SPINS: Security Protocols for Sensor Networks

1 SPINS: Security Protocols for Sensor Networks
Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J. D. Tygar
Department of Electrical Engineering and Computer Sciences, University of California, Berkeley

2 Agenda
Introduction to Sensor Network; Sensor Network Hardware and Requirements; SPINS Security Blocks; SNEP; μTESLA; Implementation; Evaluation; Applications; Conclusions

3 Introduction to Sensor Network

4 Introduction to Sensor Networks
What are Sensor Networks?
A wireless sensor network consists of a number of sensors spread across a geographical area. Each sensor has wireless communication capability and some level of intelligence for signal processing and networking of the data. Sensors monitor conditions such as temperature, motion, sound, pollution, pressure, chemical concentrations, vibrations and illumination.

5 Introduction to Sensor Networks
Sensor Network Applications

6

7 Introduction to Sensor Networks
Common Areas of Research
Lifetime maximization; robustness and fault tolerance; self-configuration; mobility (when sensor nodes or base stations are moving); security.

8 Sensor Network Hardware & Requirements

9 Sensor Network Hardware & Requirements
The Sensor Network Components
Nodes – small battery-powered devices.
Base Station – a more powerful device which provides the connection to an outside network.

10 Sensor Network Hardware & Requirements
The Sensor Network Limitations
The hardware constraints of the nodes make most of the known security protocols impractical. For example, the working memory of a sensor node is insufficient even to hold the variables that are required by asymmetric cryptographic algorithms, such as RSA or Diffie-Hellman. Existing broadcast authentication schemes are also impractical, as the communication overhead of existing protocols requires bytes per packet.

11 Sensor Network Hardware & Requirements
System Assumptions
The basic communication method is broadcast RF transmission. The sensor nodes establish a routing forest, with a base station at the root of each tree. The base station has capabilities similar to a node's, except that it has much more energy and much more memory space. Basic communication patterns are:
Base Station to Node (e.g. request from sensor)
Node to Base Station (e.g. sensor readings)
Base Station Broadcast (e.g. routing beacon)

12 Sensor Network Hardware & Requirements
Security Assumptions
Individual nodes might be compromised.
The base station is trusted by all nodes.
At creation, each node is given a secret master key which it shares with the base station.
Nodes and base station have a shared clock which is trusted to have a limited drift.

13 Sensor Network Hardware & Requirements
Security Requirements
Data Confidentiality – eavesdroppers should not be able to read the message content.
Semantic Security – protection against an eavesdropper who obtains plaintext-ciphertext pairs.
Data Authentication – verifying that the message originated from the claimed source.
Data Integrity – knowing the information has not been tampered with by an adversary.
Data Freshness – knowing the data is ’fresh’.
Weak Freshness – message ordering.
Strong Freshness – knowing a message was received in response to a message sent earlier.

14 SPINS – Secure Protocol for Sensor Networks

15 SPINS – Secure Protocol for Sensor Networks
SPINS Building Blocks
SPINS is built out of 2 main building blocks – SNEP and μTESLA.
SNEP – provides data confidentiality, two-party data authentication, integrity and freshness.
μTESLA – provides authentication for data broadcast.

16 SPINS – Secure Protocol for Sensor Networks
Notations
A, B – the communicating nodes
N_A – a random bit string generated by A
M1 | M2 – the concatenation of messages M1 and M2
K_AB – a symmetric secret key shared by A and B
{M}_{K_AB} – message M encrypted with key K_AB
{M}_{K_AB, IV} – message M encrypted with key K_AB and the initialization vector IV

17 SPINS – Secure Protocol for Sensor Networks
SNEP – Message Format
K_encr, K_mac are derived from the shared master key.
C – a counter value, which is shared by both sides (but not transmitted). The value of C is incremented after each block.
MAC – Message Authentication Code.

18 SPINS – Secure Protocol for Sensor Networks
SNEP – What did we achieve?
Data Authentication – the MAC ensures the message is authentic.
Semantic Security – achieved by the use of the counter value, which is long enough not to be repeated in a lifetime.
Replay Protection – achieved by using the counter.
Weak Freshness – using the counter value, messages can be ordered.
Overhead is only 8 bytes per message.

19 SPINS – Secure Protocol for Sensor Networks
SNEP – Achieving Strong Freshness
In this format, we also achieve strong freshness. Note that the value of N_A is not sent as part of the message data; rather, it is only used in the MAC calculation.

20 SPINS – Secure Protocol for Sensor Networks
μTESLA – Authenticated Broadcast
Authenticating a broadcast using a symmetric key is problematic. Assuming an individual node can be compromised, if a ‘rogue’ node knows the symmetric key used to authenticate the broadcast messages, it can impersonate the broadcast source. Most broadcast authentication proposals are impractical for our resource-limited network, either because they use long asymmetric digital signatures or because they require too much computational overhead. μTESLA achieves broadcast authentication with symmetric primitives, with asymmetry achieved through time-delayed release of keys.

21 SPINS – Secure Protocol for Sensor Networks
μTESLA – Protocol Overview
Time is divided into intervals, which are known to all parties. Recall that one of the system assumptions is that the nodes and the base station have a common clock which is synchronized (with a limited drift). The sender (the base station) sends packets which are signed with a MAC key that is not yet known to the receivers at the time they receive the message. The receiving node stores the packets. In a later time interval, the sender sends the MAC key for a previous time interval, and the receiver is then able to authenticate the MAC on the packet.

22 SPINS – Secure Protocol for Sensor Networks
μTESLA – Protocol Overview (Cont.)
Each MAC key is a key of a key chain which is generated using a one-way function. The sender randomly generates the key K_n (the key for time interval n). The key chain is generated as follows: K_i = F(K_{i+1}). Note that a node which receives K_i cannot compute K_{i+1}, due to the nature of the one-way function. However, it can easily verify the correctness of K_{i+1} when it is received by testing that K_i = F(K_{i+1}).

23 SPINS – Secure Protocol for Sensor Networks
μTESLA – Example
We assume K_0 is known in an authenticated way and serves as the commitment to the key chain. Messages P1 and P2 are signed using K_1, P3 is signed using K_2, and so on. Assuming a two-interval delay, at time interval 3 the sender will reveal MAC key K_1. The node will then be able to verify that K_0 = F(K_1), and verify the messages.
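The key chain and delayed key disclosure described on slides 21 to 23, as an added example that is not code from the presentation or the SPINS authors. SHA-256 and HMAC-SHA256 stand in for the one-way function and the MAC, the class and function names are hypothetical, and clock drift is ignored.

```python
import hashlib, hmac

def F(key: bytes) -> bytes:
    return hashlib.sha256(key).digest()  # one-way function (this example's choice)

def make_chain(k_n: bytes, n: int) -> list:
    # Sender setup: start from K_n and apply K_i = F(K_{i+1}); chain[i] is K_i.
    chain = [k_n]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, commitment: bytes, delay: int):
        self.k, self.i = commitment, 0  # last authenticated key K_i and its index
        self.delay = delay              # K_j is disclosed in interval j + delay
        self.pending = []               # buffered (interval, message, tag)

    def on_packet(self, interval: int, msg: bytes, tag: bytes, now: int) -> bool:
        # Buffer only while the key for this interval cannot have been disclosed.
        if now >= interval + self.delay:
            return False
        self.pending.append((interval, msg, tag))
        return True

    def on_key(self, j: int, k_j: bytes) -> list:
        keys, probe = {}, k_j
        for idx in range(j, self.i, -1):  # recover K_j ... K_{i+1} by hashing back
            keys[idx] = probe
            probe = F(probe)
        if j <= self.i or not hmac.compare_digest(probe, self.k):
            return []                     # stale or forged key: authenticate nothing
        self.k, self.i = k_j, j
        ok = [m for iv, m, t in self.pending
              if iv in keys and hmac.compare_digest(mac(keys[iv], m), t)]
        self.pending = [p for p in self.pending if p[0] > j]
        return ok

def demo():
    chain = make_chain(b"constructed-K_n", 4)  # constructed sample secret
    rx = Receiver(commitment=chain[0], delay=2)
    rx.on_packet(1, b"P1", mac(chain[1], b"P1"), now=1)
    rx.on_packet(1, b"P2", mac(chain[1], b"P2"), now=2)
    rx.on_packet(1, b"forged", mac(b"guessed-key", b"forged"), now=2)
    late = rx.on_packet(1, b"P-late", mac(chain[1], b"P-late"), now=3)
    return rx.on_key(1, chain[1]), late, rx.on_key(2, b"\x00" * 32)
```

Because `on_key` hashes back to the last authenticated key, a receiver that misses one disclosure can still authenticate the buffered packets of the skipped interval when a later key arrives.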

24 SPINS – Secure Protocol for Sensor Networks
μTESLA – More Detailed
Sender setup – the sender needs to generate K_n, then compute and store the keys of the key chain using a one-way function (for example, MD5).
Bootstrapping a new receiver means the receiver needs to know one authentic key of the key chain. Using this key, it will later be able to authenticate all subsequent keys in the chain.
Time synchronization can be achieved as follows:

25 SPINS Implementation

26 SPINS Implementation
Block Cipher
Due to the limited program store, all cryptographic primitives are derived from a single block cipher. Due to the stringent resource constraints, many known block cipher algorithms (like AES and DES) are inapplicable. RC5 was chosen due to its small code size and high efficiency. Still, the common RC5 libraries are too large to fit into the platform. A lighter version with reduced functionality provided a 40% code size reduction.

27 SPINS Implementation
Encryption Function
The block cipher was chosen to work in counter mode (CTR). The major benefits are that the counter provides semantic security, and that this mode does not require padding for messages of varying length.

28 SPINS Implementation
MAC Creation
The MAC is produced using the CBC-MAC block cipher mode.

29 SPINS Implementation
Random Number Generation and Key Setup
Random numbers are generated using the MAC in the following way: N_A = MAC(K_rand, C). As mentioned before, all keys are derived from a master key that the node and the base station share. This is also done using the MAC function: F_k(x) = MAC(MasterKey, x).
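SNEP as described on slides 17 to 19, combined with the counter-mode encryption and MAC-based key derivation from slides 27 to 29, as an added example that is not code from the presentation or the SPINS authors. The slide's message-format figure is not on this page, so the layout used here (ciphertext plus an 8-byte MAC over the counter and ciphertext) follows the published SPINS paper; HMAC-SHA256 replaces the RC5-based primitives, and the class name and key labels are hypothetical.

```python
import hashlib, hmac

def prf(key: bytes, data: bytes) -> bytes:
    # Stand-in for the RC5-based MAC in the slides (assumption of this example).
    return hmac.new(key, data, hashlib.sha256).digest()

def ctr_xor(k_encr: bytes, counter: int, data: bytes) -> bytes:
    # Counter mode: keystream block j = PRF(K_encr, C | j); no padding needed.
    out = bytearray()
    for j in range(0, len(data), 32):
        pad = prf(k_encr, counter.to_bytes(8, "big") + j.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[j:j + 32], pad))
    return bytes(out)

class SnepEnd:
    """One direction only: sharing key and counter both ways would reuse keystream."""
    def __init__(self, master: bytes):
        # F_k(x) = MAC(MasterKey, x); the labels b"encr" and b"mac" are constructed.
        self.k_encr, self.k_mac = prf(master, b"encr"), prf(master, b"mac")
        self.c = 0  # shared counter C, kept in sync on both sides, never transmitted

    def _tag(self, e: bytes, nonce: bytes) -> bytes:
        # 8-byte MAC over (N_A |) C | ciphertext; N_A is not sent with the data.
        return prf(self.k_mac, nonce + self.c.to_bytes(8, "big") + e)[:8]

    def send(self, data: bytes, nonce: bytes = b""):
        e = ctr_xor(self.k_encr, self.c, data)
        tag = self._tag(e, nonce)
        self.c += 1
        return e, tag

    def recv(self, e: bytes, tag: bytes, nonce: bytes = b""):
        if not hmac.compare_digest(self._tag(e, nonce), tag):
            return None  # forged, replayed, or bound to a different nonce
        data = ctr_xor(self.k_encr, self.c, e)
        self.c += 1
        return data

def demo():
    master = b"constructed-master-key"  # constructed sample value
    node, base = SnepEnd(master), SnepEnd(master)
    e1, t1 = node.send(b"temp=21")
    e2, t2 = node.send(b"temp=21")
    first, replay, second = base.recv(e1, t1), base.recv(e1, t1), base.recv(e2, t2)
    e3, t3 = node.send(b"ack", nonce=b"constructed-N_A")
    stale = base.recv(e3, t3, nonce=b"some-other-nonce")
    fresh = base.recv(e3, t3, nonce=b"constructed-N_A")
    return e1 != e2, first, replay, second, stale, fresh
```

The two identical readings encrypt to different ciphertexts, the replayed first message fails the MAC check because the receiver's counter has advanced, and the reply is accepted only under the nonce the receiver issued.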

30 SPINS Evaluation

31 SPINS Evaluation Code Size

32 SPINS Evaluation Energy Cost

33 SPINS Applications

34 SPINS Applications
Ad-Hoc Routing Protocol
The basic idea is to send periodic beacons. A node which hears the beacon from the base station forwards the beacon to other nodes. The key disclosure messages used in μTESLA can serve as the beacon from the base station. Late key disclosure and key authentication can verify that no attacker injected false messages into the network.

35 SPINS Applications
Node to Node Key Agreement
Note that this protocol uses the strong freshness mechanism. Another nice feature is that most of the communication is done by the base station and not by the nodes.

36 Conclusion

37 Conclusion
The article suggests that security for sensor networks is feasible even when using an extremely limited sensor platform. There are still several issues which are not addressed by the suggested protocol, such as denial-of-service attacks.

38 Questions?

39

