Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Mike Ludwig
dresden elektronik ingenieurtechnik gmbh
www.dresden-elektronik.de
Security Framework for IP based
Wireless Sensor Networks
Our framework
Security Framework Concept
Server SideNode Side
WSN
TrustedMediation
LayerEnd-User components
Security Framework Concept
Security Association
State
Identifier
…
Counter
Context
Security Association
State
Identifier
…
Counter
Context
Security Association
State
Identifier
…
Counter
Context
Security Framework node-side
Framework
Security AssociationSecurity
AssociationSecurity Association
Key Management
Security Provider
ModuleModule
ModuleModule
ModuleModuleModule N
Communication Stack
Ch1 Ch2 Ch3 ChX…
Application
Security Framework server-side
Mediation LayerWSN
Business Application
Site
Site
Site
Database
Trust Center
WSN
WSN
Business Application
based on PANA/EAP-PSK
based on a pre-shared secret
as result of an successful authentication a Master Session Key is derived
mediation layer follows two paradigms:
reject messages from not authenticated nodes
forbid business application access to not authenticated nodes
node follows the paradigm:
no communication without authentication
Security Framework – Authentication (AM)
WSN
Trust CenterPANA + Authenticator
EAP-PSK
configures framework modules as well as node application
allows registration of user/module parameter without itself knowing about the
content (Strings, 8-Bit / 16-Bit Integers, …)
Mediation Layer stores parameters per node in database
Security Framework – Parameter Manager (PM)
Database
WSN
Module n
Parameter 1
Mediation Layer
Parameter 2
…
Parameter n
Module n
Parameter 1
Parameter 2
…
Parameter n
Module n
Parameter 1
Parameter 2
…
Parameter n
Module n
Parameter 1
Parameter 2
…
Parameter nNode n
Module 1
Module 2
…
Module n
Node n
Module 1
Module 2
…
Module n
Node n
Module 1
Module 2
…
Module n
application sends (measurements) to and receives (commands) from the DAP
user application does not care about security – done by framework
user application does not care about aggregation – done by the framework
aggregation can be runtime configure via the mediation layer
configured aggregator node aggregates all data from any node
Security Framework – Data Aggregation & Processing
WSN
Mediation LayerGateway
A1 A2
to make management simple (taking wireless routing into account) only the
gateway can be chosen as enforcement point
only legitimate nodes can send data past the gateway towards mediation layer
Security Framework – Network Access Control (NAC)
WSN
Mediation LayerEnforcement
Point
only interprets the SA to process a packet
a firmware update can update existing/introduce new algorithms
Security Framework – Security Provider (SP)
Group Algorithm
Security Framework – Security Provider (SP)
,0
1,0
2,0
3,0
4,0
5,0
AES-128-CBCAES-192-CBC
AES-256-CBC
tim
e in
ms
Encryption Decryption
,0
50,0
100,0
150,0
NIST-P256NIST-B283
NIST-K283
tim
e in
ms
sign verify