Real-Time Systems. Design Principles for Distributed Embedded Applications. Herman Kopetz. Second Edition (811374), страница 46
Текст из файла (страница 46)
5.6) mathematicalfunction that converts a large variable-sized input string into a fixed size bit-string,called the cryptographic hash value (or for short a hash) under the followingconstraints:lllAn accidental or intentional change of data in the input string will change thehash value.It should be hard to find an input string that has a given hash value.It should be hard to find two different input strings with the same hash value.Cryptographic hash functions are required to establish the authenticity and integrityof a plain text message by an electronic signature.Authentication. Anyone who knows the sender’s public key can decrypt a messagethat is encrypted with the sender’s private key.
If a trusted relationship between thesender’s public key and the identity of the sender has been ascertained, then thereceiver knows that the identified sender has produced the message.Digital signature. If both, the authenticity and integrity of a plain-text messagemust be established, the plain text is taken as the input to a cryptographichash function.
The hash value is then encrypted with the author’s private key togenerate the digital signature that is added to the plain text. A receiver who is inthe possession of the author’s public key must check whether the decryptedsignature is the same bit string as the recalculated hash value of the received text.Privacy. Anyone who uses a receiver’s public key for the encryption of a message canbe sure that only the receiver, whose public key has been used, can decipher themessage.Resource Requirements. The computational effort for cryptographic operationsmeasured in terms of required energy, time and gate count of an implementation depends on the selected algorithm and its implementation. In 2001 theUS National Institute of Standards has selected the AES (Advanced EncryptionStandard) Algorithm as the Federal Information Processing Standard for symmetricencryption.
AES supports key sizes of 128, 192 and 256 bits. Table 6.1 gives anestimate of the resource requirements of different hardware implementations forthe AES. From this table it is evident that there is an important design trade-offbetween required time and required silicon area.1486 DependabilityTable 6.1 Comparison of requirements of different hardware AES implementations (Adaptedfrom Feldhofer et al. [Fel04a])AES 128 encryptionGate equivalentClock cyclesFeldhofer3,628992Mangard10,79964Verbauwhede173,00010The different implementations of the AES algorithm depicted in Table 6.1 showthe tradeoff between silicon area (gate count) and speed (clock cycles) thatapplies to many algorithms.
The resource requirements for public key encryptionare higher than listed in Table 6.1. However, there is a concerted research effortongoing to find resource-aware implementations for public-key cryptography thatuse elliptic curve cryptography [Rom07] in order to deploy public key cryptography in small embedded systems at a reasonable cost. The results of this researchon one side and the progress of the semiconductor industry on the other side willprovide the technical and economic basis for the pervasive use of cryptographyin all but very small embedded systems in the near future.6.2.4Network AuthenticationIn the following section, we outline a sample of a network authentication protocolthat uses public key cryptography to establish the trusted relationship between anew node and its public key.
For this purpose we need the trusted security server.Let us assume all nodes know the public cryptographic key of the security serverand the security server knows the public cryptographic keys of all nodes a priori.If a node, say node A, wants to send a encrypted message to a yet unknownnode, say node B, then node A takes the following steps:1. Node A forms a signed message with the following content: current time, nodeA wants to know what is the public key of node B?, signature of node A. It thenencrypts this message with the public key of the security server, and sendsthe ciphertext message to the security server over an open channel.2.
The security server decrypts the message with its private key and checkswhether the message has been sent recently. It then examines the signatureof the message with the a priori known public key of the signature of node Ato find out whether the contents of the message from node A are authentic.3. The security server forms a response message with the contents: current time,address of node B, public key of node B, signature, encrypts this message withthe public key of node A, and sends this ciphertext message to node A overan open channel.4.
Node A decrypts the message with its private key, checks whether the messagehas been sent recently and whether the signature of the security server isauthentic. Since node A trusts the information of the security server, it now6.2 Information Security149knows that the public key of node B is authentic.
It uses this key to encrypt themessages it sends to B.A network authentication protocol that establishes a secure channel betweentwo nodes by using symmetric cryptography is the aforementioned KERBEROSprotocol [Neu94].6.2.5Protection of Real-Time Control DataLet us assume the following attack model for a real-time process control system inan industrial plant. A number of sensor nodes distributed throughout the plantperiodically send real-time sensor values by open wireless channels to a controllernode which calculates the set points for the control valves. An adversary wants tosabotage the operation of the plant by sending counterfeit sensor values to thecontroller node.In order to establish the authenticity and integrity of a sensor value, a standardsecurity solution would be to append an electronic signature to the sensor valueby the genuine sensor node and to check this signature by the controller node thatreceives the message.
However, this approach would extend the duration ofthe control loop by the time it takes for generating and checking the electronicsignature. Such an extension of the length of the control loop period has a negativeeffect on the quality of control and must be avoided.In a real-time control system, the design challenge is to find a solution thatdetects an adversary without any extension of the duration of the control-loopperiod. The above example shows that the two requirements, real-time performanceand security cannot be dealt with separately in a real-time control system.There are characteristics of real-time control systems that must be consideredwhen designing a security protocol:lllIn many control systems, a single corrupted setpoint value is not of seriousconcern.
Only a sequence of corrupted values must be avoided.Sensor values have a short temporal accuracy (see Sect. 5.4.2) – often in therange of a few milliseconds.The resources of many mobile embedded system, both computational andenergy, are constrained.Some of these characteristics are helpful; others make it more difficult to finda solution.Example: It is possible to take the signature generation and the signature check of realtime data out of the control loop and perform it in parallel. As a consequence, the detectionof an intrusion will be delayed by one or more control cycles (which is acceptableconsidering the characteristics of control system).Further research is needed to find effective protection techniques for real-time dataunder the listed constraints.1506.36.3.16 DependabilityAnomaly DetectionWhat Is an Anomaly?If we look at the state space of real-life embedded systems, we find many examplesthat show a grey zone between the intended (correct) state and an error.
We callstates in this intermediate grey zone between intended and erroneous statesor behavioral patterns an anomaly or an out-of-norm state (see Fig. 6.4). Anomalydetection is concerned with the detection of states or behavioral patterns outside theexpected, i.e., the normal behavioral patterns, but do not fall into the categoryof errors or failures. There are many reasons for the occurrence of anomalies:activities by an intruder to find a vulnerability, exceptional circumstances in theenvironment, user mistakes, degradation of sensors resulting in imprecise sensorreadings, external perturbations, specification changes, or imminent failures causedby an error in the design or the hardware.
The detection of anomalies is important,since the occurrence of an anomaly is an indication that some atypical scenariothat may require immediate corrective action (e.g., the imminent intrusion by anadversary) is developing.Application-specific a priori knowledge about the restricted ranges and theknown interrelationships of the values of RT entities can be used to detect anomaliesthat are undetectable by syntactic methods.
Sometimes these application-specificmechanisms are called plausibility checks.Example: The constraints imposed on the speed of change of the RT entities by the inertiaof a technical process (e.g., change of temperature) form a basis for very effectiveplausibility checks.Plausibility checks can be expressed in the form of assertions to check for theplausibility of an intermediate result or at the end of a program by applying anacceptance test [Ran75]. Acceptance tests are effective to detect anomaliesthat occur in the value domain.Advanced dynamic anomaly detection techniques keep track of the operationalcontext of a system and autonomously learn about the normal behavior inFig.
![](https://s.studizba.com/z.php?f=/templates/si/i/noavatar.png&w=100&h=100&t=1"){kind=avatar}
