embedded security: from sensor networks to internet of...
TRANSCRIPT
Embedded Security: From Sensor Networks to Internet of Things (IoT)
Dr. Wen Hu, Michael Bruenig, Thomas Kothmayr (TUM), Corinna Schmitt (U Zurich) Principal Research Scientist/Research Project Leader CSIRO Digital Productivity Flagship, Australia
DIGITAL PRODUCTIVITY FLAGSHIP
• Wireless Sensor Networks – Homogenous devices – Resource, energy and form factor limited
Cryptography challenges in sensor networks
• Very limited resources • 8-bit/16-bit microcontrollers • Less than 10KB RAM • AA batteries
• Security algorithms are computational and memory intensives
SKC vs. PKC
• Symmetric Key Cryptography (SKC) • Low computation cost • Smaller key sizes
• Public Key Cryptography • It provides more security than SKC…but it requires a nontrivial amount
of processing power and memory
Past 2004 2007
Future Imposible to use PKC
Possible to use PKC
Doubt in using PKC
Cryptography engines
• Symmetric cryptography engine • AES 128-bit, new transceivers such as Atmel AT86RF212
and AT86RF230
• Asymmetric cryptography engine • SHA-1, 1024/2048-bit RSA
secFleck
CSIRO ICT Centre – Marine Robotics & Sensor Networks
Evaluation (I)
Evaluation (II)
CSIRO ICT Centre – Marine Robotics & Sensor Networks
Examples --- secure communications
Node A
CSIRO ICT Centre – Marine Robotics & Sensor Networks
Generates a random n u m b e r N a ( b y fos_tpm_rand)
Base
E(Pkbase, Na, Req) fos_tpm_encryption E(Pkbase, Na, Req)
Decrypt with Skbase, G e n e r a t e a n e w session key (KBA), (fos_tpm_decryption fos_tpm_rand)
E(PkA, Na, KBA) (fos_tpm_encryption)
Decrypt with SkA, (fos_tpm_decryption)
Secure communication using SKC with KBA
Examples --- remote attestation
Attestator A
Dur ing boot t ime, update PCR I (Pi) (fos_tpm_pcrExtend)
Base Obtain Pi and generate a signature (fos_tpm_pcrQuote)
Challenger C
Generates a random n u m b e r N a ( b y fos_tpm_rand)
Issue PCR challenge (index = i, Na)
Challenge response S(Pi, Na, Ska)
Ask for A’s public key
A’s public key (Pka)
Verify the value Pi and t h e s i g n a t u r e (fos_tpm_verifyPcrQuote)
Summary
• Strong (2048-bit) asymmetric key cryptography for message authenticity and
integrity, strong symmetric key cryptography for message confidentiality
• Affordable (financially, form factor, and energy consumption)
• Remote (platform and data) attestation for content trustworthiness
11
• Internet of Things – Heterogeneous devices (cortex M*) – Standard approach (802.15.4, RPL/6LoWPAN, COAP…)
13
Motivation • Current situa2on: • Many different use cases exist: Building system, medical apps, acquisi2on of resources.
• Main task of sensor networks is the collec2on and transmission of different data.
• Problem: • Data can include sensi2ve informa2on. • Trend: Integra2on of wireless sensor networks into the Internet (Internet of Things).
• Trustworthiness of par2cipants can differ.
• Requests for the security solu2on: • Confiden2ality • Data Integrity • Data authen2city
A DTLS Based End-To-End Security Architecture for the Internet of Things with Two-Way Authentication
14
Usage of standards • Wireless Sensor Networks are comparable to Peer-‐to-‐Peer networks: • Self-‐organizing network of sensor nodes • Basic tasks of a node: Collect data, simple data processing, and forward data • Constrained memory, baRery and compua2onal power • IPv6 Connec2vity à Nodes connected to Internet
• Different standardized security solu2ons exist: • Technologies and implementa2ons (e.g. OpenSSL) exist and are well proven • Exis2ng infrastructures (e.g. cer2ficate authori2es) can be used again.
