Electronic Design

Keeping Embedded Secure: Authentication And Encryption

As more embedded network devices are connected to the Internet, security demands bring the need for authentication, encryption, and digital signatures into focus. Attacks on desktops, servers, and PCs are increasing because of common platforms and languages, such as Visual Basic, and because of the number of Internet-connected PCs.

Soon, the number of embedded devices connected to the Internet will be greater than the number of PCs, making them ideal targets for a range of attackers. Unsecured and unverifiable transmission of information will still occur, although secured and verifiable transmissions will be required, especially for key actions like downloading programs or data to an embedded device.

Authentication, digital signatures, and encryption are generally based on a set of keys and algorithms for transforming digital data, called clear text, into an encrypted form and back again. Digital signatures are based on the encryption of a checksum of the data being signed. Secure authentication is accomplished using digital signatures.

Today's popular forms of encryption use a private key or a public key approach. The private key method employs shared secret keys that are typically identical, while the public key approach uses a pair of keys: one secret and one public.

Digital signatures can use either approach to encrypt data that confirms the validity of other data. Frequently, the encrypted data is a checksum. The encrypted checksum and its matching data are usually paired to make verification easier. Pairing allows additional digital signatures to be associated with the unencrypted data. Likewise, another digital signature could be applied to the combination.

Digital signature verification can be performed using two mechanisms. The first decrypts the signature and compares the decrypted information with that generated from the signed information. The second generates a copy of the encrypted information and compares the encrypted data. A match using either technique indicates that the clear text has been signed.
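The two verification mechanisms described above, as an added Python example that is not part of the original article: a toy textbook-RSA signature is verified by recovering the checksum, and an HMAC-SHA256 shared-key signature is verified by regenerating it. The key material, function names, and sample data are constructed for illustration; the toy RSA key has no padding and is not for real use.

```python
import hashlib
import hmac

# Constructed toy key pair: two Mersenne primes, textbook RSA, no padding.
# Illustration only; real signatures need proper key sizes and a padding scheme.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                                # public modulus
E = 65537                                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)


def checksum(data: bytes) -> int:
    """SHA-256 of the data, reduced mod N so the toy key can process it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign_public_key(data: bytes) -> int:
    """Signer side: transform the checksum with the private exponent."""
    return pow(checksum(data), D, N)


def verify_by_decrypting(data: bytes, signature: int) -> bool:
    """Mechanism 1: recover the checksum from the signature with the public
    key and compare it with the checksum of the data actually received."""
    return pow(signature, E, N) == checksum(data)


def sign_shared_key(key: bytes, data: bytes) -> bytes:
    """Signer side: keyed checksum (HMAC-SHA256) under the shared secret."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_by_regenerating(key: bytes, data: bytes, signature: bytes) -> bool:
    """Mechanism 2: regenerate the signature from the received data and
    compare the two values in constant time."""
    return hmac.compare_digest(sign_shared_key(key, data), signature)


if __name__ == "__main__":
    image = b"constructed firmware image, build 42"     # constructed sample
    secret = b"constructed shared secret"
    sig, mac = sign_public_key(image), sign_shared_key(secret, image)
    for received in (image, image + b"\x00"):           # intact, then altered
        print(verify_by_decrypting(received, sig),
              verify_by_regenerating(secret, received, mac))
```

Mechanism 2 requires the verifier to hold the same secret as the signer, so any device that can verify can also sign; mechanism 1 lets a device hold only the public key.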

Digital signatures can be employed for authorization. These are often called certificates or tickets. In such cases, the encrypted information will usually be larger than the clear text. For example, Kerberos is a server-based authentication system that uses digital signatures. Authentication details are hidden in the encrypted information so the details can't be extracted from an intercepted signature packet. Digital signatures often have time stamps and lifetime information. Lifetimes of minutes or hours are often implemented to let remote applications access resources on a remote server.
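A signed ticket with a time stamp and a lifetime, checked on the device side, as an added Python example that is not part of the original article. It uses a shared-key HMAC-SHA256 signature and does not encrypt the claims the way Kerberos does; the field names, the 8-hour lifetime limit, and the 60-second clock-skew tolerance are assumptions.

```python
import hashlib
import hmac
import json

MAX_LIFETIME_S = 8 * 3600   # assumed policy: no ticket lives longer than 8 hours
CLOCK_SKEW_S = 60           # assumed tolerance between device and server clocks


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def issue_ticket(key, subject, resource, issued_at, lifetime_s) -> bytes:
    """Server side: serialize the claims and append the keyed checksum."""
    claims = {"sub": subject, "res": resource, "iat": issued_at, "life": lifetime_s}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return body + b"." + _tag(key, body)


def check_ticket(key: bytes, ticket: bytes, resource: str, now: int) -> dict:
    """Device side: verify the signature first, then the lifetime window."""
    body, sep, tag = ticket.rpartition(b".")
    if not sep or not hmac.compare_digest(_tag(key, body), tag):
        raise ValueError("bad signature")
    claims = json.loads(body)            # parsed only after it is authenticated
    if claims["res"] != resource:
        raise ValueError("wrong resource")
    if not 0 < claims["life"] <= MAX_LIFETIME_S:
        raise ValueError("lifetime out of policy")
    if now < claims["iat"] - CLOCK_SKEW_S:
        raise ValueError("not yet valid")
    if now > claims["iat"] + claims["life"] + CLOCK_SKEW_S:
        raise ValueError("expired")
    return claims


if __name__ == "__main__":
    key = b"constructed shared secret"                  # constructed sample
    t = issue_ticket(key, "sensor-17", "firmware-download", 1_000_000, 300)
    print(check_ticket(key, t, "firmware-download", 1_000_100)["sub"])
    try:
        check_ticket(key, t, "firmware-download", 1_000_400)
    except ValueError as err:
        print(err)                                      # past iat + life + skew
```

The lifetime check only means something if the device has a trustworthy clock, which on embedded hardware usually means a battery-backed RTC or an authenticated time source.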

A public key infrastructure (PKI) is a centralized method for securely managing and distributing public keys. The keys are delivered as certificates, each with one or more digital signatures from a certificate authority (CA). A certificate holder can trust the key if it verifies and trusts the digital signatures and the lifetime of the certificate hasn't expired. PKIs are typically implemented for keys used with e-mail, Web browsers, and remote-access services.

See associated figures:
Private key encryption
Public key encryption
Digital signature verification
Digital signature verification
Encrypted or signed communication

ENCRYPTION

| Title | Name | Standard | Organization | Description/Web site |
|---|---|---|---|---|
| Blowfish | Blowfish | n/a | n/a | Encryption algorithm developed by Bruce Schneier; http://www.counterpane.com/bfsverlag.html |
| 3DES | Triple DES | FIPS PUB 46-3 | NIST | Applies DES using three 56-bit keys |
| DES | Data Encryption Standard | FIPS PUB 46-3 | NIST | 56-bit private key encryption algorithm |
| DH/DSS | Diffie-Hellman/Digital Signature Standard | | | Popular encryption standard developed by Diffie and Hellman |
| MD5 | Message Digest | RFC 1321 | IETF | Encryption algorithm developed by Ronald L. Rivest of MIT |
| P1363 | P1363 | P1363 | IEEE | Encryption standards group; http://www.manta.ieee.org |
| PGP | Pretty Good Privacy | RFC 2440 | IETF | Public key encryption algorithm; http://www.pgpi.org, http://www.pgp.com |
| RSA | R. Rivest, A. Shamir, L. Adleman | | PKCS | Public key encryption algorithm developed by RSA Security Inc. |
| GSSAPI | Generic Security Services API | RFC 1508 | IETF | Security-related API definitions |
| SHA | Secure Hash Algorithm | FIPS PUB 180-1 | NIST | Encryption algorithm |

AUTHENTICATION

| Title | Name | Standard | Organization | Description/Web site |
|---|---|---|---|---|
| Kerberos | Kerberos | RFC 1510 | IETF | Server-based public key authentication system; http://web.mit.edu/kerberos/www/ |
| RADIUS | Remote Authentication Dial In User Service | RFC 2865 | IETF | Used to manage remote access servers |

DIGITAL SIGNATURES AND CERTIFICATES

| Title | Name | Standard | Organization | Description/Web site |
|---|---|---|---|---|
| DSS | Digital Signature Standard | FIPS PUB 186 | NIST | Uses DES |
| ISAKMP | Internet Security Association and Key Management Protocol | RFC 2408 | IETF | Key management system used with IPsec |
| X.509 | Public key certificate | X.509 | ITU | X.500 digital certificate standard |

COMMUNICATION LINKS

| Title | Name | Standard | Organization | Description/Web site |
|---|---|---|---|---|
| SSH | Secure Shell 1 | Draft | IETF | Secure terminal and application virtual private network connections; http://www.ietf.org/html.charters/secsh-charter.html |
| SSH2 | Secure Shell 2 | Draft | IETF | Secure terminal and application virtual private network connections; http://www.ssh.org/specs.html |
| IPsec | IP security | RFC 2411 | IETF | Used for virtual private networks (VPN); http://www.ietf.org/html.charters/ipsec-charter.html |
| SSL | Secure Socket Layer | n/a | Netscape | Secure Internet connection |
| OpenSSL | Open SSL | n/a | OpenSSL | Open-source implementation of SSL and TLS; http://www.openssl.org |
| TLS | Transport Layer Security | RFC 2246 | IETF | Alternative to SSL |
| SHTTP | Secure Hypertext Transfer Protocol | RFC 2660 | IETF | Secure version of HTTP for secure Web server access |

APPLICATION SPECIFIC

| Title | Name | Standard | Organization | Description/Web site |
|---|---|---|---|---|
| S/MIME | Secure-MIME | RFC 2311 | IETF | E-mail encryption and digital signature standard |
| OpenPGP | Open Pretty Good Privacy | RFC 2440 | IETF | E-mail encryption and digital signature standard; http://www.ietf.org |
| DNSSEC | Domain Name Server Security | RFC 3008 | IETF | Domain name server (DNS) secure update protocol |

ORGANIZATIONS

| Title | Organization | Web site |
|---|---|---|
| ANSI | American National Standards Institute | http://www.x9.org |
| IEEE | Institute of Electrical and Electronic Engineers | http://www.ieee.org |
| IETF | Internet Engineering Task Force | http://www.ietf.org |
| ISO | International Standards Organization | http://www.iso.org |
| ITU | International Telecommunications Union | http://www.itu.ch |
| NIST | U.S. National Institute of Standards and Technology | http://www.nist.gov |
| OG | Open Group | http://www.opengroup.org |
| PGPI | PGP International | http://pgpi.org |
| PKCS | Public Key Cryptography Standard | http://www.rsasecurity.com |

