security versus power consumption in wireless sensor networks237467/fulltext01.pdf · computers....

Master’s Thesis, IDE0601, January 2006

Security versus Power Consumptionin Wireless Sensor Networks

Master’s Thesis in Computer System Engineering

submitted by

Christine Fotschl

Stefan Rainer

School of Information Science, Computer and Electrical Engineering

Halmstad University

Security versus Power Consumptionin Wireless Sensor Networks

Master’s Thesis in Computer System Engineering

School of Information Science, Computer and Electrical EngineeringHalmstad University

Box 823, S-301 18 Halmstad, Sweden

January 2006

Affidavit

Affidavit

Herewith we, Christine Fotschl and Stefan Rainer, declare that we have written this master the-

sis fully on our own and that we have not used any other sources apart from those given.

Halmstad, January 2006

821112-N663

Matriculation number Christine Fotschl

820208-N298

Matriculation number Stefan Rainer

iii

Security versus Power Consumption in Wireless Sensor Networks

iv

Preface

Preface

Team Members: Christine Fotschl

Stefan Rainer

University: Halmstad University

Program of Study: Master’s Program for Computer System Engineering

Title of Master Thesis: Security versus Power Consumption in Wireless Sensor Networks

Supervisors: Markus Adolfsson

Tony Larsson

Opponent: Per-Arne Wiberg

Examinator: AndersAhlander

Keywords

1st Keyword: Wireless Sensor Networks

2nd Keyword: Security Algorithm Benchmarking

3th Keyword: Security

v


vi

Preface

Abstract

X3C is a Swedish company which develops a world wide good tracking system by using ARFID

tags placed on every item which has to be delivered and base stations as gateway in a wireless

sensor network. The requirement of a long lifespan of their ARFID tags made it difficult to

implement security. Firstly an evaluation of possible security mechanisms and their power

consumption was done by measuring the avalanche effect and character frequency of the sym-

metric algorithms Blowfish, RC2 and XTEA. Secondly, the required CPU time which is needed

by each algorithm for encrypting a demo plaintext, was measured and analyzed. Summariz-

ing both analysis, the XTEA algorithm, run in CBC mode, is the recommendation for the XC

ARFID tags. The testing processes and the results are presented in detail in this thesis.

vii


viii

List of Figures

List of Figures

2.1 X3C System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

4.1 System Architecture of a Common Wireless Sensor Node . . . . . . . . . . . . 11

4.2 Different Topologies for Wireless Sensor Networks . . . . . . . . . . . . . . . 12

6.1 Cipher Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

6.2 Electronic Codebook Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

6.3 Cipher Block Chaining Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

6.4 Cipher Feedback Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

6.5 Output Feedback Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

6.6 Counter Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

6.7 Simplified Model of Symmetric Encryption . . . . . . . . . . . . . . . . . . . 26

6.8 Feistel Round . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

6.9 Simplified Model of Asymmetric Encryption . . . . . . . . . . . . . . . . . . 28

6.10 Authentication During Asymmetric Encryption . . . . . . . . . . . . . . . . . 29

9.1 nRF24E1 ARFID Tag as Used in the X3C System . . . . . . . . . . . . . . . . 41

11.1 Frequency Analysis of the Plaintext . . . . . . . . . . . . . . . . . . . . . . . 49

11.2 Frequency of Occurrence of Characters in Plaintext . . . . . . . . . . . . . . . 50

11.3 Frequency Analysis of the RC2 ECB Ciphertext . . . . . . . . . . . . . . . . . 52

11.4 Frequency of Occurrence of Characters in the RC2 ECB Ciphertext . . . . . . 52

11.5 Frequency Analysis of the Blowfish CBC Ciphertext . . . . . . . . . . . . . . 53

11.6 Frequency Analysis of the XTEA CBC Ciphertext . . . . . . . . . . . . . . . . 54

11.7 Frequency Analysis of the RC2 CBC Ciphertext . . . . . . . . . . . . . . . . . 54

11.8 Frequency of Occurrence of Characters in the CBC Mode Ciphertexts . . . . . 55

11.9 Frequency Analysis of the Blowfish and XTEA CFB Ciphertexts . . . . . . . . 56

11.10 Frequency Analysis of the RC2 CFB Ciphertext . . . . . . . . . . . . . . . . 57

11.11 Frequency of Occurrence of Characters in the Blowfish CFB Mode Ciphertext 57

11.12 Frequency of Occurrence of Characters in XTEA/RC2 CFB Mode Ciphertexts 58

12.1 Average CPU Time Needed by the Algorithms to Encrypt 1 Plaintext . . . . . . 62

ix


x

List of Tables

List of Tables

8.1 Possible Configuration Parameters for Blowfish . . . . . . . . . . . . . . . . . 35

8.2 Possible Configuration Parameters for XTEA . . . . . . . . . . . . . . . . . . 36

8.3 Possible Configuration Parameters for RC2 . . . . . . . . . . . . . . . . . . . 37

11.1 Configuration Parameters for the Comparison . . . . . . . . . . . . . . . . . . 50

11.2 Results of the Frequency Analysis . . . . . . . . . . . . . . . . . . . . . . . . 51

11.3 Results of the Avalanche Effect Analysis . . . . . . . . . . . . . . . . . . . . . 59

11.4 Recommended Ciphers for the X3C System regarding Security . . . . . . . . . 61

12.1 Recommended Ciphers for the X3C System regarding Energy Consumption . . 64

13.1 Recommended Ciphers for the X3C System . . . . . . . . . . . . . . . . . . . 65

xi


xii

List of Abbreviations

List of Abbreviations

µTESLA . . . . . . . . . . . . . . . Micro Timed Efficient Stream Losstolerant Authentication3DES . . . . . . . . . . . . . . . . . . Triple Data Encryption Standard3G . . . . . . . . . . . . . . . . . . . . Third GenerationAES . . . . . . . . . . . . . . . . . . . Advanced Encryption StandardARFID . . . . . . . . . . . . . . . . Active Radio Frequency IdentificationCBC . . . . . . . . . . . . . . . . . . . Cipher Block ChainingCFB . . . . . . . . . . . . . . . . . . . Cypher Feedback ModeCPU . . . . . . . . . . . . . . . . . . . Central Processing UnitCTR . . . . . . . . . . . . . . . . . . . CounterDES . . . . . . . . . . . . . . . . . . . Data Encryption StandardECB . . . . . . . . . . . . . . . . . . . Electronic Codebook ModeGPRS . . . . . . . . . . . . . . . . . General Packet Radio ServiceGPS . . . . . . . . . . . . . . . . . . . Global Positioning SystemGSM . . . . . . . . . . . . . . . . . . Global System for Mobile CommunicationsI/O . . . . . . . . . . . . . . . . . . . . Input/OutputIEEE . . . . . . . . . . . . . . . . . . Institute of Electrical and Electronics EngineersISO . . . . . . . . . . . . . . . . . . . . International Organization for StandardizationIV . . . . . . . . . . . . . . . . . . . . . Initializing VectorMAC . . . . . . . . . . . . . . . . . . Message Authentication CodeOFB . . . . . . . . . . . . . . . . . . . Output Feedback ModeOTB . . . . . . . . . . . . . . . . . . . One Time Key PadRF . . . . . . . . . . . . . . . . . . . . Radio FrequencyRFID . . . . . . . . . . . . . . . . . . Radio Frequency IdentificationRSA . . . . . . . . . . . . . . . . . . . Rives, Shamir, AdelmanSNEP . . . . . . . . . . . . . . . . . . Sensor Network Encryption ProtocolSPIN . . . . . . . . . . . . . . . . . . Sensor Protocols for Information via NegotiationSPMS . . . . . . . . . . . . . . . . . Shortest Path Minded SPINTinySec-AE . . . . . . . . . . . . TinySec Authenticated EncryptionTinySec-Auth . . . . . . . . . . TinySec AuthenticationWSN . . . . . . . . . . . . . . . . . . Wireless Sensor NetworkXOR . . . . . . . . . . . . . . . . . . Exclusive ORXTEA . . . . . . . . . . . . . . . . . Extended Tiny Encryption AlgorithmX3C . . . . . . . . . . . . . . . . . . . XCube Communication AB

xiii


xiv

Contents

Contents

I INTRODUCTION 1

1 Introduction 3

2 XCube Communication AB (X3C) 4

2.1 SEALTMARFID Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2.2 SEALTMAccess Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.3 SEALTMPortal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.4 SEALTMManagement System . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3 Problem Definition 7

II BACKGROUND 9

4 Wireless Sensor Networks (WSN) 11

5 Theory of Security and Privacy 14

5.1 Introduction to Security and Privacy . . . . . . . . . . . . . . . . . . . . . . . 14

5.2 Security Problems Concerning WSNs . . . . . . . . . . . . . . . . . . . . . . 18

5.2.1 Sensor Node Compromise . . . . . . . . . . . . . . . . . . . . . . . . 19

5.2.2 Eavesdropping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

5.2.3 Privacy of Sensed Data . . . . . . . . . . . . . . . . . . . . . . . . . . 19

5.2.4 Denial of Service (DoS) Attacks . . . . . . . . . . . . . . . . . . . . . 20

5.2.5 Malicious User of Commodity Networks . . . . . . . . . . . . . . . . 20

6 Cryptography 21

6.1 Symmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

6.2 One-Time Pad (OTB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

6.3 Asymmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

6.4 Hash Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

6.5 Digital Signatures (DS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

7 Related Work 31

7.1 SPINS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

7.2 TinySec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

xv


III METHOD 33

8 Used Encryption Algorithms 35

8.1 Blowfish . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

8.2 XTEA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

8.3 RC2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

9 Measuring Methods 38

9.1 Measuring Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

9.1.1 Frequency Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

9.1.2 Avalanche Effect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

9.2 Measuring Energy Consumption . . . . . . . . . . . . . . . . . . . . . . . . . 40

9.2.1 Ideal Measurement Environment . . . . . . . . . . . . . . . . . . . . . 40

9.2.2 Simulation Environment . . . . . . . . . . . . . . . . . . . . . . . . . 41

9.2.3 Measured Parameters Concerning Energy Consumption . . . . . . . . 42

10 Testing Environment 44

10.1 Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

10.2 PHP4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

IV RESULTS 47

11 Security Analysis Results 49

11.1 Ciphertext Frequency Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 51

11.2 Avalanche Characteristic Analysis . . . . . . . . . . . . . . . . . . . . . . . . 59

11.3 Recommendable Ciphers Regarding Security . . . . . . . . . . . . . . . . . . 61

12 Energy Consumption Analysis Results 62

12.1 CPU Time Measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

12.2 Memory Footprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

12.3 Recommended Ciphers Regarding Energy Consumption . . . . . . . . . . . . 64

13 Summary of Results 65

V CONCLUSION 67

xvi

Contents

14 Conclusion 69

15 Further Work 70

Bibliography 71

xvii


xviii

Part I

Part I

INTRODUCTION

1


2

Part I 1 Introduction

1 Introduction

Nowadays, where Information Technology becomes more and more powerful, major companies

want to use new technologies to observe their goods, which are sent all over the world by truck,

airplane or ship to know their actual position and condition. Therefore, there are currently lots

of investigations done regarding sensor networks and wireless communication. Sensor networks

consist of small sensor devices working together as a network which facilitate the reception of

environmental information over the air (e.g. temperature) without the necessity to place “big”

computers. These sensor networks enable real-time tracking and surveillance because of being

small, efficient and cheap. However, sending information over the air always demands the

implementation of security which causes higher energy consumption. As sensors have limited

energy resources this additional energy consumption raises problems.

This thesis gives an insight to the efficiency and suitability of encryption algorithms for wireless

sensor networks. Part I will present technical facts about XCube Communication AB, which

is a company that is specialized in using wireless sensor networks for observing goods all over

the world. Furthermore a detailed problem definition will be given. Part II introduces wireless

sensor networks as well as the theory and implementation methods concerning security and

privacy. Additionally former approaches of applying security to wireless sensor networks are

illustrated, named SPINS and TinySec. The methods, which were used for measuring the secu-

rity and the energy characteristics of different encryption algorithms are presented in Part III.

Furthermore, this part also contains the testing environment definitions. Part IV consists of the

measurement results, which are split into security analysis results, energy consumption results

and the final results that present the recommended algorithm for X3C. Part V is composed of

the final conclusion and the further work, which proposes supplementary research fields.

3


2 XCube Communication AB (X3C)

X3C is situated in Gothenborg in Sweden as a part of XCube Communication Inc., Boston,

USA. The goal of the company is to provide world-wide tracking of goods, disregarding the

environment (sea, air, land) by which they are transported. The basic idea is to have the ability

to inform a company where its goods are and if the environment is adequate (e.g. are the goods

in the right temperature range) at any time during their transportation. The underlaying system

of X3C is called SEALTM, which stands for a) see all, b) seal or c) sea-air-land. As illustrated

in Figure 2.1, it consists in general of SEALTM ARFID tags, SEALTM Access Points, SEALTM

Portals and the SEALTM Management System.

