INTEGRATION OF HARDWARE SECURITY MODULES INTO A DEEPLY EMBEDDED TLS STACK
DOI: https://doi.org/10.47839/ijc.15.1.827
Keywords: hardware security module, HSM, Transport Layer Security, embedded systems, cryptography, hardware acceleration, Internet of Things
Abstract
The Transport Layer Security (TLS) protocol is a well-established standard for securing communication over insecure links, providing a VPN-like secure channel for a single transport-layer (layer-4) connection. TLS is widely used in the classical Internet. With the advances of the Internet of Things (IoT) there is an increasing need to secure communication on resource-constrained embedded devices. On these devices, computing complex cryptographic algorithms is costly, and sensor nodes are additionally exposed to attackers with physical access. Cryptographic acceleration and hardware security modules (HSMs) are possible solutions to these two challenges: an accelerator speeds up the computation, and an HSM keeps private keys out of reach of an attacker who holds the node. Using specialized cryptographic modules for TLS is not new. However, there are still few hardware security modules suitable for use on microcontrollers in sensor networks. We therefore present an overview of HSM and TLS solutions along with sample implementations, and share recommendations on how to combine the two.
License
International Journal of Computing is an open access journal. Authors who publish with this journal agree to the following terms:
• Authors retain copyright and grant the journal right of first publication, with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
• Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
• Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.