
Security for Sensor Networks: Cryptography and Beyond David Wagner University of California at Berkeley In collaboration with: Chris Karlof, David Molnar,

Presentation transcript:

1 Security for Sensor Networks: Cryptography and Beyond David Wagner University of California at Berkeley In collaboration with: Chris Karlof, David Molnar, Naveen Sastry, Umesh Shankar

2 Learn From History…
Cellphones (timeline 1980, 1990, 2000): analog cellphones: AMPS; analog cloning, scanners → fraud pervasive & costly; digital: TDMA, GSM; TDMA eavesdropping [Bar]; more TDMA flaws [WSK]; GSM cloneable [BGW]; GSM eavesdropping [BSW, BGW]; Future: 3rd gen.: 3GPP, …
Wireless networks (timeline 1999 to 2003): 802.11, WEP; WEP broken [BGW]; WEP badly broken [FMS]; WPA; Future: 802.11i; → attacks pervasive
Sensor networks (timeline 2002, 2003): Berkeley motes; TinyOS 1.0; TinyOS 1.1, TinySec
Let’s get it right the first time!

3 Sensor Nets: So What? What’s different about sensor nets? Stringent resource constraints Insecure wireless networks No physical security Interaction with the physical environment [Slide annotations: Back to the 90’s, New, Back to the 70’s]

4 Where Are We Going? Some research challenges in sensor net security: Securing the communication link Securing distributed services Tolerating captured nodes In this talk: Techniques and thoughts on these problems. → Cryptography and beyond

5 I. Communications Security: The TinySec Architecture “It doesn’t matter how good your crypto is if it is never used.”

9 TinySec Design Philosophy The lesson from 802.11: Build crypto-security in, and turn it on by default! TinySec Design Goals: 1. Encryption turned on by default 2. Encryption turned on by default 3. Encryption turned on by default → Usage must be transparent and intuitive → Performance must be reasonable 4. As much security as we can get, within these constraints

10 Challenges Must avoid complex key management TinySec must be super-easy to deploy Crypto must run on wimpy devices We’re not talking 2GHz P4’s here! Dinky CPU (1-4 MHz), little RAM (  256 bytes), lousy battery Public-key cryptography is right out Need to minimize packet overhead Radio is very power-intensive: 1 bit transmitted  1000 CPU ops TinyOS packets are  28 bytes long Can’t afford to throw around a 128-bit IV here, a 128-bit MAC there

11 Easy Key Management Making key management easy: global shared keys [Figure: network and base station, with the key label k repeated across the network]

12 Be Easy to Deploy Making deployment easy: plug-n-play crypto + link-layer security [Figure: two component stacks, labelled SecureGenericComm, App, Radio and GenericComm, App, Radio]

13 Perform Well on Tiny Devices Use a block cipher for both encryption & authentication Skipjack is good for 8-bit devices; low RAM overhead [Figure: component diagram with labels Radio Stack [MicaHighSpeedRadioM / CC1000RadioIntM], TinySecM, CBC-ModeM, SkipJackM, CBC-MACM]

14 Minimize Packet Overhead Minimize overhead: cannibalize, cheat, steal
Packet format (field sizes in bytes): dest (2), AM (1), IV (4), len (1), data, MAC (4). Figure annotations: Encrypted, MAC’ed.
Key Differences: No CRC: -2 bytes; No group ID: -1 bytes; MAC: +4 bytes; IV: +4 bytes; Total: +5 bytes

15 Tricks for Low Overhead CBC mode encryption, with encrypted IV Allows flexible IV formatting: 4 byte counter, + cleartext hdr fields (dest, AM type, length); gets the most bang for your birthday buck IV robustness: Even if IV repeats, plaintext variability may provide an extra layer of defense Ciphertext stealing avoids overhead on variable-length packets CBC-MAC, modified for variable-length packets Small 4-byte MAC trades off security for performance; the good news is that low-bandwidth radio limits chosen-ciphertext attacks Can replace the application CRC checksum; saves overhead On-the-fly crypto: overlap computation with I/O

16 More Tricks & Features Early rejection for packets destined elsewhere Stop listening & decrypting once we see dst addr ≠ us Support for mixed-mode networks Interoperable packet format with unencrypted packets, so network can carry both encrypted + unencrypted traffic Crypto only where needed → better performance Length field hack: steal 2 bits to distinguish between modes Support fine-grained mixed-mode usage of TinySec Add 3 settings: no crypto, integrity only, integrity+secrecy These come with performance tradeoffs Select between settings on per-application or per-packet basis
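
An added example (not from the slides or the TinySec code base) of the integrity-only path described on slides 14 to 16: it builds the dest|AM|IV|len|data|MAC packet, computes a 4-byte CBC-MAC with the packet length bound into the first block, and rejects packets addressed to other nodes before any cipher call. XTEA stands in for Skipjack to keep the block short; the length-prepending variant of CBC-MAC, the 28-byte payload cap and the names `ts_seal` and `ts_open` are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
/* dest(2) AM(1) IV(4) len(1) header and 4-byte MAC per the slides; payload cap assumed. */
enum { HDR_LEN = 8, MAC_LEN = 4, MAX_DATA = 28, TS_NOT_FOR_US = -1, TS_BAD_MAC = -2 };

/* Stand-in 64-bit block cipher (XTEA, host byte order); TinySec uses Skipjack. */
static void xtea_encrypt(const uint32_t k[4], uint8_t b[8]) {
    uint32_t v0, v1, sum = 0;
    memcpy(&v0, b, 4); memcpy(&v1, b + 4, 4);
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += 0x9E3779B9u;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    memcpy(b, &v0, 4); memcpy(b + 4, &v1, 4);
}

/* CBC-MAC with the length as first block (safe for variable-length input), truncated. */
static void cbc_mac4(const uint32_t k[4], const uint8_t *m, size_t n, uint8_t mac[MAC_LEN]) {
    uint8_t s[8] = { (uint8_t)n };
    xtea_encrypt(k, s);
    for (size_t off = 0; off < n; off += 8) {
        for (size_t j = 0; j < 8 && off + j < n; j++) s[j] ^= m[off + j]; /* zero pad */
        xtea_encrypt(k, s);
    }
    memcpy(mac, s, MAC_LEN);
}

/* Sender: writes dest|AM|IV|len|data|MAC to out; returns packet length, 0 on error. */
size_t ts_seal(const uint32_t k[4], uint16_t dest, uint8_t am, uint32_t ctr,
               const uint8_t *data, uint8_t len, uint8_t *out) {
    if (len > MAX_DATA) return 0;
    out[0] = (uint8_t)(dest >> 8); out[1] = (uint8_t)dest; out[2] = am; out[7] = len;
    for (int i = 0; i < 4; i++) out[3 + i] = (uint8_t)(ctr >> (24 - 8 * i)); /* counter IV */
    memcpy(out + HDR_LEN, data, len);
    cbc_mac4(k, out, HDR_LEN + len, out + HDR_LEN + len);
    return (size_t)HDR_LEN + len + MAC_LEN;
}

/* Receiver: the address check runs before any cipher call (early rejection). */
int ts_open(const uint32_t k[4], uint16_t me, const uint8_t *pkt, size_t n) {
    if (n < HDR_LEN + MAC_LEN) return TS_BAD_MAC;
    if ((((unsigned)pkt[0] << 8) | pkt[1]) != me) return TS_NOT_FOR_US;
    uint8_t len = pkt[7], mac[MAC_LEN], diff = 0;
    if (len > MAX_DATA || n != (size_t)HDR_LEN + len + MAC_LEN) return TS_BAD_MAC;
    cbc_mac4(k, pkt, HDR_LEN + len, mac);
    for (int i = 0; i < MAC_LEN; i++) diff |= mac[i] ^ pkt[HDR_LEN + len + i];
    return diff ? TS_BAD_MAC : len; /* data length on success */
}
```

Broadcast addresses and the encrypted mode are left out; the MAC comparison accumulates differences instead of returning at the first mismatching byte.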

17 More Performance Tricks App-level API for end-to-end encryption TinySec focuses mainly on link-layer crypto, but end-to-end crypto also has value End-to-end secrecy enables performance optimizations (don’t decrypt & re-encrypt at every hop), enables more sophisticated per-node keying, but incompatible with in-network transformation and aggregation; thus, not always appropriate End-to-end integrity less clear-cut, due to DoS attacks

18 TinySec: Current Status Design + implementation stable Released in TinyOS 1.1 Integration with RFM & Chipcon radio stacks; supports nesC 1.1 Simple key management; should be transparent Several external users Including: SRI, BBN, Bosch

19 TinySec Evaluation Wins: Performance is ok Integration seems truly easy Neutral: Out of scope: per-node keying, re-keying, sophisticated key mgmt; PKI; secure link-layer ACKs No security against insider attacks; What if a node is captured, stolen, or compromised? Losses: Not turned on by default in TinyOS yet

