Networking Working Group Dong Jin Kwak Internet-Draft KT Advanced Technology Lab Expires: April 16 , 2006 Joon Heo Choong Seon Hong Kyung Hee University October, 2005 Secure Route Discovery in Low-Rate WPAN draft-kwak-srd-wpan-00.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on April 16, 2006. Copyright Notice Copyright (C) The Internet Society (2005). Abstract A low-rate wireless personal area network (LR-WPAN) is a network designed for low-cost and very low-power short-range wireless communications. It is hard to employ static routes. Route discovery is the procedure whereby network devices cooperate to find and establish routes through the network and is always performed with regard to a particular source and destination device. However, Route discovery in LR-WPAN has lack of authentication mechanism. Also, dynamic network topology makes it arduous to detect malicious nodes. We proposed a secure route discovery authentication mechanism using the レSRD. レSRD uses RREQ ID, destination address and the unique value as input string to generate authentication code (AC). It is used as the authentication between source node and destination node. Kwak, et al. Expires April 16, 2006 [Page 1] Internet-Draft Secure Route Discovery in Low-Rate WPAN October 2005 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2 2. Route Discovery in LR-WPAN . . . . . . . . . . . . . . . . 2 3. Security of ZigBee Device . . . . . . . . . . . . . . . . . 3 4. Counter with CBC-MAC (CCM) . . . . . . . . . . . . . . . . 3 5. Mechanism . . . . . . . . . . . . . . . . . . . . . . . 4 5.1 レSRD Algorithm . . . . . . . . . . . . . . . . . . . . . 5 5.2 Authentication Code (AC) in RREQ/RREP message . . . . . . . 5 5.3 Authentication Processes in LR-WPAN . . . . . . . . . . . 7 6. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . 9 1. Introduction The explosive growth of embedded control and monitoring in almost any electronic device and the need for connectivity of these applications is causing an integration bottleneck. Conventionally, these communication links are wired. Wires allow power and the reliable transmission of signals from a controller to its peripherals. When the peripherals are not physically contained in the controller, the required wiring brings issues such as cost of installation, safety, and operation convenience to the surface. Wireless technology is the obvious solution to overcome these obstacles, although it comes with its own set of challenges propagation, interface, security, regulations, and others. The technology to overcome these issues exists, but normally with added complexity causing an increase in the cost of the system. A low-rate wireless personal area network (LR-WPAN) is a network designed for low-cost and very low-power, short-range wireless communications. Wireless Sensor Networks are a subset of wireless networking applications focused on enabling connectivity without the use of wires to sensors and actuators is general. IEEE 802.15.4 Working Group is chartered to focus on wireless sensor networks [Doc1]. Kwak, et al. Expires April 16, 2006 [Page 2] Internet-Draft Secure Route Discovery in Low-Rate WPAN October 2005 The ZigBee Alliance is developing the low-cost, very low power consumption, two-way, wireless communications standard. Solutions adopting the ZigBee standard will be embedded in consumer electronics, home and building automation, industrial controls, Many of these application have security needs [Doc2]. Sometimes LR-WPAN is formed by self-configuring wireless sensor devices, usually mobile, which do not rely on any fixed infrastructure. Route discovery is the procedure whereby network devices cooperate to find and establish routes through the network and is always performed with regard to a particular source and destination device. Some sensor nodes in LR-WPAN act as routers to forward packets for each other and this co-operation helps in routing packets to the destination. Therefore, routing protocols must be dynamic and robust against malicious attacks. However route discovery in LR-WPAN has lack of authentication facilities. Also, dynamic network topology makes it arduous to detect malicious nodes. 