on the design of lightweight link-layer security ... · italian networking workshop (inw) 2015, in...

On the design of lightweight link-layer security mechanisms

in IoT systems

Savio Sciancalepore*, Angelo Capossele**, Giuseppe Piro*, Gennaro Boggia* and Giuseppe Bianchi***

* Department of Electrical and Informational Engineering (DEI), Politecnico di Bari, e-mail: {name.surname}@poliba.it

** Department of Computer Science “Sapienza”, University of Rome, Italy; e-mail: [email protected]*** Department of Electronic Engineering, University of Rome 2 “Tor Vergata”, Italy; e-mail: [email protected]

Italian Networking Workshop (INW) 2015, in Cavalese (IT), January 14-16

2

Agenda

• IoT: a connected world

• Security issues

• Layer-2 security in IoT systems

• Efforts by the scientific community

• The proposed key management protocol

• Implementation challenges

• Performance Evaluation

• Conclusions & Future Works


3

Internet of Things

IoT: the 4th major evolution in computing history

Novel pervasive services

Smart Cities

Smart GridsSmart Homes

Smart HealthSmart Cars

Supply Chain Automation

Cisco, Ericsson, Samsung: 20 billions of devices connected by 2020


4

Security: a major concern

High volume of exchanged data and sensibility of conveyed information poses new security risks.

Threats

o Eavesdroppingo Unauthorized access to deviceso Tampering with deviceso Privacy issues

Layer-2 security

IEEE 802.15.4e provides MAC and PHY details for low power and lossy networks (LLN);

Security attributes;

Security Procedures for outgoing and incoming frames;

Auxiliary Security Header.


5

What else?

The IEEE 802.15.4 standard does not describe:

• How to handle the initialization of a secured IEEE 802.15.4 domain;

• How to generate and exchange keys;

• How to manage joining operations in a already secured IEEE 802.15.4 network


S.Sciancalepore, G.Piro, E.Vogli, G.Boggia, L.A. Grieco, On Securing IEEE 802.15.4 networks through a standard compliant framework, Proc. of IEEE Euro-Med Telco Conference, 12-15 Nov. 2014, Napoli (IT).

6

Efforts by the scientific community

ZigBee IP Specifications:

• Security at Network and Application layers through a dedicated entity: ZigBee Device Object (ZBO)

• Trust Center: handle distribution of keys• Three kind of keys: Master Key, Network Key, Link Key• Key Negotiation: SKKE protocol

IETF Working Groups:

CoRE: security at the application layer ROLL: threat analysis at the network layer 6tisch: security architecture for industrial environments, with minimal security

features for layer 2 and layer 4 of the protocol stacks

Literature:

o Adaption of well-known approacheso Design of new KMP procedures:

distributed approaches centralized approaches


7

Our contribution

Goals of our work:

1.Design of a key management protocol (KMP);

2.Implementation of the protocol in real IoT nodes;

3.Demonstration of advantages gained by using the proposed approach;

4.Experimental evaluation through real tests.


8

Goals of our work:






9

What ?


We want to negotiate a shared secret between a couple of CONSTRAINED nodes

Diffie – Hellman Approach

IA IB

PublicKeyA (KP,A)

PublicKeyB (KP,B)

KP,A public key AKV,A private key AKP,B public key BKV,B private key A K = 𝐾𝑃, 𝐴

𝐾𝑉,𝐵= 𝐾𝑃, 𝐵

𝐾𝑉,𝐴

10

What ?




IA IB

PublicKeyA (KP,A)

PublicKeyB (KP,B)



𝐾𝑉,𝐴

Problem: Public keys are not strictly bind to their owner

11

What ?




IA IB

PublicKeyA (KP,A)

PublicKeyB (KP,B)



𝐾𝑉,𝐴

Problem: Public keys are not strictly bind to their owner

Man InThe Middle

Attack

12

X.509 certificates


When a PKI is used, X.509 certificates are used to bind a public key to its owner, through the sign of a trusted entity.

