On the design of lightweight link-layer security ... · Italian Networking Workshop (INW) 2015, in...
Transcript of On the design of lightweight link-layer security ... · Italian Networking Workshop (INW) 2015, in...
On the design of lightweight link-layer security mechanisms
in IoT systems
Savio Sciancalepore*, Angelo Capossele**, Giuseppe Piro*, Gennaro Boggia* and Giuseppe Bianchi***
* Department of Electrical and Informational Engineering (DEI), Politecnico di Bari, e-mail: {name.surname}@poliba.it
** Department of Computer Science “Sapienza”, University of Rome, Italy; e-mail: [email protected]*** Department of Electronic Engineering, University of Rome 2 “Tor Vergata”, Italy; e-mail: [email protected]
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
2
Agenda
• IoT: a connected world
• Security issues
• Layer-2 security in IoT systems
• Efforts by the scientific community
• The proposed key management protocol
• Implementation challenges
• Performance Evaluation
• Conclusions & Future Works
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
3
Internet of Things
IoT: the 4th major evolution in computing history
Novel pervasive services
Smart Cities
Smart GridsSmart Homes
Smart HealthSmart Cars
Supply Chain Automation
Cisco, Ericsson, Samsung: 20 billions of devices connected by 2020
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
4
Security: a major concern
High volume of exchanged data and sensibility of conveyed information poses new security risks.
Threats
o Eavesdroppingo Unauthorized access to deviceso Tampering with deviceso Privacy issues
Layer-2 security
IEEE 802.15.4e provides MAC and PHY details for low power and lossy networks (LLN);
Security attributes;
Security Procedures for outgoing and incoming frames;
Auxiliary Security Header.
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
5
What else?
The IEEE 802.15.4 standard does not describe:
• How to handle the initialization of a secured IEEE 802.15.4 domain;
• How to generate and exchange keys;
• How to manage joining operations in a already secured IEEE 802.15.4 network
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
S.Sciancalepore, G.Piro, E.Vogli, G.Boggia, L.A. Grieco, On Securing IEEE 802.15.4 networks through a standard compliant framework, Proc. of IEEE Euro-Med Telco Conference, 12-15 Nov. 2014, Napoli (IT).
6
Efforts by the scientific community
ZigBee IP Specifications:
• Security at Network and Application layers through a dedicated entity: ZigBee Device Object (ZBO)
• Trust Center: handle distribution of keys• Three kind of keys: Master Key, Network Key, Link Key• Key Negotiation: SKKE protocol
IETF Working Groups:
CoRE: security at the application layer ROLL: threat analysis at the network layer 6tisch: security architecture for industrial environments, with minimal security
features for layer 2 and layer 4 of the protocol stacks
Literature:
o Adaption of well-known approacheso Design of new KMP procedures:
distributed approaches centralized approaches
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
7
Our contribution
Goals of our work:
1.Design of a key management protocol (KMP);
2.Implementation of the protocol in real IoT nodes;
3.Demonstration of advantages gained by using the proposed approach;
4.Experimental evaluation through real tests.
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
8
Goals of our work:
1.Design of a key management protocol (KMP);
2.Implementation of the protocol in real IoT nodes;
3.Demonstration of advantages gained by using the proposed approach;
4.Experimental evaluation through real tests.
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
9
What ?
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
We want to negotiate a shared secret between a couple of CONSTRAINED nodes
Diffie – Hellman Approach
IA IB
PublicKeyA (KP,A)
PublicKeyB (KP,B)
KP,A public key AKV,A private key AKP,B public key BKV,B private key A K = 𝐾𝑃, 𝐴
𝐾𝑉,𝐵= 𝐾𝑃, 𝐵
𝐾𝑉,𝐴
10
What ?
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
We want to negotiate a shared secret between a couple of CONSTRAINED nodes
Diffie – Hellman Approach
IA IB
PublicKeyA (KP,A)
PublicKeyB (KP,B)
KP,A public key AKV,A private key AKP,B public key BKV,B private key A K = 𝐾𝑃, 𝐴
𝐾𝑉,𝐵= 𝐾𝑃, 𝐵
𝐾𝑉,𝐴
Problem: Public keys are not strictly bind to their owner
11
What ?
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
We want to negotiate a shared secret between a couple of CONSTRAINED nodes
Diffie – Hellman Approach
IA IB
PublicKeyA (KP,A)
PublicKeyB (KP,B)
KP,A public key AKV,A private key AKP,B public key BKV,B private key A K = 𝐾𝑃, 𝐴
𝐾𝑉,𝐵= 𝐾𝑃, 𝐵
𝐾𝑉,𝐴
Problem: Public keys are not strictly bind to their owner
Man InThe Middle
Attack
12
X.509 certificates
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
When a PKI is used, X.509 certificates are used to bind a public key to its owner, through the sign of a trusted entity.
