Viability of using One-Time-Pad + HMAC in low-volume IoT communications

Question

In the Internet-of-Things world there are certain applications that produce very low volume communications. For example reading a water meter once every hour comes to mind. If the reading could be encoded as a 32 bit unsigned integer and adding a 24 bit serial number this device would transmit only about 614 KBytes of data over an assumed life-time of 10 years (7 bytes * 24 hours * 365 days * 10 years).

I'd like to put for discussion whether a One-Time-Pad (OTP) solution plus HMAC could be a viable solution in this scenario. A key stream of 614 KBytes could be easily pre-generated and stored on the device, although a Hardware Security Module (HSM) implementing "OTP + HMAC" probably does not yet exist.

I am aware of the core problems of using One-Time-Pads in practice. Assuming that these challenges could be overcome (at least in a manner that is sufficiently secure for the purpose of transmitting water meter readings once every hour) the following pseudo-code explains the approach.

# KEYSTREAM is a file containing at least 614 KBytes of random bytes.
# COUNTER is the current offset into KEYSTREAM.
function encrypt_and_hmac(plaintext):
    fp = open(KEYSTREAM)
    fp.seek(COUNTER)

    # Remember the current offset into the KEYSTREAM
    pos = fp.pos()

    # Read bytes from KEYSTREAM for encrypting the plaintext
    cipherpad = fp.read(len(plaintext))
    ciphertext = plaintext XOR cipherpad

    # Read 8 bytes (in this example) from KEYSTREAM for HMAC
    macpad = fp.read(8)
    hmac = hash(ciphertext + macpad)

    # Safely(!) erase the used bytes from the KEYSTRAM
    erase(KEYSTREAM, pos, pos+len(plaintext)+8)

    return pos, ciphertext, hmac

The current offset into the key stream (pos), the ciphertext and HMAC can now be transmitted. Decryption and verification would work like this.

function decrypt_and_verify(pos, ciphertext, hmac):
    fp = open(KEYSTREAM)
    fp.seek(pos)

    cipherpad = fp.read(len(plaintext))

    macpad = fp.read(8)
    assert hash(ciphertext + macpad) == hmac

    plaintext = ciphertext XOR cipherpad

    return plaintext

Just to preempt some potential comments:

Yes, AES-EAX and the like may be a better solution.
The challenge of safely distributing the KEYSTREAM is no different from using any other shared secret unless a Key-Exchange Protocol is used.
Ideally the Encrypt-and-HMAC should be done inside an HSM module or the security could be easily compromised if someone gains access to the water meter.
Having a small number of compromised water meters may be an acceptable business risk akin to water meters that are simply faulty. This would eliminate the cost of the HSM module.
An interesting challenge arises if the payload size of the transmission channel is very small like in Sigfox (12 bytes) and the smaller packet size options of LoRaWan and Weightless. Could one transmit only the first few bytes of the HMAC???

I am looking forward to your comments, feedback and criticism.

score 2 · Answer 1 · answered Jul 20 '17 at 02:08

Two points adding to Raoul's answer are:-

To generate a HMAC you need a key, and this key will have to be stored within the meter. If there's a key, traditional encryption can be used if you can somehow generate IVs. Or don't generate them and accept that repeat readings will be transmitted as repeat cipher text. This probably isn't a particularly serious issue for water consumption. Although, a static reading suggests the occupants are on holiday and the house is unoccupied. So this is an example of information leakage.
You compare OTP distribution to traditional key distribution. That might be true but have you considered the office end? This application of a OTP is about the worst possible kind. OTPs do not perform well in many to one transmissions. There will have to be a huge one time pad at the receiving station to decode readings from (100k+) meters. And how will you decode the reading if the meter ID is encrypted? If you use an IP address as an identifier, that can be intercepted so what's the point of encrypting the meter ID? And what happens if you roll out more meters? More OTP material has to be stored, interwoven with existing OTP material and subsequently tracked at the base office.

In summary, this is not the most appropriate scenario for a OTP. But, it you only had one meter (for lets say a home automation system), OTP is perfect as it eliminates all the cryptographic code /testing issues. Assuming of course that you can estimate the required pad size as Raoul suggests.

Thanks, that's a very good contribution to the discussion. I had a chuckle thinking about "information leakage of water meters" ;-) — Markus Juenemann, Jul 21 '17 at 03:31

Raoul722 · Accepted Answer · 2017-07-13T06:15:40.360

1

The two main disadvantages that I see are:

You have to predict how many bytes will be encrypted during the device lifecycle. In my opinion, this is quite challenging.
However, let's say you are able to fix an upper bound. In your example, you need to store 614kB inside an IoT device. What would it be if you consider a margin of error? Storing about 1GB inside IoT devices does not seem appropriate since many chips will be low-costs. Thus they will probably not have that storage space available.

Furthermore, since you propose to use HMAC for integrity/authenticity, symmetric keys management is still necessary. Hence, why not using an AEAD cipher?

To answer your question, yes it is a common practice to truncate MACs (this is done in LoRa) as discussed here.

edited Jul 13 '17 at 06:15

answered Jul 13 '17 at 05:35

Raoul722

2,836
2
20
39

1

In some systems it may be possible to predict how many bytes will be encrypted. For instance both LoRaWan and Sigfox operate in the ISM band which limits the duty cycle. In case of Sigfox that equates to about at most 12 bytes * 144 messages per day. – Markus Juenemann Jul 13 '17 at 05:51
I agree, the cost of storage memory will be a factor. – Markus Juenemann Jul 13 '17 at 05:54
Regarding AEAD: there is one advantage a OTP has over stream ciphers as the former can encrypt input that is not multiple of 8 bits. This may(!) be useful if your payload size is a mere 12 bytes like in Sigfox. Apart from that your comment is perfectly valid. – Markus Juenemann Jul 13 '17 at 05:54
Thanks for the link about truncated MACs. That was info I hadn't found before and I am glad to read that it had been done before. – Markus Juenemann Jul 13 '17 at 05:56
PS: This pseudo-Markdown drives me nuts ;-) – Markus Juenemann Jul 13 '17 at 05:56
@MarkusJuenemann 12 bytes are 12*8 bits, so a multiple of 8. – Elias Jul 13 '17 at 07:35
@Elias, yes but the part that needs to be encrypted doesn't necessarily have to be a multiple of 8 bits. For example, one could encode a GPS location with an accuracy of about 1 metre as latitude=25 bits, longitude=26 bits, altitude=14 bits, encrypt those 65(!) bits, and finally append 31 bits of the HMAC which gives 12 bytes (96 bits). In this example one would have to "sacrifice" 7 bits of HMAC to make the GPS location byte-aligned (72 bits = 9 bytes). – Markus Juenemann Jul 13 '17 at 12:59
@MarkusJuenemann What makes you think that stream ciphers can not encrypt data whose bit size is not in multiples of 8? – Rukako Jul 20 '17 at 03:26
@Rukako You are right, stream ciphers could encrypt any number of bits because they simply XOR the key stream bits with the plaintext bits. In practice though (some|most|many|all ???) implementations operate on bytes. On the other hand it shouldn't be too hard to implement your own key-stream generator, e.g. 'AES-ECB(key, counter)' with a counter as in CTR mode, and then XOR bits with the plain text. – Markus Juenemann Jul 21 '17 at 03:23

Viability of using One-Time-Pad + HMAC in low-volume IoT communications

2 Answers2