security versus power consumption in wireless sensor networks
TRANSCRIPT
Master’s Thesis, IDE0601, January 2006
Security versus Power Consumptionin Wireless Sensor Networks
Master’s Thesis in Computer System Engineering
submitted by
Christine Fotschl
Stefan Rainer
School of Information Science, Computer and Electrical Engineering
Halmstad University
Security versus Power Consumptionin Wireless Sensor Networks
Master’s Thesis in Computer System Engineering
School of Information Science, Computer and Electrical EngineeringHalmstad University
Box 823, S-301 18 Halmstad, Sweden
January 2006
Affidavit
Affidavit
Herewith we, Christine Fotschl and Stefan Rainer, declare that we have written this master the-
sis fully on our own and that we have not used any other sources apart from those given.
Halmstad, January 2006
821112-N663
Matriculation number Christine Fotschl
820208-N298
Matriculation number Stefan Rainer
iii
Security versus Power Consumption in Wireless Sensor Networks
iv
Preface
Preface
Team Members: Christine Fotschl
Stefan Rainer
University: Halmstad University
Program of Study: Master’s Program for Computer System Engineering
Title of Master Thesis: Security versus Power Consumption in Wireless Sensor Networks
Supervisors: Markus Adolfsson
Tony Larsson
Opponent: Per-Arne Wiberg
Examinator: AndersAhlander
Keywords
1st Keyword: Wireless Sensor Networks
2nd Keyword: Security Algorithm Benchmarking
3th Keyword: Security
v
Security versus Power Consumption in Wireless Sensor Networks
vi
Preface
Abstract
X3C is a Swedish company which develops a world wide good tracking system by using ARFID
tags placed on every item which has to be delivered and base stations as gateway in a wireless
sensor network. The requirement of a long lifespan of their ARFID tags made it difficult to
implement security. Firstly an evaluation of possible security mechanisms and their power
consumption was done by measuring the avalanche effect and character frequency of the sym-
metric algorithms Blowfish, RC2 and XTEA. Secondly, the required CPU time which is needed
by each algorithm for encrypting a demo plaintext, was measured and analyzed. Summariz-
ing both analysis, the XTEA algorithm, run in CBC mode, is the recommendation for the XC
ARFID tags. The testing processes and the results are presented in detail in this thesis.
vii
Security versus Power Consumption in Wireless Sensor Networks
viii
List of Figures
List of Figures
2.1 X3C System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.1 System Architecture of a Common Wireless Sensor Node . . . . . . . . . . . . 11
4.2 Different Topologies for Wireless Sensor Networks . . . . . . . . . . . . . . . 12
6.1 Cipher Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
6.2 Electronic Codebook Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
6.3 Cipher Block Chaining Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
6.4 Cipher Feedback Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.5 Output Feedback Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.6 Counter Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.7 Simplified Model of Symmetric Encryption . . . . . . . . . . . . . . . . . . . 26
6.8 Feistel Round . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
6.9 Simplified Model of Asymmetric Encryption . . . . . . . . . . . . . . . . . . 28
6.10 Authentication During Asymmetric Encryption . . . . . . . . . . . . . . . . . 29
9.1 nRF24E1 ARFID Tag as Used in the X3C System . . . . . . . . . . . . . . . . 41
11.1 Frequency Analysis of the Plaintext . . . . . . . . . . . . . . . . . . . . . . . 49
11.2 Frequency of Occurrence of Characters in Plaintext . . . . . . . . . . . . . . . 50
11.3 Frequency Analysis of the RC2 ECB Ciphertext . . . . . . . . . . . . . . . . . 52
11.4 Frequency of Occurrence of Characters in the RC2 ECB Ciphertext . . . . . . 52
11.5 Frequency Analysis of the Blowfish CBC Ciphertext . . . . . . . . . . . . . . 53
11.6 Frequency Analysis of the XTEA CBC Ciphertext . . . . . . . . . . . . . . . . 54
11.7 Frequency Analysis of the RC2 CBC Ciphertext . . . . . . . . . . . . . . . . . 54
11.8 Frequency of Occurrence of Characters in the CBC Mode Ciphertexts . . . . . 55
11.9 Frequency Analysis of the Blowfish and XTEA CFB Ciphertexts . . . . . . . . 56
11.10 Frequency Analysis of the RC2 CFB Ciphertext . . . . . . . . . . . . . . . . 57
11.11 Frequency of Occurrence of Characters in the Blowfish CFB Mode Ciphertext 57
11.12 Frequency of Occurrence of Characters in XTEA/RC2 CFB Mode Ciphertexts 58
12.1 Average CPU Time Needed by the Algorithms to Encrypt 1 Plaintext . . . . . . 62
ix
Security versus Power Consumption in Wireless Sensor Networks
x
List of Tables
List of Tables
8.1 Possible Configuration Parameters for Blowfish . . . . . . . . . . . . . . . . . 35
8.2 Possible Configuration Parameters for XTEA . . . . . . . . . . . . . . . . . . 36
8.3 Possible Configuration Parameters for RC2 . . . . . . . . . . . . . . . . . . . 37
11.1 Configuration Parameters for the Comparison . . . . . . . . . . . . . . . . . . 50
11.2 Results of the Frequency Analysis . . . . . . . . . . . . . . . . . . . . . . . . 51
11.3 Results of the Avalanche Effect Analysis . . . . . . . . . . . . . . . . . . . . . 59
11.4 Recommended Ciphers for the X3C System regarding Security . . . . . . . . . 61
12.1 Recommended Ciphers for the X3C System regarding Energy Consumption . . 64
13.1 Recommended Ciphers for the X3C System . . . . . . . . . . . . . . . . . . . 65
xi
Security versus Power Consumption in Wireless Sensor Networks
xii
List of Abbreviations
List of Abbreviations
µTESLA . . . . . . . . . . . . . . . Micro Timed Efficient Stream Losstolerant Authentication3DES . . . . . . . . . . . . . . . . . . Triple Data Encryption Standard3G . . . . . . . . . . . . . . . . . . . . Third GenerationAES . . . . . . . . . . . . . . . . . . . Advanced Encryption StandardARFID . . . . . . . . . . . . . . . . Active Radio Frequency IdentificationCBC . . . . . . . . . . . . . . . . . . . Cipher Block ChainingCFB . . . . . . . . . . . . . . . . . . . Cypher Feedback ModeCPU . . . . . . . . . . . . . . . . . . . Central Processing UnitCTR . . . . . . . . . . . . . . . . . . . CounterDES . . . . . . . . . . . . . . . . . . . Data Encryption StandardECB . . . . . . . . . . . . . . . . . . . Electronic Codebook ModeGPRS . . . . . . . . . . . . . . . . . General Packet Radio ServiceGPS . . . . . . . . . . . . . . . . . . . Global Positioning SystemGSM . . . . . . . . . . . . . . . . . . Global System for Mobile CommunicationsI/O . . . . . . . . . . . . . . . . . . . . Input/OutputIEEE . . . . . . . . . . . . . . . . . . Institute of Electrical and Electronics EngineersISO . . . . . . . . . . . . . . . . . . . . International Organization for StandardizationIV . . . . . . . . . . . . . . . . . . . . . Initializing VectorMAC . . . . . . . . . . . . . . . . . . Message Authentication CodeOFB . . . . . . . . . . . . . . . . . . . Output Feedback ModeOTB . . . . . . . . . . . . . . . . . . . One Time Key PadRF . . . . . . . . . . . . . . . . . . . . Radio FrequencyRFID . . . . . . . . . . . . . . . . . . Radio Frequency IdentificationRSA . . . . . . . . . . . . . . . . . . . Rives, Shamir, AdelmanSNEP . . . . . . . . . . . . . . . . . . Sensor Network Encryption ProtocolSPIN . . . . . . . . . . . . . . . . . . Sensor Protocols for Information via NegotiationSPMS . . . . . . . . . . . . . . . . . Shortest Path Minded SPINTinySec-AE . . . . . . . . . . . . TinySec Authenticated EncryptionTinySec-Auth . . . . . . . . . . TinySec AuthenticationWSN . . . . . . . . . . . . . . . . . . Wireless Sensor NetworkXOR . . . . . . . . . . . . . . . . . . Exclusive ORXTEA . . . . . . . . . . . . . . . . . Extended Tiny Encryption AlgorithmX3C . . . . . . . . . . . . . . . . . . . XCube Communication AB
xiii
Security versus Power Consumption in Wireless Sensor Networks
xiv
Contents
Contents
I INTRODUCTION 1
1 Introduction 3
2 XCube Communication AB (X3C) 4
2.1 SEALTMARFID Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 SEALTMAccess Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3 SEALTMPortal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.4 SEALTMManagement System . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3 Problem Definition 7
II BACKGROUND 9
4 Wireless Sensor Networks (WSN) 11
5 Theory of Security and Privacy 14
5.1 Introduction to Security and Privacy . . . . . . . . . . . . . . . . . . . . . . . 14
5.2 Security Problems Concerning WSNs . . . . . . . . . . . . . . . . . . . . . . 18
5.2.1 Sensor Node Compromise . . . . . . . . . . . . . . . . . . . . . . . . 19
5.2.2 Eavesdropping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
5.2.3 Privacy of Sensed Data . . . . . . . . . . . . . . . . . . . . . . . . . . 19
5.2.4 Denial of Service (DoS) Attacks . . . . . . . . . . . . . . . . . . . . . 20
5.2.5 Malicious User of Commodity Networks . . . . . . . . . . . . . . . . 20
6 Cryptography 21
6.1 Symmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.2 One-Time Pad (OTB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
6.3 Asymmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
6.4 Hash Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
6.5 Digital Signatures (DS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
7 Related Work 31
7.1 SPINS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
7.2 TinySec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
xv
Security versus Power Consumption in Wireless Sensor Networks
III METHOD 33
8 Used Encryption Algorithms 35
8.1 Blowfish . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
8.2 XTEA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
8.3 RC2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
9 Measuring Methods 38
9.1 Measuring Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
9.1.1 Frequency Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
9.1.2 Avalanche Effect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
9.2 Measuring Energy Consumption . . . . . . . . . . . . . . . . . . . . . . . . . 40
9.2.1 Ideal Measurement Environment . . . . . . . . . . . . . . . . . . . . . 40
9.2.2 Simulation Environment . . . . . . . . . . . . . . . . . . . . . . . . . 41
9.2.3 Measured Parameters Concerning Energy Consumption . . . . . . . . 42
10 Testing Environment 44
10.1 Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
10.2 PHP4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
IV RESULTS 47
11 Security Analysis Results 49
11.1 Ciphertext Frequency Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 51
11.2 Avalanche Characteristic Analysis . . . . . . . . . . . . . . . . . . . . . . . . 59
11.3 Recommendable Ciphers Regarding Security . . . . . . . . . . . . . . . . . . 61
12 Energy Consumption Analysis Results 62
12.1 CPU Time Measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
12.2 Memory Footprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
12.3 Recommended Ciphers Regarding Energy Consumption . . . . . . . . . . . . 64
13 Summary of Results 65
V CONCLUSION 67
xvi
Contents
14 Conclusion 69
15 Further Work 70
Bibliography 71
xvii
Security versus Power Consumption in Wireless Sensor Networks
xviii
Part I
Part I
INTRODUCTION
1
Security versus Power Consumption in Wireless Sensor Networks
2
Part I 1 Introduction
1 Introduction
Nowadays, where Information Technology becomes more and more powerful, major companies
want to use new technologies to observe their goods, which are sent all over the world by truck,
airplane or ship to know their actual position and condition. Therefore, there are currently lots
of investigations done regarding sensor networks and wireless communication. Sensor networks
consist of small sensor devices working together as a network which facilitate the reception of
environmental information over the air (e.g. temperature) without the necessity to place “big”
computers. These sensor networks enable real-time tracking and surveillance because of being
small, efficient and cheap. However, sending information over the air always demands the
implementation of security which causes higher energy consumption. As sensors have limited
energy resources this additional energy consumption raises problems.
This thesis gives an insight to the efficiency and suitability of encryption algorithms for wireless
sensor networks. Part I will present technical facts about XCube Communication AB, which
is a company that is specialized in using wireless sensor networks for observing goods all over
the world. Furthermore a detailed problem definition will be given. Part II introduces wireless
sensor networks as well as the theory and implementation methods concerning security and
privacy. Additionally former approaches of applying security to wireless sensor networks are
illustrated, named SPINS and TinySec. The methods, which were used for measuring the secu-
rity and the energy characteristics of different encryption algorithms are presented in Part III.
Furthermore, this part also contains the testing environment definitions. Part IV consists of the
measurement results, which are split into security analysis results, energy consumption results
and the final results that present the recommended algorithm for X3C. Part V is composed of
the final conclusion and the further work, which proposes supplementary research fields.
3
Security versus Power Consumption in Wireless Sensor Networks
2 XCube Communication AB (X3C)
X3C is situated in Gothenborg in Sweden as a part of XCube Communication Inc., Boston,
USA. The goal of the company is to provide world-wide tracking of goods, disregarding the
environment (sea, air, land) by which they are transported. The basic idea is to have the ability
to inform a company where its goods are and if the environment is adequate (e.g. are the goods
in the right temperature range) at any time during their transportation. The underlaying system
of X3C is called SEALTM, which stands for a) see all, b) seal or c) sea-air-land. As illustrated
in Figure 2.1, it consists in general of SEALTM ARFID tags, SEALTM Access Points, SEALTM
Portals and the SEALTM Management System.
