WIRELESS SECURITY IN THE “RING”
Bart Shields (Olympus Sky Technologies)
David Gell (Olympus Sky Technologies)
Every day, we hear somewhere in the news about a new secure hack. We all know basically what that means: an unwanted intruder breached a system they had no expressed permission to do so. But very few of us know how it actually happens?
In contrast to the glamorized version that Hollywood has presented, the true nature of security and how it gets broken is usually – not always – much more mundane, often involving some weakness or backdoor left open by human error or oversight. That is exacerbated by the fact that for the vast majority of networks, both wired and wireless, the mechanism providing the core of the network cybersecurity is a static target: the master key.
Without a security layer in place, wireless communication is available for anyone to receive and read. And, unlike a purely hardwired network, would-be attackers do not need any external communication gateway to enter the network. They just need to be in close physical proximity to a wireless transceiver belonging to the network to be able to listen and/or communicate with it.
Securing a system in different layers
The security of communication and IT systems involves many layers: not only encryption of the actual data, but proactive features that prevent an intruder from soliciting and instigated unwanted behavior in the system. Replay Attacks are a prime example of this, where without explicit protection, an intruder can capture data that has been encrypted, play it back to the network and allow an adversary to masquerade as a legitimate network user.
Replay Attack diagram
Replay Attacks can be executed even on encrypted frames. Once the hacker has captured enough frames and categorized them, they can “inject” frames as desired in order to gain access and control of the targeted systems.
Command Injection Diagram
The point is that while encryption is important, encryption alone does not prevent a Replay Attack and thus, an intruder could still take over your system and take unwanted action. In this situation, the result would not only be chaos, but also a loss of time and money.
When choosing a security mechanism for your wireless network, you should make sure that not only is your data secured via encryption but that you address other areas as well: Replay Attack prevention, Perfect Forward Secrecy, Denial of Service, etc.
The most common method to provide encrypted security within the wireless domain uses a shared set of security credentials, i.e. a shared secret, amongst all of the stations within a given network. Through this shared secret, temporary secrets can be issued for each separate security relationship and for each session, but all of the individual security relationships are “protected” by the common shared secret.
The problem with this scheme is that because all stations within the network are protected by a semi-static (or permanently static) shared secret, if any given station is breached, then all stations within the network are effectively breached. Thereafter, the intruder can potentially see everything in the network, including the temporary secrets used to encrypt the data.
To help illustrate this point, consider the following analogy: imagine all houses in a neighborhood have their own electronic house key. For safety reasons[i], each key is generated by a single master secret held in a very secure location within the neighborhood. Now, to increase the security of each individual home, the master secret from the centralized location is used to create and distribute a new temporary key which is issued every day and is only valid for the duration of that one day. Assuming the master secret was kept in a safe place, this sounds like a very secure solution.
But what if an intruder were somehow able to “hack” into one of the homes or into the secure location and obtain the master secret? Then, the intruder has the ability to unlock the door of all of the homes in the neighborhood.
This example is not just theoretical, it is actual, and is the key aspect hackers count on: a centralized set of security credentials, that is infrequently, or more likely never, updated. While the act of refreshing the temporary keys increased the strength of the system by presenting a continual moving target to would-be attackers, it does not protect against a hack of the master secret. The more complex the security system, the higher the propensity is for something to go wrong.
Security, the “EchoRing” Way
What if you could design a security solution that:
- were lightweight and consumed fewer resources than traditional solutions;
- did not communicate (expose) any secrets that could lead to the breach of the system;
- had almost zero latency – because all security credentials are always pre-calculated;
- had extremely high entropy (more difficult to hack[ii]);
- utilized a decentralized architecture – no single point of failure[iii];
- had a very simplistic security architecture and thus, a much smaller threat surface;
- required virtually no maintenance after initial provisioning;
- had built-in intrusion detection – analytics are captured with every frame[iv];
- was explicitly designed to operate at, “IoT Scale”.
- And, best of all, had a Total Cost of Ownership[v] (including virtually no maintenance) at 1/5th the cost of traditional security solutions.
At R3 Communications, that’s exactly what we did. In partnership with Olympus Sky Technologies, we have created a full-scale security system within EchoRing that is better, simpler, faster, more secure, and easier to deploy, use, and maintain than any other security system in use today.
Very simply, we keep the bad guys out and do so without the usual costs associated with world-class security.
Each EchoRing subnetwork (ring) has a continuously refreshing set of security credentials. The refresh period is user-definable and can be, as an example, a minute, an hour, a day, or whatever period of time is suitable for the particular use case in which EchoRing is used. Besides, every ring can refresh its security credentials on a time interval different from another ring, even if these rings belong to the same larger network. Additionally, each EchoRing Station can belong to multiple rings, simultaneously. A different set of security credentials is locally managed for each EchoRing (security relationship) to which the EchoRing Station belongs.
Further, and unlike standard methods to distribute temporary keys, EchoRing stations do not communicate (i.e. expose) secrets that could lead to a security breach. All EchoRing stations are provisioned once in the beginning of a security relationship and never need to be reprogrammed nor communicate any secrets with each other in order for its security credentials to refresh.
EchoRing is able to accomplish this because each station updates its security credentials autonomously, automatically, and in perfect synchronization with all of the other stations within a ring. Accordingly, EchoRing enjoys Perfect Forward Secrecy. This means that, even if a would-be attacker learns of the security credentials of a particular ring, information will be of no benefit in trying to decrypt past sessions. Plus, because each ring has its own, unique and unrelated set of security credentials, a breach of one ring yields no insight into how to breach a different ring. Thus, allowing the breach to be more easily isolated and contained.
All of these attributes lead to a reduction in both the complexity and size of the threat surface, which in turn increases the security.
Adding to above EchoRing’s Replay Attack Counter, Message Authentication Code, and the gathering of security analytics on every single frame, it is easy to see why EchoRing is the perfect solution for wireless Industrial IoT systems: it is a highly secure, deterministic, and reliable wireless solution.
[i] An example of a typical safety reason could be so that police, fire, or other types of “first responders” could enter your home unencumbered in the event of an emergency or other legitimate reason.
[ii] The randomness associated with measuring the predictability of the derivation of security credentials between two back-to-back sessions, exceeds the age of the universe as measured in seconds.
[iii] No single point of failure is very important to safety and mission-critical systems.
[iv] The core technology of the underlying security framework is a security protocol, which is part of every frame.
[v] Total Cost of Ownership (TCO).