Presentation on theme: "TinySec: Security for TinyOS C. Karlof, N. Sastry, D. Wagner November 20, 2002."— Presentation transcript:
TinySec: Security for TinyOS C. Karlof, N. Sastry, D. Wagner November 20, 2002
Goals of TinySec Access Control –Authorized participants only Integrity –Altering and retransmitting a message should be difficult Confidentiality Transparent to applications and programmers
Block Ciphers Pseudorandom permutation (invertible) –DES, RC5, Skipjack, AES –Maps n bits of plaintext to n bits of ciphertext Block size n is typically 64 or 128 bits Key size k is typically 64 or 128 bits
Symmetric key encryption Confidentiality achieved by encryption Encryption schemes (modes) can be built using block ciphers –CBC-mode: break a m bit message into 64 bit chunks (m 1,m 2,..) –Transmit (c 1, c 2, …) and iv iv m2m2 m1m1 c1c1 c2c2 EkEk EkEk EkEk CBC-Mode iv is needed to achieve semantic security –A message looks different every time it is encrypted –iv reuse may leak information
Message Authentication Codes Encryption is not enough to ensure message integrity –Receiver cannot detect changes in the ciphertext –Resulting plaintext will still be valid Integrity achieved by a message authentication code –A t bit cryptographic checksum with a k bit key from an m bit message –Can detect both malicious changes and random errors –Replaces CRC –Can be built using a block cipher –MAC key should be different than encryption key length m2m2 m1m1 MAC EkEk EkEk EkEk CBC-MAC Mode
Packet Format destAMIVlengthdataMAC 21414 Encrypted MACed Key Differences No CRC -2 bytes No group ID -1 bytes MAC +4 bytes IV +4 bytes Total: +5 bytes
Usage: How does this change my life? Need to be aware of keys & keyfile –Currently, keys part of program, not intrinsic to mote (similar to moteID) –Plan to use EEPROM to tie key to mote –Makerules generates a keyfile if none exists and then uses it for programming all motes; –Keyfiles tied to a particular TinyOS installation. Manual transfer needed to install motes from different computers. Only application level code change: –Just use SecureGenericComm instead of GenericComm Works on Simulator
Implications for reliable transport CRC is replaced by MAC CRC is lightweight, MAC computation is expensive (~1000 vs. ~10000 cycles for 24 byte packet) MAC still detects errors, but computation must be completed in time for ACK transmission For each 8 bytes received, a block cipher called is needed (~1750 cycles) too expensive to run in SpiByteFifo event handler Cant run as a task: no real-time completion guarantees Trick: Run synchronously in event handler with interrupts enabled Like a preemptive priority scheduler that only TinySec can use (!!)
Tradeoffs 1 Early rejection –Still possible to reject based on dest or AM type –Question: Group ID provided weak access control; still needed? Short packets are expensive –Min data size is 8 bytes (size of block cipher) –Restriction can be elminated with reduced security (run in stream cipher mode) –Question: Is this a good tradeoff? Packet length not affected for more than 8 bytes of data
Analysis Access control and integrity –Probability of blind MAC forgery 1/2 32 –Industrial strength is usually 1/2 64 or less –Replay protection not provided, but can be done better at higher layers Confidentiality –Lots of ways to structure and manage IVs, but IV reuse will occur after ~65000 messages from each node –For CBC mode, IV reuse is not as severe has other modes Does not necessarily leak plaintext –Common solution is to increase IV length adds packet overhead
Performance: RC5 Cipher Rol32 cyclesRC5 cipher op cycles Time C version207~5750 +1.70 ms SPINS [C + asm]~85 avg~2775 avg.75 ms TinySec [C + asm]~42 avg~1775 avg.50 ms Number Block Cipher Ops (m byte msg) CBC-Encryption CBC-MAC Total
Current Status Working w/ Phil to get into broken/experimental TinySec needs to be incorporated into January retreat demos.
TinyOS System Changes MicaHighSpeedRadio TinySec CBC-Mode RC5 CBC-MAC
Tradeoffs 2: IV allocations Most secure idea for IV: src IDcounter IV 22 Counter must be persistent across reboot Gives each sender ~65000 messages before IV is reused (worst case) Question: src ID good for security (replay, IV) useful for other things?