O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Measuring the Performance and Energy Cost of Cryptography in IoT Devices

144 visualizações

Publicada em

Communication security technologies, like Transport Layer Security (TLS), are readily available for developers to use to protect their IoT systems. Still, developers are reluctant to use state-of-the-art security technologies due to the impact on performance, code size and RAM, and energy.

What is the impact of encryption algorithms, hash functions, and public key cryptosystems on a specific microcontroller?

Peter Torelli and Hannes Tschofenig introduce a new security benchmark developed by the benchmarking organization EEMBC that allows silicon manufacturers and developers to analyze and select the appropriate microcontroller.

Publicada em: Internet
  • Seja o primeiro a comentar

  • Seja a primeira pessoa a gostar disto

Measuring the Performance and Energy Cost of Cryptography in IoT Devices

  1. 1. Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Measuring the Performance and Energy Cost of Cryptography in IoT Devices Peter Torelli President/CTO EEMBC Hannes Tschofenig Senior Principal Engineer Arm
  2. 2. 2Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Agenda Motivation EEMBC & SecureMark-TLS • Concepts • Setup • Score • Early results Upcoming work
  3. 3. 3Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Why do we care?
  4. 4. 4Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon IoT Devices cannot do state-of-the-art crypto, right? Wrong! We looked at the performance of various state-of-the-art crypto operations on a range of MCUs. • Presented the investigations to the Internet Engineering Task Force (IETF). • Provided input to the 2015 NIST workshop on lightweight cryptography. Hope was that others (e.g., researchers) help analyse the performance on other MCUs and do additional tests.
  5. 5. 5Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Some time later… Unfortunately, there was more interest in inventing new algorithms (“lightweight crypto” and in “Post-Quantum Crypto”) than in analysing today’s algorithms on off-the-shelf hardware. Often published results are referring to estimates and simulations rather than measured performance. We cannot run the tests on the wide range of MCUs from different vendors ourselves. Did we reach a dead end?
  6. 6. 6Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon IoT security desperately needed IoT devices comprise an enormous attack surface and ever-increasing list of attacks against IoT devices published. Best current practice recommendations from various organizations (including ENISA, the GSMA, or OWASP) recommend utilizing state-of-the-art crypto, including Transport Layer Security (TLS) for protecting communication. How do developers ascertain both the power and performance costs of implementing crypto, and particularly TLS, in their design for different configurations of hardware and software?
  7. 7. 7Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Embedded Microprocessor Benchmark Consortium (EEMBC) to the rescue
  8. 8. 8Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Embedded Microprocessor Benchmark Consortium (EEMBC) It turns out that there is an organization that develops benchmarks for processors and MCUs. It has been doing this since the late ‘90s. For example, CoreMark is a benchmark that measures the performance of CPU used in embedded systems. EEMBC has established groups working on benchmarks for IoT:
  9. 9. 9Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon
  10. 10. 10Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon SecureMark-TLS is a synthetic benchmark that models a TLS handshake without actually running the handshake. Starting point is the TLS_ECDHE_ECDSA_WITH_AES_128_CCM ciphersuite. It measuring the performance and power consumption. It does this using the IoTConnect framework: a physical test harness and a firmware API that enables a wide variety of energy and performance benchmarking capabilities The firmware API is generic enough to facilitate the use of different software and hardware implementations of cryptographic functions and primitives. The reference implementation uses Mbed TLS for crypto.
  11. 11. 11Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Full TLS handshake ServerClient ClientHello ServerHello, Certificate, ServerKeyExchange, CertificateRequest, ServerHelloDone Certificate, ClientKeyExchange, CertificateVerify, [ChangeCipherSpec], Finished [ChangeCipherSpec], Finished Application Data Focused on • Mutual, public key based authentication • ECC crypto with NIST P256r1 curve • Flat certificate hierarchy • AES-128-CCM Legend: *: optional message []: Not a handshake message.
  12. 12. 12Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon TLS Handshake Crypto-primitive Analysis Map State Name # client hello 1 server hello 2 certificate 3 server key exchange 4 certificate request 5 server hello done 6 certificate 7 client key exchange 8 certificate verify 9 change cipher spec 10 finished 11 change cipher spec 12 finished 13 Handshake State # Primitive Usage 1 2 3 4 5 6 7 8 9 10 11 12 13 AES ECB / ENC AES ECB / ENC AES ECB / ENC AES GCM / DEC AES GCM / ENC ECDH ECDSA.SIGN ECDSA.VERF SHA256 SHA256 SHA256 SHA256 SHA256 SHA256 SHA256 SHA256 SHA256 Evaluated “states” of the reference implementation  13 The benchmark measures the TLS handshake crypto cost and speed without time-consuming setup of an actual client & server! Figure: State Names Figure: Primitive load per state (a gray box indicates a context for that primitive is active)
