Uses 128-bit AES algorithm ... Authentication is possible at network level or device level ..... A wireless network whic
Wireless Control That Simply Works
ZigBee Security Specification Overview
TM
Copyright © 2005 ZigBee
Alliance. All Rights Reserved.
Agenda
■ ZigBee Security Overview ■ Residential Applications ►
Guidelines
►
Typical configurations
■ Commercial Applications ►
Guidelines
►
Typical configurations
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
2
Describes Key setup and maintenance (Commercial, Residential) Types ZigBee 1.0Defines securityKey builds on 802.15.4 security (Master, Link, Network) CCM* (Unified/Simpler mode of operation) 802.15.4 Security AES encryption CCM security modes ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
ZigBee Security Uses 128-bit AES algorithm Strong, NIST approved security
ZigBee uses the basic security elements in 802.15.4 3
ZigBee Security Architecture
Application (APL) Layer Application Framework
ZigBee Device Object
…
ZDO Public
Object 30
Defines security for the MAC, NWK, and APS layers
(ZDO)
Application Object 1
Interfaces
Application
Endpoint 30
Endpoint 1
Endpoint 0
APSDE-SAP
APSDE-SAP
APSDE-SAP
Service
Management
-
NLDE-SAP
Provider
Network (NWK) Layer NWK Security
NWK Message
Management
Broker
Routing
Network
Management
Management
MLDE-SAP
NLME-SAP
Security
Reflector
Broker
Management
ZDO Management Plane
APS Message
ASL APS Security
APSME-SAP
Application Support Sublayer (APS)
MLME-SAP
Medium Access Control (MAC) Layer
PLME-SAP
PD-SAP
Physical (PHY) Layer 2.4 GHz Radio
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
868/915 MHz Radio
4
ZigBee Provides Freshness ■ Freshness check prevents replay attacks ( an attacker from
replaying messages )
■ ZigBee devices maintain incoming and outgoing freshness
counters ►
Counter is reset when a new key is created
►
Devices that communicate once per second will not overflow their freshness counters for 136 years
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
5
ZigBee Provides Message Integrity
■ Prevents an attacker from modifying the message in transit ■ Option of 0, 32, 64, or 128 bit integrity ►
Default is 64
■ Integrity options allow tradeoff between message protection
and message overhead
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
6
ZigBee provides Authentication ■
Authentication provides assurance about the originator of the message ►
■
Prevents an attacker from modifying a hacked device to impersonate another device
Authentication is possible at network level or device level ►
Network level authentication is achieved by using a common network key This prevents outsider attacks while adding very little in memory cost
►
Device level authentication is achieved by using unique link keys between pairs of devices This prevents insider and outsider attacks but has higher memory cost
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
7
ZigBee Provides Encryption ■
Prevents an eavesdropper from listening to messages ►
■
ZigBee uses 128-bit AES encryption
Encryption protection is possible at network level or device level ►
Network level encryption is achieved by using a common network key This prevents outsider attacks while adding very little in memory cost
►
Device level encryption is achieved by using unique link keys between pairs of devices This prevents insider and outsider attacks but has higher memory cost
■
Encryption can be turned off without impacting freshness, integrity, or authentication ►
Some applications may not need encryption protection
►
Could help to ease export control regulation issues
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
8
ZigBee frames with Security
Message Integrity Code
Application of security suite adds auxiliary header and also an integrity code
SYNC
PHY MAC NWK APS HDR HDR HDR HDR
Auxiliary HDR
Encrypted APS Payload
MIC
All of the above APS frame is integrity-protected
ZigBee Security could add headers to the data frames at the MAC, NWK, and APS layers
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
9
ZigBee introduces the concept of a Trust Center
ZigBee Network
• The trust center allows devices into the network and distributes keys • The ZigBee coordinator is assumed to be the trust center • It is possible for the trust center to be a dedicated device
Coordinator Router
Mesh Link
• e.g. a portable device
Star Link
End Device
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
10
Trust Center roles ■ Trust Manager ►
Authenticate device that request to join network
■ Network Manager ►
Maintains and distributes network keys
■ Configuration Manager ►
Enabling end-to-end security between devices
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
11
Trust Center modes ■
Residential Mode ►
►
►
■
The trust center allows devices to join the network, but does not establish keys with network devices The trust center cannot update keys periodically because it does not maintain keys with network devices The memory cost in the trust center is minimal and does not scale with the size of the network
Commercial Mode ►
The trust center establishes and maintains keys and freshness counters with every device in the network
►
