1
TinySec A Link Layer Security Architecture for
Wireless Sensor Networks

• Chris Karlof, Naveen Sastry, David Wagner
• UC Berkeley

Summary presented by Gary Woo
2
Outline

• Sensor Networks
• Design goals
• Design
• Analysis
• Implementation
• Evaluation
• Conclusion

3
Sensor Networks

• heterogeneous system combining tiny sensors and
  actuators with general-purpose computing
  elements
• Nodes are low cost and low power
• Applications
• Habitat monitoring
• Burglar alarms
• Medical monitoring
• Emergency response
• Battlefield management

4
Design goals

• Security
• Message integrity (MAC)
• Confidentiality (Encryption)
• Replay protection (Counter/IV)
• Performance
• Increase in processor/RAM demand is bad
• Increase in message length is worse
• Ease of use
• Transparency
• Portability

5
Design

• Modes
• Authentication (TinySec-Auth)
• Authenticated encryption (TinySec-AE)
• Encryption
• Cipher Block Chaining
• IV (8 bytes) formed by destination address,
  Active Message type, length, source, and 2 byte
  counter
• Message Integrity
• MAC computed over entire message

6
Cipher Block Chaining

• All nodes share secret key
• Provable secure when IV not repeated
• Pre-encrypt IV to avoid IV and Plain text
  incremented by 1 leakage
• Ciphertext stealing, min size 8 bytes,
  otherwise same size as plaintext

7
Initialization Vector

• Counters provides 2n 1 packets before reuse
• Random provides 2n/2 packets before reuse due to
  the birthday paradox (for any 23 people two will
  have matching birthdays greater than 50 of the
  time)
• Reuse destination address, active message type,
  and length
• New fields source, 2 byte counter

8
CBC MAC

• Ensures that bits changed in the message will be
  detected
• Reuse of CBC algorithm saves code space
• XORs the encryption of the message length with
  the first plaintext block (uses encrypted message
  length as IV)

9
Packet format

• Early rejection (header not encrypted)
• Replaces 2 byte CRC and 1 byte group field with
  MAC
• TinySec-AE has Src (2 bytes) and Ctr (2 bytes)
  that TinySec-Auth doesnt, which has 1 more byte
  than TinyOS

10
Analysis

• MAC is 4 bytes, 1 in 232 chance of forging
  correctly
• 19.2kb/s channels allows only 40 attempts per
  second (231 attempts will take 20 months!)
• Denial of service, as link will be captured
• Avoids birthday paradox (uses counter)
• Each node can send 216 messages before reuse of
  IV
• CBC mode with IV reuse leaks longest shared
  prefix of the 2 messages (must be same src/dst
  pair, length, AM type)
• Should update keys before reuse

11
Implementation

• Security
• MAC and CBC for encryption
• Performance
• Runs with 728 bytes of ram and 7146 bytes of
  program space
• Ease of use
• Add TINYSECtrue when making code

12
Implementation (cont.)

• Transparency
• Runs at the Link Layer
• Portability
• Distributed with TinyOS

13
Implementation (cont.)

• TinySec implemented in 3000 lines of nesC
• Modified task scheduler (cryptographic operations
  higher priority than others)
• Uses top 2 bits of length selects TinySec mode
• Max payload length is 29 bytes

14
Evaluation

• Increased message length
• Reduces bandwidth
• Increase latency
• Increases energy consumption
• Added cryptography
• Increased computation time
• Increased energy consumption

15
Evaluation (Increased send time)

• Increased send time depends on TinySec mode
• About 1.6 increase for each byte

16
Evaluation (Encryption computation time)

• Byte time must be small
• CBC operates on blocks of 8 bytes
• Rule of thumb less than a few byte times

17
Evaluation (Energy costs)

• Yellow shading shows extra energy costs of
  computing MAC and performing CBC
• Blue shading shows extra energy from increased
  message length

18
Evaluation (Energy costs cont.)

• Increase for TinySec-Auth
• 1 from increased packet length
• 2 from extra computation
• Increase for TinySec-AE
• 6 from increased packet length
• 4 from extra computation

19
Evaluation (Throughput)

• TinySec-Auth performs just as No TinySec
• TinySec-AE performs 6 lower at gt5 senders

20
Evaluation (Latency)

• Increased message length
• TinySec-Auth 1 byte
• TinySec-AE 5 bytes

21
Evaluation (Latency cont.)

• TinySec-Auth increase by 1.1 byte times
• TinySec-AE increase by 4.6 byte times

22
Evaluation (Ease of use)

• No changes needed to higher layers (TinySec is at
  Link Layer)
• Need to modify makefile to enable TinySec
• Current work
• TinyPK (RSA to exchange keys)
• TinyCrypt (elliptical curve cryptography)
• SRIs key exchange
• SecureSenses dynamic security service
• Bosch burglar alarm

23
Conclusion

• TinySec-Auth
• Provides message integrity
• Increases energy consumption by 3
• TinySec-AE
• Provides message integrity and confidentiality
• Increases energy consumption by 10
• Limited gains switching to hardware as increase
  message length is the cause

24
References and Acknowledgements

• Authors electronic version of paper (other
  figures and tables were taken from this
  document)
• http//www.cs.berkeley.edu/nks/papers/tinysec-sen
  sys04.pdf