Professional Documents
Culture Documents
net/publication/328027684
CITATIONS READS
0 646
2 authors:
All content following this page was uploaded by Konrad-Felix Krentz on 02 October 2018.
Abstract
Coordinated sampled listening (CSL) is a standardized medium access control protocol for IEEE 802.15.4 networks, also col-
loquially called “ZigBee networks”. Unfortunately, CSL comes without any protection against so-called denial-of-sleep attacks.
Such attacks deprive energy-constrained devices of entering low-power sleep modes, thereby draining their charge. Repercussions
of denial-of-sleep attacks include long outages, violated quality-of-service guarantees, and reduced customer satisfaction. How-
ever, while CSL has no built-in denial-of-sleep defenses, there already exist denial-of-sleep defenses for a predecessor of CSL,
namely ContikiMAC. In this paper, we make two main contributions. First, motivated by the fact that CSL has many advantages
over ContikiMAC, we tailor the existing denial-of-sleep defenses for ContikiMAC to CSL. Second, we propose several security
enhancements to these existing denial-of-sleep defenses. In effect, our denial-of-sleep defenses for CSL mitigate denial-of-sleep
attacks significantly better, as well as protect against a larger range of denial-of-sleep attacks than the existing denial-of-sleep de-
fenses for ContikiMAC. We show the soundness of our denial-of-sleep defenses for CSL both analytically, as well as empirically
using a whole new implementation of CSL.
Keywords: Internet of things, link layer security, MAC security, denial-of-sleep
Transmit
Receive
The IEEE 802.15.4 radio standard has become a main Sleep
choice for implementing Internet of things (IoT) applications periodic wake up wake-up payload acknowledgement
frame frame frame
[1]. Part of the success of IEEE 802.15.4 is the availability of
Receiver
Transmit
5 numerous energy-efficient medium access control (MAC) pro- Receive
tocols for IEEE 802.15.4 networks, all of which fall into one of Sleep
periodic wake up periodic wake up periodic wake up
two classes [2]. Synchronous MAC protocols, on the one hand,
depend on network-wide time synchronization. Such kind of
Figure 1: Transceiver modes while CSL transmits a unicast frame. The sender
MAC protocols often feature high reliability, but a basic issue shortly enables the receive mode before transmitting for doing a clear channel
10 with them is that, in wireless mesh networks like IEEE 802.15.4 assessment (CCA).
networks, securing network-wide time synchronization is noto-
riously difficult. Thus, unsurprisingly, many synchronous MAC
protocols were found vulnerable [3, 4]. Asynchronous MAC the payload frame is about to begin. If the payload frame is a
protocols, on the other hand, work without network-wide time unicast frame, CSL expects an “acknowledgement frame” in re-
15 synchronization and hence avoid many of the vulnerabilities of sponse. The absence of an acknowledgement frame causes CSL
synchronous MAC protocols in the first place. 30 to retransmit after a random back-off period, unless a maximum
number of retransmissions is reached already.
1.1. Coordinated Sampled Listening (CSL) Additionally, CSL comprises two crucial optimizations.
The first optimization relates to the length of wake-up se-
A standardized asynchronous MAC protocol is coordinated
quences. This length defaults to span a whole wake-up interval,
sampled listening (CSL) [1]. Its operation is shown in Figure
35 but is shortened in what the IEEE 802.15.4 radio standard calls
20 1. Rather than staying in the energy-consuming receive mode,
“synchronized transmissions”. As part of this optimization,
CSL wakes up periodically to scan the channel for a so-called
CSL piggybacks its current phase, i.e., the time until its next
“wake-up frame”. Wake-up frames are transmitted by CSL in
wake up, on acknowledgement frames, as well as, optionally, on
a continuous sequence before transmitting an actual “payload
payload frames. This piggybacked data enables CSL to learn
frame” and contain the time when the transmission of that pay-
40 and keep track of the wake-up times of neighboring nodes.
25 load frame begins. This hint enables the receiver of a wake-up
Later, when transmitting a unicast frame to a receiver whose
frame to temporarily go back to sleep until the transmission of
External Internal
2
every node along the path expends energy for receiving, pro-170 2. Related Work
120 cessing, and forwarding these packets. Second, a “deaf node”
intentionally acknowledges unicast frames only after a couple In this section, we complete our discussion of related work,
of retransmissions or not at all. beginning with efforts related to basic IEEE 802.15.4 security
and coming on to existing denial-of-sleep defenses thereafter.
1.3. Denial-of-Sleep Defenses for ContikiMAC
2.1. IEEE 802.15.4 Security
Thus far, there seems to be no effort on protecting CSL
125 against denial-of-sleep attacks, but there do exist defenses175 One major limitation of IEEE 802.15.4 security is that it
against external denial-of-sleep attacks for a predecessor of leaves session key establishment unspecified. The proposals for
CSL, namely ContikiMAC [10, 11, 5, 12]. Like CSL, Contiki- filling this gap can be clustered into public-key cryptography
MAC wakes up periodically to scan the channel for incoming (PKC)-based [14, 15, 16], key distribution center (KDC)-based
transmissions. Yet, unlike CSL, ContikiMAC does so by per- [17], and key predistribution-based protocols [18, 19]. Unfor-
130 forming two clear channel assessments (CCAs). If one of these180 tunately, all current PKC- and KDC-based protocols appear to
CCAs indicates a busy channel, ContikiMAC stays in receive be susceptible to denial-of-sleep attacks since, by injecting re-
mode to potentially receive a frame. Correspondingly, an out- quests for session key establishment, attackers can either trigger
going frame is repeatedly transmitted for a whole wake-up energy-consuming processing or communication [20]. By con-
interval, spaced by short silence periods in between. When re- trast, key predistribution-based protocols process requests for
135 peatedly transmitting a unicast frame, ContikiMAC breaks up185 session key establishment energy efficiently and can thus reach
prematurely if an acknowledgement frame is received within higher denial-of-sleep resilience.
