TinySec: A Link Layer Security Architecture for Wireless Sensor ...

TinySec: A Link Layer
Security Architecture for
Wireless Sensor Networks
Chris Karlof, Naveen Sastr,
David Wagner
Presented By: Tristan Brown

Outline
• Motivation
• Cryptography Overview
• TinySec Design
• Implementation and Evaluation
• Results

Motivation
• Need a secure communications
platform for sensor networks
– Data is broadcast for all to hear.
– Sensor network nodes have severely
limited resources.
– Can’t use existing architectures designed
for powerful devices.

Cryptography Overview
• Why use crypto
• Provide probabilistic guarantees about
messages sent/received on the
network.
– Access control/message integrity
– Confidentiality
– Replay Protection

Access Control/Message
Integrity
• Ensure only authorized senders are
allowed to send messages.
• Ensure messages are unmodified after
transmission.
• Can achieve both with a Message
Authentication Code (MAC).

Message Authentication
Codes
• Essentially a keyed checksum of the
message
• Access Control: Cannot compute MAC
without the key.
• Message Integrity: Any change to the
message invalidates the MAC.

Confidentiality
• Keep message content from
unauthorized viewers.
• Semantic security: ideally should
prevent adversary from learning
anything about the encrypted message.
• Achieved by message encryption with
an Initialization Vector (IV)

Initialization Vector
• Plaintext prefix to the encrypted
message
• Used to add variation to otherwise
identical messages
– Without, identical messages would encrypt
identically, violating semantic security.

Replay Protection
• Prevent a legitimate message from
being resent later.
• Can be achieved by a monotonically
increasing message counter.
• Not addressed by TinySec; authors
believe higher layer protocols should
handle this.

TinySec Design
• Unsuitability of existing schemes
requires a new design
– High level protocols like SSL or IPSEC are
too heavyweight.
– Existing wireless security designs are still
too limiting
• Insecure (WEP)
• Incomplete (SNEP)

Two-teir design
• Based on the TinyOS Packet
• TinySec-Auth replaces the CRC and
group field with a MAC
• TinySec-AE adds encryption to
TinySec-Auth

Packet Format

MAC
• Protects the entire packet (except the
MAC itself).
• Uses CBC-MAC with packet length
XORed with the first block.
• Store 4 bytes of the result.

MAC
• Is 4 bytes secure
– Requires 2 31 tries on average to brute force
a single message.
– Given a 20kbps channel would take 20
months; far longer than a node lifetime.
– Numerous MAC failures would give away
the attacker.

MAC
• Remove the CRC and group field to
make room for the MAC.
– Groups can be created by using different
keys for the CBC.
– MAC provides integrity protection making
the CRC redundant
– Result: MAC increases packet size by only
1 byte.

Encryption
• Two components
– Initialization Vector
– Cipher
• Encrypt only the message
– Allows nodes to perform early rejection
based on AM.

Initialization Vector
• 8 byte IV
– 4 bytes are taken from TinySec-Auth
header fields
– 2 bytes are source address
– 2 bytes are a simple counter
• Results in 4 byte packet size increase

Initialization Vector
• How secure is this
– Assuming all other header fields don’t
change, takes 2 16 packets to repeat an IV.
• At 1 packet/minute, will take 45 days to repeat
an IV
– Repeated IV leaks limited information (due
to cipher choice).
– If cipher is rekeyed, repeated IV isn’t a
problem.

Cipher
• What kind of cipher should be used
– Stream cipher
• Use key and IV to generate keystream, XOR
with data
• If IV is repeated, can recover XOR of plaintexts.
– Block Cipher (CBC)
• XOR first block with IV, encrypt
• For successive blocks XOR with prior
ciphertext and encrypt.

CBC
• In case of a repeated IV only leaks the
similarity of the first n identical blocks.
• Uses same cipher construct as CBC-
MAC (save on code space)
• Must not use same key for encryption
and CBC-MAC!

Keying
• Simple mechanism: use a single pair of keys
for all nodes
– Entire network vulnerable to a single-node exploit.
• Link keying: use separate keys for every pair
of nodes that communicates
– Key distribution is complex
• Group keying: Group nodes together, use
different keys for each group.

Implementation and
Evaluation
• Implemented for TinyOS on Mica
platform
• Used skipjack as the block cipher for
CBC/CBC-MAC
– Unencumbered by patents (unlike rc5)
– High performance and secure.
• Used single network-wide keypair for
simplicity.

Performance
• Small throughput drop/latency rise consistent with the
increased packet size
• No other noticeable difference (all computation can
be completed as the packet is transmitted/received)

Power Consumption

Results
• Mostly effective
authentication/encryption for sensor
network environment
– Reduced size IV/MAC offset by inability to
exploit the network without severely
impacting it (node death)
– Some assumptions might not hold in all
environments

Results
• Open Problems
– No keying mechanism (area of active
research)
– Security assumptions made based on node
lifetime; keys may outlive nodes.