Embed Size (px)
Citation preview
A POWER EFFICIENT LINK-LAYER SECURITY PROTOCOL (LLSP)FOR WIRELESS SENSOR NETWORKS
Jian Ren Tongtong Li Dean AslamDepartment of Electrical and Computer Engineering
Michigan State UniversityEast Lansing, MI 48824-1226.
email: {renjian, tongli, aslam}@egr.msu.edu
ABSTRACT
Wireless sensor networks (WSNs) rely on wireless com-munications, which is by nature a broadcast medium and ismore vulnerable to security attacks than its wired counter-part due to lack of a physical boundary. Anybody with anappropriate transceiver can eavesdrop on, intercept, inject,and even alter the transmitted data. Security services are,therefore, urgently needed to ensure effective access controland information confidentiality.WSNs are severally energy constrained since many sen-
sor networks are designed to operate unattended for along time and battery recharging or replacement may beinfeasible or impossible. To optimize the limited capabilityof the sensor nodes, security requirements are generallyabandoned. This leaves WSNs under security attacks, whichcould cause more battery power consumption and reducedlifespan of the WSNs. In the worst case, an adversarymay be able to undetectably take control of some sensornodes, compromise the cryptographic keys and reprogramthe sensor nodes.
In this paper; a power efficient link-layer security proto-col (LLSP) is proposed. LLSP provides node authentication,message integrity check, and message semantic security ata minimal cost by minimizing the security overhead in datapacket and applying only symmetric security algorithms.The security analysis and performance analysis show thatLLSP is secure and computationally efficient.
I. INTRODUCTION
Along with the advances in micro-electro-mechanicalsystems (MEMS) technology, analog and digital electronics,computing, wireless communications and radio-frequency(RF) technologies, small and low-power wireless integratedmicrosystems (WIMS) [1] that combine sensing, signalprocessing, decision making and networking capabilitiesare getting ready to be deployed for versatile applica-tions [2]-[4]. While WIMS robots are already in the market
and have a volume of approx. 250 cc, the WIMS centerat UM/MSU/MTU will produce low power WIMS (totalpower budget is 1 mW) with a volume of 1 cc by year 2010.WINS will be so small that they will fit into shirt buttons,and perhaps in threads of clothes, and will not need batteriesbecause they can scavenge energy from their environmentor energy can be available on the nanochip. The WINSwill create revolution in health care, bioimplantable devices,environmental monitors (making air labeling a reality),wireless networks (wearable networks and PCs), homelandsecurity and in many other areas.
Sensor networks rely on wireless communications, whichis by nature a broadcast medium and is more vulnerable tosecurity attacks than its wired counterpart [5] due to thelack of a physical boundary. In wireless domain, anybodywith an appropriate transceiver can eavesdrop on, intercept,inject, and even alter the transmitted data. Security servicesin wireless sensor networks are, therefore, urgently neededto limit the amount of damage and to ensure effective accesscontrol and information confidentiality.
However, WSNs are severally energy constrained sincemany sensor networks are designed to operate unattendedfor a long time and battery recharging or replacementmay be infeasible or impossible. To optimize the sensornodes for the limited node capabilities and the applicationspecific nature of the networks, security requirements weregenerally not considered. This leaves WSNs under networksecurity attacks, which could consume excessively morebattery power and shrink the lifespan of the WSNs. Inthe worst case, an adversary may be able to undetectablytake control of some sensor nodes, compromise the crypto-graphic keys and reprogram the sensor nodes.
In this paper, a power efficient link-layer security pro-tocol (LLSP) is proposed. It achieves node authentication,message integrity check, and message semantic security ata minimal cost by minimizing the security overhead in datapacket and applying only symmetric security algorithms.
1 of 6
The security analysis and performance analysis show thatthe proposed protocol is secure and computationally effi-cient.
* *Q Base station or sink
Sensor node
Low-latency high-bandwidth link
----------0--- - -Low-power radio link,,---- ----- ,,,, "
Figure 1. A representative wireless sensor network architecture
II. SECURITY REQUIREMENTS FOR SENSORNETWORKS
The major challenges in securing wireless sensor networkcan be summarized as:
* Lack of a-priori knowledge ofpost-deployment config-uration. If a sensor network is deployed via randomscattering (e.g. from an airplane), the sensor networkprotocols cannot know beforehand which nodes willbe within communication range of each other afterdeployment. Even if the nodes are deployed by hand,the large number of nodes involved makes it costly topre-determine the location of every individual node.Hence, a security protocol should not assume priorknowledge of which nodes will be neighbors in anetwork.
