security tradeoffs in nest dec 16, 2003

1

Security Tradeoffs in NESTDec 16, 2003

C. M. Krishna, I. Koren, A. Ganz,

C. Andras Moritz (presenter)University of Massachusetts, Amherst

K. G. Shin University of Michigan

Y.-H. Lee Arizona State University

2

Administrative

• Project Title: Security Tradeoffs in NEST

• Program Manager: Vijay Raghavan

• PI Name(s): C. M. Krishna, Y.-H. Lee, K. G. Shin, A. Ganz, I. Koren, and C.A. Moritz

• PI Phone Number(s): (413) 545-0766

• PI E-Mail Address(es): [email protected]

• Company/Institution: Univ of Massachusetts at Amherst, Univ of Michigan, Arizona State University

• Contract Number: F33615-02-C-4031

• Award Start Date: 9/9/2002

• Award End Date: 9/9/2004

• Agent Name/Organization: Juan Carbonell, Wright-Patterson Air Force Base.

3

Subcontractors and Collaborators

• Subcontractors– University of Michigan– Arizona State University

• Collaborators– University of Virginia– BBN– UC Berkeley– SRI

4

Problem and ChallengeProblem and ChallengeProblem and ChallengeProblem and Challenge

ImpactImpactImpactImpact

New IdeasNew IdeasNew IdeasNew Ideas

ScheduleScheduleScheduleSchedule

• Adapting security level of each task to application requirements and system constraints.

• Security broker to select the appropriate security protocol.

• Fault-tolerance and performance integrated with security

Security Tradeoffs in NESTUniversity of Massachusetts; University of Michigan; Arizona State University

•Q4FY03 • Encryption mechanisms• Incorporating fault-tolerance• Intrusion detection• Secured wireless protocol

•Q2FY04 - Security Broker •Q2FY04 - IV Manager•Q3FY04 - Software prototype•Q4FY04 - Experimentation & validation

Ensures appropriate levels of security for application needs.

Integrates security with performance, reliability, power requirements and constraints.

Enables dynamic adjustments as needs and resource availability change.

PI NameAffiliation

Mid

dle

war

e

SystemConstraints

SecurityRequirements

ApplicationNeeds

TinyOSTinyOS

SERVICES • Security Broker• Power Management• Failure Handling• Intrusion Detection

SERVICES • Security Broker• Power Management• Failure Handling• Intrusion Detection

Other Services• Allocation• Scheduling• Routing• ….

Other Services• Allocation• Scheduling• Routing• ….

5

Problem Description/Objective

• NEST needs an integrated framework for a secure, resource-constrained system

• To preserve resources, it needs to dynamically determine appropriate security actions, given

– Application assurance requirements

– System state and configuration

– Operating environment (such as benign or hostile)

• Our project will enable NEST to

– Ensure appropriate security levels

– Integrate security with performance, power, and reliability

– Permit dynamic adjustments as needs/resources change

6

Key Project Directions

• Manage Security Actions/Levels – Security Broker– Coarse-grained: Pre-deployed security services– Fine-grained: embedded Initialization Vector (IV) Manager

• Manage Key Updates – Lightweight Security Protocol (LiSP)

• Provide Reliable Security– Detect if faults are injected or naturally present

• Security- and Power-Aware Routing/Transmission– Adapt routing by adjusting transmission range/power

7

Presentation Outline

• Brief Overview of Techniques Implemented• Update on Security Broker

• Security service composition• Embedded IV Manager• Application: “Waking Up Big Brother”

• Project Status, Success Criteria, Plans, Schedule, Milestones, Technology Transfer

8





9

Lightweight Security Protocol (LiSP)

Motivation:• Periodic key updates are necessary • Frequent key exchange, retransmissions (due to unreliable media)

and acknowledgements consume significant power

Solution:• Provide lightweight key update (to maximize sensor lifetime) by

exploiting information redundancy in key sequences

Summary Results:• Implicit authentication for new keys, easy recovery of keys, no

retransmissions • Resource consumption relatively low: less than 3 hash

computations even when more than 40% of the temporary keys are compromised or lost.

