jaseg/safety-reset
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ma: Fix Björn's remaining comments from 2020-05-13

Browse source 
...and add some anderson references
This commit is contained in:
jaseg 2020-05-25 20:31:40 +02:00
parent 0c58d4a315
commit a4559b89ff
2 changed files with 88 additions and 54 deletions
Download patch file Download diff file Expand all files Collapse all files

25
ma/safety_reset.bib
View file

@ -1282,7 +1282,7 @@
@Misc{ukgov02,
date = {2014},
title = {Smart Metering Implementation ProgrammeSmart Metering Equipment Technical Specifications},
title = {Smart Metering Implementation Programme: Smart Metering Equipment Technical Specifications},
url = {https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/381535/SMIP_E2E_SMETS2.pdf},
urldate = {2020-05-18},
version = {1.58},
@ -1529,4 +1529,27 @@
year = {2005},
}
@Book{anderson02,
author = {Ross J. Anderson},
date = {2020},
title = {Security engineering},
edition = {3rd},
note = {Preview of upcoming edition},
publisher = {Wiley},
subtitle = {A guide to building dependable distributed systems},
url = {https://www.cl.cam.ac.uk/~rja14/book.html},
urldate = {2020-05-25},
}
@Article{anderson03,
author = {R. J. {Anderson} and S. J. {Bezuidenhoudt}},
title = {On the reliability of electronic payment systems},
doi = {https://doi.org/10.1109/32.502222},
number = {5},
pages = {294-301},
volume = {22},
journal = {IEEE Transactions on Software Engineering},
year = {1996},
}
@Comment{jabref-meta: databaseType:biblatex;}

117
ma/safety_reset.tex
View file

@ -374,8 +374,8 @@ before. One often-cited one is utilizing the new high-resolution load data to im
greater generation efficiency. Computerizing the meter also allows for new fee models where electricity cost is no
longer fixed over time but adapts to market conditions. Models such as prepayment electricity plans where the customer
is automatically disconnected until they pay their bill are significantly aided by a fully electronic system that can be
controlled and monitored remotely. A remotely controllable load switch can also be used to coerce customers in
situations where that was not previously economically possible\footnote{
controlled and monitored remotely\cite{anderson02}. A remotely controllable load switch can also be used to coerce
customers in situations where that was not previously economically possible\footnote{
The swiss association of electrical utility companies in sec.\ 7.2 par.\ (2)a of their 2010 whitepaper on the
introduction of smart metering\cite{vseaes01} cynically writes that remotely controllable load switches ``lead a new
tenant to swiftly register'' with the utility company. This whitepaper completely vanished from their website some
@ -487,19 +487,20 @@ technician smart meters have ushered in an era of frictionless control\footnote{
user inserts coins into a coin slot that activates a load switch at the household's main electricity connection.
These systems were non-networked and did not allow for remote control. A disadvantage of such systems compared to
modern \emph{smart} systems are the high cost of the coin acceptor and the overhead of site visits required to empty
the coin box. % FIXME nice citation
the coin box\cite{anderson02}.
}.
\subsection{Cryptographic coprocessors}
Just like in legacy electricity meters in smart meters physical security is still a key component of the overall system
design. Since in both types of meter cost depends on physical quantities being measured at the customer premises
customers can save cost in case they are able to falsify the meter's measurements without being detected. For this
reason both types of meters employ countermeasures against physical intrusion. Compared to high-risk devices such as
card payment processing terminals or ATMs the tamper proofing used in smart meters is only basic. Common measures
include sealing the case by irreversibly ultrasonically welding front and back plastic shells together or the use of
security seals on the lid covering the input/output screw terminals. Low-tech attacks using magnets to saturate the
current transformer's ferrite cores are detected using hall sensors\cite{itron01,hager01,easymeter01}.
customers can save cost in case they are able to falsify the meter's measurements without being
detected\cite{anderson02}. For this reason both types of meters employ countermeasures against physical intrusion.
Compared to high-risk devices such as card payment processing terminals or ATMs the tamper proofing used in smart meters
is only basic\cite{anderson02}. Common measures include sealing the case by irreversibly ultrasonically welding front
and back plastic shells together or the use of security seals on the lid covering the input/output screw terminals.