Figure 2.1: X3C System
2.1 SEALTM ARFID Tags
Radio Frequency Identification (RFID) was invented in the 70s and was mostly used for anti-
theft services and toll road systems. Whereas RFID technologies were developed by many dif-
ferent companies, today the EPCglobal is responsible for standardization of RFID applications
like the electronic product code (EPC).
The main task of Radio Frequency Identification (RFID) is providing a unique identity when
needed using wireless communication. Currently there exist many different RFID devices with
different functionalities like on-board storage or measuring sensors. X3C uses a so-called Ra-
dio Frequency Identification (RFID) tag which is a small microchip used for sensing and storing
data for its transmission to a special receiver. It works in the internationally un-licensed 2.4 GHz
4
Part I 2 XCube Communication AB (X3C)
frequency band, which allows the wireless communication to reach up to 30 meters by having
high bandwidth and low cost.
In the X3C framework each transported product should be given its own Active RFID (ARFID)
tag, which has its own CPU, memory and digital I/O to measure and forward important environ-
ment values like temperature or acceleration. It has to be mentioned that there is the possibility
to either put a lot of goods together into one “packet” with one ARFID tag (e.g. eggs) or put
one ARFID tag on each and every single product (e.g. an expensive sports car). The values,
which have been measured by the tags, are then sent to the SEALTM Access Point.
2.2 SEALTM Access Points
Within the X3C system, there are two different types of Access Points: Field clients, which
are situated on an ISO palette, and Base Stations, which are positioned at a source/destination
docking point like a harbor. In general, an Access Point acts as a master for “its” ARFID tags
and collects all the data they send for later analysis and relaying to the SEALTM Portal. It is
equipped with module-based communication devices like GSM, 3G or IEEE 802.11 and a GPS
receiver; therefore, it also needs higher power supply than the ARFID tags. All received mea-
sured values are analyzed and important data is sent via wireless technologies and the Internet
to the SEALTM Portal for further processing. Moreover, an Access Point has the possibility to
get a connection to other Access Points for exchanging information.
2.3 SEALTM Portal
The SEALTM Portal is the central storage point where all Access Points connect to and con-
tains the database with all registered measurements. Through the Access Points it receives data
from all ARFID tags around the world and provides all data concerning the goods and the sys-
tem devices through a central interface. Furthermore it has the functionality to handle suspect
communication and security attacks to ensure that no faked data enters the database and also
intruders are kept out.
2.4 SEALTM Management System
The SEALTM Management System provides maintenance scalability and accounting. It is
needed for managing the inter-communication between all parts of the X3C system and there-
5
Security versus Power Consumption in Wireless Sensor Networks
fore offers service provisioning and multilevel user authentication. It is fully transparent, so no
user is aware of its existence, but it provides all essential management services needed to handle
the huge amount of data.
The cooperation of all these different parts of the system is needed to guarantee real-time track-
ing of goods. It is important to have a fast, bandwidth saving transmission of data and, at the
same time, implement as much security as possible to assure perfect cooperation and valid data.
Therefore, X3C provided this Master’s Thesis to obtain a better insight into the topic “Power
Consumption vs. Security in Wireless Sensor Networks”.
6
Part I 3 Problem Definition
3 Problem Definition
Sensor devices like the SEALTM ARFID tags are very far developed today and consist of the
latest hard- and software. They are used in many different applications and, therefore, provide
many features like power saving modes, flexible transmission speeds or frequency hopping
mechanisms.
Nevertheless, there is an important aspect which must not be neglected: the security of the
transmitted data has to be guaranteed. Due to the fact that sensor networks usually communicate
wirelessly, everybody could receive transmitted information, modify this information or invoke
new messages. Thus, it is very important to secure the communication between the different
sensors or base stations, depending on the specific security requirements. One of the most
common ways to integrate security into the wireless communication is the usage of encryption
algorithms, which ensures that no attacker is able to read a wiretapped message or change it in
an unnoticeable way.
Nowadays there exist many interesting and useful algorithms, which offer very high security,
but when constructing a secure wireless sensor network, there is one additional constraint to be
considered: The most limited resource in wireless environments is energy as the power supply
is mostly realized by using batteries with limited capacities.
As the energy and memory resources of the sensors are restricted, there is almost no possibility
of using usual algorithms like RSA or the Triple Digital Encryption Standard (3DES). 3DES
is a symmetric key cipher, which bases on two 56-bit keys (providing an effective key length
of 168 bit) and 64-bit blocks to be encrypted. RSA is an asymmetric key cipher which is
used for key exchange procedures. Asymmetric algorithms work with a private and a public
key, whereby a plaintext, which has been encrypted with the public key, can only be decrypted
with the private key and vice versa. These two algorithms are the state-of-the-art standards for
the encryption of data transfers, emails or web-banking. However, when regarding the energy
limitations of a wireless sensor network, these algorithms require too much CPU cycles and
memory management, thus the energy resources of the sensors would be depleted too quickly.
Therefore, it is necessary to implement a secure, but still power saving algorithm in wireless
sensor networks. Under these circumstances it is important to think about the security require-
ments very carefully to obtain the best algorithm for securing the transmitted data.
7
Security versus Power Consumption in Wireless Sensor Networks
The goal of this thesis is to find the most suitable encryption algorithm for the X3C system,
which is described in chapter 2, whereas low power consumption and, therefore, a long lifespan
of the ARFID tags is more important than security. Different algorithms are tested concerning
their security and their energy consumption characteristics. The results of these measurements
have to be compared in order to present the most suitable algorithm for the wireless sensor
network of X3C.
8
Part II
Part II
BACKGROUND
9
Security versus Power Consumption in Wireless Sensor Networks
10
Part II 4 Wireless Sensor Networks (WSN)
4 Wireless Sensor Networks (WSN)
In recent years the development of sensor nodes, which are small, low-cost and low-power de-
vices, has gone very far. A sensor node is able to observe condition values of a certain area
like temperature, sound, vibration, pressure, motion or pollutants. The measured values are
then forwarded to a data collection point which is in charge of their further processing. Sensor
nodes are often combined to sensor networks, which co-ordinate themselves to perform specific
measurements. In the past, sensor networks were made up of small numbers of sensor nodes
which were wired to the data collection point. These days, researches focus on wireless sensing
nodes which transfer the values without being dependent on wires. Moreover it is easier to put
the nodes nearer to the phenomenon which has to be observed. Wireless sensor nodes will be
produced in large numbers and so they might become cheaper, but their big disadvantages are
still the limitations in processing power, storage, bandwidth and energy supply.
Figure 4.1 shows the architecture of a typical wireless sensor mode, which is usually equipped
with a Radio Frequency (RF) transceiver, a microprocessor, a sensor board and a battery for the
power supply [1].
Figure 4.1: System Architecture of a Common Wireless Sensor Node
The microprocessor unit is the most important part of the sensor node. It processes all algo-
rithms and protocols and is responsible for switching between various operating modes. The
transceiver is used for maintaining the communication between the sensor nodes and normally
operates in the modes Transmit, Receive, Idle and Sleep. It is very important to accurately
switch between these modes due to the purpose of power saving. The sensors are responsible
for measuring data in its environment, which could for instance be temperature or moisture. As
wireless sensor nodes are not connected to a power supply, a battery is used to meet energy
requirements. The power consumption should be put to a minimum to increase the node’s life-
time, therefore an adequate power management has to be integrated.
11
Security versus Power Consumption in Wireless Sensor Networks
As the energy resources are limited, the network topology is changing frequently due to new
added or removed devices. Therefore, WSNs have to possess self-organizing abilities. As
shown in figure 4.2, there are, in general, two different topologies which are used for wireless
sensor networks: the star topology and the mesh topology. The right choice of the topology
depends on available resources, the transmission distance and the used transmission frequency.
Figure 4.2: Different Topologies for Wireless Sensor Networks
A star topology is a single-hop system where all sensors are positioned in the range of the base
station. All communication is done by using the base station which could be a PDA, an Access
Point or a Gateway and which receives all data from its nodes. The star topology has two major
drawbacks: First of all, the transmission distance is limited, because the nodes have to be in the
range of the base station. Secondly, every node has just one link to the base station. If this link
breaks down, possibly by an obstacle which is put between the sensor and the base station, there
is no possibility to transfer measured data and the sensor node will be isolated. Nevertheless,
the star topology provides lowest overall power consumption abilities, because the sensors do
not have to forward data from other nodes.
In contrary to the star topology, the mesh topology is a multi-hop system where the sensor nodes
are also connected to each other and thus communication through the base station is avoided.
The design and implementation of such a decentralized system is complex, but its advantage is
the high fault tolerance, because every node has multiple paths to the base station and to other
nodes. Despite this, the mesh topology suffers from high latency in case of a large amount of
nodes and shows highest overall power consumption, because theoretically every sensor node
would have to listen for a possible communication all the time.
12
Part II 4 Wireless Sensor Networks (WSN)
A third possibility would be constituted by combining the two previously mentioned topologies
which would also be a merging of their advantages. The star topology brings simplicity and
low power consumption whereas the mesh topology imports higher transmission distances and
self-coordination. The network is then set up by two different kinds of sensor nodes: on the one
hand, there are sensor nodes which organize themselves and act as kind of “router” and on the
other hand, there are “normal” sensor nodes, which transmit measured data to a fixed “router”
sensor node.
To offer the advantages of a mesh topology, which are self-organization and higher transmis-
sion distances, there have to be special multi-hop routing methods for optimizing the power
consumption, performance analysis and network management of the nodes; furthermore, all
routing methods should help to overcome shadowing and path-loss effects. Until now, there
have been several attempts of creating such protocols, which try to combine topology man-
agement and energy-effectiveness. One would be LEACH (Low-Energy Adaptive Clustering
Hierarchy), “a clustering-based protocol that utilizes randomized rotation of local cluster base
stations (cluster-heads) to evenly distribute the energy load among the sensors in the network.”
[2] The authors present a protocol which provides scalability and robustness for dynamic net-
works and includes data compression for reducing the amount of transmitted data. Therefore
they achieve a decrease of power consumption and an increase of sensor node lifetime. Another
routing protocol for sensor networks, which is presented in [3], is called SPIN (Sensor Pro-
tocols for Information via Negotiation). The authors provide energy saving through reducing
the transmission of redundant data, which is done by defining meta-data to replace frequently
transmitted terms. Moreover, they use the SPMS protocol (Shortest Path Minded SPIN), which
fixes the transmission radius of each node as so-called zone. If a node wants to send data to a
sensor node outside of its own zone, the SPSM protocol provides transmission by using multi-
hop communication via the shortest path. SPIN offers an energy reduction between 5% and
21% compared to protocols which do not provide energy saving.
Despite these two, there are several other appendages of providing energy-efficient routing pro-
tocols for wireless sensor networks, but the most of them do not consider security issues. The
following two chapters will provide an outline concerning security and cryptography as a tech-
nique for providing security. Chapter 7 will then present two former approaches of integrating
security protocols into wireless sensor networks, which are TinySec and SPINS.
13
Security versus Power Consumption in Wireless Sensor Networks
5 Theory of Security and Privacy
In 1941, Konrad Zuse invented the first computer called Z3 in Berlin (Germany) and he probably
had no idea how far his technology will develop and how important it will become. Only about
40 years later, the computers were that ”small” in size, powerful and affordable that the term
”home computer” was defined [4]. Nowadays it is usual that there is at least one computer
in every household and nearly every computer is connected to each other via the Internet, the
world’s biggest and most famous computer network, which allows the transmission of digital
data all over the wold within fractions of a second. On the one hand, this development has a lot
of advantages because information is more public and accessible to everyone everywhere and
people from all over the world can easily communicate with each other, whereas the distances
become rather unimportant. But on the other hand, there are a lot of problems attracting our
attention:
• Is my private data secure enough that no unauthorized user gets access to it? Is it possible
to give special access permissions to selected people?
• Will the message I send really reach its recipient without being read by an unauthorized
person?
• Is the message I have received really written by the sender and is it still the same text or
has it been modified by someone else?
This chapter deals with the theoretical background of security in general and offers an explana-
tion of special security needs in wireless sensor networks.
5.1 Introduction to Security and Privacy
It is not possible to define the goals of security services in general, but the following points try
to give an overview of the basic and most common issues in computer and network security.
The first part provides a definition of computer security, network security and privacy:
• Computer Security is defined in the RFC 2828 as follows: “Measures that implement
and assure security services in a computer system, particularly those that assure access
control service.” [5]
14
Part II 5 Theory of Security and Privacy
• Network Security is a more general term which is really complex to define. Although
the definition has to be general enough to cover the large field network security is dealing
with, it also has to be very detailed to fulfill the requirements of a “good” definition.
Within this thesis, Network Security is defined as: A process to improve the properties
(confidentiality, integrity, access control, availability and authentication - as explained in
chapter 5.1) of a distributed IT-system as much as possible and furthermore make every
operation against the security policy as hard as possible. [6]
• Privacy in terms of computing means that every user is the owner of his/her private data
and must have the privilege to know what is stored and where it is stored and he/she
should almost always be able to delete this private data. The term “private data” means
the data which was ”created“ by the user and also the data which contains information
about the user, which was sometimes even collected without his/her accordance (e.g.
communication protocols at Internet or telephone providers). Moreover, privacy means
to have the “access control” over the private data to keep it private or to offer it to a
selected group of people.
