Upload
dangthuy
View
220
Download
3
Embed Size (px)
Citation preview
Communication Security in IEEE802.15.4 and ZigBee Networks
Communication Security in IEEE802.15.4 and ZigBee Networks
Page 2
Outline
• About Ventocom
• Security: objective, benefits, means
• Recall: relationship between IEEE 802.15.4 and ZigBee
• Security in IEEE 802.15.4
• Security in ZigBee
• Application example: the ZigBee Health Care profile
� Facilitates a good understanding of potential security implementations and
designer’s choices (for both 15.4 and ZigBee)
Page 3
About Ventocom
• Ventocom offers end-to-end engineering services
• Specializing in IEEE 802.15.4 and ZigBee applications since 2004
• Typical projects
� Requirement specifications
� Electronics and RF design
� Embedded and PC applications
� Test design and implementation
Page 4
Security: Objective, Benefits, Means
• Objective
� Establish confidentiality
� Authenticate information
• Benefits
� Infrastructure providers: avoid theft of service
� Solution providers: ensure safe use of devices
� Users: maintain privacy
• Means
� Encryption of transmitted information
� Integrity check of transmitted information
� Key distribution and management (not by 15.4, but ZigBee)
Page 5
Recall: IEEE 802.15.4 and ZigBee
IEEE 802.15.4 Physical Layer
IEEE 802.15.4 MAC Layer
ZigBee Network (NWK) Layer
ZB Application Support (APS) Layer ZDO Management
Plane
ZigBee Device Object(ZDO)
ApplicationObject #1
ApplicationObject #240
Security
Service
Provider
PD-SAP PLME-SAP
MLDE-SAP MLME-SAP
NLME-SAPNLDE-SAP
MLME-SAP
APSME-SAP
APSDE-SAPAPSDE-SAPAPSDE-SAP
ZDO public IF
Security
Management
Message
Broker
Routing
Management
Network
Management
Security
Management
Message
Broker
Reflector
Management
…
…
ZigBee does not use 15.4
security
Applications using
15.4 only can
optionally be
provided security
Security at
application layer is not
part of
presentation
Page 6
IEEE 802.15.4 Security: Regular Operation
• IEEE 802.15.4
� Without ZigBee (or similar) routing layers: capable of forming star networks
� Consists of PHY (radio) and MAC layer (medium access)
• Basic encryption algorithm: Advanced Encryption Standard (AES)
� Symmetric encryption: encryption and decryption rely on the same key
� Open, well-tested, freely available encryption system
� Known attacks on AES are brute-force
� NIST standard since 2000
• 15.4 allows to use either encryption, integrity checking, or both
� Security processing performed at MAC layer
� Security processing includes frame counters to avoid replay attacks
• No explicit support of distribution of encryption/authentication keys
� Subsequent slides offer a number of pointers…
Page 7
ZigBee Security: Regular Operation
• ZigBee
� Capable of forming mesh networks – routing alternatives
� Consists of NWK, APS, and profile layers
• Basic encryption algorithm: Advanced Encryption Standard (AES)
� Symmetric encryption: encryption and decryption rely on the same key
� ZigBee does not use IEEE802.15.4 security (MAC frames will not be secured)
• ZigBee allows to use both encryption and integrity checking
� Encryption and authentication: CCM* mode of AES
� Security processing performed at NWK and/or APS layer
� Security processing includes frame counters to avoid replay attacks
• Some support for the distribution of encryption/authentication keys
� Standard-defined services include key derivation, key transport, key update
� Centralized trust center (for example, ZigBee coordinator) responsible for the decision to admit joining device into network, key setup
Page 8
ZigBee Security: Regular operation
• Basic encryption algorithm: Advanced Encryption Standard
� Symmetric encryption: encryption and decryption rely on the same key
� Open, well-tested, freely available encryption system
� NIST standard since 2000
• ZigBee uses CCM* mode of AES
� Provides both encryption and authentication (message integrity check)
• Further facts:
� Security processing includes frame counters to avoid replay attacks
o Garage door scenario
� Responsibility of frame security rests with originating layer
o NWK layers secures network frames
o APS layer secures APS frames