Figure 2.1: X3C System

2.1 SEALTM ARFID Tags

Radio Frequency Identification (RFID) was invented in the 70s and was mostly used for anti-

theft services and toll road systems. Whereas RFID technologies were developed by many dif-

ferent companies, today the EPCglobal is responsible for standardization of RFID applications

like the electronic product code (EPC).

The main task of Radio Frequency Identification (RFID) is providing a unique identity when

needed using wireless communication. Currently there exist many different RFID devices with

different functionalities like on-board storage or measuring sensors. X3C uses a so-called Ra-

dio Frequency Identification (RFID) tag which is a small microchip used for sensing and storing

data for its transmission to a special receiver. It works in the internationally un-licensed 2.4 GHz

4

Part I 2 XCube Communication AB (X3C)

frequency band, which allows the wireless communication to reach up to 30 meters by having

high bandwidth and low cost.

In the X3C framework each transported product should be given its own Active RFID (ARFID)

tag, which has its own CPU, memory and digital I/O to measure and forward important environ-

ment values like temperature or acceleration. It has to be mentioned that there is the possibility

to either put a lot of goods together into one “packet” with one ARFID tag (e.g. eggs) or put

one ARFID tag on each and every single product (e.g. an expensive sports car). The values,

which have been measured by the tags, are then sent to the SEALTM Access Point.

2.2 SEALTM Access Points

Within the X3C system, there are two different types of Access Points: Field clients, which

are situated on an ISO palette, and Base Stations, which are positioned at a source/destination

docking point like a harbor. In general, an Access Point acts as a master for “its” ARFID tags

and collects all the data they send for later analysis and relaying to the SEALTM Portal. It is

equipped with module-based communication devices like GSM, 3G or IEEE 802.11 and a GPS

receiver; therefore, it also needs higher power supply than the ARFID tags. All received mea-

sured values are analyzed and important data is sent via wireless technologies and the Internet

to the SEALTM Portal for further processing. Moreover, an Access Point has the possibility to

get a connection to other Access Points for exchanging information.

2.3 SEALTM Portal

The SEALTM Portal is the central storage point where all Access Points connect to and con-

tains the database with all registered measurements. Through the Access Points it receives data

from all ARFID tags around the world and provides all data concerning the goods and the sys-

tem devices through a central interface. Furthermore it has the functionality to handle suspect

communication and security attacks to ensure that no faked data enters the database and also

intruders are kept out.

2.4 SEALTM Management System

The SEALTM Management System provides maintenance scalability and accounting. It is

needed for managing the inter-communication between all parts of the X3C system and there-

5


fore offers service provisioning and multilevel user authentication. It is fully transparent, so no

user is aware of its existence, but it provides all essential management services needed to handle

the huge amount of data.

The cooperation of all these different parts of the system is needed to guarantee real-time track-

ing of goods. It is important to have a fast, bandwidth saving transmission of data and, at the

same time, implement as much security as possible to assure perfect cooperation and valid data.

Therefore, X3C provided this Master’s Thesis to obtain a better insight into the topic “Power

Consumption vs. Security in Wireless Sensor Networks”.

6

Part I 3 Problem Definition

3 Problem Definition

Sensor devices like the SEALTM ARFID tags are very far developed today and consist of the

latest hard- and software. They are used in many different applications and, therefore, provide

many features like power saving modes, flexible transmission speeds or frequency hopping

mechanisms.

Nevertheless, there is an important aspect which must not be neglected: the security of the

transmitted data has to be guaranteed. Due to the fact that sensor networks usually communicate

wirelessly, everybody could receive transmitted information, modify this information or invoke

new messages. Thus, it is very important to secure the communication between the different

sensors or base stations, depending on the specific security requirements. One of the most

common ways to integrate security into the wireless communication is the usage of encryption

algorithms, which ensures that no attacker is able to read a wiretapped message or change it in

an unnoticeable way.

Nowadays there exist many interesting and useful algorithms, which offer very high security,

but when constructing a secure wireless sensor network, there is one additional constraint to be

considered: The most limited resource in wireless environments is energy as the power supply

is mostly realized by using batteries with limited capacities.

As the energy and memory resources of the sensors are restricted, there is almost no possibility

of using usual algorithms like RSA or the Triple Digital Encryption Standard (3DES). 3DES

is a symmetric key cipher, which bases on two 56-bit keys (providing an effective key length

of 168 bit) and 64-bit blocks to be encrypted. RSA is an asymmetric key cipher which is

used for key exchange procedures. Asymmetric algorithms work with a private and a public

key, whereby a plaintext, which has been encrypted with the public key, can only be decrypted

with the private key and vice versa. These two algorithms are the state-of-the-art standards for

the encryption of data transfers, emails or web-banking. However, when regarding the energy

limitations of a wireless sensor network, these algorithms require too much CPU cycles and

memory management, thus the energy resources of the sensors would be depleted too quickly.

Therefore, it is necessary to implement a secure, but still power saving algorithm in wireless

sensor networks. Under these circumstances it is important to think about the security require-

ments very carefully to obtain the best algorithm for securing the transmitted data.

7


The goal of this thesis is to find the most suitable encryption algorithm for the X3C system,

which is described in chapter 2, whereas low power consumption and, therefore, a long lifespan

of the ARFID tags is more important than security. Different algorithms are tested concerning

their security and their energy consumption characteristics. The results of these measurements

have to be compared in order to present the most suitable algorithm for the wireless sensor

network of X3C.

8

Part II

Part II

BACKGROUND

9


10

Part II 4 Wireless Sensor Networks (WSN)

4 Wireless Sensor Networks (WSN)

In recent years the development of sensor nodes, which are small, low-cost and low-power de-

vices, has gone very far. A sensor node is able to observe condition values of a certain area

like temperature, sound, vibration, pressure, motion or pollutants. The measured values are

then forwarded to a data collection point which is in charge of their further processing. Sensor

nodes are often combined to sensor networks, which co-ordinate themselves to perform specific

measurements. In the past, sensor networks were made up of small numbers of sensor nodes

which were wired to the data collection point. These days, researches focus on wireless sensing

nodes which transfer the values without being dependent on wires. Moreover it is easier to put

the nodes nearer to the phenomenon which has to be observed. Wireless sensor nodes will be

produced in large numbers and so they might become cheaper, but their big disadvantages are

still the limitations in processing power, storage, bandwidth and energy supply.

Figure 4.1 shows the architecture of a typical wireless sensor mode, which is usually equipped

with a Radio Frequency (RF) transceiver, a microprocessor, a sensor board and a battery for the

power supply [1].

Figure 4.1: System Architecture of a Common Wireless Sensor Node

The microprocessor unit is the most important part of the sensor node. It processes all algo-

rithms and protocols and is responsible for switching between various operating modes. The

transceiver is used for maintaining the communication between the sensor nodes and normally

operates in the modes Transmit, Receive, Idle and Sleep. It is very important to accurately

switch between these modes due to the purpose of power saving. The sensors are responsible

for measuring data in its environment, which could for instance be temperature or moisture. As

wireless sensor nodes are not connected to a power supply, a battery is used to meet energy

requirements. The power consumption should be put to a minimum to increase the node’s life-

time, therefore an adequate power management has to be integrated.

11


As the energy resources are limited, the network topology is changing frequently due to new

added or removed devices. Therefore, WSNs have to possess self-organizing abilities. As

shown in figure 4.2, there are, in general, two different topologies which are used for wireless

sensor networks: the star topology and the mesh topology. The right choice of the topology

depends on available resources, the transmission distance and the used transmission frequency.

Figure 4.2: Different Topologies for Wireless Sensor Networks

A star topology is a single-hop system where all sensors are positioned in the range of the base

station. All communication is done by using the base station which could be a PDA, an Access

Point or a Gateway and which receives all data from its nodes. The star topology has two major

drawbacks: First of all, the transmission distance is limited, because the nodes have to be in the

range of the base station. Secondly, every node has just one link to the base station. If this link

breaks down, possibly by an obstacle which is put between the sensor and the base station, there

is no possibility to transfer measured data and the sensor node will be isolated. Nevertheless,

the star topology provides lowest overall power consumption abilities, because the sensors do

not have to forward data from other nodes.

In contrary to the star topology, the mesh topology is a multi-hop system where the sensor nodes

are also connected to each other and thus communication through the base station is avoided.

The design and implementation of such a decentralized system is complex, but its advantage is

the high fault tolerance, because every node has multiple paths to the base station and to other

nodes. Despite this, the mesh topology suffers from high latency in case of a large amount of

nodes and shows highest overall power consumption, because theoretically every sensor node

would have to listen for a possible communication all the time.

12

Part II 4 Wireless Sensor Networks (WSN)

A third possibility would be constituted by combining the two previously mentioned topologies

which would also be a merging of their advantages. The star topology brings simplicity and

low power consumption whereas the mesh topology imports higher transmission distances and

self-coordination. The network is then set up by two different kinds of sensor nodes: on the one

hand, there are sensor nodes which organize themselves and act as kind of “router” and on the

other hand, there are “normal” sensor nodes, which transmit measured data to a fixed “router”

sensor node.

To offer the advantages of a mesh topology, which are self-organization and higher transmis-

sion distances, there have to be special multi-hop routing methods for optimizing the power

consumption, performance analysis and network management of the nodes; furthermore, all

routing methods should help to overcome shadowing and path-loss effects. Until now, there

have been several attempts of creating such protocols, which try to combine topology man-

agement and energy-effectiveness. One would be LEACH (Low-Energy Adaptive Clustering

Hierarchy), “a clustering-based protocol that utilizes randomized rotation of local cluster base

stations (cluster-heads) to evenly distribute the energy load among the sensors in the network.”

[2] The authors present a protocol which provides scalability and robustness for dynamic net-

works and includes data compression for reducing the amount of transmitted data. Therefore

they achieve a decrease of power consumption and an increase of sensor node lifetime. Another

routing protocol for sensor networks, which is presented in [3], is called SPIN (Sensor Pro-

tocols for Information via Negotiation). The authors provide energy saving through reducing

the transmission of redundant data, which is done by defining meta-data to replace frequently

transmitted terms. Moreover, they use the SPMS protocol (Shortest Path Minded SPIN), which

fixes the transmission radius of each node as so-called zone. If a node wants to send data to a

sensor node outside of its own zone, the SPSM protocol provides transmission by using multi-

hop communication via the shortest path. SPIN offers an energy reduction between 5% and

21% compared to protocols which do not provide energy saving.

Despite these two, there are several other appendages of providing energy-efficient routing pro-

tocols for wireless sensor networks, but the most of them do not consider security issues. The

following two chapters will provide an outline concerning security and cryptography as a tech-

nique for providing security. Chapter 7 will then present two former approaches of integrating

security protocols into wireless sensor networks, which are TinySec and SPINS.

13


5 Theory of Security and Privacy

In 1941, Konrad Zuse invented the first computer called Z3 in Berlin (Germany) and he probably

had no idea how far his technology will develop and how important it will become. Only about

40 years later, the computers were that ”small” in size, powerful and affordable that the term

”home computer” was defined [4]. Nowadays it is usual that there is at least one computer

in every household and nearly every computer is connected to each other via the Internet, the

world’s biggest and most famous computer network, which allows the transmission of digital

data all over the wold within fractions of a second. On the one hand, this development has a lot

of advantages because information is more public and accessible to everyone everywhere and

people from all over the world can easily communicate with each other, whereas the distances

become rather unimportant. But on the other hand, there are a lot of problems attracting our

attention:

• Is my private data secure enough that no unauthorized user gets access to it? Is it possible

to give special access permissions to selected people?

• Will the message I send really reach its recipient without being read by an unauthorized

person?

• Is the message I have received really written by the sender and is it still the same text or

has it been modified by someone else?

This chapter deals with the theoretical background of security in general and offers an explana-

tion of special security needs in wireless sensor networks.

5.1 Introduction to Security and Privacy

It is not possible to define the goals of security services in general, but the following points try

to give an overview of the basic and most common issues in computer and network security.

The first part provides a definition of computer security, network security and privacy:

• Computer Security is defined in the RFC 2828 as follows: “Measures that implement

and assure security services in a computer system, particularly those that assure access

control service.” [5]

14

Part II 5 Theory of Security and Privacy

• Network Security is a more general term which is really complex to define. Although

the definition has to be general enough to cover the large field network security is dealing

with, it also has to be very detailed to fulfill the requirements of a “good” definition.

Within this thesis, Network Security is defined as: A process to improve the properties

(confidentiality, integrity, access control, availability and authentication - as explained in

chapter 5.1) of a distributed IT-system as much as possible and furthermore make every

operation against the security policy as hard as possible. [6]

• Privacy in terms of computing means that every user is the owner of his/her private data

and must have the privilege to know what is stored and where it is stored and he/she

should almost always be able to delete this private data. The term “private data” means

the data which was ”created“ by the user and also the data which contains information

about the user, which was sometimes even collected without his/her accordance (e.g.

communication protocols at Internet or telephone providers). Moreover, privacy means

to have the “access control” over the private data to keep it private or to offer it to a

selected group of people.

