PROJECTE FINAL DE CARRERA - COnnecting REpositories · PROJECTE FINAL DE CARRERA Anàlisi teòric...

PROJECTE FINAL DE CARRERA

Anàlisi teòric de les debilitats de seguretat dels

estàndards per a la Medició Intel· ligent

(Theoretical analysis of security features and weaknesses of telecommunication specifications for Smart Metering)

Estudis: Enginyeria de Telecomunicació

Autor: Albert Prats Vidal

Director/a: Ing. Zbyněk Kocur

Any: 2011/2012

2 Theoretical analysis of security features and weaknesses of telecommunication

CONTENTS

Collaborations ………………...…………………………………………. 8

Resum del projecte …………

Resumen del proyecto ………………………

Abstract …………………………………………

List of figur es …………………………………..

1. Introduction ……………………………………………………..…... 1

2. GPRS ………………………………………………………………… 1 2.1 Introduction ……………………………………………………………………... 1 2.2 GPRS network …………………………………………………………………... 1 2.2.1 Mobile stations (MS) ……………………………………………………….... 1 2.2.2 The fixed network ……………………………………………………………. 1 2.3 GPRS protocol stack …………………………………………………………….. 2.4 Security on GPRS ……………………………………………………… 2.4.1 Identities ……………………………………………………………………... 2.4.2 Subscriber identity confidentiality 2.4.3 GPRS Authentication ………………………………………………………... 2.4.4 GPRS Ciphering ……………………………………… 2.4.5 GPRS backbone se 2.5 Attacks on GPRS security ………………………………………………………. 2 2.5.1 Mobile Station and SIM ……………………………………………………... 2 2.5.1.1 Attacks on the S 2.5.2 Access network …………………………………………………………….… 2 2.5.2.1 Denial of Service (DoS 2.5.2.2 Man-in-the-Middle (Mi 2.5.3 Attacks on the GPRS co 2.5.3.1 Attacks on the IP te 2.5.3.2 Attacks on the SS7 te 2.5.3.3 Attacks on the interface between 2.5.3.4 Attacks on the interface to the 2.6 GPRS Solutions for smart 2.6.1 AEM Three-phase electricity 2.6.2 Digital Multi-tariff meter DMTZ

3. ZIGBEE/802.15.4 ……………………………………………………. 3 3.1 Introduction …………………………………………………………………...… 3 3.2 Physical layer overview …………………………………………………….……

Theoretical analysis of security features and weaknesses of telecommunication specifications for Smart Metering

Collaborations ………………...…………………………………………. 8

Resum del projecte ……………………………………...……………….

Resumen del proyecto ………………………………………………

Abstract ………………………………………………………………...

es …………………………………..………...……………..

1. Introduction ……………………………………………………..…... 1

PRS ………………………………………………………………… 1……………………………………………………………………... 1

…………………………………………………………………... 1MS) ……………………………………………………….... 1

work ……………………………………………………………. 1ack ……………………………………………………………..

RS ……………………………………………………………………………………………………………………………...

2.4.2 Subscriber identity confidentiality …………………………………………… tion ………………………………………………………...

ng ……………………………………………………………... 22.4.5 GPRS backbone security …………………………………………………….. 2

curity ………………………………………………………. 2d SIM ……………………………………………………... 2

2.5.1.1 Attacks on the SIM card ……………………………………………….…. 2ork …………………………………………………………….… 2

2.5.2.1 Denial of Service (DoS) attack ………………………………………….... 2Middle (MitM) attack ………………………………………... 2

2.5.3 Attacks on the GPRS core network ………………………………………….. 2.5.3.1 Attacks on the IP technology ……………………………………………... 2.5.3.2 Attacks on the SS7 technology ………………………………………….... 2.5.3.3 Attacks on the interface between network operators ……………………... 2.5.3.4 Attacks on the interface to the public Internet …………………………….

2.6 GPRS Solutions for smart metering …………………………………………….. 3phase electricity electronic meter Enerlux T …………………… 3tariff meter DMTZ-XC ……………………………………..….

02.15.4 ……………………………………………………. 3…………………………………………………………………...… 3

3.2 Physical layer overview …………………………………………………….……

Theoretical analysis of security features and weaknesses of telecommunication

Collaborations ………………...…………………………………………. 8

………………. 9

…………………………. 10

…………………….... 11

………...…………….. 12

1. Introduction ……………………………………………………..…... 15

PRS ………………………………………………………………… 17 ……………………………………………………………………... 17

…………………………………………………………………... 18 MS) ……………………………………………………….... 18

work ……………………………………………………………. 19 ack …………………………………………………………….. 20

RS ……………………………………………………………….. 21 ……………………………………………………………………... 21

…………………………………………… 22 tion ………………………………………………………... 22

……………………... 24 curity …………………………………………………….. 25

curity ………………………………………………………. 27 d SIM ……………………………………………………... 27

IM card ……………………………………………….…. 27 ork …………………………………………………………….… 28

) attack ………………………………………….... 28 tM) attack ………………………………………... 29

re network ………………………………………….. 30 ology ……………………………………………... 30

chnology ………………………………………….... 31 network operators ……………………... 32

……………………………. 33 metering …………………………………………….. 35

onic meter Enerlux T …………………… 35 XC ……………………………………..…. 36

02.15.4 ……………………………………………………. 37 …………………………………………………………………...… 37

3.2 Physical layer overview …………………………………………………….…… 38

3 Theoretical analysis of security features and weaknespecifications for Smart Metering

3.3 MAC layer overview ……………………………………………………………. 3 3.4 Network layer overview ……………………………………………………..….. 3.5 Application layer overview …………………………........... 3.6 Security on ZigBee …………………………………………………………...…. 3.6.1 802.15.4 MAC layer s 3.6.1.1 Security objective 3.6.1.2 Security modes …………………………………………………………… 4 3.6.1.3 Security suites ………………………………………………………….…. 4 3.6.1.4 AES-CTR suite …………………………………………………………… 4 3.6.1.5 AES-CBC-MAC suite ……………………………………………….…… 4 3.6.1.6 AES-CCM suite …………………………………………………… 3.6.1.7 PIB security mat 3.6.2 ZigBee specification secu 3.6.2.1 Security keys ……………………………………………………………… 3.6.2.2 Trust center …………………………………………………………..…… 3.6.2.3 Network layer secu 3.6.2.4 Application layer security ………………… 3.6.2.4.1 Symmetric-Key Key Estab 3.6.2.4.2 Mutual Entity Authentica 3.7 Possible attacks on 802.15 3.7.1 Same-nonce attack …………………………………………………………… 5 3.7.2 Replay-protection a 3.7.3 ACK attack ………………………………………………………...………… 5 3.7.4 Jamming attack ………………………………………………………………. 3.7.5 Exhaustion …………………………………………………………………… 3.7.6 Collision …………………………………………………………………….... 3.7.7 Unfairness ………………………………………………………….………… 3.8 Possible attacks to ZigBe 3.8.1 Route disruption in the cluster tree by 3.8.2 Route disruption in the cluster tree by a 3.8.3 Loop in the cluster t 3.9 ZigBee solutions ……………………………………………………………….... 3.9.1 Freescale solution ……………………………………………………………. 3.9.1.1 Freescale electronic three 3.9.2 Texas Instruments so 3.9.2.1 CC2530 ZigBee So

4. Raconet ………………………………………………...…………….. 6 4.1 Introduction ……………………………………………………………………... 6 4.2 Raconet network global per 4.3 Raconet layers ……………………………………………………………...……. 4.4 Security on raconet ……………………………………………………………… 4.5 Attacks that may be performed on


view ……………………………………………………………. 3iew ……………………………………………………..…..

3.5 Application layer overview ………………………….....................................….. ee …………………………………………………………...….

3.6.1 802.15.4 MAC layer security …………………………………………….3.6.1.1 Security objectives …………………………………………………......…. 4

modes …………………………………………………………… 4tes ………………………………………………………….…. 4

suite …………………………………………………………… 4C suite ……………………………………………….…… 4

ite ……………………………………………………3.6.1.7 PIB security material ……………………………………………………...

3.6.2 ZigBee specification security …………………………………………...…… keys ………………………………………………………………

…………………………………………………………..…… 3.6.2.3 Network layer security ………………………………………………...….. 3.6.2.4 Application layer security ………………………………………………....

Key Key Establishment Protocol …………………………. 53.6.2.4.2 Mutual Entity Authentication protocol …………………………..……. 5

3.7 Possible attacks on 802.15.4 security …………………………………………… 5tack …………………………………………………………… 5

protection attack ………………………………………………...…… 5………………………………………………………...………… 5ack ……………………………………………………………….

on …………………………………………………………………… …………………………………………………………………....

s ………………………………………………………….………… 3.8 Possible attacks to ZigBee NWK layer …………………………………………. 3.8.1 Route disruption in the cluster tree by a compromised device ………….……

2 Route disruption in the cluster tree by a compromised coordinator …………. 3.8.3 Loop in the cluster tree …………………………………………………...…..

……………………………………………………………….... tion …………………………………………………………….

3.9.1.1 Freescale electronic three-phase electricity meter …………………...…… 3.9.2 Texas Instruments solution ………………………………………………..…. 3.9.2.1 CC2530 ZigBee SoC solution ……………………………………….…… 6

………………………………………………...…………….. 6……………………………………………………………………... 6

4.2 Raconet network global performance ………………………………………….... 6……………………………………………………………...……. onet ………………………………………………………………

4.5 Attacks that may be performed on raconet ………………………………………

sses of telecommunication

view ……………………………………………………………. 39 iew ……………………………………………………..….. 41

..........................….. 43 ee …………………………………………………………...…. 45

ecurity ……………………………………………..…. 45 s …………………………………………………......…. 46

modes …………………………………………………………… 46 tes ………………………………………………………….…. 47

suite …………………………………………………………… 47 C suite ……………………………………………….…… 49

ite ……………………………………………………….….. 50 erial ……………………………………………………... 52

rity …………………………………………...…… 53 keys ……………………………………………………………… 53

…………………………………………………………..…… 54 rity ………………………………………………...….. 54

…………………………….... 55 lishment Protocol …………………………. 57

tion protocol …………………………..……. 57 .4 security …………………………………………… 59

tack …………………………………………………………… 59 ttack ………………………………………………...…… 59

………………………………………………………...………… 59 ack ………………………………………………………………. 60

on …………………………………………………………………… 60 ………………………………………………………………….... 61

s ………………………………………………………….………… 61 e NWK layer …………………………………………. 62

a compromised device ………….…… 62 compromised coordinator …………. 63

………………...….. 63 ……………………………………………………………….... 65 tion ……………………………………………………………. 65

lectricity meter …………………...…… 65 lution ………………………………………………..…. 66

C solution ……………………………………….…… 66

………………………………………………...…………….. 68 ……………………………………………………………………... 68

formance ………………………………………….... 69 ……………………………………………………………...……. 70 onet ……………………………………………………………… 70

raconet ……………………………………… 71


4.6 EMH-metering Racon 4.6.1 Raconet repeater RNRE ……………………………………………………… 4.6.2 Data collector RNDC ………………………………………………………… 4.6.3 Raconet MAUS RNMA ……………………………………………...………. 4.6.4 Raconet Gateway RNMB ……………………………………………….…… 4.6.5 Digital Multi-Rate Meter 4.6.6 Raconet software tools …………………………………………………..…… 7 4.6.6.1 Meter communication and configuration program EMH 4.6.6.2 EMH-COM Control 4.6.6.3 Meter communication and configuration program EMH2000 ……………………………………………………………………………….….. 7

5. Bluetooth …………………………………………………………….. 5.1 Introduction …………………… 5.2 Bluetooth RF layer overview ……………………………………………….…… 5.3 Bluetooth Baseband layer ov 5.4 Link Manager Protocol lay 5.5 Host Controller Interface (HCI) laye 5.6 Logical Link Control and Adaptation Protocol 5.7 RFCOMM protocol layer 5.8 Profiles overview ………………………………….……………………..……… 8 5.9 Security in Bluetooth ………………………………..…………………...……… 8 5.9.1 Security services ………………………………………………………...…… 8 5.9.2 Security modes ……………………………………………….…………...…. 8 5.9.3 Bluetooth security chain o 5.9.4 Security entities …………………… 5.9.5 Bluetooth security types 5.9.6 Algorithms in Bluetooth s 5.9.7 Link Key (LK) gener 5.9.8 Bluetooth Authentication … 5.9.9 Bluetooth confidential 5.9.10 Trust Levels, Service Levels and 5.10 Possible attacks to Bluetooth …… 5.10.1 BlueSnarfing …………………………………………....…………………... 5.10.2 BlueBugging …………………………………..……………………………. 5.10.3 Fuzzing attacks ……………………….…………………. 5.10.4 HeloMoto …………………………………..……………………………….. 9 5.10.5 BlueSmack ………………… 5.10.6 Relay attacks …………………………………..……………………...…….. 9 5.10.6.1 Two-Sided Relay a 5.10.6.2 One-Sided Relay a 5.10.7 Attack to the pairing process 5.11 Solution for Bluetooth …………………………………..…………


metering Raconet ……………………………………………………...….. er RNRE ………………………………………………………

r RNDC ………………………………………………………… RNMA ……………………………………………...……….

ay RNMB ……………………………………………….…… Rate Meter – ED2000 ……………………………………...….. 7

tools …………………………………………………..…… 74.6.6.1 Meter communication and configuration program EMH-COM …………..

COM Control Center ……………………………………...……….. 74.6.6.3 Meter communication and configuration program EMH-COMBI

………………………………………………………………….….. 7

oth …………………………………………………………….. 5.1 Introduction ……………………………………………………………….……..

verview ……………………………………………….…… 5.3 Bluetooth Baseband layer overview …………….………………………...…….. 5.4 Link Manager Protocol layer overview …………………………………………. 5.5 Host Controller Interface (HCI) layer overview ………...…………………...….. 5.6 Logical Link Control and Adaptation Protocol (L2CAP) layer overview ...……. 5.7 RFCOMM protocol layer overview ……………………………………………..

w ………………………………….……………………..……… 8h ………………………………..…………………...……… 8

es ………………………………………………………...…… 8……………………………………………….…………...…. 8

5.9.3 Bluetooth security chain of events ……………………….…………………... 85.9.4 Security entities ……………………………………………………..……….. 85.9.5 Bluetooth security types of keys ………………………………………...…… 85.9.6 Algorithms in Bluetooth security …………………………….…………...…. 5.9.7 Link Key (LK) generation ……………………………….…………………... 5.9.8 Bluetooth Authentication …………………………………..……………….... 5.9.9 Bluetooth confidentiality …………………………………………....……….. 5.9.10 Trust Levels, Service Levels and Authorization ……………………..……

5.10 Possible attacks to Bluetooth …………………………….………….............…. ………………………………………....…………………...

g …………………………………..……………………………. 5.10.3 Fuzzing attacks ……………………….…………………..............................

…………………………………..……………………………….. 95.10.5 BlueSmack ……………………….………………………………………..... 9

………………………………..……………………...…….. 9Sided Relay attack ……………………….……………………….... 9Sided Relay attack …………………………………..……………... 9

5.10.7 Attack to the pairing process ……………………….……………..………... 9uetooth …………………………………..…………


……………………………...….. 72 er RNRE ……………………………………………………… 72

r RNDC ………………………………………………………… 72 RNMA ……………………………………………...………. 74

ay RNMB ……………………………………………….…… 75 ED2000 ……………………………………...….. 77

tools …………………………………………………..…… 78 COM ………….. 78

Center ……………………………………...……….. 78 COMBI-MASTER

………………………………………………………………….….. 79

oth …………………………………………………………….. 80 …………………….…….. 80

verview ……………………………………………….…… 81 erview …………….………………………...…….. 82

er overview …………………………………………. 84 ………...…………………...….. 84

(L2CAP) layer overview ...……. 85 overview …………………………………………….. 85

w ………………………………….……………………..……… 86 h ………………………………..…………………...……… 87

es ………………………………………………………...…… 87 ……………………………………………….…………...…. 87

f events ……………………….…………………... 88 ………………………………..……….. 89

of keys ………………………………………...…… 89 ………………….…………...…. 90

ation ……………………………….…………………... 91 ………………………………..……………….... 92

ity …………………………………………....……….. 93 Authorization ……………………..……...94

……………………….………….............…. 95 ………………………………………....…………………... 95

g …………………………………..……………………………. 95 ............................. 95

…………………………………..……………………………….. 96 …….………………………………………..... 96

………………………………..……………………...…….. 96 ttack ……………………….……………………….... 97 ttack …………………………………..……………... 98

……………..………... 99 uetooth …………………………………..…………...……….. 100


5.11.1 Three phase remote disconnection and

6. PRIME ……………… 6.1 Introduction …………………………………… 6.2 Architecture of the system ………………… 6.3 Physical layer overview ………………………………… 6.4 MAC layer overview ……………………………………… 6.5 Convergence layer overview ………………………………… 6.6 Security on PRIME …………………………………………… 6.6.1 Security Profile 0 …………………………………………… 6.6.2 Security Profile 1 …………………………………………… 6.6.3 Negotiation of the Securi 6.6.4 Cryptographic algorithm 6.6.5 Algorithm for key deriva 6.6.6 Key Hierarchy …………………………………………...………………….. 10 6.6.7 Key distribution and m 6.6.8 Data encryption algorithm … 6.6.9 Transmitter MAC Securit 6.6.10 Receiver MAC Security 6.7. Possible attacks to PR 6.7.1 Exposition of the keys … 6.7.2 Denial of Service (DoS) a 6.7.3 Identity protection ………………………………………………….…….…. 1 6.8 PRIME solutions for smart 6.8.1 Landis+Gyr E450-PRIME ……… 6.8.2 ADDM2102 Modem boar

7. PLC G3 …………………………………………………….……….. 11 7.1 Introduction ………………………………………………………………...….. 11 7.2 Physical layer overview ……………………………………………………...… 11 7.3 MAC layer overview ……………… 7.4 6LoWPAN Adaptation layer 7.5 Security on PLC G3 ………………………………………….………………… 1 7.5.1 Access Control and Authen 7.5.2 Bootstrapping proced 7.5.3 Authentication and Key dist 7.5.4 Authorization and initial conf 7.5.5 Confidentiality and In 7.5.6 Cryptographic design of 7.5.7 Key Setup ……………………………………………………...…………… 12 7.5.8 The Authenticated Key 7.5.9 Protected Channel …………………………………………………………... 12 7.5.10 Key Hierarchy ………………………………………..……….…………… 12


5.11.1 Three phase remote disconnection and re-connection meter Eis RDC3 …

ME ……………………………………...………………………..1 Introduction ………………………………………………………….…

hitecture of the system ………………………………..……………….…… overview …………………………………..………………...

r overview ………………………………………..……………layer overview …………………………………..………

n PRIME ……………………………………………..……ty Profile 0 ……………………………………………..…

ity Profile 1 ………………………………………………..6.6.3 Negotiation of the Security Profile ………………………………….……… 106.6.4 Cryptographic algorithm …………………………………………..…...…… 106.6.5 Algorithm for key derivation ……………………………………..……...…. 10

…………………………………………...………………….. 106.6.7 Key distribution and management …………………………………….……. 106.6.8 Data encryption algorithm ……………………………………...…………... 106.6.9 Transmitter MAC Security Module …………………………………...……. 16.6.10 Receiver MAC Security Module ……………………………….………..... 1

6.7. Possible attacks to PRIME ……………………………………………....……. 16.7.1 Exposition of the keys …………………………………………….………... 16.7.2 Denial of Service (DoS) attacks ………………………………………....…. 1

on ………………………………………………….…….…. 16.8 PRIME solutions for smart metering …………………………………..………. 1

PRIME ……………………………………….............…. 16.8.2 ADDM2102 Modem board for PRIME ………………………………..…… 11

3 …………………………………………………….……….. 11…………………………………………………………...….. 11

iew ……………………………………………………...… 11AC layer overview …………………………………………………........

7.4 6LoWPAN Adaptation layer overview ……………………………………..…. 1G3 ………………………………………….………………… 1

7.5.1 Access Control and Authentication ………………………………….……... 1strapping procedure ………………………………………..…………... 1

7.5.3 Authentication and Key distribution phase ………………………………… 17.5.4 Authorization and initial configuration phase ……………………………… 17.5.5 Confidentiality and Integrity ……………………………………….………. 127.5.6 Cryptographic design of EAP-PSK ……………………………………….... 12

……………………………………………………...…………… 127.5.8 The Authenticated Key Exchange ……………………………………….…. 12

el …………………………………………………………... 12y ………………………………………..……….…………… 12


connection meter Eis RDC3 ….... 100

………………………. 101 ………….……….... 101 ……………….…… 102 ………………...….. 102

…………………. 104 …………...….. 104 ……...………. 105 …………….. 105 ..…..……… 105

……………………………….……… 106 …………………………………………..…...…… 106 tion ……………………………………..……...…. 106

…………………………………………...………………….. 107 anagement …………………………………….……. 109

…………………………………...…………... 109 y Module …………………………………...……. 111 Module ……………………………….………..... 112

………………………………....……. 113 ………………………………………….………... 113 ttacks ………………………………………....…. 113

on ………………………………………………….…….…. 114 metering …………………………………..………. 115

……………………………….............…. 115 d for PRIME ………………………………..…… 116

3 …………………………………………………….……….. 117 …………………………………………………………...….. 117

iew ……………………………………………………...… 118 …………………………………............... 120

overview ……………………………………..…. 120 G3 ………………………………………….………………… 122

tication ………………………………….……... 122 ure ………………………………………..…………... 124

ribution phase ………………………………… 125 iguration phase ……………………………… 125

tegrity ……………………………………….………. 126 PSK ……………………………………….... 127

……………………………………………………...…………… 128 Exchange ……………………………………….…. 128

el …………………………………………………………... 129 y ………………………………………..……….…………… 129


7.5.11 Group Master Key distri 7.6 Possible attacks to PLC G3 ……………………………………………………. 1 7.6.1 Denial of Service (DoS 7.6.2 Exposition of the PSK ……………………………………..……………….. 1 7.6.3 Identity protection ……………… 7.6.4 Packet modification 7.6.5 Weak ciphersuites ………………………………………………………...… 1 7.6.6 Separation of authe 7.6.7 Channel binding ………………………………………………………….…. 13 7.7 Maxim PLC G3 solutions ……………………………………………………… 13 7.7.1 Metering SoC ………………………………………………………..……… 13 7.7.1.1 71M6541D/41F, 71M654 7.7.2 Real-Time Clock (R 7.7.2.1 DS3231M ………………………………………………………….……. 1 7.7.3 Data Communications ………………… 7.7.3.1 MAX2990/MAX2991 ………… 7.7.3.2 MAX2992 ……………………………………………………………….. 1

8. IEC62056-21, FLAG Protocol ………………………………..…… 1 8.1 Introduction ……………………………………………………………………. 1 8.2 FLAG Manufacturers 8.3 Characteristics of the FLA 8.4 Physical medium for data tra 8.4.1 Electrical interface with c 8.4.2 Electricity V.24/V.28 in 8.4.3 Optical interface …………………………………………………………..... 146 8.4.3.1 Optical characte 8.4.3.2 Transmitter and 8.5 Character transmission ………………………………………………………… 14 8.6 Data transfer protocol …………………………………………………..……… 14 8.7 Security in IEC62056- 8.8 Possible attacks to IEC62056 8.8.1 Level 1, Basic ……………………………………………………...……….. 8.8.2 Level 2, Password ……… 8.8.2.1 Dictionary attacks …………………………………………….…………. 1 8.8.2.2 Brute force attac 8.8.3 Level 3, Secure ………………… 8.8.4 Level 4, Internal ………………………………………………… 8.9 Solutions for IEC62056 8.9.1 Single-phase electronic meter 8.9.2 ACE6000 DC4 commercial and industrial


7.5.11 Group Master Key distribution ……………………………………….….... 1PLC G3 ……………………………………………………. 1

7.6.1 Denial of Service (DoS) attacks ……………………………………………. 1PSK ……………………………………..……………….. 1

7.6.3 Identity protection ………………………………………………...............… 17.6.4 Packet modification attacks ………………………………………………… 1

es ………………………………………………………...… 17.6.6 Separation of authenticator and backend authentication server ………...….. 1

ng ………………………………………………………….…. 13utions ……………………………………………………… 13

C ………………………………………………………..……… 137.7.1.1 71M6541D/41F, 71M6542F (single phase), 71M6543/43H (polyphase) . 13

Time Clock (RTC) ……………………………………………...…….. 1M ………………………………………………………….……. 1

ons …………………………………………………..….. 17.7.3.1 MAX2990/MAX2991 …………………………………………..………. 1

2 ……………………………………………………………….. 1

AG Protocol ………………………………..…… 1………………………………………………………………. 1

8.2 FLAG Manufacturers ID …………………………………………………...….. 1cs of the FLAG Protocol ……………………………………….… 1

8.4 Physical medium for data transmission ………………………………...……… 18.4.1 Electrical interface with current loop ………………………………….…… 18.4.2 Electricity V.24/V.28 interface ……………………………………………... 14

…………………………………………………………..... 1468.4.3.1 Optical characteristics …………………………………………8.4.3.2 Transmitter and receiver ………………………………………………… 14

ssion ………………………………………………………… 14col …………………………………………………..……… 14

-21 (FLAG) ……………………………...……………… 148.8 Possible attacks to IEC62056-21 (FLAG) …………………………………..…. 1

……………………………………………………...……….. 8.8.2 Level 2, Password ………………………………………………………...… 1

acks …………………………………………….…………. 18.8.2.2 Brute force attacks ……………………………………………...……….. 1

e …………………………………………………………..…. 18.8.4 Level 4, Internal …………………………………………………

56-21 …………………………………………………….. 1phase electronic meter Enerlux Σ …………………………...………. 1

8.9.2 ACE6000 DC4 commercial and industrial multifunction meter ………..….. 15


bution ……………………………………….….... 132 PLC G3 ……………………………………………………. 133

) attacks ……………………………………………. 133 PSK ……………………………………..……………….. 133

………………………………...............… 133 attacks ………………………………………………… 134

es ………………………………………………………...… 135 tication server ………...….. 135

ng ………………………………………………………….…. 136 utions ……………………………………………………… 137

C ………………………………………………………..……… 138 ), 71M6543/43H (polyphase) . 138

TC) ……………………………………………...…….. 141 M ………………………………………………………….……. 141

………………………………..….. 142 ………………………………..………. 142

2 ……………………………………………………………….. 143

AG Protocol ………………………………..…… 144 ………………………………………………………………. 144

ID …………………………………………………...….. 144 G Protocol ……………………………………….… 144

nsmission ………………………………...……… 145 urrent loop ………………………………….…… 145

terface ……………………………………………... 146 …………………………………………………………..... 146

ristics …………………………………………………… 146 receiver ………………………………………………… 147

ssion ………………………………………………………… 148 col …………………………………………………..……… 148

(FLAG) ……………………………...……………… 149 21 (FLAG) …………………………………..…. 151

……………………………………………………...……….. 151 ………………………………………………...… 151

acks …………………………………………….…………. 151 ks ……………………………………………...……….. 151

………………………………………..…. 152 8.8.4 Level 4, Internal ………………………………………………………..…… 153

21 …………………………………………………….. 154 …………………………...………. 154

multifunction meter ………..….. 156


9. Comparisons between technolo 9.1 PRIME vs. PLC G3 ……………………………………………………………. 15 9.2 ZigBee vs. Raconet ……… 9.3 Bluetooth vs. Raconet ………………………………………………………….. 1 9.4 ZigBee vs. Bluetooth ……………………………………...…...…………….… 1 9.5 PLC vs. RF …………………………………………………………………….. 16 9.6 PLC vs. IEC62056-21 9.7 RF vs. IEC62056-21 ………………………………………………………….... 1

10. Tools for performing 10.1 Back Track ……………………………………… 10.1.1 Denial of Service (DoS) attack with 10.1.2 Man-in-the-Middle (MitM) attack 10.2 Specific attack to GPRS …… 10.3 Specific attack to wireless netwo 10.4 Specific attacks to ZigBee 10.5 Specific attacks to Bl 10.5.1 Blooover ……………………………….………................................…… 10.5.2 BTCrack ……………………………….……….........

11. Conclusion ……………………………………………………….... 18 12. Bibliography and ref

13. Glossary of terms …………………….....……………..………….. 1


9. Comparisons between technologies ……………..…………..……. 15G3 ……………………………………………………………. 15

9.2 ZigBee vs. Raconet ………………………………………….………..net ………………………………………………………….. 1

……………………………………...…...…………….… 1…………………………………………………………………….. 16

21 ……………………………………...…...……………… 11 ………………………………………………………….... 1

10. Tools for performing the attacks ……………..…………………. 110.1 Back Track ……………………………………………………………………. 110.1.1 Denial of Service (DoS) attack with Back Track……….……….......…….. 17

Middle (MitM) attack with Back Track …………………….... 110.2 Specific attack to GPRS ……………………………….……….......……..….. 1

ttack to wireless networks - Jamming ………………………..……. 110.4 Specific attacks to ZigBee - KillerBee ……………………………………….. 110.5 Specific attacks to Bluetooth …………………………………………………. 110.5.1 Blooover ……………………………….………................................……10.5.2 BTCrack ……………………………….……….................................…….. 18

on ……………………………………………………….... 18

12. Bibliography and references …………………….....…………….. 1

s …………………….....……………..………….. 1


gies ……………..…………..……. 157 G3 ……………………………………………………………. 157

………………………………….……….......…….. 160 net ………………………………………………………….. 162

……………………………………...…...…………….… 164 …………………………………………………………………….. 167

..……………… 170 1 ………………………………………………………….... 172

the attacks ……………..…………………. 174 ……………………………. 174

Back Track……….……….......…….. 179 with Back Track …………………….... 180

………………………….……….......……..….. 182 Jamming ………………………..……. 183 ……………………………………….. 184

uetooth …………………………………………………. 187 10.5.1 Blooover ……………………………….………................................…….. 187

........................…….. 188

on ……………………………………………………….... 189

erences …………………….....…………….. 191

s …………………….....……………..………….. 197


COLLABORATIONS Telecom BCN , UPC (Universitat Politècnica de Catalunya)

Department of Telecommunications Engineering, Faculty of Electrical Engineering, CTU (Czech Technical University)


LABORATIONS

Telecom BCN , UPC (Universitat Politècnica de Catalunya)

ment of Telecommunications Engineering, Faculty of Electrical Engineering, CTU (Czech Technical University)


ment of Telecommunications Engineering, Faculty of Electrical Engineering,


RESUM DEL PROJECTE

Aquest projecte realTechnical University, forma part d’un treball col·laboratiu dins el departament a llarg plaç per a l’estudi i el desenvolupament d’aplicacions software relacionades amb la seguretat de les tecnologieanalitzar els punts dèbils ,en quant a mecanismes de seguretat es refereix, dels estàndards de telecomunicacions que s’utilitzen per a la comunicació dels electròmetres intel·ligents dins del la tecnode aquests estàndards, s’han inclòs en el projecte estàndards basats en tecnologies dispars i diverses com poden ser la ràdiofreqüència, les PLC (PowerLine Communications) o els infrarojos.

Per a cadascuna d’aquestes tecnologies, podem trobar en el projecte una amplia descripció dels mecanismes de seguretat utilitzats per a cadascun per a l’encriptació dels missatges enviats, la protecció de les claus que utilitza, l’autentificació del terminals dla xarxa o la identificació per accedir a la xarxa. cada estàndard podem trobar una descripció dels possibles atacs que es factible realitzar per a vèncer les barreres de seguretat d’aquestes tecnologies. les característiques de cadascun dels estàndards, s’inclouen comparacions entre tots ells per destacar els punts dèbils i els punts forts vers la resta de tecnologies. I, per últim, podem trobar un recopilatori de un ampli ventall de eines tahardware, desenvolupades per telemàtica, que permeten realitzar varis dels atacs que poden afectar als protocols descrits.


RESUM DEL PROJECTE

Aquest projecte realitzat en el departament de telecomunicacions de la Czech Technical University, forma part d’un treball col·laboratiu dins el departament a llarg plaç per a l’estudi i el desenvolupament d’aplicacions software relacionades amb la seguretat de les tecnologies de Medició Intel· ligent. En aquest projecte es pretén analitzar els punts dèbils ,en quant a mecanismes de seguretat es refereix, dels estàndards de telecomunicacions que s’utilitzen per a la comunicació dels electròmetres intel·ligents dins del la tecnologia del Smart Metering. Per tal de veure un ampli ventall de aquests estàndards, s’han inclòs en el projecte estàndards basats en tecnologies dispars i diverses com poden ser la ràdiofreqüència, les PLC (PowerLine Communications) o els infrarojos.

cadascuna d’aquestes tecnologies, podem trobar en el projecte una amplia descripció dels mecanismes de seguretat utilitzats per a cadascun per a l’encriptació dels missatges enviats, la protecció de les claus que utilitza, l’autentificació del terminals dla xarxa o la identificació per accedir a la xarxa. Per acabar la descripció detallada de cada estàndard podem trobar una descripció dels possibles atacs que es factible realitzar per a vèncer les barreres de seguretat d’aquestes tecnologies. Un cop vistles característiques de cadascun dels estàndards, s’inclouen comparacions entre tots ells per destacar els punts dèbils i els punts forts vers la resta de tecnologies. I, per últim, podem trobar un recopilatori de un ampli ventall de eines tant de software com de hardware, desenvolupades per a l’investigació dels professionals de la seguretat en telemàtica, que permeten realitzar varis dels atacs que poden afectar als protocols


itzat en el departament de telecomunicacions de la Czech Technical University, forma part d’un treball col·laboratiu dins el departament a llarg plaç per a l’estudi i el desenvolupament d’aplicacions software relacionades amb la

En aquest projecte es pretén analitzar els punts dèbils ,en quant a mecanismes de seguretat es refereix, dels estàndards de telecomunicacions que s’utilitzen per a la comunicació dels electròmetres

logia del Smart Metering. Per tal de veure un ampli ventall de aquests estàndards, s’han inclòs en el projecte estàndards basats en tecnologies dispars i diverses com poden ser la ràdiofreqüència, les PLC (PowerLine

cadascuna d’aquestes tecnologies, podem trobar en el projecte una amplia descripció dels mecanismes de seguretat utilitzats per a cadascun per a l’encriptació dels missatges enviats, la protecció de les claus que utilitza, l’autentificació del terminals de

Per acabar la descripció detallada de cada estàndard podem trobar una descripció dels possibles atacs que es factible realitzar

Un cop vistes amb detall les característiques de cadascun dels estàndards, s’inclouen comparacions entre tots ells per destacar els punts dèbils i els punts forts vers la resta de tecnologies. I, per últim,

nt de software com de professionals de la seguretat en

telemàtica, que permeten realitzar varis dels atacs que poden afectar als protocols


RESUMEN DEL PROYECTO

Este proyecto realizadoTechnical University, forma parte de unlargo plazo para el estudioseguridad de las tecnologíaanalizar los puntos débiles,estándares de telecomunicacioneselectrómetros inteligentes amplio abanico de estos estándaresen tecnologías dispares y(PowerLine Communications

Para cada una de estasdescripción de los mecanismosde los mensajes enviados, la protección los terminales de la red odescripción detallada de cada estándarposibles ataques que es factible realizartecnologías. Una vez vistasse incluyen comparacionespuntos fuertes hacia el resto derecopilatorio de un amplio abanico dehardware, desarrolladas patelemática, que permiten realizarprotocolos descritos.


RESUMEN DEL PROYECTO

realizado en el departamento de telecomunicaciones de laforma parte de un trabajo colaborativo dentro del departamento

y el desarrollo de aplicaciones software relacionadas con la de las tecnologías de Medición Inteligente. En este proyecto

débiles, en cuanto a mecanismos de seguridad se refiere, dede telecomunicaciones que se utilizan para la comunicación de los

dentro del la tecnología del Smart Meteringestos estándares, se han incluido en el proyecto estándares

y diversas como pueden ser la radiofrecuencia,Communications) o los infrarrojos.

cada una de estas tecnologías, podemos encontrar en el proyectomecanismos de seguridad utilizados en cada uno para la encriptación

, la protección de las claves que utiliza, la autentificación dered o la identificación para acceder a la red. Para terminar la

cada estándar podemos encontrar una descripción de losfactible realizar para vencer las barreras de seguridad

vistas con detalle las características de cada uno de loscomparaciones entre todos ellos para destacar los puntos

hacia el resto de tecnologías. Y, por último, podemos encontrar un un amplio abanico de herramientas tanto de software como de

, desarrolladas para la investigación de los profesionales de la seguridad enque permiten realizar varios de los ataques que pueden afectar a los


de telecomunicaciones de la Czech dentro del departamento a

relacionadas con la proyecto se pretende

se refiere, de los la comunicación de los

Metering. Para ver un estándares basados

radiofrecuencia, las PLC

en el proyecto una amplia para la encriptación

la autentificación de Para terminar la

descripción de los de seguridad de estas

cada uno de los estándares, puntos débiles y los

, podemos encontrar un software como de de la seguridad en

pueden afectar a los


ABSTRACT

This project has been accomplished inEngineering of the Czech Technical University, as athe department to long-term study thesecurity in technologies weaknesses, concerned in standards that are used for communicationSmart Metering. A wide rangestandards based on different(PowerLine Communications

For each of these technologiesthe security mechanisms messages, protect the keys usedto access the network. To complete thedescription of possible attacksof these technologies. Oncenext steps for the analysis are the weaknesses and strengths finally, there can be foundhardware, developed for performing various attacks


project has been accomplished in the Department of Telecommunications Technical University, as a part of a collaborative work

term study the development of software applications for Smart Metering. This project aims to analyze terms of security mechanisms, of the telecommunications

for communication with smart meter technologyA wide range of these standards have been included in the draft

different technologies such as the radio frequencyCommunications) or infrared.

these technologies, there can be found an extensive used for each of them for the purpose of

keys used, authentication of terminals and networkTo complete the description of each standard there can be found

possible attacks that may make possible to overcome the Once viewed in detail the characteristics of each of the

next steps for the analysis are the comparisons between them to highlight of each one of them towards the other technologies

there can be found a compilation of a wide range of tools, both research of security professionals, which may that can affect the protocols described.


Department of Telecommunications collaborative work within

plications related to aims to analyze the

telecommunications with smart meter technology inside the

included in the draft the radio frequency, the PLC

an extensive description of of them for the purpose of encryption of

network identification there can be found a

security barriers of each of the standards,

to highlight the technologies. And both software and

which may allow


LIST OF FIGURES

Figure 2.1.GPRS network .....………………………………………………………..... 14Figure 2.2.GPRS Protocol stack …..…......…………………………………………… 16Figure 2.3.A3 and A8 algorithm ..…....……………………………………………….. 19Figure 2.4.GPRS Authentication and ciphering ...….………………………………… 20Figure 2.5.GPRS A5 algorithm ...…..………………………………………………… 21Figure 2.6.Man-in-the-middle attack ...…….........……………………………………. 25Figure 3.1.ZigBee/802.15.4 Communication stack …….....………………………...... 32Figure 3.2.Operational frequency bands 802.15.4 PHY ........………………………… 33Figure 3.3.Modulation and spreading functions ………….…………………………... 33Figure 3.4.PHY reference model …..………………………….……………………… 34Figure 3.5.MAC sublayer reference model ..……………….………………………… 35Figure 3.6.ZigBee Network Layer ...………………………….………………………. 36Figure 3.7.Architecture of wireless meterFigure 3.8.ZigBee Application Layer ...………………………………………………. 37Figure 3.9.ACL entry format ……………………………………………………….. ...40Figure 3.10.802.15.4 Security suites ...……………………………………………….. 41Figure 3.11.Format of the input xFigure 3.12.Formatting of the data field for AESFigure 3.13.AES-CTR suite ...………………………………………………………… 43Figure 3.14.AES-CBC-MAC suite …………………………………………………… 44Figure 3.15.ZigBee device and TC interaction …..…………………………………… 49Figure 3.16.NWK layer secured frame structure ……………………………………...Figure 3.17.APS Command frames ...………………………………………………… 50Figure 3.18.SKKE Protocol (H: Hash function, MAC: HMAC function, ||: Concatenation, 0x: Hexadecimal) …………………………………………………….. 51Figure 3.19.MEA Protocol (MAC: HMAC function, ||: Concatenation, 0x:Hexadecimal) .……………………………………………………………………........ 52Figure 3.20.Exhaustion attack ...……………………………………………………… 54Figure 3.21.Collision attack …………………………………………………………... 55Figure 3.22.Unfairness attack ...………………………………………………………. 56Figure 3.23.Route disruptionFigure 3.24.Route disruption in the cluster tree attack (compromised coordinator) ..... 57Figure 3.25.Loop in the clusterFigure 3.26.Polyphase electricity meter diaFigure 3.27.CC2530 block diagram …..……………………………………………… 60Figure 3.28.CC2530 general characteristics ..………………………………………… 61Figure 4.1.Raconet network example deployment ...…………………………………. 62Figure 4.2.System layout of a raconet netFigure 4.3.Route disruption in the cluster tree attack (compromised coordinator) …... 65Figure 4.4.Raconet MAUS functions ..……………………………………………….. 68


LIST OF FIGURES

Figure 2.1.GPRS network .....………………………………………………………..... 14Figure 2.2.GPRS Protocol stack …..…......…………………………………………… 16

lgorithm ..…....……………………………………………….. 19Figure 2.4.GPRS Authentication and ciphering ...….………………………………… 20Figure 2.5.GPRS A5 algorithm ...…..………………………………………………… 21

middle attack ...…….........……………………………………. 2515.4 Communication stack …….....………………………...... 32

Figure 3.2.Operational frequency bands 802.15.4 PHY ........………………………… 33Figure 3.3.Modulation and spreading functions ………….…………………………... 33Figure 3.4.PHY reference model …..………………………….……………………… 34

e 3.5.MAC sublayer reference model ..……………….………………………… 35Figure 3.6.ZigBee Network Layer ...………………………….………………………. 36Figure 3.7.Architecture of wireless meter-reading system ….………………………... 37Figure 3.8.ZigBee Application Layer ...………………………………………………. 37igure 3.9.ACL entry format ……………………………………………………….. ...40

Figure 3.10.802.15.4 Security suites ...……………………………………………….. 41Figure 3.11.Format of the input xi to the block cipher for the AES-CTR ...………….. 42Figure 3.12.Formatting of the data field for AES-CTR ……………………………… 42

CTR suite ...………………………………………………………… 43MAC suite …………………………………………………… 44

Figure 3.15.ZigBee device and TC interaction …..…………………………………… 49Figure 3.16.NWK layer secured frame structure ……………………………………...Figure 3.17.APS Command frames ...………………………………………………… 50Figure 3.18.SKKE Protocol (H: Hash function, MAC: HMAC function, ||: Concatenation, 0x: Hexadecimal) …………………………………………………….. 51Figure 3.19.MEA Protocol (MAC: HMAC function, ||: Concatenation, 0x:Hexadecimal) .……………………………………………………………………........ 52Figure 3.20.Exhaustion attack ...……………………………………………………… 54Figure 3.21.Collision attack …………………………………………………………... 55Figure 3.22.Unfairness attack ...………………………………………………………. 56Figure 3.23.Route disruption in the cluster tree attack (compromised device) ...…….. 56Figure 3.24.Route disruption in the cluster tree attack (compromised coordinator) ..... 57Figure 3.25.Loop in the cluster-tree ….………………………………………………. 58Figure 3.26.Polyphase electricity meter diagram …………………………………….. 59Figure 3.27.CC2530 block diagram …..……………………………………………… 60Figure 3.28.CC2530 general characteristics ..………………………………………… 61Figure 4.1.Raconet network example deployment ...…………………………………. 62Figure 4.2.System layout of a raconet network .…………………………………….... 63Figure 4.3.Route disruption in the cluster tree attack (compromised coordinator) …... 65Figure 4.4.Raconet MAUS functions ..……………………………………………….. 68


Figure 2.1.GPRS network .....………………………………………………………..... 14 Figure 2.2.GPRS Protocol stack …..…......…………………………………………… 16

lgorithm ..…....……………………………………………….. 19 Figure 2.4.GPRS Authentication and ciphering ...….………………………………… 20 Figure 2.5.GPRS A5 algorithm ...…..………………………………………………… 21

middle attack ...…….........……………………………………. 25 15.4 Communication stack …….....………………………...... 32

Figure 3.2.Operational frequency bands 802.15.4 PHY ........………………………… 33 Figure 3.3.Modulation and spreading functions ………….…………………………... 33 Figure 3.4.PHY reference model …..………………………….……………………… 34

e 3.5.MAC sublayer reference model ..……………….………………………… 35 Figure 3.6.ZigBee Network Layer ...………………………….………………………. 36

reading system ….………………………... 37 Figure 3.8.ZigBee Application Layer ...………………………………………………. 37 igure 3.9.ACL entry format ……………………………………………………….. ...40

Figure 3.10.802.15.4 Security suites ...……………………………………………….. 41 CTR ...………….. 42

R ……………………………… 42 CTR suite ...………………………………………………………… 43

MAC suite …………………………………………………… 44 Figure 3.15.ZigBee device and TC interaction …..…………………………………… 49 Figure 3.16.NWK layer secured frame structure ……………………………………... 49 Figure 3.17.APS Command frames ...………………………………………………… 50 Figure 3.18.SKKE Protocol (H: Hash function, MAC: HMAC function, ||: Concatenation, 0x: Hexadecimal) …………………………………………………….. 51 Figure 3.19.MEA Protocol (MAC: HMAC function, ||: Concatenation, 0x: Hexadecimal) .……………………………………………………………………........ 52 Figure 3.20.Exhaustion attack ...……………………………………………………… 54 Figure 3.21.Collision attack …………………………………………………………... 55 Figure 3.22.Unfairness attack ...………………………………………………………. 56

in the cluster tree attack (compromised device) ...…….. 56 Figure 3.24.Route disruption in the cluster tree attack (compromised coordinator) ..... 57

tree ….………………………………………………. 58 gram …………………………………….. 59

Figure 3.27.CC2530 block diagram …..……………………………………………… 60 Figure 3.28.CC2530 general characteristics ..………………………………………… 61 Figure 4.1.Raconet network example deployment ...…………………………………. 62

work .…………………………………….... 63 Figure 4.3.Route disruption in the cluster tree attack (compromised coordinator) …... 65 Figure 4.4.Raconet MAUS functions ..……………………………………………….. 68


Figure 4.5.Raconet network system connection through RNMB Gateway ..………… 69Figure 4.6.Dependence on cable diameters and cable lengths of data transfer rates ..... 70Figure 4.7.M-Bus Bit-transfer …...…………………………………………………… 70Figure 5.1.Bluetooth stack ……………………………………………………………. 74Figure 5.2.RSSI dynamic range and accuracy ………………………………Figure 5.3.Functional blocks of the Bluetooth system …………………………..…… 76Figure 5.4.Piconets with a single slave operation (a), a multiscatternet operation (c) …………………………………………………………..…… 77Figure 5.5.L2CAP within protocoFigure 5.6.Bluetooth Profiles …………………………………………………….…… 80Figure 5.7.Bluetooth security chain of eventsFigure 5.8.Bluetooth security entities ………………………………………...………. 83Figure 5.9.SAFER block cipher ……………Figure 5.10.Link Key generation ……………………………………………...……… 85Figure 5.11.Bluetooth Authentication……………………………………………….... 86Figure 5.12.Bluetooth encryption procedure …………………………….…………… 87Figure 5.13.Two-sided relay attackFigure 5.14.One-sided relay attack …………………………………………………… 92Figure 6.1.PRIME low voltage sample scenario …...………………………………… 95Figure 6.2.PRIME Layers definition …...…………………………………………….. 96Figure 6.3.PHY Layer transmitter block diagram ...………………………Figure 6.4.PRIME PHY layer parameters ...………………………………………….. 97Figure 6.5.Key derivation algorithm ………………………………………..……..... 101Figure 6.6.Encryption algorithm ...……………...…………………………………... 104Figure 6.7.Transmitter Module Architecture ……………………………Figure 6.8.Receiver Module Architecture ………………………………………..…. 106Figure 6.9.ADD1021 SoC block diagram ……………………………………...…… 110Figure 7.1.PLC OFDM G3 metering communication profile …………………..…... 111Figure 7.2.OFDM Block transceiver …………………………………Figure 7.3.PLC G3 PHY layer parameters ………………………………………….. 113Figure 7.4.RADIUS Authentication procedure ……………………………………... 118Figure 7.5.LBP and EAP Relaying capabilities …………………………………….. 120Figure 7.6.Confidentiality at MAC and EAPFigure 7.7.AKEP2 round trip exchange …………………………………………….. 122Figure 7.8.EAP-PSK Key Hierarchy overview …………………………………...… 125Figure 7.9.Smart meter block diagram ……………………………………………… 131Figure 7.10.71M6543F/71M6543H polyphase meterinFigure 7.11.71M6541D/71M6541F singleFigure 7.12.DS3231M RTC block diagram ………………………………………… 135Figure 7.13.MAX2990 and MAX2991 block diagrams …………………………….. 136Figure 7.14.MAX2992 block dFigure 8.1.Electrical interface parameters …………………………………………... 139Figure 8.2.Arrangement and dimensions of components of probe heads …………... 140


Figure 4.5.Raconet network system connection through RNMB Gateway ..………… 69ure 4.6.Dependence on cable diameters and cable lengths of data transfer rates ..... 70

transfer …...…………………………………………………… 70Figure 5.1.Bluetooth stack ……………………………………………………………. 74Figure 5.2.RSSI dynamic range and accuracy ………………………………Figure 5.3.Functional blocks of the Bluetooth system …………………………..…… 76

Piconets with a single slave operation (a), a multi-slave operation (b) and a ) …………………………………………………………..…… 77

Figure 5.5.L2CAP within protocol layers ……………………………………………. 79Figure 5.6.Bluetooth Profiles …………………………………………………….…… 80

Bluetooth security chain of events ………………………………………... 82Figure 5.8.Bluetooth security entities ………………………………………...………. 83Figure 5.9.SAFER block cipher ……………………………………………………… 84Figure 5.10.Link Key generation ……………………………………………...……… 85Figure 5.11.Bluetooth Authentication……………………………………………….... 86Figure 5.12.Bluetooth encryption procedure …………………………….…………… 87

sided relay attack ……………………………………..sided relay attack …………………………………………………… 92

Figure 6.1.PRIME low voltage sample scenario …...………………………………… 95Figure 6.2.PRIME Layers definition …...…………………………………………….. 96Figure 6.3.PHY Layer transmitter block diagram ...………………………Figure 6.4.PRIME PHY layer parameters ...………………………………………….. 97Figure 6.5.Key derivation algorithm ………………………………………..……..... 101Figure 6.6.Encryption algorithm ...……………...…………………………………... 104Figure 6.7.Transmitter Module Architecture ……………………………Figure 6.8.Receiver Module Architecture ………………………………………..…. 106Figure 6.9.ADD1021 SoC block diagram ……………………………………...…… 110Figure 7.1.PLC OFDM G3 metering communication profile …………………..…... 111Figure 7.2.OFDM Block transceiver …………………………………………...….... 112Figure 7.3.PLC G3 PHY layer parameters ………………………………………….. 113Figure 7.4.RADIUS Authentication procedure ……………………………………... 118Figure 7.5.LBP and EAP Relaying capabilities …………………………………….. 120Figure 7.6.Confidentiality at MAC and EAP-PSK levels …………………………... 121Figure 7.7.AKEP2 round trip exchange …………………………………………….. 122

PSK Key Hierarchy overview …………………………………...… 125Figure 7.9.Smart meter block diagram ……………………………………………… 131Figure 7.10.71M6543F/71M6543H polyphase metering SoCs diagram …………… 133Figure 7.11.71M6541D/71M6541F single-phase metering SoCs block diagram …... 134Figure 7.12.DS3231M RTC block diagram ………………………………………… 135Figure 7.13.MAX2990 and MAX2991 block diagrams …………………………….. 136Figure 7.14.MAX2992 block diagram ……………………………………………… 137Figure 8.1.Electrical interface parameters …………………………………………... 139Figure 8.2.Arrangement and dimensions of components of probe heads …………... 140


Figure 4.5.Raconet network system connection through RNMB Gateway ..………… 69 ure 4.6.Dependence on cable diameters and cable lengths of data transfer rates ..... 70

transfer …...…………………………………………………… 70 Figure 5.1.Bluetooth stack ……………………………………………………………. 74 Figure 5.2.RSSI dynamic range and accuracy ………………………………………... 75 Figure 5.3.Functional blocks of the Bluetooth system …………………………..…… 76

slave operation (b) and a ) …………………………………………………………..…… 77

l layers ……………………………………………. 79 Figure 5.6.Bluetooth Profiles …………………………………………………….…… 80

………………………………………... 82 Figure 5.8.Bluetooth security entities ………………………………………...………. 83

………………………………………… 84 Figure 5.10.Link Key generation ……………………………………………...……… 85 Figure 5.11.Bluetooth Authentication……………………………………………….... 86 Figure 5.12.Bluetooth encryption procedure …………………………….…………… 87

……………………………………...…………… 91 sided relay attack …………………………………………………… 92

Figure 6.1.PRIME low voltage sample scenario …...………………………………… 95 Figure 6.2.PRIME Layers definition …...…………………………………………….. 96 Figure 6.3.PHY Layer transmitter block diagram ...………………………………….. 97 Figure 6.4.PRIME PHY layer parameters ...………………………………………….. 97 Figure 6.5.Key derivation algorithm ………………………………………..……..... 101 Figure 6.6.Encryption algorithm ...……………...…………………………………... 104 Figure 6.7.Transmitter Module Architecture ………………………………..………. 105 Figure 6.8.Receiver Module Architecture ………………………………………..…. 106 Figure 6.9.ADD1021 SoC block diagram ……………………………………...…… 110 Figure 7.1.PLC OFDM G3 metering communication profile …………………..…... 111

………...….... 112 Figure 7.3.PLC G3 PHY layer parameters ………………………………………….. 113 Figure 7.4.RADIUS Authentication procedure ……………………………………... 118 Figure 7.5.LBP and EAP Relaying capabilities …………………………………….. 120

evels …………………………... 121 Figure 7.7.AKEP2 round trip exchange …………………………………………….. 122

PSK Key Hierarchy overview …………………………………...… 125 Figure 7.9.Smart meter block diagram ……………………………………………… 131

g SoCs diagram …………… 133 phase metering SoCs block diagram …... 134

Figure 7.12.DS3231M RTC block diagram ………………………………………… 135 Figure 7.13.MAX2990 and MAX2991 block diagrams …………………………….. 136

iagram ……………………………………………… 137 Figure 8.1.Electrical interface parameters …………………………………………... 139 Figure 8.2.Arrangement and dimensions of components of probe heads …………... 140


Figure 8.3.Testing for the transmitter and receiver arrangement …………………… 141Figure 8.4.Setting the block check character ………………………………………... 143Figure 10.1.PLC Back Track 5 ………………………………………………….…... 167Figure 10.2.Network analysis menu in Back Track 5 ………………………………. 168Figure 10.3.Wireshark ……………………………………………………….……… 169Figure 10.4.John the ripper password cracker……………………………………...... 170Figure 10.5.GNU MAC Changer ………………………………………………….... 171Figure 10.6.Zenmap network scan ……………………………………………...…... 172Figure 10.7.Jammers ……………………………………………………………….... 176Figure 10.8.AVZ RZ Raven USB sFigure 10.9.Zbdsniff network key capture ……………………………………..…… 178Figure 10.10.Zbreplay performing a replay attack ………………………………..… 178Figure 10.11.Zbfind searching ZigBee devices ……………………………………... 178Figure 10.12.Bloover II settings ………………………………………………..…… 179Figure 10.13.BTCrack example ………………………………………………...…… 180


Figure 8.3.Testing for the transmitter and receiver arrangement …………………… 141ure 8.4.Setting the block check character ………………………………………... 143

Figure 10.1.PLC Back Track 5 ………………………………………………….…... 167Figure 10.2.Network analysis menu in Back Track 5 ………………………………. 168Figure 10.3.Wireshark ……………………………………………………….……… 169

ohn the ripper password cracker……………………………………...... 170Figure 10.5.GNU MAC Changer ………………………………………………….... 171Figure 10.6.Zenmap network scan ……………………………………………...…... 172Figure 10.7.Jammers ……………………………………………………………….... 176Figure 10.8.AVZ RZ Raven USB sticks, AT90USB1287 and AT86RF230 ……….. 177Figure 10.9.Zbdsniff network key capture ……………………………………..…… 178Figure 10.10.Zbreplay performing a replay attack ………………………………..… 178Figure 10.11.Zbfind searching ZigBee devices ……………………………………... 178

Bloover II settings ………………………………………………..…… 179Figure 10.13.BTCrack example ………………………………………………...…… 180


Figure 8.3.Testing for the transmitter and receiver arrangement …………………… 141 ure 8.4.Setting the block check character ………………………………………... 143

Figure 10.1.PLC Back Track 5 ………………………………………………….…... 167 Figure 10.2.Network analysis menu in Back Track 5 ………………………………. 168 Figure 10.3.Wireshark ……………………………………………………….……… 169

ohn the ripper password cracker……………………………………...... 170 Figure 10.5.GNU MAC Changer ………………………………………………….... 171 Figure 10.6.Zenmap network scan ……………………………………………...…... 172 Figure 10.7.Jammers ……………………………………………………………….... 176

ticks, AT90USB1287 and AT86RF230 ……….. 177 Figure 10.9.Zbdsniff network key capture ……………………………………..…… 178 Figure 10.10.Zbreplay performing a replay attack ………………………………..… 178 Figure 10.11.Zbfind searching ZigBee devices ……………………………………... 178

Bloover II settings ………………………………………………..…… 179 Figure 10.13.BTCrack example ………………………………………………...…… 180


1. Introduction

Electricity suppliers and researchers have been developing since a few time ago communication systems to impurposes on electricity. Many deployments have been installed already and many devices and different technologies have appeared on the market already. This system is known as Automated Meter Reading o

During the past years, meters have been improving a lot and this improvement is going to go further by providing more services. Nowadays they are capable of performing a lot more functions than they used to, its accuracy has improved andincorporate capabilities for control configuration and avoiding tampering.

The goal of smart metering technologies is being capable of collecting data from electricity meters automatically as well as sends commands to the meters remotely and protecting the energy supplying companies from energy theft or tampering on the electricity meters. This way meter measurements can reach the electricity supplying company and customers billing can be performed without the need of an operator visiting customer’s home either if it is a private user or an enterprise. Obviously, onmetering can be done with this meters too, which is not useless since it may be necessary for revising the well performance of the meter and because many information can be obtained from smart meters apart from billing. Smart meters register energy consumption not only monthly but from their registers energy consumption from short periods of time can be obtained which may lead to a wide range of applications both for users and for energy suppliers such as time-of-use concept for billing or enabling customers to make informed decisions.

The most important element for implementing such a system is communications between meters and energy sutechnologies as well as different standards and private system architectures to use these technologies are presented and compared between them. The paper is focused on a key aspect of these technologies which is its security features and the possible attacks they may suffer. Since one of the goals of smart metering technologies is protecting the meters from tampering and manipulation of the data on the network, security features became one of the most important parts of this technologies deployment.

Many different technologies are described here including two narrowband PLC implementations, PRIME and G3; three radiofrequency implementations Raconet, Bluetooth and ZigBee; GPRS and optical infrared implementations only implement the physical, MAC, and adaptation layers of the system and require application layer protocols such as DLMS/COSEM, which is widely used, in order to implement smart metering networks. In the radiofrequency technologies, they implement all layers so they can directly implement smart metering networks without the need of any other protocols. Finally, regarding to the IEC62056-21 protocol it is significantly different from all o


Electricity suppliers and researchers have been developing since a few time ago communication systems to improve the system used nowadays for metering and billing purposes on electricity. Many deployments have been installed already and many devices and different technologies have appeared on the market already. This system is known as Automated Meter Reading or smart metering.

During the past years, meters have been improving a lot and this improvement is going to go further by providing more services. Nowadays they are capable of performing a lot more functions than they used to, its accuracy has improved andincorporate capabilities for control configuration and avoiding tampering.

The goal of smart metering technologies is being capable of collecting data from electricity meters automatically as well as sends commands to the meters remotely and

ing the energy supplying companies from energy theft or tampering on the electricity meters. This way meter measurements can reach the electricity supplying company and customers billing can be performed without the need of an operator

home either if it is a private user or an enterprise. Obviously, onmetering can be done with this meters too, which is not useless since it may be necessary for revising the well performance of the meter and because many information

rom smart meters apart from billing. Smart meters register energy consumption not only monthly but from their registers energy consumption from short periods of time can be obtained which may lead to a wide range of applications both for

gy suppliers such as reducing peak demand for energy, supporting the use concept for billing or enabling customers to make informed decisions.

The most important element for implementing such a system is communications between meters and energy supplier facilities. In the first part of this paper different technologies as well as different standards and private system architectures to use these technologies are presented and compared between them. The paper is focused on a key

ologies which is its security features and the possible attacks they may suffer. Since one of the goals of smart metering technologies is protecting the meters from tampering and manipulation of the data on the network, security features

most important parts of this technologies deployment.

Many different technologies are described here including two narrowband PLC implementations, PRIME and G3; three radiofrequency implementations Raconet, Bluetooth and ZigBee; GPRS and optical infrared protocol IEC62056-21. The two PLC implementations only implement the physical, MAC, and adaptation layers of the system and require application layer protocols such as DLMS/COSEM, which is widely used, in order to implement smart metering networks. In the case of the three radiofrequency technologies, they implement all layers so they can directly implement smart metering networks without the need of any other protocols. Finally, regarding to

21 protocol it is significantly different from all others. Capabilities of this


Electricity suppliers and researchers have been developing since a few time ago prove the system used nowadays for metering and billing

purposes on electricity. Many deployments have been installed already and many devices and different technologies have appeared on the market already. This system is

During the past years, meters have been improving a lot and this improvement is going to go further by providing more services. Nowadays they are capable of performing a lot more functions than they used to, its accuracy has improved and they incorporate capabilities for control configuration and avoiding tampering.

The goal of smart metering technologies is being capable of collecting data from electricity meters automatically as well as sends commands to the meters remotely and

ing the energy supplying companies from energy theft or tampering on the electricity meters. This way meter measurements can reach the electricity supplying company and customers billing can be performed without the need of an operator

home either if it is a private user or an enterprise. Obviously, on-site metering can be done with this meters too, which is not useless since it may be necessary for revising the well performance of the meter and because many information

rom smart meters apart from billing. Smart meters register energy consumption not only monthly but from their registers energy consumption from short periods of time can be obtained which may lead to a wide range of applications both for

reducing peak demand for energy, supporting the use concept for billing or enabling customers to make informed decisions.

The most important element for implementing such a system is communications pplier facilities. In the first part of this paper different

technologies as well as different standards and private system architectures to use these technologies are presented and compared between them. The paper is focused on a key

ologies which is its security features and the possible attacks they may suffer. Since one of the goals of smart metering technologies is protecting the meters from tampering and manipulation of the data on the network, security features

most important parts of this technologies deployment.

Many different technologies are described here including two narrowband PLC implementations, PRIME and G3; three radiofrequency implementations Raconet,

21. The two PLC implementations only implement the physical, MAC, and adaptation layers of the system and require application layer protocols such as DLMS/COSEM, which is widely

case of the three radiofrequency technologies, they implement all layers so they can directly implement smart metering networks without the need of any other protocols. Finally, regarding to

thers. Capabilities of this


protocol permit only local data readout exchange from smart meters. However, by using other protocols such as DLMS/COSEM for application implementations, it can lead to the deployment of smart metering systems too. Besides, thisused with smart meters when local readout of data is to be made since is very simple and quickly to use with a hand held unit in front of a smart meter.

Finally on this paper, a description about the tools that may be used to pattacks to the technologies described can be found. Many of them, as well as, tools for performing attacks, are tools used by security professionals in order to test the security of the networks an enterprise may plan and to study the attacks that min order to improve security features.


protocol permit only local data readout exchange from smart meters. However, by using other protocols such as DLMS/COSEM for application implementations, it can lead to the deployment of smart metering systems too. Besides, this protocol is the one mainly used with smart meters when local readout of data is to be made since is very simple and quickly to use with a hand held unit in front of a smart meter.

Finally on this paper, a description about the tools that may be used to pattacks to the technologies described can be found. Many of them, as well as, tools for performing attacks, are tools used by security professionals in order to test the security of the networks an enterprise may plan and to study the attacks that may be performed in order to improve security features.


protocol permit only local data readout exchange from smart meters. However, by using other protocols such as DLMS/COSEM for application implementations, it can lead to

protocol is the one mainly used with smart meters when local readout of data is to be made since is very simple

Finally on this paper, a description about the tools that may be used to perform attacks to the technologies described can be found. Many of them, as well as, tools for performing attacks, are tools used by security professionals in order to test the security

ay be performed


2. GPRS

2.1 Introduction

The General Packet Radio Service (GPRS) is a service that provides packet radio access for GSM users. Its core network allows transmit IP packets to external networks such as the integrated part of the GSM

Taking advantage of these features, GPRS enables the packet-oriented multimedia applications and services to mobile users, realizing the concept mobile Internet. For the successful implementation of the new emerging applications and services over GPRS, security is considered as a vibecause of the fact that wireless access is inherently less secure, and the radio transmission is by nature more susceptible to eavesdropping and fraud in use than wireline transmission. In addition, users mobility and the universal ahigher security risks compared to those encountered in fixed networks. In order to meet security objectives, GPRS uses a specific security architecture, which aims at protecting the network against unauthorized access and the primainly based on the security measures applied in GSM, since the GPRS system is built on the GSM infrastructure.

However, GPRS differs from GSM in certain operational and service points, which require a different securitis an open and wide deployed technology that presents many vulnerable points. Similarly to IP networks, intruders to the GPRS system may attempt to breach the confidentiality, integrity, availability oto compromise services, defraud users or any part of it. These attacks threaten network operation and data transfer through it, compromising end

Apart from security implementatiosaid. A huge range of different applications can be implemented using GPRS, such as the one this document talks about, Automated Meter Reading (AMR). In opposition to other technologies described in this document,data directly from the smart meters. Its propose is incorporating smart meter networks that directly extract data from meters, which implemented with short range standards such as IEC62056-21 or ZigBee, to Wide Area to note that those devices that are named in the GPRS standard as Mobile Stations (MS) are the smart meters in AMR applications and they are not mobile in this case.


The General Packet Radio Service (GPRS) is a service that provides packet radio access for GSM users. Its core network allows 2G, 3G and WCDMA

packets to external networks such as the Internet. The GPRS system is an network switching subsystem.

Taking advantage of these features, GPRS enables the provision of a variety of oriented multimedia applications and services to mobile users, realizing the

concept mobile Internet. For the successful implementation of the new emerging applications and services over GPRS, security is considered as a vital factor. This is because of the fact that wireless access is inherently less secure, and the radio transmission is by nature more susceptible to eavesdropping and fraud in use than wireline transmission. In addition, users mobility and the universal access to the network imply higher security risks compared to those encountered in fixed networks. In order to meet security objectives, GPRS uses a specific security architecture, which aims at protecting the network against unauthorized access and the privacy of users. This architecture is mainly based on the security measures applied in GSM, since the GPRS system is built

However, GPRS differs from GSM in certain operational and service points, which require a different security analysis. This is because GPRS is based on IP, which is an open and wide deployed technology that presents many vulnerable points. Similarly to IP networks, intruders to the GPRS system may attempt to breach the confidentiality, integrity, availability or otherwise attempt to abuse the system in order to compromise services, defraud users or any part of it. These attacks threaten network operation and data transfer through it, compromising end-users and network security.

Apart from security implementations, a few words about applications must be said. A huge range of different applications can be implemented using GPRS, such as the one this document talks about, Automated Meter Reading (AMR). In opposition to other technologies described in this document, GPRS technology is not used to extract data directly from the smart meters. Its propose is incorporating smart meter networks that directly extract data from meters, which implemented with short range standards

21 or ZigBee, to Wide Area Networks (WANs). It is also important to note that those devices that are named in the GPRS standard as Mobile Stations (MS) are the smart meters in AMR applications and they are not mobile in this case.


The General Packet Radio Service (GPRS) is a service that provides packet WCDMA networks to

. The GPRS system is an

provision of a variety of oriented multimedia applications and services to mobile users, realizing the

concept mobile Internet. For the successful implementation of the new emerging tal factor. This is

because of the fact that wireless access is inherently less secure, and the radio transmission is by nature more susceptible to eavesdropping and fraud in use than wireline

ccess to the network imply higher security risks compared to those encountered in fixed networks. In order to meet security objectives, GPRS uses a specific security architecture, which aims at protecting

vacy of users. This architecture is mainly based on the security measures applied in GSM, since the GPRS system is built

However, GPRS differs from GSM in certain operational and service points, y analysis. This is because GPRS is based on IP, which

is an open and wide deployed technology that presents many vulnerable points. Similarly to IP networks, intruders to the GPRS system may attempt to breach the

r otherwise attempt to abuse the system in order to compromise services, defraud users or any part of it. These attacks threaten network

users and network security.

ns, a few words about applications must be said. A huge range of different applications can be implemented using GPRS, such as the one this document talks about, Automated Meter Reading (AMR). In opposition to

GPRS technology is not used to extract data directly from the smart meters. Its propose is incorporating smart meter networks that directly extract data from meters, which implemented with short range standards

Networks (WANs). It is also important to note that those devices that are named in the GPRS standard as Mobile Stations (MS) are the smart meters in AMR applications and they are not mobile in this case.


2.2 GPRS network

The GPRS network has two major pmay be called the network itself, and the mobile stations (MS). The mobile users subscribed to network use its service to communicate over the radio interface. In the following figure the architecture of the G

2.2.1 Mobile stations (MS)

Two major components form a mobile station (MS): the mobile equipment (ME) and the SIM module.

A personal chip card SIM can be a fixed installed chip (plugexchangeable SIM module. The SIM is a secure microprocessorimplemented on a credit-cardtypes of SIM cards are used in GPRS, IDmemory, ROM, RAM, and EEPROM.

The ROM contains the operating system, the applications, and security algorithms A3 and A8, which implements important functions for the authentication and user data encryption based on the subscriber identity IMSI and secret keys. RAM is used to buffering transmission data and executing. The EEPROM consists of subscriber


The GPRS network has two major parts, the fixed installed infrastructure which may be called the network itself, and the mobile stations (MS). The mobile users subscribed to network use its service to communicate over the radio interface. In the following figure the architecture of the GPRS system is presented:

Figure 2.1. GPRS network [1]

2.2.1 Mobile stations (MS)

Two major components form a mobile station (MS): the mobile equipment (ME)

A personal chip card SIM can be a fixed installed chip (plugexchangeable SIM module. The SIM is a secure microprocessor-based environment

card-sized platform with on-board non-volatile memory. Two types of SIM cards are used in GPRS, ID-1 and plug-in card; and three types of

M, and EEPROM.

The ROM contains the operating system, the applications, and security algorithms A3 and A8, which implements important functions for the authentication and user data encryption based on the subscriber identity IMSI and secret keys. RAM is sed to buffering transmission data and executing. The EEPROM consists of subscriber


arts, the fixed installed infrastructure which may be called the network itself, and the mobile stations (MS). The mobile users subscribed to network use its service to communicate over the radio interface. In the

Two major components form a mobile station (MS): the mobile equipment (ME)

A personal chip card SIM can be a fixed installed chip (plug-in SIM) or an based environment

volatile memory. Two in card; and three types of

The ROM contains the operating system, the applications, and security algorithms A3 and A8, which implements important functions for the authentication and user data encryption based on the subscriber identity IMSI and secret keys. RAM is sed to buffering transmission data and executing. The EEPROM consists of subscriber


identification (IMSI, PIN), call number (IMSI and MSISDN), keys Knetwork-related information (TMSI, LAI), and the equipment identifier IMEI.

The security features supported by the SIM are authentication of the subscriber identity to the network, data confidentiality over the air interface, and file access conditions. It can support five access conditions. One of them is PIN which is used to control user access to the SIM. [1] [8]

2.2.2 The fixed network

From the side of the network, different system and database form it:

• The BSS (Base Station Subsystem):Station) and the BSC (Base Station Controller) together form the BSS. In theBSS the radio path is controlled. There, the BTS is responsible the radio coverage of a geographical area, while BSC maintains radio connections towards MSs and terrestrial connections towards the fixed core network.

• The HLR (Home Location Register):permanent subscriber data and the relevant temporary data of all subscribers permanently registered in the HLR. The IMSI (International Mobile Subscriber Identity) and authentication data are stored in it.

• The VLR (Visitor Location Regall MSs which are currently staying in the administrative area of the associated MSC. • The EIR (Equipment Identity Register):(supplied by the manufacturer) of the terminals (IMEI).• The AuC (Authentication Center):stored and generated in this subsystem.• The Mobile Service Switching Centre (MSC):network element responsible for circuit

The GPRS Support Nodes (GSN), adata packets between a MS and an external packet data network (PDN). More specifically, a Serving GSN (SGSN) is responsible for the delivery of data packets from, and to, a MS within its service area. Its taskmobility management, logical link management, and authentication and charging functions. A Gateway GSN (GGSN) acts as an interface between the GPRS backbone and an external PDN. It converts the GPRS packets coming froappropriate packet data protocol (PDP) format, which may be IP, X.25, etc, and forwards them to the corresponding PDN. Similar is the functionality of GGSN in the opposite direction. The communication between GSNs is based on IP tunnelsthe use of the GPRS Tunneling Protocol (GTP). [7] [8] [9]


identification (IMSI, PIN), call number (IMSI and MSISDN), keys Kirelated information (TMSI, LAI), and the equipment identifier IMEI.

y features supported by the SIM are authentication of the subscriber identity to the network, data confidentiality over the air interface, and file access conditions. It can support five access conditions. One of them is PIN which is used to

ccess to the SIM. [1] [8]

2.2.2 The fixed network

From the side of the network, different system and database form it:

The BSS (Base Station Subsystem): The BTS (Base Transceiver Station) and the BSC (Base Station Controller) together form the BSS. In theBSS the radio path is controlled. There, the BTS is responsible the radio coverage of a geographical area, while BSC maintains radio connections towards MSs and terrestrial connections towards the fixed core network.

The HLR (Home Location Register): This database stores all permanent subscriber data and the relevant temporary data of all subscribers permanently registered in the HLR. The IMSI (International Mobile Subscriber Identity) and authentication data are stored in it.

The VLR (Visitor Location Register): This database stores the data of all MSs which are currently staying in the administrative area of the associated

The EIR (Equipment Identity Register): stores the serials numbers (supplied by the manufacturer) of the terminals (IMEI).

(Authentication Center): Confidential data and keys are stored and generated in this subsystem.

The Mobile Service Switching Centre (MSC): This subsystem is a network element responsible for circuit-switched services. [13]

The GPRS Support Nodes (GSN), are responsible for the delivery and routing of data packets between a MS and an external packet data network (PDN). More specifically, a Serving GSN (SGSN) is responsible for the delivery of data packets from, and to, a MS within its service area. Its tasks include packet routing and transfer, mobility management, logical link management, and authentication and charging functions. A Gateway GSN (GGSN) acts as an interface between the GPRS backbone and an external PDN. It converts the GPRS packets coming from the SGSN into the appropriate packet data protocol (PDP) format, which may be IP, X.25, etc, and forwards them to the corresponding PDN. Similar is the functionality of GGSN in the opposite direction. The communication between GSNs is based on IP tunnelsthe use of the GPRS Tunneling Protocol (GTP). [7] [8] [9]


(128 bits long), related information (TMSI, LAI), and the equipment identifier IMEI.

y features supported by the SIM are authentication of the subscriber identity to the network, data confidentiality over the air interface, and file access conditions. It can support five access conditions. One of them is PIN which is used to

The BTS (Base Transceiver Station) and the BSC (Base Station Controller) together form the BSS. In the BSS the radio path is controlled. There, the BTS is responsible the radio coverage of a geographical area, while BSC maintains radio connections towards MSs and terrestrial connections towards the fixed core network.

database stores all permanent subscriber data and the relevant temporary data of all subscribers permanently registered in the HLR. The IMSI (International Mobile Subscriber

This database stores the data of all MSs which are currently staying in the administrative area of the associated

stores the serials numbers

Confidential data and keys are

This subsystem is a

re responsible for the delivery and routing of data packets between a MS and an external packet data network (PDN). More specifically, a Serving GSN (SGSN) is responsible for the delivery of data packets

s include packet routing and transfer, mobility management, logical link management, and authentication and charging functions. A Gateway GSN (GGSN) acts as an interface between the GPRS backbone

m the SGSN into the appropriate packet data protocol (PDP) format, which may be IP, X.25, etc, and forwards them to the corresponding PDN. Similar is the functionality of GGSN in the opposite direction. The communication between GSNs is based on IP tunnels through


2.3 GPRS protocol stack

A wide range of specific protocols are used in GPRS to cover the control and management of all layers and data transferring. Brief descriptions of their functionaliare presented below: [10]

• GPRS Tunneling Protocol (GTP):through the IP backbone by adding routing information. All other protocols described below are encapsulated in it.• Sub-Network Dependent Convergence Protocol (SNthat maps a networkprovides many others functions such as compression, segmentation and multiplexing of NWK layer messages to a single virtual connection.

