Beepbeep-3a2093546 148

Kevin Harris Singapore 27 March 2008
Highly Efficient Embedded Real-Time Encryptionthe BeepBeep Algorithm
Honeywell.com
Embedded Real-Time Cryptography

The application area
Cryptography optimized for embedded, real-time, systems such as used in industrial process control
The development
A new algorithm (called BeepBeep) overcomes the drawbacks of using existing cryptography for real-time systems
2 Document control number
Honeywell Proprietary
Honeywell.com
Topics
BeepBeep Technology Overview Requirements for Real-Time Cryptography Deficiencies of Conventional Encryption for this Overview of BeepBeeps Mechanism Applications/Market Opportunities Development Status Inventors Other Honeywell Technology Featured Today
Honeywell.com
BeepBeep Technology Overview

Real-time cryptography Very efficientvery small footprint (Compared to AES) Particularly good for processors with unsigned integer multiply instruction Key evolves continuously, so smaller target for cryptanalysis From private sectorno government involvement Resistant to massively-parallel special-purpose hardware attacks such as DeepCrack
Honeywell.com
Topics
Honeywell.com
Requirements for Real-Time Cryptography

Encryption must add little or nothing to message length Encryption must be done extremely fast
Average speed does not matternever exceeding the maximum is critical
The above must be accomplished by use of very little processing power Ditto memory resourcesideally only processor registers In retrofit applications, the incremental power requirement must be zero, or very small Security time horizon is usually tactical versus strategic
Integrity needed only until next key change Secrecy (depends on type of data)
Control for a few hours Inventory for a few weeks or months Recipe for a few decades (but little such data is sent)
Cryptography needs to be only moderately secure

6 Document control number Honeywell Proprietary
Honeywell.com
Email Isnt Distributed, Embedded, Real-Time

Email Processor Memory Power Response Time Bandwidth Message Size Message Variability Integrity Need Physical Security Net Membership Autonomous Pentium II 1280 MB 200 watts Seconds 1 - 100 Mbps 100 Kbytes Very High Low Attended Anybody (Generalize) Yes Embedded DSP and/or C 128 KB 2 watts Milliseconds 1 - 100 Kbps 10 bytes Fixed Rate & Size Very High Not Attended Closed (Optimize) No
Approx. 1,000 : 1 Ratio of Resource Usage

Honeywell.com
Needed Security Communication Capabilities

Privacy (a.k.a. confidentiality or secrecy)preventing the acquisition of a messages information unless authorized Integritydetecting unauthorized alteration of a message Authenticationdetermining whether a message was prepared and sent by the party from which it claims to originate Authorizationgranting of a power to do or be something Replay Protectionvalidating message sequencing and timeliness so that prior valid messages cannot be replayed by an attacker at a later point in time to effect the original or similar result Key Managementperiodic creation, distribution and replacement of communication security keys to
Minimize the damage caused by employee or site compromise Prevent accumulation of too much cryptanalysis source material Limit allowed cryptanalysis time
ComSec Event Monitoring and Alertingreporting ComSec hazards
Honeywell.com
Topics
Honeywell.com
Problems in Use of Existing Cryptography

Relatively slow, particularly on start-up
Messages (and sessions) are small; less text to amortize start-up cost Latency (lag) is more important than throughput Only worst-case timing countsaverage is unimportant
One missed deadline is not helped by finishing early at all other times
Systems typically use repeating execution time-slots of fixed size startup overhead increases size of all time slots Central control changes key for each message (high key agility), which needs a large crypto-cache or (re-)startup cost for each message
Honeywell.com
Problems in Use of Existing Cryptography

Uses too much data memory (cache thrashing)
Real time systems are multitasking with many context switches/sec Must assume cache is flushed, S-box accesses are mostly misses
Consumes additional communication bandwidth

Ciphertext must be no bigger than plaintext
Uses separate secrecy and integrity algorithms (or modes)

Makes execution even slower Prevents lump in the cable retrofits
Most real-time cryptography is retrofitted exacerbates these problems

Honeywell.com
Topics
Honeywell.com
Achieving Speed
Use an efficient stream cipher State stays in CPU registers (no RAM used) Fix problems with conventional implementations
Feedback shift registers are slow in software
Invention improves speed by almost 100 times
Multiply is slow
Becoming faster (from 42 clocks to 1//4 clocks) Invention uses multiply in a powerful new way
Conditional jumps are slow on pipelined CPUs

Use multiplexor logic instead of conditional jump
Instead of: if C then Z = A else Z = B or: Z = C ? A : B Use this: Z = ((A xor B) and C) xor B
Use unrolled loop to eliminate other jumps
Speed on Pentium is better than 1 bit per clock
Honeywell.com
BeepBeep Block Diagram

127 V
odd word
OR
63 lfsr[2] lfsr[1]
XOR
1 lfsr[0] 0
ctl
step 64 bits
lfsr[3]
31 clock
{lfsr[0], lfsr[2] }
LFSR output selection
alternates for { each text word }
{lfsr[2], lfsr[1] }
{lfsr[1], lfsr[2] }
state
sum
+ `
m
upper 32 bits
+ `
lower 32 bits
Thick lines are 32 bits.

