TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof :: Naveen Sastry :: David Wagner Presented by Roh, Yohan October 28, 2004

2 Contents Introduction & Motivation Introduction & Motivation Design Goals Design Goals Security Primitives Security Primitives Design of TinySec Design of TinySec Security Analysis Security Analysis Evaluations Evaluations Conclusions Conclusions

3 Introduction & Motivation(1/5) Widespread deployment of sensors could be reduced without adequate security Widespread deployment of sensors could be reduced without adequate security We observes that about 50-80% of all wireless networks operate in the clear, without any cryptographic protection We observes that about 50-80% of all wireless networks operate in the clear, without any cryptographic protection Security system requirements Security system requirements Usage must be transparent and intuitive Usage must be transparent and intuitive Performance must be reasonable Performance must be reasonable

4 Introduction & Motivation(2/5) TinySec is a lightweight link layer security mechanism for sensor networks TinySec is a lightweight link layer security mechanism for sensor networks Sensors : Berkeley Mica2 Mote Sensors : Berkeley Mica2 Mote 8MHz 8-bit ATMEGA 128L CPU 8MHz 8-bit ATMEGA 128L CPU 128 kB instruction memory 128 kB instruction memory 4 kB RAM for data 4 kB RAM for data 512 kB flash memory 512 kB flash memory 916Mhz radio (100m ’ max) 916Mhz radio (100m ’ max) 19.2 kbps application bandwidth 19.2 kbps application bandwidth 2 AA batteries 2 AA batteries

5 Introduction & Motivation(3/5) TinySec is a lightweight link layer security mechanism for sensor networks TinySec is a lightweight link layer security mechanism for sensor networks The main goal of TinySec is minimizing overhead with reasonable protection The main goal of TinySec is minimizing overhead with reasonable protection Energy Energy Bandwidth Bandwidth Latency, etc. Latency, etc.  experiments & analysis

6 Introduction & Motivation(4/5) TinySec is a lightweight link layer security mechanism for sensor networks TinySec is a lightweight link layer security mechanism for sensor networks Link layer security involves Link layer security involves Access control Access control Integrity Integrity Confidentiality Confidentiality Adversary + key

7 Introduction & Motivation(5/5) TinySec is a lightweight link layer security mechanism for sensor networks TinySec is a lightweight link layer security mechanism for sensor networks Hop-by-hop, not end-to-end Hop-by-hop, not end-to-end Better security support for In-network processing Better security support for In-network processing Aggregation Aggregation Duplication elimination Duplication elimination

8 Design Goals Security Security Access control Access control Message integrity Message integrity Message confidentiality Message confidentiality Performance Performance Energy Energy Bandwidth Bandwidth etc. etc. Ease of use Ease of use  MESSAGE AUTHENTICATION CODE  ENCRYPTION  DECREASE MESSAGE LENGTH  PUT IN TinyOS

9 Security Primitives(1/3) MACs : Message authentication codes MACs : Message authentication codes For access control & integrity For access control & integrity + shared key MESSAGEMACs MESSAGEMACs

10 Security Primitives(2/3) IVs : Initialization vectors IVs : Initialization vectors For encryption especially for semantic security For encryption especially for semantic security Same plaintext two times should give two different ciphertexts Same plaintext two times should give two different ciphertexts + shared key MESSAGE (YES/NO)

11 Security Primitives(3/3) IVs : Initialization vectors IVs : Initialization vectors To add variation to the encryption process To add variation to the encryption process IVs is side input to the encryption algorithm IVs is side input to the encryption algorithm Sent in the clear i.e. included in the packet with the encrypted data Sent in the clear i.e. included in the packet with the encrypted data As most encryption schemes do not rely on IVs being secret As most encryption schemes do not rely on IVs being secret

12 Design of TinySec(1/7) Two different security options: Two different security options: Authenticated Encryption : TinySec-AE Authenticated Encryption : TinySec-AE Authenticated only : TinySec-Auth Authenticated only : TinySec-Auth MESSAGEHeader encrypted MACs MESSAGEHeaderMACs

13 Design of TinySec(2/7) How to encrypt How to encrypt 1. To select an encryption scheme 1. To select an encryption scheme 2. To specify the IV format 2. To specify the IV format  CIPHER BLOCK CHAINING : CBC  8 Byte IV format

14 Design of TinySec(3/7) 2. TinySec IV format 2. TinySec IV format (Recall our goal is to reduce overhead of security) (Recall our goal is to reduce overhead of security) TinyOS packet (CRC) TinySec-AE (Authentication, Encryption) IV