• Logical Link Control reliable transfer of user data across a wireless network.• Base Station System GPRS Protocol (BSSGP):routing and QoS information for the BSS. It uses Frame Relay Q.922 core protocol as its transport mechanism.• GPRS Mobility Management (GMM):signalling plane of GPRS and handles mobility issues such as roaming, authentication and selection of encryption algorithms.• Network Service:between BSSGP and Frame Relay Q.922 core by mapping the first one’s service requests to the adequate Frame Relay services.• Base Station System Application Partdata connections and optimizes paging forcharge of location and routing update tasks as well as mobile station alerts. [10]• Radio Link Control MAC (RLC MAC):management of radio resources (frequency and time slots) are used and shared by the diverse mobile users. The uplink resources are shared based on a requestreservation mechanism, slotted

Figure 2.2. GPRS Protocol stack [77]


2.3 GPRS protocol stack

A wide range of specific protocols are used in GPRS to cover the control and management of all layers and data transferring. Brief descriptions of their functionali

GPRS Tunneling Protocol (GTP): This protocol tunnels data units through the IP backbone by adding routing information. All other protocols described below are encapsulated in it.

Network Dependent Convergence Protocol (SNDCP):that maps a network-level protocol, such as IP or X.25, to the underlying LLC. It provides many others functions such as compression, segmentation and multiplexing of NWK layer messages to a single virtual connection.

Logical Link Control (LLC): A data link layer protocol that assures the reliable transfer of user data across a wireless network.

Base Station System GPRS Protocol (BSSGP): This protocol processes routing and QoS information for the BSS. It uses Frame Relay Q.922 core

as its transport mechanism. GPRS Mobility Management (GMM): This protocol operates in the

signalling plane of GPRS and handles mobility issues such as roaming, authentication and selection of encryption algorithms.

Network Service: It manages the convergence sub-between BSSGP and Frame Relay Q.922 core by mapping the first one’s service requests to the adequate Frame Relay services.

Base Station System Application Part (BSSAP): It manages paging for data connections and optimizes paging for mobile subscribers. It is also in charge of location and routing update tasks as well as mobile station alerts. [10]

Radio Link Control MAC (RLC MAC): It is responsible for the management of radio resources (frequency and time slots) are used and shared y the diverse mobile users. The uplink resources are shared based on a request

reservation mechanism, slotted-ALOHA. [12]

Figure 2.2. GPRS Protocol stack [77]


A wide range of specific protocols are used in GPRS to cover the control and management of all layers and data transferring. Brief descriptions of their functionalities

This protocol tunnels data units through the IP backbone by adding routing information. All other protocols

DCP): A protocol level protocol, such as IP or X.25, to the underlying LLC. It

provides many others functions such as compression, segmentation and multiplexing of NWK layer messages to a single virtual connection.

A data link layer protocol that assures the

This protocol processes routing and QoS information for the BSS. It uses Frame Relay Q.922 core

This protocol operates in the signalling plane of GPRS and handles mobility issues such as roaming,

-layer operating between BSSGP and Frame Relay Q.922 core by mapping the first one’s service

It manages paging for mobile subscribers. It is also in

charge of location and routing update tasks as well as mobile station alerts. [10] It is responsible for the

management of radio resources (frequency and time slots) are used and shared y the diverse mobile users. The uplink resources are shared based on a request-


2.4 Security on GPRS

In order to meet security objectives, GPRS employs a set of security mechanisms that constitute the GPRS security architecture. Most of these mechanisms have been originally designed for GSM, but they have been modified to adapt to the packet oriented traffic nature and the GPRS network components. The GPRS security architecture includes the following components:

• Identities • Subscriber identity confidentiality

• GPRS Authentication• GPRS Ciphering

• GPRS backbone security

2.4.1 Identities

The association of the most important identifiers and their storage locations are summarized as follows: Subscriber is identified by IMSI, MSISDN, TMSI, MSRN; Mobile Equipment is identified by IMEI; IMSI, MSISDN, and MSRN are stored in HLR; The LMSI, MSRN, IMSI, TMSI, MSISDN, and LAI are stored in VLR; The IMSI, RAND, SRES, Ki, K

When registering for service with a mobile network operator, each subscriber receives a unique identifier, the IMSI is stored in the SIM. A mobile station can only be operated,IMSI is inserted into equipment with a valid IMSI, since this is the only way to correctly bill the appropriate subscriber. The IMSI consists of several parts: mobile country code (MCC): 3 decimal digits, internationally standardizedcode (MNC): 2 decimal digits, for unique identification of mobile networks within a country; Mobile Subscriber Identification Number (MSIN): maximum 10 decimal digits, identification number of the subscriber in his mobile home network.

The real telephone number of MS is MSISDN (Mobile Subscriber ISDN Number). The VLR responsible for the current location of a subscriber can assign a TMSI (Temporary Mobile Subscriber Identity) which has only local significance in the area handled by the VLR. addressing of the MS. This way nobody can determine the identity of the subscriber by listening to the radio channel, since this TMSI is only assigned during the mobile stations presence in the area of one VLR, and can even be changed during this period. The mobile station stores the TMSI on the SIM card. The TMSI is stored on the network side only in the VLR and is not passed to the HLR. The association between IMSI and TMSI is stored in the


2.4 Security on GPRS

In order to meet security objectives, GPRS employs a set of security hanisms that constitute the GPRS security architecture. Most of these mechanisms

have been originally designed for GSM, but they have been modified to adapt to the packet oriented traffic nature and the GPRS network components. The GPRS security

re includes the following components:

Subscriber identity confidentiality

GPRS Authentication GPRS Ciphering

GPRS backbone security

The association of the most important identifiers and their storage locations are s follows: Subscriber is identified by IMSI, MSISDN, TMSI, MSRN;

Mobile Equipment is identified by IMEI; IMSI, MSISDN, and MSRN are stored in HLR; The LMSI, MSRN, IMSI, TMSI, MSISDN, and LAI are stored in VLR; The

, Kc are stored in AUC. IMEI is stored in EIR.

When registering for service with a mobile network operator, each subscriber receives a unique identifier, the IMSI (International Mobile Subscriber Identity). This IMSI is stored in the SIM. A mobile station can only be operated, if a SIM with a valid IMSI is inserted into equipment with a valid IMSI, since this is the only way to correctly bill the appropriate subscriber. The IMSI consists of several parts: mobile country code (MCC): 3 decimal digits, internationally standardized; mobile Network code (MNC): 2 decimal digits, for unique identification of mobile networks within a country; Mobile Subscriber Identification Number (MSIN): maximum 10 decimal digits, identification number of the subscriber in his mobile home network.

e real telephone number of MS is MSISDN (Mobile Subscriber ISDN Number). The VLR responsible for the current location of a subscriber can assign a

(Temporary Mobile Subscriber Identity) which has only local significance in the It is used in place of the IMSI for definite identification and

addressing of the MS. This way nobody can determine the identity of the subscriber by listening to the radio channel, since this TMSI is only assigned during the mobile

he area of one VLR, and can even be changed during this period. The mobile station stores the TMSI on the SIM card. The TMSI is stored on the network side only in the VLR and is not passed to the HLR. The association between IMSI and TMSI is stored in the VLR.


In order to meet security objectives, GPRS employs a set of security hanisms that constitute the GPRS security architecture. Most of these mechanisms

have been originally designed for GSM, but they have been modified to adapt to the packet oriented traffic nature and the GPRS network components. The GPRS security

The association of the most important identifiers and their storage locations are s follows: Subscriber is identified by IMSI, MSISDN, TMSI, MSRN;

Mobile Equipment is identified by IMEI; IMSI, MSISDN, and MSRN are stored in HLR; The LMSI, MSRN, IMSI, TMSI, MSISDN, and LAI are stored in VLR; The

When registering for service with a mobile network operator, each subscriber (International Mobile Subscriber Identity). This

if a SIM with a valid IMSI is inserted into equipment with a valid IMSI, since this is the only way to correctly bill the appropriate subscriber. The IMSI consists of several parts: mobile

; mobile Network code (MNC): 2 decimal digits, for unique identification of mobile networks within a country; Mobile Subscriber Identification Number (MSIN): maximum 10 decimal digits, identification number of the subscriber in his mobile home network.

e real telephone number of MS is MSISDN (Mobile Subscriber ISDN Number). The VLR responsible for the current location of a subscriber can assign a

(Temporary Mobile Subscriber Identity) which has only local significance in the It is used in place of the IMSI for definite identification and

addressing of the MS. This way nobody can determine the identity of the subscriber by listening to the radio channel, since this TMSI is only assigned during the mobile

he area of one VLR, and can even be changed during this period. The mobile station stores the TMSI on the SIM card. The TMSI is stored on the network side only in the VLR and is not passed to the HLR. The association between


The MSRN (Mobile station Roaming Number) is a temporary locationdependent ISDN number which is assigned by the local VLR in its area. The (International Mobile Station Equipment Identity) uniquely identifies mobile equipment internationally. It is a kind of serial number. The IMEI is allocated by the equipment manufacture and registered by the network operator who stores it in EIR. By means of the IMEI one recognizes obsolete, stolen, or nonfunctional equipment. [1]

2.4.2 Subscriber identity co

Subscriber identity confidentiality includes mechanisms for the protection of the permanent identity (IMSI) when it is transferred in signaling messages, as well as measures that preclude the possibility to derive it indirectly from listenininformation at the radio path. Subscriber identity confidentiality is mainly achieved by using a Temporary Mobile subscriber Identity (TMSI), which identifies the mobile user in both the wireless and wired network segments. The TMSI has a locand, thus, it must be accompanied by the routing area identity (RAI) in order to avoid confusions. Only the MS, the serving VLR and SGSN know the relation between the active TMSI and the IMSI. [8]

The allocation of a new TMSI corresponds allocation of the previous one. When a new TMSI is allocated to the MS, it is transmitted to it in a ciphered mode. The MS stores the current TMSI and the associated RAI in a non-volatile memory, so that these data are not loff. Further to the TMSI, a Temporary Logical Link Identity (TLLI) identifies also a GPRS user on the radio interface of a routing area. Since the TLLI has a local significance, when it is exchanged between the MS and the SGSN, accompanied by the RAI. The TLLI is either derived from the TMSI allocated by the SGSN or built by the MS randomly, and, thus, provides identity confidentiality. The relationship between the TLLI and the IMSI is only known by the MS and the SG[1] [7] [8]

2.4.3 GPRS Authentication

When a MS starts a connection to GPRS network, it has to be authenticated before it is allowed to access to the network services. GPRS authentication procedures must be started as soon as one of the following sce

• A routing area update• A GPRS attach or detach

• A GPRS packet transfer


(Mobile station Roaming Number) is a temporary locationdependent ISDN number which is assigned by the local VLR in its area. The (International Mobile Station Equipment Identity) uniquely identifies mobile equipment

is a kind of serial number. The IMEI is allocated by the equipment manufacture and registered by the network operator who stores it in EIR. By means of the IMEI one recognizes obsolete, stolen, or nonfunctional equipment. [1]

2.4.2 Subscriber identity confidentiality

Subscriber identity confidentiality includes mechanisms for the protection of the permanent identity (IMSI) when it is transferred in signaling messages, as well as measures that preclude the possibility to derive it indirectly from listenininformation at the radio path. Subscriber identity confidentiality is mainly achieved by using a Temporary Mobile subscriber Identity (TMSI), which identifies the mobile user in both the wireless and wired network segments. The TMSI has a locand, thus, it must be accompanied by the routing area identity (RAI) in order to avoid confusions. Only the MS, the serving VLR and SGSN know the relation between the active TMSI and the IMSI. [8]

The allocation of a new TMSI corresponds implicitly for the MS to the deallocation of the previous one. When a new TMSI is allocated to the MS, it is transmitted to it in a ciphered mode. The MS stores the current TMSI and the associated

volatile memory, so that these data are not lost when the MS is switched off. Further to the TMSI, a Temporary Logical Link Identity (TLLI) identifies also a GPRS user on the radio interface of a routing area. Since the TLLI has a local significance, when it is exchanged between the MS and the SGSN, accompanied by the RAI. The TLLI is either derived from the TMSI allocated by the SGSN or built by the MS randomly, and, thus, provides identity confidentiality. The relationship between the TLLI and the IMSI is only known by the MS and the SG

2.4.3 GPRS Authentication

When a MS starts a connection to GPRS network, it has to be authenticated before it is allowed to access to the network services. GPRS authentication procedures must be started as soon as one of the following scenarios happens:

A routing area update A GPRS attach or detach

A GPRS packet transfer


(Mobile station Roaming Number) is a temporary location-dependent ISDN number which is assigned by the local VLR in its area. The IMEI (International Mobile Station Equipment Identity) uniquely identifies mobile equipment

is a kind of serial number. The IMEI is allocated by the equipment manufacture and registered by the network operator who stores it in EIR. By means of the IMEI one recognizes obsolete, stolen, or nonfunctional equipment. [1]

Subscriber identity confidentiality includes mechanisms for the protection of the permanent identity (IMSI) when it is transferred in signaling messages, as well as measures that preclude the possibility to derive it indirectly from listening to specific information at the radio path. Subscriber identity confidentiality is mainly achieved by using a Temporary Mobile subscriber Identity (TMSI), which identifies the mobile user in both the wireless and wired network segments. The TMSI has a local significance, and, thus, it must be accompanied by the routing area identity (RAI) in order to avoid confusions. Only the MS, the serving VLR and SGSN know the relation between the

implicitly for the MS to the de-allocation of the previous one. When a new TMSI is allocated to the MS, it is transmitted to it in a ciphered mode. The MS stores the current TMSI and the associated

ost when the MS is switched off. Further to the TMSI, a Temporary Logical Link Identity (TLLI) identifies also a GPRS user on the radio interface of a routing area. Since the TLLI has a local significance, when it is exchanged between the MS and the SGSN, it should be accompanied by the RAI. The TLLI is either derived from the TMSI allocated by the SGSN or built by the MS randomly, and, thus, provides identity confidentiality. The relationship between the TLLI and the IMSI is only known by the MS and the SGSN.

When a MS starts a connection to GPRS network, it has to be authenticated before it is allowed to access to the network services. GPRS authentication procedures


The GPRS operator wants to know who is trying to initiate a connection with the network. The aim of the authentication process is to identify that the user has a correctSIM card with a valid Ki key. This process must be verified without sending Kradio interface. The authentication process is initiated and controlled by SGSN, supported by AuC and MS. During GPRS attach process, SGSN sends a message containing the IMSI of the subscriber to the AuC and requests triplets, as shown in Figure XX. A triplet is composed of three keys called RAND, SRES and Kexplained below:

• RAND: It is a randomly generated 128 bit number used for providing triples always different.• SRES (Signed RESponse):algorithm and used as digital signature of MS.

• GPRS-Kc: Itused for encrypting data between MS and SGSN.

A3 and A8 security algorithms both use Ki and RAND as input parameters. A3 and A8 algorithms are deployments are illustrated in Figure 2.3. After getting triplets from AuC, SGSN sends RAND number to MS for authentication. SIM generates SRES based on RAND and Ki by using A3 algorithm. The MS transmits its SRES value to the SGSN that compares it with SRES from AuC. If both values agree, the authentication is successful. All this procedure is shown in Figures 2.3 and 2.4.

Figure 2.3. A3 and A8 algorithms [78]


The GPRS operator wants to know who is trying to initiate a connection with the network. The aim of the authentication process is to identify that the user has a correct

key. This process must be verified without sending Kradio interface. The authentication process is initiated and controlled by SGSN, supported by AuC and MS. During GPRS attach process, SGSN sends a message

he IMSI of the subscriber to the AuC and requests triplets, as shown in Figure XX. A triplet is composed of three keys called RAND, SRES and K

is a randomly generated 128 bit number used for providing fferent.

(Signed RESponse): It is a 32 bit long number generated by A3 algorithm and used as digital signature of MS.

It is a 64 bit ciphering key generated by A8 algorithm and used for encrypting data between MS and SGSN.

algorithms both use Ki and RAND as input parameters. A3 and A8 algorithms are deployments are illustrated in Figure 2.3. After getting triplets from AuC, SGSN sends RAND number to MS for authentication. SIM generates SRES based on

algorithm. The MS transmits its SRES value to the SGSN that compares it with SRES from AuC. If both values agree, the authentication is successful. All this procedure is shown in Figures 2.3 and 2.4. [6]

Figure 2.3. A3 and A8 algorithms [78]


The GPRS operator wants to know who is trying to initiate a connection with the network. The aim of the authentication process is to identify that the user has a correct

key. This process must be verified without sending K i over the radio interface. The authentication process is initiated and controlled by SGSN, supported by AuC and MS. During GPRS attach process, SGSN sends a message

he IMSI of the subscriber to the AuC and requests triplets, as shown in Figure XX. A triplet is composed of three keys called RAND, SRES and Kc, which are

is a randomly generated 128 bit number used for providing

It is a 32 bit long number generated by A3

is a 64 bit ciphering key generated by A8 algorithm and

algorithms both use Ki and RAND as input parameters. A3 and A8 algorithms are deployments are illustrated in Figure 2.3. After getting triplets from AuC, SGSN sends RAND number to MS for authentication. SIM generates SRES based on

algorithm. The MS transmits its SRES value to the SGSN that compares it with SRES from AuC. If both values agree, the authentication is successful. All


Each execution of the algorithm A3 is performed with a new value of the RAND which cannot be predetermined; in this way recording the channel transmission and playing it back cannot be used to fake an identity. Security conscious users worry that if someone manages to intercept RAND and SRES as they are transmitted over the radio interface, and if this person knows the algorithm A3, it may be possible to reverse the calculation to derive Ki. In fact the algorithms used in GSM/GPRS are designed to make extremely difficult to calculate the input Kwhich is completely necessary because by using Kkey GPRS-Kc which influences data confidentiality of the subscriber.

Figure 2.4. GPRS Authe

2.4.4 GPRS Ciphering

When authentication process is successfully completed, SGSN sends a message “Authentication is successful”. a response message to SGSN and starts cip

Ciphering process in GPRS needs a ciphering key and a ciphering algorithm. On the fixed network side, SGSN has GPRSciphering algorithm. The SGSN receives GPRSwhile the MS generates GPRS

Although GPRS system uses the same ciphering key and similar algorithm as in GSM, there are some differences between ciphering in GSM and GPRS. In GSM, ciphering is performed between MS and BTS and uses one of three versions of A5 (A50, A5-1 or A5-2), depending on the level of ciphering permitted. In GPRS, ciphering is performed between MS and SGSN and it uses a new version of A5 developed especially for packet transmission (A5algorithm GPRS-A5 does not use only GPRStwo additional parameters defined as confidentiality. If GPRS K(Ciph-S) would be the same for every GPRS session. One of input parameters is the


ution of the algorithm A3 is performed with a new value of the RAND which cannot be predetermined; in this way recording the channel transmission and playing it back cannot be used to fake an identity. Security conscious users worry that if

to intercept RAND and SRES as they are transmitted over the radio interface, and if this person knows the algorithm A3, it may be possible to reverse the

. In fact the algorithms used in GSM/GPRS are designed to make icult to calculate the input Ki (128 bits) from the output SRES (32 bits),

which is completely necessary because by using Ki, it is possible to generate ciphering which influences data confidentiality of the subscriber.

Figure 2.4. GPRS Authentication and ciphering [6]

2.4.4 GPRS Ciphering

When authentication process is successfully completed, SGSN sends a message “Authentication is successful”. At the time of receiving that message from MS, it sends a response message to SGSN and starts ciphering the text as shown in Figure 2.4.

Ciphering process in GPRS needs a ciphering key and a ciphering algorithm. On the fixed network side, SGSN has GPRS-Kc key as ciphering key and GPRSciphering algorithm. The SGSN receives GPRS-Kc key as part of the triplet from AuC, while the MS generates GPRS-Kc in SIM after receiving RAND from network.

Although GPRS system uses the same ciphering key and similar algorithm as in GSM, there are some differences between ciphering in GSM and GPRS. In GSM,

ing is performed between MS and BTS and uses one of three versions of A5 (A52), depending on the level of ciphering permitted. In GPRS, ciphering is

performed between MS and SGSN and it uses a new version of A5 developed especially t transmission (A5-3) which is also known as GPRS-A5. GPRS ciphering

A5 does not use only GPRS-Kc key during ciphering, but it also uses two additional parameters defined as input and direction to protect subscriber data

GPRS Kc was the only input parameter, the ciphering bit sequence S) would be the same for every GPRS session. One of input parameters is the


ution of the algorithm A3 is performed with a new value of the RAND which cannot be predetermined; in this way recording the channel transmission and playing it back cannot be used to fake an identity. Security conscious users worry that if

to intercept RAND and SRES as they are transmitted over the radio interface, and if this person knows the algorithm A3, it may be possible to reverse the

. In fact the algorithms used in GSM/GPRS are designed to make (128 bits) from the output SRES (32 bits),

, it is possible to generate ciphering

When authentication process is successfully completed, SGSN sends a message At the time of receiving that message from MS, it sends

hering the text as shown in Figure 2.4.

Ciphering process in GPRS needs a ciphering key and a ciphering algorithm. On key as ciphering key and GPRS-A5 as

f the triplet from AuC, in SIM after receiving RAND from network.

Although GPRS system uses the same ciphering key and similar algorithm as in GSM, there are some differences between ciphering in GSM and GPRS. In GSM,

ing is performed between MS and BTS and uses one of three versions of A5 (A5-2), depending on the level of ciphering permitted. In GPRS, ciphering is

performed between MS and SGSN and it uses a new version of A5 developed especially A5. GPRS ciphering

key during ciphering, but it also uses to protect subscriber data

was the only input parameter, the ciphering bit sequence S) would be the same for every GPRS session. One of input parameters is the


LLC layer frame number; the other parameter, direction. As a result, each LLC layer frame is ciphered with a different Ciphthe same length as the LLC layer frame being ciphered. The length of the LLC layer frames is variable and may be up to 1523 octets long. [6]

Figure 2.5. GPRS A5 algorithm [6]

2.4.5 GPRS backbone security

The GPRS backbone network includes the fixed network elements and their physical connections that convey user data and signaling information. Signaling exchange in GPRS is mainly based on the Signaling System 7 (SS7) technology, which does not support any security measure for the GPRS deployment. Similarly, the GTP protocol that is employed for communication between GSNs does not support security. Thus, user data and signaling information in the GPRS backbone network are conveyed in clear-text exposing them to various security threats. In addition, intercommunications (between different operators) are based on the public Internet, which enables IP spoofing to any malicious third party who gets access to it.

The responsibility for snetwork communications belongs to mobile operators. An operator utilizes private IP addressing and Network Address Translation (NAT) to restrict unauthorized access to the GPRS backbone. He may also network in order to protect it from unauthorized penetrations.

Firewalls protect the network by enforcing security policies. Using them the GPRS operator can make sure that only traffic initiated from ththrough a firewall. This is done for two reasons:

• To restrict traffic in order to protect the MS and the network elements from external attacks


LLC layer frame number; the other parameter, direction, depends on data transmission each LLC layer frame is ciphered with a different Ciph

the same length as the LLC layer frame being ciphered. The length of the LLC layer frames is variable and may be up to 1523 octets long. [6]

Figure 2.5. GPRS A5 algorithm [6]

ckbone security

The GPRS backbone network includes the fixed network elements and their physical connections that convey user data and signaling information. Signaling exchange in GPRS is mainly based on the Signaling System 7 (SS7) technology, which

not support any security measure for the GPRS deployment. Similarly, the GTP protocol that is employed for communication between GSNs does not support security. Thus, user data and signaling information in the GPRS backbone network are conveyed

ext exposing them to various security threats. In addition, intercommunications (between different operators) are based on the public Internet, which enables IP spoofing to any malicious third party who gets access to it.

The responsibility for security protection of the GPRS backbone as well as internetwork communications belongs to mobile operators. An operator utilizes private IP addressing and Network Address Translation (NAT) to restrict unauthorized access to the GPRS backbone. He may also apply firewalls at the borders of the GPRS backbone network in order to protect it from unauthorized penetrations.

Firewalls protect the network by enforcing security policies. Using them the GPRS operator can make sure that only traffic initiated from the MS should pass through a firewall. This is done for two reasons:

To restrict traffic in order to protect the MS and the network elements from external attacks


depends on data transmission each LLC layer frame is ciphered with a different Ciph-S. It has

the same length as the LLC layer frame being ciphered. The length of the LLC layer

The GPRS backbone network includes the fixed network elements and their physical connections that convey user data and signaling information. Signaling exchange in GPRS is mainly based on the Signaling System 7 (SS7) technology, which

not support any security measure for the GPRS deployment. Similarly, the GTP protocol that is employed for communication between GSNs does not support security. Thus, user data and signaling information in the GPRS backbone network are conveyed

ext exposing them to various security threats. In addition, inter-network communications (between different operators) are based on the public Internet, which

ecurity protection of the GPRS backbone as well as inter-network communications belongs to mobile operators. An operator utilizes private IP addressing and Network Address Translation (NAT) to restrict unauthorized access to

apply firewalls at the borders of the GPRS backbone

Firewalls protect the network by enforcing security policies. Using them the e MS should pass

To restrict traffic in order to protect the MS and the network elements


• To protect the MS from receiving un

Since firewalls do not provide privacy aNetwork (VPN) technology is used to complement the firewall protection. It is used for the authentication and the authorization of user access to corporate resources, the establishment of secure tunnels between the cencapsulation and protection of the data transmitted by the network. The border gateway, which resides at the border of the GPRS backbone, is a network element that provides firewall capabilities and also maintains static, prepeers. [8]


To protect the MS from receiving un-requested traffic

Since firewalls do not provide privacy and confidentiality, the Virtual Private Network (VPN) technology is used to complement the firewall protection. It is used for the authentication and the authorization of user access to corporate resources, the establishment of secure tunnels between the communicating parties, and the encapsulation and protection of the data transmitted by the network. The border gateway, which resides at the border of the GPRS backbone, is a network element that provides firewall capabilities and also maintains static, pre configured VPNs to specific


nd confidentiality, the Virtual Private Network (VPN) technology is used to complement the firewall protection. It is used for the authentication and the authorization of user access to corporate resources, the

ommunicating parties, and the encapsulation and protection of the data transmitted by the network. The border gateway, which resides at the border of the GPRS backbone, is a network element that

configured VPNs to specific


2.5 Attacks on GRPS security

2.5.1 Mobile Station and SIM

MSs mostly operate in public places where the concentration of people is high and physical access controls are omitted. These facts increthe MS usage and enable adversaries to perform various attacks. However, not only the MS but also the SIM module can be targeted by adversaries. Since the SIM module is implemented on a smart card, any vulnerability of smart cthe security of the information stored in the SIM. [8]

2.5.1.1 Attacks on the SIM card

The security model of GPRS is based on the secret key, KSIM-card. If an attacker is able to retrieve this key, between the MS and the SGSN, or he can produce a clone of the original SIM card, and, thus, engage in transactions, which are billed to the original subscriber. The implementation of A3 and A8 the COMP128, which is an examplein the GSM memorandum of understanding, may be used. Although never officially published, COMP128 description was found and cryptoto find the shared key (Ki) of the MS and the network.

The attack is achieved by sending a set of chosen challenges to the SIManalyzing the responses. This attack exploits the lack of diffusion, since there is a narrow pipe inside COMP128. Specifically, after the second round of the first iterative loop the bytes

depend only on the input bytes

Two of these bytes are key bytes, namely

X[i]=K i[i] and X[i+8]=K

Therefore, performing a chosen challenge attack, it is possible to find a collisfour bytes after the second round. Once a collision occurs on the second round, it propagates right through the hash function until the end of the last round. Comparing the MACs that are sent back by the SIMperforming a 2R-attack, which is the term of differential cryptoof the secret key involved in the collision are recovered. This attack can be iterated for each pair of key bytes, and, thus, the whole secret key K


2.5 Attacks on GRPS security

2.5.1 Mobile Station and SIM

MSs mostly operate in public places where the concentration of people is high and physical access controls are omitted. These facts increase the risks associated with the MS usage and enable adversaries to perform various attacks. However, not only the MS but also the SIM module can be targeted by adversaries. Since the SIM module is implemented on a smart card, any vulnerability of smart cards, immediately, affects on the security of the information stored in the SIM. [8]

2.5.1.1 Attacks on the SIM card

The security model of GPRS is based on the secret key, Ki, which is stored in the card. If an attacker is able to retrieve this key, he can intercept data conveyed

between the MS and the SGSN, or he can produce a clone of the original SIM card, and, thus, engage in transactions, which are billed to the original subscriber. The implementation of A3 and A8 the COMP128, which is an example algorithm included in the GSM memorandum of understanding, may be used. Although never officially published, COMP128 description was found and crypto-analyzed allowing an attacker

) of the MS and the network.

ved by sending a set of chosen challenges to the SIManalyzing the responses. This attack exploits the lack of diffusion, since there is a narrow pipe inside COMP128. Specifically, after the second round of the first iterative

X[i], X[i+8], X[i+16], X[i+24]

depend only on the input bytes

i, i+8, i+16, i+24

Two of these bytes are key bytes, namely

[i] and X[i+8]=K i[i+8] (for every i from 0 to 7).

Therefore, performing a chosen challenge attack, it is possible to find a collisfour bytes after the second round. Once a collision occurs on the second round, it propagates right through the hash function until the end of the last round. Comparing the MACs that are sent back by the SIM-card, this collision can be recognize

attack, which is the term of differential crypto-analysis, the two bytes of the secret key involved in the collision are recovered. This attack can be iterated for each pair of key bytes, and, thus, the whole secret key Ki can be recovered.


MSs mostly operate in public places where the concentration of people is high ase the risks associated with

the MS usage and enable adversaries to perform various attacks. However, not only the MS but also the SIM module can be targeted by adversaries. Since the SIM module is

ards, immediately, affects on

, which is stored in the he can intercept data conveyed

between the MS and the SGSN, or he can produce a clone of the original SIM card, and, thus, engage in transactions, which are billed to the original subscriber. The

algorithm included in the GSM memorandum of understanding, may be used. Although never officially

analyzed allowing an attacker

ved by sending a set of chosen challenges to the SIM-card and analyzing the responses. This attack exploits the lack of diffusion, since there is a narrow pipe inside COMP128. Specifically, after the second round of the first iterative

[i+8] (for every i from 0 to 7).

Therefore, performing a chosen challenge attack, it is possible to find a collision on the four bytes after the second round. Once a collision occurs on the second round, it propagates right through the hash function until the end of the last round. Comparing

card, this collision can be recognized. Then, analysis, the two bytes

of the secret key involved in the collision are recovered. This attack can be iterated for ecovered.


Another type of attacks against the SIMattacks allow an adversary to obtain sensitive information from sidecryptographic implementations, mainly, in constrained devices such as the SIMIn view of these exposures, some vendors of cryptographic systems employ a variety of software and hardware countermeasures to harden their implementations against sidechannel attacks. However, many of these measures are inadequate in cases that an algorithm implementation employs large table lookups. The COMP128 algorithm, which is used for the implementation of A3 and A8 in the SIMlookup of large tables. This lookup on simple devices, such as the SIMbe achieved in a complicated way resulting in the leakage of sensitive information into the side channels. An improved class of sideattack implementations that may otherwise resist some sidepartitioning attacks. The partitioning attack on COMP128 exploits weaknesses and vulnerabilities in the implementation of table lookups, which introduce nona very effective way. Specifically, the entire 128SIM card using less than 1000 invocations with random inputs, or 255 chosen inputs, or only 8 adaptively chosen inputs. Thus, an adversary who possesses a SIM card for a minute can easily extract the key.

Finally, a peculiar attack on smart cards, which is called opticawas revealed by Skorobogatov and Anderson. They exposed to light the microprocessor circuit, embedded in a smart card, by scraping most of the protective coating from its surface. By focusing the light on individual transistors within thsequentially changing the values of the transistors used to store data, they were able to reverse engineer the memory address map, which allows them to extract the secret data from the smart card. [8]

2.5.2 Access network

The interface between the MS and the SGSN is amongst the most exposed elements of the GPRS architecture. The GPRS system protects this part of the network by employing a set of security mechanisms that ensure authentication of mobile users, confidentiality of users identitexchanged. However, exploiting some weaknesses that these mechanisms present, an adversary may perform the following attacks: [8]

2.5.2.1 Denial of Service (DoS) attack

One of the attacks that maynetworks is the DoS attack. This attack aims at preventing transmission of user data,


Another type of attacks against the SIM-cards is side channel attacks. These attacks allow an adversary to obtain sensitive information from sidecryptographic implementations, mainly, in constrained devices such as the SIM

view of these exposures, some vendors of cryptographic systems employ a variety of software and hardware countermeasures to harden their implementations against sidechannel attacks. However, many of these measures are inadequate in cases that an

m implementation employs large table lookups. The COMP128 algorithm, which is used for the implementation of A3 and A8 in the SIM-cards, requires the lookup of large tables. This lookup on simple devices, such as the SIM

mplicated way resulting in the leakage of sensitive information into the side channels. An improved class of side-channel attacks, which can be used to attack implementations that may otherwise resist some side-channel attacks, is called

ks. The partitioning attack on COMP128 exploits weaknesses and vulnerabilities in the implementation of table lookups, which introduce nona very effective way. Specifically, the entire 128-bit key (Ki) can be recovered from a

less than 1000 invocations with random inputs, or 255 chosen inputs, or only 8 adaptively chosen inputs. Thus, an adversary who possesses a SIM card for a minute can easily extract the key.

Finally, a peculiar attack on smart cards, which is called optical fault induction, was revealed by Skorobogatov and Anderson. They exposed to light the microprocessor circuit, embedded in a smart card, by scraping most of the protective coating from its surface. By focusing the light on individual transistors within the chip, and by sequentially changing the values of the transistors used to store data, they were able to reverse engineer the memory address map, which allows them to extract the secret data

ween the MS and the SGSN is amongst the most exposed elements of the GPRS architecture. The GPRS system protects this part of the network by employing a set of security mechanisms that ensure authentication of mobile users, confidentiality of users identity, and ciphering of users data and signalling information exchanged. However, exploiting some weaknesses that these mechanisms present, an adversary may perform the following attacks: [8]

2.5.2.1 Denial of Service (DoS) attack

One of the attacks that may be performed on the wireless interface of wireless networks is the DoS attack. This attack aims at preventing transmission of user data,


cards is side channel attacks. These attacks allow an adversary to obtain sensitive information from side-channels of cryptographic implementations, mainly, in constrained devices such as the SIM-cards.

view of these exposures, some vendors of cryptographic systems employ a variety of software and hardware countermeasures to harden their implementations against side-channel attacks. However, many of these measures are inadequate in cases that an

m implementation employs large table lookups. The COMP128 algorithm, cards, requires the

lookup of large tables. This lookup on simple devices, such as the SIM-cards, can only mplicated way resulting in the leakage of sensitive information into

channel attacks, which can be used to channel attacks, is called

ks. The partitioning attack on COMP128 exploits weaknesses and vulnerabilities in the implementation of table lookups, which introduce non-linearity, in

) can be recovered from a less than 1000 invocations with random inputs, or 255 chosen inputs, or

only 8 adaptively chosen inputs. Thus, an adversary who possesses a SIM card for a

l fault induction, was revealed by Skorobogatov and Anderson. They exposed to light the microprocessor circuit, embedded in a smart card, by scraping most of the protective coating from its

e chip, and by sequentially changing the values of the transistors used to store data, they were able to reverse engineer the memory address map, which allows them to extract the secret data

ween the MS and the SGSN is amongst the most exposed elements of the GPRS architecture. The GPRS system protects this part of the network by employing a set of security mechanisms that ensure authentication of mobile users,

y, and ciphering of users data and signalling information exchanged. However, exploiting some weaknesses that these mechanisms present, an

be performed on the wireless interface of wireless networks is the DoS attack. This attack aims at preventing transmission of user data,


and signaling and control information over the air interface, disrupting communication and network operation. It can b

• Jam user data and signaling traffic using special devices called jammers• Induce specific protocol failures

• Impersonate as network elements and then prevent data traffic, either user traffic, signaling traffic or c

2.5.2.2 Man-in-the-Middle (MitM) attack

GPRS is vulnerable to a MitM attack, which allows an attacker to impersonate a false base station to a victim MS and, at the same time, impersonate the victim to a real network. It is assumed that the attacker has a device capable of emulating a BS, which is integrated with a MS with a valid GPRS network subscription as shown in Figure XX.

This attack can be performed because the MS is authenticated to the network, but the network is not authenticated to the MS. In order to mount this attack, the attacker forces the MS to connect to a false base station by broadcasting the network code of the subscriber’s home network in best signal quality. Then, the false base station impersonates the MS to the GPRS network. In the subsequent authentication process, the attacker can either simply forward the authentication traffic between the MS and the real network, or he can be authenticated to the network using his own subscription discarding the MS authentication data.

Figure 2.6. Man

Since the encryption between the MS and the network (SGSN) is not mandatory and the related signaling data are exchanged unencrypted without origin authentication, the attacker can request to turn off the encryption between the MS and the false base station. Additionally, if the attacker chooses not to be authenticated to the network, he can disable the encryption between the false base station (him) and the network by sending false information about his encryption capabilities (his device) to the network.


and signaling and control information over the air interface, disrupting communication and network operation. It can be achieved by malicious third parties who:

Jam user data and signaling traffic using special devices called jammersInduce specific protocol failures

Impersonate as network elements and then prevent data traffic, either user traffic, signaling traffic or control traffic, from being transmitted. [8]

Middle (MitM) attack

GPRS is vulnerable to a MitM attack, which allows an attacker to impersonate a false base station to a victim MS and, at the same time, impersonate the victim to a real etwork. It is assumed that the attacker has a device capable of emulating a BS, which is

integrated with a MS with a valid GPRS network subscription as shown in Figure XX.

This attack can be performed because the MS is authenticated to the network, he network is not authenticated to the MS. In order to mount this attack, the

attacker forces the MS to connect to a false base station by broadcasting the network code of the subscriber’s home network in best signal quality. Then, the false base

mpersonates the MS to the GPRS network. In the subsequent authentication process, the attacker can either simply forward the authentication traffic between the MS and the real network, or he can be authenticated to the network using his own

scarding the MS authentication data.

Figure 2.6. Man-in-the-Middle attack [102]

Since the encryption between the MS and the network (SGSN) is not mandatory and the related signaling data are exchanged unencrypted without origin authentication,

cker can request to turn off the encryption between the MS and the false base station. Additionally, if the attacker chooses not to be authenticated to the network, he can disable the encryption between the false base station (him) and the network by

ng false information about his encryption capabilities (his device) to the network.


and signaling and control information over the air interface, disrupting communication e achieved by malicious third parties who:

Jam user data and signaling traffic using special devices called jammers

Impersonate as network elements and then prevent data traffic, either ontrol traffic, from being transmitted. [8]

GPRS is vulnerable to a MitM attack, which allows an attacker to impersonate a false base station to a victim MS and, at the same time, impersonate the victim to a real etwork. It is assumed that the attacker has a device capable of emulating a BS, which is

integrated with a MS with a valid GPRS network subscription as shown in Figure XX.

This attack can be performed because the MS is authenticated to the network, he network is not authenticated to the MS. In order to mount this attack, the

attacker forces the MS to connect to a false base station by broadcasting the network code of the subscriber’s home network in best signal quality. Then, the false base

mpersonates the MS to the GPRS network. In the subsequent authentication process, the attacker can either simply forward the authentication traffic between the MS and the real network, or he can be authenticated to the network using his own

Since the encryption between the MS and the network (SGSN) is not mandatory and the related signaling data are exchanged unencrypted without origin authentication,

cker can request to turn off the encryption between the MS and the false base station. Additionally, if the attacker chooses not to be authenticated to the network, he can disable the encryption between the false base station (him) and the network by

ng false information about his encryption capabilities (his device) to the network.


Thus, the attacker mediates in the communication between the MS and the network allowing him to eavesdrop on, insert, and modify traffic. In case that the attacker has been authenticated to the network using his own subscription, he pays the transaction. Otherwise, the transaction is paid by the victim MS. Besides the deactivation of the encryption process over the air interface, the MitM attack may result in the retrieval othe encryption key used. In this form of the attack, the attacker listens to the GPRSRAND sent by the network to the MS under attack for authentication purposes. Then, the attacker impersonates a voice network that initiates a radio session with the MS,starts the authentication procedure using the GPRSa GSM-voice RAND).

After authentication completion, the attacker asks from the MS to start encrypting with A5/2, which is a weak version of the A5 algorithm that isBy receiving a few encrypted voice traffic (4 frames), the attacker is able to recover the corresponding encryption key, Kthan a second, and ends the voiceKc, the attacker is able to decrypt the GPRS traffic exchanged between the MS under attack and the legitimate network. Alternatively, the attacker can record this traffic, and performs the impersonation attack in order to retrieve therecorded data can be decrypted, at any later time.

In case that A5/2 is not supported by the MS, but A5/1 is supported, which is a stronger version of A5, then, the aforementioned attack against A5/1 and GPRS can be performed using cryptanalysis of A5/1, instead of A5/2. Since many network operators initiate a new authentication process, rarely, and use the key created in the last authentication, the attacker can use the retrieved key to intercept more than one session between the MS and the GPRS network. [8]

2.5.3 Attacks on the GPRS core network

The GPRS backbone network, which connects the fixed nodes of the GPRS architecture, is also threatened by malicious actions. These actions refer to both IP and SS7 technologies that are ethe GPRS backbone. [8]

2.5.3.1 Attacks on the IP technology (G

The IP technology is used to connect the SGSN and the GGSN of the same network operator (Gn interface). This connection maexisting IP network, which is not dedicated to the GPRS traffic. Therefore, traffic that originates from outside of the GPRS network shares the GPRS backbone links with the GPRS traffic. The latter is conveyed in clearprotocol, which is employed for both signaling and user data, does not support any


Thus, the attacker mediates in the communication between the MS and the network allowing him to eavesdrop on, insert, and modify traffic. In case that the attacker has

authenticated to the network using his own subscription, he pays the transaction. Otherwise, the transaction is paid by the victim MS. Besides the deactivation of the encryption process over the air interface, the MitM attack may result in the retrieval othe encryption key used. In this form of the attack, the attacker listens to the GPRSRAND sent by the network to the MS under attack for authentication purposes. Then, the attacker impersonates a voice network that initiates a radio session with the MS,starts the authentication procedure using the GPRS-RAND value that he intercepted (as

After authentication completion, the attacker asks from the MS to start encrypting with A5/2, which is a weak version of the A5 algorithm that isBy receiving a few encrypted voice traffic (4 frames), the attacker is able to recover the corresponding encryption key, Kc, by performing the ciphertext- only attack within less than a second, and ends the voice-session. Since the retrieved Kc equals to the GPRS

, the attacker is able to decrypt the GPRS traffic exchanged between the MS under attack and the legitimate network. Alternatively, the attacker can record this traffic, and performs the impersonation attack in order to retrieve the GPRS-Kc recorded data can be decrypted, at any later time.

In case that A5/2 is not supported by the MS, but A5/1 is supported, which is a stronger version of A5, then, the aforementioned attack against A5/1 and GPRS can be

cryptanalysis of A5/1, instead of A5/2. Since many network operators initiate a new authentication process, rarely, and use the key created in the last authentication, the attacker can use the retrieved key to intercept more than one session

S and the GPRS network. [8]

2.5.3 Attacks on the GPRS core network

The GPRS backbone network, which connects the fixed nodes of the GPRS architecture, is also threatened by malicious actions. These actions refer to both IP and SS7 technologies that are employed to convey user data and signalling information in

2.5.3.1 Attacks on the IP technology (Gn Interface)

The IP technology is used to connect the SGSN and the GGSN of the same interface). This connection may be built on the top of an already

existing IP network, which is not dedicated to the GPRS traffic. Therefore, traffic that originates from outside of the GPRS network shares the GPRS backbone links with the GPRS traffic. The latter is conveyed in clear-text in the GPRS backbone since the GTP protocol, which is employed for both signaling and user data, does not support any


Thus, the attacker mediates in the communication between the MS and the network allowing him to eavesdrop on, insert, and modify traffic. In case that the attacker has

authenticated to the network using his own subscription, he pays the transaction. Otherwise, the transaction is paid by the victim MS. Besides the deactivation of the encryption process over the air interface, the MitM attack may result in the retrieval of the encryption key used. In this form of the attack, the attacker listens to the GPRS-RAND sent by the network to the MS under attack for authentication purposes. Then, the attacker impersonates a voice network that initiates a radio session with the MS, and

RAND value that he intercepted (as

After authentication completion, the attacker asks from the MS to start encrypting with A5/2, which is a weak version of the A5 algorithm that is widely used. By receiving a few encrypted voice traffic (4 frames), the attacker is able to recover the

only attack within less equals to the GPRS-

, the attacker is able to decrypt the GPRS traffic exchanged between the MS under attack and the legitimate network. Alternatively, the attacker can record this traffic, and

with which the

In case that A5/2 is not supported by the MS, but A5/1 is supported, which is a stronger version of A5, then, the aforementioned attack against A5/1 and GPRS can be

cryptanalysis of A5/1, instead of A5/2. Since many network operators initiate a new authentication process, rarely, and use the key created in the last authentication, the attacker can use the retrieved key to intercept more than one session

The GPRS backbone network, which connects the fixed nodes of the GPRS architecture, is also threatened by malicious actions. These actions refer to both IP and

mployed to convey user data and signalling information in

The IP technology is used to connect the SGSN and the GGSN of the same y be built on the top of an already

existing IP network, which is not dedicated to the GPRS traffic. Therefore, traffic that originates from outside of the GPRS network shares the GPRS backbone links with the

ext in the GPRS backbone since the GTP protocol, which is employed for both signaling and user data, does not support any


security measure. The above situation might cause performance problems to the GPRS backbone and expose the GPRS traffic to security thspoofing, compromise of confidentiality and privacy etc., that the public Internet encounters.

Since the IP network that is used as a basis for the GPRS backbone is not dedicated to it, a malicious third party may present itGPRS network by spoofing the address of a GPRS network. By executing commands that normally a legitimate network component does, the attack remains undetected until its results are noticeable. One of these attacks is relatespecifically to the exploitation of the GTP commands like PDP context create, PDP context delete, PDP context update, etc.. The attacker, who has access to the GPRS backbone network, is able to get information regarding the monitoring the GTP traffic, which is unencrypted. Possessing the appropriate information, the attacker may create and forward to the GGSN of the network PDP context create, delete and update commands.

These commands overload the GGcontexts of the mobile users that are currently served by the network, resulting in DoS. In addition to malicious third parties that get access to the GPRS backbone network, the mobile users may represent a threat tis located between the GGSN and the public Internet, they may get access to the network elements of the GPRS. Having access to these elements, a malicious MS may perform various attacks such as DoS, IP spoprivacy, etc. In addition, once the malicious MS gets access to the GPRS network, it may send massive amounts of data to unsuspecting users. Since the GPRS is a usagebased service, the mobile users under attack arerequest for. [13]

Finally, a malicious MS in cooperation with a malicious server, which is located outside of the GPRS network, may also perform an over billing attack to a legitimate mobile subscriber. The malicand invokes a download from the malicious server. Once the downloading begins, the malicious MS exits the session. The legitimate MS receives and gets charged for traffic that never requests for. The broadcasts of unsolicited data to legitimate mobile subscribers. The result is still the same: the subscribers are billed for data that they did not solicited and might not have wanted. [2] [8]

2.5.3.2 Attacks on the SS7 technology

If an attacker gets access to the GPRS backbone, he may also gain access to the signaling part of the network, and consequently to the network components that are


security measure. The above situation might cause performance problems to the GPRS backbone and expose the GPRS traffic to security threats, such as DoS attacks, IP spoofing, compromise of confidentiality and privacy etc., that the public Internet

Since the IP network that is used as a basis for the GPRS backbone is not dedicated to it, a malicious third party may present itself as a legitimate part of the GPRS network by spoofing the address of a GPRS network. By executing commands that normally a legitimate network component does, the attack remains undetected until its results are noticeable. One of these attacks is related to the GTP protocol, and more specifically to the exploitation of the GTP commands like PDP context create, PDP context delete, PDP context update, etc.. The attacker, who has access to the GPRS backbone network, is able to get information regarding the GTP tunneling by simply monitoring the GTP traffic, which is unencrypted. Possessing the appropriate information, the attacker may create and forward to the GGSN of the network PDP context create, delete and update commands.

These commands overload the GGSN under attack and change the servicing contexts of the mobile users that are currently served by the network, resulting in DoS. In addition to malicious third parties that get access to the GPRS backbone network, the mobile users may represent a threat to it. Since the MSs are behind the firewall, which is located between the GGSN and the public Internet, they may get access to the network elements of the GPRS. Having access to these elements, a malicious MS may perform various attacks such as DoS, IP spoofing, compromise of confidentiality and privacy, etc. In addition, once the malicious MS gets access to the GPRS network, it may send massive amounts of data to unsuspecting users. Since the GPRS is a usagebased service, the mobile users under attack are over billed for content that they did not

Finally, a malicious MS in cooperation with a malicious server, which is located outside of the GPRS network, may also perform an over billing attack to a legitimate mobile subscriber. The malicious MS may hijack the IP address of the legitimate MS, and invokes a download from the malicious server. Once the downloading begins, the malicious MS exits the session. The legitimate MS receives and gets charged for traffic that never requests for. The malicious parties could also execute this attack by sending broadcasts of unsolicited data to legitimate mobile subscribers. The result is still the same: the subscribers are billed for data that they did not solicited and might not have

.5.3.2 Attacks on the SS7 technology



security measure. The above situation might cause performance problems to the GPRS reats, such as DoS attacks, IP

spoofing, compromise of confidentiality and privacy etc., that the public Internet

Since the IP network that is used as a basis for the GPRS backbone is not self as a legitimate part of the

GPRS network by spoofing the address of a GPRS network. By executing commands that normally a legitimate network component does, the attack remains undetected until

d to the GTP protocol, and more specifically to the exploitation of the GTP commands like PDP context create, PDP context delete, PDP context update, etc.. The attacker, who has access to the GPRS

GTP tunneling by simply monitoring the GTP traffic, which is unencrypted. Possessing the appropriate information, the attacker may create and forward to the GGSN of the network PDP

SN under attack and change the servicing contexts of the mobile users that are currently served by the network, resulting in DoS. In addition to malicious third parties that get access to the GPRS backbone network, the

o it. Since the MSs are behind the firewall, which is located between the GGSN and the public Internet, they may get access to the network elements of the GPRS. Having access to these elements, a malicious MS may

ofing, compromise of confidentiality and privacy, etc. In addition, once the malicious MS gets access to the GPRS network, it may send massive amounts of data to unsuspecting users. Since the GPRS is a usage-

over billed for content that they did not

Finally, a malicious MS in cooperation with a malicious server, which is located outside of the GPRS network, may also perform an over billing attack to a legitimate

ious MS may hijack the IP address of the legitimate MS, and invokes a download from the malicious server. Once the downloading begins, the malicious MS exits the session. The legitimate MS receives and gets charged for traffic

malicious parties could also execute this attack by sending broadcasts of unsolicited data to legitimate mobile subscribers. The result is still the same: the subscribers are billed for data that they did not solicited and might not have



connected through it, such as the AuC, the HLR, the VLRsignaling part of the network, the attacker is able to listen to critical information for the mobile subscribers and the network operation such as the permanent identities of mobile users (IMSI), temporary identities (TMSI, TLLItriplets (RAND, SRES, Kc), charging and billing data, etc. This is feasible because the signaling network (SS7), used in GSM/GPRS, does not support security measures.

While listening to the critical information exchperform DoS attacks to the GPRS signaling components or try to retrieve the sensitive information that they hold. For example, the AuC contains authentication information of the subscribed home users. A similar attack to thatSIM-card can also be carried out to retrieve the Kanswer to a request made by a GPRS network component and returns valid triples to be used in the authentication procedure of the involved of authentication and integrity protection mechanisms in SS7, a malicious party may present itself as a network element and retrieve critical information that should be kept confidential. [8] [13]

2.5.3.3 Attacks on the interface between network operators (G

The Gp Interface is also vulnerable to attacks. This interface supports users roaming and conveys:

• GTP traffic between a local network and the home network of a roaming user.

• Roaming information between a GExchange (GRX) operator, which provides roaming services to cooperating networks.

• Domain Name Server (DNS) information.

The security threats to the Gresources and services, the authentication and authorization of users and actions, and the integrity and confidentiality of the data transferred. A vital security issue of the Ginterface is the lack of security measures in the GTP protocol. [13]

Trust and reliability between the level of security that each operator supports. A malicious operator has the ability to generate a sufficient amount of traffic directed at the border gateway, the SGSN or the GGSN of an operator under atuseless and unwanted traffic that consumes the majority of processing and communication resources. This may result in preventing subscribers from being able to roam, to be attached to the GPRS network, to addition, the attacker might perform attacks that target the GTP protocol, such as deleting or updating PDP contexts. These actions remove or modify the GTP tunnels


connected through it, such as the AuC, the HLR, the VLR, etc. Having access to the signaling part of the network, the attacker is able to listen to critical information for the mobile subscribers and the network operation such as the permanent identities of mobile users (IMSI), temporary identities (TMSI, TLLI), location information, authentication

), charging and billing data, etc. This is feasible because the signaling network (SS7), used in GSM/GPRS, does not support security measures.

While listening to the critical information exchanged, the attacker may either perform DoS attacks to the GPRS signaling components or try to retrieve the sensitive information that they hold. For example, the AuC contains authentication information of the subscribed home users. A similar attack to that performed to retrieve the K

card can also be carried out to retrieve the Ki from the AuC. The AuC has to answer to a request made by a GPRS network component and returns valid triples to be used in the authentication procedure of the involved MS. Thus, exploiting the absence of authentication and integrity protection mechanisms in SS7, a malicious party may present itself as a network element and retrieve critical information that should be kept

terface between network operators (Gp Interface)

Interface is also vulnerable to attacks. This interface supports users

GTP traffic between a local network and the home network of a roaming

Roaming information between a GPRS network and a GPRS Routing Exchange (GRX) operator, which provides roaming services to cooperating

Domain Name Server (DNS) information.

The security threats to the Gp interface mainly concern with the availability of the authentication and authorization of users and actions, and the

integrity and confidentiality of the data transferred. A vital security issue of the Ginterface is the lack of security measures in the GTP protocol. [13]

Trust and reliability between the cooperating GPRS network operators influence the level of security that each operator supports. A malicious operator has the ability to generate a sufficient amount of traffic directed at the border gateway, the SGSN or the GGSN of an operator under attack. In this way, the GPRS nodes are flooded with useless and unwanted traffic that consumes the majority of processing and communication resources. This may result in preventing subscribers from being able to roam, to be attached to the GPRS network, to forward data to external networks, etc. In addition, the attacker might perform attacks that target the GTP protocol, such as deleting or updating PDP contexts. These actions remove or modify the GTP tunnels


, etc. Having access to the signaling part of the network, the attacker is able to listen to critical information for the mobile subscribers and the network operation such as the permanent identities of mobile

), location information, authentication ), charging and billing data, etc. This is feasible because the

signaling network (SS7), used in GSM/GPRS, does not support security measures.

anged, the attacker may either perform DoS attacks to the GPRS signaling components or try to retrieve the sensitive information that they hold. For example, the AuC contains authentication information of

performed to retrieve the Ki from a from the AuC. The AuC has to

answer to a request made by a GPRS network component and returns valid triples to be MS. Thus, exploiting the absence

of authentication and integrity protection mechanisms in SS7, a malicious party may present itself as a network element and retrieve critical information that should be kept

Interface)

Interface is also vulnerable to attacks. This interface supports users

GTP traffic between a local network and the home network of a roaming

PRS network and a GPRS Routing Exchange (GRX) operator, which provides roaming services to cooperating

interface mainly concern with the availability of the authentication and authorization of users and actions, and the

integrity and confidentiality of the data transferred. A vital security issue of the Gp

the cooperating GPRS network operators influence the level of security that each operator supports. A malicious operator has the ability to generate a sufficient amount of traffic directed at the border gateway, the SGSN or the

tack. In this way, the GPRS nodes are flooded with useless and unwanted traffic that consumes the majority of processing and communication resources. This may result in preventing subscribers from being able to

forward data to external networks, etc. In addition, the attacker might perform attacks that target the GTP protocol, such as deleting or updating PDP contexts. These actions remove or modify the GTP tunnels


between the SGSN and the GGSN that are used for creating a DoS attack to users service.

Since the GTP protocol provides no authentication for SGSNs and GGSNs, a malicious operator or an attacker with access to the GSGSN. The bogus SGSN may cGGSN. After the establishment of such tunnels, the network, where the legitimate GGSN belongs to, provides unauthorized Internet access to the attacker and, possibly, access to cooperating networks. In addicontext request messages to a legitimate SGSN, which is handling the GTP sessions of a mobile subscriber. In this way, the bogus SGSN takes the responsibility for handling the GTP sessions of the user. Thus, the attthe sessions, compromising end

2.5.3.4 Attacks on the interface to the public Internet (G

The Gi interface connects the GPRS network to the public Internet and service providers that provide services to mobile subscribers. Since the applications of mobile subscribers can be whatever is carried by the Internet technology, the Gcarry any type of traffic.

This fact exposes the GPRS network elements and the mobivariety of threats that the public Internet encounters, such as viruses, Trojan horses, worms, and other malicious network traffic. A Trojan horse is a malicious piece of software hidden in a program that performs normal tasks. When stabehaves as expected by the user and, then, stealthily executes the Trojan horse payload. On the other hand, worms are selfpropagate from one computer/device to another via a network link. Ta Trojan horse or a worm usually is a DoS attack. This kind of attacks represents the largest threat to the Gi interface. Attackers may be able to flood the links that connect the GPRS network to external packet data networks with useleprohibiting legitimate traffic to pass. The flood traffic might target to the MSs or the network elements causing availability problems to the followed network paths and the involved components. [13]

Apart from harm to the network avaunprotected over the public Internet enabling anyone to read and/or manipulate them, and, thus, compromising user data confidentiality and integrity. In addition, an adversary may exploit the unprotected user related iGPRS users. This is feasible because the GPRS billing system is based on the amount of traffic transmitted and received. The overbilling attack can be achieved by sending large e-mails from a malicious external network


between the SGSN and the GGSN that are used for user data transfer, and, thus, creating a DoS attack to users service.

Since the GTP protocol provides no authentication for SGSNs and GGSNs, a malicious operator or an attacker with access to the Gp interface may create a bogus SGSN. The bogus SGSN may create GTP tunnels between itself and a legitimate GGSN. After the establishment of such tunnels, the network, where the legitimate GGSN belongs to, provides unauthorized Internet access to the attacker and, possibly, access to cooperating networks. In addition, the bogus SGSN may send Update PDP context request messages to a legitimate SGSN, which is handling the GTP sessions of a mobile subscriber. In this way, the bogus SGSN takes the responsibility for handling the GTP sessions of the user. Thus, the attacker may intercept the user data exchanged by the sessions, compromising end-user security. [2] [8]

2.5.3.4 Attacks on the interface to the public Internet (Gi Interface)

interface connects the GPRS network to the public Internet and service iders that provide services to mobile subscribers. Since the applications of mobile

subscribers can be whatever is carried by the Internet technology, the G

This fact exposes the GPRS network elements and the mobile subscribers to a variety of threats that the public Internet encounters, such as viruses, Trojan horses, worms, and other malicious network traffic. A Trojan horse is a malicious piece of software hidden in a program that performs normal tasks. When started, this program behaves as expected by the user and, then, stealthily executes the Trojan horse payload. On the other hand, worms are self-propagating pieces of malicious software. They propagate from one computer/device to another via a network link. The ultimate goal of a Trojan horse or a worm usually is a DoS attack. This kind of attacks represents the

interface. Attackers may be able to flood the links that connect the GPRS network to external packet data networks with useless traffic, thereby, prohibiting legitimate traffic to pass. The flood traffic might target to the MSs or the network elements causing availability problems to the followed network paths and the

Apart from harm to the network availability, the GPRS data are conveyed unprotected over the public Internet enabling anyone to read and/or manipulate them, and, thus, compromising user data confidentiality and integrity. In addition, an adversary may exploit the unprotected user related information causing huge bills to the GPRS users. This is feasible because the GPRS billing system is based on the amount of traffic transmitted and received. The overbilling attack can be achieved by sending large

mails from a malicious external network to the MSs, or by creating viruses that are


user data transfer, and, thus,

Since the GTP protocol provides no authentication for SGSNs and GGSNs, a interface may create a bogus

reate GTP tunnels between itself and a legitimate GGSN. After the establishment of such tunnels, the network, where the legitimate GGSN belongs to, provides unauthorized Internet access to the attacker and, possibly,

tion, the bogus SGSN may send Update PDP context request messages to a legitimate SGSN, which is handling the GTP sessions of a mobile subscriber. In this way, the bogus SGSN takes the responsibility for handling the

acker may intercept the user data exchanged by

interface connects the GPRS network to the public Internet and service iders that provide services to mobile subscribers. Since the applications of mobile

subscribers can be whatever is carried by the Internet technology, the Gi interface may

le subscribers to a variety of threats that the public Internet encounters, such as viruses, Trojan horses, worms, and other malicious network traffic. A Trojan horse is a malicious piece of

rted, this program behaves as expected by the user and, then, stealthily executes the Trojan horse payload.

propagating pieces of malicious software. They he ultimate goal of

a Trojan horse or a worm usually is a DoS attack. This kind of attacks represents the interface. Attackers may be able to flood the links that connect

ss traffic, thereby, prohibiting legitimate traffic to pass. The flood traffic might target to the MSs or the network elements causing availability problems to the followed network paths and the

ilability, the GPRS data are conveyed unprotected over the public Internet enabling anyone to read and/or manipulate them, and, thus, compromising user data confidentiality and integrity. In addition, an

nformation causing huge bills to the GPRS users. This is feasible because the GPRS billing system is based on the amount of traffic transmitted and received. The overbilling attack can be achieved by sending large

to the MSs, or by creating viruses that are


transferred to the MSs. A virus may have the property to send dummy packets from the infected MS to a malicious server, without any notice to the user. [2] [8]






2.6 GPRS solutions for smart

Many corporations dedicated to the smart meters development include a GPRS/GSM modem in the communication module of their smart meters. The following are some examples.

2.6.1 AEM Three-phase electricity meter Enerlux T

Some of its mechanical and equipment characteristics are the following: The meter operates in the 45 to 65 Hz frequency range in conditions of temperature between -40 to +60ºC. It includes sealable buttons for maximum demand reset and for blocking parameters changing for ensuring security goals according to the IEC 62056standard. The Enerlux T meter enables tariffying the energy in up to 4 time zones whose metering program is annual. The time zones metering program is annual. There can be defined up to 12 seasons idefined, it being made up of 7 types of days chosen from the 24 types of days which can be defined. Every day there can be defined up to 12 switchings for each of the two sequences of the daily progr

This meter is meant for electric energy metering either for residential consumers or for commercial and industrial agents that use multi-tariff systems for electric energy billing on lomedium and high voltage networks. It is able to measure electrical consumption in both directions of energy circulation.

It is optionally provided with the GPRS modem since it can operate directly through the optical port and current loop according to the IEC 62056-21 standard for direct local data exchange.


2.6 GPRS solutions for smart metering

Many corporations dedicated to the smart meters development include a GPRS/GSM modem in the communication module of their smart meters. The following

phase electricity meter Enerlux T

echanical and equipment characteristics are the following: The meter operates in the 45 to 65 Hz frequency range in conditions of temperature between 40 to +60ºC. It includes sealable buttons for maximum demand reset and for blocking

or ensuring security goals according to the IEC 62056

The Enerlux T meter enables tariffying the energy in up to 4 time zones whose metering program is annual. The time zones metering program is annual. There can be defined up to 12 seasons in a year. Within each season, the weekly program will be defined, it being made up of 7 types of days chosen from the 24 types of days which can be defined. Every day there can be defined up to 12 switchings for each of the two sequences of the daily program. The programming resolution is of 30 minutes. The

is meant for electric energy metering either for residential consumers or for commercial and industrial agents

tariff systems for electric energy billing on low, medium and high voltage networks. It is able to measure electrical consumption in both directions of

It is optionally provided with the GPRS modem since it can operate directly through the optical port and current loop according to

21 standard for


Many corporations dedicated to the smart meters development include a GPRS/GSM modem in the communication module of their smart meters. The following

echanical and equipment characteristics are the following: The meter operates in the 45 to 65 Hz frequency range in conditions of temperature between 40 to +60ºC. It includes sealable buttons for maximum demand reset and for blocking

or ensuring security goals according to the IEC 62056-21

The Enerlux T meter enables tariffying the energy in up to 4 time zones whose metering program is annual. The time zones metering program is annual. There can be

n a year. Within each season, the weekly program will be defined, it being made up of 7 types of days chosen from the 24 types of days which can be defined. Every day there can be defined up to 12 switchings for each of the two

am. The programming resolution is of 30 minutes. The


meter is also provided with 8 cumulative registers for 8 demands which can be programmed with 5, 10, 15, 20, 30 or 60 min measuring time interval. [44]

For further information on the Enerlux T meter go

2.6.2 Digital Multi- tariff meter DMTZ

The DMTZ-XC is a multiindustrial applications. It incorporates an integrated tariff switching clock with an accuracy of +/-5ppm synchronizemeter operates in 50 Hz frequency within a it presents a class 1 accuracy according to IEC 62053

Interfaces

The plugable communication module forimplements many communication technologies. The GPRS/GSM is the first one and permits connection with the worldwide GSM network. Another option that can be used as its communication protocol is the IEC62056complemented with DLMS/COSEM protocol for implementing the application layer. In any case, 19200 is the maximum baud rate that can be reached. [46]

For further information on the DMTZ

This meter operates 2 tariff registers but it can implement up to 4, it is an optional feature offered by the manufacturer. optional to incorporate a fourdisplay for simultaneous presentation of two of those energy registers. Finally, another of the options to incorporate is the maximum demand measurement and load profile making possible to perform up registering with a registering period length of 15 minutes with three different types of registering: power, energy or energy feed.



For further information on the Enerlux T meter go to: www.aem.ro

tariff meter DMTZ -XC

XC is a multi-tariff smart meter designed for both residential and industrial applications. It incorporates an integrated tariff switching clock with an

5ppm synchronized via data interfaces and a ripple control receiver. This meter operates in 50 Hz frequency within a -25 to 55ºC temperature range. In addition, it presents a class 1 accuracy according to IEC 62053-21.

The plugable communication module for the DMTZ-XC multiimplements many communication technologies. The GPRS/GSM is the first one and permits connection with the worldwide GSM network. Another option that can be used as its communication protocol is the IEC62056-21 standard also known as FLAG complemented with DLMS/COSEM protocol for implementing the application layer. In any case, 19200 is the maximum baud rate that can be reached. [46]

For further information on the DMTZ-XC smart meter go to: www.emh

This meter operates 2 tariff registers but it can implement up to 4, it is an optional feature offered by the manufacturer. It is also optional to incorporate a four-line statical display for simultaneous presentation of two of those energy registers. Finally, another of the options to incorporate is the maximum demand measurement and load profile making possible to perform up to 3 years of registering with a registering period length of 15 minutes with three different types of registering: power, energy or energy feed.



tariff smart meter designed for both residential and industrial applications. It incorporates an integrated tariff switching clock with an

d via data interfaces and a ripple control receiver. This 25 to 55ºC temperature range. In addition,

XC multi-tariff meter implements many communication technologies. The GPRS/GSM is the first one and permits connection with the worldwide GSM network. Another option that can be used

known as FLAG complemented with DLMS/COSEM protocol for implementing the application layer. In

www.emh-metering.com


3. ZIGBEE/802.15.4

3.1 Introduction

ZigBee is a trademark of the ZigBee Alliance, an association of companies set up by Philips Honeywell and Ivensys working together to enable reliable, costlow-power, wirelessly networked, monitoring and control products global standard.

The ZigBee specification provides a lownetworking technology. The low cost allows this technology to be widely deployed in wireless control and monitoring applications such as Automated Met(AMM) which is the one we are interested in, the low powerwith smaller batteries, and the mesh networking provides high reliability and larger range.

As shown in figure below, ZigBee specifies the upper layers and Istandard specifies the lower protocol layers: the physical layer (PHY), and the medium access control (MAC) portion of the data link layer (DLL)end manufacturer has to define the final application software for implemeapplication.

Figure 3.1. ZigBee/802.15.4 Communication stack [80]


15.4

ZigBee is a trademark of the ZigBee Alliance, an association of companies set up by Philips Honeywell and Ivensys working together to enable reliable, cost

power, wirelessly networked, monitoring and control products based on an open

The ZigBee specification provides a low-cost, low-power, wireless mesh networking technology. The low cost allows this technology to be widely deployed in wireless control and monitoring applications such as Automated Met(AMM) which is the one we are interested in, the low power-usage allows longer life with smaller batteries, and the mesh networking provides high reliability and larger

As shown in figure below, ZigBee specifies the upper layers and Istandard specifies the lower protocol layers: the physical layer (PHY), and the medium access control (MAC) portion of the data link layer (DLL). Complementing that, the end manufacturer has to define the final application software for impleme



ZigBee is a trademark of the ZigBee Alliance, an association of companies set up by Philips Honeywell and Ivensys working together to enable reliable, cost-effective,

based on an open

power, wireless mesh networking technology. The low cost allows this technology to be widely deployed in wireless control and monitoring applications such as Automated Meter Management

usage allows longer life with smaller batteries, and the mesh networking provides high reliability and larger

As shown in figure below, ZigBee specifies the upper layers and IEEE 802.15.4 standard specifies the lower protocol layers: the physical layer (PHY), and the medium

Complementing that, the end manufacturer has to define the final application software for implementing a real



3.2 Physical layer overview

The physical layer of 802.15.4 standard establishes different operative frequency bands within the ISM (Industrial, Scientific and Medical) band geographic area as it can be seen in the following chart:

Figure 3.2. Operational frequency bands on 802.15.4 PHY [36]

The ZigBee standard uses the 868 MHz channel, which is exclusively used in Europe at a 20 Kbps rate. Its center frecomprises from 868 MHz to 868.6 MHz. It employs direct sequence spread spectrum (DSSS) with binary phase-shift keying (BPSK) used for chip modulation of 15obtaining a 300 kchip/s rate and differential encodfollowing the whole process for each bit from the PPDU (PHY Protocol Data Unit) as the following figure shows:

Figure 3.3. Modulation and spreading functions [35]

The PHY provides an interface between the MAC sublayerchannel, via RF firmware and hardware. It includes a management entity called the PLME (PHY Layer Management Entity) that provides management service interfaces through which layer management functions may be invoked. It is also maintaining database of managed object belonging to the PHY called the PHY PAN Information Base (PIB). The following figure shows the described structure: [35]



The physical layer of 802.15.4 standard establishes different operative frequency bands within the ISM (Industrial, Scientific and Medical) band depending of the geographic area as it can be seen in the following chart:


The ZigBee standard uses the 868 MHz channel, which is exclusively used in Europe at a 20 Kbps rate. Its center frequency is at 868.3 MHz and its bandwidth comprises from 868 MHz to 868.6 MHz. It employs direct sequence spread spectrum

shift keying (BPSK) used for chip modulation of 15obtaining a 300 kchip/s rate and differential encoding used for data symbol encoding following the whole process for each bit from the PPDU (PHY Protocol Data Unit) as the following figure shows:

Figure 3.3. Modulation and spreading functions [35]

The PHY provides an interface between the MAC sublayerchannel, via RF firmware and hardware. It includes a management entity called the PLME (PHY Layer Management Entity) that provides management service interfaces through which layer management functions may be invoked. It is also maintaining database of managed object belonging to the PHY called the PHY PAN Information Base (PIB). The following figure shows the described structure: [35]


The physical layer of 802.15.4 standard establishes different operative frequency depending of the


The ZigBee standard uses the 868 MHz channel, which is exclusively used in quency is at 868.3 MHz and its bandwidth

comprises from 868 MHz to 868.6 MHz. It employs direct sequence spread spectrum shift keying (BPSK) used for chip modulation of 15-chip PN

ing used for data symbol encoding following the whole process for each bit from the PPDU (PHY Protocol Data Unit) as

The PHY provides an interface between the MAC sublayer and the radio channel, via RF firmware and hardware. It includes a management entity called the PLME (PHY Layer Management Entity) that provides management service interfaces through which layer management functions may be invoked. It is also maintaining a database of managed object belonging to the PHY called the PHY PAN Information


Figure 3.4. PHY reference model [35]

Two services are provided by the PHY accessed through two SAPs:

• The PHY Data SAP (PDbetween peer MAC sublayer entities.• The PHY Management Service (PLMEcapability for transporting management commands between the MLME of the MAC and the PLME of the PHY.

All characteristics and functions provided by the PHY can be summarized into:

• Transmitting and receiving packets through the radio channel• Channel selection

• Energy detection• Activation and deactivation of the radio transceiver

• The Link Quality Indicator (LQI) wquality of the received packets using signal• The Clear Channel Assessment (CCA) for reporting the current state of the radio channel in order to know when it is free [35]

3.3 MAC layer overview

The MAC sublayer handles all access to the physical radio channel and is responsible for all the following tasks:

• Generating the network beacons if the device is a coordinator• Synchronizing to the beacons

• Supporting PAN association disassociation


Figure 3.4. PHY reference model [35]

Two services are provided by the PHY accessed through two SAPs:

e PHY Data SAP (PD-SAP): It supports the transport of MPDUs between peer MAC sublayer entities.

The PHY Management Service (PLME-SAP): Implements the capability for transporting management commands between the MLME of the MAC and the PLME of the PHY.

haracteristics and functions provided by the PHY can be summarized into:

Transmitting and receiving packets through the radio channelChannel selection

Energy detection Activation and deactivation of the radio transceiver

The Link Quality Indicator (LQI) which is a characterization of the quality of the received packets using signal-to-noise ratio estimation

The Clear Channel Assessment (CCA) for reporting the current state of the radio channel in order to know when it is free [35]


The MAC sublayer handles all access to the physical radio channel and is responsible for all the following tasks:

Generating the network beacons if the device is a coordinatorSynchronizing to the beacons

Supporting PAN association disassociation


It supports the transport of MPDUs

Implements the capability for transporting management commands between the MLME of the

haracteristics and functions provided by the PHY can be summarized into:

Transmitting and receiving packets through the radio channel

hich is a characterization of the noise ratio estimation

The Clear Channel Assessment (CCA) for reporting the current state of

The MAC sublayer handles all access to the physical radio channel and is

Generating the network beacons if the device is a coordinator


• Supporting device security• Employing the CSMA

• Handling and maintaining the GTS mechanism• Providing a reliable link between to MAC peer entities

The MAC sublayer provides an interface between the Service Specific Convergence Sublayer (SSCS) and the PHY. It includes a management entity called the MLME that entity provides the service interfaces through which layer management functions may be invoked. The MLME is also responsible for maintaining a database of managed objects pertaining to the MAC sublayer called the MAC sublayer PIB.

Figure 3.5. MAC sublayer reference model [35]

As it can be seen in the previous figure, the MAC sublayer provides two services, accessed through two SAPs:

• The MAC data serviceSublayer (MCPS) data SAP (MCPSprotocol data units (SPDUs) between SSCS peer entities.• The MAC management serviceallows the transport of management commands between and the MLME

These two services provide the interface between the SSCS and the PHY, via the PD-SAP and PLME-SAP interfaces. In addition to these external interfaces, an implicit interface also exists between the MLME and the MCPS thathe MAC data service. [35]


ng device security Employing the CSMA-CA mechanism for channel access

Handling and maintaining the GTS mechanism Providing a reliable link between to MAC peer entities

The MAC sublayer provides an interface between the Service Specific er (SSCS) and the PHY. It includes a management entity called the

MLME that entity provides the service interfaces through which layer management functions may be invoked. The MLME is also responsible for maintaining a database of

g to the MAC sublayer called the MAC sublayer PIB.

Figure 3.5. MAC sublayer reference model [35]

As it can be seen in the previous figure, the MAC sublayer provides two services, accessed through two SAPs:

The MAC data service, accessed through the MAC Common Part Sublayer (MCPS) data SAP (MCPS-SAP). It supports the transport of SSCS protocol data units (SPDUs) between SSCS peer entities.

The MAC management service, accessed through the MLMEallows the transport of management commands between the next higher layer

These two services provide the interface between the SSCS and the PHY, via the SAP interfaces. In addition to these external interfaces, an implicit

interface also exists between the MLME and the MCPS that allows the MLME to use the MAC data service. [35]


CA mechanism for channel access

The MAC sublayer provides an interface between the Service Specific er (SSCS) and the PHY. It includes a management entity called the

MLME that entity provides the service interfaces through which layer management functions may be invoked. The MLME is also responsible for maintaining a database of

g to the MAC sublayer called the MAC sublayer PIB.