• Different standards for network stack in WSNs already exist: • Physical & MAC Layer: IEEE 802.15.4 • Rou2ng & Transport Layer: 6LoWPAN, RPL • Applica2on Layer: CoAP
A DTLS Based End-To-End Security Architecture for the Internet of Things with Two-Way Authentication
15
Benefits of a standards based approach Reuse of: • Implementa2ons (OpenSSL, etc..) • Engineering techniques • Infrastructure (Cer2ficate Authori2es, etc..) • Exper2se and Experience
à Easier security uptake Hardware used: • TelosB / IRIS • OPAL-‐Mote • 50kbyte SRAM • 48 MHz Microcontroller • Trusted Plaaorm Module
Medium Access /Physical
Network
Transport
Security
Application
IEEE 802.15.4
UDP
IPv6BLIP, RPL
DTLSDTLS
CoAP, XML, ...
A DTLS Based End-To-End Security Architecture for the Internet of Things with Two-Way Authentication
Opal node (front)
Radio
Microcontroller (32-bit)
LED
Opal node (back)
CSIRO ICT Centre – Marine Robotics & Sensor Networks
TPM
Radio Micro SD card slot
18
DTLS – Ultra short introduction DTLS:
• Adap2on of TLS for datagram transport
• Server and Client nego2ate Hash algorithm and Cipher in Handshake
• Different authen2ca2on methods – RSA, DAS, DH, ECC, PSK,… – For us: RSA and later PSK
ClientHello*
ClientHelloVerify*
ClientHello
ServerHelloCertificate
[CertificateRequest]ServerHelloDone
[Certificate]ClientKeyExchange[CertificateVerify]ChangeCipherSpec
Finished
ChangeCipherSpecFinished
Flight 1
Flight 3
Flight 5
Flight 2
Flight 4
Flight 6
[…] Omission during server authenticated handshake. * Optional messages Encrypted up now
Client Server
A DTLS Based End-To-End Security Architecture for the Internet of Things with Two-Way Authentication
19
Connecting to data sink
A DTLS Based End-To-End Security Architecture for the Internet of Things with Two-Way Authentication
20
P2P Connection
A DTLS Based End-To-End Security Architecture for the Internet of Things with Two-Way Authentication
21
Evaluation - DTLS Handshake • Least understood component in IoT context
• Previous work evaluated other components • „Sizzle: A standards-‐based end-‐to-‐end security architecture for the embedded internet” à Server authen2cated handshake with RSA and ECC
• “Securing Communica2on in 6LoWPAN with Compressed IPSec” à Compression techniques for IPSec header during applica2on data transfer
Challenge: IoT embedded nodes are limited to their resources! • System’s performance – Packet handling – DTLS handshake performance
• Energy consump2on • Memory consump2on
A DTLS Based End-To-End Security Architecture for the Internet of Things with Two-Way Authentication
22
Evaluation - System’s performance (packet handling) • Linear increase of round trip 2me • Jumps approximately every 100 bytes à 128 bytes maximum MTU in layer 2 by IEEE 802.15.4
à Including header and tailer • Jumps occur earlier when sending DTLS protected
packets à Addi2onal DTLS header, HMAC size, Ini2aliza2on Vector
A DTLS Based End-To-End Security Architecture for the Internet of Things with Two-Way Authentication
0
100
200
300
400
500
600
8 32 64 96 128 160 192 224 255
Roun
d-‐Trip-‐Tim
e (m
s)
Data packets per Template packetAES-‐128 Multihop (4)
AES-‐128 Single Hop
SHA-‐1 Multihop (4)
SHA-‐1 Single Hop
Ping Multihop (4)
Ping Single Hop
à Increasing packet size and processing overhead lead to an increased end-to-end transmission latency for DTLS packets compared to plaintext packets.
à The decreased performance for transmission latency is mostly due to the large packet overhead of up to 64 bytes.
à Calculation times DOES NOT contribute significantly: - SHA-1 hash of 255 bytes plain text message: 9 ms - Encryption with AES-128: 12 ms
23
Evaluation - System’s performance (DTLS handshake)
A DTLS Based End-To-End Security Architecture for the Internet of Things with Two-Way Authentication
• Measurement duration: – Beginning of the handshake establishment – Client received a „FINISHED“ message
• 15 measurements for each type of handshake
• Timeout: 5 sec
à Large standard deviation is caused by implementation behavior when messages lost.
- DTLS states that an implementation should wait for an answer for a set amount of time after sending a flight. - Retransmission if no answer is received during this period.