such a silence period. Conversely, if a unicast frame remains Accordingly, our denial-of-sleep defenses for CSL build
unacknowledged, ContikiMAC retransmits by repeatedly trans- upon a key predistribution-based protocol - the Adaptive Key
mitting that unicast frame after a random back-off period again, Establishment Scheme (AKES) in particular [18, 19]. AKES
140 unless a maximum number of retransmissions is reached al-190 establishes pairwise or group session keys by means of a three-
ready. Also like CSL, ContikiMAC learns the wake-up times way handshake. A node A initiates this three-way handshake
of neighboring nodes so as to shorten sequences of unicast by broadcasting a HELLO. The HELLO contains a cryptographic
frames. random number RA and is either authenticated with pairwise
or group session keys. However, only receivers that already
1.4. Contributions 195 established session keys with A can distinguish between fresh
authentic, and inauthentic or replayed HELLOs from A. Any
145 This paper makes two main contributions:
receiver B that wishes to establish session keys with A stores A
• We tailor the existing defenses against external denial-of- as a tentative neighbor and replies with a HELLOACK. Like A’s
sleep attacks for ContikiMAC to CSL. Switching from HELLO, B’s HELLOACK also contains a cryptographic random
ContikiMAC to CSL brings many advantages, as we de-200 number RB . Furthermore, the HELLOACK is authenticated with
0
tail in Section 5. Crucially, CSL does not depend on a pairwise session key KA,B that is derived from the predis-
150 CCAs to detect incoming transmissions, which makes tributed shared secret KA,B between A and B, as well as the
CSL more resilient to interference and easier to config- two cryptographic random numbers RA and RB . Optionally, the
ure [13]. HELLOACK also contains B’s group session key KB,∗ encrypted
0
205 with KA,B . Upon receipt of the HELLOACK from B, A checks
• In the course of tailoring the existing defenses against its authenticity, among others. If successful, A completes the
external denial-of-sleep attacks for ContikiMAC to CSL, three-way handshake by sending an ACK to B. Analogous to B’s
155 we apply several security enhancements to them. Gen- HELLOACK, A’s ACK is authenticated using the pairwise session
0
erally, we improve on their effectiveness, fix all their key KA,B and may carry A’s group session key KA,∗ encrypted
0
vulnerabilities we identified, as well as adapt them to210 with KA,B . After completing this three-way handshake, A and B
0
also protect against internal denial-of-sleep attacks. A store each other as permanent neighbors and can use KA,B - or
detailed description of all our security enhancements is their group session keys KA,∗ and KB,∗ - as CCM keys in IEEE
160 postponed to Section 4.3. 802.15.4 security.
Another major limitation is that IEEE 802.15.4 security
1.5. Organization 215 only provides sequential freshness, i.e., only ascertains that no
The rest of this paper is structured as follows. Section 2 frame is accepted more than once [21]. By contrast, strong
completes our discussion of related work. Section 3 presents freshness is provided if the receiver of a frame can additionally
the design of our denial-of-sleep defenses for CSL. Section 4 ensure that the frame was sent within a limited time span prior
165 analyzes the security of our denial-of-sleep defenses for CSL. to its reception [21]. Strong freshness is desirable in IEEE
Section 5 outlines our practical implementation. Section 6 re-220 802.15.4 networks since delaying data or control traffic may
ports on our empirical evaluation. Section 7 concludes and sug- cause various issues.
gests topics for future research. For reference, Appendix A Among the solutions for achieving strong freshness, Krentz
summarizes our notations. et al.’s Intra-Layer Optimization for IEEE 802.15.4 Security
3
(ILOS) appears to be unique in that it neither incurs a com- may also suspect a collision attack, potentially creating a snow-
225 munication overhead nor requires network-wide time synchro- ball effect. Alternatively, Krentz et al. proposed a proactive
nization [12]. The idea of ILOS is to let IEEE 802.15.4 security280 defense against collision attacks for ContikiMAC, entitled Se-
cooperate with ContikiMAC on replacing frame counters with a cure Phase-Lock Optimization (SPLO) [5]. The approach of
new concept called wake-up counters. As their name suggests, SPLO is to confine the maximum length of sequences of unicast
wake-up counters are incremented in lockstep with Contiki- frames throughout a session by sending a keep-alive frame to a
230 MAC’s wake ups, even if ContikiMAC has to skip over a wake permanent neighbor whose wake-up time was not updated for
up due to sending at that time. Furthermore, as we will dis-285 a critical period of time. The overhead of sending these keep-
cuss shortly, Krentz et al.’s denial-of-sleep-protected version of alive frames is considered low since AKES prescribes to send
ContikiMAC maintains precise estimates of the wake-up times keep-alive frames to uncommunicative permanent neighbors
of neighboring nodes, which enables the prediction and restora- anyway for the purpose of freeing allocated random-access
235 tion of a neighbor’s current wake-up counter. Thus, unlike memory (RAM) [18]. Further, as SPLO deletes permanent
frame counters, wake-up counters need not be sent along with290 neighbors that do not acknowledge keep-alive frames, collision
secured frames, which reduces the security-related per-frame attacks against the keep-alive frames themselves may actually
overhead. More importantly, if a secured frame is delayed by a reduce a victim node’s energy consumption. This is because
critical period of time, receivers will end up restoring a wrong no upper-layer traffic will be sent to a deleted neighbor up until
240 CCM nonce. Consequently, receivers consider delayed secured reestablishing session keys with him.
frames inauthentic, thereby achieving strong freshness. Addi-
tionally, ILOS also prevents pulse-delay attacks, at least when295 2.2.3. Pulse-Delay Attacks
delayed secured frames exceed ILOS’ quite loose bounds. In addition to mitigating collision attacks against Contiki-
MAC, SPLO also makes ContikiMAC resistant to pulse-delay
2.2. Denial-of-Sleep Defenses attacks. For this, the approach of SPLO is to exclusively use ac-
245 2.2.1. Ding-Dong Ditching knowledgement frames for learning wake-up times and to not
An effective pattern for defending against ding-dong ditch-300 only ensure the authenticity of acknowledgement frames, but
ing emerged to be the embedding of one-time passwords also their strong freshness [5]. SPLO inherits both these ideas
(OTPs) in synchronization or frame headers [22, 23, 24, 25, from Ganeriwal et al.’s Secure Pairwise Synchronization Proto-
26, 11, 12]. Here, the general idea is to validate the embedded col (SPS) [8]. However, note that neither SPS nor SPLO actu-
250 OTPs during reception and, if an OTP turns out invalid, to dis- ally prevent pulse-delay attacks. Rather, both confine the maxi-
card the incoming transmission without receiving the rest of it.305 mum offset due to pulse-delay attacks. This undetectable offset
For generating these OTPs, it is common to pass a key deriva- needs to be considered when estimating a receiver’s wake-up
tion function a symmetric key and a varying portion, such as a time. Fortunately, unlike in ILOS, this undetectable offset is
frame counter [23, 26, 11], a timeslot index [22, 24], a random tiny in SPS and SPLO.