As it can be seen in the previous figure, the MAC sublayer provides two

C Common Part SAP). It supports the transport of SSCS

, accessed through the MLME-SAP that the next higher layer

These two services provide the interface between the SSCS and the PHY, via the SAP interfaces. In addition to these external interfaces, an implicit

t allows the MLME to use


3.4 Network layer overview

Two entities are conforming the ZigBee Network layer as seen in the following figure each one with its own functions:

• The Network Layer Data Entity (NLDE):transmitting NPDUs to the appropriate device which is either the final destination or the next step towards the final destination in the communication chain • The Network Layer Management Entity(NLME):many operations which are:

� Establ� Joining and leaving a network� Configuring the stack for operation of a new device� Assign addresses to devices joining the network (only for Full Function Devices (FFD))� One-� Routing frames to their destinations (only for Full Function Devices (FFD))

Figure 3.6. ZigBee Network Layer [36]

As it can be seen in figure 3.7, a ZigBee wireless meterof two parts: the Database Management System and the cluster composed by routers, end devices and a network coordinator. The topology of the ZigBee network may be mesh or star rather than a cluster tree if it fits better the objectives of the network designer. The routers and coordinator must be devices (FFD) while the end devices can be reduced function devices (RFD). [35]

After collected the required information from users, an end device transports it to the relevant FFD. A FFD acts as a router whose function is to synchronize serother devices/FFD and one of them shall be the overall coordinator of the network. End


3.4 Network layer overview

Two entities are conforming the ZigBee Network layer as seen in the following figure each one with its own functions:

The Network Layer Data Entity (NLDE): It is in charge of transmitting NPDUs to the appropriate device which is either the final destination or the next step towards the final destination in the communication

The Network Layer Management Entity(NLME): It is responsible for many operations which are:

Establishing a new network (only for the network coordinator)Joining and leaving a network Configuring the stack for operation of a new deviceAssign addresses to devices joining the network (only for Full

Function Devices (FFD)) hop neighbors discovery

ting frames to their destinations (only for Full Function Devices (FFD))

Figure 3.6. ZigBee Network Layer [36]

As it can be seen in figure 3.7, a ZigBee wireless meter-reading system consists of two parts: the Database Management System and the cluster tree ZigBee network composed by routers, end devices and a network coordinator. The topology of the ZigBee network may be mesh or star rather than a cluster tree if it fits better the objectives of the network designer. The routers and coordinator must be devices (FFD) while the end devices can be reduced function devices (RFD). [35]

After collected the required information from users, an end device transports it to the relevant FFD. A FFD acts as a router whose function is to synchronize serother devices/FFD and one of them shall be the overall coordinator of the network. End


Two entities are conforming the ZigBee Network layer as seen in the following

It is in charge of transmitting NPDUs to the appropriate device which is either the final destination or the next step towards the final destination in the communication

It is responsible for

ishing a new network (only for the network coordinator)

Configuring the stack for operation of a new device Assign addresses to devices joining the network (only for Full

ting frames to their destinations (only for Full Function

reading system consists tree ZigBee network

composed by routers, end devices and a network coordinator. The topology of the ZigBee network may be mesh or star rather than a cluster tree if it fits better the objectives of the network designer. The routers and coordinator must be full function devices (FFD) while the end devices can be reduced function devices (RFD). [35]

After collected the required information from users, an end device transports it to the relevant FFD. A FFD acts as a router whose function is to synchronize services to other devices/FFD and one of them shall be the overall coordinator of the network. End


devices and the collector intermediately form a star network locally. The collector that can be connected with 254 end devices at most is responsible for the mastar network. Data stored in collectors is transported to the coordinator, which manages the overall ZigBee network such as initialization, association and disassociation of devices. The coordinator communicates with computer

Figure 3.7. Architecture of wireless meter


devices and the collector intermediately form a star network locally. The collector that can be connected with 254 end devices at most is responsible for the mastar network. Data stored in collectors is transported to the coordinator, which manages the overall ZigBee network such as initialization, association and disassociation of devices. The coordinator communicates with computer through RS-232.

Figure 3.7. Architecture of wireless meter-reading system [34]


devices and the collector intermediately form a star network locally. The collector that can be connected with 254 end devices at most is responsible for the management of the star network. Data stored in collectors is transported to the coordinator, which manages the overall ZigBee network such as initialization, association and disassociation of

. [36]

reading system [34]


3.5 Application layer overview

The ZigBee Application layer consists of the Application Support sublayer (APS), ZigBee Device Object (ZDO) and Application Framework contaimanufacturer-defined application objects each interfacing an endpoint indexed from 1 to 240. The following figure shows the describe scheme:

Figure 3.8. ZigBee Application Layer [80]

The Application Support sublayer (APS) provides an intenetwork layer and the application layer through a general set of services and is formed by two parts:

• The Application Support sublayer Data Entity (APSDE):the data transmission service for the transport of application PDUs bor more devices of the network, supports fragmentation and reassembly of packets and provides reliable data transport.

• The Application Support sublayer Management Entity (APSME):provides security services, binding of devices, establishment agroup addresses and also maintains a database of managed objects

The Application Framework is the environment for hosting manufacturerdefined application objects on ZigBee devices. It uses the APSDEexecuting standard network functions and managing protocol layers in the ZigBee device. The application objects that it contains, represent different application types that can be defined in a ZigBee device, each one of them addressed by an 8These application types can either be profiles or objects. The first ones, are agreements for processing actions that enable applications to create an interoperable application between applications that reside in different devices and they are identified with a clusterId. The application objects (APOs), encapsulate a set of attributes and provide functionalities to implement an application.


3.5 Application layer overview

The ZigBee Application layer consists of the Application Support sublayer (APS), ZigBee Device Object (ZDO) and Application Framework contai

defined application objects each interfacing an endpoint indexed from 1 to 240. The following figure shows the describe scheme:

Figure 3.8. ZigBee Application Layer [80]

The Application Support sublayer (APS) provides an interfaces between the network layer and the application layer through a general set of services and is formed

The Application Support sublayer Data Entity (APSDE):the data transmission service for the transport of application PDUs bor more devices of the network, supports fragmentation and reassembly of packets and provides reliable data transport.

The Application Support sublayer Management Entity (APSME):provides security services, binding of devices, establishment agroup addresses and also maintains a database of managed objects

The Application Framework is the environment for hosting manufacturerdefined application objects on ZigBee devices. It uses the APSDE-SAP interface for

ork functions and managing protocol layers in the ZigBee device. The application objects that it contains, represent different application types that can be defined in a ZigBee device, each one of them addressed by an 8

s can either be profiles or objects. The first ones, are agreements for processing actions that enable applications to create an interoperable application between applications that reside in different devices and they are identified with a

pplication objects (APOs), encapsulate a set of attributes and provide functionalities to implement an application.


The ZigBee Application layer consists of the Application Support sublayer (APS), ZigBee Device Object (ZDO) and Application Framework containing up to 240

defined application objects each interfacing an endpoint indexed from 1 to

rfaces between the network layer and the application layer through a general set of services and is formed

The Application Support sublayer Data Entity (APSDE): It provides the data transmission service for the transport of application PDUs between two or more devices of the network, supports fragmentation and reassembly of

The Application Support sublayer Management Entity (APSME): It provides security services, binding of devices, establishment and removal of group addresses and also maintains a database of managed objects

The Application Framework is the environment for hosting manufacturer-SAP interface for

ork functions and managing protocol layers in the ZigBee device. The application objects that it contains, represent different application types that can be defined in a ZigBee device, each one of them addressed by an 8-bit endpoint.

s can either be profiles or objects. The first ones, are agreements for processing actions that enable applications to create an interoperable application between applications that reside in different devices and they are identified with a

pplication objects (APOs), encapsulate a set of attributes and provide


The last part of the layer is the ZDO. It implements in all network nodes and provides a base class of functionality that provides an interobjects, the device profile and the APS implementing a fourcommunication functions: Device and Service Discovery, end device bind and unbind, binding table management and network management.

During the Device Discovery ZigBee devices initiate queries either broadcast or unicast to discover other ZigBee devices on the network. On the other hand, on the Service Discovery process, services available on endpoints at the receiving device are discovered by external devices. [37]


The last part of the layer is the ZDO. It implements in all network nodes and provides a base class of functionality that provides an interface between the application objects, the device profile and the APS implementing a four-key intercommunication functions: Device and Service Discovery, end device bind and unbind, binding table management and network management.

Discovery ZigBee devices initiate queries either broadcast or unicast to discover other ZigBee devices on the network. On the other hand, on the Service Discovery process, services available on endpoints at the receiving device are

devices. [37]


The last part of the layer is the ZDO. It implements in all network nodes and face between the application

key inter-device communication functions: Device and Service Discovery, end device bind and unbind,

Discovery ZigBee devices initiate queries either broadcast or unicast to discover other ZigBee devices on the network. On the other hand, on the Service Discovery process, services available on endpoints at the receiving device are


3.6 Security on ZigBee

3.6.1 802.15.4 MAC layer security

The 802.15.4 security layer is handled at the MAC layer, below application control. The application specifies its security requirements by setting the appropriate control parameters into the radio stack. If an application does not set any parameters, then security is not enabled by default.

An application has a choice of security suites that control the type of security protection that is provided for the transmittset of security properties and guarantees, and ultimately different packet formats. The 802.15.4 specification defines eight different security suites, presented below. We can broadly classify the suites by t(AES-CTR), authentication only (AES(AES-CCM). Each category that supports authentication comes in three variants depending on the size of the MAC that security suite and has its own name. The MAC can be either 4, 8, or 16 bytes long. The tradeoff is a larger packet size for increased protection against authenticity attacks. Additionally, for each suite threplay protection.

An application indicates its choice of security suites based on source and destination addresses. 802.15.4 radio chips have an access control list (ACL) that controls what security suite and keying information to use. Compliant devices may support up to 255 ACL entries. When replay protection is invoked, the security material also includes a high water mark of the most recently received packet's identifier. As a part of the interface for sending packets, the application must specify a boolean indicating whether security is enabled. If no security is requested, the packet is sent out as it is. If security is enabled, the MAC layer looks up the destination address in its ACL table. If there is a match ACL entry, the security suite, key, and nonce specified in that ACL entry are used to encrypt and/or authenticate the outgoing packet, and the flags field on outgoing packet is set accordingly. If the destination address is not listed inACL table, a default ACL entry is used instead; the default ACL entry is similar to the other ACL entries except that it matches all destination addresses. If the default ACL entry is empty and the application has requested security, the MAC layer reterror code. On packet reception, MAC layer consults the flags field in the packet to determine if any security suites have been applied to that packet. If no security was used, the packet is passed as it is to the application. Otherwise, MAC layer similar process to find the appropriate ACL entry, this time based on the sender's address. It then applies the appropriate security suite, key, and replay counter to the incoming packet, presenting the application with an error message if no appropACL entry could be located. [35]


3.6 Security on ZigBee

3.6.1 802.15.4 MAC layer security

The 802.15.4 security layer is handled at the MAC layer, below application control. The application specifies its security requirements by setting the appropriate control parameters into the radio stack. If an application does not set any parameters, then security is not enabled by default.

An application has a choice of security suites that control the type of security protection that is provided for the transmitted data. Each security suite offers a different set of security properties and guarantees, and ultimately different packet formats. The 802.15.4 specification defines eight different security suites, presented below. We can broadly classify the suites by the properties that they offer: no security, encryption only

CTR), authentication only (AES-CBC-MAC), and encryption and authentication CCM). Each category that supports authentication comes in three variants

depending on the size of the MAC that it offers. Each variant is considered a different security suite and has its own name. The MAC can be either 4, 8, or 16 bytes long. The tradeoff is a larger packet size for increased protection against authenticity attacks. Additionally, for each suite that offers encryption, the recipient can optionally enable

An application indicates its choice of security suites based on source and destination addresses. 802.15.4 radio chips have an access control list (ACL) that

ty suite and keying information to use. Compliant devices may support up to 255 ACL entries. When replay protection is invoked, the security material also includes a high water mark of the most recently received packet's identifier. As a

ace for sending packets, the application must specify a boolean indicating whether security is enabled. If no security is requested, the packet is sent out as it is. If security is enabled, the MAC layer looks up the destination address in its ACL

f there is a match ACL entry, the security suite, key, and nonce specified in that ACL entry are used to encrypt and/or authenticate the outgoing packet, and the flags field on outgoing packet is set accordingly. If the destination address is not listed inACL table, a default ACL entry is used instead; the default ACL entry is similar to the other ACL entries except that it matches all destination addresses. If the default ACL entry is empty and the application has requested security, the MAC layer reterror code. On packet reception, MAC layer consults the flags field in the packet to determine if any security suites have been applied to that packet. If no security was used, the packet is passed as it is to the application. Otherwise, MAC layer similar process to find the appropriate ACL entry, this time based on the sender's address. It then applies the appropriate security suite, key, and replay counter to the incoming packet, presenting the application with an error message if no appropACL entry could be located. [35]


The 802.15.4 security layer is handled at the MAC layer, below application control. The application specifies its security requirements by setting the appropriate control parameters into the radio stack. If an application does not set any parameters,

An application has a choice of security suites that control the type of security ed data. Each security suite offers a different

set of security properties and guarantees, and ultimately different packet formats. The 802.15.4 specification defines eight different security suites, presented below. We can

he properties that they offer: no security, encryption only MAC), and encryption and authentication

CCM). Each category that supports authentication comes in three variants it offers. Each variant is considered a different

security suite and has its own name. The MAC can be either 4, 8, or 16 bytes long. The tradeoff is a larger packet size for increased protection against authenticity attacks.

at offers encryption, the recipient can optionally enable

An application indicates its choice of security suites based on source and destination addresses. 802.15.4 radio chips have an access control list (ACL) that

ty suite and keying information to use. Compliant devices may support up to 255 ACL entries. When replay protection is invoked, the security material also includes a high water mark of the most recently received packet's identifier. As a

ace for sending packets, the application must specify a boolean indicating whether security is enabled. If no security is requested, the packet is sent out as it is. If security is enabled, the MAC layer looks up the destination address in its ACL

f there is a match ACL entry, the security suite, key, and nonce specified in that ACL entry are used to encrypt and/or authenticate the outgoing packet, and the flags field on outgoing packet is set accordingly. If the destination address is not listed in the ACL table, a default ACL entry is used instead; the default ACL entry is similar to the other ACL entries except that it matches all destination addresses. If the default ACL entry is empty and the application has requested security, the MAC layer returns an error code. On packet reception, MAC layer consults the flags field in the packet to determine if any security suites have been applied to that packet. If no security was used, the packet is passed as it is to the application. Otherwise, MAC layer uses a similar process to find the appropriate ACL entry, this time based on the sender's address. It then applies the appropriate security suite, key, and replay counter to the incoming packet, presenting the application with an error message if no appropriate


3.6.1.1 Security objectives

There are four defined objectives in the 802.15.4 MAC layer security:

• Access control:devices from which can receive frames. This mechanismunauthorized devices to communicate to the network.• Data encryption:encryption algorithms. Only the devices that are sharing the network secret key are able to decrypt messages and commun• Frame integrity:invalid intruder and to provide assurance that the messages from the source device have not been manipulated by an invalid intruder.• Sequential freshness:accepted by the receiver and to ensure that the frame that has arrived is the recent one and not a replayed one. This is achieved by which a receiver checks the recent counter and rejects the frame which has the counless than the previous obtained counter value. [35]

3.6.1.2 Security modes

Three security modes are defined in the specification to achieve different security objectives: unsecured mode, ACL mode, and secured mode. Figure 3.9 shows the format of the ACL entry, and an ACL list includes multiple ACL entries. In Figure 3.9, the address field is composed of the source and the destination addresses. The last Initial Vector (IV) and the replay counter are the same except that the last IV ithe source device when it sends the packet, and the replay counter is used by the destination device to maintain the high water mark to avoid the replay attack. The key is a symmetric key shared between the devices. [35]

The three available security modes are described as follows:

• Unsecured mode:applications that do not require any kind of security at all.

• ACL mode: as in Figure 3.9. In the ACL mode, limited security services are provided via the ACL. In this mode only frames received from devices present in the ACL are accepted. However, no cryptographic encryption of the data is provided in ACL mode so only the first field of the ACL entry is used in this mode.


3.6.1.1 Security objectives

There are four defined objectives in the 802.15.4 MAC layer security:

Access control: It provides an Access Control List (ACL) of valid devices from which can receive frames. This mechanismunauthorized devices to communicate to the network.

Data encryption: It prevents messages from the unauthorized access via encryption algorithms. Only the devices that are sharing the network secret key are able to decrypt messages and communicate over the network.

Frame integrity: This objective is to prevent changes to be made by an invalid intruder and to provide assurance that the messages from the source device have not been manipulated by an invalid intruder.

Sequential freshness: This is to prevent the replayed message to be accepted by the receiver and to ensure that the frame that has arrived is the recent one and not a replayed one. This is achieved by which a receiver checks the recent counter and rejects the frame which has the counter value equal to or less than the previous obtained counter value. [35]

Three security modes are defined in the specification to achieve different security objectives: unsecured mode, ACL mode, and secured mode. Figure 3.9 shows the format of the ACL entry, and an ACL list includes multiple ACL entries. In Figure 3.9, the address field is composed of the source and the destination addresses. The last Initial Vector (IV) and the replay counter are the same except that the last IV ithe source device when it sends the packet, and the replay counter is used by the destination device to maintain the high water mark to avoid the replay attack. The key is a symmetric key shared between the devices. [35]

Figure 3.9. ACL entry format [30]

The three available security modes are described as follows:

Unsecured mode: This mode is to be used for those low cost applications that do not require any kind of security at all.

ACL mode: In this mode each device includes its own ACL with enas in Figure 3.9. In the ACL mode, limited security services are provided via the ACL. In this mode only frames received from devices present in the ACL are accepted. However, no cryptographic encryption of the data is provided in ACL

e first field of the ACL entry is used in this mode.


It provides an Access Control List (ACL) of valid devices from which can receive frames. This mechanism prevents the

It prevents messages from the unauthorized access via encryption algorithms. Only the devices that are sharing the network secret key

icate over the network. This objective is to prevent changes to be made by an

invalid intruder and to provide assurance that the messages from the source

s to prevent the replayed message to be accepted by the receiver and to ensure that the frame that has arrived is the recent one and not a replayed one. This is achieved by which a receiver checks

ter value equal to or

Three security modes are defined in the specification to achieve different security objectives: unsecured mode, ACL mode, and secured mode. Figure 3.9 shows the format of the ACL entry, and an ACL list includes multiple ACL entries. In Figure 3.9, the address field is composed of the source and the destination addresses. The last Initial Vector (IV) and the replay counter are the same except that the last IV is used by the source device when it sends the packet, and the replay counter is used by the destination device to maintain the high water mark to avoid the replay attack. The key is

This mode is to be used for those low cost

In this mode each device includes its own ACL with entries as in Figure 3.9. In the ACL mode, limited security services are provided via the ACL. In this mode only frames received from devices present in the ACL are accepted. However, no cryptographic encryption of the data is provided in ACL

e first field of the ACL entry is used in this mode.


• Secured mode: the corresponding security suite in use. It provides the confidentiality of the frame along with the message integrity, access contAll ACL entry field are used and the security suite on the entry is the one implemented. [35]

3.6.1.3 Security suites

Security suites may be used when a device is operating in secured mode. A security suite consists of a setsecurity services. The security suite name indicates the symmetric cryptography algorithm, mode, and integrity code bit length. The bit length of the integrity code is less than or equal to the block sizprobability that a random guess of the integrity code would be correct. This bit length does not correspond to the strength of the underlying algorithm. For all security suites in this standard, the algorithmdevice that implements security shall support the AES CCMor more additional security suites. Each security suite is specified by a 1 octet value as shown in following table; an identifier of 0x00 indicates that secured mode is not used.

Identifier Security suite name

0x00 None0x01 AES-CTR0x02 AES-CCM0x03 AES-CCM0x04 AES-CCM0x05 AES-CBC-MAC0x06 AES-CBC-0x07 AES-CBC-

Figure 3.10. 802.15.4 Security suites [35]

3.6.1.4 AES-CTR suite

This suite provides confidentiality protection usingcounter mode. To encrypt data under this mode, the sender break the cleartext packet to be sent into 16-byte blocks p

ci = pi (+) Ek(x


Secured mode: This mode provides all the security services according to the corresponding security suite in use. It provides the confidentiality of the frame along with the message integrity, access control and sequential freshness. All ACL entry field are used and the security suite on the entry is the one

Security suites may be used when a device is operating in secured mode. A security suite consists of a set of operations to perform on MAC frames that provide security services. The security suite name indicates the symmetric cryptography algorithm, mode, and integrity code bit length. The bit length of the integrity code is less than or equal to the block size of the symmetric algorithm and determines the probability that a random guess of the integrity code would be correct. This bit length does not correspond to the strength of the underlying algorithm. For all security suites in this standard, the algorithm used shall be advanced encryption standard (AES). Each device that implements security shall support the AES CCM- 64 security suite and zero or more additional security suites. Each security suite is specified by a 1 octet value as

e; an identifier of 0x00 indicates that secured mode is not used.

Security suite name

Security services

Access control

Data encryption

Frame integrity

None CTR X X

CCM-128 X X X CCM-64 X X X CCM-32 X X X

MAC-128 X X -MAC-64 X X -MAC-32 X X

Figure 3.10. 802.15.4 Security suites [35]

This suite provides confidentiality protection using the AES block cipher with counter mode. To encrypt data under this mode, the sender break the cleartext packet to

byte blocks p1..pn and computes it the following way:

(xi) where xi is each block varying counter


This mode provides all the security services according to the corresponding security suite in use. It provides the confidentiality of the

rol and sequential freshness. All ACL entry field are used and the security suite on the entry is the one

Security suites may be used when a device is operating in secured mode. A of operations to perform on MAC frames that provide

security services. The security suite name indicates the symmetric cryptography algorithm, mode, and integrity code bit length. The bit length of the integrity code is

e of the symmetric algorithm and determines the probability that a random guess of the integrity code would be correct. This bit length does not correspond to the strength of the underlying algorithm. For all security suites in

used shall be advanced encryption standard (AES). Each 64 security suite and zero

or more additional security suites. Each security suite is specified by a 1 octet value as e; an identifier of 0x00 indicates that secured mode is not used.

Security services

Frame integrity

Sequential freshness (optional)

X X X X

the AES block cipher with counter mode. To encrypt data under this mode, the sender break the cleartext packet to

is each block varying counter


The recipient recovers the original plaintext by computing:

Obviously, the recipient needs the xoriginal payload. This counter, also called nonce, is composed of a static field, the sender’s address and 3 separate counters: a 4 byte counter frame that identifies the packet, a 1 byte key counter field and a 2 byte block counter that numbers the 16 byte blocks within the packet as shown the following figure: [35]

Figure 3.11. Format of the input x

The frame counter is maintained by the hardware radio. The sender increments this counter after encrypting a new packet. As soon as it gets to the maximum value, the radio returns an error code and no more encryptions arone byte counter under the application’s control. It can be incremented in the case that the frame counter reaches its maximum possible value. The requirement is that the nonce must never repeat within the lifetime of any sand key counter is to prevent nonce reuse. The 2 byte block counter ensures that each block will use a different nonce value and it is not necessary for the sender to include it in the packet because the receiver can in

Figure 3.12. Formatting of the data field for AES

To sum up, as shown in the previous figure, the sender includes the key counter, the frame counter and the encrypted payload into the data payload field of tThe complete scheme of the CTR mode implement


recovers the original plaintext by computing:

pi = ci (+) Ek(xi)

Obviously, the recipient needs the xi counter value in order to reconstruct the original payload. This counter, also called nonce, is composed of a static field, the

separate counters: a 4 byte counter frame that identifies the packet, a 1 byte key counter field and a 2 byte block counter that numbers the 16 byte blocks within the packet as shown the following figure: [35]

Figure 3.11. Format of the input xi to the block cipher for the AES

The frame counter is maintained by the hardware radio. The sender increments this counter after encrypting a new packet. As soon as it gets to the maximum value, the radio returns an error code and no more encryptions are possible. The key counter is a one byte counter under the application’s control. It can be incremented in the case that the frame counter reaches its maximum possible value. The requirement is that the nonce must never repeat within the lifetime of any single key, and the role of the frame and key counter is to prevent nonce reuse. The 2 byte block counter ensures that each block will use a different nonce value and it is not necessary for the sender to include it in the packet because the receiver can infer its value for each block. [35]

Figure 3.12. Formatting of the data field for AES-CTR [30]

To sum up, as shown in the previous figure, the sender includes the key counter, the frame counter and the encrypted payload into the data payload field of tThe complete scheme of the CTR mode implementation is shown in Figure 3.13.


counter value in order to reconstruct the original payload. This counter, also called nonce, is composed of a static field, the

separate counters: a 4 byte counter frame that identifies the packet, a 1 byte key counter field and a 2 byte block counter that numbers the 16 byte

block cipher for the AES-CTR [30]

The frame counter is maintained by the hardware radio. The sender increments this counter after encrypting a new packet. As soon as it gets to the maximum value, the

e possible. The key counter is a one byte counter under the application’s control. It can be incremented in the case that the frame counter reaches its maximum possible value. The requirement is that the

ingle key, and the role of the frame and key counter is to prevent nonce reuse. The 2 byte block counter ensures that each block will use a different nonce value and it is not necessary for the sender to include it

fer its value for each block. [35]

CTR [30]

To sum up, as shown in the previous figure, the sender includes the key counter, the frame counter and the encrypted payload into the data payload field of the packet.

ation is shown in Figure 3.13.


3.6.1.5 AES-CBC-MAC suite

In this security suite the cryptographic operations consist on performing AESCBC-MAC authentication on the128 bit integrity codes. Access control and frame integrity are provided in this suite.

The CBC-MAC algorithm makes use of an underlying block cipher to provide data integrity on input data. The block coutput vectors of the block size using a cryptographic key. Being once a key has been selected. The vector of length equal to the block size, the output of the block cipher whrepresented as follows:

O = e(D)

The data to be authenticated is grouped into contiguous blocks, each one with length equal to the block size. If the number of data bits is not a multipof the block size, then the final input block will be a partial block of data, left justified, with zeroes appended to form a full block. The calculation of the MIC is given by the following equations where (+) represents the XOR of two vectors. [35]

O1 = e(D1)

O2 = e(D2 (+) O1)


Figure 3.13. AES-CTR suite [35]

MAC suite

In this security suite the cryptographic operations consist on performing AESMAC authentication on the MHR and MAC payload using either 32 bit, 64 bit or

128 bit integrity codes. Access control and frame integrity are provided in this suite.

MAC algorithm makes use of an underlying block cipher to provide data integrity on input data. The block cipher encrypts input vectors of the block size to output vectors of the block size using a cryptographic key. Being D any input vector once a key has been selected. The vector of length equal to the block size, the output of the block cipher when applied to D, using the enciphering operation, is

The data to be authenticated is grouped into contiguous blocks, each one with length equal to the block size. If the number of data bits is not a multipof the block size, then the final input block will be a partial block of data, left justified, with zeroes appended to form a full block. The calculation of the MIC is given by the following equations where (+) represents the XOR of two vectors. [35]


In this security suite the cryptographic operations consist on performing AES-MHR and MAC payload using either 32 bit, 64 bit or

128 bit integrity codes. Access control and frame integrity are provided in this suite.

MAC algorithm makes use of an underlying block cipher to provide ipher encrypts input vectors of the block size to

any input vector once a key has been selected. The vector of length equal to the block size, O, which is

, using the enciphering operation, is

The data to be authenticated is grouped into contiguous blocks, D1, D2, ..., Dn, each one with length equal to the block size. If the number of data bits is not a multiple of the block size, then the final input block will be a partial block of data, left justified, with zeroes appended to form a full block. The calculation of the MIC is given by the


O3 = e(D3 (+) O2)

…..

On = e(Dn (+) On–1)

The MIC is selected from capable of selecting the leftmost a multiple of 8. A block diagr

Figure 3.14. AES

3.6.1.6 AES-CCM suite

The CTR-CBC-MAC (CCM) is an authenticateusing a block cipher with 128 bit block size (AES). The CCM elements: the payload, to be both encrypted and authenticated, header, to be authenticated but not encrypted, and and the associated data. The CCM provides both the authentic


The MIC is selected from On. Devices that implement CBCcapable of selecting the leftmost M bits of On as the MIC, where 32 < M a multiple of 8. A block diagram of the MIC generation is given in the following figure:

Figure 3.14. AES-CBC-MAC suite [35]

MAC (CCM) is an authenticate-and-encrypt block cipher mode, using a block cipher with 128 bit block size (AES). The CCM requires three input elements: the payload, to be both encrypted and authenticated, associated data as the header, to be authenticated but not encrypted, and a nonce to be assigned to the payload and the associated data. The CCM provides both the authentication and encryption and


. Devices that implement CBC-MAC shall be M < 128 and M is

am of the MIC generation is given in the following figure:

encrypt block cipher mode, requires three input

associated data as the to be assigned to the payload

ation and encryption and


uses the techniques of the CTR for encryption and the CBCThe CCM is composed of two methods: generation of the MIC first and then the encryption, and requires first the decryption of the ciphertext and then the verification of the MIC.

A sender requires an input of {N is a nonce of 15 – L octets, where 0≤l(m)<28L to be encoded in a field of data consisting of a string of l(a) octets where authenticated, but not encrypted, and are not included in the output of thiFurthermore, they can be used to authenticate plaintext headers that affect the interpretation of the message. For authentication, the authentication field using the CBC-MAC. [35]

From B0, B1, ... Bn being a sequence of blocks for thblock of:

where F is one octet in length with the information:

F={Reserved

N is the nonce with Adata-bit is 0 if l(a) = 0 andM, the size of the authentication field, and 4, 6, 8, 10, 12, 14, or 16 octets, has an encoding field of off between message expansion and the probability that an attacker can undetectably modify a message. L can either be 2 to 8 octets, has an encoding field of requires a trade-off between the maximum message size and the size of the nonce based on applications. If l(a) > 0 and consequently authentication data are added including l(a) < 216-28, the length field is encoded as 2 octets. If 216field is encoded as 6 octets consisting of the octets 0 x ff, 0 x fe, and 4 octets encoding l(a). If 232≤ l(a) < 264, the length field is encoded as 10 octets consisting of the octets 0 x ff, 0 x ff, and 8 octets encoding

The blocks encoding with a and splitting the result into 16 octet blocks, padding the last block with zeroes if necessary. These blocks are appended to the first block authentication blocks have been added, add thformed by splitting the message zeroes if necessary. If m sequence of blocks B0, B1, ...


uses the techniques of the CTR for encryption and the CBC-MAC for authentication. The CCM is composed of two methods: generation-encryption that requires the generation of the MIC first and then the encryption, and decryption-requires first the decryption of the ciphertext and then the verification of the MIC.

A sender requires an input of {K, N, m, a}, where K is the AES encryption key, octets, m is the message consisting of a string of

to be encoded in a field of L octets, and a is additional authenticated data consisting of a string of l(a) octets where 0≤l(a)<264. Additional data authenticated, but not encrypted, and are not included in the output of thiFurthermore, they can be used to authenticate plaintext headers that affect the interpretation of the message. For authentication, the authentication field

being a sequence of blocks for the CBC-MAC. Consisting a

B0={F, N, l(m)}

is one octet in length with the information:

F={Reserved-bit, Adata-bit,(M-2)/2, L-1}

is the nonce with 15-L octets in length, and l(m) has L octets in length. The ) = 0 and 1 if l(a) > 0. The CCM mode has two parameter choices:

, the size of the authentication field, and L, the size of the length field. 4, 6, 8, 10, 12, 14, or 16 octets, has an encoding field of (M-2)/2, and involves a trade

age expansion and the probability that an attacker can undetectably can either be 2 to 8 octets, has an encoding field of

off between the maximum message size and the size of the nonce based ) > 0 and consequently Adata-bit=1, one or more blocks of

authentication data are added including l(a) and a encoded in a reversible manner. If 0 < 28, the length field is encoded as 2 octets. If 216-28≤ l(a) < 232, the length

ed as 6 octets consisting of the octets 0 x ff, 0 x fe, and 4 octets encoding ) < 264, the length field is encoded as 10 octets consisting of the octets 0

x ff, 0 x ff, and 8 octets encoding l(a).

The blocks encoding a are formed by concatenating the string that encodes and splitting the result into 16 octet blocks, padding the last block with zeroes if

necessary. These blocks are appended to the first block B0. After the additional authentication blocks have been added, add the message blocks. The message blocks are formed by splitting the message m into 16 octet blocks, padding the last block with

m is an empty string, no blocks are added. The result is a , ... Bn. The CBC-MAC is now computed by:

X1= Ek(B0)


MAC for authentication. that requires the -verification that

requires first the decryption of the ciphertext and then the verification of the MIC.

is the AES encryption key, is the message consisting of a string of l(m) octets

is additional authenticated . Additional data a are

authenticated, but not encrypted, and are not included in the output of this mode. Furthermore, they can be used to authenticate plaintext headers that affect the interpretation of the message. For authentication, the authentication field T is computed

MAC. Consisting a

octets in length. The ) > 0. The CCM mode has two parameter choices:

, the size of the length field. M can either be , and involves a trade-

age expansion and the probability that an attacker can undetectably can either be 2 to 8 octets, has an encoding field of L-1, and

off between the maximum message size and the size of the nonce based , one or more blocks of

encoded in a reversible manner. If 0 < ) < 232, the length

ed as 6 octets consisting of the octets 0 x ff, 0 x fe, and 4 octets encoding ) < 264, the length field is encoded as 10 octets consisting of the octets 0

tenating the string that encodes l(a) and splitting the result into 16 octet blocks, padding the last block with zeroes if

. After the additional e message blocks. The message blocks are

into 16 octet blocks, padding the last block with is an empty string, no blocks are added. The result is a


The CTR mode is used for encryption, and key stream blocks are defined as follows:

where

and

F={ Reserved

N is the nonce with The message is encrypted by XORing the octets of message octets of S1||S2||S3, ... , and note that authentication value is obtained as follows: is m(+) S||U.

For decryption, the receiver needs the encryption key additional authenticated data the key stream is generated to recover the message additional authentication data is then used to recheck T. If the T value is not correct, the receiver shexcept for the fact that T decrypted message, the value

3.6.1.7 PIB Security material

The information stored in the MAC PIB issuite selected. The symmetric key is the AES key for this ACL entry that shall be used to perform exactly one of (CTR encryption) or (CCM encryption and authentication) or (CBC-MAC authentication).

The frame counter ifield in the MAC payload of the MAC frame. This counter is incremented each time a secure frame is transmitted. This counter will not roll over. This value helps to ensure that the CCM nonce is unfreshness.

The key sequence counter is a counter that is fixed by the higher layer and that shall be included in the payload field in the MAC payload of the MAC frame. The key


Xi+1= Ek(Xi(+)Bi) for i = 1, ... , n

T= first-M-octets(Xn+1)

The CTR mode is used for encryption, and key stream blocks are defined as

Si = EK(Ai) for i = 0, 1, 2, ...

Ai ={F, N, Counter i}

F={ Reserved-bits (2 bits), 0 (3 bits), L-1 (3 bits)}

is the nonce with 15-L octets in length, and Counter has L The message is encrypted by XORing the octets of message m (+) S, where S=

, ... , and note that S0 is not used to encrypt the message. The authentication value is obtained as follows: U= T (+) first-M-octets(S0). The ciphertext

For decryption, the receiver needs the encryption key K, the nonce additional authenticated data a, and the encrypted and authenticated message the key stream is generated to recover the message m and the value T. The message and additional authentication data is then used to re-compute the CBC-MAC value and

value is not correct, the receiver shall not reveal any information T is incorrect. In particular, the receiver shall not reveal the

decrypted message, the value T, or any other information. [35]

3.6.1.7 PIB Security material

The information stored in the MAC PIB is dependent on the individual security suite selected. The symmetric key is the AES key for this ACL entry that shall be used to perform exactly one of (CTR encryption) or (CCM encryption and authentication) or

MAC authentication).

The frame counter is the running counter that shall be included in the payload field in the MAC payload of the MAC frame. This counter is incremented each time a secure frame is transmitted. This counter will not roll over. This value helps to ensure that the CCM nonce is unique and allows the recipient to use the counter to ensure



The CTR mode is used for encryption, and key stream blocks are defined as

L octets in length. (+) S, where S=l(m)

encrypt the message. The ). The ciphertext

, the nonce N, the nd authenticated message c. First,

. The message and MAC value and

all not reveal any information is incorrect. In particular, the receiver shall not reveal the

dependent on the individual security suite selected. The symmetric key is the AES key for this ACL entry that shall be used to perform exactly one of (CTR encryption) or (CCM encryption and authentication) or

s the running counter that shall be included in the payload field in the MAC payload of the MAC frame. This counter is incremented each time a secure frame is transmitted. This counter will not roll over. This value helps to ensure

ique and allows the recipient to use the counter to ensure



sequence counter can be used, for instance, if the frame counter is exhausted. This value helps to ensures that the CCM nonce is unique and allows the recipient to use the counter to ensure freshness.

The optional external frame counter and optional external key sequence couare fields that may be stored in the ACL entry that represent the values of the last received frame counter and key sequence counter, respectively, in secure frames corresponding to this ACL entry. If the optional external frame counter and optional external key sequence counter fields are included in the ACL entry, the MAC will use them to verify the sequential freshness of received secure frames. [35]

3.6.2 ZigBee specification security

3.6.2.1 Security keys

128-bit symmetric keys are used by ZigBnetwork. For unicast communication between APL entities two ZigBee devices share a Link Key (LK). It is used as the basis of security services in High Security mode (HS). All the devices on the network share a Network broadcast communications. The NK is used as the basis of security services in Standard Security mode (SS). A Master Key (MK) is used to establish a key and it is shared pairwise between two ZigBee devices.

The security keysestablishment, key transport or preCenter of the network sends the key to the device. Key Establishment is the method that is used to establish a pairwise key between two devices. Note that for this method, a pre-shared key is required between two devices. Predevice acquires the key before joining the network.

In order to avoid reuse of keys across different securiderive different keys from the LK. Uncorrelated keys can be derived using a onefunction so that execution of different security protocols can be logically separated. Three types of secret keys can be derived from a LK: aor a Key-Load Key. The derivation of these keys, except Data Key, requires computation of a Keyed-Hashing for Message Authentication Code (HMAC). All the derived keys must share the associated frame counters. [29]


be used, for instance, if the frame counter is exhausted. This value helps to ensures that the CCM nonce is unique and allows the recipient to use the counter to ensure freshness.

The optional external frame counter and optional external key sequence couare fields that may be stored in the ACL entry that represent the values of the last received frame counter and key sequence counter, respectively, in secure frames corresponding to this ACL entry. If the optional external frame counter and optional xternal key sequence counter fields are included in the ACL entry, the MAC will use

them to verify the sequential freshness of received secure frames. [35]

3.6.2 ZigBee specification security

bit symmetric keys are used by ZigBee devices to provide security to the network. For unicast communication between APL entities two ZigBee devices share a Link Key (LK). It is used as the basis of security services in High Security mode (HS). All the devices on the network share a Network Key (NK) and it is used for all broadcast communications. The NK is used as the basis of security services in Standard Security mode (SS). A Master Key (MK) is used to establish a key and it is shared pairwise between two ZigBee devices.

The security keys can be acquired in different ways, either using key establishment, key transport or pre-installation. Key Transport is the case that the Trust Center of the network sends the key to the device. Key Establishment is the method that

airwise key between two devices. Note that for this method, a shared key is required between two devices. Pre-installation is the case that the

device acquires the key before joining the network.

In order to avoid reuse of keys across different security services, it is possible to derive different keys from the LK. Uncorrelated keys can be derived using a onefunction so that execution of different security protocols can be logically separated. Three types of secret keys can be derived from a LK: a Key-Transport Key, a Data Key

Load Key. The derivation of these keys, except Data Key, requires Hashing for Message Authentication Code (HMAC). All the

derived keys must share the associated frame counters. [29]


be used, for instance, if the frame counter is exhausted. This value helps to ensures that the CCM nonce is unique and allows the recipient to use the

The optional external frame counter and optional external key sequence counter are fields that may be stored in the ACL entry that represent the values of the last received frame counter and key sequence counter, respectively, in secure frames corresponding to this ACL entry. If the optional external frame counter and optional xternal key sequence counter fields are included in the ACL entry, the MAC will use

ee devices to provide security to the network. For unicast communication between APL entities two ZigBee devices share a Link Key (LK). It is used as the basis of security services in High Security mode (HS).

Key (NK) and it is used for all broadcast communications. The NK is used as the basis of security services in Standard Security mode (SS). A Master Key (MK) is used to establish a key and it is shared

can be acquired in different ways, either using key installation. Key Transport is the case that the Trust

Center of the network sends the key to the device. Key Establishment is the method that airwise key between two devices. Note that for this method, a

installation is the case that the

ty services, it is possible to derive different keys from the LK. Uncorrelated keys can be derived using a one-way function so that execution of different security protocols can be logically separated.

Transport Key, a Data Key Load Key. The derivation of these keys, except Data Key, requires

Hashing for Message Authentication Code (HMAC). All the


3.6.2.2 Trust center

In each secure ZigBee network, there exists a unique Trust Center (TC) application which is trusted by all the devices in the network. TC distributes keys as part of network and end-toapplications devices are using MK, whereas in lowusing NK to initiate secure communication with TC. MK and NK can be obtained by either pre-installation or a kind of key transport which is called intransport. The interaction between a ZigBee device and the TC for different purposes is given in the table at next page: [29]

Figure 3.15. ZigBee device and TC interaction [29]

Security Modes TC can be configured to operate in either Standard Security mode (SS) or High Security mode (HS). In SS mode, the TC is required to maintain the SNK and control the policies of network admittance. In HS mode, the TC is required to maintain a list of all the devices in the network, all the relevant keys (MKs, LKs, HSNKs) and control the policies of network admittance. As a result, the required memory of the TC grows with the number of the devices in the network in HS mode, but not in SS mode. In addition, the implementation of the SymmetricExchange and the Mutual Entity Authentication protocols are mandatory in HS mode. [29]

3.6.2.3 Network layer security

When a NWK layer frame needs to be secured, it is secured by using AES encryption/authentication in the CCM mode of operation. The upper layers control the security processing operations by setting up the security keys, frame counters and the security level.

As shown in Figure 3.16, the secured NWK layer frame is the one that includes an Auxiliary header, and it is indicated in the Frame Control field of the header.

The Auxiliary Header includes the Frame Counter, which has the purpose of providing frame freshness and preventing processing of duplicate frames. A Secured Payload does not need to have an encrypted payload in the case only integrity prois applied.


In each secure ZigBee network, there exists a unique Trust Center (TC) application which is trusted by all the devices in the network. TC distributes keys as

to-end application configuration management. In highapplications devices are using MK, whereas in low-security applications devices are using NK to initiate secure communication with TC. MK and NK can be obtained by

installation or a kind of key transport which is called in-band unsecured key ansport. The interaction between a ZigBee device and the TC for different purposes is

given in the table at next page: [29]

Figure 3.15. ZigBee device and TC interaction [29]

Security Modes TC can be configured to operate in either Standard Security e (SS) or High Security mode (HS). In SS mode, the TC is required to maintain the

SNK and control the policies of network admittance. In HS mode, the TC is required to maintain a list of all the devices in the network, all the relevant keys (MKs, LKs,

s) and control the policies of network admittance. As a result, the required memory of the TC grows with the number of the devices in the network in HS mode, but not in SS mode. In addition, the implementation of the Symmetric

al Entity Authentication protocols are mandatory in HS mode.

3.6.2.3 Network layer security

When a NWK layer frame needs to be secured, it is secured by using AES encryption/authentication in the CCM mode of operation. The upper layers control the ecurity processing operations by setting up the security keys, frame counters and the

As shown in Figure 3.16, the secured NWK layer frame is the one that includes an Auxiliary header, and it is indicated in the Frame Control field of the

The Auxiliary Header includes the Frame Counter, which has the purpose of providing frame freshness and preventing processing of duplicate frames. A Secured Payload does not need to have an encrypted payload in the case only integrity pro


In each secure ZigBee network, there exists a unique Trust Center (TC) application which is trusted by all the devices in the network. TC distributes keys as

end application configuration management. In high-security security applications devices are

using NK to initiate secure communication with TC. MK and NK can be obtained by band unsecured key

ansport. The interaction between a ZigBee device and the TC for different purposes is

Security Modes TC can be configured to operate in either Standard Security e (SS) or High Security mode (HS). In SS mode, the TC is required to maintain the

SNK and control the policies of network admittance. In HS mode, the TC is required to maintain a list of all the devices in the network, all the relevant keys (MKs, LKs,

s) and control the policies of network admittance. As a result, the required memory of the TC grows with the number of the devices in the network in HS mode, but not in SS mode. In addition, the implementation of the Symmetric-Key Key

al Entity Authentication protocols are mandatory in HS mode.

When a NWK layer frame needs to be secured, it is secured by using AES encryption/authentication in the CCM mode of operation. The upper layers control the ecurity processing operations by setting up the security keys, frame counters and the

As shown in Figure 3.16, the secured NWK layer frame is the one that includes an Auxiliary header, and it is indicated in the Frame Control field of the network

The Auxiliary Header includes the Frame Counter, which has the purpose of providing frame freshness and preventing processing of duplicate frames. A Secured Payload does not need to have an encrypted payload in the case only integrity protection


The Security Level field in the Security Control part of the Auxiliary Header indicates which security level is applied. The level can be None, MIC (integrity protection only, with three different MIC lengths: MIC(encryption only), and ENCdifferent MIC lengths: ENCIntegrity Code (MIC) is computed using the NWK header, the Auxiliary Header and the encrypted payload.

An interesting security precaution here is hiding the security level in the last step of Outgoing Frames Processing. Although the rationale behind this action is not defined in the specification, it is clear that it is not a significant protectioeight choices. [29]

Figure 3.16. NWK layer secured frame structure [29]

3.6.2.4 Application layer security

When an APL layer frame needs to be secured, the APS sublayer is in charge to cover those security requests and it is secuin the CCM mode of operation. The APS provides an interface between NWK and APL layers through a general set of service for use of ZDO and Application Objects. The upper layers issue primitives to APS sublayer to Security includes the following services:

• The Establish KeyLink Key (LK) between two ZigBee devices. The method used for key establishment is Symmetric(MK) is the trust information used in the key establishment.

• The Transport Keytransport either a NK, LK or MK.• The Update DeviceZigBee router in order to inform the TC about an update on a device status.• The Remove Device his children should be removed from the network.


The Security Level field in the Security Control part of the Auxiliary Header indicates which security level is applied. The level can be None, MIC (integrity protection only, with three different MIC lengths: MIC-32, MIC-64, MIC(encryption only), and ENC-MIC (both encryption and integrity protection with three different MIC lengths: ENC-MIC-32, ENC-MIC-64, ENC-MIC-128). The Message Integrity Code (MIC) is computed using the NWK header, the Auxiliary Header and the

An interesting security precaution here is hiding the security level in the last step of Outgoing Frames Processing. Although the rationale behind this action is not defined in the specification, it is clear that it is not a significant protection since there are only

Figure 3.16. NWK layer secured frame structure [29]

3.6.2.4 Application layer security

When an APL layer frame needs to be secured, the APS sublayer is in charge to cover those security requests and it is secured by using AES encryption/authentication in the CCM mode of operation. The APS provides an interface between NWK and APL layers through a general set of service for use of ZDO and Application Objects. The upper layers issue primitives to APS sublayer to use its services. The APS Layer Security includes the following services:

Establish Key service, which is the mechanism for establishing a Link Key (LK) between two ZigBee devices. The method used for key establishment is Symmetric-Key Key Exchange (SKKE). Besides, Master Key (MK) is the trust information used in the key establishment.

Transport Key service provides secure or unsecure means to transport either a NK, LK or MK.

Update Device service is meant to provide secure means for a uter in order to inform the TC about an update on a device status.

Remove Device service is used to inform a ZigBee router that one of his children should be removed from the network.


The Security Level field in the Security Control part of the Auxiliary Header indicates which security level is applied. The level can be None, MIC (integrity

64, MIC-128), ENC MIC (both encryption and integrity protection with three

128). The Message Integrity Code (MIC) is computed using the NWK header, the Auxiliary Header and the

An interesting security precaution here is hiding the security level in the last step of Outgoing Frames Processing. Although the rationale behind this action is not defined

n since there are only

When an APL layer frame needs to be secured, the APS sublayer is in charge to red by using AES encryption/authentication

in the CCM mode of operation. The APS provides an interface between NWK and APL layers through a general set of service for use of ZDO and Application Objects. The

use its services. The APS Layer

service, which is the mechanism for establishing a Link Key (LK) between two ZigBee devices. The method used for key

KE). Besides, Master Key

service provides secure or unsecure means to

service is meant to provide secure means for a uter in order to inform the TC about an update on a device status.

service is used to inform a ZigBee router that one of


• The Request Keyor the end-to-end application MK from another device.

• The Switch Keydevices to switch to the alternate NK.• The Entity Authenticationdevices based on a sha• The Permission Configuration Table (PCT) which devices have authorization to perform which commands and if security based on LK is necessary.

The services of the APS sublayer are issued in APS Command Frames. The structure of the APS Command Frames is given in Figure. XX. The first two fields of all the frames, the Frame Counter and the APS Counter, form the APS Header. The remaining fields form the APS Payload, whose first field APS Command Identifier indicates the type of the command frame.

There are some important points regarding the APS command frames. Key Establishment command frames are sent unsecured. The Status field of the UpdateDevice command indicates the security mode (SS/HS), the security of the frame (Secured/Unsecured), and the type of the join (Join/Rejoin); unless the device is leaving. Partner Address field of the Requesttype is NK or TCLK (TCLK means LK of the TC). The MK/LK pairs and the relevant information are stored in the APS Layer Information Base (AIB). [29]

Figure 3.17. APS Command frames [29]


Request Key service is used for a device request for the active end application MK from another device.

Switch Key service provides secure means for TC to inform network devices to switch to the alternate NK.

Entity Authentication service provides authenticity between two devices based on a shared secret.

Permission Configuration Table (PCT) stores the information of which devices have authorization to perform which commands and if security based on LK is necessary.

The services of the APS sublayer are issued in APS Command Frames. The cture of the APS Command Frames is given in Figure. XX. The first two fields of

all the frames, the Frame Counter and the APS Counter, form the APS Header. The remaining fields form the APS Payload, whose first field APS Command Identifier

pe of the command frame.

There are some important points regarding the APS command frames. Key Establishment command frames are sent unsecured. The Status field of the UpdateDevice command indicates the security mode (SS/HS), the security of the frame

ecured/Unsecured), and the type of the join (Join/Rejoin); unless the device is leaving. Partner Address field of the Request-Key command is not present when the key type is NK or TCLK (TCLK means LK of the TC). The MK/LK pairs and the relevant

are stored in the APS Layer Information Base (AIB). [29]

Figure 3.17. APS Command frames [29]


service is used for a device request for the active NK

service provides secure means for TC to inform network

service provides authenticity between two

stores the information of which devices have authorization to perform which commands and if security

The services of the APS sublayer are issued in APS Command Frames. The cture of the APS Command Frames is given in Figure. XX. The first two fields of

all the frames, the Frame Counter and the APS Counter, form the APS Header. The remaining fields form the APS Payload, whose first field APS Command Identifier

There are some important points regarding the APS command frames. Key Establishment command frames are sent unsecured. The Status field of the Update-Device command indicates the security mode (SS/HS), the security of the frame

ecured/Unsecured), and the type of the join (Join/Rejoin); unless the device is Key command is not present when the key

type is NK or TCLK (TCLK means LK of the TC). The MK/LK pairs and the relevant


3.6.2.4.1 Symmetric-Key Key Establishment Protocol

In the Symmetric-Key Key Establishment (SKKE) protocol, an initiator device U establishes a LK, or LKMKUV. In the first two messages, the devices exchange their 16last two messages, the devices exchange the data they have computed using the challenges and the device identities. Ntakes two parameters: the shared secret bit string, and the length of the keying data to be generated. After verifying that they received the correct values, they use another value as the LK that both of them can compute. The Data field in a SKKE frame stores the value of either a challenge or a MAC tag. [29]

Figure 3.18. SKKE Protocol (H: Hash function, MAC: HMAC function, ||: Concatenation, 0x: Hexadecimal) [29]

3.6.2.4.2 Mutual Entity Authentication pro

In the Mutual Entity Authentication (MEA) protocol, an initiator device U and a responder device V mutually authenticate each other based on a secret key (NK). The devices authenticate each other by using random challenges with responses based on a


Key Key Establishment Protocol

Key Key Establishment (SKKE) protocol, an initiator device U establishes a LK, or LKUV, with a responder device V using a shared secret MK or

. In the first two messages, the devices exchange their 16-byte challenges. In the last two messages, the devices exchange the data they have computed using the challenges and the device identities. Note that kdf is the key derivation function that takes two parameters: the shared secret bit string, and the length of the keying data to be generated. After verifying that they received the correct values, they use another value

m can compute. The Data field in a SKKE frame stores the value of either a challenge or a MAC tag. [29]

Figure 3.18. SKKE Protocol (H: Hash function, MAC: HMAC function, ||: Concatenation, 0x: Hexadecimal) [29]

3.6.2.4.2 Mutual Entity Authentication protocol



Key Key Establishment (SKKE) protocol, an initiator device th a responder device V using a shared secret MK or

byte challenges. In the last two messages, the devices exchange the data they have computed using the

is the key derivation function that takes two parameters: the shared secret bit string, and the length of the keying data to be generated. After verifying that they received the correct values, they use another value

m can compute. The Data field in a SKKE frame stores the

Figure 3.18. SKKE Protocol (H: Hash function, MAC: HMAC function, ||:



NK. In the first two messages, the devices exchange their challenges. Note that, OFC stands for the Outgoing Frame Counter of the device. In the last two messages, the devices exchange the data they have computed using their information and their frame counter values. They use the frame counter values they received and their previous knowledge to verify that they received the correct values, and thereby authenticate each other. [29]

Figure 3.19. MEA Protocol (MAC: HMAC function, ||: Concatenation, 0x:


NK. In the first two messages, the devices exchange their challenges. Note that, OFC stands for the Outgoing Frame Counter of the device. In the last two messages, the devices exchange the data they have computed using their information and their frame

nter values. They use the frame counter values they received and their previous knowledge to verify that they received the correct values, and thereby authenticate each

Figure 3.19. MEA Protocol (MAC: HMAC function, ||: Concatenation, 0x: Hexadecimal) [29]


NK. In the first two messages, the devices exchange their challenges. Note that, OFC stands for the Outgoing Frame Counter of the device. In the last two messages, the devices exchange the data they have computed using their information and their frame

nter values. They use the frame counter values they received and their previous knowledge to verify that they received the correct values, and thereby authenticate each

Figure 3.19. MEA Protocol (MAC: HMAC function, ||: Concatenation, 0x:


3.7 Possible attacks on 802.15.4 security

3.7.1 Same-nonce attack

There is a chance that in a sender’s ACL entry table, there are entries with the same key and the same nonce. If such a thing happens, a security attack is posNote that the nonce is also used as the frame counter. The risky scenario happens when there are two plaintexts (P1

and the same nonce (N), and an attacker can obtain CP2. Then the adversary can obtain Pand the keys are the same although the adversary does not know the key. The adversary may obtain much useful information from Psituations such as power failure, sleep mode, and etc. Same keys happen in many situations too such as using broadcasting key, using grouping key, and etc. [31]

3.7.2 Replay-protection attack

In the IEEE 802.15.4 specification, the replayed messreplay protection mechanism known as sequential freshness. This is achieved by which a receiver checks the recent counter and rejects the frame which has the counter value equal to or less than the previous obtained counter. Howevermechanism is subjected to another attack, called Replaykind of Denial-of-Service attacks. Replayattacker is capable of sending many frames containing diffa receiver, who performs replay protection and raises the replay counter up as the largest frame counter in the receiver so far. Then, when a normal station sends a frame with a reasonable size of frame counter that is smallermaintained at the receiver, the frame will be discarded for the replayand consequently the service will be denied. [31]

3.7.3 ACK attack

There is no integrity protection provided on ACK frames. When a sender sframe, it can request an ACK frame from the receiver by setting the bit flags in the outgoing data frame.

The eavesdropper can forge the ACK frame by using the unnumber from the data frame. If an attacker does not want a particureceived by the receiver, he can send interference to the receiver at the same time when


3.7 Possible attacks on 802.15.4 security

nonce attack

There is a chance that in a sender’s ACL entry table, there are entries with the same key and the same nonce. If such a thing happens, a security attack is posNote that the nonce is also used as the frame counter. The risky scenario happens when

1, P2) and two ciphertexts (C1 and C2) using the same key (K) and the same nonce (N), and an attacker can obtain C1 and C2, but cannot

. Then the adversary can obtain P1 (+) P2 = C1 (+) C1 since the counters are the same and the keys are the same although the adversary does not know the key. The adversary may obtain much useful information from P1 (+) P2. Same nonce occurssituations such as power failure, sleep mode, and etc. Same keys happen in many situations too such as using broadcasting key, using grouping key, and etc. [31]

protection attack

In the IEEE 802.15.4 specification, the replayed message is prevented by the replay protection mechanism known as sequential freshness. This is achieved by which a receiver checks the recent counter and rejects the frame which has the counter value equal to or less than the previous obtained counter. However, this replay protection mechanism is subjected to another attack, called Replay-Protection attack, which is one

Service attacks. Replay-protection attacks may be launched when an attacker is capable of sending many frames containing different large frame counters to a receiver, who performs replay protection and raises the replay counter up as the largest frame counter in the receiver so far. Then, when a normal station sends a frame with a reasonable size of frame counter that is smaller than the replay counter maintained at the receiver, the frame will be discarded for the replay-protection purpose and consequently the service will be denied. [31]

There is no integrity protection provided on ACK frames. When a sender sframe, it can request an ACK frame from the receiver by setting the bit flags in the

The eavesdropper can forge the ACK frame by using the un-encrypted sequence number from the data frame. If an attacker does not want a particureceived by the receiver, he can send interference to the receiver at the same time when


There is a chance that in a sender’s ACL entry table, there are entries with the same key and the same nonce. If such a thing happens, a security attack is possible. Note that the nonce is also used as the frame counter. The risky scenario happens when

) using the same key (K) , but cannot obtain P1 and

since the counters are the same and the keys are the same although the adversary does not know the key. The adversary

. Same nonce occurs in many situations such as power failure, sleep mode, and etc. Same keys happen in many situations too such as using broadcasting key, using grouping key, and etc. [31]

age is prevented by the replay protection mechanism known as sequential freshness. This is achieved by which a receiver checks the recent counter and rejects the frame which has the counter value

, this replay protection Protection attack, which is one

protection attacks may be launched when an erent large frame counters to

a receiver, who performs replay protection and raises the replay counter up as the largest frame counter in the receiver so far. Then, when a normal station sends a frame

than the replay counter protection purpose

There is no integrity protection provided on ACK frames. When a sender sends a frame, it can request an ACK frame from the receiver by setting the bit flags in the

encrypted sequence number from the data frame. If an attacker does not want a particular frame to be received by the receiver, he can send interference to the receiver at the same time when


the sender is sending the data frame. This leads to reject the frame. The adversary can then send a forged ACK frame fooling the sender that the receivthe frame. Therefore, a sender cannot be sure if the received frame came from the receiver or another node even if the receiver received the ACK frame. [31]

3.7.4 Jamming attack

A jamming attack is the wireless equivalent of a DeIt is simple and effective, especially in single frequency networks. It aims to weaken or zero-out the availability of system services. At PHY layer, a jamming attack can be easily carried out by continuously sending out radiotransmission power. All needed is a PHY compliant transmitter. What makes the ZigBee networks even more vulnerable to jamming attacks is their extremely low transmission power. [33]

3.7.5 Exhaustion

Exhaustion attacks are aavailability. One common exhaustion attack is to exploit some initiation or connection procedures, like association procedures, that require both nodes involved to store some state values in their memory.within its reach, notwithstanding the protocol demands that each device be associated only with one coordinator. [33]

A more powerful attack can be launched by a compromised coordinator, who allures large number of nodes to associate with it by appearing to be a coordinator with high link quality (LQ) or low level in the tree. After that, it can simply send out deliberately configured beacons to force all the devices to stay active for most of the time, resulting in quick battery depletions at those devices. [33]

Figure 3.20. Exhaustion attack [33]


the sender is sending the data frame. This leads to reject the frame. The adversary can then send a forged ACK frame fooling the sender that the receiver successfully received the frame. Therefore, a sender cannot be sure if the received frame came from the receiver or another node even if the receiver received the ACK frame. [31]

A jamming attack is the wireless equivalent of a Denial of Service (DoS) attack. It is simple and effective, especially in single frequency networks. It aims to weaken or

out the availability of system services. At PHY layer, a jamming attack can be easily carried out by continuously sending out radio signals using relatively high transmission power. All needed is a PHY compliant transmitter. What makes the ZigBee networks even more vulnerable to jamming attacks is their extremely low

Exhaustion attacks are a type of DoS attacks from the point view of service availability. One common exhaustion attack is to exploit some initiation or connection procedures, like association procedures, that require both nodes involved to store some state values in their memory. A device can try to associate with all the coordinators within its reach, notwithstanding the protocol demands that each device be associated only with one coordinator. [33]

A more powerful attack can be launched by a compromised coordinator, who large number of nodes to associate with it by appearing to be a coordinator with

high link quality (LQ) or low level in the tree. After that, it can simply send out deliberately configured beacons to force all the devices to stay active for most of the

me, resulting in quick battery depletions at those devices. [33]

Figure 3.20. Exhaustion attack [33]


the sender is sending the data frame. This leads to reject the frame. The adversary can er successfully received

the frame. Therefore, a sender cannot be sure if the received frame came from the receiver or another node even if the receiver received the ACK frame. [31]

nial of Service (DoS) attack. It is simple and effective, especially in single frequency networks. It aims to weaken or

out the availability of system services. At PHY layer, a jamming attack can be signals using relatively high

transmission power. All needed is a PHY compliant transmitter. What makes the ZigBee networks even more vulnerable to jamming attacks is their extremely low

type of DoS attacks from the point view of service availability. One common exhaustion attack is to exploit some initiation or connection procedures, like association procedures, that require both nodes involved to store some

A device can try to associate with all the coordinators within its reach, notwithstanding the protocol demands that each device be associated

A more powerful attack can be launched by a compromised coordinator, who large number of nodes to associate with it by appearing to be a coordinator with

high link quality (LQ) or low level in the tree. After that, it can simply send out deliberately configured beacons to force all the devices to stay active for most of the


3.7.6 Collision

Collision attacks are often launched by deviating from the protocols rather than blindly as in the jamming attacks. An attacker can seleespecially to some sensitive control and management frames. For example, collision with an ACK frame will cause the sender to back off exponentially; collision with an association response frame will force the device to start theprocedure from the very beginning; and collision with several beacon frames from a beacon enabled coordinator will cause its children to get orphaned. By creating collisions selectively, an attacker can make the attacks look like ran

3.7.7 Unfairness

Unfairness attacks can substantially degrade the network performance, though normally not shut down the whole network. Media access points are one of the most vulnerable places where unfairness attacks can be launched. Unslotted CSMAused for channel access in nonaccess during the contention access period (CAP) in beacon enabled mode. In beacon enabled mode, a cheating nodbeacon, by simply skipping the backbeacon enabled mode, a cheating node can also get some priority in accessing the channel by using smaller backmessages one after another, a cheating node has a good chance of keeping the control of the channel. Other nodes have little chance of transmitting their messages before the cheating node finishes all its transmi


Collision attacks are often launched by deviating from the protocols rather than blindly as in the jamming attacks. An attacker can selectively create collisions, especially to some sensitive control and management frames. For example, collision with an ACK frame will cause the sender to back off exponentially; collision with an association response frame will force the device to start the multistep association procedure from the very beginning; and collision with several beacon frames from a beacon enabled coordinator will cause its children to get orphaned. By creating collisions selectively, an attacker can make the attacks look like random collisions. [33]

Figure 3.21. Collision attack [33]

Unfairness attacks can substantially degrade the network performance, though normally not shut down the whole network. Media access points are one of the most

here unfairness attacks can be launched. Unslotted CSMAused for channel access in non-beacon enabled mode and slotted CSMAaccess during the contention access period (CAP) in beacon enabled mode. In beacon enabled mode, a cheating node can capture the channel immediately after it receives a beacon, by simply skipping the back-off process as well as the CCA process. In nonbeacon enabled mode, a cheating node can also get some priority in accessing the channel by using smaller back-off period and/or CCA duration. By transmitting messages one after another, a cheating node has a good chance of keeping the control of the channel. Other nodes have little chance of transmitting their messages before the cheating node finishes all its transmissions. This problem comes because of the fact


Collision attacks are often launched by deviating from the protocols rather than ctively create collisions,

especially to some sensitive control and management frames. For example, collision with an ACK frame will cause the sender to back off exponentially; collision with an

multistep association procedure from the very beginning; and collision with several beacon frames from a beacon enabled coordinator will cause its children to get orphaned. By creating

dom collisions. [33]

Unfairness attacks can substantially degrade the network performance, though normally not shut down the whole network. Media access points are one of the most

here unfairness attacks can be launched. Unslotted CSMA-CA is beacon enabled mode and slotted CSMA-CA for channel

access during the contention access period (CAP) in beacon enabled mode. In beacon e can capture the channel immediately after it receives a

off process as well as the CCA process. In non-beacon enabled mode, a cheating node can also get some priority in accessing the

period and/or CCA duration. By transmitting messages one after another, a cheating node has a good chance of keeping the control of the channel. Other nodes have little chance of transmitting their messages before the

ssions. This problem comes because of the fact


that, unlike in 802.11, no strict mechanism is used in 802.15.4 to prevent other transmission from happening between a frame and its corresponding ACK. [33]

Figure 3.22. Unfairness attack [33]

3.8 Possible attacks to ZigBee NWK layer

3.8.1 Route disruption in the cluster

As shown in the figure below, an attacker can repeatedly send association requests to a coordinator, each time with a different forged IEEE device address. Thecoordinator under attack will soon reach its association request will be rejected by the coordinator. Such attacks are especially powerful when launched at a small level of the tree, as closer as possible to the roothe tree. [33]

Figure 3.23. Route disruption in the cluster tree attack (compromised device) [33]



Figure 3.22. Unfairness attack [33]

attacks to ZigBee NWK layer

3.8.1 Route disruption in the cluster-tree by a compromised device

As shown in the figure below, an attacker can repeatedly send association requests to a coordinator, each time with a different forged IEEE device address. Thecoordinator under attack will soon reach its Cm capacity. Afterwards, any legitimate association request will be rejected by the coordinator. Such attacks are especially powerful when launched at a small level of the tree, as closer as possible to the roo




tree by a compromised device

As shown in the figure below, an attacker can repeatedly send association requests to a coordinator, each time with a different forged IEEE device address. The

capacity. Afterwards, any legitimate association request will be rejected by the coordinator. Such attacks are especially powerful when launched at a small level of the tree, as closer as possible to the root of



3.8.2 Route disruption in the clustercoordinator

A compromised coordinator can perform another type of attack. The coordinatoA can capture the devices around it by announcing itself as an extremely good coordinator if possible at very small level in the tree. After attracted large number of devices, the coordinator can then perform various attacks such as dropping or selectively dropping packets, broadcasting specially configured beacons to keep all those devices from entering low energy consumption states, and controlling the subformation. In the figure at next page, this kind of attack is illustrated.

Figure 3.24. Route disruption in the cluster tree attack (compromised coordinator) [33]

3.8.3 Loop in the cluster

A tree is normally loopto form a loop among its children. The problem lies in the fact thatpower to assign a short address (together with other clusterLm and current level Li) to the device asking for association. This is necessary for forming a useful cluster-tree, but problems including routi

In the figure below, the left part is the logical structure of a cluster= 2 and Lm = 4, the middle part is the logical structure of a clusterLm = 3, and the right part is the physical structure of a numbers within the circle are the short addresses assigned during associations. In the right part, the malicious coordinator (with short address 1) can manipulate the associations and assign short addresses 9, 10, 13 to the thbelieve that they have the triplet (parent, 3), respectively. All the triplets are valid with respect to clusteralgorithm, so the devices cannot find anything abnor


3.8.2 Route disruption in the cluster-tree by a compromised

A compromised coordinator can perform another type of attack. The coordinatoA can capture the devices around it by announcing itself as an extremely good coordinator if possible at very small level in the tree. After attracted large number of devices, the coordinator can then perform various attacks such as dropping or

ly dropping packets, broadcasting specially configured beacons to keep all those devices from entering low energy consumption states, and controlling the subformation. In the figure at next page, this kind of attack is illustrated.

ute disruption in the cluster tree attack (compromised coordinator) [33]

3.8.3 Loop in the cluster-tree

A tree is normally loop-free. However, it is possible for a malicious coordinator to form a loop among its children. The problem lies in the fact that a coordinator has the power to assign a short address (together with other cluster-tree parameters such as

) to the device asking for association. This is necessary for tree, but problems including routing loops can arise.

In the figure below, the left part is the logical structure of a cluster= 4, the middle part is the logical structure of a cluster-tree with

= 3, and the right part is the physical structure of a certain network area. All the numbers within the circle are the short addresses assigned during associations. In the right part, the malicious coordinator (with short address 1) can manipulate the associations and assign short addresses 9, 10, 13 to the three devices, and make them believe that they have the triplet (parent, Cm, Lm) values (1, 2, 4), (9, 2, 4), and (10, 3, 3), respectively. All the triplets are valid with respect to clusteralgorithm, so the devices cannot find anything abnormal in terms of tree parameters.


tree by a compromised

A compromised coordinator can perform another type of attack. The coordinator A can capture the devices around it by announcing itself as an extremely good coordinator if possible at very small level in the tree. After attracted large number of devices, the coordinator can then perform various attacks such as dropping or

ly dropping packets, broadcasting specially configured beacons to keep all those devices from entering low energy consumption states, and controlling the sub-tree

ute disruption in the cluster tree attack (compromised coordinator) [33]

free. However, it is possible for a malicious coordinator a coordinator has the

tree parameters such as Cm, ) to the device asking for association. This is necessary for

ng loops can arise.

In the figure below, the left part is the logical structure of a cluster-tree with Cm tree with Cm = 3 and

certain network area. All the numbers within the circle are the short addresses assigned during associations. In the right part, the malicious coordinator (with short address 1) can manipulate the

ree devices, and make them ) values (1, 2, 4), (9, 2, 4), and (10, 3,

3), respectively. All the triplets are valid with respect to cluster-tree formation mal in terms of tree parameters.


The Cm and Lm are values passed down from coordinator, and no authentication or verification is required. Therefore, all the triplets are just good enough to all the devices. After the associations of all the three devices,sending a packet to any of the three devices, indicating the destination short address is 14 or 15. According to clusterdevices. [33]

Figure 3.25. Loop in the clus


are values passed down from coordinator, and no authentication or verification is required. Therefore, all the triplets are just good enough to all the devices. After the associations of all the three devices, the coordinator can trigger a loop by sending a packet to any of the three devices, indicating the destination short address is 14 or 15. According to cluster-tree routing, the packet will loop among the three

Figure 3.25. Loop in the cluster-tree [33]


are values passed down from coordinator, and no authentication or verification is required. Therefore, all the triplets are just good enough to all the devices.

the coordinator can trigger a loop by sending a packet to any of the three devices, indicating the destination short address is

tree routing, the packet will loop among the three


3.9 ZigBee solutions

3.9.1 Freescale solution

3.9.1.1 Freescale electronic three

Polyphase electricity meters are used both in residential and commercial smart metering applications and they represent an important part of smart grids deployment. These meters are capable of measuring active, reactive and apparent energy and include flash upgrade, connectivity and anti

Figure 3.26. Polyphase electricity m

As shown in the previous figure, only some of the parts of the complete metring diagram are provided by Freescale, but they are the most important ones:

• MCF51EM256:V1 MCU with embedperipherals • 56F802X: A digital signal controller in PLM• MC13224V:external antenna in order to implement a ZigBee application.

The smart meter meteand includes tamper detection features and a highIts comprehensive reference design contains all necessary hardware and software resources to make smart metering ap

For further information on Freescale ZigBee solution go to:


3.9 ZigBee solutions

3.9.1 Freescale solution

3.9.1.1 Freescale electronic three-phase electricity meter

Polyphase electricity meters are used both in residential and commercial smart and they represent an important part of smart grids deployment.

These meters are capable of measuring active, reactive and apparent energy and include flash upgrade, connectivity and anti-tampering security features.

Figure 3.26. Polyphase electricity meter diagram [39]


MCF51EM256: A smart meter 32-bit SoC. It is equipped with ColdFire V1 MCU with embedded LCD controller, 16-bit ADC and metrology specific

A digital signal controller in PLM MC13224V: A RF Low Power platform in package that needs only an

external antenna in order to implement a ZigBee application.

The smart meter meter is specially optimized for smart metering applications and includes tamper detection features and a high-precision Real Time Clock (iRTC). Its comprehensive reference design contains all necessary hardware and software resources to make smart metering applications deployment quick and easy. [39]

For further information on Freescale ZigBee solution go to: www.freescale.com


Polyphase electricity meters are used both in residential and commercial smart and they represent an important part of smart grids deployment.

These meters are capable of measuring active, reactive and apparent energy and include


bit SoC. It is equipped with ColdFire bit ADC and metrology specific

A RF Low Power platform in package that needs only an

r is specially optimized for smart metering applications precision Real Time Clock (iRTC).

Its comprehensive reference design contains all necessary hardware and software plications deployment quick and easy. [39]

www.freescale.com


3.9.2 Texas Instruments solution

3.9.2.1 CC2530 ZigBee SoC solution

The CC2530 is a low point to point and star or ZigBee PRO mesh network applications. There are four different version of this SoC: CC22530corresponding amount in KB of flash performance RF transceiver and an industry

Figure 3.27. CC2530 block diagram [42]

Many benefits make this SoC a great option for implementing a smart metering solution. It is capable of supporting ZigBee, ZigBee PRO, ZigBee RF4CE, 6LoWPAN and all solutions based on IEEE 802.15.4. It performs a very low current consumption either on RX or TX ensuring a long lifetime for its battery. Its design was thought for many applications such as remote controls, home/building automation, industrial control and monitoring, low-power wireless sensor network and the one we are interested on smart energy and automated meter reading. [42]


3.9.2 Texas Instruments solution

3.9.2.1 CC2530 ZigBee SoC solution

The CC2530 is a low power SoC solution specifically designed for IEE 802.15.4 point to point and star or ZigBee PRO mesh network applications. There are four different version of this SoC: CC22530-F32/64/128/256, each one equipped with the corresponding amount in KB of flash memory. It is equipped with an integrated highperformance RF transceiver and an industry-standard enhanced 8051 MCU.

Figure 3.27. CC2530 block diagram [42]

Many benefits make this SoC a great option for implementing a smart metering apable of supporting ZigBee, ZigBee PRO, ZigBee RF4CE, 6LoWPAN

and all solutions based on IEEE 802.15.4. It performs a very low current consumption either on RX or TX ensuring a long lifetime for its battery. Its design was thought for

ch as remote controls, home/building automation, industrial control power wireless sensor network and the one we are interested on

smart energy and automated meter reading. [42]


power SoC solution specifically designed for IEE 802.15.4 point to point and star or ZigBee PRO mesh network applications. There are four

F32/64/128/256, each one equipped with the memory. It is equipped with an integrated high-

standard enhanced 8051 MCU.

Many benefits make this SoC a great option for implementing a smart metering apable of supporting ZigBee, ZigBee PRO, ZigBee RF4CE, 6LoWPAN

and all solutions based on IEEE 802.15.4. It performs a very low current consumption either on RX or TX ensuring a long lifetime for its battery. Its design was thought for

ch as remote controls, home/building automation, industrial control power wireless sensor network and the one we are interested on


The CC2530 Systemfollowing chart:

Figure 3.28. CC2530 general characteristics [42]

For further information in CC2530 SoC go to:


The CC2530 System-on-Chip general characteristics are pre

Figure 3.28. CC2530 general characteristics [42]

For further information in CC2530 SoC go to: www.ti.com


Chip general characteristics are presented in the


4. Raconet

4.1 Introduction

EMH metering has developed an innovative and future orientated meter readout system which operates on the basis of short range radio. It operates in the ISM (Industrial, Scientific and Medical) free license band in the 868 MHz frequency.

Raconet is a dynamic, easycommunications between the data collector and EMH smart meters, both described in section about EMH metering solutions for Raconet. The electricity meters are equipped with a radio transceiver whose consumption is saved centrally and independent of the measuring station. Moreoveand organizing the network. Through telephone or mobile radio network the consumption data can be retrieved by the control center comfortably and at all times. This means that there no need to makemeters and that on site read outs are no longer required.

Meanwhile communications between devices inside Raconet network are performed through wireless radio links, the energy supplying company has access to allinformation stored in the data collector via an electrical interface which can be either RS485, RS232 or CL0. Additionally, the data collector is equipped with the D0 optical data interface for reading out on site. [53]

Figure 4.1. Raconet network exam


EMH metering has developed an innovative and future orientated meter readout ystem which operates on the basis of short range radio. It operates in the ISM

(Industrial, Scientific and Medical) free license band in the 868 MHz frequency.

