Common use of Information Elements Clause in Contracts

Information Elements. In the meantime, Public Key Cryptography (PKC), a fundamental building block in most KMPs, has become viable on constrained devices as well. Indeed, we are now at a point in time where Elliptic Curve Cryptography (ECC) is not only affordable on today’s ever more powerful and (memory) capable constrained devices [7], [16], but is even cheap and natively supported in the latest generation of IIoT devices [14]. This technological evolution is bringing us to a point where the primary concern is no longer the computationally efficient support of ECC, but rather how to use such primitives to build airtime-efficient authentication and key management protocols. Indeed, most of the proposed PKC-based handshakes [15] suffer from a significant shortcoming in terms of the number and size of the messages exchanged [18]. In particular, transmission of long messages containing conventional X.509 certificates [12] yields a sizeable airtime consumption, whose major consequences are i) a significant latency in the authentication protocol when run over a typical low-rate communication channel, and ii) a significant power consumption, airtime being a major power drain component.

Contribution. Based on these premises, the contribution of this letter is threefold. First, our proposed approach is among the first to concretely integrate and experimentally evaluate “implicit” Elliptic Curve Qu-Vanstone (ECQV) certificates [1] within an authentication and key agreement protocol devised for IIoT devices and scenarios. While in our former work [18] performance was affected by a software implementation of the ECC primitives, this work shows that the viability of this technique is greatly improved by the native (e.g., hardware) and efficient support of ECC on modern IIoT devices.
Second, our novel proposed KMP relies on an ordinary and widely established “fixed” Elliptic Curve Diffie-Hellman (ECDH) exchange [6], which provides authentication without any explicit signature, as well as ephemeral key derivation (and very fast re-keying, when necessary). This is obtained by exchanging per-session nonces and by securing the exchange using a minimized number of messages (two in each direction, i.e., four in total). Finally, experimental performance results over both single-hop and multi-hop networks show significant improvements in terms of maximal airtime savings (up to 86,7%) with respect to a traditional approach relying on an ECDH exchange with public coefficients certified/signed using the ECC Digital Signature Algorithm (ECDSA).

▇. ▇▇▇▇▇▇▇▇▇▇▇▇▇, ▇. ▇▇▇▇ and ▇.▇▇▇▇▇▇ are with the Department of Electrical and Information Engineering (DEI), Politecnico di Bari, Bari, Italy; e-mail: {▇▇▇▇.▇▇▇▇▇▇▇}@▇▇▇▇▇▇.▇▇. ▇. ▇▇▇▇▇▇▇ is with the Department of Electronic Engineering, University of Rome Tor Vergata, Rome, Italy; e-mail: ▇▇▇▇▇▇▇▇.▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇.▇▇ Manuscript received xxx xx, 2016; revised xx, 2016.

II. Background: ECQV implicit certificates

For the reader’s convenience, we briefly review the notion of implicit certificates along with the details of the ECQV algorithm [1]. Let $\mathcal{G}$ be an Elliptic Curve Group, and let $G \in \mathcal{G}$ be a generator of (prime) order $n$ of the group $\mathcal{G}$. Let $U$ be the bit-string identifying a given user, and let CA be a Certification Authority with Private Key $p_{CA} \in \{0, n\}$ and Public Key $P_{CA} = p_{CA} \cdot G \in \mathcal{G}$. An implicit certificate for the user $U$ is a single point $C_U$ of the group, issued by the CA, which permits a receiver who knows the user identity $U$ and the public key $P_{CA}$ of the CA to extract the user’s Public Key $P_U$ such that $P_U = p_u \cdot G$, with $p_u \in \{0, n\}$ being the user’s private key.

[Figure 1. Key negotiation protocol.]

Specifically, let $H(\cdot)$ be a cryptographic hash function; then an implicit certificate is issued as follows:

1. the user $U$ generates a random positive integer $r$, computes an elliptic curve point $R = r \cdot G$, and sends it to the CA;
2. the CA generates a random positive integer $k$, and returns the implicit certificate as the elliptic point $C_U = R + k \cdot G$, along with the implicit signature $\gamma_u = p_{CA} + k \cdot H(C_U, U)$;
3. the user generates the private key $p_u = \gamma_u + r \cdot H(C_U, U)$ and the relevant public key $P_U = p_u \cdot G$.

Any party can trivially compute $U$’s public key by knowing

1. extract the Public Key $P_X = P_{CA} + C_X \cdot H(C_X, X)$ from the implicit certificate $C_X$, as described in section II, and
2. compute the (same and fixed) pre-master session key $K_{CD}$ using an ordinary ECDH.

For instance, once it has received $C_D$ and extracted $P_D$, the network coordinator $C$ can use its private key $p_c$ to compute $K_{CD} = p_c P_D = p_c p_d G$; the same result is obtained on the other side by the device $D$, which computes $K_{CD} = p_d P_C = p_c p_d G$. Note that (as indeed expected of a “fixed” ECDH exchange) subsequent handshakes between the same pair of devices would yield the same key $K_{CD}$. Moreover, note that any attacker could replay the message containing the implicit certificate so as to impersonate one of the two devices. To address both issues, our proposed Key Management Protocol relies on fresh nonces in each “new” exchange. Nonces serve two complementary purposes:

1. Authentication. To authenticate the exchange, peers D and

$\alpha_D = \Gamma[K_{CD}, (C_D, D, C_C, C, \rho_D, \rho_C)]$

$\alpha_C = \Gamma[K_{CD}, (C_C, C, C_D, D, \rho_C, \rho_D)]$

where the $\Gamma[k, s]$ operator refers to a generic symmetric authentication algorithm (e.g., an HMAC) working on the bit stream $s$ by using key $k$. Note that the two tags differ, as they use the same information but in a different order [6].
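The issuance steps, the public-key extraction and the nonce-bound tags described above can be exercised end to end; the following Python sketch is an added example, not code from the letter or its authors. The curve (secp256k1), SHA-256 as H, HMAC-SHA256 as Γ, hashing the shared point into the MAC key, the length-prefixed field encoding and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# secp256k1 parameters; the curve is an assumption (the page names none).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, A):  # double-and-add; not constant time, illustration only
    R = None
    while k:
        R, A, k = (add(R, A) if k & 1 else R), add(A, A), k >> 1
    return R

def enc(pt):  # fixed-width point encoding (assumed wire format)
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def H(C, ident):  # H(C_U, U), instantiated with SHA-256 (assumption)
    return int.from_bytes(hashlib.sha256(enc(C) + ident).digest(), "big") % N

def issue(p_ca, ident):  # issuance steps 1-3, returns (C_U, p_u)
    r, k = (secrets.randbelow(N - 1) + 1 for _ in range(2))  # user's r, CA's k
    C = add(mul(r, G), mul(k, G))              # C_U = R + k*G
    gamma = (p_ca + k * H(C, ident)) % N       # implicit signature (CA side)
    return C, (gamma + r * H(C, ident)) % N    # p_u (user side)

def extract(P_ca, C, ident):  # P_X = P_CA + H(C_X, X)*C_X, public inputs only
    return add(P_ca, mul(H(C, ident), C))

def tag(K, *fields):  # Gamma[k, s] as HMAC-SHA256 over length-prefixed fields
    s = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(hashlib.sha256(enc(K)).digest(), s, hashlib.sha256).digest()

def handshake(P_ca, cert_c, cert_d, rho_c, rho_d):  # cert_x = (C_X, p_x, identity)
    (C_c, p_c, c), (C_d, p_d, d) = cert_c, cert_d
    K_c = mul(p_c, extract(P_ca, C_d, d))      # coordinator: p_c * P_D
    K_d = mul(p_d, extract(P_ca, C_c, c))      # device:      p_d * P_C
    return (K_c, K_d, tag(K_d, enc(C_d), d, enc(C_c), c, rho_d, rho_c),
            tag(K_c, enc(C_c), c, enc(C_d), d, rho_c, rho_d))
```

Because the shared point is fixed for a given pair of certificates, only the nonces make the tags session-specific: a tag captured in one exchange does not verify against the fresh nonce of the next.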

Sources: Key Management Protocol