10

Fault Detection

Motivation:• Faults compromise security: may be maliciously injected by an

attacker to probe the system and extract the secret key • Faults should be detected to avoid transmission of erroneous

messages

Solution:• Check-bit prediction developed for RC5, AES• Detect faults to block output of erroneous results

Summary Results:• All single bit failures detected• Most of the multiple faults detected with the 4-bit parity and

Residue-15 codes – percentage undetected faults less than 1%

11

Transmission Scheme Tradeoffs

Motivation:• Radio communication is very energy-intensive• If multi-hop forwarding is used, nodes close to

the base station can rapidly deplete their batteries; reaching directly to BS requires high transmission power

• The network lifetime limited by the nodes with maximum power consumption

Solution:• Move hotspot from innermost annulus• Probabilistic traffic balancing

– Forward packets with probability – Transmit packets directly (high power) to the

BS with probabilitySummary:• Approach prolongs sensor network lifetime

(power saving depends on size of network, maximum range, density)

BS

Annulus Am

Need forwardingto reach BS

Capable of directtransmission

...

...

( )f k

( ) ( )1d k f k

12





13

Security Broker

Motivation:• Different applications require different security

services• Different environments (external/internal)

require different levels of security provision• Resource-limited devices cannot afford to

overprovision• No one-size-fits-all solution exists

Objective: Maximize sensor lifetime by providing applications “just enough” security protection

14

Approach

• Pre-deploy security components at the link layer

RFM

Radio byteb

itb

yte

Radio Packet

pa

ck

et

active messageactive message

application comp

me

ss

ag

e

Security Broker

Cipher Library

Service Library

• Runtime service composition – aspects of security

concerns (e.g., integrity, confidentiality, replay attacks)

– levels of security provision (e.g., encryption algorithm, # rounds, block size)

– react adaptively (external/internal requirements)

15

Packet Format – Security Encoding

Security Composition ID (SCID)– “C” = Confidentiality – “I” = Integrity– “S” = Semantic security

with implicit counter – “R” = Replay protection– “0000”, then no security

service is provided

dest AM* IVlength Data MAC CRC

Bytes 2 11 Block size/2 Block size/2 2

“X1” and “X2”, is used to represent the strength of the cipher used.

Mandatory fields for all services

Optional fields based on service composition

Bits

16

Energy Comparison

• SenseToRfm application with 8 byte payload• Picking a lower level of security can significantly prolong the

network lifetime– 31.4% savings for Confidentiality only (CISR=1000) – 22.2% savings for Integrity only (CISR=0100)– 18.6% saving for Confidentiality and Integrity (CISR=1100)

262,400 nJ16 bytesTinyOS

353,560 nJ20 bytesTinySec

353,560 nJ20 bytesCISR=1111

287,960 nJ (18.6%)16 bytesCISR=1100

275,180 nJ (22.2%)16 bytesCISR=0100

242,380 nJ (31.4%) 14 bytesCISR=1000

229,600 nJ14 bytesCISR=0000

Broker

Energy consumptionPacket sizes Systems

17

Embedded IV Manager

Part of Security Broker

Motivation:• Semantic security and defense against replay attacks

often requires using an Initialization Vector (IV) with every packet

• IVs consume a substantial amount of bandwidth (bits transmitted)

• Most power is consumed during communication, thus IVs increase power consumption significantly

Objective:• Maximize sensor lifetime by providing applications

“embedded” (vs. explicit) semantic security protection

18

How does it work?