13
X.509 certificates
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
When a PKI is used, X.509 certificates are used to bind a public key to its owner, through the sign of a trusted entity.
40 byte ECC Public Key
864 byte ECDSA signed X.509 certificate
14
X.509 certificates
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
When a PKI is used, X.509 certificates are used to bind a public key to its owner, through the sign of a trusted entity.
40 byte ECC Public Key
864 byte ECDSA signed X.509 certificate
11 MAC-layer messages
TOO MUCH!
15
Implicit certificates
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
Implicit Certificates
• no explicit sign of the CA’s signature on a certificate;
• Only the requester can generate the private key;
• Anyone who knows the CA can reconstruct the public key;
Advantages
Same level of security than explicit X.509 certificates;
Require less number of MAC-layer messages and less radio power
Computing the public key is much faster than a public key operation
16
ECQV implicit certificates
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
17
ECQV implicit certificates
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
18
ECQV implicit certificates
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
40 byte
19
The proposed KMP
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
Integration of ECQV implicit certificates, Station-to-Station and DTLS protocols
20
The proposed KMP
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
Integration of ECQV implicit certificates, Station-to-Station and DTLS protocols
21
The proposed KMP
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
Integration of ECQV implicit certificates, Station-to-Station and DTLS protocols
AES CBC-MAC
MGF1 KDF MGF1 KDF
22
Goals of our work:
1.Design of a key management protocol (KMP);
2.Implementation of the protocol in real IoT nodes;
3.Demonstration of advantages gained by using the proposed approach;
4.Experimental evaluation through real tests.
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
23
Implementation in real IoT motes
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
The proposed KMP has been implemented and experimentally evaluated, using:
The TelosB hardware platform- 48 kB ROM - 10 kB RAM- 16-bit microcontroller- 8 MHz maximum speed- CC2420 radio module
OpenWSN protocol stack- Most promising open-source protocol stack for IoT;- Based on IEEE 802.15.4e- 6LoWPAN, RPL, CoAP proposed standards
S.Sciancalepore, G.Piro, G.Boggia, L.A. Grieco, Application of IEEE 802.15.4 security procedures in OpenWSN protocol stack, IEEE Standards Education e-Magazine (eZine), no.4, vol.2, 4th quarter, 2014.
24
Implementation issues
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
Integration of KMP messages in a real protocol: Use of IEEE 802.15.4e Information Elements;
Implementation of optimized elliptic curve (ECC) operations: Large integers implemented using arrays; Use of HW registers for addition and multiplication on large integers; Fast modular reduction of large integers with Barrett Reduction; Adaptation of TinyECC and ContikiECC libraries; Double-and-add and sliding-windows methods for ECC multiplications
Management of time-expensive ECC operations: Increasing the task list depth (software overload); Disabling of hardware interrupts; Increasing super-frame length;
De-synchronization events: Increasing de-synchronization time-out.
Administration of the workload at coordinator side: single KMP at a time.
25
Goals of our work:
1.Design of a key management protocol (KMP);
2.Implementation of the protocol in real IoT nodes;
3.Demonstration of advantages gained by using the proposed approach;
4.Experimental evaluation through real tests.
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
26
Comparison: IKE and DTLS
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
ConsideredStrategy
LogicalMessages
MACpackets
Proposedapproach
4 4
DTLS [1] 7 60
IKE [2] 11 69
Considered Strategy ROM footprint
Proposed approach 5.8 kB
DTLS [1] 15 kB
IKE [2] 9 kB
1. S. Raza, D. Trabalza, and T. Voigt, “6lowpan compressed dtls for coap,” in IEEE Int. Conf. on Distrib. Comput. in Sensor Systems (DCOSS), May 2012, pp. 287–289.
2. S. Raza, D. Trabalza, and T. Voigt, “Lightweight IKEv2: A key Management Solution for both the Compressed IPsec and the IEEE 802.15.4 Security”, March 2012.
27
Goals of our work:
1.Design of a key management protocol (KMP);
2.Implementation of the protocol in real IoT nodes;
3.Demonstration of advantages gained by using the proposed approach;
4.Experimental evaluation through real tests.
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
28
KMP atomic durations
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
29
Time to create the secure domain
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
30
Conclusion and Future Works
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16
Goal of the work: design of a lightweight layer-2 key management protocol for IoT systems:
Protection against replays, eavesdropping, Man-In-The-Middle Attacks Lightweight for use in constrained nodes Small messages footprint Limited bandwidth requirements Lightweight re-keying
Future research:
Optimization of the protocol; Tests in more complex IoT deployments; Implementation in more capable motes; Integration of the procedure in higher-layer security suites.
31
Questions?
Savio Sciancalepore, Ph.D. Student
Department of Electrical and Informational Engineering (DEI),Politecnico di Bari
E-mail: [email protected]
Personal page: http://telematics.poliba.it/index.php/it/people/sciancalepore
Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16