15 Design of TinySec(4/7) 1. Encryption schemes : Why CBC? 1. Encryption schemes : Why CBC? (Recall our goal is to reduce overhead of security) (Recall our goal is to reduce overhead of security) Stream ciphers Stream ciphers If same IV is ever used to encrypt two different packets, then it is often possible to recover both plaintexts If same IV is ever used to encrypt two different packets, then it is often possible to recover both plaintexts Requires IVs to be fairly long at least 8 bytes not to reuse IVs Requires IVs to be fairly long at least 8 bytes not to reuse IVs Adding 8 additional bytes is unacceptable Adding 8 additional bytes is unacceptable

16 Design of TinySec(5/7) 1. Encryption schemes : Why CBC? 1. Encryption schemes : Why CBC? Modes of operation using block ciphers Modes of operation using block ciphers Counter : CTR mode Counter : CTR mode Stream cipher mode Stream cipher mode Shares all problems as stream cipher Shares all problems as stream cipher Cipher Block Chaining :8byte CBC mode(CBC-MAC) Cipher Block Chaining :8byte CBC mode(CBC-MAC) Given two plaintexts P, P’ with same IV, ciphertext leak the length of longest shared prefix of P and P’ Given two plaintexts P, P’ with same IV, ciphertext leak the length of longest shared prefix of P and P’ E.g. DES, AES, RC5, Skipjack E.g. DES, AES, RC5, Skipjack slow patent

17 Design of TinySec(6/7) TinySec pack format TinySec pack format Old packet (CRC): +7 b Authentication Only (TinySec-Auth): +8 b Authentication, Encryption (TinySec-AE) : +12 b IV

18 Design of TinySec(7/7) Key Management Key Management networ k base station k k k k k k Making key management easy: Global shared keys

19 Security Analysis(1/2) Access control & Message integrity Access control & Message integrity Using 4 byte MAC, adversary has a 1 in 2^32 chance in blindly forging a valid MAC Using 4 byte MAC, adversary has a 1 in 2^32 chance in blindly forging a valid MAC On 19.2kbps channel, one can only send 40 forgery attempts per second, so sending 2^31 packets at this rate would take over 20 months On 19.2kbps channel, one can only send 40 forgery attempts per second, so sending 2^31 packets at this rate would take over 20 months  Heuristic : nodes could signal the base station when the rate of MAC failures exceeds some predetermined threshold

20 Security Analysis(2/2) Confidentiality Confidentiality (Src||Ctr) of IV format of the last 4 byte guarantees each node can send at least 2^16 packets before IV reuse (Src||Ctr) of IV format of the last 4 byte guarantees each node can send at least 2^16 packets before IV reuse One packet per minute per node, IV reuse will not occur for over 45 days One packet per minute per node, IV reuse will not occur for over 45 days (one packet per 30s per node  22.5 days) (one packet per 30s per node  22.5 days) (one packet per 1s per node  0.75 days) (one packet per 1s per node  0.75 days)

21 Performance Summary Predicted (packet size only) BW Overhead Energy Overhead CRC (No TinySec) TinySec- Auth 1.5%Negligible3% TinySec-AE8%6%10%

22 Packets & Predicted Overhead Old packet (CRC): +7 b Authentication Only (TinySec-Auth): +8 b Authentication, Encryption (TinySec-AE) : +12 b IV Overhead (byte) Total Size (byte) Xmit time (ms) (19.2kbps) IncreaseCRC 39 (28+4+7) TinySec-Auth 40 (28+4+8) % TinySec-AE 44 ( ) %

23 Energy +3% +10%

24 Bandwidth TinySec-Auth: same throughput TinySec-AE: 6% less throughput

25 Conclusions-TinySec(1/2) Link layer security architecture for TinyOS Link layer security architecture for TinyOS Access control Access control Message integrity Message integrity Message confidentiality Message confidentiality Architectural features Architectural features Fully implemented Fully implemented Single globally shared key Single globally shared key Optimized for sensor networks Optimized for sensor networks Minimizing overhead for security Minimizing overhead for security Energy Consumption Energy Consumption Bandwidth Bandwidth Latency, etc. Latency, etc.

26 Conclusions-TinySec(2/2) Good Good Performance is ok Performance is ok Integration seems truly easy Integration seems truly easy Neutral Neutral Out of scope: per-node keying; public-key infrastructure; Out of scope: per-node keying; public-key infrastructure; No security against insider attacks; What if a node is captured, stolen, or compromised? No security against insider attacks; What if a node is captured, stolen, or compromised?