According to the standard “Security Architecture for Open Systems Interconnection for CCITT
applications” which has been published by the ITU [7], and according to the RFC 2828 [5], the
main requirements that have to be fulfilled by security mechanisms are: authentication, access
control, data confidentiality, data integrity, non-repudiation and availability. [7]
Because of their importance for the general understanding of computer security and network
security, these requirements are explained in the following paragraphs.
• Authentication: The security mechanisms have to ensure that the parties initiating a
communication are really the parties they claim to be, which means that their identities
are proofed. Furthermore, it is needed to ensure that an already established connection is
not interfered by a third (not authorized) party within the communication. [8]
Peer entity authenticationprovides the confidence that no one is masquerading and/or
claims to be someone else, whereasdata origin authentication provides the confidence
that the source of a data is really the source it should be or one believes it to be. [8]
• Access Controlshould provide the availability to regulate and control the access from
its own interfaces or from the network to data, applications and resources on a system.
15
Security versus Power Consumption in Wireless Sensor Networks
Every entity that wants to get access has to be identified first and afterwards be restricted
to its user-based-privileges defined in the general security policy. [8][5]
• Data Confidentiality means the protection of data against a passive attack like traffic
analysis. The data must not be read by someone else, except the sender and the recipient
(or the group of recipients) and it should also be impossible to identify the source or the
destination of the data stream. [8]
• Data Integrity: Data sent via communication links must not be modified unnoticed in
any way, regardless if the modification was done by a third (not authorized) party or even
happened accidently. Data integrity should at least provide the possibility to recognize
modifications of the data and furthermore provide mechanisms to recover this data. A
message has to be marked as “modified” irrespective if data was inserted, reordered,
modified, deleted or duplicated. [8][5]
• Non-Repudiation: In general, repudiation has two different meanings: Either the recip-
ient claims that the data has never been received, although it was received correctly, or
the sender claims that the data has never been sent, even if the message was indeed initi-
ated by him/her and correctly delivered from the sender to the recipient. Security systems
must prohibit repudiation to improve the traceability of messages in the network which is
especially important in any kind of e-commerce. [8][5]
• Availability refers to the property of a system to be accessible by an authorized entity
within the specified parameters. Availability is not provided if the system is not able to
fulfill authorized requests because it is overloaded with denying unauthorized requests.
[8]
Implementing security into a computer network is a hard work by itself and it is definitely
impossible to implement perfect and total security. Nevertheless this should remain the target
of every security implementation because only considering the mentioned requirements is not
enough. Security starts at the human being, which is the very beginning of every data transmis-
sion; then the data passes a lot of computers and different kind of network nodes, known and
controlled ones and also unknown ones, before it is finally received by a human being. So there
are a lot of other issues one has to think about when designing, developing or implementing
security in a network. Some of the most important security issues are stated below:
16
Part II 5 Theory of Security and Privacy
• Password Security,which is a basic security method in IT-systems, is simple and freely
implementable. There are a lot of different easy-to-understand rules one should respect
when choosing a password, e.g. not to use your name, birthdate, name of friend or family.
Secure passwords should have a length of at least 8 characters and should consist of
upper-, lowercase and special characters; furthermore, it is recommended to change the
password frequently. [9]
• Social Engineering is the process of informing your employee and respectively every
user of a single part of the whole network about the security policy and to provide methods
for maintaining the policy. It should always be easier for the user to do the right thing, as it
is demanded in the security policy, than to do the wrong thing, which might compromise
the computer and network security.
• Data Security is depending on the value of the data which is stored. The more impor-
tant the stored data is, the better and more advanced data security mechanisms have to be
designed, which might comprise mirroring them with the use of a RAID system, regu-
larly backups on long time storage medias like magnet bands or strict access control and
management of privileges on file layer.
• Access Securityregulates the access to resources of a network from “outside”, which
means that only those resources that are really needed by external users are available
from outside the network. All other resources have to be protected from unauthorized
access, whereas this must not interfere with the availability of the system. Also bandwidth
management and load sharing can be realized by the access security. Load sharing in this
case means to manage the Internet access via two or more providers on the one hand and
to distribute the requests to (redundant) servers equally.
Computer or network security is a complex area and there have already been a lot of studies
carried out in this field, but there is still no checklist-based guideline how to secure a (distrib-
uted) IT-system.
Today, an administrator has to analyze and document the structure of the system and find the
easiest ways of penetration for attacker or the most likely problem (e.g. data loss). Then the
design of security mechanisms and their implementation can start, whereas the mechanisms al-
ways have to be monitored, controlled and documented to optimize their efficiency. The next
steps will be the design and implementation of further security mechanism.
17
Security versus Power Consumption in Wireless Sensor Networks
These general security thoughts are also valid when talking about security in WSNs, which re-
quire some additional security issues to be examined that are discussed in the next subchapter.
5.2 Security Problems Concerning WSNs
A lot of research work has been carried out on security and privacy in computing and computer
networks and the results are also well documented. But nowadays totally different kinds of
computer networks establish themselves and raise their importance - the so called Wireless
Sensor Networks (WSNs), which have already been explained in chapter 4.
These WSNs mostly consist of a lot of independent “nodes”, which measure some parameters,
any kind of access points organizing the transmission and a backoffice which is storing all the
data. At the backoffice, which is a “normal” server, the security rules are valid and probably
sufficient, but at the other end of this communication is a totally new kind of computer, an
unclear number of “nodes”. These nodes, which have to resist against total different kind of
active and passive attacks have only limited resources (e.g. power supply and memory size). It
has to be considered that every single node represents a potential point of attack on the whole
sensor network [10].
According to the ITU-T Standard X.800 [7] and the RFC 2828 [5], attacks on systems or net-
works can be classified as “passive” and “active” attacks. This classification is also applicable
to WSNs.
• Passive Attacks: The goal of “Passive attacks” is to observe some transmitted informa-
tion on the one hand, and to analyze the traffic behavior on the other hand. It is quite hard
to recognize passive attacks as they are only “listening” to the network traffic and do not
interact with the network. As passive attacks are really hard to detect, the security system
should concentrate on prevention instead of detection. [7][5]
• Active Attacks are all the attacks which modify, insert or delete some data or attacks
which are using the resources of the target system without being authorized. The most
famous active attack is the “Denial of Service” attack, which will be explained in chapter
5.2.4. This attack decreases the availability of the target system dramatically. Since active
attacks can be recognized, the system has to be protected against them; furthermore, an
attack should at least be detected and - much better - stopped or interrupted by so called
“Intrusion Detection Systems”. [7][5]
18
Part II 5 Theory of Security and Privacy
Some of the most important attacks against WSNs are presented:
5.2.1 Sensor Node Compromise
Every node is a potential point of an attack; therefore, it has to be considered that attackers can
obtain their own nodes and induce the network to accept them as authorized nodes. It is also
possible that the intruders control some “native” nodes, which means to obtain the possibility to
cause a variety of attacks: falsification of sensor data, observing sensor data or starting denial of
service attacks. To minimize this risk, each node must be produced in a physically very robust
way and needs complicate authentication mechanisms. As a sensor network consists of up to
thousands of nodes, it would be too expensive to improve every node to a considerable level.
Thus, the maintainer of a WSN must consider that attackers can control some of the nodes,
which has to be considered when designing the security concept. [10]
5.2.2 Eavesdropping
Since the communication of sensor networks is mostly wireless, it is easy for an attacker to
observe some data streams and collect sensor data if it is not encrypted adequately. Therefore,
it is also possible to collect some private data by placing “listening nodes” at important places.
To protect the WSN against eavesdropping, an encryption mechanism is needed, which is no
problem to implement in wired and powerful environments. In sensor nodes this can become a
substantially problem because these nodes are limited in processing power, power supply and
memory size. As asymmetric encryption (described in chapter 6.3) uses public and private keys
and consumes a lot of energy, only symmetric encryption is suitable, which uses the same key
for encryption and decryption. An adequate key distribution scheme has to be implemented and
it has to be ensured that the attacker does not obtain too much information about the security
mechanisms and their keys when some of the nodes are compromised. [10]
5.2.3 Privacy of Sensed Data
WSNs collect quite a lot of data because there can be thousands of sensors working in the same
network. This data is transmitted through the whole sensor network and is thereby accessible
from any point in the network, which offers attackers a great possibility to infiltrate some nodes
into the network and gather all the information they need. Furthermore, it will be hard to avoid
19
Security versus Power Consumption in Wireless Sensor Networks
such attacks and impossible to detect them. Therefore, when designing a WSN, one should
concentrate on the required data and discard details that are not needed. For example, if only
the average temperatures are needed, only these average temperatures and not the time, place,
temperature, humidity, CPU performance or other (in this case) unnecessary details should be
transmitted, which could be interesting for some attackers. A minimization of the transferred
data also means a minimization of the interests of attackers on the data.
5.2.4 Denial of Service (DoS) Attacks
A Denial of Service attack has the target of disabling a special host or server, which can be done
by sending loads of unauthorized data at the same time. It is hard to protect a WSN against this
kind of attacks which can occur on a physical layer (e.g. radio jamming) or on communication
layer, e.g. by involving malicious transmissions into the network. Such attackers can also cause
an abnormal energy consumption and thus decrease the lifespan of the sensor nodes or the
access points. Although there are a lot of mechanism to protect a WSN against DoS attacks, the
creativity of these attacks is boundless. [10]
5.2.5 Malicious User of Commodity Networks
As WSNs become more efficient, cheaper and easier to manage, some criminals can also get
interested in using them. Placing some nodes in the private sphere of a target makes it is easy
to gather some information like behaviors, health or passwords of the person. Developing some
kind of sensor detectors will be important to avoid such attacks or at least make them more
complicated and expensive.
There are many security risks which have to be considered especially when a wireless sensor
network is designed. Thus, there have been a lot of attempts to develop a security method
which prevents potential attackers from entering secure parts of the network. Those techniques
want to guarantee the security principles, which are authentication, confidentiality and integrity.
The next chapter will give an introduction to cryptography, which is on of the most important
security mechanism that is used these days in different kinds of areas. Chapter 7 it will then
present former approaches of securing wireless sensor networks, namely TinySec and SPINS.
20
Part II 6 Cryptography
6 Cryptography
Unlike “normal networks”, which use cables as data transmission medium, wireless sensor net-
works use the air for transferring data. The major drawback of this transmission medium is that
wiretapping the communication is eased, which causes huge security problems. Consequently,
all transferred data has to be secured to ensure the security principles like confidentiality, au-
thentication, integrity and availability (see chapter 5.1). During the transmission of data from
sender to receiver there are four major threats to the security of a message, which have the po-
tential to cause loss or harm: interruption, interception, modification and fabrication. [11, p.
3f]
• Interruption , which affects availability, is the case when a file is made unusable or does
not even reach the destination.
• Interception perturbs confidentiality, privacy and secrecy because the message is read by
an uncertified person.
• Modification , which disturbs message integrity, occurs when an intruder changes a mes-
sage and forwards it to the receiver. In wireless networks, this threat can be detected,
because all messages are sent by broadcast; therefore the receiver would get both mes-
sages, the original and the faked, and is able to compare them.
• Fabrication means inserting counterfeit data into a data stream, which affects authenti-
cation and is therefore a major problem when security has to be guaranteed.
To protect personal data from these threats and guarantee availability, integrity, confidentiality
and authentication, there are a lot of different methods of resolution, all having one major target:
Securing data which is transmitted in an insecure environment.
One security technique is known for a very long time and has experienced a great develop-
ment: Cryptography. This science is a part of Cryptology and is described as the science of
encrypting information by transforming it and, therefore, hiding its information content and
preventing unknown modification or unauthorized use. Cryptography includes two basic func-
tions, namely encryption and decryption: Encryption is the procedure of converting original
data, called plaintext, into a secret ciphertext which contains all plaintext information which is
not obviously readable anymore. On the other hand, decryption is used to recover the original
plaintext from the given ciphertext. Encryption and decryption, which are put together in a
21
Security versus Power Consumption in Wireless Sensor Networks
cryptosystem, are performed by a so-called cipher that is a mathematical algorithm performing
different arithmetic operations.
As it is impossible to generate a new algorithm for every plaintext, another essential compo-
nent, the secret key, is used. It is an auxiliary character or byte string known by the sender and
the receiver that defines how the ciphertext is produced by being the major part of the cipher.
Without the key a cipher cannot be used neither for encoding nor for decoding. The key design
is specialized for every cipher and may be very different from each other especially concerning
the bit length, which starts from 64 bits to nowadays more than 1024 bits.
Since over 2000 years there have been many different approaches to get secure encryption al-
gorithms, all mainly based on character changing by using substitution or transposition of char-
acters. Substitution is the technique of replacing every character of the plaintext with another
character, whereas transposition means the re-ordering of characters to hide the right character
sequence. In former times the security level was reached by keeping the algorithm secret, a
method called “security through obscurity”. As the ciphertexts, in these times, had to be de-
crypted by hand, it was very hard to find the right cipher. [11]
Figure 6.1: Cipher Categories
Encryption procedures nowadays are performed by computers, thus modern ciphers mainly de-
pend on the secret key whereas the complex algorithms are public and analyzable for everyone.