According to the standard “Security Architecture for Open Systems Interconnection for CCITT

applications” which has been published by the ITU [7], and according to the RFC 2828 [5], the

main requirements that have to be fulfilled by security mechanisms are: authentication, access

control, data confidentiality, data integrity, non-repudiation and availability. [7]

Because of their importance for the general understanding of computer security and network

security, these requirements are explained in the following paragraphs.

• Authentication: The security mechanisms have to ensure that the parties initiating a

communication are really the parties they claim to be, which means that their identities

are proofed. Furthermore, it is needed to ensure that an already established connection is

not interfered by a third (not authorized) party within the communication. [8]

Peer entity authenticationprovides the confidence that no one is masquerading and/or

claims to be someone else, whereasdata origin authentication provides the confidence

that the source of a data is really the source it should be or one believes it to be. [8]

• Access Controlshould provide the availability to regulate and control the access from

its own interfaces or from the network to data, applications and resources on a system.

15


Every entity that wants to get access has to be identified first and afterwards be restricted

to its user-based-privileges defined in the general security policy. [8][5]

• Data Confidentiality means the protection of data against a passive attack like traffic

analysis. The data must not be read by someone else, except the sender and the recipient

(or the group of recipients) and it should also be impossible to identify the source or the

destination of the data stream. [8]

• Data Integrity: Data sent via communication links must not be modified unnoticed in

any way, regardless if the modification was done by a third (not authorized) party or even

happened accidently. Data integrity should at least provide the possibility to recognize

modifications of the data and furthermore provide mechanisms to recover this data. A

message has to be marked as “modified” irrespective if data was inserted, reordered,

modified, deleted or duplicated. [8][5]

• Non-Repudiation: In general, repudiation has two different meanings: Either the recip-

ient claims that the data has never been received, although it was received correctly, or

the sender claims that the data has never been sent, even if the message was indeed initi-

ated by him/her and correctly delivered from the sender to the recipient. Security systems

must prohibit repudiation to improve the traceability of messages in the network which is

especially important in any kind of e-commerce. [8][5]

• Availability refers to the property of a system to be accessible by an authorized entity

within the specified parameters. Availability is not provided if the system is not able to

fulfill authorized requests because it is overloaded with denying unauthorized requests.

[8]

Implementing security into a computer network is a hard work by itself and it is definitely

impossible to implement perfect and total security. Nevertheless this should remain the target

of every security implementation because only considering the mentioned requirements is not

enough. Security starts at the human being, which is the very beginning of every data transmis-

sion; then the data passes a lot of computers and different kind of network nodes, known and

controlled ones and also unknown ones, before it is finally received by a human being. So there

are a lot of other issues one has to think about when designing, developing or implementing

security in a network. Some of the most important security issues are stated below:

16


• Password Security,which is a basic security method in IT-systems, is simple and freely

implementable. There are a lot of different easy-to-understand rules one should respect

when choosing a password, e.g. not to use your name, birthdate, name of friend or family.

Secure passwords should have a length of at least 8 characters and should consist of

upper-, lowercase and special characters; furthermore, it is recommended to change the

password frequently. [9]

• Social Engineering is the process of informing your employee and respectively every

user of a single part of the whole network about the security policy and to provide methods

for maintaining the policy. It should always be easier for the user to do the right thing, as it

is demanded in the security policy, than to do the wrong thing, which might compromise

the computer and network security.

• Data Security is depending on the value of the data which is stored. The more impor-

tant the stored data is, the better and more advanced data security mechanisms have to be

designed, which might comprise mirroring them with the use of a RAID system, regu-

larly backups on long time storage medias like magnet bands or strict access control and

management of privileges on file layer.

• Access Securityregulates the access to resources of a network from “outside”, which

means that only those resources that are really needed by external users are available

from outside the network. All other resources have to be protected from unauthorized

access, whereas this must not interfere with the availability of the system. Also bandwidth

management and load sharing can be realized by the access security. Load sharing in this

case means to manage the Internet access via two or more providers on the one hand and

to distribute the requests to (redundant) servers equally.

Computer or network security is a complex area and there have already been a lot of studies

carried out in this field, but there is still no checklist-based guideline how to secure a (distrib-

uted) IT-system.

Today, an administrator has to analyze and document the structure of the system and find the

easiest ways of penetration for attacker or the most likely problem (e.g. data loss). Then the

design of security mechanisms and their implementation can start, whereas the mechanisms al-

ways have to be monitored, controlled and documented to optimize their efficiency. The next

steps will be the design and implementation of further security mechanism.

17


These general security thoughts are also valid when talking about security in WSNs, which re-

quire some additional security issues to be examined that are discussed in the next subchapter.

5.2 Security Problems Concerning WSNs

A lot of research work has been carried out on security and privacy in computing and computer

networks and the results are also well documented. But nowadays totally different kinds of

computer networks establish themselves and raise their importance - the so called Wireless

Sensor Networks (WSNs), which have already been explained in chapter 4.

These WSNs mostly consist of a lot of independent “nodes”, which measure some parameters,

any kind of access points organizing the transmission and a backoffice which is storing all the

data. At the backoffice, which is a “normal” server, the security rules are valid and probably

sufficient, but at the other end of this communication is a totally new kind of computer, an

unclear number of “nodes”. These nodes, which have to resist against total different kind of

active and passive attacks have only limited resources (e.g. power supply and memory size). It

has to be considered that every single node represents a potential point of attack on the whole

sensor network [10].

According to the ITU-T Standard X.800 [7] and the RFC 2828 [5], attacks on systems or net-

works can be classified as “passive” and “active” attacks. This classification is also applicable

to WSNs.

• Passive Attacks: The goal of “Passive attacks” is to observe some transmitted informa-

tion on the one hand, and to analyze the traffic behavior on the other hand. It is quite hard

to recognize passive attacks as they are only “listening” to the network traffic and do not

interact with the network. As passive attacks are really hard to detect, the security system

should concentrate on prevention instead of detection. [7][5]

• Active Attacks are all the attacks which modify, insert or delete some data or attacks

which are using the resources of the target system without being authorized. The most

famous active attack is the “Denial of Service” attack, which will be explained in chapter

5.2.4. This attack decreases the availability of the target system dramatically. Since active

attacks can be recognized, the system has to be protected against them; furthermore, an

attack should at least be detected and - much better - stopped or interrupted by so called

“Intrusion Detection Systems”. [7][5]

18


Some of the most important attacks against WSNs are presented:

5.2.1 Sensor Node Compromise

Every node is a potential point of an attack; therefore, it has to be considered that attackers can

obtain their own nodes and induce the network to accept them as authorized nodes. It is also

possible that the intruders control some “native” nodes, which means to obtain the possibility to

cause a variety of attacks: falsification of sensor data, observing sensor data or starting denial of

service attacks. To minimize this risk, each node must be produced in a physically very robust

way and needs complicate authentication mechanisms. As a sensor network consists of up to

thousands of nodes, it would be too expensive to improve every node to a considerable level.

Thus, the maintainer of a WSN must consider that attackers can control some of the nodes,

which has to be considered when designing the security concept. [10]

5.2.2 Eavesdropping

Since the communication of sensor networks is mostly wireless, it is easy for an attacker to

observe some data streams and collect sensor data if it is not encrypted adequately. Therefore,

it is also possible to collect some private data by placing “listening nodes” at important places.

To protect the WSN against eavesdropping, an encryption mechanism is needed, which is no

problem to implement in wired and powerful environments. In sensor nodes this can become a

substantially problem because these nodes are limited in processing power, power supply and

memory size. As asymmetric encryption (described in chapter 6.3) uses public and private keys

and consumes a lot of energy, only symmetric encryption is suitable, which uses the same key

for encryption and decryption. An adequate key distribution scheme has to be implemented and

it has to be ensured that the attacker does not obtain too much information about the security

mechanisms and their keys when some of the nodes are compromised. [10]

5.2.3 Privacy of Sensed Data

WSNs collect quite a lot of data because there can be thousands of sensors working in the same

network. This data is transmitted through the whole sensor network and is thereby accessible

from any point in the network, which offers attackers a great possibility to infiltrate some nodes

into the network and gather all the information they need. Furthermore, it will be hard to avoid

19


such attacks and impossible to detect them. Therefore, when designing a WSN, one should

concentrate on the required data and discard details that are not needed. For example, if only

the average temperatures are needed, only these average temperatures and not the time, place,

temperature, humidity, CPU performance or other (in this case) unnecessary details should be

transmitted, which could be interesting for some attackers. A minimization of the transferred

data also means a minimization of the interests of attackers on the data.

5.2.4 Denial of Service (DoS) Attacks

A Denial of Service attack has the target of disabling a special host or server, which can be done

by sending loads of unauthorized data at the same time. It is hard to protect a WSN against this

kind of attacks which can occur on a physical layer (e.g. radio jamming) or on communication

layer, e.g. by involving malicious transmissions into the network. Such attackers can also cause

an abnormal energy consumption and thus decrease the lifespan of the sensor nodes or the

access points. Although there are a lot of mechanism to protect a WSN against DoS attacks, the

creativity of these attacks is boundless. [10]

5.2.5 Malicious User of Commodity Networks

As WSNs become more efficient, cheaper and easier to manage, some criminals can also get

interested in using them. Placing some nodes in the private sphere of a target makes it is easy

to gather some information like behaviors, health or passwords of the person. Developing some

kind of sensor detectors will be important to avoid such attacks or at least make them more

complicated and expensive.

There are many security risks which have to be considered especially when a wireless sensor

network is designed. Thus, there have been a lot of attempts to develop a security method

which prevents potential attackers from entering secure parts of the network. Those techniques

want to guarantee the security principles, which are authentication, confidentiality and integrity.

The next chapter will give an introduction to cryptography, which is on of the most important

security mechanism that is used these days in different kinds of areas. Chapter 7 it will then

present former approaches of securing wireless sensor networks, namely TinySec and SPINS.

20

Part II 6 Cryptography

6 Cryptography

Unlike “normal networks”, which use cables as data transmission medium, wireless sensor net-

works use the air for transferring data. The major drawback of this transmission medium is that

wiretapping the communication is eased, which causes huge security problems. Consequently,

all transferred data has to be secured to ensure the security principles like confidentiality, au-

thentication, integrity and availability (see chapter 5.1). During the transmission of data from

sender to receiver there are four major threats to the security of a message, which have the po-

tential to cause loss or harm: interruption, interception, modification and fabrication. [11, p.

3f]

• Interruption , which affects availability, is the case when a file is made unusable or does

not even reach the destination.

• Interception perturbs confidentiality, privacy and secrecy because the message is read by

an uncertified person.

• Modification , which disturbs message integrity, occurs when an intruder changes a mes-

sage and forwards it to the receiver. In wireless networks, this threat can be detected,

because all messages are sent by broadcast; therefore the receiver would get both mes-

sages, the original and the faked, and is able to compare them.

• Fabrication means inserting counterfeit data into a data stream, which affects authenti-

cation and is therefore a major problem when security has to be guaranteed.

To protect personal data from these threats and guarantee availability, integrity, confidentiality

and authentication, there are a lot of different methods of resolution, all having one major target:

Securing data which is transmitted in an insecure environment.

One security technique is known for a very long time and has experienced a great develop-

ment: Cryptography. This science is a part of Cryptology and is described as the science of

encrypting information by transforming it and, therefore, hiding its information content and

preventing unknown modification or unauthorized use. Cryptography includes two basic func-

tions, namely encryption and decryption: Encryption is the procedure of converting original

data, called plaintext, into a secret ciphertext which contains all plaintext information which is

not obviously readable anymore. On the other hand, decryption is used to recover the original

plaintext from the given ciphertext. Encryption and decryption, which are put together in a

21


cryptosystem, are performed by a so-called cipher that is a mathematical algorithm performing

different arithmetic operations.

As it is impossible to generate a new algorithm for every plaintext, another essential compo-

nent, the secret key, is used. It is an auxiliary character or byte string known by the sender and

the receiver that defines how the ciphertext is produced by being the major part of the cipher.

Without the key a cipher cannot be used neither for encoding nor for decoding. The key design

is specialized for every cipher and may be very different from each other especially concerning

the bit length, which starts from 64 bits to nowadays more than 1024 bits.

Since over 2000 years there have been many different approaches to get secure encryption al-

gorithms, all mainly based on character changing by using substitution or transposition of char-

acters. Substitution is the technique of replacing every character of the plaintext with another

character, whereas transposition means the re-ordering of characters to hide the right character

sequence. In former times the security level was reached by keeping the algorithm secret, a

method called “security through obscurity”. As the ciphertexts, in these times, had to be de-

crypted by hand, it was very hard to find the right cipher. [11]

Figure 6.1: Cipher Categories

Encryption procedures nowadays are performed by computers, thus modern ciphers mainly de-

pend on the secret key whereas the complex algorithms are public and analyzable for everyone.