This allows centralized control and update of keys
►
Cost memory in the trust center could scale with the size of the network
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
12
ZigBee uses three fundamental key types Can be setup over the air or using out-of-band mechanisms (eavesdropping should be prevented when this is setup)
Can also be factory installed option
Master Key Basis for long-term security between two devices
Can also be factory installed option
Link Key Basis of security between two devices
Can also be factory installed option
Network Key Basis of security across the network ( protects against outsiders )
Link and Network keys can be updated periodically
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
13
Setup of Link and Network keys Master keys are installed first: A) Installed in factory or out of band B) Sent from Trust Center Master Key Basis for long-term security between two devices
Options for installation of Link and Network Keys: A) Installed in factory or out of band B) SKKE handshake between devices ( Link keys ) C) Key transport from trust center ( Link and Network keys ) ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
Link Key Basis of security between two devices
Network Key Basis of security across the network
14
Keys need to be setup with and between new devices that join the network
Existing Network B
A
X
Y
E (Empty Device)
C
Coordinator
Mesh Link
Router
Star Link
End Device
Binding Link
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
15
If keys are setup over-the-air only the last link is vulnerable to a one time eavesdropper attack
Existing Network B
A
X Secure
Y Secure
Unsecured
E (Empty Device)
C
Coordinator
Mesh Link
Router
Star Link
End Device
Binding Link
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
16
After a devices joins it needs to store multiple keys Existing Network B
A
X
Possible security material
Y
MAC Security: MKYE = Master Key LKYE = Link Key
Trust Center Security: MKBE = Master Key LKBE = Link Key
E
C
(Secured Device)
Infrastructure Security: KNWK = Network Key Application Security: MKCE = Master Key LKCE = Link Key
Coordinator
Mesh Link
Router
Star Link
End Device
Binding Link
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
17
ZigBee allows options to reduce storage cost, but the highest possible security is always used
B
LKBC = Link Key KNWK = Network Key
If two devices have a link key, it is always used instead of the network key
C B
KNWK = Network Key
C ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
Storage cost can be reduced by using the network key. However, this reduces security since the network key is used in many devices and cannot prevent insider attacks. 18
Policy decisions not defined in ZigBee Specification
■
Out of band methods for key setup
■
Cost/Security tradeoff for number of link keys needed ►
Choosing Commercial/Residential modes is starting point for this decision
■
Handling security error conditions
■
Handling loss of counter synchronization
■
Handling loss of key synchronization
■
Policy for expiration and update of keys
■
Policy for accepting new devices
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
19
Agenda
■ ZigBee Security Overview ■ Residential Applications ►
Guidelines
►
Typical configurations
■ Commercial Applications ►
Guidelines
►
Typical configurations
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
20
Definition of Residential Application (from a security viewpoint) ■
■
A secure wireless network that can be installed and maintained by a homeowner with no knowledge of security ►
Security is transparent during setup
►
Must still provide best security possible
The homeowners takes no active role in maintaining security of network ►
Homeowner may discard devices without revocation of keys
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
21
Residential Keys Wireless Network Coordinator KN KN
A
B
Router
KN
X
Y KN
End Device
KN Network Key KN KN
D C
A minimum number of keys/storage is used for low cost ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
22
Residential Trust Center is Low Cost ■ Residential Trust Center only needs to store network key ►
Minimizes storage
►
Low capability device can act as trust center
►
Trust center can be easily replaced with another device without homeowner intervention When another Coordinator takes over, it becomes the trust center
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
23
Key and Frame Counter Storage Requirements for Residential Devices
■
All Devices require network key and frame counters ►
One outgoing network frame counter
►
Incoming network frame counters FFD: one per child RFD: one for parent
■
Provides only network level authentication, integrity and encryption protection ►
Vulnerable to insider attacks
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
24
Example of Residential-Mode Authentication
Trust Center
Joiner
Router Joined (unauthenticated) Update-Device Command
Decision to accept new device 1
Secured Transport-Key Command(NWK key)
1
Unsecured Transport-Key Command(NWK key) Joined (authenticated)
Note: 1. The trust center sends a dummy all-zero NWK key if the joiner securely joined using a preconfigured network key.
