Security Tradeoffs in NEST Dec 16, 2003

1
Security Tradeoffs in NESTDec 16, 2003

• C. M. Krishna, I. Koren, A. Ganz,
• C. Andras Moritz (presenter)
• University of Massachusetts, Amherst
• K. G. Shin
• University of Michigan
• Y.-H. Lee
• Arizona State University

2
Administrative

• Project Title Security Tradeoffs in NEST
• Program Manager Vijay Raghavan
• PI Name(s) C. M. Krishna, Y.-H. Lee, K. G. Shin,
  A. Ganz, I. Koren, and C.A. Moritz
• PI Phone Number(s) (413) 545-0766
• PI E-Mail Address(es) krishna_at_ecs.umass.edu
• Company/Institution Univ of Massachusetts at
  Amherst, Univ of Michigan, Arizona State
  University
• Contract Number F33615-02-C-4031
• Award Start Date 9/9/2002
• Award End Date 9/9/2004
• Agent Name/Organization Juan Carbonell,
  Wright-Patterson Air Force Base.

3
Subcontractors and Collaborators

• Subcontractors
• University of Michigan
• Arizona State University
• Collaborators
• University of Virginia
• BBN
• UC Berkeley
• SRI

4
PI Name Affiliation
Security Tradeoffs in NESTUniversity of
Massachusetts University of Michigan Arizona
State University
Problem and Challenge
New Ideas
System Constraints
Application Needs
Security Requirements

• Adapting security level of each task to
  application requirements and system constraints.
• Security broker to select the appropriate
  security protocol.
• Fault-tolerance and performance integrated with
  security

• SERVICES
• Security Broker
• Power Management
• Failure Handling
• Intrusion Detection

• Other Services
• Allocation
• Scheduling
• Routing
• .

Middleware
TinyOS
Impact
Schedule

• Q4FY03
• Encryption mechanisms
• Incorporating fault-tolerance
• Intrusion detection
• Secured wireless protocol
• Q2FY04 - Security Broker
• Q2FY04 - IV Manager
• Q3FY04 - Software prototype
• Q4FY04 - Experimentation validation

• Ensures appropriate levels of security for
  application needs.
• Integrates security with performance,
  reliability, power requirements and constraints.
• Enables dynamic adjustments as needs and resource
  availability change.

5
Problem Description/Objective

• NEST needs an integrated framework for a secure,
  resource-constrained system
• To preserve resources, it needs to dynamically
  determine appropriate security actions, given
• Application assurance requirements
• System state and configuration
• Operating environment (such as benign or hostile)
• Our project will enable NEST to
• Ensure appropriate security levels
• Integrate security with performance, power, and
  reliability
• Permit dynamic adjustments as needs/resources
  change

6
Key Project Directions

• Manage Security Actions/Levels Security Broker
• Coarse-grained Pre-deployed security services
• Fine-grained embedded Initialization Vector (IV)
  Manager
• Manage Key Updates
• Lightweight Security Protocol (LiSP)
• Provide Reliable Security
• Detect if faults are injected or naturally
  present
• Security- and Power-Aware Routing/Transmission
• Adapt routing by adjusting transmission
  range/power

7
Presentation Outline

• Brief Overview of Techniques Implemented
• Update on Security Broker
• Security service composition
• Embedded IV Manager
• Application Waking Up Big Brother
• Project Status, Success Criteria, Plans,
  Schedule, Milestones, Technology Transfer

8
Presentation Outline

• Brief Overview of Techniques Implemented
• Update on Security Broker
• Security service composition
• Embedded IV Manager
• Application Waking Up Big Brother
• Project Status, Success Criteria, Plans,
  Schedule, Milestones, Technology Transfer

9
Lightweight Security Protocol (LiSP)

• Motivation
• Periodic key updates are necessary
• Frequent key exchange, retransmissions (due to
  unreliable media) and acknowledgements consume
  significant power
• Solution
• Provide lightweight key update (to maximize
  sensor lifetime) by exploiting information
  redundancy in key sequences
• Summary Results
• Implicit authentication for new keys, easy
  recovery of keys, no retransmissions
• Resource consumption relatively low less than 3
  hash computations even when more than 40 of the
  temporary keys are compromised or lost.