Raconet is a dynamic, easy-to-install network system for bithe data collector and EMH smart meters, both described in

section about EMH metering solutions for Raconet. The electricity meters are equipped with a radio transceiver whose consumption is saved centrally and independent of the measuring station. Moreover, the data collector is capable of automatically managing and organizing the network. Through telephone or mobile radio network the consumption data can be retrieved by the control center comfortably and at all times. This means that there no need to make any appointment for reading out data from meters and that on site read outs are no longer required.

Meanwhile communications between devices inside Raconet network are performed through wireless radio links, the energy supplying company has access to allinformation stored in the data collector via an electrical interface which can be either RS485, RS232 or CL0. Additionally, the data collector is equipped with the D0 optical data interface for reading out on site. [53]

Figure 4.1. Raconet network example deployment [53]


EMH metering has developed an innovative and future orientated meter readout ystem which operates on the basis of short range radio. It operates in the ISM

(Industrial, Scientific and Medical) free license band in the 868 MHz frequency.

install network system for bi-directional the data collector and EMH smart meters, both described in

section about EMH metering solutions for Raconet. The electricity meters are equipped with a radio transceiver whose consumption is saved centrally and independent of the

r, the data collector is capable of automatically managing and organizing the network. Through telephone or mobile radio network the consumption data can be retrieved by the control center comfortably and at all times.

any appointment for reading out data from

Meanwhile communications between devices inside Raconet network are performed through wireless radio links, the energy supplying company has access to all information stored in the data collector via an electrical interface which can be either RS485, RS232 or CL0. Additionally, the data collector is equipped with the D0 optical


4.2 Raconet network global performance

The raconet network is ruled by the data collector. It the central interface through which any communication inside the network passes. Besides, the data collector configures controls and monitonetwork for any changes such as the attachment or detachment of a device and respond to the changes independently and flexibly. A layout of the raconet network is depicted in the following figure: [53]

Figure 4.2. System layout of a raconet network [53]

During the network startbroadcast message to all meters in its range and these meters respond with their identifier and the RSSI value (Received SignThis RSSI value specifies the quality of the signal strength received by the meter from the data collector. Afterwards, the data collector creates an overview including a list of all meters detected, their RSShave been depicted in the network overview, are requested one by one to search for additional meters than may be found in the area but not reachable from the data collector and receive their identifthis information a new network overview is created. In regular time intervals the network is reviewed and checked for new devices.


4.2 Raconet network global performance

The raconet network is ruled by the data collector. It the central interface through which any communication inside the network passes. Besides, the data collector configures controls and monitors the entire network. It is capable of checking the network for any changes such as the attachment or detachment of a device and respond to the changes independently and flexibly. A layout of the raconet network is depicted in the following figure: [53]

Figure 4.2. System layout of a raconet network [53]

During the network start-up process performance, the data collector sends a broadcast message to all meters in its range and these meters respond with their identifier and the RSSI value (Received Signal Strength Indication) to the data collector. This RSSI value specifies the quality of the signal strength received by the meter from the data collector. Afterwards, the data collector creates an overview including a list of all meters detected, their RSSI value and the communication path. Then, all meters than have been depicted in the network overview, are requested one by one to search for additional meters than may be found in the area but not reachable from the data collector and receive their identifiers and RSSI values. Once the data collector receives this information a new network overview is created. In regular time intervals the network is reviewed and checked for new devices.


The raconet network is ruled by the data collector. It the central interface through which any communication inside the network passes. Besides, the data collector

rs the entire network. It is capable of checking the network for any changes such as the attachment or detachment of a device and respond to the changes independently and flexibly. A layout of the raconet network is depicted

up process performance, the data collector sends a broadcast message to all meters in its range and these meters respond with their

al Strength Indication) to the data collector. This RSSI value specifies the quality of the signal strength received by the meter from the data collector. Afterwards, the data collector creates an overview including a list of

I value and the communication path. Then, all meters than have been depicted in the network overview, are requested one by one to search for additional meters than may be found in the area but not reachable from the data

iers and RSSI values. Once the data collector receives this information a new network overview is created. In regular time intervals the


Once the start up process is finalized, the meters are able to begin metering purposes and they sent their collected data to the data collector. The data collector in responsible for accumulating all metering data from meters and sending it to the control center of the power supplying company for billing purposes.

In consequence of the previous described management process, any changes that may happen in the raconet network are quickly detected and a flexible response is presented by the data collector. Hence, the network does almost not even require maintenance. By means of network management software, the network can be configured and managed manually using the software tools provided by EMH metering and describe in the section about EMH

4.3 Raconet layers

Since it is a proprietarpossible to found specific information about how they different layers are implemented. Moreover, we cannot even be sure if they are implemented following the OSI model although most communication technologfollow this model for making adaptation with other protocols easier.

However, from the procedures performance during its startdeduced that the network topology is based on a cluster tree as it cZigBee.

Regarding the physical layer, what we know about it is that it operates with wireless radio links using the 868 MHz frequency inside the ISM (Industrial, Scientific and Medical) free license band.

4.4 Security on raconet

As well as in raconet layers description, no information can be obtained about security features in raconet networks. Although customers cannot get to information about it without contracting EMH metering services, this fact makes raconet more secure as a consequence that potential attackers are not able to obtain information about raconet over the net.


Once the start up process is finalized, the meters are able to begin metering purposes and they sent their collected data to the data collector. The data collector in responsible for accumulating all metering data from meters and sending it to the control center of the power supplying company for billing purposes.

In consequence of the previous described management process, any changes that may happen in the raconet network are quickly detected and a flexible response is presented by the data collector. Hence, the network does almost not even require

y means of network management software, the network can be configured and managed manually using the software tools provided by EMH metering and describe in the section about EMH-metering raconet solution. [53]

Since it is a proprietary technology designed by EMH metering, it was not possible to found specific information about how they different layers are implemented. Moreover, we cannot even be sure if they are implemented following the OSI model although most communication technologies that are implemented nowadays tend to follow this model for making adaptation with other protocols easier.

However, from the procedures performance during its start-up face it can be deduced that the network topology is based on a cluster tree as it can be implemented in

Regarding the physical layer, what we know about it is that it operates with wireless radio links using the 868 MHz frequency inside the ISM (Industrial, Scientific and Medical) free license band.

4.4 Security on raconet

well as in raconet layers description, no information can be obtained about security features in raconet networks. Although customers cannot get to information about it without contracting EMH metering services, this fact makes raconet more

nsequence that potential attackers are not able to obtain information about


Once the start up process is finalized, the meters are able to begin if their metering purposes and they sent their collected data to the data collector. The data collector in responsible for accumulating all metering data from meters and sending it to

In consequence of the previous described management process, any changes that may happen in the raconet network are quickly detected and a flexible response is presented by the data collector. Hence, the network does almost not even require

y means of network management software, the network can be configured and managed manually using the software tools provided by EMH metering

y technology designed by EMH metering, it was not possible to found specific information about how they different layers are implemented. Moreover, we cannot even be sure if they are implemented following the OSI model

ies that are implemented nowadays tend to

up face it can be an be implemented in

Regarding the physical layer, what we know about it is that it operates with wireless radio links using the 868 MHz frequency inside the ISM (Industrial, Scientific

well as in raconet layers description, no information can be obtained about security features in raconet networks. Although customers cannot get to information about it without contracting EMH metering services, this fact makes raconet more

nsequence that potential attackers are not able to obtain information about


4.5 Attacks that may be performed on raconet

Although no information about security features on raconet could be found, as it is a wireless technology opepower transmission, the network is susceptible of suffering many different types of attacks.

The data collector is the center of all communications and management of the networks and an attack to it may device in the network.

Many of the attacks described on the ZigBee section taking advantage of the wireless radio links and the low power transmissions may be performed to the raconet data collector too which are: jamming, exhaustion, collision and unfairness. As well as to the data collector, these attacks may also be performed to meters which are acting as a bridge to permit data collector control them even when they are out of its range.

Finally, a similar attack to one described in the ZigBee section may be performed in the network too. Coordinating all the raconet network from the data collecor represents a wide range of advantages but it results in some weaknesses too. A route disruption in the clusattacker may try to capture the devices around it by announcing itself as a data collector and presenting a better signal rate that the real data collector for the raconet network deployment. It illustrated in the following figure:



4.5 Attacks that may be performed on raconet

Although no information about security features on raconet could be found, as it is a wireless technology operating on a well known frequency band and using low power transmission, the network is susceptible of suffering many different types of

The data collector is the center of all communications and management of the networks and an attack to it may compromise the operational performance of any other

Many of the attacks described on the ZigBee section taking advantage of the wireless radio links and the low power transmissions may be performed to the raconet

which are: jamming, exhaustion, collision and unfairness. As well as to the data collector, these attacks may also be performed to meters which are acting as a bridge to permit data collector control them even when they are out of its range.

milar attack to one described in the ZigBee section may be performed in the network too. Coordinating all the raconet network from the data collecor represents a wide range of advantages but it results in some weaknesses too. A route disruption in the cluster-tree by a comprised coordinator may be performed. An attacker may try to capture the devices around it by announcing itself as a data collector and presenting a better signal rate that the real data collector for the raconet network

strated in the following figure:



Although no information about security features on raconet could be found, as it rating on a well known frequency band and using low

power transmission, the network is susceptible of suffering many different types of

The data collector is the center of all communications and management of the compromise the operational performance of any other

Many of the attacks described on the ZigBee section taking advantage of the wireless radio links and the low power transmissions may be performed to the raconet

which are: jamming, exhaustion, collision and unfairness. As well as to the data collector, these attacks may also be performed to meters which are acting as a bridge to permit data collector control them even when they are out of its range.

milar attack to one described in the ZigBee section may be performed in the network too. Coordinating all the raconet network from the data collecor represents a wide range of advantages but it results in some weaknesses too. A

tree by a comprised coordinator may be performed. An attacker may try to capture the devices around it by announcing itself as a data collector and presenting a better signal rate that the real data collector for the raconet network



4.6 EMH-metering Raconet solution

4.6.1 Raconet repeater RNRE

The repeater operates within 50 to 60 Hz frequrange conditions from -25 to +55ºC. Its flexible housing antenna is 90mm length and incorporates N-socket for connection GP900C for operating distance increasing supplied antenna cable of 2 m. [52]

4.6.2 Data collector RND

The Raconet repeater RRNE has been designed order to extend Raconet networks to obtain longin outdoor installations. It is equipped with an antenna and can be optionally equipped with an external antenna to longer range.

The repeater servers as a connection link between raconet devices which cannot reach another device of the network due to long distances or constructional barriers.

The Data collector RNDC of the RacoNet network, been deployed to read out up to 90 residential meters via short range radio and saving the meter data, implementing a transparent bi-directional communication w

The data collector is the most important part of the RacoNet network. It is the central interface for all communications which are performed inside the network.


metering Raconet solution

4.6.1 Raconet repeater RNRE

The repeater operates within 50 to 60 Hz frequency range and in a temperature 25 to +55ºC. Its flexible housing antenna is 90mm length and

socket for connection GP900C for operating distance increasing supplied antenna cable of 2 m. [52]

4.6.2 Data collector RNDC

et repeater RRNE has been designed in order to extend Raconet networks to obtain long-range service in outdoor installations. It is equipped with an antenna and can be optionally equipped with an external antenna to longer

The repeater servers as a connection link between raconet devices which cannot reach another device of the

ng distances or constructional barriers.

The Data collector RNDC of the RacoNet network, has been deployed to read out up to 90 residential meters via short range radio and saving the meter data, implementing a

directional communication with the meters.

The data collector is the most important part of the RacoNet network. It is the central interface for all communications which are performed inside the network.


ency range and in a temperature 25 to +55ºC. Its flexible housing antenna is 90mm length and

socket for connection GP900C for operating distance increasing


this, the data collector is in charge of tasks management of the network, such as configuration, control and configuration of the whole network performance. It checks the network for any changes, detecting newly added or removed meters in the networkresponding to them independently and flexibly.

The device operates within 50 to 60 Hz frequency range in a temperature range from -25 to + 55ºC. Its Real Time Clock (RTC) has a +/reserve battery for over 20 years and it can These data interfaces the concentrator operates with are the D0 optical data interface, RS485 and RS232, all of the operating with IEC62056rate.

The concentrator integrated radio band. Some of the functions controlled from the radio module are meter remote readout via-bidirectional communication, online mode, transferring of commands or automatic network build-up. [49]


this, the data collector is in charge of tasks management of the network, such as configuration, control and configuration of the whole network performance. It checks the network for any changes, detecting newly added or removed meters in the networkresponding to them independently and flexibly.

The device operates within 50 to 60 Hz frequency range in a temperature range 25 to + 55ºC. Its Real Time Clock (RTC) has a +/- 5 ppm accuracy running its

reserve battery for over 20 years and it can be synchronized through the data interfaces. These data interfaces the concentrator operates with are the D0 optical data interface, RS485 and RS232, all of the operating with IEC62056-21 at up to 9600 transmission

The concentrator integrated radio module operates in 868 MHz license free ISMband. Some of the functions controlled from the radio module are meter remote readout

bidirectional communication, online mode, transferring of commands or automatic


this, the data collector is in charge of tasks management of the network, such as configuration, control and configuration of the whole network performance. It checks the network for any changes, detecting newly added or removed meters in the network,

The device operates within 50 to 60 Hz frequency range in a temperature range 5 ppm accuracy running its

be synchronized through the data interfaces. These data interfaces the concentrator operates with are the D0 optical data interface,

21 at up to 9600 transmission

module operates in 868 MHz license free ISM-band. Some of the functions controlled from the radio module are meter remote readout

bidirectional communication, online mode, transferring of commands or automatic


4.6.3 Raconet MAUS RNMA

The Raconet MAUS is an easy operation device designed for help with planning raconet networks. It used for analyzing the quality of radio connections within the installation area as well as reading out the already installed meters. Iconnected to be connected to a PC or notebook through a USB 1.1/2.0 interface for operating.

The raconet MAUS software includes three specific functions: [50]

Figure 4.4. Raconet MAUS functions [50]

The MAUS integrated radio module operates in 868 MHz license free ISM-band. The functions controlled from the radio module are meter remote readout viacommunication, online mode or transferring of commands.

The device operates in a temperature range from to + 55ºC. It incorporates a 90 mm flexible housand operates with Windows 2000, XP, Vista or 7 for software.

Quality analysis of all radio connections


.3 Raconet MAUS RNMA

The Raconet MAUS is an easy operation device designed for help with planning raconet networks. It used for analyzing the quality of radio connections within the installation area as well as reading out the already installed meters. Iconnected to be connected to a PC or notebook through a USB 1.1/2.0 interface for

The raconet MAUS software includes three specific functions: [50]

Figure 4.4. Raconet MAUS functions [50]

The MAUS integrated radio module operates in 868 band. The functions controlled from the

radio module are meter remote readout via-bidirectional communication, online mode or transferring of commands.

The device operates in a temperature range from – 25 to + 55ºC. It incorporates a 90 mm flexible housing antenna and operates with Windows 2000, XP, Vista or 7 for software.

Continuous analysis of the radio connection of an individual meter

Readout of meter data from an individual

meter


The Raconet MAUS is an easy operation device designed for help with planning raconet networks. It used for analyzing the quality of radio connections within the installation area as well as reading out the already installed meters. It needs to be connected to be connected to a PC or notebook through a USB 1.1/2.0 interface for

Readout of meter data from an individual

meter


4.6.4 Raconet Gateway RNMB

The device operates in the frequency range from 50 to 60 Hz in an environmental condition from types of data interfaces, the raconet radio module and the M13757-2, -3 both operating in a transmission rate up to 9600 baud.

The Gateway is equipped with four different functional LEDfunctions are:

• Ready: Informs about the availability of the Gateway to operate• COM: Inform on communications on the M

• Overload: It is On when shortbus is overloaded by too much meters• Init: It is Off when initialization of radio module is finished, but remains On when an error during the initialization of the radio module has happened

Figure 4.5. Raconet network system connection through RNMB Gateway [51]

The M-Bus is a field bus for the registration of consuming data. Transfer takes place serially on a polarized twoGateway. As shown in the figure above, besides for electricity meters the raconet Gateway can be used also for water, thermal and gas meters. The data is transferred at different rates depending on cable diameters and cable lengths as shown in the following chart: [51]

The raconet RNMB Gatewinternal raconet radio module and longsupply and it is thought to be able to connect up to 25 M-Bus measuring devices while DINdevice is capable of self-configuration.


4.6.4 Raconet Gateway RNMB

The device operates in the frequency range from 50 to 60 Hz in an environmental condition from – 25 to + 55ºC temperature range. It is equipped with two types of data interfaces, the raconet radio module and the M-Bus according to DIN EN

oth operating in a transmission rate up to 9600 baud.

The Gateway is equipped with four different functional LED

Informs about the availability of the Gateway to operateInform on communications on the M-Bus

It is On when short-circuit happens and it flashes when the bus is overloaded by too much meters

It is Off when initialization of radio module is finished, but remains On when an error during the initialization of the radio module has happened


Bus is a field bus for the registration of consuming data. Transfer takes place serially on a polarized two-wire cable from the connected meters to the raconet

wn in the figure above, besides for electricity meters the raconet Gateway can be used also for water, thermal and gas meters. The data is transferred at different rates depending on cable diameters and cable lengths as shown in the

The raconet RNMB Gateway is equipped with an internal raconet radio module and long-range power supply and it is thought to be able to connect up to 25

Bus measuring devices while DIN-rail mounted. The configuration.


The device operates in the frequency range from 50 to 60 Hz in an 25 to + 55ºC temperature range. It is equipped with two

Bus according to DIN EN

The Gateway is equipped with four different functional LED-display whose

Informs about the availability of the Gateway to operate

circuit happens and it flashes when the

It is Off when initialization of radio module is finished, but remains On when an error during the initialization of the radio module has happened


Bus is a field bus for the registration of consuming data. Transfer takes wire cable from the connected meters to the raconet

wn in the figure above, besides for electricity meters the raconet Gateway can be used also for water, thermal and gas meters. The data is transferred at different rates depending on cable diameters and cable lengths as shown in the


Figure 4.6. Dependence on cable diameters and cable lengths of data transfer rates [51]

In the following figure, the Mtransferring from the Gateway to the meters is depicted:

Figure 4.7. M



In the following figure, the M-Bus technical specification from bi-transferring from the Gateway to the meters is depicted:

Figure 4.7. M-Bus Bit-transfer [51]



-directional data


4.6.5 Digital Multi-Rate Meter

The device operates at 50 Hz frequency within the range. Its Real Time Clock (RTC) has a +/for over 10 years and it can be syncincorporates an additional display for supervision of the following functions:

• Status information on phase failure• Energy direction

• Tariffs • Meter start-up• Manipulation

• Communication• Running reserve of

The meter integrated radio module operates in 868 MHz license free ISMSome of the functions controlled from the radio module are meter remote readout viabidirectional communication, online mode, transferring of commands onetwork build-up. Besides, the D0 optical interface is implemented, working in Mode C with a transmission baud rate up to 4800 baud and the RS485 electrical interface working at up to 9600 baud.

Optionally, the meter can be equipped with furthrecognition: registration of the number of manipulation attempts and the start of the last manipulation attempt, supervision of the phase and neutral current for fraud detection in the two-wire distribution system and internal

The ED2000 meter is capable actand optional –A and |A|, always for billing purposes and with a class 2 accuracy according to IEC62053accuracy according to EN 50470tariff registers plus one tariffless register for every meatype each.


Rate Meter – ED2000

The device operates at 50 Hz frequency within the -25 to + 55 ºC temperature range. Its Real Time Clock (RTC) has a +/- 5 ppm accuracy running its reserve battery for over 10 years and it can be synchronized through the data interfaces. Additionally, it incorporates an additional display for supervision of the following functions:

Status information on phase failure Energy direction

up Manipulation

Communication Running reserve of the Real Time Clock (RTC)

The meter integrated radio module operates in 868 MHz license free ISMSome of the functions controlled from the radio module are meter remote readout viabidirectional communication, online mode, transferring of commands o

up. Besides, the D0 optical interface is implemented, working in Mode C with a transmission baud rate up to 4800 baud and the RS485 electrical interface working at up to 9600 baud.

Optionally, the meter can be equipped with further features for manipulation recognition: registration of the number of manipulation attempts and the start of the last manipulation attempt, supervision of the phase and neutral current for fraud detection in

wire distribution system and internal disconnection relay. [47]

The ED2000 meter is capable active energy +A type |, always for billing purposes and with

a class 2 accuracy according to IEC62053-21 and class A accuracy according to EN 50470-1, -3. It is equipped with 4 tariff registers plus one tariffless register for every measuring


25 to + 55 ºC temperature 5 ppm accuracy running its reserve battery

hronized through the data interfaces. Additionally, it incorporates an additional display for supervision of the following functions:

The meter integrated radio module operates in 868 MHz license free ISM-band. Some of the functions controlled from the radio module are meter remote readout via-bidirectional communication, online mode, transferring of commands or automatic

up. Besides, the D0 optical interface is implemented, working in Mode C with a transmission baud rate up to 4800 baud and the RS485 electrical interface

er features for manipulation recognition: registration of the number of manipulation attempts and the start of the last manipulation attempt, supervision of the phase and neutral current for fraud detection in


4.6.6 Raconet software tools

Three software tools for configurating and managing the raconet network from a PC are provided by EMH-metering:

• Meter communication• EMH-COM Control center

• Meter communication and configuration program EMHMASTER 2000 [76]

4.6.6.1 Meter communication

EMH-COM is a modular developed software which allows and enables communication between a PC and EMH meters. Due to the modular can be tailored directly to the customer requests. The software is planned in particular for start-up and data read out of the meter and also for changing basic settings. Its main functionalities are:

4.6.6.2 EMH-COM Control Cente

The EMH-COM-control center is a program module from EMHcontrol centre an unlimited number of meters can be integrated. With help of the control centre it is possible to automate tasks such as data readout, sending of emails etc. Its main functionalities are:

• Reading out meter data• Graphical load profile display• Setting of the clock

• Mode, function (optional)• Tariff settings for individual meter types

(optional)

• Send write commands (optional) [76]

• Reading out of data (tables, load profile)• Administration of customer and meter data

• Automated accomplishment of fixed tasks• Setting of the clock• Management of up to 1000 meters

• Access or SQL database [76]


4.6.6 Raconet software tools

Three software tools for configurating and managing the raconet network from a metering:

Meter communication and configuration program EMH-COMCOM Control center

mmunication and configuration program EMH-COMBIMASTER 2000 [76]

4.6.6.1 Meter communication and configuration program EMH-COM

COM is a modular developed software which allows and enables communication between a PC and EMH meters. Due to the modular setcan be tailored directly to the customer requests. The software is planned in particular

up and data read out of the meter and also for changing basic settings. Its main

COM Control Center

control center is a program module from EMHcontrol centre an unlimited number of meters can be integrated. With help of the control centre it is possible to automate tasks such as data readout, sending of emails etc. Its

Reading out meter data Graphical load profile display Setting of the clock

Mode, function (optional) Tariff settings for individual meter types

Send write commands (optional) [76]

data (tables, load profile) ministration of customer and meter data

d accomplishment of fixed tasks Setting of the clock Management of up to 1000 meters

Access or SQL database [76]


Three software tools for configurating and managing the raconet network from a

COM

COMBI-

COM

COM is a modular developed software which allows and enables set-up the software

can be tailored directly to the customer requests. The software is planned in particular up and data read out of the meter and also for changing basic settings. Its main

control center is a program module from EMH-COM. In the control centre an unlimited number of meters can be integrated. With help of the control centre it is possible to automate tasks such as data readout, sending of emails etc. Its


4.6.6.3 Meter communication and configuration program EMHMASTER 2000

The EMH-COM-control centre is a program module from EMHcontrol centre an unlimited number of meters can be integrated. With help of the control centre it is possible to automate tasks such as data readout, sending of emails etc.

For further information about raconet solutions go to:

• Reading out of the meter data• Graphical load profile display• Configuration of meters from the

LZQJ • Setting of transformer ratios with meters

from the series LZQJ

• All functions of the EMH


4.6.6.3 Meter communication and configuration program EMH

control centre is a program module from EMHcontrol centre an unlimited number of meters can be integrated. With help of the control centre it is possible to automate tasks such as data readout, sending of emails etc.

For further information about raconet solutions go to: www.emh-metering.com

of the meter data Graphical load profile display Configuration of meters from the series

Setting of transformer ratios with meters from the series LZQJ

All functions of the EMH-COM [76]


4.6.6.3 Meter communication and configuration program EMH-COMBI-

control centre is a program module from EMH-COM. In the control centre an unlimited number of meters can be integrated. With help of the control centre it is possible to automate tasks such as data readout, sending of emails etc.

metering.com


5. Bluetooth

5.1 Introduction

The Bluetooth wireless technology provides short range, wireless connectivity between common devices. The key features of Bluetooth technology are robustness, low power, and low cost. Different applications can be built based on these spontaneous, adhoc networks such as the one we are interested in smart meters networks. The Bluetooth wireless technology system contains a set of messages and procedures (generally termed specifications. This gives an unambiguous description of the air interface for specified services and use cases. Working groups within the Bluetooth SIG define these profiles. The Security Expert Group (BSEG) provides the Bluetooth SIG and associated working groups with expertise regarding all aspects of Bluetooth security.

The security requirements for Bluetooth applications will vary based on the sensitivity of the information involved, the market, and the needs of the user. There are some applications that do nohigh levels of security. Risk analysis and trade studies need to be conducted prior to implementing new applications using Bluetooth wireless technology. The current Bluetooth System specification dsecurity is not specified, allowing application developers the flexibility to select the most appropriate security mechanisms for their particular application. [57]


e Bluetooth wireless technology provides short range, wireless connectivity between common devices. The key features of Bluetooth technology are robustness, low power, and low cost. Different applications can be built based on these spontaneous, ad

works such as the one we are interested in smart meters networks. The Bluetooth wireless technology system contains a set of profiles. A profile defines a selection of messages and procedures (generally termed capabilities) from the Bluetooth SIG

tions. This gives an unambiguous description of the air interface for specified services and use cases. Working groups within the Bluetooth SIG define these profiles. The Security Expert Group (BSEG) provides the Bluetooth SIG and associated working

with expertise regarding all aspects of Bluetooth security.

The security requirements for Bluetooth applications will vary based on the sensitivity of the information involved, the market, and the needs of the user. There are some applications that do not require any security and others which require extremely high levels of security. Risk analysis and trade studies need to be conducted prior to implementing new applications using Bluetooth wireless technology. The current Bluetooth System specification defines security at the link level. Application level security is not specified, allowing application developers the flexibility to select the most appropriate security mechanisms for their particular application. [57]

Figure 5.1 Bluetooth stack [58]


e Bluetooth wireless technology provides short range, wireless connectivity between common devices. The key features of Bluetooth technology are robustness, low power, and low cost. Different applications can be built based on these spontaneous, ad-

works such as the one we are interested in smart meters networks. The Bluetooth A profile defines a selection of

s) from the Bluetooth SIG tions. This gives an unambiguous description of the air interface for specified

services and use cases. Working groups within the Bluetooth SIG define these profiles. The Security Expert Group (BSEG) provides the Bluetooth SIG and associated working

The security requirements for Bluetooth applications will vary based on the sensitivity of the information involved, the market, and the needs of the user. There are

t require any security and others which require extremely high levels of security. Risk analysis and trade studies need to be conducted prior to implementing new applications using Bluetooth wireless technology. The current

efines security at the link level. Application level security is not specified, allowing application developers the flexibility to select the most appropriate security mechanisms for their particular application. [57]


5.2 Bluetooth RF layer overview

The Bluetooth transceivers operate in the 2.4 GHz free license ISM (Industrial Scientific and Medical) frequency band. Although there is a specific regulation for a few countries such as France, in most of them the range of thband is from 2.400 to 2483.5 MHz. 79 RF channels are implemented with 1 MHz spacing and lower and upper guard bands are reserved with 2 and 3.5 MHz respectively. For the transmitters, three power classes are defined Power Class 1, 2 amaximum output power of 20, 4 and 0 dBm respectively and the reference sensitivity level at reception is -70 dBm. The modulation used is GMSK (Gaussian Frequency Shift Keying) with BT = 0.5 and a modulation index between 0.28 and 0.35. Allleads to a symbol rate of 1 Ms/s.

A transceiver may support powerstrength of the received signal and determine if the transmitter on the other side of the link should increase or decrease its output powIndicator (RSSI) makes this possible. The RSSI measurement compares the received signal power with two threshold levels, which define the Golden Receive Power Range. The lower threshold level corresponds to a received pabove the actual sensitivity of the receiver. The upper threshold level is 20 dB above the lower threshold level to an accuracy of +/power control is mandatory in Power Class 1 devices

Figure 5.2. RSSI dynamic range and accuracy [57]


Bluetooth RF layer overview

The Bluetooth transceivers operate in the 2.4 GHz free license ISM (Industrial Scientific and Medical) frequency band. Although there is a specific regulation for a few countries such as France, in most of them the range of the Bluetooth frequency band is from 2.400 to 2483.5 MHz. 79 RF channels are implemented with 1 MHz spacing and lower and upper guard bands are reserved with 2 and 3.5 MHz respectively. For the transmitters, three power classes are defined Power Class 1, 2 amaximum output power of 20, 4 and 0 dBm respectively and the reference sensitivity

70 dBm. The modulation used is GMSK (Gaussian Frequency Shift Keying) with BT = 0.5 and a modulation index between 0.28 and 0.35. Allleads to a symbol rate of 1 Ms/s.

A transceiver may support power-controlled links by being able to measure the strength of the received signal and determine if the transmitter on the other side of the link should increase or decrease its output power level. A Receiver Signal Strength Indicator (RSSI) makes this possible. The RSSI measurement compares the received signal power with two threshold levels, which define the Golden Receive Power Range. The lower threshold level corresponds to a received power between -56 dBm and 6 dB above the actual sensitivity of the receiver. The upper threshold level is 20 dB above the lower threshold level to an accuracy of +/- 6 dB as shown in the figure below. This power control is mandatory in Power Class 1 devices. [57]

Figure 5.2. RSSI dynamic range and accuracy [57]


The Bluetooth transceivers operate in the 2.4 GHz free license ISM (Industrial Scientific and Medical) frequency band. Although there is a specific regulation for a

e Bluetooth frequency band is from 2.400 to 2483.5 MHz. 79 RF channels are implemented with 1 MHz spacing and lower and upper guard bands are reserved with 2 and 3.5 MHz respectively. For the transmitters, three power classes are defined Power Class 1, 2 and 3 providing a maximum output power of 20, 4 and 0 dBm respectively and the reference sensitivity

70 dBm. The modulation used is GMSK (Gaussian Frequency Shift Keying) with BT = 0.5 and a modulation index between 0.28 and 0.35. All this

controlled links by being able to measure the strength of the received signal and determine if the transmitter on the other side of the

er level. A Receiver Signal Strength Indicator (RSSI) makes this possible. The RSSI measurement compares the received signal power with two threshold levels, which define the Golden Receive Power Range.

56 dBm and 6 dB above the actual sensitivity of the receiver. The upper threshold level is 20 dB above the

6 dB as shown in the figure below. This


5.3 Bluetooth Baseband layer overview

The Bluetooth specification uses a combination of circuit and packet switching. For full duplex transmission, a Timesupport an asynchronous data channel, providing up to 723.2 kb/s asymmetric (and still up to 57.6 kb/s in the return direction), or 433.9 kb/s symmetric.

The Bluetooth system consists of a radio unit, a link control unit, and a support unit for link management and host terminal interface functions, as depicted on the figure below. The Bluetooth link controller carries out the baseband protocols and other lowlevel link routines. Link layer messages and control are performed by the Bluetooth link manager. [57]

Figure 5.3. Functional blocks of the Bluetooth system [57]

The Bluetooth system provides a pointmultipoint connection. In the pointamong several Bluetooth units. Two or more units sharing the same channel form a piconet. One of them acts as the master of the piconet, whereas up to 7 other units act as slaves. In addition, many more slaves can remain locked to the master in a passive state, not active but synchronized to the master. Both for active and parked slaves, the channel access is controlled by the master.

Multiple piconets with overlapping coverage areas form a piconet can only have a single master. However, slaves can participate inpiconets on a time-division multiplex basis. In addition, a master in one piconet can be a slave in another piconet. The piconets shall not be frequency synchronized. Each piconet has its own hopping channel. [57]


5.3 Bluetooth Baseband layer overview

The Bluetooth specification uses a combination of circuit and packet switching. For full duplex transmission, a Time-Division Duplex (TDD) scheme is used.support an asynchronous data channel, providing up to 723.2 kb/s asymmetric (and still up to 57.6 kb/s in the return direction), or 433.9 kb/s symmetric.

The Bluetooth system consists of a radio unit, a link control unit, and a support nk management and host terminal interface functions, as depicted on the figure

below. The Bluetooth link controller carries out the baseband protocols and other lowlevel link routines. Link layer messages and control are performed by the Bluetooth link


The Bluetooth system provides a point-to-point connection or a pointmultipoint connection. In the point-to-multipoint connection, the channel is shared

units. Two or more units sharing the same channel form a . One of them acts as the master of the piconet, whereas up to 7 other units act

as slaves. In addition, many more slaves can remain locked to the master in a passive chronized to the master. Both for active and parked slaves, the

channel access is controlled by the master.

Multiple piconets with overlapping coverage areas form a scatternetpiconet can only have a single master. However, slaves can participate in

division multiplex basis. In addition, a master in one piconet can be a slave in another piconet. The piconets shall not be frequency synchronized. Each piconet has its own hopping channel. [57]


The Bluetooth specification uses a combination of circuit and packet switching. Division Duplex (TDD) scheme is used. It can

support an asynchronous data channel, providing up to 723.2 kb/s asymmetric (and still

The Bluetooth system consists of a radio unit, a link control unit, and a support nk management and host terminal interface functions, as depicted on the figure

below. The Bluetooth link controller carries out the baseband protocols and other low-level link routines. Link layer messages and control are performed by the Bluetooth link


point connection or a point-to-multipoint connection, the channel is shared

units. Two or more units sharing the same channel form a . One of them acts as the master of the piconet, whereas up to 7 other units act

as slaves. In addition, many more slaves can remain locked to the master in a passive chronized to the master. Both for active and parked slaves, the

scatternet. Each piconet can only have a single master. However, slaves can participate in different

division multiplex basis. In addition, a master in one piconet can be a slave in another piconet. The piconets shall not be frequency synchronized. Each


Figure 5.4. Piconets with a

In this layer the control over the physical layer, links, device operational modes and states is performed. Also security features of the specification are proceeBluetooth Baseband and will be described on the section specified for security on Bluetooth. Here a brief description of the functionalities of this layer is described:

• Two types of physical linksConnection-Oriented (SCO) link and the Asynchronous Connectionlink. The first one is a symmetric pointslave where packets are sent in regular intervals and never retransmitted. In the asynchronous link, a packetslaves in the piconet is provided. Packet retransmission for data integrity is applied here. • Data packetssynchronization, DC offset compensation and idcontaining link control information for addressing, flow control or error checking; and up to 2745 bits of payload including a CRC code and a payload header. • Three error correction schemesand ARQ system. It is flexible to use them in the payload or not bit the header of the packets is always protected with the first one.• Data scramblingorder to randomize the data from highly redundant pattbias in the packet. The whitening word is generated with the and is subsequently EXORed with the header and the payload.• States controloperate in two possibis the default low power state when only the native clock works and no communication with other devices is possible. On the Connection state communication is possible and four possible operational m


Piconets with a single slave operation (a), a multi-slave operation (b) and a scatternet operation (c) [57]

In this layer the control over the physical layer, links, device operational modes and states is performed. Also security features of the specification are proceeBluetooth Baseband and will be described on the section specified for security on Bluetooth. Here a brief description of the functionalities of this layer is described:

Two types of physical links can be established, the Synchronous riented (SCO) link and the Asynchronous Connection

link. The first one is a symmetric point-to point connection between master and slave where packets are sent in regular intervals and never retransmitted. In the asynchronous link, a packet-switched connection between master and active slaves in the piconet is provided. Packet retransmission for data integrity is

Data packets consist of 3 entities which are a 72-bit access code synchronization, DC offset compensation and identification; a 54containing link control information for addressing, flow control or error checking; and up to 2745 bits of payload including a CRC code and a payload

Three error correction schemes which are 1/3 rate FEC, 2/3 rate FEC and ARQ system. It is flexible to use them in the payload or not bit the header of the packets is always protected with the first one.

Data scrambling is performed on the packets before transmission in order to randomize the data from highly redundant patterns and to minimize DC

The whitening word is generated with the g(Dand is subsequently EXORed with the header and the payload.

States control is also performed in this layer. A Bluetooth device may operate in two possible states which are Standby and Connection. The first one is the default low power state when only the native clock works and no communication with other devices is possible. On the Connection state communication is possible and four possible operational m


slave operation (b) and a

In this layer the control over the physical layer, links, device operational modes and states is performed. Also security features of the specification are proceeded in the Bluetooth Baseband and will be described on the section specified for security on Bluetooth. Here a brief description of the functionalities of this layer is described:

can be established, the Synchronous riented (SCO) link and the Asynchronous Connection-Less (ACL)

to point connection between master and slave where packets are sent in regular intervals and never retransmitted. In the

ched connection between master and active slaves in the piconet is provided. Packet retransmission for data integrity is

bit access code used for entification; a 54-bit header

containing link control information for addressing, flow control or error checking; and up to 2745 bits of payload including a CRC code and a payload

which are 1/3 rate FEC, 2/3 rate FEC and ARQ system. It is flexible to use them in the payload or not bit the header of

is performed on the packets before transmission in erns and to minimize DC

D) = D7 + D4 + 1

A Bluetooth device may le states which are Standby and Connection. The first one

is the default low power state when only the native clock works and no communication with other devices is possible. On the Connection state communication is possible and four possible operational modes can be


performed, the active mode for devices actively working in the piconet and three power-saving states: Sniff Mode, Hold Mode and Park Mode.• Bluetooth addressing.48-bit Bluetooth device address (Bstandard. The address is assigned to slaves depending on their states, so there are three types which are an Active Member Address (AM_ADDR), Parked Member Address (PM_ADDR) or Access Request Address (AR_ADDR). [57]

5.4 Link Manager Protocol layer overview

The Link Manager carries out link setup, authentication, link configuration and other protocols. It discovers other remote LM’s and communicates with them via the Link Manager Protocol (LMP). To perform its service proviservices of the underlying Link Controller (LC). The Link Manager Protocol essentially consists of a number of PDU (protocol Data Units), which are sent from one device to another, determined by the AM_ADDR in the packet header. Las single-slot packets and the payload header is therefore one byte. [81]

5.5 Host Controller Interface (HCI) layer overview

The HCI provides a command interface to the baseband controller and link manager, and access to hardware sprovides a uniform method of accessing the Bluetooth baseband capabilities. The HCI exists across 3 sections, the Host sections has a different role toup into 3 separate parts:

• HCI Firmwarecommands, link manager commands and registers.• HCI Drivernotifications of HCI events, HCI events are used for notifying the Host when something occurs. When the Host discovers that an event has occurred it will then parse the received event packet to determine which event occurred.• Host Controller Transpothe communication via for the two previous entities. It should provide the ability to transfer data without intimate knowledge of the data being transferred. Several different Host Controller Layers can be usedefined initially for Bluetooth:useful important for smart metering usage, specially the last one which is a widely used interface in all smart meters. [81]


performed, the active mode for devices actively working in the piconet and three saving states: Sniff Mode, Hold Mode and Park Mode. Bluetooth addressing. Each Bluetooth transceiver is allocated a unique

bit Bluetooth device address (BD_ADDR) derived from the IEEE802 standard. The address is assigned to slaves depending on their states, so there are three types which are an Active Member Address (AM_ADDR), Parked Member Address (PM_ADDR) or Access Request Address (AR_ADDR). [57]

nk Manager Protocol layer overview

The Link Manager carries out link setup, authentication, link configuration and other protocols. It discovers other remote LM’s and communicates with them via the Link Manager Protocol (LMP). To perform its service provider role, the LM uses the services of the underlying Link Controller (LC). The Link Manager Protocol essentially consists of a number of PDU (protocol Data Units), which are sent from one device to another, determined by the AM_ADDR in the packet header. LM PDUs are always sent

slot packets and the payload header is therefore one byte. [81]

5.5 Host Controller Interface (HCI) layer overview

The HCI provides a command interface to the baseband controller and link manager, and access to hardware status and control registers. Essentially this interface provides a uniform method of accessing the Bluetooth baseband capabilities. The HCI exists across 3 sections, the Host - Transport Layer - Host Controller. Each of the sections has a different role to play in the HCI system. The HCI is functionally broken

HCI Firmware located on the Host Controller. It implements the HCI commands, link manager commands and registers.

HCI Driver located on the Host. The Host will receive asynchnotifications of HCI events, HCI events are used for notifying the Host when something occurs. When the Host discovers that an event has occurred it will then parse the received event packet to determine which event occurred.

Host Controller Transport Layer located in Intermediate Layers. It is the communication via for the two previous entities. It should provide the ability to transfer data without intimate knowledge of the data being transferred. Several different Host Controller Layers can be used, of which 3 have been defined initially for Bluetooth: USB, UART and RS232. All three of them very useful important for smart metering usage, specially the last one which is a widely used interface in all smart meters. [81]


performed, the active mode for devices actively working in the piconet and three

Each Bluetooth transceiver is allocated a unique D_ADDR) derived from the IEEE802

standard. The address is assigned to slaves depending on their states, so there are three types which are an Active Member Address (AM_ADDR), Parked Member Address (PM_ADDR) or Access Request Address (AR_ADDR). [57]

The Link Manager carries out link setup, authentication, link configuration and other protocols. It discovers other remote LM’s and communicates with them via the

der role, the LM uses the services of the underlying Link Controller (LC). The Link Manager Protocol essentially consists of a number of PDU (protocol Data Units), which are sent from one device to

M PDUs are always sent

The HCI provides a command interface to the baseband controller and link tatus and control registers. Essentially this interface

provides a uniform method of accessing the Bluetooth baseband capabilities. The HCI Host Controller. Each of the

play in the HCI system. The HCI is functionally broken

located on the Host Controller. It implements the HCI

located on the Host. The Host will receive asynchronous notifications of HCI events, HCI events are used for notifying the Host when something occurs. When the Host discovers that an event has occurred it will then parse the received event packet to determine which event occurred.

located in Intermediate Layers. It is the communication via for the two previous entities. It should provide the ability to transfer data without intimate knowledge of the data being transferred.

d, of which 3 have been All three of them very

useful important for smart metering usage, specially the last one which is a


5.6 Logical Link Control and Alayer overview

L2CAP provides connectionlayer protocols with protocol multiplexing capability, segmentation and reassembly operation, and group abstractions. L2CAP permits highapplications to transmit and receive L2CAP data packets up to 64 kilobytes in length. The L2CAP Specification is defined for only ACL links and no support for SCO links is planned. [81]

Figure 5.5. L2CAP within protocol layers [57]

5.7 RFCOMM protocol layer overview

RFCOMM is a simple transport protocol, which provides emulation of RS232 serial ports over the L2CAP protocol. The protocol is based on the ETSI standard TS 07.10. Only a subset of the TS 07.10 standard is used and an extension is added, in the form of a mandatory credit based flow control scheme. The RFCOMM protocol supports up to 60 simultaneous connections between two BT devices. The number of connections that can be used simultaneously in a BT deviimplementation-specific. For the purposes of RFCOMM, a complete communication path involves two applications running on different devices (the communication endpoints) with a communication segment between them. RFCOMM is a simple transport protocol, with additional provisions for emulating the 9 circuits of RSserial ports. [81]


5.6 Logical Link Control and Adaptation Protocol (L2CAP)

L2CAP provides connection-oriented and connectionless data services to upper layer protocols with protocol multiplexing capability, segmentation and reassembly operation, and group abstractions. L2CAP permits higher level protocols and applications to transmit and receive L2CAP data packets up to 64 kilobytes in length. The L2CAP Specification is defined for only ACL links and no support for SCO links is

Figure 5.5. L2CAP within protocol layers [57]

5.7 RFCOMM protocol layer overview

RFCOMM is a simple transport protocol, which provides emulation of RS232 serial ports over the L2CAP protocol. The protocol is based on the ETSI standard TS 07.10. Only a subset of the TS 07.10 standard is used and an RFCOMM extension is added, in the form of a mandatory credit based flow control scheme. The RFCOMM protocol supports up to 60 simultaneous connections between two BT devices. The number of connections that can be used simultaneously in a BT devi

specific. For the purposes of RFCOMM, a complete communication path involves two applications running on different devices (the communication endpoints) with a communication segment between them. RFCOMM is a simple

with additional provisions for emulating the 9 circuits of RS


daptation Protocol (L2CAP)

oriented and connectionless data services to upper layer protocols with protocol multiplexing capability, segmentation and reassembly

er level protocols and applications to transmit and receive L2CAP data packets up to 64 kilobytes in length. The L2CAP Specification is defined for only ACL links and no support for SCO links is

RFCOMM is a simple transport protocol, which provides emulation of RS232 serial ports over the L2CAP protocol. The protocol is based on the ETSI standard TS

RFCOMM - specific extension is added, in the form of a mandatory credit based flow control scheme. The RFCOMM protocol supports up to 60 simultaneous connections between two BT devices. The number of connections that can be used simultaneously in a BT device is

specific. For the purposes of RFCOMM, a complete communication path involves two applications running on different devices (the communication endpoints) with a communication segment between them. RFCOMM is a simple

with additional provisions for emulating the 9 circuits of RS-232


5.8 Profiles overview

The profiles have been developed in order to describe how implementations of user models are to be accomplished. The user models describe a numberscenarios where Bluetooth performs the radio transmission. A profile can be described as a vertical slice through the protocol stack. It defines options in each protocol that are mandatory for the profile. It also defines parameter ranges for eachconcept is used to decrease the risk of interoperability problems between different manufacturers products. [57]

Figure 5.6. Bluetooth Profiles [81]

The Bluetooth profile structure and the dependencies of the profiles are depictedabove. A profile is dependent upon another profile if it reimplicitly or explicitly referencing it. Dependency is illustrated in the figure: a profile has dependencies on the profile in which it is contained either directly


5.8 Profiles overview

The profiles have been developed in order to describe how implementations of user models are to be accomplished. The user models describe a numberscenarios where Bluetooth performs the radio transmission. A profile can be described as a vertical slice through the protocol stack. It defines options in each protocol that are mandatory for the profile. It also defines parameter ranges for each protocol. The profile concept is used to decrease the risk of interoperability problems between different manufacturers products. [57]

Figure 5.6. Bluetooth Profiles [81]

The Bluetooth profile structure and the dependencies of the profiles are depictedabove. A profile is dependent upon another profile if it re-uses parts of that profile, by implicitly or explicitly referencing it. Dependency is illustrated in the figure: a profile has dependencies on the profile in which it is contained either directly or indirectly. [81]


The profiles have been developed in order to describe how implementations of user models are to be accomplished. The user models describe a number of user scenarios where Bluetooth performs the radio transmission. A profile can be described as a vertical slice through the protocol stack. It defines options in each protocol that are

protocol. The profile concept is used to decrease the risk of interoperability problems between different

The Bluetooth profile structure and the dependencies of the profiles are depicted uses parts of that profile, by

implicitly or explicitly referencing it. Dependency is illustrated in the figure: a profile or indirectly. [81]


5.9 Security in Bluetooth

5.9.1 Security services

The following are the three basic security services specified in the Bluetooth standard:

• Authentication: authentication is not using PIN. • Confidentiality (Encryption): caused by eavesdropping by ensuring that only authorized devices can access and view data. • Authorization: device is authorized to use a service before permitting it to do so. [55]

5.9.2 Security modes

The various Bluetooth versions define four security modes in which each device must work on:

• Security Mode 1:authentication, authorization nor encryption. Both devices and connection are vulnerable to attacks.

• Security Mode 2:manager controls access to specific services ansecurity manager maintains policies for access control and interfaces with other protocols and device users. Varying security policies and trust levels to restrict access may be defined for applications with different security re• Security Mode 3:devices initiate security procedures before the physical link is fully established. Bluetooth devices operating in Security Mode 3 mandates authentication and encryption for all connections to and from the device. The authentication and encryption features are based on a separate secret link key that is shared by paired devices, once the pairing has been established.

• Security Mode 4:security procedures are initiated after link setup. Secure Simple Pairing uses Elliptic Curve Diffie Hellman (ECDH) techniques for key exchange and link key generation. Device authentication and encryption algorithms are identical to the algorithms in Bluetooth earlier versions. [55]


5.9 Security in Bluetooth

5.9.1 Security services


Authentication: verifying the identity of communicating devices. User authentication is not provided natively by Bluetooth and it is commonly done

Confidentiality (Encryption): preventing information compromise caused by eavesdropping by ensuring that only authorized devices can access

Authorization: allowing the control of resources by ensuring that a device is authorized to use a service before permitting it to do so. [55]

The various Bluetooth versions define four security modes in which each device

Security Mode 1: In this mode no security measures are applied. No authentication, authorization nor encryption. Both devices and connection are vulnerable to attacks.

Security Mode 2: It is a service level-enforced security mode. A security manager controls access to specific services and devices. The centralized security manager maintains policies for access control and interfaces with other protocols and device users. Varying security policies and trust levels to restrict access may be defined for applications with different security requirements.

Security Mode 3: It is a link level-enforced security mode. Bluetooth devices initiate security procedures before the physical link is fully established. Bluetooth devices operating in Security Mode 3 mandates authentication and

all connections to and from the device. The authentication and encryption features are based on a separate secret link key that is shared by paired devices, once the pairing has been established.

Security Mode 4: It is a service level enforced security modsecurity procedures are initiated after link setup. Secure Simple Pairing uses Elliptic Curve Diffie Hellman (ECDH) techniques for key exchange and link key generation. Device authentication and encryption algorithms are identical to

hms in Bluetooth earlier versions. [55]



verifying the identity of communicating devices. User provided natively by Bluetooth and it is commonly done

preventing information compromise caused by eavesdropping by ensuring that only authorized devices can access

of resources by ensuring that a device is authorized to use a service before permitting it to do so. [55]

The various Bluetooth versions define four security modes in which each device

security measures are applied. No authentication, authorization nor encryption. Both devices and connection are

enforced security mode. A security d devices. The centralized

security manager maintains policies for access control and interfaces with other protocols and device users. Varying security policies and trust levels to restrict

quirements. enforced security mode. Bluetooth

devices initiate security procedures before the physical link is fully established. Bluetooth devices operating in Security Mode 3 mandates authentication and

all connections to and from the device. The authentication and encryption features are based on a separate secret link key that is shared by

It is a service level enforced security mode in which security procedures are initiated after link setup. Secure Simple Pairing uses Elliptic Curve Diffie Hellman (ECDH) techniques for key exchange and link key generation. Device authentication and encryption algorithms are identical to


5.9.3 Bluetooth security chain of events

The chain of the events is described here as well as depicted in the figure below:

• 1. Each device calculates its own Unit Key (K• 2. When they meet, devices begin wit

• 3. From PIN, derive K• 4. After KINIT

• 5. Link Key Exchange using K

• 6. KA or KAB

Figure 5.7. Bluetooth security


5.9.3 Bluetooth security chain of events


Each device calculates its own Unit Key (KA and KB). When they meet, devices begin with PIN.

From PIN, derive KINIT.

INIT derivation, Pairing process takes place. Link Key Exchange using Kinit : KAor KB, or a more secured one, K

AB are used in Authentication and Encryption. [55]

Figure 5.7. Bluetooth security chain of events [59]



, or a more secured one, KAB. are used in Authentication and Encryption. [55]


5.9.4 Security entities

Many different entities are used for security procedures in Bluetooth, they are presented in the figure below. As it can be seen, among them there are a device address and PIN, 5 different keys and 4 different authentication. The last two, SRES and ACO, are used to check accordance for authentication. [55]

Entity PIN

BD_ADDR K init

K1 / K2

K link

Kmaster

KC

IN_RAND Random number for generating KLK_RAND Random number for generating KAU_RAND Random number for autheEN_RAND Random number for generating K

SRES ACO

Figure 5.8. Bluetooth security entities [59]

5.9.5 Bluetooth security types of keys

Five different keys of 128 bits are used

• Initialization Key (Kno prior agreement or previous communication meet. It is discarded afterwards.• Unit Key (Kresources. • Combination Key (Kprovided by Devices A and B.• Master Key (Kto multiple slaves. • Encryption Key (Kviceversa. [59] [55]


Many different entities are used for security procedures in Bluetooth, they are presented in the figure below. As it can be seen, among them there are a device address and PIN, 5 different keys and 4 different random numbers for key generation or authentication. The last two, SRES and ACO, are used to check accordance for

Description Personal identification number

Bluetooth device address Initialization key

Unit key Link key

Master key Encryption key

Random number for generating Kinit

Random number for generating Klink Random number for authentication Random number for generating KC

Authentication result Authenticated ciphering offset

Figure 5.8. Bluetooth security entities [59]

5.9.5 Bluetooth security types of keys

Five different keys of 128 bits are used for different security procedures in Bluetooth:

Initialization Key (K init ): Created once from PIN when two devices with no prior agreement or previous communication meet. It is discarded afterwards.

Unit Key (K 1 and K2): created once for a device that has

Combination Key (Klink): created from the combination of inputs provided by Devices A and B.

Master Key (KMASTER): Created for the purpose of broadcasting packets

Encryption Key (K c): Used to change plain text intoviceversa. [59] [55]


Many different entities are used for security procedures in Bluetooth, they are presented in the figure below. As it can be seen, among them there are a device address

random numbers for key generation or authentication. The last two, SRES and ACO, are used to check accordance for

Length (Bits) 8, 16, …, 128

48 128 128 128 128

8, 16, …, 128 128 128 128 128 32 96

for different security procedures in Bluetooth:

Created once from PIN when two devices with no prior agreement or previous communication meet. It is discarded afterwards.

created once for a device that has low memory

created from the combination of inputs

Created for the purpose of broadcasting packets

Used to change plain text into cipher and


5.9.6 Algorithms in Bluetooth security

All algorithms used in Bluetooth are based on Secure and Fast Encryption Routine (SAFER+). A Symmetric Block Cipher operating on fixed length groups of bits (blocks). They are the following:

• E22 for deriving K• E21 for deriving K

• E1 for applying authentication procedures.• E3 for deriving K

• E0 for Cipher Stream generation.

Figure 5.9. SAFER block cipher


5.9.6 Algorithms in Bluetooth security

All algorithms used in Bluetooth are based on Secure and Fast Encryption Routine (SAFER+). A Symmetric Block Cipher operating on fixed length groups of bits

ollowing:

for deriving Kinit as initialization key. for deriving K1/K2 and Klink as link keys.

for applying authentication procedures. for deriving KC as encryption key.

for Cipher Stream generation. [55]

Figure 5.9. SAFER block cipher [100]


All algorithms used in Bluetooth are based on Secure and Fast Encryption Routine (SAFER+). A Symmetric Block Cipher operating on fixed length groups of bits


5.9.7 Link Key (LK) generation

Associated devices simultaneously derive link keys during the initialization phase when users enter an identical PIN into one or both devices, depending on the configuration and device type. The PIN entry, device assodepicted conceptually in Figure 5.10. Note that if the PIN is less than 16 bytes, the BD_ADDR is used to supplement the PIN value used to generate the initialization key. The E

x boxes represent encryption algorithms that are

association and key derivation processes.

After initialization is complete, devices automatically and transparently authenticate and initiate the encryption procedure to secure the wireless link, if encryption is enabled. The PIN code used in Bluetooth devices can vary between one and 16 bytes. The typical fourlonger PIN should be used for devices that require a higher level of security. [55]

Figure 5.10. Link Key g


5.9.7 Link Key (LK) generation

Associated devices simultaneously derive link keys during the initialization phase when users enter an identical PIN into one or both devices, depending on the configuration and device type. The PIN entry, device association, and key derivation are depicted conceptually in Figure 5.10. Note that if the PIN is less than 16 bytes, the BD_ADDR is used to supplement the PIN value used to generate the initialization key.

boxes represent encryption algorithms that are used during the Bluetooth device

association and key derivation processes.

After initialization is complete, devices automatically and transparently authenticate and initiate the encryption procedure to secure the wireless link, if

The PIN code used in Bluetooth devices can vary between one and 16 bytes. The typical four-digit PIN may be sufficient for low-risk situations; a longer PIN should be used for devices that require a higher level of security. [55]

Figure 5.10. Link Key generation [55]


Associated devices simultaneously derive link keys during the initialization phase when users enter an identical PIN into one or both devices, depending on the

ciation, and key derivation are depicted conceptually in Figure 5.10. Note that if the PIN is less than 16 bytes, the BD_ADDR is used to supplement the PIN value used to generate the initialization key.

used during the Bluetooth device

After initialization is complete, devices automatically and transparently authenticate and initiate the encryption procedure to secure the wireless link, if

The PIN code used in Bluetooth devices can vary between one risk situations; a

longer PIN should be used for devices that require a higher level of security. [55]


5.9.8 Bluetooth Authentication

The Bluetooth device authentication procedure is in the form of a challengeresponse scheme. It validates devices by verifying the knowledge of the link key. The authentication scheme is shown in figure 5.11. designed to be different for every transaction and is derived from a pseudoprocess within the Bluetooth device. The steps in the authentication process are as follows:

• Step 1. The verifier transmits a 128to the claimant. • Step 2. Both entities the E

response using his unique 48inputs. Only the 32 most significant bits of the E

authentication purposes. The remaining 96 bits are used later to create the Bluetooth encryption key.• Step 3. The claimant returns the most significant 32 bits of the E

as the computed response, SRES, to the verifier.• Step 4. The verifier compares the Sthat it computed. • Step 5. If the two 32successful. [55]

Figure 5.11. Bluetooth Authentication [55]


5.9.8 Bluetooth Authentication

The Bluetooth device authentication procedure is in the form of a challengeresponse scheme. It validates devices by verifying the knowledge of the link key. The authentication scheme is shown in figure 5.11. Note that the random challenge is designed to be different for every transaction and is derived from a pseudoprocess within the Bluetooth device. The steps in the authentication process are as

The verifier transmits a 128-bit random challenge (AU_RAND)

Both entities the E1

algorithm to compute an authentication

response using his unique 48-bit BD_ADDR, the link key, and AU_RAND as inputs. Only the 32 most significant bits of the E

1 output are used for

ntication purposes. The remaining 96 bits are used later to create the Bluetooth encryption key.

The claimant returns the most significant 32 bits of the E

as the computed response, SRES, to the verifier. The verifier compares the SRES from the claimant with the value

If the two 32-bit values are equal, the authentication is considered

Figure 5.11. Bluetooth Authentication [55]


The Bluetooth device authentication procedure is in the form of a challenge-response scheme. It validates devices by verifying the knowledge of the link key. The

Note that the random challenge is designed to be different for every transaction and is derived from a pseudo-random process within the Bluetooth device. The steps in the authentication process are as

om challenge (AU_RAND)

algorithm to compute an authentication

bit BD_ADDR, the link key, and AU_RAND as output are used for

ntication purposes. The remaining 96 bits are used later to create the

The claimant returns the most significant 32 bits of the E1 output

RES from the claimant with the value

bit values are equal, the authentication is considered


The Bluetooth standard allows both oneperformed. For mutual authentication, the above process is repeated switching roles. If authentication fails, a Bluetooth device waits an interval of time, exponentially increased, before a new attempt is made to prevent an adversary from attaccess by trial-and-error with different keys. [55]

5.9.9 Bluetooth confidentiality

Bluetooth provides a separate confidentiality service to thwart eavesdropping attempts on the payloads of the packets exchanged between Bluetooth devices.Bluetooth has three Encryption Modes, but only two of them actually provide confidentiality. The modes are as follows:

• Encryption Mode 1: • Encryption Mode 2: based on individual link keys; broadcast traffic is not encrypted.

• Encryption Mode 3: based on the master link key.

Figure 5.12. Bluetooth encryption procedure [55]


The Bluetooth standard allows both one-way and mutual authentperformed. For mutual authentication, the above process is repeated switching roles. If authentication fails, a Bluetooth device waits an interval of time, exponentially increased, before a new attempt is made to prevent an adversary from att

error with different keys. [55]

5.9.9 Bluetooth confidentiality

Bluetooth provides a separate confidentiality service to thwart eavesdropping attempts on the payloads of the packets exchanged between Bluetooth devices.Bluetooth has three Encryption Modes, but only two of them actually provide confidentiality. The modes are as follows:

Encryption Mode 1: No encryption is performed on any traffic.Encryption Mode 2: Unicast traffic is encrypted using encryption keys

ed on individual link keys; broadcast traffic is not encrypted.

Encryption Mode 3: All traffic is encrypted using an encryption key based on the master link key.

Figure 5.12. Bluetooth encryption procedure [55]


way and mutual authentication to be performed. For mutual authentication, the above process is repeated switching roles. If authentication fails, a Bluetooth device waits an interval of time, exponentially increased, before a new attempt is made to prevent an adversary from attempting to gain

Bluetooth provides a separate confidentiality service to thwart eavesdropping attempts on the payloads of the packets exchanged between Bluetooth devices. Bluetooth has three Encryption Modes, but only two of them actually provide

No encryption is performed on any traffic. Unicast traffic is encrypted using encryption keys

All traffic is encrypted using an encryption key


As the figure above, the encryption key prproduced using an internal key generator (KG). It produces stream cipher keys based on the 128-bit link key, a 128-produced during the authentication procedure.

The Bluetooth encryption procedure is based on a stream cipher, E

stream output is exclusive-ORThis key stream is produced using a cryptographic algorithm based on LFSR. The encryption function takes the following as inputs: the master BD_ADDR, the random number EN_RAND, a slot number, and an the Kthe LFSRs before the transmission of each packet, if encryption is enabled. The slot number used in the stream cipher changes with each packet; the ciphering engine is also reinitialized with each packet while the other variables remain static.

The encryption key K

eight bits to 128 bits. The key size negslave devices. In product implementations, a minimum acceptable key size parameter can be set to prevent a malicious user from driving the key size down to the minimum of eight bits. [55]

5.9.10 Trust levels, Service Levels and Authorization

The two Bluetooth levels of trust in Bluetooth are trusted and untrusted. A trusted device has a fixed relationship with another device and has full access to all services. An untrusted device Bluetooth device, which results in the untrusted device receiving restricted access to services.

Three levels of security have been defined for Bluetooth services. These levels allow the requirements for authorization, authenticconfigured and altered independently. The service security levels are as follows:

• Service Level 1: access is granted only to trusted devices; untrusted devices need manual authorization. • Service Level 2: necessary. Access to an application is allowed only after an authentication procedure. • Service Level 3: Access is granted automatically.


As the figure above, the encryption key provided to the encryption algorithm is produced using an internal key generator (KG). It produces stream cipher keys based on

-bit random number (EN_RAND), and the 96produced during the authentication procedure.

e Bluetooth encryption procedure is based on a stream cipher, E

OR-ed with the payload bits and sent to the receiving device. This key stream is produced using a cryptographic algorithm based on LFSR. The

ion takes the following as inputs: the master BD_ADDR, the random number EN_RAND, a slot number, and an the KC key, which when combined initialize the LFSRs before the transmission of each packet, if encryption is enabled. The slot

m cipher changes with each packet; the ciphering engine is also reinitialized with each packet while the other variables remain static.

The encryption key KC is generated from the current link key and may vary from

eight bits to 128 bits. The key size negotiation process occurs between the master and slave devices. In product implementations, a minimum acceptable key size parameter can be set to prevent a malicious user from driving the key size down to the minimum

Service Levels and Authorization

The two Bluetooth levels of trust in Bluetooth are trusted and untrusted. A has a fixed relationship with another device and has full access to all

untrusted device does not have an established relationship with another Bluetooth device, which results in the untrusted device receiving restricted access to

Three levels of security have been defined for Bluetooth services. These levels allow the requirements for authorization, authentication, and encryption to be configured and altered independently. The service security levels are as follows:

Service Level 1: Requires authorization and authentication. Automatic access is granted only to trusted devices; untrusted devices need manual

Service Level 2: Requires authentication only; authorization is not necessary. Access to an application is allowed only after an authentication

Service Level 3: Open to all devices, with no authentication required. automatically.


ovided to the encryption algorithm is produced using an internal key generator (KG). It produces stream cipher keys based on

bit random number (EN_RAND), and the 96-bit ACO value

e Bluetooth encryption procedure is based on a stream cipher, E0. A key

ed with the payload bits and sent to the receiving device. This key stream is produced using a cryptographic algorithm based on LFSR. The

ion takes the following as inputs: the master BD_ADDR, the random key, which when combined initialize

the LFSRs before the transmission of each packet, if encryption is enabled. The slot m cipher changes with each packet; the ciphering engine is also

is generated from the current link key and may vary from

otiation process occurs between the master and slave devices. In product implementations, a minimum acceptable key size parameter can be set to prevent a malicious user from driving the key size down to the minimum

The two Bluetooth levels of trust in Bluetooth are trusted and untrusted. A has a fixed relationship with another device and has full access to all

relationship with another Bluetooth device, which results in the untrusted device receiving restricted access to

Three levels of security have been defined for Bluetooth services. These levels ation, and encryption to be

configured and altered independently. The service security levels are as follows:

Requires authorization and authentication. Automatic access is granted only to trusted devices; untrusted devices need manual

Requires authentication only; authorization is not necessary. Access to an application is allowed only after an authentication

Open to all devices, with no authentication required.


The Bluetooth architecture allows for defining security policies that can set trust relationships in such a way that even trusted devices can get access only to specific services. [55]

5.10 Possible attacks to Bluetooth

Bluetooth technology and associated devices are susceptible to general wireless networking threats that have been described in previous wireless technologies, such as Denial of Service (DoS) attacks, eavesdropping, manmodification, and resource misappropriation. Additionally, Bluetooth devices are also threatened by more specific Bluetooth

5.10.1 BlueSnarfing

BlueSnarfing enables attackers to gain access to a Bluetoothexploiting a firmware flaw in oldBluetooth device, allowing access to data stored on the device and even the device’s international mobile equipment identity (IMEI). The IMEI is a unique identifier for each device that an attacker could potdevice to the attacker’s device. [56]

5.10.2 BlueBugging

RFCOMM emulates serial RS60 connections (RFCOMM channels) via RFCOMM may get established simultaneously for one device. RFCOMM emulates a virtual serial connection between two communication endpoints. What an attacker needs to know of a vulnerable device is the BD_ADDR. The attacker connects to RFCOMM channel 17, where vulnerable devices provide an open backdoor which requires no authentication procedure. By using AT commands the attacker is able to perform remote control of communication devices, like analog or ISDN modems. The attacker is able to execute most tasks as normal user is able to do, like gathering the victim’s private data. [56]

5.10.3 Fuzzing attacks

Bluetooth fuzzing attacks consist of sending malformed or otherwise nonstandard data to a device’s Bluetooth radio and observing how the device reacts. When


The Bluetooth architecture allows for defining security policies that can set trust relationships in such a way that even trusted devices can get access only to specific

5.10 Possible attacks to Bluetooth

gy and associated devices are susceptible to general wireless networking threats that have been described in previous wireless technologies, such as Denial of Service (DoS) attacks, eavesdropping, man-in-the-middle attacks, message

ce misappropriation. Additionally, Bluetooth devices are also threatened by more specific Bluetooth-related attacks. [55]

BlueSnarfing enables attackers to gain access to a Bluetooth-enabled device by exploiting a firmware flaw in older devices. This attack forces a connection to a Bluetooth device, allowing access to data stored on the device and even the device’s international mobile equipment identity (IMEI). The IMEI is a unique identifier for each device that an attacker could potentially use to route all incoming calls from the user’s device to the attacker’s device. [56]

RFCOMM emulates serial RS-232 interfaces via Bluetooth connections. Up to 60 connections (RFCOMM channels) via RFCOMM may get established

multaneously for one device. RFCOMM emulates a virtual serial connection between two communication endpoints. What an attacker needs to know of a vulnerable device is

. The attacker connects to RFCOMM channel 17, where vulnerable an open backdoor which requires no authentication procedure. By using

AT commands the attacker is able to perform remote control of communication devices, like analog or ISDN modems. The attacker is able to execute most tasks as normal user

like gathering the victim’s private data. [56]

5.10.3 Fuzzing attacks

Bluetooth fuzzing attacks consist of sending malformed or otherwise nonstandard data to a device’s Bluetooth radio and observing how the device reacts. When


The Bluetooth architecture allows for defining security policies that can set trust relationships in such a way that even trusted devices can get access only to specific

gy and associated devices are susceptible to general wireless networking threats that have been described in previous wireless technologies, such as

middle attacks, message ce misappropriation. Additionally, Bluetooth devices are also

enabled device by er devices. This attack forces a connection to a

Bluetooth device, allowing access to data stored on the device and even the device’s international mobile equipment identity (IMEI). The IMEI is a unique identifier for each

entially use to route all incoming calls from the user’s

232 interfaces via Bluetooth connections. Up to 60 connections (RFCOMM channels) via RFCOMM may get established

multaneously for one device. RFCOMM emulates a virtual serial connection between two communication endpoints. What an attacker needs to know of a vulnerable device is

. The attacker connects to RFCOMM channel 17, where vulnerable an open backdoor which requires no authentication procedure. By using

AT commands the attacker is able to perform remote control of communication devices, like analog or ISDN modems. The attacker is able to execute most tasks as normal user

Bluetooth fuzzing attacks consist of sending malformed or otherwise non-standard data to a device’s Bluetooth radio and observing how the device reacts. When


a device’s response is slowed or stopped by these attacks, this indicates that a serious vulnerability potentially exists in the protocol stack. [56]

5.10.4 HeloMoto

HeloMoto is a combination of BlueSnarf and BlueBug attacks, exploiting a flawed implementation of trusted devices attacker connects to an OBEX push profile, as it is done in BlueSnarf. If there is no vulnerable implementation of OBEX that would allow a BlueSnarf attack, HeloMoto makes use of the trusted devices feature, defined attempts to send a vCard to the target device and immediately cancels the request. In consequence of the HeloMoto vulnerability, his device remains within the trusted devices history, while the owner of the target device is Finally he uses the status of a trusted device to execute AT commands. [56]

5.10.5 BlueSmack

BlueSmack is a Denial of Service (DoS) attack. The adversary sends an L2CAP echo request (ping) of large size, approximately 600 bytelimited hardware resources. Those devices reserve an input buffer of fixed length (around 600 bytes). When receiving such a malicious ping request, the input buffer overflows, which normally leads to a segmentation fault and, bknock-out of the target device. On a linux computer, this can be done simply using the bluez-utils’ l2 ping command with

5.10.6 Relay attacks

In relay attacks, the attacker posing as A. All authentication messages that conveys these messages from performed: two-sided, and oneimpersonated. In a one-sided attack, only one victim is impersonated. Relay attacks are similar to Man-in-the-Middle (MitM) attacks. There exists an adversary located between the sender and receiver, but the only activity of tinformation that it receives from one to another without changing the content. Three conditions are needed by the attacker to be able to perform this kind of attack which are:

• Actual communication between sender and receiver is disthey cannot listen to each other anymore.• Network infrastructure does not have a global infrastructure for routing and locating its users.• Attacker is capable enough to impersonate each of the victims to the other, even if the victims are loc


owed or stopped by these attacks, this indicates that a serious vulnerability potentially exists in the protocol stack. [56]

is a combination of BlueSnarf and BlueBug attacks, exploiting a flawed implementation of trusted devices in some Motorola devices. At first, the attacker connects to an OBEX push profile, as it is done in BlueSnarf. If there is no vulnerable implementation of OBEX that would allow a BlueSnarf attack, HeloMoto makes use of the trusted devices feature, defined in Bluetooth. The adversary now attempts to send a vCard to the target device and immediately cancels the request. In consequence of the HeloMoto vulnerability, his device remains within the trusted devices history, while the owner of the target device is not aware of being attacked. Finally he uses the status of a trusted device to execute AT commands. [56]

BlueSmack is a Denial of Service (DoS) attack. The adversary sends an L2CAP echo request (ping) of large size, approximately 600 bytes to a Bluetooth device with limited hardware resources. Those devices reserve an input buffer of fixed length (around 600 bytes). When receiving such a malicious ping request, the input buffer overflows, which normally leads to a segmentation fault and, by this, to the immediate

out of the target device. On a linux computer, this can be done simply using the ping command with -s <num> option, defining the packet length. [56]

In relay attacks, the attacker C talks to victim A posing as victim . All authentication messages that C needs are generated by real

conveys these messages from A/B to B/A. Two types of relay attacks may be sided, and one-sided. In a two-sided relay attack, both victims are

sided attack, only one victim is impersonated. Relay attacks are Middle (MitM) attacks. There exists an adversary located

between the sender and receiver, but the only activity of the adversary is to relay information that it receives from one to another without changing the content. Three conditions are needed by the attacker to be able to perform this kind of attack which are:

Actual communication between sender and receiver is disthey cannot listen to each other anymore.

Network infrastructure does not have a global infrastructure for routing and locating its users.

Attacker is capable enough to impersonate each of the victims to the other, even if the victims are located in distant locations. [61]


owed or stopped by these attacks, this indicates that a serious

is a combination of BlueSnarf and BlueBug attacks, exploiting a in some Motorola devices. At first, the

attacker connects to an OBEX push profile, as it is done in BlueSnarf. If there is no vulnerable implementation of OBEX that would allow a BlueSnarf attack, HeloMoto

in Bluetooth. The adversary now attempts to send a vCard to the target device and immediately cancels the request. In consequence of the HeloMoto vulnerability, his device remains within the trusted

not aware of being attacked. Finally he uses the status of a trusted device to execute AT commands. [56]

BlueSmack is a Denial of Service (DoS) attack. The adversary sends an L2CAP s to a Bluetooth device with

limited hardware resources. Those devices reserve an input buffer of fixed length (around 600 bytes). When receiving such a malicious ping request, the input buffer

y this, to the immediate out of the target device. On a linux computer, this can be done simply using the

option, defining the packet length. [56]

posing as victim B, and to B needs are generated by real A and B. C

. Two types of relay attacks may be elay attack, both victims are

sided attack, only one victim is impersonated. Relay attacks are Middle (MitM) attacks. There exists an adversary located

he adversary is to relay information that it receives from one to another without changing the content. Three conditions are needed by the attacker to be able to perform this kind of attack which are:

Actual communication between sender and receiver is disconnected and

Network infrastructure does not have a global infrastructure for routing

Attacker is capable enough to impersonate each of the victims to the


5.10.6.1 Two-Sided Relay attack

A real Bluetooth device establishment process starts with the paging procedure. thinking that it is real B. After the paging procedure, command to the attacker. The attacker attacker pages B and initiates a connection establishment procedure posing as both A and B use the same frequency hopping order with different offsets and do not hear each other.

