2015 International Conference on Industrial Instrumentation and Control (ICIC) College of Engineering Pune, India. May 28-30, 2015

Implementation of Elliptic Curve Digital Signature Algorithm on an IRIS Mote Using SHA-512

Sudha Ellison Mathe, Lakshmi Boppana and Ravi Kishore Kodali
Department of Electronics and Communication Engineering, National Institute of Technology, Warangal, Telangana-506004
Email: [email protected]

Abstract—Wireless Sensor Networks (WSN) are spatially distributed nodes monitoring physical or environmental conditions such as temperature, pressure, sound, light, etc., using sensors. The sensed data is cooperatively passed through a series of nodes in a network to a main base-station (BS) where it is analysed by the user. The data is communicated over a wireless channel between the nodes, and since the wireless channel has minimum security, the data has to be communicated in a secure manner. Different encryption techniques can be applied to transmit the data securely. This work provides an efficient implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) using the SHA-512 algorithm on an IRIS mote. The ECDSA does not actually encrypt the data but provides a means to check the integrity of the received data. If the received data has been modified by an attacker, the ECDSA detects it and signals to the transmitter for retransmission. The SHA-512 algorithm is the hash algorithm used in the ECDSA and is implemented for an 8-bit architecture. The SHA-512 algorithm is chosen as it provides better security than its predecessors.

Keywords—ECDSA, WSN, SHA-512, IRIS mote

978-1-4799-7165-7/15/$31.00 ©2015 IEEE

I. INTRODUCTION

The Wireless Sensor Network is built of nodes, from a few to several hundreds or even thousands, where each node is connected to one, or sometimes several, sensors. Each such sensor network node typically has several parts: a radio transceiver with an internal antenna or connection to an external antenna, a microcontroller, an electronic circuit for interfacing with the sensors and an energy source, usually a battery or an embedded form of energy harvesting. These nodes are deployed into the environment forming a network of any desired topology. Different nodes perform different functions. Some nodes can be programmed only as sensors, some can be programmed only as carriers and some can be programmed as both. The sensing nodes send the data to the intermediate nodes. These intermediate nodes perform data aggregation or any other operation specified by the user and send the result to a Base Station (BS) receiver present at the user terminal.

The WSN nodes, also referred to as motes, communicate using a wireless channel. The security of the wireless channel is minimal and an attacker can easily tap into the wireless stream and view the data or modify it. Security measures are therefore necessary to prevent unauthorised access to or modification of the transmitted data [1]. Algorithms like the Digital Signature Algorithm (DSA), RSA [2], etc. can be employed for these security needs. However, algorithms such as DSA or RSA require large memory and processing power. A WSN mote is a very low power device and typically has an 8-bit architecture. It has very limited computational and memory resources. Hence the cryptographic algorithms to be implemented must take up only a fraction of the available resources.

This work employs the ECDSA [3] security scheme as it is better in terms of computation speed and security and requires minimal resources. The ECDSA performs hash computation of the data and encrypts this hash using Elliptic Curve Cryptography (ECC) [4]. The hash value is encrypted using ECC point operations to obtain the Digital Signature of the data, which is sent along with the data. The receiver decrypts the signature and checks its validity. If the check fails, then the data can be sent again. In this work, SHA-512 is the hash algorithm used in the ECDSA implementation. The SHA-512 algorithm operates on 64-bit words which cannot be implemented on the mote. Hence it is modified to be compatible with the 8-bit architecture of the mote. Typical ECDSA implementations use SHA-1 as their hash algorithm. However, SHA-1 is vulnerable to attacks [5] and provides less security compared to SHA-512. This work employs the SHA-512 algorithm to overcome the limitation of SHA-1.

This paper is organised as follows: in Section II, we take a look at related work, Section III presents the ECDSA algorithm, Section IV presents the SHA-512 algorithm, Section V describes the proposed implementation of ECDSA on an IRIS mote, and Section VI presents results and discussion, followed by the conclusion in Section VII.

