalysis time
- ComSec Event Monitoring and Alerting: reporting ComSec hazards


Problems in Use of Existing Cryptography


- Relatively slow, particularly on start-up
  - Messages (and sessions) are small; less text to amortize start-up cost
  - Latency (lag) is more important than throughput
  - Only worst-case timing counts; average is unimportant
    - One missed deadline is not helped by finishing early at all other times
  - Systems typically use repeating execution time-slots of fixed size; startup overhead increases size of all time slots
  - Central control changes key for each message (high key agility), which needs a large crypto-cache or (re-)startup cost for each message


Problems in Use of Existing Cryptography


- Uses too much data memory (cache thrashing)
  - Real-time systems are multitasking with many context switches/sec
  - Must assume cache is flushed, S-box accesses are mostly misses
- Consumes additional communication bandwidth
  - Ciphertext must be no bigger than plaintext
- Uses separate secrecy and integrity algorithms (or modes)
  - Makes execution even slower
  - Prevents "lump in the cable" retrofits
- Most real-time cryptography is retrofitted, which exacerbates these problems



Achieving Speed
- Use an efficient stream cipher
- State stays in CPU registers (no RAM used)
- Fix problems with conventional implementations
  - Feedback shift registers are slow in software
    - Invention improves speed by almost 100 times
  - Multiply is slow
    - Becoming faster (from 42 clocks to 1//4 clocks)
    - Invention uses multiply in a powerful new way
  - Conditional jumps are slow on pipelined CPUs
    - Use multiplexor logic instead of conditional jump
        Instead of: if C then Z = A else Z = B
        or:         Z = C ? A : B
        Use this:   Z = ((A xor B) and C) xor B
    - Use unrolled loop to eliminate other jumps
- Speed on Pentium is better than 1 bit per clock
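
The multiplexer identity above, applied to the conditional XOR of a software shift register. This is an added example, not code from the presentation: the 32-bit Galois LFSR, its tap constant and all function names are assumptions chosen for illustration, and the register is an ordinary bit-at-a-time one, not the patented design the slide refers to.

```c
#include <stdint.h>

/* Taps of a 32-bit Galois LFSR (x^32 + x^22 + x^2 + x + 1), picked for
 * this illustration only; the slides do not give BeepBeep's register. */
#define TAPS 0x80200003u

/* Z = ((A xor B) and C) xor B. C must be a full-width mask:
 * 0xFFFFFFFF selects A, 0x00000000 selects B. */
static uint32_t mux32(uint32_t a, uint32_t b, uint32_t c_mask)
{
    return ((a ^ b) & c_mask) ^ b;
}

/* Turn a 0/1 condition into the all-zeros / all-ones mask mux32 needs.
 * Passing the bare 0/1 flag as C would only switch bit 0. */
static uint32_t mask_from_bit(uint32_t bit)
{
    return (uint32_t)0 - (bit & 1u);
}

/* Reference step: conditional jump on the bit shifted out. */
static uint32_t lfsr_step_branch(uint32_t s)
{
    if (s & 1u)
        return (s >> 1) ^ TAPS;
    return s >> 1;
}

/* Same step with the jump replaced by the multiplexer expression. */
static uint32_t lfsr_step_mux(uint32_t s)
{
    uint32_t shifted = s >> 1;
    return mux32(shifted ^ TAPS, shifted, mask_from_bit(s));
}

/* Run both versions from one seed; returns the number of mismatches. */
static unsigned compare_steps(uint32_t seed, unsigned steps)
{
    uint32_t a = seed, b = seed;
    unsigned mismatches = 0;
    for (unsigned i = 0; i < steps; i++) {
        a = lfsr_step_branch(a);
        b = lfsr_step_mux(b);
        mismatches += (a != b);
    }
    return mismatches;
}

int main(void) { return compare_steps(0xACE1ACE1u, 100000u) != 0; }
```

The mux form executes the same instructions whichever way the condition falls, so its timing does not depend on the register contents, which also serves the worst-case-timing requirement stated earlier in the deck.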


BeepBeep Block Diagram

[Block diagram not reproduced. Labels in the figure: lfsr[3], lfsr[2], lfsr[1], lfsr[0] (bit positions 127, 63, 31, 1 and 0 marked); clock; ctl; "step 64 bits"; "odd word"; OR; XOR; "LFSR output selection alternates for each text word" among {lfsr[0], lfsr[2]}, {lfsr[2], lfsr[1]} and {lfsr[1], lfsr[2]}; state; sum; m (upper 32 bits, lower 32 bits); plaintext; ciphertext; encrypt / decrypt.]

Legend: Thick lines are 32 bits. Thin lines are one bit. Dotted lines are control. Bold italics are variables. "+`" is ones complement addition.

Broadcast Authentication
- Real-time and embedded systems cannot afford public key encryption or multiple algorithms for authentication
- Simple symmetric key can't be used because the compromise of any node compromises the whole net
- Solution for simple broadcast commands: use BeepBeep both for encryption and for a one-way function hash
  - At net initialization, the broadcaster sends to each node the result of repeatedly hashing a secret truly random number (the message uses each node's individual key for authentication and integrity)
  - To send an authentic command, a value is broadcast which hashes to the value each node has stored
  - If a node gets a transmission which hashes to its stored value, it performs the command and updates its stored hash value
- Similar to the S/Key one-time password scheme
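
The hash-chain exchange described above, with both the broadcaster and node sides. This is an added example, not code from the presentation: owf() is a placeholder mixing function standing in for the BeepBeep-based hash (which the slides do not specify), and the 64-bit width, the sample secret and all names are assumptions.

```c
#include <stdint.h>

/* PLACEHOLDER one-way function (64-bit mixer plus feed-forward). NOT a
 * vetted hash: it stands in for the BeepBeep-based hash, which the slides
 * name but do not specify. */
static uint64_t owf(uint64_t x)
{
    uint64_t z = x + 0x9E3779B97F4A7C15ull;
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ull;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBull;
    return (z ^ (z >> 31)) ^ x;
}

/* Broadcaster side: hash the secret n times. chain(s, N) is what the nodes
 * get at net initialization; chain(s, N-k) authenticates the k-th command. */
static uint64_t chain(uint64_t secret, unsigned n)
{
    while (n--)
        secret = owf(secret);
    return secret;
}

struct node { uint64_t stored; };

/* Node side: perform the command only if the value hashes to the stored
 * one, then store the new value so the same broadcast cannot be replayed. */
static int node_accept(struct node *nd, uint64_t value)
{
    if (owf(value) != nd->stored)
        return 0;
    nd->stored = value;
    return 1;
}

/* Constructed scenario; bit i of the result is the node's verdict on
 * broadcast i. The secret is a fixed sample value, not a random one. */
static unsigned scenario(void)
{
    const uint64_t secret = 0x0123456789ABCDEFull;
    struct node nd = { chain(secret, 4) };            /* net initialization */
    unsigned r = 0;
    r |= (unsigned)node_accept(&nd, chain(secret, 3)) << 0; /* command 1 */
    r |= (unsigned)node_accept(&nd, chain(secret, 3)) << 1; /* replay of 1 */
    r |= (unsigned)node_accept(&nd, 0xDEADBEEFull) << 2;    /* forged value */
    r |= (unsigned)node_accept(&nd, chain(secret, 2)) << 3; /* command 2 */
    return r;                                               /* 0x9 */
}

int main(void) { return scenario() != 0x9u; }
```

A node that misses one broadcast stays a link behind and rejects every later value, so a deployment needs reliable delivery or a bounded number of extra hashing attempts on the node.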



Benefits (vs AES, on Pentium)


- About 2 times faster for very large messages
- About 40 times faster for small messages
- About half the memory size
- 25 to 200 times faster than 3DES
- Includes integrity with secrecy (increases the above ratios)
  - Allows "lump in the cable" (or dongle) implementations (with possible sub-bit-time latency)
- Several thousand times faster and smaller than public key
- 1:1 byte replacement (to fit existing message sizes)
  - Can eliminate need for the addition of an explicit IV
  - Can incorporate existing CRC or checksum into integrity
- Optimized for CPUs typically found in embedded, real-time, control, and communication systems
- Designed to be resistant to specialized hardware cracking

Simple and Small


BeepBeep's executable code
- One page of C code (half of which is declarations and comments)

  Pentium MMX without explicit IV      419 bytes
  Pentium MMX with explicit IV         484 bytes
  Pentium main loop                    185 bytes
  Motorola HC12 without explicit IV    954 bytes

BeepBeep's data memory

  Pentium MMX                          0 bytes
  Motorola HC12                        28 bytes
  (data stays in registers)


Withstanding Attacks
- Chosen plaintext
  - Generally not feasible; requires such invasive physical access that it would be easier just to read out the key(s)
- Chosen ciphertext
  - Try to send fake messages and watch for response (reaction attack)
  - Integrity mechanism(s) reject most forgeries
  - Bandwidth is so low, only a minuscule amount of data could be sent before source is detected and stopped
- Known plaintext
  - Bandwidth is too low to accumulate many cipher-plain pairs
- Plus Many BeepBeep Defenses against Specific Attacks!



Embedded Real-Time Systems


- SCADA
  - Distribution control: pipelines and electrical power grid
  - Remote management of control systems in petrochemical and power plants
- Access and control of remote sites (homes, buildings): physical security, load shedding, medical equipment
- Radio communications
  - Aircraft
  - Mobile phones
- Low-power/battery-operated devices, scatterable sensors, mines, satellites, intrinsic safety areas
- Real-time multimedia communications


Typical Distributed SCADA System

[Diagram not reproduced. Labels in the figure: Controller, five Modems, four RTUs.]
RTU = Remote Terminal Unit
How do we retrofit security to this system?

Retrofitting Security

Insert crypto dongles
[Diagram not reproduced. Labels in the figure: Controller, five Modems, four RTUs.]

Free Power RS-232 Encryption Modules


- One-square-inch surface-mount board, 3v components
- Single-chip microcomputer:
  - 256 bytes on-chip RAM (can be as small as 32 bytes)
  - 4 kilobytes OTP or flash memory (can be as small as 1 kilobyte)
  - Two UARTs for pass-through communications
  - 8×8 multiply instruction for BeepBeep encryption algorithm
- Serial EEPROM (or part of microcomputer)
  - 256 bytes with page write
- RS-232 interfaces for pass-through functionality
  - 3 inputs, 5 outputs at one connector; 3 outputs, 5 inputs at the other
  - Operating power scavenged from input signals
- Crystal or ceramic resonator
- Status LED (duty cycle limited)


Some Product Developments


- Aviation
  - Encryption of ACARS radio traffic
  - Constraints: bandwidth, real-time multitasking
    - Also memory and execution time for retro-fit applications
  - This application has been cleared for export by BXA
- Home automation and security
  - Secrecy, integrity, authentication, and key management
  - Between central site and residences
  - Constraints: memory, bandwidth, small (8/16 bit) CPU
    - No other algorithm could meet memory constraints
        Limit: 1638 bytes Flash ROM, 50 bytes RAM
        Used:  1628 bytes Flash ROM, 28 bytes RAM
  - This application has been cleared for export by BXA
- Commercial buildings and industrial controls
  - Prototype crypto-dongle developed

Home Automation and Security

[Diagram not reproduced. Labels in the figure: Remote Browser (View or Control), Internet, ISP POP, Internet Interface, Home Controller, In-House Browser, Global Home Server, POTS Modem, Phone or Cable Network, Telephone Network.]



Inventor

Kevin.Driscoll@Honeywell.com +1 612-951-7263
Some applicable Driscoll patents (US numbers):
- 6,804,354 Cryptographic Isolator Using Multiplication
- 6,763,363 Computer Efficient Linear Feedback Shift Register
- 6,760,440 One's [sic] Complement Cryptographic Combiner
- 7,277,543 Cryptographic Combiner Using Two Sequential Non-Associative Operations
Further Patents Pending

Other Honeywell Technology Featured Today

- Fault-Tolerant Ethernet (FTE)
  - Software-only implementation continually checks for all routes
- Genetic Algorithm
  - Optimum network path considering speed, cost, reliability, etc.
- Latency-Controlled Redundant Wireless Routing
  - Automatic determination of alternate routes in noisy networks
- Dynamic Wireless Power Conservation
  - Feedback schemes to minimize power consumption of remote devices

Part of Honeywell's OneWireless Multi-Use Solution for Noisy Environments

Other Honeywell Technology Featured Today


- OPC Server Kit with Time-Out
  - Low-cost development & maintenance plus increased robustness
- OPC Redirection Manager
  - Increased OPC availability
- Visual Query Language (VQL)
  - Drag over waveform to define pattern; VQL searches for matches
- Digital Video Manager (DVM)
  - Uses existing networks to allow remote control of cameras
  - Window on existing operator stations


One-Slide Version


Other Honeywell Technologies Featured Today


- Networking
  - Robustness, e.g., by optimum use of all possible routes
  - Robustness for OPC (OLE for Process Control) networking
- Wireless-Specific
  - Multi-use wireless for noisy environments, e.g., industrial (OneWireless)
  - Robustness and power conservation
- Visual Query Language (VQL)
  - Drag over waveform to define pattern
  - VQL searches vast databases for matches
- Digital Video Manager (DVM)
  - Uses existing networks to allow remote control of cameras
  - Window on existing operator stations