2. Route Discovery in LR-WPAN In LR-WPAN, When source node desires to send a message to some destination node and does not already have a valid route to that destination, it initiates a path discovery process to located the other node. Essentially routes are discovered using a request-response protocol as shown in Figure 1 [Doc3]. |------------| |---------------| |------------| | A | | Intermediate | | B | | source | | node | |destionation| |-----|------| |------|--------| |------|-----| | | | | | | | Braodcast RREQ | | |--------------------->| | | | RREQ packets may |Compare path | | arrive by multiple |costs and | | paths |respond with | |---------------------->|with a reply | | |when a new | | Zero or More |minium cost | | Unicast RREP packet |is found. | |<----------------------| compare | | | replies | | | and select| | | the one |<---------------------| | the best | | | route | | | --- --- --- Fig 1. Route Discovery Process in Low-Rate WPAN Kwak, et al. Expires April 16, 2006 [Page 3] Internet-Draft Secure Route Discovery in Low-Rate WPAN October 2005 When a device, A, wishes to discover a route to some destination, B, it broadcasts a special route request command (RREQ) frame throughout the network. As the route request command frame transits the network, devices that are not the destination record information about the route taken by the route request command frame. When the route request command frame arrive at B, B responds by unicasting one or more route reply (RREP) command frames. These follow the path set up by the route request and eventually arrive back at A carrying information about possible routes. Routes are compared throughout this process using a routing cost metric that has been defined in such a way that minimizing this metric will minimize latency and improve traffic throughout the network [Doc3]. However, Route discovery in LR-WPAN has lack of authentication mechanism. In LR-WPAN, there are some potential attacks on the integrated routing. To prevent diverse attacks, the authentication process is necessary between source node and destination node. 3. Security of ZigBee Device In IEEE 802.15.4 standard, The AES-CCM-128, AES-CCM-64, AES-CCM-32 modes employ AES to provide access control, encryption, integrity, and, optionally, sequential freshness (by the transmission of a freshness code) [Doc1][IEEE15] In particular, by reusing AES in a clever way, the AES-CCM modes enable a single algorithm to provide all four secure services in a very small implementation. In addition the use of AES-CCM modes retains compatibility with other draft IEEE 802 standards, such as IEEE Draft Std 802.11i and IEEE Std 802.15.3[Doc1]. Security amongst a network of ZigBee devices is based on `link¨keys and a `network¨ key. Unicast communication between APL (Application Layer) peer entities is secured by means of a 128-bit link key shared by two devices, while broadcast communications are secured by means of a 128-bit network key shared amongst all devices in the network [Doc2]. For the purpose, ZigBee defines the role of trust center. The trust center is the device trusted by devices within a network to distributed keys for the purpose of network and end-to-end application configuration management. All members of the network shall recognize exactly one trust center in each secure network. For purpose of network management, a device shall accept an initial network key only from its trust center. Therefore, only a device that hasjoined the network and successfully received the network key will be able to have its messages communicated more than one hop across the network [Doc2]. 4. Counter with CBC-MAC (CCM) CCM [Jonsson][LEE] is a generic authenticate-and-encrypt block cipher mode. CCM is only defined for using with 128-bit block cipher, such as AES. The CCM ideas can easily be extended to other block sizes, but this will require further definitions. For the generic CCM mode there are two parameter choices. The first choice is M, the size of the authentication Kwak, et al. Expires April 16, 2006 [Page 4] Internet-Draft Secure Route Discovery in Low-Rate WPAN October 2005 field. The choice of the value for M involves a trade-off between message expansion and the probability that an attacker can undetectably modify a message. Valid values are 4, 6, 8, 10, 12, 14, and 16octets. The second choice is L, the size of the length field. The value requires a trade-off between the maximum message size and the size of the Nonce. Different applications require different trade-offs,so L is a parameter. Valid values of L range between 2octets and 8octets (the value L=1 is reserved). To send a message, the sender must provide the following information: - An encryption key K suitable for the block cipher. - A nonce N of 15-L octets. Within the scope of any encryption key K, the nonce value should be unique. That is, the set of nonce values used with any given key should not contain any duplicate values. Using the same nonce for two different messages encrypted with the same key destroys the security properties of this mode. - The message m, consisting of a string of l(m) octets where 0 < l(m) < 2^8L. The length restriction ensures that l(m) can be encoded in a field of L octets. - Additional authenticated data a, consisting of a string of l(a) octets where 0 < l(a) < 2^64. This additional data is authenticated but not encrypted, and is not included in the output of this mode. It can be used to authenticate plaintext packet headers, or contextual information that affects the interpretation of the message. Users who do not wish to authenticate additional data can provide a string of length zero. In LR-WPAN, the AES-CCM is used for data encryption/decryption and node authentication. Therefore nodes in LR-WPAN support AES-CCM encryption/decryption mechanism. 