Security Issues on ZigBee Summary
Transcript of Security Issues on ZigBee Summary
Security Issues on ZigBee
Rui Silva (1,2), Serafim Nunes (1,3)
(1) INESC-ID, (2) ESTIG, (3) IST
Coimbra, 22 July 2005
Summary
1. ZigBee Security
- ZigBee Security Generals
- Suite AES-CTR
- Suite AES-CBC-MAC
- Suite AES-CCM
2. ZigBee Security Problems
- Same Key on multiple ACL entries
- Power Failures
- No Support for Group Keys
- Sequential Freshness vs. Single ACL entry
- Weak Integrity protection on AES-CTR
- Fast Denial-of-service Attack on AES-CTR
- Acknowledge Forgery
3. Implementation Environment
4. Implementation Options
- Use Key Sequence Counter to avoid Nonce Repetition
- New Frame Type “Protected-ACK”
- Use Trust Reference Value (TRV)
- Use Non-Volatile memory to store Nonce States
ZigBee Security
• ZigBee Security overall aspects
MAC Layer Security
• Single Hop Security
• Advanced Encryption Standard (128 bit blocks, 128 bit key)
• Weak Message Integrity
Frame: Headers | Payload | FCS (16 bit)
• Access Control Lists (ACLs)
- Up to 255 ACL entries
- Listed by Address
- With a default ACL entry for unlisted Addresses
- ACL entry: Address | Security Suite | Security Material (depends on the Security Suite)
• Several Suites of Security Services:
- No Security: Null
- Confidentiality: AES-CTR
- Authentication: AES-CBC-MAC, with 32, 64 or 128 bits of MAC
- Confidentiality and Authentication: AES-CCM, with 32, 64 or 128 bits of MAC
ZigBee Security
• Suite AES-CTR
Security Material and Data Formats
- Access Control: a simple ACL entry
- Data Encryption: using Group or Peer-to-Peer Key
- Sequential Freshness: for incoming frames
I. MAC PIB:
Symmetric Key (16 bytes) | Frame Counter (4 bytes) | Key Sequence Counter (1 byte) | Optional External Frame Counter ((4) bytes) | Optional External Key Sequence Counter ((1) byte)
II. Protected Payload Field Format:
Headers | Frame Ctr (4 bytes) | Key Ctr (1 byte) | Encrypted Payload (variable) | FCS
III. CTR Input Blocks (Counter X):
Flag (10000010) | Src Addr | Fr Ctr | Key Ctr | Block Ctr
IV. CTR Encryption:
[Figure: for each block j = 1 … n, Counter j is the Input Blk j of CIPHK, which gives Output Blk j; Output Blk j is combined with Plaintext j to give Ciphertext j]
ZigBee Security
• Suite AES-CTR
Security Operations
Outgoing Frames:
Originator next higher layer → Originator MAC: MCPS-DATA.request […, TxOptions=0000 1xxx, …]
MAC Domain (MAC PIB, Block Counter Management, AES-CTR Encryption):
1st) Obtain Data from PIB
2nd) Compute Input Data
3rd) Encrypt
4th) Recompute Payload
5th) Increment Frame Counter, Test Frame Counter
- Success: Ok!
- Fail: Abort!
Nonce: Src Addr | Fr Ctr | Key Ctr, followed by the Block Ctr
Possible Security Errors:
1st) No appropriate Key in ACL
- MCPS-DATA.confirm […, status = UNAVAILABLE_KEY]
- MLME-COMM-STATUS.indication […, status = UNAVAILABLE_KEY]
2nd) Any other error related to security processing:
- Frame Counter Overlap
- Key Sequence Counter Roll Over
- MCPS-DATA.confirm […, status = FAILED_SECURITY_CHECK]
- MLME-COMM-STATUS.indication […, status = FAILED_SECURITY_CHECK]
ZigBee Security
• Suite AES-CTR
Security Operations
Incoming Frames:
Recipient PHY → Recipient MAC: PD-DATA.indication (Data)
Received frame: Headers | Fr Ctr | Key Ctr | Encrypted Payload | FCS
MAC Domain (MAC PIB, Block Counter Management, AES-CTR Decryption):
1st) Obtain Fr. and Key Ctr from Payload
2nd) Checks Freshness [ IF !!! ] (Optional Frame Counter, Optional Key Seq. Counter)
- OK! go to 3rd)
- Fail! Abort
3rd) Obtain Src. Addr From Header
4th) Compute Input Data
5th) Decrypt
6th) Replace Encrypted Payload with Decrypted Payload
7th) Set new Opt. Ext. Frame Counter
8th) Set new Opt. Ext. Key Seq. Counter
Nonce: Src Addr | Fr Ctr | Key Ctr, followed by the Block Ctr
Any Kind of Security Error: MLME-COMM-STATUS.indication […, status = FAILED_SECURITY_CHECK] to the Recipient next higher layer
ZigBee Security
• Suite AES-CBC-MAC
Security Material and Data Formats
- Access Control: a simple ACL entry
- Frame Integrity: using Group or Peer-to-Peer Key; using 32, 64 or 128 bits to generate the MAC (MIC)
I. MAC PIB:
Symmetric Key (16 bytes)
II. Protected Payload Field Format:
Headers | Payload | MIC (MAC) (4, 8 or 16 bytes) | FCS
III. CBC-MAC Input Blocks:
Length = n + m (1 byte) | Headers (n bytes) | Payload (m bytes), split into 16-byte Input Blocks: Input 1, Input 2, Input 3, …, Input n
IV. CBC-MAC:
[Figure: CBC-MAC chain. Input 1 goes through CIPHK to give Output 1, which is combined with Input 2 before CIPHK gives Output 2, and so on up to Input n and Output n; the MIC is taken from Output n]
ZigBee Security
• Suite AES-CBC-MAC
Security Operations
Outgoing Frames:
MAC Domain (AES-CBC-MAC encryption):
1st) Calculate the Headers and Payload Length
2nd) Compute Input Block
3rd) Generate MIC
4th) Recompute Payload
Frame before: Headers | Payload | FCS
Frame after: Headers | Payload | MIC (MAC) | FCS
Incoming Frames:
Recipient PHY → Recipient MAC: PD-DATA.indication (Data)
MAC Domain (AES-CBC-MAC decryption):
1st) Calculate the Headers and Payload Length
2nd) Compute Input Block
3rd) Calculate the MIC
4th) Compare the MICs (calculated MIC = received MIC?)
5th) - OK! - Fail!
Received frame: Headers | Payload | MIC (MAC) | FCS
- INTEGRITY OK: the frame goes to the Recipient next higher layer
- INTEGRITY FAIL: MLME-COMM-STATUS.indication […, status = FAILED_SECURITY_CHECK]
ZigBee Security
• Suite AES-CCM
Security Material and Data Formats
- Access Control: a simple ACL entry
- Data Encryption: using Group or Peer-to-Peer Key
- Frame Integrity: using Group or Peer-to-Peer Key; using 32, 64 or 128 bits to generate the MAC (MIC)
- Sequential Freshness: for incoming Frames
I. MAC PIB:
Symmetric Key (16 bytes) | Frame Counter (4 bytes) | Key Sequence Counter (1 byte) | Optional External Frame Counter ((4) bytes) | Optional External Key Sequence Counter ((1) byte)
II. Protected Payload Field Format:
Headers | Frame Ctr (4 bytes) | Key Ctr (1 byte) | Encrypted Payload (variable) | Encrypted MIC (4, 8 or 16 bytes) | FCS
III. CCM Nonce and CCM Security Parameters:
1) L = 2 Bytes
2) M = 4, 8 or 16 Bytes
3) Additional Authenticated Data ‘a’: 0 ≤ l(a) < 2^64 (Length Zero if not used)
Nonce: Src Addr | Fr Ctr | Key Ctr
ZigBee Security
• Suite AES-CCM
Security Operations – Authentication
Flags:
- bit 7 → 0
- bit 6: Additional Authentication Data? YES → 1, NO → 0
- bits 5, 4 and 3: M = 4 → 001 [MIC with 32 bits], M = 8 → 011 [MIC with 64 bits], M = 16 → 111 [MIC with 128 bits]
- bits 2, 1 and 0 → 010
Authentication (using CBC-MAC):
- Block format (16 bytes): Flag (1 Byte) | Nonce (13 Bytes: Src Addr | Fr Ctr | Key Ctr) | l(m) (2 Bytes)
- Input blocks of 16 bytes each: Input 1, Input 2, Input 3, …, Input n
- Frame: Headers | Payload | FCS
[Figure: CBC-MAC chain. Input 1 goes through CIPHK to give Output 1, which is combined with Input 2 before CIPHK gives Output 2, and so on up to Input n and Output n; the MIC is taken from Output n]
ZigBee Security
• Suite AES-CCM
Security Operations – Encryption
Encryption (using CTR):
- Counter blocks of 16 bytes each (Counter 1, Counter 2, Counter 3, …, Counter n), produced by Block Counter Management: Flag (1 Byte, 00000010) | Nonce (13 Bytes: Src Addr | Fr Ctr | Key Ctr) | Block Ctr (2 Bytes)
- The MIC from the Authentication (CBC-MAC) phase becomes the Encrypted MIC
- Plaintext 2 … Plaintext n become the Encrypted Payload
- Frame: Headers | Payload | MIC | FCS
[Figure: CTR encryption. Each Counter j is the Input Blk j of CIPHK, which gives Output Blk j; Output Blk j is combined with the corresponding plaintext block to give Ciphertext j]
ZigBee Security Problems
• Same key on multiple ACL entries
[Figure: the Sender transmits MSG to R1: 0xAA00 to Receiver R1 and MSG to R2: 0x00BB to Receiver R2. Legend: PAN Coordinator (FFD), FFD, RFD]
ACL Table:
Address | Key ABC | Frame Ctr | Key Seq. Ctr | Opt. Ext. Fr. Ctr | Opt. Ext. Key Seq. Ctr
Addr R1 | Key RRR | 0x00..00 | 0x00 | 0x00..00 | 0x00
Addr R2 | Key RRR | 0x00..00 | 0x00 | 0x00..00 | 0x00
. . .
Address | Key ZWZ | Frame Ctr | Key Seq. Ctr | Opt. Ext. Fr. Ctr | Opt. Ext. Key Seq. Ctr
Same Nonce initialization
CTR: the same Nonce and the same Key RRR give the same Stream for both entries:
- Ciphertext R1 = 0xAA00 XOR Stream
- Ciphertext R2 = 0x00BB XOR Stream
- Ciphertext R1 XOR Ciphertext R2 = 0xAA00 XOR 0x00BB
ZigBee Security Problems
• Power Failures
- The reboot process after a power failure could correctly initialize the ACL table.
- But:
- What is the initialization value of the Nonces?
- Is there a “non-volatile Nonce state maintenance”?
- If not, that could lead to Nonce reuse!
[Figure: timeline: boot (Initiate ACL table) … power failure … reboot (ReInitiate ACL table). The ACL table holds the same values after boot and after reboot:]
Address | Key ABC | Frame Ctr | Key Seq. Ctr
Addr R1 | Key DEF | 0x00..00 | 0x00
Addr R2 | Key GHI | 0x00..00 | 0x00
. . .
Address | Key ZWZ | Frame Ctr | Key Seq. Ctr
ZigBee Security Problems
• No Support for Group Keys
- Solution 1: Same Key on different ACL entries
- Problem: Nonce reuse
Address | Key ABC | Frame Ctr | Key Seq. Ctr
Addr R1 | Key DEF | Frame Ctr | Key Seq. Ctr
Addr RG1 | Key RRR | 0x00..00 | 0x00
Addr RG2 | Key RRR | 0x00..00 | 0x00
Addr RG3 | Key RRR | 0x00..00 | 0x00
Addr RGn | Key RRR | 0x00..00 | 0x00
Address | Key ZWZ | Frame Ctr | Key Seq. Ctr
- Solution 2: Only One ACL entry, and change the address according to the destination on every frame
- Problem: The receiver must know the “Next Sender” to set up the ACL address
Address | Key ABC | Frame Ctr | Key Seq. Ctr
Addr R1 | Key DEF | Frame Ctr | Key Seq. Ctr
. . .
Addr RG1 | Key RRR | Frame Ctr | Key Seq. Ctr
. . .
Address | Key ZWZ | Frame Ctr | Key Seq. Ctr
Group Address List: Addr RG1, Addr RG2, Addr RG3, …, Addr RGn
ZigBee Security Problems
• Sequential Freshness vs. Single ACL entry
- If there is a single ACL entry key for all, or a group of, network users:
- Sender S1 sends 50 frames to Receiver R, with sequence numbers from 0 to 49
- Receiver R checks Sequential Freshness and updates the last Frame Number
- Sender S2 also sends 50 frames to Receiver R, with sequence numbers from 0 to 49
- Receiver R checks Sequential Freshness and FAILs!
[Figure: Sender S1 and Sender S2 transmit to Receiver R. Legend: PAN Coordinator (FFD), FFD, RFD]
ZigBee Security Problems
• Weak Integrity Protection on AES-CTR
- The use of integrity protection based on a simple CRC calculation (in CTR) is bad!
- It is possible to change the Payload and then recalculate the new CRC
- It is possible to forge messages to begin confidentiality attacks
- Lessons from the IEEE 802.11 standard should be learned on this matter!
Frame: Headers | Payload | FCS (16 bit)
ZigBee Security Problems
• Fast Denial-of-service Attack on AES-CTR
- If Sequential Freshness is used:
- a single forged packet with the Frame Counter and Key Sequence Counter set to the maximum value will stop the reception of any other frame from this address.
- there is no test of the payload, so it could be anything
[Figure: a Bad Sender transmits to the Receiver a frame: Frame Ctr = 0xFFFFFFFF; Key Seq. Ctr = 0xFF | Payload | FCS. Legend: PAN Coordinator (FFD), FFD, RFD]
Receiver ACL Table:
Address | Key ABC | Frame Ctr | Key Seq. Ctr | Opt. Ext. Fr. Ctr | Opt. Ext. Key Seq. Ctr
Addr R1 | Key DEF | 0x00..00 | 0x00 | 0x00..00 | 0x00
Addr R2 | Key GHI | 0x00..00 | 0x00 | 0x00..00 | 0x00
. . .
Address | Key ZWZ | Frame Ctr | Key Seq. Ctr | Opt. Ext. Fr. Ctr | Opt. Ext. Key Seq. Ctr
ZigBee Security Problems
• Acknowledge Forgery
Normal exchange:
- Originator High Layer → Originator MAC: MCPS-DATA.request [AR=1]
- Originator MAC → Recipient MAC: Data [AR=1, DSN=x]
- Recipient MAC → Recipient High Layer: MCPS-DATA.indication
- Recipient MAC → Originator MAC: Ack [DSN=x]
- Originator MAC → Originator High Layer: MCPS-DATA.confirm
Forged acknowledge:
- Originator High Layer → Originator MAC: MCPS-DATA.request [AR=1]
- Originator MAC → Recipient MAC: Data [AR=1, DSN=x]
- Recipient MAC: Burst CRC Error! Drop packet!
- Bad Guy → Originator MAC: Ack [DSN=x]. The Bad Guy knows the DSN!
- Originator MAC → Originator High Layer: MCPS-DATA.confirm
Implementation Environment
• Microchip Stack for the ZigBee Protocol Version 1.0
- Only Star Networks, no peer-to-peer or clustered network support
- Only Non-beacon Star Networks
- No security and access control capabilities
- No routing functionality
• Chipcon SmartRF® CC2420
- CTR, CBC-MAC, or CCM, all with 128 bit key
- 2 keys storage space
- Operations on Transmission, Reception, and Stand-Alone modes
• PICDEM Z Board
- 64 kB Flash memory
Implementation Options
on Microchip Stack for the ZigBee Protocol version 1.0 over Chipcon CC2420 using Microchip PICDEM Z
A – Use Key Seq. Counter to avoid Nonce Repetition (1/2)
- The PAN Coordinator manages the initialization of the Key Sequence Counter field
Association sequence:
- Device High Layer → Device MLME: MLME-ASSOCIATE.request
- Device MLME → Coordinator MLME: Association request, answered with an Acknowledge
- Coordinator MLME → Coordinator High Layer: MLME-ASSOCIATE.indication
- Coordinator High Layer → Coordinator MLME: MLME-ASSOCIATE.response
- Coordinator: KSC Management
- Coordinator MLME → Device MLME: Association response [KSC=x], answered with an Acknowledge
- Device MLME → Device High Layer: MLME-ASSOCIATE.confirm
Association response frame: MHR | CommID | ShortAddr | AssStatus | KSC_Init | MFR
A – Use Key Seq. Counter to avoid Nonce Repetition (2/2)
- The PAN Coordinator manages the initialization of the Key Sequence Counter field
[Figure legend: PAN Coordinator (FFD), FFD, RFD]
ACL Table:
Address | Key | Frame Ctr | Key Seq. Ctr | Opt. Ext. Fr. Ctr | Opt. Ext. Key Seq. Ctr
Addr B | Key ABC | 0x00..00 | 0x00 | 0x00..00 | 0x00
Addr C | Key DEF | 0x00..00 | 0x01 | 0x00..00 | 0x00
Addr D | Key GHI | 0x00..00 | 0x02 | 0x00..00 | 0x00
. . .
Addr ZAZ | Key ZWZ | 0x00..00 | 0xFF | 0x00..00 | 0x00
Frame Ctr: 0x00..00 (4 Bytes, 2^32) | Key Seq. Ctr: 0x00 (1 Byte)
Benefits
- Allows the use of Same Keys on multiple ACL entries
- Allows the use of Group Keys
… The Price
- At the limit, it reduces the number of possible frames transmitted to 2^32
Note: The maximum size of ACL entries on ZigBee is 255 and KSC field is 1 Byte long.
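The nonce collision from "Same key on multiple ACL entries" and the effect of option A, as an added example (not code from the slides or from the Microchip stack): it builds the CTR input block from the fields on the AES-CTR slide and counts ACL entries that share a key and would feed AES the same block. The struct, the function names, the sample address, the big-endian counter layout and a block counter starting at 0 are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {          /* hypothetical ACL entry, outgoing state only */
    uint8_t  key[16];     /* Symmetric Key */
    uint32_t frame_ctr;   /* Frame Counter, 4 bytes */
    uint8_t  key_seq_ctr; /* Key Sequence Counter (KSC), 1 byte */
} acl_entry;

/* Flag | Src Addr (8) | Fr Ctr (4, big-endian assumed) | Key Ctr | Block Ctr (2) */
static void first_ctr_block(uint8_t out[16], const uint8_t src[8], const acl_entry *e)
{
    out[0] = 0x82; /* 10000010, the flag byte shown on the CTR slide */
    memcpy(&out[1], src, 8);
    for (int i = 0; i < 4; i++)
        out[9 + i] = (uint8_t)(e->frame_ctr >> (24 - 8 * i));
    out[13] = e->key_seq_ctr;
    out[14] = out[15] = 0; /* Block Ctr of the first block, assumed to start at 0 */
}

/* Count entry pairs whose next frame would use the same key and counter block. */
static int count_keystream_reuse(const uint8_t src[8], const acl_entry *acl, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++) {
            uint8_t a[16], b[16];
            first_ctr_block(a, src, &acl[i]);
            first_ctr_block(b, src, &acl[j]);
            hits += !memcmp(acl[i].key, acl[j].key, 16) && !memcmp(a, b, 16);
        }
    return hits;
}

/* Constructed table: entries 0 and 1 share a key (R1, R2), entry 2 has its own.
   With option_a set, entry i starts at KSC = i, as in the option A ACL table. */
static int demo(int option_a)
{
    const uint8_t src[8] = {0, 0x12, 0x4B, 0, 0, 0, 0, 1}; /* constructed address */
    acl_entry acl[3];
    memset(acl, 0, sizeof acl);
    acl[2].key[0] = 0x44;
    for (int i = 0; option_a && i < 3; i++)
        acl[i].key_seq_ctr = (uint8_t)i;
    return count_keystream_reuse(src, acl, 3);
}

int main(void) { printf("default: %d, option A: %d\n", demo(0), demo(1)); return 0; }
```

The same count run over a table restored after a reboot shows whether the Power Failures case has put two entries back on an already used nonce.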
B – New Frame Type “Protected-ACK”
- To avoid forgery of Acknowledge Frames, define a new type of Frame
Exchange:
- Originator High Layer → Originator MAC: MCPS-DATA.request [AR=1]
- Originator MAC → Recipient MAC: Data [AR=1, PAR=1, DSN=x]
- Recipient MAC → Recipient High Layer: MCPS-DATA.indication
- Recipient MAC → Originator MAC: ProtectedAck [DSN=x; ExOFrC; ExOKSC]
- Originator MAC → Originator High Layer: MCPS-DATA.confirm
- Bad Guy: The Bad Guy knows the DSN!
ProtectedAck:
- Protected with the current Security Suite
- Payload contains: DSN (Frame Counter and Key Sequence Counter); External Optional Frame Counter; and External Optional Key Sequence Counter
Frame Control Field (2 Bytes), Frame Type Sub-field (3 bits):
- 000 : Beacon Frame
- 001 : Data Frame
- 010 : Acknowledge Frame
- 011 : Command Frame
- 100 – 111 : Reserved
- 100 : Protected Acknowledge Frame
- …
- Reserved bit, used to Request Protected Acknowledge (PAR)
C – Use a Trust Reference Value (TRV)
- To avoid Fast Denial of Service Attack on AES-CTR
[Figure: a Bad Sender transmits to the Receiver a frame: Frame Ctr = Arrived_FrC; Key Seq. Ctr = Arrived_KSC | Payload | FCS. Legend: PAN Coordinator (FFD), FFD, RFD]
Receiver ACL Table:
Address | Key ABC | Frame Ctr | Key Seq. Ctr | Opt. Ext. Fr. Ctr | Opt. Ext. Key Seq. Ctr
Addr R1 | Key DEF | 0x00..00 | 0x00 | Stored_OExFrC | Stored_OExKSC
Addr R2 | Key GHI | 0x00..00 | 0x00 | 0x00..00 | 0x00
. . .
Address | Key ZWZ | Frame Ctr | Key Seq. Ctr | Opt. Ext. Fr. Ctr | Opt. Ext. Key Seq. Ctr
Check on Arrived_FrC and Arrived_KSC:
IF Arrived_KSC >= Stored_OExKSC and IF Arrived_FrC >= Stored_OExFrC
    IF Arrived_KSC <= Stored_OExKSC + TRV and IF Arrived_FrC <= Stored_OExFrC + TRV
        OK !
    ELSE
        Ask Sender
Ask Sender, between Receiver MAC and Sender MAC:
Data [AR=1, PAR=1, DSN=x]
ProtectedAck [DSN=x; ExOFrC; ExOKSC]
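The TRV test above written out as a receiver-side check, as an added example (not code from the slides or from the Microchip stack). The type and function names, the TRV value of 16, the sample counters, rejecting counters below the stored ones, and storing the arrived values on acceptance are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { FRAME_OK, FRAME_STALE, FRAME_ASK_SENDER } trv_result;

typedef struct {            /* hypothetical receiver-side ACL state */
    uint32_t stored_oexfrc; /* Opt. Ext. Frame Counter */
    uint8_t  stored_oexksc; /* Opt. Ext. Key Seq. Counter */
} rx_state;

/* The slide's test. Counters below the stored values fail sequential freshness
   (rejected here, an assumption). Counters more than TRV ahead leave the stored
   state untouched until the sender confirms them. The differences are taken
   after the >= test, so Stored + TRV is never computed and cannot wrap. */
static trv_result check_trv(rx_state *s, uint32_t arrived_frc,
                            uint8_t arrived_ksc, uint32_t trv)
{
    if (arrived_ksc < s->stored_oexksc || arrived_frc < s->stored_oexfrc)
        return FRAME_STALE;
    if ((uint32_t)(arrived_ksc - s->stored_oexksc) > trv ||
        arrived_frc - s->stored_oexfrc > trv)
        return FRAME_ASK_SENDER;
    s->stored_oexfrc = arrived_frc; /* "Set new Opt. Ext. ..." (value assumed) */
    s->stored_oexksc = arrived_ksc;
    return FRAME_OK;
}

/* Constructed scenario: a frame carrying the maximum counters arrives first,
   then the real sender's next frame. */
static void demo(uint32_t trv, trv_result *forged, trv_result *real)
{
    rx_state r1 = { 41u, 0u };
    *forged = check_trv(&r1, 0xFFFFFFFFu, 0xFFu, trv);
    *real   = check_trv(&r1, 42u, 0u, trv);
}

int main(void)
{
    trv_result f, r;
    demo(16u, &f, &r);
    printf("TRV=16: max-counter frame=%d, real frame=%d\n", f, r);
    return 0;
}
```

Calling demo with a TRV of 0xFFFFFFFF reproduces plain sequential freshness: the maximum-counter frame is accepted and the real sender's frame then comes back as FRAME_STALE.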
D – Use Non-volatile memory to store Nonce States
- The problem of re-initialization of the sensor, related to the reuse of the Nonces, can be simply solved by saving the last used values on flash memory.