13

X.509 certificates



40 byte ECC Public Key

864 byte ECDSA signed X.509 certificate

14

X.509 certificates



40 byte ECC Public Key

864 byte ECDSA signed X.509 certificate

11 MAC-layer messages

TOO MUCH!

15

Implicit certificates


Implicit Certificates

• no explicit sign of the CA’s signature on a certificate;

• Only the requester can generate the private key;

• Anyone who knows the CA can reconstruct the public key;

Advantages

Same level of security than explicit X.509 certificates;

Require less number of MAC-layer messages and less radio power

Computing the public key is much faster than a public key operation

16

ECQV implicit certificates


17



18



40 byte

19

The proposed KMP


Integration of ECQV implicit certificates, Station-to-Station and DTLS protocols

20

The proposed KMP



21

The proposed KMP



AES CBC-MAC

MGF1 KDF MGF1 KDF

22

Goals of our work:






23

Implementation in real IoT motes


The proposed KMP has been implemented and experimentally evaluated, using:

The TelosB hardware platform- 48 kB ROM - 10 kB RAM- 16-bit microcontroller- 8 MHz maximum speed- CC2420 radio module

OpenWSN protocol stack- Most promising open-source protocol stack for IoT;- Based on IEEE 802.15.4e- 6LoWPAN, RPL, CoAP proposed standards

S.Sciancalepore, G.Piro, G.Boggia, L.A. Grieco, Application of IEEE 802.15.4 security procedures in OpenWSN protocol stack, IEEE Standards Education e-Magazine (eZine), no.4, vol.2, 4th quarter, 2014.

24

Implementation issues


Integration of KMP messages in a real protocol: Use of IEEE 802.15.4e Information Elements;

Implementation of optimized elliptic curve (ECC) operations: Large integers implemented using arrays; Use of HW registers for addition and multiplication on large integers; Fast modular reduction of large integers with Barrett Reduction; Adaptation of TinyECC and ContikiECC libraries; Double-and-add and sliding-windows methods for ECC multiplications

Management of time-expensive ECC operations: Increasing the task list depth (software overload); Disabling of hardware interrupts; Increasing super-frame length;

De-synchronization events: Increasing de-synchronization time-out.

Administration of the workload at coordinator side: single KMP at a time.

25

Goals of our work:






26

Comparison: IKE and DTLS


ConsideredStrategy

LogicalMessages

MACpackets

Proposedapproach

4 4

DTLS [1] 7 60

IKE [2] 11 69

Considered Strategy ROM footprint

Proposed approach 5.8 kB

DTLS [1] 15 kB

IKE [2] 9 kB

1. S. Raza, D. Trabalza, and T. Voigt, “6lowpan compressed dtls for coap,” in IEEE Int. Conf. on Distrib. Comput. in Sensor Systems (DCOSS), May 2012, pp. 287–289.

2. S. Raza, D. Trabalza, and T. Voigt, “Lightweight IKEv2: A key Management Solution for both the Compressed IPsec and the IEEE 802.15.4 Security”, March 2012.

27

Goals of our work:






28

KMP atomic durations


29

Time to create the secure domain


30

Conclusion and Future Works


Goal of the work: design of a lightweight layer-2 key management protocol for IoT systems:

Protection against replays, eavesdropping, Man-In-The-Middle Attacks Lightweight for use in constrained nodes Small messages footprint Limited bandwidth requirements Lightweight re-keying

Future research:

Optimization of the protocol; Tests in more complex IoT deployments; Implementation in more capable motes; Integration of the procedure in higher-layer security suites.

31

Questions?

Savio Sciancalepore, Ph.D. Student

Department of Electrical and Informational Engineering (DEI),Politecnico di Bari

E-mail: [email protected]

Personal page: http://telematics.poliba.it/index.php/it/people/sciancalepore


mailto:[email protected]

on the design of lightweight link-layer security ... · italian networking workshop (inw) 2015, in...

Documents