255 number [25, 11], or a wake-up counter [12].
2.2.4. Chatty Nodes
Krentz et al.’s Practical On-The-fly Rejection (POTR) ap-
plies the “OTP pattern” to ContikiMAC and AKES [11]. Nor-310 Many so-called en-route filtering schemes were proposed to
mally, POTR derives OTPs from wake-up counters, as well as mitigate PDoS attacks [28, 29, 9]. Their common idea is to add
AKES’ group session keys [12]. However, since group session extra authentication tags to packets so that intermediary nodes
260 keys are not in place while AKES establishes them, POTR de- can filter out packets “en-route”. However, current en-route fil-
rives the OTPs of AKES’ HELLOACKs and ACKs from a predis- tering schemes incur a high communication overhead and do
tributed network-wide key and AKES’ cryptographic random315 not protect against chatty nodes that inject or replay broadcast
numbers instead. The OTPs of HELLOs, on the other hand, are frames. Hence, we conjecture that a more lightweight, as well
also derived from wake-up counters and group session keys, but as more holistic defense would be to rate-limit the number of
265 only permanent neighbors of a HELLO sender can validate them. frames that a node is willing to receive from a particular neigh-
To prevent ding-dong ditching with HELLOs anyway, POTR co- bor. Furthermore, if a neighbor exceeded this rate, its frames
operates with AKES. More specifically, as AKES rate-limits the320 could be rejected on the fly. In this paper, we build the foun-
number of outgoing HELLOACKs, POTR rejects HELLOs with in- dation of such a defense by enabling receivers to attribute valid
valid OTPs during reception at times when AKES will not send OTPs to particular neighbors already during reception. Cur-
270 a HELLOACK due its rate limitation anyway [19]. rently, this is hardly feasible either due to deriving OTPs from
group keys [26, 11, 12] or due to leaving out support for broad-
2.2.2. Collision Attacks 325 cast frames in the first place [7, 23, 24, 25].
There is comparatively little research on protecting against
2.2.5. Deaf Nodes
collision attacks [22, 27, 5]. Ren et al. proposed to reactively
switch to a low-power sleep mode upon detecting a collision at- Though only designed to protect from collision and pulse-
275 tack [27]. Yet, their reactive defense suffers from the issue that, delay attacks, SPLO actually mitigates deaf nodes, too [5]. This
if a victim node detects collision attacks, unicast transmissions is because SPLO confines the maximum length of sequences of
to this node will fail. As a result, a victim node’s neighbors330 unicast frames and thereby lowers the worst-case energy con-
sumption for retransmissions.
4
3. Denial-of-Sleep Defenses for CSL in this way, pairwise session keys can serve to secure broad-
385 cast transmissions without difficulty, (ii) that broadcast trans-
To protect CSL against all of the above denial-of-sleep at- missions securely update stored wake-up times as a side effect
tacks, we propose CSL-enabled and security-enhanced versions (thanks to SPLO++), thereby lowering the amount of keep-
335 of POTR, SPLO, and ILOS, named POTR++, SPLO++, and alive frames, and (iii) that failed broadcast transmissions are
ILOS++, respectively. The focus of this section is on introduc- recognized and retried, thus improving reliability.
ing the design of POTR++, SPLO++, and ILOS++. Then, in390 HELLOs, however, are still to be broadcasted as usual since
Section 4 we analyze the security of POTR++, SPLO++, and not-yet-discovered neighbors should receive HELLOs, as well.
ILOS++, as well as point out their security enhancements over This leaves the problem of how to authenticate HELLOs with
340 POTR, SPLO, and ILOS. pairwise session keys. To this end, POTR++ includes multiple
CCM message integrity codes (MICs) in a HELLO, one for each
3.1. POTR++: CSL-Enabled and Enhanced POTR 395 permanent neighbor, and generates them using the respective
The basic design of POTR and POTR++ is quite similar. pairwise session key. The ordering of the CCM MICs corre-
Both introduce a special frame format, as well as correspond- sponds to the ordering of the sender’s neighbor list. Thus, for
ing procedures for validating incoming frames during recep- extracting its MIC, the receiver of a HELLO from a permanent
345 tion. Also, both integrate with AKES so as to resolve the con- neighbor needs to know its index within the sender’s neighbor
flict that frames exchanged during session key establishment400 list. Fortunately, AKES exchanges these indices while estab-
have to be protected against ding-dong ditching without ses- lishing session keys. POTR++ also uses these indices as 1-byte
sion keys in place. Finally, both POTR and POTR++ derive source addresses in some types of wake-up frames.
OTPs from wake-up counters. On the other hand, a fundamen-
350 tal difference between POTR and POTR++ is that POTR++ ex- 3.1.2. On-the-Fly Rejection
clusively derives OTPs from pairwise session keys in order to Depending on which type of frame is being received,
provide a basis for pinpointing and evicting chatty nodes, too.405 POTR++ performs different checks, which we detail below.
Another notable difference between POTR and POTR++ is that Throughout, if any check fails, POTR++ disables the receive
POTR++ includes support for burst forwarding. mode immediately.