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
25
Agenda
■ ZigBee Security Overview ■ Residential Applications ►
Guidelines
►
Typical configurations
■ Commercial Applications ►
Guidelines
►
Typical configurations
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
26
Definition of Commercial Application (from a security viewpoint) ■
■
A wireless network which is controlling mission critical applications ►
Commercial lighting, HVAC, Alarm
►
Production monitoring and control
►
Critical residential applications might use commercial security
A wireless network which is actively monitored and maintained ►
Scheduled key updates
►
Controlled addition of new devices
►
Revocation of discarded devices
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
27
Commercial System Guidelines
■
Trust Center should only admit new devices when manually enabled ►
■
■
Prevents unauthorized devices from joining
Trust Center should update network key for legitimate devices periodically ►
Encrypt with link key (not network key)
►
Compromised devices will not get updated key
Network key should only be used by the network layer ►
Prevents attacker from using network key to control devices
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
28
Commercial Keys
Wireless Network Coordinator
KN, KABM, KACM KAXM, KAYM, KADM KABL, KACL, KAXL, KAYL, KADL
KN KABM B KABL KBCM KBCL
A
Router
X
KN KAXM, KCXM, KXYM, KAXL, KCXL, KXYL KN, KBCM, KACM, KXCM, KBCL,KACL, KXCL
Y
KN, KXYM, KYAM, KXYL, KYAL
End Device
KN Network Key KABM Master Key
KN, KADM, KADL
D
KABL Link Key
C
Keys with trust center allow periodic update of network keys ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
29
Example commercial-mode authentication procedure Joiner
Router
Trust Center
Joined (unauthenticated) Update-Device Command Decision to accept new device 1
Secured Transport-Key Command (Master key)
1
Unsecured Transport-Key Command (Master key) SKKE-1 Command SKKE-2 Command See Note 2
SKKE-3 Command
SKKE-4 Command Secured Transport-Key Command(NWK key) Joined (authenticated) Notes: 1. The trust center does not send a master key if it already shares one with the joiner device (i.e., the pre-configured situation) 2. SKKE commands shall be sent using the router as a liaison when the nwkSecureAllFrame NIB attribute is TRUE (i.e., these commands will be secured between the trust center and router at the NWK layer, but not between the router and joiner).
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
30
Example of Network Key-Update
Trust Center
Device 1
Device 2
Transport-Key Command(NWK key, N)
Can only store one Network Key
Replace alternate network key with network key N. Transport-Key Command(NWK key, N)
Replace active network key with network key N.
Switch-Key Command(N) Make network key N the active network key. Switch-Key Command(N)
Ignore command.
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
31
Example Network Key-Recovery
Device A
Trust Center Request-Key Command(NWK key) Make sure device A is part of the network. Transport-Key Command(NWK key, N)
Switch-Key Command(N)
Replace alternate network key with network key N.
Make network key N the active network key.
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
32
Example End-to-End Application key establishment Initiator
Responder
Trust Center
Learn address of responder via discovery or other means (e.g., preloaded) Request-Key Command(key, responder address) Start a timer and send a link or master key to initiator and responder. The trust center shall discard new request-key commands for this pair of devices, unless they are from the initiator, until after the timer expires. Transport-Key Command(key, Initiator=TRUE, PartnerAddress = Responder’s address)
Transport-Key Command(key, Initiator=FALSE, PartnerAddress = Initiator’s address)
Stores key and, if a master key, initiates key establishment
Decides whether to the store key
SKKE-1 Command Responder decides whether to run key-establishment protocol SKKE-2 Command SKKE-3 Command SKKE-4 Command Status of SKKE reported to ZDO
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
Status of SKKE reported to ZDO
33
Example Remove-Device Procedure
Trust Center
Device
Router 1
Remove-Device Command
2
Disassociation Notification Command
Note: 1. If a trust center wants a device to leave and if the trust center is not the router for that device, the trust center shall send the router a remove-device command with the address of the device it wishes to leave the network. 2. A router shall send a disassociation command to cause one of its children to leave the network.
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
34
Example Device-Leave procedure
Trust Center
Device
Router 1
Disassociation Notification Command 2
Update-Device Command
Note: 1. A device leaving the network shall send a disassociation command to its router. 2. Upon receipt of a valid disassociation command, a router shall send an update-device command to the trust center to inform it that a device has left the network.
ZigBeeTM Alliance | Wireless Control That Simply Works Copyright © 2005. All Rights Reserved.
35