Low-tech attacks using magnets to saturate the current transformer's ferrite cores are detected using hall
sensors\cite{anderson02,anderson03,itron01,hager01,easymeter01}.
German smart metering standards are unique in that they specify the use of a smartcard-like security module to provide
transport encryption and other cryptographic services\cite{bsi-tr-03109-2,bsi-tr-03109-2-a}.
@ -610,14 +611,14 @@ billing irregularities.
The UK is currently undergoing a smart metering rollout. Meters in the UK are nationally standardized to provide both
Zigbee ZSE-based and IEC DLMS/COSEM connectivity. UK smart metering specifications are shared between electrical and gas
meters. Different to other countries' specifications the UK national specifications require electrical meters to have an
integrated load switch and gas meters to have an integrated valve. In the UK a significant number of consumers are
subject to prepaid electricity contracts. Prepayment and credit functionality are also specified in the national smart
metering standard, as is remote firmware update functionality. Outside communications in these standards is performed
through a gateway (there called \emph{communications hub}) that can be shared between several meters
\cite{ukgov01,ukgov02,ukgov03,brown01,sato01}. The combination of both gas and electricity metering into one family of
standards and the exceptionally large set of \emph{required} features make the UK regulations the maximalist among the
ones in this section. The mandatory inclusion of both load switches and remote connectivity up to remote firmware update
make it an interesting attack target.
integrated load switch and gas meters to have an integrated valve. In Northern Ireland most consumers use prepaid
electricity contracts\cite{anderson02}. Prepayment and credit functionality are also specified in the UK's national
smart metering standard, as is remote firmware update functionality\cite{ukgov02}. Outside communications in these
standards is performed through a gateway (there called \emph{communications hub}) that can be shared between several
meters \cite{ukgov01,ukgov02,ukgov03,brown01,sato01}. The combination of both gas and electricity metering into one
family of standards and the exceptionally large set of \emph{required} features make the UK regulations the maximalist
among the ones in this section. The mandatory inclusion of both load switches and remote connectivity up to remote
firmware update make it an interesting attack target.
\subsubsection{Italy}
@ -748,7 +749,7 @@ that is frequently cited in utility industry publications outside of a general p
electricity theft\cite{czechowski01}. Academic papers tend to either focus on other benefits such as generation
efficiency gains through better forecasting or try to rationalize the funamentally anti-consumer nature of smart
metering with strenuous claims of ``enormous social benefits''\cite{mcdaniel01}. Academics rarely point out the large
economical incentive such \emph{revenue protection} mechanisms provide\cite{anderson01}.
economical incentive such \emph{revenue protection} mechanisms provide\cite{anderson01,anderson02}.
This thesis will entirely focus on grid stability and discard electricity theft. For the attack scenarios we lay out
billing inaccuracies of utility companies are of very low urgency compared to grid stability. In fact stability is a
@ -793,8 +794,8 @@ this produces a high cost pressure on the software development process for smart
\subsection{The state of the art in embedded security}
Embedded security generally is much harder than security of higher-level systems. This is due to a combination of the
unique constraints of embedded devices (hard to update, usually small quantity) and their lack of capabilities
Embedded software security generally is much harder than security of higher-level systems. This is due to a combination
of the unique constraints of embedded devices (hard to update, usually small quantity) and their lack of capabilities
(processing power, memory protection functions, user interface devices). Even very well-funded companies continue to
have serious problems securing their embedded systems. A spectacular example of this difficulty is the recently-exposed
flaw in Apple's iPhone SoC first-stage ROM bootloader\footnote{
@ -1506,7 +1507,7 @@ error-correcting codes and we had no particular difficulty finding either.
\subsection{Cryptographic security}
\label{sec-crypto}
Informally the system we are looking for can be modelled as consisting of three parties: The trusted
Informally the system we are looking for can be modelled as consisting of three parties: the trusted
\emph{transmitter}, one of a large number of untrusted \emph{receivers}, and an \emph{attacker}. These three play
according to the following rules:
@ -1519,31 +1520,36 @@ according to the following rules:
public key fingerprints.