II. RELATED WORK

WSNs are a ubiquitous computing environment and the security of WSNs has quickly gained momentum in the past few years. The major focus is on public-key based security protocols. Symmetric-key based protocols are not as versatile as the public-key system and they complicate the design of the security protocol, which is not suitable to run on low-resource WSN devices. Hence extensive research has been carried out in public-key protocols, leaving behind the symmetric-key schemes. Here, we give a few public-key based protocols proposed by various authors.

TinyPK [6] allows authentication and key exchange between sensor nodes, and between a sensor node and a third party as well. They demonstrated that the widely used RSA public key cryptosystem and Diffie-Hellman key exchange techniques [7] can be deployed on even the most constrained of sensor network devices. TinyPK was implemented on an 8-bit MICA2 mote. A communication protocol employing ECDH key exchange is introduced in [8]. This implementation is based on optimal extension fields (OEF), which are a special type of finite field. The efficiency of the field multiplications provided by this approach was nullified by an attack called the Weil descent attack. The hardware platform chosen for this implementation is the Chipcon CC1010, an 8-bit 8051 processor core. An implementation of elliptic curve cryptography based on finite fields is proposed in [9]. The authors have argued that the public key infrastructure is viable and practical for TinySec [10] key distribution even on MICA2. They have used EccM 2.0 to implement the ECDH key agreement protocol on an 8-bit, 7.3828 MHz MICA2 mote. The design, implementation and evaluation of TinyECC, a configurable library for ECC operations in WSNs, is given in [11]. TinyECC provides a ready-to-use software package for ECC-based public key operations that can be flexibly configured and integrated in sensor network applications. In [12], the authors introduce TinyECCK, which is a Tiny Elliptic Curve Cryptosystem with Koblitz curve. This is a TinyOS package which supports elliptic curve operations and is very efficient with respect to speed over GF($2^m$) on 8-bit sensor motes using the ATmega128L. The first fully functional pairing-based cryptographic library for WSNs, called TinyPairing, is presented in [13]. This fast and lightweight library is implemented on a MICAz mote with feasible attributes. In [14], the authors present TinyPBC, an efficient implementation of pairing-based cryptography protocols for the 8, 16 and 32-bit processors which are commonly used in sensor nodes. The implementation and performance comparison of TinyPBC on ATmega128L, MSP430 and PXA27x is also performed.

Many authors have put forth comparative analyses of various public key protocols. A comparison of the energy consumption of RSA and ECC on an ATmega128L processor is given in [15]. They integrated RSA and ECC into an SSL handshake to provide mutual authentication and key exchange. A comparison of power, energy and time (per message) of Rabin’s scheme, NtruEncrypt/NtruSign, and ECMV/ECDSA is given in [16]. A performance analysis of ECDSA, Diffie-Hellman and El-Gamal on an 8-bit MICA2 mote is given in [17]. Performance analysis under multiple metrics of well known security schemes like TinySec, RC5, ECIES and ECDSA is performed by implementing them in real-time scenarios [18].

III. ECDSA ALGORITHM

In this paper, we propose the Elliptic Curve Digital Signature Algorithm (ECDSA), which is a variant of the Digital Signature Algorithm (DSA). SHA-512 is the hash function used to compute the hash of the message and it has the maximum security compared to any current hash functions. The ECDSA provides the same level of security as the traditional DSA for a smaller key size. Because its key has fewer bits, the ECDSA computations are faster and much easier to implement on a WSN device compared to the traditional public-key based approaches. A comparison of ECDSA with other traditional public key schemes in [19] unquestionably puts ECDSA above other schemes in terms of performance.