355 3.1.1. Frame Format Wake-Up Frames. When receiving a wake-up frame, POTR++
When we defined the frame format of POTR++, a first de- first checks that its length complies with POTR++’s frame
sign decision was where to embed OTPs. A first option is to410 format. Then, POTR++ proceeds to perform special checks,
leave wake-up frames unsecured and to embed OTPs in payload depending on which type of payload frame follows. If a HELLO
frames. But, a drawback of this first option is that receivers of follows, POTR++ ensures (i) that the HELLO is not destined
360 unwanted payload frames will always need to receive both an to a co-located IEEE 802.15.4 network by inspecting the des-
entire wake-up frame plus the beginning of the payload frame tination personal area network identifier (PAN ID) contained
before they can reject it. A second option is to embed OTPs in415 in the wake-up frame and (ii) that receiving the HELLO does
wake-up frames along with all necessary information for decid- not result in exceeding a maximum rate of incoming HELLOs.
ing whether to receive the payload frame. Yet, while this second POTR++ implements this rate limitation via a leaky bucket
365 option accelerates the rejection of unwanted payload frames, counter (LBC), as shown in Figure 6. This nicely allows the
it will extend wake-up frames and hence necessitate prolong- short-term rate of incoming HELLOs to overshoot, while still
ing the time in receive mode during CSL’s periodic wake ups.420 enforcing a maximum long-term rate of incoming HELLOs [19].
Thus, there is a trade-off between rejection speed and the dura- Yet, to avoid penalizing authentic HELLOs, the LBC is decre-
tion of periodic wake ups. As shown in Figure 5, POTR++ goes mented again if a HELLO turns out authentic. If a HELLOACK fol-
370 for faster rejection speed. In that figure, l denotes the length of lows, POTR++ validates (i) that AKES recently sent a HELLO
an OTP in bits. The choice of l is a trade-off between per-frame at all, (ii) that AKES can reply with an ACK, which may not
overhead and resistance to guessing attacks. Furthermore, λ de-425 be true since AKES restricts itself to sending a maximum rate
notes the “burst index” - the first payload frame after a wake-up of ACKs, (iii) that the HELLOACK is not destined to a co-located
sequence always has burst index λ = 0, a payload frame that IEEE 802.15.4 network by inspecting the destination PAN ID
375 follows right after has burst index λ = 1, and so on. contained in the wake-up frame, and (iv) that receiving the
Note that a format for broadcast frames is missing in Figure HELLOACK does not ensue exceeding a maximum rate of in-
5. This is because POTR++ requires sending broadcast frames430 coming HELLOACKs. Again, POTR++ implements this rate
as normal unicast frames to each permanent neighbor one after limitation via an LBC and decrements that LBC if a HELLOACK
another. Though this seems to incur a high overhead, this way turns out authentic. If an ACK or normal unicast frame follows,
380 of transmitting broadcast frames may actually save energy, es- POTR++ ascertains that the OTP matches the expected one.
pecially when it comes to implementing channel hopping, as Concretely, if A sends an ACK or normal unicast frame to B, the
we demonstrate in Section 6.1. Three further advantages of435 OTP is expected to match the l-bit truncated CCM MIC over the
sending broadcast frames as normal unicast frames are (i) that, frame length of the ACK or normal unicast frame. Furthermore,
this CCM MIC is to be generated using the pairwise session
0
key KA,B between A and B as CCM key, and the CCM nonce
5
5 bytes 1 bit 7 bits 6 bits 2 bits 2 bytes 1 byte 1 byte bits 2 bytes 1 byte
HELLO: Destination Rendezvous Time
PAN ID
HELLOACK: Frame Extended
SHR Unused Length Frame Subtype Rendezvous
ACK: Type Source Payload OTP Time
normal unicast: Address Frame’s
Length
(a)
5 bytes 1 bit 7 bits 6 bits 1 bit 1 bit 2/8 bytes 1 byte 1 byte
HELLO: CCM MICs
Source
HELLOACK: Frame Extended
SHR Unused Length Frame
Unused Address Payload
ACK: Type CCM MIC
normal unicast: Command Frame Pending Sequence Number Pe di g Fra e’s Le gth
distinguishes upper-layer traffic and link-layer commands, such as keep-alive frames omitted if no frame is pending
(b)
omitted if
(c)
Figure 5: POTR++’s format of (a) wake-up frames, (b) payload frames, and (c) acknowledgement frames. Sticking with the standardized format of these frames
would require transmitting many more fields that are functionally unnecessary, only delaying on-the-fly rejection and increasing energy consumption. Therefore,
POTR++ departs from the standardized format of CSL frames by leveraging the IEEE 802.15.4-compliant customization mechanism of “extended frame types”.
7
acknowledgement frame containing B’s CSL phase. If A finds
B’s authenticated acknowledgement frame authentic, A uses ϕ3
605 to correct its value of τA,B and updates ωA,B to B’s correctly
predicted wake-up counter at time of receiving A’s ACK.
4. Security Analysis
Figure 8: Initialization of wake-up counters and wake-up times in parallel to
AKES’ three-way handshake
In this section, we analyze the security of POTR++, SPLO++,
and ILOS++. We start with showing that basic IEEE 802.15.4
610 security is preserved if using wake-up counter-based CCM
time of A, ωB,A is A’s wake-up counter at time τB,A , t is when nonces and replay protection. Next, we argue that POTR++
the HELLO’s SHR arrived, and ηB,A = 1 if not yet initialized. and SPLO++ greatly mitigate denial-of-sleep attacks against
560 For implementing the prediction and restoration of wake- CSL. Finally, in Section 4.3, we point out our security enhance-
up counters, ILOS++ requires a node A to store each perma- ments over POTR, SPLO, and ILOS.