• Setup IV once per session• Embed IV in the encryption of checksum after setup

– No explicit IV is sent– IV is calculated from the checksum at the receiver– Receiver uses difference between its expected IV and

received IV to accept or reject packets

• To counter packet loss and out of order packets– Allow outstanding IVs, but only within a predefined window– Two consecutive IVs ahead of window indicate

synchronization loss and trigger resetting IV at the receiver (to next expected IV)

19

At the Sender

MMHH EK1,IV(M)EK1,IV(M)

EK2(H | EK1,IV)

IV EK2(H | EK1,IV)IV

Encrypt with K3

C=EK3 (EK2(H | EK1,IV)IV)

EK1,IV(M)EK1,IV(M)HH CC

20

At the Receiver

Checksum EK3 (EK2(H | EK1)IV)

CiphertextEK1,IV(M)

HeaderH

EK1,IV(M)EK1,IV(M)HH CC

Calculate

EK2(H | EK1 )

Decrypt with K3

EK2(H | EK1)IV

IV This is IV used by sender!

IV can be calculated from checksum

21

Results and Benefits

• Trades transmission power with computation• 23% energy reduction possible

Energy vs Bit Error Ratio (Packet Retransmission)

0.E+00

1.E+10

2.E+10

3.E+10

4.E+10

5.E+10

6.E+10

7.E+10

8.E+10

9.E+10

200 400 600 800 1000 1200 1400 1600 1800 2000 2200 2400 2600 2800 3000 3200

1/BER

En

erg

y C

on

su

mp

tio

n (

nJ)

.

Explicit IV

Window size = 2

Window size = 4

Window size = 8

Window size = 16

22

Demonstration

• We add security services to the “Waking Up Big Brother” application – Developed by J. Stankovic, T. Abdelzaher (Virginia) and B.

Krogh (CMU), et al– Application is based on ad-hoc sensor network that tracks

intruders in a field and wakes up SOCOM sensor (“Big Brother”)

– A sentry-based aggressive power management scheme is used: only “sentry” motes are awake, other motes are in sleep mode to preserve battery power

• Our contributions: – Incorporate security services– Show defense against various security attacks– Show security - resource consumption tradeoffs– Port application to TinyOS 1.1

23

Phase I

25

Phase I

26



• Coarse-grained services• Fine-grained: embedded IV Manager• Application: “Waking Up Big Brother”


27

Project Status

• We are currently on target on milestones proposed– Initial version of Security Broker – LiSP demonstrated– Fault detection in encryption completed– Integration of security services into “Waking Up

Big Brother” application started• Simulation-level integration working• Demonstration on motes with all middleware security

techniques is work in progress

28

Goals and Success Criteria

• Goals

– Ensure appropriate security levels and prolong sensor network lifetime

– Integrate security with performance, power, and reliability

• Success criteria

– Software prototype (security services) integrated and demonstrated with one application

– Security capabilities for various attack scenarios and power saving demonstrated

29

Selected Recent Publications

Taejoon Park and Kang G. Shin, ``LiSP: A Lightweight Security Protocol forwireless sensor networks,'' ACM Transactions on Embedded Computer Systems (in press)

G. Bertoni, L. Breveglieri, I. Koren, P. Maistri and V. Piuri,``Detecting and Locating Faults in VLSI Implementations of the AdvancedEncryption Standard," Proc. of the 2003 IEEEInternational Symposium on Defect and Fault Tolerance in VLSI Systems,pp. 105-113, November 2003.

Q. Xue, A. Ganz, "Runtime Security Composition for Sensor Networks(SecureSense)", Vehicular Technology Conference, Orlando, FL, October2003. Q. Xue, A. Ganz, "Adaptive Mesh Routing in Mesh Wireless LANs",Vehicular Technology Conference, Orlando, FL, October 2003.

G. Bertoni, L. Breveglieri, I. Koren, P. Maistri and V. Piuri,``Concurrent Fault Detection in a Hardware Implementation of the RC5Encryption Algorithm," Proc. of ASAP'03 - the Internl. Conferenceon Application-Specific Systems, Architectures and Processors,pp. 423-432, June 2003.

G. Bertoni, L. Breveglieri, I. Koren, P. Maistri and V. Piuri, ``Error Analysis and Detection Procedures for a Hardware Implementationof the Advanced Encryption Standard," IEEE Trans. on Computers, Special Issue on Cryptographic Hardware and Embedded Systems, pp. 492-505, April 2003.