10
Fault Detection

• Motivation
• Faults compromise security may be maliciously
  injected by an attacker to probe the system and
  extract the secret key
• Faults should be detected to avoid transmission
  of erroneous messages
• Solution
• Check-bit prediction developed for RC5, AES
• Detect faults to block output of erroneous
  results
• Summary Results
• All single bit failures detected
• Most of the multiple faults detected with the
  4-bit parity and Residue-15 codes percentage
  undetected faults less than 1

11
Transmission Scheme Tradeoffs

• Motivation
• Radio communication is very energy-intensive
• If multi-hop forwarding is used, nodes close to
  the base station can rapidly deplete their
  batteries reaching directly to BS requires high
  transmission power
• The network lifetime limited by the nodes with
  maximum power consumption
• Solution
• Move hotspot from innermost annulus
• Probabilistic traffic balancing
• Forward packets with probability
• Transmit packets directly (high power) to the BS
  with probability
• Summary
• Approach prolongs sensor network lifetime (power
  saving depends on size of network, maximum range,
  density)

12
Presentation Outline

• Brief Overview of Techniques Implemented
• Update on Security Broker
• Security service composition
• Embedded IV Manager
• Application Waking Up Big Brother
• Project Status, Success Criteria, Plans,
  Schedule, Milestones, Technology Transfer

13
Security Broker

• Motivation
• Different applications require different security
  services
• Different environments (external/internal)
  require different levels of security provision
• Resource-limited devices cannot afford to
  overprovision
• No one-size-fits-all solution exists
• Objective Maximize sensor lifetime by providing
  applications just enough security protection

14
Approach

• Pre-deploy security components at the link layer

• Runtime service composition
• aspects of security concerns (e.g., integrity,
  confidentiality, replay attacks)
• levels of security provision (e.g., encryption
  algorithm, rounds, block size)
• react adaptively (external/internal requirements)
  

15
Packet Format Security Encoding
X1 and X2, is used to represent the
strength of the cipher used.

• Security Composition ID (SCID)
• C Confidentiality
• I Integrity
• S Semantic security with implicit counter
  
• R Replay protection
• 0000, then no security service is provided

16
Energy Comparison

• SenseToRfm application with 8 byte payload
• Picking a lower level of security can
  significantly prolong the network lifetime
• 31.4 savings for Confidentiality only
  (CISR1000)
• 22.2 savings for Integrity only (CISR0100)
• 18.6 saving for Confidentiality and Integrity
  (CISR1100)

17
Embedded IV Manager

• Part of Security Broker
• Motivation
• Semantic security and defense against replay
  attacks often requires using an Initialization
  Vector (IV) with every packet
• IVs consume a substantial amount of bandwidth
  (bits transmitted)
• Most power is consumed during communication, thus
  IVs increase power consumption significantly
• Objective
• Maximize sensor lifetime by providing
  applications embedded (vs. explicit) semantic
  security protection

18
How does it work?

• Setup IV once per session
• Embed IV in the encryption of checksum after
  setup
• No explicit IV is sent
• IV is calculated from the checksum at the
  receiver
• Receiver uses difference between its expected IV
  and received IV to accept or reject packets
• To counter packet loss and out of order packets
• Allow outstanding IVs, but only within a
  predefined window
• Two consecutive IVs ahead of window indicate
  synchronization loss and trigger resetting IV at
  the receiver (to next expected IV)

19
At the Sender
EK1,IV(M)
20
At the Receiver
21
Results and Benefits

• Trades transmission power with computation
• 23 energy reduction possible

22
Demonstration

• We add security services to the Waking Up Big
  Brother application
• Developed by J. Stankovic, T. Abdelzaher
  (Virginia) and B. Krogh (CMU), et al
• Application is based on ad-hoc sensor network
  that tracks intruders in a field and wakes up
  SOCOM sensor (Big Brother)
• A sentry-based aggressive power management scheme
  is used only sentry motes are awake, other
  motes are in sleep mode to preserve battery power
• Our contributions
• Incorporate security services
• Show defense against various security attacks
• Show security - resource consumption tradeoffs
• Port application to TinyOS 1.1

23
Phase I
24
(No Transcript)
25
Phase I
26
Presentation Outline

• Brief Overview of Techniques Implemented
• Update on Security Broker
• Coarse-grained services
• Fine-grained embedded IV Manager
• Application Waking Up Big Brother
• Project Status, Success Criteria, Plans,
  Schedule, Milestones, Technology Transfer

27
Project Status

• We are currently on target on milestones proposed
• Initial version of Security Broker
• LiSP demonstrated
• Fault detection in encryption completed
• Integration of security services into Waking Up
  Big Brother application started
• Simulation-level integration working
• Demonstration on motes with all middleware
  security techniques is work in progress

28
Goals and Success Criteria

• Goals
• Ensure appropriate security levels and prolong
  sensor network lifetime
• Integrate security with performance, power, and
  reliability
• Success criteria
• Software prototype (security services) integrated
  and demonstrated with one application
• Security capabilities for various attack
  scenarios and power saving demonstrated