. Limited memory resources. The amount of key-storagememory in a given node is highly constrained; it doesnot possess the resources to establish unique keys withevery one of the other nodes in the network.
. Limited bandwidth and transmission power. Typicalsensor network platforms have very low bandwidth.For example, the UC Berkeley Mica platforms trans-mitter has a bandwidth of 10 Kbps, and a packet sizeof about 30 bytes. Transmission reliability is oftenlow, making the communication of large blocks of dataparticularly infeasible.
This section summarizes the three security goals forwireless sensor networks. They are data authentication, dataintegrity, and data confidentiality.
A. Authentication
Authentication is one of the most important networksecurity services. It is even more true for wireless sensor
networks since (i) sensor networks rely on wireless com-munications that is accessible to everyone due to the lack ofphysical restrictions, and (ii) the limited and unreplaceablepower resource is a new target of attack for wireless sensornetworks.
In the context of communications across a wireless sensornetwork, authentication includes node or sender authentica-tion and data authentication. Node authentication enforcesaccess control and prevents unauthorized nodes from par-ticipating in the network. Communications are limited toonly authorized node. Legitimate nodes should have thecapability to detect messages from unauthorized nodes andreject them. Data authentication enables the integrity ofdata messages to be verified. If an adversary modifies amessage from an authorized sender while the message is intransit, the receiver should be able to detect this tampering.Authentication ensures altering of the transmitted messagebe detected.
B. Confidentiality
Data confidentiality means keeping information secretfrom eavesdroppers and unauthorized parties. It is typicallyachieved through data encryption with a shared secret keythat only intended receivers possess. Data encryption isespecially important for wireless communications. This isbecause wireless circuits are easier to "tap" than their hard-wired counterparts. The stronger the cipher, the harder it isfor unauthorized people to break it. However, as the strengthof encryption/decryption increases, so does the cost.To save the precious battery power, meanwhile address
the security requirements for different wireless sensor net-works, LLSP is designed to support multiple cryptographicalgorithms with different security parameters.
C. Replay Protection
Replay protection is the mechanism to ensure a receiverthat the received message is fresh and has never beentransmitted previously. Since wireless communications isa broadcast medium, the adversaries can easily eavesdroplegitimate messages sent between authorized nodes. For thereplayed message, unless there is a method to detect thatthe message is indeed a replay, the same receiver shouldaccept it again.A typical method to combat message replay is to include
a monotonically increasing counter with every messageand reject messages with old counter values. However,the power consumption for data transmission is generallyvery high. As an example, for Mica mote, transmission
2 of 6
of one bit consumes about as much power as executing800-1000 instructions [6]. Therefore, we propose that eachcommunication node maintains a 4-byte counter for eachnode within its direct communication (one hop) range. Thecontents of the counter is the last value of the sender itreceived from a particular sender.
III. SECURITY PRIMITIVES
The severely constrained resources of the wireless sensornodes differ from other distributed systems in importantways and many preconceptions about network security mustbe discarded. The wireless sensor nodes have very littlecomputational power, which is generally inadequate forpublic-key cryptosystems. The limited RAM in the nodesand the precious energy makes fast symmetric ciphers,which are orders-of-magnitude cheaper and faster thanpublic-key cryptosystems, the only option.A common solution for achieving message authenticity
and integrity is to use a message authentication code(MAC). A MAC can be viewed as a cryptographicallysecure checksum of a message. Computation of a MACrequires a shared secret key between the authorized senderand receiver, and this key is part of the input to a MACcomputation. The computed MAC is appended to the mes-sage packet to be transmitted. The receiver sharing the samesecret key can recompute the MAC in the same way andcompare it with the received MAC value. If the two areequal, then the receiver accepts the packet and rejects itotherwise.The computation of a MAC is easy, however, it is
computationally infeasible to forge it without the secret key.This implies that any modification of a valid message by anadversary will result in a different MAC value detectableby the authorized receiver of the message.
Message confidentiality is another major security serviceachieved through data encryption. For WSNs networks,only fast, efficient and well-studied cryptographic algo-rithms should be used as the security module to achievethe security goals.An initialization vector (IV) will also be used to achieve
semantic security [7] - encrypting the same plaintext twotimes should give two different ciphertexts. Semantic secu-rity can effectively eliminate playback and confidentialityattacks.
IV. SECURITY PROTOCOLS DESIGN
Sensor networks rely on wireless communications that ismore vulnerable to security attacks than its wired counter-part [5] due to lack of inherent physical security properties.