5. Mechanism To prevent diverse attacks, the authentication process is necessary between source node and destination node during route discovery process. Moreover, low-cost and low-power characteristic of nodes are important considering fact in LR-WPAN. We proposed a secure route discovery authentication mechanism using the レSRD. レSRD is a new proposal based on the CCM [Jonsson][LEE]. Of course, CCM is a good mechanism to encrypt and authenticate. However, it has some prerequisites and complex transformation process to generate authentication tag. Route discovery process is happened frequently therefore such complexity is overhead to the node. Moreover, CCM uses plaintext data to generate authentication tag. Therefore, if source node has no data, it could not generate authentication value.レSRD uses RREQ ID, destination address and the unique value as input string to generate authentication code (AC). It is used as the authentication value between source node and destination node. Kwak, et al. Expires April 16, 2006 [Page 5] Internet-Draft Secure Route Discovery in Low-Rate WPAN October 2005 5.1 レSRD Algorithm レSRD is only the authentication block cipher mode. レSRD is only defined for using with block ciphers with a 128-bit block size, such as AES-128. As with the CCM mode, the レSRD mode requires only one key. Input: The レSRD mode forward transformation takes as inputs A Key size: NWKkey (network key) = 128 bit AddAuthData : 13 octets. It is received from Trust Center in a periodic time. AuthCode = RREQ ID || destination address || AddAuthData (1octet) (2octets) (13octets) Authentication transformation: B0 = AuthCode The CBC-MAC value X1 is defined by X0 := 0128; X1 := E(NWKkey, X0 XOR B0 ) The AC (authentication code) is the result of omitting all but the leftmost 4 octets of the value X1 thus computed. 5.2 Authentication Code (AC) in RREQ/RREP message Authentication code is generated by レSRD. レSRD uses RREQ ID, AddAuthData and destination address as input string to generate authentication code (AC). We have added AC to RREQ/RREP message in Payload. (Figure 2, 3) Kwak, et al. Expires April 16, 2006 [Page 6] Internet-Draft Secure Route Discovery in Low-Rate WPAN October 2005 |------------|------------|------------|------------| | Frame |Destination | Source | Payload | NWK frame | Control | | | | |------------|------------|------------|------------| < > < > < > < > < |=====================| > |<-------|------||--------|------------|----------|-----|--------->| |Ox01 |Option|| RREQ ID||Destination| Extended | PCM | RREQ AC | |(octets)| 1 || 1 | 2 | Dest. 8 | 1 | 4 | |--------|------||--------|------------|----------|-----|----------| | | | |==========.==========| ^ | | |______________レSRD_____________| / / / Include AddAuthData Fig 2. RREQ Message included Authentication Code |------------|------------|------------|------------| | Frame |Destination | Source | Payload | NWK frame | Control | | | | |------------|------------|------------|------------| < > < > < > < > < |=========| > |<-------|-------|-|---------|-|----------|--------->| |Ox02 |Option | | RREQ ID | | PCM | RREP AC | |(octets)| 1 | | 1 | | 1 | 4 | |--------|-------|-|---------|-|----------|----------| |====.====| ^ | | |__________レSRD_________| / / / Include AddAuthData & destination address Fig 3. RREP Message included Authentication Code Kwak, et al. Expires April 16, 2006 [Page 7] Internet-Draft Secure Route Discovery in Low-Rate WPAN October 2005 5.3 Authentication Processes in LR-WPAN In the previous section, we introduced レSRD and the RREQ/RREP message included authentication code. This section describes the authentication processes in LR-WPAN. a. After successfully associating to a secured network, the joining device shall receive the network key and unique value (AddAuthData) from trust center. b. When a source node (S) desires to send a message to destination node (D) and does not already have a valid route to that destination. It generates