Dotted lines are control. Bold italics are variables. " +`" is ones complement addition
Thin lines are one bit.
XOR i ciphertext j plaintext

+/decrypt encrypt
XOR
Honeywell.com
Broadcast Authentication
Real-time and embedded systems cannot afford public key encryption or multiple algorithms for authentication Simple symmetric key cant be used because the compromise of any node compromises the whole net Solution for simple broadcast commands: use BeepBeep both for encryption and for a one-way function hash
At net initialization, the broadcaster sends to each node the result of repeatedly hashing a secret truly random number (the message uses each nodes individual key for authentication and integrity) To send an authentic command, a value is broadcast which hashes to the value each node has stored If a node gets a transmission which hashes to its stored value, it performs the command and updates its stored hash value
Similar to the S/Key one-time password scheme

Honeywell.com
Benefits (vs AES, on Pentium)

About 2 times faster for very large messages About 40 times faster for small messages About half the memory size 25 to 200 times faster than 3DES Includes integrity with secrecy (increases the above ratios)
Allows lump in the cable (or dongle) implementations (with possible sub-bit-time latency)
Several thousand times faster and smaller than public key 1:1 byte replacement (to fit existing message sizes)
Can eliminate need for the addition of an explicit IV Can incorporate existing CRC or checksum into integrity
Optimized for CPUs typically found in embedded, real time, control, and communication systems Designed to be resistant to specialized hardware cracking
Honeywell.com
Simple and Small

BeepBeeps executable code
One page of C code (half of which is declarations and comments) Pentium MMX without explicit IV Pentium MMX with explicit IV Pentium main loop Motorola HC12 without explicit IV 419 bytes 484 bytes 185 bytes 954 bytes
BeepBeeps data memory

Pentium MMX Motorola HC12 (data stays in registers) 0 bytes 28 bytes
Honeywell.com
Withstanding Attacks
Chosen plaintext
Generally not feasible; requires such invasive physical access that it would be easier just to read out the key(s)
Chosen ciphertext
Try send fake messages and watch for response (reaction attack) Integrity mechanism(s) reject most forgeries Bandwidth is so low, only a miniscule amount of data could be sent before source is detected and stopped
Known plaintext
Bandwidth is too low to accumulate many cipher-plain pairs
Plus Many BeepBeep Defenses against Specific Attacks!

Honeywell.com
Topics
Honeywell.com
Embedded Real-Time Systems

SCADA
Distribution control pipelines and electrical power grid Remote management of control systems in petrochemical and power plants
Access and control of remote sites (homes, buildings) physical security, load shedding, medical equipment Radio communications
Aircraft Mobile phones
Low-power/battery-operated devices, scatterable sensors, mines, satellites, intrinsic safety areas Real-time multimedia communications
Honeywell.com
Typical Distributed SCADA System

Controller How do we retrofit security to this system? Modem
RTU = Remote Terminal Unit
Modem
Modem
Modem
Modem
RTU
RTU
RTU
RTU
Honeywell.com
Retrofitting Security
Controller
Insert crypto dongles

Modem
Modem
Modem
Modem
Modem
RTU
RTU
RTU
RTU
Honeywell.com
Free Power RS-232 Encryption Modules

One-square-inch surface-mount board, 3v components Single-chip microcomputer:
256 bytes on-chip RAM (can be as small as 32 bytes) 4 kilobytes OTP or flash memory (can be as small as 1 kilobyte) Two UARTS for pass-through communications 88 multiply instruction for BeepBeep encryption algorithm
Serial EEPROM (or part of microcomputer)

256 bytes with page write
RS-232 interfaces for pass-through functionality

3 inputs, 5 outputs at one connector; 3 outputs, 5 inputs at the other Operating power scavenged from input signals
Crystal or ceramic resonator Status LED (duty cycle limited)
Honeywell.com
Topics
Honeywell.com
Some Product Developments

Aviation
Encryption of ACARS radio traffic Constraints: bandwidth, real-time multitasking
Also memory and execution time for retro-fit applications
This application has been cleared for export by BXA
Home automation and security