The current link key between connection. The attacker does not need to know this key. Thus, changing the link key or using the current one do not cause any problem in attack setting. If the link is to be changed, then the next step is the exchange of combination key contributions (the random numbers which are encrypted by XORing with the current link key). encrypted random number RAND_NRthis encrypted random number to real B sends out its encrypted random number RAND_NRattacker forwards it to real real A and real B compute the same combination key Knew link key. [61]

Figure 5.13. Two


Sided Relay attack

A real Bluetooth device A wants to establish connection to B. The connection establishment process starts with the paging procedure. A first pages the attacker device

. After the paging procedure, A sends connection requestThe attacker accepts the connection request. Meanwhile,

and initiates a connection establishment procedure posing as e frequency hopping order with different offsets and do not

The current link key between A and B may or may not be changed at each connection. The attacker does not need to know this key. Thus, changing the link key or

ne do not cause any problem in attack setting. If the link is to be changed, then the next step is the exchange of combination key contributions (the random numbers which are encrypted by XORing with the current link key).

er RAND_NRA to the attacker who, using its this encrypted random number to real B as if it is sent by A. After receiving this number,

sends out its encrypted random number RAND_NRB to the attacker interfaceto real A using his other interface. After these message rounds, both

compute the same combination key Klink and this key is assigned as

Figure 5.13. Two-sided relay attack [61]


. The connection the attacker device

sends connection request accepts the connection request. Meanwhile, the

and initiates a connection establishment procedure posing as A. Thus, e frequency hopping order with different offsets and do not

may or may not be changed at each connection. The attacker does not need to know this key. Thus, changing the link key or

ne do not cause any problem in attack setting. If the link is to be changed, then the next step is the exchange of combination key contributions (the random numbers which are encrypted by XORing with the current link key). A sends its

interface, relays . After receiving this number, the attacker interface, and the

using his other interface. After these message rounds, both and this key is assigned as


The next steps are for authenticatinumber AU_RANDA. Afterauthentication response SRESknow the current link key, but usingas if A requests authentication of SRESA to A as the authentication response. After that but the truth is that the attacker device that they authenticated each other, but the fact isthem. [61]

5.10.6.2 One-Sided Relay attack

In this attack, the attackerrequested by the attacker. and then sends connection requesttime the attacker pages A After the first step, the attackerreal A requests authentication and sends back the corresponding authentication response SRESA. Having sent SRESattacker. The attacker should obtain SRESAU_RANDB, so he sends out AU_RANDthat B requests authentication, and calculates and sends SRESforwards it to real B. The connection setup is completed by mutually sending completion. These steps authenticate attacker sends a detach command to end its communication with real needed anymore. [61]

Figure 5.14. One


The next steps are for authentication. A sends to the attacker the 1. After sending AU_RANDA, A expects the corresponding

authentication response SRESA. The attacker cannot calculate SRESA, since it does not know the current link key, but using his other interface can forward AU_RAND

requests authentication of B. The response of real B contains SRESas the authentication response. After that A thinks that B

the attacker device is authenticated. At the end, both that they authenticated each other, but the fact is that the attacker impersonated both of

Sided Relay attack

the attacker impersonates A to talk to B. Communication is In order to make new connection the attacker

connection request to B. B accepts the connection request. At the same A and starts the connection establishment procedure with

the attacker sends the random number AU_RANDrequests authentication and sends back the corresponding authentication response . Having sent SRESA, B sends its authentication challenge AU_RAND. The attacker should obtain SRESB, which is the SRES corresponding to

sends out AU_RANDB to real A using its interface. Real requests authentication, and calculates and sends SRESB to the attacker and then

. The connection setup is completed by mutually sending . These steps authenticate Ac to B as if Ac were the real A

command to end its communication with real A

Figure 5.14. One-sided relay attack [61]


to the attacker the 128 bit random expects the corresponding

, since it does not ce can forward AU_RANDA to real

contains SRESA. C forwards B is authenticated,

henticated. At the end, both A and B think impersonated both of

. Communication is the attacker first pages B

accepts the connection request. At the same and starts the connection establishment procedure with A.

random number AU_RANDA. B thinks that requests authentication and sends back the corresponding authentication response

sends its authentication challenge AU_RANDB to the , which is the SRES corresponding to

using its interface. Real A thinks to the attacker and then

. The connection setup is completed by mutually sending setup A. At the end the A, since A is not


5.10.7 Attack to the pairing process

In order to perform this attack, an attacker needs to be able to eavesdrop the whole communication within the pairing process between two Bluetooth devices. Now the attacker is able to do an exhaustive search within the space of possible Bluetooth PINs. Knowing IN_RAND and BD_ADDR, the adversary feeds Etogether with the PIN candidates, chosen by his brute force algorithm, receiving a hypothesis for Kinit. Subsequently, the attacker decrypts the first two messages within the mutual authentication process, resulting in a hypothesis for LK_RANDLK_RANDB. Due to LK_RANDused in E21 to calculate the link ke

After that, the attacker is able to use the last few messages to prove, whether his hypothesis for Klink is correct or not. He feeds Erespectively AU_RANDB

SRESB message. This process is repeatedly done until the correct Bluetooth PIN used by A and B is found. Additionally, the attack is rather efficient. Due to some algebraic optimization of needed computations, crackingIV 3GHz takes approximately 63 milliseconds. [61]


5.10.7 Attack to the pairing process

In order to perform this attack, an attacker needs to be able to eavesdrop the whole communication within the pairing process between two Bluetooth devices. Now

r is able to do an exhaustive search within the space of possible Bluetooth PINs. Knowing IN_RAND and BD_ADDR, the adversary feeds E22 with those values, together with the PIN candidates, chosen by his brute force algorithm, receiving a

. Subsequently, the attacker decrypts the first two messages within the mutual authentication process, resulting in a hypothesis for LK_RAND

. Due to LK_RANDA and LK_RANDB being the only secret information to calculate the link key, the attacker computes a hypothesis for K

After that, the attacker is able to use the last few messages to prove, whether his is correct or not. He feeds E1 with the challenges AU_RAND

B and compares his result with the corresponding SRESmessage. This process is repeatedly done until the correct Bluetooth PIN used by

A and B is found. Additionally, the attack is rather efficient. Due to some algebraic needed computations, cracking a 4-digit Bluetooth PIN with a Pentium

takes approximately 63 milliseconds. [61]


In order to perform this attack, an attacker needs to be able to eavesdrop the whole communication within the pairing process between two Bluetooth devices. Now

r is able to do an exhaustive search within the space of possible Bluetooth with those values,

together with the PIN candidates, chosen by his brute force algorithm, receiving a . Subsequently, the attacker decrypts the first two messages within

the mutual authentication process, resulting in a hypothesis for LK_RANDA and being the only secret information

y, the attacker computes a hypothesis for Klink.

After that, the attacker is able to use the last few messages to prove, whether his with the challenges AU_RANDA,

esult with the corresponding SRESA or message. This process is repeatedly done until the correct Bluetooth PIN used by

A and B is found. Additionally, the attack is rather efficient. Due to some algebraic digit Bluetooth PIN with a Pentium


5.11 Solution for Bluetooth

5.11.1 Three phase remote disconnection and re

RDC3

This meter has been designed in acc11[2003], IEC62053-23[2003] & BS5685. It operates in the 50 Hz frequency within environmental conditions of temperature between synchronized daily if its error is larger than 30 secondfor over 10 years. Its accuracy is class 1 for active energy and class to for reactive energy.

Its communication module operates with Bluetooth vE2.1 through either HHU or PDA for local data reading and disconnection/reAdditionally, RS232 interface (In accordance with IEC 61107) and optical port interface (In accordance with IEC 62056

For further information on this meter go to:

The Eis RDC3 is a threeand reconnection meter. It is remotely controlled using a handheld unit (HHU) or PDA through acommunication interface module. It can also send the energy usage information to a customer’s mobile phone. The Eis RDC3’s features include tamper proof casing, impulse output, testing via LED pulse output, forward and reverse energy measurement, large LCD display, backlight and Bluetooth communication BS5685.


5.11 Solution for Bluetooth

5.11.1 Three phase remote disconnection and re-connection meter Eis

This meter has been designed in accordance with IEC 6205323[2003] & BS5685. It operates in the 50 Hz frequency within

environmental conditions of temperature between -10 and 45ºC. Its internal clock is synchronized daily if its error is larger than 30 seconds and can have a battery life time for over 10 years. Its accuracy is class 1 for active energy and class to for reactive

Its communication module operates with Bluetooth vE2.1 through either HHU or PDA for local data reading and disconnection/re-connection switch and data retrieval. Additionally, RS232 interface (In accordance with IEC 61107) and optical port interface (In accordance with IEC 62056-21) may be used for data readout. [60]

For further information on this meter go to: www.kigg.com

The Eis RDC3 is a three-phase remote disconnection and reconnection meter. It is remotely controlled using a handheld unit (HHU) or PDA through a Bluetooth communication interface module. It can also send the energy usage information to a customer’s mobile phone. The Eis RDC3’s features include tamper proof casing, impulse output, testing via LED pulse output, forward and reverse

, large LCD display, backlight and Bluetooth communication BS5685.


connection meter Eis

ordance with IEC 62053-21, IEC62052-23[2003] & BS5685. It operates in the 50 Hz frequency within

10 and 45ºC. Its internal clock is s and can have a battery life time

for over 10 years. Its accuracy is class 1 for active energy and class to for reactive

Its communication module operates with Bluetooth vE2.1 through either HHU connection switch and data retrieval.

Additionally, RS232 interface (In accordance with IEC 61107) and optical port interface


6. PRIME

6.1 Introduction

PRIME stands for PoweRline Intelligent Metering Evolution and defines the lower layers of a solution for Power Line Communications in the CENELECusing OFDM modulation. Its purpose isnarrowband communication channel for many applications such as Automated Management (AMM). Its design is based on IEC 61334, IEEE 802.15.4 and IEEE 802.16 standards with specific modifications and improvements in with the Power Line Communications environment.

Figure 6.1. PRIME low voltage sample scenario [65]

The PRIME project was started by Iberdrola in 2006 and in order to cover all the different activities involved many other members from were added including:

• Advanced Digital Design• Current Technologies International• Landis & Gyr

• ST Microelectronics• USyscom

• ZIV Medida [65]


PRIME stands for PoweRline Intelligent Metering Evolution and defines the lower layers of a solution for Power Line Communications in the CENELECusing OFDM modulation. Its purpose is to provide an open, low cost, very robust narrowband communication channel for many applications such as Automated Management (AMM). Its design is based on IEC 61334, IEEE 802.15.4 and IEEE 802.16 standards with specific modifications and improvements in order to get along with the Power Line Communications environment.

Figure 6.1. PRIME low voltage sample scenario [65]

The PRIME project was started by Iberdrola in 2006 and in order to cover all the different activities involved many other members from all relevant stakeholder groups

Advanced Digital Design Current Technologies International Landis & Gyr

ST Microelectronics

ZIV Medida [65]


PRIME stands for PoweRline Intelligent Metering Evolution and defines the lower layers of a solution for Power Line Communications in the CENELEC-A Band

to provide an open, low cost, very robust narrowband communication channel for many applications such as Automated Management (AMM). Its design is based on IEC 61334, IEEE 802.15.4 and IEEE

order to get along

The PRIME project was started by Iberdrola in 2006 and in order to cover all the all relevant stakeholder groups


6.2 Architecture of the system

PRIME comes up with an open, non proprietary, royalty communications solution that could fit a telecommunication layered architecture.

Figure 6.2: PRIME Layers definition [65]

The service-specific Convergence Layer (CL) classifies traffic associating it with its proper MAC connection.to be properly included in MAC SDUs. It may also include payload header suppression functions. Multiple Convergence sublayers are defined to accommodate different kinds of traffic into MAC SDUs.

The MAC layer provides core MAC functionalities of system access, bandwidth allocation, connection establishment/maintenance and topology resolution, as long as the PHY layer transmits and receives MPDUs between neighbor Nodes. [17]

6.3 Physical layer overvie

This layer is implemented using Orthogonal Frequency Division Multiplexing (OFDM) in the CENELECmodulation technique because of its adaptability in the presence of frequency selective channels, its robustness and its capacity for achieving high spectral efficiencies. Different modulation schemes are used in combination with three possible constellations: DBPSK, DQPSK and D8PSK. [17]


6.2 Architecture of the system

PRIME comes up with an open, non proprietary, royalty and patent free PLC communications solution that could fit a telecommunication layered architecture.

Figure 6.2: PRIME Layers definition [65]

specific Convergence Layer (CL) classifies traffic associating it with its proper MAC connection. This layer performs the mapping of any kind of traffic to be properly included in MAC SDUs. It may also include payload header suppression functions. Multiple Convergence sublayers are defined to accommodate different kinds

MAC layer provides core MAC functionalities of system access, bandwidth allocation, connection establishment/maintenance and topology resolution, as long as the PHY layer transmits and receives MPDUs between neighbor Nodes. [17]


This layer is implemented using Orthogonal Frequency Division Multiplexing (OFDM) in the CENELEC-A band as defined in EN50065-1. OFDM was chosen as the modulation technique because of its adaptability in the presence of frequency selective

robustness and its capacity for achieving high spectral efficiencies. Different modulation schemes are used in combination with three possible constellations: DBPSK, DQPSK and D8PSK. [17]


and patent free PLC communications solution that could fit a telecommunication layered architecture.

specific Convergence Layer (CL) classifies traffic associating it This layer performs the mapping of any kind of traffic

to be properly included in MAC SDUs. It may also include payload header suppression functions. Multiple Convergence sublayers are defined to accommodate different kinds

MAC layer provides core MAC functionalities of system access, bandwidth allocation, connection establishment/maintenance and topology resolution, as long as the PHY layer transmits and receives MPDUs between neighbor Nodes. [17]

This layer is implemented using Orthogonal Frequency Division Multiplexing 1. OFDM was chosen as the

modulation technique because of its adaptability in the presence of frequency selective robustness and its capacity for achieving high spectral efficiencies.

Different modulation schemes are used in combination with three possible


The following figure shows the PHY layer transmitter block diagra

Figure 6.3. PHY Layer transmitter block diagram [17]

On the following chart many physical parameters relative to the PRIME Physical Layer are presented:

Base Band Clock (Hz)

Subcarrier Spacing (Hz)

Data subcarriers

Pilot subcarriers

FFT interval (µ

FFT interval (samples)

Cyclic Prefix (µ

Cyclic Prefix (samples)

Symbol interval (µ

Symbol interval (samples)

Preamble period (µ

Convolutional Code (1/2)

Information bits per subcarrier

Information bits per symbol OFDM

Raw data rate

MAX MSDU length (bits)

MAX MSDU length (bytes)

Convolutional (1/2)

Information bits per subcarrier

Information bits per symbol OFDM

Figure 6.4 PRIME PHY layer parameters


The following figure shows the PHY layer transmitter block diagram:

Figure 6.3. PHY Layer transmitter block diagram [17]

On the following chart many physical parameters relative to the PRIME Physical

Base Band Clock (Hz) 250000

Subcarrier Spacing (Hz) 488.28125

Data subcarriers 84 (header) 96

Pilot subcarriers 13 (header) 1 (payload)

FFT interval (µs) 2048

FFT interval (samples) 512

Cyclic Prefix (µs) 192

Cyclic Prefix (samples) 48

Symbol interval (µs) 2240

Symbol interval (samples) 560

Preamble period (µs) 2048

DBPSK DQPSK

Convolutional Code (1/2) On Off On Off

Information bits per subcarrier 0,5 1 1 2

Information bits per symbol OFDM 48 96 96 192

Raw data rate 21,4 42,9 42,9 85,7

MAX MSDU length (bits) 3016 6048 6040 12096

MAX MSDU length (bytes) 377 756 755 1512

DBPSK

Convolutional (1/2) On

Information bits per subcarrier 0,5

Information bits per symbol OFDM 42

Figure 6.4 PRIME PHY layer parameters


On the following chart many physical parameters relative to the PRIME Physical

96 (payload)

1 (payload)

D8PSK

On Off

1,5 3

144 288

64,3 128,6

12096 9064 18144

1512 1133 2268



MAC layer takes inspiration from meshed systems, whilst considering that the available bandwidth will be limited. Simplicity, low cost and flexibility are the main goals of the design.

PRIME MAC specification has been provided with different characteristics to fulfill the following goals:

• Low complexity on metering devices• Connection ori

• Range of optional features (retransmission, security, packet aggregation, ...) • Different complexity levels: IPv4 vs. simple metering options, optional features, … • Readiness for demand management applications

PRIME system is composed of subnetworks, which are composed of a transformer substation and its meters. Each subnetwork can be formed by many nodes: one Base Node, which is the Master of the subnetwork and provides connectivity to it, and the Service Nodes. These Servicwhere metering is performed or as Switching Nodes that establish connection between the Terminal Nodes and the Base Node. All devices are working in a shared communication medium (LV PLC) and will use a channel scheduled along with Time Division Multiplexing (TDD).

Information in MAC Layer is structured in Packet Data Units (PDUs) organized in three different types:

• Generic PDUcontrol information.

• Beacon PDUsubnetwork of its parameters• Promotion Needed PDUreceived, to search for help in reaching the Base Node [17] [18]

6.5 Convergence laye

This layer opens MAC and PHY to upper layers and applications. It classifies the traffic associating it with the proper MAC connection, mapping the traffic into MAC SDUs, providing access to the MAC core functionalities.



MAC layer takes inspiration from meshed systems, whilst considering that the le bandwidth will be limited. Simplicity, low cost and flexibility are the main

PRIME MAC specification has been provided with different characteristics to fulfill the

Low complexity on metering devices Connection oriented Master/Slave configuration

Range of optional features (retransmission, security, packet aggregation,

Different complexity levels: IPv4 vs. simple metering options, optional

Readiness for demand management applications

s composed of subnetworks, which are composed of a transformer substation and its meters. Each subnetwork can be formed by many nodes: one Base Node, which is the Master of the subnetwork and provides connectivity to it, and the Service Nodes. These Service Nodes can either actuate as Terminal Nodes where metering is performed or as Switching Nodes that establish connection between the Terminal Nodes and the Base Node. All devices are working in a shared communication medium (LV PLC) and will use a channel scheme based on CSMA/CA scheduled along with Time Division Multiplexing (TDD).

Information in MAC Layer is structured in Packet Data Units (PDUs) organized

Generic PDU used for most transmissions, can convey both data and information.

Beacon PDU, used by Base Node and Switch Nodes to announce the subnetwork of its parameters

Promotion Needed PDU, used by Terminal Nodes when no Beacon is received, to search for help in reaching the Base Node [17] [18]

6.5 Convergence layer overview

This layer opens MAC and PHY to upper layers and applications. It classifies the traffic associating it with the proper MAC connection, mapping the traffic into MAC SDUs, providing access to the MAC core functionalities.


MAC layer takes inspiration from meshed systems, whilst considering that the le bandwidth will be limited. Simplicity, low cost and flexibility are the main

PRIME MAC specification has been provided with different characteristics to fulfill the

Range of optional features (retransmission, security, packet aggregation,

Different complexity levels: IPv4 vs. simple metering options, optional

s composed of subnetworks, which are composed of a transformer substation and its meters. Each subnetwork can be formed by many nodes: one Base Node, which is the Master of the subnetwork and provides connectivity to it,

e Nodes can either actuate as Terminal Nodes where metering is performed or as Switching Nodes that establish connection between the Terminal Nodes and the Base Node. All devices are working in a shared

scheme based on CSMA/CA

Information in MAC Layer is structured in Packet Data Units (PDUs) organized

used for most transmissions, can convey both data and

, used by Base Node and Switch Nodes to announce the

, used by Terminal Nodes when no Beacon is

This layer opens MAC and PHY to upper layers and applications. It classifies the traffic associating it with the proper MAC connection, mapping the traffic into


The convergence layer is divided into two convergence sublayers:

• The Common Part Convergence Sublayer (CPCS) service common to any SSCS as Segmentation and Reassembly.• The Service Specific Convergence Sublayer (SSCS)that are specific to one apPRIME, IPv4 convergence layer as universal access to PRIME, and IEC 613344-32 as a link to metering systems. [17] [18]

6.6 Security on PRIME

In PRIME protocol, security functions provide the MAC layauthentication and data integrity through a secure connection method and a key management policy. All data packets transferred on the network must use the specific security profile on the MAC level. However, REG and SEC control messages, and Beacon PDU and Promotion Needed PDU Two different security profiles are specified on the current version of the standard in order to be used depending on the needs of the network manager. In addition, the standard leaves scopversions. [18]

6.6.1 Security Profile 0

When using Security Profile 0, security is supposed not to be much necessary and all packets are transferred without any encryption. This profile shall be usedcommunication that does not have strict requirements on privacy, authentication or data integrity. [18]


In the case that data protection is needed, Security Profile 1 is used. It is based on 128-bit AES Encryption and the assall security requirements which are privacy, authentication and data integrity:

• Privacy is guaranteed by the encryption itself and by the fact that the encryption key is kept secret.• Authenticationsecret key known only by the node itself and the Base Node.• Data integrityencrypted. [18]


s divided into two convergence sublayers:

The Common Part Convergence Sublayer (CPCS) provides generic service common to any SSCS as Segmentation and Reassembly.

The Service Specific Convergence Sublayer (SSCS) contains services that are specific to one application layer. Two convergence layers are defined in PRIME, IPv4 convergence layer as universal access to PRIME, and IEC 61334

32 as a link to metering systems. [17] [18]

6.6 Security on PRIME

In PRIME protocol, security functions provide the MAC layauthentication and data integrity through a secure connection method and a key management policy. All data packets transferred on the network must use the specific security profile on the MAC level. However, REG and SEC control messages, and

Promotion Needed PDU are transferred non-encrypted.

Two different security profiles are specified on the current version of the standard in order to be used depending on the needs of the network manager. In addition, the standard leaves scope for adding up to more security profile on its future


When using Security Profile 0, security is supposed not to be much necessary and all packets are transferred without any encryption. This profile shall be usedcommunication that does not have strict requirements on privacy, authentication or data


In the case that data protection is needed, Security Profile 1 is used. It is based bit AES Encryption and the associated CRC. It is defined in order to accomplish

all security requirements which are privacy, authentication and data integrity:

is guaranteed by the encryption itself and by the fact that the encryption key is kept secret.

Authentication is guaranteed by the fact that each node has its own secret key known only by the node itself and the Base Node.

Data integrity is guaranteed by the fact that the payload CRC is


provides generic contains services

plication layer. Two convergence layers are defined in PRIME, IPv4 convergence layer as universal access to PRIME, and IEC 61334-

In PRIME protocol, security functions provide the MAC layer privacy, authentication and data integrity through a secure connection method and a key management policy. All data packets transferred on the network must use the specific security profile on the MAC level. However, REG and SEC control messages, and

encrypted.

Two different security profiles are specified on the current version of the standard in order to be used depending on the needs of the network manager. In

e for adding up to more security profile on its future

When using Security Profile 0, security is supposed not to be much necessary and all packets are transferred without any encryption. This profile shall be used by communication that does not have strict requirements on privacy, authentication or data

In the case that data protection is needed, Security Profile 1 is used. It is based ociated CRC. It is defined in order to accomplish

all security requirements which are privacy, authentication and data integrity:

is guaranteed by the encryption itself and by the fact that the

nteed by the fact that each node has its own

is guaranteed by the fact that the payload CRC is


6.6.3 Negotiation of the Security Profile

Both MAC signaling PDUs andis negotiated during the device registration. In the REG_REQ message the terminal indicates the Security Profile it can support in the field REG.SPC. The Base Node decides then whether to accept or reject theprovided is acceptable or not. If the registration is accepted the Base Node sends back a REG_RSP message with the same value on the REG.SPC field. On the other hand, if the registration is rejected, the REG.0 is the one to be used.

It is recommended that terminal first attempt to register using the Security Profile 1, if it is performed like this, Security Profile 0 will be used only when the Base Node rejects the registration request and it is assured that data that needs to be encrypted will be encrypted always.

The following sections are to be applied only on the case of Security Profile 1, as long as no encryption is used if the system is working on

6.6.4 Cryptographic algorithm

The cryptographic algorithm used in PRIME is AES as defined in FIPS197, from the NIST, the organization in charge of the technology standards from de US Department of Commerce. The algorithm is dpossible key sizes. The 128supposed to present a level of security for preserving privacy up to 2030 and beyond, as specified in SP800-57, page 66, table 4.

AES is used according to the sospecified in SP800-38A, using block128-bit blocks. In the case that the last block is smaller than 128 bits, padding is implemented with the additreach a length of the string to be encrypted as a multiple of 128 bits. Encryption is performed one block at a time, using the same working key for all the data. [18]

6.6.5 Algorithm for key deriv

The method used for obtaining the working keys from the secret keys is very simple. AES algorithm is applied on a constant (C) as it was plain text and the generation key (Gk) as it was an encryption key. If the constant is a word shorter than 128 bits, the padding is added for alignment to the LSB. The convention followed for


6.6.3 Negotiation of the Security Profile

Both MAC signaling PDUs and Data PDUs use the same Security Profile, which is negotiated during the device registration. In the REG_REQ message the terminal indicates the Security Profile it can support in the field REG.SPC. The Base Node decides then whether to accept or reject the registration depending if the Security Profile provided is acceptable or not. If the registration is accepted the Base Node sends back a REG_RSP message with the same value on the REG.SPC field. On the other hand, if the registration is rejected, the REG.SPC field is set to 0 indicating that Security Profile

It is recommended that terminal first attempt to register using the Security Profile 1, if it is performed like this, Security Profile 0 will be used only when the Base

ejects the registration request and it is assured that data that needs to be encrypted will be encrypted always.

The following sections are to be applied only on the case of Security Profile 1, as long as no encryption is used if the system is working on the Security Profile 0. [18]

6.6.4 Cryptographic algorithm

The cryptographic algorithm used in PRIME is AES as defined in FIPS197, from the NIST, the organization in charge of the technology standards from de US Department of Commerce. The algorithm is described on the standard with three possible key sizes. The 128-bit secret key, which is the one used on PRIME; is supposed to present a level of security for preserving privacy up to 2030 and beyond, as

57, page 66, table 4.

ed according to the so-called Electronic Code Book (ECB), as 38A, using block-ciphering mode where plain text is divided into

bit blocks. In the case that the last block is smaller than 128 bits, padding is implemented with the addition of a bit equal to 1 and as many zeroes as necessary to reach a length of the string to be encrypted as a multiple of 128 bits. Encryption is performed one block at a time, using the same working key for all the data. [18]

6.6.5 Algorithm for key derivation

The method used for obtaining the working keys from the secret keys is very simple. AES algorithm is applied on a constant (C) as it was plain text and the

) as it was an encryption key. If the constant is a word shorter than its, the padding is added for alignment to the LSB. The convention followed for


Data PDUs use the same Security Profile, which is negotiated during the device registration. In the REG_REQ message the terminal indicates the Security Profile it can support in the field REG.SPC. The Base Node

registration depending if the Security Profile provided is acceptable or not. If the registration is accepted the Base Node sends back a REG_RSP message with the same value on the REG.SPC field. On the other hand, if

SPC field is set to 0 indicating that Security Profile

It is recommended that terminal first attempt to register using the Security Profile 1, if it is performed like this, Security Profile 0 will be used only when the Base

ejects the registration request and it is assured that data that needs to be

The following sections are to be applied only on the case of Security Profile 1, the Security Profile 0. [18]

The cryptographic algorithm used in PRIME is AES as defined in FIPS197, from the NIST, the organization in charge of the technology standards from de US

escribed on the standard with three bit secret key, which is the one used on PRIME; is

supposed to present a level of security for preserving privacy up to 2030 and beyond, as

called Electronic Code Book (ECB), as ciphering mode where plain text is divided into

bit blocks. In the case that the last block is smaller than 128 bits, padding is ion of a bit equal to 1 and as many zeroes as necessary to

reach a length of the string to be encrypted as a multiple of 128 bits. Encryption is performed one block at a time, using the same working key for all the data. [18]

The method used for obtaining the working keys from the secret keys is very simple. AES algorithm is applied on a constant (C) as it was plain text and the

) as it was an encryption key. If the constant is a word shorter than its, the padding is added for alignment to the LSB. The convention followed for


derivation equations of each one or the keys used is presented in the following lines: [18]

Figure 6.5. Key derivation algorithm [19]

Generated Key = AES_enc (Generation Key

6.6.6 Key Hierarchy

A set of three working keys are used by Service Nodes and Base Nodes for all data encryption. The three keys and their usage are the following:

Initial Working Key (WKREG.SNK and REG.AUK fields of the REG_RSP message. It is used by the Service Node in a disconnected state and is derived using the following formula:

WK 0 = AES_enc (USK, 0)

Working Key (WK): This key is used to encrypt all the unicast data thfrom the Base Node to a Service Node and viceversa. Each registered Service Node would have a unique WK that is known only to the Base Node and itself. The WK is derived using the following formula:

WK = AES_enc (USK, Random sequence rece


derivation equations of each one or the keys used is presented in the following lines:

Figure 6.5. Key derivation algorithm [19]

= AES_enc (Generation Key, Constant (C)) [19]

A set of three working keys are used by Service Nodes and Base Nodes for all data encryption. The three keys and their usage are the following:

Initial Working Key (WK 0): This key has a limited usage. It is used tREG.SNK and REG.AUK fields of the REG_RSP message. It is used by the Service Node in a disconnected state and is derived using the following formula:

= AES_enc (USK, 0)

This key is used to encrypt all the unicast data thfrom the Base Node to a Service Node and viceversa. Each registered Service Node would have a unique WK that is known only to the Base Node and itself. The WK is derived using the following formula:

Random sequence received in SEC.RAN)


derivation equations of each one or the keys used is presented in the following lines:

A set of three working keys are used by Service Nodes and Base Nodes for all

This key has a limited usage. It is used to decrypt the REG.SNK and REG.AUK fields of the REG_RSP message. It is used by the Service Node in a disconnected state and is derived using the following formula:

This key is used to encrypt all the unicast data that is transmitted from the Base Node to a Service Node and viceversa. Each registered Service Node would have a unique WK that is known only to the Base Node and itself. The WK is


Subnetwork Working Key (SWK): security of the key is ensured because it is never transmitted over the physical channel. Instead of that, it is derived from other keys which are transmitted eand non-encrypted in SEC control packets. It is used to encrypt the following:

• Broadcast data, including MAC broadcast control packets

• Multicast data• Unicast data that is transacted over direct connections, i.e. not involving the Base Node

The Subnetwork Working Key is derived using the following formula:

SWK = AES_enc (SNK, Random sequence received in SEC.SNK)

The WK and the SWK have a limited validity time in relation to the random sequence generation period. This sequence is generated anetwork by the Base Node every packets. If a device does not receive a new random sequence within 2 times the MAC Random Sequence Change Time, it considers the keys it is using as n

The process for key derivation was designed to be indirect and with multiple stages in order to ensure its protection. The parameters involved in this process are the ones described in the following lines.

Master Keys (MK1, MK 2): with different usages. The first one is used to derive the Device Secret Key and the second one to compute the Key Diversifier. Both of them are administered on the Base Node. Having two Master Keys turns thderiving The DSK and KDIV in the first stage and in the second stage derive the USK from those two. It is important to note that both DSK and KDIV are unique for each registering Service Node.

Device Secret Key (DSK): is hard-coded in the device during production. The DSK is constant for the entire life of the Service Node. The Base Node uses MK1 to derive Service Nodeusing the following equation:

DSK = AES_enc (MK1, UI

Key Diversifier (KDIV): opposition to DSK, it does not have to be a fixed constant for the entire life of the Service Node. The Base Node computes deviceequation:

KDIV = AES_enc (MK2, UI


Subnetwork Working Key (SWK): This key is shared by the entire subnetwork. The security of the key is ensured because it is never transmitted over the physical channel. Instead of that, it is derived from other keys which are transmitted encrypted in REG

encrypted in SEC control packets. It is used to encrypt the following:

Broadcast data, including MAC broadcast control packets

Multicast data Unicast data that is transacted over direct connections, i.e. not involving

The Subnetwork Working Key is derived using the following formula:

Random sequence received in SEC.SNK)

The WK and the SWK have a limited validity time in relation to the random sequence generation period. This sequence is generated and distributed through all network by the Base Node every MACRandSeqChgTime seconds using the SEC Control packets. If a device does not receive a new random sequence within 2 times the MAC Random Sequence Change Time, it considers the keys it is using as no longer valid.

The process for key derivation was designed to be indirect and with multiple stages in order to ensure its protection. The parameters involved in this process are the ones described in the following lines.

): Two Master Keys are defined in the specification each one with different usages. The first one is used to derive the Device Secret Key and the second one to compute the Key Diversifier. Both of them are administered on the Base Node. Having two Master Keys turns the Unique Secret Key into a two stage process by deriving The DSK and KDIV in the first stage and in the second stage derive the USK from those two. It is important to note that both DSK and KDIV are unique for each

ey (DSK): This key is unique to each Service Node on the network and coded in the device during production. The DSK is constant for the entire life of

the Service Node. The Base Node uses MK1 to derive Service Nodeequation:

UI)

Key Diversifier (KDIV): This key is also unique to each Service Node, but in opposition to DSK, it does not have to be a fixed constant for the entire life of the Service Node. The Base Node computes device-specific KDIV using the following

UI)


This key is shared by the entire subnetwork. The security of the key is ensured because it is never transmitted over the physical channel.

ncrypted in REG encrypted in SEC control packets. It is used to encrypt the following:

Broadcast data, including MAC broadcast control packets

Unicast data that is transacted over direct connections, i.e. not involving

The WK and the SWK have a limited validity time in relation to the random nd distributed through all

seconds using the SEC Control packets. If a device does not receive a new random sequence within 2 times the MAC

o longer valid.

The process for key derivation was designed to be indirect and with multiple stages in order to ensure its protection. The parameters involved in this process are the

r Keys are defined in the specification each one with different usages. The first one is used to derive the Device Secret Key and the second one to compute the Key Diversifier. Both of them are administered on the Base

e Unique Secret Key into a two stage process by deriving The DSK and KDIV in the first stage and in the second stage derive the USK from those two. It is important to note that both DSK and KDIV are unique for each

This key is unique to each Service Node on the network and coded in the device during production. The DSK is constant for the entire life of

the Service Node. The Base Node uses MK1 to derive Service Node-specific DSK

This key is also unique to each Service Node, but in opposition to DSK, it does not have to be a fixed constant for the entire life of the

sing the following


Unique Secret Key (USK)above equations. The USK is in turn derived by applying AES to KDIV, using DSK as the generation key, as shown in the foll

USK = AES_enc (DSK, KDIV)

Unique Identifier (UI) : The UI of a Service Node shall be its EUI48, which is one of the three possible configurations used by IEEE for the device MAC address. [18]

6.6.7 Key distribution and management

The Base Node defines the Security Profile that will be used for MAC control packets that will travel on the network. Any node that tries to attach to the network has to adapt to the Security Profile advertised by the Base Node BPDU, which cannot be Security Profile 0 because MAC control packets must be encrypted. Any Terminal Nodes on a subnetwork that transit to Switch functionality as a result of a promotion should also advertise the same Security Profile as the Base Node in their BPDUs.

During a device registraall time indicated by REG control packet specific fields for each device. All connections from/to the device must follow that Security Profile and any connections involving the same device cannot be a difference, in exception of the Base Node.

The SWK used to derive a working key for nonconnections is never transmitted nonbroadcast messages transmitted by the Base Node at keys for both unicast and nonresponse from the Base Node contains the random sequence used to derive WK for unicast traffic. The REG message is followed by a unicast SENode to the registering device. [18]

6.6.8 Data encryption algorithm

Any connections working on Security Profile 1 always transmit a SCRC (Security CRC) with all packets. It is calculated over the unencrypted packet payload. It is the confirmation for the data contained in the packet for when it is decrypted at the receiving end. It is calculated by the generator polynomial g(D)=D8+D2+D+1 of the polynomial D8 multiplied by the unencrypted packet payload.

The data block obtained by thepacket and the SCRC is padded with a 1 and as many zeroes as necessary to make it a multiple of 128 pack and divided into 128start of the padding at the rece


Unique Secret Key (USK). The USK is used to derive WK0 and WK as defined in the above equations. The USK is in turn derived by applying AES to KDIV, using DSK as the generation key, as shown in the following equation:

KDIV)

: The UI of a Service Node shall be its EUI48, which is one of the three possible configurations used by IEEE for the device MAC address. [18]

6.6.7 Key distribution and management

Node defines the Security Profile that will be used for MAC control packets that will travel on the network. Any node that tries to attach to the network has to adapt to the Security Profile advertised by the Base Node BPDU, which cannot be

e 0 because MAC control packets must be encrypted. Any Terminal Nodes on a subnetwork that transit to Switch functionality as a result of a promotion should also advertise the same Security Profile as the Base Node in their BPDUs.

During a device registration the Security Profile for data traffic is negotiated and all time indicated by REG control packet specific fields for each device. All connections from/to the device must follow that Security Profile and any connections involving the

be a difference, in exception of the Base Node.

The SWK used to derive a working key for non-unicast traffic and direct connections is never transmitted non-encrypted over the physical channel. The SEC broadcast messages transmitted by the Base Node at regular intervals contain random keys for both unicast and non-unicast traffic. After a device registration, the REG response from the Base Node contains the random sequence used to derive WK for unicast traffic. The REG message is followed by a unicast SEC message from Base Node to the registering device. [18]

6.6.8 Data encryption algorithm

Any connections working on Security Profile 1 always transmit a SCRC (Security CRC) with all packets. It is calculated over the unencrypted packet payload. It

confirmation for the data contained in the packet for when it is decrypted at the receiving end. It is calculated by the generator polynomial g(D)=D8+D2+D+1 of the polynomial D8 multiplied by the unencrypted packet payload.

The data block obtained by the concatenation of the unencrypted payload of the packet and the SCRC is padded with a 1 and as many zeroes as necessary to make it a multiple of 128 pack and divided into 128-bit blocks. The 1 inserted is used to detect the start of the padding at the receiver. After that, each 128-bit block is encrypted with the


and WK as defined in the above equations. The USK is in turn derived by applying AES to KDIV, using DSK as

: The UI of a Service Node shall be its EUI48, which is one of the three possible configurations used by IEEE for the device MAC address. [18]

Node defines the Security Profile that will be used for MAC control packets that will travel on the network. Any node that tries to attach to the network has to adapt to the Security Profile advertised by the Base Node BPDU, which cannot be

e 0 because MAC control packets must be encrypted. Any Terminal Nodes on a subnetwork that transit to Switch functionality as a result of a promotion should also advertise the same Security Profile as the Base Node in their BPDUs.

tion the Security Profile for data traffic is negotiated and all time indicated by REG control packet specific fields for each device. All connections from/to the device must follow that Security Profile and any connections involving the

unicast traffic and direct encrypted over the physical channel. The SEC

regular intervals contain random unicast traffic. After a device registration, the REG

response from the Base Node contains the random sequence used to derive WK for C message from Base

Any connections working on Security Profile 1 always transmit a SCRC (Security CRC) with all packets. It is calculated over the unencrypted packet payload. It

confirmation for the data contained in the packet for when it is decrypted at the receiving end. It is calculated by the generator polynomial g(D)=D8+D2+D+1 of the

concatenation of the unencrypted payload of the packet and the SCRC is padded with a 1 and as many zeroes as necessary to make it a

bit blocks. The 1 inserted is used to detect the bit block is encrypted with the


AES algorithm using the Working Key and the result is the encrypted payload of the packet. Afterwards the packet header is added as the final operation of the process. [19] [18]

Figure 6.6. Encry


AES algorithm using the Working Key and the result is the encrypted payload of the packet. Afterwards the packet header is added as the final operation of the process. [19]

Figure 6.6. Encryption algorithm [19]


AES algorithm using the Working Key and the result is the encrypted payload of the packet. Afterwards the packet header is added as the final operation of the process. [19]


6.6.9 Transmitter MAC Security Module

When a packet is being sent from MAC layer, the Transmitter Module first gives DMA-AES block a control signal indicating the address for the header and SRAM response fixed bytes to Transmitter Module through the DMATransmitter Module analyses the header and aggregates information such as payload and the fact that it must be encrypted or not, the kind of key should be used for encryption or the size of the data. This

Figure 6.7. Transmitter Module Architecture [19]

1. Get address for Header2. After getting Head, TX module has to analyze the Head information, then deciding the associated packet would encrypt or not, meanwhile, ipayload’s address. 3. Get Header Words, and send to TX to analyzing4. Read payload5. Send payload to TX block encrypted or direct

Aggregating control signal would be reone or several cyclic times. DMAwhen the payload need encrypted. Meanwhile, DMAsentences from SRAM with indicating address, and 32time based on the bus width. After encryption, DMAback to TX module each time. [19]


6.6.9 Transmitter MAC Security Module

When a packet is being sent from MAC layer, the Transmitter Module first gives AES block a control signal indicating the address for the header and SRAM

Transmitter Module through the DMA-AES Module. The Transmitter Module analyses the header and aggregates information such as payload and the fact that it must be encrypted or not, the kind of key should be used for encryption or the size of the data. This procedure is shown on the following figure:

Figure 6.7. Transmitter Module Architecture [19]

Get address for Header After getting Head, TX module has to analyze the Head information, then

deciding the associated packet would encrypt or not, meanwhile, i

Get Header Words, and send to TX to analyzing Read payload Send payload to TX block encrypted or direct

Aggregating control signal would be re-sent back to DMA-AES module after one or several cyclic times. DMA-AES module attains key and prepares encryption when the payload need encrypted. Meanwhile, DMA-AES module gets payload sentences from SRAM with indicating address, and 32-bit data would be attained every time based on the bus width. After encryption, DMA-AES module sends back to TX module each time. [19]


When a packet is being sent from MAC layer, the Transmitter Module first gives AES block a control signal indicating the address for the header and SRAM

AES Module. The Transmitter Module analyses the header and aggregates information such as payload and the fact that it must be encrypted or not, the kind of key should be used for

procedure is shown on the following figure:

After getting Head, TX module has to analyze the Head information, then deciding the associated packet would encrypt or not, meanwhile, indicating

AES module after ns key and prepares encryption

AES module gets payload bit data would be attained every AES module sends 32-bit data


6.6.10 Receiver MAC Security Module

When a packet from PHY is received, its associated information is analyzed and a decision is taken about whether it should be decrypted or not, which is needed for decryption and where it is going to be stored in the SRAM. After all this process DMA gives the Receiver Module a control signal indicating that it is ready for receiving a new packet. All the procedure is shown in the following figure:

Figure 6.8 Receiver Modu

1. Read Header from PHY and decide either to encrypt or not indicating address in SRAM 2. Store Head to SRAM3. Control signal4. Get payload 5. Send payload to DMA decrypted or direct

After analyzing by RX module, address which indicates in the SRattained, and the packet would directly send to SRAM through DMA module if the packet needs no decryption. Then DMA module gives RX a control signal indicating that it has capability to receive next packet. [19]


6.6.10 Receiver MAC Security Module

When a packet from PHY is received, its associated information is analyzed and a decision is taken about whether it should be decrypted or not, which is needed for

ion and where it is going to be stored in the SRAM. After all this process DMA gives the Receiver Module a control signal indicating that it is ready for receiving a new packet. All the procedure is shown in the following figure:

Figure 6.8 Receiver Module Architecture [19]

Read Header from PHY and decide either to encrypt or not indicating

Store Head to SRAM Control signal

Send payload to DMA decrypted or direct

After analyzing by RX module, address which indicates in the SRattained, and the packet would directly send to SRAM through DMA module if the packet needs no decryption. Then DMA module gives RX a control signal indicating that it has capability to receive next packet. [19]


When a packet from PHY is received, its associated information is analyzed and a decision is taken about whether it should be decrypted or not, which is needed for

ion and where it is going to be stored in the SRAM. After all this process DMA gives the Receiver Module a control signal indicating that it is ready for receiving a new

Read Header from PHY and decide either to encrypt or not indicating

After analyzing by RX module, address which indicates in the SRAM is attained, and the packet would directly send to SRAM through DMA module if the packet needs no decryption. Then DMA module gives RX a control signal indicating


6.7 Possible attacks to PRIME

Although AES-128 algorithm is supposed to give complete cryptographic protection when implemented, methods to break the algorithm and being capable of unencrypt the information protected with it may be attempted. If this scenario is reproduced, security issues other kinds of attacks may be performed to get over security procedures implemented in PRIME.

6.7.1 Exposition of the keys

PRIME security does not provide Perfect Forward Secrecy. Compromise of the keys leads to compromise of recorded past sessions, consequently, if this compromise is not accomplished, this may enable an attacker to impersonate a Base Node and this may lead to attacker to attempt to obtain critical information from the Service nodes.

PRIME security procedures provide no protection against a legitimate device sharing its keys with a third party. Then, not permanently but during the period while the working are valid, an attacker may be capable of using the working to get access to the network and eavesdrop information from it. Since the attacker owns the valid working keys he may obtain this information unencrypted.

6.7.2 Denial of Service (DoS) attacks

One of the attacks that may be performed if an attacker is able to gets access the network is the DoS attack. This attack aims at preventing transmission of user data, and signaling and control information over the network disrupting communication and network operation. It can be achieved by malicious third parties who:

• Try to flood the network with big amounts of irrelevant information in order to make it collapse• Induce specific protocol failures

• Impersonate as Base Nodes and then prevent data traffic, either user traffic, signaling traffic or control traffic, from being transmit


6.7 Possible attacks to PRIME

128 algorithm is supposed to give complete cryptographic protection when implemented, methods to break the algorithm and being capable of unencrypt the information protected with it may be attempted. If this scenario is reproduced, security issues on PRIME will no longer be accomplished. Besides of that, other kinds of attacks may be performed to get over security procedures implemented in

6.7.1 Exposition of the keys

PRIME security does not provide Perfect Forward Secrecy. Compromise of e keys leads to compromise of recorded past sessions, consequently, if this

compromise is not accomplished, this may enable an attacker to impersonate a Base Node and this may lead to attacker to attempt to obtain critical information from the

PRIME security procedures provide no protection against a legitimate device sharing its keys with a third party. Then, not permanently but during the period while the working are valid, an attacker may be capable of using the working to get access to he network and eavesdrop information from it. Since the attacker owns the valid

working keys he may obtain this information unencrypted.


One of the attacks that may be performed if an attacker is able to gets access the network is the DoS attack. This attack aims at preventing transmission of user data, and signaling and control information over the network disrupting communication and network operation. It can be achieved by malicious third parties who:

od the network with big amounts of irrelevant information in order to make it collapse

Induce specific protocol failures

Impersonate as Base Nodes and then prevent data traffic, either user traffic, signaling traffic or control traffic, from being transmitted


128 algorithm is supposed to give complete cryptographic protection when implemented, methods to break the algorithm and being capable of unencrypt the information protected with it may be attempted. If this scenario is

on PRIME will no longer be accomplished. Besides of that, other kinds of attacks may be performed to get over security procedures implemented in

PRIME security does not provide Perfect Forward Secrecy. Compromise of e keys leads to compromise of recorded past sessions, consequently, if this

compromise is not accomplished, this may enable an attacker to impersonate a Base Node and this may lead to attacker to attempt to obtain critical information from the

PRIME security procedures provide no protection against a legitimate device sharing its keys with a third party. Then, not permanently but during the period while the working are valid, an attacker may be capable of using the working to get access to he network and eavesdrop information from it. Since the attacker owns the valid

One of the attacks that may be performed if an attacker is able to gets access in the network is the DoS attack. This attack aims at preventing transmission of user data, and signaling and control information over the network disrupting communication and

od the network with big amounts of irrelevant information in

Impersonate as Base Nodes and then prevent data traffic, either user ted


6.7.3 Identity protection

Since it was chosen to restrict to a single cryptographic primitive from symmetric cryptography, namely, the block cipher AESpossible to provide reasonable identity protection without failigoal.

If only symmetric cryptography is used, only a weak form of identity protection may be offered, namely, pseudonym management. In other words, the peer and the server agree on pseudonyms that they use to identify each other change them periodically, possibly in a protected way so that an attacker cannot learn new pseudonyms before they are used.

With pseudonym management, there is a tradepseudonym resynchronization (thanks to a permanentactive attacks (in which the attacker forges messages simulating a pseudonym desynchronization). Because pseudonym management adds complexity to the protocol and implies this unsatisfactory trade

However, PRIME security procedures may trivially provide some protection when the concern is to avoid the "realattack can very simply be thwarted, merely by not providing users with an idenallows easy recovery of their realis not correlated to a real-life identity is used, no valuable information leaks because of the fact that not specific identity protection procedures

It is worth noting that the Base Node systematically discloses its identity, which may allow probing attacks. This may not be a problem as the identity of the server is not supposed to remain secret. On the contrary, users tend to want towhom they will be talking in order to choose the right network to attach to.



Since it was chosen to restrict to a single cryptographic primitive from symmetric cryptography, namely, the block cipher AES-128, it appears that it is not possible to provide reasonable identity protection without failing to meet the simplicity

If only symmetric cryptography is used, only a weak form of identity protection may be offered, namely, pseudonym management. In other words, the peer and the server agree on pseudonyms that they use to identify each other change them periodically, possibly in a protected way so that an attacker cannot learn new pseudonyms before they are used.

With pseudonym management, there is a trade-off between allowing for pseudonym resynchronization (thanks to a permanent identity) and being vulnerable to active attacks (in which the attacker forges messages simulating a pseudonym desynchronization). Because pseudonym management adds complexity to the protocol and implies this unsatisfactory trade-off, it was decided not to be included.

However, PRIME security procedures may trivially provide some protection when the concern is to avoid the "real-life" identity of the user being discovered. This attack can very simply be thwarted, merely by not providing users with an idenallows easy recovery of their real-life identity. It is believed that when an identifier that

life identity is used, no valuable information leaks because of the fact that not specific identity protection procedures are implemented.

It is worth noting that the Base Node systematically discloses its identity, which may allow probing attacks. This may not be a problem as the identity of the server is not supposed to remain secret. On the contrary, users tend to want towhom they will be talking in order to choose the right network to attach to.


Since it was chosen to restrict to a single cryptographic primitive from 128, it appears that it is not

ng to meet the simplicity

If only symmetric cryptography is used, only a weak form of identity protection may be offered, namely, pseudonym management. In other words, the peer and the server agree on pseudonyms that they use to identify each other and usually change them periodically, possibly in a protected way so that an attacker cannot learn

off between allowing for identity) and being vulnerable to

active attacks (in which the attacker forges messages simulating a pseudonym desynchronization). Because pseudonym management adds complexity to the protocol

o be included.

However, PRIME security procedures may trivially provide some protection life" identity of the user being discovered. This

attack can very simply be thwarted, merely by not providing users with an identifier that life identity. It is believed that when an identifier that

life identity is used, no valuable information leaks because of are implemented.

It is worth noting that the Base Node systematically discloses its identity, which may allow probing attacks. This may not be a problem as the identity of the server is not supposed to remain secret. On the contrary, users tend to want to know to whom they will be talking in order to choose the right network to attach to.


6.8 PRIME solutions for smart metering

6.8.1 Landis+Gyr E450

There are many possible communication channels for the E450 smart meter. The optical channel can be used over the IEC62056HDLC and DLMS/COSEM for upper layers. Also the standard RS485 channel can be used but the main one is the PRIME standard through the PLC modem incorporated into the smart meter using DLMS/COSEM for application layer. In this case, a fullcommunication system is implemented following the EN 50065

For further information on this smart meter go to:

The E450 Landihas been designed to cover a wide range of different functions on the smart metering in the future. The E450 communication interfaces are based on the PRIMon the MAC and PHY layers and DLMS/COSEM on the application layer. This fact makes it capable for combining many applications on its infrastructure and making them fully interoperable.

It operates on the 50 Hz +/temperature range from class 2 precision for reactive energy. It also incorporates a high precision clock without need for supply maintenance for up to 6 years.


6.8 PRIME solutions for smart metering

6.8.1 Landis+Gyr E450-PRIME

There are many possible communication channels for the E450 smart meter. The hannel can be used over the IEC62056-21 protocol for the low layers and

HDLC and DLMS/COSEM for upper layers. Also the standard RS485 channel can be used but the main one is the PRIME standard through the PLC modem incorporated into

LMS/COSEM for application layer. In this case, a fullcommunication system is implemented following the EN 50065-1 normative. [41]

For further information on this smart meter go to: www.landisgyr.com

The E450 Landis+Gyr smart meter has been designed to cover a wide range of different functions on the smart metering in

The E450 communication interfaces are based on the PRIME standard on the MAC and PHY layers and DLMS/COSEM on the application layer. This fact makes it capable for combining many applications on its infrastructure and making them fully interoperable.

It operates on the 50 Hz +/- 1% in a -25 to +70ºC with a

class 2 precision for reactive energy. It also incorporates a high precision clock without need for supply maintenance for up to 6


There are many possible communication channels for the E450 smart meter. The 21 protocol for the low layers and

HDLC and DLMS/COSEM for upper layers. Also the standard RS485 channel can be used but the main one is the PRIME standard through the PLC modem incorporated into

LMS/COSEM for application layer. In this case, a full -duplex 1 normative. [41]


6.8.2 ADDM2102 Modem board for PRIME

The ADDM2102 PRIME Modem Board provides a platform to develop a complete PRIME meter. It implements a PRIME certified ADD1021 System on Chip, isolated PLC coupling circuitry and power supply, programminand serial USB connection. The ADDM2102 board is included in ADD Semiconductor development kits, which are provided with a complete implementation of ADD Semiconductor’s certified PRIME software stack.

The ADD1021 is a lowPLC with the PRIME standard for smart metering. It can reach a baud rate up to 128 kbps in the CENELEC A band. It counts with hardware units specifically designed for it such as the 8051 enhanced microcontroller anblock for security implementation. Besides, the optimized Analog Front End (AFE) incorporated to it, allows an outstanding coupling with low cost BOM. All these benefits come as a result that it was specifically designgrid applications.

This PRIME fully digital solution has a very good performance at high temperatures as well as an outstanding performance against noise over the physical channel. Moreover, it presents a high efficiency inconsumption. [43]

Figure 6.9. ADD1021 SoC block diagram [43]

For further information on this ADD PRIME solution go to:


ADDM2102 Modem board for PRIME

The ADDM2102 PRIME Modem Board provides a platform to develop a complete PRIME meter. It implements a PRIME certified ADD1021 System on Chip, isolated PLC coupling circuitry and power supply, programming and debugging mode and serial USB connection. The ADDM2102 board is included in ADD Semiconductor development kits, which are provided with a complete implementation of ADD Semiconductor’s certified PRIME software stack.

The ADD1021 is a low-cost but high efficiency SoC solution for narrowband PLC with the PRIME standard for smart metering. It can reach a baud rate up to 128 kbps in the CENELEC A band. It counts with hardware units specifically designed for it such as the 8051 enhanced microcontroller and the hardware 128-bit AES encryption block for security implementation. Besides, the optimized Analog Front End (AFE) incorporated to it, allows an outstanding coupling with low cost BOM. All these benefits come as a result that it was specifically designed for smart metering and smart

This PRIME fully digital solution has a very good performance at high temperatures as well as an outstanding performance against noise over the physical channel. Moreover, it presents a high efficiency in TX which leads to less power

Figure 6.9. ADD1021 SoC block diagram [43]

For further information on this ADD PRIME solution go to: www.addsemi.com


The ADDM2102 PRIME Modem Board provides a platform to develop a complete PRIME meter. It implements a PRIME certified ADD1021 System on Chip,

g and debugging mode and serial USB connection. The ADDM2102 board is included in ADD Semiconductor development kits, which are provided with a complete implementation of ADD

gh efficiency SoC solution for narrowband PLC with the PRIME standard for smart metering. It can reach a baud rate up to 128 kbps in the CENELEC A band. It counts with hardware units specifically designed for it

bit AES encryption block for security implementation. Besides, the optimized Analog Front End (AFE) incorporated to it, allows an outstanding coupling with low cost BOM. All these

ed for smart metering and smart

This PRIME fully digital solution has a very good performance at high temperatures as well as an outstanding performance against noise over the physical

TX which leads to less power

www.addsemi.com


7. PLC G3

7.1 Introduction

PLC G3 is a PLC OFDM standard of communication system for mpurposes that was developed by ERDF and Maxim. The design of the standard was developed to accomplish the aims of robustness, simplicity, flexibility, security, openness and scalability. The layers stack implemented to fulfill these goals is formedby:

• A robust highadapted to PLC environment• A MAC layer of the IEEE type, well suited to low data rates

• IPv6, the new IP generation and the 6LoWPAN adaptation sublayer taken from the internet world to adapt IPv6 tothe best possible way

• Application layer comprising two broad classes of applications: the metering application based on DLMS/COSEM and the Application ensuring the management of the meter

The following figure gives an overview of the PLCcommunication profile when it is used to implement applications for Automated Meter Management (AMM) with the DLMS/COSEM protocol at the application level.

Figure 7.1. PLC OFDM G3 metering communication profile [22]


PLC G3 is a PLC OFDM standard of communication system for mpurposes that was developed by ERDF and Maxim. The design of the standard was developed to accomplish the aims of robustness, simplicity, flexibility, security, openness and scalability. The layers stack implemented to fulfill these goals is formed

A robust high-performance PHY layer based on OFDM and adapted to PLC environment

A MAC layer of the IEEE type, well suited to low data rates

IPv6, the new IP generation and the 6LoWPAN adaptation sublayer taken from the internet world to adapt IPv6 to the MAC layer at the best possible way

Application layer comprising two broad classes of applications: the metering application based on DLMS/COSEM and the Application ensuring the management of the meter

The following figure gives an overview of the PLC OFDM G3 metering communication profile when it is used to implement applications for Automated Meter Management (AMM) with the DLMS/COSEM protocol at the application level.



PLC G3 is a PLC OFDM standard of communication system for metering purposes that was developed by ERDF and Maxim. The design of the standard was developed to accomplish the aims of robustness, simplicity, flexibility, security, openness and scalability. The layers stack implemented to fulfill these goals is formed

performance PHY layer based on OFDM and

A MAC layer of the IEEE type, well suited to low data rates

IPv6, the new IP generation and the 6LoWPAN adaptation the MAC layer at

Application layer comprising two broad classes of applications: the metering application based on DLMS/COSEM and the Application

OFDM G3 metering communication profile when it is used to implement applications for Automated Meter Management (AMM) with the DLMS/COSEM protocol at the application level.




The PLC G3 works between the 35.9 kHz to 90.6 kHz frequencies of the CENELEC-A band. An OFDM combined with either DBPSK or DQPSK modulation scheme is chosen to reach 33.4 Kbps data rate in normal conditions operation of the system. This makes the design of the receiver circuitry simple because there no need for coherent detection for the carriers phase. Instead of that, adjacent symbol is used for detecting the phase of the carriers of the current symbol.

The system has two possible works modes, nNormal mode, the FEC is composed of a Reed Solomon Encoder, either with 8 or 16 Bytes of parity, and a convolutional encoder. In the Robust mode the FEC is composed of Reed Solomon and convolutional encoders followed by a Rrepeat each bit four times, making the system more robust to channel impairments. In the following figure can be seen a block diagram of the OFDM transceiver: [24]

Figure 7.2. OFDM Block transceiver [24]


verview

The PLC G3 works between the 35.9 kHz to 90.6 kHz frequencies of the A band. An OFDM combined with either DBPSK or DQPSK modulation

scheme is chosen to reach 33.4 Kbps data rate in normal conditions operation of the design of the receiver circuitry simple because there no need for

coherent detection for the carriers phase. Instead of that, adjacent symbol is used for detecting the phase of the carriers of the current symbol.

The system has two possible works modes, named Normal and Robust modes. In Normal mode, the FEC is composed of a Reed Solomon Encoder, either with 8 or 16 Bytes of parity, and a convolutional encoder. In the Robust mode the FEC is composed of Reed Solomon and convolutional encoders followed by a Repetition Code (RC) that repeat each bit four times, making the system more robust to channel impairments. In the following figure can be seen a block diagram of the OFDM transceiver: [24]

Figure 7.2. OFDM Block transceiver [24]


The PLC G3 works between the 35.9 kHz to 90.6 kHz frequencies of the A band. An OFDM combined with either DBPSK or DQPSK modulation

scheme is chosen to reach 33.4 Kbps data rate in normal conditions operation of the design of the receiver circuitry simple because there no need for

coherent detection for the carriers phase. Instead of that, adjacent symbol is used for

amed Normal and Robust modes. In Normal mode, the FEC is composed of a Reed Solomon Encoder, either with 8 or 16 Bytes of parity, and a convolutional encoder. In the Robust mode the FEC is composed

epetition Code (RC) that repeat each bit four times, making the system more robust to channel impairments. In the following figure can be seen a block diagram of the OFDM transceiver: [24]


As seen before, two posswith OFDM. Moreover, also the Robust Mode for protecting the data against a noisy transmission medium may be used when necessary. For these possible modes of system operation, all basic physical paramete

CENELEC A Number of Symbols

12 20 32 40 52 56 112 252

12 20 32 40 52 56 112 252

Bits per frame Bits per frame in Robust mode

Symbols at the output of encoderFFT points

Overlapped samples Cyclic prefix samples

FCH symbols Sampling frequency Symbols in preamble

Frame duration

Figure 7.3. PLC G3 PHY layer parameters [24]


As seen before, two possible modulation schemes may be used in collaboration with OFDM. Moreover, also the Robust Mode for protecting the data against a noisy transmission medium may be used when necessary. For these possible modes of system operation, all basic physical parameters but all are presented in the following chart:

Reed Solomon Blocks DQPSK

Reed Solomon Blocks DBPSK

Out/In Bytes P16 Out/In Bytes P1653/37 26/10 89/73 44/28

143/127 71/55 179/163 89/73 233/217 116/100 251/235 125/109

- 251/235 - -

Data rate (bps) DQPSK P16

Data rate (bps) DBPSK P16

13453 4620 20556 8562 27349 12332 30445 14049 33853 15941 34759 16444

- 20360 - -

1440 Bits per frame in Robust mode 360

Symbols at the output of encoder 104 256 8 30 12

0.4 MHz 9.5

0.043 sec

Figure 7.3. PLC G3 PHY layer parameters [24]


ible modulation schemes may be used in collaboration with OFDM. Moreover, also the Robust Mode for protecting the data against a noisy transmission medium may be used when necessary. For these possible modes of system

rs but all are presented in the following chart:

Reed Solomon

Blocks (Robust) Out/In Bytes P16 Out/In Bytes P8

- - -

21/13 28/20 30/22 62/54

141/133 Data rate (bps)

(Robust) P8 - - -

3192 3765 3867 5002 5765



Two functional blocks composed the MAC layer in PLC G3:

• The MAC Common Part Sublayer (Mcommunication with neighbouring nodes. Its numerous functions are the following:

o Generation of the MAC Protocol Data Units (MAC PDUs) which can be data frames, check frames or beacon frameso Regulation of the CSMA/CA Access Medium metreatment of QoSo Reliable data transfer to the immediate neighbours using ACK mechanism o Encryption in AESvarious Group Session Keys and an Antio PAN selection and addressing of the different nodformat or 16 bits short address used for the LBP protocol of the 6LoWPAN layer

• The MAC Layer Management Entity (MLME) management of the MAC sublayer. The sublayer functions are:

o Active scan of neighbouring nodes when a nodconnect to the network or after the detachment of a node. The EAP protocol whose packets are encapsulated into 6LoWPAN packets is in charge of this processo Management of the MAC level parameters that constitute the MAC Information Baseo Initialization and re[22]

7.4 6LoWPAN Adaptation layer overview

Three functional blocks can be identified within the 6LoWPAN Adaptation Layer:

• The common processing operations blockend communications within PLC PAN. It is based in the 6LoWPAN Information Base and its Routing Table, which contains the 16 bit addresses of neighbor nodes. It has a lot of important functions: Upper levels header compression, fragmentation, generation of the



Two functional blocks composed the MAC layer in PLC G3:

The MAC Common Part Sublayer (MCPS) responsible for communication with neighbouring nodes. Its numerous functions are the

Generation of the MAC Protocol Data Units (MAC PDUs) which can be data frames, check frames or beacon frames

Regulation of the CSMA/CA Access Medium metreatment of QoS

Reliable data transfer to the immediate neighbours using ACK

Encryption in AES-128 CCM* mode with selection among various Group Session Keys and an Anti-Replay mechanism

PAN selection and addressing of the different nodformat or 16 bits short address used for the LBP protocol of the 6LoWPAN layer The MAC Layer Management Entity (MLME)

management of the MAC sublayer. The sublayer functions are:

Active scan of neighbouring nodes when a nodconnect to the network or after the detachment of a node. The EAP protocol whose packets are encapsulated into 6LoWPAN packets is in charge of this process

Management of the MAC level parameters that constitute the MAC Information Base

tialization and re-initialization of the MAC and PHY layers

7.4 6LoWPAN Adaptation layer overview


The common processing operations block. It is responsible for endcommunications within PLC PAN. It is based in the 6LoWPAN Information

Base and its Routing Table, which contains the 16 bit addresses of neighbor nodes. It has a lot of important functions: Upper levels header compression, fragmentation, generation of the 6LoWPAN PDUs, packet reordering, etc


responsible for communication with neighbouring nodes. Its numerous functions are the

Generation of the MAC Protocol Data Units (MAC PDUs) which

Regulation of the CSMA/CA Access Medium method and

Reliable data transfer to the immediate neighbours using ACK

128 CCM* mode with selection among Replay mechanism

PAN selection and addressing of the different nodes using EUI-64 format or 16 bits short address used for the LBP protocol of the

The MAC Layer Management Entity (MLME) responsible for

Active scan of neighbouring nodes when a node is trying to connect to the network or after the detachment of a node. The EAP protocol whose packets are encapsulated into 6LoWPAN packets is in

Management of the MAC level parameters that constitute the

initialization of the MAC and PHY layers


. It is responsible for end-to-communications within PLC PAN. It is based in the 6LoWPAN Information

Base and its Routing Table, which contains the 16 bit addresses of neighbor nodes. It has a lot of important functions: Upper levels header compression,

6LoWPAN PDUs, packet reordering, etc


• The routing functionusing the LOAD protocol, which is a compact version of the AODV protocol adapted to 6LoWPAN• The Security and Initial Configuration function.6LoWPAN Bootstrapping Protocol (LBP) encapsulating the EAP authentication protocol. Its function is an authentication process before the shared keys can be exchanged between the network nodes [22]


The routing function in Mesh mode. It constitutes the routing table using the LOAD protocol, which is a compact version of the AODV protocol adapted to 6LoWPAN

The Security and Initial Configuration function.6LoWPAN Bootstrapping Protocol (LBP) encapsulating the EAP authentication protocol. Its function is an authentication process before the shared keys can be exchanged between the network nodes [22]


in Mesh mode. It constitutes the routing table using the LOAD protocol, which is a compact version of the AODV protocol

The Security and Initial Configuration function. It uses the 6LoWPAN Bootstrapping Protocol (LBP) encapsulating the EAP authentication protocol. Its function is an authentication process before the shared keys can be


7.5 Security on PLC G3

Many security services are provided on the PLC G3 OFDM network, all of them based on the EAP protocol. This protocol is very flexible and supports a wide range of EAP methods for different purposes. Each one of these methods is characterized by its credentials (shared secret, certificate, SIM cards, etc) and by its signature and encryption algorithms.

In the case of PLC G3 the method chosen is EAPFrance Telecom R&D in 2003goals that were taken into account in this method design:

• Simplicity: EAP-Restriction to such a primitive, and in particular, not using asymmetric cryptography like Diffieunderstand and implement while avoiding cryptographic negotiations. It can also be described as lightweight and well suited for any type of device, especially those with little processing power and memory. However, this prevents EAPPSK from offering advanced features such as identity protection, password support, or Perfect Forward Secrecy (PFS). This choice has been deliberately made as a trade-off between simplicity and security. For the sake of simplicity, EAP-PSK has also chosen a fixed mess(TLV) design. • Security: Since the design of authenticated key exchange is notoriously known to be hard and error prone, EAPcryptographic mechanism. It attempts instead to build onprotocols that have been reviewed by the cryptographic

• Extensibility:its protected channel. Thanks to this mechanism, the EAPto provide more sophisticated security services when the need to do so arises. In th3 PLC G3 case, it is easily extensible to the Group Key distribution.• Wide applicability:any network, and in particular over IEEE 802.11 wi

7.5.1 Access Control and Authentication

An End Device (ED) cannot access the network before passing a preliminary Identification and Authentication process. This stage is based on two parameters that characterize every ED:

• A EUI-48 MAC domain address. It may be easily converted into EUI802.15.4 standard published in 2006 and its related documents.


7.5 Security on PLC G3

urity services are provided on the PLC G3 OFDM network, all of them based on the EAP protocol. This protocol is very flexible and supports a wide range of EAP methods for different purposes. Each one of these methods is characterized by its

ared secret, certificate, SIM cards, etc) and by its signature and

In the case of PLC G3 the method chosen is EAP-PSK, which was developed in France Telecom R&D in 2003-2004. It was chosen in order to accomplish the following

that were taken into account in this method design:

-PSK relies on a single cryptographic primitive, AESRestriction to such a primitive, and in particular, not using asymmetric cryptography like Diffie-Hellman key exchange, makes EAPunderstand and implement while avoiding cryptographic negotiations. It can also be described as lightweight and well suited for any type of device, especially those with little processing power and memory. However, this prevents EAP

ering advanced features such as identity protection, password support, or Perfect Forward Secrecy (PFS). This choice has been deliberately

off between simplicity and security. For the sake of simplicity, PSK has also chosen a fixed message format and not a Type

Since the design of authenticated key exchange is notoriously to be hard and error prone, EAP-PSK tries to avoid inventing any new

cryptographic mechanism. It attempts instead to build on existing primitives and protocols that have been reviewed by the cryptographic community.

Extensibility: It provides a mechanism to allow future extensions within its protected channel. Thanks to this mechanism, the EAP-PSK method will be

sophisticated security services when the need to do so arises. In th3 PLC G3 case, it is easily extensible to the Group Key distribution.

Wide applicability: EAP-PSK should be suitable to authenticate over any network, and in particular over IEEE 802.11 wireless LANs. [23]

7.5.1 Access Control and Authentication

An End Device (ED) cannot access the network before passing a preliminary Identification and Authentication process. This stage is based on two parameters that

48 MAC address as defined in [802-2001] considered as a public domain address. It may be easily converted into EUI-64 as required in the 802.15.4 standard published in 2006 and its related documents.


urity services are provided on the PLC G3 OFDM network, all of them based on the EAP protocol. This protocol is very flexible and supports a wide range of EAP methods for different purposes. Each one of these methods is characterized by its

ared secret, certificate, SIM cards, etc) and by its signature and

PSK, which was developed in 2004. It was chosen in order to accomplish the following

PSK relies on a single cryptographic primitive, AES-128. Restriction to such a primitive, and in particular, not using asymmetric

Hellman key exchange, makes EAP-PSK easy to understand and implement while avoiding cryptographic negotiations. It can also be described as lightweight and well suited for any type of device, especially those with little processing power and memory. However, this prevents EAP-

ering advanced features such as identity protection, password support, or Perfect Forward Secrecy (PFS). This choice has been deliberately

off between simplicity and security. For the sake of simplicity, age format and not a Type-Length-Value

Since the design of authenticated key exchange is notoriously PSK tries to avoid inventing any new

existing primitives and community.

It provides a mechanism to allow future extensions within PSK method will be

sophisticated security services when the need to do so arises. In th3 PLC G3 case, it is easily extensible to the Group Key distribution.

PSK should be suitable to authenticate over reless LANs. [23]

An End Device (ED) cannot access the network before passing a preliminary Identification and Authentication process. This stage is based on two parameters that

2001] considered as a public 64 as required in the


• A 128-bit shared secretcredential during the authentication process. It is shared between the ED and the authentication server. The mutual authentication is based on the assumption that the other part knows the PSK. From this PSK the Authentication Key (AK) is derived, a key used only for the purpose of authentication, which makes this part cryptographically independent from other aspects of the EAP protocol.

These Authentication and Identification procedures are activated when an ED restarts and can be also activated at any timso. Embedding the EAP protocol, the 6LoWPAN Bootstrapping Protocol (LBP) carries the related material. These two protocols have been designed to be relayed by intermediate nodes. Then , during the Bootstrappinhave not yet acquired a routable 16Coordinator (aka LBS) they can directly communicate. Otherwise, they must use an intermediate node (aka LBA) located at 1 The LBP protocol has been designed to fit two different authentication architectures:

• The authentication function is directly supported by the LoWPAN Bootstrapping Server (LBS), and in this case all the authentication material (access lists, credentials, etc.) must be loaded in the LBS.

• The authentication function is supported by a remote and centralized Authentication, Authorization and Accounting (AAA) server, and in this case, the LBS is only in charge of forwarding the EAP messages to the Aover a standard AAA protocol.

In this case, the AAA protocol used is Remote Authentication Dial in User Service (RADIUS), an IETF standard whose server is usually a background process running in a UNIX or Windows server. The protocol works on tlevel using UDP and its procedure is simple: the user sends a request to a Remote Access Server (NAS) to gain access to a network using access credentials. After that, the NAS requests access for that user to the RADIUS server includincredentials and the RADIUS server checks the user identity via EAP procedures.

After the EAP procedures, the NAS sends back to the user either one of three possible answers: the Access Accept granting the access for the user, the Access Rejectdenying the user access or the Access Challenge for requesting additional information from the user such as a secondary password or PIN. In response, the user may ask for a reason for the rejection, send a welcome message for the acceptance or send the additional information required. [23] [71] [72]


bit shared secret (aka Pre-Shared Key or PSK) used as a credential during the authentication process. It is shared between the ED and the authentication server. The mutual authentication is based on the assumption that the other part knows the PSK. From this PSK the Authentication Key (AK) is

d only for the purpose of authentication, which makes this part cryptographically independent from other aspects of the EAP protocol.

These Authentication and Identification procedures are activated when an ED restarts and can be also activated at any time if the security policy agreed requires to do so. Embedding the EAP protocol, the 6LoWPAN Bootstrapping Protocol (LBP) carries the related material. These two protocols have been designed to be relayed by intermediate nodes. Then , during the Bootstrapping phase, when an ED (aka LBD) that have not yet acquired a routable 16-bit address, is a 1-hop distance of the PAN Coordinator (aka LBS) they can directly communicate. Otherwise, they must use an intermediate node (aka LBA) located at 1-hop distance of the LBD. [23]

The LBP protocol has been designed to fit two different authentication

The authentication function is directly supported by the LoWPAN Bootstrapping Server (LBS), and in this case all the authentication material

redentials, etc.) must be loaded in the LBS.

The authentication function is supported by a remote and centralized Authentication, Authorization and Accounting (AAA) server, and in this case, the LBS is only in charge of forwarding the EAP messages to the Aover a standard AAA protocol.

In this case, the AAA protocol used is Remote Authentication Dial in User Service (RADIUS), an IETF standard whose server is usually a background process running in a UNIX or Windows server. The protocol works on the application layer level using UDP and its procedure is simple: the user sends a request to a Remote Access Server (NAS) to gain access to a network using access credentials. After that, the NAS requests access for that user to the RADIUS server includincredentials and the RADIUS server checks the user identity via EAP procedures.

After the EAP procedures, the NAS sends back to the user either one of three possible answers: the Access Accept granting the access for the user, the Access Rejectdenying the user access or the Access Challenge for requesting additional information from the user such as a secondary password or PIN. In response, the user may ask for a reason for the rejection, send a welcome message for the acceptance or send the

ditional information required. [23] [71] [72]


Shared Key or PSK) used as a credential during the authentication process. It is shared between the ED and the authentication server. The mutual authentication is based on the assumption that the other part knows the PSK. From this PSK the Authentication Key (AK) is

d only for the purpose of authentication, which makes this part cryptographically independent from other aspects of the EAP protocol.

These Authentication and Identification procedures are activated when an ED e if the security policy agreed requires to do

so. Embedding the EAP protocol, the 6LoWPAN Bootstrapping Protocol (LBP) carries the related material. These two protocols have been designed to be relayed by

g phase, when an ED (aka LBD) that hop distance of the PAN

Coordinator (aka LBS) they can directly communicate. Otherwise, they must use an LBD. [23]

The LBP protocol has been designed to fit two different authentication

The authentication function is directly supported by the LoWPAN Bootstrapping Server (LBS), and in this case all the authentication material

The authentication function is supported by a remote and centralized Authentication, Authorization and Accounting (AAA) server, and in this case, the LBS is only in charge of forwarding the EAP messages to the AAA server

In this case, the AAA protocol used is Remote Authentication Dial in User Service (RADIUS), an IETF standard whose server is usually a background process

he application layer level using UDP and its procedure is simple: the user sends a request to a Remote Access Server (NAS) to gain access to a network using access credentials. After that, the NAS requests access for that user to the RADIUS server including the user credentials and the RADIUS server checks the user identity via EAP procedures.

After the EAP procedures, the NAS sends back to the user either one of three possible answers: the Access Accept granting the access for the user, the Access Reject denying the user access or the Access Challenge for requesting additional information from the user such as a secondary password or PIN. In response, the user may ask for a reason for the rejection, send a welcome message for the acceptance or send the


Figure 7.4. RADIUS Authentication procedure [103]

7.5.2 Bootstrapping procedure

At the beginning of the Bootstrapping procedure, an ED (aka LoWPAN Bootstrapping Device or LBD) must launch an active channecan start an active scan by invoking the ADPMDISCOVERY. request primitive, and specifying the duration of the scan. The adaptation layer then invokes the MLMESCAN.request primitive of the MAC layer specifying the same parameters.

The LBD sends a 1Device in the Neighborhood should reply by sending a Beacon frame with its PAN identifier, short address and capabilities.

Upon completion, the MAC layer issues a MLMEwith the list of existing PAN in the PANDescriptorList parameter. In response, the adaptation layer generates an ADPMthe PANDescriptorList parameter provided by the MAC layer.

At the end of the scan,quality, association permit, PAN identifier and short address (according to a round robin algorithm). It may be either the PAN coordinator that play the role of LoWPAN Bootstrapping Server (LBS) or a


Figure 7.4. RADIUS Authentication procedure [103]

7.5.2 Bootstrapping procedure

At the beginning of the Bootstrapping procedure, an ED (aka LoWPAN Bootstrapping Device or LBD) must launch an active channel scan. The higher layer can start an active scan by invoking the ADPMDISCOVERY. request primitive, and specifying the duration of the scan. The adaptation layer then invokes the MLMESCAN.request primitive of the MAC layer specifying the same parameters.

The LBD sends a 1-hop broadcast Beacon.request frame and any Full Feature Device in the Neighborhood should reply by sending a Beacon frame with its PAN identifier, short address and capabilities.

Upon completion, the MAC layer issues a MLME-SCAN.confirmwith the list of existing PAN in the PANDescriptorList parameter. In response, the adaptation layer generates an ADPM-DISCOVERY.confirm primitive which contains the PANDescriptorList parameter provided by the MAC layer.

