7/13/2007 AIIT Summer Course - F2 Security
Wireless Embedded Systems and Networking
Foundations of IP-based Ubiquitous Sensor Networks
WSN Security
David E. Culler
University of California, Berkeley
Arch Rock Corp.
July 9-13, 2007
* Much of this material based on work by David Wagner, UC Berkeley
Learn From History…
Cellphones (timeline: 1980, 1990, 2000)
• analog cellphones: AMPS
• analog cloning, scanners; fraud pervasive & costly
• digital: TDMA, GSM
• TDMA eavesdropping [Bar]
• more TDMA flaws [WSK]
• GSM cloneable [BGW]
• GSM eavesdropping [BSW, BGW]
• Future: 3rd gen.: 3GPP, …
Wireless networks (timeline: 1999, 2000, 2001, 2002, 2003)
• 802.11, WEP
• WEP broken [BGW]
• WEP badly broken [FMS]
• WPA
• attacks pervasive
• Future: 802.11i
Sensor networks (timeline: 2002, 2003)
• Berkeley motes
• TinyOS 1.0
• TinyOS 1.1, TinySec
• 802.15.4 AES
• AR TinyOS 2 AES
Let’s get it right from the start
Sensor Network Security
What’s different about sensor nets?
• Stringent resource constraints
• Insecure wireless networks
• No physical security
• Interaction with the physical environment
Back to the 90’s
New
Back to the 70’s
Communications Security
“It doesn’t matter how good your crypto is if it is never used.”
TinySec Design Philosophy
The lesson from 802.11:
• Build crypto-security in, and turn it on by default!
TinySec Design Goals:
1. Encryption turned on by default
2. Encryption turned on by default
3. Encryption turned on by default
Usage must be transparent and intuitive
Performance must be reasonable
4. As much security as we can get, within these constraints
TinySec Challenges
• Must avoid complex key management
– TinySec must be super-easy to deploy
• Crypto must run on wimpy devices
– We’re not talking 2GHz P4’s here!
– Dinky CPU (1-4 MHz), little RAM (256 bytes), lousy battery
– Public-key cryptography is right out
• Need to minimize packet overhead
– Radio is very power-intensive: 1 bit transmitted ≈ 1000 CPU ops
– TinyOS packets are 28 bytes long
– Can’t afford to throw around a 128-bit IV here, a 128-bit MAC there
• Today: AES128 in hardware. 802.15.4 defines the frame – with the crypto. Main issue is key management
Easy Key Management
[Figure: a network of nodes and a base station, each holding the same key k]
Making key management easy: global shared keys
Be Easy to Deploy
Making deployment easy: plug-n-play crypto + link-layer security
[Figure: two component stacks, one built from App, GenericComm and Radio, the other from App, SecureGenericComm and Radio]
Perform Well on Tiny Devices
• Use a block cipher for both encryption & authentication
• Skipjack is good for 8-bit devices; low RAM overhead
[Figure: component diagram with Radio Stack [MicaHighSpeedRadioM / CC1000RadioIntM], TinySecM, CBC-ModeM, SkipJackM, CBC-MACM]
Minimize Packet Overhead
Minimize overhead: cannibalize, cheat, steal
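Packet fields (bytes): dest (2), AM (1), IV (4), len (1), data, MAC (4)
[Figure labels: “Encrypted” and “MAC’ed” mark the fields covered by each operation]
Key Differences
No CRC: -2 bytes
No group ID: -1 byte
MAC: +4 bytes
IV: +4 bytes
Total: +5 bytes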
Tricks for Low Overhead
• CBC mode encryption, with encrypted IV
– Allows flexible IV formatting: 4 byte counter, + cleartext hdr fields (dest, AM type, length); gets the most bang for your birthday buck
– IV robustness: Even if IV repeats, plaintext variability may provide an extra layer of defense
– Ciphertext stealing avoids overhead on variable-length packets
• CBC-MAC, modified for variable-length packets
– Small 4-byte MAC trades off security for performance; the good news is that low-bandwidth radio limits chosen-ciphertext attacks
– Can replace the application CRC checksum; saves overhead
• On-the-fly crypto: overlap computation with I/O
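Why CBC-MAC has to be modified for variable-length packets, shown as an added example that is not from the original slides or the TinySec code: with zero padding, plain CBC-MAC gives a packet and the same packet with a trailing zero byte the same tag, while absorbing the length first separates them. XTEA stands in for Skipjack (same 64-bit block), length-prefixing is one standard fix and not necessarily TinySec's exact construction, and the key and packet bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* XTEA, a 64-bit block cipher standing in for Skipjack (assumption of this example). */
static void xtea(const uint32_t k[4], uint8_t b[8]) {
    uint32_t v0 = 0, v1 = 0, sum = 0;
    for (int i = 0; i < 4; i++) { v0 = v0 << 8 | b[i]; v1 = v1 << 8 | b[4 + i]; }
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += 0x9E3779B9u;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    for (int i = 3; i >= 0; i--) { b[i] = (uint8_t)v0; b[4 + i] = (uint8_t)v1; v0 >>= 8; v1 >>= 8; }
}

/* One CBC-MAC step: XOR up to 8 bytes into the state (a short block is zero padded), encrypt. */
static void absorb(const uint32_t k[4], uint8_t st[8], const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) st[i] ^= p[i];
    xtea(k, st);
}

/* 8-byte CBC-MAC. bind_len = 0 is the fixed-length textbook form; bind_len = 1
   absorbs the length as a first block, so packets of different length get unrelated tags. */
void cbc_mac(const uint32_t k[4], const uint8_t *m, size_t len, int bind_len, uint8_t tag[8]) {
    uint8_t l = (uint8_t)len;
    memset(tag, 0, 8);
    if (bind_len) absorb(k, tag, &l, 1);
    for (size_t off = 0; off < len; off += 8)
        absorb(k, tag, m + off, len - off < 8 ? len - off : 8);
}

/* Receiver side: recompute the length-bound MAC, compare the 4 bytes carried in the packet. */
int verify4(const uint32_t k[4], const uint8_t *m, size_t len, const uint8_t tag4[4]) {
    uint8_t t[8], diff = 0;
    cbc_mac(k, m, len, 1, t);
    for (int i = 0; i < 4; i++) diff |= (uint8_t)(t[i] ^ tag4[i]);  /* no early exit */
    return diff == 0;
}

int main(void) {
    const uint32_t key[4] = {0x01234567u, 0x89abcdefu, 0x0f1e2d3cu, 0x4b5a6978u}; /* constructed */
    uint8_t pkt[3] = {0x17, 0x2a, 0x00}, a[8], b[8];               /* constructed payload */
    cbc_mac(key, pkt, 2, 0, a); cbc_mac(key, pkt, 3, 0, b);
    printf("plain: 2- and 3-byte packets share a tag: %d\n", memcmp(a, b, 8) == 0);
    cbc_mac(key, pkt, 2, 1, a); cbc_mac(key, pkt, 3, 1, b);
    printf("length-bound: tags differ: %d\n", memcmp(a, b, 8) != 0);
    return 0;
}
```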
More Tricks & Features
• Early rejection for packets destined elsewhere
– Stop listening & decrypting once we see dst addr ≠ us
• Support for mixed-mode networks
– Interoperable packet format with unencrypted packets, so network can carry both encrypted + unencrypted traffic
– Crypto only where needed ⇒ better performance
– Length field hack: steal 2 bits to distinguish between modes
• Support fine-grained mixed-mode usage of TinySec
– Add 3 settings: no crypto, integrity only, integrity+secrecy
– These come with performance tradeoffs
– Select between settings on per-application or per-packet basis
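How a receiver could act on the cleartext header for early rejection and mixed-mode dispatch, as an added example (not TinySec code). The encoding of the two stolen length bits, the function and enum names, and integrity-only frames carrying no IV are assumptions; the per-mode overheads follow the byte accounting on the packet-overhead slide.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed encoding: top 2 bits of the length byte select the mode, low 6 bits
   give the payload length. The slides say only that 2 bits are stolen. */
enum mode { MODE_NONE = 0, MODE_AUTH = 1, MODE_AUTH_ENC = 2, MODE_INVALID = 3 };
enum verdict { RX_ACCEPT, RX_NOT_FOR_US, RX_BAD_MODE, RX_POLICY };

#define BCAST_ADDR 0xFFFFu   /* TinyOS 1.x broadcast address */

/* Non-payload bytes per frame, following the packet-overhead slide:
   dest 2 + AM 1 + len 1 always; then group 1 + CRC 2, or MAC 4, or IV 4 + MAC 4.
   Integrity-only frames carrying no IV is an assumption. */
static int overhead(enum mode m) {
    switch (m) {
    case MODE_NONE:     return 4 + 1 + 2;
    case MODE_AUTH:     return 4 + 4;
    case MODE_AUTH_ENC: return 4 + 4 + 4;
    default:            return -1;
    }
}

/* Decide from the cleartext header whether to keep the radio listening.
   `required` is the weakest mode the receiving application accepts. The mode
   bits are not covered by any MAC in a cleartext frame, so the receiver
   enforces its own policy instead of trusting what the sender marked.
   On RX_ACCEPT, *frame_len is the total number of bytes to read. */
enum verdict rx_header(uint16_t dest, uint8_t len_byte, uint16_t self,
                       enum mode required, int *frame_len) {
    enum mode m = (enum mode)(len_byte >> 6);
    if (dest != self && dest != BCAST_ADDR) return RX_NOT_FOR_US; /* early rejection */
    if (m == MODE_INVALID) return RX_BAD_MODE;
    if (m < required) return RX_POLICY;   /* downgrade: weaker than the app allows */
    *frame_len = (len_byte & 0x3F) + overhead(m);
    return RX_ACCEPT;
}

int main(void) {
    int n = 0;
    uint8_t ae10 = (uint8_t)((MODE_AUTH_ENC << 6) | 10);   /* constructed header byte */
    enum verdict v = rx_header(7, ae10, 7, MODE_AUTH, &n);
    printf("to us, auth+enc: verdict %d, frame %d bytes\n", v, n);
    printf("other node:      verdict %d\n", rx_header(9, ae10, 7, MODE_AUTH, &n));
    printf("cleartext frame: verdict %d\n", rx_header(7, 10, 7, MODE_AUTH, &n));
    return 0;
}
```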
More Performance Tricks
• App-level API for end-to-end encryption
– TinySec focuses mainly on link-layer crypto, but end-to-end crypto also has value
– End-to-end secrecy enables performance optimizations (don’t decrypt & re-encrypt at every hop), enables more sophisticated per-node keying, but incompatible with in-network transformation and aggregation; thus, not always appropriate
– End-to-end integrity less clear-cut, due to DoS attacks
TinySec: Status
• Design + implementation stable
• Released in TinyOS 1.1
– Integration with RFM & Chipcon radio stacks; supports nesC 1.1
– Simple key management; should be transparent
• Widely used for research.
• Basis for much of the WSN security research.
TinySec Evaluation
Wins:
• Performance ok
• Integration seems truly easy
Neutral:
• Out of scope: per-node keying, re-keying, sophisticated key mgmt; PKI; secure link-layer ACKs
• No security against insider attacks; what if a node is captured, stolen, or compromised?
Losses:
• Not turned on by default in TinyOS.
• Not turned on in TinyOS 2.0…
AES128 Era
• Almost all IEEE 802.15.4 radios provide AES-128 in hardware
– except Atmel RF230
• Encryption and Authentication ON BY DEFAULT in AR TinyOS 2.0-based Primer Pack / IP
• Completely transparent under UDP/TCP over 6LoWPAN
• Simple network-wide key established through secure physical exchange at commissioning.
– Key transferred over wired USB
– Physical proximity and security
– Stored in config flash
AES128 Block Cypher
• KeyExpansion using Rijndael's key schedule
• Initial Round
– AddRoundKey
• Rounds
– SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
– ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
– MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
– AddRoundKey: each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.
• Final Round (no MixColumns)
– SubBytes
– ShiftRows
– AddRoundKey