The idea of publishing the algorithm and securing the key was defined by Auguste Kerckhoff

and Kerckhoffs’ law [12], which provides more security by allowing many people to test the

algorithms for leaks. In 1949 Claude Shannon specified confusion and diffusion as two char-

acteristics of a good cipher: Confusion, on the one hand, is the inserting of complexity into

the key-ciphertext relationship, which means an intruder should not be able to predict how the

ciphertext changes if one character of the plaintext is changed. On the other hand, there is the

necessity that any change in the plaintext should affect as many parts as possible in the resulting

22


ciphertext, which is called diffusion. These two characteristic prevent unauthorized ciphertext

decryption based on statistical methods and are implemented by adding substitution and trans-

position in the encryption process. [13]

Moreover, real strong ciphers are created by using semantic security, which constitutes that en-

crypting the same plaintext two times should result in different ciphertexts, even if the same

key and the same algorithm are used. Thus, it is not possible to decrypt even parts of the

information although one possesses several ciphertexts comprising nearly the same plaintext

information. One solution for guaranteeing semantic security is using a special character or

byte string as start value (e.g. server time, source/destination address). This start value is often

called Initialization Vector (IV) and it helps to change the plaintext slightly so no ciphertext

looks like the other.

In general, there are two basic categories of key-based encryption algorithms, namely symmet-

ric (or secret key) and asymmetric (or public key) algorithms. Their basic difference consists

in their different key usage. Symmetric algorithms, on the one hand, use the same key for en-

cryption and decryption (or the decryption key can be easily derived from the encryption key)

and asymmetric algorithms, on the other hand, use different keys for encryption and decryption,

whereas it is not possible to derive the decryption key from the encryption key.

6.1 Symmetric Encryption

A symmetric key cipher uses only one key which has to be known by both the sender and

the receiver and constitutes the basis for the generation of the encryption and decryption keys.

In general, symmetric ciphers are divided into block ciphers and stream ciphers; the stream

ciphers encrypt each single element of the plaintext continuously, whereas block ciphers use a

fixed amount of elements (e.g. 8 bits) for producing an output of the same size. Modern ciphers

are almost always block ciphers because they enable better performance and more security.

There are several different modes, in which the block ciphers can operate; among them, the 5

mostly used operation modes are: ECB, CBC, CFB, OFB and CTR mode.

ECB - Electronic Code Book Mode:This mode encrypts one data block after the other without

any conjunction between them, as shown in figure 6.2. EBC does not realize the concepts of

diffusion and confusion, thus it is very insecure, but it also very fast and simple.

23


Figure 6.2: Electronic Codebook Mode

CBC - Cipher Block Chaining Modeis the mostly utilized operation mode with block ciphers. It

encrypts the data blocks and conjuncts them by taking the XOR of it together with the previous

ciphertext block (see figure 6.3). As there is no ciphertext block for the first plaintext block, a

so-called Initializing Vector (IV) is needed, which may consist of e.g. a timestamp or a random

number sequence. The IV changes with every plaintext; therefore, every resulting ciphertext is

unique even if two identical plaintexts are encrypted. The security of the algorithm must not

depend on the IV because it should only apply semantic security to the cipher and, therefore,

IVs are typically added clear to the ciphertext.

Figure 6.3: Cipher Block Chaining Mode

CFB - Cipher Feedback Mode:The CFB mode converts the block cipher into a stream cipher by

generating random blocks which are XORed with the data blocks for obtaining the ciphertext

blocks. As shown in figure 6.4, the IV is only used for encrypting the first block, whereas for

encrypting all other blocks the respectively previous ciphertext is used. CBC is almost identical

with OFB with one difference: The new input is not constituted by the prior generated random

bit stream but by the created ciphertext block.

24


Figure 6.4: Cipher Feedback Mode

OFB - Output Feedback Mode:The OFB mode is very similar to the CFB mode. The difference

lies in the kind of data which is passed as input value to the next block encryption. The OFB

mode takes the previous random block instead of the ciphertext block, which is seen in figure

6.5.

Figure 6.5: Output Feedback Mode

CTR - Counter Mode:The counter mode also converts the block cipher into a stream cipher like

the OFB mode, but instead of taking an input from the previous encrypted data block, it uses

the IV together with a counter (see figure 6.6).

Figure 6.6: Counter Mode

25


Every block cipher operation mode has advantages and disadvantages and the right choice de-

pends on the purpose of the algorithm. The general symmetric encryption/decryption procedure

is illustrated in figure 6.7: the sender encrypts a plaintext message with the secret key and deliv-

ers the ciphertext via an insecure transmission channel. The receiver then decrypts the ciphertext

by using the same key (or a key which can be simply derived from the encryption key) together

with the reverse algorithm.

Figure 6.7: Simplified Model of Symmetric Encryption

The outstanding advantage of symmetric algorithms is the small amount of computational

power they need, whereas the key exchange, which is more difficult, complicates a merchant-

client relationship.

One of the first attempts of constructing a symmetric ci-

Figure 6.8: Feistel Round

pher was invented by Horst Feistel in 1973, called Feis-

tel Network [14]. The encryption procedure functions as

follows: The plaintext is divided into blocks (e.g. 64-bit

blocks). Each block has to pass a certain numbern of en-

cryption rounds which results in obtaining the ciphertext

block. Before each roundi, the block is again split into

two equal sized halves Li and Ri. First a certain algo-

rithm function is applied to the right halve together with

a subkey Ki, which is based on the main key K and is

computed by using a subkey generation algorithm. The next step is to take the exclusive-OR

(XOR) of the function together with Li, which is the left halve of the block. The resulting

halve becomes the next right halve, Ri−1, whereas the former right halve Ri serves as next left

halve, being Li−1. Therefore, a significant number of permutations is included. The security of

a Feistel network depends on the right choice of the parameters block size, key size, number

of rounds, subkey generation algorithm and round function, but in general the Feistel network

serves as a basis for many symmetric encryption algorithms used today. [8][14]

26


The two most utilized algorithms today are the Triple Data Encryption Standard (3DES) and

the Advanced Encryption Standard (AES), which have different features and security levels.

TheTriple Data Encryption Standard (3DES)is based on the Data Encryption Standard (DES),

which was developed in 1976 using 64-bit blocks and a key length of 56 bits (7.2 x 1016 possible

keys). The DES algorithm, which performs 16 rounds, each using a subkey that is generated by

the main 56-bit key. This algorithm was criticized in the beginning of the 90s, because of the

expeditiously increasing computer performance power which rendered the success of a brute-

force attack (trying all possible keys) possible. Therefore, the Triple DES (3DES) algorithm,

which uses three different DES keys, was developed. It encodes every block by encrypting it

with the first key, then decrypts it with the second key and encrypting it again with the first

key, providing an effective security of a 112-bit key. 3DES is more secure than DES, but its

drawback are the huge computational costs because the DES algorithm has to be executed three

times. [11][8]

TheAdvanced Encryption Standard (AES), which was developed by Joan Daemen and Vincent

Rijmen, is the official standard since 2000. It is a symmetric block cipher using 128-bit blocks

combined with a key of variable length (128, 192 or 256 bits). AES is not based on the Feistel

structure but operates on the whole data block during each round. Every block is converted

into a Matrix, which is altered at each stage of encryption of decryption. Unlike Feistel, AES

applies different parts of the key successively to the plaintext blocks, whereas the number of

rounds varies depending on the key length and the block size. Therefore, AES, that is much

faster and more secure than 3DES, is prognosticated to be secure for about 20 years. [8]

These symmetric algorithms allow the re-usage of the same secret key, which lowers the security

level. There is only one symmetric algorithm which is said to be (theoretically) totally secure,

the so-called One-Time Pad.

6.2 One-Time Pad (OTB)

A One-Time Pad, also called Vernam-Code, is the only unbreakable encryption method (at least

in theory), but in practice it is very laborious. Each plaintext gets its own secret key, which is

a character string having the same length as the plaintext. It consists of absolutely stochastic

values which do not have any statistical dependencies. Due to the fact that every key is only

used once, there is no method to break the cipher without knowing the key. [15, p. 621]

OTB has already been known for a long time, but it is hardly utilized because of the need for

27


secure key distribution. Until a recent time, this was mostly solved by using asymmetric or

symmetric encryption methods, but in the near future it could be solved by quantum key dis-

tribution, which uses the different types of polarization of photons. The principal advantage of

quantum cryptography is the immediate discovery of potential eavesdropper as every tapping of

the photon stream, which is used for key transportation, leads to noise which will be interpreted

as manipulation. There have been several attempts of implementing quantum cryptography,

but still the transmission and encryption speed is not high enough to compete with symmetric

encryption. However, quantum cryptography will become more and more important due to the

total randomness of its values and high tapping security. [16][17]

Even though the security of symmetric encryption is very high, the key allocation remains the

weak part of it. As soon as an intruder is able to get a key, the whole cryptographic system

becomes valueless. Therefore, two scientists of the Stanford University, Whitfield Diffie and

Martin E. Hellman, proposed a new cryptosystem, which allows two parties to establish a secure

communication channel even if they do not know each other.

6.3 Asymmetric Encryption

Other than symmetric encryption, asymmetric encryption assumes every person to have two

different keys, a private key and a public key, whereas no key can be derived from the other.

Moreover, there are two different algorithms for encryption and decryption (see figure 6.9).

After generating those elements, the algorithms and the public key are published and become

accessible to everybody, thus the only secret element is the private key. If somebody wants to

encrypt a message, he/she takes this person’s public key and encrypts the message using the

specified algorithm and the key. For decrypting the message again the second algorithm and the

private key are needed; therefore, only one person is able to decrypt the cipher as long as he/she

keeps his private key secret. [18]

Figure 6.9: Simplified Model of Asymmetric Encryption

28


Asymmetric encryption does not only solve the key distribution problem, but also the authenti-

cation problem originating from Man-In-The-Middle attacks. As illustrated in figure 6.10, the

sender has to encrypt the message first with his private key and then with the public key of

the receiver. For decrypting the message, the receiver also has to use the decryption algorithm

twice, first with his private key then with the public key of the sender.

Figure 6.10: Authentication During Asymmetric Encryption

By doing this double encryption/decryption, one can be sure that no modification has occured

to the text because there is always the necessity to have one private key. The most important

implementation of the Diffie-Hellman encryption is called RSA, named after its inventors Ron

Rivest, Adi Shamir and Leonard Adleman.

RSA, which was developed in 1977, is the most popular and most accepted asymmetric algo-

rithm scheme worldwide. It is a block cipher which is based on the principles of the theoretical

arithmetic, using exponentiation in a finite field over integer numbers modulo a prime number.

RSA security arises from the cost of factoring large numbers (e.g. 1024 bits). [15]

Asymmetric encryption algorithms are regarded to be very secure, but the longer the keys, the

more calculating capacity is needed to encrypt and decrypt messages. As the processing power

of today’s computers increases permanently, the key length must also raise to maintain a higher

security. Actually there is a mixture of security algorithms used. First an asymmetric algorithm

is used for maintaining a secure communication tunnel, then the symmetric key is distributed

and all further communication is secured by using a faster symmetric algorithm, which needs

less resources.

6.4 Hash Algorithms

A hash algorithm receives an arbitrary big message as input and produces a fixed-size string

which is called the hash value. This value gives a “footprint” of the original message and will

always be the same if the message does not change. As soon as only one character of the

29


original message is modified, the hash value will change and any potential intrusion attempt

will be detected. Hash values are very important when using digital signatures to provide data

integrity. [11]

6.5 Digital Signatures (DS)

Digital signatures are based on asymmetric cryptosystems and are used for guaranteeing au-

thentication and integrity of electronic data as well as proofing the identity of the signer. It

should become the equivalent to a “normal” signature and can be seen as electronic signet.

Some e-mail securing systems use RSA for signing, but there are also special ciphers like the

El-Gamal algorithm which was especially developed to be used as digital signature algorithm.

[11]

30

Part II 7 Related Work

7 Related Work

Security in wireless sensor networks becomes more significant as new technologies arise and

wireless communication is used to a much greater extent. There are several approaches for

securing data, namely SPINS and TinySec, which are very important for wireless networks. A

brief outline of those approaches is presented below:

7.1 SPINS

SPINS, which is a set of two protocols, SNEP andµTESLA, provides adequate security mech-

anisms especially adjusted to the requirements of wireless sensor networks. On the one hand,

data integrity, two-party data authentication and data confidentiality are implemented by SNEP

(Sensor Network Encryption Protocol) and on the other handµTESLA (Micro Timed Efficient

Stream Losstolerant Authentication) is responsible for authenticated broadcast.