In broadcast medium, anybody with a wireless receivercan be an adversary and eavesdrop on, intercept, inject,and alter transmitted data. In addition, adversaries may useexpensive radio transceivers and powerful workstations andinteract with the network from a distance since they are notrestricted to using sensor network hardware.
Sensor networks are also vulnerable to power consump-tion attacks. Adversaries can repeatedly send packets to thesensor networks to consume the sensor nodes' preciousbatteries which will shorten the lifespan of the batter-ies and also waste the network bandwidth. In addition,the traditional security protocols are primarily end-to-endprotocols, while the dominant communication pattern insensor networks is many-to-one, with many sensor nodescommunicating sensor readings or network event over amultihop topology to a central base station. These sensornodes often witness the same or correlated event. Therefore,in-network process such as aggregation and redundant dataelimination can reduce traffic and save battery power [8],[9]. This implies that the intermediate nodes should haveaccess to the contents of the message and the end-to-endsecurity protocols are unlikely to be used.
Motivated by these observations, in this paper, wepropose a link-layer security protocol (LLSP) for sensornetworks. While permitting in-network processing, link-layer security mechanisms also guarantee the authenticity,integrity, and confidentiality of messages between neighbor-ing nodes and detect unauthorized packets when they arefirst injected into the network.
A. Message Integrity and Authentication
LLSP provides message integrity and authentication ser-vices that can effectively eliminate security attacks suchas selective message forwarding, sinkhole attacks, directeddiffusion, and general routing attacks. Message integrityand authentication service can be achieved using a messageauthentication code (MAC). MAC is a commonly usedlow-complexity solution for achieving authentication andintegrity of information transmitted over or stored in anunreliable medium. A MAC is essentially a cryptograph-ically secure checksum of a message. The security of aMAC is generally based on a cryptographic hash functionin conjunction with a secret key shared between the senderand the receiver [10]. The MAC for a message m can berepresented as
MACn = H(k, mIICtr), (1)
3 of 6
where k is the shared secret key between the sender andthe receiver, Ctr is the counter value described in SectionIV-B and H is a secure hash function [10], which impliesthat for a given m, it must be hard to find another possiblemessage m' such that
H(k, m') = H(k, mr Ctr).
Before a sender transmits a message m, she computeMACr. Since the receiver also has the secret key k, hecan recompute MAC,, in the same way that the sendercomputes it. The two values should be equal. If theyare equal, the receiver accepts the packet and rejects itotherwise. The hash function implies that if an adversaryalters a valid message or injects a bogus message, he cannotcompute the corresponding MAC value, therefore, thesemessages will be rejected by the authorized receiver.
The security of a MAC is directly related to the length ofthe MAC. In conventional security protocols, the sizes thathave been used include 8, 10, 12, 16 and 20 bytes [11].However, it has been argued in [12] that in WSNs, thechoice of a 4-byte MAC may be adequate. The basic ideais that for a 4-byte MAC, the probability for a blind forgingto be valid is 1 in 232. This means that an adversary needs torepeatedly try about 231 times in order to get a valid MAC.Note that whether or not a blind forgery is valid has to bedetermined by the authorized receiver on-line. This meansthat the adversary has to send about 231 packets beforehe can succeed at forging the MAC for a single maliciouspacket. Though this number may not be large enough forconventional systems. It might be enough for WSNs sincethe low application bandwidth on a single shared channel.As an example, the representative Mica2 sensor node thatfeatures a low-powered radio from Chipcon can deliverup to 19.2 Kbps application bandwidth on a single sharedchannel and with a range of up to around hundred meters.At this speed, one can only transfer 40 forgery attempts persecond. Therefore, the transmission of 231 packets wouldtake over 20 months. In fact, at full power, the Mica2 sensornode can run for only two weeks or so before exhaustingits batteries, which exceeds the battery life by more than40 times.
To be conservative, a longer MAC can be used. However,it comes with excessively more power budget. For Mica2,the transmission of one bit would consume about as muchpower as executing 800-1000 instructions [6].
B. Replay Protection
Replay protection is a difficult problem when there isonly a limited number of states that each node keeps. An ad-versary replays a legitimate message that he eavesdroppedat an early time sent between two authorized nodes. Unlessthere is a record of the previously transmitted messages,the same message from an authorized sender should beaccepted again. On the other hand, the large number ofnodes in WSNs makes it impractical for a node to keep acounter for each node in the WNSs. However, if a nodehas knowledge of the network topology and power-efficientrouting, then counters are only necessary for the nodesthat directly communicate with this node, and the numberof such nodes can be small. It is practical for a node tomaintain a counter for each node that directly communicateswith it.