The idea of publishing the algorithm and securing the key was defined by Auguste Kerckhoff
and Kerckhoffs’ law [12], which provides more security by allowing many people to test the
algorithms for leaks. In 1949 Claude Shannon specified confusion and diffusion as two char-
acteristics of a good cipher: Confusion, on the one hand, is the inserting of complexity into
the key-ciphertext relationship, which means an intruder should not be able to predict how the
ciphertext changes if one character of the plaintext is changed. On the other hand, there is the
necessity that any change in the plaintext should affect as many parts as possible in the resulting
22
Part II 6 Cryptography
ciphertext, which is called diffusion. These two characteristic prevent unauthorized ciphertext
decryption based on statistical methods and are implemented by adding substitution and trans-
position in the encryption process. [13]
Moreover, real strong ciphers are created by using semantic security, which constitutes that en-
crypting the same plaintext two times should result in different ciphertexts, even if the same
key and the same algorithm are used. Thus, it is not possible to decrypt even parts of the
information although one possesses several ciphertexts comprising nearly the same plaintext
information. One solution for guaranteeing semantic security is using a special character or
byte string as start value (e.g. server time, source/destination address). This start value is often
called Initialization Vector (IV) and it helps to change the plaintext slightly so no ciphertext
looks like the other.
In general, there are two basic categories of key-based encryption algorithms, namely symmet-
ric (or secret key) and asymmetric (or public key) algorithms. Their basic difference consists
in their different key usage. Symmetric algorithms, on the one hand, use the same key for en-
cryption and decryption (or the decryption key can be easily derived from the encryption key)
and asymmetric algorithms, on the other hand, use different keys for encryption and decryption,
whereas it is not possible to derive the decryption key from the encryption key.
6.1 Symmetric Encryption
A symmetric key cipher uses only one key which has to be known by both the sender and
the receiver and constitutes the basis for the generation of the encryption and decryption keys.
In general, symmetric ciphers are divided into block ciphers and stream ciphers; the stream
ciphers encrypt each single element of the plaintext continuously, whereas block ciphers use a
fixed amount of elements (e.g. 8 bits) for producing an output of the same size. Modern ciphers
are almost always block ciphers because they enable better performance and more security.
There are several different modes, in which the block ciphers can operate; among them, the 5
mostly used operation modes are: ECB, CBC, CFB, OFB and CTR mode.
ECB - Electronic Code Book Mode:This mode encrypts one data block after the other without
any conjunction between them, as shown in figure 6.2. EBC does not realize the concepts of
diffusion and confusion, thus it is very insecure, but it also very fast and simple.
23
Security versus Power Consumption in Wireless Sensor Networks
Figure 6.2: Electronic Codebook Mode
CBC - Cipher Block Chaining Modeis the mostly utilized operation mode with block ciphers. It
encrypts the data blocks and conjuncts them by taking the XOR of it together with the previous
ciphertext block (see figure 6.3). As there is no ciphertext block for the first plaintext block, a
so-called Initializing Vector (IV) is needed, which may consist of e.g. a timestamp or a random
number sequence. The IV changes with every plaintext; therefore, every resulting ciphertext is
unique even if two identical plaintexts are encrypted. The security of the algorithm must not
depend on the IV because it should only apply semantic security to the cipher and, therefore,
IVs are typically added clear to the ciphertext.
Figure 6.3: Cipher Block Chaining Mode
CFB - Cipher Feedback Mode:The CFB mode converts the block cipher into a stream cipher by
generating random blocks which are XORed with the data blocks for obtaining the ciphertext
blocks. As shown in figure 6.4, the IV is only used for encrypting the first block, whereas for
encrypting all other blocks the respectively previous ciphertext is used. CBC is almost identical
with OFB with one difference: The new input is not constituted by the prior generated random
bit stream but by the created ciphertext block.
24
Part II 6 Cryptography
Figure 6.4: Cipher Feedback Mode
OFB - Output Feedback Mode:The OFB mode is very similar to the CFB mode. The difference
lies in the kind of data which is passed as input value to the next block encryption. The OFB
mode takes the previous random block instead of the ciphertext block, which is seen in figure
6.5.
Figure 6.5: Output Feedback Mode
CTR - Counter Mode:The counter mode also converts the block cipher into a stream cipher like
the OFB mode, but instead of taking an input from the previous encrypted data block, it uses
the IV together with a counter (see figure 6.6).
Figure 6.6: Counter Mode
25
Security versus Power Consumption in Wireless Sensor Networks
Every block cipher operation mode has advantages and disadvantages and the right choice de-
pends on the purpose of the algorithm. The general symmetric encryption/decryption procedure
is illustrated in figure 6.7: the sender encrypts a plaintext message with the secret key and deliv-
ers the ciphertext via an insecure transmission channel. The receiver then decrypts the ciphertext
by using the same key (or a key which can be simply derived from the encryption key) together
with the reverse algorithm.
Figure 6.7: Simplified Model of Symmetric Encryption
The outstanding advantage of symmetric algorithms is the small amount of computational
power they need, whereas the key exchange, which is more difficult, complicates a merchant-
client relationship.
One of the first attempts of constructing a symmetric ci-
Figure 6.8: Feistel Round
pher was invented by Horst Feistel in 1973, called Feis-
tel Network [14]. The encryption procedure functions as
follows: The plaintext is divided into blocks (e.g. 64-bit
blocks). Each block has to pass a certain numbern of en-
cryption rounds which results in obtaining the ciphertext
block. Before each roundi, the block is again split into
two equal sized halves Li and Ri. First a certain algo-
rithm function is applied to the right halve together with
a subkey Ki, which is based on the main key K and is
computed by using a subkey generation algorithm. The next step is to take the exclusive-OR
(XOR) of the function together with Li, which is the left halve of the block. The resulting
halve becomes the next right halve, Ri−1, whereas the former right halve Ri serves as next left
halve, being Li−1. Therefore, a significant number of permutations is included. The security of
a Feistel network depends on the right choice of the parameters block size, key size, number
of rounds, subkey generation algorithm and round function, but in general the Feistel network
serves as a basis for many symmetric encryption algorithms used today. [8][14]
26
Part II 6 Cryptography
The two most utilized algorithms today are the Triple Data Encryption Standard (3DES) and
the Advanced Encryption Standard (AES), which have different features and security levels.
TheTriple Data Encryption Standard (3DES)is based on the Data Encryption Standard (DES),
which was developed in 1976 using 64-bit blocks and a key length of 56 bits (7.2 x 1016 possible
keys). The DES algorithm, which performs 16 rounds, each using a subkey that is generated by
the main 56-bit key. This algorithm was criticized in the beginning of the 90s, because of the
expeditiously increasing computer performance power which rendered the success of a brute-
force attack (trying all possible keys) possible. Therefore, the Triple DES (3DES) algorithm,
which uses three different DES keys, was developed. It encodes every block by encrypting it
with the first key, then decrypts it with the second key and encrypting it again with the first
key, providing an effective security of a 112-bit key. 3DES is more secure than DES, but its
drawback are the huge computational costs because the DES algorithm has to be executed three
times. [11][8]
TheAdvanced Encryption Standard (AES), which was developed by Joan Daemen and Vincent
Rijmen, is the official standard since 2000. It is a symmetric block cipher using 128-bit blocks
combined with a key of variable length (128, 192 or 256 bits). AES is not based on the Feistel
structure but operates on the whole data block during each round. Every block is converted
into a Matrix, which is altered at each stage of encryption of decryption. Unlike Feistel, AES
applies different parts of the key successively to the plaintext blocks, whereas the number of
rounds varies depending on the key length and the block size. Therefore, AES, that is much
faster and more secure than 3DES, is prognosticated to be secure for about 20 years. [8]
These symmetric algorithms allow the re-usage of the same secret key, which lowers the security
level. There is only one symmetric algorithm which is said to be (theoretically) totally secure,
the so-called One-Time Pad.
6.2 One-Time Pad (OTB)
A One-Time Pad, also called Vernam-Code, is the only unbreakable encryption method (at least
in theory), but in practice it is very laborious. Each plaintext gets its own secret key, which is
a character string having the same length as the plaintext. It consists of absolutely stochastic
values which do not have any statistical dependencies. Due to the fact that every key is only
used once, there is no method to break the cipher without knowing the key. [15, p. 621]
OTB has already been known for a long time, but it is hardly utilized because of the need for
27
Security versus Power Consumption in Wireless Sensor Networks
secure key distribution. Until a recent time, this was mostly solved by using asymmetric or
symmetric encryption methods, but in the near future it could be solved by quantum key dis-
tribution, which uses the different types of polarization of photons. The principal advantage of
quantum cryptography is the immediate discovery of potential eavesdropper as every tapping of
the photon stream, which is used for key transportation, leads to noise which will be interpreted
as manipulation. There have been several attempts of implementing quantum cryptography,
but still the transmission and encryption speed is not high enough to compete with symmetric
encryption. However, quantum cryptography will become more and more important due to the
total randomness of its values and high tapping security. [16][17]
Even though the security of symmetric encryption is very high, the key allocation remains the
weak part of it. As soon as an intruder is able to get a key, the whole cryptographic system
becomes valueless. Therefore, two scientists of the Stanford University, Whitfield Diffie and
Martin E. Hellman, proposed a new cryptosystem, which allows two parties to establish a secure
communication channel even if they do not know each other.
6.3 Asymmetric Encryption
Other than symmetric encryption, asymmetric encryption assumes every person to have two
different keys, a private key and a public key, whereas no key can be derived from the other.
Moreover, there are two different algorithms for encryption and decryption (see figure 6.9).
After generating those elements, the algorithms and the public key are published and become
accessible to everybody, thus the only secret element is the private key. If somebody wants to
encrypt a message, he/she takes this person’s public key and encrypts the message using the
specified algorithm and the key. For decrypting the message again the second algorithm and the
private key are needed; therefore, only one person is able to decrypt the cipher as long as he/she
keeps his private key secret. [18]
Figure 6.9: Simplified Model of Asymmetric Encryption
28
Part II 6 Cryptography
Asymmetric encryption does not only solve the key distribution problem, but also the authenti-
cation problem originating from Man-In-The-Middle attacks. As illustrated in figure 6.10, the
sender has to encrypt the message first with his private key and then with the public key of
the receiver. For decrypting the message, the receiver also has to use the decryption algorithm
twice, first with his private key then with the public key of the sender.
Figure 6.10: Authentication During Asymmetric Encryption
By doing this double encryption/decryption, one can be sure that no modification has occured
to the text because there is always the necessity to have one private key. The most important
implementation of the Diffie-Hellman encryption is called RSA, named after its inventors Ron
Rivest, Adi Shamir and Leonard Adleman.
RSA, which was developed in 1977, is the most popular and most accepted asymmetric algo-
rithm scheme worldwide. It is a block cipher which is based on the principles of the theoretical
arithmetic, using exponentiation in a finite field over integer numbers modulo a prime number.
RSA security arises from the cost of factoring large numbers (e.g. 1024 bits). [15]
Asymmetric encryption algorithms are regarded to be very secure, but the longer the keys, the
more calculating capacity is needed to encrypt and decrypt messages. As the processing power
of today’s computers increases permanently, the key length must also raise to maintain a higher
security. Actually there is a mixture of security algorithms used. First an asymmetric algorithm
is used for maintaining a secure communication tunnel, then the symmetric key is distributed
and all further communication is secured by using a faster symmetric algorithm, which needs
less resources.
6.4 Hash Algorithms
A hash algorithm receives an arbitrary big message as input and produces a fixed-size string
which is called the hash value. This value gives a “footprint” of the original message and will
always be the same if the message does not change. As soon as only one character of the
29
Security versus Power Consumption in Wireless Sensor Networks
original message is modified, the hash value will change and any potential intrusion attempt
will be detected. Hash values are very important when using digital signatures to provide data
integrity. [11]
6.5 Digital Signatures (DS)
Digital signatures are based on asymmetric cryptosystems and are used for guaranteeing au-
thentication and integrity of electronic data as well as proofing the identity of the signer. It
should become the equivalent to a “normal” signature and can be seen as electronic signet.
Some e-mail securing systems use RSA for signing, but there are also special ciphers like the
El-Gamal algorithm which was especially developed to be used as digital signature algorithm.
[11]
30
Part II 7 Related Work
7 Related Work
Security in wireless sensor networks becomes more significant as new technologies arise and
wireless communication is used to a much greater extent. There are several approaches for
securing data, namely SPINS and TinySec, which are very important for wireless networks. A
brief outline of those approaches is presented below:
7.1 SPINS
SPINS, which is a set of two protocols, SNEP andµTESLA, provides adequate security mech-
anisms especially adjusted to the requirements of wireless sensor networks. On the one hand,
data integrity, two-party data authentication and data confidentiality are implemented by SNEP
(Sensor Network Encryption Protocol) and on the other handµTESLA (Micro Timed Efficient
Stream Losstolerant Authentication) is responsible for authenticated broadcast.
SNEP uses the symmetric RC5 algorithm for securing the data because of its low overhead and
memory requirements. Furthermore, this algorithm allows flexibility when choosing the para-
meter lengths and produces a ciphertext of the same length as the plaintext. To realize semantic
security, a shared counter is inserted into the encryption operation, which increments after each
block. The authentication is ensured by adding a Message Authentication Code (MAC), which
is a digital signature. In case of sending one package to all sensors in the network, producing a
single message for each sensor would be very time and power consuming, thus an authenticated
broadcast can be sent by usingµTESLA. Authenticated broadcast has to be an asymmetric op-
eration, otherwise the sender and receiver cannot be distinguished because of having the same
key. Asymmetric algorithms like RSA are not suitable for sensor networks because of the big
overhead, butµTESLA solves the problem by using delayed key release. Instead of using a
single key, a key chain is utilized, which is generated by applying a one way function several
times to the original key. This one way function has to be easy to calculate but hard to invert
so it is almost impossible to find the input to the given output. InµTESLA, the base station
is responsible for generating this key chain and distributing it to the sensor nodes per SNEP,
where the time is divided into intervals and every interval receives its own authentication key.