At the end of the scan, the LBD selects one of the Beacon senders based on link quality, association permit, PAN identifier and short address (according to a round robin algorithm). It may be either the PAN coordinator that play the role of LoWPAN Bootstrapping Server (LBS) or another FFD. In the latter case, the FFD (aka LoWPAN


At the beginning of the Bootstrapping procedure, an ED (aka LoWPAN l scan. The higher layer

can start an active scan by invoking the ADPMDISCOVERY. request primitive, and specifying the duration of the scan. The adaptation layer then invokes the MLME-SCAN.request primitive of the MAC layer specifying the same parameters.

hop broadcast Beacon.request frame and any Full Feature Device in the Neighborhood should reply by sending a Beacon frame with its PAN

SCAN.confirm primitive, with the list of existing PAN in the PANDescriptorList parameter. In response, the

DISCOVERY.confirm primitive which contains

the LBD selects one of the Beacon senders based on link quality, association permit, PAN identifier and short address (according to a round robin algorithm). It may be either the PAN coordinator that play the role of LoWPAN

nother FFD. In the latter case, the FFD (aka LoWPAN


Bootstrapping Agent or LBA) is in charge of relaying the LoWPAN Bootstrapping Protocol (LBP) frames between the LBA and the LBS.

Then, the LBD sends an LBP JOINING frame to the LBA. This frame includes afield that carries the EUI-64 address of the joining LBD. When received by the LBA, this frame is relayed by the LBA to the LBS. The LBA is supposed fully bootstrapped with the full capability to directly transmit any message to the LBS in a secure way. Asoon as the LBS gets the message, the EUIand two possibilities follow it: the address does not fit the list and a LBP DECLINE message is sent back to the LBA. On the contrary, if the address fits the list and LCHALLENGE message is sent back embedding an EAP.Request message asking for further data for identification. [23]

7.5.3 Authentication and Key distribution phase

This phase is totally dependent of the EAP method used. In the case of EAPPSK, methods are ordinary based on two round

• The first one is for mutual Authentication and initial exchange of ciphering material • The second one for mutual control of session keys derivation

At the end of the process, the LBD should be provided with difkeys:

• Unicast session keysmessages • Group session keysthat have passed through the authentication stage. Its usage is for encryption and decryption of every MAC frame travelling in the PAN. For the security of the network these keys are refreshed not only timely but every time that a node is detached from the network.

• More specific keysApplication layer


Bootstrapping Agent or LBA) is in charge of relaying the LoWPAN Bootstrapping Protocol (LBP) frames between the LBA and the LBS.

Then, the LBD sends an LBP JOINING frame to the LBA. This frame includes a64 address of the joining LBD. When received by the LBA,

this frame is relayed by the LBA to the LBS. The LBA is supposed fully bootstrapped with the full capability to directly transmit any message to the LBS in a secure way. Asoon as the LBS gets the message, the EUI-64 is compared with an Access Control list and two possibilities follow it: the address does not fit the list and a LBP DECLINE message is sent back to the LBA. On the contrary, if the address fits the list and LCHALLENGE message is sent back embedding an EAP.Request message asking for further data for identification. [23]

7.5.3 Authentication and Key distribution phase

This phase is totally dependent of the EAP method used. In the case of EAPe ordinary based on two round-trip exchanges:

The first one is for mutual Authentication and initial exchange of

The second one for mutual control of session keys derivation

At the end of the process, the LBD should be provided with dif

Unicast session keys that are timely refreshed for security of EAP

Group session keys for the PAN security, which are shared by all nodes that have passed through the authentication stage. Its usage is for encryption and

ryption of every MAC frame travelling in the PAN. For the security of the network these keys are refreshed not only timely but every time that a node is detached from the network.

More specific keys to provide security on higher levels such as the


Bootstrapping Agent or LBA) is in charge of relaying the LoWPAN Bootstrapping

Then, the LBD sends an LBP JOINING frame to the LBA. This frame includes a 64 address of the joining LBD. When received by the LBA,

this frame is relayed by the LBA to the LBS. The LBA is supposed fully bootstrapped with the full capability to directly transmit any message to the LBS in a secure way. As

64 is compared with an Access Control list and two possibilities follow it: the address does not fit the list and a LBP DECLINE message is sent back to the LBA. On the contrary, if the address fits the list and LBP CHALLENGE message is sent back embedding an EAP.Request message asking for

This phase is totally dependent of the EAP method used. In the case of EAP-

The first one is for mutual Authentication and initial exchange of

The second one for mutual control of session keys derivation

At the end of the process, the LBD should be provided with different groups of

that are timely refreshed for security of EAP

for the PAN security, which are shared by all nodes that have passed through the authentication stage. Its usage is for encryption and

ryption of every MAC frame travelling in the PAN. For the security of the network these keys are refreshed not only timely but every time that a node is

to provide security on higher levels such as the


7.5.4 Authorization and initial configuration phase

After the authentication and key distribution phase there are two possible scenarios that may occur:

• The process does not reach completion and an LBP DECLINE message is sent back by the L• The process is completed and the LBS selects a 16sends back an LBP ACCEPTED message, embedding an EAP.success message and the LBD activates the GMK key. A second LBP ACCEPTED messsent by the LBS embedding the address and various parameters. Now, the LDB owns all necessary session keys and can transmit messages securely end[23]

Figure 7.5. LBP and EAP Relaying capabilities [23]


7.5.4 Authorization and initial configuration phase

After the authentication and key distribution phase there are two possible

The process does not reach completion and an LBP DECLINE message is sent back by the LBS embedding an EAP.failure message reaching the LBD.

The process is completed and the LBS selects a 16-bit short address and sends back an LBP ACCEPTED message, embedding an EAP.success message and the LBD activates the GMK key. A second LBP ACCEPTED messsent by the LBS embedding the address and various parameters. Now, the LDB owns all necessary session keys and can transmit messages securely end

Figure 7.5. LBP and EAP Relaying capabilities [23]


After the authentication and key distribution phase there are two possible

The process does not reach completion and an LBP DECLINE message BS embedding an EAP.failure message reaching the LBD.

bit short address and sends back an LBP ACCEPTED message, embedding an EAP.success message and the LBD activates the GMK key. A second LBP ACCEPTED message is sent by the LBS embedding the address and various parameters. Now, the LDB owns all necessary session keys and can transmit messages securely end-to-end.


7.5.5 Confidentiality and Integrity

Confidentiality and Integrity services are implemented differently depending on the level:

• At MAC level:using a CCM* type of ciphering, in exception of control frames used during the Bootstrapping procesreceive a Group Master Key (GMK) securely using the EAPChannel. • At EAP-PSK level:provides Confidentiality and Integrity services to the mebetween the EAP server and any peer. [23]

Figure 7.6. Confidentiality at MAC and EAP


7.5.5 Confidentiality and Integrity

Confidentiality and Integrity services are implemented differently depending on

At MAC level: All frames are encrypted and decrypted at every hop using a CCM* type of ciphering, in exception of control frames used during the Bootstrapping process. In order to support this service all nodes in the network receive a Group Master Key (GMK) securely using the EAP

PSK level: The EAP-PSK Protected Channel (PCHANNEL) provides Confidentiality and Integrity services to the messages exchanged between the EAP server and any peer. [23]

Figure 7.6. Confidentiality at MAC and EAP-PSK levels [23]


Confidentiality and Integrity services are implemented differently depending on

All frames are encrypted and decrypted at every hop using a CCM* type of ciphering, in exception of control frames used during the

s. In order to support this service all nodes in the network receive a Group Master Key (GMK) securely using the EAP-PSK Protected

PSK Protected Channel (PCHANNEL) ssages exchanged

PSK levels [23]


7.5.6 Cryptographic design of EAP

EAP-PSK uses three cryptographic parts:

• A key setup(KDK) from PSK. • An authenticated key exchange protocolcommunicating parties and derive session keys• A protected channel protocolauthenticated parties [23]

7.5.7 Key Setup

During the key setup AK and KDK are derived from the PSK using the modified counter mode of operation of AESincreasing function that expands one AESt≥2. This operation is done just once immediately after the PSK has been provisioned. As soon as the derivation is done, the PSK should be securely deleted. [23]

7.5.8 The Authenticated Key Exchange

The authentication protocol used by EAPconsists in a one-and-a-half round trip exchange as the following:

Figure 7.7. AKEP2 round trip exchange [28]

EAP-PSK instantiates this protocol with:

• The server as A and the peer as B• na and nb as 16.byte random numbers RAND_S and RAND_P

• A and B as their


7.5.6 Cryptographic design of EAP-PSK

PSK uses three cryptographic parts:

A key setup to derive Authentication Key (AK) and Key

An authenticated key exchange protocol to mutually authenticate the communicating parties and derive session keys

A protected channel protocol for communication between the mutually authenticated parties [23]

During the key setup AK and KDK are derived from the PSK using the modified counter mode of operation of AES-128. The modified counter mode is a length increasing function that expands one AES-128 block into a longer t-block output where

n is done just once immediately after the PSK has been provisioned. As soon as the derivation is done, the PSK should be securely deleted. [23]

7.5.8 The Authenticated Key Exchange

The authentication protocol used by EAP-PSK is inspired by AKEP2 that half round trip exchange as the following:

Figure 7.7. AKEP2 round trip exchange [28]

PSK instantiates this protocol with:

The server as A and the peer as B as 16.byte random numbers RAND_S and RAND_P

A and B as their respective NAIs ID_S and ID_P


to derive Authentication Key (AK) and Key-Derivation Key

to mutually authenticate the

for communication between the mutually

During the key setup AK and KDK are derived from the PSK using the modified 128. The modified counter mode is a length

block output where n is done just once immediately after the PSK has been provisioned.

As soon as the derivation is done, the PSK should be securely deleted. [23]

PSK is inspired by AKEP2 that

as 16.byte random numbers RAND_S and RAND_P


• The MAC algorithm as CMAC with AEStag length of 16 bytes

• The modified counter mode of operation of AESderive session keys as a result of the exchange [28]

7.5.9 Protected Chann

EAP-PSK provides a protected channel using EAX mode of operation for mutual authenticated parties to communicate over. It is used to exchange protected result indications and may have further usages in the future. Figure 7.8 shows how EAX is used to implement the protected channel (PCHANNEL). It encrypts a Plain Text Payload up to 960 bytes and provides replay protection.

In the PCHANNEL, AESused to provide cryptographic security to the encryption and as well as protection replay. The header H consists of the first 22 bytes of the EAP request or response packet and the Tag is a MAC that protects both the header and the payload.

The 2-bit R flag of the PCHANNEL field is sent iEAP-PSK messages and it us used to provide result indications. Since it is communicated over the protected channel it is encrypted, integrityprotected against replays. It can take three possible values: 01 to to mean DONE_SUCCESS or 11 to mean DONE_FAILURE. Both the peer and the server remember about both values of R that have sent and they have received, and this conjuction indicates either the success or failure of the maintained EAP[23]

7.5.10 Key Hierarchy

The EAP-PSK method based on the EAP specification defines a key hierarchy as the following: Pre-Shared Key (PSK): This Key is shared between the EAP peer and the EAP server and it is assumed that they are the only ones thadistribution the security properties are reduced as in all other symmetric key methods. The protocol also assumes that both the server and the peer identify the correct PSK to use with each other thanks to their respectivmost one PSK shared between a server using a given server NAI and a peer using a given peer NAI.


The MAC algorithm as CMAC with AES-128 using AK and producing a tag length of 16 bytes

The modified counter mode of operation of AES-128 using KDK, to derive session keys as a result of the exchange [28]

7.5.9 Protected Channel

PSK provides a protected channel using EAX mode of operation for mutual authenticated parties to communicate over. It is used to exchange protected result indications and may have further usages in the future. Figure 7.8 shows how EAX

plement the protected channel (PCHANNEL). It encrypts a Plain Text Payload up to 960 bytes and provides replay protection.

In the PCHANNEL, AES-128 is encrypted with the TEK key. The nonce N is used to provide cryptographic security to the encryption and data origin authentication as well as protection replay. The header H consists of the first 22 bytes of the EAP request or response packet and the Tag is a MAC that protects both the header and the

bit R flag of the PCHANNEL field is sent in the third and fourth types of PSK messages and it us used to provide result indications. Since it is

communicated over the protected channel it is encrypted, integrityprotected against replays. It can take three possible values: 01 to mean CONTINUE, 10 to mean DONE_SUCCESS or 11 to mean DONE_FAILURE. Both the peer and the server remember about both values of R that have sent and they have received, and this conjuction indicates either the success or failure of the maintained EAP

PSK method based on the EAP specification defines a key hierarchy

: This Key is shared between the EAP peer and the EAP server and it is assumed that they are the only ones that know it, because if it has wider distribution the security properties are reduced as in all other symmetric key methods. The protocol also assumes that both the server and the peer identify the correct PSK to use with each other thanks to their respective NAIs, which means that there must be at most one PSK shared between a server using a given server NAI and a peer using a


128 using AK and producing a

128 using KDK, to

PSK provides a protected channel using EAX mode of operation for mutual authenticated parties to communicate over. It is used to exchange protected result indications and may have further usages in the future. Figure 7.8 shows how EAX

plement the protected channel (PCHANNEL). It encrypts a Plain Text

128 is encrypted with the TEK key. The nonce N is data origin authentication

as well as protection replay. The header H consists of the first 22 bytes of the EAP request or response packet and the Tag is a MAC that protects both the header and the

n the third and fourth types of PSK messages and it us used to provide result indications. Since it is

communicated over the protected channel it is encrypted, integrity-protected and mean CONTINUE, 10

to mean DONE_SUCCESS or 11 to mean DONE_FAILURE. Both the peer and the server remember about both values of R that have sent and they have received, and this conjuction indicates either the success or failure of the maintained EAP-PSK dialog.

PSK method based on the EAP specification defines a key hierarchy

: This Key is shared between the EAP peer and the EAP server t know it, because if it has wider

distribution the security properties are reduced as in all other symmetric key methods. The protocol also assumes that both the server and the peer identify the correct PSK to

e NAIs, which means that there must be at most one PSK shared between a server using a given server NAI and a peer using a


This key is used to derive two 16the Authentication Key (AK) and done only once during the called key setup.

Authentication Key (AK)EAP server. It is a static longrespective NAIs the peer and the server identify the correct AK to use, which means, as well as with the previous key, that there must be only one AK shared between an EAP server and an EAP peer given their NAIs. The EAP peer chooses the AK to use based on the first EAP-PSK message sent and it includes it on the second EAP

Key-Derivation Key (KDK)the EAP peer and the EAP server, named TEK, MSK and EMSK. It is a static longlived key derived from PSK. As well as with previous keys, there must be only one KDK shared between peer and server using their given NAIs. As it was done with the AK it is chosen from the first EAPmessage.

Transient EAP Key (TEK)during authentication and the KDK. Its use is to implement a protected channel for both mutually authenticated parties to communicate over securely. EAPbit TEK in collaboration wi

Master Session Key (MSK)during authentication and the KDK. It is a 512the application level.

Extended Master Session Key (EMSK)exchange during authentication and the KDK. As well as MSK, the EMSK is a 512key. It is included on the EAPnot be generated. [23] [68] [69]


This key is used to derive two 16-byte (128 bits) static long-lived subkeys called the Authentication Key (AK) and the Key-Derivation Key (KDK). This derivation is done only once during the called key setup.

Authentication Key (AK) : It is used to mutually authenticate the EAP peer and the EAP server. It is a static long-lived key derived from the PSK. Thanks to their espective NAIs the peer and the server identify the correct AK to use, which means, as

well as with the previous key, that there must be only one AK shared between an EAP server and an EAP peer given their NAIs. The EAP peer chooses the AK to use based

PSK message sent and it includes it on the second EAP

Derivation Key (KDK) : This key is used to derive session keys shared between the EAP peer and the EAP server, named TEK, MSK and EMSK. It is a static long

d from PSK. As well as with previous keys, there must be only one KDK shared between peer and server using their given NAIs. As it was done with the AK it is chosen from the first EAP-PSK message and included in the second EAP

y (TEK) : This key is derived from a random number exchange during authentication and the KDK. Its use is to implement a protected channel for both mutually authenticated parties to communicate over securely. EAP-PSK uses the 128bit TEK in collaboration with AES-128 in EAX mode of operation as a cipher suite.

Master Session Key (MSK): This key is also derived from a random number exchange during authentication and the KDK. It is a 512-bit key to be used to provide security at

Master Session Key (EMSK): This key is derived from a random number exchange during authentication and the KDK. As well as MSK, the EMSK is a 512key. It is included on the EAP-PSK protocol but not used on OFDM CPL so it might

68] [69]


lived subkeys called Derivation Key (KDK). This derivation is

: It is used to mutually authenticate the EAP peer and the lived key derived from the PSK. Thanks to their

espective NAIs the peer and the server identify the correct AK to use, which means, as well as with the previous key, that there must be only one AK shared between an EAP server and an EAP peer given their NAIs. The EAP peer chooses the AK to use based

PSK message sent and it includes it on the second EAP-PSK message.

: This key is used to derive session keys shared between the EAP peer and the EAP server, named TEK, MSK and EMSK. It is a static long-

d from PSK. As well as with previous keys, there must be only one KDK shared between peer and server using their given NAIs. As it was done with the

PSK message and included in the second EAP-PSK

: This key is derived from a random number exchange during authentication and the KDK. Its use is to implement a protected channel for both

PSK uses the 128-128 in EAX mode of operation as a cipher suite.

: This key is also derived from a random number exchange bit key to be used to provide security at

: This key is derived from a random number exchange during authentication and the KDK. As well as MSK, the EMSK is a 512-bit

PSK protocol but not used on OFDM CPL so it might


In the following figure an overview of the Key Hierarchy of the protocol is shown, with the derivation process, the EAPprocess:

Figure 7.8. EAP


In the following figure an overview of the Key Hierarchy of the protocol is shown, with the derivation process, the EAP-PSK message flow and the key exchange

Figure 7.8. EAP-PSK Key Hierarchy overview [23]


In the following figure an overview of the Key Hierarchy of the protocol is PSK message flow and the key exchange


7.5.11 Group Master Key distribution

The 128-bit GMK is generated by the EAP server and then, securely and individually delivered to the EAP peers via the PCHANNEL. It is assumed being random and its generation is considered as purely implementation dependant. It is distributed in two scenarios: during the bootstrapping process as a regular extension to EAP-PSK message 3 or during the rePSK message 5. Its lifetime is rather long (several 10s years) due to the 4 byte counterincluded in the nonce. The procedure with is dependent on each side:

• Peer side procedure:key in its respective slot and starts ciphering the messages with it as soon as it receives an EAP Success message.• Server side procedure:new GMK and transmits a LBP Challenge message that contains it coupled with the preceding one to every formerly authenticated peer expecting for the success confirmation response of ev


Master Key distribution

bit GMK is generated by the EAP server and then, securely and individually delivered to the EAP peers via the PCHANNEL. It is assumed being random and its generation is considered as purely implementation dependant. It is istributed in two scenarios: during the bootstrapping process as a regular extension to

PSK message 3 or during the re-keying process as a regular extension to EAPPSK message 5. Its lifetime is rather long (several 10s years) due to the 4 byte counterincluded in the nonce. The procedure with is dependent on each side:

Peer side procedure: When a peer receives a new GMK it installs the key in its respective slot and starts ciphering the messages with it as soon as it receives an EAP Success message.

Server side procedure: In case of re-keying, the EAP server generates a new GMK and transmits a LBP Challenge message that contains it coupled with the preceding one to every formerly authenticated peer expecting for the success confirmation response of every peer. [23]


bit GMK is generated by the EAP server and then, securely and individually delivered to the EAP peers via the PCHANNEL. It is assumed being random and its generation is considered as purely implementation dependant. It is istributed in two scenarios: during the bootstrapping process as a regular extension to

keying process as a regular extension to EAP-PSK message 5. Its lifetime is rather long (several 10s years) due to the 4 byte counter

When a peer receives a new GMK it installs the key in its respective slot and starts ciphering the messages with it as soon as it

keying, the EAP server generates a new GMK and transmits a LBP Challenge message that contains it coupled with the preceding one to every formerly authenticated peer expecting for the success


7.6 Possible attacks to PLC G3


Denial of Service (DoS) resistance has not been a design goal for EAPTherefore, it is recommended that EAPinterleaved in its dialog to prevent potential DoS attacks. Indeed, since EAP notifications are not integrity protected, they can easily be spoofed by an attacker. Such an attacker could force a peer that allows EAP notifications to engage in a discussion that would delay his or her authentication or result in the peer taking unexpected actions.

It is up to the implementation of EAPspecify the maximum number of failed cryptographic checks that are allowed. Anyway, for the sake of simplicity and denialinclude any error messages. Hence, an invalid EAPAlthough this makes interoperability testing and debugging harder, this leads to simpler implementations and does not open any venue for denial

7.6.2 Exposition of the PSK

EAP-PSK does not provide Perfect Forward Secrecy. Compromise of the PSK leads to compromise of recorded past sessions, consequently, if this caccomplished, this may enable an attacker to impersonate the peer and the server: compromise of the PSK leads to full compromise of future sessions.

EAP-PSK provides no protection against a legitimate peer sharing its PSK with a third party. Such protection may be provided by appropriate repositories for the PSK. The PSK used by EAPand the server. In particular, this PSK must not be shared by a group of peers communicating with the sam

The PSK used by EAPused by other protocols, otherwise the security of EAPa rule of thumb in cryptography to use different keys for different applications. [68] [69


Since it was chosen to restrict to a single cryptographic primitive from symmetric cryptography, namely, the block cipher AES


7.6 Possible attacks to PLC G3


Denial of Service (DoS) resistance has not been a design goal for EAPTherefore, it is recommended that EAP-PSK not allow EAP notifications to be

erleaved in its dialog to prevent potential DoS attacks. Indeed, since EAP notifications are not integrity protected, they can easily be spoofed by an attacker. Such an attacker could force a peer that allows EAP notifications to engage in a discussion

t would delay his or her authentication or result in the peer taking unexpected

It is up to the implementation of EAP-PSK or to the peer and the server to specify the maximum number of failed cryptographic checks that are allowed. Anyway,

sake of simplicity and denial-of-service resilience, EAP-PSK has chosen not to include any error messages. Hence, an invalid EAP-PSK message is silently discarded. Although this makes interoperability testing and debugging harder, this leads to simpler mplementations and does not open any venue for denial-of-service attacks. [68] [69]

7.6.2 Exposition of the PSK

PSK does not provide Perfect Forward Secrecy. Compromise of the PSK leads to compromise of recorded past sessions, consequently, if this compromise is not accomplished, this may enable an attacker to impersonate the peer and the server: compromise of the PSK leads to full compromise of future sessions.

PSK provides no protection against a legitimate peer sharing its PSK ty. Such protection may be provided by appropriate repositories for the

PSK. The PSK used by EAP-PSK must only be shared between two parties: the peer and the server. In particular, this PSK must not be shared by a group of peers communicating with the same server.

The PSK used by EAP-PSK must be cryptographically separated from keys used by other protocols, otherwise the security of EAP-PSK may be compromised. It is a rule of thumb in cryptography to use different keys for different applications. [68] [69


Since it was chosen to restrict to a single cryptographic primitive from symmetric cryptography, namely, the block cipher AES-128, it appears that it is not


Denial of Service (DoS) resistance has not been a design goal for EAP-PSK. PSK not allow EAP notifications to be

erleaved in its dialog to prevent potential DoS attacks. Indeed, since EAP notifications are not integrity protected, they can easily be spoofed by an attacker. Such an attacker could force a peer that allows EAP notifications to engage in a discussion

t would delay his or her authentication or result in the peer taking unexpected

PSK or to the peer and the server to specify the maximum number of failed cryptographic checks that are allowed. Anyway,

PSK has chosen not to PSK message is silently discarded.

Although this makes interoperability testing and debugging harder, this leads to simpler service attacks. [68] [69]

PSK does not provide Perfect Forward Secrecy. Compromise of the PSK ompromise is not

accomplished, this may enable an attacker to impersonate the peer and the server:

PSK provides no protection against a legitimate peer sharing its PSK ty. Such protection may be provided by appropriate repositories for the

PSK must only be shared between two parties: the peer and the server. In particular, this PSK must not be shared by a group of peers

PSK must be cryptographically separated from keys PSK may be compromised. It is

a rule of thumb in cryptography to use different keys for different applications. [68] [69]

Since it was chosen to restrict to a single cryptographic primitive from 128, it appears that it is not


possible to provide reasonable identity protection without failing togoal.

If only symmetric cryptography is used, only a weak form of identity protection may be offered, namely, pseudonym management. In other words, the peer and the server agree on pseudonyms that they use to identify each other and uchange them periodically, possibly in a protected way so that an attacker cannot learn new pseudonyms before they are used.

With pseudonym management, there is a tradepseudonym resynchronization (thanks to a permanent idenactive attacks (in which the attacker forges messages simulating a pseudonym desynchronization). Because pseudonym management adds complexity to the protocol and implies this unsatisfactory tradeEAP-PSK.

However, EAP-PSK may trivially provide some protection when the concern is to avoid the "real-life" identity of the user being discovered. EAPsimply thwart this attack, merely by not providing users with a NAI trecovery of their real-life identity. It is believed that when a NAI that is not correlated to a real-life identity is used, no valuable information leaks because of the EAP method.

It is worth noting that the server systematically disclosmay allow probing attacks. This may not be a problem as the identity of the server is not supposed to remain secret. On the contrary, users tend to want to know to whom they will be talking in order to choose the right network to at

7.6.4 Packet modification attacks

While EAP methods may support perintegrity, and replay protection, support is not provided within the EAP layer.

Since the Identifier is only a single octet, it is attacker to successfully inject or replay EAP packets. An attacker may also modify EAP headers (Code, Identifier, Length, Type) within EAP packets where the header is unprotected. This could cause packets to be inappropriately di

To protect EAP packets against modification, spoofing, or replay, methods supporting protected ciphersuite negotiation, mutual authentication, and key derivation, as well as integrity and replay protection, are recommended.

Method-specific MICs may be used to provide protection. If a peris employed within an EAP method, then peers, authentication servers, and authenticators not operating in pass


possible to provide reasonable identity protection without failing to meet the simplicity

If only symmetric cryptography is used, only a weak form of identity protection may be offered, namely, pseudonym management. In other words, the peer and the server agree on pseudonyms that they use to identify each other and uchange them periodically, possibly in a protected way so that an attacker cannot learn new pseudonyms before they are used.

With pseudonym management, there is a trade-off between allowing for pseudonym resynchronization (thanks to a permanent identity) and being vulnerable to active attacks (in which the attacker forges messages simulating a pseudonym desynchronization). Because pseudonym management adds complexity to the protocol and implies this unsatisfactory trade-off, it was decided not to include this feature in

PSK may trivially provide some protection when the concern life" identity of the user being discovered. EAP

simply thwart this attack, merely by not providing users with a NAI tlife identity. It is believed that when a NAI that is not correlated to

life identity is used, no valuable information leaks because of the EAP method.

It is worth noting that the server systematically discloses its identity, which may allow probing attacks. This may not be a problem as the identity of the server is not supposed to remain secret. On the contrary, users tend to want to know to whom they will be talking in order to choose the right network to attach to. [68] [69]

7.6.4 Packet modification attacks

While EAP methods may support per-packet data origin authentication, integrity, and replay protection, support is not provided within the EAP layer.

Since the Identifier is only a single octet, it is easy to guess, allowing an attacker to successfully inject or replay EAP packets. An attacker may also modify EAP headers (Code, Identifier, Length, Type) within EAP packets where the header is unprotected. This could cause packets to be inappropriately discarded or misinterpreted.

To protect EAP packets against modification, spoofing, or replay, methods supporting protected ciphersuite negotiation, mutual authentication, and key derivation, as well as integrity and replay protection, are recommended.

specific MICs may be used to provide protection. If a peris employed within an EAP method, then peers, authentication servers, and authenticators not operating in pass-through mode must validate the MIC. MIC


meet the simplicity

If only symmetric cryptography is used, only a weak form of identity protection may be offered, namely, pseudonym management. In other words, the peer and the server agree on pseudonyms that they use to identify each other and usually change them periodically, possibly in a protected way so that an attacker cannot learn

off between allowing for tity) and being vulnerable to

active attacks (in which the attacker forges messages simulating a pseudonym desynchronization). Because pseudonym management adds complexity to the protocol

lude this feature in

PSK may trivially provide some protection when the concern life" identity of the user being discovered. EAP-PSK can very

simply thwart this attack, merely by not providing users with a NAI that allows easy life identity. It is believed that when a NAI that is not correlated to

life identity is used, no valuable information leaks because of the EAP method.

es its identity, which may allow probing attacks. This may not be a problem as the identity of the server is not supposed to remain secret. On the contrary, users tend to want to know to whom

tach to. [68] [69]

packet data origin authentication, integrity, and replay protection, support is not provided within the EAP layer.

easy to guess, allowing an attacker to successfully inject or replay EAP packets. An attacker may also modify EAP headers (Code, Identifier, Length, Type) within EAP packets where the header is

scarded or misinterpreted.

To protect EAP packets against modification, spoofing, or replay, methods supporting protected ciphersuite negotiation, mutual authentication, and key derivation,

specific MICs may be used to provide protection. If a per-packet MIC is employed within an EAP method, then peers, authentication servers, and

through mode must validate the MIC. MIC


validation failures should be lofatal error or not is determined by the EAP method specification.

It is recommended that methods providing integrity protection of EAP packets include coverage of all the EAP header fields, including Type, and Type-Data fields. Additionally, since EAP messages of Types Identity, Notification, and Nak do not include their own MIC, it may be desirable for the EAP method MIC to cover information contained within these messageheader of each EAP message. [68] [69]

7.6.5 Weak ciphersuites

If after the initial EAP authentication, data packets are sent without perauthentication, integrity, and replay protection, an attacker with access to the media can inject packets, flip bits within existing packets, replay packets, or even hijack the session completely. Without perpackets.

To protect against data modification, spoofing, or snooping, it is recommended that EAP methods supporting mutual authentication and key derivation be used, along with lower layers providing perintegrity, and replay protection.

Additionally, if the lower layer performs ciphersuite negotiatunderstood that EAP does not provide by itself integrity protection of that negotiation. Therefore, in order to avoid downgrading attacks which would lead to weaker ciphersuites being used, clients implementing lower layer ciphersuite negprotect against negotiation downgrading. [68] [69]

7.6.6 Separation of authenticator and backend authentication server

In the case where the authenticator and authentication server reside on different machines, there are several implicati

• Authentication will occur between the peer and the authentication server, not between the peer and the authenticator. This means that it is not possible for the peer to validate the identity of the authenticator that it is speaking to, usalone. • The authenticator is dependent on the AAA protocol in order to know the outcome of an authentication conversation, and does not look at the encapsulated EAP packet to determine the outcome. In practice, this implies that


validation failures should be logged. Whether a MIC validation failure is considered a fatal error or not is determined by the EAP method specification.

It is recommended that methods providing integrity protection of EAP packets include coverage of all the EAP header fields, including the Code, Identifier, Length,

Data fields. Additionally, since EAP messages of Types Identity, Notification, and Nak do not include their own MIC, it may be desirable for the EAP method MIC to cover information contained within these messages, as well as the header of each EAP message. [68] [69]

7.6.5 Weak ciphersuites

If after the initial EAP authentication, data packets are sent without perauthentication, integrity, and replay protection, an attacker with access to the media can nject packets, flip bits within existing packets, replay packets, or even hijack the

session completely. Without per-packet confidentiality, it is possible to snoop data

To protect against data modification, spoofing, or snooping, it is ed that EAP methods supporting mutual authentication and key derivation

be used, along with lower layers providing per-packet confidentiality, authentication, integrity, and replay protection.

Additionally, if the lower layer performs ciphersuite negotiation, it should be understood that EAP does not provide by itself integrity protection of that negotiation. Therefore, in order to avoid downgrading attacks which would lead to weaker ciphersuites being used, clients implementing lower layer ciphersuite negprotect against negotiation downgrading. [68] [69]


In the case where the authenticator and authentication server reside on different machines, there are several implications for security:

Authentication will occur between the peer and the authentication server, not between the peer and the authenticator. This means that it is not possible for the peer to validate the identity of the authenticator that it is speaking to, us

The authenticator is dependent on the AAA protocol in order to know the outcome of an authentication conversation, and does not look at the encapsulated EAP packet to determine the outcome. In practice, this implies that


gged. Whether a MIC validation failure is considered a

It is recommended that methods providing integrity protection of EAP packets the Code, Identifier, Length,

Data fields. Additionally, since EAP messages of Types Identity, Notification, and Nak do not include their own MIC, it may be desirable for the EAP

s, as well as the

If after the initial EAP authentication, data packets are sent without per-packet authentication, integrity, and replay protection, an attacker with access to the media can nject packets, flip bits within existing packets, replay packets, or even hijack the

packet confidentiality, it is possible to snoop data

To protect against data modification, spoofing, or snooping, it is ed that EAP methods supporting mutual authentication and key derivation

packet confidentiality, authentication,

ion, it should be understood that EAP does not provide by itself integrity protection of that negotiation. Therefore, in order to avoid downgrading attacks which would lead to weaker ciphersuites being used, clients implementing lower layer ciphersuite negotiation should


In the case where the authenticator and authentication server reside on

Authentication will occur between the peer and the authentication server, not between the peer and the authenticator. This means that it is not possible for the peer to validate the identity of the authenticator that it is speaking to, using EAP

The authenticator is dependent on the AAA protocol in order to know the outcome of an authentication conversation, and does not look at the encapsulated EAP packet to determine the outcome. In practice, this implies that


the AAA protocol spomust support per-packet authentication, integrity, and replay protection.• After completion of the EAP conversation, where lower layer security services such as per-packet confidentiality, authenticatiprotection will be enabled, a secure association protocol should be run between the peer and authenticator in order to provide mutual authentication between the peer and authenticator, guarantee liveness of transient session keys,protected ciphersuite and capabilities negotiation for subsequent data, and synchronize key usage.• An AAA-Key derived from the MSK and/or EMSK negotiated between the peer and authentication server may be transmitted to the authenticator. Therefore, a mechanism needs to be provided to transmit the AAAauthentication server to the authenticator that needs it. [68] [69]

7.6.7 Channel binding

It is possible for a compromised or poorly implemented EAP authenticator to communicate incorrect information to the EAP peer and/or server. This may enable an authenticator to impersonate another authenticator or communicate incorrect information via out-of-band mechanisms such as via a AAA or lower layer protocol.

Where EAP is used in passverify the identity of the passthrough authenticator is trusted by the EAP server. This creates a potential security vulnerability.

An EAP pass-through authentit attempts to impersonate another authenticator by various details such as sending incorrect NAS-Identifier, NASAAA protocol. However, it is possible for AAA client to provide correct information to the AAA server while communicating misleading information to the EAP peer via a lower layer protocol.

For example, it is possible for a compromised authenticator to useauthenticator's Called-Stationpeer via a lower layer protocol, or for a passclient to provide an incorrect peer Callingprotocol.

In order to address this vulnerability, EAP methods may support a protected exchange of channel properties such as endpoint identifiers, including: CalledId, Calling-Station-Id, NAS[69]


the AAA protocol spoken between the authenticator and authentication server packet authentication, integrity, and replay protection.

After completion of the EAP conversation, where lower layer security services packet confidentiality, authentication, integrity, and replay

protection will be enabled, a secure association protocol should be run between the peer and authenticator in order to provide mutual authentication between the peer and authenticator, guarantee liveness of transient session keys,protected ciphersuite and capabilities negotiation for subsequent data, and synchronize key usage.

Key derived from the MSK and/or EMSK negotiated between the peer and authentication server may be transmitted to the authenticator.

, a mechanism needs to be provided to transmit the AAAauthentication server to the authenticator that needs it. [68] [69]

7.6.7 Channel binding

It is possible for a compromised or poorly implemented EAP authenticator to ct information to the EAP peer and/or server. This may enable an

authenticator to impersonate another authenticator or communicate incorrect band mechanisms such as via a AAA or lower layer protocol.

Where EAP is used in pass-through mode, the EAP peer typically does not verify the identity of the pass-through authenticator, it only verifies that the passthrough authenticator is trusted by the EAP server. This creates a potential security

through authenticator acting as an AAA client can be detected if it attempts to impersonate another authenticator by various details such as sending

Identifier, NAS-IP-Address or NAS-IPv6-Address attributes via the AAA protocol. However, it is possible for a pass-through authenticator acting as an AAA client to provide correct information to the AAA server while communicating misleading information to the EAP peer via a lower layer protocol.

For example, it is possible for a compromised authenticator to useStation-Id or NAS-Identifier in communicating with the EAP

peer via a lower layer protocol, or for a pass-through authenticator acting as a AAA client to provide an incorrect peer Calling-Station-Id to the AAA server via the

In order to address this vulnerability, EAP methods may support a protected exchange of channel properties such as endpoint identifiers, including: Called

Id, NAS-Identifier, NAS-IP-Address and NAS-IPv6


ken between the authenticator and authentication server packet authentication, integrity, and replay protection.

After completion of the EAP conversation, where lower layer security services on, integrity, and replay

protection will be enabled, a secure association protocol should be run between the peer and authenticator in order to provide mutual authentication between the peer and authenticator, guarantee liveness of transient session keys, provide protected ciphersuite and capabilities negotiation for subsequent data, and

Key derived from the MSK and/or EMSK negotiated between the peer and authentication server may be transmitted to the authenticator.

, a mechanism needs to be provided to transmit the AAA -Key from the

It is possible for a compromised or poorly implemented EAP authenticator to ct information to the EAP peer and/or server. This may enable an

authenticator to impersonate another authenticator or communicate incorrect band mechanisms such as via a AAA or lower layer protocol.

gh mode, the EAP peer typically does not through authenticator, it only verifies that the pass-

through authenticator is trusted by the EAP server. This creates a potential security

icator acting as an AAA client can be detected if it attempts to impersonate another authenticator by various details such as sending

Address attributes via the through authenticator acting as an

AAA client to provide correct information to the AAA server while communicating

For example, it is possible for a compromised authenticator to use another Identifier in communicating with the EAP

through authenticator acting as a AAA Id to the AAA server via the AAA

In order to address this vulnerability, EAP methods may support a protected exchange of channel properties such as endpoint identifiers, including: Called-Station-

IPv6-Address. [68]


7.7 Maxim PLC G3 solutions

On the figure below, a smart meter block diagram is presented where the blocks painted on blue are the ones that can be implemented by Maxim solutions. The most important three are the meterinReal-Time Clock (RTC). These blocks are the ones that can be identified as characteristic for an Automated Meter Reading (AMR) application. Their possible solutions are described on the following lines.

Figur


7.7 Maxim PLC G3 solutions

On the figure below, a smart meter block diagram is presented where the blocks painted on blue are the ones that can be implemented by Maxim solutions. The most important three are the metering SoC, the data communications block and the

Time Clock (RTC). These blocks are the ones that can be identified as characteristic for an Automated Meter Reading (AMR) application. Their possible solutions are described on the following lines.

Figure 7.9. Smart meter block diagram [25]


On the figure below, a smart meter block diagram is presented where the blocks painted on blue are the ones that can be implemented by Maxim solutions. The

g SoC, the data communications block and the Time Clock (RTC). These blocks are the ones that can be identified as

characteristic for an Automated Meter Reading (AMR) application. Their possible


7.7.1 Metering SoC

7.7.1.1 71M6541D/41F, 71M6542F (single phase), 71M6543F/43H (polyphase)

The Teridian 71M6541D/41F/42F (single phase) and 71M6543F/43H (polyphase) are highly integrated, flexible metering SoCresidential, commercial, and industrial meter applications with up to Class 0.2 accuracy. The devices incorporate a 5MHz 8051engine , a low-power RTC with digital temperature compmemory and 5KB RAM; and an LCD driver. The proprietary Single Converter Technology architecture includes a 22linearity performance over a wide dynamic range and consumes less power tmulti-ADC implementation. Automatic switching between main power and three battery-backup modes ensures operational reliability.

The 71M6541D/41F are packaged in a 6471M6542F/43F/43H are packaged in a 10071M6541D/41F/42F and 71M6543F/43H metering SoCs also feature a proprietary isolation technology. By using lowof the Teridian isolated sensors (71M6601*, 71M6103*), these metering solutions eliminate the need for expensive, bulky current transformers. This, in turn, reduces costs and casing size requirements. The metering design will also benefit from immunity to magnetic tampering and enhanced reliability.



The Teridian 71M6541D/41F/42F (single phase) and 71M6543F/43H (polyphase) are highly integrated, flexible metering SoCs that support a wide range of residential, commercial, and industrial meter applications with up to Class 0.2 accuracy. The devices incorporate a 5MHz 8051-compatible MPU core and a 32-

power RTC with digital temperature compensation; up to 64KB flash memory and 5KB RAM; and an LCD driver. The proprietary Single Converter Technology architecture includes a 22-bit delta-sigma ADC, which provides unmatched linearity performance over a wide dynamic range and consumes less power t

ADC implementation. Automatic switching between main power and three backup modes ensures operational reliability.

The 71M6541D/41F are packaged in a 64-pin lead-free LQFP, and the 71M6542F/43F/43H are packaged in a 100-pin lead-free L71M6541D/41F/42F and 71M6543F/43H metering SoCs also feature a proprietary isolation technology. By using low-cost resistive shunts and optional interfaces to one of the Teridian isolated sensors (71M6601*, 71M6103*), these metering solutions

inate the need for expensive, bulky current transformers. This, in turn, reduces costs and casing size requirements. The metering design will also benefit from immunity to magnetic tampering and enhanced reliability. [25]



The Teridian 71M6541D/41F/42F (single phase) and 71M6543F/43H s that support a wide range of

residential, commercial, and industrial meter applications with up to Class 0.2 accuracy. -bit computation

ensation; up to 64KB flash memory and 5KB RAM; and an LCD driver. The proprietary Single Converter

sigma ADC, which provides unmatched linearity performance over a wide dynamic range and consumes less power than a

ADC implementation. Automatic switching between main power and three

free LQFP, and the free LQFP. The

71M6541D/41F/42F and 71M6543F/43H metering SoCs also feature a proprietary cost resistive shunts and optional interfaces to one

of the Teridian isolated sensors (71M6601*, 71M6103*), these metering solutions inate the need for expensive, bulky current transformers. This, in turn, reduces costs

and casing size requirements. The metering design will also benefit from immunity to


Figure 7.10. 71M654


Figure 7.10. 71M6543F/71M6543H polyphase metering SoCs diagram [25]


3F/71M6543H polyphase metering SoCs diagram [25]


Figure 7.11. 71M6541D/71M6541F single


Figure 7.11. 71M6541D/71M6541F single-phase metering SoCs block diagram [25]


phase metering SoCs block diagram [25]


7.7.2 Real-Time Clock (RTC)

7.7.2.1 DS3231M

The DS3231M is a highly precise realresonator technology. It meets the core requirements for accuracy, stability, power, and compliance testing for smart meters. This innovative RTC provides temperaturecompensated timing accuracy of MEMS technology makes the DS3231M less sensitive to shock and vibration than traditional crystal-based clocks. It is also less sensitive to accuracy drift, which is quite common with aging quartz crystals.

The DS3231M is a lowSwitching automatically between the main and battery power, it meets the industry requirement for dual-supply operation as a safeguard in the absence of main power.

The DS3231M’s accuracy and stability make it particularly suitable for multitariff metering. With no crystal to consume space and add cost, it is a lowsolution for time-based billing and rate charges directly at the meter. It is a viable option for metering networks that do not distribute timebut must maintain an accurate time base at the meter.

Figure 7.12. DS3231M RTC block diagram [25]


Time Clock (RTC)

The DS3231M is a highly precise real-time clock (RTC) based on MEMSresonator technology. It meets the core requirements for accuracy, stability, power, and compliance testing for smart meters. This innovative RTC provides temperaturecompensated timing accuracy of }0.5s/day (< 5.0ppm) from -40°C to +85°C. The

ology makes the DS3231M less sensitive to shock and vibration than based clocks. It is also less sensitive to accuracy drift, which is quite

common with aging quartz crystals.

The DS3231M is a low-power device (< 3.0µA) that prolongs Switching automatically between the main and battery power, it meets the industry

supply operation as a safeguard in the absence of main power.

The DS3231M’s accuracy and stability make it particularly suitable for tariff metering. With no crystal to consume space and add cost, it is a low

based billing and rate charges directly at the meter. It is a viable option for metering networks that do not distribute time-of-day information between metebut must maintain an accurate time base at the meter. [25]

Figure 7.12. DS3231M RTC block diagram [25]


time clock (RTC) based on MEMS resonator technology. It meets the core requirements for accuracy, stability, power, and compliance testing for smart meters. This innovative RTC provides temperature-

40°C to +85°C. The ology makes the DS3231M less sensitive to shock and vibration than

based clocks. It is also less sensitive to accuracy drift, which is quite

A) that prolongs battery life. Switching automatically between the main and battery power, it meets the industry

supply operation as a safeguard in the absence of main power.

The DS3231M’s accuracy and stability make it particularly suitable for tariff metering. With no crystal to consume space and add cost, it is a low-cost

based billing and rate charges directly at the meter. It is a viable option day information between meters,


7.7.3 Data Communications

The part of the system that explicitly works on the PLC G3 protocol is the Data Communications block. It consists on(AFE) for signal conditioning. Two options are offered by Maxim as a solution for this block implementation:

7.7.3.1 MAX2990/MAX2991

The MAX2990 modem and the MAX2991 analog frontPLC chipset that achieves reliable longhighly rated SoC that combines the PHY and MAC layers using Maxim’s 16microcontroller core. MAX2991 is a IC that implements twocontrol (AGC) with 62 dB dyoffset cancelation. They offer up to 100 kbps at 10 kHz to 490 kHz and up to 32 kbps at 10 kHz to 95 kHz including forward error correction (FEC), CRC16 and CRC32. The traffic in multimode networks is rumechanism for data transmission reliability. In addition, they implement DES/3DES security protocols, in order to prevent tampering. [25]

Figure 7.13. MAX2990 and MAX2991 block diagrams [25]


7.7.3 Data Communications

The part of the system that explicitly works on the PLC G3 protocol is the Data Communications block. It consists on a PLC G3 modem and an analog front(AFE) for signal conditioning. Two options are offered by Maxim as a solution for this

7.7.3.1 MAX2990/MAX2991

The MAX2990 modem and the MAX2991 analog front-end (AFE) comprise a hat achieves reliable long-rate data communications. The MAX2990 is a

highly rated SoC that combines the PHY and MAC layers using Maxim’s 16microcontroller core. MAX2991 is a IC that implements two-stage automatic gain control (AGC) with 62 dB dynamic range and on-chip programmable filters with DC offset cancelation. They offer up to 100 kbps at 10 kHz to 490 kHz and up to 32 kbps at 10 kHz to 95 kHz including forward error correction (FEC), CRC16 and CRC32. The traffic in multimode networks is ruled by CSMA/CA algorithm combined with an ARQ mechanism for data transmission reliability. In addition, they implement DES/3DES security protocols, in order to prevent tampering. [25]



The part of the system that explicitly works on the PLC G3 protocol is the a PLC G3 modem and an analog front-end

(AFE) for signal conditioning. Two options are offered by Maxim as a solution for this

end (AFE) comprise a rate data communications. The MAX2990 is a

highly rated SoC that combines the PHY and MAC layers using Maxim’s 16-bit MAXQ stage automatic gain

chip programmable filters with DC offset cancelation. They offer up to 100 kbps at 10 kHz to 490 kHz and up to 32 kbps at 10 kHz to 95 kHz including forward error correction (FEC), CRC16 and CRC32. The

led by CSMA/CA algorithm combined with an ARQ mechanism for data transmission reliability. In addition, they implement DES/3DES



7.7.3.2 MAX2992

The MAX2992 modem improves the longextending network capabilities to transmission over transformers. It is a highly rated SoC that combines the PHY and MAC layers using Maxim’s 32microcontroller core. Two forms ofreliability over older PLC generations and it is compatible with older FSKtechnologies. It operates in the CENELEC band frequency band among others. In combination with MAX2991 a full PLC modem can be real

This modem offers many benefits in front of MAX2990. It provides up to 225 kbps effective data rate at 10 kHz to 490 kHz and up to 44 kbps effective data rate at 10 kHz to 95 kHz with a maximum data rate of 298 kbpscorrection (FEC), CRC16 and CRC32. The traffic in multimode networks is ruled by CSMA/CA algorithm combined with an ARQ mechanism for data transmission reliability. In addition, it implements an AEStampering and the 6LoWPAN adap

Figure 7.14. MAX2992 block diagram [25]

For further information on Maxim PLC G3 solutions please go to: ic.com/smartgrid


The MAX2992 modem improves the long-range data communications by extending network capabilities to transmission over transformers. It is a highly rated SoC that combines the PHY and MAC layers using Maxim’s 32microcontroller core. Two forms of FEC are added to improve communication reliability over older PLC generations and it is compatible with older FSKtechnologies. It operates in the CENELEC band frequency band among others. In combination with MAX2991 a full PLC modem can be realized.

This modem offers many benefits in front of MAX2990. It provides up to 225 kbps effective data rate at 10 kHz to 490 kHz and up to 44 kbps effective data rate at 10 kHz to 95 kHz with a maximum data rate of 298 kbps including forward error

n (FEC), CRC16 and CRC32. The traffic in multimode networks is ruled by CSMA/CA algorithm combined with an ARQ mechanism for data transmission reliability. In addition, it implements an AES-128 fast engine in order to prevent tampering and the 6LoWPAN adaptation layer supporting IPv6. [25]

Figure 7.14. MAX2992 block diagram [25]

For further information on Maxim PLC G3 solutions please go to:


range data communications by extending network capabilities to transmission over transformers. It is a highly rated SoC that combines the PHY and MAC layers using Maxim’s 32-bit MAXQ

FEC are added to improve communication reliability over older PLC generations and it is compatible with older FSK-based PLC technologies. It operates in the CENELEC band frequency band among others. In

This modem offers many benefits in front of MAX2990. It provides up to 225 kbps effective data rate at 10 kHz to 490 kHz and up to 44 kbps effective data rate at 10

including forward error n (FEC), CRC16 and CRC32. The traffic in multimode networks is ruled by

CSMA/CA algorithm combined with an ARQ mechanism for data transmission 128 fast engine in order to prevent

For further information on Maxim PLC G3 solutions please go to: www.maxim-


8. IEC 62056-21, FLAG Protocol

8.1 Introduction

IEC 62056-21:2002, also known as version of the originally IEC 1107:1990. It can be used for local data exchange using a HHU (Hand Held Unit) or for remote data exchange. In fact, when the need for a standard protocol for reading and programming the FLAG protocol appeared as the first standard protocol for meter data exchange and it has been always widely used. Three different physical interfaces may be implemented, infrared optical, current loop or V.24/V.28.with ASCII characters is used with a baud rate from 300 to 19200 and both reading and programming of devices can be operated.

8.2 FLAG Manufacturers ID

All manufacturers working with the FLAG protocol are integrated in the FLAProtocol Association and are identified by the association with a threelist of all of them with their corresponding threefollowing link: http://www.dlms.com/organization/flagmanufacturesids/index.html

8.3 Characteristics of the FLAG Protocol

Many advantages give FLAG an advanced position in front of other protocols for meter data exchange:

• Flexible for configuring progra

• Low cost of the optical port• Common HHU reading and programming

• Can allow for manufacturer• Optical port is robust in residential applications• Very low overhead which means low complex post

• Simplicity of hardware circuitry• Can accommodate an unlimited scope in the security access to data, which means each manufacturer may use their own proprietary methods to secure the equipment


21, FLAG Protocol

21:2002, also known as ‘FLAG Protocol’ is classified as the third version of the originally IEC 1107:1990. It can be used for local data exchange using a HHU (Hand Held Unit) or for remote data exchange. In fact, when the need for a standard protocol for reading and programming complex metering devices was arising, the FLAG protocol appeared as the first standard protocol for meter data exchange and it has been always widely used. Three different physical interfaces may be implemented, infrared optical, current loop or V.24/V.28. Asynchronous data exchange with ASCII characters is used with a baud rate from 300 to 19200 and both reading and programming of devices can be operated.

8.2 FLAG Manufacturers ID

All manufacturers working with the FLAG protocol are integrated in the FLAProtocol Association and are identified by the association with a three-list of all of them with their corresponding three-letter code can be found in the

http://www.dlms.com/organization/flagmanufacturesids/index.html

8.3 Characteristics of the FLAG Protocol

Many advantages give FLAG an advanced position in front of other protocols

Flexible for configuring programmable meters

Low cost of the optical port Common HHU reading and programming

Can allow for manufacturer-specific functions and testingOptical port is robust in residential applications Very low overhead which means low complex post-processing data

city of hardware circuitry Can accommodate an unlimited scope in the security access to data,

which means each manufacturer may use their own proprietary methods to secure the equipment


‘FLAG Protocol’ is classified as the third version of the originally IEC 1107:1990. It can be used for local data exchange using a HHU (Hand Held Unit) or for remote data exchange. In fact, when the need for a

complex metering devices was arising, the FLAG protocol appeared as the first standard protocol for meter data exchange and it has been always widely used. Three different physical interfaces may be

Asynchronous data exchange with ASCII characters is used with a baud rate from 300 to 19200 and both reading and

All manufacturers working with the FLAG protocol are integrated in the FLAG -letter code. The

letter code can be found in the http://www.dlms.com/organization/flagmanufacturesids/index.html. [66]

Many advantages give FLAG an advanced position in front of other protocols

specific functions and testing

processing data

Can accommodate an unlimited scope in the security access to data, which means each manufacturer may use their own proprietary methods to


There are five different communications modes available to use with protocol which are previously negotiated between the meter and the HHU:

• Mode A: Supports bidirectional data exchange at constant 300 baud rate. It allows data readout and programming with optional data protection.• Mode B: Supports bidirectional data eallows data readout and programming with optional data protection.• Mode C: Supports bidirectional data exchange with baud rate switching and permits data readout, programming with enhanced security and manufacturer-specifi• Mode D: Supports unidirectional data exchange at a fixed baud rate of 2400 baud and permits data readout only.

• Mode E: Supports usage of advanced metering protocols on the application and transport layers like DLMS/COSEM while on remote twocommunication. On the data link layer, the HDLC protocol is used. [14]

8.4 Physical medium for data transmission

There are three possible ways of physical communication connection between the Hand Held Unit (HHU) and the tariff equipment:

• Electrical interf

• Electricity V.24/ V.28 interface• Optical interface

8.4.1 Electrical interface with current loop

In this case a 20 mA electrical current loop is implemented, with 30 V DC for open circuit voltage and 30 mA loop current as absolute liIn the following table all electrical parameters operating values are shown:

Current Zero, without the current

loop, State A One, 20 mA the current

loop, State Z The voltage drop

One, 20 mA the current loop, State Z

The maximum open circuit voltage

Figure 8.1. Electrical interface parameters


There are five different communications modes available to use with protocol which are previously negotiated between the meter and the HHU:

Supports bidirectional data exchange at constant 300 baud rate. It allows data readout and programming with optional data protection.

Supports bidirectional data exchange at constant baud rate. It allows data readout and programming with optional data protection.

Supports bidirectional data exchange with baud rate switching and permits data readout, programming with enhanced security and

specific modes. Supports unidirectional data exchange at a fixed baud rate of

permits data readout only. Supports usage of advanced metering protocols on the

application and transport layers like DLMS/COSEM while on remote twommunication. On the data link layer, the HDLC protocol is used. [14]

8.4 Physical medium for data transmission

There are three possible ways of physical communication connection between the Hand Held Unit (HHU) and the tariff equipment:

Electrical interface with current loop

Electricity V.24/ V.28 interface Optical interface

8.4.1 Electrical interface with current loop

In this case a 20 mA electrical current loop is implemented, with 30 V DC for open circuit voltage and 30 mA loop current as absolute limits for electrical parameters. In the following table all electrical parameters operating values are shown:

Transmission (TX) Receptionthe current

≤ 2,5 mA ≤ 3 mA

≥ 11 mA ≥ 9

Transmission (TX) Reception

≤ 2 V ≤

open circuit voltage during operation 30 V DC

Figure 8.1. Electrical interface parameters


There are five different communications modes available to use with this protocol which are previously negotiated between the meter and the HHU:

Supports bidirectional data exchange at constant 300 baud rate. It allows data readout and programming with optional data protection.

xchange at constant baud rate. It allows data readout and programming with optional data protection.

Supports bidirectional data exchange with baud rate switching and permits data readout, programming with enhanced security and

Supports unidirectional data exchange at a fixed baud rate of

Supports usage of advanced metering protocols on the application and transport layers like DLMS/COSEM while on remote two-way

mmunication. On the data link layer, the HDLC protocol is used. [14]

There are three possible ways of physical communication connection between

In this case a 20 mA electrical current loop is implemented, with 30 V DC for mits for electrical parameters.

In the following table all electrical parameters operating values are shown:

Reception (RX)

≤ 3 mA

≥ 9 mA

Reception (RX)

≤ 3 V

30 V DC


Regarding connectors, polarity errors can damacommunication so it is something to take into account when operating with it. Four different circuit arrangements can be implemented which are: Twowith a single or more substations or a foursubstations. [14]

8.4.2 Electricity V.24/V.28

The relevant ITU-T recommendations:

• ITU-T V.24(transmitted data) and 104 (

• ITU-T V.28accordance with ITUup to 20 kbps. [14]

8.4.3 Optical interface

In the following figures the design of the optical probe head is shown:

Figure 8.2. Arrangement and dimensions of components of probe heads [14]

8.4.3.1 Optical characteristics

Although it is not prescribed bywill be provided when the test conditionsthe correct position (cable the infrared transmitter and infrareddirectly to the infrared transmitterposition do not substantially


Regarding connectors, polarity errors can damage device and prohibit communication so it is something to take into account when operating with it. Four different circuit arrangements can be implemented which are: Two-wire implementation with a single or more substations or a four-wire configuration either with one or more

V.24/V.28 interface

recommendations:

V.24: Use only the number of circuit 102 (signal ground)and 104 (received data).

V.28: Electrical characteristics of the coupling circuitsITU-T Recommendation V.28. These allow data transfer rates

8.4.3 Optical interface

In the following figures the design of the optical probe head is shown:

angement and dimensions of components of probe heads [14]

8.4.3.1 Optical characteristics

prescribed by a mechanical adjustment, optimalthe test conditions are implemented, when the reading head is

down), infrared receiver devices in tariff are setand infrared sensing head scanning receiver intransmitter in the tariff device. Small deviation

substantially affect the characteristics. At larger deviations


ge device and prohibit communication so it is something to take into account when operating with it. Four

wire implementation ther with one or more

signal ground), 103

circuits must be in data transfer rates

angement and dimensions of components of probe heads [14]

optimal data transfer reading head is in are set directly in

receiver in the head is set deviations from this deviations may occur


deterioration of optical characteristics. The wavelengthdirections is between 800 nm

8.4.3.2 Transmitter and receiver

The transmitter devicesignal with a spectral width ofarea) at a1 = 10 mm (± 1 mm)following limits are defined for the transmitter radiation:

ZAP = ON, VYP = OFF

ZAP-State (ZAP = State A = Binary 0): 500

VYP-State (VYP = State Z (

The transmitter, which is located mm) from the receiver in thespectral width of E0/R definedlimits are defined for the receiver radiation:

ZAP = ON, VYP = OFF

ZAP-State: receiver clearly

VYP-State: receiver clearlyBinary 1) [14]

Figure 8.3. Testing for the transmitter and receiver arrangement [14]


characteristics. The wavelength of the emittednm and 1000 nm (infrared). [14]

Transmitter and receiver

device in the tariff, as well as the scanning head,width of radiation E0/T defined reference surface

1 mm) from the surface of the tariff device or sensor headlimits are defined for the transmitter radiation:

State (ZAP = State A = Binary 0): 500 ≤ E0/T ≤ 5000 µW/cm2

State (VYP = State Z (idle state) = Binary 1): E0/T ≤ 10 µW/cm2

, which is located in the optical axis at a distance receiver in the tariff device or sensor head generates a signal

defined reference surface (optically active area). limits are defined for the receiver radiation:

clearly ZAP at E0/R ≥ 200 µW/cm2 (ZAP = State A = Binary 0)

clearly VYP at E0/R ≤ 20 µW/cm2 (VYP = State Z (



of the emitted signals in both

head, generates a (optically active sensor head. The

a2 = 10 mm (± 1 generates a signal with a

). The following

AP = State A = Binary 0)

(VYP = State Z (idle state) =



8.5 Character transmission

Independently from the interfain the same way. Ii is an asynchronous serial bit (Startwith various possible established baud rates 300, 600, 1200, 2400, 4800, 9600 or 19200 baud which can be restricted bequipment or tariff restrictions establishes in ITU

The character format defined according to IEC 1177:1985 is: 1 start bit, 7 data bits, 1 parity bit and 1 stop bit. Note that in ptransparency syllables and 1 data bit substitutes the parity bit. [14]

8.6 Data transfer protocol

The protocol allowsE mode selection is a subset

Data exchange protocolinitiates with the HHU transferacts as the main facilities works as a client device and the tariffprogramming and reading out

In protocol mode D operatesreading out meter features but not programming.tariff device to HHU. Data transferdevices on the tariff.

Mode protocol used byidentification. Protocol modes Atelegraph velocity. On the contrary,meaning. Protocol E modemeasuring HDLC protocol.

The data reading out can be performed with or without check digit block. Whenever used it is includesdetected SOH or STX characterincluding this character. Calculated


8.5 Character transmission

Independently from the interface used, the characters are all always transmitted in the same way. Ii is an asynchronous serial bit (Start–Stop) half-duplex transmission with various possible established baud rates 300, 600, 1200, 2400, 4800, 9600 or 19200 baud which can be restricted because of the optical scanning head, the interface equipment or tariff restrictions establishes in ITU-T recommendation V.26.

The character format defined according to IEC 1177:1985 is: 1 start bit, 7 data bits, 1 parity bit and 1 stop bit. Note that in protocol mode E is is possible to use transparency syllables and 1 data bit substitutes the parity bit. [14]

8.6 Data transfer protocol

allows 5 different modes that can use the tariff deviceis a subset of ISO / IEC 1745, management procedures

protocol is bi-directional in modes A, B, C and E, andtransfer request message. In protocol modes A to C the

and tariff acts as a subordinate. In protocoland the tariff acts as a server. These modes provide

reading out meters. Protocol mode E can be transparent

D operates half-duplex exchange of data and allowsreading out meter features but not programming. Information is transmitted

Data transfer is initiated by pressing for example,

used by tariff HHU device is indicated by identification. Protocol modes A to D are determined by the identification symbol

velocity. On the contrary, E mode protocol is designed by sequencemode allows you to use different protocols, one of which is the

protocol.

The data reading out can be performed with or without check digit block. Whenever used it is includes the area from the character immediately following

character after the terminating character ETXCalculated BCC is located immediately behind the


ce used, the characters are all always transmitted duplex transmission

with various possible established baud rates 300, 600, 1200, 2400, 4800, 9600 or 19200 ecause of the optical scanning head, the interface

T recommendation V.26.

The character format defined according to IEC 1177:1985 is: 1 start bit, 7 data rotocol mode E is is possible to use

device: A, B, C, D, management procedures in Idle mode.

and E, and it always A to C the HHU

protocol mode E HHU provide features for

transparent two's regime.

and allows only Information is transmitted through the

for example, sensors or other

messages with by the identification symbol for

sequence change of one of which is the

The data reading out can be performed with or without check digit block. immediately following the first

ETX this report, immediately behind the ETX. [14]


Figure 8.4. Setting the block check character (block check character is determined by

8.7 Security in IEC62056

The standard defines 4 different levels of access that may be used by the metering data exchange system:

• Level 1, Basic:needed by the user to gain entrance to thinadvisable to have any operations which involve sensitive data. During normal, non-communications operation, most equipment will be at this level. One command that might be available is the automatic meter reading operatiwhich presents the operator nonbilling data. The Hand Held Unit (HHU) signmeter identification message must be used before any other kind of communications can happen. The

And its corresponding reply, the meter identification message is:

Where XXXmanufacturer and Identusually used for specifying the particular product.


Figure 8.4. Setting the block check character (block check character is determined by the grey area) [14]

8.7 Security in IEC62056-21 (FLAG)

The standard defines 4 different levels of access that may be used by the metering data exchange system:

Level 1, Basic: In this level only the knowledge of the FLAG protocol is needed by the user to gain entrance to the metering system and hence it is inadvisable to have any operations which involve sensitive data. During normal,

communications operation, most equipment will be at this level. One command that might be available is the automatic meter reading operatiwhich presents the operator non-sensitive data such as meter identification and billing data. The Hand Held Unit (HHU) sign-on message and its associated meter identification message must be used before any other kind of communications can happen. The sign-on message has the following form:

/?! CR LF


/XXX Ident CR LF

XXX is the three letter code that identifies the equipment Ident is an specific identification code for the manufacturer,

usually used for specifying the particular product.


Figure 8.4. Setting the block check character (block check character is determined by

The standard defines 4 different levels of access that may be used by the

In this level only the knowledge of the FLAG protocol is e metering system and hence it is

inadvisable to have any operations which involve sensitive data. During normal, communications operation, most equipment will be at this level. One

command that might be available is the automatic meter reading operation, sensitive data such as meter identification and

on message and its associated meter identification message must be used before any other kind of

on message has the following form:


is the three letter code that identifies the equipment code for the manufacturer,


• Level 2, Password:passwords correctly which, if programmable, may be changed under one of the highest levels. Access to data wto or greater than that available at the Base Level, but would still be limited. Examples might be security data (such as unauthorized access attempts or date of last attempt), time adjustment or maximum dema

• Level 3, Secure:data (a seed) using a secret algorithm is the door to enable access to comprehensive read and write facilities. For added security, this secret algorithm can be dynamic and

• Level 4, Internal:some form of physical setting inside the metering system, such as installation of a bridging link. It may allow full uninhibited read/write resetting of any security registers.[14]


Level 2, Password: This level requires the user to enter one or more passwords correctly which, if programmable, may be changed under one of the highest levels. Access to data which may be changed or retrieved would be equal to or greater than that available at the Base Level, but would still be limited. Examples might be security data (such as unauthorized access attempts or date of last attempt), time adjustment or maximum demand reset.

Level 3, Secure: Operation of sealable button or manipulation of certain data (a seed) using a secret algorithm is the door to enable access to comprehensive read and write facilities. For added security, this secret algorithm can be dynamic and changed under the internal access level.

Level 4, Internal: This is the highest level available, involving changing some form of physical setting inside the metering system, such as installation of a bridging link. It may allow full uninhibited read/write operation, including resetting of any security registers.


This level requires the user to enter one or more passwords correctly which, if programmable, may be changed under one of the

hich may be changed or retrieved would be equal to or greater than that available at the Base Level, but would still be limited. Examples might be security data (such as unauthorized access attempts or date

Operation of sealable button or manipulation of certain data (a seed) using a secret algorithm is the door to enable access to comprehensive read and write facilities. For added security, this secret algorithm

This is the highest level available, involving changing some form of physical setting inside the metering system, such as installation of

operation, including


8.8 Possible attacks to IEC62056

In the case of this protocol, the attacks that may be performed to its security issues depend on the security level used by the meterange of communication between the optical infrared ports, which are the mainly used, is about ten meters, we must think on attacks performed to this protocol differently from others. In other words, in order to perform an atcommunicating, the attacker has the need to be physically close to the meter. Consequently, there is no possibility for an attacker to perform any attack from somewhere where cannot be discovered.

8.8.1 Level 1, Basic

Since no security features are implemented in this basic level, the only thing that an attacker needs for getting access to the network is the knowledge about the protocol. Only a sniffer that scans the network communications may be needed for eavesdropinformation from it. However, since devices remain in this level of security basically while non-communications operation, the data that can be eavesdropped is meter identification and billing data which is regarded to be non

8.8.2 Level 2, Password

In this level, since the barrier to get access to cleartext messages is one or more passwords, the kind of attacks that may be performed are the dictionary attacks or brute force attacks. [14]

8.8.2.1 Dictionary attacks

The most common method of authenticating a user in a computer system is through a password. It is used basically because it is the most convenient and practical way of authenticating users. However, this is makes the authentication process weaker, because users may use ordinary words as passwords. An attacker is able to take advantage of this weakness by using a dictionary attack. The attacker may get access to the system simply by trying all possible passwords until the correct one is found. Two ways for palliating this weakness are locking the access after several unsuccessful attempts and delay the system response so that it takes a lot more time to attacker for trying different passwords.


8.8 Possible attacks to IEC62056-21 (FLAG)

In the case of this protocol, the attacks that may be performed to its security issues depend on the security level used by the meters manager. However, since the range of communication between the optical infrared ports, which are the mainly used, is about ten meters, we must think on attacks performed to this protocol differently from others. In other words, in order to perform an attack to meters using this protocol for communicating, the attacker has the need to be physically close to the meter. Consequently, there is no possibility for an attacker to perform any attack from somewhere where cannot be discovered.

Since no security features are implemented in this basic level, the only thing that an attacker needs for getting access to the network is the knowledge about the protocol. Only a sniffer that scans the network communications may be needed for eavesdropinformation from it. However, since devices remain in this level of security basically

communications operation, the data that can be eavesdropped is meter identification and billing data which is regarded to be non-sensitive information. [1

8.8.2 Level 2, Password

In this level, since the barrier to get access to cleartext messages is one or more passwords, the kind of attacks that may be performed are the dictionary attacks or brute

8.8.2.1 Dictionary attacks

ost common method of authenticating a user in a computer system is through a password. It is used basically because it is the most convenient and practical way of authenticating users. However, this is makes the authentication process weaker,

may use ordinary words as passwords. An attacker is able to take advantage of this weakness by using a dictionary attack. The attacker may get access to the system simply by trying all possible passwords until the correct one is found. Two

ting this weakness are locking the access after several unsuccessful attempts and delay the system response so that it takes a lot more time to attacker for


In the case of this protocol, the attacks that may be performed to its security rs manager. However, since the

range of communication between the optical infrared ports, which are the mainly used, is about ten meters, we must think on attacks performed to this protocol differently from

tack to meters using this protocol for communicating, the attacker has the need to be physically close to the meter. Consequently, there is no possibility for an attacker to perform any attack from

Since no security features are implemented in this basic level, the only thing that an attacker needs for getting access to the network is the knowledge about the protocol. Only a sniffer that scans the network communications may be needed for eavesdropping information from it. However, since devices remain in this level of security basically

communications operation, the data that can be eavesdropped is meter sensitive information. [14]

In this level, since the barrier to get access to cleartext messages is one or more passwords, the kind of attacks that may be performed are the dictionary attacks or brute

ost common method of authenticating a user in a computer system is through a password. It is used basically because it is the most convenient and practical way of authenticating users. However, this is makes the authentication process weaker,

may use ordinary words as passwords. An attacker is able to take advantage of this weakness by using a dictionary attack. The attacker may get access to the system simply by trying all possible passwords until the correct one is found. Two

ting this weakness are locking the access after several unsuccessful attempts and delay the system response so that it takes a lot more time to attacker for


Dictionary attacks are not effective against systems that make use of word passwords, and also fail against systems that use random permutations of lowercase and uppercase letters combined with numerals.

8.8.2.2 Brute force attacks

A brute force attack for obtaining an algorithm key or a password is performed by trying all possible combinations until the one grants the access to the system is found. Two factors of the password implementation have direct influence on the capability of the attacker to perform a brute force attack:

• The effort required to get to a succchance is 2n – 1 operations, where n is the length of the password.• The number of possible characters that can be used to implement the password. If only numerical characters are used, it will be a lot easier for the attacker to obtain the password than if also letters can be used. As well, the length of the password is also a determining factor.

Many countermeasures can be implemented to protect the network from brute force attacks such as limiting the number of attemptsintroducing time delays between successive attempts, increasing the answer's complexity by requiring answer or verification code sent via cellphone, and locking accounts out after unsuccessful login attempts.

8.8.3 Level 3, Secure

Protection of data is highly more implemented in this level than in the two previous ones. This security level is not implemented for reading out operations but for programming functions because programming data is what is considered as sensitive information. [14]

The first security feature which is the operation of a sealable button does not need any description about it can be attacked since it is a manual manipulation.

Security algorithms are used also. Since the algorithm used is designed or chosen by the manufacturer, each network or even each meter may be implementing different security algorithms. This fact makes the possibility to attack the algorithms highly difficult. Moreover, as these secret algorithms can be dynamically changed under de upper security level, it makes even more difficult the access. It can be deduced that in order to brake through this security level, the best options is getting access into the upper internal security level.


Dictionary attacks are not effective against systems that make use of word passwords, and also fail against systems that use random permutations of lowercase and uppercase letters combined with numerals.

8.8.2.2 Brute force attacks

A brute force attack for obtaining an algorithm key or a password is performed rying all possible combinations until the one grants the access to the system is

found. Two factors of the password implementation have direct influence on the capability of the attacker to perform a brute force attack:

The effort required to get to a successful search with more than 50 % 1 operations, where n is the length of the password.

The number of possible characters that can be used to implement the password. If only numerical characters are used, it will be a lot easier for the

ker to obtain the password than if also letters can be used. As well, the length of the password is also a determining factor.

Many countermeasures can be implemented to protect the network from brute force attacks such as limiting the number of attempts that a password can be tried, introducing time delays between successive attempts, increasing the answer's complexity by requiring answer or verification code sent via cellphone, and locking accounts out after unsuccessful login attempts.

Protection of data is highly more implemented in this level than in the two previous ones. This security level is not implemented for reading out operations but for programming functions because programming data is what is considered as sensitive


Security algorithms are used also. Since the algorithm used is designed or hosen by the manufacturer, each network or even each meter may be implementing

different security algorithms. This fact makes the possibility to attack the algorithms highly difficult. Moreover, as these secret algorithms can be dynamically changed under e upper security level, it makes even more difficult the access. It can be deduced that in

order to brake through this security level, the best options is getting access into the upper internal security level.


Dictionary attacks are not effective against systems that make use of multiple-word passwords, and also fail against systems that use random permutations of

A brute force attack for obtaining an algorithm key or a password is performed rying all possible combinations until the one grants the access to the system is

found. Two factors of the password implementation have direct influence on the

essful search with more than 50 % 1 operations, where n is the length of the password.

The number of possible characters that can be used to implement the password. If only numerical characters are used, it will be a lot easier for the

ker to obtain the password than if also letters can be used. As well, the

Many countermeasures can be implemented to protect the network from brute that a password can be tried,

introducing time delays between successive attempts, increasing the answer's complexity by requiring answer or verification code sent via cellphone, and locking

Protection of data is highly more implemented in this level than in the two previous ones. This security level is not implemented for reading out operations but for programming functions because programming data is what is considered as sensitive


Security algorithms are used also. Since the algorithm used is designed or hosen by the manufacturer, each network or even each meter may be implementing

different security algorithms. This fact makes the possibility to attack the algorithms highly difficult. Moreover, as these secret algorithms can be dynamically changed under e upper security level, it makes even more difficult the access. It can be deduced that in

order to brake through this security level, the best options is getting access into the


If an attacker, either by trespassing the uppother way, is capable of discovering which secret algorithm/ algorithms is/ are used, then he would be able to perform a set of attacks to it. These attacks may be oriented either to eavesdrop programming information orin order to disturb its tariffying functions or to perform an overbilling attack to the power supplier customer. [14]

8.8.4 Level 4, Internal

At the highest security available, attacking the meter requires complex manmanipulation as well as knowledge of how to update security registers. [14]


If an attacker, either by trespassing the upper internal security level or by any other way, is capable of discovering which secret algorithm/ algorithms is/ are used, then he would be able to perform a set of attacks to it. These attacks may be oriented either to eavesdrop programming information or to changing the meter programmation in order to disturb its tariffying functions or to perform an overbilling attack to the power supplier customer. [14]

8.8.4 Level 4, Internal

At the highest security available, attacking the meter requires complex manmanipulation as well as knowledge of how to update security registers. [14]


er internal security level or by any other way, is capable of discovering which secret algorithm/ algorithms is/ are used, then he would be able to perform a set of attacks to it. These attacks may be oriented

to changing the meter programmation in order to disturb its tariffying functions or to perform an overbilling attack to the

At the highest security available, attacking the meter requires complex manual manipulation as well as knowledge of how to update security registers. [14]


8.9 Solutions for IEC62056

8.9.1 Single-phase electronic

Enerlux meters belong to the category of operating measuring means and they are intended for the metering of active and reactive electric energy for the residential consumers and commercial agents that use multitariff systems for elin single-phase low voltage networks. The meters enable the consumer connection/disconnection and communication either through an optional PLC modem or the data exchange protocol IEC62056

The meter enables energy tariffying imeasured energies can be configured for tariffying in time zones. In the time zones tariffying program there can be defined two independent tariffying sequences.

The metering program on time zones is yearly. In one year up to 12 seasons. Within each season is defined the weekly program made up of a sequence of 7 types of days chosen from the 24 types of days that can be defined. Within each type of day there can be defined up to 8 switchings for each daily sequences. The resolution of the programming is 30 minutes.

The meter operates from 45 to 65 Hz frequency range within an environmental temperature range from accuracies defined for its measures are classes 1 and 2 for active energy according to IEC6205211, classes 2 and 3 for reactive energy according to IEC62053-23 and a time base accuracy of +/0.5 s per each 24 hours according to IEC61

The meter is provided with 8 demand registers and 8 demand cumulative registers; each of them can be programmed to be calculated from any type of energy with a time interval with 5, 10, 15, 20 ,30 or 60 minutes. The registers and demands are memorizemonthly when programmed reset occurs.