  13. 13. 13Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon The IoTConnect Framework Extensible framework with nano- Joule accuracy, wired and wireless interfaces, with a hardware setup cost of <US$200* * Note, this is the cost of the hardware from 3rd parties (e.g., Digikey, Farnell). Host software and DUT benchmark firmware licensed separately from EEMBC directly. ** Radio manager not required for SecureMark or ULPMark Device Under Test (DUT) BLE ZigBee LoRa thread 802.11x Host System I2C SPI GPIO UART IO Manager Energy Monitor Radio Manager**
  14. 14. 14Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Actual Hardware Build The DUT (center) is powered by the energy monitor (left). The IO Manager (left, under EMON) acts as both sensor emulation and communication proxy. The Radio Manager (right) acts as the wireless gateway (not needed for SecureMark) The Host (not shown) coordinates all four subsystems.
  15. 15. 15Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon One Framework, Many Benchmarks Deploying one extensible framework keeps the environment consistent between new benchmarks. Same UI, same firmware pattern, same hardware connectivity reduces engineering effort to port new hardware.
  16. 16. 16Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Application Programming Interface Generic API for talking to host software via UART (3 functions) Benchmark-specific profile for executing content (~6 functions per 5 primitives: SHA256, ECDH, ECDSA, AES/ECB, AES/CCM) Ported to ARC SSL (Synopsys), mbedTLS, STMicro Crypto32 software and STMicro hardware AES acceleration
  17. 17. 17Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Benchmark composition SecureMark = inverse sum of energy x scale factor => single integer score representing TLS energy efficiency (bigger is better) Performance and power also provided as part of analysis Deep dive into zoomable energy graph
  18. 18. 18Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Incremental porting processes makes bring-up easy… Creating and submitting SecureMark-TLS scores Port UART interface Port Crypto API Optimize Score Setup H/W Submit Score
  19. 19. 19Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Preventing “cheating” Randomize Keys + Check Results • Before testing the Host UI provides random keys and pre-generated plaintext / cyphertext • After testing the expected responses are compared by the Host • No way to fake performing the operation Disclosures + Certification + Community Policing • Submitted scores must appear on website (legal requirement for licensees) with disclosure • Certified scores are highest quality: EEMBC internally reviews source code and makes it available to members • Members often reproduce competitor’s scores: disabling a hardening feature for a better score would be exposed
  20. 20. 20Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon First results and observations
  21. 21. 21Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon The first published SecureMark-TLS score! https://www.eembc.org/securemark/scores.php Detailed results include information about • Compiler, linker, and toolchain • Crypto library (mbedTLS 5.4.0) plus security-relevant optimizations, and • Detailed energy and performance subscores for AES ECB Encrypt, AES CCM Encrypt/Decrypt, ECDH p256r1, ECDSA p256r1 Sign & Verify, and SHA256. • For example: The ECDSA sign operation takes 438 msec and the verify operation needs 1500 msec
  22. 22. 22Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon First SecureMark-TLS Results, Overall Comparing two platforms (Plat A/B) and two libraries (Lib A/B) Platform A has no hardware acceleration Platform B has full hardware acceleration Lib A’ uses compiler optimizations Acceleration clearly rewarded 0 2000 4000 6000 8000 10000 12000 Plat A, Lib A Plat A, Lib A' Plat A, Lib B Plat B, Lib A Plat B, Accelerated SecureMark-TLS Prelimanary Scores 1200 1300 1400 1500 1600 Plat A, Lib A Plat A, Lib A' Plat A, Lib B
  23. 23. 23Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon First SecureMark-TLS Results, per Primitive Class Zooming in on energy costs relative to baseline Enormous gains in energy efficiency using dedicated hardware Library and compiler options vary 0.0 0.5 1.0 1.5 2.0 2.5 AES ECB AES CCM SHA ECDH ECDSA Energy Cost per Platform Relative to Platform A, Library A Plat A, Lib A Plat A, Lib A' Plat A, Lib B Plat B, Lib A Plat B, Accelerated
  24. 24. 24Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Summary and next steps
  25. 25. 25Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Summary With SecureMark-TLS we created the first IoT security benchmark. It will help developers and designers to know upfront what performance and power consumption to expect from a given MCU for state-of-the-art crypto • High level score available for easy comparison • Detailed data within the disclosure form Details to be found at www.eembc.org/securemark
  26. 26. 26Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon Next steps EEMBC is ready to receive score submissions This was the first version of the SecureMark-TLS benchmark. We are not standing still and have started to brainstorm about the direction this could go. Performance scoring of SecureMark-TLS Possible work areas: RAM consumption, additional algorithms and … Join us in EEMBC or help submit new scores
  27. 27. 27Copyright © 2018 Arm TechCon, All rights reserved. #ArmTechCon 27 Acknowledgments go to the members of the EEMBC SecureMark working group, particularly the chairs Mike Borza and Ruud Derwig. Thank you!

×