In LLSP, each communication sender and receiver pairmaintain a synchronous 4-byte counter updated througha feedback shift register (FSR) shown in Figure 2. Inaddition to security, this design also enables power savingas described in Section IV-D.
C. Message Confidentiality
For wireless communications, anybody with a wirelessreceiver can be an adversary and eavesdrop on, intercept,inject, and alter transmitted data. While injection and al-tering of a message can be effectively detected througha MAC, data encryption service is needed to achievedata confidentiality. In LLSP, we propose that AdvancedEncryption Standard (AES) with a mode of operation whichis essentially a combination of the cipher block chain (CBC)mode and the counter (CTR) mode as shown in Figure 3.
To achieve semantic security [7], that is to prevent theadversaries from learning even partial information about themessage that has been encrypted, a unique initializationvector (IV) is needed for each encryption, where it isthe counter value at time instance t. Depending upon thesecurity requirements and the battery lifespan, to ensurethe uniqueness of the IV for each packet, the size of theIV can vary from 4 bytes to 16 bytes concatenated with theexisting header fields: SrcIlDes, where Src and Des arethe addresses of the sender and the receiver respectively.This design allows a short dynamic IV be used since therequirement of global repetition in this case is equivalentto the local repetition.
4 of 6
Figure 2. The structure of a feedback shift register for initialization vector.
Counter value it-
Cl
PN
CN-1j
C2 CN
Figure 3. Counter encryption mode.
D. Message Packet Format
In LLSP, to reduce power consumption without decreas-ing security, we propose a method that can reduce 2 bytesof communication overhead for each message packet. Thepower saving for each packet is equivalent to executingof 12800-16000 instructions when applied to Mica2 [6].The main idea is that instead of transferring the counter
values in the message packets, each communication senderand receiver pair maintain a synchronous counter generatedthrough a feedback shift register (FSR) shown in Figure 2.
Header
MAC(4)
Figure 4. Message Packet Format.
The proposed message format is given in Figure 4. Notethat even though the counter values do not need to betransferred, the MAC must be generated with the counter
value concatenated. Equation (1) can be expressed in more
detail as follows:
LLSP allows the receiver to determine the number oflost message packets based on the correct counter valuethat generates the MAC. It should also be pointed out thatin Figure 4, the MAC is not encrypted, this design enablesthe receiver to determine the authenticity of the message
with minimum power consumption since the decision can
be made without requiring decryption of the data packet.
V. KEYING MECHANISMS
Keying mechanisms determine key management issuesthroughout the wireless sensor network. It consists of howcryptographic keys are distributed, shared and updated.The appropriate keying mechanism for a particular net-
work depends on several factors such as the target threatmodel, the networking and security requirements of ap-
plications, and ease of use. The general discussion ofkeying mechanisms are out of the scope of this paper.
However, the tradeoffs among different keying mechanismsin sensor networks, including single network-wide keying,link keying and groups keying, are compared in Table 1.
VI. EVALUATION
MAC =H(K,Dest |AMI Len lSrc| CtrI Data), (2)
where Des t is the destination identity, AM is the activemessage handler type [13], which is similar to the portnumber in TCP/IP. The AM type specifies the appropriatehandler function to extract and interpret the message on thereceiver, Len is the data length, Src is the source address,Ctr is the counter value and Data is the sensor readingsor other information.
A. Security Analysis
Wireless communications are more security susceptibleto link attacks and mobile nodes compromise. Sensor net-
works are also vulnerable to resource consumption attacks.LLSP focuses on the three most important data securityservices, including authenticity, integrity, and confidential-ity. LLSP does not limit the cryptographic algorithms thatcan be applied to achieve these security services, yet it
5 of 6
K
TABLE I
A SUMMARY OF DIFFERENT KEYING MECHANISMS FOR LINK-LAYER SECURITY [12]
is strongly recommended that only well-known symmet-
ric cryptographic algorithms be applied to ensure sensor
network security and implementation efficiency. It is alsorecommended that cryptographic algorithms with config-urable security parameters be integrated so that the same
design can be applied to various sensor networks that havedifferent security objectives and available system resources.