8.9 Solutions for IEC62056-21

phase electronic meter Enerlux Σ

Enerlux meters belong to the category of operating measuring means and they are intended for the metering of active and reactive electric energy for the residential consumers and commercial agents that use multitariff systems for electric energy billing

phase low voltage networks. The meters enable the consumer connection/disconnection and communication either through an optional PLC modem or the data exchange protocol IEC62056-21.

The meter enables energy tariffying in up to 4 time zones. The types of measured energies can be configured for tariffying in time zones. In the time zones tariffying program there can be defined two independent tariffying sequences.

The metering program on time zones is yearly. In one year there can be defined up to 12 seasons. Within each season is defined the weekly program made up of a sequence of 7 types of days chosen from the 24 types of days that can be defined. Within each type of day there can be defined up to 8 switchings for each daily sequences. The resolution of the programming is 30 minutes.

The meter operates from 45 to 65 Hz within an environmental

rom -40 to 60ºC. The accuracies defined for its measures are classes 1 and 2 for active energy according to IEC62052-11, classes 2 and 3 for reactive energy according

23 and a time base accuracy of +/- 0.5 s per each 24 hours according to IEC61038.

The meter is provided with 8 demand registers and 8 demand cumulative registers; each of them can be programmed to be calculated from any type of energy with a time interval with 5, 10, 15, 20 ,30 or 60 minutes. The registers and demands are memorized monthly when programmed reset occurs.


Enerlux meters belong to the category of operating measuring means and they are intended for the metering of active and reactive electric energy for the residential

ectric energy billing phase low voltage networks. The meters enable the consumer

connection/disconnection and communication either through an optional PLC modem or

n up to 4 time zones. The types of measured energies can be configured for tariffying in time zones. In the time zones tariffying program there can be defined two independent tariffying sequences.

there can be defined up to 12 seasons. Within each season is defined the weekly program made up of a sequence of 7 types of days chosen from the 24 types of days that can be defined. Within each type of day there can be defined up to 8 switchings for each of the two


Within the tariffying program there also can be defined 64 groups of days of holydays. The duration of one group of days of holyday can be programmed from 1 to 4 days. Each group of days of holydays can be defined with or without repetition.

Billing purposes achieve the followings storage of energy quantities: storage of the recorded maximum power, storage of the cumulative maximum power, resetting to zero of the maximum power rethat the self reading was made The meter storages the values of the self readings from the last 12 self readings.

For communication functions two different accesses can be used, the optical port loop using IEC 62056-21: Direct local data exchange (3rd edition of IEC 61107). Optionally, the meter is provided with PLC built in modem. Transmission of the data is made via modem in band CENELECused protocol for data transmission EHS (logical level). The following data are read: Indexes, maximum power, load curve, events and weekly registers. [45]

For further information on the Enerlux


Within the tariffying program there also can be defined 64 groups of days of holydays. The duration of one group of days of holyday can be programmed from 1 to 4

of days of holydays can be defined with or without repetition.

Billing purposes achieve the followings storage of energy quantities: storage of the recorded maximum power, storage of the cumulative maximum power, resetting to zero of the maximum power registers (maximum power reset) and storage of the time that the self reading was made The meter storages the values of the self readings from

For communication functions two different accesses can be used, the optical port 21: Direct local data exchange (3rd edition of IEC 61107).

Optionally, the meter is provided with PLC built in modem. Transmission of the data is made via modem in band CENELEC-A, according EN 50065-1 physical level and the

data transmission EHS (logical level). The following data are read: Indexes, maximum power, load curve, events and weekly registers. [45]

For further information on the Enerlux Σ meters go to: www.aem.com


Within the tariffying program there also can be defined 64 groups of days of holydays. The duration of one group of days of holyday can be programmed from 1 to 4

of days of holydays can be defined with or without repetition.

Billing purposes achieve the followings storage of energy quantities: storage of the recorded maximum power, storage of the cumulative maximum power, resetting to

gisters (maximum power reset) and storage of the time that the self reading was made The meter storages the values of the self readings from

For communication functions two different accesses can be used, the optical port 21: Direct local data exchange (3rd edition of IEC 61107).

Optionally, the meter is provided with PLC built in modem. Transmission of the data is 1 physical level and the

data transmission EHS (logical level). The following data are read: Indexes, maximum power, load curve, events and weekly registers. [45]


8.9.2 ACE6000 DC4 commercial and industrial multifunction meter

Energy while all directed connected versions are class B.

The meter provides 8 tariff energy registers per measured value and up to 15 registers per tariff for End of Billing (EOB) data. There are 32 tariff registers for energy in total and 24 for maximum demand. In addition, the meter provides per phase and total instantaneous values such as voltage and current per phase, power and power factor. Load profile data can be stored in up to eight channels.

Up to six output relays and up to six control inputs are available to control the meter such as the tariff control and the from the meter to other devices like tariff information or pulse output. The auxiliary terminal is self arresting and without screws for easy installation.

All time stamp functions are derived from a high preciback up from an integrated battery and/or super capacitor. The battery can power the device clock for up to seven days of continuous total supply. The typical time derivation is better than 9 seconds per month.

Regarding the communmeter can be performed from two interfaces at the same time. The different interfaces that can be used are the following: optical port using the IEC62056electrical CL0 interface andattached to the meter via RS232/RS485 interface using the RJ45 connector. [40]

For further information on ACE6000 DC4 go to:

The ACE6000 DC4 meter provides integrated energy measurement in up to four quadrants for comindustrial applications. It has interoperable capabilities and has the advantage of being easy to implement infuture reading systems.

The innovative metrology concept of this meter offers accuracy and long-term stability. All transformer connected meters are available with accuracy up to class C for active



Energy while all directed connected versions are class B.

rovides 8 tariff energy registers per measured value and up to 15 registers per tariff for End of Billing (EOB) data. There are 32 tariff registers for energy in total and 24 for maximum demand. In addition, the meter provides per phase and

eous values such as voltage and current per phase, power and power factor. Load profile data can be stored in up to eight channels.

Up to six output relays and up to six control inputs are available to control the meter such as the tariff control and the clock synchronization or to give information from the meter to other devices like tariff information or pulse output. The auxiliary terminal is self arresting and without screws for easy installation.

All time stamp functions are derived from a high precision clock, with supply back up from an integrated battery and/or super capacitor. The battery can power the device clock for up to seven days of continuous total supply. The typical time derivation is better than 9 seconds per month.

Regarding the communication functions of the meter, data collection from the meter can be performed from two interfaces at the same time. The different interfaces that can be used are the following: optical port using the IEC62056-electrical CL0 interface and RS232 or RS485 interfaces. Additionally, a modem may be attached to the meter via RS232/RS485 interface using the RJ45 connector. [40]

For further information on ACE6000 DC4 go to: www.itron.com

The ACE6000 DC4 meter provides integrated energy measurement in up to four quadrants for commercial and

It has interoperable capabilities and has the advantage of being easy to implement in existing and

The innovative metrology concept of this meter offers term stability. All transformer connected

meters are available with accuracy up to class C for active



rovides 8 tariff energy registers per measured value and up to 15 registers per tariff for End of Billing (EOB) data. There are 32 tariff registers for energy in total and 24 for maximum demand. In addition, the meter provides per phase and

eous values such as voltage and current per phase, power and power

Up to six output relays and up to six control inputs are available to control the clock synchronization or to give information

from the meter to other devices like tariff information or pulse output. The auxiliary

sion clock, with supply back up from an integrated battery and/or super capacitor. The battery can power the device clock for up to seven days of continuous total supply. The typical time derivation

ication functions of the meter, data collection from the meter can be performed from two interfaces at the same time. The different interfaces

-21 protocol, the RS232 or RS485 interfaces. Additionally, a modem may be

attached to the meter via RS232/RS485 interface using the RJ45 connector. [40]


9. Comparisons betwee

In this section, technologies described in previous sections will be compared to each other. GPRS will stay out of comparison since it is used to create wide area networks with meter networks but not for read out data from the meters itself

9.1 PRIME vs. PLC G3

The physical layer main characteristics of both standards are very similar. Both use CENELEC A band by Cyclic Prefix (CP) OFDM combined with Differential Phase shift Keying (DPSK) which is assumed to be a robust technique for data over the Powerline channel. OFDM is efficiently implemented using FFT and DPSK modulation avoids receiver modules the necessity for channel estimation algorithms for signal reception. Focusing on detailed characteristics, many differences can All of them are presented in the following chart:

Frequency range

Sampling frequency fs FFT size

CP length Windowing

Subcarrier spacing Carrier used

FEC

Interleaving Modulation

Differential encoding Maximum packet size Maximum data rate

Guard interval effective length

Figure 9.1. PRIME vs. G3 physical layers [27]

PRIME MAC layer has been designed by PRIME Alliance independently from other international standards. In opposition, thFrance implements its Mac layer based on the 802.15.4layer. This may be a consequence of the fact that PRIME was designed for LV networks and G3 for MV networks.

Although the MAC layers were designmany characteristics that can be found in common in the two MAC layer implementations. In both technologies the network structure is similarly implemented.


9. Comparisons between technologies

In this section, technologies described in previous sections will be compared to each other. GPRS will stay out of comparison since it is used to create wide area networks with meter networks but not for read out data from the meters itself

9.1 PRIME vs. PLC G3

The physical layer main characteristics of both standards are very similar. Both use CENELEC A band by Cyclic Prefix (CP) OFDM combined with Differential Phase shift Keying (DPSK) which is assumed to be a robust technique for data over the Powerline channel. OFDM is efficiently implemented using FFT and DPSK modulation avoids receiver modules the necessity for channel estimation algorithms for signal reception. Focusing on detailed characteristics, many differences can All of them are presented in the following chart:

PLC G3 PRIME35-91 kHz 42-400 kHz 250 kHz

256 30

Yes 1,5625 kHz 488 Hz

36 Reed-Solomon, convolutional

or repetition codes Convolutional code

Per data packet Per OFDM symbolDBPSK, DQPSK DBPSK, DQPSK, D8PSK

In time In frequency235 bytes 2268 bytes33,4 kbps 128,6 kbps

0,035 ms 0,192 ms

Figure 9.1. PRIME vs. G3 physical layers [27]

PRIME MAC layer has been designed by PRIME Alliance independently from other international standards. In opposition, the G3 technology developed by ERDF France implements its Mac layer based on the 802.15.4-2006 IEEE standard MAC layer. This may be a consequence of the fact that PRIME was designed for LV networks

Although the MAC layers were designed based in different purposes, there are many characteristics that can be found in common in the two MAC layer implementations. In both technologies the network structure is similarly implemented.


In this section, technologies described in previous sections will be compared to each other. GPRS will stay out of comparison since it is used to create wide area networks with meter networks but not for read out data from the meters itself.

The physical layer main characteristics of both standards are very similar. Both use CENELEC A band by Cyclic Prefix (CP) OFDM combined with Differential Phase shift Keying (DPSK) which is assumed to be a robust technique for data transmission over the Powerline channel. OFDM is efficiently implemented using FFT and DPSK modulation avoids receiver modules the necessity for channel estimation algorithms for signal reception. Focusing on detailed characteristics, many differences can be found.

PRIME 89 kHz

250 kHz 512 48 No

488 Hz 97

Convolutional code

Per OFDM symbol DBPSK, DQPSK, D8PSK

In frequency 2268 bytes 128,6 kbps

0,192 ms

PRIME MAC layer has been designed by PRIME Alliance independently from e G3 technology developed by ERDF

2006 IEEE standard MAC layer. This may be a consequence of the fact that PRIME was designed for LV networks

ed based in different purposes, there are many characteristics that can be found in common in the two MAC layer implementations. In both technologies the network structure is similarly implemented.


A Base Node (PRIME) or server (G3) is in charge of managin(PRIME) and peers (G3). Besides, both technologies implement CSMA/CA algorithm for the purpose of controlling the channel access of all devices as well as similar implementations of the ARQ mechanism.

In addition, many differences calayers. Obviously there a lot a difference regarding the formats of data frames, beacon frames, check frames and MAC primitives, but these differences do not add any relevant difference between both MAC layers performancdifferences, the first one are the address formats used.

PRIME uses EUI-48 IEEE universal MAC address combined with three network identifiers: the 8-bit Switch Identifier (SID) for identifying the switch to which a node attached, the 14-bit Local Node Identifier (LNID) to identify a node locally and the 9bit Local Connection Identifier (LCID) to identify a specific connection to a node during connections establishment process. On the other hand, G3 uses for addressing either EUI-64 universal MAC address or 16 bits short address used for the LBP protocol of the 6LoWPAN layer.

Note that also many common and different characteristics between the two technologies can be found in the security features implemented in both MAC layerthey will be described below.

In the convergence layer the differences are obvious since for the upper layer PRIME was designed for IPv4 and G3 for IPv6 so the adaptation layers are prepared to accommodate different versions of the same protocol. In thclear advantage in front of PRIME. The IPv6 protocol will gradually substitute IPv4 in all networks worldwide since the IPv4 addressing system is going towards due to the fact that it is running out of possible addrIPv6 and consequently the 6LoWPAN adaptation layer, gives G3 the possibility to use the Bootstrapping protocol before MAC security features proceed and keys are exchanged.

As this paper is mainly focused in security featurhere is where more differences between the two technologies can be found. One difference between them is that PRIME presents the possibility of using two different security profiles one implementing security procedures and thFrom one side this gives an advantage to PRIME because it is possible not using security when not necessary which permits a higher data transmission. On the other side, an attacker may cause any node in the PRIME network to choosesecurity profile when security procedures are needed and data would be transmitted unencrypted. This kind of attack cannot be performed on G3 since there is no option for a not secured security profile.

In both technologies a key hierarchy common as well as some differences. In both cases this key hierarchy is defined in order


A Base Node (PRIME) or server (G3) is in charge of managing the Services Nodes (PRIME) and peers (G3). Besides, both technologies implement CSMA/CA algorithm for the purpose of controlling the channel access of all devices as well as similar implementations of the ARQ mechanism.

In addition, many differences can be found between PRIME and G3 MAC layers. Obviously there a lot a difference regarding the formats of data frames, beacon frames, check frames and MAC primitives, but these differences do not add any relevant difference between both MAC layers performances. Regarding the significant differences, the first one are the address formats used.

48 IEEE universal MAC address combined with three network bit Switch Identifier (SID) for identifying the switch to which a node bit Local Node Identifier (LNID) to identify a node locally and the 9

bit Local Connection Identifier (LCID) to identify a specific connection to a node during connections establishment process. On the other hand, G3 uses for addressing

64 universal MAC address or 16 bits short address used for the LBP protocol

Note that also many common and different characteristics between the two technologies can be found in the security features implemented in both MAC layerthey will be described below.

In the convergence layer the differences are obvious since for the upper layer PRIME was designed for IPv4 and G3 for IPv6 so the adaptation layers are prepared to accommodate different versions of the same protocol. In this case, it is G3 who has a clear advantage in front of PRIME. The IPv6 protocol will gradually substitute IPv4 in all networks worldwide since the IPv4 addressing system is going towards due to the fact that it is running out of possible addresses worldwide. Moreover, using IPv6 and consequently the 6LoWPAN adaptation layer, gives G3 the possibility to use the Bootstrapping protocol before MAC security features proceed and keys are

As this paper is mainly focused in security features of the standards described, here is where more differences between the two technologies can be found. One difference between them is that PRIME presents the possibility of using two different security profiles one implementing security procedures and the other one without them. From one side this gives an advantage to PRIME because it is possible not using security when not necessary which permits a higher data transmission. On the other side, an attacker may cause any node in the PRIME network to choosesecurity profile when security procedures are needed and data would be transmitted unencrypted. This kind of attack cannot be performed on G3 since there is no option for a not secured security profile.

In both technologies a key hierarchy is defined. This fact brings some points in common as well as some differences. In both cases this key hierarchy is defined in order


g the Services Nodes (PRIME) and peers (G3). Besides, both technologies implement CSMA/CA algorithm for the purpose of controlling the channel access of all devices as well as similar

n be found between PRIME and G3 MAC layers. Obviously there a lot a difference regarding the formats of data frames, beacon frames, check frames and MAC primitives, but these differences do not add any

es. Regarding the significant

48 IEEE universal MAC address combined with three network bit Switch Identifier (SID) for identifying the switch to which a node bit Local Node Identifier (LNID) to identify a node locally and the 9-

bit Local Connection Identifier (LCID) to identify a specific connection to a node during connections establishment process. On the other hand, G3 uses for addressing

64 universal MAC address or 16 bits short address used for the LBP protocol

Note that also many common and different characteristics between the two technologies can be found in the security features implemented in both MAC layers,

In the convergence layer the differences are obvious since for the upper layer PRIME was designed for IPv4 and G3 for IPv6 so the adaptation layers are prepared to

is case, it is G3 who has a clear advantage in front of PRIME. The IPv6 protocol will gradually substitute IPv4 in all networks worldwide since the IPv4 addressing system is going towards obsolescence

esses worldwide. Moreover, using IPv6 and consequently the 6LoWPAN adaptation layer, gives G3 the possibility to use the Bootstrapping protocol before MAC security features proceed and keys are

es of the standards described, here is where more differences between the two technologies can be found. One difference between them is that PRIME presents the possibility of using two different

e other one without them. From one side this gives an advantage to PRIME because it is possible not using security when not necessary which permits a higher data transmission. On the other side, an attacker may cause any node in the PRIME network to choose the unsecured security profile when security procedures are needed and data would be transmitted unencrypted. This kind of attack cannot be performed on G3 since there is no option for

is defined. This fact brings some points in common as well as some differences. In both cases this key hierarchy is defined in order


to obtain a wide set of keys to be used in different aspects of security features and making them independent so if an attasecurity system is broken. In order to secure it higher, these keys are renewed periodically so that if an attacker is capable of obtaining a key somehow, only during a short period of time he is able to eavprocedure of the network.

As mentioned above, G3 performs a more complex a secure system for the purpose of authentication. While PRIME guarantees the authentication of nodes in the network by the fact that eacBase Node, G3 implements a much more complex procedure. In this case also, a pre shared key known only by the peer and the coordinator is used but it is used for deriving another key, an authentication key, using AES. The Bootstrapping process can be performed locally or even remotely with the support of a remote authentication server. Apart from the benefits is gives, the usage of a remote authentication server can create a security vulnerability by the fact that authentication will occur between the peer and the authentication server, not between the peer and the authenticator. This means that it is not possible for the peer to validate the identity of the authenticator that it is speaking to, using EAP alone.

After authentication procedures, both implementations use different keys for broadcast and unicast traffics so that each subnetwork has its own key and each connection between nodes has its own too. However, G3 implements one security feature for information exchange that PRIME does not, the Protected Channel. It provides data origin authentication and protection against replays.

Finally, regarding to the data encryption, both technologies implement 128encryption, which is assumed to bebroken until at least 2030. This way data integrity is supposed to be guaranteed.

Since data integrity it supposed to be guaranteed, the most important security feature for these technologies is the protecconcluded that the exposition of keys from their key hierarchies to a third party is the most important weakness that this technologies present and one of the few that they have in common.


to obtain a wide set of keys to be used in different aspects of security features and making them independent so if an attacker is able to obtain one of them not the whole security system is broken. In order to secure it higher, these keys are renewed periodically so that if an attacker is capable of obtaining a key somehow, only during a short period of time he is able to eavesdrop information or to disturb the correct

As mentioned above, G3 performs a more complex a secure system for the purpose of authentication. While PRIME guarantees the authentication of nodes in the network by the fact that each node has its own private key known only by itself and the Base Node, G3 implements a much more complex procedure. In this case also, a pre shared key known only by the peer and the coordinator is used but it is used for deriving

ation key, using AES. The Bootstrapping process can be performed locally or even remotely with the support of a remote authentication server. Apart from the benefits is gives, the usage of a remote authentication server can create a

by the fact that authentication will occur between the peer and the authentication server, not between the peer and the authenticator. This means that it is not possible for the peer to validate the identity of the authenticator that it is speaking

After authentication procedures, both implementations use different keys for broadcast and unicast traffics so that each subnetwork has its own key and each connection between nodes has its own too. However, G3 implements one security

e for information exchange that PRIME does not, the Protected Channel. It provides data origin authentication and protection against replays.

Finally, regarding to the data encryption, both technologies implement 128encryption, which is assumed to be a high security algorithm that assures not to be broken until at least 2030. This way data integrity is supposed to be guaranteed.

Since data integrity it supposed to be guaranteed, the most important security feature for these technologies is the protection of its shared secrets or keys. So it can be concluded that the exposition of keys from their key hierarchies to a third party is the most important weakness that this technologies present and one of the few that they


to obtain a wide set of keys to be used in different aspects of security features and cker is able to obtain one of them not the whole

security system is broken. In order to secure it higher, these keys are renewed periodically so that if an attacker is capable of obtaining a key somehow, only during a

esdrop information or to disturb the correct

As mentioned above, G3 performs a more complex a secure system for the purpose of authentication. While PRIME guarantees the authentication of nodes in the

h node has its own private key known only by itself and the Base Node, G3 implements a much more complex procedure. In this case also, a pre shared key known only by the peer and the coordinator is used but it is used for deriving

ation key, using AES. The Bootstrapping process can be performed locally or even remotely with the support of a remote authentication server. Apart from the benefits is gives, the usage of a remote authentication server can create a

by the fact that authentication will occur between the peer and the authentication server, not between the peer and the authenticator. This means that it is not possible for the peer to validate the identity of the authenticator that it is speaking

After authentication procedures, both implementations use different keys for broadcast and unicast traffics so that each subnetwork has its own key and each connection between nodes has its own too. However, G3 implements one security

e for information exchange that PRIME does not, the Protected Channel. It

Finally, regarding to the data encryption, both technologies implement 128-AES a high security algorithm that assures not to be

broken until at least 2030. This way data integrity is supposed to be guaranteed.

Since data integrity it supposed to be guaranteed, the most important security tion of its shared secrets or keys. So it can be

concluded that the exposition of keys from their key hierarchies to a third party is the most important weakness that this technologies present and one of the few that they


9.2 ZigBee vs. Raconet

Focusing on the physical layer deployment, since we have not much information about Raconet physical layer there is not much we can compare. One thing is the frequency of operation. Both technologies operate in the ISM free license frequency band which represents a great advantage. Both operate using 868 MHz as central frequency of their bands which has a 1% duty cycle limitation and is only operable in Europe. Data rate that can be provided in this frequency band is usually about 20 kbps.

As opposition, ZigBee specification is also able to operate on a different band inside the ISM band which is at 2.4 GHz frequency which can be used worlwide. In this band, there are 12 channels available while there only one in 868 MHz. It leads to providing a bit rate of about 250 kbps which is by far bigger than the rate that Raconet is able to provide. Consequently, most deployments of ZigBee appliances operate in the 2.4 GHz frequency.

Finally, some words about power consumption must be said. Both technolocan be classified inside the group of low power wireless PANs. In fact, very low power consumption is a design goal in ZigBee specification. On one side it must be regarded as a huge advantage for giving the battery of the network devices a longer lifleads to a weakness that potential attackers may take advantage from.

Regarding to the network topology, both technologies look very similar in this aspect. In ZigBee the Reduced Function Devices (RFD) or meters are coordinated by a Full Function Device (FFD) or router which acts as a data collector and manages its subnetwork. This FFDs are simultaneously coordinated by the ZigBee coordinator that manages the whole network and sends all collected data from the meters to the database management system, by using RSIn Raconet, the global network performance is very similar although it presents a few differences. There is only one data collector that coordinates and manages the network which can be parallelized to the ZigBee coordinator because it is as well in charge of sending all data collected to the power supplier facilities for billing purposes. Meters in the Raconet network can be considered to perform the same operations as RFDs in ZigBee network since they only operate metering purposes, except for those ones that are acting as a bridge to give connection with the Raconet data collector to those meters that cannot be reached by data collector’s range. Those that act as bridges may be parallelized with ZigBee FFDs.

Some also mutual characteristics between two technologies refer to network start-up and attachment/detachment of devices. In both cases the network startmanaged either by the ZigBee coordinator or by the Raconet data collectovery quickly and so does the attachment/detachment of devices to/from the network. Also in both cases the subnetwork coordinator and which is either a ZigBee router or


s. Raconet

Focusing on the physical layer deployment, since we have not much information about Raconet physical layer there is not much we can compare. One thing is the frequency of operation. Both technologies operate in the ISM free license frequency

nd which represents a great advantage. Both operate using 868 MHz as central frequency of their bands which has a 1% duty cycle limitation and is only operable in Europe. Data rate that can be provided in this frequency band is usually about 20 kbps.

pposition, ZigBee specification is also able to operate on a different band inside the ISM band which is at 2.4 GHz frequency which can be used worlwide. In this band, there are 12 channels available while there only one in 868 MHz. It leads to

bit rate of about 250 kbps which is by far bigger than the rate that Raconet is able to provide. Consequently, most deployments of ZigBee appliances operate in the

Finally, some words about power consumption must be said. Both technolocan be classified inside the group of low power wireless PANs. In fact, very low power consumption is a design goal in ZigBee specification. On one side it must be regarded as a huge advantage for giving the battery of the network devices a longer lifleads to a weakness that potential attackers may take advantage from.

Regarding to the network topology, both technologies look very similar in this aspect. In ZigBee the Reduced Function Devices (RFD) or meters are coordinated by a

n Device (FFD) or router which acts as a data collector and manages its subnetwork. This FFDs are simultaneously coordinated by the ZigBee coordinator that manages the whole network and sends all collected data from the meters to the database

stem, by using RS-232 electrical interface, owned by the power supplier. In Raconet, the global network performance is very similar although it presents a few differences. There is only one data collector that coordinates and manages the network

be parallelized to the ZigBee coordinator because it is as well in charge of sending all data collected to the power supplier facilities for billing purposes. Meters in the Raconet network can be considered to perform the same operations as RFDs in

network since they only operate metering purposes, except for those ones that are acting as a bridge to give connection with the Raconet data collector to those meters that cannot be reached by data collector’s range. Those that act as bridges may be

lelized with ZigBee FFDs.

Some also mutual characteristics between two technologies refer to network up and attachment/detachment of devices. In both cases the network start

managed either by the ZigBee coordinator or by the Raconet data collectovery quickly and so does the attachment/detachment of devices to/from the network. Also in both cases the subnetwork coordinator and which is either a ZigBee router or


Focusing on the physical layer deployment, since we have not much information about Raconet physical layer there is not much we can compare. One thing is the frequency of operation. Both technologies operate in the ISM free license frequency

nd which represents a great advantage. Both operate using 868 MHz as central frequency of their bands which has a 1% duty cycle limitation and is only operable in Europe. Data rate that can be provided in this frequency band is usually about 20 kbps.

pposition, ZigBee specification is also able to operate on a different band inside the ISM band which is at 2.4 GHz frequency which can be used worlwide. In this band, there are 12 channels available while there only one in 868 MHz. It leads to

bit rate of about 250 kbps which is by far bigger than the rate that Raconet is able to provide. Consequently, most deployments of ZigBee appliances operate in the

Finally, some words about power consumption must be said. Both technologies can be classified inside the group of low power wireless PANs. In fact, very low power consumption is a design goal in ZigBee specification. On one side it must be regarded as a huge advantage for giving the battery of the network devices a longer life, but it

Regarding to the network topology, both technologies look very similar in this aspect. In ZigBee the Reduced Function Devices (RFD) or meters are coordinated by a

n Device (FFD) or router which acts as a data collector and manages its subnetwork. This FFDs are simultaneously coordinated by the ZigBee coordinator that manages the whole network and sends all collected data from the meters to the database

232 electrical interface, owned by the power supplier. In Raconet, the global network performance is very similar although it presents a few differences. There is only one data collector that coordinates and manages the network

be parallelized to the ZigBee coordinator because it is as well in charge of sending all data collected to the power supplier facilities for billing purposes. Meters in the Raconet network can be considered to perform the same operations as RFDs in

network since they only operate metering purposes, except for those ones that are acting as a bridge to give connection with the Raconet data collector to those meters that cannot be reached by data collector’s range. Those that act as bridges may be

Some also mutual characteristics between two technologies refer to network up and attachment/detachment of devices. In both cases the network start-up

managed either by the ZigBee coordinator or by the Raconet data collector is performed very quickly and so does the attachment/detachment of devices to/from the network. Also in both cases the subnetwork coordinator and which is either a ZigBee router or


the raconet data collector are capable of detecting new devices that appenetwork area by broadcasting messages to invite them to join the network.

Although no information about security features on raconet could be found, as it is a wireless technology operating on a well known frequency band and using low power transmission, the network is susceptible of suffering many different types of attacks which are very similar to the attack that ZigBee may also suffer. These attacks can be divided into two categories:

• Attacks that may take advantage from low power and radio lwireless PANs which are: jamming, exhaustion, collision and unfairness. All of them are detailed in the ZigBee section of this paper.

• Attacks to the cluster tree network topology, such as route disruptions or loops which, as the previous ones, are paper.


the raconet data collector are capable of detecting new devices that appenetwork area by broadcasting messages to invite them to join the network.

Although no information about security features on raconet could be found, as it is a wireless technology operating on a well known frequency band and using low

smission, the network is susceptible of suffering many different types of attacks which are very similar to the attack that ZigBee may also suffer. These attacks can be divided into two categories:

Attacks that may take advantage from low power and radio lwireless PANs which are: jamming, exhaustion, collision and unfairness. All of them are detailed in the ZigBee section of this paper.

Attacks to the cluster tree network topology, such as route disruptions or loops which, as the previous ones, are detailed in the ZigBee section of this


the raconet data collector are capable of detecting new devices that appear in the network area by broadcasting messages to invite them to join the network.


smission, the network is susceptible of suffering many different types of attacks which are very similar to the attack that ZigBee may also suffer. These attacks

Attacks that may take advantage from low power and radio links at wireless PANs which are: jamming, exhaustion, collision and unfairness. All of

Attacks to the cluster tree network topology, such as route disruptions or detailed in the ZigBee section of this


9.3 Bluetooth vs. Raconet

Starting with the physical layer deployment, since we have not much information about Raconet physical layer implementation there is not much we can compare. One thing is the frequency of operation. Both technologies operate in the ISM free license frequency band which represents a great advantage. However, Raconet is using 868 MHz as central frequency of its band while Bluetooth works at 2,4 GHz.

Both technologies caPANs. In fact, low power consumption is a design goal in both specifications. On one side it must be regarded as a huge advantage for giving the battery of the network devices a longer life, but it leaadvantage from.

Regarding to the network topology, both technologies look very similar in this aspect. In Bluetooth the slaves or coordinated by the master of the piconet and sharing the same channel and the unit of various piconets can form a scatternet. In Raconet, the global network performance is very similar although it presents a few differences. There is a data collector that coordinates and manages the network which is in charge of sending all data collected to the power supplier facilities for billing purposes. As it can be seen the difference to the Bluetooth specification is that her there is only one master in the whole network. Meters in the Raconet network can be considered to perform the same operations as slaves in Bluetooth network since they only operate metering purposes, except for those ones that are acting as a bridge to give connection with the Raconet data collector to those meters that cannot be reached by data collector’s range. The main difference that can be found here is that in Bluetooth a device is capable a being part of more than one subnetwork (piconet), given by the fact of the another big difference that can be found which is that Bluetooth allows either pointpoint-to-multipoint connection which Raconet does not.

Another difference that can be found is the ability of Bluetooth of providing either asynchronous or synchronous connections. However, this fact is not specially remarkable when we are dealing with smatransmissions are not thought for data packets transferring but for voice communications. In addition, something that clearly makes the difference between the two specifications are the Bluetooth Profiles. Having a vicapability of Bluetooth for accommodation a very wide range of difference profiles on its application layers, makes one think about the possibility of offering a wider range of services for smart metering customers in the future anfuture development in front of Raconet for Bluetooth.

Although no information about security features on raconet could be found, as it is a wireless technology operating on a well known frequency band and using low power transmission, the network is susceptible of suffering many different types of


9.3 Bluetooth vs. Raconet

Starting with the physical layer deployment, since we have not much information about Raconet physical layer implementation there is not much we can

g is the frequency of operation. Both technologies operate in the ISM free license frequency band which represents a great advantage. However, Raconet is using 868 MHz as central frequency of its band while Bluetooth works at 2,4 GHz.

Both technologies can be classified inside the group of low power wireless PANs. In fact, low power consumption is a design goal in both specifications. On one side it must be regarded as a huge advantage for giving the battery of the network devices a longer life, but it leads to a weakness that potential attackers may take

Regarding to the network topology, both technologies look very similar in this aspect. In Bluetooth the slaves or coordinated by the master of the piconet and sharing

the unit of various piconets can form a scatternet. In Raconet, the global network performance is very similar although it presents a few differences. There is a data collector that coordinates and manages the network which is in charge of

collected to the power supplier facilities for billing purposes. As it can be seen the difference to the Bluetooth specification is that her there is only one master in the whole network. Meters in the Raconet network can be considered to perform the

operations as slaves in Bluetooth network since they only operate metering purposes, except for those ones that are acting as a bridge to give connection with the Raconet data collector to those meters that cannot be reached by data collector’s range.

main difference that can be found here is that in Bluetooth a device is capable a being part of more than one subnetwork (piconet), given by the fact of the another big difference that can be found which is that Bluetooth allows either point

multipoint connection which Raconet does not.

Another difference that can be found is the ability of Bluetooth of providing either asynchronous or synchronous connections. However, this fact is not specially remarkable when we are dealing with smart metering networks since synchronous transmissions are not thought for data packets transferring but for voice communications. In addition, something that clearly makes the difference between the two specifications are the Bluetooth Profiles. Having a vision two the future, the capability of Bluetooth for accommodation a very wide range of difference profiles on its application layers, makes one think about the possibility of offering a wider range of services for smart metering customers in the future and it gives an clearly advantage for future development in front of Raconet for Bluetooth.


r transmission, the network is susceptible of suffering many different types of


Starting with the physical layer deployment, since we have not much information about Raconet physical layer implementation there is not much we can

g is the frequency of operation. Both technologies operate in the ISM free license frequency band which represents a great advantage. However, Raconet is using 868 MHz as central frequency of its band while Bluetooth works at 2,4 GHz.

n be classified inside the group of low power wireless PANs. In fact, low power consumption is a design goal in both specifications. On one side it must be regarded as a huge advantage for giving the battery of the network

ds to a weakness that potential attackers may take

Regarding to the network topology, both technologies look very similar in this aspect. In Bluetooth the slaves or coordinated by the master of the piconet and sharing

the unit of various piconets can form a scatternet. In Raconet, the global network performance is very similar although it presents a few differences. There is a data collector that coordinates and manages the network which is in charge of

collected to the power supplier facilities for billing purposes. As it can be seen the difference to the Bluetooth specification is that her there is only one master in the whole network. Meters in the Raconet network can be considered to perform the

operations as slaves in Bluetooth network since they only operate metering purposes, except for those ones that are acting as a bridge to give connection with the Raconet data collector to those meters that cannot be reached by data collector’s range.

main difference that can be found here is that in Bluetooth a device is capable a being part of more than one subnetwork (piconet), given by the fact of the another big difference that can be found which is that Bluetooth allows either point-to-point or

Another difference that can be found is the ability of Bluetooth of providing either asynchronous or synchronous connections. However, this fact is not specially

rt metering networks since synchronous transmissions are not thought for data packets transferring but for voice communications. In addition, something that clearly makes the difference between the

sion two the future, the capability of Bluetooth for accommodation a very wide range of difference profiles on its application layers, makes one think about the possibility of offering a wider range of

d it gives an clearly advantage for


r transmission, the network is susceptible of suffering many different types of


attacks which are very similar to the attack that any other wireless network may also suffer. These attacks can be divided into two categories:

• Attacks that may take advantage wireless PANs which are: jamming, exhaustion, collision and unfairness. All of them are detailed in the ZigBee section of this paper.• Attacks to the cluster tree network topology, such as route disruptions or loops which, as the previous ones, are detailed in the ZigBee section of this paper.

In the case Bluetooth, by taking advantage of its profile definition, a wide range of specific attacks can be directed to it. Additionally, a great weakness that Bluetooth shows is the usage of the SAFER+ based algorithms for its security purposes. It is hardly recommended for Bluetooth to adapt and get closer to other specifications security and use AES algorithm to defend itself from potential attackers.


attacks which are very similar to the attack that any other wireless network may also suffer. These attacks can be divided into two categories:

Attacks that may take advantage from low power and radio links at wireless PANs which are: jamming, exhaustion, collision and unfairness. All of them are detailed in the ZigBee section of this paper.

Attacks to the cluster tree network topology, such as route disruptions or as the previous ones, are detailed in the ZigBee section of this

In the case Bluetooth, by taking advantage of its profile definition, a wide range of specific attacks can be directed to it. Additionally, a great weakness that Bluetooth

he usage of the SAFER+ based algorithms for its security purposes. It is hardly recommended for Bluetooth to adapt and get closer to other specifications security and use AES algorithm to defend itself from potential attackers.


attacks which are very similar to the attack that any other wireless network may also

from low power and radio links at wireless PANs which are: jamming, exhaustion, collision and unfairness. All of

Attacks to the cluster tree network topology, such as route disruptions or as the previous ones, are detailed in the ZigBee section of this

In the case Bluetooth, by taking advantage of its profile definition, a wide range of specific attacks can be directed to it. Additionally, a great weakness that Bluetooth

he usage of the SAFER+ based algorithms for its security purposes. It is hardly recommended for Bluetooth to adapt and get closer to other specifications security and use AES algorithm to defend itself from potential attackers.


9.4 ZigBee vs. Bluetooth

These two specifications are both wireless technologies working on the ISM free license frequency band. Bluetooth is only working on the 2.4 GHz, ZigBee is capable of working also on the 868 MHz and 900 MHz frequency bands. However, working o2.4 GHz is the best option if the main goal is to obtain the highest possible throughput for data transmission, and that is why most ZigBee applications are using this frequency instead of the others.

If we focus on the layer implementations it can implementations do not have much in common and does not really make sense two compare the layers between each other one by one. However, there are a few things that can be easily compared and a few points in common also. A similar used in both specifications based on the EUIstandards. Finally, regarding the application layers of both specifications a parallelization can be easily made. In both cases a wide range of possiblecan be adapted to the technology. In Bluetooth by using the adequate service profile an application may be implemented, while in ZigBee the design of the final application is completely chosen by the customer since in its application layer a is implemented for every device in a ZigBee network and for every different customer for different applications.

A point that must be noticed to be different between the two specifications is the network topology. In ZigBee the Reducecoordinated by a Full Function Device (FFD) or router which acts as a data collector and manages its subnetwork. This FFDs are simultaneously coordinated by the ZigBee coordinator that manages the whole network and semeters to the database management system, by using RSby the power supplier. In Bluetooth the network is organized differently although both point-to-point and point-to-

In the point-to-multipoint connection, the channel is shared among several Bluetooth units and forming a piconetto 7 other units act as slaves. The channel access is contbe parallelized to the ZigBee coordinator. Multiple piconets with overlapping coverage areas form a scatternet. Slaves can participate in different piconets on a timemultiplex basis. In addition, a master in one picThe piconets shall not be frequency synchronized. Each piconet has its own hopping channel. By this procedure, Bluetooth is capable of forming a huge network at the same time formed by a huge amount of small networkscapable of creating a big network coordinated by one unique coordinator that manages the whole network.


s. Bluetooth

These two specifications are both wireless technologies working on the ISM free license frequency band. Bluetooth is only working on the 2.4 GHz, ZigBee is capable of working also on the 868 MHz and 900 MHz frequency bands. However, working o2.4 GHz is the best option if the main goal is to obtain the highest possible throughput for data transmission, and that is why most ZigBee applications are using this frequency

If we focus on the layer implementations it can be easily seen that both implementations do not have much in common and does not really make sense two compare the layers between each other one by one. However, there are a few things that can be easily compared and a few points in common also. A similar addressing model is used in both specifications based on the EUI-48 bits standard address from the IEEE standards. Finally, regarding the application layers of both specifications a parallelization can be easily made. In both cases a wide range of possiblecan be adapted to the technology. In Bluetooth by using the adequate service profile an application may be implemented, while in ZigBee the design of the final application is completely chosen by the customer since in its application layer a ZigBee device object is implemented for every device in a ZigBee network and for every different customer

A point that must be noticed to be different between the two specifications is the network topology. In ZigBee the Reduced Function Devices (RFD) or meters are coordinated by a Full Function Device (FFD) or router which acts as a data collector and manages its subnetwork. This FFDs are simultaneously coordinated by the ZigBee coordinator that manages the whole network and sends all collected data from the meters to the database management system, by using RS-232 electrical interface, owned by the power supplier. In Bluetooth the network is organized differently although both

-multipoint connections can be also implemented.

multipoint connection, the channel is shared among several Bluetooth piconet. One of them acts as the master of the piconet, whereas up

to 7 other units act as slaves. The channel access is controlled by the master which can be parallelized to the ZigBee coordinator. Multiple piconets with overlapping coverage

. Slaves can participate in different piconets on a timemultiplex basis. In addition, a master in one piconet can be a slave in another piconet. The piconets shall not be frequency synchronized. Each piconet has its own hopping channel. By this procedure, Bluetooth is capable of forming a huge network at the same time formed by a huge amount of small networks with up to 8 devices, but is not capable of creating a big network coordinated by one unique coordinator that manages


These two specifications are both wireless technologies working on the ISM free license frequency band. Bluetooth is only working on the 2.4 GHz, ZigBee is capable of working also on the 868 MHz and 900 MHz frequency bands. However, working on the 2.4 GHz is the best option if the main goal is to obtain the highest possible throughput for data transmission, and that is why most ZigBee applications are using this frequency

be easily seen that both implementations do not have much in common and does not really make sense two compare the layers between each other one by one. However, there are a few things that

addressing model is 48 bits standard address from the IEEE

standards. Finally, regarding the application layers of both specifications a parallelization can be easily made. In both cases a wide range of possible applications can be adapted to the technology. In Bluetooth by using the adequate service profile an application may be implemented, while in ZigBee the design of the final application is

ZigBee device object is implemented for every device in a ZigBee network and for every different customer

A point that must be noticed to be different between the two specifications is the d Function Devices (RFD) or meters are

coordinated by a Full Function Device (FFD) or router which acts as a data collector and manages its subnetwork. This FFDs are simultaneously coordinated by the ZigBee

nds all collected data from the 232 electrical interface, owned

by the power supplier. In Bluetooth the network is organized differently although both can be also implemented.

multipoint connection, the channel is shared among several Bluetooth . One of them acts as the master of the piconet, whereas up

rolled by the master which can be parallelized to the ZigBee coordinator. Multiple piconets with overlapping coverage

. Slaves can participate in different piconets on a time-division onet can be a slave in another piconet.

The piconets shall not be frequency synchronized. Each piconet has its own hopping channel. By this procedure, Bluetooth is capable of forming a huge network at the same

with up to 8 devices, but is not capable of creating a big network coordinated by one unique coordinator that manages


Focusing on the security procedures of both technologies the first thing that can be easily identified as a big diffeuses the AES algorithm, Bluetooth is using various algorithms for its different security features based on the SAFER+ cipher block. This method was also presented to the contest for becoming the AES algoto the conclusion that in Bluetooth actual AES encryption should be embraced to substitute SAFER+. Another disadvantage that Bluetooth presents in front of ZigBee is that it does not implement security pdoes. In addition, ZigBee is able to optionally provide sequential freshness in the purpose of frame integrity, a service not provided by Bluetooth. Finally, the trust center is an entity that appears on the Bluetooth. It is an application trusted by all the devices in the network that distributes keys as part of network and endis required to maintain a list of all the devices in the network, all the relevant keys and control the policies of network admittance.

Although many differences have been noticed, many points can be found in common also. The first one is that both specifications are using a varioits different security procedures to make each procedure independent from any other by using a different key. The usage of these sets of keys leads t avoid to use any kind of passwords in the security procedure which is regarded to be noto guarantee the security of a network. Finally, another point that we can found in common are the security profiles. Both specifications present various security modes in order to use different security mechanisms depending on the operational circumstances of the moment. In addition, apart from global security profiles, Bluetooth incorporates also three different modes of data encryption.

Although there are a lot of differences between these two specifications, as bof them are wireless technologies operating on a well known frequency band and using low power transmission, their networks are susceptible of suffering many different types of attacks which are very similar and these attacks are described in the ZigBesection of this paper. These attacks can be divided into two categories:

• Attacks that may take advantage from low power and radio links at wireless PANs which are: jamming, exhaustion, collision and unfairness. All of them are detailed in the ZigBee sect• Attacks to the cluster tree network topology, such as route disruptions or loops which, as the previous ones, are detailed in the ZigBee section of this paper. In the case of Bluetooth, the network topology is not a cluster tree but piconets and scatternets, however, Bluetooth may suffer similar attacks to the ones that can be directed to ZigBee network topology.


Focusing on the security procedures of both technologies the first thing that can be easily identified as a big difference is the encryption algorithm used. While ZigBee uses the AES algorithm, Bluetooth is using various algorithms for its different security features based on the SAFER+ cipher block. This method was also presented to the contest for becoming the AES algorithm but did not win. Consequently, this fact leads to the conclusion that in Bluetooth actual AES encryption should be embraced to substitute SAFER+. Another disadvantage that Bluetooth presents in front of ZigBee is that it does not implement security procedures in the application layer while ZigBee does. In addition, ZigBee is able to optionally provide sequential freshness in the purpose of frame integrity, a service not provided by Bluetooth. Finally, the trust center is an entity that appears on the ZigBee application layer security and not available in Bluetooth. It is an application trusted by all the devices in the network that distributes keys as part of network and end-to-end application configuration management. The TC

list of all the devices in the network, all the relevant keys and control the policies of network admittance.

Although many differences have been noticed, many points can be found in common also. The first one is that both specifications are using a various set of keys for its different security procedures to make each procedure independent from any other by using a different key. The usage of these sets of keys leads t avoid to use any kind of passwords in the security procedure which is regarded to be not a very secured method to guarantee the security of a network. Finally, another point that we can found in common are the security profiles. Both specifications present various security modes in order to use different security mechanisms depending on the network and the operational circumstances of the moment. In addition, apart from global security profiles, Bluetooth incorporates also three different modes of data encryption.

Although there are a lot of differences between these two specifications, as bof them are wireless technologies operating on a well known frequency band and using low power transmission, their networks are susceptible of suffering many different types of attacks which are very similar and these attacks are described in the ZigBesection of this paper. These attacks can be divided into two categories:

Attacks that may take advantage from low power and radio links at wireless PANs which are: jamming, exhaustion, collision and unfairness. All of them are detailed in the ZigBee section of this paper.

Attacks to the cluster tree network topology, such as route disruptions or loops which, as the previous ones, are detailed in the ZigBee section of this paper. In the case of Bluetooth, the network topology is not a cluster tree but

nets and scatternets, however, Bluetooth may suffer similar attacks to the ones that can be directed to ZigBee network topology.


Focusing on the security procedures of both technologies the first thing that can rence is the encryption algorithm used. While ZigBee

uses the AES algorithm, Bluetooth is using various algorithms for its different security features based on the SAFER+ cipher block. This method was also presented to the

rithm but did not win. Consequently, this fact leads to the conclusion that in Bluetooth actual AES encryption should be embraced to substitute SAFER+. Another disadvantage that Bluetooth presents in front of ZigBee is

rocedures in the application layer while ZigBee does. In addition, ZigBee is able to optionally provide sequential freshness in the purpose of frame integrity, a service not provided by Bluetooth. Finally, the trust center

ZigBee application layer security and not available in Bluetooth. It is an application trusted by all the devices in the network that distributes

end application configuration management. The TC list of all the devices in the network, all the relevant keys and

Although many differences have been noticed, many points can be found in us set of keys for

its different security procedures to make each procedure independent from any other by using a different key. The usage of these sets of keys leads t avoid to use any kind of

t a very secured method to guarantee the security of a network. Finally, another point that we can found in common are the security profiles. Both specifications present various security modes in

network and the operational circumstances of the moment. In addition, apart from global security profiles, Bluetooth incorporates also three different modes of data encryption.

Although there are a lot of differences between these two specifications, as both of them are wireless technologies operating on a well known frequency band and using low power transmission, their networks are susceptible of suffering many different types of attacks which are very similar and these attacks are described in the ZigBee

Attacks that may take advantage from low power and radio links at wireless PANs which are: jamming, exhaustion, collision and unfairness. All of

Attacks to the cluster tree network topology, such as route disruptions or loops which, as the previous ones, are detailed in the ZigBee section of this paper. In the case of Bluetooth, the network topology is not a cluster tree but

nets and scatternets, however, Bluetooth may suffer similar attacks to the


In the case of Bluetooth, as described in the section dedicated to it in this paper, there is a wide range of attacks that areadvantage especially of the Bluetooth Profiles specification.


In the case of Bluetooth, as described in the section dedicated to it in this paper, there is a wide range of attacks that are specifically designed to attack it taking advantage especially of the Bluetooth Profiles specification.


In the case of Bluetooth, as described in the section dedicated to it in this paper, specifically designed to attack it taking


9.5 PLC vs. RF

PLC and radiofrequency technologies must be regarded differently since their deployments have many differences.installed everywhere infrastructure for energy supplying and there no need to install new wires. Besides, by the fact that it is a wired technology there no need to concern about power consumption while batttechnologies. On the other side, RF offers flexibility, design, easy portability of its devices and robustness against unexpected events such as an earthquake that may disable a wired network. It also brings advantages of mesh networking such a multiple paths for transmission to prevent disabling of a node on a path failure.

Since these are complete different technologies, there no much common points in their physical layers implementation. The usage they make of the spectrum is completely different since they do not use the same media for transmitting data, however, we can find a point in common in the fact that all of them may use BPSK modulation, and another ofollowing the OSI model except for the case of Raconet which we do not know much about its layers implementation.

There are many characteristics that can be found in common in the MAC layer implementations. In the two PLC technologies the network structure is similarly implemented. A Base Node (PRIME) or server (G3) is in charge of managing the Services Nodes (PRIME) and peers (G3). In opposition, ZigBee is capable of implementing different network toor cluster tree. However, in Raconet the network topology is fixed by the fact that the data collector is at the top of it for managing the network and a tree topology is implemented below it. Besides, CSMA/CA algorithm for the purpose of controlling the channel access of all devices as well as similar implementations of the ARQ mechanism.

In addition, many differences can be found between the three MAC layersdescription we know in detail. Obviously there a lot a difference regarding the formats of data frames, beacon frames, check frames and MAC primitives, but these differences do not add any relevant difference between both MAC layers performances. Rethe significant differences, the first one are the address formats used.

PRIME uses EUI-48 IEEE universal MAC address combined with three network identifiers: the 8-bit Switch Identifier (SID) for identifying the switch to which a node attached, the 14-bit Local Node Identifier (LNID) to identify a node locally and the 9bit Local Connection Identifier (LCID) to identify a specific connection to a node during connections establishment process. On the other hand, G3 and ZigBee addressing are very similar since both MAC layers designs are based on IEEE 802.15.4 they can use either EUI-64 universal MAC address or a 16


PLC and radiofrequency technologies must be regarded differently since their deployments have many differences. PLC presents the advantage of using the already installed everywhere infrastructure for energy supplying and there no need to install new wires. Besides, by the fact that it is a wired technology there no need to concern about power consumption while batteries life is one matter of concern in wireless technologies. On the other side, RF offers flexibility, design, easy portability of its devices and robustness against unexpected events such as an earthquake that may disable a wired network. It also brings easy planning of networks together with all the advantages of mesh networking such a multiple paths for transmission to prevent disabling of a node on a path failure.

Since these are complete different technologies, there no much common points ysical layers implementation. The usage they make of the spectrum is

completely different since they do not use the same media for transmitting data, however, we can find a point in common in the fact that all of them may use BPSK

and another one in the fact that their physical layers are organized following the OSI model except for the case of Raconet which we do not know much about its layers implementation.

There are many characteristics that can be found in common in the MAC layer ations. In the two PLC technologies the network structure is similarly

implemented. A Base Node (PRIME) or server (G3) is in charge of managing the Services Nodes (PRIME) and peers (G3). In opposition, ZigBee is capable of implementing different network topologies used in wireless networks such as star, mesh or cluster tree. However, in Raconet the network topology is fixed by the fact that the data collector is at the top of it for managing the network and a tree topology is implemented below it. Besides, ZigBee, PRIME and G3 technologies implement CSMA/CA algorithm for the purpose of controlling the channel access of all devices as well as similar implementations of the ARQ mechanism.

In addition, many differences can be found between the three MAC layersdescription we know in detail. Obviously there a lot a difference regarding the formats of data frames, beacon frames, check frames and MAC primitives, but these differences do not add any relevant difference between both MAC layers performances. Rethe significant differences, the first one are the address formats used.

48 IEEE universal MAC address combined with three network bit Switch Identifier (SID) for identifying the switch to which a node bit Local Node Identifier (LNID) to identify a node locally and the 9

bit Local Connection Identifier (LCID) to identify a specific connection to a node during connections establishment process. On the other hand, G3 and ZigBee

milar since both MAC layers designs are based on IEEE 802.15.4 64 universal MAC address or a 16-bit short address. In the case


PLC and radiofrequency technologies must be regarded differently since their PLC presents the advantage of using the already

installed everywhere infrastructure for energy supplying and there no need to install new wires. Besides, by the fact that it is a wired technology there no need to concern

eries life is one matter of concern in wireless technologies. On the other side, RF offers flexibility, design, easy portability of its devices and robustness against unexpected events such as an earthquake that may

easy planning of networks together with all the advantages of mesh networking such a multiple paths for transmission to prevent

Since these are complete different technologies, there no much common points ysical layers implementation. The usage they make of the spectrum is

completely different since they do not use the same media for transmitting data, however, we can find a point in common in the fact that all of them may use BPSK

ne in the fact that their physical layers are organized following the OSI model except for the case of Raconet which we do not know much

There are many characteristics that can be found in common in the MAC layer ations. In the two PLC technologies the network structure is similarly

implemented. A Base Node (PRIME) or server (G3) is in charge of managing the Services Nodes (PRIME) and peers (G3). In opposition, ZigBee is capable of

pologies used in wireless networks such as star, mesh or cluster tree. However, in Raconet the network topology is fixed by the fact that the data collector is at the top of it for managing the network and a tree topology is

ZigBee, PRIME and G3 technologies implement CSMA/CA algorithm for the purpose of controlling the channel access of all devices as

In addition, many differences can be found between the three MAC layers whose description we know in detail. Obviously there a lot a difference regarding the formats of data frames, beacon frames, check frames and MAC primitives, but these differences do not add any relevant difference between both MAC layers performances. Regarding

48 IEEE universal MAC address combined with three network bit Switch Identifier (SID) for identifying the switch to which a node bit Local Node Identifier (LNID) to identify a node locally and the 9-

bit Local Connection Identifier (LCID) to identify a specific connection to a node during connections establishment process. On the other hand, G3 and ZigBee

milar since both MAC layers designs are based on IEEE 802.15.4 bit short address. In the case


of G3, the short address is specifically used for the LBP protocol of the 6LoWPAN layer. In ZigBee, the address format sent in a packet can be chosen and the correspondence between them two is checked at reception.

Additionally, we can found a point in common between ZigBee and G3 but different in PRIME. In the first two, the MAC layer implements two separatwithin the layer. The first entity is in charge of the transport of data units and the second one manages the layer and is capable of transporting commands to the lower and upper layers as well as controlling the channel access.

Note that also many common and different characteristics between the three technologies can be found in the security features implemented in all three MAC layers, they will be described below.

Since Raconet and ZigBee are fully independent technologies, they do not require the support of other protocols for implementing upper layers and applications. In opposition, PRIME and G3 technologies implement only the low layers of the OSI model and require upper layer protocols to implements applications. The one which is mostly used is DLMS/COSEM protocol, and also WiMAX and some IP technologies are used for these purposes. That is the reason why PRIME and G3 implement an adaptation/convergence layer for IPv4 and for IPv6 respectively and ZigBee and Raconet do not implement such

Regarding security features, since we do not have information on Raconet security features, we will be focusing in comparing ZigBee against PRIME and G3. As previously said, radiofrequency networks presents many more weak points to be attacked than wired technologies. This fact leads to the obligation to try to implement higher security measures in wireless networks in order to be able to guarantee that they are as much secure as wired technologies that may be deployed for the same applications. What all of them have in common is the usage of AES encryption algorithm for data encryption.

Different complexity levels can be found on the authentication procedures of these protocols. As mentioned in the comparison between PRIME and G3, the first one guarantees authentication between two nodes by the fact that there is a key known only by these two nodes. The second one, implements a much more complex procedure named the Bootstrapping protocol for authentication, implemented in the adaptation layer, which proceeds before MAC layer security runs. In ZigBee, authentication is guaranteed in MAC, network and application layers by using the AES CCM mode of operation. More specifically, in the application layer, the Mutual Entity Authentication protocol is used for procedures of authentication between to nodes base on a shared secret.

Different sets of keys are implemented by the three specifications for different usages. They are implemented in order to make all security procedures independent form each other and different keys are used for authentication, ciphering unicast traffic,


of G3, the short address is specifically used for the LBP protocol of the 6LoWPAN ddress format sent in a packet can be chosen and the

correspondence between them two is checked at reception.

Additionally, we can found a point in common between ZigBee and G3 but different in PRIME. In the first two, the MAC layer implements two separatwithin the layer. The first entity is in charge of the transport of data units and the second one manages the layer and is capable of transporting commands to the lower and upper layers as well as controlling the channel access.

many common and different characteristics between the three technologies can be found in the security features implemented in all three MAC layers, they will be described below.

Since Raconet and ZigBee are fully independent technologies, they do not ire the support of other protocols for implementing upper layers and applications. In

opposition, PRIME and G3 technologies implement only the low layers of the OSI model and require upper layer protocols to implements applications. The one which is

used is DLMS/COSEM protocol, and also WiMAX and some IP technologies are used for these purposes. That is the reason why PRIME and G3 implement an adaptation/convergence layer for IPv4 and for IPv6 respectively and ZigBee and Raconet do not implement such a layer.

Regarding security features, since we do not have information on Raconet security features, we will be focusing in comparing ZigBee against PRIME and G3. As previously said, radiofrequency networks presents many more weak points to be

han wired technologies. This fact leads to the obligation to try to implement higher security measures in wireless networks in order to be able to guarantee that they are as much secure as wired technologies that may be deployed for the same

What all of them have in common is the usage of AES encryption algorithm for data encryption.

Different complexity levels can be found on the authentication procedures of these protocols. As mentioned in the comparison between PRIME and G3, the first one guarantees authentication between two nodes by the fact that there is a key known only by these two nodes. The second one, implements a much more complex procedure named the Bootstrapping protocol for authentication, implemented in the adaptation

ich proceeds before MAC layer security runs. In ZigBee, authentication is guaranteed in MAC, network and application layers by using the AES CCM mode of operation. More specifically, in the application layer, the Mutual Entity Authentication

ed for procedures of authentication between to nodes base on a shared

Different sets of keys are implemented by the three specifications for different usages. They are implemented in order to make all security procedures independent

r and different keys are used for authentication, ciphering unicast traffic,


of G3, the short address is specifically used for the LBP protocol of the 6LoWPAN ddress format sent in a packet can be chosen and the

Additionally, we can found a point in common between ZigBee and G3 but different in PRIME. In the first two, the MAC layer implements two separate entities within the layer. The first entity is in charge of the transport of data units and the second one manages the layer and is capable of transporting commands to the lower and upper

many common and different characteristics between the three technologies can be found in the security features implemented in all three MAC layers,

Since Raconet and ZigBee are fully independent technologies, they do not ire the support of other protocols for implementing upper layers and applications. In

opposition, PRIME and G3 technologies implement only the low layers of the OSI model and require upper layer protocols to implements applications. The one which is

used is DLMS/COSEM protocol, and also WiMAX and some IP technologies are used for these purposes. That is the reason why PRIME and G3 implement an adaptation/convergence layer for IPv4 and for IPv6 respectively and ZigBee and

Regarding security features, since we do not have information on Raconet security features, we will be focusing in comparing ZigBee against PRIME and G3. As previously said, radiofrequency networks presents many more weak points to be

han wired technologies. This fact leads to the obligation to try to implement higher security measures in wireless networks in order to be able to guarantee that they are as much secure as wired technologies that may be deployed for the same

What all of them have in common is the usage of AES encryption

Different complexity levels can be found on the authentication procedures of these protocols. As mentioned in the comparison between PRIME and G3, the first one guarantees authentication between two nodes by the fact that there is a key known only by these two nodes. The second one, implements a much more complex procedure named the Bootstrapping protocol for authentication, implemented in the adaptation

ich proceeds before MAC layer security runs. In ZigBee, authentication is guaranteed in MAC, network and application layers by using the AES CCM mode of operation. More specifically, in the application layer, the Mutual Entity Authentication

ed for procedures of authentication between to nodes base on a shared

Different sets of keys are implemented by the three specifications for different usages. They are implemented in order to make all security procedures independent

r and different keys are used for authentication, ciphering unicast traffic,


broadcast traffic, attach/detach of a device to/from the network, etc. In PRIME and G3 theses sets of keys are implemented at MAC layer security level and in ZigBee it is implemented in the application layer security level. Note that some of these keys in all protocols are periodically renewed in order to avoid the fact that if one key is discovered security in the network or in a part of the network may be comprised permanently.

ZigBee is also incorporating an entity which is not present in PRIME or G3 networks and it is the Trust Center (TC). The TC is and application which is trusted by all the devices in the network. It distributes keys as part of network and endapplication configuration management. It can operate in either high or standard security modes. In the high security mode, the TC is required to maintain a list of all the devices in the network, all the relevant keys and control the policies of network admittanca result, the required memory of the TC grows with the number of the devices in the network in this mode.

There is security implementation which is only present in G3, the Protected Channel. It is implemented using EAX mode of the AES ciphering blocdata origin authentication and protection against replays.

There is also an important implementation to take into account that is present in ZigBee and in PRIME but not in G3. The previous two are capable of implementing different levels of security. In PRIME two security profiles, secured and not secured, are defined and a negotiation of security profile is performed before any communication occurs. In ZigBee, there is a wide range of combinations for security profiles. There are 8 possible security suites that can be chosen in the MAC layer security, depending on if the application implements requests security or not, the size of the AES ciphering block or the security services that may be requested. In G3, only one security profile is defined.

Finally, is it important to note that the attacks that may be performed to each one of these technologies are different since, as mentioned before in this section, the wireless networks present much more weak points to be attacked than the wired onesthe sections dedicated for description of each specification, some attacks that may be performed to the specification are described. In can be easily identified that is much easier for an attacker eavesdropping packets or interfere in wireless communitaking advantage from the radio links and the low power transmission policies of the wireless networks.


broadcast traffic, attach/detach of a device to/from the network, etc. In PRIME and G3 theses sets of keys are implemented at MAC layer security level and in ZigBee it is

ted in the application layer security level. Note that some of these keys in all protocols are periodically renewed in order to avoid the fact that if one key is discovered security in the network or in a part of the network may be comprised

ZigBee is also incorporating an entity which is not present in PRIME or G3 networks and it is the Trust Center (TC). The TC is and application which is trusted by all the devices in the network. It distributes keys as part of network and end

tion configuration management. It can operate in either high or standard security modes. In the high security mode, the TC is required to maintain a list of all the devices in the network, all the relevant keys and control the policies of network admittanca result, the required memory of the TC grows with the number of the devices in the

There is security implementation which is only present in G3, the Protected Channel. It is implemented using EAX mode of the AES ciphering blocdata origin authentication and protection against replays.

There is also an important implementation to take into account that is present in ZigBee and in PRIME but not in G3. The previous two are capable of implementing

security. In PRIME two security profiles, secured and not secured, are defined and a negotiation of security profile is performed before any communication occurs. In ZigBee, there is a wide range of combinations for security profiles. There are

security suites that can be chosen in the MAC layer security, depending on if the application implements requests security or not, the size of the AES ciphering block or the security services that may be requested. In G3, only one security profile is

Finally, is it important to note that the attacks that may be performed to each one of these technologies are different since, as mentioned before in this section, the wireless networks present much more weak points to be attacked than the wired onesthe sections dedicated for description of each specification, some attacks that may be performed to the specification are described. In can be easily identified that is much easier for an attacker eavesdropping packets or interfere in wireless communitaking advantage from the radio links and the low power transmission policies of the


broadcast traffic, attach/detach of a device to/from the network, etc. In PRIME and G3 theses sets of keys are implemented at MAC layer security level and in ZigBee it is

ted in the application layer security level. Note that some of these keys in all protocols are periodically renewed in order to avoid the fact that if one key is discovered security in the network or in a part of the network may be comprised

ZigBee is also incorporating an entity which is not present in PRIME or G3 networks and it is the Trust Center (TC). The TC is and application which is trusted by all the devices in the network. It distributes keys as part of network and end-to-end

tion configuration management. It can operate in either high or standard security modes. In the high security mode, the TC is required to maintain a list of all the devices in the network, all the relevant keys and control the policies of network admittance. As a result, the required memory of the TC grows with the number of the devices in the

There is security implementation which is only present in G3, the Protected Channel. It is implemented using EAX mode of the AES ciphering block and provides

There is also an important implementation to take into account that is present in ZigBee and in PRIME but not in G3. The previous two are capable of implementing

security. In PRIME two security profiles, secured and not secured, are defined and a negotiation of security profile is performed before any communication occurs. In ZigBee, there is a wide range of combinations for security profiles. There are

security suites that can be chosen in the MAC layer security, depending on if the application implements requests security or not, the size of the AES ciphering block or the security services that may be requested. In G3, only one security profile is

Finally, is it important to note that the attacks that may be performed to each one of these technologies are different since, as mentioned before in this section, the wireless networks present much more weak points to be attacked than the wired ones. In the sections dedicated for description of each specification, some attacks that may be performed to the specification are described. In can be easily identified that is much easier for an attacker eavesdropping packets or interfere in wireless communication taking advantage from the radio links and the low power transmission policies of the


9.6 PLC vs. IEC62056

The PowerLine Communications systems have been used by energy supplying companies for smart metering since late 1990technology in Europe with many deployments already out there. France ERDF with G3 and Iberdrola with PRIME have been developing its own deployments for testing their respective new technologies. The main advantage of PLno need for implementation of the wired network is required. The already existing network for energy supplying is used. In the case of smart metering, that fact makes that smart grids can reach anywhere that smart metering mmentioned before in this section, these two technologies only implement the lower layers of a system and other protocols are requested for implementation of upper layers. In the case of PRIME IPv4 or IEC61334 may be used for with G3, IPv6 is used. In both cases DLMS/COSEM is usually chosen for the application layer implementation.

In a similar position IEC62056an optical port interface or an electricadata exchange. It is highly useful for onthe energy supplying company. Besides, it can be used for implementing smart metering applications. By using the MoHDLC protocol for the data link layer and usually DLMS/COSEM for the application layer, although other protocols may be used for the application layer, smart grid applications can be deployed. This techneffectiveness, simple transmitters and receivers because of their simple circuitries, robustness of the optical port in residential applications and very low data postprocessing.

Regarding security features, datataken into account since data protection is very important in smart metering. For this aspect, both PLC technologies use 128 bit AES encryption, and it may be used in the third level of security of IEC62056and selected by the meter manufacturer. For the implementation of these data encryption and also other security measures such as authentication or replay protection, the two PLC technologies define a set of drenewed to reinforce protection. Their nodes choose which key to use depending on the type of traffic transferred or the security procedure taking place. In IEC62056standard there are not such tools defined, howthird level of its security the security procedures to be used can be chosen by the manufacturer.

Different levels of security are implemented in PRIME and IEC62056in G3. They are used depending on the application is taking place and whether or not the information transmitted requires any


9.6 PLC vs. IEC62056-21

The PowerLine Communications systems have been used by energy supplying companies for smart metering since late 1990’s and it has become the mainly used technology in Europe with many deployments already out there. France ERDF with G3 and Iberdrola with PRIME have been developing its own deployments for testing their respective new technologies. The main advantage of PLC technologies is the fact that no need for implementation of the wired network is required. The already existing network for energy supplying is used. In the case of smart metering, that fact makes that smart grids can reach anywhere that smart metering may be implemented. However, as mentioned before in this section, these two technologies only implement the lower layers of a system and other protocols are requested for implementation of upper layers. In the case of PRIME IPv4 or IEC61334 may be used for the Data Link Layer while with G3, IPv6 is used. In both cases DLMS/COSEM is usually chosen for the application layer implementation.

In a similar position IEC62056-21 can be situated. All smart meters incorporate an optical port interface or an electrical interface to operate with this protocol for local data exchange. It is highly useful for on-site programming and testing of the meters for the energy supplying company. Besides, it can be used for implementing smart metering applications. By using the Mode E of the IEC62056-21 protocol in combination with HDLC protocol for the data link layer and usually DLMS/COSEM for the application layer, although other protocols may be used for the application layer, smart grid applications can be deployed. This technology brings many advantages such as cost effectiveness, simple transmitters and receivers because of their simple circuitries, robustness of the optical port in residential applications and very low data post

Regarding security features, data encryption may be the first things that must be taken into account since data protection is very important in smart metering. For this aspect, both PLC technologies use 128 bit AES encryption, and it may be used in the third level of security of IEC62056-21 where data encryption algorithms can be used and selected by the meter manufacturer. For the implementation of these data encryption and also other security measures such as authentication or replay protection, the two PLC technologies define a set of different keys, some of them periodically renewed to reinforce protection. Their nodes choose which key to use depending on the type of traffic transferred or the security procedure taking place. In IEC62056standard there are not such tools defined, however, it may be implemented since in the third level of its security the security procedures to be used can be chosen by the

Different levels of security are implemented in PRIME and IEC62056in G3. They are used depending on the requirements where the application of the application is taking place and whether or not the information transmitted requires any


The PowerLine Communications systems have been used by energy supplying ’s and it has become the mainly used

technology in Europe with many deployments already out there. France ERDF with G3 and Iberdrola with PRIME have been developing its own deployments for testing their

C technologies is the fact that no need for implementation of the wired network is required. The already existing network for energy supplying is used. In the case of smart metering, that fact makes that

ay be implemented. However, as mentioned before in this section, these two technologies only implement the lower layers of a system and other protocols are requested for implementation of upper layers.

the Data Link Layer while with G3, IPv6 is used. In both cases DLMS/COSEM is usually chosen for the

21 can be situated. All smart meters incorporate l interface to operate with this protocol for local

site programming and testing of the meters for the energy supplying company. Besides, it can be used for implementing smart metering

21 protocol in combination with HDLC protocol for the data link layer and usually DLMS/COSEM for the application layer, although other protocols may be used for the application layer, smart grid

ology brings many advantages such as cost effectiveness, simple transmitters and receivers because of their simple circuitries, robustness of the optical port in residential applications and very low data post-

encryption may be the first things that must be taken into account since data protection is very important in smart metering. For this aspect, both PLC technologies use 128 bit AES encryption, and it may be used in the

21 where data encryption algorithms can be used and selected by the meter manufacturer. For the implementation of these data encryption and also other security measures such as authentication or replay protection,

ifferent keys, some of them periodically renewed to reinforce protection. Their nodes choose which key to use depending on the type of traffic transferred or the security procedure taking place. In IEC62056-21

ever, it may be implemented since in the third level of its security the security procedures to be used can be chosen by the

Different levels of security are implemented in PRIME and IEC62056-21 but not requirements where the application of the

application is taking place and whether or not the information transmitted requires any


kind of protection as well as if more security procedures such as node authentication are required.

By terms of authenticatioPRIME and G3. To make a parallelization with IEC62056procedure that it implements is operated in the second level of security of it. It is the introduction of one or more security pasunfortunately leads to a weakness that most smart metering protocols avoid by not using passwords which is the possibility to attack it by using brute force and dictionary attacks.

As the security features forthird level of security not much more comparison can be done between it and the PLC specifications security operations and the PLC specifications have been already compared in the previous section dedicatelevel of security in IEC62056and modifications of security registers as well as changing some form of physical setting inside the metering system, such a


kind of protection as well as if more security procedures such as node authentication are

By terms of authentication, shared secrets between nodes are used in both PRIME and G3. To make a parallelization with IEC62056-21, the authentication procedure that it implements is operated in the second level of security of it. It is the introduction of one or more security passwords to access in the metering system, what unfortunately leads to a weakness that most smart metering protocols avoid by not using passwords which is the possibility to attack it by using brute force and dictionary

As the security features for IEC62056-21 are chosen by the manufacturer at the third level of security not much more comparison can be done between it and the PLC specifications security operations and the PLC specifications have been already compared in the previous section dedicated for it. However, there is also one higher level of security in IEC62056-21 which implies on-site manipulation of sealable buttons and modifications of security registers as well as changing some form of physical setting inside the metering system, such as installation of a bridging link.


kind of protection as well as if more security procedures such as node authentication are

n, shared secrets between nodes are used in both 21, the authentication

procedure that it implements is operated in the second level of security of it. It is the swords to access in the metering system, what

unfortunately leads to a weakness that most smart metering protocols avoid by not using passwords which is the possibility to attack it by using brute force and dictionary

21 are chosen by the manufacturer at the third level of security not much more comparison can be done between it and the PLC specifications security operations and the PLC specifications have been already

d for it. However, there is also one higher site manipulation of sealable buttons

and modifications of security registers as well as changing some form of physical s installation of a bridging link.


9.7 RF vs. IEC62056

Both radiofrequency and optical infrared (IEC62056systems but some differences can be found in each way on wireless transmission. The first one, which is obvious, is that they operate in different frequency ranges. The ZigBee and Raconet operate at 868 MHz (ZigBee can do it also at 2.4 GHz) while infrared operates inside a range from 800 nm to 1000 nm wavelength. The range of a wireless link between two deviradiofrequency the range of radio link can be up to 100 meters while in infrared is up ten meters. Note that, in infrared is also necessary line of sight between devices, a fact which is no required in radiofrequency networks, whose signal can pass through walls and opaque objects. It is also important to note at the physical level, that both technologies perform very low consumption (it is actually a design goal in ZigBee), gives its devices battery longer life and independence.

Regarding to interferences there are big differences between the two technologies. It is a very important issue of concern in radiofrequency. There might interferences between devices in the same network, from electromagnetic generated by other devices such as the ones using microwaves and obviously from other radiofrequency systems that might operate in the same area. On the other side, in infrared optical communications the only thing that can cause interferences is sufact that makes infrared inadequate for applications outdoors.

In addition, radiofrequency networks can be planned with a wide range of different network topologies such as mesh, adtwo we are dealing with implement cluster trees providing the network even with a wider range. In opposition, connections with infrared optical technology are always point to point which leads to requiring support from other technologies at upper level for implementing a complete network with numerous devices. However, this is not such an important fact since the main goal of IEC62056effective local data exchange which is what it provides. It is mainly used for onmeter reading and the smart meters are mostly equipped with other technologies such a PLC deployments or GPRS to incorporate them to smart grids.

As mentioned before, IEC62056technology, although line of sight is required for cofact that this technology best fits into residential applications and for those applications requiring specific privacy. It also better suites for using Hand Held Unit (HHU) for manufacturer specific programming and tes

On the other side, both ZigBee and Raconet (radiofrequency technologies) best suite for either industrial or commercial networks for smart metering without the need of support from another technology. These technolocoordinator that is able to send all data to the database facility of the energy supplier.


9.7 RF vs. IEC62056-21

Both radiofrequency and optical infrared (IEC62056-21) systems are wireless systems but some differences can be found in each way on wireless transmission. The

bvious, is that they operate in different frequency ranges. The ZigBee and Raconet operate at 868 MHz (ZigBee can do it also at 2.4 GHz) while infrared operates inside a range from 800 nm to 1000 nm wavelength. The range of a wireless link between two devices using either technologies is very different too. In radiofrequency the range of radio link can be up to 100 meters while in infrared is up ten meters. Note that, in infrared is also necessary line of sight between devices, a fact

n radiofrequency networks, whose signal can pass through walls and opaque objects. It is also important to note at the physical level, that both technologies perform very low consumption (it is actually a design goal in ZigBee),

onger life and independence.

Regarding to interferences there are big differences between the two technologies. It is a very important issue of concern in radiofrequency. There might interferences between devices in the same network, from electromagnetic generated by other devices such as the ones using microwaves and obviously from other radiofrequency systems that might operate in the same area. On the other side, in infrared optical communications the only thing that can cause interferences is sufact that makes infrared inadequate for applications outdoors.

In addition, radiofrequency networks can be planned with a wide range of different network topologies such as mesh, ad-hoc, peer to peer or star; in the case of the

g with implement cluster trees providing the network even with a wider range. In opposition, connections with infrared optical technology are always point to point which leads to requiring support from other technologies at upper level

omplete network with numerous devices. However, this is not such an important fact since the main goal of IEC62056-21 is its usage for simple and costeffective local data exchange which is what it provides. It is mainly used for on

the smart meters are mostly equipped with other technologies such a PLC deployments or GPRS to incorporate them to smart grids.

As mentioned before, IEC62056-21 is a cost-effective and extremely simple technology, although line of sight is required for communicate with it. This leads to the fact that this technology best fits into residential applications and for those applications requiring specific privacy. It also better suites for using Hand Held Unit (HHU) for manufacturer specific programming and testing functions to be performed on site.

