Security Considerations for IEEE 802.15.4 NetworksKarthikeyan Mahadevan

Martin Coopers LawCooper's Law, (after ArrayComm Chairman, Martin Cooper), states that the number of conversations (voice and data) conducted over a given area, in all of the useful radio spectrum, has doubled every two and a half years for the last 105 years, ever since Marconi discovered radio in 1895

What is IEEE 802.15.4IEEE 802.15.4 LR WPAN is a task group for developing a standard for Low Rate Wireless Personal Area NetworksWireless is gone beyond office and home to new environments like factories, hospitals and military applications

Goals of IEEE 802.15.4Very low power consumption: The largest consumer of energy on a wireless device is the radio. Very low cost

Constraints Low power Energy is very limitedMust be carefully usedNo human interventionLifetime depends order of months to yearsIn summary the software must be correct and minimal

Why are we interested?Application domain ranges from wireless gaming to military applicationsCertain classes of these applications needs securityCommunication medium is RFThis concern is addressed in the 802.15.4 specification Link Layer Security

Contributions Critical analysis of the security features of 802.15.4Outlines the problems Recommendations Targeted audienceRadio designers Application Developers

Overview of 802.15.4 SecurityThe basic features provided by the link layer security protocol areAccess ControlMessage IntegrityMessage ConfidentialityReplay Protection

Access Control and Message IntegrityUnauthorized entities should not be part of a secure networkA mechanism to detect the above scenarioMessage integrity message tampering should be detected MACRequires communicating parties to share a secret

ConfidentialityMeans of achieving encryptionNotion of Semantic SecurityThe encryption must prevent an adversary from learning even partial information about the messageThis means that encryption of the same plaintext twice should result in different cipher textsNonce

Replay ProtectionAdversary eavesdrops a message from a legitimate sender and replays it after a time delay xSequence numbers increased with every packet

802.15.4 Stack LLC Logical Link ControlSSCS Service Specific Convergence Sub layer

802.15.4 ProtocolEach node has 64 bit Node ID16 bit Network ID(A node could use 16-bit Node ID)Two types of packets (relevant to security)Data ACK (Sender explicitly requests it)

Data and ACK packet formats

Where is security ?Handled by the Media access control layerThe application controls the security requiredBy default NO SecurityFour types of packetsBeacon, Data, ACK, Control packets for MAC LayerNO Security for ACK packetsThe other packets can optionally use encryption or integrity checks

Security SuitesNo security NULLAES-CTR - Encryption only, CTR ModeAES-CBC-MAC MAC only (options of 32bit, 64bit and 128bit MACs)AES-CCM Encryption and MAC (options of 32bit, 64bit and 128bit MACs)Replay protection can be turned on or off for any of the above

How does it work?Application decides the choices on the security level. (A bool value)Access Control Lists are used to enforce these security levels (max up to 255 entries)If security is enforced then the MAC layer looks up the ACL table for the cryptographic material for the destination

ContdOn packet reception, based on the flags the MAC layer decides how to process the packet

ACL Entry Format

Details of Security SuitesNULL no security, mandatory in all chipsAES-CTR (Confidentiality alone)Break plain text into 16-byte blocks p1,,pnCompute cipher text ci = pi xor Ek(xi)CTR or Nonce xi is necessary for the receiver to decrypt

NonceIs made up of Static flags fieldSenders address3 counters4 byte frame counter (identifies the packet)1 byte key counter2 byte block counter (numbers the 16 byte blocks in a packet)

More on NonceFrame counter controlled by the hardware radioSender increments it after every packetWhen reaches max value no further encryptions are possibleKey counter applications controlUsed when frame counter has reached its max valueGoal of frame and key counter is to prevent nonce reuse (in a single keys life-time)Use of block counter ensure different nonces are used for each block need not be transmitted

AES-CBC-MACSender has options of 4, 8 or 16 byte MACCommunicating parties have to share a key

AES-CCMApplies CBC-MAC over the header and the dataEncrypts the dataMAC on both using AES-CTR mode

Replay CounterApplicable to AES-CTR and AES-CCM suitesThe replay counter is 5 bytes long Frame counterKey Counter (MSB)Note: This is same as the nonce but is used for a different purpose.

ProblemsThree classesNonce managementKey managementIntegrity protection

Nonce ProblemsSame Key in Multiple ACL entriesIf used, very likely that nonce is also reusedThis could break the confidentialitySimple solutionIf using the same key then use only one ACL entry, after sending the first packet, change the ACL entry (the software must keep track of which destinations are in play)

Nonce ProblemsLoss of ACL Power FailureAssuming that the ACL is restored, what about the nonces?The authors say that the 802.15.4 lacks clarity in this issueRecommendation re-key after power failureRelated issue what happens when the node is sleeping Again there is presumably no clarity in the specification

Key Management ProblemsNo group keyingFirst approach: Assign different ACL entries for all the nodes in the group and use the same key (Nonce management problem, ACL will be large)Second approach: Single ACL entry heavy, since for every destination the ACL has to be changed. Assuming the receivers also employ the same strategy then the receiver must switch the ACL before a packet arrives from a destination other than that in the current ACL

Key Management ProblemsReplay protection is incompatible with group keyingNode x transmits 100 messages, so replay counter is at 99 nowNode y starts transmission, its replay counter is going to 0, so the packets are dropped.

Nonce and Replay CounterNonce is bound to the key incremented with every message that is sent should use a different nonce (if two different entries use the same key, they share a nonce)Replay counter is bound to the senders address. If two ACL entries share a key, they still have different replay counters.

Integrity protection ProblemsUnauthenticated encryption Recommendation do not use AES-CTRDoS on AES-CTRTwo parties X and Y communicating (Replay protection is enabled)Attacker sends a very high value for the key and frame counter with garbage with sender ID XThis would cause the messages from legitimate sender to be dropped.

Integrity protection ProblemsACK without MACSequence number sent in clearAdversary can send ACKs

Take - awayApplication DesignersDo not use AES-CTRDo not rely on ACKHardware DesignersSupport for 255 ACL entries (depends on the size of the network)Retail ACL in low power mode (if possible nonces too)Do not support AES-CTR

Take - awaySpecification writersWarn against Dangerous ACL configurationsBetter support for various keying modelsDo not support AES-CTRAuthenticated ACK

ReferencesNaveen Sastry and David Wagner, Security Considerations for IEEE 802.15.4 Networks. ACM Workshop on Wireless Security WiSe 2004, October 2004