71 research outputs found

    Protecting EST Payloads with OSCORE: IETF Internet Draft

    draft-selander-ace-coap-est-oscore-04
    This document specifies public-key certificate enrollment procedures protected with lightweight application-layer security protocols suitable for Internet of Things (IoT) deployments. The protocols leverage payload formats defined in Enrollment over Secure Transport (EST) and existing IoT standards including the Constrained Application Protocol (CoAP), Concise Binary Object Representation (CBOR) and the CBOR Object Signing and Encryption (COSE) format.

    [I] Why do we find so many meteorites on the Nansen blue ice field and where else could we look?

    The Tenth Symposium on Polar Science/Special session: [S] Future plan of Antarctic research: Towards phase X of the Japanese Antarctic Research Project (2022-2028) and beyond, Tue. 3 Dec. / 2F Auditorium, National Institute of Polar Researc

    Extraordinary rocks from the peak ring of the Chicxulub impact crater: P-wave velocity, density, and porosity measurements from IODP/ICDP Expedition 364

    Joint International Ocean Discovery Program and International Continental Scientific Drilling Program Expedition 364 drilled into the peak ring of the Chicxulub impact crater. We present P-wave velocity, density, and porosity measurements from Hole M0077A that reveal unusual physical properties of the peak-ring rocks. Across the boundary between post-impact sedimentary rock and suevite (impact melt-bearing breccia) we measure a sharp decrease in velocity and density, and an increase in porosity. Velocity, density, and porosity values for the suevite are 2900–3700 m/s, 2.06–2.37 g/cm³, and 20–35%, respectively. The thin (25 m) impact melt rock unit below the suevite has velocity measurements of 3650–4350 m/s, density measurements of 2.26–2.37 g/cm³, and porosity measurements of 19–22%. We associate the low velocity, low density, and high porosity of suevite and impact melt rock with rapid emplacement, hydrothermal alteration products, and observations of pore space, vugs, and vesicles. The uplifted granitic peak ring materials have values of 4000–4200 m/s, 2.39–2.44 g/cm³, and 8–13% for velocity, density, and porosity, respectively; these values differ significantly from typical unaltered granite which has higher velocity and density, and lower porosity. The majority of Hole M0077A peak-ring velocity, density, and porosity measurements indicate considerable rock damage, and are consistent with numerical model predictions for peak-ring formation where the lithologies present within the peak ring represent some of the most shocked and damaged rocks in an impact basin. We integrate our results with previous seismic datasets to map the suevite near the borehole. We map suevite below the Paleogene sedimentary rock in the annular trough, on the peak ring, and in the central basin, implying that, post impact, suevite covered the entire floor of the impact basin. Suevite thickness is 100–165 m on the top of the peak ring but 200 m in the central basin, suggesting that suevite flowed downslope from the collapsing central uplift during and after peak-ring formation, accumulating preferentially within the central basin.

    Ocean Drilling Perspectives on Meteorite Impacts

    Extraterrestrial impacts that reshape the surfaces of rocky bodies are ubiquitous in the solar system. On early Earth, impact structures may have nurtured the evolution of life. More recently, a large meteorite impact off the Yucatán Peninsula in Mexico at the end of the Cretaceous caused the disappearance of 75% of species known from the fossil record, including non-avian dinosaurs, and cleared the way for the dominance of mammals and the eventual evolution of humans. Understanding the fundamental processes associated with impact events is critical to understanding the history of life on Earth, and the potential for life in our solar system and beyond. Scientific ocean drilling has generated a large amount of unique data on impact processes. In particular, the Yucatán Chicxulub impact is the single largest and most significant impact event that can be studied by sampling in modern ocean basins, and marine sediment cores have been instrumental in quantifying its environmental, climatological, and biological effects. Drilling in the Chicxulub crater has significantly advanced our understanding of fundamental impact processes, notably the formation of peak rings in large impact craters, but these data have also raised new questions to be addressed with future drilling. Within the Chicxulub crater, the nature and thickness of the melt sheet in the central basin is unknown, and an expanded Paleocene hemipelagic section would provide insights to both the recovery of life and the climatic changes that followed the impact. Globally, new cores collected from today’s central Pacific could directly sample the downrange ejecta of this northeast-southwest trending impact. Extraterrestrial impacts have been controversially suggested as primary drivers for many important paleoclimatic and environmental events throughout Earth history. However, marine sediment archives collected via scientific ocean drilling and geochemical proxies (e.g., osmium isotopes) provide a long-term archive of major impact events in recent Earth history and show that, other than the end-Cretaceous, impacts do not appear to drive significant environmental changes.

    Probing the hydrothermal system of the Chicxulub impact crater

    The ~180-km-diameter Chicxulub peak-ring crater and ~240-km multiring basin, produced by the impact that terminated the Cretaceous, is the largest remaining intact impact basin on Earth. International Ocean Discovery Program (IODP) and International Continental Scientific Drilling Program (ICDP) Expedition 364 drilled to a depth of 1335 m below the sea floor into the peak ring, providing a unique opportunity to study the thermal and chemical modification of Earth’s crust caused by the impact. The recovered core shows the crater hosted a spatially extensive hydrothermal system that chemically and mineralogically modified ~1.4 × 10⁵ km³ of Earth’s crust, a volume more than nine times that of the Yellowstone Caldera system. Initially, high temperatures of 300° to 400°C and an independent geomagnetic polarity clock indicate the hydrothermal system was long lived, in excess of 10⁶ years.

    Globally distributed iridium layer preserved within the Chicxulub impact structure

    The Cretaceous-Paleogene (K-Pg) mass extinction is marked globally by elevated concentrations of iridium, emplaced by a hypervelocity impact event 66 million years ago. Here, we report new data from four independent laboratories that reveal a positive iridium anomaly within the peak-ring sequence of the Chicxulub impact structure, in drill core recovered by IODP-ICDP Expedition 364. The highest concentration of ultrafine meteoritic matter occurs in the post-impact sediments that cover the crater peak ring, just below the lowermost Danian pelagic limestone. Within years to decades after the impact event, this part of the Chicxulub impact basin returned to a relatively low-energy depositional environment, recording in unprecedented detail the recovery of life during the succeeding millennia. The iridium layer provides a key temporal horizon precisely linking Chicxulub to K-Pg boundary sections worldwide

    The formation of peak rings in large impact craters

    Large impacts provide a mechanism for resurfacing planets through mixing near-surface rocks with deeper material. Central peaks are formed from the dynamic uplift of rocks during crater formation. As crater size increases, central peaks transition to peak rings. Without samples, debate surrounds the mechanics of peak-ring formation and their depth of origin. Chicxulub is the only known impact structure on Earth with an unequivocal peak ring, but it is buried and only accessible through drilling. Expedition 364 sampled the Chicxulub peak ring, which we found was formed from uplifted, fractured, shocked, felsic basement rocks. The peak-ring rocks are cross-cut by dikes and shear zones and have an unusually low density and seismic velocity. Large impacts therefore generate vertical fluxes and increase porosity in planetary crust

    Security for the internet of things : a bottom-up approach to the secure and standardized internet of things

    No full text
    The rapid expansion of the IoT has unleashed a tidal wave of cheap Internet-connected hardware. For many of these products, security was merely an afterthought. Due to their advanced sensing and actuating functionalities, poorly-secured IoT devices endanger the privacy and safety of their users. While the IoT contains hardware with varying capabilities, in this work, we primarily focus on the constrained IoT. The restrictions on energy, computational power, and memory limit not only the processing capabilities of the devices but also their capacity to protect their data and users from attacks. To secure the IoT, we need several building blocks. We structure them in a bottom-up fashion where each block provides security services to the next one. The first cornerstone of the secure IoT relies on hardware-enforced mechanisms. Various security features, such as secure boot, remote attestation, and over-the-air updates, rely heavily on its support. Since hardware security is often expensive and cannot be applied to legacy systems, we alternatively discuss software-only attestation. It provides a trust anchor to remote systems that lack hardware support. In the setting of remote attestation, device identification is paramount. Hence, we dedicated a part of this work to the study of physical device identifiers and their reliability. The IoT hardware also frequently provides support for the second building block: cryptography. It is used abundantly by all the other security mechanisms, and recently much research has focussed on lightweight cryptographic algorithms. We studied the performance of the recent lightweight cryptographic algorithms on constrained hardware. A third core element for the security of the IoT is the capacity of its networking stack to protect the communications. We demonstrate that several optimization techniques expose vulnerabilities. For example, we show how to set up a covert channel by exploiting the tolerance of the Bluetooth LE protocol towards the naturally occurring clock drift. It is also possible to mount a denial-of-service attack that leverages the expensive network join phase. As a defense, we designed an algorithm that almost completely alleviates the overhead of network joining. The last building block we consider is security architectures for the IoT. They guide the secure integration of the IoT with the traditional Internet. We studied the IETF proposal concerning the constrained authentication and authorization framework, and we propose two adaptations that aim to improve its security. Finally, the deployment of the IETF architecture heavily depends on the security of the underlying communication protocols. In the future, the IoT will mainly use the object security paradigm to secure data in flight. However, until these protocols are widely supported, many IoT products will rely on traditional security protocols, i.e., TLS and DTLS. For this reason, we conducted a performance study of the most critical part of the protocols: the handshake phase. We conclude that while the DTLS handshake uses fewer packets to establish the shared secret, TLS outperforms DTLS in lossy networks.

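    Security for the Internet of Things: a bottom-up approach for a secure and standardized Internet of Things (original title: Sécurité pour l'internet des objets : une approche des bas en haut pour un internet des objets sécurisé et normalisé)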

    No full text