à Time to execute a handshale is shorter for smaller RSA-keys and reduced by almost 2 sec when client authentication is omitted in the handshake.
à Packet loss mainly in multi-hop environment and larger DTLS messages are sent. à Total energy consumption of client does not increase significantly
- All TPM operations are only executed after successful receipt of all relevant server messages.
Average latency for a fully authenticated and a server authenticated DTLS handshake
24
Evaluation - Energy consumption Energy draw for a fully authenticated DTLS
handshake on OPAL node
A DTLS Based End-To-End Security Architecture for the Internet of Things with Two-Way Authentication
Energy cost =
25
Evaluation - Memory consumption
A DTLS Based End-To-End Security Architecture for the Internet of Things with Two-Way Authentication
ROM consumption (byte)à Total: 63,383 byte ROM
RAM consumption (byte)à Total: 17,839 byte RAM
• Fully authenticates handshake with 2048-bit RSA keys • OPAL resources: 48 kB RAM / 256 kB ROM
26
Established WSN at Department
Recording of received TinyIPFIX messages in Listerner provided by TinyOS
DTL
S ha
ndsh
ake
mes
sage
s
Dat
a tr
ansm
issi
on v
ia s
ecur
e co
nnec
tion
Wireshark recording on tun0 (only UDP packets)
IRIS with mts300 or mts400 S
Nodes with data collection purpose:
TelosB with activated sensors T
T
T
S
SS
T
S
SS
SS
S
S
Gateway (TelosB)
TelosB with aggregation purpose
2232 2270 11042222
1108 2250
1105
2243
1102 1106 11101107
11011103
X
X Opal
12
A DTLS Based End-To-End Security Architecture for the Internet of Things with Two-Way Authentication
Gateway
12
11072270
1110
2243
2222
22501108
1104 1102
1105
1101
2232
1103
1106
27
Summary • Today’s challenge:
• Connec2on of different infrastructures on base of IP-‐communica2on • Internet of Things
• Adop2on of powerful and well known protocols is suitable! • A standard based security architecture with two-‐way authen2ca2on for the Internet of Things was developed. • The authen2ca2on is performed during a fully authen2cated DTLS handshake.
– Exchange of X.509 cer2ficates containing RSA keys • Secure provisioning:
– Message integrity – Confiden2ality – Authen2city
• Solu2on has affordable energy, end-‐to-‐end latency, and memory overhead
• Interoperability can be ensured with different vendors • Applica2on scenarios exchangeable
A DTLS Based End-To-End Security Architecture for the Internet of Things with Two-Way Authentication
On-‐going work • Opal on a chip (TI CC2538)
• Cortex M3 (32KB RAM and 512KB ROM) • IEEE 802.15.4 radio • RSA, ECC in hardware • ~$6
• OpenMote
• Has the dominated factor moved back to wireless transmissions?
• More advanced crypto approaches?
• Bluetooth LE security?
29
References 1. "secFleck: A Public Key Technology Plaaorm for Wireless Sensor Networks", Wen Hu, Peter Corke,
Wen Chan Shih, Leslie Overs. In Proceedings of 6th European Conference on Wireless Sensor Networks (EWSN 09), February 11th-‐13th, Cork, Ireland.
2. "Towards Trusted Wireless Sensor Networks". Wen Hu, Hailun Tan, Peter Corke, Wen Chan Shih,
Sanjay Jha. ACM Transac2ons on Sensor Networks (TOSN), Volume 7, Issue 1, August 2010. 3. "DTLS based Security and Two-‐Way Authen2ca2on for the Internet of Things", Thomas Kothmayr,
Corinna SchmiR, Wen Hu, Michael Bruenig and Georg Carle. Ad Hoc Networks (Elsevier), Vol. 11 Issue 8, Page 2710 -‐ 2723 Nov 2013.
4. “TLS-‐based Security with two-‐way Authen2ca2on for IoT”, C. SchmiR, B. S2ller, T. Kothmayr and Wen Hu, IETF Internet Drav, July 2013.
5. "Towards Trustworthy Par2cipatory Sensing”, Akshay Dua, Nirupama Bulusu, Wuchang Feng, Wen Hu. In Proceedings of 4th USENIX Workshop on Hot Topics in Security (HotSec '09), August, 2009, Montreal, Canada.