nent neighbor B’s wake-up counter ωA,B at time τA,B . In this
regard, note that when SPLO++ updates τA,B to τ0A,B , A already615 4.1. IEEE 802.15.4 Security
knows B’s wake-up counter ω0A,B at time τ0A,B because A had to 4.1.1. Uniqueness of CCM Nonces
565 correctly predict B’s wake-up counter ω0A,B at time τ0A,B . Thus, In order for CCM nonces to be secure, they must never reoc-
whenever SPLO++ updates τA,B to τ0A,B , ILOS++ updates ωA,B cur in conjunction with the same key. Owing to using pairwise
to the correctly predicted wake-up counter ω0A,B of B at time session keys and since all CCM nonces include the sender’s
τ0A,B without any additional calculations. 620 MAC address and the distinguishing field α, it suffices to ensure
that no CCM nonce coincides with other CCM nonces from a
3.3.2. Initialization of Wake-Up Counters and Times particular sender to a particular receiver for each value of α
570 SPLO++ and ILOS++ initialize wake-up times and coun- within a session:
ters in parallel to AKES’ three-way handshake, as shown in Fig-
ure 8. Therein, the HELLO carries A’s current wake-up counter HELLOs. As for α = 1, the inclusion of the sender’s wake-up
ωA . Though attackers can delay HELLOs, B takes this informa-625 counter ensures that such CCM nonces differ from previous
tion for granted and initializes ωB,A to ωA and τB,A to the time ones of a particular sender within a session since CSL needs
575 when the HELLO’s SHR arrived minus t2w . As B generates the to transmit wake-up frames for an entire wake-up interval be-
CCM nonce of the HELLOACK, B uses this data for the first time fore sending another HELLO, thus causing a sender’s wake-up
so as to predict A’s wake-up counter. If this prediction is in- counter to increment in the meantime.
correct, B will not receive an ACK in response and eventually
delete A from its list of tentative neighbors. Otherwise, it may630 Unicast Frames. As for α = 2, CCM nonces include the burst
580 still be the case that τB,A is slightly offset due to pulse-delay at- index and the receiver’s wake-up counter at time of receiving
tacks. Hence, B corrects τB,A upon receiving A’s ACK like is ex- the wake-up frame that led to receiving the unicast frame. The
plained shortly. Similarly, B’s HELLOACK carries B’s CSL phase inclusion of the burst index distinguishes CCM nonces of nor-
ϕ1 and B’s current wake-up counter ωB . A also takes this data mal unicast frames within a burst. Thus, it remains to ensure
for granted and uses it to initialize τA,B and ωA,B . In addition,635 that the included wake-up counter differs in “spaced” transmis-
585 the HELLOACK carries a cryptographic random number Q that sions of unicast frames from a particular sender to a particular
is newly generated for each transmission and retransmission. receiver within a session. As SPLO++ keeps the uncertainty
After receiving B’s HELLOACK, A acknowledges with an unau- about a receiver’s wake-up time below tw within a session, CSL
thenticated acknowledgement frame. As opposed to authenti- will arrange the wake-up sequences of spaced transmissions
cated acknowledgement frames, unauthenticated acknowledge-640 of unicast frames around distinct wake ups within a session.
590 ment frames can be sent immediately without executing AKES’ Hence, the included wake-up counter indeed differs in spaced
checks beforehand. If all of AKES’ checks turn out to succeed, transmissions of unicast frames within a session.
A then sends an ACK to B, containing ϕ2 and Q, where ϕ2 is A’s
Authenticated Acknowledgement Frames. As for α = 3, CCM
CSL phase when receiving the HELLOACK’s SHR. When gen-
nonces include the burst index of the acknowledged unicast
erating the CCM nonce of the ACK, A uses τA,B and ωA,B for
645 frame and the sender’s wake-up counter at time of receiving
595 the first time so as to predict B’s wake-up counter. Likewise,
the wake-up frame that led to receiving the acknowledged uni-
only if A predicts B’s wake-up counter correctly, A will get an
cast frame. Since the burst index differs when acknowledging
authentic acknowledgement frame in response and, else, will
individual normal unicast frames of a burst, it remains to ensure
delete B from its list of permanent neighbors. Next, upon re-
that the included wake-up counter differs when acknowledging
ceiving an authentic ACK from A, B ensures that Q is unmod-
spaced transmissions of unicast frames within a session. This
ified and uses ϕ2 to correct its value of τB,A . Also, B updates
650
600
holds true since CSL can receive at most one wake-up frame
ωB,A to A’s correctly predicted wake-up counter at time of re-
per wake up and because the wake-up counter at time of a wake
ceiving B’s HELLOACK. Lastly, B replies with an authenticated
up is unique within a session.
8
4.1.2. Freshness Guarantees 705 4.2. Denial-of-Sleep Resilience
655 Recall that strong freshness is provided if a receiver can not 4.2.1. Ding-Dong Ditching
only ensure that a frame was never accepted before, but also that Below, we argue that POTR++ mitigates ding-dong ditch-
it was sent within a limited time span prior to its reception [21]. ing, regardless of which type of frame a ding-dong ditcher in-
Together, SPLO++ and ILOS++ do achieve strong freshness, jects or replays.
as we argue below.
710 HELLOs and HELLOACKs. POTR++ mitigates ding-dong ditch-
660 HELLOs. Let A be a permanent neighbor of B. Suppose B re- ing with HELLOs and HELLOACKs by only letting such types of
ceives a HELLO from A delayed by ≥ tw . Then, B will round A’s frames pass at a maximum rate, if they seem valid and are of
wake-up counter to a different value than was used by A to gen- interest at all. To exemplify the effectiveness of this defense, let
erate the CCM nonce of the HELLO. As a result, B will consider us compare the time that CSL needs to spend in receive mode
the HELLO inauthentic. The same reasoning applies to why B715 during its periodic wake ups if tw = 125ms and l = 16 any-
665 never considers the same HELLO authentic twice. way with the additional worst-case time in receive mode when
1
accepting HELLOs at a rate of 15 Hz. Assuming the standard
Unicast Frames. Suppose B receives A’s unicast frame f de- data rate of IEEE 802.15.4 in the 2.4-GHz band of 250 kbit s ,
layed by ≥ tw . Then, B will derive f ’s CCM nonce from a the time in receive mode per wake up is ((12+5)×8) = 0.544ms
250
different wake-up counter than was predicted by A. Hence, B720 minimum. Here, 12 is the number of bytes of a maximum-
will consider f ’s CCM MIC inauthentic and discard f . How- length wake-up frame as per POTR++’s frame format and +5
670 ever, a subtlety is that the sender of a unicast frame may miss allows for detecting a wake-up frame’s SHR when the begin-
the corresponding acknowledgement frame and decide to re- ning of the previous wake-up frame was just missed. Thus, on
transmit. As a result, a receiver may accept the same unicast a percentage basis, the base time in receive mode is 100% ×
frame twice. To this end, ILOS++ adds “sequence numbers”725 0.544ms
= 0.43%. For comparison, receiving one maximum-
tw
to normal unicast frames, as shown in Figure 5b. These se-
675 quence numbers are maintained on a per-neighbor basis and are length HELLO takes (133×8)
250 = 4.256ms. Moreover, we have to
incremented each time a normal unicast frame is transmitted account for the unfortunate case that the SHR of the wake-up
to a permanent neighbor, yet not incremented when retransmit- frame of a HELLO may be detected right at the end of a peri-
ting the last normal unicast frame. Consequently, receivers can odic wake up. In such cases, receivers need to stay in receive
identify and filter out duplicates. On the other hand, adding se-730 mode slightly longer to see whether the SHR is the beginning
680 quence numbers to ACKs and HELLOACKs is unnecessary since of a wake-up frame. In the case of a HELLO, receivers may need
AKES detects duplicated ACKs and HELLOACKs by itself. to receive up to 6 more bytes as per Figure 5a, which trans-
lates into an additional time in receive mode of up to 0.192ms.
