Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Considerations for IEEE 802.15.4 Networks Karthikeyan Mahadevan.

Published byBryce Merritt Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Considerations for IEEE 802.15.4 Networks Karthikeyan Mahadevan."— Presentation transcript:

1 Security Considerations for IEEE 802.15.4 Networks Karthikeyan Mahadevan

2 Martin Cooper’s Law Cooper's Law, (after ArrayComm Chairman, Martin Cooper), states that the number of conversations (voice and data) conducted over a given area, in all of the useful radio spectrum, has doubled every two and a half years for the last 105 years, ever since Marconi discovered radio in 1895

3 What is IEEE 802.15.4 IEEE 802.15.4 LR WPAN is a task group for developing a standard for Low – Rate Wireless Personal Area Networks Wireless is gone beyond office and home to new environments like factories, hospitals and military applications

4 Goals of IEEE 802.15.4 Very low power consumption: The largest consumer of energy on a wireless device is the radio. Very low cost

5 Constraints Low power – Energy is very limited Must be carefully used No human intervention Lifetime – depends order of months to years In summary the software must be correct and minimal

6 Why are we interested? Application domain ranges from wireless gaming to military applications Certain classes of these applications needs security Communication medium is RF… This concern is addressed in the 802.15.4 specification – Link Layer Security

7 Contributions Critical analysis of the security features of 802.15.4 Outlines the problems Recommendations Targeted audience Radio designers Application Developers

8 Overview of 802.15.4 Security The basic features provided by the link layer security protocol are Access Control Message Integrity Message Confidentiality Replay Protection

9 Access Control and Message Integrity Unauthorized entities should not be part of a secure network A mechanism to detect the above scenario Message integrity – message tampering should be detected – MAC Requires communicating parties to share a secret

10 Confidentiality Means of achieving – encryption Notion of “Semantic Security” The encryption must prevent an adversary from learning even partial information about the message This means that encryption of the same plaintext twice should result in different cipher texts Nonce

11 Replay Protection Adversary eavesdrops a message from a legitimate sender and replays it after a time delay ‘x’ Sequence numbers – increased with every packet

12 802.15.4 Stack LLC – Logical Link Control SSCS – Service Specific Convergence Sub layer

13 802.15.4 Protocol Each node has 64 – bit Node ID 16 – bit Network ID (A node could use 16-bit Node ID) Two types of packets (relevant to security) Data ACK (Sender explicitly requests it)

14 Data and ACK packet formats

15 Where is security ? Handled by the Media access control layer The application controls the security required By default – “NO Security” Four types of packets Beacon, Data, ACK, Control packets for MAC Layer NO Security for ACK packets The other packets can optionally use encryption or integrity checks

16 Security Suites No security – NULL AES-CTR - Encryption only, CTR Mode AES-CBC-MAC – MAC only (options of 32bit, 64bit and 128bit MAC’s) AES-CCM – Encryption and MAC (options of 32bit, 64bit and 128bit MAC’s) Replay protection can be turned on or off for any of the above

17 How does it work? Application decides the choices on the security level. (A bool value) Access Control Lists are used to enforce these security levels (max up to 255 entries) If security is enforced then the MAC layer looks up the ACL table for the cryptographic material for the destination

18 Cont’d On packet reception, based on the flags the MAC layer decides how to process the packet ACL Entry Format

19 Details of Security Suites NULL – no security, mandatory in all chips AES-CTR (Confidentiality alone) Break plain text into 16-byte blocks p 1,…,p n Compute cipher text c i = p i xor E k (x i ) CTR or Nonce x i is necessary for the receiver to decrypt

20 Nonce Is made up of Static flags field Sender’s address 3 counters 4 byte frame counter (identifies the packet) 1 byte key counter 2 byte block counter (numbers the 16 byte blocks in a packet)

21 More on Nonce Frame counter controlled by the hardware radio Sender increments it after every packet When reaches max value no further encryptions are possible Key counter – application’s control Used when frame counter has reached its max value Goal of frame and key counter is to prevent nonce reuse (in a single key’s life-time) Use of block counter ensure different nonce’s are used for each block need not be transmitted

22 AES-CBC-MAC Sender has options of 4, 8 or 16 byte MAC Communicating parties have to share a key

23 AES-CCM Applies CBC-MAC over the header and the data Encrypts the data MAC on both using AES-CTR mode

24 Replay Counter Applicable to AES-CTR and AES-CCM suites The replay counter is 5 bytes long Frame counter Key Counter (MSB) Note: This is same as the nonce but is used for a different purpose.

