ma: Fix Björn's remaining comments from 2020-05-13

...and add some anderson references

2 files changed, 88 insertions, 54 deletions

diff --git a/ma/safety_reset.bib b/ma/safety_reset.bib
index 7b777ec..fdf40ef 100644
--- a/ma/safety_reset.bib
+++ b/ma/safety_reset.bib
@@ -1282,7 +1282,7 @@
 

 @Misc{ukgov02,

   date        = {2014},

-  title       = {Smart Metering Implementation ProgrammeSmart Metering Equipment Technical Specifications},

+  title       = {Smart Metering Implementation Programme: Smart Metering Equipment Technical Specifications},

   url         = {https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/381535/SMIP_E2E_SMETS2.pdf},

   urldate     = {2020-05-18},

   version     = {1.58},

@@ -1529,4 +1529,27 @@
   year      = {2005},

 }

 

+@Book{anderson02,

+  author    = {Ross J. Anderson},

+  date      = {2020},

+  title     = {Security engineering},

+  edition   = {3rd},

+  note      = {Preview of upcoming edition},

+  publisher = {Wiley},

+  subtitle  = {A guide to building dependable distributed systems},

+  url       = {https://www.cl.cam.ac.uk/~rja14/book.html},

+  urldate   = {2020-05-25},

+}

+

+@Article{anderson03,

+  author  = {R. J. {Anderson} and S. J. {Bezuidenhoudt}},

+  title   = {On the reliability of electronic payment systems},

+  doi     = {https://doi.org/10.1109/32.502222},

+  number  = {5},

+  pages   = {294-301},

+  volume  = {22},

+  journal = {IEEE Transactions on Software Engineering},

+  year    = {1996},

+}

+

 @Comment{jabref-meta: databaseType:biblatex;}

diff --git a/ma/safety_reset.tex b/ma/safety_reset.tex
index 2f57066..c50865f 100644
--- a/ma/safety_reset.tex
+++ b/ma/safety_reset.tex
@@ -374,8 +374,8 @@ before. One often-cited one is utilizing the new high-resolution load data to im
 greater generation efficiency. Computerizing the meter also allows for new fee models where electricity cost is no
 longer fixed over time but adapts to market conditions. Models such as prepayment electricity plans where the customer
 is automatically disconnected until they pay their bill are significantly aided by a fully electronic system that can be
-controlled and monitored remotely. A remotely controllable load switch can also be used to coerce customers in
-situations where that was not previously economically possible\footnote{
+controlled and monitored remotely\cite{anderson02}. A remotely controllable load switch can also be used to coerce
+customers in situations where that was not previously economically possible\footnote{
     The swiss association of electrical utility companies in sec.\ 7.2 par.\ (2)a of their 2010 whitepaper on the
     introduction of smart metering\cite{vseaes01} cynically writes that remotely controllable load switches ``lead a new
     tenant to swiftly register'' with the utility company. This whitepaper completely vanished from their website some
@@ -487,19 +487,20 @@ technician smart meters have ushered in an era of frictionless control\footnote{
     user inserts coins into a coin slot that activates a load switch at the household's main electricity connection.
     These systems were non-networked and did not allow for remote control. A disadvantage of such systems compared to
     modern \emph{smart} systems are the high cost of the coin acceptor and the overhead of site visits required to empty
-    the coin box. % FIXME nice citation
+    the coin box\cite{anderson02}.
 }.
 
 \subsection{Cryptographic coprocessors}
 
 Just like in legacy electricity meters in smart meters physical security is still a key component of the overall system
 design. Since in both types of meter cost depends on physical quantities being measured at the customer premises
-customers can save cost in case they are able to falsify the meter's measurements without being detected. For this
-reason both types of meters employ countermeasures against physical intrusion. Compared to high-risk devices such as
-card payment processing terminals or ATMs the tamper proofing used in smart meters is only basic. Common measures
-include sealing the case by irreversibly ultrasonically welding front and back plastic shells together or the use of
-security seals on the lid covering the input/output screw terminals. Low-tech attacks using magnets to saturate the
-current transformer's ferrite cores are detected using hall sensors\cite{itron01,hager01,easymeter01}.
+customers can save cost in case they are able to falsify the meter's measurements without being
+detected\cite{anderson02}. For this reason both types of meters employ countermeasures against physical intrusion.
+Compared to high-risk devices such as card payment processing terminals or ATMs the tamper proofing used in smart meters
+is only basic\cite{anderson02}. Common measures include sealing the case by irreversibly ultrasonically welding front
+and back plastic shells together or the use of security seals on the lid covering the input/output screw terminals.
+Low-tech attacks using magnets to saturate the current transformer's ferrite cores are detected using hall
+sensors\cite{anderson02,anderson03,itron01,hager01,easymeter01}.
 
