TinySec: Security for TinyOS Chris Karlof Naveen Sastry David Wagner January 15, 2003

Slides:

Advertisements

Similar presentations

TinySec: Security for TinyOS C. Karlof, N. Sastry, D. Wagner November 20, 2002.

Advertisements

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks C. Karlof, N. Sastry, D. Wagner SPINS: Security Protocol for Sensor Networks A.

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Seetha Manickam.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.

Wired Equivalent Privacy (WEP)

1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastry, David Wagner SenSys 2004.

1 TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastry, David Wagner Presented by Paul Ruggieri.

Privacy and Security in Embedded Sensor Networks Daniel Turner 11/18/08 CSE237a.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

IEEE Wireless Local Area Networks (WLAN’s).

Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.

TinySec: Link Layer Security Chris Karlof, Naveen Sastry, David Wagner University of California, Berkeley Presenter: Todd Fielder.

SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.

TinySec: Performance Characteristics Chris K :: Naveen S :: David W January 16, 2004.

Lecture 23 Symmetric Encryption

Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.

KAIS T A lightweight secure protocol for wireless sensor networks 윤주범 ELSEVIER Mar

Security Considerations for IEEE Networks Karthikeyan Mahadevan.

1 TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Hai Yan Computer Science & Engineering University of Connecticut.

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks – Chris Karlof, Naveen Sastry & David Wagner Dr. Xiuzhen Cheng Department of Computer.

SENSOR NETWORK SECURITY Group Members Pardeep Kumar Md. Iftekhar Salam Ahmed Galib Reza 1 Presented by: Iftekhar Salam 1.

COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.

Chapter 20 Symmetric Encryption and Message Confidentiality.

Intercepting Mobile Communications: The Insecurity of Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero-Knowledge Sys UC Berkeley Presented.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

NSRI1 Security of Wireless LAN ’ Seongtaek Chee (NSRI)

Chapter 4 Application Level Security in Cellular Networks.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

WEP Protocol Weaknesses and Vulnerabilities

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

Network Security David Lazăr.

Security for Sensor Networks: Cryptography and Beyond David Wagner University of California at Berkeley In collaboration with: Chris Karlof, David Molnar,

Sensor Network Security: Survey Team Members Pardeep Kumar Md. Iftekhar Salam Ah. Galib Reza 110/28/2015.

Security on Sensor Networks Presented by Min-gyu Cho SPINS: Security Protocol for Sensor Networks TinySec: Security for TinyOS SPINS: Security Protocol.

Shambhu Upadhyaya Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)

Security in WSN Vinod Kulathumani West Virginia University.

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof :: Naveen Sastry :: David Wagner Presented by Roh, Yohan October.

TinySec : Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof :: Naveen Sastry :: David Wagner Presented by Anil Karamchandani 10/01/2007.

TinySec: Performance Characteristics Chris K :: Naveen S :: David W January 16, 2004.

Intercepting Mobiles Communications: The Insecurity of ► Paper by Borisov, Goldberg, Wagner – Berkley – MobiCom 2001 ► Lecture by Danny Bickson.

Computer Science 1 TinySeRSync: Secure and Resilient Time Synchronization in Wireless Sensor Networks Speaker: Sangwon Hyun Acknowledgement: Slides were.

WEP – Wireless Encryption Protocol A. Gabriel W. Daleson CS 610 – Advanced Security Portland State University.

Lecture 23 Symmetric Encryption

Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.

Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Seetha Manickam Modified by Sarjana Singh.

1 Symmetric-Key Encryption CSE 5351: Introduction to Cryptography Reading assignment: Chapter 2 Chapter 3 (sections ) You may skip proofs, but are.

802.11b Security CSEP 590 TU Osama Mazahir. Introduction Packets are sent out into the air for anyone to receive Eavesdropping is a much larger concern.

Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.

WLAN Security1 Security of WLAN Máté Szalay

International Conference Security in Pervasive Computing(SPC’06) MMC Lab. 임동혁.

Security Review Q&A Session May 1. Outline  Class 1 Security Overview  Class 2 Security Introduction  Class 3 Advanced Security Constructions  Class.

MiniSec: A Secure Sensor Network Communication Architecture Carnegie Mellon UniversityUniversity of Maryland at College Park Mark Luk, Ghita Mezzour, Adrian.

EECS  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

@Yuan Xue Case Study (Mid-term question) Bob sells BatLab Software License Alice buys BatLab Credit card information Number of.

@Yuan Xue 285: Network Security CS 285 Network Security Message Authentication Code Data integrity + Source authentication.

TinySec: Security for TinyOS

Wireless Security Ian Bodley.