On the other side, both ZigBee and Raconet (radiofrequency technologies) best suite for either industrial or commercial networks for smart metering without the need of support from another technology. These technologies are ruled by a network coordinator that is able to send all data to the database facility of the energy supplier.


21) systems are wireless systems but some differences can be found in each way on wireless transmission. The

bvious, is that they operate in different frequency ranges. The ZigBee and Raconet operate at 868 MHz (ZigBee can do it also at 2.4 GHz) while infrared operates inside a range from 800 nm to 1000 nm wavelength. The range of a

ces using either technologies is very different too. In radiofrequency the range of radio link can be up to 100 meters while in infrared is up ten meters. Note that, in infrared is also necessary line of sight between devices, a fact

n radiofrequency networks, whose signal can pass through walls and opaque objects. It is also important to note at the physical level, that both technologies perform very low consumption (it is actually a design goal in ZigBee),

Regarding to interferences there are big differences between the two technologies. It is a very important issue of concern in radiofrequency. There might interferences between devices in the same network, from electromagnetic fields generated by other devices such as the ones using microwaves and obviously from other radiofrequency systems that might operate in the same area. On the other side, in infrared optical communications the only thing that can cause interferences is sunlight, a

In addition, radiofrequency networks can be planned with a wide range of hoc, peer to peer or star; in the case of the

g with implement cluster trees providing the network even with a wider range. In opposition, connections with infrared optical technology are always point to point which leads to requiring support from other technologies at upper level

omplete network with numerous devices. However, this is not such 21 is its usage for simple and cost-

effective local data exchange which is what it provides. It is mainly used for on-site the smart meters are mostly equipped with other technologies such a

effective and extremely simple mmunicate with it. This leads to the

fact that this technology best fits into residential applications and for those applications requiring specific privacy. It also better suites for using Hand Held Unit (HHU) for

ting functions to be performed on site.

On the other side, both ZigBee and Raconet (radiofrequency technologies) best suite for either industrial or commercial networks for smart metering without the need

gies are ruled by a network coordinator that is able to send all data to the database facility of the energy supplier.


Regarding security features, as we do not know much about security implementations in Raconet combined with the fact that the weaknessespresent are similar to the ones that ZigBee presents, we are directly comparing security implementations in ZigBee with the ones in IEC62056

Since the range and the application of both technologies are sensitively different its security features must be regarded differently. ZigBee is implemented with a wide range of security features all along its layers since in radiofrequency high security measures must be deployed due to it has a wide range of weak points that might be attacked as it has been described in ZigBee section of this paper. ZigBee counts with security measures implemented in its MAC, network and application layers. AES encryption is applied in all of them and a set of different keys is defined at the application layer in order to use them independently for different operations in the network such as authentication, device updating or device detaching among others. In the MAC layer, different security suites can be used depending on the needs of the communication that is takingsequential freshness can be guaranteed if necessary.

In IEC62056-21, there not as much complexity implemented regarding those security features. Access control is provided by a passwords or a semust be introduced at second level of security which is sensitively much less complex implementation that the one in ZigBee since for accessing a device using this protocol on-site presence is necessary which does not happen with radiofAs well as in ZigBee, data encryption algorithms can be implemented by manufacturer choice at the third level of security level of IEC62056seems to be choice that most manufacturers take. Furthermore, in hisecurity of this protocol, manual tampering of the meter is required to get through security barriers which mean onboth technologies are able for not using security measures when it ibecause it is not requested in the environment where the protocol is working or because the frames or information that are being transmitted are not considered as sensible and do not need any encryption or protection.

Regarding the weaknesses that these technologies present, not much divergence can be found. Since all of them are wireless technologies, all of them share the weaknesses that this type of technologies present, taking into account that it is more difficult for an attacker to eavesdrop from IEC62056highly shorter.


Regarding security features, as we do not know much about security implementations in Raconet combined with the fact that the weaknessespresent are similar to the ones that ZigBee presents, we are directly comparing security implementations in ZigBee with the ones in IEC62056-21.

Since the range and the application of both technologies are sensitively different eatures must be regarded differently. ZigBee is implemented with a wide

range of security features all along its layers since in radiofrequency high security measures must be deployed due to it has a wide range of weak points that might be

as been described in ZigBee section of this paper. ZigBee counts with security measures implemented in its MAC, network and application layers. AES encryption is applied in all of them and a set of different keys is defined at the

r to use them independently for different operations in the network such as authentication, device updating or device detaching among others. In the MAC layer, different security suites can be used depending on the needs of the communication that is taking place; access control, frame integrity, data encryption and sequential freshness can be guaranteed if necessary.

21, there not as much complexity implemented regarding those security features. Access control is provided by a passwords or a set of passwords that must be introduced at second level of security which is sensitively much less complex implementation that the one in ZigBee since for accessing a device using this protocol

site presence is necessary which does not happen with radiofrequency technologies. As well as in ZigBee, data encryption algorithms can be implemented by manufacturer choice at the third level of security level of IEC62056-21 and AESseems to be choice that most manufacturers take. Furthermore, in hisecurity of this protocol, manual tampering of the meter is required to get through security barriers which mean on-site manipulation. Finally, it is important to note that both technologies are able for not using security measures when it is not required either because it is not requested in the environment where the protocol is working or because the frames or information that are being transmitted are not considered as sensible and do not need any encryption or protection.

weaknesses that these technologies present, not much divergence can be found. Since all of them are wireless technologies, all of them share the weaknesses that this type of technologies present, taking into account that it is more

r to eavesdrop from IEC62056-21 due to the fact that its range is


Regarding security features, as we do not know much about security implementations in Raconet combined with the fact that the weaknesses that it may present are similar to the ones that ZigBee presents, we are directly comparing security

Since the range and the application of both technologies are sensitively different eatures must be regarded differently. ZigBee is implemented with a wide

range of security features all along its layers since in radiofrequency high security measures must be deployed due to it has a wide range of weak points that might be

as been described in ZigBee section of this paper. ZigBee counts with security measures implemented in its MAC, network and application layers. AES encryption is applied in all of them and a set of different keys is defined at the

r to use them independently for different operations in the network such as authentication, device updating or device detaching among others. In the MAC layer, different security suites can be used depending on the needs of the

place; access control, frame integrity, data encryption and

21, there not as much complexity implemented regarding those t of passwords that

must be introduced at second level of security which is sensitively much less complex implementation that the one in ZigBee since for accessing a device using this protocol

requency technologies. As well as in ZigBee, data encryption algorithms can be implemented by manufacturer

21 and AES-128 encryption seems to be choice that most manufacturers take. Furthermore, in highest level of security of this protocol, manual tampering of the meter is required to get through

site manipulation. Finally, it is important to note that s not required either

because it is not requested in the environment where the protocol is working or because the frames or information that are being transmitted are not considered as sensible and

weaknesses that these technologies present, not much divergence can be found. Since all of them are wireless technologies, all of them share the weaknesses that this type of technologies present, taking into account that it is more

21 due to the fact that its range is


10. Tools for performing the attacks

An enormous range of tools can be found on the internet for the purpose of attacking networks, either hardware or software. Despitepurpose of attacking networks but to be tools for security professionals to test security in networks and improve this security, owning this kind of tools, specially the hardware ones, is illegal in some countries. In this can be found on the net are presented as well as some practical example of how to perform attacks with these tools.

10.1 Back Track

Back Track, today in its fifth version already, is one of the most useful tohacking. It is a Linux Live distribution focused on security with over 300 different tools a user friendly interface. It is available in the Back Track Linux website for no charge. It is regularly used in two opposite ways. It gives the possibilityattack servers, networks or any terminal, actually Back Track 5 is widely used, even by unexperienced users for cracking Wiinternet. On the other hand, it is a highly used for securitysecurity testing and security study and improvement of already existing specifications.


10. Tools for performing the attacks

An enormous range of tools can be found on the internet for the purpose of attacking networks, either hardware or software. Despite they are meant not only for the purpose of attacking networks but to be tools for security professionals to test security in networks and improve this security, owning this kind of tools, specially the hardware ones, is illegal in some countries. In this section some of the most important tools that can be found on the net are presented as well as some practical example of how to perform attacks with these tools.

Back Track, today in its fifth version already, is one of the most useful tohacking. It is a Linux Live distribution focused on security with over 300 different tools a user friendly interface. It is available in the Back Track Linux website for no charge. It is regularly used in two opposite ways. It gives the possibility to hackers to use it to attack servers, networks or any terminal, actually Back Track 5 is widely used, even by unexperienced users for cracking Wi-Fi passwords and obtaining free access to the internet. On the other hand, it is a highly used for security professionals for network security testing and security study and improvement of already existing specifications.

Figure 10.1. Back Track 5


An enormous range of tools can be found on the internet for the purpose of they are meant not only for the

purpose of attacking networks but to be tools for security professionals to test security in networks and improve this security, owning this kind of tools, specially the hardware

section some of the most important tools that can be found on the net are presented as well as some practical example of how to

Back Track, today in its fifth version already, is one of the most useful tools for hacking. It is a Linux Live distribution focused on security with over 300 different tools a user friendly interface. It is available in the Back Track Linux website for no charge. It

to hackers to use it to attack servers, networks or any terminal, actually Back Track 5 is widely used, even by

Fi passwords and obtaining free access to the professionals for network

security testing and security study and improvement of already existing specifications.


The tools that comprise Back Track are all openare also available separatelythem to security professionals and hackers. Back Track tools are organized into 12 categories:

• Information Gathering:web and network analysis. Among athere are two that are highly useful for hackers which are Nmap and Wireshark.

Figure 10.2. Network analysis menu in Back Track 5

Nmap is a sophisticated scanning tool used to discover ports, services and hosts on a network. It can be used to determine what type of operating system is running on a target machine as well as what version of a service is running on a specific port which may assist hackers in determining what vulnerabilities a target may be s


The tools that comprise Back Track are all open-source and free. All of the tools are also available separately if needed. Back Track integrates the tools and organizes them to security professionals and hackers. Back Track tools are organized into 12

Information Gathering: In this category we can find several tools for web and network analysis. Among all tools that can be found in this section there are two that are highly useful for hackers which are Nmap and Wireshark.

Figure 10.2. Network analysis menu in Back Track 5

Nmap is a sophisticated scanning tool used to discover ports, services osts on a network. It can be used to determine what type of operating

system is running on a target machine as well as what version of a service is running on a specific port which may assist hackers in determining what vulnerabilities a target may be susceptible to.


source and free. All of the tools if needed. Back Track integrates the tools and organizes

them to security professionals and hackers. Back Track tools are organized into 12

In this category we can find several tools for ll tools that can be found in this section

there are two that are highly useful for hackers which are Nmap and Wireshark.

Nmap is a sophisticated scanning tool used to discover ports, services osts on a network. It can be used to determine what type of operating

system is running on a target machine as well as what version of a service is running on a specific port which may assist hackers in determining what


Wireshark is a open to troubleshoot network problems or eavesdrop on both wired and wireless network traffic. Wireshark can assist hackers in performing man attacks and is a key component for many other attacks.

• Vulnerability Assessment:used mainly for searching for vulnerabilities in networks. These tools first use network scanners to study the configuraexploitations to the ports that they have found. One of the most powerful ones is Nessus. • Exploitation Tools:of vulnerability exploits that can be used for hackers to remote targets and check if these targets are susceptible to the exploits tested. The Metaexploit Framework is a powerful tool here. Another one that is interesting for us here is the freeradiusattacking RADIUS remote authentication servers as in the case of PLC G3 specification. • Privilege Escalation:tools in which highlight networks sniffers such as wireshark, tools for network spoofing and tools f


Wireshark is a open-source packet analyzer (sniffer) which can be used to troubleshoot network problems or eavesdrop on both wired and wireless network traffic. Wireshark can assist hackers in performing man

s a key component for many other attacks.

Figure 10.3 Wireshark

Vulnerability Assessment: In this section tools that can be found are used mainly for searching for vulnerabilities in networks. These tools first use network scanners to study the configuration of the network and then try some exploitations to the ports that they have found. One of the most powerful ones is

Exploitation Tools: Here there can be found tools for the development of vulnerability exploits that can be used for hackers to test these exploits to remote targets and check if these targets are susceptible to the exploits tested. The Metaexploit Framework is a powerful tool here. Another one that is interesting for us here is the freeradius-wpe, a tool that may be used for

king RADIUS remote authentication servers as in the case of PLC G3

Privilege Escalation: In this section we can find a various collection of tools in which highlight networks sniffers such as wireshark, tools for network spoofing and tools for passwords attacks such as John the ripper the most well


source packet analyzer (sniffer) which can be used to troubleshoot network problems or eavesdrop on both wired and wireless network traffic. Wireshark can assist hackers in performing man-in-the-middle

In this section tools that can be found are used mainly for searching for vulnerabilities in networks. These tools first use

tion of the network and then try some exploitations to the ports that they have found. One of the most powerful ones is

Here there can be found tools for the development test these exploits to

remote targets and check if these targets are susceptible to the exploits tested. The Metaexploit Framework is a powerful tool here. Another one that is

wpe, a tool that may be used for king RADIUS remote authentication servers as in the case of PLC G3

In this section we can find a various collection of tools in which highlight networks sniffers such as wireshark, tools for network

or passwords attacks such as John the ripper the most well-


known tool to perform dictionary and brute force attacks to security passwords. The John the ripper tool is deployed in the figure on the next page.

Figure 10.4 John the ripper password cracker

• Maintaining Access:Backdoors and a few more for tunneling protocols can be found in this section.• Reverse Engineering:device functionalities. It is widely used for antimprovement. IT may be used to figure out the operational functionalities of proprietary technologies such as Raconet.• RFID Tools:this section. • Stress testing:networks are comprised in this section. The goals of such tests may be to ensure the software does not DoS attacks. • Forensics: Recovery file tools and mailbox scanner applications are included in this section. These tools are used for avoiding corrupted files and scanning files for hacker tools.• Reporting Tools:MagicTree can be found in this section. • Services: Very different applications can be found in this section. One that highlights here is Snort a network intrusion detection system, a very useful



Figure 10.4 John the ripper password cracker

aintaining Access: A set of tools for exploiting OS and Web Backdoors and a few more for tunneling protocols can be found in this section.

Reverse Engineering: A set of tools for system analysis to discover device functionalities. It is widely used for anti-tampering systems improvement. IT may be used to figure out the operational functionalities of proprietary technologies such as Raconet.

RFID Tools: A wide range for attacking RFID devices can be found in

Stress testing: A set of tools for high load test on various types of networks are comprised in this section. The goals of such tests may be to ensure the software does not crash in conditions of insufficient computational resources

Recovery file tools and mailbox scanner applications are included in this section. These tools are used for avoiding corrupted files and scanning files for hacker tools.

Reporting Tools: Several tools for penetration testing such as MagicTree can be found in this section.

Very different applications can be found in this section. One that highlights here is Snort a network intrusion detection system, a very useful



A set of tools for exploiting OS and Web Backdoors and a few more for tunneling protocols can be found in this section.

A set of tools for system analysis to discover tampering systems

improvement. IT may be used to figure out the operational functionalities of

A wide range for attacking RFID devices can be found in

high load test on various types of networks are comprised in this section. The goals of such tests may be to ensure

cient computational resources

Recovery file tools and mailbox scanner applications are included in this section. These tools are used for avoiding corrupted files and

or penetration testing such as

Very different applications can be found in this section. One that highlights here is Snort a network intrusion detection system, a very useful


tools for security professionaand anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.• Miscellaneous:are situated in this section. Tools wsuch as the MAC changer, an application for changing the MAC address. [87]

One of the best issues of the Back Track software is its development community. In the Back Track web site, a big amount of forums are organized with tutorials for all aspects of Back Track and there is a lot of interaction between users. Additionally a nice amount of books are also available for learning on how to use all tools that are comprised in Back Track. There is also an extensive online training and a certification track for the people who are capable of mastering in all aspects of Back Track.Offensive Security provides a certification calProfessional, where would-certain number of test systems in Offensive Security's test lab. [87] [93] [96]

After having described utilities and applications thwe will see two examples of attacks that can be performed with Back Track. The first one is a DoS attack to networks using IP technology on its network level. In this category there can be found two of the technologies of smarpaper which are PRIME and G3. The second attack that will be described is a Man


tools for security professionals. Combining the benefits of signature, protocol, based inspection, Snort is the most widely deployed IDS/IPS

technology worldwide. Miscellaneous: Tools that are not included in other more specific section

are situated in this section. Tools with very different utilities can be found here such as the MAC changer, an application for changing the MAC address. [87]

Figure 10.5 GNU MAC Changer

One of the best issues of the Back Track software is its development community. ite, a big amount of forums are organized with tutorials for all

aspects of Back Track and there is a lot of interaction between users. Additionally a nice amount of books are also available for learning on how to use all tools that are

rack. There is also an extensive online training and a certification track for the people who are capable of mastering in all aspects of Back Track.

provides a certification called the Offensive Security Certified -be-hackers / security pros must prove themselves and hack a

certain number of test systems in Offensive Security's test lab. [87] [93] [96]

After having described utilities and applications that can be found in Back Track we will see two examples of attacks that can be performed with Back Track. The first one is a DoS attack to networks using IP technology on its network level. In this category there can be found two of the technologies of smart metering described on this paper which are PRIME and G3. The second attack that will be described is a Man


Combining the benefits of signature, protocol, based inspection, Snort is the most widely deployed IDS/IPS

Tools that are not included in other more specific section ith very different utilities can be found here

such as the MAC changer, an application for changing the MAC address. [87]

One of the best issues of the Back Track software is its development community. ite, a big amount of forums are organized with tutorials for all

aspects of Back Track and there is a lot of interaction between users. Additionally a nice amount of books are also available for learning on how to use all tools that are

rack. There is also an extensive online training and a certification track for the people who are capable of mastering in all aspects of Back Track.

led the Offensive Security Certified hackers / security pros must prove themselves and hack a

certain number of test systems in Offensive Security's test lab. [87] [93] [96]

at can be found in Back Track we will see two examples of attacks that can be performed with Back Track. The first one is a DoS attack to networks using IP technology on its network level. In this

t metering described on this paper which are PRIME and G3. The second attack that will be described is a Man-in-


the-Middle attack that may be performed to a wireless network, a category in which we may comprise all other smart metering specifications analy

10.1.1 Denial of Service (DoS) attack with Back Track

To perform a Denial of Service attack with Back Track two applications are requested:

• Lbd.sh, Load Balancing Detector:domain uses load balancing.workload across multiple resources in the network to optimize the utilization, data rate and time response. It is usually provided by the DNS (Domain Name Server). • Slowloris.pl:There are other applications to perform DoS attacks in Back Track such as dos6.• Zenmap: This tool is used to scan a network obtaining MAC and IP addresses of network hosts and open ports of these hosts.

First of all the attacker needs to hack and get access to the network where the attack is to be performed. Once the access is obtained in the network, to perform the


Middle attack that may be performed to a wireless network, a category in which we may comprise all other smart metering specifications analyzed in this paper.

10.1.1 Denial of Service (DoS) attack with Back Track

To perform a Denial of Service attack with Back Track two applications are

Lbd.sh, Load Balancing Detector: This application checks if a given domain uses load balancing. The load balancing is a methodology to distribute workload across multiple resources in the network to optimize the utilization, data rate and time response. It is usually provided by the DNS (Domain Name

Slowloris.pl: This application is the one that performs the DoS attack. There are other applications to perform DoS attacks in Back Track such as dos6.

This tool is used to scan a network obtaining MAC and IP addresses of network hosts and open ports of these hosts.

Figure 10.6 Zenmap network scan



Middle attack that may be performed to a wireless network, a category in which we zed in this paper.

To perform a Denial of Service attack with Back Track two applications are

This application checks if a given The load balancing is a methodology to distribute

workload across multiple resources in the network to optimize the utilization, data rate and time response. It is usually provided by the DNS (Domain Name

that performs the DoS attack. There are other applications to perform DoS attacks in Back Track such as dos6.

This tool is used to scan a network obtaining MAC and IP



attack, the network is firstly scanned by Zenmap. This way the attacker obtaaddresses, open ports of hosts and topology of the network. This way the attacker is able to identify the server of the network to attack it and shut it down, or a single host if it is the purpose. Afterwards, load balancing at the server is checkebalancing is found, the attacker is able to perform the DoS attack by using slowloris.pl application.

10.1.2 Man-in-the-Middle (MitM) attack with Back Track

The MitM attack is performed in order to eavesdrop by an attacker thatindependent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be abintercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances.

Once an attacker has been able to gain access to a network the attack can begin. The target's IP and operating has already beenaddress. The test computer, the target as well as the gateway are all on the same subnet. The attack begins with a basic MITM (Managainst a single target on a network.

The network traffic, will be intercepted by the test computer, and an iframe will be injected. This iframe will point back to the test computer which will be hosting packets with malicious payload (via the Metaexecute the malicious content hosted on the test computer in the victim equipment. The end result will be admin\root access to the targets computer via a meterpreter session. The attack follows the following instructions:

/usr/bin/start-network cd /pentest/exploit/framework3svn update echo 1 > /proc/sys/net/ipv4/ip_forwardec-uid = 0 ec_guid = 0 if (ip.proto == TCP && tcp.dst == 80) {if (search(DATA.data, “Acceptreplace (“Accept-Encoding”,”Acceptmsg(“zapped Accept-Encoding!} }


attack, the network is firstly scanned by Zenmap. This way the attacker obtaaddresses, open ports of hosts and topology of the network. This way the attacker is able to identify the server of the network to attack it and shut it down, or a single host if it is the purpose. Afterwards, load balancing at the server is checked and if not load balancing is found, the attacker is able to perform the DoS attack by using slowloris.pl

Middle (MitM) attack with Back Track

The MitM attack is performed in order to eavesdrop by an attacker thatdependent connections with the victims and relays messages between them, making

them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be abintercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances.

Once an attacker has been able to gain access to a network the attack can begin. The target's IP and operating has already been discovered as well as the gateway IP address. The test computer, the target as well as the gateway are all on the same subnet. The attack begins with a basic MITM (Man-in-the-Middle) ARP poisoning attack against a single target on a network.

traffic, will be intercepted by the test computer, and an iframe will be injected. This iframe will point back to the test computer which will be hosting packets with malicious payload (via the Meta-sploit framework). This iframe will

content hosted on the test computer in the victim equipment. The root access to the targets computer via a meterpreter session.

The attack follows the following instructions:

cd /pentest/exploit/framework3 Metaexploit commands

echo 1 > /proc/sys/net/ipv4/ip_forward

if (ip.proto == TCP && tcp.dst == 80) { if (search(DATA.data, “Accept-Encoding”)){

Encoding”,”Accept-Rubbish!”); Encoding!\n”);


attack, the network is firstly scanned by Zenmap. This way the attacker obtains the addresses, open ports of hosts and topology of the network. This way the attacker is able to identify the server of the network to attack it and shut it down, or a single host if it is

d and if not load balancing is found, the attacker is able to perform the DoS attack by using slowloris.pl

The MitM attack is performed in order to eavesdrop by an attacker that makes dependent connections with the victims and relays messages between them, making

them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is

Once an attacker has been able to gain access to a network the attack can begin. discovered as well as the gateway IP

address. The test computer, the target as well as the gateway are all on the same subnet. Middle) ARP poisoning attack

traffic, will be intercepted by the test computer, and an iframe will be injected. This iframe will point back to the test computer which will be hosting

sploit framework). This iframe will content hosted on the test computer in the victim equipment. The

root access to the targets computer via a meterpreter session.

Metaexploit commands


if (ip.proto == TCP && tcp.src == 80){replace(“(/title)”,”(/title>)iframe src =height=0>(/iframe)”); msg(“iframe Filter Ran.\n”);ettefilter iframe.txt –o iframe.efcd /pentest/exploit/framework3directorymsfconsole Use windows/browser/ms10_xxx_helpctr_xss_cmd_execSet PAYLOAD windows/meterpreter/reverse_tcpSet LHOST youripaddress Set SRVHOST youripaddressSet SRVPORT 80 Exploit Ettercap –i wlan –F iframe.ef

The attack is performed by using the above written commands using two applications in Back Track:

• Metasploit Framework:code against a remote target machine. It also includes tools. It offers many types of enables users to run collection scripts or run commands against the host ometerpreter which enables attackers to control the victim’s screen and to upload or download files.

• Ettercap: It is a network sniffer that can not only log packet data but can use filters to inject or replace data within the packets. When used in a MITM attack ettercap filters can drop packets, or inject code into packets that will be forwarded to the target machine.

Once the attack has been runned, the victim’s box is compromised. The attacker is able perform a wide range of actions on the victim such ashell on the target by entering shell into meterpreter, upload or download files, grab password hashes, send over a secure backdoor program like netcat or edit victim’s registry. [88]


if (ip.proto == TCP && tcp.src == 80){ replace(“(/title)”,”(/title>)iframe src = http://youripaddress” width=0

n”); o iframe.ef

pentest/exploit/framework3directory

Use windows/browser/ms10_xxx_helpctr_xss_cmd_exec Metaexploit commandsSet PAYLOAD windows/meterpreter/reverse_tcp

Set SRVHOST youripaddress

F iframe.ef –TQM arp:remote /targeip/ /gatewayip/ -P autoadd

The attack is performed by using the above written commands using two applications in Back Track:

Metasploit Framework: It is a tool for developing and executing code against a remote target machine. It also includes anti-forensictools. It offers many types of payloads, including such as command shell, that enables users to run collection scripts or run commands against the host ometerpreter which enables attackers to control the victim’s screen and to upload

It is a network sniffer that can not only log packet data but can use filters to inject or replace data within the packets. When used in a MITM attack ettercap filters can drop packets, or inject code into packets that will be forwarded to the target machine.

Once the attack has been runned, the victim’s box is compromised. The attacker is able perform a wide range of actions on the victim such as dropping commands to a shell on the target by entering shell into meterpreter, upload or download files, grab password hashes, send over a secure backdoor program like netcat or edit victim’s


Metaexploit commands

P autoadd

The attack is performed by using the above written commands using two

It is a tool for developing and executing exploit forensic and evasion

, including such as command shell, that enables users to run collection scripts or run commands against the host or meterpreter which enables attackers to control the victim’s screen and to upload

It is a network sniffer that can not only log packet data but can use filters to inject or replace data within the packets. When used in a MITM attack ettercap filters can drop packets, or inject code into packets that will be

Once the attack has been runned, the victim’s box is compromised. The attacker s dropping commands to a

shell on the target by entering shell into meterpreter, upload or download files, grab password hashes, send over a secure backdoor program like netcat or edit victim’s


10.2 Specific attacks to GPRS

In order to perform an attack to the GPRS network, the following are the tools an attacker may need:

• Any kind of laptop or computer running on Unix OS• An internet uplink connection

• A Power over Ethernet adapter such as D• A hub or a switch

• A Base Transcei• OpenBTS, which is a Unix application that uses software radio to present GPRS air interface to standard 2G GSM and uses SIP softswitch or PBX to connect calls. It gives the possibility to implement a low cost cellularcompatible with handsets in the market.• OpenBSC, a free software GPLand elements. It includes functionality normally performed by a BSC, MSC, HLR, AuC, VLR or EIR.• OsmoSGSN, a software application included iis a free software implementation of the GPRS Serving GPRS Support Node (SGSN). It connects via the Gb interface to the BSS and via the GTP protocol to a Gateway GPRS Support Node (GGSN).• OpenGGSN, a Gateway GPRS Support Node (GGSinterface between the internet and the mobile network infrastructure.• A mobile phone jammer [97] [98]

Various attacks may be performed by using the previously described tools, one of them is a Man-in-the-Middle attack (MitM). To perform itattacker location meanwhile, the mobile phone jammer is used to jam the regular BTS that the victim may connect to so the victim connects to the attacker’s BTS who by following several steps for frequency selection and impersonatOnce this connection is established, the attacker gets full access to the IP connection between the victim and the internet and is able to eavesdrop the traffic in cleartext, alter this traffic, redirect the outgoing connections ofvictim’s vulnerabilities. [90]


10.2 Specific attacks to GPRS

perform an attack to the GPRS network, the following are the tools

Any kind of laptop or computer running on Unix OS An internet uplink connection

A Power over Ethernet adapter such as D-Link DWL-P50A hub or a switch

A Base Transceiver Station (BTS) supported by OpenBTSOpenBTS, which is a Unix application that uses software radio to present

GPRS air interface to standard 2G GSM and uses SIP softswitch or PBX to connect calls. It gives the possibility to implement a low cost cellularcompatible with handsets in the market.

OpenBSC, a free software GPL-licensed implementation for GPRS stack and elements. It includes functionality normally performed by a BSC, MSC, HLR, AuC, VLR or EIR.

OsmoSGSN, a software application included in the OpenBSC project. It is a free software implementation of the GPRS Serving GPRS Support Node (SGSN). It connects via the Gb interface to the BSS and via the GTP protocol to a Gateway GPRS Support Node (GGSN).

OpenGGSN, a Gateway GPRS Support Node (GGSN) which is an interface between the internet and the mobile network infrastructure.

A mobile phone jammer [97] [98]

Various attacks may be performed by using the previously described tools, one Middle attack (MitM). To perform it, a BTS is deployed in the

attacker location meanwhile, the mobile phone jammer is used to jam the regular BTS that the victim may connect to so the victim connects to the attacker’s BTS who by following several steps for frequency selection and impersonation attracts the victim. Once this connection is established, the attacker gets full access to the IP connection between the victim and the internet and is able to eavesdrop the traffic in cleartext, alter this traffic, redirect the outgoing connections of the victim or directly exploit the victim’s vulnerabilities. [90]


perform an attack to the GPRS network, the following are the tools

P50

ver Station (BTS) supported by OpenBTS OpenBTS, which is a Unix application that uses software radio to present

GPRS air interface to standard 2G GSM and uses SIP softswitch or PBX to connect calls. It gives the possibility to implement a low cost cellular network

licensed implementation for GPRS stack and elements. It includes functionality normally performed by a BSC, MSC,

n the OpenBSC project. It is a free software implementation of the GPRS Serving GPRS Support Node (SGSN). It connects via the Gb interface to the BSS and via the GTP protocol to

N) which is an interface between the internet and the mobile network infrastructure.

Various attacks may be performed by using the previously described tools, one , a BTS is deployed in the

attacker location meanwhile, the mobile phone jammer is used to jam the regular BTS that the victim may connect to so the victim connects to the attacker’s BTS who by

ion attracts the victim. Once this connection is established, the attacker gets full access to the IP connection between the victim and the internet and is able to eavesdrop the traffic in cleartext, alter

the victim or directly exploit the


10.3 Specific attack to wireless networks

An attack which can be easily performed to the wireless networks is a jamming attack. It is simple because it does not require a widnetwork to be attacked and it does not deal with cracking passwords or breaking an encryption algorithm. It simply takes advantage of one of the main goals of wireless technologies and wireless networks deployments which is tfor battery life enlargement.

A wide range of jammers can be purchased on the internet within a wide range of prices. Its range goes from just a few up to distances of hundreds of meters. There exist jammers designed to jam specifBluetooth, CDMA or 3G but the most useful ones are capable of jamming a wide range of frequencies. Many of the ones that can be purchased are capable of performing jamming attacks in the range from 900 MHz to 2.5 GHtools used by military for disabling enemy’s radio communications. Something important that must be taken into account is that in many countries it is illegal to own or use one of these devices. In the figure below some of them


10.3 Specific attack to wireless networks - Jamming

An attack which can be easily performed to the wireless networks is a jamming attack. It is simple because it does not require a wide range of knowledge about the network to be attacked and it does not deal with cracking passwords or breaking an encryption algorithm. It simply takes advantage of one of the main goals of wireless technologies and wireless networks deployments which is the low power consumption for battery life enlargement.

A wide range of jammers can be purchased on the internet within a wide range of prices. Its range goes from just a few up to distances of hundreds of meters. There exist jammers designed to jam specific technologies such as GPRS/GSM, WiBluetooth, CDMA or 3G but the most useful ones are capable of jamming a wide range of frequencies. Many of the ones that can be purchased are capable of performing jamming attacks in the range from 900 MHz to 2.5 GHz. Some of them are actually tools used by military for disabling enemy’s radio communications. Something important that must be taken into account is that in many countries it is illegal to own or use one of these devices. In the figure below some of them are shown.

Figure 10.7. Jammers [99]


An attack which can be easily performed to the wireless networks is a jamming e range of knowledge about the

network to be attacked and it does not deal with cracking passwords or breaking an encryption algorithm. It simply takes advantage of one of the main goals of wireless

he low power consumption

A wide range of jammers can be purchased on the internet within a wide range of prices. Its range goes from just a few up to distances of hundreds of meters. There

ic technologies such as GPRS/GSM, Wi-Fi, Bluetooth, CDMA or 3G but the most useful ones are capable of jamming a wide range of frequencies. Many of the ones that can be purchased are capable of performing

z. Some of them are actually tools used by military for disabling enemy’s radio communications. Something important that must be taken into account is that in many countries it is illegal to own or


10.4 Specific attacks to ZigBee

In October of 2010, developer Joshua Wright presented an open source collection of Linux tools called KillerBee with the intention for testing the security of ZigBee networks. The developer thought is that security seriously due to the lack of attack tool availability and it was not going to get better until a practical attack surface was implemented.framework and tool set for exploring and exploiting the security of ZigBee and IEEE 802.15.4 networks. Using KillerBee tools and a compatible IEEE 802.15.4 radio interface, you can eavesdrop on ZigBee networks, replay traffic, attack cryptosystems and much more. Using the KillerBee framework, a potential attacker may be able to build your own tools, implement ZigBee fuzzing, emulate and attack endrouters and coordinators. [62]

The hardware and firmware tools needed for using the KillerBee applthe following:

• Two AVR RZ Raven USB sticks, one for sniffing and one for injecting

• AT90USB1287 uC with AT86RF230 802.15.4 transceiver• 4 LED’s, PCB antenna

• A free development IDE supporting gcc• KillerBee firmware• AVR JTAG ICE mkl

Figure 10.8. AVR RZ Raven USB sticks, AT90USB1287 and AT86RF230 [82] [83]

A wide range of various applications are included in KillerBee in order to sniff out ad performing attacks to ZigBee security which are:


10.4 Specific attacks to ZigBee - KillerBee

In October of 2010, developer Joshua Wright presented an open source collection of Linux tools called KillerBee with the intention for testing the security of

Bee networks. The developer thought is that to date, vendors have not taken ZigBee security seriously due to the lack of attack tool availability and it was not going to get better until a practical attack surface was implemented. KillerBee is a Python basframework and tool set for exploring and exploiting the security of ZigBee and IEEE 802.15.4 networks. Using KillerBee tools and a compatible IEEE 802.15.4 radio interface, you can eavesdrop on ZigBee networks, replay traffic, attack cryptosystems

uch more. Using the KillerBee framework, a potential attacker may be able to build your own tools, implement ZigBee fuzzing, emulate and attack end

[62]

The hardware and firmware tools needed for using the KillerBee appl

Two AVR RZ Raven USB sticks, one for sniffing and one for injecting

AT90USB1287 uC with AT86RF230 802.15.4 transceiver4 LED’s, PCB antenna

A free development IDE supporting gcc-based compilers KillerBee firmware AVR JTAG ICE mkll programmer [62]

Figure 10.8. AVR RZ Raven USB sticks, AT90USB1287 and AT86RF230 [82] [83] [84]

A wide range of various applications are included in KillerBee in order to sniff out ad performing attacks to ZigBee security which are:


In October of 2010, developer Joshua Wright presented an open source collection of Linux tools called KillerBee with the intention for testing the security of

to date, vendors have not taken ZigBee security seriously due to the lack of attack tool availability and it was not going to get

KillerBee is a Python based framework and tool set for exploring and exploiting the security of ZigBee and IEEE 802.15.4 networks. Using KillerBee tools and a compatible IEEE 802.15.4 radio interface, you can eavesdrop on ZigBee networks, replay traffic, attack cryptosystems

uch more. Using the KillerBee framework, a potential attacker may be able to build your own tools, implement ZigBee fuzzing, emulate and attack end-devices,

The hardware and firmware tools needed for using the KillerBee application are

Two AVR RZ Raven USB sticks, one for sniffing and one for injecting

AT90USB1287 uC with AT86RF230 802.15.4 transceiver

Figure 10.8. AVR RZ Raven USB sticks, AT90USB1287 and AT86RF230 [82] [83]

A wide range of various applications are included in KillerBee in order to sniff


• Zbid: Obtains aarea. • Zbdump: Commercial Daintree SNA savefile format. It is used for recording data stream form the wireless network. Recordings can be afterwards analysed in Wireshark without difficulties. Wiresharkprotocol analyzer for Linux and Windows.• Zbconvert: • Zbreplay: It can replay recorded data streams. Using this application, replay attacks can be performed. Packets eavesdropped from the netwstored are resent to the network and the response is observed.• Zbdsniff: This application is capable of searching of captures sniffed from transmission over the air for network keys sent.

• Zbfind: A GUI for ZigBee location tracking.• Zbgoodfind:developed by Travis Goodspeed to crack stored keys.• Zbassocflood:

Figure 10.9. Zbdsniff network key capture [62]

Figure 10.10. Zbreplay performing a replay attack


Obtains a list of the available ZigBee devices supported in the

Commercial Daintree SNA savefile format. It is used for recording data stream form the wireless network. Recordings can be afterwards analysed in Wireshark without difficulties. Wireshark, is a widely used network protocol analyzer for Linux and Windows.

Used to convert captured file formats. It can replay recorded data streams. Using this application,

replay attacks can be performed. Packets eavesdropped from the netwstored are resent to the network and the response is observed.

This application is capable of searching of captures sniffed from transmission over the air for network keys sent.

A GUI for ZigBee location tracking. Zbgoodfind: It uses a memory dump generated using sniffer hardware

developed by Travis Goodspeed to crack stored keys. Zbassocflood: ZR/ZC association flooder. [62]

Figure 10.9. Zbdsniff network key capture [62]

Figure 10.10. Zbreplay performing a replay attack [62]


list of the available ZigBee devices supported in the

Commercial Daintree SNA savefile format. It is used for recording data stream form the wireless network. Recordings can be afterwards

, is a widely used network

It can replay recorded data streams. Using this application, replay attacks can be performed. Packets eavesdropped from the network and

This application is capable of searching of captures sniffed

ses a memory dump generated using sniffer hardware


Figure 10.11. Zbfind searching ZigBee devices [85]

On the following link, a video of a presentation of KillerBee by the developer Joshua Wright can be found:

http://blip.tv/source-bostonframework-3586816


Figure 10.11. Zbfind searching ZigBee devices [85]

On the following link, a video of a presentation of KillerBee by the developer Joshua Wright can be found:

boston-2010/josh-wright-killerbee-practical-zigbee-


On the following link, a video of a presentation of KillerBee by the developer

-exploitation-


10.5 Specific attacks to Bluetooth

10.5.1 Blooover

Blooover, a Java application for mobile phones, was developeGroup. It is available for some mobile phones and requires J2ME (Micro Edition). Blooover is able to do security audits on mobile phones, checking known vulnerabilities. Additionally, it is capable of executing a BlueBug attack. Roughly, BlueSnarfing enables an attacker, to retrieve private data from the targeted device, while BlueBugging aims at taking remote control over an attacked device.

Figure 10.12. Blooover II settings [101]


10.5 Specific attacks to Bluetooth

, a Java application for mobile phones, was developed by the trifinite Group. It is available for some mobile phones and requires J2ME (Java

). Blooover is able to do security audits on mobile phones, checking known vulnerabilities. Additionally, it is capable of executing a BlueSna

attack. Roughly, BlueSnarfing enables an attacker, to retrieve private data from the targeted device, while BlueBugging aims at taking remote control over an attacked

Figure 10.12. Blooover II settings [101]


d by the trifinite Java 2 Platform,

). Blooover is able to do security audits on mobile phones, checking BlueSnarf and a limited

attack. Roughly, BlueSnarfing enables an attacker, to retrieve private data from the targeted device, while BlueBugging aims at taking remote control over an attacked


10.5.2 BTCrack

BTCrack was published at 23C3, a German hacker congress. It serves a graphical interface for a passive attack, which aims at eavesdropping messages in a pairing process between two devices, in order to retrieve the Bluetooth PIN and generated link key.

Figure 10.13. BtCrack example [86]

An attacker is able to enter previously discovered Bluetooth device addresses, in order to enforce re-pairing between the two target devices. Subsequently, the whole pairing communication is eavesdropped, allosearch on the Bluetooth PIN used within the pairing process. This attack is described on the section about Bluetooth of this paper.


was published at 23C3, a German hacker congress. It serves a graphical interface for a passive attack, which aims at eavesdropping messages in a pairing process between two devices, in order to retrieve the Bluetooth PIN and

Figure 10.13. BtCrack example [86]

An attacker is able to enter previously discovered Bluetooth device addresses, in pairing between the two target devices. Subsequently, the whole

pairing communication is eavesdropped, allowing the program to do an exhaustive search on the Bluetooth PIN used within the pairing process. This attack is described on the section about Bluetooth of this paper.


was published at 23C3, a German hacker congress. It serves a graphical interface for a passive attack, which aims at eavesdropping messages in a pairing process between two devices, in order to retrieve the Bluetooth PIN and

An attacker is able to enter previously discovered Bluetooth device addresses, in pairing between the two target devices. Subsequently, the whole

wing the program to do an exhaustive search on the Bluetooth PIN used within the pairing process. This attack is described on


11. Conclusion

On smart meter reading technologies there is still a lot way many deployments have been established already, the goal of these technologies has to be the entire deployment over metering system either in residential or industrial facilities all over the world. These technologies are capable of proviof services to the client of power supplying enterprises as well as to the enterprises and energy billing is eased for both parts. This is why it must be incorporated in all metering systems.

Regarding to security features of these techthey are implemented in very different ways depending on the specification. First thing that must be said is about encryption algorithms. AES algorithm is regarded to be the most secured algorithm and although most spethat do not which is the case of GPRS or Bluetooth, and these technologies should incorporate it in the future. Another thing that various technologies do not incorporate is replay protection and it is a securitas well as a highly security authentication procedure or ciphering. Additionally, and despite the fact that it is not exactly a security feature, the IPv6 technology should be also incorporated as well as the 6LoWPAN Adaptation Layer, features that are present in PLC G3 specification and are some of the strong points of the security implementations of these technology.

One of the most important issues that developers have to deal with is potential attacks and tampering of the smart metering systems. As described over all this paper, although a wide range of security features are implemented in smart metering technologies there are still many weak points to cover. However, it must be assumed that it is almost impossible to guarantee a 100 % security as potential attackers are always working to find weaknesses on any kind of communication networks security features.

Through all work developed in this paper, it can be easily deducted that wireless networks present by far a lot more weaknesses that wired network since there no need for a physical connection to the network to gain access to it and transmissions are performed over the air. This is the reason why wireless networks developers are obligated to present a lot more security protections to wireless specifications.

Finally, if we focus on the different types of attacks, there are specially three types that may be considered as the most dangerous and feared ones. The first type are the DoS attacks. This type of attacks are capable of disabling, in most of the cases temporally, entire networks by attacking its coordinators or servers. By this fact, a high risk of service disabling and data lost is present. The second type of attacks that must be considered highly dangerous are Man


On smart meter reading technologies there is still a lot way to walk. Although many deployments have been established already, the goal of these technologies has to be the entire deployment over metering system either in residential or industrial facilities all over the world. These technologies are capable of providing a huge amount of services to the client of power supplying enterprises as well as to the enterprises and energy billing is eased for both parts. This is why it must be incorporated in all metering

Regarding to security features of these technologies, as seen through this paper, they are implemented in very different ways depending on the specification. First thing that must be said is about encryption algorithms. AES algorithm is regarded to be the most secured algorithm and although most specification are using it there are still some that do not which is the case of GPRS or Bluetooth, and these technologies should incorporate it in the future. Another thing that various technologies do not incorporate is replay protection and it is a security feature that should be present in all specifications as well as a highly security authentication procedure or ciphering. Additionally, and despite the fact that it is not exactly a security feature, the IPv6 technology should be

as the 6LoWPAN Adaptation Layer, features that are present in PLC G3 specification and are some of the strong points of the security implementations of these technology.

One of the most important issues that developers have to deal with is potential cks and tampering of the smart metering systems. As described over all this paper,

although a wide range of security features are implemented in smart metering technologies there are still many weak points to cover. However, it must be assumed

lmost impossible to guarantee a 100 % security as potential attackers are always working to find weaknesses on any kind of communication networks security

Through all work developed in this paper, it can be easily deducted that wireless present by far a lot more weaknesses that wired network since there no need

for a physical connection to the network to gain access to it and transmissions are performed over the air. This is the reason why wireless networks developers are

esent a lot more security protections to wireless specifications.

Finally, if we focus on the different types of attacks, there are specially three types that may be considered as the most dangerous and feared ones. The first type are

s type of attacks are capable of disabling, in most of the cases temporally, entire networks by attacking its coordinators or servers. By this fact, a high risk of service disabling and data lost is present. The second type of attacks that must be

ed highly dangerous are Man-in-the-Middle attacks. In this type of attacks


to walk. Although many deployments have been established already, the goal of these technologies has to be the entire deployment over metering system either in residential or industrial

ding a huge amount of services to the client of power supplying enterprises as well as to the enterprises and energy billing is eased for both parts. This is why it must be incorporated in all metering

nologies, as seen through this paper, they are implemented in very different ways depending on the specification. First thing that must be said is about encryption algorithms. AES algorithm is regarded to be the

cification are using it there are still some that do not which is the case of GPRS or Bluetooth, and these technologies should incorporate it in the future. Another thing that various technologies do not incorporate is

y feature that should be present in all specifications as well as a highly security authentication procedure or ciphering. Additionally, and despite the fact that it is not exactly a security feature, the IPv6 technology should be

as the 6LoWPAN Adaptation Layer, features that are present in PLC G3 specification and are some of the strong points of the security

One of the most important issues that developers have to deal with is potential cks and tampering of the smart metering systems. As described over all this paper,

although a wide range of security features are implemented in smart metering technologies there are still many weak points to cover. However, it must be assumed

lmost impossible to guarantee a 100 % security as potential attackers are always working to find weaknesses on any kind of communication networks security

Through all work developed in this paper, it can be easily deducted that wireless present by far a lot more weaknesses that wired network since there no need

for a physical connection to the network to gain access to it and transmissions are performed over the air. This is the reason why wireless networks developers are

esent a lot more security protections to wireless specifications.

Finally, if we focus on the different types of attacks, there are specially three types that may be considered as the most dangerous and feared ones. The first type are

s type of attacks are capable of disabling, in most of the cases temporally, entire networks by attacking its coordinators or servers. By this fact, a high risk of service disabling and data lost is present. The second type of attacks that must be

Middle attacks. In this type of attacks


because of the fact that victims are totally relaying to the attacker, a lot of confidential data can be eavesdropped by the attacker as well as the behavior of the victim devices can be easily modified by the attacker to perform malicious actions against the victims or even the networks that victims are part of. In the end, the third type of attacks that may be considered as highly dangerous are the exposition of pre shared keys. Nopasswords is a great advantage against password crackers and that is why using pre shared keys is a good security method. However, the exposition of these keys may compromise the security of a whole network temporally or even sometimes permanently. This is why avoiding the exposition of these keys to a third part is a extremely important issue to guarantee the security of the network. As easily deducted since these three types of attacks are highly more dangerous that other types, protection against them should be of first concern of security professionals working to improve security implementations of smart metering specifications or any other type of technologies that implies communication networks either through wired connections or using over the air interface.


because of the fact that victims are totally relaying to the attacker, a lot of confidential data can be eavesdropped by the attacker as well as the behavior of the victim devices an be easily modified by the attacker to perform malicious actions against the victims

or even the networks that victims are part of. In the end, the third type of attacks that may be considered as highly dangerous are the exposition of pre shared keys. Nopasswords is a great advantage against password crackers and that is why using pre shared keys is a good security method. However, the exposition of these keys may compromise the security of a whole network temporally or even sometimes

This is why avoiding the exposition of these keys to a third part is a extremely important issue to guarantee the security of the network. As easily deducted since these three types of attacks are highly more dangerous that other types, protection

them should be of first concern of security professionals working to improve security implementations of smart metering specifications or any other type of technologies that implies communication networks either through wired connections or

air interface.


because of the fact that victims are totally relaying to the attacker, a lot of confidential data can be eavesdropped by the attacker as well as the behavior of the victim devices an be easily modified by the attacker to perform malicious actions against the victims

or even the networks that victims are part of. In the end, the third type of attacks that may be considered as highly dangerous are the exposition of pre shared keys. Not using passwords is a great advantage against password crackers and that is why using pre shared keys is a good security method. However, the exposition of these keys may compromise the security of a whole network temporally or even sometimes

This is why avoiding the exposition of these keys to a third part is a extremely important issue to guarantee the security of the network. As easily deducted since these three types of attacks are highly more dangerous that other types, protection

them should be of first concern of security professionals working to improve security implementations of smart metering specifications or any other type of technologies that implies communication networks either through wired connections or


12. Bibliography and references

[1] Peng, C. ”GSM and GPRS Security”, Telecommunications Software and Multimedia Laboratory, Helsinki University of Technology, 2000

[2] Bavosa, A. “GPRS Security Threats and Solution RecommNetworks, 2004

[3] Wang, J. “Wireless Ad Hoc Networks Remote Meter Reading System Based on GPRS”, College of Information Science, Qingdao University of Science and Technology, 2009

[4] Fuxiang, G. , Wenxin, X. , Langtao, L. “Overview onSystem Based on GPRS”, College of Information Science and Engineering Northeastern University (NEU), 2010

[5] T. Halonen, J. Romero and J. Melero “Ed. 2003 John Wiley & Sons, Ltd

[6] Dínçan, A. , Kavas, A. “Authentication and ciphering in GPRS network”, Yildiz Technical University, Faculty of Electrical and Electronic Engineering, 2006

[7] Brookson, C. “GPRS Security”, Charles Brookson December 2001

[8] Xenakis, C. “Malicious Actions Against the GPRSNetwork Laboratory, Department of Informatics and Telecommunications, University of Athens, 2008

[9] “GPRS White Paper” Copyright © 2000 Cisco Systems, Inc.

[10] “GPRS, General Packet Radio Service” White Paper by Usha CommunicationsTechnology, June 2000

[11] Xenakis, C. “Security Measures and Weaknesses of the GPRS Security Architecture”, Security Group, Communication Networks Laboratory, Department of Informatics & Telecommunications, University of Athens, 2006

[12] K. Premkumar , A. Chockalingam “in General Packet Radio Service”Communication Engineering

[13] Xenakis, C. ”Vulnerabilities and Possible Attacks againsNetwork”, Security Group, Communication Networks Laboratory,Informatics & Telecommunications, University of Athens


12. Bibliography and references

[1] Peng, C. ”GSM and GPRS Security”, Telecommunications Software and Multimedia Laboratory, Helsinki University of Technology, 2000

[2] Bavosa, A. “GPRS Security Threats and Solution Recommendations”, Juniper

[3] Wang, J. “Wireless Ad Hoc Networks Remote Meter Reading System Based on GPRS”, College of Information Science, Qingdao University of Science and

[4] Fuxiang, G. , Wenxin, X. , Langtao, L. “Overview on Remote Meter Reading System Based on GPRS”, College of Information Science and Engineering Northeastern

[5] T. Halonen, J. Romero and J. Melero “GSM, GPRS and EDGE Performance” 2nd 2003 John Wiley & Sons, Ltd

vas, A. “Authentication and ciphering in GPRS network”, Yildiz Technical University, Faculty of Electrical and Electronic Engineering, 2006

[7] Brookson, C. “GPRS Security”, Charles Brookson December 2001

[8] Xenakis, C. “Malicious Actions Against the GPRS Technology”, Computer Network Laboratory, Department of Informatics and Telecommunications, University

[9] “GPRS White Paper” Copyright © 2000 Cisco Systems, Inc.

[10] “GPRS, General Packet Radio Service” White Paper by Usha Communications

[11] Xenakis, C. “Security Measures and Weaknesses of the GPRS Security Architecture”, Security Group, Communication Networks Laboratory, Department of Informatics & Telecommunications, University of Athens, 2006

A. Chockalingam “Performance Analysis of RLC/MAC Protocol in General Packet Radio Service”, Wireless Research Lab, Department of Electrical Communication Engineering, Indian Institute of Science

Vulnerabilities and Possible Attacks against the GPRS Backbone Security Group, Communication Networks Laboratory,

Informatics & Telecommunications, University of Athens


[1] Peng, C. ”GSM and GPRS Security”, Telecommunications Software and

endations”, Juniper

[3] Wang, J. “Wireless Ad Hoc Networks Remote Meter Reading System Based on GPRS”, College of Information Science, Qingdao University of Science and

Remote Meter Reading System Based on GPRS”, College of Information Science and Engineering Northeastern

GSM, GPRS and EDGE Performance” 2nd

vas, A. “Authentication and ciphering in GPRS network”, Yildiz Technical University, Faculty of Electrical and Electronic Engineering, 2006

Technology”, Computer Network Laboratory, Department of Informatics and Telecommunications, University

[10] “GPRS, General Packet Radio Service” White Paper by Usha Communications

[11] Xenakis, C. “Security Measures and Weaknesses of the GPRS Security Architecture”, Security Group, Communication Networks Laboratory, Department of

Performance Analysis of RLC/MAC Protocol Wireless Research Lab, Department of Electrical

t the GPRS Backbone Department of


[14] “Electricity metering Part 21: Direct local data exchange (IEC62056Electrotechnical Standarization, 2002 CENELEC (Czech version)

[15] Deconinck, G. , De Craemer, K. “Analysis of StateCommunication Standards”

[16] “Advanced Encryption SPublication 197 (FIPS197), November 2001

[17] “PRIME Technology Whitepaper, PHY, MAC and Convergence Layers”, PRIME Project, 2008

[18] “Draft Standard for PoweRline Intelligent Metering Evolution”, PRWorking Group

[19] Ming, Y., Jian-hua, D. “The Design and Implementation of 128in PRIME”, Communication University of China (CUC), 2010

[20] “Electricity metering data exchange PLC Orthogonal Frequency Division MultiplexingOPEN meter project

[21] “Electricity metering -using OFDM modulation type 2”, European OPEN meter project

[22] “PLC G3 Profile Specification”, Électricité Réseau Distribution France (ERDF)

[23] “PLC G3 MAC Layer Specification”, Électricité Réseau Distribution France (ERDF)

[24] “PLC G3 Physical Layer Specification”, Électricité Réseau Distribution France (ERDF)

[25] “Smart Grid Solutions Guide”, Maxim, January 2011

[26] Sotillo, S. “Extensible Authentication Protocol (EAP) Security Issues”, Department of Technology systems, East Carolina University, 2007

[27] Hoch, M. “Comparison of PLC G3 and PRIME”, Institute for InformatioTransmission, Friedrich-Alexander

[28] Bruno, A. , White, B. “Authenticated Key Exchange”

[29] Yüksel, E. , Riis Nielson, H. , Nielson, F. , “ZigBee Informatics and Mathematical Modelling, T

[30] Sastry, N. , Wagner, D. “Security Considerations for IEEE 802.15.4 Networks”, University of California, Berkeley, 2004


[14] “Electricity metering – Data Exchange for meter reading, tariff and load control, al data exchange (IEC62056-21:2002)”, European Committee for

Electrotechnical Standarization, 2002 CENELEC (Czech version)

[15] Deconinck, G. , De Craemer, K. “Analysis of State-of-the-art Smart Metering Communication Standards”

[16] “Advanced Encryption Standard (AES)” Federal Information Processing Standards Publication 197 (FIPS197), November 2001

[17] “PRIME Technology Whitepaper, PHY, MAC and Convergence Layers”, PRIME

[18] “Draft Standard for PoweRline Intelligent Metering Evolution”, PR

hua, D. “The Design and Implementation of 128-bit AES encryption in PRIME”, Communication University of China (CUC), 2010

Electricity metering data exchange – The DLMS/7 COSEM suite –rthogonal Frequency Division Multiplexing (OFDM) Type 2 profile”, European

- Data exchange over powerline – Part 2: Lower layer profile using OFDM modulation type 2”, European OPEN meter project

ofile Specification”, Électricité Réseau Distribution France (ERDF)

[23] “PLC G3 MAC Layer Specification”, Électricité Réseau Distribution France

[24] “PLC G3 Physical Layer Specification”, Électricité Réseau Distribution France

rid Solutions Guide”, Maxim, January 2011

[26] Sotillo, S. “Extensible Authentication Protocol (EAP) Security Issues”, Department of Technology systems, East Carolina University, 2007

[27] Hoch, M. “Comparison of PLC G3 and PRIME”, Institute for InformatioAlexander-Universität Erlangen-Nürnberg, 2011

[28] Bruno, A. , White, B. “Authenticated Key Exchange”

[29] Yüksel, E. , Riis Nielson, H. , Nielson, F. , “ZigBee -2007 Security Essentials”, Informatics and Mathematical Modelling, Technical University of Denmark

[30] Sastry, N. , Wagner, D. “Security Considerations for IEEE 802.15.4 Networks”, University of California, Berkeley, 2004


Data Exchange for meter reading, tariff and load control, 21:2002)”, European Committee for

art Smart Metering

tandard (AES)” Federal Information Processing Standards

[17] “PRIME Technology Whitepaper, PHY, MAC and Convergence Layers”, PRIME

[18] “Draft Standard for PoweRline Intelligent Metering Evolution”, PRIME Alliance

bit AES encryption

– Part 8-5: The (OFDM) Type 2 profile”, European

Part 2: Lower layer profile

ofile Specification”, Électricité Réseau Distribution France (ERDF)

[23] “PLC G3 MAC Layer Specification”, Électricité Réseau Distribution France

[24] “PLC G3 Physical Layer Specification”, Électricité Réseau Distribution France

[26] Sotillo, S. “Extensible Authentication Protocol (EAP) Security Issues”, Department

[27] Hoch, M. “Comparison of PLC G3 and PRIME”, Institute for Information Nürnberg, 2011

2007 Security Essentials”, echnical University of Denmark

[30] Sastry, N. , Wagner, D. “Security Considerations for IEEE 802.15.4 Networks”,


[31] “Security Services and Enhancements in the IEEE 802.15.4 Wireless Sensor Networks”, Yang Xiao, Sakshi Sethi, Department of Computer Science, University of Memphis/ Hsiao-Hwa Chen, Institute of Communications Engineering, National Sun Yat-Sen University/ Bo Sun, Department of Computer Science, Lamar University, 2005

[32] “IEEE 802.15.4 MAC Overview” IPersonal Area Networks (WPANs), May 2004

[33] Zheng, J. , Nyung J. Lee, Anshel, M. “Towards Secure Low Rate Wireless Personal Area Networks” , IEEE Transactions on Mobile Computing, October 2006

[34] Bo Chen, Mingguang Wu, Shuai Yao, Ni Bibin “ZigBee Technology and its application on Wireless MeterZhejiang University, 2006

[35] “802.15.4 IEEE Standard forinformation exchange between systemsSpecific requirements Part 15.4: Wireless Medium AccessLayer (PHY) Specifications for LowWPANs)”, IEEE Computer Society, LAN/MA

[36] Stevanovic, D. “ZigBee/IEEE 802.15.4 Standard”, June 2007

[37] “ZigBee Specification”, ZigBee Alliance, January 2008

[38] “ACE4000 GSM/GPRS Specifications”, Itron

[39] “Smart Energy. Secure end

[40] “ACE6000 DC4 Commercial & Industrial Multifunction Meter”, Itron

[41] “Residential AMM. Landis+Gyr E450 PRIME ZCX100”, Landis+Gyr

[42] “Wireless Connectivity Guide”, Texas Instruments

[43] “ADD1021 Brief Datasheet”, ADD

[44] “Three-phase Electricity ElAEM

[45] “Single-phase Electricity Electronic Meter with AMM Facilities Enerlux Technical Characteristics”, AEM

[46] “Digital Multi- Tariff Meter DMTZ

[47] “Digital Multi- Rate Meter ED

[48] “Digital Tariff Meter ITZ”, EMH Metering

[49] “Data collector RNDC Raconet”, EMH Metering


[31] “Security Services and Enhancements in the IEEE 802.15.4 Wireless Sensor akshi Sethi, Department of Computer Science, University of

Hwa Chen, Institute of Communications Engineering, National Sun Sen University/ Bo Sun, Department of Computer Science, Lamar University, 2005

[32] “IEEE 802.15.4 MAC Overview” IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs), May 2004


g Wu, Shuai Yao, Ni Bibin “ZigBee Technology and its application on Wireless Meter-reading System”, Institute of System Engineering,

IEEE Standard for Information technology— Telecommunications and nge between systems— Local and metropolitan area networks

Part 15.4: Wireless Medium Access Control (MAC) and Physical Specifications for Low-Rate Wireless Personal Area Networks (LR

WPANs)”, IEEE Computer Society, LAN/MAN Committee, October 2003


[37] “ZigBee Specification”, ZigBee Alliance, January 2008

[38] “ACE4000 GSM/GPRS Specifications”, Itron

[39] “Smart Energy. Secure end-to-end solutions”, Freescale

0] “ACE6000 DC4 Commercial & Industrial Multifunction Meter”, Itron


[42] “Wireless Connectivity Guide”, Texas Instruments

[43] “ADD1021 Brief Datasheet”, ADD

phase Electricity Electronic Meter Enerlux T Technical Characteristics”,

phase Electricity Electronic Meter with AMM Facilities Enerlux Technical Characteristics”, AEM

Tariff Meter DMTZ-XC”, EMH Metering

Rate Meter ED2 Series”, EMH Metering

[48] “Digital Tariff Meter ITZ”, EMH Metering

[49] “Data collector RNDC Raconet”, EMH Metering


[31] “Security Services and Enhancements in the IEEE 802.15.4 Wireless Sensor akshi Sethi, Department of Computer Science, University of

Hwa Chen, Institute of Communications Engineering, National Sun Sen University/ Bo Sun, Department of Computer Science, Lamar University, 2005

EEE P802.15 Working Group for Wireless


g Wu, Shuai Yao, Ni Bibin “ZigBee Technology and its reading System”, Institute of System Engineering,

Telecommunications and Local and metropolitan area networks—

Control (MAC) and Physical Personal Area Networks (LR-

N Committee, October 2003

0] “ACE6000 DC4 Commercial & Industrial Multifunction Meter”, Itron


ectronic Meter Enerlux T Technical Characteristics”,

phase Electricity Electronic Meter with AMM Facilities Enerlux Σ


[50] “Raconet MAUS RNMA”, EMH Metering

[51] “Technical Data sheet Raconet Gateway”, EMH Metering

[52] “RNRE Raconet repeater”, EMH Meteri

[53] “Radio readout of electricity meters, radio controlles networks”, EMH metering, 2010


[55] Scarfone, K.; Padgette, J. “Guide to Bluetooth Security, Recommendations of the National Institute of Standards and Technology”, NIST SPCommerce, September 2008

[56] Becker, A. “Bluetooth Security & Hacks”, Seminararbeit, RuhrBochum, August 16, 2007

[57] “Specification of the Bluetooth System”, version 1.1, Feb

[58] Padovan, G. “Bluetooth Security”, http://padovan.org

[59] Shesha, T. “Bluetooth Security”, Media Informatics2011

[60] “Three Phase Remote Disconnection and Re Connection Meter Eis RDC3”, www.kigg.com

[61] Levi, A.; Cetintas, E.; Aydos, M.; Kaya Koc, C.; Ufuk Caglayan, M. “Relay Attacks on Bluetooth Authentication and solutions”, 2004

[62] Wright, J. “KillerBee: Practical ZigBee Exploitation Framework”

[63] http://www.zigbee.org

[64] http://www.gsm-security.net/gsm

[65] http://www.prime-alliance.org/

[66] http://www.dlms.com/organization/flagmanufacturesids/index.html

[67] http://www.radio-electronics.com/info/technology.php

[68] http://www.ietf.org/rfc/rfc3748.txt

[69] http://tools.ietf.org/html/rfc4764

[70] http://tools.ietf.org/html/draft

[71] http://www.ietf.org/rfc/rfc2865.txt


[50] “Raconet MAUS RNMA”, EMH Metering

[51] “Technical Data sheet Raconet Gateway”, EMH Metering

[52] “RNRE Raconet repeater”, EMH Metering

[53] “Radio readout of electricity meters, radio controlles networks”, EMH metering,


[55] Scarfone, K.; Padgette, J. “Guide to Bluetooth Security, Recommendations of the ute of Standards and Technology”, NIST SP-800-121 US Department of

Commerce, September 2008

[56] Becker, A. “Bluetooth Security & Hacks”, Seminararbeit, Ruhr

[57] “Specification of the Bluetooth System”, version 1.1, February 22 2001

[58] Padovan, G. “Bluetooth Security”, http://padovan.org

[59] Shesha, T. “Bluetooth Security”, Media Informatics-WS2010-2011, 09 February

Three Phase Remote Disconnection and Re Connection Meter Eis RDC3”,

A.; Cetintas, E.; Aydos, M.; Kaya Koc, C.; Ufuk Caglayan, M. “Relay Attacks on Bluetooth Authentication and solutions”, 2004

[62] Wright, J. “KillerBee: Practical ZigBee Exploitation Framework”

http://www.zigbee.org/

security.net/gsm-security-papers.shtml

alliance.org/


electronics.com/info/wireless/ieee-802-15-4/wireless

http://www.ietf.org/rfc/rfc3748.txt

http://tools.ietf.org/html/rfc4764

http://tools.ietf.org/html/draft-daniel-6lowpan-load-adhoc-routing-03

http://www.ietf.org/rfc/rfc2865.txt


[53] “Radio readout of electricity meters, radio controlles networks”, EMH metering,

[55] Scarfone, K.; Padgette, J. “Guide to Bluetooth Security, Recommendations of the 121 US Department of

[56] Becker, A. “Bluetooth Security & Hacks”, Seminararbeit, Ruhr-Universität

ruary 22 2001

2011, 09 February

Three Phase Remote Disconnection and Re Connection Meter Eis RDC3”,

A.; Cetintas, E.; Aydos, M.; Kaya Koc, C.; Ufuk Caglayan, M. “Relay


4/wireless-standard-

03


[72] http://tools.ietf.org/html/rfc3579

[73]http://www.ti.com/ww/en/smart_grid_solutions/smart_grid_plc.htm?DCMP=dtech&HQS=dtech-pr-g3

[74] http://www.zigbee.org/Products/CertifiedProducts/ZigBeeSmartEnergy.aspx

[75] http://www.ember.com/zigbee_index.html

[76] http://www.emh-metering.com/en/solutions/software

[77] http://blueadmiral.com/C

[78] http://umumble.com/blogs/telecom/316/

[79] http://www.cez.cz/cs/pro

[80] http://www.merl.com/areas/zigbeeinterface/

[81] http://www.palowireless.co

[82] http://www.atmel.com/tools/RZUSBSTICK.aspx

[83] http://nexp.tistory.com/631

[84] http://www.tme.eu/es/katalog/microcontroladoressmd_100583/#id_category%3D100583%26

[85] http://www.willhackfors

[86] http://www.f-secure.com/weblog/archives/00001011.html

[87] http://backtrackos.blogspot.com/

[88] http://www.airdemon.net/mitm.html

[89] http://blip.tv/source-bostonexploitation-framework-3586816

[90] http://www.slideshare.net/rootedcon/davidcomunicaciones-mviles-rootedcon

[91] http://www.cse.wustl.edu/~jain/cse57107/ftp/wireless_hacking/index.html#Section1.1

[92] http://hacknmod.com/hack/top

[93] http://netsecurity.aboutArmy-Knife.htm

[94] http://netsecurity.about.com/od/hackertools/a/top1002006.htm


http://tools.ietf.org/html/rfc3579

http://www.ti.com/ww/en/smart_grid_solutions/smart_grid_plc.htm?DCMP=dtech

http://www.zigbee.org/Products/CertifiedProducts/ZigBeeSmartEnergy.aspx

om/zigbee_index.html

metering.com/en/solutions/software-tools/

http://blueadmiral.com/Communications/comms/airint.shtml

http://umumble.com/blogs/telecom/316/

http://www.cez.cz/cs/pro-zakazniky/pruvodce-elektromery/schrack

http://www.merl.com/areas/zigbeeinterface/

http://www.palowireless.com/infotooth/tutorial/radio.asp

http://www.atmel.com/tools/RZUSBSTICK.aspx

http://nexp.tistory.com/631

http://www.tme.eu/es/katalog/microcontroladores-atmel-8051-smd_100583/#id_category%3D100583%26

http://www.willhackforsushi.com/?paged=4

secure.com/weblog/archives/00001011.html

http://backtrackos.blogspot.com/

http://www.airdemon.net/mitm.html

boston-2010/josh-wright-killerbee-practical-zigbee3586816

http://www.slideshare.net/rootedcon/david-prez-jos-pic-un-ataque-prcticorootedcon-2011

http://www.cse.wustl.edu/~jain/cse571-07/ftp/wireless_hacking/index.html#Section1.1

http://hacknmod.com/hack/top-15-vital-hacking-software-and-tools/

http://netsecurity.about.com/od/hackertools/a/Backtrack-The-Hackers

http://netsecurity.about.com/od/hackertools/a/top1002006.htm


http://www.ti.com/ww/en/smart_grid_solutions/smart_grid_plc.htm?DCMP=dtech

http://www.zigbee.org/Products/CertifiedProducts/ZigBeeSmartEnergy.aspx

elektromery/schrack-dmtz-xc.html

gbee-

prctico-contra-

tools/

Hackers-Swiss-


[95] http://backtrackos.blogspot.com/

[96] http://www.backtrack-

[97] http://openbsc.osmocom.org/trac/

[98] http://openbts.sourceforge.net/

[99] http://www.infostream.biz/

[100] http://www.eng.tau.ac.il/~yash/shaked

[101] http://trifinite.org/trifinite_stuff_blooover.html

[102] https://www.owasp.org/index.php/Man

[103]http://www.interlinknetworks.com/whitepapers/Intro_802_1X_for_Wireless_LAN.htm


http://backtrackos.blogspot.com/

-linux.org/

http://openbsc.osmocom.org/trac/

http://openbts.sourceforge.net/

http://www.infostream.biz/

http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/

http://trifinite.org/trifinite_stuff_blooover.html

https://www.owasp.org/index.php/Man-in-the-middle_attack

http://www.interlinknetworks.com/whitepapers/Intro_802_1X_for_Wireless_LAN


http://www.interlinknetworks.com/whitepapers/Intro_802_1X_for_Wireless_LAN


13. Glossary of terms

6LoWPAN IPv6 over Low power Wireless Personal AreAAA Authentication, Authorization and AccountingACK AcknowledgeACL Access Control List / Asynchronous ConnectionAES Advanced Encryption StandardAES-CBC-MAC AES AES-CCM AES AES-CTR AES AGC Automatic Gain ControlAFE Analog Front EndAKEP Authenticated Key Exchange ProtocolAMM Automated Meter ManagementAMR Automated Meter ReadingAPS Application Support sublayerASCII American StBCC Block Check CharacterBPSK Binary Phase Shift KeyingBSEG Bluetooth Security Expert GroupCOSEM Companion Specification for Energy MeteringCRC Cyclic Redundance CheckCSMA-CA Carrier Sense Multiple AccDES Data Encryption StandardDLL Data Link LayerDLMS Device Language Message SpecificationDBPSK Differential Binary Phase Shift KeyingDQPSK Differential Quadrature Phase Shift KeyingDoS Denial of ServiceDSSS DirecEAP Extensible Authentication ProtocolEAP-PSK EAP-ECDH Elliptic Curve Diffie HellmanEEPROM Electrical Erasable Programmable Read Only MemoryEOB End Of BillingETX End of TextEUI Extended Unique IdenFCH Frame Control HeaderFEC Forward Error CorrectionFFD Full Function DeviceFFT Fast Fourier TransformationGMK Group Master Key


13. Glossary of terms

IPv6 over Low power Wireless Personal Area NetworksAuthentication, Authorization and Accounting Acknowledge Access Control List / Asynchronous Connection-Less linkAdvanced Encryption Standard AES – Cipher Block Chaining – Medium Access ControlAES – Counter with CBC-MAC AES – Counter Automatic Gain Control Analog Front End Authenticated Key Exchange Protocol Automated Meter Management Automated Meter Reading Application Support sublayer American Standard Code for Information InterchangeBlock Check Character Binary Phase Shift Keying Bluetooth Security Expert Group Companion Specification for Energy Metering Cyclic Redundance Check Carrier Sense Multiple Access – Collision AvoidanceData Encryption Standard Data Link Layer Device Language Message Specification Differential Binary Phase Shift Keying Differential Quadrature Phase Shift Keying Denial of Service Direct Sequence Spread Spectrum Extensible Authentication Protocol

-Pre Shared Key Elliptic Curve Diffie Hellman Electrical Erasable Programmable Read Only MemoryEnd Of Billing End of Text Extended Unique Identifier Frame Control Header Forward Error Correction Full Function Device Fast Fourier Transformation Group Master Key


a Networks

Less link

Medium Access Control

andard Code for Information Interchange

Collision Avoidance

Electrical Erasable Programmable Read Only Memory


GPRS General Packet Radio ServiceGSM Global System for Mobile communicationsGTS Guaranteed Time SloHCI Host Controller InterfaceHDLC High Data Link ControlHHU Hand Held UnitHMAC KeyedHSNK High Security mode Network KeyIEEE Institute of Electrical and Electronic EngineersIETF Internet EngineeriIMEI International Mobile Equipment IdentityIMSI International Mobile Subscriber IdentityISM Industrial, Scientific and MedicalIP Internet ProtocolK Key GeneratorL2CAP Link Control and Adaptation ProtocolLAI Location Area ILAN Local Area NetworkLBP 6LoWPAN Bootstrapping ProtocolLC Link ControllerLCD Liquid Crystal DisplayLED Light Emitting DiodeLFSR Linear Feedback Shift RegisterLK Link KeyLMP Link Manager ProtocolLSB Least Significant BitMAC Medium Access ControlMEA Mutual Entity Authentication protocolMitM Man in the MiddleMK Master KeyMS Mobile StationMSB Most Significant BitMSISDN Mobile Station International Subscriber Directory NumberMSRN Mobile Station Roaming OFDM Orthogonal Frequency Division MultiplexingPAN Personal Area NetworkPCT Permission Configuration TablePDU Packet Data UnitPDP Packet Data ProtocolPFS Perfect Forward SecrecyPIB PAN Information BasePIN Personal IdentificatiPLC PowerLine Communications


General Packet Radio Service Global System for Mobile communications Guaranteed Time Slot Host Controller Interface High Data Link Control Hand Held Unit Keyed-Hashing for Message Authentication CodeHigh Security mode Network Key Institute of Electrical and Electronic Engineers Internet Engineering Task Force International Mobile Equipment Identity International Mobile Subscriber Identity Industrial, Scientific and Medical Internet Protocol Key Generator Link Control and Adaptation Protocol Location Area Identifier Local Area Network 6LoWPAN Bootstrapping Protocol Link Controller Liquid Crystal Display Light Emitting Diode Linear Feedback Shift Register Link Key Link Manager Protocol Least Significant Bit Medium Access Control Mutual Entity Authentication protocol Man in the Middle Master Key Mobile Station Most Significant Bit Mobile Station International Subscriber Directory NumberMobile Station Roaming Number Orthogonal Frequency Division Multiplexing Personal Area Network Permission Configuration Table Packet Data Unit Packet Data Protocol Perfect Forward Secrecy PAN Information Base Personal Identification Number PowerLine Communications


Hashing for Message Authentication Code

Mobile Station International Subscriber Directory Number


PPDU Physical Protocol Data UnitPRIME PoweRline Intelligent Metering EvolutionQoS Quality of ServiceRADIUS Remote Authentication Dial in User ServiceRAM Random Access MemoryRFD Reduced Function DeviceROM Read Only MemoryRSSI Received Signal Strength IndicationRTC Real Time ClockSCO Synchronous ConnectionSIM Subscriber Identity ModuleSKKE Symmetric Key Key ExchangeSoC System on ChipSOH Start Of HeaderSRES Signed RespoSTX Start of TextTC Trust CenterTCLK Trust Center Link KeyTMSI Temporary Mobile Subscriber IdentityUDP User Datagram ProtocolVPN Virtual Private NetworkWAN Wide Area NetworkWCDMA Wideband Code Division Multiple AccessZDO ZigBee


Physical Protocol Data Unit PoweRline Intelligent Metering Evolution Quality of Service Remote Authentication Dial in User Service Random Access Memory Reduced Function Device Read Only Memory Received Signal Strength Indication Real Time Clock Synchronous Connection-Oriented Subscriber Identity Module Symmetric Key Key Exchange System on Chip Start Of Header Signed Response Start of Text Trust Center Trust Center Link Key Temporary Mobile Subscriber Identity User Datagram Protocol Virtual Private Network Wide Area Network Wideband Code Division Multiple Access ZigBee Device Object


PROJECTE FINAL DE CARRERA - COnnecting REpositories · PROJECTE FINAL DE CARRERA Anàlisi teòric...

Documents

Transcript of PROJECTE FINAL DE CARRERA - COnnecting REpositories · PROJECTE FINAL DE CARRERA Anàlisi teòric...