2.3 Related work
2.3.2 Data transportation layer security schemes
This subsection presents the three established data transportation security schemes found in the literature. The solutions are presented in chronological order; SPINS, TinySec, MiniSec and SenSec. These mechanisms form the basis of comparison for this proposal, which is also a security mechanism for the data transportation layer.
The SPINS proposal
SPINS [29] by Perrig et al. published in 2002 was the earliest attempt to evaluate and implement secure wireless sensor networks. The work provided two protocols, a network encryption protocol named SNEP and µTESLA, an authentication protocol. At the time of development, sensor networks were expected to suffer from unrealistically low resources and thus the authors discuss if a secure sensor network is even a realistic target.
To support the realism argument, the authors list a set of requirements that a system must fulfil in order to be regarded as secure⁶. Briefly, these are confidentiality, authentication, integrity and freshness. They stipulate that nodes should never be trusted, they rule out public-key cryptography as an option and then they proceed to describe their protocols.
From an operational point of view, the authors identify base station to node (broadcast) communication as the fundamental communication primitive but they also distinguish node to base station and base station to node communication as possible patterns.
Their security protocols are regarded as security primitives, building blocks. They are provided on the basis that future work will build upon them to achieve the security requirements. SNEP provides for all requirements except authenticated broadcast. It operates by encrypting messages using a private key shared by the communicating pair. In addition, it uses a secret counter, which is incremented by 1 after each communication but is not transmitted with the message. µTESLA uses a symmetric encryption mechanism to authenticate messages from a small number of authenticated broadcasters. Both protocols seemed promising, but they were never implemented [2].
The TinySec mechanism
TinySec [2] was the first protocol to ignore hardware security, ignore key management and simply provide security at the data transportation layer. It is currently considered the standard security mechanism for sensor networks in much of the literature [95-97]. TinySec introduces an increase of about 10% in energy consumption compared with unsecured TinyOS operation.
The protocol is built as an extension to the TinyOS platform and it alters the original packet format to accommodate the security features. TinySec meets each of the security requirements set by SPINS [29]. It achieves confidentiality by encrypting message contents using SkipJack [98]. Authenticity and integrity are provided by a 4-byte message authentication code (MAC), which is also generated by the SkipJack cipher under the CMAC standard [99]. Finally, freshness and semantic security are achieved via an initialisation vector.
TinySec provides two packet types in an attempt to increase energy efficiency: the TinySec-A packet, which only provides message authentication, and the TinySec-AE packet, which complies with all the basic security requirements.
The MiniSec mechanism
MiniSec improves on the performance of TinySec, is more resilient to network error and uses a different approach to generating and transmitting the initialisation vector. MiniSec uses SkipJack in the OCB [100] mode of operation as its encryption function. This mode of operation provides both encryption and authentication. MiniSec appears to be an equally secure optimisation of TinySec, while otherwise offering very few innovative security features.
MiniSec greatly optimises the way the initialisation vector (IV) is implemented by using a number of techniques, including overloading, Bloom filters [101], epochs and time synchronisation protocols [102-103]. It further optimises the efficiency of the network by introducing packets that are suited to different communication types. Figure 4 illustrates the security-related radio overhead of the various solutions.
The SenSec mechanism
The SenSec [30] framework is also promoted as a TinySec alternative. It is based entirely on TinySec and aims to improve its security provision and some aspects of its performance. SenSec employs a packet format that is very similar to that of TinySec [2] but is claimed to be slightly better. The major difference in packet format from the TinySec scheme is the way the IV (initialisation vector) is constructed.
A custom and improved variant of SkipJack [98] is used in SenSec. The customisation claims to provide 144-bit security and is based on the DES-X [104] method. They call this variant SkipJack-X. They also aim to reduce the computational cost of MAC processing by using a one-pass MAC computation mechanism. They claim that their MAC mechanism is secure as long as "the total amount of packets being encrypted and authenticated with the same key is much less than 2^32."
SenSec defines a hierarchical access control scheme divided into three levels and thus uses three levels of keys: a global key, a cluster key and a sensor key. By using these three keys, it can produce three packet types for use in the appropriate context. The authors claim that this method is also resilient to node-capture attacks, since revealing the keys held by one node will not compromise the whole network but only one group of nodes.
Figure 4: Packet overhead of TinyOS, TinySec-AE, MiniSec-U and SenSec. Numbers represent the size of the packet's header and MAC/CRC in bytes.
[Figure 4 chart: bars for TinyOS, TinySec-AE, TinySec-… and SenSec-AE; horizontal axis 0-13 in Bytes]
Other mechanisms
While this research was being conducted, further security schemes appeared in the literature. Recent mechanisms such as ContikiSec [93] and FlexiSec [94] will be discussed in Chapter 6.
Finally, an alternative solution to data transportation security is ZigBee [105]. It is the lightest fully developed security standard for small devices and it might be suitable for high-end sensor boards, but it is still extremely costly for the low-end devices that this project targets.
Discussion
TinySec and MiniSec offer 80-bit complexity which is deemed unacceptable by 2010 [71-73] but both research groups claim that their mechanism can be used with any encryption algorithm and thus the possibility of higher complexity is not ruled out. The encryption function is indeed a black-box type of component, which can be upgraded without redesign of the system. However, the related implications in energy efficiency have to be taken into consideration. Should such an update be ever implemented, the mechanism would have to be re-evaluated and comparisons with other mechanisms would need to be discussed again.
On the other hand, the authors of MiniSec apply the key whitening technique to SkipJack and they call it SkipJack-X. Key whitening is an anecdotal term coined by J. Rivest and it is briefly explained by Schneier [4]. The scheme is better than plain SkipJack but not as good as a cipher that would natively offer greater cryptographic strength. This solution poses two problems, which are discussed next.
The first problem concerns the effective key length. According to Schneier's explanation, SkipJack-X should increase the complexity to 2^(n + m/p), where n is the key length, m is the block size and p is the number of known plaintexts. Therefore, SkipJack-X does offer greater complexity, but the true effective key length is reduced if the attacker is able to obtain a number of known plaintexts. Sensor networks whose purpose is to report a single value to the base station allow the attacker to guess possible plaintexts and reduce the complexity to unacceptable levels.⁷
⁷ Suppose that a network measures ambient temperature. The attacker can use a thermometer to find the temperature that nodes should be reporting and monitor the network for 24 hours. Using this method, the attacker might be able to obtain 10 plaintext-ciphertext pairs. That would reduce the complexity to ~2^87 bits, well below the acceptable standard of 2^128 bits.
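Carrying the footnote's calculation through with the document's own symbols, as an added worked example that is not part of the original thesis; it assumes SkipJack's 80-bit key and 64-bit block for n and m, and it also generalises the footnote's single case to the number of known plaintexts at which the estimate falls below 128 bits:

$$
\text{complexity} = 2^{\,n + m/p}, \qquad n = 80,\; m = 64,\; p = 10
\;\Rightarrow\; 2^{\,80 + 64/10} = 2^{86.4} \approx 2^{87}
$$

$$
n + \frac{m}{p} \ge 128 \iff p \le \frac{m}{128 - n} = \frac{64}{48} \approx 1.33,
\qquad \text{and at } p = 1:\; 2^{\,80 + 64} = 2^{144}
$$

Under this model the 144-bit figure claimed for SkipJack-X is the ceiling reached with a single known plaintext, and any second plaintext-ciphertext pair already pushes the estimate below 2^128.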
Secondly, the approach might be problematic because this specific application of key whitening to SkipJack has not been cryptanalysed. There is no information on the security of SkipJack-X in the published literature. It is unknown whether other limitations of the SkipJack cipher might cause further reductions in complexity, and it is unknown whether whitening can protect this particular cipher from future cryptanalytic attacks. If that is the case, then MiniSec might not provide the required 128 bits of complexity.
It seems that no existing data-transportation security mechanism is up to date with modern security requirements and that none provides a comprehensive solution, as they lack key management.
Implications
It is rather clear that a system providing an acceptable level of confidentiality, authentication and integrity is missing from the current literature. Even mechanisms more modern than the established TinySec, MiniSec and SenSec triplet do not offer 128-bit encryption while simultaneously being capable of operating on low-end devices such as the MICA2 node.
This research aims to provide a mechanism that offers an acceptable level of security and meets modern requirements for encryption complexity.