the RREQ AC using the レSRD that is included RREQ message payload. Then source node broadcasts a route request (RREQ) message to its neighbor. c. During the process of forwarding the RREQ, intermediate nodes (A, B, E) recode the RREQ AC in their route discovery table. d. Once the RREQ reaches the destination node (D) with a fresh enough route, the destination node generates RREP AC using the レSRD. And then destination node compares RREP AC with RREQ AC. If two values are same, destination node authenticates source node. e. The RREP included AC is routed back along the reverse path. f. If malicious node sends the RREP message to intermediate node. It compares RREP AC with RREQ AC and then ignores the RREP message. g. Once the RREQ reaches the source node (S), the source node compares RREP AC with RREQ AC. If two values are same, source node authenticates destination node. Kwak, et al. Expires April 16, 2006 [Page 8] Internet-Draft Secure Route Discovery in Low-Rate WPAN October 2005 A successful authentication procedure is shown in Figure 4. ___________ ____________ _________________ __________ |Source node| |Trust Center| |Intermediate node| |dest. node| |___________| |____________| |_________________| |__________| | | | | | | | | join the network | | join the network | | | | |NWK & AddAuthData | NWK & AddAuthData | |<----------------|||------------------|----------------->| | | | | Generate RREQ | | | AC using the レSRD | | | | | | | | Broadcast RREQ included AC | | |------------------|------------------>| | | | | | | | Save RREQ AC | | | | | | | | RREQ | | | |----------------->| | | | | | | | Generate RREP | | | AC using the レSRD | | | | | | | Compare RREQ AC | | | with RREP AC | | | | | | | Authentication | | | | | | | RREQ included AC | | | |<-----------------| | | | | | | Compare RREQ AC | | | with RREP AC | | | | | | RREP included AC | | |<-----------------|-------------------| | | | | | Compare RREQ AC | | | with RREP AC | | | | | | | Authentication | | | | | | | | | | | | | | | ======== ======= ========= ======== Fig 4. Successful Authentication processes Kwak, et al. Expires April 16, 2006 [Page 9] Internet-Draft Secure Route Discovery in Low-Rate WPAN October 2005 6. Conclusion Route discovery in LR-WPAN has lack of authentication mechanism. In LR-WPAN, there are some potential attacks on the integrated routing. Such problem is caused by non-authentication between source node and destination node. To prevent diverse attacks, the authentication process is necessary between source node and destination node. We decribes a secure route discovery authentication mechanism using the レSRD. レSRD uses RREQ ID, destination address and the unique value as input string instead of plaintext data to generate authentication code (AC). It is included RREQ/RREP message and it is used as the authentication between source node and destination node. This mechanism can reduce the resource of nodes. Also, our mechanism uses lower resource and processing time. It is important fact to the node in LR-WPAN. REFERENCES [Doc1] Jose A. Gutierrez, Edgar H. Callaway Jr, Raymond L. Barrett Jr, ^Low-Rate Wireless Personal Area Networks ̄, IEEE Std 802.15.4. [Doc2] Document 03322r12: ZigBee Security Services Specification, July 2004. [Doc3] Document 02130r5: ZigBee Network Specification, March 2003. [IEEE15] IEEE Standard for Part 15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) specifications for Low Rate Wireless Personal Area Networks (LR-WPANs), 2003. [Zapata] Manel Guerrero Zapata, Secure Ad hoc On-Demand Distance Vector Routing, ACM Mobile Computing and Communications Review (MC2R), Vol. 6, No.3, pp.106-107, 2002. [Jonsson] J. Jonsson, On the Security of CTR+CBC-MAC, in Proceedings of Selected Area in Cryptography-SAC 2002, K. Nyberg, H. Heys, Eds., Lecture Notes in Computer Science, Vol. 2595, pp. 76-93, Berlin: Springer, 2002. [Lee] Man Young LEE, ^Internet Security Cryptographic principles, algorithms and protocols", WILEY, 2002. AUTHOR'S ADDRESS Questions about this document can also be directed to the author: Dongjin Kwak KT Advanced Technology Lab Woomyun, Seocho, Seoul, Korea djk@kt.co.kr Joon Heo Department of Computer Engineering Kyung Hee University 1 Seocheon, Giheung, Yongin, Gyeongi-Do, 449-701, Korea Email: joon@networking.khu.ac.kr Choong Seon Hong Department of Computer Engineering Kyung Hee University 1 Seocheon, Giheung, Yongin, Gyeongi-Do, 449-701, Korea E-mail : cshong@khu.ac.kr Kwak, et al. Expires April 16, 2006 [Page 10] Internet-Draft Secure Route Discovery in Low-Rate WPAN October 2005 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Kwak, et al. Expires April 16, 2006 [Page 11]