Secrecy, integrity, authentication, and key management Between central site and residences Constraints: memory, bandwidth, small (8/16 bit) CPU
No other algorithm could meet memory constraints
Limit: 1638 bytes Flash ROM, 50 bytes RAM Used: 1628 28
This application has been cleared for export by BXA
Commercial buildings and industrial controls

Prototype crypto-dongle developed
Honeywell.com
Home Automation and Security

Remote Browser View or Control
Internet
ISP POP
Internet Interface
/ RN P U DP / IP
Home Controller In House Browser
Global Home Server

POTS Modem
Phone or Cable Network Telephone Network

Honeywell.com
Topics
Honeywell.com
Inventor
Kevin.Driscoll@Honeywell.com +1 612-951-7263
Some applicable Driscoll patents (US numbers):
6,804,354 Cryptographic Isolator Using Multiplication 6,763,363 Computer Efficient Linear Feedback Shift Register 6,760,440 One's [sic] Complement Cryptographic Combiner 7,277,543 Cryptographic Combiner Using Two Sequential NonAssociative Operations
Further Patents Pending
Honeywell.com
Topics
Honeywell.com
Other Honeywell Technology Featured Today

Fault-Tolerant Ethernet (FTE)
Software-only implementation continually checks for all routes
Genetic Algorithm
Optimum network path considering speed, cost, reliability, etc.
Latency-Controlled Redundant Wireless Routing

Automatic determination of alternate routes in noisy networks
Dynamic Wireless Power Conservation

Feedback schemes to minimize power consumption of remote devices
Part of Honeywells OneWireless Multi-Use Solution for Noisy Environments

Honeywell.com
Other Honeywell Technology Featured Today

OPC Server Kit with Time-Out
Low-cost development & maintenance plus increased robustness
OPC Redirection Manager

Increased OPC availability
Visual Query Language (VQL)

Drag over waveform to define patternVQL searches for matches
Digital Video Manager (DVM)

Uses existing networks to allow remote control of cameras Window on existing operator stations
Honeywell.com
One-Slide Version
Honeywell.com
Other Honeywell Technologies Featured Today

Networking
Robustness, e.g., by optimum use of all possible routes Robustness for OPC (OLE for Process Control) networking
Wireless-Specific
Multi-use wireless for noisy environments, e.g., industrial (OneWireless) Robustness and power conservation
Visual Query Language (VQL)

Drag over waveform to define pattern VQL searches vast databases for matches
Digital Video Manager (DVM)

Uses existing networks to allow remote control of cameras Window on existing operator stations

Beepbeep-3a2093546 148

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Beepbeep-3a2093546 148

Uploaded by

Copyright:

Available Formats

Kevin Harris Singapore 27 March 2008

Highly Efficient Embedded Real-Time Encryptionthe BeepBeep Algorithm

Embedded Real-Time Cryptography

2 Document control number

3 Document control number

BeepBeep Technology Overview

4 Document control number

5 Document control number

Requirements for Real-Time Cryptography

Cryptography needs to be only moderately secure

Email Isnt Distributed, Embedded, Real-Time

Approx. 1,000 : 1 Ratio of Resource Usage

Needed Security Communication Capabilities

ComSec Event Monitoring and Alertingreporting ComSec hazards

8 Document control number

9 Document control number

Problems in Use of Existing Cryptography

10 Document control number

Problems in Use of Existing Cryptography

Consumes additional communication bandwidth

Uses separate secrecy and integrity algorithms (or modes)

Most real-time cryptography is retrofitted exacerbates these problems

12 Document control number

Conditional jumps are slow on pipelined CPUs

Use unrolled loop to eliminate other jumps

Speed on Pentium is better than 1 bit per clock

13 Document control number

BeepBeep Block Diagram

LFSR output selection

alternates for { each text word }

Thick lines are 32 bits.

Thin lines are one bit.

XOR i ciphertext j plaintext

Similar to the S/Key one-time password scheme

Benefits (vs AES, on Pentium)

Simple and Small

BeepBeeps data memory

17 Document control number

Plus Many BeepBeep Defenses against Specific Attacks!

19 Document control number

Embedded Real-Time Systems

20 Document control number

Typical Distributed SCADA System

Insert crypto dongles

Free Power RS-232 Encryption Modules

Serial EEPROM (or part of microcomputer)

RS-232 interfaces for pass-through functionality

Crystal or ceramic resonator Status LED (duty cycle limited)

23 Document control number

24 Document control number

Some Product Developments

This application has been cleared for export by BXA

Home automation and security

This application has been cleared for export by BXA

Commercial buildings and industrial controls

Home Automation and Security

Home Controller In House Browser

Global Home Server

Phone or Cable Network Telephone Network

27 Document control number

29 Document control number

Other Honeywell Technology Featured Today

Latency-Controlled Redundant Wireless Routing