
2.2.4 Definitions of Security Goals in Electronic Health Monitoring

Authentication ensures that only entitled users can access the HealthNet system, and thereby the health data and the settings in the system. This applies to data stored on the patient’s device as well as to data transmitted over any of the wireless interfaces. In the HealthNet solution, different data sets can be made available to different parties. Although emergency physicians shall be able to bypass the authentication required of regular users on the patient’s phone, they must have physical access to the patient’s phone to tap a button. If the data were accessible without authentication, the patient’s data would effectively be public. This is undesirable for most patients and illegal in many jurisdictions.

Confidentiality ensures that the medical data cannot be obtained by an attacker. This applies both to data in storage and during data transmission to another device.

Integrity ensures that the recorded health data cannot be manipulated by an attacker. Like Confidentiality, Integrity must be achieved during data storage and data transmission. Otherwise, the manipulated data could lead to mistreatment of the patient, with possibly fatal consequences.

Perfect Forward Secrecy for transmitted data prevents decryption of exchanged data by an attacker who later obtains a long-term secret. Perfect Forward Secrecy is desirable for the data transmissions.

2.2.5 Definitions of Privacy Goals in Electronic Health Monitoring

As described before, „Information Privacy is the interest an individual has in controlling, or at least significantly influencing, the handling of data about themselves [45].“ Information Privacy is required in the processing of health data. It ensures that the recorded data contains no unneeded details about the patient’s life, i.e., that no personal habits can be reconstructed. The measured medical data is pre-processed on the patient’s device. This allows removal of unnecessary details under full control of the owner.

Anonymity is required so that the data does not identify the patient. Also, it should be impossible to use the data to uniquely identify the patient.

2.3 Time Synchronization in Wireless Sensor Networks

This section provides an introduction to the scenario of time synchronization in wireless sensor networks, and to the technologies and the security and privacy definitions important in this context. We will reuse these in Chapter 6, where we propose a solution for time synchronization in wireless sensor networks.


2.3.1 Wireless Sensor Networks

Wireless sensor nodes are inexpensive, autonomous devices which are deployed in a monitoring environment and operate without user interaction. The nodes are equipped with a wireless networking interface so that they are able to communicate with each other. Wireless Sensor Networks (WSNs) are networks built from wireless sensor nodes. Often, a gateway node is present, which serves as a bridge from the WSN to another network, e.g., for analysis of the measurements taken within the WSN. In some scenarios, the nodes will be deployed in a hostile environment where they cannot be physically maintained, i.e., their batteries cannot be charged or replaced. Because wireless communication is energy intensive, the communication mechanisms are highly optimized to conserve energy and transmissions are reduced to a minimum. In some applications, the nodes do not communicate until a certain event has been detected.

2.3.2 Technologies and Limits

WSN deployments may or may not follow a pattern. Therefore, sensor nodes need self-organizing networking capabilities. There is usually no central infrastructure in WSNs except for the gateway to another network. Messages to the gateway are relayed over the network by all the individual nodes. The gateway is used to forward the services provided by the network to the outside, i.e., to the owner.

Due to the nature of this scenario, sensor nodes need a long battery life, which implies less powerful hardware than most other platforms. A typical sensor node is the Crossbow TelosB, which is based on an 8 MHz TI MSP430 microcontroller with 10 kB RAM, 48 kB program flash and 1 MB serial flash for measurements, and an IEEE 802.15.4 ZigBee radio with onboard antenna. Power consumption is especially low at 1.8 mA current draw during computing and 5.1 µA in sleep mode. The devices are often powered by two household 1.5 V AA batteries.

IEEE 802.15.4 ZigBee radio is a standard [2] for low-power wireless networks in either star, tree, or mesh configuration. ZigBee operates in the industrial, scientific, and medical (ISM) radio bands: 868 MHz in Europe, 915 MHz in the USA and Australia, and also 2.4 GHz worldwide. The data rate is comparatively low at either 20, 40, or 250 kbit/s, as the transmission was specified to be energy efficient. ZigBee networks can be either beacon-enabled or non-beacon-enabled. In beacon-enabled networks, special nodes act as routers which transmit periodic broadcast messages. The regular nodes may switch off their radio interfaces between the beacon messages to save power. Beacon intervals range from 15 µs to 13 minutes. In non-beacon-enabled networks, the nodes must have their receiving radios switched on all the time, which consumes more power, but allows all nodes to reach all other nodes at any time without having to wait for the next beacon. A collision detection and avoidance mechanism is used during transmission.

Any solution for wireless sensor networks must be energy conserving. There is very little memory and storage space, and the computing abilities of the processors used are limited. Therefore, the use of security mechanisms established on fixed computers is problematic. Easy deployment of the nodes must be considered, i.e., the network graph is not known beforehand, so that pre-installing pairwise keys is difficult.

2.3.3 Time Synchronization

Time synchronization in wireless sensor networks is important for many applications. In beacon-enabled mode, most stations are in a power saving sleep mode most of the time. They can only communicate with each other when their radio interfaces are switched on. A sensor node that cannot find out when to try to communicate to other stations will either drop from the network or need to try over and over again, which greatly reduces its battery life, as radio communication is the single most power consuming task of sensor nodes. In both cases, the desynchronized node quickly becomes useless for the purpose the sensor network was installed for. With more accurate time synchronization, the wake up schedule will be executed more efficiently. In addition, in many applications, data gathered by sensor nodes is meaningless if it cannot be bound to the time when it was gathered. For example, precise time tagging and thus synchronization is required for beam forming, tracking, and locating an object.

Time synchronization must resist modification attempts by attackers, especially in applications such as accounting, metering, and billing systems. In these applications, an attacker could gain direct profit from tampering with the time synchronization process, beyond merely obstructing services.

2.3.4 Definitions of Security Goals in Time Synchronization

Authentication ensures that nodes will only synchronize to the clock of the legitimate master node, i.e., attackers cannot force nodes to accept other values. By impersonating the master node, an attacker could force a node to change its clock to a different time. This would hinder operation of the node, because it will use more power to connect to other nodes. Also, measurements performed by the attacked node will be meaningless for the purpose of the network, and may possibly obscure the data collected.

Integrity of the broadcast timestamp ensures that it cannot be manipulated during transmission. Again, this prevents attackers from manipulating the message contents.

In the context of time synchronization, the meaning of a message does not only depend on its contents, but also on the time it was received. Client nodes must therefore be able to filter messages that have been delayed by an attacker. Otherwise, an attacker could replay an old synchronization message to set a client node’s clock back by a large amount of time. This is called a pulse delay attack.
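As an added illustration (not code from the thesis), the following Python sketch shows a client node applying the three checks above to a broadcast timestamp: a MAC for authentication and integrity, a sequence number against plain replay, and a receive-time tolerance against a pulse delay attack. The frame layout, the HMAC-SHA256 tag and the tolerance value are assumptions.

```python
import hmac
import hashlib
import struct

# Assumed frame layout (not from the thesis):
#   seq (4 B, big-endian) || master clock in microseconds (8 B) || 16-byte truncated HMAC-SHA256
BODY_FMT = ">IQ"
BODY_LEN = struct.calcsize(BODY_FMT)
MAC_LEN = 16


def build_sync_message(key: bytes, seq: int, master_time_us: int) -> bytes:
    """Master side: authenticated broadcast of its current clock reading."""
    body = struct.pack(BODY_FMT, seq, master_time_us)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


class ClientNode:
    """Client side: adopt a timestamp only if it is authentic, fresh and not delayed."""

    def __init__(self, key: bytes, clock_us: int, tolerance_us: int):
        self.key = key
        self.clock_us = clock_us          # local clock, last set from an accepted sync
        self.tolerance_us = tolerance_us  # assumed bound: max drift since last sync + max path delay
        self.last_seq = -1

    def handle(self, msg: bytes, receive_time_us: int) -> str:
        """receive_time_us is the local clock reading at the moment the radio delivered the frame."""
        if len(msg) != BODY_LEN + MAC_LEN:
            return "reject: malformed"
        body, tag = msg[:BODY_LEN], msg[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"          # fails authentication / integrity
        seq, master_time_us = struct.unpack(BODY_FMT, body)
        if seq <= self.last_seq:
            return "reject: stale sequence"   # plain replay of an already-seen broadcast
        # Pulse-delay check: a frame held back by an attacker carries a timestamp that
        # lies further from the local receive time than drift plus path delay allow.
        offset = master_time_us - receive_time_us
        if abs(offset) > self.tolerance_us:
            return "reject: delayed"
        self.last_seq = seq
        self.clock_us = master_time_us        # adjust the local clock
        return "accept"
```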

In a node capture attack, an attacker gains physical control over a sensor node. The attacker is thus able to read, modify, and erase the contents of the memory on the sensor node and to manipulate the sensor node’s behavior. Some protocols are only secure when less than a certain percentage of the sensor nodes have been captured, because nodes place trust in their neighbors. Our solution should be resistant to the capture of an arbitrary number of nodes, so that an attacker cannot use captured nodes to influence the remaining nodes.

2.3.5 Definitions of Privacy Goals in Time Synchronization

Definition 10. „Undetectability of an item of interest (IOI) from an attacker’s perspective means that the attacker cannot sufficiently distinguish whether it exists or not [123].“

Undetectability requires protection of the IOI as such, whereas anonymity and linkability only require protection of the relationships between IOIs, i.e., undetectable messages must be indistinguishable from random noise.

In the time synchronization for wireless sensor networks scenario, undetectability ensures that an attacker cannot determine whether a client node exists or not.