29
Selected Recent Publications

• Taejoon Park and Kang G. Shin, LiSP A
  Lightweight Security Protocol forwireless sensor
  networks,'' ACM Transactions on Embedded Computer
  Systems (in press)
• G. Bertoni, L. Breveglieri, I. Koren, P. Maistri
  and V. Piuri,Detecting and Locating Faults in
  VLSI Implementations of the AdvancedEncryption
  Standard,"  Proc. of the 2003 IEEEInternational
  Symposium on Defect and Fault Tolerance in VLSI
  Systems,pp. 105-113, November 2003.
• Q. Xue, A. Ganz, "Runtime Security Composition
  for Sensor Networks(SecureSense)", Vehicular
  Technology Conference, Orlando, FL, October2003.
   Q. Xue, A. Ganz, "Adaptive Mesh Routing in
  Mesh Wireless LANs",Vehicular Technology
  Conference, Orlando, FL, October 2003.
• G. Bertoni, L. Breveglieri, I. Koren, P.
  Maistri and V. Piuri,Concurrent Fault
  Detection in a Hardware Implementation of the
  RC5Encryption Algorithm,"  Proc. of ASAP'03 -
  the Internl. Conferenceon Application-Specific
  Systems, Architectures and Processors,pp.
  423-432, June 2003.G. Bertoni, L. Breveglieri,
  I. Koren, P. Maistri and V. Piuri,  Error
  Analysis and Detection Procedures for a Hardware
  Implementationof the Advanced Encryption
  Standard,"  IEEE Trans. on Computers, Special
  Issue on Cryptographic Hardware and Embedded
  Systems, pp. 492-505, April 2003.

30
Project Plans

• Demonstrate security services in the Waking Up
  Big Brother application
• Performance goals
• Provide just enough security to reduce power
  consumption
• Up to 35 energy saving depending on security
  attack, channel noise, and application
• How progress will be measured
• Energy security tradeoffs evaluated
• Energy reduction for various scenarios evaluated
• Software prototype of application with security
  middleware (TinyOS 1.1, Mica 2) deployed

31
Project Milestones

• Key 3 tasks remaining
• Security Broker integrated with IV Manager
  (Q3FY04)
• Integration with the LISP lightweight key
  exchange (Q3FY04)
• Incorporate security services into the Waking Up
  Big Brother application (Q4FY04)
• Demonstration event (Q4FY04)
• Security middleware software prototype
  incorporated into the Waking Up Big Brother
  application
• Resource consumption tradeoffs and security
  services demonstrated

32
Overall Project Schedule

• Q1FY03 Evaluation of Encryption Techniques
• Q4FY03 Incorporating fault-tolerance
• Q4FY03 Lightweight security protocol
• Q3FY04 Security Broker with other Integrated
  Middleware Techniques
• Q3FY04 Software prototype
• Q4FY04 Experimentation validation

33
Technology Transfer

• CASA Engineering Research Center
• Collaborative multi-University effort led by
  UMass ECE department
• Intelligent network of radars and sensors
  targeting severe weather prediction and tracking
• Longer term use of information includes air
  traffic controllers, civil defense
• Security aspect is critical

34
Program Issues

• Quality of hardware platform
• Development tools

35
Thank you!
36
(No Transcript)
37
How does it work?

• Temporal keys (TKs) and refresh interval sent to
  sensors for encrypting/decrypting data
• TKs distributed well before their use
• Sensors buffer sequence and generate TKs using a
  cryptographic one-way function TKi H(TKi1)

38
TK Management Steps at Sensors
buffer

• Receive a TK (way ahead of its use)
• Verify authenticity

• Buffer TKk if correct
• Recover missing TK from later TK with help of
  hash function
• Rekey after half the refresh interval to next TK

39
Impact of TK Loss
40
Summary of LiSP

• Resource consumption relatively low less than 3
  hash computations even when more than 40 of the
  TKs are compromised or lost.
• No retransmissions or acknowledgements
• Implicit authentication for new keys
• Easy recovery of lost keys
• Tolerance to clock skews allows us to refresh
  keys on a slightly non-periodic basis

41
Transmission Cost/Tradeoffs

• Possible approaches to deliver information
• Reach directly to BS if in range using
• High-power consumed per transmission
• Transmission power (Pt) law
• a,b are constants a is related to attenuation r
  is range
• Power is increasing exponentially with range
• Multi-hop forwarding
• Total transmission energy declines (due to
  exponentially lower power cost for shorter
  transmissions)
• Channel congestion decreases (due to shorter
  range)
• But, nodes in the inner annuli consume battery
  fast!

42
Devised Transmission Schemes

• P-hybrid probabilistic traffic balancing
  (assume within range)
• Move the hot spot from the inner-most Annulus
• Forward packets with probability
• Transmit packets directly to the BS with
  probability
• T-hybrid combine P-hybrid with threshold
• Transmit first to cells within range
• Use P-hybrid within range
• Evaluation is ongoing work

43
Fault Detection for RC5

• We have focused on four detection techniques
• Type of EDC of redundant bits
  Redundancy
• Word parity 1
  3
• Byte parity 4
  12.5
• Residue 3 2
  6.25
• Residue 15 4
  12.5
• Check-bit prediction schemes were developed for
  all four techniques
• All single bit failures were detected by all four
  schemes

44
Multiple Fault Coverage

• Summary The 4-bit parity and Residue-15 codes
  achieve the highest coverage of multiple faulty
  bits percentage undetected faults less than 1
  in most cases

45
(No Transcript)