CSE 4905 WiFi Security I WEP (Wired Equivalent Privacy)

Security Of Wireless Sensor Networks

Security of Wireless Sensor Networks

Presentation transcript:

TinySec: Security for TinyOS Chris Karlof Naveen Sastry David Wagner January 15,

Security Risks in Wireless Sensory Networks Eavesdropping –Confidentiality Packet Injection –Access control –Integrity Jamming Replay Denial of Service Adversary TinySec K K K K

TinySec Architectural Features Single shared global cryptographic key Link layer encryption and integrity protection  transparent to applications –New radio stack based on original Cryptography based on a block cipher KKK

Prior Wireless Security Schemes Sensor networks have tighter resource requirements Both & GSM use stream ciphers –Tricky to use correctly –Designed by non-cryptographers, in a committee b / WEPWeaknesses found GSMWeaknesses found IP /IPSECStill secure

TinySec Summary Security properties –Access control –Integrity –Confidentiality Performance –5 bytes / packet overhead –Peak bandwidth (8 bytes data): 25 packets/sec vs. 40 packets/sec (TinySec) (MHSR)

Block Ciphers Pseudorandom permutation (invertible) –DES, RC5, Skipjack, AES –Maps n bits of plaintext to n bits of ciphertext Used to build encryption schemes and message authentication codes (MAC)

Packet Format dest AM IV length dataMAC Encrypted MAC’ed Key Differences No CRC -2 bytes No group ID -1 bytes MAC +4 bytes IV +4 bytes Total: +5 bytes

TinySec Interfaces MHSRTinySecM TinySecM CBC-ModeM RC5M CBC-MACM TinySec –TinySecM: bridges radio stack and crypto libraries BlockCipher –3 Implementations: RC5M, SkipJackM, IdentityCipher (SRI has implemented AES) BlockCipherMode –CBCModeM: handles cipher text stealing No length expansion when encrypting data MAC –CBCMACM: computes message authentication code using CBC

Security Analysis Access control and integrity –Probability of blind MAC forgery 1/2 32 –Replay protection not provided, but can be done better at higher layers Confidentiality – Reused IVs can leak information –IV reuse will occur after 2 16 messages from each node [1 msg / min for 45 days] –Solutions increase IV length  adds packet overhead key update protocol  adds complexity –Applications have different confidentiality requirements Need a mechanism to easily quantify and configure confidentiality guarantees –Applications may provide IVs implicitly Apps may be able to guarantee sufficient variability in their messages (eg through timestamps)

Cipher Performance ImplementationBlock Operation Time (cycles) Block Operation Time (ms) RC5C only~ ms RC5SPINS: C + asm~2775 avg0.75 ms SkipJackTinySec: C only~ ms RC5TinySec: C + asm~1775 avg0.50 ms 2 block cipher operations per block, which take 1.0 ms/block For comparison, takes an ~4.8 ms to send one block over radio Encryption and MAC can be overlapped with transmission/reception

Discussion Short packets have more overhead –Min data size is 8 bytes (size of block cipher) –Packet length not affected for more than 8 bytes of data Acknowledgments can be authenticated with no extra work or overhead –1/256 chance of forgery Group ID no longer supported

Usage: How does this change my life? Need to be aware of keys & keyfile –Currently, keys part of program, not intrinsic to mote (similar to moteID) –Plan to use EEPROM to tie key to mote –Makerules generates a keyfile if none exists and then uses it for programming all motes; –Keyfiles resides in user’s home directory. Manual transfer needed to install motes from different computers. Only application level code change: –Just use SecureGenericComm instead of GenericComm Works in simulator Who is using it? –Pursuer-Evader demo –Bosch

Conclusions TinySec can provide transparent security for applications –Access control –Integrity –Confidentiality Problems not addressed: –Jamming –Node or key compromise –Replay –Denial of service Future work –Performance improvements –Finer granularity key management –Replay protection

Extra slides

Symmetric key encryption Confidentiality achieved by encryption Encryption schemes (modes) can be built using block ciphers –CBC-mode: break a m bit message into 64 bit chunks (m 1,m 2,..) –Transmit (c 1, c 2, …) and iv iv m2m2 m1m1 c1c1 c2c2 EkEk EkEk EkEk CBC-Mode iv is needed to achieve semantic security –A message looks different every time it is encrypted –iv reuse may leak information

Message Authentication Codes Encryption is not enough to ensure message integrity –Receiver cannot detect changes in the ciphertext –Resulting plaintext will still be valid Integrity achieved by a message authentication code –A t bit cryptographic checksum with a k bit key from an m bit message –Can detect both malicious changes and random errors –Replaces CRC –Can be built using a block cipher –MAC key should be different than encryption key length m2m2 m1m1 MAC EkEk EkEk EkEk CBC-MAC Mode