� Many 15.4/ZigBee ICs offer AES accelerators for fast security computations
� As symmetric encryption requires key knowledge at both source and sink: necessity of key configuration and distribution (see next slides)
Page 9
SYNCPHY
HDR
MAC
HDR
NWK
HDR
APS
HDR
Auxiliary
HDR
Encrypted
APS PayloadMIC
Application of security adds
Auxiliary Header and Message Integrity Check (MIC)
Entire APS frame (APS Header, Aux Header
and Payload) will be integrity protected
SYNCPHY
HDR
MAC
HDR
NWK
HDR
Auxiliary
HDR
Encrypted
NWK PayloadMIC
Entire NWK frame (NWK Header, Aux Header
and Payload) will be integrity protected
ZigBee Security: Frame Formats
• Security processing adds additional information to frames (Auxiliary header, MIC)
• Additional information causes throughput penalty of 10-20%
APS Layer
NWK Layer
Page 10
ZigBee Key Types
• Network key: global key, known to all devices in a network� Used for secure communication at the NWK layer
� Can be pre-configured
� Can be changed in two steps: 1) key transport 2) update
• Link key: specific only to a pair of nodes� Used to secure communication at the APS layer
� Can be pre-configured, can be changed
• Master key: shared secret, used to derive link keys (via SKKE)� Not used for communication
� Used to derive shared secret (link key) from shared secret (master key)
� For example, used to establish link with between joiner and trust center
� Can be pre-configured, is not usually changed
Page 11
Encryption Keys: Standard Pre-Configuration Options
Open transmission of master, APS (link) or NWK
key – note: period of vulnerability!
No pre-configurationOption #4
Master key is used to establish TC link key
Joiner securely retrieves active NWK key using
TC link (APS) key
NWK and APS keys arbitrary (may change) until
device joins
Joiner has TC master
key and TC address
Option #3
Joiner securely retrieves active NWK key using
TC link (APS) key and TC address
NWK key may change between configuration
and join (but not the TC link – APS – key)
Joiner has trust center
(TC) link key and TC
address
Option #2
NWK key may not change after pre-configuration
until device has joined
Joiner has active
NWK key
Option #1
Page 12
ZigBee Security: Can you trust it?
Single-package radios limit attack options
Yet low-cost devices do not offer temper-
proof hardware
Un-configured devices: brief initial
vulnerability due to open key transmission
…the trust in the secure processing and
storage of security material
ZigBee-certified platforms have been
tested for errors in the security
implementation
…the trust in the security implementation
The level of security depends on…
• Note: the trust level does not depend on strength of encryption algorithm
� AES is considered secure
� Known attacks can still be considered “brute force”
Page 14
Application Example: ZB Health Care Profile
• Health Care profile:
� Defines profiles for assisted-living and low-acuity monitoring applications
� Applications include pulse oximeter, glucose meter, fall detector, …
� Defines optional application-level security (not in the focus of this presentation)
� Good example where security is definitely required, and needs to be set up even in disadvantageous deployment scenarios
• HC profile defines three deployment scenarios
� Service provider scenario
� In-house commissioning scenario
� Consumer scenario
• Deployment scenarios: good illustrations of alternatives for key setup
� Therefore further discussed subsequently
Page 15
Application Example: Security Startup Attribute Values
• HC profile defines attribute values common to all deployment scenarios
• Attributes with application to security include:
Value still needs to be
determined by HCP team
XYZPre-configured link key
Device is not to use
unsecure join as fallback
FALSEUnsecure Join attribute
Set as “unspecified”0Trust Center master key
RemarkValueAttribute
Page 16
Application Example: Service Provider Scenario
• Service provider: has control over devices and network operation (example: patient monitoring services in hospital / senior citizen home with assisted living services)
Before delivery to customer
Delivery
Commissioning
Join Procedure
