An Efficient Cross Layer Approach for Object Security of CoAP (OSCoAP) Thesis-II by Rizwan Hamid Randhawa MSCS14014

Motivation: Why IoT Security?

Attacks on IoT Devices

Attacks Through IoT Devices

Attack Vector for an IoT Device

IoT Stack Vs Web Stack

CoAP [1]

- Constrained Application Protocol
- REST based API like HTTP
- GET, PUT, POST, DELETE
- Light Weight in terms of Message Size
- UDP based: means no reliability but less overheads than TCP
- For Reliability: CON, NON, ACK, RST
- Request / Response based

Secure CoAP or CoAPs[1]

- Secure CoAP uses DTLS
- Datagram Transport Layer Security
- Digital Signatures/Certificates
- Elliptic Curve Crypto
- Diffie-Hellman Key Exchange → Public Private Key
- Symmetric → Pre-shared Key

CoAPs Security Issues [2]

- CoAPs uses DTLS → Datagram Transport Layer Security
- No end-to-end security → Only hop-by-hop
- DTLS terminates on Proxy Level
- Infected Proxy → Prone to several attacks

CoAP Proxy Threat Model [2]

Attacks | Mitigation
Spoofing | Message Authentication
Delaying | Setting Max-Age = 0
Withholding | Not mitigated
Flooding | Replay Protection
Eavesdropping | Encryption
Traffic Analysis | Padding

OSCoAP[3]

- CoAP Object secures itself
- End-to-end Application Layer Protocol
- Provides Authentication, Message Integrity and Confidentiality
- Based on COSE → CBOR Object Signing and Encryption
- Selective Authentication and Encryption of CoAP Fields
- Proxy can not withhold a request/response
- No compromise on proxy operation

OSCoAP Existing Work

- Dedicated working group at IETF since 2014 [3].
- So far 11 drafts have been published with latest on July 01, 2017 [4]
- Two theses on OSCoAP
- One from Royal KTH Sweden[5] and other from Lund University Sweden[6]
- We have used [7] OSCoAP implementation found at Github
- More than 10000 lines of Code, WG has been working on for last three years

Motivation

- [5] implemented only authentication of certain fields of CoAP and did not implement Encryption
- [6] implemented Encryption in [7] work
- [7] implemented Encryption in Software
- They have mentioned on their website that they will implement the hardware security
- Making OSCoAP more efficient in terms of energy and memory footprint to be used in IoT devices

COSE[8]

- CBOR Object Signing & Encryption[8]
- Object Signing & Encryption → AEAD
- OSCoAP used AES-CCM-64-64-128 mode
- 64 bit Nonce → unpredictable random value concatenated with Counter
- 64 bit Message Integrity Code → Used for Replay Protection
- 128 bit key → Used for AES Encryption Operation
- Other AES-CCM modes using 128 bit key include: AES-CCM-16-64-128, AES-CCM-16-128-128, AES-CCM-64-128-128

CBOR[9]

CBOR → Compact Binary Object Representation → Representation of eight different data types:

- Unsigned integers
- Negative integers
- Byte strings
- Text strings
- Array of data items
- Map of pairs of data items
- Floating-point numbers
- Simple data types that need no content and Optional semantic tagging of these major types

AEAD[8]

- Authenticated Encryption with Additional Data
- Block Ciphers-AES128
- Cipher Block Chaining Message Authentication Code (CBC-MAC) → Message Authentication
- Counter Mode (CTR) → Message Encryption
- CCM (CTR with CBC-MAC)

CBC-MAC[10]

$$X_1 := E(K, B_0)$$
$$X_{i+1} := E(K, X_i \oplus B_i) \quad \text{for } i = 1, \dots, n$$
$$T := \text{first-}M\text{-octets}(X_{n+1})$$

where E() is the block cipher encryption function, T is the MAC value

CTR[10]

$$S_i := E(K, A_i) \quad \text{for } i = 0, 1, 2, \dots$$

where i = 0, 1, 2, ..., n, E() is the block cipher encryption function, S is the Ciphertext Block and A is the counter Block

CCM[10]

Concatenation of CBC-MAC and CTR

Message Integrity Code

Encrypted Message
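The CBC-MAC and CTR formulas above, composed into CCM, as an added example (not code from the thesis or from contiki-oscoap). Assumptions: B_0 and A_i are formatted as in RFC 3610, the 8-byte nonce and 8-byte MIC follow the sizes listed on the COSE slide, `stand_in_E` is a hypothetical HMAC-SHA-256 placeholder for AES-128 so that the block needs only the standard library, and the key, nonce, 37-byte AAD and 7-byte message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # block size of E() in bytes

def stand_in_E(key, block):
    # Hypothetical stand-in for AES-128 E(K, B): forward-only HMAC-SHA-256 PRF, NOT AES.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input
def _pad(data):
    return data + bytes(-len(data) % BLOCK)    # zero-pad to a block boundary

def cbc_mac(E, key, nonce, aad, msg, M):
    L = 15 - len(nonce)                        # size of the length field
    flags = (0x40 if aad else 0) | (((M - 2) // 2) << 3) | (L - 1)
    blocks = bytes([flags]) + nonce + len(msg).to_bytes(L, "big")   # B_0
    if aad:                                    # 2-byte length prefix: len(aad) < 0xFF00
        blocks += _pad(len(aad).to_bytes(2, "big") + aad)
    blocks += _pad(msg)
    x = E(key, blocks[:BLOCK])                 # X_1 := E(K, B_0)
    for i in range(BLOCK, len(blocks), BLOCK):
        x = E(key, _xor(x, blocks[i:i + BLOCK]))   # X_{i+1} := E(K, X_i xor B_i)
    return x[:M]                               # T := first M octets of X_{n+1}

def ctr_blocks(E, key, nonce, count):
    L = 15 - len(nonce)                        # S_i := E(K, A_i), i = 0..count
    return [E(key, bytes([L - 1]) + nonce + i.to_bytes(L, "big"))
            for i in range(count + 1)]

def ccm_seal(E, key, nonce, aad, msg, M=8):
    t = cbc_mac(E, key, nonce, aad, msg, M)
    s = ctr_blocks(E, key, nonce, -(-len(msg) // BLOCK))
    return _xor(msg, b"".join(s[1:])) + _xor(t, s[0])   # ciphertext || MIC

def ccm_open(E, key, nonce, aad, sealed, M=8):
    if len(sealed) < M:
        return None
    ct, u = sealed[:-M], sealed[-M:]
    s = ctr_blocks(E, key, nonce, -(-len(ct) // BLOCK))
    msg = _xor(ct, b"".join(s[1:]))            # same forward E() calls as sealing
    t = cbc_mac(E, key, nonce, aad, msg, M)
    return msg if hmac.compare_digest(t, _xor(u, s[0])) else None

# Constructed sample: 128-bit key, 64-bit nonce, 37-byte AAD, 7-byte message.
KEY, NONCE = bytes(range(16)), bytes(range(8))
AAD, MSG = bytes(37), b"22.5 C\n"

def demo():
    sealed = ccm_seal(stand_in_E, KEY, NONCE, AAD, MSG)
    tampered = bytes([sealed[0] ^ 1]) + sealed[1:]
    return (sealed,
            ccm_open(stand_in_E, KEY, NONCE, AAD, sealed),
            ccm_open(stand_in_E, KEY, NONCE, AAD, tampered),
            ccm_open(stand_in_E, KEY, NONCE, AAD + b"\x01", sealed))

if __name__ == "__main__":
    print(demo())
```

Opening a message makes the same forward E() calls as sealing it, so CCM never needs a block-cipher decryption primitive; passing a real AES-128 encrypt function as `E` gives the actual mode.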

Problem Statement

We need to make OSCoAP run efficiently on Zolertia Z1 motes in terms of energy and memory footprint without compromising any functionality. OSCoAP uses AEAD implemented in software, which performs expensive crypto operations for message encryption and authentication. If we offload these crypto operations, we can save a significant amount of energy and memory. For this purpose, we will use the hardware Inline security features of the CC2420 radio onboard the Z1. The Inline security features are dedicated to the Link layer, but they can be harnessed to implement AEAD for higher layers, giving much better performance in terms of energy and memory footprint.

Methodology: Test Setup

PowerTrace + ObjDump

OSCoAP Client

Border Router

OSCoAP Server

MSP430 & CC2420 Interface [11]

- SPI Interface
- We can access internal RAM, set key, write/read AES standalone buffer, TXBUF, RXBUF, TXFIFO and RXFIFO

CC2420 Stand Alone AES [11]

- Only Standalone Encryption available
- Decryption Function not available on chip
- Get Lock & Release Lock for seamless SPI operation

Release Lock

Readback Ciphertext from SABUF

Encrypt

Get Lock

Write Plaintext in SABUF

Set Key

Set AES H/W Driver

CC2420 Inline Security[11]

- Performed within TXFIFO and RXFIFO dedicated for MAC Frame
- We can write/read TXFIFO and RXFIFO using SPI
- Setting Security Control Registers
- Write MPDU in TXFIFO for Encryption/Message Authentication Code and Transmission
- On data reception in RXFIFO, Decryption/Authentication operation is performed within RXFIFO
- Microcontroller reads data from RXFIFO

Implemented CTR in CC2420

Encryption:
1. Get Lock
2. Set SECCTRL0
3. Set TXNONCE
4. Flush TXFIFO
5. Write TXFIFO Length
6. Write Plaintext Message
7. STXENC
8. Wait for operation to complete
9. Reset SECCTRL0
10. Read back Encrypted Data from TXFIFO
11. Flush TXFIFO
12. Release Lock

Decryption:
1. Get Lock
2. Set SECCTRL0
3. Set RXNONCE
4. Flush RXFIFO
5. Write RXFIFO Length
6. Write Encrypted Message
7. SRXDEC
8. Wait for operation to complete
9. Reset SECCTRL0
10. Read back Decrypted Data from RXFIFO
11. Flush RXFIFO
12. Release Lock

Implemented CBC-MAC in CC2420

Forward Authentication:
1. Get Lock
2. Set SECCTRL0 & SECCTRL1
3. Set TXNONCE
4. Flush TXFIFO
5. Write TXFIFO Length
6. Write Additional Authentication Data + Plaintext
7. Write Message
8. STXENC
9. Wait for operation to complete
10. Reset SECCTRL0 & SECCTRL1
11. Read back MIC from TXFIFO
12. Flush FIFO
13. Release Lock

Reverse Authentication:
1. Get Lock
2. Set SECCTRL0 & SECCTRL1
3. Set RXNONCE
4. Flush RXFIFO
5. Write RXFIFO Length
6. Write Additional Authentication Data + Ciphertext
7. Write Message
8. SRXDEC
9. Wait for operation to complete
10. Reset SECCTRL0 & SECCTRL1
11. Read 0x00 if authenticated 0xff if not + Plaintext
12. Flush FIFO
13. Release Lock

Implemented CCM in CC2420

Forward AEAD:
1. Get Lock
2. Set SECCTRL0 & SECCTRL1
3. Set TXNONCE
4. Flush TXFIFO
5. Write TXFIFO Length
6. Write Additional Authentication Data
7. Write Message
8. STXENC
9. Wait for operation to complete
10. Reset SECCTRL0 & SECCTRL1
11. Read Encrypted Data & MIC
12. Flush FIFO
13. Release Lock

Reverse AEAD:
1. Get Lock
2. Set SECCTRL0 & SECCTRL1
3. Set RXNONCE
4. Flush RXFIFO
5. Write RXFIFO Length
6. Write Additional Authentication Data
7. Write Message
8. SRXDEC
9. Wait for operation to complete
10. Reset SECCTRL0 & SECCTRL1
11. Read Decrypted Data & 0x00 if authenticated else 0xff
12. Flush FIFO
13. Release Lock

TX/RXFIFO Fields for Inline Modes

Z1 Current Consumption at 3V

[Bar chart: Current (mA) for CPU (Active), CPU (LPM), Radio (Idle)]

Energy Consumption

[Bar chart: Energy (mJ), scale 0 to 6. Series: Client Total Energy, Server Total Energy, Client CPU, Server CPU, Client Crypto, Server Crypto]

Energy Consumption

[Bar chart: Energy (mJ), scale 0 to 3. Series: Client Total Energy, Server Total Energy, Client CPU, Server CPU, Client Crypto, Server Crypto]

Energy of Individual Functions

[Bar chart: Energy (mJ), scale 0 to 0.8. Series, each for Client and Server: Set_Key() [S/W], encrypt() [S/W], CBC-MAC [S/W], CTR [S/W], set_key() [H/W], encrypt() [H/W], CBC-MAC [H/W], CTR [H/W], CCM [H/W]]

Energy of Individual Functions

[Bar chart: Energy (mJ), scale 0 to 0.14. Series, each for Client and Server: Set_Key() [S/W], encrypt() [S/W], CBC-MAC [S/W], CTR [S/W], set_key() [H/W], encrypt() [H/W], CBC-MAC [H/W], CTR [H/W], CCM [H/W]]

Memory Consumption (.fartext)

[Bar chart: .fartext size in Bytes, scale 0 to 7000, for Client and Server across S/W and H/W variants of CTR and CBC-MAC]

Wireshark

Significance & Novelty

- Better security
- Less energy consumption
- Low memory footprint
- Useful for AES-CCM Implementation at any upper layer
- First ever work to introduce the idea of using hardware Inline security features for higher layer
- Single function for security implementation on each higher layer with no additional memory consumption

Future Work

- Implementation of IPSec [13]
- Implementation of DTLS [14]
- Experiments on other motes having CC2420 radio onboard
- Individual and composite security implementation on each layer
- Further experiments with more than 37 bytes authentication and 7 bytes message size
- Implementation of AES-CCM-16-64-128, AES-CCM-16-128-128, AES-CCM-64-128-128 using Hardware Inline Security

References

[1] Z. Shelby, K. Hartke, and C. Bormann, “The Constrained Application Protocol (CoAP),” 2014.
[2] G. Selander, F. Palombini, K. Hartke, and L. Seitz, “Requirements for CoAP End-To-End Security,” IETF RFC, vol. 53, no. 9, pp. 1689–1699, 2016.
[3] G. Selander, J. Mattsson, F. Palombini, and L. Seitz, “Object Security of CoAP (OSCOAP),” 2016.
[4] G. Selander, J. Mattsson, F. Palombini, and L. Seitz, “Object Security of CoAP (OSCOAP),” 2017.
[5] Francesca Palombini, “Object Security in the Internet of Things,” 2015.
[6] J. Brorsson and L. Seitz, “Compact Object Security for the Internet of Things,” 2016.
[7] Martin Gunnarsson, contiki-oscoap, (2016), GitHub repository, https://github.com/Gunzter/contiki-oscoap
[6] Zolertia, “Z1 Datasheet,” pp. 1–20, 2010.
[7] P. Description and K. Features, “IEEE 802.15.4 / ZigBee-ready RF Transceiver.” 2004.
[8] J. Schaad, “CBOR Object Signing and Encryption (COSE) draft-ietf-cose-msg-18,” 2016.
[9] C. Bormann and P. Hoffman, “Concise binary object representation.” pp. 1–54, 2013.
[10] LAN-MAN Standards Committee of the IEEE Computer Society, Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low-Rate Wireless Personal Area Networks (LR-WPANs), no. October. 2003.
[11] Datasheet, “CC2420 Radio,”
[12] Datasheet, “MSP430F261x MSP430F241x,” 2011.
[13] R. Housley, “Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP),” pp. 1–13, 2005.
[14] D. Bailey, “AES-CCM Cipher Suites for Transport Layer Security (TLS),” pp. 1–8, 2012.


Thank You
