LiLightweight ghtweight SSecurity ecurity PProtocolrotocolLiLightweight ghtweight SSecurity ecurity PProtocolrotocol

TTAEJOONAEJOON P PARKARK

Real-Time Computing Laboratory

Department of EECS

The University of Michigan

““Security in Networked Embedded Systems”Security in Networked Embedded Systems”

CHALLENGES

• Security Efficiency, user-friendlyness

• Dynamic, unmanned, renewable

• Compatible with existing app/svc

KEY MANAGEMENT

• Process to generate, store, protect, transfer, use & destroy key

• Also trust management, pricing, privacy

• e-Business, PayTV, Internet

CRYPTO KEY• Secure only if key length large enough

>> 75 bits (M. Blaze)

• Same key forever ?

• Nullifying effect of key in ciphertext ?e.g., 802.11 WEP

CRYPTOGRAPHY

• Only use ciphers carefully studied

• Resistence to cryptanalysis Processing

• Key search attack ?e.g., DES ~ 256

How to Secure Systems How to Secure Systems ??How to Secure Systems How to Secure Systems ??

Secure System• Confidentiality• Integrity, Authenticity• Access Control• Availability

Security in Networked Embedded SystemsSecurity in Networked Embedded SystemsSecurity in Networked Embedded SystemsSecurity in Networked Embedded Systems

No fixed infrastructure, self-organizing

Battery-powered

A large number of nodes

Dynamic addition / removal

Possibly mobile, unattended

CHALLENGES

Wireless

Limited Energy

Large-scale

easier eavesdropping, jamming

OUR APPROACH

Lightweight Not sacrificing security level

Distributed, P2P

Tailored to Threat / Svc

Threat ModelThreat ModelThreat ModelThreat Model

OUTSIDER INSIDER

Data Attacks• Traffic capture / replay• Spoofing if unencrypted• Man-in-the-middle attack

Radio Attacks• High-power jamming• Detection of radio sources,

Hot spots

Physical Attacks• Reprogram as malicious• Destroy device• Extract key material

Data Attacks• Traffic injection / flooding• Unlimited spoofing• DoS attack

Service Disruption Attacks• Routing – altered route

updates, selective relaying• Disruption of clock synch.

Misc.• Service/data to adversary• Malicious service to net.

Why LiSP Why LiSP ??Why LiSP Why LiSP ??THREATTHREAT DEFENSEDEFENSE PROBLEMPROBLEM SOLUTIONSOLUTION

Shared secret-key

Re-keying

• Globally• Group-based• Pairwise

• Periodically• Event-triggered

SoftTamper-Proofing

via

Program-IntegrityVerification

H/WH/W

S/WS/W

Tamperresistance

• Obfuscation

• Result Checking

• Self-Decrypting programs

• Expensive• Not absolutely safe

• O: No security• RC,SD: Incurs

runtime overhead• SD: How to protect

decryption routine?

Attack on DataAttack on Data

• Eavesdropping

• Data Modification/ injection

• Service disruptionDoS

Attack on DevicesAttack on Devices

The adversary can• capture• reverse-engineer• re-program• clonesensor device(s)

• Large overhead of (unicast) re-keying

Group-shared

Pairwise-shared• Large overhead of

encr/decr per link

Globally shared

• Vulnerable to node compromises

Group-basedKey Management

• Hierarchical nets• via Key Broadcast

DistributedKey Management

• Peer-to-peer nets

• via Distributed Key Servers

LiSP ArchitectureLiSP ArchitectureLiSP ArchitectureLiSP Architecture

Goal: A lightweight security framework for various NEST applicationsGoal: A lightweight security framework for various NEST applications

PROGRAM

INTEGRITY

VERIFICATION

PROGRAM

INTEGRITY

VERIFICATION

INTRUSION

DETECTION

INTRUSION

DETECTION KEY

MANAGEMENT

KEY

MANAGEMENT

SECURITY TRADEOFFSECURITY TRADEOFF

Probe Monitor

Re-key

Activate / Locknew

sensor

suspicioussensor

compromisedsensor

Reconfigure

Reconfigure

Group Key ManagementGroup Key ManagementGroup Key ManagementGroup Key Management

OBJECTIVEOBJECTIVE

Static Preloaded Key Dynamic Key

Periodic Renewal of Group-Key (GK)

Maximize Performance given Key Renewal Frequency

KEY IDEAKEY IDEA

Unicasting Broadcasting (without retransmissions / ACKs)

Authentication & Recovery of GK using One-Way Hash FunctionAuthenticate GK without dedicated MAC field

Detect / recover lost (corrupted) GK

Double-Buffering for Robustness to Inter-Sensor Clock Skews

Key Buffer

Key Slots

SENSOR

Group Key ManagementGroup Key ManagementGroup Key ManagementGroup Key Management

GK6GK4 GK5 GK7

HHHHGK3

HGK2

HGK1

Ucast Bcast Bcast

KEY

SERVERGK5

lost/corrupted

GK3

GK2 = H(GK3)GK1 = H(GK2)

GK1

GK2

GK4

GK3

GK3

GK2

GK4

GK3

GK4

GK4

GK5 = H(GK6)

GK5

GK4

GK6

Communicationvs Processing

Much less C at the expense of reasonable P

Energy-efficient because C >>> P

DARPA DemoDARPA DemoDARPA DemoDARPA Demo

Visualize rekeying process via GUI & Mote LEDs

1. Key Distribution

2. Key Recovery

Randomly skipping key disclosure(s)

3. Tradeoffs

Adjust rekeying period & length of key buffer

Tool for Visualizing Key Management