Communication Security in IEEE802.15.4 and ZigBee Networks

Communication Security in IEEE802.15.4 and ZigBee Networks

Page 2

Outline

• About Ventocom

• Security: objective, benefits, means

• Recall: relationship between IEEE 802.15.4 and ZigBee

• Security in IEEE 802.15.4

• Security in ZigBee

• Application example: the ZigBee Health Care profile

� Facilitates a good understanding of potential security implementations and

designer’s choices (for both 15.4 and ZigBee)

Page 3

About Ventocom

• Ventocom offers end-to-end engineering services

• Specializing in IEEE 802.15.4 and ZigBee applications since 2004

• Typical projects

� Requirement specifications

� Electronics and RF design

� Embedded and PC applications

� Test design and implementation

Page 4

Security: Objective, Benefits, Means

• Objective

� Establish confidentiality

� Authenticate information

• Benefits

� Infrastructure providers: avoid theft of service

� Solution providers: ensure safe use of devices

� Users: maintain privacy

• Means

� Encryption of transmitted information

� Integrity check of transmitted information

� Key distribution and management (not by 15.4, but ZigBee)

Page 5

Recall: IEEE 802.15.4 and ZigBee

IEEE 802.15.4 Physical Layer

IEEE 802.15.4 MAC Layer

ZigBee Network (NWK) Layer

ZB Application Support (APS) Layer ZDO Management

Plane

ZigBee Device Object(ZDO)

ApplicationObject #1

ApplicationObject #240

Security

Service

Provider

PD-SAP PLME-SAP

MLDE-SAP MLME-SAP

NLME-SAPNLDE-SAP

MLME-SAP

APSME-SAP

APSDE-SAPAPSDE-SAPAPSDE-SAP

ZDO public IF

Security

Management

Message

Broker

Routing

Management

Network

Management

Security

Management

Message

Broker

Reflector

Management

…

…

ZigBee does not use 15.4

security

Applications using

15.4 only can

optionally be

provided security

Security at

application layer is not

part of

presentation

Page 6

IEEE 802.15.4 Security: Regular Operation

• IEEE 802.15.4

� Without ZigBee (or similar) routing layers: capable of forming star networks

� Consists of PHY (radio) and MAC layer (medium access)

• Basic encryption algorithm: Advanced Encryption Standard (AES)

� Symmetric encryption: encryption and decryption rely on the same key

� Open, well-tested, freely available encryption system

� Known attacks on AES are brute-force

� NIST standard since 2000

• 15.4 allows to use either encryption, integrity checking, or both

� Security processing performed at MAC layer

� Security processing includes frame counters to avoid replay attacks

• No explicit support of distribution of encryption/authentication keys

� Subsequent slides offer a number of pointers…

Page 7

ZigBee Security: Regular Operation

• ZigBee

� Capable of forming mesh networks – routing alternatives

� Consists of NWK, APS, and profile layers

• Basic encryption algorithm: Advanced Encryption Standard (AES)

� Symmetric encryption: encryption and decryption rely on the same key

� ZigBee does not use IEEE802.15.4 security (MAC frames will not be secured)

• ZigBee allows to use both encryption and integrity checking

� Encryption and authentication: CCM* mode of AES

� Security processing performed at NWK and/or APS layer

� Security processing includes frame counters to avoid replay attacks

• Some support for the distribution of encryption/authentication keys

� Standard-defined services include key derivation, key transport, key update

� Centralized trust center (for example, ZigBee coordinator) responsible for the decision to admit joining device into network, key setup

Page 8

ZigBee Security: Regular operation

• Basic encryption algorithm: Advanced Encryption Standard

� Symmetric encryption: encryption and decryption rely on the same key

� Open, well-tested, freely available encryption system

� NIST standard since 2000

• ZigBee uses CCM* mode of AES

� Provides both encryption and authentication (message integrity check)

• Further facts:

