Abstract
The aim of this chapter is to give a thorough overview of secure remote reconfiguration technologies for wireless embedded systems, and of the communication standard commonly used in those systems. In particular, we focus on basic security mechanisms both at hardware and protocol level. We will discuss the possible threats and their corresponding impact level. Different countermeasures for avoiding these security issues are explained. Finally, we present a complete and compact solution for a service-oriented architecture enabling secure remote reconfiguration of wireless embedded systems, called the STRES system.
Top1. Introduction
The broad diffusion of different wireless technologies like WiFi (Wireless Fidelity), GPRS (General Packet Radio Services), EDGE (Enhanced Data Rates for GSM Evolution), UMTS (Universal Mobile Telecommunication Systems), Zigbee, Bluetooth, etc. has prompted a wide interest in remote reconfiguration and remote monitoring of wireless embedded systems in several industrial environments such as car-manufacturers, health-care, the financial sector and the entertainment industry.
Three main features are desirable in a state-of-the-art wireless embedded system: remote status checking, remote problem solving and remote upgradeability. It is, however, important that these remote techniques are reliable, have a low integration cost and are sufficiently secure. The reconfiguration or update of such embedded wireless systems can imply a change either in the system’s software or in its reconfigurable hardware. The wireless nature of such kind of embedded systems makes them extremely prone to security threats. For this reason, the reconfiguration schemes must be designed very carefully, taking into account all kind of possible threats and attack schemes. Unfortunately, the increase in security can be achieved at the cost of an increased hardware complexity, which in embedded and cost-constrained systems is, most of the times, unaffordable. This brings up some key issues in the design of a wireless reconfigurable embedded system, since a new design constraint must be considered and part of the design efforts must be devoted to trade off security for cost.
We first give a thorough overview of remote reconfiguration technologies for wireless embedded systems and of the communication standard commonly used in those systems. Basic security mechanisms both at hardware and protocol level will be carefully reviewed and explained, putting particular emphasis on the possible threats and their impact level.
Protection at protocol level is necessary due to the fact that many off-the-shelf state-of-the-art communication modules provide little or poor protection against wireless security threats with respect to confidentiality and authentication of the configuration data. Some schemes propose to encrypt and to authenticate the bitstream to thwart security attacks but this does not prevent the replay of old bitstream versions. In fact, wireless embedded systems are particularly vulnerable to man-in-the-middle (MITM) attacks performed over the network while the system is being monitored or reconfigured. A MITM attack is a form of active eavesdropping in which the attacker establishes independent connections with the victim nodes and forwards messages between them, making them believe that they are communicating directly to each other over a private connection. As a consequence, it is necessary to develop a protection layer on top of the provided communication stack dealing with, confidentiality and authentication between three entities: user, embedded system, and service provider for updates and status monitoring. A cross-layer system-wide design approach is often required to cope with the demand for a low-cost implementation and secure wireless remote reconfigurability. An overview of different types of protocols is presented. Also a short discussion on the used algorithms is given.
Key Terms in this Chapter
Semi-Invasive Attack: A category of attacks on a cryptographic device with the goal to reveal its secret key. In this type of attacks, the attacker can also have direct electrical access to the internal components, but with the restriction that no damage to the system is allowed.
Invasive Attack: A category of attacks on a cryptographic device with the goal to reveal its secret key. In this type of attacks, the attacker can have direct electrical access to the internal components by physically probing the system’s components using simple or high-tech techniques.
Confidentiality: Confidentiality is the property that ensures the accessibility of information only for authorized persons.
Remote Reconfiguration: Remote reconfiguration is a technique which allows reprogramming or reconfiguring a system remotely.
FPGA: An FPGA (field programmable gate array) is a reconfigurable digital device containing programmable logic components called logic blocks, and a hierarchy of reconfigurable interconnects that wire the blocks together.
Man In The Middle (MITM) Attack: A MITM attack is a form of active eavesdropping in which the attacker establishes independent connections with the victim nodes and forwards messages between them, making them believe that they are communicating directly to each other over a private connection.
Symmetric Key Cryptography or Secret Key Cryptography: In symmetric key cryptography, the algorithms for encryption and decryption make use of the same key. Consequently, both sender and receiver share the same key that is agreed before communication.
Authentication: Authentication is the property that something (authentication of data) or someone (authentication of entity) can prove what or who it is declared to be.
Asymmetric Key Cryptography or Public Key Cryptography: In asymmetric key cryptography, the algorithms for encryption and decryption make use of a different key, called the private and public key respectively. Consequently, each user possesses a pair of keys: the private key that is kept secret and the public key that may be widely distributed. The algorithms are based on one way functions, i.e. functions that are only easy to evaluate if some trapdoor information is known.
Side-Channel Attack: A category of attacks on a cryptography device with the goal to reveal its secret key. The attacker tries to discover certain patterns in the system by analysis of information gained from the physical implementation of the system. This information might be for example, timing analysis, power consumption, electromagnetic leaks or even sound.