\end{description}
We are not interested in congestion scenarios where an attacker attempts to disrupt an ongoing transmission. In practice
there are several avenues to prevent such attempts. Compromised loads that are being abused by the attacker can be
manually disconnected by the utility. Error-correcting codes can be used to provide resiliency against small-scale
disturbances. Finally, the transmitter can be designed to have high enough power to be able to override any likely
attacker.
We are not considering situations where an attacker attempts to jam an ongoing transmission. In practice there are
several avenues to prevent such attempts. Compromised loads that are being abused by the attacker can be manually
disconnected by the utility. Error-correcting codes can be used to provide resiliency against small-scale disturbances.
Finally, the transmitter can be designed to have high enough power to be able to override any likely attacker.
Our goal is to find a cryptographic primitive that has the following properties:
\begin{enumerate}
\item The transmitter can produce a message bit sequence $\mathbf{s}$ that a subset of receivers can identify
as being generated by the transmitter: $\mathcal{R}\left(\mathbf{s}\right) = 1$. On reception of this sequence,
all addressed receivers performs a safety reset.
\item The attacker cannot forge $\mathbf{s}$, i.e.\ find $\mathbf{s}'$ such that
$\mathbf{s} \neq \mathbf{s}' \land \mathcal{R}\left(\mathbf{s}'\right) = 1$
\item Our system conforms to an at-most-once semantic. This means upon transmission of a valid bit sequence coded
for a set of receivers each one either performs exactly one safety reset or none at all. We cannot achieve an
exactly-once semantic since we are using an unidirectional lossy communication primitive. A receiver might be
offline (e.g.\ due to a localized power outage) and then would not hear the transmission even if our broadcast
primitive was reliable. Since there is no back-channel, the transmitter has no way of telling when that happens.
The practical impact of this can be mitigated by the transmitter by repeating the transmission a number of
times.
\item The message should be short. Our communications channel is outrageously slow compared to anything else used in
modern telecommunications and every bit counts.
\end{enumerate}
\begin{description}
\item[Authenticity.] The transmitter can produce a message bit sequence that a subset of receivers can identify as
being generated by the transmitter. On reception of this sequence, all addressed receivers perform a safety
reset.
\item[Unforgeability.] The attacker cannot forge a message, i.e.\ find a bit sequence other than one of the
transmitter's previous messages that a receiver would accept. This implies that the attacker also cannot modify
an existing message.
\item[Brevity.] The message should be short. Our communications channel is outrageously slow compared to anything
else used in modern telecommunications and every bit counts.
\end{description}
Along with the indistinguishability property the first requirement implies that we need a cryptographic
On a protocol level we also have to ensure \emph{idempotence}. Our system should have an at-most-once semantic. This
means for a given message each receiver either performs exactly one safety reset or none at all, even if the message is
re-transmitted by either the transmitter or an attacker. We cannot achieve the ideal exactly-once semantic wit pure
protocol gymnastics since we are using an unidirectional lossy communication primitive. A receiver might be offline
(e.g.\ due to a local power outage) and then would not hear the transmission even if our broadcast primitive was
reliable. Since there is no back-channel, the transmitter has no way of telling when that happens. The practical impact
of this can be mitigated by the transmitter by repeating the transmission a number of times.
It follows from the unforgeability requirement that we can trivially reach idempotence at the protocol level by keeping
a database of all previous messages and only accepting \emph{new} messages. By considering this in our cryptographic
design we can reduce the storage requirement for this ``database''.
Along with the indistinguishability property the access requirement implies that we need a cryptographic
signature\cite{lamport01}. However, we have relaxed constraints on this signature compared to cryptographic practice.
While cryptographic signatures need to work over arbitrary inputs, all we want to ``sign'' here is the instruction to
perform a safety reset. This is the only message we might ever want to transmit so our message space has only one
@ -1564,7 +1570,7 @@ the transmitter transmits and replay that same sequence later. Even without cryp
attacker from violating the at-most-once criterion. If every receiver memorizes all bit sequences that have been
transmitted so far it can detect replays. With this mitigation by replaying an older authentic transmission an attacker
can cause receivers that were offline during the original transmission to reset at a later point. Considering our goal
is to reset them in the first place this should not pose a danger to the system's safety or security.
is to reset them in the first place this should not pose a threat to the system's safety or security.
