iot-securityecc-v1
TRANSCRIPT
INTERNET OF THINGS SECURITY
ZigBee Networks 802.15.4 Protocol
Hierarchical Certificate Authority w/ ECC
Abe Arredondo
Luis Stolk
Agenda & Overview
Internet of Things (IoT) Wireless Sensor Networks (WSN)IoT Protocols and ZigBeeMedical Application Network Model ZigBee
Vulnerability ProblemsAlternative from Razouka [3]Our Innovative Idea
Hierarchical Certificate Authority w/ ECC
Internet of Things• Integration of wireless sensors, networks, protocols
technologies, ID’s, objects, etc.• Gartner estimates that by 2020 there will be 30 Billion
devices connected to the IoT [5]
WSN: What is it?
Infrastructure-less Ad Hoc autonomous node network to monitor environmental conditions.
Inexpensive, low power, does not have much processing or storage capabilities
IEEE: 802.15.4, Different Radio, Not TCP-IP [7]Achilles heel is that WSN are battery powered
Myria-Node device
WSN system are distributed decentralized architectures. Usually has a local Base Station (BS) with processing capabilities to make decisions on sensed physical environmental measurements
Internet of Things & ZigBee❖Existing Wi-Fi uses 802.11 and the IoT uses 802.15.4❖Early adopters of the IoT use an 802.15.4 protocol called
ZigBee (initial 2004, Trust Center 2007 & Security) ➢Short range 10 to 100 meters➢Line of sight (Mesh Networks) ➢Low rate data transfers
❖ZigBee security is based on 128 bit Advanced Encryption Standard (AES) Counter Cipher Block Chaining Message Authentication Code (CCM) AES-128-CCM
➢Provides support for public key infrastructure■X.509 v3 certificates■256 Elliptic Curve Cryptography cipher suite
Body Area Network
Medical App
Young Sil Lee [1]
Network Model: Medical Application
Design Goal
Our goal is to design a Confidential, Reliable / Available Fast, and Scalable 802.15.4 network possible
Based On:• Hierarchical Certificate
Authority (CA) wireless gateways
• Elliptic Curve Cryptographic (ECC) algorithm
Zigbee Vulnerability Problem
1) Key Distribution: Over the air or Pre-Installeda) ZigBee High Security: All nodes = E(Master Key)
b) Key Establishment:
i) Symmetric Key Establishment
ii) Certificate-based Key Establishment (X.509)
iii) Alpha-secure Key Establishment
c) ZigBee Standard Security: unencrypted Key over the air
d) Pre-Installed Keys: Manually with Commissioning Tool
2) Frame Counter using ordered sequence of inputs
3) Forward Security: Master and Link Keys are never revoked from sensor exiting a network (like WEP!)
ZigBee Vulnerability Page 2
4) Eavesdropping & Data Manipulation: traffic sniffing, data injection, packet decoding
a) Pre-install methods require re- flashing device to ch key
b) 802.15.4 has no replay protection, ZigBee small imp
c) KillerBee Software & Hardware http://www.willhackforsushi.com
i) AVR RZ Raven USB Stick (RZUSB, $40)
ii) sniff + inject
iii) AT90USB1287 uC w/ AT86RF230 802.15.4 transc
iv) 4 LED's, PCB antenna
Protocols - Trusted Center (~KDC)
Notation: IDA || NA || H [ NA || KRA ]
Pseudo Random # nonce to prevent replay attack
Razouka [3]
~ Key Distribution CenterDB: IDi Node ID KRi Node Private K Ks Session Key
IDA KRA
IDB KRB
Req for AuthN obtain Temp Ks
Hierarchical X.509 CA w/ ECC Venue Domain Wireless IoT GatewayCalculate, Store, & Distribute IoT Directory: IDi Node ID KRi Node Private K Ci Signed Certificate
The ZigBee method: X.509 Certificate-based Key Establishment (CBKE) using the ECC algorithm
IDA KUAuth
ECC
Review Q&A
Internet of Things (IoT) Wireless Sensor Networks (WSN)IoT Protocols and ZigBeeMedical Application Network Model ZigBee
Vulnerability ProblemsAlternative from Razouka [3]Our Innovative Idea
Hierarchical Certificate Authority w/ ECC
References1. An Efficient Encryption Scheme using Elliptic Curve Cryptography (ECC) with Symmetric
Algorithm for Healthcare System. Young Sil Lee, Esko Alasaarela and Hoon Jae Lee. Department of Ubiquitous IT, Dongseo University Graduate School, Department of Electronic Engineering, University of Oulu 47 Jurye-ro, Sasang-gu, Busan, Rep. of Korea FI-90014, Oulu, Finland.
2. A standard compliant security framework for IEEE 802.15.4 networks.G. Piro, G. Boggia, and L. A. Grieco Department of Electrical and Information Engineering (DEI) Email: {g.piro, g.boggia, a.grieco}@poliba.it Politecnico di Bari, Italy
3. New security approach for ZigBee Weaknesses. Wissam Razouka, Garth V. Crosbyb, Abderrahim Sekkakia. Hassan II University, Faculty of science, Dept of mathematics and computer science, 5366, Casablanca, Morocco Southern Illinois University, Dept of technology, Engineering building, 62901, Illinois, USA
4. Zigbee Gateway Patrick Kinney ([email protected]) https://www.zigbee.org/zigbee/en/events/documents/SensorsExpo/7-Sensors-Expo-kinney.pdf
Appendix
Service Scenario1. A collection of ZigBee devices sends data to a remote service over
IP. 802.15.42. A ZigBee security device is preconfigured to connect to a web
service through a gateway (Enter WSN, Exit WSN: Key Revocation)
IP Command Translation [1]When working through a ZigBee Gateway, an IP device sends a command:
• “Turn on the light in the northeast corner of Room 123”
✓Gateway translates this command to a packet that is compatible with the appropriate ZigBee lighting profile
✓Gateway also translates the logical address into a network address, and transmits the packet on behalf of the originator
✓Gateway acts as an agent on behalf of the IP device, isolating the IP device from the details of ZigBee operation and vice versa
ZigBee Gateway
A ZigBee Gateway is intended to provide an interface between ZigBee and IP devices through an abstracted interface on the IP side. The IP device is isolated from the ZigBee protocol by that interface. The ZigBee Gateway translates both addresses and commands between ZigBee and IP. [1]
Gateway Stack DiagramThe IP stack is terminated at the Gateway as is the ZigBee Stack. The Gateway provides translation between the respective
stack [1]
A ZigBee ZED extends the ZigBee network over an IP based network. Since the specific PHY and MAC layers are not pertinent as long as the
network layer is IP based, the ZED will work over Ethernet or Wi-Fi types of devices.