Signed messages are sent per broadcast and after a certain amount of intervals the base station
sends the key, which means that all sensors have to buffer the message for this amount of time
before they receive the authentication key to validate and process the message.
31
Security versus Power Consumption in Wireless Sensor Networks
In general, SPINS offers these two protocols to provide sensor network security, but there are
some restrictions: there has to be a central base station which handles communication and au-
thentication that can also be seen as bottleneck of the network. This base station has to have
enough resources to store all master keys and counter values, and the time of the sensor nodes
has to be synchronized to ensure that the right interval key is used. Moreover, they need enough
storage to buffer a broadcast message between the reception of the message and the reception of
the authentication key. Besides these restrictions, SPINS needs additional 8 Bytes per signature,
which provide acceptable security by not using extra storage place and power.
7.2 TinySec
TinySec, which has been developed at the Berkeley University, is “a lightweight, generic secu-
rity package that developers can easily integrate into sensor network applications” [19], because
it is tailored to the special security requirements of wireless sensor networks. TinySec provides
two basic security features: authentication via Message Authentication Codes (MAC), encryp-
tion using a CBC algorithm (see chapter 6.1) and a shared global cryptographic key. There
are two different possible security schemes, namely TinySec-AE which provides authenticated
encryption and TinySec-Auth which provides data authentication only.
Data authentication is one of the most important security issues when designing a wireless
network due to the fact that a package can easily be faked and inserted into the data stream.
Therefore, the TinySec developers use MACs, which are small tags of a fixed length (e.g. 8
Byte) that are produced by applying a special algorithm to the plaintext. Each package has its
own MAC which is attached: therefore, the receiver has the possibility of building his/her own
MAC and comparing it to the attached sender MAC. If they are equal, both authenticity and
integrity are proved, otherwise a modification to the message has occurred.
The TinySec-AE mode provides both, authentication via MACs and encryption via Skipjack
[20], which is a strong block cipher that was developed in 1980 by the NSA. It uses 64-bit
blocks and a 80-bit secret key, and performs 32 encryption steps whereas the algorithm itself
consists of a complex nonlinear function. By using this algorithm, TinySec produces only a
small amount of overhead and therefore, only a small package size increase is observed which
will have only little impact on the power consumption.
The result of TinySec, which was tested with Mica2 sensor nodes, showed that the increase of
energy, bandwidth and latency is less than 10% for TinySec-AE. [19]
32
Part III
Part III
METHOD
33
Security versus Power Consumption in Wireless Sensor Networks
34
Part III 8 Used Encryption Algorithms
8 Used Encryption Algorithms
In general, wireless sensor networks impose two major restrictions concerning the implemen-
tation of an encryption algorithm. On the one hand, the source code of the algorithm has to be
as small and efficient as possible, because there are strong limitations of available storage. On
the other hand, the actual encryption process must be very efficient and should consume as low
power as possible. The advantages of symmetric ciphers are obvious: It is only necessary to
store one single key which is used for encryption and decryption and the algorithm code can be
held very small, because of the similarity of the encryption and decryption functions. Asym-
metric algorithms are not appropriate for WSNs, because of the necessity of storing two keys
and two different algorithms for encryption and decryption.
The following paragraphs will give a survey of three encryption algorithms which are interest-
ing for being used in WSNs and especially for X3C, because of having special advantages like
requiring little storage, being suitable for smaller processors or being extremely efficient on em-
bedded devices. The three algorithms Blowfish, XTEA and RC2 will be compared concerning
their security and power consumption.
8.1 Blowfish
The Blowfish algorithm was designed in 1993 by Bruce Schneier, who published it for the first
time in the Doctor Dobb’s Journal in 1994 [21]. It is fast and not patented and has an excellent
performance even if running on small processors. It can be run by using less than 5KB of
memory, which proposes it for being implemented on small devices like RFID tags. Blowfish is
based on the Feistel Network with 64-bit blocks passing 16 encryption rounds. The algorithm
is initialized by the key, which has a variable length between 32 and 448 bits. It is very secure,
but it loses performance if there is the necessity of many key changes, because every new key
requires the algorithm to run 521 times for pre-processing all needed subkeys.
Block Size Number of Rounds Key Length
Blowfish 64 bits 16 32 - 448 bits
Table 8.1: Possible Configuration Parameters for Blowfish
Attacks: Until now, there is no effective attack on Blowfish published. Nevertheless, some
theoretical approaches on breaking the cipher have been reported. Among them, the best attack
35
Security versus Power Consumption in Wireless Sensor Networks
has been found by Serge Vaudenay [22], who noticed the possibility to perform differential
cryptanalysis on Blowfish for recovering the key of a reduced 8-round cipher with the use of
248 chosen plaintexts. One weakness of the key expansion function was published by Dieter
Schmidt in 2005 [23], who noted an independency between the third and fourth subkey and the
first 64-bit of the main key.
Blowfish is very interesting for being run on X3C’s sensor nodes because of its high security
and high performance on small processors. Within the X3C system it is not necessary to change
the key often. Therefore, Blowfish is applicable, although its memory requirements are very
high, because examining “only” encryption and decryption are very fast and energy saving.
8.2 XTEA - Extended Tiny Encryption Algorithm
XTEA is a revised edition of the TEA algorithm, which has been published in 1994 by David
Wheeler and Roger Needham [24]. TEA is very simple end effective, but has a very weak key
scheduling algorithm which lowers the actual key size from 128 to 126 bit and enables key-
related attacks [25][26]. Therefore it was necessary to renew the code for eliminating security
vulnerabilities, which was done in 1997 by Wheeler and Needham who published the XTEA
algorithm [27]. XTEA uses a Feistel network, suggesting 64 encryption rounds, which are
implemented in pairs calledcycles. Moreover it uses a block size of 64 bit, a 128-bit key and
a slightly different key schedule than TEA, which performs exactly the same mixing function
for obtaining the subkeys. Therefore previous mentioned attacks have been eliminated or at
least aggravated. XTEA has high efficiency and good performance and does not require a lot of
memory resources. Therefore it is very simple to be implemented on software and hardware.
Block Size Number of Rounds Key Length
XTEA 64 bits 64 (suggested) 128 bits
Table 8.2: Possible Configuration Parameters for XTEA
Attacks: In 2002, Moon et al. [28] presented impossible differential attacks on reduced versions
of XTEA which used the weak diffusion property of the cipher. Thereby they derived the 128-
bit key of a 14 round XTEA by applying the 12-round-impossible characteristic to262.5 chosen
plaintexts for285 encryption times. Other differential attacks have been published by Hong et
al. [29] in 2003, which broke a 15-round XTEA by using259 rounds. Another attack is called
related-key attack, which was utilized by Ko et al. on a 27-round XTEA by requiring220.5
36
Part III 8 Used Encryption Algorithms
chosen plaintexts and2115.5 encryption units.
Even if XTEA has minor weaknesses there are two advantages which are very important for a
WSN: On the one hand, it is very simple and therefore efficient, and on the other hand it does
not need a large amount of memory.
8.3 RC2
RC2 [30] was developed in 1989 by Ronald L. Rivest, who created it for replacing the DES al-
gorithm. The cipher possesses new design filters and provides good performance especially on
16-bit processors, which predestinates it for being implemented in WSNs. Rivest generated a
new key expansion function which permits a flexible key length up to 1024 bits. Therefore, the
RC2 is more secure than DES and is said to be equally fast at every key length. Furthermore, the
cipher uses an unbalanced Feistel network [31], which splits the 64-bit blocks into fourwordsof
16 bits and then performs substitution and transposition features, which Rivest called MIXING
and MASHING. For obtaining reasonable security, Rivest recommends 18 rounds. Table 8.3
shows all possible values for word size, number of rounds and key length:
Block Size Number of Rounds Key Length
RC2 64 bits 18 8 - 1024 bits
Table 8.3: Possible Configuration Parameters for RC2
Due to the complex key expansion system, the code for encrypting and decrypting is kept very
small, which is important for being implemented in WSNs.
Attacks: There have been some studies about the security of the RC2 algorithm and possi-
ble attacks. In 1997, Kelsey et al [25] published the possibility of cracking RC2 by utilizing
single-bit differential characteristics which needs one related-key query and 234 chosen plain-
texts. Another cryptanalytic study was included in the RC2 paper [32], which was published
in 1998 by Rivest together with 3 other authors. Therein they documented possible linear and
differential attacks they used to break the cipher. They stated that differential attacks are only
possible if a subkey could be discovered. The effectiveness of a linear attack could not be de-
termined because of the complex iterations between the different steps of RC2.
There is the possibility of undocumented attacks which could break RC2, but until now it is
said to be reasonably secure. Its advantage is the good performance on 16-bit processors which
makes it interesting for the X3C system.
37
Security versus Power Consumption in Wireless Sensor Networks
9 Measuring Methods
For obtaining a classification of the different encryption algorithms it was necessary to deter-
mine several factors, which can be used for a general comparison. The following subchapters
present the measured parameters which were utilized for the security and energy consumption
evaluation.
9.1 Measuring Security
The most popular way to ensure security and its principles is the usage of cryptology. Thus,
many different symmetric, asymmetric, hash and digital signature algorithms have been devel-
oped. Each of these algorithms has special performance and input parameters, which compli-
cates the comparison of them. Therefore, it is very difficult to define the security level of an
algorithm, because it needs a detailed study of the mathematical characteristics of the cipher to
find statistical relations between the plaintext, the ciphertext and the key. Thus, the ciphers are
often published to allow as many people as possible to analyze them for finding backdoors and
vulnerabilities.
WSNs have further characteristics one has to pay attention to. First of all, the encryption code
has to be very small because of the limited storage provided by the sensor node. Secondly, the
efficiency of the algorithm has to be very high, because slow encryption means higher power
consumption which leads to lower sensor node lifespans. These two characteristics will be dis-
cussed in chapter 12.
X3C’s wireless sensor nodes transfer only small strings, each of which containing very simi-
lar information. The most important thing concerning these strings is the randomness of the
ciphertext characters to anticipate any associations between the plaintext and the ciphertext,
which should not even be possible if the attacker possesses several ciphertexts. Therefore, the
randomness characteristics of the cipher can be used for classifying the security of algorithms.
The measuring of randomness can be done by statistical analysis of the character occurrence
in the ciphertext by performing a frequency analysis. Further characteristics are the avalanche
and the completeness effect, which measure diffusion and confusion of a cipher. Two of those
tests, which were used in the thesis and whose results are eligible for comparing the security of
different ciphers follow:
38
Part III 9 Measuring Methods
9.1.1 Frequency Analysis
Every language has a specific number of letters which are used more often than others. When
analyzing a long English article, the three mostly used letters will almost always be “e”, “t” and
“a”, whereas “x” will be seldom found [33, p. 247]. If the resulting ciphertext also shows this
characteristic, there is the possibility of obtaining the plaintext by performing statistic inference
between plaintext and ciphertext. Symmetric block ciphers are a combination of substitution
and transposition, which allows better hiding of letter frequencies, but nevertheless it is impor-
tant to have a random uniformly distributed characters in a ciphertext. Therefore, frequency
analysis is used for figuring out the occurrence frequency of a bit or character string. The best
result would be to obtain a uniform character distribution within the ciphertext as a whole and
within all the blocks.
One defining characteristic is the standard deviation, which is a measure of statistical spread of
the characters referring to their average occurrence. Before calculating the standard deviation,
it is necessary to obtain the mean value of character appearances. The mean value of a text with
N characters, where each character appearsx times, is calculated by
x =1
N
N∑i=1
(xi) (9.1)
The mean value indicates the average amount of occurrence of each character within the text, but
it does not give any information about the average diffusion of the characters. This information
is maintained by the standard deviation, which is calculated by
σ =
√√√√ 1
N
N∑i=1
(xi − x)2 (9.2)
The mean value and the standard deviation were used for defining the randomness of the ci-
phertexts which have been produced by the different algorithms. A random ciphertext has to
have a very small standard deviation to ensure that attacks which are based on the frequency of
different characters are not successful.
39
Security versus Power Consumption in Wireless Sensor Networks
9.1.2 Avalanche Effect
In [13], Shannon defines Diffusion1 as important cryptographic characteristic of a block cipher.
According to its definition, every output bit of a cipher should be dependent on every input bit,
which means that even a small change of the input plaintext should initiate an “avalanche” of
changes in the ciphertext. Annxnsubstitution box (S-box) of a block cipher should satisfy the
avalanche criterionkAV AL, which constitutes that whenever one input bit is changed, an average
of 1/2 of the output bits should also be changed.
For classifying the algorithms, two different plaintexts were used which differed in only one
bit. The two plaintexts were encrypted by the ciphers, all having the same key and IV as input
parameters. Then the two resulting ciphertexts were compared and the number of bits which
flipped were counted. The results of these tests are presented in chapter 11.