 German smart metering standards are unique in that they specify the use of a smartcard-like security module to provide
 transport encryption and other cryptographic services\cite{bsi-tr-03109-2,bsi-tr-03109-2-a}.
@@ -610,14 +611,14 @@ billing irregularities.
 The UK is currently undergoing a smart metering rollout. Meters in the UK are nationally standardized to provide both
 Zigbee ZSE-based and IEC DLMS/COSEM connectivity. UK smart metering specifications are shared between electrical and gas
 meters. Different to other countries' specifications the UK national specifications require electrical meters to have an
-integrated load switch and gas meters to have an integrated valve.  In the UK a significant number of consumers are
-subject to prepaid electricity contracts.  Prepayment and credit functionality are also specified in the national smart
-metering standard, as is remote firmware update functionality. Outside communications in these standards is performed
-through a gateway (there called \emph{communications hub}) that can be shared between several meters
-\cite{ukgov01,ukgov02,ukgov03,brown01,sato01}. The combination of both gas and electricity metering into one family of
-standards and the exceptionally large set of \emph{required} features make the UK regulations the maximalist among the
-ones in this section. The mandatory inclusion of both load switches and remote connectivity up to remote firmware update
-make it an interesting attack target.
+integrated load switch and gas meters to have an integrated valve.  In Northern Ireland most consumers use prepaid
+electricity contracts\cite{anderson02}.  Prepayment and credit functionality are also specified in the UK's national
+smart metering standard, as is remote firmware update functionality\cite{ukgov02}. Outside communications in these
+standards is performed through a gateway (there called \emph{communications hub}) that can be shared between several
+meters \cite{ukgov01,ukgov02,ukgov03,brown01,sato01}. The combination of both gas and electricity metering into one
+family of standards and the exceptionally large set of \emph{required} features make the UK regulations the maximalist
+among the ones in this section. The mandatory inclusion of both load switches and remote connectivity up to remote
+firmware update make it an interesting attack target.
 
 \subsubsection{Italy}
 
@@ -748,7 +749,7 @@ that is frequently cited in utility industry publications outside of a general p
 electricity theft\cite{czechowski01}.  Academic papers tend to either focus on other benefits such as generation
 efficiency gains through better forecasting or try to rationalize the funamentally anti-consumer nature of smart
 metering with strenuous claims of ``enormous social benefits''\cite{mcdaniel01}. Academics rarely point out the large
-economical incentive such \emph{revenue protection} mechanisms provide\cite{anderson01}.
+economical incentive such \emph{revenue protection} mechanisms provide\cite{anderson01,anderson02}.
 
 This thesis will entirely focus on grid stability and discard electricity theft. For the attack scenarios we lay out
 billing inaccuracies of utility companies are of very low urgency compared to grid stability. In fact stability is a 
@@ -793,8 +794,8 @@ this produces a high cost pressure on the software development process for smart
 
 \subsection{The state of the art in embedded security}
 
-Embedded security generally is much harder than security of higher-level systems. This is due to a combination of the
-unique constraints of embedded devices (hard to update, usually small quantity) and their lack of capabilities
+Embedded software security generally is much harder than security of higher-level systems. This is due to a combination
+of the unique constraints of embedded devices (hard to update, usually small quantity) and their lack of capabilities
 (processing power, memory protection functions, user interface devices). Even very well-funded companies continue to
 have serious problems securing their embedded systems. A spectacular example of this difficulty is the recently-exposed
 flaw in Apple's iPhone SoC first-stage ROM bootloader\footnote{
@@ -1506,7 +1507,7 @@ error-correcting codes and we had no particular difficulty finding either.
 \subsection{Cryptographic security}
 \label{sec-crypto}
 
-Informally the system we are looking for can be modelled as consisting of three parties: The trusted
+Informally the system we are looking for can be modelled as consisting of three parties: the trusted
 \emph{transmitter}, one of a large number of untrusted \emph{receivers}, and an \emph{attacker}. These three play
 according to the following rules:
 