Authenticated Acknowledgement Frames. Suppose B receives Altogether, the additional worst-case time in receive mode is
an authenticated acknowledgement frame f delayed by > ta .735 0.192ms + 4.256ms. Yet, on a percentage basis, receiving one
1
Since B only accepts acknowledgement frames for ta , f must maximum-length HELLO at 15 Hz only adds 0.03% to the base
685 originally have been sent in response to a different unicast time in receive mode at most. Thus, when configuring POTR++
frame. There are two cases how this may happen. First, f was to only let HELLOs and HELLOACKs pass at a moderate rate,
originally sent in response to a different normal unicast frame POTR++ makes CSL practically resistant to ding-dong ditch-
of the same burst. In this case, B will include a different burst740 ing with HELLOs and HELLOACKs.
index in f ’s CCM nonce. Second, f was originally sent in ACKs and Normal Unicast Frames. One method for ding-dong
690 response to a previous spaced transmission of a unicast frame. ditching with ACKs or normal unicast frames is to (i) inject or
In this case, B will include a different wake-up counter in f ’s replay a wake-up sequence and (ii) inject or replay an ACK or
CCM nonce. In both cases, B ends up considering the CCM normal unicast frame. However, for this method to work out,
MIC of f inauthentic and rejects f . 745 ding-dong ditchers need to come up with valid OTPs as in-
valid OTPs trigger an on-the-fly rejection. Crafting a valid OTP
Unauthenticated Acknowledgement Frames. The strong fresh-
seems impossible since a ding-dong ditcher has, by definition,
695 ness of unauthenticated acknowledgement frames, which are
no cryptographic key of the victim network. Also, guessing
solely sent in response to HELLOACKs, is ensured only after
the corresponding ACK comes in. Suppose B receives an unau- an OTP or replaying an OTP that is older than ≥ tw is point-
thenticated acknowledgement frame f from A delayed by > ta .750 less because such an OTP will turn out invalid with probability
Since B only accepts acknowledgement frames for ta , f must 1 − 2−l . On the other hand, a victim may consider a replayed
OTP that is younger than < tw valid, but this means that the
700 originally have been sent in response to a different HELLOACK.
victim node missed the original transmission. Hence, in terms
However, the originally acknowledged HELLOACK contained a
of energy consumption, there will be no difference compared
different cryptographic random number Q, thus causing B to
reject A’s ACK and AKES’ three-way handshake to remain in-755 to receiving the original transmission. This even holds true if a
complete. ding-dong ditcher tampers with the length of an ACK or normal
unicast frame because this invalidates the replayed OTP.
Another method for ding-dong ditching with ACKs or nor-
mal unicast frames is to “jump on” the unicast transmissions of
9
760 legitimate nodes. That is, after a victim node received a wake- 4.2.4. Chatty Nodes
up frame or a normal unicast frame with the Frame Pending POTR++ provides a basis for detecting chatty nodes through
flag set, a ding-dong ditcher can inject or replay an ACK or nor-810 the adoption of pairwise session keys. In fact, owing to deriv-
mal unicast frame. But, the only repercussion of such an attack ing OTPs from pairwise session keys, a chatty node that sends
is that the victim node receives the ding-dong ditcher’s frame plenty of normal unicast frames or ACKs with valid OTPs can
765 instead of the legitimate frame. This does not result in an in- be considered compromised as no other node than the chatty
creased energy consumption because, if the attacker’s frame has node and the victim node can access their pairwise session key.
a different length than was previously announced, the attacker’s815 Likewise, authentic HELLOs and HELLOACKs can be attributed
frame will be rejected on the fly. to the sender due to authenticating them with pairwise session
keys.
Acknowledgement Frames. Since POTR++ validates the length
770 of acknowledgement frames during reception, ding-dong ditch- 4.2.5. Deaf Nodes
ers can not cause a higher energy consumption by injecting Deaf nodes are also mitigated by SPLO++ by confining the
long ones. 820 maximum length of wake-up sequences.
Figure 11: Consumed charge due to (a) unicast attacks and (b) collision attacks
hence learns the other OpenMote’s wake-up time. Beyond that,1095 [3] X. Lu, M. Spear, K. Levitt, N. S. Matloff, S. F. Wu, A synchronization
1055 AKES sends keep-alive frames so as to check if a permanent attack and defense in energy-efficient listen-sleep slotted MAC protocols,
in: Proceedings of the Second International Conference on Emerging
neighbor is still in range. As a side effect, these keep-alive Security Information, Systems and Technologies (SECURWARE 2008),
frames update wake-up times and hence reduce the uncertainty IEEE, 2008, pp. 403–411.
about the other OpenMote’s wake-up time. Of course, an at-1100 [4] W. Yang, Q. Wang, Y. Qi, S. Sun, Time synchronization attacks in
tacker can also interfere with these keep-alive frames, but, as IEEE802.15.4e networks, in: Proceedings of the International Conference
on Identification, Information and Knowledge in the Internet of Things
1060 discussed in Section 2.2.2, this will usually decrease the energy (IIKI 2014), IEEE, 2014, pp. 166–169.
