TinySec: A Link Layer Security Architecture for Wireless Sensor Networks

Transcription

1 TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastr, David Wagner Presented By: Tristan Brown

2 Outline Motivation Cryptography Overview TinySec Design Implementation and Evaluation Results

3 Motivation Need a secure communications platform for sensor networks Data is broadcast for all to hear. Sensor network nodes have severely limited resources. Can t use existing architectures designed for powerful devices.

4 Cryptography Overview Why use crypto? Provide probabilistic guarantees about messages sent/received on the network. Access control/message integrity Confidentiality Replay Protection

5 Access Control/Message Integrity Ensure only authorized senders are allowed to send messages. Ensure messages are unmodified after transmission. Can achieve both with a Message Authentication Code (MAC).

6 Message Authentication Codes Essentially a keyed checksum of the message Access Control: Cannot compute MAC without the key. Message Integrity: Any change to the message invalidates the MAC.

7 Confidentiality Keep message content from unauthorized viewers. Semantic security: ideally should prevent adversary from learning anything about the encrypted message. Achieved by message encryption with an Initialization Vector (IV)

8 Initialization Vector Plaintext prefix to the encrypted message Used to add variation to otherwise identical messages Without, identical messages would encrypt identically, violating semantic security.

9 Replay Protection Prevent a legitimate message from being resent later. Can be achieved by a monotonically increasing message counter. Not addressed by TinySec; authors believe higher layer protocols should handle this.

10 TinySec Design Unsuitability of existing schemes requires a new design High level protocols like SSL or IPSEC are too heavyweight. Existing wireless security designs are still too limiting Insecure (WEP) Incomplete (SNEP)

11 Two-teir design Based on the TinyOS Packet TinySec-Auth replaces the CRC and group field with a MAC TinySec-AE adds encryption to TinySec-Auth

12 Packet Format

13 MAC Protects the entire packet (except the MAC itself). Uses CBC-MAC with packet length XORed with the first block. Store 4 bytes of the result.

14 MAC Is 4 bytes secure? Requires 2 31 tries on average to brute force a single message. Given a 20kbps channel would take 20 months; far longer than a node lifetime. Numerous MAC failures would give away the attacker.

15 MAC Remove the CRC and group field to make room for the MAC. Groups can be created by using different keys for the CBC. MAC provides integrity protection making the CRC redundant Result: MAC increases packet size by only 1 byte.

16 Encryption Two components Initialization Vector Cipher Encrypt only the message Allows nodes to perform early rejection based on AM.

17 Initialization Vector 8 byte IV 4 bytes are taken from TinySec-Auth header fields 2 bytes are source address 2 bytes are a simple counter Results in 4 byte packet size increase

18 Initialization Vector How secure is this? Assuming all other header fields don t change, takes 2 16 packets to repeat an IV. At 1 packet/minute, will take 45 days to repeat an IV Repeated IV leaks limited information (due to cipher choice). If cipher is rekeyed, repeated IV isn t a problem.

19 Cipher What kind of cipher should be used? Stream cipher Use key and IV to generate keystream, XOR with data If IV is repeated, can recover XOR of plaintexts. Block Cipher (CBC) XOR first block with IV, encrypt For successive blocks XOR with prior ciphertext and encrypt.

20 CBC In case of a repeated IV only leaks the similarity of the first n identical blocks. Uses same cipher construct as CBC- MAC (save on code space) Must not use same key for encryption and CBC-MAC!

21 Keying Simple mechanism: use a single pair of keys for all nodes Entire network vulnerable to a single-node exploit. Link keying: use separate keys for every pair of nodes that communicates Key distribution is complex Group keying: Group nodes together, use different keys for each group.

22 Implementation and Evaluation Implemented for TinyOS on Mica platform Used skipjack as the block cipher for CBC/CBC-MAC Unencumbered by patents (unlike rc5) High performance and secure. Used single network-wide keypair for simplicity.

23 Performance Small throughput drop/latency rise consistent with the increased packet size No other noticeable difference (all computation can be completed as the packet is transmitted/received)

24 Power Consumption

25 Results Mostly effective authentication/encryption for sensor network environment Reduced size IV/MAC offset by inability to exploit the network without severely impacting it (node death) Some assumptions might not hold in all environments

26 Results Open Problems No keying mechanism (area of active research) Security assumptions made based on node lifetime; keys may outlive nodes.