� Security processing includes frame counters to avoid replay attacks

o Garage door scenario

� Responsibility of frame security rests with originating layer

o NWK layers secures network frames

o APS layer secures APS frames

� Many 15.4/ZigBee ICs offer AES accelerators for fast security computations

� As symmetric encryption requires key knowledge at both source and sink: necessity of key configuration and distribution (see next slides)

Page 9

SYNCPHY

HDR

MAC

HDR

NWK

HDR

APS

HDR

Auxiliary

HDR

Encrypted

APS PayloadMIC

Application of security adds

Auxiliary Header and Message Integrity Check (MIC)

Entire APS frame (APS Header, Aux Header

and Payload) will be integrity protected

SYNCPHY

HDR

MAC

HDR

NWK

HDR

Auxiliary

HDR

Encrypted

NWK PayloadMIC

Entire NWK frame (NWK Header, Aux Header

and Payload) will be integrity protected

ZigBee Security: Frame Formats

• Security processing adds additional information to frames (Auxiliary header, MIC)

• Additional information causes throughput penalty of 10-20%

APS Layer

NWK Layer

Page 10

ZigBee Key Types

• Network key: global key, known to all devices in a network� Used for secure communication at the NWK layer

� Can be pre-configured

� Can be changed in two steps: 1) key transport 2) update

• Link key: specific only to a pair of nodes� Used to secure communication at the APS layer

� Can be pre-configured, can be changed

• Master key: shared secret, used to derive link keys (via SKKE)� Not used for communication

� Used to derive shared secret (link key) from shared secret (master key)

� For example, used to establish link with between joiner and trust center

� Can be pre-configured, is not usually changed

Page 11

Encryption Keys: Standard Pre-Configuration Options

Open transmission of master, APS (link) or NWK

key – note: period of vulnerability!

No pre-configurationOption #4

Master key is used to establish TC link key

Joiner securely retrieves active NWK key using

TC link (APS) key

NWK and APS keys arbitrary (may change) until

device joins

Joiner has TC master

key and TC address

Option #3

Joiner securely retrieves active NWK key using

TC link (APS) key and TC address

NWK key may change between configuration

and join (but not the TC link – APS – key)

Joiner has trust center

(TC) link key and TC

address

Option #2

NWK key may not change after pre-configuration

until device has joined

Joiner has active

NWK key

Option #1

Page 12

ZigBee Security: Can you trust it?

Single-package radios limit attack options

Yet low-cost devices do not offer temper-

proof hardware

Un-configured devices: brief initial

vulnerability due to open key transmission

…the trust in the secure processing and

storage of security material

ZigBee-certified platforms have been

tested for errors in the security

implementation

…the trust in the security implementation

The level of security depends on…

• Note: the trust level does not depend on strength of encryption algorithm

� AES is considered secure

� Known attacks can still be considered “brute force”

Page 13

ZigBee Health Care Profile: Security Solution

Page 14

Application Example: ZB Health Care Profile

• Health Care profile:

� Defines profiles for assisted-living and low-acuity monitoring applications

� Applications include pulse oximeter, glucose meter, fall detector, …

� Defines optional application-level security (not in the focus of this presentation)

� Good example where security is definitely required, and needs to be set up even in disadvantageous deployment scenarios

• HC profile defines three deployment scenarios

� Service provider scenario

� In-house commissioning scenario

� Consumer scenario

• Deployment scenarios: good illustrations of alternatives for key setup

� Therefore further discussed subsequently

Page 15

Application Example: Security Startup Attribute Values

• HC profile defines attribute values common to all deployment scenarios

• Attributes with application to security include:

Value still needs to be

determined by HCP team

XYZPre-configured link key

Device is not to use

unsecure join as fallback

FALSEUnsecure Join attribute

Set as “unspecified”0Trust Center master key

RemarkValueAttribute

Page 16

Application Example: Service Provider Scenario

• Service provider: has control over devices and network operation (example: patient monitoring services in hospital / senior citizen home with assisted living services)

