Date post: 17-May-2015
Upload: bhumikashah22111990
SPINS: Security Protocols for Sensor Networks

By: BHUMIKA SHAH (M.E I.T)

Outline

Introduction to sensor networks
- What are sensor networks
- Hardware

Security for sensor networks
- Research problem

Proposed techniques
- SPINS building blocks

Applications
Discussion
Conclusion

Sensor networks

Applications
- environmental monitoring and disaster prevention
- building monitoring and automation
- monitoring the physical conditions of patients (e.g. elderly people)
- battlefield

Energy consumption is an issue
- multi-hop communications
- in-network processing
- specially designed protocols
- sleep mode
- energy harvesting

Hardware specification [1]

Is security on sensors possible at all? [1]

Memory constraints
- memory is not enough to store even the variables of standard asymmetric key crypto systems
- standard implementations of symmetric key primitives (ciphers and hash functions) need to be optimized in order to fit in the memory
- available memory may increase in the future (price is still an issue)
- some asymmetric crypto systems may require fewer resources

Processor
- 4 MHz 8-bit RISC processor with 32 general purpose registers
- limited instruction set
  - good support for bit- and byte-level I/O operations
  - lack of arithmetic and logic operations

Battery power
- will remain a crucial limitation for some time
- communications consume much more energy than computation
- crypto algorithms and protocols must be designed and optimized to reduce energy consumption

System Assumptions

Communication patterns
- Node to base station (e.g. sensor readings)
- Base station to node (e.g. specific requests)
- Base station to all nodes

Base station
- Sufficient memory, power
- Shares secret key with each node

Node
- Limited resources, limited trust

[Figure: sensor nodes A, B, C, D, E, F, G and the base station]

Communication architecture [2, 3]

RF communications: broadcast
- easy to eavesdrop messages
- easy to inject fake messages
- easy to delete messages (jamming)
- modification of messages on-the-fly is hard
- but delete - modify - re-inject may work

Typical communication patterns
- many-to-one (nodes to base station) (measurement)
- one-to-many (base station to all nodes) (control information)

Nodes can
- recognize packets addressed to them (addressing)
- handle broadcast messages
- forward packets toward the base station (using the routing topology)

The base station can access individual nodes using source routing if needed

Trust setup [1]

The base station is trusted by all nodes

Sensor nodes are untrusted
- they are unattended
- they are not tamper resistant
- they can be captured and compromised

RF communication channels are untrusted

Initial keys
- each node has a unique key that it shares with the base station
- compromise of this key affects only a single sensor

Time synchronization
- upper bound on the node's clock drift

Security for Sensor Networks [1]

Data authentication
- it is easy to inject fake packets into the network
- special requirements of broadcast authentication
  - symmetric MAC cannot be used
  - asymmetric digital signatures are not feasible

Data confidentiality
- sensor readings might be sensitive; some control data (e.g. keys) must be kept secret
- eavesdropping is easy

Data integrity
- integrity of sensor readings and control data is important

Data freshness
- freshness of sensor readings is usually important, and replay of old packets is easy
- weak freshness
  - provides partial message ordering but no delay information
  - useful for sensor readings
- strong freshness
  - allows delay estimation
  - required by time synchronization

Notation [4]

Contributions

SNEP
- Sensor Network Encryption Protocol
- Secures point-to-point communication

µTESLA
- Micro Timed Efficient Stream Loss-tolerant Authentication
- Provides broadcast authentication

Properties of SNEP [1]

Semantic security
- same messages are encrypted differently each time due to the different counter value

Data authentication and integrity by using MAC

Weak freshness and replay protection
- counter is part of the MAC
- it ensures message ordering

Low communication overhead
- counter is not sent; it is maintained locally by both parties
- using the block cipher in CTR mode results in a stream cipher -> encrypted messages have the same length as plain messages
- MAC adds only 8 bytes per message

Reduced computational overhead
- MAC verification doesn't need decryption

Key Generation Setup [4]

Nodes and base station share a master key pre-deployment
Other keys are bootstrapped from the master key
- Encryption key
- Message authentication code key
- Random number generator key

[Figure labels: Counter, RC5 Block Cipher, Key_Master, Key_MAC, Key_Encryption, Key_random]

Building blocks: SNEP [1]

Sensor Network Encryption Protocol (SNEP)

A -> B: enc_{Kenc,C}(data) | mac_{Kmac}(C | enc_{Kenc,C}(data))

where
- enc_{Kenc,C} is encryption in CTR mode with key Kenc and counter C
- mac_{Kmac} is CBC-MAC computation with key Kmac
- MAC is computed over the encrypted data and counter C
- MAC length is 64 bits
- Kenc and Kmac are derived from the master key K (shared by the node and the base station) through a one-way function
  Kenc = mac_K(1)
  Kmac = mac_K(2)

Authentication, Confidentiality [1]

Without encryption, can have only authentication
For encrypted messages, the counter is included in the MAC
Base station keeps current counter for every node

Node A -> Node B: M, MAC(Kmac, M)
Node A -> Node B: {M}<Kencr, CA>, MAC(Kmac, CA || {M}<Kencr, CA>)

SNEP with strong freshness [1]

A -> B: NA, request
B -> A: enc_{Kenc,C}(response) | mac_{Kmac}(NA | C | enc_{Kenc,C}(response))

where
- the request can use plain SNEP for confidentiality and authentication
- NA is an unpredictable random number computed as
  NA = mac_{Krnd}(S)
- after generating a random number, S is incremented by one
- Krnd is a key derived from the master key K (shared by the node and the base station) through a one-way function
  Krnd = mac_K(3)
  and regenerated from time to time
  Krnd' = mac_K(Krnd)

Strong Freshness [1]

- Nonce generated randomly
- Sender includes nonce with request
- Responder includes nonce in MAC, but not in reply

Node A -> Node B: Request, NA
Node B -> Node A: {Response}<Kencr, CB>, MAC(Kmac, NA || CB || {Response}<Kencr, CB>)

Counter Exchange Protocol [1]

Bootstrapping counter values

To synchronize:
A -> B: CA
B -> A: CB, MAC(Kmac, CA || CB)

Code re-use in SNEP [2]

Only the encryption part of RC5 is implemented. This is used
- to encrypt and to decrypt data (due to CTR mode)
- to implement the MAC function
- to generate encryption and MAC keys from the master key
- to generate random numbers
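The SNEP message format and the code re-use described above, as an added example that is not part of the original slides: a single RC5 encrypt routine provides CTR encryption and decryption, the CBC-MAC, and the derivation of Kenc and Kmac. Assumptions: RC5-32/12 parameters, 8-byte derived keys, a 32-bit counter, a length-prefixed CBC-MAC input, one protected direction only, and the names `SnepEndpoint`, `seal` and `open`.

```python
import hmac
import struct

MASK = 0xFFFFFFFF
ROUNDS = 12  # RC5-32/12/b: word size and round count are assumptions of this example

def _rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK

def rc5_expand(key):
    """RC5 key schedule; key length must be a non-zero multiple of 4 bytes."""
    c = len(key) // 4
    L = list(struct.unpack("<%dI" % c, key))
    t = 2 * (ROUNDS + 1)
    S = [(0xB7E15163 + i * 0x9E3779B9) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc5_encrypt(S, block):
    """Encrypt one 8-byte block. The decrypt direction is never needed."""
    A, B = struct.unpack("<2I", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for r in range(1, ROUNDS + 1):
        A = (_rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return struct.pack("<2I", A, B)

def cbc_mac(key, msg):
    """64-bit CBC-MAC. The length prefix (an assumption of this example)
    keeps the MAC sound for variable-length messages."""
    S = rc5_expand(key)
    data = struct.pack("<Q", len(msg)) + msg
    data += b"\x00" * (-len(data) % 8)
    tag = bytes(8)
    for i in range(0, len(data), 8):
        tag = rc5_encrypt(S, bytes(a ^ b for a, b in zip(tag, data[i:i + 8])))
    return tag

def ctr_xor(key, counter, data):
    """CTR mode: the same call encrypts and decrypts."""
    S = rc5_expand(key)
    out = bytearray()
    for i in range(0, len(data), 8):
        ks = rc5_encrypt(S, struct.pack("<2I", counter, i // 8))
        out += bytes(a ^ b for a, b in zip(data[i:i + 8], ks))
    return bytes(out)

class SnepEndpoint:
    """One direction of a SNEP link (hypothetical class name). The reverse
    direction needs its own keys, otherwise CTR keystream would be reused."""

    def __init__(self, master_key):
        self.k_enc = cbc_mac(master_key, b"\x01")  # Kenc = mac_K(1)
        self.k_mac = cbc_mac(master_key, b"\x02")  # Kmac = mac_K(2)
        self.send_ctr = 0
        self.recv_ctr = 0

    def seal(self, data):
        c = self.send_ctr
        ct = ctr_xor(self.k_enc, c, data)
        tag = cbc_mac(self.k_mac, struct.pack("<I", c) + ct)
        self.send_ctr += 1
        return ct + tag  # the counter itself is never transmitted

    def open(self, packet):
        if len(packet) < 8:
            return None
        ct, tag = packet[:-8], packet[-8:]
        c = self.recv_ctr
        expected = cbc_mac(self.k_mac, struct.pack("<I", c) + ct)
        if not hmac.compare_digest(tag, expected):
            return None  # forged, modified, replayed or out of sync
        self.recv_ctr += 1  # advance only after the MAC check passes
        return ctr_xor(self.k_enc, c, ct)

def demo():
    master = bytes(range(16))  # constructed master key, for illustration only
    node, base = SnepEndpoint(master), SnepEndpoint(master)
    reading = b"temp=21.5C"
    p1, p2 = node.seal(reading), node.seal(reading)
    return {
        "same_plaintext_differs": p1[:-8] != p2[:-8],  # semantic security
        "overhead": len(p1) - len(reading),            # MAC bytes only
        "first": base.open(p1),
        "replay": base.open(p1),                       # counter has moved on
        "second": base.open(p2),
    }

if __name__ == "__main__":
    print(demo())
```

When the receiver rejects packets because its counter has drifted from the sender's, the counter exchange protocol above is what brings the two back in step.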

Building block: TESLA Authenticated Broadcast

Main idea: asymmetry through delayed disclosure of authentication keys
- base station computes a MAC with a key unknown to the sensors
- base station sends and sensors receive the message with the MAC
- later, the base station discloses the key used to compute the MAC

Assumptions
- loose time synchronization between the base station and the sensors
- each sensor knows an upper bound on the maximum synchronization error
- initial secret between the base station and each sensor to bootstrap the whole mechanism

Key Setup [1]

Main idea: one-way key chains
K0 is the initial commitment to the chain
Base station gives K0 to all nodes

[Figure: one-way key chain Kn -> Kn-1 -> ... -> K1 -> K0, each step computed as F(Kn), ..., F(K2), F(K1); the reverse direction is marked X]

Broadcast [1]

Divide time into intervals
Associate Ki with interval i
Messages sent in interval i use Ki in MAC
Ki is revealed at time i +
Nodes authenticate Ki and messages using Ki

[Figure: timeline of intervals 0, 1, 2, 3, 4 with keys K0, K1, K2, K3, ...]

Broadcasting Authenticated Packets [1]

In interval j, base station broadcasts Msg
Node verifies that key Kj has not been disclosed yet
Node stores Msg

[Diagram: messages between Node A and Base Station]
- Nonce
- Tnow, Ki, Ti, Tint, MAC(Kmaster, Nonce | Tnow | ...)
- Msg, MAC(Kj, Msg)

Node authenticating packets [1]

After disclosure interval, base station broadcasts Kj
Node verifies that F(Kj) = Kj-1, or F(F(Kj)) = Kj-2, etc.
Node verifies MAC of Msg
Node delivers Msg

[Diagram: messages between Node A and Base Station]
- Nonce
- Tnow, Ki, Ti, Tint, MAC(Kmaster, Nonce | Tnow | ...)
- Msg, MAC(Kj, Msg)
- Kj

Perfect robustness to packet loss [1]

[Figure: timeline (Time 2 to Time 5) of packets P1 to P5 and keys K0 to K5; labels: F, Authenticate K3, Verify MACs]
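The node-side checks from the broadcast slides above, as an added example that is not part of the original slides: the node buffers a packet only if its key cannot have been disclosed yet, authenticates a disclosed key by walking the one-way chain back to the last key it trusts, and recovers the keys of intervals whose disclosure was lost. Assumptions: truncated SHA-256 and HMAC stand in for the RC5-based F and MAC, and the names `Node`, `on_packet`, `on_key`, `MAX_SKIP` and the timing values are hypothetical.

```python
import hashlib
import hmac

MAX_SKIP = 16  # assumed cap on chain steps per disclosure; bounds work on forged keys

def F(key):
    """One-way function of the key chain (truncated SHA-256, a stand-in)."""
    return hashlib.sha256(b"chain" + key).digest()[:8]

def mac(key, msg):
    """8-byte MAC (truncated HMAC-SHA-256, a stand-in for the page's CBC-MAC)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def make_chain(seed, n):
    """Base station side: K_n = seed, K_(i-1) = F(K_i). Returns [K_0, ..., K_n]."""
    chain = [seed]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

class Node:
    def __init__(self, k0, t0, t_int, delay, max_sync_err):
        self.key, self.idx = k0, 0          # last authenticated key and its interval
        self.t0, self.t_int = t0, t_int     # start time and interval length
        self.delay, self.err = delay, max_sync_err
        self.pending = {}                   # interval -> [(msg, tag)] awaiting the key
        self.delivered = []

    def on_packet(self, j, msg, tag, local_time):
        # The base station clock may be ahead by up to max_sync_err. If K_j
        # could already be public at that time, anyone could have computed
        # this MAC, so the packet is dropped instead of buffered.
        latest = (local_time + self.err - self.t0) // self.t_int
        if latest >= j + self.delay:
            return False
        self.pending.setdefault(j, []).append((msg, tag))
        return True

    def on_key(self, j, key):
        steps = j - self.idx
        if not 0 < steps <= MAX_SKIP:
            return False
        keys, k = {j: key}, key
        for i in range(j - 1, self.idx - 1, -1):
            k = F(k)                        # F(Kj) = Kj-1, F(F(Kj)) = Kj-2, ...
            keys[i] = k
        if not hmac.compare_digest(keys[self.idx], self.key):
            return False                    # does not chain back to a trusted key
        self.key, self.idx = key, j
        for i in range(j - steps + 1, j + 1):   # includes intervals whose key was lost
            for msg, tag in self.pending.pop(i, []):
                if hmac.compare_digest(mac(keys[i], msg), tag):
                    self.delivered.append(msg)
        return True

def demo():
    chain = make_chain(b"constructed seed", 5)   # constructed sample chain
    node = Node(chain[0], t0=0, t_int=10, delay=2, max_sync_err=2)
    out = {}
    out["p1"] = node.on_packet(1, b"report now", mac(chain[1], b"report now"), 12)
    out["p2"] = node.on_packet(2, b"sleep 60s", mac(chain[2], b"sleep 60s"), 25)
    # The disclosure of K1 is lost. A packet MACed with K1 arrives after K1
    # may already be public and must be rejected by the timing check.
    out["late"] = node.on_packet(1, b"forged", mac(chain[1], b"forged"), 41)
    out["bogus_key"] = node.on_key(2, bytes(8))
    out["k2"] = node.on_key(2, chain[2])         # also authenticates K1 = F(K2)
    out["delivered"] = list(node.delivered)
    return out

if __name__ == "__main__":
    print(demo())
```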

TESLA Properties

Asymmetry from delayed key disclosure [1]
Self-authenticating keys [1]
Requires loose time synchronization [3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~2 MAC computations)
Independent of number of receivers

Applications [1]

Authenticated Routing
Node to Node Agreement

A -> B: NA, A
B -> S: NA, NB, A, B, MAC(K'BS, NA || NB || A || B)
S -> A: {SKAB}KSA, MAC(K'SA, NA || A || {SKAB}KSA)
S -> B: {SKAB}KSB, MAC(K'SB, NB || B || {SKAB}KSB)

Discussion: Drawbacks

The TESLA protocol lacks scalability [1]
- requires an initial key commitment with each node, which is very communication intensive

SPINS uses source routing, so it is vulnerable to traffic analysis [2, 3]

Conclusion [1, 3]

Strong security protocols affordable
- First broadcast authentication

Low security overhead
- Computation, memory, communication

Apply to future sensor networks
- Energy limitations persist
- Tendency to use minimal hardware

Base protocol for more sophisticated security services

References

[1] Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J. D. Tygar, "SPINS: Security Protocols for Sensor Networks"

[2] International Journal of Advanced Research in Computer Science and Software Engineering [Volume 3, Issue 8, August 2013], "Emerging Trends in Cryptography"

[3] Pritam Gajkumar Shah, Lecturer, Telecom Engineering Department, RV College of Engineering, Bangalore, "Network Security Protocols for Wireless Sensor Networks - A Survey"

[4] Ali Modirkhazeni, Norafida Ithnin, Mohammadjavad Abbasi, "Secure Hierarchal Routing Protocols in Wireless Sensor Networks: Security Survey Analysis"

Thank you

Page 2: spins

OutlineOutline Introduction to sensor networks

-What are sensor network

-Hardware

Security for sensor networks

- Research Problem

Proposed Techniques

- SPINS building blocks Applications Discussion Conclusion

Sensor networksSensor networksApplicationsenvironmental monitoring and disaster

preventionbuilding monitoring and automationmonitoring the physical conditions of patients

(eg elderly people) battlefield

Energy consumption is an issuemulti-hop communications in-network

processingspecially designed protocolssleep modeenergy harvesting

Hardware specification[1]Hardware specification[1]

Is security on sensors possible at all[1]Is security on sensors possible at all[1]Memory constraints-

-memory is not enough to store even the variables of standard asymmetric key crypto systems

-standard implementations of symmetric key primitives (ciphers and hash functions) need to be optimized in order to fit in the memory

-available memory may increase in the future (price is still an issue)

-some asymmetric crypto systems may require less resources

Processor-

-4 MHz 8 bit RISC processor with 32 general purpose registers

-limited instruction set

bull good support for bit- and byte-level IO operations

bull lack of arithmetic and logic operations

Battery power-

-will remain a crucial limitation for some time

-communications consume much more energy than computation

-crypto algorithms and PROTOCOLS must be designed and optimized to reduce energy consumption

System AssumptionsSystem Assumptions

Communication patterns

-Node to base station (eg sensor readings)

-Base station to node (eg specific requests)

-Base station to all nodes Base Station

-Sufficient memory power

-Shares secret key with each node Node

-Limited resources limited trust

A

B

D

EF

G

C

Base Station

Communication architecture[23]Communication architecture[23] RF communications broadcast

ndash easy to eavesdrop messages

ndash easy to inject fake messages

ndash easy to delete messages (jamming)

ndash modification of messages on-the-fly is hard

ndash but delete ndash modify - re-inject may work Typical communication patterns

ndash many-to-one (nodes to base station) (measurement)

ndash one-to-many (base station to all nodes) (control information) Nodes can

ndash recognize packets addressed to them (addressing)

ndash handle broadcast messages

ndash forward packets toward the base station (using the routing topology)

The base station can access individual nodes using source routing if needed

Trust setup[1]Trust setup[1]

The base station is trusted by all nodes

Sensor nodes are untrusted

ndash they are unattended

ndash they are not tamper resistant

ndash they can be captured and compromised

RF communication channels are untrusted

Initial keys

ndash each node has a unique key that it shares with the base station

ndash compromise of this key affects only a single sensor

Time synchronization

ndash upper bound on the node lsquos clock drift

Security for Sensor Networks[1]Security for Sensor Networks[1] Data Authentication-

ndash it is easy to inject fake packets into the network

ndash special requirements of broadcast authentication

bull symmetric MAC cannot be used

bull asymmetric digital signatures are not feasible Data Confidentiality-

ndash sensor readings might be sensitive some control data (eg keys) must be kept secret

ndash eavesdropping is easy Data Integrity-integrity of sensor readings and control data is important Data Freshness-freshness of sensor readings is usually important and replay of old

packets is easy

ndash weak freshness

bull provides partial message ordering but no delay information

bull useful for sensor readings

ndash strong freshness

bull allows delay estimation

bull required by time synchronization

Notation[4]Notation[4]

ContributionsContributions

SNEP

-Sensor Network Encryption Protocol

-Secures point-to-point communication

microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication

-Provides broadcast authentication

Properties of SNEP[1]Properties of SNEP[1]

Semantic security

ndash same messages are encrypted differently each time due to the different counter value

Data authentication and integrity by using MAC Weak freshness and replay protection

ndash counter is part of the MAC

ndash it ensures message ordering Low communication overhead

ndash counter is not sent it is maintained locally by both parties

ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages

ndash MAC adds only 8 bytes per message Reduced computational overhead

ndash MAC verification doesnrsquot need decryption

Key Generation Setup[4]Key Generation Setup[4]

Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key

Encryption key

Message Authentication code key

Random number generator key

Counter

RC5 BlockCipherKey Master KeyMAC

KeyEncryption

Keyrandom

Building blocks SNEP[1]Building blocks SNEP[1]

Sensor Network Encryption Protocol (SNEP)

A B encKencC(data) | macKmac(C|encKencC(data))

where

ndash encKencC is encryption in CTR mode with key Kenc and counter C

ndash macKmac is CBC-MAC computation with key Kmac

ndash MAC is computed over the encrypted data and counter C

ndash MAC length is 64 bits

ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function

Kenc = macK(1)

Kmac = macK(2)

Authentication Confidentiality[1] Authentication Confidentiality[1]

Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node

Node A

M MAC(Kmac M)

MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)

Node B

SNEP with strong freshness[1]SNEP with strong freshness[1]

A B NA request

B A encKencC(response) | macKmac(NA|C|encKencC(response))

where

ndash the request can use plain SNEP for confidentiality and authentication

ndash NA is an unpredictable random number computed as

NA = macKrnd(S)ndash after generating a random number S is incremented by one

ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function

Krnd = macK(3)and regenerated from time to time

Krndrsquo = macK (Krnd)

Strong Freshness[1]Strong Freshness[1]

bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply

Node A

Request NA

ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)

Node B

Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values

Node A

CA

CB MAC(Kmac CA||CB)

Node B

To synchronizeA rarrB CA

B rarrA CB MAC(KmacCA || CB)

Code re-use in SNEP[2]Code re-use in SNEP[2]

Only encryption part of RC5 is implemented This is used

ndash to encrypt and to decrypt (due to CTR mode) data

ndash to implement the MAC function

ndash to generate encryption and MAC keys from the master key

ndash to generate random numbers

Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast

Main idea asymmetry through delayed disclosure of authentication keys

ndash base station computes a MAC with a key unknown to the sensors

ndash base station sends and sensors receive the message with the MAC

ndash later the base station discloses the key used to compute the MAC

Assumptions

ndash loose time synchronization between the base station and the sensors

ndash each sensor knows an upper bound on the maximum synchronization error

ndash initial secret between the base station and each sensor to bootstrap the whole mechanism

Key Setup[1]Key Setup[1]

Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes

Kn Kn-1 K1 K0

X

helliphellipF(Kn) F(K1)F(K2)

Broadcast[1]Broadcast[1]

Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki

K0 K1 K2 K3 hellip

0 1 2 3 4 time

Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]

In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg

Node A Base Station

Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)

Nonce

Msg MAC(Kj Msg)

Node authenticating packets[1]Node authenticating packets[1]

After disclosure interval base station broadcasts Kj

Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg

Node A Base Station

Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)

Nonce

Msg MAC(Kj Msg)

Kj

Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]

K2 K3 K4 K5

tTime 2 Time 3 Time 4 Time 5

K1

P5

K3

P3

K1

P2

K0

P1

K0

Verify MACs

P4

K2

FF

Authenticate K3

TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]

Self-authenticating keys[1]

Requires loose time synchronization[3]

Low overhead (1 MAC)

- Communication (same as SNEP)

- Computation (~ 2 MAC computations) Independent of number of receivers

Applications[1]Applications[1]

Authenticated RoutingNode to Node Agreement

A B NA A

B S NANB A B MAC(KrsquoBS NA || NB || A || B)

S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )

S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )

Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]

- require initial key commitment with each nodes which is very communication intensive

SPINS uses source routing so vulnerable to traffic analysis[23]

Conclusion[13]Conclusion[13]

Strong security protocols affordable

- First broadcast authentication

Low security overhead

- Computation memory communication

Apply to future sensor networks

-Energy limitations persist

-Tendency to use minimal hardware

Base protocol for more sophisticated security services

ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D

TygarrdquoSPINS Security Protocols for Sensor Networksrdquo

[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo

[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo

[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo

Thank youThank you

Page 3: spins

Sensor networksSensor networksApplicationsenvironmental monitoring and disaster

preventionbuilding monitoring and automationmonitoring the physical conditions of patients

(eg elderly people) battlefield

Energy consumption is an issuemulti-hop communications in-network

processingspecially designed protocolssleep modeenergy harvesting

Hardware specification[1]Hardware specification[1]

Is security on sensors possible at all[1]Is security on sensors possible at all[1]Memory constraints-

-memory is not enough to store even the variables of standard asymmetric key crypto systems

-standard implementations of symmetric key primitives (ciphers and hash functions) need to be optimized in order to fit in the memory

-available memory may increase in the future (price is still an issue)

-some asymmetric crypto systems may require less resources

Processor-

-4 MHz 8 bit RISC processor with 32 general purpose registers

-limited instruction set

bull good support for bit- and byte-level IO operations

bull lack of arithmetic and logic operations

Battery power-

-will remain a crucial limitation for some time

-communications consume much more energy than computation

-crypto algorithms and PROTOCOLS must be designed and optimized to reduce energy consumption

System AssumptionsSystem Assumptions

Communication patterns

-Node to base station (eg sensor readings)

-Base station to node (eg specific requests)

-Base station to all nodes Base Station

-Sufficient memory power

-Shares secret key with each node Node

-Limited resources limited trust

A

B

D

EF

G

C

Base Station

Communication architecture[23]Communication architecture[23] RF communications broadcast

ndash easy to eavesdrop messages

ndash easy to inject fake messages

ndash easy to delete messages (jamming)

ndash modification of messages on-the-fly is hard

ndash but delete ndash modify - re-inject may work Typical communication patterns

ndash many-to-one (nodes to base station) (measurement)

ndash one-to-many (base station to all nodes) (control information) Nodes can

ndash recognize packets addressed to them (addressing)

ndash handle broadcast messages

ndash forward packets toward the base station (using the routing topology)

The base station can access individual nodes using source routing if needed

Trust setup[1]Trust setup[1]

The base station is trusted by all nodes

Sensor nodes are untrusted

ndash they are unattended

ndash they are not tamper resistant

ndash they can be captured and compromised

RF communication channels are untrusted

Initial keys

ndash each node has a unique key that it shares with the base station

ndash compromise of this key affects only a single sensor

Time synchronization

ndash upper bound on the node lsquos clock drift

Security for Sensor Networks[1]Security for Sensor Networks[1] Data Authentication-

ndash it is easy to inject fake packets into the network

ndash special requirements of broadcast authentication

bull symmetric MAC cannot be used

bull asymmetric digital signatures are not feasible Data Confidentiality-

ndash sensor readings might be sensitive some control data (eg keys) must be kept secret

ndash eavesdropping is easy Data Integrity-integrity of sensor readings and control data is important Data Freshness-freshness of sensor readings is usually important and replay of old

packets is easy

ndash weak freshness

bull provides partial message ordering but no delay information

bull useful for sensor readings

ndash strong freshness

bull allows delay estimation

bull required by time synchronization

Notation[4]Notation[4]

ContributionsContributions

SNEP

-Sensor Network Encryption Protocol

-Secures point-to-point communication

microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication

-Provides broadcast authentication

Properties of SNEP[1]Properties of SNEP[1]

Semantic security

ndash same messages are encrypted differently each time due to the different counter value

Data authentication and integrity by using MAC Weak freshness and replay protection

ndash counter is part of the MAC

ndash it ensures message ordering Low communication overhead

ndash counter is not sent it is maintained locally by both parties

ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages

ndash MAC adds only 8 bytes per message Reduced computational overhead

ndash MAC verification doesnrsquot need decryption

Key Generation Setup[4]Key Generation Setup[4]

Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key

Encryption key

Message Authentication code key

Random number generator key

Counter

RC5 BlockCipherKey Master KeyMAC

KeyEncryption

Keyrandom

Building blocks SNEP[1]Building blocks SNEP[1]

Sensor Network Encryption Protocol (SNEP)

A B encKencC(data) | macKmac(C|encKencC(data))

where

ndash encKencC is encryption in CTR mode with key Kenc and counter C

ndash macKmac is CBC-MAC computation with key Kmac

ndash MAC is computed over the encrypted data and counter C

ndash MAC length is 64 bits

ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function

Kenc = macK(1)

Kmac = macK(2)

Authentication Confidentiality[1] Authentication Confidentiality[1]

Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node

Node A

M MAC(Kmac M)

MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)

Node B

SNEP with strong freshness[1]SNEP with strong freshness[1]

A B NA request

B A encKencC(response) | macKmac(NA|C|encKencC(response))

where

ndash the request can use plain SNEP for confidentiality and authentication

ndash NA is an unpredictable random number computed as

NA = macKrnd(S)ndash after generating a random number S is incremented by one

ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function

Krnd = macK(3)and regenerated from time to time

Krndrsquo = macK (Krnd)

Strong Freshness[1]Strong Freshness[1]

bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply

Node A

Request NA

ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)

Node B

Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values

Node A

CA

CB MAC(Kmac CA||CB)

Node B

To synchronizeA rarrB CA

B rarrA CB MAC(KmacCA || CB)

Code re-use in SNEP[2]Code re-use in SNEP[2]

Only encryption part of RC5 is implemented This is used

ndash to encrypt and to decrypt (due to CTR mode) data

ndash to implement the MAC function

ndash to generate encryption and MAC keys from the master key

ndash to generate random numbers

Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast

Main idea asymmetry through delayed disclosure of authentication keys

ndash base station computes a MAC with a key unknown to the sensors

ndash base station sends and sensors receive the message with the MAC

ndash later the base station discloses the key used to compute the MAC

Assumptions

ndash loose time synchronization between the base station and the sensors

ndash each sensor knows an upper bound on the maximum synchronization error

ndash initial secret between the base station and each sensor to bootstrap the whole mechanism

Key Setup[1]Key Setup[1]

Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes

Kn Kn-1 K1 K0

X

helliphellipF(Kn) F(K1)F(K2)

Broadcast[1]Broadcast[1]

Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki

K0 K1 K2 K3 hellip

0 1 2 3 4 time

Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]

In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg

Node A Base Station

Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)

Nonce

Msg MAC(Kj Msg)


Page 4: spins

Hardware specification [1]

Is security on sensors possible at all? [1]

Memory constraints
- memory is not enough to store even the variables of standard asymmetric-key cryptosystems
- standard implementations of symmetric-key primitives (ciphers and hash functions) need to be optimized in order to fit in the memory
- available memory may increase in the future (price is still an issue)
- some asymmetric cryptosystems may require fewer resources

Processor
- 4 MHz 8-bit RISC processor with 32 general-purpose registers
- limited instruction set
  • good support for bit- and byte-level I/O operations
  • lack of arithmetic and logic operations

Battery power
- will remain a crucial limitation for some time
- communications consume much more energy than computation
- crypto algorithms and protocols must be designed and optimized to reduce energy consumption

System Assumptions

Communication patterns
- Node to base station (e.g. sensor readings)
- Base station to node (e.g. specific requests)
- Base station to all nodes

Base Station
- Sufficient memory, power
- Shares secret key with each node

Node
- Limited resources, limited trust

[Figure: sensor nodes A, B, C, D, E, F, G and the Base Station]

Communication architecture [2, 3]

RF communications: broadcast
– easy to eavesdrop messages
– easy to inject fake messages
– easy to delete messages (jamming)
– modification of messages on-the-fly is hard
– but delete – modify – re-inject may work

Typical communication patterns
– many-to-one (nodes to base station) (measurement)
– one-to-many (base station to all nodes) (control information)

Nodes can
– recognize packets addressed to them (addressing)
– handle broadcast messages
– forward packets toward the base station (using the routing topology)

The base station can access individual nodes using source routing if needed

Trust setup [1]

The base station is trusted by all nodes

Sensor nodes are untrusted
– they are unattended
– they are not tamper resistant
– they can be captured and compromised

RF communication channels are untrusted

Initial keys
– each node has a unique key that it shares with the base station
– compromise of this key affects only a single sensor

Time synchronization
– upper bound on the node's clock drift

Security for Sensor Networks [1]

Data Authentication
– it is easy to inject fake packets into the network
– special requirements of broadcast authentication
  • symmetric MAC cannot be used
  • asymmetric digital signatures are not feasible

Data Confidentiality
– sensor readings might be sensitive; some control data (e.g. keys) must be kept secret
– eavesdropping is easy

Data Integrity
– integrity of sensor readings and control data is important

Data Freshness
– freshness of sensor readings is usually important, and replay of old packets is easy
– weak freshness
  • provides partial message ordering but no delay information
  • useful for sensor readings
– strong freshness
  • allows delay estimation
  • required by time synchronization

Notation [4]

Contributions

SNEP
- Sensor Network Encryption Protocol
- Secures point-to-point communication

µTESLA
- Micro Timed Efficient Stream Loss-tolerant Authentication
- Provides broadcast authentication

Properties of SNEP [1]

Semantic security
– the same message is encrypted differently each time due to the different counter value

Data authentication and integrity by using a MAC

Weak freshness and replay protection
– counter is part of the MAC
– it ensures message ordering

Low communication overhead
– counter is not sent; it is maintained locally by both parties
– using the block cipher in CTR mode results in a stream cipher, so encrypted messages have the same length as plain messages
– MAC adds only 8 bytes per message

Reduced computational overhead
– MAC verification doesn't need decryption

Key Generation Setup [4]

Nodes and base station share a master key pre-deployment
Other keys are bootstrapped from the master key
- Encryption key
- Message authentication code key
- Random number generator key

[Figure: key derivation. Labels: Counter, RC5 Block Cipher, Key Master, Key MAC, Key Encryption, Key random]

Building blocks: SNEP [1]

Sensor Network Encryption Protocol (SNEP)

A → B: enc_{Kenc,C}(data) | mac_{Kmac}(C | enc_{Kenc,C}(data))

where
– enc_{Kenc,C} is encryption in CTR mode with key Kenc and counter C
– mac_{Kmac} is CBC-MAC computation with key Kmac
– the MAC is computed over the encrypted data and the counter C
– MAC length is 64 bits
– Kenc and Kmac are derived from the master key K (shared by the node and the base station) through a one-way function
  Kenc = mac_K(1)
  Kmac = mac_K(2)

Authentication, Confidentiality [1]

Without encryption, can have only authentication
For encrypted messages, the counter is included in the MAC
Base station keeps current counter for every node

[Figure: messages between Node A and Node B:
  M, MAC(Kmac, M)
  M<Kencr, CA>, MAC(Kmac, CA || M<Kencr, CA>)]

SNEP with strong freshness [1]

A → B: NA, request
B → A: enc_{Kenc,C}(response) | mac_{Kmac}(NA | C | enc_{Kenc,C}(response))

where
– the request can use plain SNEP for confidentiality and authentication
– NA is an unpredictable random number computed as
  NA = mac_{Krnd}(S)
– after generating a random number, S is incremented by one
– Krnd is a key derived from the master key K (shared by the node and the base station) through a one-way function
  Krnd = mac_K(3)
  and regenerated from time to time
  Krnd' = mac_K(Krnd)

Strong Freshness [1]

• Nonce generated randomly
• Sender includes nonce with request
• Responder includes nonce in MAC, but not in reply

[Figure: messages between Node A and Node B:
  Request, NA
  Response<Kencr, CB>, MAC(Kmac, NA || CB || Response<Kencr, CB>)]

Counter Exchange Protocol [1]

Bootstrapping counter values

To synchronize:
A → B: CA
B → A: CB, MAC(Kmac, CA || CB)

Code re-use in SNEP [2]

Only the encryption part of RC5 is implemented. This is used
– to encrypt and to decrypt data (due to CTR mode)
– to implement the MAC function
– to generate encryption and MAC keys from the master key
– to generate random numbers
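The SNEP construction and the RC5 code re-use described above, as an added example (not code from the slides or from the SPINS authors): only RC5 block encryption is implemented, and CTR encryption, CBC-MAC and key derivation are all built on it. Assumptions of this sketch: RC5-32/12 with a 16-byte master key and 8-byte derived keys, a length-prefixed CBC-MAC, a counter block made of the message counter plus a block index, and the names SnepChannel, seal and open; it models one direction (A to B) only.

```python
import hmac
import struct

MASK = 0xFFFFFFFF
ROUNDS = 12
P32, Q32 = 0xB7E15163, 0x9E3779B9  # RC5 magic constants for 32-bit words


def _rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK


def rc5_expand(key):
    """RC5-32/12 key schedule; key length must be a multiple of 4 bytes."""
    L = list(struct.unpack("<%dI" % (len(key) // 4), key))
    t = 2 * (ROUNDS + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    a = b = i = j = 0
    for _ in range(3 * max(t, len(L))):
        a = S[i] = _rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = _rotl((L[j] + a + b) & MASK, a + b)
        i, j = (i + 1) % t, (j + 1) % len(L)
    return S


def rc5_encrypt_block(S, block):
    """Encrypt one 8-byte block. No decryption routine is needed anywhere."""
    a, b = struct.unpack("<2I", block)
    a, b = (a + S[0]) & MASK, (b + S[1]) & MASK
    for r in range(1, ROUNDS + 1):
        a = (_rotl(a ^ b, b) + S[2 * r]) & MASK
        b = (_rotl(b ^ a, a) + S[2 * r + 1]) & MASK
    return struct.pack("<2I", a, b)


def cbc_mac(key, msg):
    """64-bit CBC-MAC; the length prefix is an assumption of this example."""
    S = rc5_expand(key)
    data = struct.pack("<Q", len(msg)) + msg
    data += b"\0" * (-len(data) % 8)
    tag = bytes(8)
    for off in range(0, len(data), 8):
        mixed = bytes(x ^ y for x, y in zip(tag, data[off:off + 8]))
        tag = rc5_encrypt_block(S, mixed)
    return tag


def ctr_xor(key, counter, data):
    """CTR mode: the same call encrypts and decrypts."""
    S = rc5_expand(key)
    out = bytearray()
    for off in range(0, len(data), 8):
        ks = rc5_encrypt_block(S, struct.pack("<2I", counter, off // 8))
        out += bytes(x ^ y for x, y in zip(data[off:off + 8], ks))
    return bytes(out)


class SnepChannel:
    """One end of a one-directional SNEP channel; the counter is never sent."""

    def __init__(self, master_key):
        self.k_enc = cbc_mac(master_key, b"\x01")  # Kenc = mac_K(1)
        self.k_mac = cbc_mac(master_key, b"\x02")  # Kmac = mac_K(2)
        self.counter = 0

    def seal(self, data):
        ct = ctr_xor(self.k_enc, self.counter, data)
        tag = cbc_mac(self.k_mac, struct.pack("<I", self.counter) + ct)
        self.counter += 1
        return ct + tag  # ciphertext has the plaintext's length, plus 8 bytes

    def open(self, packet):
        ct, tag = packet[:-8], packet[-8:]
        expected = cbc_mac(self.k_mac, struct.pack("<I", self.counter) + ct)
        if not hmac.compare_digest(tag, expected):
            return None  # forged, modified, replayed or out of order
        plain = ctr_xor(self.k_enc, self.counter, ct)
        self.counter += 1
        return plain


if __name__ == "__main__":
    master = bytes(range(16))  # constructed sample key
    node_a, node_b = SnepChannel(master), SnepChannel(master)
    first, second = node_a.seal(b"temp=21C"), node_a.seal(b"temp=21C")
    print(first.hex(), second.hex())       # same reading, different packets
    print(node_b.open(first), node_b.open(first), node_b.open(second))
```

The MAC is checked before any decryption, and a replayed packet fails because the receiver's local counter has already advanced.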

Building block: TESLA Authenticated Broadcast

Main idea: asymmetry through delayed disclosure of authentication keys
– base station computes a MAC with a key unknown to the sensors
– base station sends and sensors receive the message with the MAC
– later the base station discloses the key used to compute the MAC

Assumptions
– loose time synchronization between the base station and the sensors
– each sensor knows an upper bound on the maximum synchronization error
– initial secret between the base station and each sensor to bootstrap the whole mechanism

Key Setup [1]

Main idea: one-way key chains
K0 is the initial commitment to the chain
Base station gives K0 to all nodes

[Figure: one-way key chain Kn → Kn-1 → … → K1 → K0, with arrows labelled F(Kn), …, F(K2), F(K1)]

Broadcast [1]

Divide time into intervals
Associate Ki with interval i
Messages sent in interval i use Ki in MAC
Ki is revealed at time i +
Nodes authenticate Ki and messages using Ki

[Figure: timeline with time marks 0, 1, 2, 3, 4 and keys K0, K1, K2, K3, …]

Broadcasting Authenticated Packets [1]

In interval j, base station broadcasts Msg
Node verifies that key Kj has not been disclosed yet
Node stores Msg

[Figure: messages between Node A and the Base Station:
  Nonce
  Tnow, Ki, Ti, Tint, MAC(Kmaster, Nonce | Tnow | …)
  Msg, MAC(Kj, Msg)]

Node authenticating packets [1]

After the disclosure interval, base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2, etc.
Node verifies MAC of Msg
Node delivers Msg

[Figure: messages between Node A and the Base Station:
  Nonce
  Tnow, Ki, Ti, Tint, MAC(Kmaster, Nonce | Tnow | …)
  Msg, MAC(Kj, Msg)
  Kj]

Perfect robustness to packet loss [1]

[Figure: timeline (Time 2 to Time 5, keys K2 to K5) with packets P1 to P5 and the keys K0 to K3 they carry; labels: F, F, "Authenticate K3", "Verify MACs"]

TESLA Properties

Asymmetry from delayed key disclosure [1]
Self-authenticating keys [1]
Requires loose time synchronization [3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations)
Independent of number of receivers
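The delayed-disclosure broadcast scheme described above, from key setup to robustness against lost key disclosures, as an added example (not code from the slides or the SPINS authors). Assumptions of this sketch: truncated SHA-256 and HMAC-SHA-256 stand in for the page's F and MAC, time is counted in whole intervals, and the names Node, on_packet, on_key, delay and chain_len are hypothetical.

```python
import hashlib
import hmac

KEY_LEN = 8  # 64-bit keys and MACs, matching the MAC size given on the page


def F(key):
    """One-way function of the key chain (stand-in: truncated SHA-256)."""
    return hashlib.sha256(b"chain" + key).digest()[:KEY_LEN]


def mac(key, msg):
    """Message authentication code (stand-in: truncated HMAC-SHA-256)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:KEY_LEN]


def make_chain(seed, n):
    """Base station: choose Kn, then K(i-1) = F(Ki). Returns [K0, ..., Kn]."""
    chain = [hashlib.sha256(seed).digest()[:KEY_LEN]]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]


class Node:
    def __init__(self, k0, delay, chain_len):
        self.auth_index, self.auth_key = 0, k0  # newest authenticated key
        self.delay = delay          # Ki is disclosed `delay` intervals after i
        self.chain_len = chain_len  # bounds the work a bogus index can cause
        self.pending = []           # (interval, msg, tag) waiting for a key
        self.delivered = []

    def on_packet(self, interval, msg, tag, latest_sender_interval):
        """Buffer a packet only if Kinterval cannot have been disclosed yet.

        latest_sender_interval is the latest interval the base station could
        be in, given the node's clock and the known bound on the sync error.
        """
        if latest_sender_interval >= interval + self.delay:
            return False
        self.pending.append((interval, msg, tag))
        return True

    def on_key(self, index, key):
        """Authenticate a disclosed key against the last authenticated one."""
        if not self.auth_index < index <= self.chain_len:
            return False
        # Apply F repeatedly: this both checks the key and recovers every
        # intermediate key whose disclosure was lost.
        keys, k = {index: key}, key
        for i in range(index - 1, self.auth_index - 1, -1):
            k = F(k)
            keys[i] = k
        if not hmac.compare_digest(keys[self.auth_index], self.auth_key):
            return False
        self.auth_index, self.auth_key = index, key
        still_pending = []
        for interval, msg, tag in self.pending:
            if interval not in keys:
                still_pending.append((interval, msg, tag))
            elif hmac.compare_digest(mac(keys[interval], msg), tag):
                self.delivered.append(msg)  # packets with a bad MAC are dropped
        self.pending = still_pending
        return True


def demo():
    chain = make_chain(b"constructed seed, not a real key", 5)
    node = Node(chain[0], delay=2, chain_len=5)
    for i in (1, 2, 3):  # base station broadcasts P1..P3 in intervals 1..3
        msg = b"P%d" % i
        node.on_packet(i, msg, mac(chain[i], msg), latest_sender_interval=i)
    # K1 is public from interval 3 on, so a packet claiming interval 1 that
    # arrives then must be refused even though its MAC is valid.
    late = node.on_packet(1, b"forged", mac(chain[1], b"forged"), 3)
    bogus = node.on_key(3, bytes(KEY_LEN))   # key that is not on the chain
    good = node.on_key(3, chain[3])          # K1 and K2 disclosures were lost
    return late, bogus, good, node.delivered


if __name__ == "__main__":
    print(demo())
```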

Applications [1]

Authenticated Routing
Node to Node Agreement

A → B: NA, A
B → S: NA, NB, A, B, MAC(K'BS, NA || NB || A || B)
S → A: {SKAB}KSA, MAC(K'SA, NA || A || {SKAB}KSA)
S → B: {SKAB}KSB, MAC(K'SB, NB || B || {SKAB}KSB)

Discussion: Drawbacks

The TESLA protocol lacks scalability [1]
- requires initial key commitment with each node, which is very communication intensive

SPINS uses source routing, so it is vulnerable to traffic analysis [2, 3]

Conclusion [1, 3]

Strong security protocols affordable
- First broadcast authentication

Low security overhead
- Computation, memory, communication

Apply to future sensor networks
- Energy limitations persist
- Tendency to use minimal hardware

Base protocol for more sophisticated security services

References

[1] Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J. D. Tygar, "SPINS: Security Protocols for Sensor Networks"

[2] International Journal of Advanced Research in Computer Science and Software Engineering [Volume 3, Issue 8, August 2013], "Emerging Trends in Cryptography"

[3] Pritam Gajkumar Shah, Lecturer, Telecom Engineering Department, RV College of Engineering, Bangalore, "Network Security Protocols for Wireless Sensor Networks - A Survey"

[4] Ali Modirkhazeni, Norafida Ithnin, Mohammadjavad Abbasi, "Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis"

Thank you



Page 7: spins

Communication architecture[23]Communication architecture[23] RF communications broadcast

ndash easy to eavesdrop messages

ndash easy to inject fake messages

ndash easy to delete messages (jamming)

ndash modification of messages on-the-fly is hard

ndash but delete ndash modify - re-inject may work Typical communication patterns

ndash many-to-one (nodes to base station) (measurement)

ndash one-to-many (base station to all nodes) (control information) Nodes can

ndash recognize packets addressed to them (addressing)

ndash handle broadcast messages

ndash forward packets toward the base station (using the routing topology)

The base station can access individual nodes using source routing if needed

Trust setup[1]Trust setup[1]

The base station is trusted by all nodes

Sensor nodes are untrusted

ndash they are unattended

ndash they are not tamper resistant

ndash they can be captured and compromised

RF communication channels are untrusted

Initial keys

ndash each node has a unique key that it shares with the base station

ndash compromise of this key affects only a single sensor

Time synchronization

ndash upper bound on the node lsquos clock drift

Security for Sensor Networks[1]Security for Sensor Networks[1] Data Authentication-

ndash it is easy to inject fake packets into the network

ndash special requirements of broadcast authentication

bull symmetric MAC cannot be used

bull asymmetric digital signatures are not feasible Data Confidentiality-

ndash sensor readings might be sensitive some control data (eg keys) must be kept secret

ndash eavesdropping is easy Data Integrity-integrity of sensor readings and control data is important Data Freshness-freshness of sensor readings is usually important and replay of old

packets is easy

ndash weak freshness

bull provides partial message ordering but no delay information

bull useful for sensor readings

ndash strong freshness

bull allows delay estimation

bull required by time synchronization

Notation[4]Notation[4]

ContributionsContributions

SNEP

-Sensor Network Encryption Protocol

-Secures point-to-point communication

microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication

-Provides broadcast authentication

Properties of SNEP[1]

Semantic security

– the same message is encrypted differently each time because the counter value differs

Data authentication and integrity by using a MAC

Weak freshness and replay protection

– counter is part of the MAC

– it ensures message ordering

Low communication overhead

– counter is not sent; it is maintained locally by both parties

– using the block cipher in CTR mode results in a stream cipher → encrypted messages have the same length as plain messages

– MAC adds only 8 bytes per message

Reduced computational overhead

– MAC verification doesn't need decryption

Key Generation Setup[4]

Nodes and base station share a master key pre-deployment

Other keys are bootstrapped from the master key

– Encryption key

– Message Authentication Code key

– Random number generator key

Counter

[Diagram: the RC5 block cipher derives Key_MAC, Key_encryption and Key_random from Key_master]

Building blocks: SNEP[1]

Sensor Network Encryption Protocol (SNEP)

A → B: enc_{Kenc,C}(data) | mac_{Kmac}(C | enc_{Kenc,C}(data))

where

– enc_{Kenc,C} is encryption in CTR mode with key Kenc and counter C

– mac_{Kmac} is CBC-MAC computation with key Kmac

– MAC is computed over the encrypted data and counter C

– MAC length is 64 bits

– Kenc and Kmac are derived from the master key K (shared by the node and the base station) through a one-way function

Kenc = mac_K(1)

Kmac = mac_K(2)

Authentication, Confidentiality[1]

Without encryption, can have only authentication

For encrypted messages, the counter is included in the MAC

Base station keeps current counter for every node

[Diagram: messages between Node A and Node B]

M, MAC(Kmac, M)

M<Kencr, CA>, MAC(Kmac, CA || M<Kencr, CA>)

SNEP with strong freshness[1]

A → B: NA, request

B → A: enc_{Kenc,C}(response) | mac_{Kmac}(NA | C | enc_{Kenc,C}(response))

where

– the request can use plain SNEP for confidentiality and authentication

– NA is an unpredictable random number computed as

NA = mac_{Krnd}(S)

– after generating a random number, S is incremented by one

– Krnd is a key derived from the master key K (shared by the node and the base station) through a one-way function

Krnd = mac_K(3)

and regenerated from time to time

Krnd' = mac_K(Krnd)

Strong Freshness[1]

• Nonce generated randomly

• Sender includes nonce with request

• Responder includes nonce in MAC, but not in reply

[Diagram: messages between Node A and Node B]

Request, NA

Response<Kencr, CB>, MAC(Kmac, NA || CB || Response<Kencr, CB>)

Counter Exchange Protocol[1]

Bootstrapping counter values

[Diagram: Node A sends CA; Node B answers with CB, MAC(Kmac, CA || CB)]

To synchronize:

A → B: CA

B → A: CB, MAC(Kmac, CA || CB)

Code re-use in SNEP[2]

Only the encryption part of RC5 is implemented. It is used

– to encrypt and to decrypt data (possible because of CTR mode)

– to implement the MAC function

– to generate encryption and MAC keys from the master key

– to generate random numbers
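The SNEP slides above, as an added Python sketch (not code from the deck or from the SPINS authors): a single encrypt-only RC5 routine provides CTR encryption, the CBC-MAC, key derivation and nonce generation. Assumptions: RC5-32/12, a length-prefixed CBC-MAC, the (counter, block index) keystream layout, traffic in one direction only, and all class and function names.

```python
import hmac
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK

def rc5_expand(key, rounds=12):
    """RC5-32 key schedule: returns the round-key table S."""
    c = max(1, (len(key) + 3) // 4)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):
        L[i // 4] = ((L[i // 4] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [(0xB7E15163 + i * 0x9E3779B9) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc5_encrypt_block(S, block):
    """Encrypt one 8-byte block. There is no decrypt routine in this file."""
    A, B = struct.unpack("<2I", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for r in range(1, len(S) // 2):
        A = (_rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return struct.pack("<2I", A, B)

def cbc_mac(key, msg):
    """64-bit CBC-MAC. Assumption: length prefix plus zero padding."""
    S = rc5_expand(key)
    data = struct.pack("<I", len(msg)) + msg
    data += b"\0" * (-len(data) % 8)
    tag = bytes(8)
    for off in range(0, len(data), 8):
        block = bytes(x ^ y for x, y in zip(tag, data[off:off + 8]))
        tag = rc5_encrypt_block(S, block)
    return tag

def ctr_xor(key, counter, data):
    """CTR mode: the same call encrypts and decrypts; output length == input length."""
    S = rc5_expand(key)
    out = bytearray()
    for off in range(0, len(data), 8):
        ks = rc5_encrypt_block(S, struct.pack("<2I", counter, off // 8))
        out += bytes(x ^ y for x, y in zip(data[off:off + 8], ks))
    return bytes(out)

class SnepKeys:
    def __init__(self, master):
        self.enc = cbc_mac(master, b"\x01")  # Kenc = mac_K(1)
        self.mac = cbc_mac(master, b"\x02")  # Kmac = mac_K(2)
        self.rnd = cbc_mac(master, b"\x03")  # Krnd = mac_K(3)

def _mac_input(nonce, counter, ct):
    # The nonce-length byte keeps the plain and strong-freshness layouts
    # distinct (added assumption, not on the slides).
    return bytes([len(nonce)]) + nonce + struct.pack("<I", counter) + ct

class SnepSender:
    def __init__(self, master):
        self.keys, self.counter = SnepKeys(master), 0

    def seal(self, data, nonce=b""):
        ct = ctr_xor(self.keys.enc, self.counter, data)
        tag = cbc_mac(self.keys.mac, _mac_input(nonce, self.counter, ct))
        self.counter += 1  # the counter itself is never transmitted
        return ct + tag

class SnepReceiver:
    def __init__(self, master):
        self.keys, self.counter, self.seed = SnepKeys(master), 0, 0

    def nonce(self):
        """NA = mac_Krnd(S); S is incremented after each use."""
        n = cbc_mac(self.keys.rnd, struct.pack("<I", self.seed))
        self.seed += 1
        return n

    def open(self, packet, nonce=b""):
        ct, tag = packet[:-8], packet[-8:]
        want = cbc_mac(self.keys.mac, _mac_input(nonce, self.counter, ct))
        if not hmac.compare_digest(tag, want):
            return None  # replayed, reordered or modified: rejected before decryption
        self.counter += 1
        return ctr_xor(self.keys.enc, self.counter - 1, ct)

if __name__ == "__main__":
    master = bytes(range(16))  # constructed sample master key
    node, base = SnepSender(master), SnepReceiver(master)
    pkt = node.seal(b"temp=21.5C")
    print(pkt.hex(), base.open(pkt), base.open(pkt))
```

A packet that never arrives leaves the receiver's counter behind, so every later MAC check fails until the two sides rerun the counter exchange shown above.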

Building block: TESLA Authenticated Broadcast

Main idea: asymmetry through delayed disclosure of authentication keys

– base station computes a MAC with a key unknown to the sensors

– base station sends and sensors receive the message with the MAC

– later the base station discloses the key used to compute the MAC

Assumptions

– loose time synchronization between the base station and the sensors

– each sensor knows an upper bound on the maximum synchronization error

– initial secret between the base station and each sensor to bootstrap the whole mechanism

Key Setup[1]

Main idea: one-way key chains

K0 is the initial commitment to the chain

Base station gives K0 to all nodes

[Diagram: one-way key chain Kn → Kn-1 → … → K1 → K0, each step applying F: F(Kn), …, F(K2), F(K1)]

Broadcast[1]

Divide time into intervals

Associate Ki with interval i

Messages sent in interval i use Ki in MAC

Ki is revealed at time i +

Nodes authenticate Ki and messages using Ki

[Diagram: time axis with intervals 0 1 2 3 4 and the keys K0 K1 K2 K3 … associated with them]

Broadcasting Authenticated Packets[1]

In interval j, the base station broadcasts Msg

Node verifies that key Kj has not been disclosed yet

Node stores Msg

[Diagram: messages between Node A and the Base Station]

Tnow, Ki, Ti, Tint, MAC(Kmaster, Nonce | Tnow | …)

Nonce

Msg, MAC(Kj, Msg)

Node authenticating packets[1]

After the disclosure interval, the base station broadcasts Kj

Node verifies that F(Kj) = Kj-1, or F(F(Kj)) = Kj-2, etc.

Node verifies MAC of Msg

Node delivers Msg

[Diagram: messages between Node A and the Base Station]

Tnow, Ki, Ti, Tint, MAC(Kmaster, Nonce | Tnow | …)

Nonce

Msg, MAC(Kj, Msg)

Kj

Perfect robustness to packet loss[1]

[Figure: time axis (Time 2 to Time 5, keys K2 to K5) with packets P1 to P5 and the keys they disclose; labels: "Authenticate K3" (by applying F, F) and "Verify MACs"]
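The receiver-side checks from the TESLA slides above, as an added Python example that is not from the deck or from the SPINS authors. Assumptions: truncated SHA-256 and HMAC stand in for the RC5-based F and MAC, time is an integer tick count, and `delay`, `max_sync_error` and the class names are hypothetical.

```python
import hashlib
import hmac

def F(key):
    """One-way function of the key chain (stand-in: truncated SHA-256)."""
    return hashlib.sha256(b"chain" + key).digest()[:8]

def mac(key, msg):
    """8-byte MAC (stand-in: truncated HMAC-SHA-256)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class BaseStation:
    def __init__(self, secret, n, interval_len, delay):
        chain = [F(secret)]                # Kn
        for _ in range(n):
            chain.append(F(chain[-1]))     # K(i-1) = F(Ki)
        self.chain = chain[::-1]           # chain[i] is Ki; chain[0] is the commitment K0
        self.T, self.delay = interval_len, delay

    def broadcast(self, now, msg):
        j = now // self.T
        if not 1 <= j < len(self.chain):
            raise ValueError("no chain key for this interval")
        return j, msg, mac(self.chain[j], msg)

    def disclose(self, now):
        """Key of the interval that ended `delay` intervals ago, if any."""
        j = now // self.T - self.delay
        return (j, self.chain[j]) if 1 <= j < len(self.chain) else None

class TeslaReceiver:
    def __init__(self, k0, interval_len, delay, max_sync_error):
        self.last_idx, self.last_key = 0, k0
        self.T, self.delay, self.err = interval_len, delay, max_sync_error
        self.buffer = {}                   # interval -> [(msg, tag), ...]

    def on_packet(self, local_now, j, msg, tag):
        # Security condition: the sender's clock may be ahead by max_sync_error.
        # If Kj could already have been disclosed, anyone could have made this MAC.
        if (local_now + self.err) // self.T >= j + self.delay:
            return False
        self.buffer.setdefault(j, []).append((msg, tag))
        return True

    def on_key(self, j, key):
        if j <= self.last_idx:
            return []
        # Walk the chain back to the last authenticated key; this also covers
        # disclosures that were lost: F(F(Kj)) = K(j-2), and so on.
        k = key
        for _ in range(j - self.last_idx):
            k = F(k)
        if not hmac.compare_digest(k, self.last_key):
            return []                      # not on the chain: ignore, keep buffer
        delivered, k = [], key
        for idx in range(j, self.last_idx, -1):
            ok = [m for m, t in self.buffer.pop(idx, [])
                  if hmac.compare_digest(mac(k, m), t)]
            delivered[:0] = ok             # keep interval order
            k = F(k)                       # recover the skipped key K(idx-1)
        self.last_idx, self.last_key = j, key
        return delivered

if __name__ == "__main__":
    bs = BaseStation(b"constructed-secret", 6, 10, 2)   # constructed sample values
    node = TeslaReceiver(bs.chain[0], 10, 2, 1)
    node.on_packet(11, *bs.broadcast(10, b"m1"))
    node.on_packet(21, *bs.broadcast(20, b"m2"))
    # The disclosure of K1 is lost; K2 alone authenticates both intervals.
    print(node.on_key(*bs.disclose(40)))
```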

TESLA Properties

Asymmetry from delayed key disclosure[1]

Self-authenticating keys[1]

Requires loose time synchronization[3]

Low overhead (1 MAC)

- Communication (same as SNEP)

- Computation (~ 2 MAC computations)

Independent of number of receivers

Applications[1]

Authenticated Routing

Node to Node Agreement

A → B: NA, A

B → S: NA, NB, A, B, MAC(K'BS, NA || NB || A || B)

S → A: {SKAB}KSA, MAC(K'SA, NA || A || {SKAB}KSA)

S → B: {SKAB}KSB, MAC(K'SB, NB || B || {SKAB}KSB)

Discussion: Drawbacks

The TESLA protocol lacks scalability[1]

- requires an initial key commitment with each node, which is very communication intensive

SPINS uses source routing, so it is vulnerable to traffic analysis[2,3]

Conclusion[1,3]

Strong security protocols affordable

- First broadcast authentication

Low security overhead

- Computation, memory, communication

Apply to future sensor networks

- Energy limitations persist

- Tendency to use minimal hardware

Base protocol for more sophisticated security services

References

[1] Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J. D. Tygar, "SPINS: Security Protocols for Sensor Networks"

[2] International Journal of Advanced Research in Computer Science and Software Engineering [Volume 3, Issue 8, August 2013], "Emerging Trends in Cryptography"

[3] Pritam Gajkumar Shah, Lecturer, Telecom Engineering Department, RV College of Engineering, Bangalore, "Network Security Protocols for Wireless Sensor Networks - A Survey"

[4] Ali Modirkhazeni, Norafida Ithnin, Mohammadjavad Abbasi, "Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis"

Thank you

Page 11: spins

ContributionsContributions

SNEP

-Sensor Network Encryption Protocol

-Secures point-to-point communication

microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication

-Provides broadcast authentication

Properties of SNEP[1]Properties of SNEP[1]

Semantic security

ndash same messages are encrypted differently each time due to the different counter value

Data authentication and integrity by using MAC Weak freshness and replay protection

ndash counter is part of the MAC

ndash it ensures message ordering Low communication overhead

ndash counter is not sent it is maintained locally by both parties

ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages

ndash MAC adds only 8 bytes per message Reduced computational overhead

ndash MAC verification doesnrsquot need decryption

Key Generation Setup[4]Key Generation Setup[4]

Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key

Encryption key

Message Authentication code key

Random number generator key

Counter

RC5 BlockCipherKey Master KeyMAC

KeyEncryption

Keyrandom

Building blocks SNEP[1]Building blocks SNEP[1]

Sensor Network Encryption Protocol (SNEP)

A B encKencC(data) | macKmac(C|encKencC(data))

where

ndash encKencC is encryption in CTR mode with key Kenc and counter C

ndash macKmac is CBC-MAC computation with key Kmac

ndash MAC is computed over the encrypted data and counter C

ndash MAC length is 64 bits

ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function

Kenc = macK(1)

Kmac = macK(2)

Authentication Confidentiality[1] Authentication Confidentiality[1]

Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node

Node A

M MAC(Kmac M)

MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)

Node B

SNEP with strong freshness[1]SNEP with strong freshness[1]

A B NA request

B A encKencC(response) | macKmac(NA|C|encKencC(response))

where

ndash the request can use plain SNEP for confidentiality and authentication

ndash NA is an unpredictable random number computed as

NA = macKrnd(S)ndash after generating a random number S is incremented by one

ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function

Krnd = macK(3)and regenerated from time to time

Krndrsquo = macK (Krnd)

Strong Freshness[1]Strong Freshness[1]

bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply

Node A

Request NA

ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)

Node B

Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values

Node A

CA

CB MAC(Kmac CA||CB)

Node B

To synchronizeA rarrB CA

B rarrA CB MAC(KmacCA || CB)

Code re-use in SNEP[2]

Only the encryption part of RC5 is implemented. This is used:

- to encrypt and to decrypt (due to CTR mode) data
- to implement the MAC function
- to generate encryption and MAC keys from the master key
- to generate random numbers
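The SNEP pieces described above (key derivation from the master key, CTR encryption, a 64-bit CBC-MAC over counter and ciphertext, the nonce for strong freshness) built from a single RC5 encrypt routine, as an added example that is not code from the slides or from the SPINS authors. The RC5-32/12 parameters, the 8-byte derived keys, the counter-block layout, the CBC-MAC length prefix and all function names are assumptions of this sketch, and it models one direction of a link only (a reply path needs its own counter and keystream).

```python
import hmac
import struct

MASK, ROUNDS, BLOCK = 0xFFFFFFFF, 12, 8

def _rotl(x, n):
    return ((x << (n & 31)) | (x >> (32 - (n & 31)))) & MASK

def rc5_key_schedule(key):
    """RC5-32/12/b key expansion; returns the round-key table S."""
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(4 * c, b"\0")))
    t = 2 * (ROUNDS + 1)
    S = [(0xB7E15163 + i * 0x9E3779B9) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc5_encrypt(S, block):
    """Encrypt one 8-byte block; the only cipher routine used below."""
    A, B = struct.unpack("<2I", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for r in range(1, ROUNDS + 1):
        A = (_rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return struct.pack("<2I", A, B)

def cbc_mac(S, msg):
    """64-bit CBC-MAC; the length prefix and zero padding are assumptions."""
    data = len(msg).to_bytes(BLOCK, "big") + msg
    data += bytes(-len(data) % BLOCK)
    state = bytes(BLOCK)
    for off in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(state, data[off:off + BLOCK]))
        state = rc5_encrypt(S, mixed)
    return state

def ctr_xor(S, counter, data):
    """CTR mode: one call both encrypts and decrypts, length is preserved."""
    out = bytearray()
    for n, off in enumerate(range(0, len(data), BLOCK)):
        keystream = rc5_encrypt(S, struct.pack(">II", counter, n))
        out += bytes(d ^ k for d, k in zip(data[off:off + BLOCK], keystream))
    return bytes(out)

class SnepEndpoint:
    """One direction of a SNEP link: the sender seals, the receiver opens."""
    def __init__(self, master_key):
        k = rc5_key_schedule(master_key)
        derive = lambda i: rc5_key_schedule(cbc_mac(k, bytes([i])))
        self.k_enc, self.k_mac, self.k_rnd = derive(1), derive(2), derive(3)
        self.counter = 0  # C: kept locally on both sides, never transmitted
        self.seed = 0     # S: input to the nonce generator

    def next_nonce(self):
        nonce = cbc_mac(self.k_rnd, struct.pack(">I", self.seed))  # mac_Krnd(S)
        self.seed += 1
        return nonce

    def _tag(self, nonce, ct):
        return cbc_mac(self.k_mac, nonce + struct.pack(">I", self.counter) + ct)

    def seal(self, data, nonce=b""):
        ct = ctr_xor(self.k_enc, self.counter, data)
        packet = ct + self._tag(nonce, ct)
        self.counter += 1
        return packet

    def open(self, packet, nonce=b""):
        if len(packet) < BLOCK:
            return None
        ct, tag = packet[:-BLOCK], packet[-BLOCK:]
        if not hmac.compare_digest(tag, self._tag(nonce, ct)):
            return None  # forged, replayed, out of order, or wrong nonce
        plain = ctr_xor(self.k_enc, self.counter, ct)
        self.counter += 1
        return plain

def demo():
    master = bytes(range(16))  # constructed sample master key
    node, base = SnepEndpoint(master), SnepEndpoint(master)
    p1 = node.seal(b"temp=21.5C")
    p2 = node.seal(b"temp=21.5C")  # same plaintext, next counter value
    out = {"overhead": len(p1) - 10, "differs": p1[:-BLOCK] != p2[:-BLOCK]}
    out["first"] = base.open(p1)
    out["replay"] = base.open(p1)  # counter has advanced, so the MAC fails
    out["second"] = base.open(p2)
    na = base.next_nonce()  # base station sends "NA, request" in the clear
    reply = node.seal(b"ack", nonce=na)
    out["wrong_nonce"] = base.open(reply, nonce=bytes(b ^ 0xFF for b in na))
    out["fresh"] = base.open(reply, nonce=na)
    return out

if __name__ == "__main__":
    print(demo())
```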

Building block: TESLA Authenticated Broadcast

Main idea: asymmetry through delayed disclosure of authentication keys

- base station computes a MAC with a key unknown to the sensors
- base station sends and sensors receive the message with the MAC
- later, the base station discloses the key used to compute the MAC

Assumptions

- loose time synchronization between the base station and the sensors
- each sensor knows an upper bound on the maximum synchronization error
- initial secret between the base station and each sensor to bootstrap the whole mechanism

Key Setup[1]

- Main idea: one-way key chains
- K0 is the initial commitment to the chain
- Base station gives K0 to all nodes

[Figure: key chain Kn, Kn-1, …, K1, K0, linked by F(Kn), …, F(K2), F(K1)]

Broadcast[1]

- Divide time into intervals
- Associate Ki with interval i
- Messages sent in interval i use Ki in MAC
- Ki is revealed at time i +
- Nodes authenticate Ki and messages using Ki

[Figure: timeline with intervals 0, 1, 2, 3, 4 and keys K0, K1, K2, K3, …]

Broadcasting Authenticated Packets[1]

- In interval j, base station broadcasts Msg
- Node verifies that key Kj has not been disclosed yet
- Node stores Msg

[Figure: messages between Node A and Base Station: Nonce; Tnow, Ki, Ti, Tint, MAC(Kmaster, Nonce | Tnow | …); Msg, MAC(Kj, Msg)]

Node authenticating packets[1]

- After the disclosure interval, base station broadcasts Kj
- Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2, etc.
- Node verifies MAC of Msg
- Node delivers Msg

[Figure: messages between Node A and Base Station: Nonce; Tnow, Ki, Ti, Tint, MAC(Kmaster, Nonce | Tnow | …); Msg, MAC(Kj, Msg); Kj]

Perfect robustness to packet loss[1]

[Figure: timeline from Time 2 to Time 5 with keys K2 to K5; packets P1 to P5 carry the disclosed keys K0, K0, K1, K2, K3; labels: F, F, "Authenticate K3", "Verify MACs"]
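The TESLA receiver logic described above (commitment K0, the check that a packet's key cannot have been disclosed yet, recovery after lost key disclosures) as an added example, not code from the slides or from SPINS. Truncated SHA-256 and HMAC stand in for the RC5-based functions, and the interval numbering, the `delay` parameter, the sync-error unit (whole intervals) and all names are assumptions.

```python
import hashlib
import hmac

def F(key):
    """One-way function of the key chain (truncated SHA-256 as a stand-in)."""
    return hashlib.sha256(b"chain" + key).digest()[:8]

def mac(key, msg):
    """8-byte message authentication code (truncated HMAC-SHA-256 stand-in)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class BaseStation:
    def __init__(self, seed, n, delay):
        chain = [seed]                      # Kn is chosen first ...
        for _ in range(n):
            chain.append(F(chain[-1]))      # ... and K(i-1) = F(Ki)
        self.keys = chain[::-1]             # keys[i] == Ki, keys[0] == K0
        self.delay = delay                  # Ki is disclosed `delay` intervals late

    def packet(self, interval, msg):
        return (interval, msg, mac(self.keys[interval], msg))

    def disclose(self, now):
        """Key index and key released during interval `now`."""
        return (now - self.delay, self.keys[now - self.delay])

class Sensor:
    def __init__(self, k0, delay, max_sync_error=0):
        self.index, self.key = 0, k0        # newest authenticated key
        self.delay, self.max_err = delay, max_sync_error
        self.pending, self.delivered = [], []

    def receive(self, local_now, pkt):
        """Buffer a packet only if its key cannot have been disclosed yet."""
        interval = pkt[0]
        if interval <= self.index:
            return False                    # key already known to this node
        if local_now + self.max_err >= interval + self.delay:
            return False                    # key may already be public: drop
        self.pending.append(pkt)
        return True

    def on_key(self, index, key):
        """Authenticate Ki against the last trusted key, then check MACs."""
        if index <= self.index:
            return False
        recovered, k = {index: key}, key
        for i in range(index - 1, self.index, -1):
            k = F(k)                        # fills in keys whose disclosure was lost
            recovered[i] = k
        if not hmac.compare_digest(F(k), self.key):
            return False                    # not on the committed chain
        self.index, self.key = index, key
        waiting = []
        for interval, msg, tag in self.pending:
            if interval not in recovered:
                waiting.append((interval, msg, tag))
            elif hmac.compare_digest(mac(recovered[interval], msg), tag):
                self.delivered.append(msg)
        self.pending = waiting
        return True

def demo():
    bs = BaseStation(b"constructed-seed", n=6, delay=2)
    node = Sensor(bs.keys[0], delay=2)      # K0 handed over at bootstrap
    out = {"buffered": [node.receive(i, bs.packet(i, b"P%d" % i))
                        for i in (1, 2, 3)]}
    # Disclosures of K1 and K2 (intervals 3 and 4) are lost in transit.
    _, k1 = bs.disclose(3)                  # K1 is public from interval 3 on
    forged = (1, b"forged", mac(k1, b"forged"))
    out["late_forgery"] = node.receive(3, forged)
    out["bogus_key"] = node.on_key(3, bytes(8))
    out["k3_accepted"] = node.on_key(*bs.disclose(5))
    out["delivered"] = node.delivered
    return out

if __name__ == "__main__":
    print(demo())
```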

TESLA Properties

- Asymmetry from delayed key disclosure[1]
- Self-authenticating keys[1]
- Requires loose time synchronization[3]
- Low overhead (1 MAC)
  - Communication (same as SNEP)
  - Computation (~ 2 MAC computations)
- Independent of number of receivers

Applications[1]

- Authenticated Routing
- Node to Node Agreement

A → B: NA, A

B → S: NA, NB, A, B, MAC(K'BS, NA || NB || A || B)

S → A: {SKAB}_{KSA}, MAC(K'SA, NA || A || {SKAB}_{KSA})

S → B: {SKAB}_{KSB}, MAC(K'SB, NB || B || {SKAB}_{KSB})

Discussion: Drawbacks

- The TESLA protocol lacks scalability[1]
  - requires an initial key commitment with each node, which is very communication intensive
- SPINS uses source routing, so it is vulnerable to traffic analysis[2,3]

Conclusion[1,3]

- Strong security protocols affordable
  - First broadcast authentication
- Low security overhead
  - Computation, memory, communication
- Apply to future sensor networks
  - Energy limitations persist
  - Tendency to use minimal hardware
- Base protocol for more sophisticated security services

References

[1] Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J. D. Tygar, "SPINS: Security Protocols for Sensor Networks"

[2] International Journal of Advanced Research in Computer Science and Software Engineering [Volume 3, Issue 8, August 2013], "Emerging Trends in Cryptography"

[3] Pritam Gajkumar Shah, Lecturer, Telecom Engineering Department, RV College of Engineering, Bangalore, "Network Security Protocols for Wireless Sensor Networks - A Survey"

[4] Ali Modirkhazeni, Norafida Ithnin, Mohammadjavad Abbasi, "Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis"

Thank you


Properties of SNEP[1]

- Semantic security
  - same messages are encrypted differently each time due to the different counter value
- Data authentication and integrity by using MAC
- Weak freshness and replay protection
  - counter is part of the MAC
  - it ensures message ordering
- Low communication overhead
  - counter is not sent, it is maintained locally by both parties
  - using the block cipher in CTR mode results in a stream cipher → encrypted messages have the same length as plain messages
  - MAC adds only 8 bytes per message
- Reduced computational overhead
  - MAC verification doesn't need decryption

Page 16: spins

SNEP with strong freshness[1]SNEP with strong freshness[1]

A B NA request

B A encKencC(response) | macKmac(NA|C|encKencC(response))

where

ndash the request can use plain SNEP for confidentiality and authentication

ndash NA is an unpredictable random number computed as

NA = macKrnd(S)ndash after generating a random number S is incremented by one

ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function

Krnd = macK(3)and regenerated from time to time

Krndrsquo = macK (Krnd)

Strong Freshness[1]Strong Freshness[1]

bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply

Node A

Request NA

ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)

Node B

Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values

Node A

CA

CB MAC(Kmac CA||CB)

Node B

To synchronizeA rarrB CA

B rarrA CB MAC(KmacCA || CB)

Code re-use in SNEP[2]Code re-use in SNEP[2]

Only encryption part of RC5 is implemented This is used

ndash to encrypt and to decrypt (due to CTR mode) data

ndash to implement the MAC function

ndash to generate encryption and MAC keys from the master key

ndash to generate random numbers

Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast

Main idea asymmetry through delayed disclosure of authentication keys

ndash base station computes a MAC with a key unknown to the sensors

ndash base station sends and sensors receive the message with the MAC

ndash later the base station discloses the key used to compute the MAC

Assumptions

ndash loose time synchronization between the base station and the sensors

ndash each sensor knows an upper bound on the maximum synchronization error

ndash initial secret between the base station and each sensor to bootstrap the whole mechanism

Key Setup[1]Key Setup[1]

Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes

Kn Kn-1 K1 K0

X

helliphellipF(Kn) F(K1)F(K2)

Broadcast[1]Broadcast[1]

Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki

K0 K1 K2 K3 hellip

0 1 2 3 4 time

Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]

In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg

Node A Base Station

Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)

Nonce

Msg MAC(Kj Msg)

Node authenticating packets[1]Node authenticating packets[1]

After disclosure interval base station broadcasts Kj

Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg

Node A Base Station

Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)

Nonce

Msg MAC(Kj Msg)

Kj

Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]

K2 K3 K4 K5

tTime 2 Time 3 Time 4 Time 5

K1

P5

K3

P3

K1

P2

K0

P1

K0

Verify MACs

P4

K2

FF

Authenticate K3

TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]

Self-authenticating keys[1]

Requires loose time synchronization[3]

Low overhead (1 MAC)

- Communication (same as SNEP)

- Computation (~ 2 MAC computations) Independent of number of receivers

Applications[1]Applications[1]

Authenticated RoutingNode to Node Agreement

A B NA A

B S NANB A B MAC(KrsquoBS NA || NB || A || B)

S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )

S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )

Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]

- require initial key commitment with each nodes which is very communication intensive

SPINS uses source routing so vulnerable to traffic analysis[23]

Conclusion[13]Conclusion[13]

Strong security protocols affordable

- First broadcast authentication

Low security overhead

- Computation memory communication

Apply to future sensor networks

-Energy limitations persist

-Tendency to use minimal hardware

Base protocol for more sophisticated security services

ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D

TygarrdquoSPINS Security Protocols for Sensor Networksrdquo

[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo

[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo

[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo

Thank you

Page 17: spins

Strong Freshness[1]

• Nonce generated randomly
• Sender includes Nonce with request
• Responder includes nonce in MAC, but not in reply

Node A → Node B: Request, NA

Node B → Node A: {Response}<Kencr, CB>, MAC(Kmac, NA || CB || {Response}<Kencr, CB>)

Counter Exchange Protocol[1]

Bootstrapping counter values

To synchronize:

A → B: CA

B → A: CB, MAC(Kmac, CA || CB)

Code re-use in SNEP[2]

Only the encryption part of RC5 is implemented. This is used:

– to encrypt and to decrypt (due to CTR mode) data

– to implement the MAC function

– to generate encryption and MAC keys from the master key

– to generate random numbers
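The Strong Freshness and Counter Exchange messages above, together with the single-primitive reuse from the Code re-use slide, as an added example that is not taken from the slides or from the SPINS authors. HMAC-SHA256 stands in for the RC5-based primitive; the function names, the 8-byte nonce and counter widths and the sample values are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 8  # assumed nonce width in bytes


def prf(key: bytes, data: bytes) -> bytes:
    """Single primitive reused for MAC, key derivation and keystream (stand-in for RC5)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def u64(n: int) -> bytes:
    """Fixed-width counter encoding so NA || CB || ciphertext is unambiguous."""
    return n.to_bytes(8, "big")


def derive_keys(master: bytes):
    """Encryption and MAC keys generated from the master key."""
    return prf(master, b"encr"), prf(master, b"mac")


def ctr_crypt(k_encr: bytes, counter: int, data: bytes) -> bytes:
    """CTR mode: the same operation encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = prf(k_encr, u64(counter) + u64(off))
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def counter_reply(k_mac: bytes, ca: int, cb: int):
    """B -> A: CB, MAC(Kmac, CA || CB)."""
    return cb, prf(k_mac, u64(ca) + u64(cb))


def counter_accept(k_mac: bytes, ca: int, reply):
    """A accepts CB only if the MAC binds it to the CA that A sent."""
    cb, tag = reply
    ok = hmac.compare_digest(tag, prf(k_mac, u64(ca) + u64(cb)))
    return cb if ok else None


def respond(k_encr, k_mac, nonce: bytes, cb: int, response: bytes):
    """B -> A: ciphertext and MAC. The nonce and CB go into the MAC, not the reply."""
    ct = ctr_crypt(k_encr, cb, response)
    return ct, prf(k_mac, nonce + u64(cb) + ct)


def accept(k_encr, k_mac, nonce: bytes, cb: int, reply):
    """A recomputes the MAC with its own nonce and its own copy of CB."""
    ct, tag = reply
    if not hmac.compare_digest(tag, prf(k_mac, nonce + u64(cb) + ct)):
        return None  # stale, replayed or modified reply
    return ctr_crypt(k_encr, cb, ct)


def demo():
    # Constructed sample values; not real keys or sensor data.
    k_encr, k_mac = derive_keys(b"constructed master key")
    ca, b_counter = 7, 41
    cb = counter_accept(k_mac, ca, counter_reply(k_mac, ca, b_counter))

    na1 = secrets.token_bytes(NONCE_LEN)
    reply1 = respond(k_encr, k_mac, na1, b_counter, b"temp=21C")
    fresh = accept(k_encr, k_mac, na1, cb, reply1)

    # A new request uses a new nonce; the old reply no longer verifies,
    # even when checked against the same counter value.
    na2 = secrets.token_bytes(NONCE_LEN)
    replayed = accept(k_encr, k_mac, na2, cb, reply1)

    reply2 = respond(k_encr, k_mac, na2, b_counter + 1, b"temp=22C")
    fresh2 = accept(k_encr, k_mac, na2, cb + 1, reply2)
    return cb, fresh, replayed, fresh2


if __name__ == "__main__":
    print(demo())
```

Because neither the nonce nor the counter travels in the reply, the receiver's own state decides whether the MAC verifies, which is what gives the request/response pair its freshness guarantee.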

Building block: TESLA Authenticated Broadcast

Main idea: asymmetry through delayed disclosure of authentication keys

– base station computes a MAC with a key unknown to the sensors

– base station sends and sensors receive the message with the MAC

– later, the base station discloses the key used to compute the MAC

Assumptions

– loose time synchronization between the base station and the sensors

– each sensor knows an upper bound on the maximum synchronization error

– initial secret between the base station and each sensor to bootstrap the whole mechanism

Key Setup[1]

Main idea: One-way key chains

K0 is initial commitment to chain

Base station gives K0 to all nodes

[Figure: key chain Kn → Kn-1 → … → K1 → K0, with arrows labelled F(Kn), …, F(K2), F(K1) and an X mark]

Broadcast[1]

Divide time into intervals

Associate Ki with interval i

Messages sent in interval i use Ki in MAC

Ki is revealed at time i +

Nodes authenticate Ki and messages using Ki

[Figure: time axis 0, 1, 2, 3, 4 with keys K0, K1, K2, K3, … associated with successive intervals]

Broadcasting Authenticated Packets[1]

In interval j, base station broadcasts Msg

Node verifies that key Kj has not been disclosed yet

Node stores Msg

[Figure: message exchange between Node A and the Base Station. Labels: Nonce; Tnow, Ki, Ti, Tint, MAC(Kmaster, Nonce | Tnow | …); Msg, MAC(Kj, Msg)]

Node authenticating packets[1]

After disclosure interval, base station broadcasts Kj

Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2, etc.

Node verifies MAC of Msg

Node delivers Msg

[Figure: message exchange between Node A and the Base Station. Labels: Nonce; Tnow, Ki, Ti, Tint, MAC(Kmaster, Nonce | Tnow | …); Msg, MAC(Kj, Msg); Kj]
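The Key Setup, Broadcast and Node authenticating packets slides above, carried through end to end as an added example that is not code from the slides or from the SPINS authors. It assumes SHA-256 as the one-way function F and HMAC-SHA256 as the MAC, counts time in whole intervals, and uses hypothetical class and parameter names; it also shows a node recovering after two key disclosures are lost.

```python
import hashlib
import hmac


def F(key: bytes) -> bytes:
    """One-way function of the key chain (SHA-256 is an assumption here)."""
    return hashlib.sha256(b"tesla-chain" + key).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [K0, K1, ..., Kn] with Kn = seed and K(i-1) = F(Ki)."""
    chain = [seed]
    for _ in range(n):
        chain.append(F(chain[-1]))
    chain.reverse()
    return chain


class BaseStation:
    def __init__(self, seed: bytes, n: int, delay: int):
        self.chain = make_chain(seed, n)
        self.delay = delay  # disclosure delay, in intervals

    def commitment(self) -> bytes:
        return self.chain[0]  # K0, given to all nodes

    def broadcast(self, interval: int, msg: bytes):
        return interval, msg, mac(self.chain[interval], msg)

    def disclose(self, now: int):
        j = now - self.delay
        if not 1 <= j < len(self.chain):
            raise ValueError("no key to disclose at this time")
        return j, self.chain[j]


class Node:
    def __init__(self, commitment: bytes, delay: int, max_sync_error: int = 0):
        self.key_index, self.key = 0, commitment  # last authenticated key
        self.delay = delay
        self.max_sync_error = max_sync_error
        self.buffer = {}     # interval -> [(msg, tag)] awaiting key disclosure
        self.delivered = []

    def receive_packet(self, local_interval: int, packet) -> bool:
        j, msg, tag = packet
        # Kj must not have been disclosed yet, even if the base station's
        # clock is max_sync_error intervals ahead of ours.
        if local_interval + self.max_sync_error >= j + self.delay:
            return False
        self.buffer.setdefault(j, []).append((msg, tag))
        return True

    def receive_key(self, j: int, key: bytes) -> bool:
        if j <= self.key_index:
            return False
        # Walk the chain back to the last authenticated key, recovering
        # every key whose disclosure was lost on the way.
        keys = {j: key}
        for i in range(j - 1, self.key_index, -1):
            keys[i] = F(keys[i + 1])
        if not hmac.compare_digest(F(keys[self.key_index + 1]), self.key):
            return False
        for i in range(self.key_index + 1, j + 1):
            for msg, tag in self.buffer.pop(i, []):
                if hmac.compare_digest(mac(keys[i], msg), tag):
                    self.delivered.append(msg)
        self.key_index, self.key = j, key
        return True


def demo():
    # Constructed values; the seed is not a real key.
    bs = BaseStation(seed=b"constructed seed", n=5, delay=2)
    node = Node(bs.commitment(), delay=2)
    accepted = [node.receive_packet(i, bs.broadcast(i, b"P%d" % i))
                for i in (1, 2, 3)]
    # K1 is public from time 3 on, so a packet for interval 1 that
    # arrives then could have been made by anyone and is dropped.
    _, k1 = bs.disclose(3)
    late_ok = node.receive_packet(3, (1, b"late", mac(k1, b"late")))
    bad_key_ok = node.receive_key(3, b"\x00" * 32)
    # Disclosures of K1 and K2 were lost; K3 alone authenticates all three.
    key_ok = node.receive_key(*bs.disclose(5))
    return accepted, late_ok, bad_key_ok, key_ok, node.delivered


if __name__ == "__main__":
    print(demo())
```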

Page 29: spins

Conclusion[13]Conclusion[13]

Strong security protocols affordable

- First broadcast authentication

Low security overhead

- Computation memory communication

Apply to future sensor networks

-Energy limitations persist

-Tendency to use minimal hardware

Base protocol for more sophisticated security services

ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D

TygarrdquoSPINS Security Protocols for Sensor Networksrdquo

[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo

[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo

[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo

Thank youThank you

Page 30: spins

ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D

TygarrdquoSPINS Security Protocols for Sensor Networksrdquo

[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo

[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo

[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo

Thank youThank you

Page 31: spins

Thank youThank you


Recommended