Presentation is loading. Please wait.

Presentation is loading. Please wait.

TinySec: Security for TinyOS Chris Karlof Naveen Sastry David Wagner January 15, 2003

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "TinySec: Security for TinyOS Chris Karlof Naveen Sastry David Wagner January 15, 2003"— Presentation transcript:

1 TinySec: Security for TinyOS Chris Karlof Naveen Sastry David Wagner January 15, 2003 http://www.cs.berkeley.edu/~nks/tinysec

2 Security Risks in Wireless Sensory Networks Eavesdropping –Confidentiality Packet Injection –Access control –Integrity Jamming Replay Denial of Service Adversary TinySec K K K K

3 TinySec Architectural Features Single shared global cryptographic key Link layer encryption and integrity protection  transparent to applications –New radio stack based on original Cryptography based on a block cipher KKK

4 Prior Wireless Security Schemes Sensor networks have tighter resource requirements Both 802.11 & GSM use stream ciphers –Tricky to use correctly –Designed by non-cryptographers, in a committee 802.11b / WEPWeaknesses found GSMWeaknesses found IP /IPSECStill secure

5 TinySec Summary Security properties –Access control –Integrity –Confidentiality Performance –5 bytes / packet overhead –Peak bandwidth (8 bytes data): 25 packets/sec vs. 40 packets/sec (TinySec) (MHSR)

6 Block Ciphers Pseudorandom permutation (invertible) –DES, RC5, Skipjack, AES –Maps n bits of plaintext to n bits of ciphertext Used to build encryption schemes and message authentication codes (MAC)

7 Packet Format dest AM IV length dataMAC 21414 Encrypted MAC’ed Key Differences No CRC -2 bytes No group ID -1 bytes MAC +4 bytes IV +4 bytes Total: +5 bytes

8 TinySec Interfaces MHSRTinySecM TinySecM CBC-ModeM RC5M CBC-MACM TinySec –TinySecM: bridges radio stack and crypto libraries BlockCipher –3 Implementations: RC5M, SkipJackM, IdentityCipher (SRI has implemented AES) BlockCipherMode –CBCModeM: handles cipher text stealing No length expansion when encrypting data MAC –CBCMACM: computes message authentication code using CBC

9 Security Analysis Access control and integrity –Probability of blind MAC forgery 1/2 32 –Replay protection not provided, but can be done better at higher layers Confidentiality – Reused IVs can leak information –IV reuse will occur after 2 16 messages from each node [1 msg / min for 45 days] –Solutions increase IV length  adds packet overhead key update protocol  adds complexity –Applications have different confidentiality requirements Need a mechanism to easily quantify and configure confidentiality guarantees –Applications may provide IVs implicitly Apps may be able to guarantee sufficient variability in their messages (eg through timestamps)

10 Cipher Performance ImplementationBlock Operation Time (cycles) Block Operation Time (ms) RC5C only~5750 +1.70 ms RC5SPINS: C + asm~2775 avg0.75 ms SkipJackTinySec: C only~25000.70 ms RC5TinySec: C + asm~1775 avg0.50 ms 2 block cipher operations per block, which take 1.0 ms/block For comparison, takes an ~4.8 ms to send one block over radio Encryption and MAC can be overlapped with transmission/reception

11 Discussion Short packets have more overhead –Min data size is 8 bytes (size of block cipher) –Packet length not affected for more than 8 bytes of data Acknowledgments can be authenticated with no extra work or overhead –1/256 chance of forgery Group ID no longer supported

12 Usage: How does this change my life? Need to be aware of keys & keyfile –Currently, keys part of program, not intrinsic to mote (similar to moteID) –Plan to use EEPROM to tie key to mote –Makerules generates a keyfile if none exists and then uses it for programming all motes; –Keyfiles resides in user’s home directory. Manual transfer needed to install motes from different computers. Only application level code change: –Just use SecureGenericComm instead of GenericComm Works in simulator Who is using it? –Pursuer-Evader demo –Bosch

13 Conclusions TinySec can provide transparent security for applications –Access control –Integrity –Confidentiality Problems not addressed: –Jamming –Node or key compromise –Replay –Denial of service Future work –Performance improvements –Finer granularity key management –Replay protection

14 Extra slides

15 Symmetric key encryption Confidentiality achieved by encryption Encryption schemes (modes) can be built using block ciphers –CBC-mode: break a m bit message into 64 bit chunks (m 1,m 2,..) –Transmit (c 1, c 2, …) and iv iv m2m2 m1m1 c1c1 c2c2 EkEk EkEk EkEk CBC-Mode iv is needed to achieve semantic security –A message looks different every time it is encrypted –iv reuse may leak information

16 Message Authentication Codes Encryption is not enough to ensure message integrity –Receiver cannot detect changes in the ciphertext –Resulting plaintext will still be valid Integrity achieved by a message authentication code –A t bit cryptographic checksum with a k bit key from an m bit message –Can detect both malicious changes and random errors –Replaces CRC –Can be built using a block cipher –MAC key should be different than encryption key length m2m2 m1m1 MAC EkEk EkEk EkEk CBC-MAC Mode

Download ppt "TinySec: Security for TinyOS Chris Karlof Naveen Sastry David Wagner January 15, 2003"

Similar presentations

TinySec: Security for TinyOS C. Karlof, N. Sastry, D. Wagner November 20, 2002.

TinySec: Security for TinyOS C. Karlof, N. Sastry, D. Wagner November 20, 2002.
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
TinySec: A Link Layer Security Architecture for Wireless Sensor Networks C. Karlof, N. Sastry, D. Wagner SPINS: Security Protocol for Sensor Networks A.

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks C. Karlof, N. Sastry, D. Wagner SPINS: Security Protocol for Sensor Networks A.
TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Seetha Manickam.

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Seetha Manickam.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.

1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.
TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastry, David Wagner SenSys 2004.

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastry, David Wagner SenSys 2004.
1 TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastry, David Wagner Presented by Paul Ruggieri.

1 TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastry, David Wagner Presented by Paul Ruggieri.
Privacy and Security in Embedded Sensor Networks Daniel Turner 11/18/08 CSE237a.

Privacy and Security in Embedded Sensor Networks Daniel Turner 11/18/08 CSE237a.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.

SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.
TinySec: Link Layer Security Chris Karlof, Naveen Sastry, David Wagner University of California, Berkeley Presenter: Todd Fielder.

TinySec: Link Layer Security Chris Karlof, Naveen Sastry, David Wagner University of California, Berkeley Presenter: Todd Fielder.

Similar presentations

Ads by Google