9.2 Measuring Energy Consumption
Additionally to the measurement of the security of the different algorithms, an analysis of their
efficiency and power consumption was performed. Especially in WSNs it is substantial that the
ciphertext generation is done in an efficient and power saving way to increase the lifespan of the
nodes. Thus, the algorithms should not have too complex and time-consuming functions and
their source code length should fit to the storage limitations of the sensor nodes. X3C ARFID
tags have to travel all around the world with little power resources and therefore, the lifespan of
them is very important.
9.2.1 Ideal Measurement Environment
The ideal way of measuring the energy consumption is the implementation of the ciphers on an
SEALTM ARFID tag of X3C. Therefore, it would be necessary to cross-compile the C source
code for the target platform, to run the code on the tag and to measure the energy which is
needed by each cipher to encrypt a certain amount of plaintexts. The results of this analysis
would give a clear decision about which cipher is most suitable for the X3C environment.
The SEALTM ARFID tag, as described briefly in chapter 2.1, is equipped with its own CPU, I/O,
memory, sensor and transceiver. The transceivernRF24E1is build by Nordic Semiconductor
1for more information, see chapter 6
40
Part III 9 Measuring Methods
and supports data rates from 0 to 1 Mbit/s by consuming extremely low power. Thereby it ranges
up to 30 meter by using the 2.45 GHz ISM band, it has internal voltage regulators, frequency
hopping support and 0 dBm output power. Moreover, it has a 8051-compatible micro-controller
which allows software development using C or assembly code with a ranging clock frequency
from 1 to 16 MHz. The memory of the tag consists of a up to 1 Mbit RAM and a serial 256Kbit
EEPROM. The tag receives its power from two CR2032 3.0V lithium batteries which ensure
the needed voltage of 1.7V to 3.9V for the tag to be operational. [34]
A picture of an nRF24E1 ARFID tag as it is used in the X3C system is presented in figure 9.1:
Figure 9.1: nRF24E1 ARFID Tag as Used in the X3C System
After studying the X3C hardware and development environments it became clear that the imple-
mentation of the C code, its cross-compilation and the transfer onto the tag was not achievable
due to limited time and measurement resources; furthermore, there was no real electronic labo-
ratory available. It was decided to run the tests as a kind of simulation on a Linux environment
as further explained in chapter 9.2.2.
9.2.2 Simulation Environment
The project target consists of comparing the power consumption and security of different en-
cryption algorithms. For obtaining comparable test results it is not implicitly necessary to mea-
sure the actual power which is consumed by the ARFID tags, but the important fact is the
41
Security versus Power Consumption in Wireless Sensor Networks
time each cipher consumes for encrypting a specific number of plaintexts, which can then be
apportioned to the energy consumption.
Therefore, the tests were done on a Linux PC, which had two basic advantages: Firstly, it was
not necessary to do all the development environment and communication setup for the ARFID
tag which would have been very time consuming. Secondly, the energy tests could be done
with exactly the same cipher implementations which were utilized for the security analysis.
Due to this fact it was possible to obtain objective comparisons between the ciphers to get
their efficiency concerning their CPU time consumption which is also decisive for their power
consumption.
9.2.3 Measured Parameters Concerning Energy Consumption
As it is not significant how much energy the Linux PC uses for encrypting the plaintexts, the
main measurement focus was set on two other important parameters, which are crucial for
the energy consumption of an ARFID tag: The CPU time, which is needed for encrypting a
plaintext, and the memory footprint, which shows the amount of memory a program needs.
CPU Time: Each program has a special execution time which can be measured. For obtaining a
comparison between the different encryption algorithms this CPU time is very important,
because it is also a measure for the energy which is consumed during the execution. It is
very important that the CPU time is very small to hold down the time for the sensor to be
activated. The faster an algorithm encrypts the plaintexts, the faster it is able to switch to
the sleep mode, which is important for saving energy.
Memory Footprint: Like the CPU time, the memory footprint is an indication for the energy
consumption, because it shows the actual memory which is needed by each program. To
obtain good efficiency, it is necessary that the memory footprint is small to not produce
too much memory management overhead (read/write) and to reduce the risk of failures
due to memory limitations.
Both parameters, CPU time and memory footprint, can be used for analyzing how much energy
will additionally be used for the encryption of the plaintext. The more extra time a wireless
sensor node has to be active, the more energy is consumed and therefore lost. Moreover, the
memory footprint gives and indication of how much more storage has to be managed by the
sensor node, which also decreases energy.
42
Part III 9 Measuring Methods
After having decided which factors were the most important ones regarding the security and
the energy consumption of the different ciphers it was possible to generate a test environment,
which is further described in chapter 10.
43
Security versus Power Consumption in Wireless Sensor Networks
10 Testing Environment
As mentioned in chapter 9.2.1, the implementation of the ciphers on the X3C ARFID tags would
have been too time-consuming; therefore, it was decided to use a Linux PC instead for doing the
security and energy consumption tests. These tests have been done by using an Ubuntu Linux,
an Apache-2 webserver and the PHP4 module, which are explained in detail in the following
subchapters.
10.1 Hardware
The tests have been done on an ASUS 3500 notebook, which is equipped with an Athlon XP-M
CPU working at a (constant) clockrate of 1.8 GHz and a physical RAM of 512 MB. The CPU
power management was switched off to get no influences on the tests because of reduced CPU
clock rate. The operating system was Ubuntu with a Kernel 2.6.12-10-386, which bases on the
Debian Distribution and is designed for workstations.
The simulations were done by utilizing the PHP4 module (version 4.4.4.0-3) and an Apache-
2 webserver (version 2.0.54-5ubuntu2) for data presentation and interpretation. During the
simulation were no other tasks running on the system except the system tasks including the
X-Server.
10.2 PHP4
PHP is an open-source programming language which is normally used for generating dynamic
web pages and server-side applications. Moreover, it allows the interaction with a large amount
of database management systems like MySQL and Oracle. Additional to the libraries which
are necessary for developing dynamic web pages, there have recently been developed further
libraries, whereby one of them is called MCRYPT. This library allows the usage of diverse
algorithms, among them also Blowfish, XTEA and RC2. Moreover, it is possible to run the
algorithms in different modes, which allows the analysis of the algorithms and the different
modes regarding security and power consumption. It was important to have roughly equal im-
plementations of all encryption algorithms to obtain comparable results, therefore the MCRYPT
library was the first choice.
The library that was used for the analysis isMCRYPT library for PHP4and bases on the Linux
44
Part III 10 Testing Environment
library libmcrypt4 (version 2.5.7-5). As mentioned before, it provides the required algorithms
and allows their usage in the different modes ECB, CBC, CFB, OFB and CTR (see chapter 6.1).
More detailed information on the MCRYPT module can be found in [35].
45
Security versus Power Consumption in Wireless Sensor Networks
46
Part IV
Part IV
RESULTS
47
Security versus Power Consumption in Wireless Sensor Networks
48
Part IV 11 Security Analysis Results
11 Security Analysis Results
For comparing the encryption algorithms a demo plaintext was generated, which contained
the information that an X3C ARFID tag has to send to the Base Station. The content of the
messages, which are generated by a sensor node, will only change slightly, due to the fact that,
except of the sensed data and the timestamp, all other information like the sensor ID will stay
the same. Therefore it is possible to perform the characteristic tests in reference to this demo
message.
The plaintext length is 6680 bits and it contains 835 characters. As can be seen in figure 11.1,
the 8-bit ASCII characters are not well distributed in the plaintext; furthermore, there exist only
66 out of 256 possible characters.
Figure 11.1: Frequency Analysis of the Plaintext
The 4 mostly used characters have the ASCII codes 127 (“0”), 32 (“space”), 40 (“(”) and 41
(“)”), and the overall mean value is 3.26, which means that each character occurs in average
3.26 times. Within the plaintext there are only about 25% out of the possible 256 characters,
which can be seen clearly in figure 11.2. Another drawback is the fact that there are several
characters among those which appear very often (up to 127 times). Therefore, the standard
deviation of 12.42 is very high, which is an indicate of low randomness and low distribution.
The most important issue of the encryption algorithms is to produce a ciphertext which consists
of 256 different characters that are uniformly distributed. Moreover, the standard deviation
should be very small to aggravate any frequency analysis.
49
Security versus Power Consumption in Wireless Sensor Networks
Figure 11.2: Frequency of Occurrence of Characters in Plaintext
In the X3C system, the sensor tags will use only one key per mission, which means that every
ciphertext will be produced by using the same key, but different IV values. For the comparison
of ciphertexts, these IV values and the secret key will be randomly chosen and each algorithm
will take them as input values. Therefore, every algorithm has the same starting position, which
enables an objective comparison. The configuration parameters of each algorithm are shown in
table 11.1:
Cipher Name Block Size Number of Rounds Key Length Modes of Operation
Blowfish 64 bits 16 rounds 128 bits ECB, CBC, CFB, OFB, CTR
XTEA 64 bits 64 rounds 128 bits ECB, CBC, CFB, OFB, CTR
RC2 64 bits 18 rounds 128 bits ECB, CBC, CFB, OFB, CTR
Table 11.1: Configuration Parameters for the Comparison
For obtaining a comparable test result, each algorithm has to encrypt the plaintext 50 times in
every mode. This value was chosen, because it can be seen as an average number of messages
that have to be sent by a sensor node per mission. The resulting 50 ciphertexts are then analyzed
to obtain the mean value, the standard deviation and the avalanche effect characteristic. After
the ciphertext generation and analysis, the average of all values is taken to be able to perform a
comparison.
50
Part IV 11 Security Analysis Results
11.1 Ciphertext Frequency Analysis
A block cipher can be used in different modes of operation, as described in chapter 6.1. Not
only the “real” block cipher modes CBC and ECB were tested, but also CFB, OFB and CTR,
which convert the block cipher into stream ciphers.
Ciphertext Standard Mostly Occurring Least Occurring
Mode Algorithm Length Mean Value Deviation Character Character
ECB Blowfish 840 chars 3.28 ± 2.21 11× ASCII 56 20 characters 0×XTEA 840 chars 3.28 ± 2.27 11× ASCII 93 18 characters 0×RC2 840 chars 3.28 ± 2.20 13× ASCII 1 21 characters 0×
CBC Blowfish 840 chars 3.28 ± 0.24 4.06× ASCII 220 2.7× ASCII 70
XTEA 840 chars 3.28 ± 0.26 4.1× ASCII 49 2.66× ASCII 201
RC2 840 chars 3.28 ± 0.27 4.06× ASCII 78 2.6× ASCII 225
CFB Blowfish 835 chars 3.26 ± 0.26 4.18× ASCII 193 2.64× ASCII 30
XTEA 835 chars 3.26 ± 0.24 4× ASCII 201 2.66× ASCII 1
RC2 835 chars 3.26 ± 0.25 4× ASCII 132 2.58× ASCII 189
OFB Blowfish 835 chars 3.26 ± 0.27 3.98× ASCII 138 2.58× ASCII 41
XTEA 835 chars 3.26 ± 0.27 4.06× ASCII 83 2.62× ASCII 238
RC2 835 chars 3.26 ± 0.25 3.86× ASCII 49 2.64× ASCII 61
CTR Blowfish 835 chars 3.26 ± 0.25 3.9× ASCII 116 2.6× ASCII 158
XTEA 835 chars 3.26 ± 0.26 3.82× ASCII 166 2.82× ASCII 138
RC2 835 chars 3.26 ± 0.26 3.94× ASCII 145 2.4× ASCII 214
Table 11.2: Results of the Frequency Analysis
The results of the standard deviation, which are presented in table 11.2, show that the ciphertext
length and the mean values of the “real” block cipher modes, ECB and CBC, are a slightly
higher than the mean values of the other modes, because they have to perform some padding
for obtaining a plaintext which is a multiple of 64 bits. CFB, OFB and CTR mode are only
generating a random character stream which is XORed with the plaintext used for producing
the ciphertext, thus they do not need to perform any padding and the ciphertext length is the
same as the plaintext length.
The ciphertexts produced by using the ECB mode have a very high standard deviation that is
beyond 2.20, and consequently, their character distribution is very weak, which results from the
fact that every single block is coded independently from each other. Therefore, it is not possible
for an input bit to affect each output bit, which is also observed when analyzing the avalanche
characteristic of the ciphers that is described in chapter 11.2.
51
Security versus Power Consumption in Wireless Sensor Networks
Figure 11.3: Frequency Analysis of the RC2 ECB Ciphertext
Figure 11.3 shows the character distribution of the ciphertext, which has been encrypted by RC2
in the ECB mode and that has the best ECB mode characteristics of all the three algorithms.
The characters of the ciphertext are much wider spread than in the plaintext, but there are still
some which do not appear at all, whereas other characters appear up to 11 times. This fact is
more clearly seen in figure 11.4, which shows the occurrence of the characters in descendent
order according to their frequency of appearance. The curve converges to the mean value line,
which is 3.28, but it has still a lot of outliers.
Figure 11.4: Frequency of Occurrence of Characters in the RC2 ECB Ciphertext
52
Part IV 11 Security Analysis Results
The bad frequency characteristics of the ECB mode, which is derived from the fact that every
block is encrypted independently from the previous and next ones, casts this encryption method
into doubt. The results of the frequency analysis of the Blowfish and XTEA ciphertexts are very
similar to those from RC2. The character distribution is very weak and the standard deviation is
very high; therefore, this mode can be considered as not random enough and not recommendable
for the X3C system.