Binding
Commissioning prior to delivery:Extended PAN ID (customer PAN ID)
Trust Center NW address
Pre-configured Trust Center link key
Network key 0 (remains unspecified)
Trust Center needs to be made aware
of joining device (out-of-band, for
example via secure Internet connection)
No additional commissioning required on-site
Joining the network:
1) Device scans for network with right EPID, joins (15.4 level), receives
short address (unauthenticated join)
2) Device communicates with TC using pre-configured TC address and TC
link key (authenticated join)
3) Device securely acquires active network key from TC
Subsequently: necessary binding steps (not related to security)
Commissioning prior to delivery:1) Extended PAN ID (customer PAN ID)
2) Trust Center address
3) Pre-configured Trust Center link key
4) Network key 0 (remains unspecified)
Page 17
Application Example: In-house Commissioning Scenario
• Network owner has its own secure commissioning facility, configuring the devices with all the information needed to securely join network and work together
Before delivery to customer
Delivery
Commissioning
Join Procedure
Binding
Commissioning for commissioning cluster:1) EPID 0x0050c27710000000 – commissioning
cluster EPID (reserved by ZigBee alliance)
2) Trust Center address: 0 (unspecified)
3) Network key 1 (commissioning NWK key)
Commissioning at commissioning facility:1) Device turned on, joins commission network
2) Commissioning tool – sets target EPID, target short address,
NWK key 0 (unspecified), pre-configured TC link key
Joining (note – same procedure as in service-provider scenario):
1) 15.4 level join
2) TC communication using TC link key
3) Secure acquisition of active NWK key
Subsequently: necessary binding steps (not related to security)
Trust Center needs to be made aware
of joining device (out-of-band, for
example via secure Internet connection)
Commissioning network
should be shielded from
eavesdroppers; or out-of-band commissioning
Page 18
Application Example: Consumer Scenario
• Consumer scenario is applicable for small network, devices from multiple vendors, and where the installation will be done by the “operator”
Before delivery to customer
Delivery
Commissioning
Join Procedure
Binding
Consumer purchases device with settings:
1) EPID unset
2) Trust Center address: 0 (unspecified)
3) Network key 0 (unspecified)
No commissioning will be done by the customer
Joining the network:
1) TC is set to allow nodes to join, for a short period (for example,
by pressing a button)
2) The new device is instructed to join (for example, by pressing a
button)
3) New device uses the pre-configured (default) link key (see page
13) to acquire EPID, active NWK key, operational TC link key
Subsequently: necessary binding steps (not related to security)
Brief period of vulnerability: execute join at very low power, requiring devices to be held close
together, mitigating the risk of eavesdropping
Page 19
Summary: HC Profile Security Setup
• Recall: ZigBee offers at least four pre-configuration options
� Pre-configuration with master key
� Pre-configuration with TC address and TC link key
� Pre-configured network key
� Un-configured device
• The HC profile standard makes use of two of these options
� Option TC address, TC link key used (high security) used at first “service provider”and “in-house commissioning” scenarios
� Un-configured option used in “consumer” scenario
• HC Profile: good illustration of alternatives to establish key configurations in different deployment scenarios
Page 20
Wrapping Up
• Security is an essential building block for 15.4 and ZigBee networks
� To repel network intruders and to avoid theft of service
� To protect confidential or personal information
• IEEE 802.15.4 and ZigBee share similar “operational” security based
on the Advanced Encryption Standard (AES)
� Symmetric cryptography
� Most 15.4/ZigBee ICs offer corresponding accelerators
• ZigBee offers different configuration procedures for key setup
� Users can trade the level of trust vs. the configuration effort
• Different key setup procedures were illustrated using the ZigBee
Health care profile