consumption of victim nodes. Nevertheless, AKES does not [5] K.-F. Krentz, Ch. Meinel, H. Graupner, Countering three denial-of-sleep
reliably defend against collision attacks because AKES sup-1105 attacks on ContikiMAC, in: Proceedings of the International Conference
presses keep-alive frames to permanent neighbors that recently on Embedded Wireless Systems and Networks (EWSN 2017), Junction,
2017, pp. 108–119.
sent a fresh authentic broadcast frame, which do not neces- [6] M. Brownfield, Y. Gupta, N. Davis, Wireless sensor network denial of
1065 sarily update wake-up times as a side effect. Our denial-of- sleep attack, in: Proceedings of the Sixth Annual IEEE SMC Information
sleep-protected version of CSL further reduces the mean con-1110 Assurance Workshop (IAW ’05), IEEE, 2005, pp. 356–364.
sumed charge due to collision attacks from 1.76mJ to 1.045mJ [7] A. D. Wood, J. A. Stankovic, Denial of service in sensor networks, IEEE
Computer 35 (10) (2002) 54–62.
by leveraging the predictability of clock drifts. Additionally, [8] S. Ganeriwal, C. Pöpper, S. Čapkun, M. B. Srivastava, Secure time syn-
SPLO++ enforces a maximum uncertainty about a permanent chronization in sensor networks, ACM Transactions on Information and
1070 neighbor’s wake-up time throughout a session. Similar to an1115 System Security (TISSEC) 11 (4) (2008) 23:1–23:35.
[9] J. Deng, R. Han, S. Mishra, Defending against path-based DoS attacks in
unsecured version of CSL, an unsecured version of Contiki-
wireless sensor networks, in: Proceedings of the 3rd ACM Workshop on
MAC strobes for a whole wake-up interval if the receiver’s Security of Ad Hoc and Sensor Networks (SASN ’05), ACM, 2005, pp.
wake-up time is unknown, thereby rendering collision attacks 89–96.
severe. Again, enabling AKES and SPLO greatly alleviates the1120 [10] A. Dunkels, The ContikiMAC radio duty cycling protocol, Tech. Rep.
T2011:13, Swedish Institute of Computer Science (2011).
1075 effects of collision attacks, but less than our version of SPLO. [11] K.-F. Krentz, Ch. Meinel, M. Schnjakin, POTR: practical on-the-fly re-
jection of injected and replayed 802.15.4 frames, in: Proceedings of the
International Conference on Availability, Reliability and Security (ARES
7. Conclusions and Future Work 1125 2016), IEEE, 2016, pp. 59–68.
[12] K.-F. Krentz, Ch. Meinel, H. Graupner, More Lightweight, yet Stronger
While IEEE 802.15.4 security protects CSL against basic 802.15.4 security through an intra-layer optimization, in: Proceedings of
eavesdropping, injection, and replay attacks, it offers no denial- the 10th International Symposium on Foundations & Practice of Security
of-sleep protection. To fill this gap, we have proposed CSL- (FPS 2017), Springer, 2017.
1130 [13] M. Sha, G. Hackmann, C. Lu, Energy-efficient low power listening for
1080 enabled and security-enhanced versions of POTR, SPLO, and wireless sensor networks in noisy environments, in: Proceedings of the
ILOS. Together, POTR++, SPLO++, and ILOS++ turned out 12th International Conference on Information Processing in Sensor Net-
to make CSL resistant to ding-dong ditching and pulse-delay works (IPSN ’13), ACM, 2013, pp. 277–288.
[14] A. d. l. Piedra, A. Braeken, A. Touhafi, Extending the IEEE 802.15.4
attacks, as well as resilient to collision attacks and deaf nodes.1135 security suite with a compact implementation of the NIST P-192/B-163
Furthermore, we have argued that POTR++ and ILOS++ pro- elliptic curves, Sensors 13 (8) (2013) 9704–9728.
1085 vide a basis for pinpointing and evicting chatty nodes. For fu- [15] G. Piro, G. Boggia, L. A. Grieco, Layer-2 security aspects for the IEEE
ture work, it remains to actually counter chatty nodes. Another 802.15.4e MAC, Internet-Draft, version 3 (2014).
[16] S. Sciancalepore, G. Piro, E. Vogli, G. Boggia, L. A. Grieco, G. Cavone,
interesting direction for future research is to further mitigate1140 LICITUS: a lightweight and standard compatible framework for securing
collision attacks by, e.g., adjusting transmission powers or re- layer-2 communications in the IoT, Computer Networks 108 (Supplement
acting to anomalous numbers of retransmissions. C) (2016) 66–77.
[17] A. Perrig, R. Szewczyk, J. Tygar, V. Wen, D. E. Culler, SPINS: security
protocols for sensor networks, Wireless networks 8 (5).
1090 References 1145 [18] K.-F. Krentz, Ch. Meinel, Handling reboots and mobility in 802.15.4 se-
curity, in: Proceedings of the 31st Annual Computer Security Applica-
[1] IEEE Standard 802.15.4 (2015). tions Conference (ACSAC ’15), ACM, 2015, pp. 121–130.
[2] P. Huang, L. Xiao, S. Soltani, M. Mutka, N. Xi, The evolution of MAC [19] K.-F. Krentz, Ch. Meinel, H. Graupner, Denial-of-sleep-resilient session
protocols in wireless sensor networks: a survey, IEEE Communications key establishment for 802.15.4 security: from adaptive to responsive, in:
Surveys Tutorials 15 (1) (2013) 101–120. 1150 Proceedings of the International Conference on Embedded Wireless Sys-
tems and Networks (EWSN 2018), Junction, 2018.