30

Project Plans

• Demonstrate security services in the “Waking Up Big Brother” application

• Performance goals– Provide “just enough” security to reduce power

consumption– Up to 35% energy saving depending on security

attack, channel noise, and application

• How progress will be measured– Energy security tradeoffs evaluated– Energy reduction for various scenarios evaluated– Software prototype of application with security

middleware (TinyOS 1.1, Mica 2) deployed

31

Project Milestones

• Key 3 tasks remaining:– Security Broker integrated with IV Manager

(Q3FY04)– Integration with the LISP lightweight key exchange

(Q3FY04)– Incorporate security services into the “Waking Up

Big Brother” application (Q4FY04)

• Demonstration event (Q4FY04)– Security middleware software prototype

incorporated into the “Waking Up Big Brother” application

– Resource consumption tradeoffs and security services demonstrated

32

Overall Project Schedule

• Q1FY03 Evaluation of Encryption Techniques• Q4FY03 Incorporating fault-tolerance• Q4FY03 Lightweight security protocol • Q3FY04 Security Broker with other Integrated

Middleware Techniques• Q3FY04 Software prototype• Q4FY04 Experimentation & validation

33

Technology Transfer

• CASA Engineering Research Center– Collaborative multi-University effort led by UMass

ECE department– Intelligent network of radars and sensors –

targeting severe weather prediction and tracking– Longer term use of information includes: air traffic

controllers, civil defense• Security aspect is critical

34

Program Issues

• Quality of hardware platform• Development tools

35

Thank you!

37

How does it work?

• Temporal keys (TKs) and refresh interval sent to sensors for encrypting/decrypting data

• TKs distributed well before their use• Sensors buffer sequence and generate TKs

using a cryptographic one-way function TKi = H(TKi+1)

38

TK Management Steps at Sensors

buffer• Receive a TK (way ahead

of its use)• Verify authenticity

• Buffer TKk if correct

• Recover missing TK from later TK with help of hash function

• Rekey after half the refresh interval to next TK

39

Impact of TK Loss

40

Summary of LiSP

• Resource consumption relatively low: less than 3 hash computations even when more than 40% of the TKs are compromised or lost.– No retransmissions or acknowledgements– Implicit authentication for new keys– Easy recovery of lost keys– Tolerance to clock skews allows us to refresh keys

on a slightly non-periodic basis

41

Transmission Cost/Tradeoffs

• Possible approaches to deliver information:– Reach directly to BS if in range using

• High-power consumed per transmission

Transmission power (Pt) law:

– a,b are constants; α is related to attenuation; r is range

– Power is increasing exponentially with range

– Multi-hop forwarding • Total transmission energy declines (due to exponentially

lower power cost for shorter transmissions)• Channel congestion decreases (due to shorter range)• But, nodes in the inner annuli consume battery fast!

42

Devised Transmission Schemes

• P-hybrid – probabilistic traffic balancing (assume within range)– Move the hot spot from the inner-

most Annulus– Forward packets with probability – Transmit packets directly to the

BS with probability:

• T-hybrid – combine P-hybrid with threshold – Transmit first to cells within range – Use P-hybrid within range

• Evaluation is ongoing work

( )f k

( ) ( )1d k f k

BS

Annulus Am

Need forwardingto reach BS

Capable of directtransmission

...

...

43

Fault Detection for RC5

• We have focused on four detection techniques:Type of EDC # of redundant bits Redundancy Word parity 1 3% Byte parity 4 12.5% Residue 3 2 6.25%

Residue 15 4 12.5%

• Check-bit prediction schemes were developed for all four techniques

• All single bit failures were detected by all four schemes

44

Multiple Fault Coverage

• Summary: The 4-bit parity and Residue-15 codes achieve the highest coverage of multiple faulty bits – percentage undetected faults less than 1% in most cases

security tradeoffs in nest dec 16, 2003

Documents

appropriate security

appropriate security

deployed security servicesfine

power requirements

application needs

univ of massachusetts

univ of michigan

dynamic adjustments