@@ -1519,31 +1520,36 @@ according to the following rules:
         public key fingerprints.
 \end{description}
 
-We are not interested in congestion scenarios where an attacker attempts to disrupt an ongoing transmission. In practice
-there are several avenues to prevent such attempts. Compromised loads that are being abused by the attacker can be
-manually disconnected by the utility. Error-correcting codes can be used to provide resiliency against small-scale
-disturbances. Finally, the transmitter can be designed to have high enough power to be able to override any likely
-attacker.
+We are not considering situations where an attacker attempts to jam an ongoing transmission. In practice there are
+several avenues to prevent such attempts. Compromised loads that are being abused by the attacker can be manually
+disconnected by the utility. Error-correcting codes can be used to provide resiliency against small-scale disturbances.
+Finally, the transmitter can be designed to have high enough power to be able to override any likely attacker.
 
 Our goal is to find a cryptographic primitive that has the following properties:
-\begin{enumerate}
-    \item The transmitter can produce a message bit sequence $\mathbf{s}$ that a subset of receivers can identify
-        as being generated by the transmitter: $\mathcal{R}\left(\mathbf{s}\right) = 1$. On reception of this sequence,
-        all addressed receivers performs a safety reset.
-    \item The attacker cannot forge $\mathbf{s}$, i.e.\ find $\mathbf{s}'$ such that
-        $\mathbf{s} \neq \mathbf{s}' \land \mathcal{R}\left(\mathbf{s}'\right) = 1$
-    \item Our system conforms to an at-most-once semantic. This means upon transmission of a valid bit sequence coded
-        for a set of receivers each one either performs exactly one safety reset or none at all. We cannot achieve an
-        exactly-once semantic since we are using an unidirectional lossy communication primitive. A receiver might be
-        offline (e.g.\ due to a localized power outage) and then would not hear the transmission even if our broadcast
-        primitive was reliable. Since there is no back-channel, the transmitter has no way of telling when that happens.
-        The practical impact of this can be mitigated by the transmitter by repeating the transmission a number of
-        times.
-    \item The message should be short. Our communications channel is outrageously slow compared to anything else used in
-        modern telecommunications and every bit counts.
-\end{enumerate}
+\begin{description}
+    \item[Authenticity.] The transmitter can produce a message bit sequence that a subset of receivers can identify as
+        being generated by the transmitter. On reception of this sequence, all addressed receivers perform a safety
+        reset.
+    \item[Unforgeability.] The attacker cannot forge a message, i.e.\ find a bit sequence other than one of the
+        transmitter's previous messages that a receiver would accept. This implies that the attacker also cannot modify
+        an existing message.
+    \item[Brevity.] The message should be short. Our communications channel is outrageously slow compared to anything
+        else used in modern telecommunications and every bit counts.
+\end{description}
 
-Along with the indistinguishability property the first requirement implies that we need a cryptographic
+On a protocol level we also have to ensure \emph{idempotence}. Our system should have an at-most-once semantic. This
+means for a given message each receiver either performs exactly one safety reset or none at all, even if the message is
+re-transmitted by either the transmitter or an attacker.  We cannot achieve the ideal exactly-once semantic wit pure
+protocol gymnastics since we are using an unidirectional lossy communication primitive. A receiver might be offline
+(e.g.\ due to a local power outage) and then would not hear the transmission even if our broadcast primitive was
+reliable. Since there is no back-channel, the transmitter has no way of telling when that happens.  The practical impact
+of this can be mitigated by the transmitter by repeating the transmission a number of times.
+
+It follows from the unforgeability requirement that we can trivially reach idempotence at the protocol level by keeping
+a database of all previous messages and only accepting \emph{new} messages. By considering this in our cryptographic
+design we can reduce the storage requirement for this ``database''.
+
+Along with the indistinguishability property the access requirement implies that we need a cryptographic
 signature\cite{lamport01}.  However, we have relaxed constraints on this signature compared to cryptographic practice.
 While cryptographic signatures need to work over arbitrary inputs, all we want to ``sign'' here is the instruction to
 perform a safety reset. This is the only message we might ever want to transmit so our message space has only one
@@ -1564,7 +1570,7 @@ the transmitter transmits and replay that same sequence later. Even without cryp
 attacker from violating the at-most-once criterion. If every receiver memorizes all bit sequences that have been
 transmitted so far it can detect replays. With this mitigation by replaying an older authentic transmission an attacker
 can cause receivers that were offline during the original transmission to reset at a later point. Considering our goal
-is to reset them in the first place this should not pose a danger to the system's safety or security.
+is to reset them in the first place this should not pose a threat to the system's safety or security.
 
