TDDE21 Advanced Project: Secure Distributed and Embedded Systems

Course information

It looks like we will have 2 projects for 5-6 students in Fall 2023: 1) Continuing OpenHIP development 2) Cryptographic Drone ID

The course goes for whole Fall, September - December.

Welcome slides 2023. IETF slides.

Project 1: HIPv2

Host Identity Protocol (HIPv2) is a newly standardized network security protocol by the IETF (RFC 7401). It establishes encrypted IPsec tunnels between hosts identified by public/private keys. While commercial use of HIP is rapidly progressing (By Tempered) its open-source implementations are somewhat outdated. Your task is to setup a virtual machine environment to test basic HIP functions such as Base Exchange, mobility update, multihoming with wireshark packet capture. OpenHIP can be run with CORE network simulator. OpenHIP software should be updated to support the latest RFCs.

You can study background material:

• What is HIP?
• HIP book
• Practical use of HIP to secure cruising ships, university campuses, etc
• CORE Simulator
  Latest code, Core setup, Running HIP
• OpenHIP code on Bitbucket Send your BitbucketID to Andrei to get full access.
  OpenHIP website
• Host Identity Protocol v2. RFC7401 RFC7402 Other relevant RFCs
• Alternative HIPL implementation
• Python HIP implementation
• HIP tutorial slides
• Project Report 2018
• Project Report 2019
• Project Report 2020
• Project Report 2021
• Project Report 2022
• Project Report 2023

Main changes from HIPv1 to HIPv2

• cryptographic agility features
• update of mandatory/optional algorithms, including ECDSA and ECDH, HMAC-SHA-256, RSASSA-PSS

Details:
• Initiator may express DH group preference in I1
• Different crypto hash algorithms to generate the HIT
• HIT Suites group together pub key sig, hash fn, and hash truncation
• Puzzle uses HIT hash function
• Procedures for aborting HIP BEX added.
• Guidance on preventing downgrade attacks on crypto algorithms.
• Key derivation function now negotiable aspect of protocol.
• Clarifications on multiple ACKs and echo requests

Classic code implements RFC5201 and RFC5202. The minimum goal is to implement and test in CORE the v2 base exchange and IPsec (RFC7401 and RFC7402). (That was done by students in 2017-2019).

Full HIPv2 implemenation should support mobility (RFC8046), multihoming (RFC8047), and ideally also certificates (RFC8002), registration (RFC8003), rendezvous (RFC8004), and DNS (RFC8005).

Goals for 2020: New Orchids update of RFC7343. Support of EdDSA25519, new crypto in HIP. Hierarchical HITs.

Goals for 2021: Support of Xoodyak, new crypto in HIP, revision 10. Support of OpenSSL 1.1.1 and test of 3.0. Improve: New Orchids update of RFC7343, Hierarchical HITs. Implement draft-ietf-hip-dex-24.

Goals for 2022: Stable release with OpenSSL 1.1.1q. Automatic tests. Debugging OpenSSL 3.0.5 Updates Hierachical HITs, ORCHIDs.

Goals for 2023. OpenSSL 3.0.10. Hierarchical HITS like in RFC9374. Latest crypto support. Interop with PyHIP. Diet-ESP.

Project 2: Cryptographic Drone ID

The goal of this project is to prototype drone ID as specified by DRIP IETF Working Group.

The drone ID is broadcasted over Bluetooth or WiFi as a HIP Host Identity Tag (HIT) in about 20 Bytes.

Prototyping can happen with Raspberry Pi4 (Bluetooth 5--) or Pi 3B+ (Bluetooth 4.2)

This project can interact and get help with HIP features from project 1.

We have a real drone Phantom 4 pro V2.0 for testing;)

• IETF DRIP WG
• drone ID architecture
• drone ID testbed
• Message auth formats
• ASTM standard
• Sample code from OpenDroneID
• Public release of DRIP code 0.2
• HHIT generator scripts
• Project Report 2020
• Project Report 2021
• Project Report 2022
• Project Report 2023

Accomplished: prototype Broadcast Remote Drone ID over Bluetooth/WiFi. Also write an Android application for Observer than can see drones nearby. Store drone track to a blockchain (Iroha). Test battery powered RP with GPS on a Phantom drone. Material: Iroha demo video and gitlab code, archieve with code for app-frontend-backend.

Goals for 2021: Update to draft-ietf-drip-rid-09, draft-ietf-drip-auth-01, test BT 5 dongle.

Goals for 2022: Update to draft-ietf-drip-rid-32, draft-ietf-drip-auth-17. Implement draft-moskowitz-drip-secure-nrid-c2. Test on NUC. Check BT5 status. WiFI BEACON test. Interop. Replace Google maps with Open maps in Android app.

Goals for 2023: Update to RFC9374. Possibly port Android App to iPhone. Interface to DNS registry (registries-13) (check Master thesis status). Authentication extension (update fom -17 to -40). Interop with other implementations.

Half-time presentation

For half-time seminar, can each group please make 20-30 min presentation focusing on following topics

• problem statement
• state of the art
• current status
• development strategy, hardware used
• division of tasks within the group
• main challenges so far
• work plan for 2nd half

Slides should be enough at this point, but if you can show some running code with devices, it would be nice!

Final presentation

Presentation covering same topics as half-time, but having lessons learned and conclusions instead of work plan.
A demo and code walkthrough must be presented also.
A report (about 7-10 pages) summarizing main results and advice for future students should be provided before the presentation.

Page responsible: Andrei Gurtov
Last updated: 2024-03-07