SNEP uses the symmetric RC5 algorithm for securing the data because of its low overhead and

memory requirements. Furthermore, this algorithm allows flexibility when choosing the para-

meter lengths and produces a ciphertext of the same length as the plaintext. To realize semantic

security, a shared counter is inserted into the encryption operation, which increments after each

block. The authentication is ensured by adding a Message Authentication Code (MAC), which

is a digital signature. In case of sending one package to all sensors in the network, producing a

single message for each sensor would be very time and power consuming, thus an authenticated

broadcast can be sent by usingµTESLA. Authenticated broadcast has to be an asymmetric op-

eration, otherwise the sender and receiver cannot be distinguished because of having the same

key. Asymmetric algorithms like RSA are not suitable for sensor networks because of the big

overhead, butµTESLA solves the problem by using delayed key release. Instead of using a

single key, a key chain is utilized, which is generated by applying a one way function several

times to the original key. This one way function has to be easy to calculate but hard to invert

so it is almost impossible to find the input to the given output. InµTESLA, the base station

is responsible for generating this key chain and distributing it to the sensor nodes per SNEP,

where the time is divided into intervals and every interval receives its own authentication key.

Signed messages are sent per broadcast and after a certain amount of intervals the base station

sends the key, which means that all sensors have to buffer the message for this amount of time

before they receive the authentication key to validate and process the message.

31


In general, SPINS offers these two protocols to provide sensor network security, but there are

some restrictions: there has to be a central base station which handles communication and au-

thentication that can also be seen as bottleneck of the network. This base station has to have

enough resources to store all master keys and counter values, and the time of the sensor nodes

has to be synchronized to ensure that the right interval key is used. Moreover, they need enough

storage to buffer a broadcast message between the reception of the message and the reception of

the authentication key. Besides these restrictions, SPINS needs additional 8 Bytes per signature,

which provide acceptable security by not using extra storage place and power.

7.2 TinySec

TinySec, which has been developed at the Berkeley University, is “a lightweight, generic secu-

rity package that developers can easily integrate into sensor network applications” [19], because

it is tailored to the special security requirements of wireless sensor networks. TinySec provides

two basic security features: authentication via Message Authentication Codes (MAC), encryp-

tion using a CBC algorithm (see chapter 6.1) and a shared global cryptographic key. There

are two different possible security schemes, namely TinySec-AE which provides authenticated

encryption and TinySec-Auth which provides data authentication only.

Data authentication is one of the most important security issues when designing a wireless

network due to the fact that a package can easily be faked and inserted into the data stream.

Therefore, the TinySec developers use MACs, which are small tags of a fixed length (e.g. 8

Byte) that are produced by applying a special algorithm to the plaintext. Each package has its

own MAC which is attached: therefore, the receiver has the possibility of building his/her own

MAC and comparing it to the attached sender MAC. If they are equal, both authenticity and

integrity are proved, otherwise a modification to the message has occurred.

The TinySec-AE mode provides both, authentication via MACs and encryption via Skipjack

[20], which is a strong block cipher that was developed in 1980 by the NSA. It uses 64-bit

blocks and a 80-bit secret key, and performs 32 encryption steps whereas the algorithm itself

consists of a complex nonlinear function. By using this algorithm, TinySec produces only a

small amount of overhead and therefore, only a small package size increase is observed which

will have only little impact on the power consumption.

The result of TinySec, which was tested with Mica2 sensor nodes, showed that the increase of

energy, bandwidth and latency is less than 10% for TinySec-AE. [19]

32

Part III

Part III

METHOD

33


34

Part III 8 Used Encryption Algorithms

8 Used Encryption Algorithms

In general, wireless sensor networks impose two major restrictions concerning the implemen-

tation of an encryption algorithm. On the one hand, the source code of the algorithm has to be

as small and efficient as possible, because there are strong limitations of available storage. On

the other hand, the actual encryption process must be very efficient and should consume as low

power as possible. The advantages of symmetric ciphers are obvious: It is only necessary to

store one single key which is used for encryption and decryption and the algorithm code can be

held very small, because of the similarity of the encryption and decryption functions. Asym-

metric algorithms are not appropriate for WSNs, because of the necessity of storing two keys

and two different algorithms for encryption and decryption.

The following paragraphs will give a survey of three encryption algorithms which are interest-

ing for being used in WSNs and especially for X3C, because of having special advantages like

requiring little storage, being suitable for smaller processors or being extremely efficient on em-

bedded devices. The three algorithms Blowfish, XTEA and RC2 will be compared concerning

their security and power consumption.

8.1 Blowfish

The Blowfish algorithm was designed in 1993 by Bruce Schneier, who published it for the first

time in the Doctor Dobb’s Journal in 1994 [21]. It is fast and not patented and has an excellent

performance even if running on small processors. It can be run by using less than 5KB of

memory, which proposes it for being implemented on small devices like RFID tags. Blowfish is

based on the Feistel Network with 64-bit blocks passing 16 encryption rounds. The algorithm

is initialized by the key, which has a variable length between 32 and 448 bits. It is very secure,

but it loses performance if there is the necessity of many key changes, because every new key

requires the algorithm to run 521 times for pre-processing all needed subkeys.

Block Size Number of Rounds Key Length

Blowfish 64 bits 16 32 - 448 bits

Table 8.1: Possible Configuration Parameters for Blowfish

Attacks: Until now, there is no effective attack on Blowfish published. Nevertheless, some

theoretical approaches on breaking the cipher have been reported. Among them, the best attack

35


has been found by Serge Vaudenay [22], who noticed the possibility to perform differential

cryptanalysis on Blowfish for recovering the key of a reduced 8-round cipher with the use of

248 chosen plaintexts. One weakness of the key expansion function was published by Dieter

Schmidt in 2005 [23], who noted an independency between the third and fourth subkey and the

first 64-bit of the main key.

Blowfish is very interesting for being run on X3C’s sensor nodes because of its high security

and high performance on small processors. Within the X3C system it is not necessary to change

the key often. Therefore, Blowfish is applicable, although its memory requirements are very

high, because examining “only” encryption and decryption are very fast and energy saving.

8.2 XTEA - Extended Tiny Encryption Algorithm

XTEA is a revised edition of the TEA algorithm, which has been published in 1994 by David

Wheeler and Roger Needham [24]. TEA is very simple end effective, but has a very weak key

scheduling algorithm which lowers the actual key size from 128 to 126 bit and enables key-

related attacks [25][26]. Therefore it was necessary to renew the code for eliminating security

vulnerabilities, which was done in 1997 by Wheeler and Needham who published the XTEA

algorithm [27]. XTEA uses a Feistel network, suggesting 64 encryption rounds, which are

implemented in pairs calledcycles. Moreover it uses a block size of 64 bit, a 128-bit key and

a slightly different key schedule than TEA, which performs exactly the same mixing function

for obtaining the subkeys. Therefore previous mentioned attacks have been eliminated or at

least aggravated. XTEA has high efficiency and good performance and does not require a lot of

memory resources. Therefore it is very simple to be implemented on software and hardware.


XTEA 64 bits 64 (suggested) 128 bits

Table 8.2: Possible Configuration Parameters for XTEA

Attacks: In 2002, Moon et al. [28] presented impossible differential attacks on reduced versions

of XTEA which used the weak diffusion property of the cipher. Thereby they derived the 128-

bit key of a 14 round XTEA by applying the 12-round-impossible characteristic to262.5 chosen

plaintexts for285 encryption times. Other differential attacks have been published by Hong et

al. [29] in 2003, which broke a 15-round XTEA by using259 rounds. Another attack is called

related-key attack, which was utilized by Ko et al. on a 27-round XTEA by requiring220.5

36

Part III 8 Used Encryption Algorithms

chosen plaintexts and2115.5 encryption units.

Even if XTEA has minor weaknesses there are two advantages which are very important for a

WSN: On the one hand, it is very simple and therefore efficient, and on the other hand it does

not need a large amount of memory.

8.3 RC2

RC2 [30] was developed in 1989 by Ronald L. Rivest, who created it for replacing the DES al-

gorithm. The cipher possesses new design filters and provides good performance especially on

16-bit processors, which predestinates it for being implemented in WSNs. Rivest generated a

new key expansion function which permits a flexible key length up to 1024 bits. Therefore, the

RC2 is more secure than DES and is said to be equally fast at every key length. Furthermore, the

cipher uses an unbalanced Feistel network [31], which splits the 64-bit blocks into fourwordsof

16 bits and then performs substitution and transposition features, which Rivest called MIXING

and MASHING. For obtaining reasonable security, Rivest recommends 18 rounds. Table 8.3

shows all possible values for word size, number of rounds and key length:


RC2 64 bits 18 8 - 1024 bits

Table 8.3: Possible Configuration Parameters for RC2

Due to the complex key expansion system, the code for encrypting and decrypting is kept very

small, which is important for being implemented in WSNs.

Attacks: There have been some studies about the security of the RC2 algorithm and possi-

ble attacks. In 1997, Kelsey et al [25] published the possibility of cracking RC2 by utilizing

single-bit differential characteristics which needs one related-key query and 234 chosen plain-

texts. Another cryptanalytic study was included in the RC2 paper [32], which was published

in 1998 by Rivest together with 3 other authors. Therein they documented possible linear and

differential attacks they used to break the cipher. They stated that differential attacks are only

possible if a subkey could be discovered. The effectiveness of a linear attack could not be de-

termined because of the complex iterations between the different steps of RC2.

There is the possibility of undocumented attacks which could break RC2, but until now it is

said to be reasonably secure. Its advantage is the good performance on 16-bit processors which

makes it interesting for the X3C system.

37


9 Measuring Methods

For obtaining a classification of the different encryption algorithms it was necessary to deter-

mine several factors, which can be used for a general comparison. The following subchapters

present the measured parameters which were utilized for the security and energy consumption

evaluation.

9.1 Measuring Security

The most popular way to ensure security and its principles is the usage of cryptology. Thus,

many different symmetric, asymmetric, hash and digital signature algorithms have been devel-

oped. Each of these algorithms has special performance and input parameters, which compli-

cates the comparison of them. Therefore, it is very difficult to define the security level of an

algorithm, because it needs a detailed study of the mathematical characteristics of the cipher to

find statistical relations between the plaintext, the ciphertext and the key. Thus, the ciphers are

often published to allow as many people as possible to analyze them for finding backdoors and

vulnerabilities.

WSNs have further characteristics one has to pay attention to. First of all, the encryption code

has to be very small because of the limited storage provided by the sensor node. Secondly, the

efficiency of the algorithm has to be very high, because slow encryption means higher power

consumption which leads to lower sensor node lifespans. These two characteristics will be dis-

cussed in chapter 12.

X3C’s wireless sensor nodes transfer only small strings, each of which containing very simi-

lar information. The most important thing concerning these strings is the randomness of the

ciphertext characters to anticipate any associations between the plaintext and the ciphertext,

which should not even be possible if the attacker possesses several ciphertexts. Therefore, the

randomness characteristics of the cipher can be used for classifying the security of algorithms.

The measuring of randomness can be done by statistical analysis of the character occurrence

in the ciphertext by performing a frequency analysis. Further characteristics are the avalanche

and the completeness effect, which measure diffusion and confusion of a cipher. Two of those

tests, which were used in the thesis and whose results are eligible for comparing the security of

different ciphers follow:

38

Part III 9 Measuring Methods

9.1.1 Frequency Analysis

Every language has a specific number of letters which are used more often than others. When

analyzing a long English article, the three mostly used letters will almost always be “e”, “t” and

“a”, whereas “x” will be seldom found [33, p. 247]. If the resulting ciphertext also shows this

characteristic, there is the possibility of obtaining the plaintext by performing statistic inference

between plaintext and ciphertext. Symmetric block ciphers are a combination of substitution

and transposition, which allows better hiding of letter frequencies, but nevertheless it is impor-

tant to have a random uniformly distributed characters in a ciphertext. Therefore, frequency

analysis is used for figuring out the occurrence frequency of a bit or character string. The best

result would be to obtain a uniform character distribution within the ciphertext as a whole and

within all the blocks.

One defining characteristic is the standard deviation, which is a measure of statistical spread of

the characters referring to their average occurrence. Before calculating the standard deviation,

it is necessary to obtain the mean value of character appearances. The mean value of a text with

N characters, where each character appearsx times, is calculated by

x =1

N

N∑i=1

(xi) (9.1)

The mean value indicates the average amount of occurrence of each character within the text, but

it does not give any information about the average diffusion of the characters. This information

is maintained by the standard deviation, which is calculated by

σ =

√√√√ 1

N

N∑i=1

(xi − x)2 (9.2)

The mean value and the standard deviation were used for defining the randomness of the ci-

phertexts which have been produced by the different algorithms. A random ciphertext has to

have a very small standard deviation to ensure that attacks which are based on the frequency of

different characters are not successful.

39


9.1.2 Avalanche Effect

In [13], Shannon defines Diffusion1 as important cryptographic characteristic of a block cipher.

According to its definition, every output bit of a cipher should be dependent on every input bit,

which means that even a small change of the input plaintext should initiate an “avalanche” of

changes in the ciphertext. Annxnsubstitution box (S-box) of a block cipher should satisfy the

avalanche criterionkAV AL, which constitutes that whenever one input bit is changed, an average

of 1/2 of the output bits should also be changed.