25 Problems Three classes Nonce management Key management Integrity protection

26 Nonce Problems Same Key in Multiple ACL entries If used, very likely that nonce is also reused This could break the confidentiality Simple solution If using the same key then use only one ACL entry, after sending the first packet, change the ACL entry (the software must keep track of which destinations are in play)

27 Nonce Problems Loss of ACL – Power Failure Assuming that the ACL is restored, what about the nonces? The authors say that the 802.15.4 lacks clarity in this issue Recommendation – re-key after power failure Related issue – what happens when the node is sleeping Again there is presumably no clarity in the specification

28 Key Management Problems No group keying First approach: Assign different ACL entries for all the nodes in the group and use the same key (Nonce management problem, ACL will be large) Second approach: Single ACL entry – heavy, since for every destination the ACL has to be changed. Assuming the receivers also employ the same strategy then the receiver must switch the ACL before a packet arrives from a destination other than that in the current ACL

29 Key Management Problems Replay protection is incompatible with group keying Node x transmits 100 messages, so replay counter is at 99 now Node y starts transmission, its replay counter is going to 0, so the packets are dropped.

30 Nonce and Replay Counter Nonce is bound to the key – incremented with every message that is sent should use a different nonce (if two different entries use the same key, they share a nonce) Replay counter is bound to the sender’s address. If two ACL entries share a key, they still have different replay counters.

31 Integrity protection Problems Unauthenticated encryption Recommendation – do not use AES-CTR DoS on AES-CTR Two parties X and Y communicating (Replay protection is enabled) Attacker sends a very high value for the key and frame counter with garbage with sender ID X This would cause the messages from legitimate sender to be dropped.

32 Integrity protection Problems ACK without MAC Sequence number sent in clear Adversary can send ACK’s

33 Take - away Application Designers Do not use AES-CTR Do not rely on ACK Hardware Designers Support for 255 ACL entries (depends on the size of the network) Retail ACL in low power mode (if possible nonces too) Do not support AES-CTR

34 Take - away Specification writers Warn against Dangerous ACL configurations Better support for various keying models Do not support AES-CTR Authenticated ACK

35 References Naveen Sastry and David Wagner, “Security Considerations for IEEE 802.15.4 Networks”. ACM Workshop on Wireless Security WiSe 2004, October 2004

Download ppt "Security Considerations for IEEE 802.15.4 Networks Karthikeyan Mahadevan."

Similar presentations

Jason Li Jeremy Fowers. Background Information Wireless sensor network characteristics General sensor network security mechanisms DoS attacks and defenses.

Jason Li Jeremy Fowers. Background Information Wireless sensor network characteristics General sensor network security mechanisms DoS attacks and defenses.
CCNA – Network Fundamentals

CCNA – Network Fundamentals
Your 802.11 Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.

Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
1 The 7 layer OSI model Sending an e-mail. 2 The seven layers.

1 The 7 layer OSI model Sending an . 2 The seven layers.
TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Seetha Manickam.

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Seetha Manickam.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
Security Issues In Sensor Networks By Priya Palanivelu.

Security Issues In Sensor Networks By Priya Palanivelu.
Advanced Information Security – Final Project Made Harta Dwijaksara.

Advanced Information Security – Final Project Made Harta Dwijaksara.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.

1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.
Networking Theory (Part 1). Introduction Overview of the basic concepts of networking Also discusses essential topics of networking theory.

Networking Theory (Part 1). Introduction Overview of the basic concepts of networking Also discusses essential topics of networking theory.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.

Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.
1 TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastry, David Wagner Presented by Paul Ruggieri.

1 TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastry, David Wagner Presented by Paul Ruggieri.
OSI Model.

OSI Model.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
802.11 Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.

Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.

Similar presentations

Ads by Google