You are on page 1of 20

Outline

A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J.


D. Tygar. SPINS: Security protocols for sensor
networks. In Proceedings of MOBICOM, 2001
Sensor networks and security are important
Sensors are deployed in hostile territory. The
communications are sparse because of energy
constraints, the computational resources are sparse.
However, attackers need not be energy constrained, they
can replay packets, inject spurious packets etc. and
affect the system
How do we make security (heavy weight) fit into sensor
scenarios (low resources)
Slides courtesy Adrian Perrig

11/29/07

CSE 4/60484: Networked Sensor Systems

page 1

Security in sensor networks


Emergency response: responders need security
Medical monitoring: automated drug delivery need security to ensure safety
Logistics and inventory management:
Battlefield management
Security:
Authentication
Ensures data integrity & origin
Prevents injecting bogus messages

Confidentiality
Ensures secrecy of data
Prevents eavesdropping
11/29/07

CSE 4/60484: Networked Sensor Systems

page 2

Challenges
Integrity of sensor: hard to manage without
expensive crypto processors or ensuring physical
security
Key distribution is a challenge
Dont want to store private keys in sensors
Key strength weakens with time

Freshness important
Prevent replay attack
Define notions of strong freshness (delay estimation, total
ordering) and weak freshness (partial ordering)

Keys are too long to store, much less process


Authenticated broadcast challenging
11/29/07

CSE 4/60484: Networked Sensor Systems

page 3

Challenge: Resource Constraints


Limited energy
Limited computation (4 MHz 8-bit)
Limited memory (512 bytes)
Limited code size (8 Kbytes)
~3.5 K base code (TinyOS + radio encoder)
Only 4.5 K for application & security

Limited communication (30 byte packets)


Energy-consuming communication
1 byte transmission = 11000 instructions

11/29/07

CSE 4/60484: Networked Sensor Systems

page 4

SPINS: Our Solution


SNEP
Sensor-Network Encryption Protocol
Secures point-to-point communication

TESLA
Micro Timed Efficient Stream Loss-tolerant Authentication
Provides broadcast authentication

11/29/07

CSE 4/60484: Networked Sensor Systems

page 5

System Assumptions
Communication patterns
Frequent node-base station exchanges
Frequent network flooding from base
Node-node interactions infrequent

Base station
Sufficient memory, power
Shares secret key with each node

Node
Limited resources, limited trust

11/29/07

CSE 4/60484: Networked Sensor Systems

page 6

SNEP Security Goals


Secure point-to-point communication
Confidentiality, secrecy
Authenticity and integrity
Message freshness to prevent replay

Why not use existing protocols?


E.g. SSL/TLS, IPSEC

11/29/07

CSE 4/60484: Networked Sensor Systems

page 7

Encryption methods (background)


Symmetric cryptography
Sender and receiver know the secret key (apriori )
Fast encryption, but key exchange should happen outside
the system

Asymmetric cryptography
Each person maintains two keys, public and private
M PrivateKey(PublicKey(M))
M PublicKey (PrivateKey(M))

Public part is available to anyone, private part is only


known to the sender
E.g. Pretty Good Privacy (PGP), RSA

11/29/07

CSE 4/60484: Networked Sensor Systems

page 8

Asymmetric Cryptography is Unsuitable


Overhead of digital signatures

High generation cost


High verification cost
High memory requirement
High communication cost

O(minutes)
O(seconds)
~128 bytes

SNEP only uses symmetric crypto

11/29/07

CSE 4/60484: Networked Sensor Systems

page 9

Basic Crypto Primitives


Code size constraints code reuse
Only use block cipher encrypt function
Counter mode encryption
Cipher-block-chaining message authentication code
(MAC)
Pseudo-Random Generator

11/29/07

CSE 4/60484: Networked Sensor Systems

page 10

SNEP Protocol Details


A and B share
Encryption keys: KAB KBA
MAC keys: K'AB K'BA
Counters: CA CB

To send data D, A sends to B:


A B:
{D}
<KAB, CA>

MAC( K'AB , [CA || {D}<K

11/29/07

CSE 4/60484: Networked Sensor Systems

]
,
>
C
AB A

page 11

SNEP Properties
Secrecy & confidentiality
Semantic security against chosen ciphertext attack
(strongest security notion for encryption)

Authentication
Replay protection
Code size: 1.5 Kbytes
Strong freshness protocol in paper

11/29/07

CSE 4/60484: Networked Sensor Systems

page 12

Broadcast Authentication
Broadcast is basic communication mechanism
Sender broadcasts data
Each receiver verifies data origin

Alice

Sender

M
Bob
11/29/07

Dave

M
Carol
CSE 4/60484: Networked Sensor Systems

page 13

Simple MAC Insecure for Broadcast

K
Sender

M, MAC(K,M)

K
11/29/07

Alice

M, MAC(K,M)
Bob

M', MAC(K,M') K
CSE 4/60484: Networked Sensor Systems

page 14

TESLA: Authenticated Broadcast


Uses purely symmetric primitives
Asymmetry from delayed key disclosure
Self-authenticating keys
Requires loose time synchronization
Use SNEP with strong freshness

11/29/07

CSE 4/60484: Networked Sensor Systems

page 15

TESLA Quick Overview I


Keys disclosed 2 time intervals after use
Receiver knows authentic K3

Authentication of P1: MAC(K5, P1 )


Authenticate K5
K3

K4

Time 4
Verify MAC

11/29/07

K5
Time 5

K6
Time 6

K7
Time 7

P1

P2

K3

K5

CSE 4/60484: Networked Sensor Systems

page 16

TESLA Quick Overview II


Perfect robustness to packet loss

Authenticate K5
K3

K4
Time 4
P1

K5

K6

Time 5

Time 6

K7
Time 7

P2

P3

P4

P5

K2 K2

K3

K4

K5

Verify MACs
11/29/07

CSE 4/60484: Networked Sensor Systems

page 17

TESLA Properties
Low overhead (1 MAC)
Communication (same as SNEP)
Computation (~ 2 MAC computations)

Perfect robustness to packet loss


Independent of number of receivers

11/29/07

CSE 4/60484: Networked Sensor Systems

page 18

Energy Cost for Sending a Message


Typical packet size: 28 bytes

Security Computation 2%
MAC transmission
21%
Data
transmission
77%

11/29/07

CSE 4/60484: Networked Sensor Systems

page 19

Conclusion
Strong security protocols affordable
First broadcast authentication

Low security overhead


Computation, memory, communication

Apply to future sensor networks


Energy limitations persist
Tendency to use minimal hardware

Base protocol for more sophisticated security


services

11/29/07

CSE 4/60484: Networked Sensor Systems

page 20