For classifying the algorithms, two different plaintexts were used which differed in only one

bit. The two plaintexts were encrypted by the ciphers, all having the same key and IV as input

parameters. Then the two resulting ciphertexts were compared and the number of bits which

flipped were counted. The results of these tests are presented in chapter 11.

9.2 Measuring Energy Consumption

Additionally to the measurement of the security of the different algorithms, an analysis of their

efficiency and power consumption was performed. Especially in WSNs it is substantial that the

ciphertext generation is done in an efficient and power saving way to increase the lifespan of the

nodes. Thus, the algorithms should not have too complex and time-consuming functions and

their source code length should fit to the storage limitations of the sensor nodes. X3C ARFID

tags have to travel all around the world with little power resources and therefore, the lifespan of

them is very important.

9.2.1 Ideal Measurement Environment

The ideal way of measuring the energy consumption is the implementation of the ciphers on an

SEALTM ARFID tag of X3C. Therefore, it would be necessary to cross-compile the C source

code for the target platform, to run the code on the tag and to measure the energy which is

needed by each cipher to encrypt a certain amount of plaintexts. The results of this analysis

would give a clear decision about which cipher is most suitable for the X3C environment.

The SEALTM ARFID tag, as described briefly in chapter 2.1, is equipped with its own CPU, I/O,

memory, sensor and transceiver. The transceivernRF24E1is build by Nordic Semiconductor

1for more information, see chapter 6

40


and supports data rates from 0 to 1 Mbit/s by consuming extremely low power. Thereby it ranges

up to 30 meter by using the 2.45 GHz ISM band, it has internal voltage regulators, frequency

hopping support and 0 dBm output power. Moreover, it has a 8051-compatible micro-controller

which allows software development using C or assembly code with a ranging clock frequency

from 1 to 16 MHz. The memory of the tag consists of a up to 1 Mbit RAM and a serial 256Kbit

EEPROM. The tag receives its power from two CR2032 3.0V lithium batteries which ensure

the needed voltage of 1.7V to 3.9V for the tag to be operational. [34]

A picture of an nRF24E1 ARFID tag as it is used in the X3C system is presented in figure 9.1:

Figure 9.1: nRF24E1 ARFID Tag as Used in the X3C System

After studying the X3C hardware and development environments it became clear that the imple-

mentation of the C code, its cross-compilation and the transfer onto the tag was not achievable

due to limited time and measurement resources; furthermore, there was no real electronic labo-

ratory available. It was decided to run the tests as a kind of simulation on a Linux environment

as further explained in chapter 9.2.2.

9.2.2 Simulation Environment

The project target consists of comparing the power consumption and security of different en-

cryption algorithms. For obtaining comparable test results it is not implicitly necessary to mea-

sure the actual power which is consumed by the ARFID tags, but the important fact is the

41


time each cipher consumes for encrypting a specific number of plaintexts, which can then be

apportioned to the energy consumption.

Therefore, the tests were done on a Linux PC, which had two basic advantages: Firstly, it was

not necessary to do all the development environment and communication setup for the ARFID

tag which would have been very time consuming. Secondly, the energy tests could be done

with exactly the same cipher implementations which were utilized for the security analysis.

Due to this fact it was possible to obtain objective comparisons between the ciphers to get

their efficiency concerning their CPU time consumption which is also decisive for their power

consumption.

9.2.3 Measured Parameters Concerning Energy Consumption

As it is not significant how much energy the Linux PC uses for encrypting the plaintexts, the

main measurement focus was set on two other important parameters, which are crucial for

the energy consumption of an ARFID tag: The CPU time, which is needed for encrypting a

plaintext, and the memory footprint, which shows the amount of memory a program needs.

CPU Time: Each program has a special execution time which can be measured. For obtaining a

comparison between the different encryption algorithms this CPU time is very important,

because it is also a measure for the energy which is consumed during the execution. It is

very important that the CPU time is very small to hold down the time for the sensor to be

activated. The faster an algorithm encrypts the plaintexts, the faster it is able to switch to

the sleep mode, which is important for saving energy.

Memory Footprint: Like the CPU time, the memory footprint is an indication for the energy

consumption, because it shows the actual memory which is needed by each program. To

obtain good efficiency, it is necessary that the memory footprint is small to not produce

too much memory management overhead (read/write) and to reduce the risk of failures

due to memory limitations.

Both parameters, CPU time and memory footprint, can be used for analyzing how much energy

will additionally be used for the encryption of the plaintext. The more extra time a wireless

sensor node has to be active, the more energy is consumed and therefore lost. Moreover, the

memory footprint gives and indication of how much more storage has to be managed by the

sensor node, which also decreases energy.

42


After having decided which factors were the most important ones regarding the security and

the energy consumption of the different ciphers it was possible to generate a test environment,

which is further described in chapter 10.

43


10 Testing Environment

As mentioned in chapter 9.2.1, the implementation of the ciphers on the X3C ARFID tags would

have been too time-consuming; therefore, it was decided to use a Linux PC instead for doing the

security and energy consumption tests. These tests have been done by using an Ubuntu Linux,

an Apache-2 webserver and the PHP4 module, which are explained in detail in the following

subchapters.

10.1 Hardware

The tests have been done on an ASUS 3500 notebook, which is equipped with an Athlon XP-M

CPU working at a (constant) clockrate of 1.8 GHz and a physical RAM of 512 MB. The CPU

power management was switched off to get no influences on the tests because of reduced CPU

clock rate. The operating system was Ubuntu with a Kernel 2.6.12-10-386, which bases on the

Debian Distribution and is designed for workstations.

The simulations were done by utilizing the PHP4 module (version 4.4.4.0-3) and an Apache-

2 webserver (version 2.0.54-5ubuntu2) for data presentation and interpretation. During the

simulation were no other tasks running on the system except the system tasks including the

X-Server.

10.2 PHP4

PHP is an open-source programming language which is normally used for generating dynamic

web pages and server-side applications. Moreover, it allows the interaction with a large amount

of database management systems like MySQL and Oracle. Additional to the libraries which

are necessary for developing dynamic web pages, there have recently been developed further

libraries, whereby one of them is called MCRYPT. This library allows the usage of diverse

algorithms, among them also Blowfish, XTEA and RC2. Moreover, it is possible to run the

algorithms in different modes, which allows the analysis of the algorithms and the different

modes regarding security and power consumption. It was important to have roughly equal im-

plementations of all encryption algorithms to obtain comparable results, therefore the MCRYPT

library was the first choice.

The library that was used for the analysis isMCRYPT library for PHP4and bases on the Linux

44

Part III 10 Testing Environment

library libmcrypt4 (version 2.5.7-5). As mentioned before, it provides the required algorithms

and allows their usage in the different modes ECB, CBC, CFB, OFB and CTR (see chapter 6.1).

More detailed information on the MCRYPT module can be found in [35].

45


46

Part IV

Part IV

RESULTS

47


48

Part IV 11 Security Analysis Results

11 Security Analysis Results

For comparing the encryption algorithms a demo plaintext was generated, which contained

the information that an X3C ARFID tag has to send to the Base Station. The content of the

messages, which are generated by a sensor node, will only change slightly, due to the fact that,

except of the sensed data and the timestamp, all other information like the sensor ID will stay

the same. Therefore it is possible to perform the characteristic tests in reference to this demo

message.

The plaintext length is 6680 bits and it contains 835 characters. As can be seen in figure 11.1,

the 8-bit ASCII characters are not well distributed in the plaintext; furthermore, there exist only

66 out of 256 possible characters.

Figure 11.1: Frequency Analysis of the Plaintext

The 4 mostly used characters have the ASCII codes 127 (“0”), 32 (“space”), 40 (“(”) and 41

(“)”), and the overall mean value is 3.26, which means that each character occurs in average

3.26 times. Within the plaintext there are only about 25% out of the possible 256 characters,

which can be seen clearly in figure 11.2. Another drawback is the fact that there are several

characters among those which appear very often (up to 127 times). Therefore, the standard

deviation of 12.42 is very high, which is an indicate of low randomness and low distribution.

The most important issue of the encryption algorithms is to produce a ciphertext which consists

of 256 different characters that are uniformly distributed. Moreover, the standard deviation

should be very small to aggravate any frequency analysis.

49


Figure 11.2: Frequency of Occurrence of Characters in Plaintext

In the X3C system, the sensor tags will use only one key per mission, which means that every

ciphertext will be produced by using the same key, but different IV values. For the comparison

of ciphertexts, these IV values and the secret key will be randomly chosen and each algorithm

will take them as input values. Therefore, every algorithm has the same starting position, which

enables an objective comparison. The configuration parameters of each algorithm are shown in

table 11.1:

Cipher Name Block Size Number of Rounds Key Length Modes of Operation

Blowfish 64 bits 16 rounds 128 bits ECB, CBC, CFB, OFB, CTR

XTEA 64 bits 64 rounds 128 bits ECB, CBC, CFB, OFB, CTR

RC2 64 bits 18 rounds 128 bits ECB, CBC, CFB, OFB, CTR

Table 11.1: Configuration Parameters for the Comparison

For obtaining a comparable test result, each algorithm has to encrypt the plaintext 50 times in

every mode. This value was chosen, because it can be seen as an average number of messages

that have to be sent by a sensor node per mission. The resulting 50 ciphertexts are then analyzed

to obtain the mean value, the standard deviation and the avalanche effect characteristic. After

the ciphertext generation and analysis, the average of all values is taken to be able to perform a

comparison.

50


11.1 Ciphertext Frequency Analysis

A block cipher can be used in different modes of operation, as described in chapter 6.1. Not

only the “real” block cipher modes CBC and ECB were tested, but also CFB, OFB and CTR,

which convert the block cipher into stream ciphers.

Ciphertext Standard Mostly Occurring Least Occurring

Mode Algorithm Length Mean Value Deviation Character Character

ECB Blowfish 840 chars 3.28 ± 2.21 11× ASCII 56 20 characters 0×XTEA 840 chars 3.28 ± 2.27 11× ASCII 93 18 characters 0×RC2 840 chars 3.28 ± 2.20 13× ASCII 1 21 characters 0×

CBC Blowfish 840 chars 3.28 ± 0.24 4.06× ASCII 220 2.7× ASCII 70

XTEA 840 chars 3.28 ± 0.26 4.1× ASCII 49 2.66× ASCII 201

RC2 840 chars 3.28 ± 0.27 4.06× ASCII 78 2.6× ASCII 225

CFB Blowfish 835 chars 3.26 ± 0.26 4.18× ASCII 193 2.64× ASCII 30

XTEA 835 chars 3.26 ± 0.24 4× ASCII 201 2.66× ASCII 1

RC2 835 chars 3.26 ± 0.25 4× ASCII 132 2.58× ASCII 189

OFB Blowfish 835 chars 3.26 ± 0.27 3.98× ASCII 138 2.58× ASCII 41



CTR Blowfish 835 chars 3.26 ± 0.25 3.9× ASCII 116 2.6× ASCII 158



Table 11.2: Results of the Frequency Analysis

The results of the standard deviation, which are presented in table 11.2, show that the ciphertext

length and the mean values of the “real” block cipher modes, ECB and CBC, are a slightly

higher than the mean values of the other modes, because they have to perform some padding

for obtaining a plaintext which is a multiple of 64 bits. CFB, OFB and CTR mode are only

generating a random character stream which is XORed with the plaintext used for producing

the ciphertext, thus they do not need to perform any padding and the ciphertext length is the

same as the plaintext length.

The ciphertexts produced by using the ECB mode have a very high standard deviation that is

beyond 2.20, and consequently, their character distribution is very weak, which results from the

fact that every single block is coded independently from each other. Therefore, it is not possible

for an input bit to affect each output bit, which is also observed when analyzing the avalanche

characteristic of the ciphers that is described in chapter 11.2.

51


Figure 11.3: Frequency Analysis of the RC2 ECB Ciphertext

Figure 11.3 shows the character distribution of the ciphertext, which has been encrypted by RC2

in the ECB mode and that has the best ECB mode characteristics of all the three algorithms.

The characters of the ciphertext are much wider spread than in the plaintext, but there are still

some which do not appear at all, whereas other characters appear up to 11 times. This fact is

more clearly seen in figure 11.4, which shows the occurrence of the characters in descendent

order according to their frequency of appearance. The curve converges to the mean value line,

which is 3.28, but it has still a lot of outliers.

Figure 11.4: Frequency of Occurrence of Characters in the RC2 ECB Ciphertext

52


The bad frequency characteristics of the ECB mode, which is derived from the fact that every

block is encrypted independently from the previous and next ones, casts this encryption method

into doubt. The results of the frequency analysis of the Blowfish and XTEA ciphertexts are very

similar to those from RC2. The character distribution is very weak and the standard deviation is

very high; therefore, this mode can be considered as not random enough and not recommendable

for the X3C system.

