[Cryptography] Long-term security (was Re: ratcheting DH strengths over time)

Jerry Leichter leichter at lrw.com
Mon Nov 16 14:58:10 EST 2015


> SCADA systems and other embedded hardware may need to be kept secure
> from tampering for 30 years or longer. This stuff shows up in
> surprising places -- people really are doing things like putting
> building heating and elevator systems onto the internet now....
> 
> Say you have thousands of such systems or even millions of them out in
> the field, all happily dialing home and getting new instructions, all
> that protected by an RSA key or an elliptic curve signature key. How
> do you keep that safe for a stupid amount of time?
> 
> The sad truth is, you probably can't...
Of course you can.  Just forget about public key cryptography!

Public key solves the "any-any" communications problem, where each pair of speakers needs to have its own shared key.  It also solves the introduction problem, in which a node may need to talk to a new node it knows nothing about.

Neither of these is relevant to a SCADA network.  SCADA elements talk to controllers.  A controller can easily keep track of a unique key per element.  An element only needs the key to talk to its controller.  Build the things with 256-bit AES keys and your vulnerability is to someone coming up with a break in AES.  How to protect against *that* ... I have no proposals.

Burning a unique key into each element is no big deal; nor is registering that key when the element is itself registered.  Or you can create and install a key during registration.

SCADA elements don't spontaneously get bored and start talking to friends out on the Internet.  :-)  

Even if someone does get physical control over an element - the worst they can do is manipulate that element.  The key stored in it can be rendered difficult to extract using well-understood techniques, at which point getting physical control gives you ... the ability to manipulate things you could have controlled anyway, given physical control.

If you need to do anything more sophisticated than simple point-to-point controller/controlled element communication, a Kerberos-like system would be very appropriate.

I know of an installation that does something like this with secure video conferencing stations.  They are designed to wipe their keys after any but a minimal power outage.  Yes, after a big power outage, you need to send technicians around to set up new keys, but that's considered a good security tradeoff - a stolen device has no special access to the teleconference setup.  Sometimes clever technology alone isn't the answer....

                                                        -- Jerry
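
Added example, not part of the original message: the per-element symmetric key arrangement described above, in which the controller keeps one 256-bit key per element and each element holds only its own. HMAC-SHA256 is swapped in for an AES-based MAC so the code runs on the Python standard library alone; the class names, frame layout and replay counter are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct

KEY_LEN = 32  # 256-bit key per element, as in the post
TAG_LEN = 32  # HMAC-SHA256 tag; stands in for an AES-based MAC (assumption)


def _tag(key: bytes, element_id: str, body: bytes) -> bytes:
    """MAC over the element id and the frame body (counter + payload)."""
    return hmac.new(key, element_id.encode() + b"\x00" + body, hashlib.sha256).digest()


class Element:
    """Field device: holds only its own key and the last counter it accepted."""
    def __init__(self, element_id: str, key: bytes):
        self.element_id = element_id
        self._key = key
        self._last_counter = 0

    def accept(self, frame: bytes):
        """Return the command payload if the frame is authentic and fresh, else None."""
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self._key, self.element_id, body)):
            return None  # wrong key or modified frame
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self._last_counter:
            return None  # replayed or stale frame
        self._last_counter = counter
        return body[8:]


class Controller:
    """Keeps the registry: one unique key and one send counter per element."""
    def __init__(self):
        self._keys, self._counters = {}, {}

    def register(self, element_id: str) -> Element:
        # Key is created and installed at registration time.
        self._keys[element_id] = secrets.token_bytes(KEY_LEN)
        self._counters[element_id] = 0
        return Element(element_id, self._keys[element_id])

    def command(self, element_id: str, payload: bytes) -> bytes:
        self._counters[element_id] += 1
        body = struct.pack(">Q", self._counters[element_id]) + payload
        return body + _tag(self._keys[element_id], element_id, body)
```

Because every element has its own key, a key extracted from one device authenticates nothing to any other device. In a real deployment both counters would have to survive a reboot.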


