IoT-SecurityECC-v4


Internet of Things Security with Certificate Authority using Elliptic Curve Cryptography

ZigBee Networks 802.15.4 Protocol

Abe Arredondo, aa44757
Luis Stolk, les2862

Distributed Information System Security, Fall 2014
Dr. William Bard

December 5th, 2014

IoT Security with CA & ECC 1


Table of Contents

Abstract

1. Introduction: The Internet of Things

2. ZigBee Access Point Antenna

3. IoT ECC & Medical Applications

4. The ZigBee Vulnerability Problem

5. Use Cases

6. Solution by Key Distribution Center

7. Innovative Proposed Solution using CA and ECC

8. ZigBee and X.509v3

References


Abstract

Data communication from Machine to Machine (M2M) over the Internet of Things (IoT) is increasing at an exponentially higher rate than human communication over the existing World Wide Web of web sites. The commercial adoption of ZigBee in smart devices presents security vulnerabilities because Wireless Sensor Network (WSN) devices are constrained: they lack standard security protocol usage, computing capacity, and power. In this paper, we show the vulnerabilities in the ZigBee protocol and propose an innovative hybrid solution for improved security over ZigBee WSNs for nodes entering and exiting a dynamic, large-scale IoT mesh network.


1. Introduction: The Internet of Things

The Internet of Things (IoT) is the integration of wireless sensors, diverse networks, and protocol technologies to identify and monitor all objects [8p]. Gartner estimates that by 2020 there will be 30 billion devices connected to the IoT [5p]. A wireless sensor is the primary atomic device of the IoT, and could be as simple as a reflective label containing an ID and manufacturing information. A Wireless Sensor Network (WSN) is a distributed, ad hoc, autonomous architecture that makes decisions based on sensed physical environmental measurements. WSN devices are inexpensive and low power, and do not have much processing or storage capability. Figure 1 below shows an example of a wireless sensor node from Myria-Node [8].


Figure 1. Wireless Sensor

As the IoT interacts with and brings value to the future of the connected world, we find that the communications protocols are different. Existing Wi-Fi uses 802.11 and the IoT uses 802.15.4. Early adopters of the IoT use an 802.15.4 protocol called ZigBee, which is used for creating IPv6 internet protocol mesh networks for short-range, line-of-sight, low-rate data transfers. Because WSN devices could be battery operated, ZigBee is intended to be simpler than Bluetooth or Wi-Fi networks [4].

Piro et al., in their 802.15.4 security framework research [2], refer to these nodes as Reduced Functioning Devices (RFD) because they lack power and communication resources. Although Myria and other TinyOS nodes are considered here as reduced-function IoT devices, they can routinely measure the following.

● Temperature
● Humidity
● Air pressure
● Illumination
● CO2 concentrations
● Acceleration
● Mechanical pressure
● Passive infrared (movement)
● Reed switches
● Light beam (gate sensor)
● A/C current
● Heart rate

One of the fastest growing focus areas of the IoT is wearable sensors for health care, which monitor patient medical information in real time. However, there are ZigBee security vulnerabilities, explained later in this paper, that could leak private information [1]. ZigBee security is based on the 128-bit Advanced Encryption Standard (AES) in Counter with Cipher Block Chaining Message Authentication Code (CCM) mode, AES-128-CCM [7], and provides support for public key infrastructure using standard X.509 v3 certificates, including a 256-bit Elliptic Curve Cryptography (ECC) cipher suite [5].

In the following sections we introduce our research focus area, that is, the conjunction of the Internet of Things and Elliptic Curve Cryptography implementation in medical applications. Later, this study explains the security vulnerabilities that ZigBee devices present when implemented using the original standard. Section 8 describes our final security solution using certificate authorities (CA) and ECC. We will show that our proposal reduces the vulnerability of these sensor devices and improves the reliability of such an implementation.

2. ZigBee Access Point Antenna

Multiple 802.15.4 access point antenna devices can be found at the ZigBee Alliance website [5]. This section outlines the Cisco 500 Series Wireless Personal Area Network (WPAN) Industrial Routers (IR500). Figure 2 shows an IR500, which provides unlicensed 915 MHz (902-928 MHz) medical band WPAN communications. IoT wireless sensor networks are primarily ad hoc, line-of-sight mesh networks; however, these antennas enhance the range and enable RF mesh connectivity of IEEE 802.15.4g/e and IETF IPv6 over Low power WPAN (6LoWPAN) IoT networks. Specifically, ZigBee antennas as described here provide the following network security features:

● Access control and authentication based on X.509 certs, IEEE 802.1x, and utility public key infrastructure (PKI) using AES-128
● Device and platform integrity based on firmware signing and cert-based, role-based access control (RBAC) configuration


Figure 2. ZigBee Access Point Antenna

3. IoT ECC & Medical Applications

Cryptographic algorithms such as the Data Encryption Standard (DES) have been shown to be vulnerable for public key generation. Other techniques have been created to offer better performance and security than DES public key algorithms. Because of its security, combined with its performance and efficiency, we chose Elliptic Curve Cryptography as our proposed algorithm to generate public keys. One security advantage of the elliptic curve implementation is that it relies on the hard elliptic curve logarithm problem. Another advantage is that ECC can use much smaller key sizes than RSA, which is ideal for wireless sensor applications that rely on small data space.


Elliptic Curve Cryptography is based on curves whose variables and coefficients are finite. Two types of curves are commonly used in the application of this algorithm: prime curves and binary curves. The two are easily distinguished: the prime curve is best when used in hardware applications, while the binary curve is usually better in software applications [9]. Because the ECC-generated key is much smaller in size, it is specifically useful in mobile devices and wireless sensor networks. It is therefore the appropriate algorithm for public key generation in this investigation.

In our use case, the large medical network would consist of a Body Area Network, as shown in Figure 3. In this graphic from Young S. Lee et al. [1], the body area network contains the ZigBee sensors that read vital signs from patients. A second layer is the Personal Area (off-body) Network: computing devices that communicate with the body area network and process the information received, for example pagers, cell phones, or personal computers. Finally, this data could be transmitted over the internet, providing the vital information to the end points that are allowed to read the data: physicians, emergency centers, and primary care providers.


Figure 3. Medical use of WSN [1]

Medical network applications could be considered critical and delicate because of the type of personal information that resides in them. In the Internet of Things, where sensors are the principal point of the initial transaction of information in the network, the risk of data being stolen increases as the number of sensors in the network increases. Stronger security measures help decrease the risk of attacks on the network and help protect patients' personal data. This is why cryptographic algorithms play a highly important role in network security. It is equally important that these algorithms produce highly secure keys. ECC adds much longer key sequences, ensuring local IoT network security; the closing section of this study shows how an efficient certificate authority in combination with ECC provides the best security and efficiency. The next section first enumerates the security vulnerabilities of a standard ZigBee network.

4. The ZigBee Vulnerability Problem

As explained by Wissam Razouka et al., the 802.15.4 ZigBee protocol presents the following security weaknesses [3].

1. The first problem is with key distribution, as security keys are transmitted in ZigBee networks either over-the-air or pre-installed onto the devices in an insecure way [10]. There are different ZigBee key distribution approaches depending on the security level, as follows.

A. Using the ZigBee high security level, the network key is encrypted and transmitted over the air using the Master key, which is shared among all nodes. Thus, the compromise of one single node leads to an untrusted relationship between all communicating devices in the network.

B. Key Establishment is where the WSN device negotiates with the Key Distribution Center and keys are established at either end without being transported, using one of the following methods.

● SKKE (Symmetric Key Establishment)
● CBKE (Certificate-based Key Establishment). This solution with ECC is explained later in this study as the final recommended solution.
● ASKE (Alpha-secure Key Establishment)

C. Using the ZigBee Standard Security level, the safety of the system becomes even more critical, as the network key is transmitted unencrypted over-the-air. This alternative reveals the keys in clear text and cannot be recommended for security purposes.

D. Using pre-installed network keys on each legitimate device of the ZigBee network. This is done manually using a commissioning tool. This approach may be impractical for large networks.

2. Razouka [3] explains that the second ZigBee vulnerability concerns the frame counter, which is offered as a security service and emphasized as the freshness protection. It uses an ordered sequence of inputs to reject frames that have been replayed. This is not a strong approach because an adversary can choose superior values to avoid the rejection of specific frames, as the standard ZigBee protocol frame counter uses incrementing values rather than random values. It is also easy to overflow the frame counters, as pointed out in previously published studies [11].

3. Another weakness found in the ZigBee security model concerns the forward security requirement: the master and link keys are never revoked from a wireless sensor node exiting a network [3]. For example, if a hospital or hotel using ZigBee wishes to open doors, improve energy efficiency, or collect patient vital signs, such a venue needs a better approach to manage thousands of ZigBee devices. A possible situation, explained in the use case below, is where one or many of the ZigBee devices are lost, misused, or stolen. The extraction of ZigBee data has already been demonstrated and published [12][13].

4. Eavesdropping and data manipulation have been demonstrated using software and hardware for attacking purposes such as traffic sniffing, data injection, and packet decoding. A $40 AVR RZ Raven USB device (RZUSB) can be used to exploit many security vulnerabilities related to ZigBee-enabled systems. Another example is the freely available KillerBee software suite [14].

Two solutions to handle the ZigBee vulnerabilities will be discussed in the next sections of this paper.

5. Use Cases

Imagine that one of the node devices from a ZigBee network is lost or stolen. The problem is that the ZigBee communications protocol gives an attacker access to the network device Master Key, because the key is never revoked. This exposes all the sensors in the network. If the compromised sensor was in a hospital network gathering constant vital information from patients, such as pulse, blood pressure, and temperature among others, the personal medical data being transmitted among the sensors is at high risk of being compromised.

Figure 4 shows WSN-type sensors whose purpose is to read specific vital signs from patients. These sensors are spatially distributed and communicate with each other continuously, with the sole purpose of reading data from the patients and delivering the messages up through a Gateway in an 802.15.4 IoT network. The sensor data finally reaches the end recipients, in this case doctors, nurses, or any other points of interest on a Wi-Fi 802.11 network. As patients and sensors transition into and out of the grid, these wireless sensors must account for key revocation [2].

In a WSN using the ZigBee protocol, a node enters the network by using a set of keys that enables it to start communicating with other existing nodes in the network. In the case of a ZigBee device, these keys must be securely installed, either pre-installed at the point of manufacturing or over-the-air by an established Trust Center [15]. Imagine that a specific WSN node wants to enter the Wireless Body Area Network (WBAN), but this node could have been programmed to steal data from patients. Because this node already has the master key installed, it can easily be added to the network and directly establish communication in order to retransmit data to a different location. A similar case arises when a node exits the network: it carries the master key, which is never revoked from it, so at any time the device could enter the network again with malicious purposes.

Figure 4. Topology Layout Use Case

6. Solution by Key Distribution Center

Three entities are involved in the proposal as explained by Wissam Razouka et al. [3]: the Trust Center or Key Distribution Center, the initiator node A, and the responder node B. Each node i stores its identifier ID_i and its secret key K_i. The Key Distribution Center has access to a database where information related to the network is stored (in this case we are interested in the IDs and secret keys related to the nodes). No keys are shared permanently among the nodes, which considerably decreases the ability to compromise the network upon the exposure of one single node. Finally, the temporary session key K_S is a one-time-use key shared between the initiator and responder nodes during a given communication. In this approach, Razouka proposes to use random numbers as nonces to ensure the freshness of the messages containing the session keys. The nonce N_i is updated after each communication to prevent replay attacks. An improvement could be to use a timestamp as the nonce. In Figure 5 below, the term Trust Center is interchangeable with Key Distribution Center.

Figure 5. Key Distribution Center Zigbee Alternative


The following steps outline the algorithmic solution described by Razouka [3], which maps to a key distribution center model.

• Step 1: As shown in Figure 5 above, the initiator A sends a request to establish communication with the node B. The message (1) contains the node's identifier ID_A, a nonce N_A generated by A, and H_A, which is a hash of N_A along with the private key K_A. Razouka adds the nonce to this step to provide freshness and ensure that, when receiving the next message, A will be sure that the communication has not been replayed, as N_A is random and different for each session. The authors of this report believe that a timestamp is a better choice as a nonce. Only the Key Distribution Center has access to K_A and can rebuild H_A to verify whether A is a legitimate node. Note that H_A is a one-way function, as hash functions are required to be irreversible. Therefore, even if this message is disclosed, the attack cannot be successful, as only legitimate parties possess the secret key K_A to recover the plain message of the next step [3].

• Step 2: The responder B builds its own message in the same way, and sends the received information related to A along with its own information to the Key Distribution Center as a request for authentication and also to obtain a new temporary session key.

• Step 3: The Key Distribution Center receives the message (2) from B, and first verifies whether the forwarded message is valid by rebuilding H'_A and H'_B using K_A and K_B for the stored ID_A and ID_B respectively. Comparing H'_A with H_A and H'_B with H_B proves the message is legitimate, as only A and B possess the secret keys K_A and K_B and are able to build a valid message. Steps 3 and 4 are almost simultaneous, each with its own node's private key.

• Step 4: The Key Distribution Center generates the session key K_S, and sends it in an encrypted form using K_A and K_B to A and B respectively. The nonces N_A and N_B provide protection against replay attacks. Note that in this solution, both nodes A and B authenticate as legitimate nodes, and can verify the freshness of the received messages from the Key Distribution Center.

• Step 5: Finally, the nodes A and B receive the encrypted information, and retrieve the secret session key using their private keys K_A and K_B respectively. A and B are sure that the received message is fresh, as it contains the nonces N_A and N_B. At this point, both the initiator A and the responder B can communicate in a secure way using the session key K_S.

The Key Distribution Center can make a periodic verification to check whether all nodes are still in the WSN. If not, the KDC can revoke access from a specific node simply by deleting or disabling its related information in the database. This technique prevents an adversary from exploiting secret information. While Razouka's solution is secure, it is also slow; our proposed innovative solution extends the Key Distribution Center using faster Certificate Authorities and is explained in the next section.
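The five steps and the revocation policy above, as an added sketch that is not code from Razouka et al. or from this paper. Assumptions: HMAC-SHA256 plays the keyed hash H_i, an HMAC-derived pad with a tag stands in for AES-128-CCM so that only the standard library is needed, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def keyed_hash(key, node_id, nonce):
    """H_i: binds ID_i and N_i to the secret K_i (HMAC-SHA256 is an assumption)."""
    return _mac(key, b"auth", node_id.encode() + nonce)

def seal(key, nonce, session_key):
    """Stand-in for AES-128-CCM: pad and tag are both derived from (K_i, N_i)."""
    ct = bytes(a ^ b for a, b in zip(session_key, _mac(key, b"enc", nonce)))
    return ct + _mac(key, b"tag", nonce + ct)

def unseal(key, nonce, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"tag", nonce + ct)):
        raise ValueError("reply is forged or not bound to the current nonce")
    return bytes(a ^ b for a, b in zip(ct, _mac(key, b"enc", nonce)))

class Node:
    def __init__(self, node_id, key):
        self.node_id, self.key, self.nonce = node_id, key, b""

    def request(self):
        """Steps 1-2: send ID_i, a fresh N_i and H_i; K_i never leaves the node."""
        self.nonce = secrets.token_bytes(16)
        return self.node_id, self.nonce, keyed_hash(self.key, self.node_id, self.nonce)

    def accept(self, blob):
        """Step 5: recover K_S; only a reply bound to the current N_i is accepted."""
        return unseal(self.key, self.nonce, blob)

class KeyDistributionCenter:
    def __init__(self):
        self.db = {}  # ID_i -> K_i

    def enroll(self, node_id):
        self.db[node_id] = secrets.token_bytes(16)
        return self.db[node_id]

    def revoke(self, node_id):
        self.db.pop(node_id, None)  # deleting the record is the whole revocation step

    def _check(self, msg):
        node_id, nonce, digest = msg
        key = self.db.get(node_id)
        if key is None:
            raise PermissionError(f"{node_id}: unknown or revoked")
        if not hmac.compare_digest(digest, keyed_hash(key, node_id, nonce)):
            raise PermissionError(f"{node_id}: H' does not match H")
        return key, nonce

    def issue(self, msg_a, msg_b):
        """Steps 3-4: rebuild H'_A and H'_B, then wrap one fresh K_S for each node."""
        (key_a, n_a), (key_b, n_b) = self._check(msg_a), self._check(msg_b)
        session_key = secrets.token_bytes(16)
        return seal(key_a, n_a, session_key), seal(key_b, n_b, session_key)

def _rejected(exc, fn):
    try:
        fn()
    except exc:
        return True
    return False

def demo():
    kdc = KeyDistributionCenter()
    a, b = Node("A", kdc.enroll("A")), Node("B", kdc.enroll("B"))
    blob_a, blob_b = kdc.issue(a.request(), b.request())
    out = {"shared_key": a.accept(blob_a) == b.accept(blob_b)}
    a.request()  # new session, new N_A: the old KDC reply must no longer open
    out["replay_rejected"] = _rejected(ValueError, lambda: a.accept(blob_a))
    impostor = Node("A", secrets.token_bytes(16))  # claims ID_A without K_A
    out["impostor_rejected"] = _rejected(
        PermissionError, lambda: kdc.issue(impostor.request(), b.request()))
    kdc.revoke("B")  # node B left the grid
    out["revoked_rejected"] = _rejected(
        PermissionError, lambda: kdc.issue(a.request(), b.request()))
    return out

if __name__ == "__main__":
    print(demo())
```

Every exchange passes through the KDC, which is the round trip the certificate scheme in the next section removes.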

7. Innovative Proposed Solution using CA and ECC

Our proposal is to use a hybrid of cryptographic methods, algorithms, and security policies to form a combined innovative solution, fully compliant with the ZigBee standard and wireless sensor networks. Our goal is to design the most secure, fastest, and most scalable 802.15.4 network possible. Our contributions include policies and ECC key distribution methods for wireless sensor nodes, specifically when entering and exiting the local IoT network. As explained in section 4, the ZigBee security model neglects the forward security requirement of revoking keys from a node when a sensor leaves the grid [3]. The proposal is based on hierarchical Certificate Authority (CA) wireless gateways that can calculate, store, and distribute private keys, the directory of ID name identifiers, and digitally signed certificates [16, pp 423]. This local CA is responsible only for its domain or venue. If two entities from different domains wish to communicate, the CA gateways can exchange keys through a global CA wireless gateway. Our innovative solution uses the Elliptic Curve Cryptographic algorithm to generate the initial asymmetric key only when a new node enters the local IoT network. The ZigBee method followed is Certificate-based Key Establishment (CBKE) using the ECC algorithm. Figure 6 shows a representation of the CA cryptographic method outlined in the following paragraphs.

Figure 6. Certificate Authority Cryptographic Scheme [16]


To make our proposed solution fast we follow the approach first suggested by Kohnfelder [17]: use certificates that participants, in our case IoT nodes, can use to exchange keys without contacting a public-key authority, in a way that is as reliable as if the keys were obtained directly from a public-key authority. A certificate consists of a public key, an identifier of the key owner, and the whole block signed by a trusted third party. In this case the certificate authority is the hierarchical gateway trusted by the WSN IoT community. A node can present its public key to the authority in a secure manner and obtain a certificate. The node can then publish the certificate. Anyone needing this sensor's public key can obtain the certificate and verify that it is valid by way of the attached trusted signature. A sensor can also convey its key information to another by transmitting its certificate. Other nodes can verify that the certificate was created by the authority.

Each sensor node applies to the certificate authority, supplying a public key and requesting a certificate. Application must be done when the sensor is manufactured or by manual sensor configuration. Viewing Figure 6, for sensor A, the authority provides a certificate of the form shown where the private key used by the authority and a timestamp. Sensor A may then pass this certificate on to any other sensor on the grid, which reads and verifies the certificate. The recipient sensor uses the authority's public key to decrypt the certificate. Because the certificate is readable only using the gateway authority's public key, this verifies that the certificate came from the certificate authority. The sensor's ID and public key provide the recipient with the name and public key of the certificate's holder. The timestamp validates the currency of the certificate and serves as an expiration date. If a certificate is sufficiently old, it is assumed to be expired [16, pp 429].

One of the policies of the Gateway is to poll the local IoT network every night to see if any node has left the grid and thus revoke its keys. The X.509 standard has become universally accepted for formatting public-key certificates. X.509 certificates are used in most network security applications, including IP security and transport layer security (TLS), and are discussed in detail in the next section.

8. ZigBee and X.509v3

The ZigBee standard calls for compatibility with X.509 Version 3. As explained in Stallings [16, pp 435], X.509 defines a framework for the provision of authentication services by the X.500 directory to its users; in our IoT study the users are wireless sensor nodes. The directory serves as a repository of public-key certificates and is located on the local IoT Gateway. Each certificate (1) contains the public key of a node and (2) is signed with the private key of a trusted certification authority. X.509 is based on the use of public-key cryptography and digital signatures. The standard does not dictate the use of a specific algorithm but recommends RSA.


The unique identifier fields in the X.509 standard are intended to handle the possible reuse of subject and/or issuer names over time; in our case, a WSN node that enters and exits the network multiple times. The CA signs the certificate with its private key. If the corresponding public key is known to a node, then that node can verify that a certificate signed by the CA is valid. All node certificates can be placed in the IoT Gateway directory for access by all nodes. A node can also transmit its certificate directly to other nodes. In either case, once B is in possession of A's certificate, B has confidence that messages it encrypts with A's public key will be secure from eavesdropping. With a large community of nodes, X.509 suggests using a hierarchy of CAs. An arbitrarily long path of CAs can be followed to produce a chain: an IoT chain in which any node can communicate with any other node by following a path to another user's X.509 public key certificate. When a node receives a certificate in a message, the node must determine whether the certificate has been revoked. The node can check the directory each time a certificate is received. To avoid the delays and power consumption associated with directory searches, it is likely that the node would maintain a local cache of certificates and lists of revoked certificates.


References

[1] An Efficient Encryption Scheme using Elliptic Curve Cryptography (ECC) with Symmetric Algorithm for Healthcare System. Young Sil Lee, Esko Alasaarela and Hoon Jae Lee. Department of Ubiquitous IT, Dongseo University Graduate School, Department of Electronic Engineering, University of Oulu 47 Jurye-ro, Sasang-gu, Busan, Rep. of Korea FI-90014, Oulu, Finland.

[2] A standard compliant security framework for IEEE 802.15.4 networks. G. Piro, G. Boggia, and L. A. Grieco. Department of Electrical and Information Engineering (DEI), Politecnico di Bari, Italy. Email: {g.piro, g.boggia, a.grieco}@poliba.it

[3] New security approach for ZigBee Weaknesses. Wissam Razouka, Garth V. Crosbyb, Abderrahim Sekkakia. Hassan II University, Faculty of science, Dept of mathematics and computer science, 5366, Casablanca, Morocco; Southern Illinois University, Dept of technology, Engineering building, 62901, Illinois, USA.

[4] Wikipedia ZigBee Definition: https://en.wikipedia.org/wiki/ZigBee

[5] ZigBee Organization Alliance: http://www.zigbee.org/News/AlliancePressReleases.aspx?Contenttype=ArticleDet&moduleId=778&Aid=446&PR=PR

[6] Cisco 500 Series WPAN Industrial Routers: http://www.cisco.com/c/en/us/products/routers/500-series-wpan-industrial-routers/index.html#

[7] Wikipedia CCM Mode (Counter CBC-MAC): http://en.wikipedia.org/wiki/CCM_mode

[8] Myria Node Motes Wireless Sensor Devices: http://www.sense-os.nl/-/internet-of-things-wireless-sensor-networks

[9] Bard, William. Distributed Information System Security, Fall 2014. Course slides. Session 2 - ESE02n.ppt, Page 5: Elliptic Curves Over Zp.

[10] Kyung Choi, Minjung Yun, Kijoon Chae, and Mihui Kim. An enhanced key management using ZigBee Pro for wireless sensor networks. Information Networking (ICOIN), 2012 International Conference on, pages 399–403. IEEE, 2012.

[11] Naveen Sastry and David Wagner. Security considerations for IEEE 802.15.4 networks. In Proceedings of the 3rd ACM workshop on Wireless security, pages 32–42. ACM, 2004.

[12] Travis Goodspeed. Extracting keys from second generation ZigBee chips. Black Hat USA, 2009.

[13] GoodFET Project. [Online]. Available: http://goodfet.sourceforge.net

[14] Joshua Wright. KillerBee: Practical ZigBee exploitation framework or wireless hacking and the kinetic world. Available: http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf

[15] ZigBee Security Document by Robert Cragie: https://docs.zigbee.org/zigbee-docs/dcn/09-5378.pdf

[16] William Stallings. Cryptography and Network Security, Sixth Edition. Pearson Education Inc., 2014.

[17] Kohnfelder, L. Towards a Practical Public Key Cryptosystem. Bachelor's Thesis, M.I.T., 1978.