13
[20] J. Großschädl, A. Szekely, S. Tillich, The energy cost of cryptographic Appendix A. Notations
key establishment in wireless sensor networks, in: Proceedings of the
2nd ACM Symposium on Information, Computer and Communications1220 • IDA : the 2- or 8-byte MAC address of A, depending on
1155 Security (ASIACCS ’07), ACM, 2007, pp. 380–382.
which kind of IEEE 802.15.4 addresses are used
[21] D. R. Raymond, R. C. Marchany, S. F. Midkiff, Scalable, cluster-based
anti-replay protection for wireless sensor networks, in: Proceedings of 0
the IEEE SMC Information Assurance and Security Workshop (IAW ’07), • KA,B : the predistributed pairwise key between A and B
IEEE, 2007, pp. 127–134. 0
1160 [22] A. Wood, J. Stankovic, G. Zhou, DEEJAM: defeating energy-efficient • KA,B : the pairwise session key between A and B
jamming in IEEE 802.15.4-based wireless networks, in: Proceedings of
the 4th Annual IEEE Communications Society Conference on Sensor, • KA,∗ : A’s group session key
Mesh and Ad Hoc Communications and Networks (SECON ’07), IEEE,
2007, pp. 60–69. 1225 • l: the length of an OTP in bits
1165 [23] R. Falk, H.-J. Hof, Fighting insomnia: a secure wake-up scheme for wire-
less sensor networks, in: Proceedings of the Third International Confer- • ta : the duration of the reception window for acknowl-
ence on Emerging Security Information, Systems and Technologies (SE- edgement frames
CURWARE ’09), 2009, pp. 191–196.
[24] S. Aljareh, A. Kavoukis, Efficient time synchronized one-time password • tu : the maximum uncertainty about a permanent neigh-
1170 scheme to provide secure wake-up authentication on wireless sensor net-
works, International Journal of Advanced Smart Sensor Network Systems bor’s wake-up time
(IJASSN) 3 (2013) 1–11.
[25] C.-T. Hsueh, C.-Y. Wen, Y.-C. Ouyang, A secure scheme against power1230 • tw : the interval of CSL’s periodic wake ups
exhausting attacks in hierarchical wireless sensor networks, IEEE Sensors
1175 Journal 15 (6) (2015) 3590–3602. • α a field within the CCM nonces generated by ILOS++
[26] A. T. Capossele, V. Cervo, C. Petrioli, D. Spenza, Counteracting denial-
of-sleep attacks in wake-up-based sensing systems, in: Proceedings of • ηA,B : an estimate of the clock drift of A against B
the IEEE International Conference on Sensing, Communication and Net-
working (SECON 2016), IEEE, 2016, pp. 1–9. • θ: the frequency tolerance of the employed clocks
1180 [27] Q. Ren, Q. Liang, Secure media access control (MAC) in wireless sensor
networks: intrusion detections and countermeasures, in: Proceedings of • θη : the frequency tolerance of ηA,B
the 15th IEEE International Symposium on Personal, Indoor and Mobile
Radio Communications (PIMRC 2004), IEEE, 2004, pp. 3025–3029. 1235 • λ: a burst index - the first payload frame after a wake-up
[28] S. Zhu, S. Setia, S. Jajodia, P. Ning, An interleaved hop-by-hop authen-
1185 tication scheme for filtering of injected false data in sensor networks, in:
sequence always has burst index λ = 0, a payload frame
Proceedings of the 2004 IEEE Symposium on Security and Privacy (S&P that follows right after has burst index λ = 1, and so on
’04), IEEE, 2004, pp. 259–271.
[29] F. Ye, H. Luo, S. Lu, L. Zhang, Statistical en-route filtering of injected • τA,B : B’s last wake-up time that is known to A
false data in sensor networks, IEEE Journal on Selected Areas in Com-
1190 munications 23 (4) (2005) 839–850. • ϕ: a CSL phase - unless otherwise mentioned, measured
[30] T. Chang, T. Watteyne, K. Pister, Q. Wang, Adaptive compensation for1240 as the time between when the SHR of the frame contain-
time-slotted synchronization in wireless sensor network, International
Journal of Distributed Sensor Networks.
ing ϕ was transmitted and the sender’s next wake-up time
[31] R. Hummen, J. Hiller, H. Wirtz, M. Henze, H. Shafagh, K. Wehrle,
1195 6LoWPAN fragmentation attacks and mitigation mechanisms, in: Pro- • ωA . the wake-up counter of A - A increments ωA in lock-
ceedings of the Sixth ACM Conference on Security and Privacy in Wire- step with CSL’s periodic wake ups, even if CSL skips
less and Mobile Networks (WiSec ’13), ACM, 2013, pp. 55–66. over a wake up due to sending at that time
[32] S. S. Guclu, T. Ozcelebi, J. J. Lukkien, Dependability analysis of asyn-
chronous radio duty cycling protocols, in: Proceedings of the 25th In-1245 • ωA,B : the wake-up counter of B at time τA,B
1200 ternational Conference on Computer Communication and Networks (IC-
CCN), IEEE, 2016, pp. 1–11.
[33] X. Vilajosana, P. Tuset, T. Watteyne, K. Pister, OpenMote: open-source
prototyping platform for the industrial IoT., in: Ad Hoc Networks, Vol.
155, Springer, 2015, pp. 211–222.
1205 [34] A. Tinka, T. Watteyne, K. S. J. Pister, A. M. Bayen, A decentralized
scheduling algorithm for time synchronized channel hopping, EAI En-
dorsed Transactions on Mobile Communications and Applications 11 (1).
[35] B. Al Nahas, S. Duquennoy, V. Iyer, T. Voigt, Low-power listening goes
multi-channel, in: Proceedings of the 2014 IEEE International Confer-
1210 ence on Distributed Computing in Sensor Systems (DCOSS), IEEE, 2014,
pp. 2–9.
[36] A. Dunkels, F. Osterlind, N. Tsiftes, Z. He, Software-based on-line en-
ergy estimation for sensor nodes, in: Proceedings of the 4th Workshop on
Embedded Networked Sensors (EmNets ’07), ACM, 2007, pp. 28–32.
1215 [37] J. Eriksson, N. Finne, N. Tsiftes, S. Duquennoy, T. Voigt, Scaling RPL
to dense and large networks with constrained memory, in: Proceedings
of the International Conference on Embedded Wireless Systems and Net-
works (EWSN 2018), Junction, 2018.
14