B. Performance Analysis
Similar to other security protocols, LLSP increases thecomputational cost and power consumption for packet trans-
mission. The selection of fast symmetric cryptosystemsensure only a modest increase in process and RAM. Figure4 shows that the overall packet header for LLSP is onlyabout 10 bytes when both authentication and encryption are
provided. However, even for non-security mode, Des t, AM
and Len are necessary and their size is 4 bytes. Generally,the minimum cyclical redundancy checking (CRC), suchas CRC-16, is also necessary. In order to do this, thesource address should be specified in the message packetwhich contributes to at least another 1 byte. In summary,
the overall message header size for the non-security modeshould be 7 bytes and that the overall size increase for thesecurity mode is only about 3 bytes, or only 10% of thedata packet size, which is a very modest increase.
VII. CONCLUSION
Wireless sensor networks have great potential to bebroadly adopted to create revolution in health care, bioim-plantable devices, environmental monitors (making air la-beling a reality), wireless networks (wearable networks andPCs), homeland security and in many other areas. However,security of wireless sensor network can be a great barrierfor these applications to ensure the integrity of data commu-nications. LLSP addresses security in sensor nodes whereenergy and computation power present significant resource
limitations. LLSP relies on cryptographic primitives thathave undergone a broad public scrutiny in the securitycommunity for many years. The proposed link layer security
protocol is simple enough to be integrated into the existingapplications with a minimal application overhead.
REFERENCES
[1] D.M. Aslam, K. Najafi, K.D. Wise, and T. Zellers. Poly-carbon nano- and micro-technologies for wireless integrated micro-systems. In Proc. COMS 2002, Ypsilanti, MI, 2002.
[2] C.-Y. Chong and S.P. Kumar. Sensor networks: evolution, oppor-
tunities, and challenges. Proceedings of the IEEE, 91:1247-1256,August 2003.
[3] B. Warneke, M. Last, B. Liebowitz, and K.S.J. Pister. Sensornetworks: evolution, opportunities, and challenges. Computer,34:44-51, January 2003.
[4] X. Zhu, D.M. Aslam, Y. Tang, B. Stark, and K. Najafi. The fabrica-tion of all diamond packaging panels with built-in interconnects forwireless integrated micro-systems. IEEE J. Micro Electro Mechan.Sys, 13:396-405, 2004.
[5] Tongtong Li, Jian Ren, Qi Ling, and Weiguo Liang. Physical LayerBuilt-in Security Analysis and Enhancement of CDMA Systems.In Proc. Conference on Information Sciences and Systems, 2004.
[6] J. Hill, R. Szewczyk, S. Hollar A. Woo, D. Culler, and K. Pister.System architecture directions for networked sensors. In Proceed-ings ofACM ASPLOS IX, November 2000.
[7] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concretesecurity treatment of symmetric encryption: Analysis of the desmodes of operation. In Proceedings of 38th Annual Symposium on
Foundations of Computer Science (FOCS 97), 1997.[8] S.R. Madden, M.J. Franklin, J.M. Hellerstein, and W. Hong. Tag:
A tiny aggregation service for ad-hoc sensor networks. In TheFifth Symposium on Operating Systems Design and Implementation(OSDI 2002), 2002.
[9] S.R. Madden, R. Szewczyk, M.J. Franklin, and D. Culler. Sup-porting aggregate queries over ad-hoc wireless sensor networks. InWorkshop on Mobile Computing and Systems Applications, 2002.
[10] National Bureau of Standards. FIPS Publication 197: AdvancedEncryption Standard (AES). http://csrc.nist.gov/publications/fips/fipsl98/fips-198a.pdf, March
2002.[11] H. Krawczyk, M. Bellare, and R. Canetti. RFC2104: HMAC:
Keyed-Hashing for Message Authentication. http://www.rfc-editor.org/rfc/rfc2104.txt, February 1997.
[12] C. Karlof, N. Sastry, and D. Wagner. Tinysec: A link-layer securityarchitecture for wireless sensor networks. In SenSys'04, 2004.
[13] P. Buonadonna, J. Hill, and D. Culler. Active message communica-tion for tiny networked sensors. http: www. tinyos .netpapers/ammote.pdf.
6 of 6
Keying Mechanism T Benefits I Costs
Single key Simple; easy to deploy; supports passive participation Not robust to node compromiseand local broadcastGraceful degradation in the presence of compromised Needs a key distribution protocol; prohibits passivenodes participation and local broadcastGiraceful degradation in the presence of compromised Requires key distribution; trades of robustness to node
Group keys nodes; supports passive participation and local broad- compromise for added functionalitycast