In contrary to the ECB mode, there is a low standard deviation when the CBC mode is used,
which is the second “real” block cipher mode that is discussed. The results of the standard
deviation vary between 0.24 and 0.27, which is very low and that ensures a very good character
distribution. Blowfish outpaces XTEA and RC2 not only by having the lowest result of 0.24,
but it also shows very constant character occurrences with only few vertices above the standard
deviation, which can be seen in figure 11.5.
Figure 11.5: Frequency Analysis of the Blowfish CBC Ciphertext
The XTEA ciphertext has a standard deviation of 0.26, which is only a bit higher than the Blow-
fish result, but compared to the Blowfish frequency analysis graph, it shows some more vertices
especially between the ASCII characters 205 and 250, as mapped in figure 11.6. Moreover,
there are much fewer characters near the mean value, but instead there is a large number of
jumps between the higher and the lower deviation.
The RC2 cipher has the worst standard deviation of the three ciphers, which is 0.27; further-
more, it also produces many vertices, especially between the ASCII characters 16 and 50 and
53
Security versus Power Consumption in Wireless Sensor Networks
the characters 155 and 200. The frequency analysis graph of RC2 is shown in figure 11.7.
Figure 11.6: Frequency Analysis of the XTEA CBC Ciphertext
Figure 11.7: Frequency Analysis of the RC2 CBC Ciphertext
The character distribution can also be shown by the occurrence curves of the ciphertexts, which
are presented in figure 11.8. As shown in the first quarter of the graphs, the Blowfish curve
adjusts itself a bit faster to the mean value than the other two curves, which means there are
fewer outliers in this ciphertext, whereas the RC2 ciphertext has the slowest drop. In the center
section the Blowfish is also the best, whereas XTEA decreases more slowly than RC2, which
54
Part IV 11 Security Analysis Results
has a slightly steeper curve than Blowfish. In the end part, XTEA is also the worst, because it
decreases very fast in contrary to Blowfish and RC2, which have a very similar curve, whereas
RC2 declines a little faster in the very end.
Figure 11.8: Frequency of Occurrence of Characters in the CBC Mode Ciphertexts
55
Security versus Power Consumption in Wireless Sensor Networks
In addition to the CBC mode, there is only the CFB mode, which provides good results con-
cerning the standard deviation and avalanche effect. In this mode, the ciphertexts are produced
by creating a random bit-stream and XOR it with the plaintext, wherefore the IV is absolutely
needed as input parameter. The best cipher in this mode is XTEA, which has a standard devi-
ation of 0.24, whereas RC2 (0.25) and Blowfish (0.26) are a bit worse. The frequency analysis
graphs of Blowfish and XTEA (figure 11.9) are very similar to each other, as both have many
jumps between the higher and lower standard deviation lines. Moreover, the vertices of the
graphs are almost at the same places.
Figure 11.9: Frequency Analysis of the Blowfish and XTEA CFB Ciphertexts
56
Part IV 11 Security Analysis Results
The RC2 graph (figure 11.10), on the other side, is more even, especially in the first 70 ASCII
characters and its vertices are higher than those of the other two.
Figure 11.10: Frequency Analysis of the RC2 CFB Ciphertext
Despite the slight differences between the ciphers, one can say that their frequency analysis
graphs are very similar and there is no big character distribution lack. This fact can also be seen
in the character distribution curves (figures 11.11 and 11.12), which are ordered descending
according to the character occurrence. In the beginning of the curve, the Blowfish curve (figure
11.11) shows the best characteristic, because it decreases rather fast and approaches the mean
value line very good. In the end, the curve also declines fast, which indicates that there are
many character occurrences under the lower standard deviation.
Figure 11.11: Frequency of Occurrence of Characters in the Blowfish CFB Mode Ciphertext
57
Security versus Power Consumption in Wireless Sensor Networks
The XTEA and RC2 character occurrence curves (figure 11.12) are very similar; they differ
only slightly in the beginning and the end. Both curves decrease rather slowly at first, but then
they have a relatively good approximation to the mean value line and, in the end, they are both
very good, because their decline is late; therefore, they do not have many occurrences below
the lower standard deviation.
Figure 11.12: Frequency of Occurrence of Characters in XTEA/RC2 CFB Mode Ciphertexts
The OFB and CTR modes work relatively similar to the CFB mode, namely producing pseudo-
random streams which are XOR-ed with the data blocks. All ciphers produce good results
within every mode during the frequency analysis, but their character occurrence are slightly
worse compared to those of the CBC and CFB modes. They show many outliers both above
and below the standard deviation and can, therefore, be classified as being less random. More-
over, they produce almost no avalanche effect (see chapter 11.2), which is very important for
the X3C system. Therefore, their graphs will not be discussed in detail in this chapter, but all
the graphs will be listed in Appendix A.
58
Part IV 11 Security Analysis Results
11.2 Avalanche Characteristic Analysis
For testing the avalanche effect2, the plaintext had to be changed slightly because, to acquire the
avalanche characteristics of the cipher, it is necessary to have a second plaintext, which differs
from the first one in just one bit. For each of the 50 ciphertexts which were generated for the
frequency analysis, a new ciphertext was produced, using the new demo plaintext and the same
IV values and key as before.
After the generation of the new ciphertexts, they were compared with the 50 previous cipher-
texts of each cipher in each mode to obtain the amount of bit differences between them. Table
11.3 shows the averaged results of this comparison:
Mode Cipher Bits Altogether Same Bits Different Bits Avalanche Characteristic
Plaintext 1 & 2 6680 6679 1 0.01%
ECB Blowfish 6720 6689 31 0.46%
XTEA 6720 6695 25 0.37%
RC2 6720 6688 32 0.48%
CBC Blowfish 6720 6423 3297 49.06%
XTEA 6720 3421 3299 49.09%
RC2 6720 3425 3295 49.03%
CFB Blowfish 6680 3421 3259 48.79%
XTEA 6680 3411 3269 48.94%
RC2 6680 3401 3279 49.09%
OFB Blowfish 6680 6679 1 0.01%
XTEA 6680 6679 1 0.01%
RC2 6680 6679 1 0.01%
CTR Blowfish 6680 6679 1 0.01%
XTEA 6680 6679 1 0.01%
RC2 6680 6679 1 0.01%
Table 11.3: Results of the Avalanche Effect Analysis
As illustrated in chapter 9.1.2, the avalanche effect should be around 50% to guarantee good
diffusion. Table 11.3 clearly points out that not all the modes provide this characteristic.
2A detailed description of the avalanche effect can be found in chapter 9.1.2.
59
Security versus Power Consumption in Wireless Sensor Networks
The ECB mode shows very weak diffusion characteristics between 0.37% and 0.48%, which
are very low and not enough to disguise the similarity between the different plaintexts. This
low characteristic arises from the fact that blocks are encrypted independently from the other
and, therefore, a bit change in one block has almost no effect within the other blocks. Thus, the
ECB mode is not recommendable for the X3C system.
In contrast to the ECB mode, the CBC mode shows rather perfect diffusion. Among all three
ciphers, the XTEA algorithm has the best value with 49.09%, whereas Blowfish and RC2 are
closely behind with 49.06% and 49.03%. These values are signs for good diffusion and, there-
fore, this mode could be used within the X3C system. The only drawback is the plaintext
padding which is necessary to have equal sized blocks of 64 bits, which means that the tags
have to send more text that increases the required power consumption.
The plaintext padding is not observed in the CFB mode. The ciphertext length equates the plain-
text length; therefore, no additional power is required because of the message length that has to
be sent. Moreover, the avalanche characteristic is similar to the characteristic of the CBC mode,
whereas the RC2 cipher is the best with 49.09%. XTEA also provides good diffusion with
48.94%, whereas Blowfish is worse with only 48.79%. Nevertheless, these values are enough
to maintain adequate security; therefore, this mode is very preferable for the X3C system.
The last two modes, OFB and CTR, do not have any disguising characteristic, as seen in table
11.3. The ciphertexts do only differ within one bit and this bit differs at the same place where
the plaintext bit differs. Therefore, these two modes are completely excepted from being used
in the X3C system, because an attacker could detect a correlation between the ciphertexts which
could lead him to the plaintexts.
60
Part IV 11 Security Analysis Results
11.3 Recommendable Ciphers Regarding Security
The most important thing for the X3C system, regarding the security of an algorithm, is the dis-
guising of the plaintexts, which are very similar and will differ in only few characters. Therein,
the results of chapter 11.2 are very important for the recommendation of the ciphers. Not only
the diffusion, but also the randomness of the ciphertext characters should not be neglected, be-
cause it provides another security factor which is important for having disguised plaintexts.
Regarding the results of chapters 11.1 and 11.2, it was possible to generate a classification ta-
ble. Therefore, the avalanche characteristics were taken slightly more into account than the
standard deviation, due to the fact that it is more important to achieve good diffusion than to
have absolutely random ciphertexts. Table 11.4 presents the recommended ciphers regarding
their security:
Cipher Mode Avalanche Characteristic Standard Deviation
1. RC2 CFB 49.09% ± 0.25
2. XTEA CBC 49.09% ± 0.26
3. Blowfish CBC 49.06% ± 0.24
4. RC2 CBC 49.03% ± 0.27
5. XTEA CFB 48.94% ± 0.24
6. Blowfish CFB 48.79% ± 0.26
Table 11.4: Recommended Ciphers for the X3C System regarding Security
As can be seen in table 11.4 it is clearly possible to state that the CFB and CBC modes are
the best ones concerning the security. This fact has already been obvious during the avalanche
analysis, which showed very low diffusion in the ECB, OFB and CTR modes, although the
standard deviation of all 5 modes only slightly vary.
The RC2 shows very good results when running in the CFB mode, whereas XTEA and Blow-
fish are better when using CBC. This may refer to the different functions which are used during
the encryption and the different number of rounds. All in all, those 6 ciphers showed very good
results and especially RC2 and XTEA will be useful for X3C system.
Nevertheless, for obtaining a final result, the energy consumption of the ciphers has also to be
measured to create a final table which considers randomness, diffusion and energy consumption.
Those energy consumption measurements will be presented in chapter 12.
61
Security versus Power Consumption in Wireless Sensor Networks
12 Energy Consumption Analysis Results
As described in chapter 9.2.3, the classification of the encryption algorithms regarding their
energy consumption was made by measuring the CPU time and the memory footprint during
the encryption of a certain amount of plaintexts.
12.1 CPU Time Measurement
The CPU time was measured by using the PHP functionmicrotime(), which returns the current
timestamp in microseconds. For obtaining an average value it was necessary to run several tests
to minimize the influence of measurement errors, which were generated by the system tasks,
on the result. These tests comprised measuring the time the algorithms needed in each mode to
encrypt 10, 100, 1000 and 10000 plaintexts, which were the same as for the frequency analysis
with a length of 835 characters. The results of these measurements, which are presented in
Appendix B, were averaged to get the encryption time for 1 plaintext.
Figure 12.1: Average CPU Time Needed by the Algorithms to Encrypt 1 Plaintext
Figure 12.1 shows that XTEA is clearly the fastest and, therefore, also the most efficient ci-
pher, whereas the Blowfish cipher is very slow in almost all modes. In general, the ECB,
CBC and CTR modes are very fast in contrast to the CFB and OFB modes, which take up to
3.21 ms for encrypting one plaintext. This results from the fact that ECB, CBC and CTR en-
crypt sequentially one block after the other, whereby either no previously calculated additional
62
Part IV 12 Energy Consumption Analysis Results
input parameter is needed or the additional input parameters are obtained from the previous
ciphertext block or a special counter. In contrast to that, the CFB and OFB modes require the
pre-computation of the pseudorandom bit-stream which is then XORed with the plaintext3.
As XTEA is a very slim and tiny cipher, the time consumption for encrypting the plaintexts with
this cipher is the best, whereby the CBC mode stands out with only 1.16 ms encryption time.
The RC2 cipher is slightly behind, having the best result in the CTR mode, which is 1.36 ms.
The Blowfish cipher has the worst results regarding the CBC, ECB and CTR modes, whereby
its best value is in the ECB mode, which needs 1.60 ms, but is, therefore, 0.40 ms slower than
XTEA.
The CFB and OFB modes are behind the three other modes and, therefore, take very long time
for the encryption. The XTEA cipher is again the best one, whereas Blowfish is hardly behind
in both nodes. Nevertheless, the values, which range from 2.01 ms to 2.25 ms, are very high
and consequently, the energy consumption of them can also be seen as very high. The RC2
algorithm was the worst one regarding the CFB and OFB modes by requiring more than 3 ms
for the encryption of one plaintext.
12.2 Memory Footprint
The memory footprint was measured by using the PHP functionmemoryget usage(), which
returns the amount of memory actually allocated to PHP [36]. Therefore, it was not possible to
measure a footprint of a single encryption, but only to measure the footprint of the whole PHP
module. Furthermore there was no way found to define the exact measurement inaccuracies of
the used PHP function and no documentation about it could be retrieved. Altogether the results
of the memory footprint measurements, which are presented in Appendix C, are not significant
enough to provide a reliable classification of the used algorithms.
Summarizing, the memory footprint results proved the outcome of the frequency analysis,
which identified longer ciphertexts in the CBC and ECB mode that results from the plaintext
padding.
3For further explanation of the different modes, see chapter 6.1.
