Devices, Automation and Security

Transcript: Devices, Automation and Security

K21 and Automation System Architecture
Matthew Burnside
[email protected]
MIT Laboratory for Computer Science
January 8, 2002
Jointly with: Dwaine Clarke, Todd Mills, Ali Tariq
Overview
• Problem
• Naïve Solution
• Our Solution
  – 3 Layers
  – 2 Protocols
    • Device-Proxy protocol
    • Proxy-Proxy protocol
Problem Description
How to interconnect securely?
[Diagram: a camera, a coffee maker, a printer and a lamp, with a question mark where the secure interconnection should be.]
Security Goals
• Identification and authentication of resources
  – What is this thing, and is it really what it says it is?
  – E.g., printers, light bulbs, speakers, coffee makers, etc.
• Secure communication with resources
  – E.g., I don’t want anyone to know I am watching “Jerry Springer”
• Provide usage/access permissions
  – Access Control Lists (ACLs) for most resources
The Naïve Solution
• Each device has a public key/private key pair.
• Communication to the device is encrypted with its public key
  – and signed with the private key of the initiator
• Each transaction goes through a server
• Servers maintain ACLs for each device.
  – A centralized, secure server handles all the traffic
Issues to Remember
• Devices are dumb.
  – No public-key crypto on a light bulb.
• Centralization is not necessarily a good idea
  – Problems with scalability and fault tolerance.
  – Makes ACL maintenance difficult.
Our System
• Three layers
  – Security
  – Routing and Naming
  – Device communication
[Diagram: the three layers stacked (Security on top, Routing and Naming, Device communication at the bottom), with Scripting alongside.]
• Modular architecture
  – Layers can be implemented differently without affecting others
Event-Based Communication
• All messages are passed in the form of events.
• <STATUS_CHANGE_EVENT, light_bulb=on>
• <COMMAND_EVENT, play_tape=true>
Layer 1: Device Communication
[Diagram: each device has a wireless transceiver and talks to a proxy gateway (wireless transceiver plus Ethernet card), which reaches the proxies over UDP/IP. A device may also contain a Cricket listener.]
• One proxy for every device.
• Each device may have a unique interface to its proxy.
Proxy
• Software representation of the device.
• Translates device actions into events other proxies can interpret (and vice versa).
• Device security handled here; proxy runs on a trusted computer.
Example: Information Appliance
[Diagram: a VCR exchanges commands and status with its VCR Proxy over wireless communication.]
The proxy has an ACL that limits who can control the VCR.
Example: Location-aware Mobile Speaker
[Diagram: a speaker with a Cricket listener exchanges location and audio data with its Speaker Proxy over wireless communication.]
Speaker can behave differently based on its location (which is only known to its proxy).
Example: Badge (Key21) Device
• A repository for someone’s cryptographic key
• Has understanding of Location
• Wireless communication (explained later on)
[Diagram: the Key21 badge, with a Cricket listener, communicates wirelessly with its proxy.]
The proxy has an ACL that limits who else is allowed to know the person’s location.
Automation Scripts
• Each proxy can run multiple scripts.
• Each script generates new events based on input events.
• For example:
  – ‘Matt has walked into the room’ → Turn on light
  – ‘It’s 6am and it’s a workday’ → Turn on the coffee machine
Layer 2: Routing/Naming Network
[Diagram: two proxy farms, each holding a K21 proxy, a scripting proxy and a device proxy, connected through the Routing/Naming Network.]
Example: user wants to play a tape
[Diagram: the Play Tape command issued from the K21 proxy goes through name resolution and routing in the network, reaching the scripting proxy and the device's proxy.]
Naming
• Distributed network of name resolvers/routers
• INS-style names:
  – [id=spk03 [loc=ne43-226] [devtype=speaker]]
  – [id=* [loc=ne43-226] [devtype=speaker]]
  – [id=* [loc=ne43-226] [devtype=*]]
Layer 3: Proxy-Based Security
[Diagram: a K21 talks to its proxy with the Device-to-Proxy Security Protocol; proxies talk to each other across the Naming/Routing Network with the Proxy-to-Proxy Security Protocol.]
The two-protocol architecture allows simple devices to have a simple protocol, and complex devices to have a sophisticated protocol.
Device-Proxy Security
[Diagram: the K21 (with a Cricket listener) sends its location to the K21 Proxy over secure wireless communication.]
Secure Communication
1. Device-dependent protocol.
2. Device and Proxy share 128-bit symmetric keys.
3. Communication between device and proxy is encrypted and MAC’d.
4. Sequence numbers used for protection against replay attacks.
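A worked example of the shared-key device-to-proxy channel described in points 2 through 4, added here and not the K21 project's own code. The talk leaves the cipher device-dependent, so this example assumes AES-128-GCM (one shared 128-bit key providing both encryption and the MAC tag), the 8-byte big-endian sequence number as GCM nonce and as authenticated associated data, a message layout of sequence number followed by ciphertext and tag, and a constructed sample key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// ConstructedKey is a sample 128-bit key; each real device/proxy pair shares its own.
var ConstructedKey = []byte("k21-demo-aes-key")
// Endpoint is one side (device or proxy) of the shared-key channel.
type Endpoint struct {
	aead             cipher.AEAD
	sendSeq, recvSeq uint64 // last sequence number sent / accepted
}
func NewEndpoint(key []byte) *Endpoint {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a mis-sized key gets here
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Endpoint{aead: aead}
}
// nonce pads the 8-byte seq to GCM's 12-byte nonce; seqs never repeat, so nonces never repeat.
func nonce(seq []byte) []byte { return append(make([]byte, 4), seq...) }
// Seal emits seq (8 bytes, big-endian) || AES-GCM(event), with seq also bound as associated data.
func (e *Endpoint) Seal(event []byte) []byte {
	e.sendSeq++
	seq := make([]byte, 8)
	binary.BigEndian.PutUint64(seq, e.sendSeq)
	return e.aead.Seal(seq, nonce(seq), event, seq)
}
// Open authenticates first, then rejects any seq not above the last accepted one (replay/reorder).
func (e *Endpoint) Open(msg []byte) ([]byte, error) {
	if len(msg) < 8+e.aead.Overhead() {
		return nil, errors.New("message too short")
	}
	seq := msg[:8]
	event, err := e.aead.Open(nil, nonce(seq), msg[8:], seq)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	if n := binary.BigEndian.Uint64(seq); n > e.recvSeq {
		e.recvSeq = n
		return event, nil
	}
	return nil, errors.New("replayed or stale sequence number")
}
```

Because the tag is checked before the sequence number is compared, a forged or truncated message cannot move the receiver's replay window; a genuine message replayed after acceptance is dropped even though its tag verifies.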
Proxy-Proxy Security
[Diagram: name resolution and routing between proxies (K21 proxy, scripting proxy, device proxy) both run SPKI/SDSI over SSL/TLS.]
All proxies talk to each other with the same protocol.
Status
• System design completed and largely implemented.
• Being evaluated in terms of performance and scalability
• Ongoing work:
  – Security issues with anonymous computation and/or minimally-trusted computers
Questions?