 A possible scenario would be that an attacker first causes enough havoc for authorities to trigger a safety reset. The
 attacker would record the trigger transmission. We can assume most meters were reset during the attack. Due to this the
@@ -1584,9 +1590,10 @@ comparatively high computational effort required for signature verification woul
 several minutes anyway and we can afford to spend some tens of seconds even in signature verification. Transmission
 length and by proxy system latency would be determined by the length of the signature. For RSA signature length is the
 modulus length (i.e. larger than \SI{1000}{bit} for very basic contemporary security). For elliptic curve-based systems
-signature size is approximately twice the curve length (i.e. $\SI{\approx 300}{bit}$ for contemporary security).
-Thanks to our unique setting we can do better than this. We can exploit that our effective message entropy is 0 bit to
-derive a more efficient scheme.
+curve length is approximately twice the security level and signature size is twice the curve length because two curve
+points need to be encoded\cite{anderson02}.  For contemporary security this results in more than 300 bit transmission
+length. Thanks to our unique setting we can do better than this. We can exploit that our effective message entropy is 0
+bit to derive a more efficient scheme.
 
 \subsubsection{Lamport signatures}
 
@@ -1645,27 +1652,31 @@ construction. To prevent an attacker from re-triggering a receiver a second time
 all receivers have to blacklist any ``used'' $\sigma$. Alas, this means we can only ever trigger a receiver \emph{once}.
 The good part is that any receiver that missed this trigger can still be triggered later, but the bad part is that once
 $s$ is burned we are out of options. The trivial solution to this would be to simply inform each receiver with a whole
-list of public keys in advance. This however takes $n$ times the amount of space for $n$-fold retriggerability. Luckily
-we can easily derive a scheme that yields $n$-fold retriggerability while using no more same space than the original
-scheme by taking some inspiration from Winternitz signatures above.
+list of public keys in advance. This however takes $n$ times the amount of space for $n$-fold retriggerability and we
+have to memorize separately for each one whether it has been used up. Luckily we can easily derive a scheme that yields
+$n$-fold retriggerability and naturally memorizes replay state while using no more same space than the original scheme
+by taking some inspiration from Winternitz signatures above.
 
-In this scheme the secret key $s$ is still a random bit string. The public key is $p = H^n(s)$ for n-times
+In this scheme the secret key $s$ is still a random bit string. The public key is $p = H^n(s)$ for $n$-times
 retriggerability.  The $i$-th time the trigger is activated, $\sigma_i = H^n-i(s)$ is published, and every receiver can
 verify that $\sigma_{i-1} = H\left(\sigma_i\right)$ with $\sigma_0 = p$. In case a receiver missed one or more previous
-triggers it can simply continue computing $H\left(H\left(\sigma_i\right)\right)$ and
+triggers it continues computing $H\left(H\left(\sigma_i\right)\right)$ and
 $H\left(H\left(H\left(\sigma_i\right)\right)\right)$ until either reaching the $n$-th recursion level (indicating an
 invalid signature) or finding $H^n\left(\sigma_i\right) = \sigma_j$ with $sigma_j$ being the last signature this
 receiver recorded, or $p$ in case there is none.
 
 This scheme provides replay protection through receiver memorizing the last signature they activated to. Public key
 length is equal to the length of the hash function $H$ used. Even for our embedded systems use case $n$ can
-realistically be up to $\mathcal O\left(10^3\right)$, which is easily enough for our application.
+realistically be up to $\mathcal O\left(10^3\right)$, which is easily enough for our purposes.
 
 The ``disarm'' message we discussed above can be integrated into this scheme by encoding the ``enable'' bit into the
 least significant bit of $n$ in our $H^n$ construction. In the chain of valid signatures every second one would be a
 disarm signature. Reset and disarm signatures would alternate in this scheme. By skipping a disarm signature two resets
 can still be triggered directly after one another.
 
+% FIXME diagram
+% FIXME include domain mechanism
+
 \chapter{Practical implementation}
 
 To validate the practical feasibility of the theoretical concepts we laid out in the previous chapter we decided to