
Chapter 7: Analysis of results

7.2 Scope and limitations

As stated in paragraph 1.3, the research question of this thesis is: how can the distribution and updating of cryptographic keys at the application layer of LoRa be improved? In chapter 3 we saw that currently not all secret keys in LoRa can be updated, and that secret keys can only be pre-distributed manually. We have shown that implementing KDUM improves both key distribution and key updating in LoRa: with KDUM all secret keys (static keys as well as session keys) are updatable, and authenticated key agreement is implemented using ECDH and ECDSA. KDUM can also be used with other LPWAN technologies that offer bi-directional communication (e.g. NB-IoT); a downlink is necessary both for the key exchange and for delivering remote update commands. KDUM can likewise be used by IoT technologies whose devices are not battery powered. Because the energy constraints do not apply to such devices, asymmetric algorithms (such as RSA) are also an option there; the advantages and disadvantages of KDUM compared with such asymmetric schemes on non-battery-powered devices should be researched in future work. Improving key updating and distribution in LPWAN technologies that do not support bi-directional communication, such as SigFox and NWave, should also be researched in future work.

To our knowledge, KDUM is currently the best available solution that makes all secret keys (long-lived as well as session keys) updatable and performs authenticated key exchange securely at the lowest possible energy consumption. As we have shown, KDUM uses AES-128 for encryption, decryption and keyed hashing (the AES-CMAC message integrity code), and ECDH in combination with ECDSA for authenticated key exchange. AES is chosen for encryption and decryption because its energy consumption is low and it is much faster than an asymmetric algorithm. ECDH and ECDSA are chosen for authenticated key exchange because they are energy efficient compared with other key exchange and signing algorithms (e.g. DH and RSA): for a comparable security level, elliptic-curve schemes use far shorter keys (a 256-bit curve offers roughly the strength of 3072-bit RSA or DH (Barker, 2016)), so the underlying modular arithmetic is cheaper.

We have seen that there is a trade-off between energy consumption and security level within LoRa. Using longer keys to achieve a higher level of security immediately has a negative impact on energy consumption, and thus on the lifetime of a node (Hirani, 2003). Therefore AES is used within LoRa: a symmetric cipher achieves the same level of security with far shorter keys, and its computational effort and resulting energy consumption are lower than those of asymmetric algorithms. Because KDUM also uses AES to perform key updating, the impact of an update on the lifetime of a node is low. The same AES-based one-way function that LoRa already uses for deriving the session keys is used to update the static keys.

However, the authenticated key exchange in KDUM has a larger impact on the lifetime of a node, because ECDH and ECDSA consume far more energy than AES. We have seen that either DH or ECDH can be used for key exchange, but ECDH is more energy efficient than DH because of the shorter key lengths used; likewise, ECDSA is more energy efficient than RSA for the same reason. The choice of AES in combination with ECDH and ECDSA is therefore an energy-efficient and secure way to implement KDUM. Nevertheless, because of the relatively high energy consumption of ECDH and ECDSA compared with AES, one should be wary of the impact on the lifetime of the node when using KDUM. It is therefore advisable to update the static keys only when the confidentiality of a static key has been breached or there are strong suspicions that it has become known. Note that in precisely that case the cheap AES-based update alone does not suffice: deriving the successor of a compromised static key from it with a public one-way function does not restore secrecy, since the adversary can perform the same derivation, and a fresh authenticated ECDH agreement is needed to establish a new, independent key.

KDUM makes it possible to update all keys (static and session keys) used within LoRa. Through a new command that must be added to the LoRaWAN specification, the static keys in the nodes can be updated remotely, which is a major improvement on the current implementation of LoRa. As we have seen, static keys currently cannot be updated at all, or only manually with direct physical access to the node. The possibility to update static keys remotely is necessary because updating all nodes manually is infeasible: nodes are often scattered over a large geographical area, which makes manual updates costly, and gaining physical access to some nodes can be very hard (for instance when nodes are embedded in paving stones installed in public parking lots).

The key distribution problem of LoRa is solved by using ECDH and ECDSA to generate a shared key between the node and the application server that can be used for all operations for which the pre-shared static key is used today. The combination of ECDH and ECDSA is chosen because both are based on elliptic curves and because, together, they not only produce a shared key but also prove the authenticity of the ephemeral public keys exchanged in the ECDH protocol. This mitigates the risk of an adversary successfully performing a man-in-the-middle attack. The ECDSA implementation must comply with the standard (NIST, 2009), because an implementation fault can allow an adversary to compute the private key used to sign the public keys; the classic example is reusing, or generating with insufficient randomness, the per-message secret number k, which reveals the private key from as few as two signatures.
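The key distribution phase described in this section, as an added example that is not part of the thesis or of KDUM's own implementation: each side signs its ephemeral ECDH public key with a static ECDSA key, the receiver verifies that signature before deriving the shared 128-bit key, and a substituted ephemeral key (man in the middle) is rejected. The last function illustrates the implementation fault warned about above: two signatures made with the same per-message secret k expose the private key d. The curve (NIST P-256), the hash (SHA-256), the derivation of the 128-bit key from the shared x-coordinate, and the pre-provisioning of each side's static public key are assumptions made for the example; the pure-Python arithmetic is for illustration only and is not constant time.

```python
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-3, D.1.2.3); the curve is an assumption
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
INF = None  # point at infinity

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition, doubling when p1 == p2 (illustrative, not constant time)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg, k=None):
    """ECDSA. k must be fresh and secret; it is a parameter here only to demonstrate reuse."""
    z = h(msg)
    if k is None:
        k = secrets.randbelow(N - 1) + 1
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    assert r and s  # negligible probability; a real implementation retries with a new k
    return r, s

def verify(Q, msg, sig):
    r, s = sig
    if Q is INF or not on_curve(Q) or not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    x = add(mul(h(msg) * w % N, G), mul(r * w % N, Q))
    return x is not INF and x[0] % N == r

class Party:
    """Node or application server: static ECDSA key pair plus the peer's pre-provisioned static public key."""
    def __init__(self):
        self.d, self.Q = keygen()
        self.peer_pub = self.e = None

    def offer(self):
        """Fresh ephemeral ECDH public key, signed with the static ECDSA key."""
        self.e, E = keygen()
        msg = E[0].to_bytes(32, "big") + E[1].to_bytes(32, "big")
        return msg, sign(self.d, msg)

    def accept(self, msg, sig):
        """Verify the peer's signature before using its key; return the 128-bit key or None."""
        E = int.from_bytes(msg[:32], "big"), int.from_bytes(msg[32:], "big")
        if not verify(self.peer_pub, msg, sig) or not on_curve(E):
            return None  # forged (man in the middle) or invalid-curve point: abort
        # Assumption: the 128-bit key is the leftmost 16 bytes of SHA-256 over the shared x-coordinate
        return hashlib.sha256(mul(self.e, E)[0].to_bytes(32, "big")).digest()[:16]

def kdum_key_agreement(mitm=False):
    """Both sides' messages; with mitm=True an adversary swaps in its own ephemeral key."""
    node, server = Party(), Party()
    node.peer_pub, server.peer_pub = server.Q, node.Q
    n_msg, n_sig = node.offer()
    s_msg, s_sig = server.offer()
    if mitm:
        n_msg, n_sig = Party().offer()  # adversary's key, signed with the adversary's static key
    return node.accept(s_msg, s_sig), server.accept(n_msg, n_sig)

def recover_key_from_reused_k(msg1, sig1, msg2, sig2):
    """Two signatures made with the same k share r; solve for k, then for the private key d."""
    (r, s1), (r2, s2) = sig1, sig2
    assert r == r2, "different r: k was not reused"
    z1, z2 = h(msg1), h(msg2)
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N
```

kdum_key_agreement() returns two equal 16-byte keys; with mitm=True the server side returns None because the substituted ephemeral key carries no signature under the node's static key, which is exactly the property ECDSA adds to plain ECDH. In a deployment the per-message secret k should be derived deterministically from the private key and message (RFC 6979) or taken from a vetted random source, and the curve arithmetic must come from a constant-time library.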

Identification of the node (after the shared secret key has been agreed) is performed using the shared key agreed between the node and the application server. Because this shared secret key is known only to the node and the application server, it can serve to identify the node, provided that each pre-shared static key in LoRa, or each shared secret key under KDUM, is unique among all nodes connecting to the application server. The application server guarantees this uniqueness with a check-and-reinitiate procedure after the key distribution phase of KDUM: if a newly agreed key is already in use, the key agreement is repeated.

In the future, several related studies can be performed to further optimize key management in LoRa and other LPWAN networks. The scope of this thesis is limited to solving some specific problems with key management in LoRa. It would be interesting to see whether future LPWAN technologies, such as the LTE-M standard, have the same problems. Within LoRa, other aspects of key management can also be researched.

Because nodes reside in hostile environments, they can be susceptible to side-channel attacks. Through such an attack an adversary can extract all static and session key material used for communication. Secure storage of the keys in nodes and improving resilience against side-channel attacks is one example of future work.

KDUM is designed to work with LoRa, which has a star network topology. The applicability of KDUM to other network topologies, such as the mesh networks used in distributed sensor networks, can be researched. The multi-hop capabilities and any-to-any structure of these networks make this an interesting field of research; the use of group certificates for identification and authentication in such a network may be more efficient than implementing KDUM.

Finally, optimizing cipher suites for LPWAN networks and wireless battery-powered devices can be considered. Current key exchange algorithms, digital signature algorithms and certificate schemes are not specifically designed for the wireless battery-powered devices used in LoRa and other LPWAN networks.

Definitions, abbreviations and symbols

Definitions and abbreviations

3DES Triple DES is a symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block.

3G, 4G Generations of wireless mobile telecommunication technologies developed and standardized by the 3GPP, a partnership between telecommunications operators and suppliers of mobile network components and mobile phones

ADR Adaptive Data Rate

AES Advanced Encryption Standard, also known as Rijndael: a symmetric cryptographic algorithm based on a substitution-permutation network

Array An enumerated collection of identical entities (e.g., an array of bytes)

Authenticity The property that data originated from its purported source

Bit A binary digit having a value of 0 or 1

Bit String A finite, ordered sequence of bits

Block For a given block cipher, a bit string whose length is the block size of the block cipher

Block Cipher An algorithm for a parameterized family of permutations on bit strings of a fixed length

Block Size For a given block cipher, the fixed length of the input (or output) bit strings

Blowfish A symmetric-key block cipher designed in 1993 by Bruce Schneier

Byte A group of eight bits that is treated either as a single entity or as an array of 8 individual bits.

CBC Cipher Block Chaining

CCM Counter with CBC-MAC, an authenticated encryption mode of operation for block ciphers

CFB Cipher feedback

CIA Confidentiality, Integrity and Availability

Cipher Series of transformations that converts plaintext to ciphertext using the Cipher Key.

Cipher Key Secret cryptographic key that is used by the Key Expansion routine to generate a set of Round Keys; can be pictured as a rectangular array of bytes, having four rows and Nk columns

Ciphertext Data output from the Cipher or input to the Inverse Cipher

CMAC Cipher-based Message Authentication Code (NIST SP 800-38B): a block-cipher MAC derived from CBC-MAC that uses two subkeys (K1, K2) derived from the key so that messages of any length are authenticated securely

Collision For a given function, a pair of distinct input values that yield the same output value

Confidentiality The property that information is not made available or disclosed to unauthorized individuals, entities, or processes

CTR Counter

DDoS Distributed Denial of Service

DES Data Encryption Standard

Diffie-Hellman or DH A method of securely establishing a shared cryptographic key over a public channel; one of the first public-key protocols, originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman

DNS Domain Name System

DSA Digital Signature Algorithm

ECB Electronic codebook

ECC Elliptic curve cryptography is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields

ECDH Elliptic curve Diffie-Hellman

ECDSA Elliptic Curve Digital Signature Algorithm

EEPROM Electrically erasable programmable ROM

ElGamal An asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange.

Entropy In information theory entropy is the expected (average) value of the information contained in each message

Exclusive-OR (XOR) The bitwise addition, modulo 2, of two bit strings of equal length

Integrity Maintaining and assuring the accuracy and completeness of data over its entire life-cycle

Inverse Cipher Series of transformations that converts ciphertext to plaintext using the Cipher Key.

IoT The Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment

IPsec Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications.

ISM The industrial, scientific and medical radio bands are portions of the radio spectrum reserved internationally for the use of radio frequency (RF) energy for industrial, scientific and medical purposes other than telecommunications

IV Initialization vector

KDUM Key Updating and Distribution Mechanism

Key Expansion Routine used to generate a series of Round Keys from the Cipher Key

Key length The number of bits in a key used by a cryptographic algorithm

KPS Key Pre-distribution Scheme

Level of assurance Defined in NIST Special Publication 800-63-1, which sets requirements for four levels of assurance. Assurance is in this context the degree of confidence in the process used to establish the identity of an entity, and the confidence that the identity is only used by the entity to which it was granted

LoRa Low-power wide-area technology built on the LoRa radio modulation and the open LoRaWAN network protocol specification, developed to enable a wide range of devices and services to be connected

LPWAN Low power wide area network: a type of wireless telecommunication network designed to allow long-range communication at low bit rates among battery-powered nodes

Message Authentication Code (MAC) A bit string of fixed length, computed by a MAC generation algorithm, that is used to establish the authenticity and, hence, the integrity of a message

Message Integrity Code (MIC) A bit string of fixed length, computed by a MIC generation algorithm, that is used to establish the integrity and, hence, the authenticity of a message; the term LoRaWAN uses for its AES-CMAC-based MAC

NB-IoT A Low Power Wide Area Network (LPWAN) radio technology standard developed to enable a wide range of devices and services to be connected using cellular telecommunications bands

Network effect In economics and business, a network effect (also called network externality or demand-side economies of scale) is the effect that one user of a good or service has on the value of that product to other people. When a network effect is present, the value of a product or service depends on the number of others using it

NIST National Institute of Standards and Technology

Nonce An arbitrary number that may only be used once

NWave An ultra-narrow band radio technology combined with software-defined radio (SDR) techniques to provide a communications network for the Internet of Things

OFB Output feedback

PKI Public Key Infrastructure

Plaintext Data input to the Cipher or output from the Inverse Cipher

RFID Radio Frequency IDentification

ROM Read-only memory

Round Key Round keys are values derived from the Cipher Key using the Key Expansion routine; they are applied to the State in the Cipher and Inverse Cipher

RC6 Rivest cipher 6 is a symmetric key block cipher

RSA An asymmetric (public-key) cryptographic algorithm used for secure data transmission and is based on the factoring problem.

S-box Non-linear substitution table used in several byte substitution transformations and in the Key Expansion routine to perform a one-for-one substitution of a byte value

Secure by design Secure by design means that the software has been designed from the ground up to be secure

Session key A single-use symmetric key used for encrypting all messages in one communication session

SHA Secure Hash Algorithm; specified in FIPS 180

SigFox A wireless network to connect low-energy objects such as electricity meters, smartwatches, and washing machines, which need to be continuously on and emit small amounts of data

Spectrum The frequency band used for communications. E.g. the 900 and 1800 MHz bands are licensed and used for wireless mobile communications; a license to use these bands must be purchased from the government by a service provider, and without a license a service provider cannot operate a wireless mobile network

State Intermediate Cipher result that can be pictured as a rectangular array of bytes, having four rows and four columns

TA Trusted authority who is responsible for such things as verifying identities, issuing certificates, choosing and transmitting keys to users, etc.

Mathematical Symbols

b The block size in bits

C The ciphertext

CIPH_K(X) The output of the forward cipher function of the block cipher under the key K applied to the block X

d The decryption function

e The encryption function

G One of the ECDSA or ECDH domain parameters: the base point (generator) of the elliptic-curve subgroup of prime order n in which the operations take place

Hash(M) The result of a hash computation (message digest or hash value) on message M using an approved hash function

Ij The jth input block

k For ECDSA or ECDH, a per-message secret number

K The secret key

K1 The first subkey, derived from K for CMAC

K2 The second subkey, derived from K for CMAC

LSBs(X) The bit string consisting of the s least significant bits of the bit string X.

M The plaintext (or message)

MAC Check function

Mi The ith block of the formatted message.

Mn The final block, possibly a partial block, of the formatted message.

MSBs(X) The bit string consisting of the s most significant bits of the bit string X.

n The order of the base point of the elliptic curve; the bit length of n is considered to be the key size

p One of the ECDSA or ECDH domain parameters; a prime number that defines the Galois Field GF(p) and is used as a modulus in the operations of GF(p)

q One of the DSA or DH domain parameters; a prime factor of p – 1, the order of the subgroup generated by g (its elliptic-curve counterpart is n)

Q An ECDSA or ECDH public key

r One component of an ECDSA digital signature. See the definition of (r, s)

(r, s) An ECDSA digital signature, where r and s are the digital signature components

s One component of an ECDSA digital signature (see the definition of (r, s)); or the number of bits in a data segment

Tlen The bit length of the MAC

u The number of bits in the last plaintext or ciphertext block.

References

Barker, E. (2016). Recommendation for Key Management, Part 1: General. NIST Special Publication 800-57 Part 1 Revision 4. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-57pt1r4

Schneier, B. (2013). Applied Cryptography: Protocols, Algorithms, and Source Code in C (2nd ed.). John Wiley & Sons.

Cardenas, A. A., Amin, S., Schwartz, G., Dong, R., & Sastry, S. (2012). A game theory model for electricity theft detection and privacy-aware control in AMI systems. 2012 50th Annual Allerton Conference on Communication, Control, and Computing (Allerton), 1830–1837. https://doi.org/10.1109/Allerton.2012.6483444

Dworkin, M. (2001). Recommendation for Block Cipher Modes of Operation: Methods and Techniques. NIST Special Publication 800-38A. https://doi.org/10.6028/NIST.SP.800-38A

Dworkin, M. (2005). Recommendation for Block Cipher Modes of Operation. NIST Special Publication 800-38 series. https://doi.org/10.6028/NIST.SP.800-38d

European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council. Official Journal of the European Union, L 119, 1–88.

NIST. (2001). Announcing the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197. National Institute of Standards and Technology.

Heer, T., Garcia-Morchon, O., Hummen, R., Keoh, S. L., Kumar, S. S., & Wehrle, K. (2011). Security challenges in the IP-based Internet of Things. Wireless Personal Communications, 61(3), 527–542. https://doi.org/10.1007/s11277-011-0385-5

Hirani, S. (2003). Energy consumption of encryption schemes in wireless devices. Retrieved from http://d-scholarship.pitt.edu/7620/

Jing, Q., Vasilakos, A. V., Wan, J., Lu, J., & Qiu, D. (2014). Security of the Internet of Things: perspectives and challenges. Wireless Networks, 20(8), 2481–2501. https://doi.org/10.1007/s11276-014-0761-7

Katz, M. L., & Shapiro, C. (1994). Systems Competition and Network Effects. Journal of Economic Perspectives, 8(2), 93–115. https://doi.org/10.1257/jep.8.2.93

Khan, R., & Zaheer, R. (2012). Future internet: The internet of things architecture, possible applications and key challenges. Proceedings - 10th International Conference on Frontiers of Information
