1. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Security clarifications] Date Submitted: [19 January, 2005] Source: [Robert Cragie] Company [Jennic Ltd.] Address [Furnival Street, Sheffield, S1 4QT, UK] Voice:[+44 114 281 4512], FAX: [+44 114 281 2951], EMail:[rcc@jennic.com] Re: [Response to the call for proposal of IEEE 802.15.4b, Security enhancements] Abstract:[Discussion for several potential enhancements for current IEEE 802.15.4 MAC] Purpose:[For the discussion at IEEE 802.15.4b Study Group] Notice:This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release:The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.

2. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 2 Security Clarifications Robert Cragie Jennic Limited

3. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 3 Introduction Proposes data structures for enhancements to security Companion document in 15-04-0539

4. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 4 Outgoing frame security parameters Key Nonce –Frame Counter –Source Extended Address –Security Control Where the authentication data ends and where the encrypted data starts –Dependent on frame type and security level

5. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 5 Security Material classes Two classes of Security Material –Link Key –Network Key The names may not be entirely appropriate but are familiar to the security subgroup

6. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 6 Link key Key shared between two devices only Point-to-point frame (source to destination) Implicit lookup information at destination Source address could also be transported (see also Device Lookup table optimisations) Source: –Key Lookup: Destination address –Device Lookup: Source address (i.e. self) Destination –Key Lookup: Source address –Device Lookup: Source address

7. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 7 Network key (1) Key sequence shared across multiple devices Owner is Key Source, which has an Identifier (e.g. a Trust Centre combined with a Key Sequence Number) The Key Source Identifier is unique over the lifetime of the system There is a notion of ‘current Key Source Identifier’, which is always used by the source device to lookup key Current Key Source Identifier is always transported in frame to provide explicit lookup information at destination

8. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 8 Network key (2) Source address could also be transported (see also Device Lookup table optimisations) Point-to-point, broadcast or group address frame (source to destination(s)) Source: –Key Lookup: Key Source Identifier –Device Lookup: Source address (i.e. self) Destination –Key Lookup: Key Source Identifier –Device Lookup: Source address

9. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 9 Key sequence Network Key is infact a sequence of keys The current yey being used is indicated by the Key Sequence Number When a particular key in a sequence cannot be used any more, e.g. due to frame counter wrapping, it is ‘retired’ and never used again The Key Sequence Number is then incremented, indicating that the next key in the sequence is then used

10. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 10 MAC PIB tables for security Key Table lookupKey Table entry Device Table lookupDevice Table entry MAC PIB Destination Filter Table lookup Destination Filter Table Destination Filter Table entry Source Filter Table lookupSource Filter Table entry Destination Filter Table Source Filter Table Destination Filter Table Device Table Destination Filter Table Key Table

11. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 11 Key Table A table of keys which can be matched to to retrieve the key information for the unsecuring process

12. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 12 Device Table A table of devices which can be matched to to retrieve –Nonce extended address –Frame counter for freshness checking –Security level for checking

13. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 13 Source Filter Table A table of source addresses which can be matched to to allow limiting of devices you wish to receive from ‘backwards group addressing’ Perhaps should not be considered as part of security but frame filtering process

14. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 14 Destination Filter Table A table of destination addresses which can be matched to to allow group addressing Perhaps should not be considered as part of security but frame filtering process Already done in a fashion; broadcast address and self-address matching already specified in 802.15.4-2003

15. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 15 Lookup method As tables are used, there must be some sort of lookup method; Idea is to capture only what data and class of data can be used for the lookup Data used to lookup can conceptually be anything up to 8 octets (i.e. extended address) It may be possible to have more than one matching method per table entry (e.g. short address and extended address matching) How the lookup list and matching method is implemented is deliberately not specified and left to the implementer (e.g. could be hash table, relational database etc.)

16. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 16 Key Table entry Key Device List –A list of devices using this key, including whether they are blacklisted

17. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 17 Key Table lookup Lookup List –A list of Lookup Descriptors which are used to match to PAN ID and short address pair Extended address Trust centre number and key sequence number pair In the most generic case, a variable length number which needs to be bitwise matched with another number of the same length

18. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 18 Device Table entry Extended Address –Used for nonce Frame Counter –Used for freshness checking Minimum Security Level –Used to discard frames which do not meet minimum security level –Depends on frame type as well There is one entry for yourself and one entry for each device you are in communication with

19. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 19 Device Table lookup Lookup Entry –A Lookup Descriptor which is used to match to Can only be PAN ID and short address pair Device Table entry’s Extended Address can always be used to match to In the most generic case, a variable length number which needs to be bitwise matched with another number of the same length

20. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 20 Device Table lookup optimisations If the extended address can always be implied from the frame, there is no need to store an extended address in a Device Table entry This means: –Either explicitly transporting the extended address –Or always using source address mode equal to 3 Tradeoff: ↓Longer frames or less room for payload ↑Less storage requirement

21. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 21 Source Filter Table entry No data – purely used for membership testing

22. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 22 Source Filter Table lookup Lookup Entry –A Lookup Descriptor which is used to match to PAN ID and Short Address Extended Address In the most generic case, a variable length number which needs to be bitwise matched with another number of the same length

23. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 23 ACL mode Simply implemented Device table is used If matched in Device Table, can be considered to be pass filtering

24. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 24 Restricting mandates Propose not use any text which implies: –Sharing of MAC PIB with higher layers –Single-threaded operation These are entirely implementation-specific issues and have no place in a specification This categorically does not preclude an implementation from implementing it in this fashion should it so choose.This categorically does not preclude an implementation from implementing it in this fashion should it so choose.

25. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 25 Frame counters Propose to not use compressed form, as wraparound can occur quite quickly Propose to have a Frame Counter per protocol stack level, e.g. the one used at the MAC level is independent from the one used at a network layer level This is because essentially the frame counter is changes on every frame secured at that particular stack level.

26. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 26 Group addressing Simply a form of packet filtering using the Destination Filter Table Network Key essentially becomes a ‘Group Key’, i.e. is distributed only to nodes in the group Propose to base it on bitmap and mask No further implication as destination address of frame is never used for Network Key lookup.

27. doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 27 Automatic Device Table entry addition A method to prevent having to preconfigure the Device Table If you receive a frame and it successfully looks up the key, then allocate a temporary Device Table entry for it If the unsecuring process passes, install the Device Table entry into the Device Table Need a PIB attribute to allow this or not