In contrary to the ECB mode, there is a low standard deviation when the CBC mode is used,

which is the second “real” block cipher mode that is discussed. The results of the standard

deviation vary between 0.24 and 0.27, which is very low and that ensures a very good character

distribution. Blowfish outpaces XTEA and RC2 not only by having the lowest result of 0.24,

but it also shows very constant character occurrences with only few vertices above the standard

deviation, which can be seen in figure 11.5.

Figure 11.5: Frequency Analysis of the Blowfish CBC Ciphertext

The XTEA ciphertext has a standard deviation of 0.26, which is only a bit higher than the Blow-

fish result, but compared to the Blowfish frequency analysis graph, it shows some more vertices

especially between the ASCII characters 205 and 250, as mapped in figure 11.6. Moreover,

there are much fewer characters near the mean value, but instead there is a large number of

jumps between the higher and the lower deviation.

The RC2 cipher has the worst standard deviation of the three ciphers, which is 0.27; further-

more, it also produces many vertices, especially between the ASCII characters 16 and 50 and

53


the characters 155 and 200. The frequency analysis graph of RC2 is shown in figure 11.7.

Figure 11.6: Frequency Analysis of the XTEA CBC Ciphertext

Figure 11.7: Frequency Analysis of the RC2 CBC Ciphertext

The character distribution can also be shown by the occurrence curves of the ciphertexts, which

are presented in figure 11.8. As shown in the first quarter of the graphs, the Blowfish curve

adjusts itself a bit faster to the mean value than the other two curves, which means there are

fewer outliers in this ciphertext, whereas the RC2 ciphertext has the slowest drop. In the center

section the Blowfish is also the best, whereas XTEA decreases more slowly than RC2, which

54


has a slightly steeper curve than Blowfish. In the end part, XTEA is also the worst, because it

decreases very fast in contrary to Blowfish and RC2, which have a very similar curve, whereas

RC2 declines a little faster in the very end.

Figure 11.8: Frequency of Occurrence of Characters in the CBC Mode Ciphertexts

55


In addition to the CBC mode, there is only the CFB mode, which provides good results con-

cerning the standard deviation and avalanche effect. In this mode, the ciphertexts are produced

by creating a random bit-stream and XOR it with the plaintext, wherefore the IV is absolutely

needed as input parameter. The best cipher in this mode is XTEA, which has a standard devi-

ation of 0.24, whereas RC2 (0.25) and Blowfish (0.26) are a bit worse. The frequency analysis

graphs of Blowfish and XTEA (figure 11.9) are very similar to each other, as both have many

jumps between the higher and lower standard deviation lines. Moreover, the vertices of the

graphs are almost at the same places.

Figure 11.9: Frequency Analysis of the Blowfish and XTEA CFB Ciphertexts

56


The RC2 graph (figure 11.10), on the other side, is more even, especially in the first 70 ASCII

characters and its vertices are higher than those of the other two.

Figure 11.10: Frequency Analysis of the RC2 CFB Ciphertext

Despite the slight differences between the ciphers, one can say that their frequency analysis

graphs are very similar and there is no big character distribution lack. This fact can also be seen

in the character distribution curves (figures 11.11 and 11.12), which are ordered descending

according to the character occurrence. In the beginning of the curve, the Blowfish curve (figure

11.11) shows the best characteristic, because it decreases rather fast and approaches the mean

value line very good. In the end, the curve also declines fast, which indicates that there are

many character occurrences under the lower standard deviation.

Figure 11.11: Frequency of Occurrence of Characters in the Blowfish CFB Mode Ciphertext

57


The XTEA and RC2 character occurrence curves (figure 11.12) are very similar; they differ

only slightly in the beginning and the end. Both curves decrease rather slowly at first, but then

they have a relatively good approximation to the mean value line and, in the end, they are both

very good, because their decline is late; therefore, they do not have many occurrences below

the lower standard deviation.

Figure 11.12: Frequency of Occurrence of Characters in XTEA/RC2 CFB Mode Ciphertexts

The OFB and CTR modes work relatively similar to the CFB mode, namely producing pseudo-

random streams which are XOR-ed with the data blocks. All ciphers produce good results

within every mode during the frequency analysis, but their character occurrence are slightly

worse compared to those of the CBC and CFB modes. They show many outliers both above

and below the standard deviation and can, therefore, be classified as being less random. More-

over, they produce almost no avalanche effect (see chapter 11.2), which is very important for

the X3C system. Therefore, their graphs will not be discussed in detail in this chapter, but all

the graphs will be listed in Appendix A.

58


11.2 Avalanche Characteristic Analysis

For testing the avalanche effect2, the plaintext had to be changed slightly because, to acquire the

avalanche characteristics of the cipher, it is necessary to have a second plaintext, which differs

from the first one in just one bit. For each of the 50 ciphertexts which were generated for the

frequency analysis, a new ciphertext was produced, using the new demo plaintext and the same

IV values and key as before.

After the generation of the new ciphertexts, they were compared with the 50 previous cipher-

texts of each cipher in each mode to obtain the amount of bit differences between them. Table

11.3 shows the averaged results of this comparison:

Mode Cipher Bits Altogether Same Bits Different Bits Avalanche Characteristic

Plaintext 1 & 2 6680 6679 1 0.01%

ECB Blowfish 6720 6689 31 0.46%

XTEA 6720 6695 25 0.37%

RC2 6720 6688 32 0.48%

CBC Blowfish 6720 6423 3297 49.06%

XTEA 6720 3421 3299 49.09%

RC2 6720 3425 3295 49.03%

CFB Blowfish 6680 3421 3259 48.79%

XTEA 6680 3411 3269 48.94%

RC2 6680 3401 3279 49.09%

OFB Blowfish 6680 6679 1 0.01%

XTEA 6680 6679 1 0.01%

RC2 6680 6679 1 0.01%

CTR Blowfish 6680 6679 1 0.01%

XTEA 6680 6679 1 0.01%

RC2 6680 6679 1 0.01%

Table 11.3: Results of the Avalanche Effect Analysis

As illustrated in chapter 9.1.2, the avalanche effect should be around 50% to guarantee good

diffusion. Table 11.3 clearly points out that not all the modes provide this characteristic.

2A detailed description of the avalanche effect can be found in chapter 9.1.2.

59


The ECB mode shows very weak diffusion characteristics between 0.37% and 0.48%, which

are very low and not enough to disguise the similarity between the different plaintexts. This

low characteristic arises from the fact that blocks are encrypted independently from the other

and, therefore, a bit change in one block has almost no effect within the other blocks. Thus, the

ECB mode is not recommendable for the X3C system.

In contrast to the ECB mode, the CBC mode shows rather perfect diffusion. Among all three

ciphers, the XTEA algorithm has the best value with 49.09%, whereas Blowfish and RC2 are

closely behind with 49.06% and 49.03%. These values are signs for good diffusion and, there-

fore, this mode could be used within the X3C system. The only drawback is the plaintext

padding which is necessary to have equal sized blocks of 64 bits, which means that the tags

have to send more text that increases the required power consumption.

The plaintext padding is not observed in the CFB mode. The ciphertext length equates the plain-

text length; therefore, no additional power is required because of the message length that has to

be sent. Moreover, the avalanche characteristic is similar to the characteristic of the CBC mode,

whereas the RC2 cipher is the best with 49.09%. XTEA also provides good diffusion with

48.94%, whereas Blowfish is worse with only 48.79%. Nevertheless, these values are enough

to maintain adequate security; therefore, this mode is very preferable for the X3C system.

The last two modes, OFB and CTR, do not have any disguising characteristic, as seen in table

11.3. The ciphertexts do only differ within one bit and this bit differs at the same place where

the plaintext bit differs. Therefore, these two modes are completely excepted from being used

in the X3C system, because an attacker could detect a correlation between the ciphertexts which

could lead him to the plaintexts.

60


11.3 Recommendable Ciphers Regarding Security

The most important thing for the X3C system, regarding the security of an algorithm, is the dis-

guising of the plaintexts, which are very similar and will differ in only few characters. Therein,

the results of chapter 11.2 are very important for the recommendation of the ciphers. Not only

the diffusion, but also the randomness of the ciphertext characters should not be neglected, be-

cause it provides another security factor which is important for having disguised plaintexts.

Regarding the results of chapters 11.1 and 11.2, it was possible to generate a classification ta-

ble. Therefore, the avalanche characteristics were taken slightly more into account than the

standard deviation, due to the fact that it is more important to achieve good diffusion than to

have absolutely random ciphertexts. Table 11.4 presents the recommended ciphers regarding

their security:

Cipher Mode Avalanche Characteristic Standard Deviation

1. RC2 CFB 49.09% ± 0.25

2. XTEA CBC 49.09% ± 0.26

3. Blowfish CBC 49.06% ± 0.24

4. RC2 CBC 49.03% ± 0.27

5. XTEA CFB 48.94% ± 0.24

6. Blowfish CFB 48.79% ± 0.26

Table 11.4: Recommended Ciphers for the X3C System regarding Security

As can be seen in table 11.4 it is clearly possible to state that the CFB and CBC modes are

the best ones concerning the security. This fact has already been obvious during the avalanche

analysis, which showed very low diffusion in the ECB, OFB and CTR modes, although the

standard deviation of all 5 modes only slightly vary.

The RC2 shows very good results when running in the CFB mode, whereas XTEA and Blow-

fish are better when using CBC. This may refer to the different functions which are used during

the encryption and the different number of rounds. All in all, those 6 ciphers showed very good

results and especially RC2 and XTEA will be useful for X3C system.

Nevertheless, for obtaining a final result, the energy consumption of the ciphers has also to be

measured to create a final table which considers randomness, diffusion and energy consumption.

Those energy consumption measurements will be presented in chapter 12.

61


12 Energy Consumption Analysis Results

As described in chapter 9.2.3, the classification of the encryption algorithms regarding their

energy consumption was made by measuring the CPU time and the memory footprint during

the encryption of a certain amount of plaintexts.

12.1 CPU Time Measurement

The CPU time was measured by using the PHP functionmicrotime(), which returns the current

timestamp in microseconds. For obtaining an average value it was necessary to run several tests

to minimize the influence of measurement errors, which were generated by the system tasks,

on the result. These tests comprised measuring the time the algorithms needed in each mode to

encrypt 10, 100, 1000 and 10000 plaintexts, which were the same as for the frequency analysis

with a length of 835 characters. The results of these measurements, which are presented in

Appendix B, were averaged to get the encryption time for 1 plaintext.

Figure 12.1: Average CPU Time Needed by the Algorithms to Encrypt 1 Plaintext

Figure 12.1 shows that XTEA is clearly the fastest and, therefore, also the most efficient ci-

pher, whereas the Blowfish cipher is very slow in almost all modes. In general, the ECB,

CBC and CTR modes are very fast in contrast to the CFB and OFB modes, which take up to

3.21 ms for encrypting one plaintext. This results from the fact that ECB, CBC and CTR en-

crypt sequentially one block after the other, whereby either no previously calculated additional

62

Part IV 12 Energy Consumption Analysis Results

input parameter is needed or the additional input parameters are obtained from the previous

ciphertext block or a special counter. In contrast to that, the CFB and OFB modes require the

pre-computation of the pseudorandom bit-stream which is then XORed with the plaintext3.

As XTEA is a very slim and tiny cipher, the time consumption for encrypting the plaintexts with

this cipher is the best, whereby the CBC mode stands out with only 1.16 ms encryption time.

The RC2 cipher is slightly behind, having the best result in the CTR mode, which is 1.36 ms.

The Blowfish cipher has the worst results regarding the CBC, ECB and CTR modes, whereby

its best value is in the ECB mode, which needs 1.60 ms, but is, therefore, 0.40 ms slower than

XTEA.

The CFB and OFB modes are behind the three other modes and, therefore, take very long time

for the encryption. The XTEA cipher is again the best one, whereas Blowfish is hardly behind

in both nodes. Nevertheless, the values, which range from 2.01 ms to 2.25 ms, are very high

and consequently, the energy consumption of them can also be seen as very high. The RC2

algorithm was the worst one regarding the CFB and OFB modes by requiring more than 3 ms

for the encryption of one plaintext.

12.2 Memory Footprint

The memory footprint was measured by using the PHP functionmemoryget usage(), which

returns the amount of memory actually allocated to PHP [36]. Therefore, it was not possible to

measure a footprint of a single encryption, but only to measure the footprint of the whole PHP

module. Furthermore there was no way found to define the exact measurement inaccuracies of

the used PHP function and no documentation about it could be retrieved. Altogether the results

of the memory footprint measurements, which are presented in Appendix C, are not significant

enough to provide a reliable classification of the used algorithms.

Summarizing, the memory footprint results proved the outcome of the frequency analysis,

which identified longer ciphertexts in the CBC and ECB mode that results from the plaintext

padding.

3For further explanation of the different modes, see chapter 6.1.

