
SPINS: Security Protocols for Sensor Networks

Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar
Research Topics in Security in the context of Crisis Management and Societal Security
Dennis K. Nilsson
080415

Sensor Networks
Measurement
Control
Sensor node limitations
  Processing power
  Storage
  Bandwidth
  Energy

Security Possible?

Current security algorithms
  Computationally and memory expensive

Authenticated broadcasting
  Communication overhead
  TESLA suitable for desktop workstations

Agenda
System Description
Security Requirements
SNEP: Sensor Network Encryption Protocol
µTESLA: Authenticated broadcast
Implementation and Evaluation
Conclusion

System Description

Nodes and powerful base stations

Communication
  Node to base station
  Base station to node
  Base station to all nodes

Trust base stations but not
  Individual nodes
  Wireless communication

Design
  Symmetric cryptography
  Single block cipher for all cryptographic primitives

Security Requirements

Data confidentiality
  Sensitive data should be kept secret

Data authentication
  Receiver verifies data was sent from claimed sender

Data integrity
  Assures the receiver that data is unaltered in transit

Data freshness
  Implies that data is recent and not replayed

SNEP
Data confidentiality
Two-party data authentication
Data integrity
Data freshness

Prerequisites:

Shared secret key (master key) between each node and the base station

SNEP

Low communication overhead

8 bytes per message


Keep state at both end points
Randomization using shared counter

Does not transmit counter

Achieves semantic security

SNEP

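Encryption
  $E = \{D\}_{\langle K_{encr}, C \rangle}$

MAC
  $M = \mathrm{MAC}(K_{mac}, C | E)$

Message from A to B
  $A \rightarrow B: \{D\}_{\langle K_{encr}, C \rangle}, \mathrm{MAC}(K_{mac}, C | \{D\}_{\langle K_{encr}, C \rangle})$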

µTESLA
Redesign of TESLA protocol
TESLA not suitable for sensor networks
  Authenticates initial packet with a digital signature
  Overhead of 24 bytes per packet (sensor node packet size ~30 bytes)
  Disclose key for previous intervals with every packet
  One-way key chain does not fit in memory

µTESLA

Base station broadcasts authenticated messages to the nodes
Base station and nodes loosely time synchronized
Base station computes MAC on a packet with a key that is secret at that time
Receiving node can verify that corresponding MAC key has not been disclosed
MAC key chain: $K_i = F(K_{i+1})$

µTESLA - Example
[Figure: timeline of intervals 0 to 4 with the key chain K0, K1, K2, K3, K4 linked by F, packets P1 to P7, and disclosed keys K1 to K4]

µTESLA Example, dropped msg

[Figure: timeline of intervals 0 to 4 with keys K0, K1, K2 linked by F, packets P1 to P5, and disclosed keys K1 and K2]

µTESLA

Sender setup
  Generate one-way key chain of length n from randomly chosen $K_n$
  Each key is associated with one interval

Time is divided into time intervals

Bootstrap receiver
  A commitment of the key chain is stored in receiver, subsequent keys are self-authenticated

µTESLA

Authenticating broadcast packets
  Receiver must ensure attacker does not know the disclosed key used for MAC (i.e., sender has not disclosed key yet)
  Sender-receiver must be loosely time synchronized and receivers must know the key disclosure schedule
  Authenticate received key $K_j$: $K_i = F^{j-i}(K_j)$
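
The µTESLA steps above (sender setup, receiver bootstrap, packet and key authentication, recovery from a dropped key disclosure) as an added Python sketch; it is not code from the slides or from the SPINS implementation. Assumptions: truncated SHA-256 and HMAC stand in for the RC5-based primitives, the chain key is used directly as the MAC key, the disclosure delay is 2 intervals, `now` is the receiver's upper bound on the sender's current interval, and all function and class names are hypothetical.

```python
import hashlib, hmac

def F(key: bytes) -> bytes:
    # One-way function for the key chain. Truncated SHA-256 is an assumption here.
    return hashlib.sha256(b"chain" + key).digest()[:8]

def mac(key: bytes, data: bytes) -> bytes:
    # Simplification: the chain key is used directly as the MAC key.
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def make_chain(k_n: bytes, n: int) -> list:
    """Sender setup: return [K_0, ..., K_n] where K_i = F(K_{i+1})."""
    chain = [k_n]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

class Receiver:
    def __init__(self, commitment: bytes, delay: int = 2):
        self.i, self.k_i = 0, commitment  # index and value of last authenticated key
        self.delay = delay                # key for interval t is disclosed at t + delay
        self.buffer = []                  # (interval, data, tag) waiting for their key
    def on_packet(self, interval, data, tag, now):
        # Security condition: drop the packet if its key may already be public.
        if now >= interval + self.delay:
            return False
        self.buffer.append((interval, data, tag))
        return True
    def on_key(self, j, k_j):
        """Check K_i = F^{j-i}(K_j); return the buffered payloads it authenticates."""
        keys, k = {j: k_j}, k_j
        for idx in range(j - 1, self.i, -1):  # recover keys of dropped disclosures
            keys[idx] = k = F(k)
        if j <= self.i or not hmac.compare_digest(F(k), self.k_i):
            return []                         # stale index or key not on the chain
        self.i, self.k_i = j, k_j
        ok = [d for t, d, tag in self.buffer
              if t in keys and hmac.compare_digest(mac(keys[t], d), tag)]
        self.buffer = [p for p in self.buffer if p[0] > j]
        return ok

def demo():
    chain = make_chain(b"constructed-Kn", 4)  # constructed sample key, n = 4
    rx = Receiver(chain[0])
    rx.on_packet(1, b"P1", mac(chain[1], b"P1"), now=1)
    rx.on_packet(2, b"P3", mac(chain[2], b"P3"), now=2)
    late = rx.on_packet(1, b"forged", mac(chain[1], b"forged"), now=3)
    forged_key = rx.on_key(2, b"\x00" * 8)
    return late, forged_key, rx.on_key(2, chain[2])  # K1 disclosure was lost
```

In `demo()` the disclosure of K1 never arrives, yet K2 authenticates both buffered packets because K1 is recomputed as F(K2) while walking back to the stored commitment.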

Implementation and evaluation

RC5 block cipher
  small code size and high efficiency but 32-bit data rotates (8-bit CPU)

Encryption
  Counter mode (same function for encryption and decryption)

Random-number generation
  $\mathrm{MAC}(K_{rand}, C)$

MAC
  CBC-MAC: $\{M\}_{K_{encr}}, \mathrm{MAC}(K_{mac}, \{M\}_{K_{encr}})$

Key setup
  $K_{encr}$, $K_{mac}$, $K_{rand}$ derived from master key

Implementation and evaluation

Code size
  Crypto library and protocol implementation: 2kB of program memory

Performance
  Key setup 8000 cycles, 8-byte encryption 120 cycles, twenty 30-byte messages per second

Energy costs
  Encrypting and signing: 6 bytes overhead per message (~20%)
  MAC computation 2%

Conclusion

Designed and implemented security protocols for sensor networks


Authenticated and confidential communication
Authenticated broadcast
Use symmetric cryptography
Code reuse
Communication costs are small

Many elements of the design are universal and can be applied to other sensor networks