Before delivery to customer

Delivery

Commissioning

Join Procedure

Binding

Commissioning prior to delivery:Extended PAN ID (customer PAN ID)

Trust Center NW address

Pre-configured Trust Center link key

Network key 0 (remains unspecified)

Trust Center needs to be made aware

of joining device (out-of-band, for

example via secure Internet connection)

No additional commissioning required on-site

Joining the network:

1) Device scans for network with right EPID, joins (15.4 level), receives

short address (unauthenticated join)

2) Device communicates with TC using pre-configured TC address and TC

link key (authenticated join)

3) Device securely acquires active network key from TC

Subsequently: necessary binding steps (not related to security)

Commissioning prior to delivery:1) Extended PAN ID (customer PAN ID)

2) Trust Center address

3) Pre-configured Trust Center link key

4) Network key 0 (remains unspecified)

Page 17

Application Example: In-house Commissioning Scenario

• Network owner has its own secure commissioning facility, configuring the devices with all the information needed to securely join network and work together

Before delivery to customer

Delivery

Commissioning

Join Procedure

Binding

Commissioning for commissioning cluster:1) EPID 0x0050c27710000000 – commissioning

cluster EPID (reserved by ZigBee alliance)

2) Trust Center address: 0 (unspecified)

3) Network key 1 (commissioning NWK key)

Commissioning at commissioning facility:1) Device turned on, joins commission network

2) Commissioning tool – sets target EPID, target short address,

NWK key 0 (unspecified), pre-configured TC link key

Joining (note – same procedure as in service-provider scenario):

1) 15.4 level join

2) TC communication using TC link key

3) Secure acquisition of active NWK key

Subsequently: necessary binding steps (not related to security)

Trust Center needs to be made aware

of joining device (out-of-band, for

example via secure Internet connection)

Commissioning network

should be shielded from

eavesdroppers; or out-of-band commissioning

Page 18

Application Example: Consumer Scenario

• Consumer scenario is applicable for small network, devices from multiple vendors, and where the installation will be done by the “operator”

Before delivery to customer

Delivery

Commissioning

Join Procedure

Binding

Consumer purchases device with settings:

1) EPID unset

2) Trust Center address: 0 (unspecified)

3) Network key 0 (unspecified)

No commissioning will be done by the customer

Joining the network:

1) TC is set to allow nodes to join, for a short period (for example,

by pressing a button)

2) The new device is instructed to join (for example, by pressing a

button)

3) New device uses the pre-configured (default) link key (see page

13) to acquire EPID, active NWK key, operational TC link key

Subsequently: necessary binding steps (not related to security)

Brief period of vulnerability: execute join at very low power, requiring devices to be held close

together, mitigating the risk of eavesdropping

Page 19

Summary: HC Profile Security Setup

• Recall: ZigBee offers at least four pre-configuration options

� Pre-configuration with master key

� Pre-configuration with TC address and TC link key

� Pre-configured network key

� Un-configured device

• The HC profile standard makes use of two of these options

� Option TC address, TC link key used (high security) used at first “service provider”and “in-house commissioning” scenarios

� Un-configured option used in “consumer” scenario

• HC Profile: good illustration of alternatives to establish key configurations in different deployment scenarios

Page 20

Wrapping Up

• Security is an essential building block for 15.4 and ZigBee networks

� To repel network intruders and to avoid theft of service

� To protect confidential or personal information

• IEEE 802.15.4 and ZigBee share similar “operational” security based

on the Advanced Encryption Standard (AES)

� Symmetric cryptography

� Most 15.4/ZigBee ICs offer corresponding accelerators

• ZigBee offers different configuration procedures for key setup

� Users can trade the level of trust vs. the configuration effort

• Different key setup procedures were illustrated using the ZigBee

Health care profile

Page 21

Feedback and Contact

Contact information

menno.mennenga@ventocom.com

+49 173 565 8134

Thank You!Thank You!