A possible scenario would be that an attacker first causes enough havoc for authorities to trigger a safety reset. The
attacker would record the trigger transmission. We can assume most meters were reset during the attack. Due to this the
@ -1584,9 +1590,10 @@ comparatively high computational effort required for signature verification woul
several minutes anyway and we can afford to spend some tens of seconds even in signature verification. Transmission
length and by proxy system latency would be determined by the length of the signature. For RSA signature length is the
modulus length (i.e. larger than \SI{1000}{bit} for very basic contemporary security). For elliptic curve-based systems
signature size is approximately twice the curve length (i.e. $\SI{\approx 300}{bit}$ for contemporary security).
Thanks to our unique setting we can do better than this. We can exploit that our effective message entropy is 0 bit to
derive a more efficient scheme.
curve length is approximately twice the security level and signature size is twice the curve length because two curve
points need to be encoded\cite{anderson02}. For contemporary security this results in more than 300 bit transmission
length. Thanks to our unique setting we can do better than this. We can exploit that our effective message entropy is 0
bit to derive a more efficient scheme.
\subsubsection{Lamport signatures}
@ -1645,27 +1652,31 @@ construction. To prevent an attacker from re-triggering a receiver a second time
all receivers have to blacklist any ``used'' $\sigma$. Alas, this means we can only ever trigger a receiver \emph{once}.
The good part is that any receiver that missed this trigger can still be triggered later, but the bad part is that once
$s$ is burned we are out of options. The trivial solution to this would be to simply inform each receiver with a whole
list of public keys in advance. This however takes $n$ times the amount of space for $n$-fold retriggerability. Luckily
we can easily derive a scheme that yields $n$-fold retriggerability while using no more same space than the original
scheme by taking some inspiration from Winternitz signatures above.
list of public keys in advance. This however takes $n$ times the amount of space for $n$-fold retriggerability and we
have to memorize separately for each one whether it has been used up. Luckily we can easily derive a scheme that yields
$n$-fold retriggerability and naturally memorizes replay state while using no more same space than the original scheme
by taking some inspiration from Winternitz signatures above.
In this scheme the secret key $s$ is still a random bit string. The public key is $p = H^n(s)$ for n-times
In this scheme the secret key $s$ is still a random bit string. The public key is $p = H^n(s)$ for $n$-times
retriggerability. The $i$-th time the trigger is activated, $\sigma_i = H^n-i(s)$ is published, and every receiver can
verify that $\sigma_{i-1} = H\left(\sigma_i\right)$ with $\sigma_0 = p$. In case a receiver missed one or more previous
triggers it can simply continue computing $H\left(H\left(\sigma_i\right)\right)$ and
triggers it continues computing $H\left(H\left(\sigma_i\right)\right)$ and
$H\left(H\left(H\left(\sigma_i\right)\right)\right)$ until either reaching the $n$-th recursion level (indicating an
invalid signature) or finding $H^n\left(\sigma_i\right) = \sigma_j$ with $sigma_j$ being the last signature this
receiver recorded, or $p$ in case there is none.
This scheme provides replay protection through receiver memorizing the last signature they activated to. Public key
length is equal to the length of the hash function $H$ used. Even for our embedded systems use case $n$ can
realistically be up to $\mathcal O\left(10^3\right)$, which is easily enough for our application.
realistically be up to $\mathcal O\left(10^3\right)$, which is easily enough for our purposes.
The ``disarm'' message we discussed above can be integrated into this scheme by encoding the ``enable'' bit into the
least significant bit of $n$ in our $H^n$ construction. In the chain of valid signatures every second one would be a
disarm signature. Reset and disarm signatures would alternate in this scheme. By skipping a disarm signature two resets
can still be triggered directly after one another.
% FIXME diagram
% FIXME include domain mechanism
\chapter{Practical implementation}
To validate the practical feasibility of the theoretical concepts we laid out in the previous chapter we decided to