63


12.3 Recommended Ciphers Regarding Energy Consumption

The most important fact for the X3C system, regarding the energy consumption, is energy ef-

ficiency of an algorithm, which can be measured by the CPU time they need for encrypting a

plaintext and how much memory they need to run faultless. Therefore, the results of chapter

12 are very important for recommending special ciphers. According to the results of the energy

analysis, the following ciphers are suggested to be used within the X3C system:

Cipher Mode CPU Time

1. XTEA CBC 1.16 ms

2. XTEA ECB 1.20 ms

3. XTEA CTR 1.21 ms

4. RC2 CTR 1.36 ms

5. RC2 CBC 1.42 ms

6. RC2 ECB 1.46 ms

Table 12.1: Recommended Ciphers for the X3C System regarding Energy Consumption

Table 12.1 shows that the XTEA algorithm is generally favored over the RC2 algorithm, and

the Blowfish does not even exist within the best 6 ciphers. This results from the fact that the

three ciphers have very different functions, which distinctly affect the encryption duration. This

duration is a general sign to get to know how much power a sensor tag will consume if a specific

algorithm is used.

All in all, the ciphers have been analyzed regarding their security and their energy consumption,

which allows a final recommendation for the X3C system. This resume can be found in chapter

13, which sums up the results and gives a general conclusion about the subject “Security vs.

Power Consumption in Wireless Sensor Networks”.

64

Part IV 13 Summary of Results

13 Summary of Results

As described in chapter 11 and 12 the three encryption algorithms Blowfish, XTEA and RC2

were tested in the different operation modes ECB, CBC, CFB, OFB and CTR regarding their

security and energy consumption. On the one hand, the security of the ciphers was evaluated

on the basis of their frequency analysis and the avalanche effect, which provides information

about the randomness of the resulting ciphertexts. On the other hand, the energy consumption

had to be taken into consideration for obtaining a final cipher which could be recommended to

X3C. As it would have been too time-consuming to run each cipher on the X3C hardware, the

tests were made on a Linux PC which measured the time each cipher needed for encrypting a

specific amount of plaintexts, which consisted of respectively 835 characters (= 6680 bits). The

additionally tested memory footprint was not reliable because of not mensurable uncertainties.

For obtaining a final result, all the analysis results have been taken into account. During the

frequency analysis it was stated that only the CFB and CBC modes are recommendable regard-

ing the security. Regarding the energy consumption, it is obviously seen in chapter 12.1 that all

algorithms needed very long time in the CFB mode, compared to the CBC mode. Especially

the RC2 cipher requires much time for encrypting one plaintext in the CFB mode. The ECB

and the CTR mode, which would have very good results concerning the energy consumption,

failed by reason of their weak avalanche characteristics.

Table 13.1 shows the final classification of the tested algorithms in reference to their security

and energy consumption characteristics:

Avalanche Standard

Algorithm Mode Characteristic Deviation CPU Time

1. XTEA CBC 49.09% ±0.26 1.16 ms

2. RC2 CBC 49.03% ±0.27 1.42 ms

3. Blowfish CBC 49.06% ±0.24 1.73 ms

Table 13.1: Recommended Ciphers for the X3C System

As it is more important for X3C to use an energy efficient algorithm, the CPU time results have

been weighted stronger than the security analysis results. Therefore, Blowfish is considered to

be the worst algorithm because its required CPU time is almost 22% higher than the required

CPU time of RC2.

65


Nevertheless, the XTEA algorithm shows very good results in both security and energy con-

sumption. It is very fast in all modes, and especially in the CBC mode it is unbeaten. Fur-

thermore, this mode has also been stated very secure, with a very high avalanche characteristic,

which is 49.09%; therewith it is very near to the ideal 50%. The standard deviation, which is

0.26, is also representative, even if it has not been the best during the tests.

In general, the XTEA algorithm is predestinated to be used in the X3C system, because it is

very thin and effective and provides good security. Moreover, the randomness and disguising

factor is very important for X3C, which is perfectly offered by XTEA. The disadvantage of

the algorithm is the low knowledge about the effectiveness of linear and differential attacks.

Although there have been several tests, no reliable results have been published, which show if

these attacks have been successful.

Recapitulatory, it was very interesting to see that the different operation modes have very much

influence on the security and the effectiveness of a cipher. Therefore, it is very important

to weigh which factors and parameters are more important to be able to find the right mode.

For X3C, these factors are effectiveness and energy saving, which have been considered when

classifying the ciphers. The best results have been stated by the XTEA cipher in the CBC

mode, which is, therefore, recommended to X3C for encrypting the communication between

the SEALTM ARFID tags and the SEALTM Access Points.

66

Part V

Part V

CONCLUSION

67


68

Part V 14 Conclusion

14 Conclusion

The goal of this thesis is to present the most suitable security algorithm for WSNs and especially

for the applications of the X3C company. On the one hand the communication between the

ARFID tags and the base-stations has to be secure, but on the other hand, the lifespan of a

tag must not be decreased dramatically by the security mechanism; thus, a security algorithm

consuming as little energy as possible had to be found.

It was obvious that only symmetric encryption is useful in such resource limited environments

and a way to compare the security level of the different (symmetric) algorithms had to be

defined. Important characteristics of encryption algorithms are the letter frequencies and the

avalanche effect. An analysis regarding these characteristics was done and the detailed results

are presented in chapter 11. The algorithms RC2 (in CFB mode) and XTEA (in CBC mode) are

the best concerning the two mentioned characteristics.

Secondly, the energy consumption of these algorithms had to be examined because the lifespan

of a tag is more important for X3C than the security. This examination was done by measur-

ing the required CPU time and the memory footprint needed by each algorithm to encrypt the

demo plaintext provided by X3C. These two parameters have a great influence on the energy

consumption and it was interesting to realize that choosing the right mode of an encryption

algorithm is roughly as important as choosing the right algorithm. XTEA is, by far, the most

efficient and power saving algorithms and it needed the shortest CPU time in CBC mode; more

detailed explanation can be found in chapter 12.

Since every kind of security needs additional energy, a detailed investigation should be done

that shows which part of the communication has to be encrypted and which parts might be

transmitted in plaintext to increase the lifespan the ARFID tags. Summarizing the two different

analysis, the encryption algorithm of choice is the XTEA, to be run in CBC mode as it was the

best cipher regarding the energy consumption and security analysis. A smart implementation

of this algorithm will fulfill the needs of the X3C applications. The security and energy an-

alyzing methods also enable the comparison of other security algorithms and, therefore, their

classification regarding security and power consumption.

69


15 Further Work

The simulations for the analysis were done in PHP on a Linux computer. Whereas this was

a good an suitable way to compare the differences between the algorithms, it is not suitable

to get any absolute values, neither concerning the real power consumption nor concerning the

efficiency of the algorithms on the special CPU of the ARFID tags. Therefore the next step

would comprise the implementation of the best algorithms in C and run them on the tags for

measuring the time each one needs for the encryption of a plaintext. The results of such tests

would provide a good result about the efficiency of the different algorithms and would maybe

show a difference to our results on the test computer.

If other cryptography algorithms seem to be interesting as well, they could be analyzed in the

same way as it was done with the three presented algorithms. The results could be compared

with the already classified algorithms and it is easy to compare them concerning security and

energy consumption. If another testing environment is used, first of all a reference value with

the same PHP version and implementations has to be calculated, in order to get comparable

results.

A totally other way to ensure security could also be to develop a smart and very simple algo-

rithm to use a secret way of substitution. This possibility was not respected at all in this thesis

because it provides “security through obscurity”. As mentioned in chapter 6, security should

only depend on the secrecy of the key and not on the secrecy of the algorithm.

70

Part V Bibliography

Bibliography

[1] M. Tubaishat and S. Madria. Sensor Networks: An Overview.IEEE Potentials, 22(2):20–

23, April-May 2003.

[2] W. R. Heinzelman, A. Chandrakasan and H. Balakrishnan. Energy-Efficient Communi-

cation Protocol for Wireless Microsensor Networks. InProceedings of the 33rd Annual

Hawaii International Conference on System Sciences (HICSS-33), volume 2, page 10pp,

January 2000.

[3] G. Khanna, S. Bagchi, and Y.-S. Wu. Fault Tolerant Energy Aware Data Dissemination

Protocol in Sensor Networks. InProceedings of the 2004 International Conference on

Dependable Systems and Networks (DSN’ 04), pages 795–804, June-July 2004.

[4] F. J. Burghardt (2001). Entwicklung des Computers.

http://www.k.shuttle.de/k/hoelderlin-gymnasium/informat/pcgesch.htm (October 13,

2005).

[5] R. Shirey. Internet Security Glossary (RFC 2828). The Internet Society, May 2000.

[6] S. T. Ross.UNIX System Security Tools. McGraw-Hill Companies, September 1999.

[7] ITU. Security architecture for Open Systems Interconnection for CCITT applications

(ITU-T Recommendation X.800). March 1991.

[8] W. Stallings.Network Security Essentials (2nd Edition). Pearson Education, 2nd edition,

2003.

[9] P. Brauch. Sichere Worter. c’t, 17, August 2002.

[10] H. Chan and A. Perrig. Security and Privacy in Sensor Networks.Computer, 36(10):103–

105, October 2003.

[11] C. P. Pfleeger.Security in Computing (2nd Edition). Prentice Hall PTR, 2nd edition, 1997.

[12] A. Kerckhoffs. La cryptographie militaire.Journal des sciences militaires, IX :5–38,

January 1883.

[13] C. E. Shannon. Communication Theory of Secrecy Systems.Bell System Technical Jour-

nal, 28(4):656–715, 1949.

71


[14] H. Feistel. Cryptography and Computer Privacy.Scientific American, 228(5):15–23, May

1973.

[15] A. S. Tanenbaum.Computernetzwerke. Pearson Studium, 3rd edition, 2000.

[16] A. Ekert. Cracking codes, part II.Plus Internet Magazine (http://plus.maths.org), issue

35, May 2005.

[17] C. Elliott. Quantum Cryptography.IEEE Security & Privacy Magazine, 2(4):57–61, July-

August 2004.

[18] W. Diffie and M. E. Hellman. New Directions in Cryptography.IEEE Transactions on

Information Theory, 22(6):644–654, November 1976.

[19] C. Karlof, N. Sastry and D. Wagner. TinySec: A Link Layer Security Architecture for

Wireless Sensor Networks. InProceedings of Second ACM Conference on Embedded

Networked Sensor Systems (SenSys 2004), November 2004.

[20] E. F. Brickell et al. Interim report: The skipjack algorithm, July 1993. An online

version is available at http://www.alw.nih.gov/Security/FIRST/papers/crypto/skipjack.txt

(15.11.2005).

[21] B. Schneier. Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish).

In Ross J. Anderson, editor,Fast Software Encryption, volume809 of Lecture Notes in

computer Science, pages 191–204. Springer, 1994.

[22] S. Vaudenay. On the Weak Keys of Blowfish. InFast Software Encryption, pages 27–32,

1996.

[23] D. Schmidt. On the Key Schedule of Blowfish. Technical report, February 2005.

[24] D. J. Wheeler and R. M. Needham. TEA, a Tiny Encryption Algorithm. InFast Software

Encryption, Second International Workshop Proceedings, pages 97–110. Springer, 1995.

[25] J. Kelsey et al. Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X,

NewDES, RC2,. InICICS ’97 Proceedings, pages 223–246. Springer, November 1997.

[26] F. Mirza. Block Ciphers And Cryptanalysis. Technical report, Royal Holloway University,

1998.

72

Part V Bibliography

[27] R. M. Needham and D. J. Wheeler. Tea extensions. Technical report, University of Cam-

bridge, October 1997.

[28] D. Moon et al. Impossible Differential Cryptanalysis of Reduced Round XTEA and TEA.

In FSE ’02: Revised Papers from the 9th International Workshop on Fast Software En-

cryption, volume2365, pages 49–60, London, UK, 2002. Springer.

[29] S. Hong et al. Differential cryptanalysis of TEA and XTEA. InProceedings of ICISC

2003, 2003.

[30] R. Rivest. A Description of the RC2(r) Encryption Algorithm (RFC 2268). Network

Working Group, March 1998.

[31] B. Schneier and J. Kelsey. Unbalanced Feistel Networks and Block Cipher Design. In

FSE ’96: Proceedings of the 5th International Workshop on Fast Software Encryption,

pages 121–144. Springer, 1996.

[32] L. R. Knudsen et al. On the Design and Security of RC2. InFSE ’98: Proceedings of the

5th International Workshop on Fast Software Encryption, pages 206–211. Springer, 1998.

[33] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone.Handbook of Applied Cryptogra-

phy. CRC Press, 1996.

[34] Nordic Semiconductor. nRF24E1 - 2.4GHz RF transceiver with embedded 8051 compat-

ible micro-controller and 9 input, 10 bit ADC. Revision 1.2. Product Specification, June

2004. available at http://www.nordicsemi.no.

[35] The PHP Documentation Group. Lxxiii. mcrypt encryption functions. Manual, November

2005. http://www.php.net (06.12.2005).

[36] The PHP Documentation Group. memoryget usage. Manual, November 2005.

http://www.php.net (06.12.2005).

73

security versus power consumption in wireless sensor networks237467/fulltext01.pdf · computers....

Documents