Testing the limits of SPDM: Authentication of intermittently connected devices

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2024-10-09 DOI:10.1016/j.cose.2024.104142

Renan C.A. Alves, Otávio F. Freitas, Bruno C. Albertini, Marcos A. Simplicio Jr.

{"title":"Testing the limits of SPDM: Authentication of intermittently connected devices","authors":"Renan C.A. Alves, Otávio F. Freitas, Bruno C. Albertini, Marcos A. Simplicio Jr.","doi":"10.1016/j.cose.2024.104142","DOIUrl":null,"url":null,"abstract":"<div><div>The Security Protocol and Data Model (SPDM) is an open standard for authentication, attestation, and key exchange among hardware units, such as CPUs and peripheral components. In principle, SPDM was designed to operate over a somewhat stable communication channel, meaning that connection losses usually require the re-execution of the entire protocol. This puts into question SPDM’s suitability for battery-powered devices, which may keep only intermittent communications aiming to save energy. To address this question, we evaluate different authentication approaches that build upon and extend SPDM’s native key bootstrapping capabilities to handle intermittent authentication. In particular, we show that the combination of SPDM and a Time-based One-Time Password (TOTP) protocol is a promising solution for this scenario. We analyze the performance of the proposed authentication schemes using a proof-of-concept virtual device. The TOTP-based scheme was shown to be the fastest, the reconnection step being at least twice and up to <span><math><mrow><mn>900</mn><mo>×</mo></mrow></math></span> faster than possible straightforward applications of SPDM. Also, our scheme requires less memory to operate. Finally, we discuss the possibility of integrating intermittent authentication capabilities into the SPDM standard itself.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104142"},"PeriodicalIF":4.8000,"publicationDate":"2024-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824004474","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

The Security Protocol and Data Model (SPDM) is an open standard for authentication, attestation, and key exchange among hardware units, such as CPUs and peripheral components. In principle, SPDM was designed to operate over a somewhat stable communication channel, meaning that connection losses usually require the re-execution of the entire protocol. This puts into question SPDM’s suitability for battery-powered devices, which may keep only intermittent communications aiming to save energy. To address this question, we evaluate different authentication approaches that build upon and extend SPDM’s native key bootstrapping capabilities to handle intermittent authentication. In particular, we show that the combination of SPDM and a Time-based One-Time Password (TOTP) protocol is a promising solution for this scenario. We analyze the performance of the proposed authentication schemes using a proof-of-concept virtual device. The TOTP-based scheme was shown to be the fastest, the reconnection step being at least twice and up to

900 \times

faster than possible straightforward applications of SPDM. Also, our scheme requires less memory to operate. Finally, we discuss the possibility of integrating intermittent authentication capabilities into the SPDM standard itself.

查看原文本刊更多论文

测试 SPDM 的极限：间歇性连接设备的身份验证

安全协议和数据模型（SPDM）是一种开放式标准，用于 CPU 和外围设备等硬件单元之间的身份验证、证明和密钥交换。从原理上讲，SPDM 是为在一定程度上稳定的通信信道上运行而设计的，这意味着连接中断通常需要重新执行整个协议。这就对 SPDM 是否适用于电池供电设备提出了质疑，因为电池供电设备可能只保持间歇性通信，以节省能源。为了解决这个问题，我们评估了不同的验证方法，这些方法基于并扩展了 SPDM 的本地密钥引导功能，以处理间歇性验证。我们特别指出，SPDM 和基于时间的一次性密码 (TOTP) 协议的结合是解决这种情况的一个很有前景的方案。我们使用概念验证虚拟设备分析了所建议的验证方案的性能。结果表明，基于 TOTP 的方案速度最快，其重新连接步骤比直接应用 SPDM 至少快两倍，最多可快 900 倍。此外，我们的方案运行所需的内存更少。最后，我们讨论了将间歇验证功能集成到 SPDM 标准本身的可能性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.