63
Security versus Power Consumption in Wireless Sensor Networks
12.3 Recommended Ciphers Regarding Energy Consumption
The most important fact for the X3C system, regarding the energy consumption, is energy ef-
ficiency of an algorithm, which can be measured by the CPU time they need for encrypting a
plaintext and how much memory they need to run faultless. Therefore, the results of chapter
12 are very important for recommending special ciphers. According to the results of the energy
analysis, the following ciphers are suggested to be used within the X3C system:
Cipher Mode CPU Time
1. XTEA CBC 1.16 ms
2. XTEA ECB 1.20 ms
3. XTEA CTR 1.21 ms
4. RC2 CTR 1.36 ms
5. RC2 CBC 1.42 ms
6. RC2 ECB 1.46 ms
Table 12.1: Recommended Ciphers for the X3C System regarding Energy Consumption
Table 12.1 shows that the XTEA algorithm is generally favored over the RC2 algorithm, and
the Blowfish does not even exist within the best 6 ciphers. This results from the fact that the
three ciphers have very different functions, which distinctly affect the encryption duration. This
duration is a general sign to get to know how much power a sensor tag will consume if a specific
algorithm is used.
All in all, the ciphers have been analyzed regarding their security and their energy consumption,
which allows a final recommendation for the X3C system. This resume can be found in chapter
13, which sums up the results and gives a general conclusion about the subject “Security vs.
Power Consumption in Wireless Sensor Networks”.
64
Part IV 13 Summary of Results
13 Summary of Results
As described in chapter 11 and 12 the three encryption algorithms Blowfish, XTEA and RC2
were tested in the different operation modes ECB, CBC, CFB, OFB and CTR regarding their
security and energy consumption. On the one hand, the security of the ciphers was evaluated
on the basis of their frequency analysis and the avalanche effect, which provides information
about the randomness of the resulting ciphertexts. On the other hand, the energy consumption
had to be taken into consideration for obtaining a final cipher which could be recommended to
X3C. As it would have been too time-consuming to run each cipher on the X3C hardware, the
tests were made on a Linux PC which measured the time each cipher needed for encrypting a
specific amount of plaintexts, which consisted of respectively 835 characters (= 6680 bits). The
additionally tested memory footprint was not reliable because of not mensurable uncertainties.
For obtaining a final result, all the analysis results have been taken into account. During the
frequency analysis it was stated that only the CFB and CBC modes are recommendable regard-
ing the security. Regarding the energy consumption, it is obviously seen in chapter 12.1 that all
algorithms needed very long time in the CFB mode, compared to the CBC mode. Especially
the RC2 cipher requires much time for encrypting one plaintext in the CFB mode. The ECB
and the CTR mode, which would have very good results concerning the energy consumption,
failed by reason of their weak avalanche characteristics.
Table 13.1 shows the final classification of the tested algorithms in reference to their security
and energy consumption characteristics:
Avalanche Standard
Algorithm Mode Characteristic Deviation CPU Time
1. XTEA CBC 49.09% ±0.26 1.16 ms
2. RC2 CBC 49.03% ±0.27 1.42 ms
3. Blowfish CBC 49.06% ±0.24 1.73 ms
Table 13.1: Recommended Ciphers for the X3C System
As it is more important for X3C to use an energy efficient algorithm, the CPU time results have
been weighted stronger than the security analysis results. Therefore, Blowfish is considered to
be the worst algorithm because its required CPU time is almost 22% higher than the required
CPU time of RC2.
65
Security versus Power Consumption in Wireless Sensor Networks
Nevertheless, the XTEA algorithm shows very good results in both security and energy con-
sumption. It is very fast in all modes, and especially in the CBC mode it is unbeaten. Fur-
thermore, this mode has also been stated very secure, with a very high avalanche characteristic,
which is 49.09%; therewith it is very near to the ideal 50%. The standard deviation, which is
0.26, is also representative, even if it has not been the best during the tests.
In general, the XTEA algorithm is predestinated to be used in the X3C system, because it is
very thin and effective and provides good security. Moreover, the randomness and disguising
factor is very important for X3C, which is perfectly offered by XTEA. The disadvantage of
the algorithm is the low knowledge about the effectiveness of linear and differential attacks.
Although there have been several tests, no reliable results have been published, which show if
these attacks have been successful.
Recapitulatory, it was very interesting to see that the different operation modes have very much
influence on the security and the effectiveness of a cipher. Therefore, it is very important
to weigh which factors and parameters are more important to be able to find the right mode.
For X3C, these factors are effectiveness and energy saving, which have been considered when
classifying the ciphers. The best results have been stated by the XTEA cipher in the CBC
mode, which is, therefore, recommended to X3C for encrypting the communication between
the SEALTM ARFID tags and the SEALTM Access Points.
66
Part V
Part V
CONCLUSION
67
Security versus Power Consumption in Wireless Sensor Networks
68
Part V 14 Conclusion
14 Conclusion
The goal of this thesis is to present the most suitable security algorithm for WSNs and especially
for the applications of the X3C company. On the one hand the communication between the
ARFID tags and the base-stations has to be secure, but on the other hand, the lifespan of a
tag must not be decreased dramatically by the security mechanism; thus, a security algorithm
consuming as little energy as possible had to be found.
It was obvious that only symmetric encryption is useful in such resource limited environments
and a way to compare the security level of the different (symmetric) algorithms had to be
defined. Important characteristics of encryption algorithms are the letter frequencies and the
avalanche effect. An analysis regarding these characteristics was done and the detailed results
are presented in chapter 11. The algorithms RC2 (in CFB mode) and XTEA (in CBC mode) are
the best concerning the two mentioned characteristics.
Secondly, the energy consumption of these algorithms had to be examined because the lifespan
of a tag is more important for X3C than the security. This examination was done by measur-
ing the required CPU time and the memory footprint needed by each algorithm to encrypt the
demo plaintext provided by X3C. These two parameters have a great influence on the energy
consumption and it was interesting to realize that choosing the right mode of an encryption
algorithm is roughly as important as choosing the right algorithm. XTEA is, by far, the most
efficient and power saving algorithms and it needed the shortest CPU time in CBC mode; more
detailed explanation can be found in chapter 12.
Since every kind of security needs additional energy, a detailed investigation should be done
that shows which part of the communication has to be encrypted and which parts might be
transmitted in plaintext to increase the lifespan the ARFID tags. Summarizing the two different
analysis, the encryption algorithm of choice is the XTEA, to be run in CBC mode as it was the
best cipher regarding the energy consumption and security analysis. A smart implementation
of this algorithm will fulfill the needs of the X3C applications. The security and energy an-
alyzing methods also enable the comparison of other security algorithms and, therefore, their
classification regarding security and power consumption.
69
Security versus Power Consumption in Wireless Sensor Networks
15 Further Work
The simulations for the analysis were done in PHP on a Linux computer. Whereas this was
a good an suitable way to compare the differences between the algorithms, it is not suitable
to get any absolute values, neither concerning the real power consumption nor concerning the
efficiency of the algorithms on the special CPU of the ARFID tags. Therefore the next step
would comprise the implementation of the best algorithms in C and run them on the tags for
measuring the time each one needs for the encryption of a plaintext. The results of such tests
would provide a good result about the efficiency of the different algorithms and would maybe
show a difference to our results on the test computer.
If other cryptography algorithms seem to be interesting as well, they could be analyzed in the
same way as it was done with the three presented algorithms. The results could be compared
with the already classified algorithms and it is easy to compare them concerning security and
energy consumption. If another testing environment is used, first of all a reference value with
the same PHP version and implementations has to be calculated, in order to get comparable
results.
A totally other way to ensure security could also be to develop a smart and very simple algo-
rithm to use a secret way of substitution. This possibility was not respected at all in this thesis
because it provides “security through obscurity”. As mentioned in chapter 6, security should
only depend on the secrecy of the key and not on the secrecy of the algorithm.
70
Part V Bibliography
Bibliography
[1] M. Tubaishat and S. Madria. Sensor Networks: An Overview.IEEE Potentials, 22(2):20–
23, April-May 2003.
[2] W. R. Heinzelman, A. Chandrakasan and H. Balakrishnan. Energy-Efficient Communi-
cation Protocol for Wireless Microsensor Networks. InProceedings of the 33rd Annual
Hawaii International Conference on System Sciences (HICSS-33), volume 2, page 10pp,
January 2000.
[3] G. Khanna, S. Bagchi, and Y.-S. Wu. Fault Tolerant Energy Aware Data Dissemination
Protocol in Sensor Networks. InProceedings of the 2004 International Conference on
Dependable Systems and Networks (DSN’ 04), pages 795–804, June-July 2004.
[4] F. J. Burghardt (2001). Entwicklung des Computers.
http://www.k.shuttle.de/k/hoelderlin-gymnasium/informat/pcgesch.htm (October 13,
2005).
[5] R. Shirey. Internet Security Glossary (RFC 2828). The Internet Society, May 2000.
[6] S. T. Ross.UNIX System Security Tools. McGraw-Hill Companies, September 1999.
[7] ITU. Security architecture for Open Systems Interconnection for CCITT applications
(ITU-T Recommendation X.800). March 1991.
[8] W. Stallings.Network Security Essentials (2nd Edition). Pearson Education, 2nd edition,
2003.
[9] P. Brauch. Sichere Worter. c’t, 17, August 2002.
[10] H. Chan and A. Perrig. Security and Privacy in Sensor Networks.Computer, 36(10):103–
105, October 2003.
[11] C. P. Pfleeger.Security in Computing (2nd Edition). Prentice Hall PTR, 2nd edition, 1997.
[12] A. Kerckhoffs. La cryptographie militaire.Journal des sciences militaires, IX :5–38,
January 1883.
[13] C. E. Shannon. Communication Theory of Secrecy Systems.Bell System Technical Jour-
nal, 28(4):656–715, 1949.
71
Security versus Power Consumption in Wireless Sensor Networks
[14] H. Feistel. Cryptography and Computer Privacy.Scientific American, 228(5):15–23, May
1973.
[15] A. S. Tanenbaum.Computernetzwerke. Pearson Studium, 3rd edition, 2000.
[16] A. Ekert. Cracking codes, part II.Plus Internet Magazine (http://plus.maths.org), issue
35, May 2005.
[17] C. Elliott. Quantum Cryptography.IEEE Security & Privacy Magazine, 2(4):57–61, July-
August 2004.
[18] W. Diffie and M. E. Hellman. New Directions in Cryptography.IEEE Transactions on
Information Theory, 22(6):644–654, November 1976.
[19] C. Karlof, N. Sastry and D. Wagner. TinySec: A Link Layer Security Architecture for
Wireless Sensor Networks. InProceedings of Second ACM Conference on Embedded
Networked Sensor Systems (SenSys 2004), November 2004.
[20] E. F. Brickell et al. Interim report: The skipjack algorithm, July 1993. An online
version is available at http://www.alw.nih.gov/Security/FIRST/papers/crypto/skipjack.txt
(15.11.2005).
[21] B. Schneier. Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish).
In Ross J. Anderson, editor,Fast Software Encryption, volume809 of Lecture Notes in
computer Science, pages 191–204. Springer, 1994.
[22] S. Vaudenay. On the Weak Keys of Blowfish. InFast Software Encryption, pages 27–32,
1996.
[23] D. Schmidt. On the Key Schedule of Blowfish. Technical report, February 2005.
[24] D. J. Wheeler and R. M. Needham. TEA, a Tiny Encryption Algorithm. InFast Software
Encryption, Second International Workshop Proceedings, pages 97–110. Springer, 1995.
[25] J. Kelsey et al. Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X,
NewDES, RC2,. InICICS ’97 Proceedings, pages 223–246. Springer, November 1997.
[26] F. Mirza. Block Ciphers And Cryptanalysis. Technical report, Royal Holloway University,
1998.
72
Part V Bibliography
[27] R. M. Needham and D. J. Wheeler. Tea extensions. Technical report, University of Cam-
bridge, October 1997.
[28] D. Moon et al. Impossible Differential Cryptanalysis of Reduced Round XTEA and TEA.
In FSE ’02: Revised Papers from the 9th International Workshop on Fast Software En-
cryption, volume2365, pages 49–60, London, UK, 2002. Springer.
[29] S. Hong et al. Differential cryptanalysis of TEA and XTEA. InProceedings of ICISC
2003, 2003.
[30] R. Rivest. A Description of the RC2(r) Encryption Algorithm (RFC 2268). Network
Working Group, March 1998.
[31] B. Schneier and J. Kelsey. Unbalanced Feistel Networks and Block Cipher Design. In
FSE ’96: Proceedings of the 5th International Workshop on Fast Software Encryption,
pages 121–144. Springer, 1996.
[32] L. R. Knudsen et al. On the Design and Security of RC2. InFSE ’98: Proceedings of the
5th International Workshop on Fast Software Encryption, pages 206–211. Springer, 1998.
[33] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone.Handbook of Applied Cryptogra-
phy. CRC Press, 1996.
[34] Nordic Semiconductor. nRF24E1 - 2.4GHz RF transceiver with embedded 8051 compat-
ible micro-controller and 9 input, 10 bit ADC. Revision 1.2. Product Specification, June
2004. available at http://www.nordicsemi.no.
[35] The PHP Documentation Group. Lxxiii. mcrypt encryption functions. Manual, November
2005. http://www.php.net (06.12.2005).
[36] The PHP Documentation Group. memoryget usage. Manual, November 2005.
http://www.php.net (06.12.2005).
73