The ECDSA consists of two phases, namely, signature generation and verification. Algorithm 1 describes the signature generation phase in detail. The signature consists of two parts, $r$ and $s$. An elliptic curve is considered with parameters $G$, $n$, $a$ and $b$. The point $G$ is the elliptic curve base point, also called the generator of the elliptic curve, with large prime order $n$. The $a$ and $b$ values are the coefficients of the elliptic curve. A random number is chosen in the interval $[1, n-1]$ which acts as the private key, $d_A$. A point multiplication operation is performed on $G$ with $d_A$, which gives a point $Q_A$, and this is treated as the public key curve point. The SHA-512 hash of the message, $e$, is computed. The $L_n$ leftmost bits of $e$ are chosen and designated as $z$. A random number $k$ is selected from the interval $[1, n-1]$. A point multiplication operation is performed on $G$ with $k$ and the resultant point’s x-coordinate is treated as the value $r$. The $s$ value is calculated based on the equation given in step 10 of Algorithm 1. The $r$ and $s$ values together form the ECDSA signature.

Algorithm 1 Signature Generation
1: Consider the elliptic curve parameters $(G, n, a, b)$
2: A private key $d_A$ is randomly chosen in $[1, n-1]$
3: Compute public key curve point $Q_A = d_A \cdot G$
4: Compute the hash $e = \mathrm{SHA512}(m)$
5: Let $z$ be the $L_n$ leftmost bits of $e$
6: Select a random integer $k$ from the interval $[1, n-1]$
7: Calculate the curve point $(x_1, y_1) = k \cdot G$
8: Calculate $r = x_1 \pmod{n}$
9: if $r = 0$ then goto step 6
10: Compute $s = k^{-1}(z + r \cdot d_A) \pmod{n}$
11: if $s = 0$ then goto step 6
12: Signature for message $m$ is $S = (r, s)$

To verify the signature’s integrity, first we have to verify the $r$ and $s$ values. The hash of the message, $e$, is calculated. $z$ is taken as the $L_n$ leftmost bits of $e$. The modular multiplicative inverse of $s$ is calculated and designated as $w$. A point is computed using the equation given in step 10 of Algorithm 2. If the x-coordinate of the resultant point is equal to $r$, then the signature is valid. Otherwise, it can be concluded that the data has been modified either by an attacker or due to noise. Algorithm 2 gives the signature verification phase in detail.

Algorithm 2 Signature Verification
1: Check that $Q_A$ is not equal to the identity element $O$
2: Check that $Q_A$ lies on the curve
3: Check that $n \cdot Q_A = O$
4: Verify that $r$ and $s$ are integers in $[1, n-1]$
5: Compute the hash $e = \mathrm{SHA512}(m)$
6: Let $z$ be the $L_n$ leftmost bits of $e$
7: Compute $w = s^{-1} \pmod{n}$
8: Compute $u_1 = z \cdot w \pmod{n}$
9: Compute $u_2 = r \cdot w \pmod{n}$
10: Compute $(x_1, y_1) = u_1 \cdot G + u_2 \cdot Q_A$
11: The signature is valid if $r = x_1$

IV. SHA-512 ALGORITHM

1) SHA-512 Algorithm: SHA stands for Secure Hash Algorithm. There are many variants of SHA, i.e. SHA-0, SHA-1, SHA-2 and SHA-3. Each variant is a set of hash functions. The SHA-512 algorithm is classified under SHA-2, which is a set of cryptographic hash functions designed by the U.S. National Security Agency (NSA) and published in 2001 by the NIST as a U.S. federal standard (FIPS). The SHA-512 algorithm has a maximum message size of $2^{128}$ bits and operates on 1024-bit blocks. It has 80 rounds of processing and operates on 64-bit word data. It produces an output message digest having a size of 512 bits. Each 1024-bit block is processed to produce a 512-bit hash which is added to the previous hash. This aggregation of the hash values of each 1024-bit block gives the final hash value of the entire message.

The security of a hash function is directly related to its message digest length [20]. SHA-512 has a message digest length of 512 bits, which is significantly higher than that of SHA-1. This clearly makes the SHA-512 algorithm better than SHA-1 in terms of security. Table I gives the specifications of SHA-512, which shows that the security of SHA-512 is greater than any of its predecessors.

TABLE I. SHA-512 SPECIFICATIONS

Specifications | SHA-2 (512) | SHA-2 (256) | SHA-1
Input message size (bits)
Padded data block (bits)
Word size (bits)
Transformation rounds
Message digest (bits)
Security (bits)