As#previously#discussed,#payload#space#is#a#scarce#resource#in#IEEE#802.15.4#environments,# and# consequently# header# and# address# compression# is# prevalent# in# 6LoWPAN# and# CoAP# specifications.#In#Figure#5.1#we#illustrate#the#employment#and#availability#of#payload#space#in# IEEE# 802.15.4# lowBenergy# communication# environments# using# 6LoWPAN# and# CoAP,# when# supporting# endBtoBend# communications# with# Internet# hosts.# In# particular,# 6LoWPAN# IPHC# sharedBcontext#header#compression#[71]#enables#the#compression#of#the#UDP/IPv6#header# down#to#10#bytes,#while#CoAP#requires#4#bytes#and#DTLS#a#total#of#13#bytes,#not#considering# the#space#required#for#the#transportation#of#securityBrelated#data#as#an#Initialization#Vector# (IV)#or#authentication#(HMAC)#fields.##
Figure*5.1*9*Payload*space*usage*for*end9to9end*communications*in*6LoWPAN*environments*
Sensing# platforms# as# the# TelosB# [194]# implement# IEEE# 802.15.4# and# support# hardware# AES/CCM# encryption# at# the# link# layer.# While# endBtoBend# security# may# dispense# linkBlayer# security,#this#doesn’t#preclude#the#usage#of#hardwareBbased#encryption#to#support#security# at#higher#layers,#as#we#have#previously#observed#for#6LoWPAN#security#and#consider#also#for# other# research# proposals# described# in# the# thesis.# While# DTLS# provides# confidentiality,# authentication# and# integrity,# the# authentication# and# key# agreement# between# communication#parties#may#take#place#following#different#approaches.#
Regarding#CoAP#security,#two#of#the#proposed#security#modes#currently#require#the#support# of# ECC# publicBkey# authentication# [34],# namely# the# RawPublicKey# and# Certificates# CoAP# security# modes.# Table# 5.1# resumes# the# characteristics# of# the# security# modes# proposed# for# CoAP,#which#we#have#previously#identified#in#Chapter#3#and#analyze#in#greater#detail#in#our# following#discussion.#
As#illustrated#in#this#table,#the#PreSharedKey,#RawPublicKey#and#Certificates#modes#support# security# with# different# configurations.# In# particular,# Elliptic# Curve# Cryptography# (ECC)# operations# are# employed# in# the# RawPublicKey# and# Certificates# security# modes# using# the# Elliptic#Curve#Digital#Signature#Algorithm#(ECDSA)#[133],#and#key#agreement#using#the#Elliptic# Curve# DiffieBHellman# with# Ephemeral# Keying# Algorithm# (ECDHE)# [133].# Encryption# employs#
802.15.4 overhead 127 bytes 102 bytes 25 bytes 6LoWPAN addressing 75 bytes 10 bytes CoAP addressing 4 bytes Application-layer payload DTLS 13 bytes
AES# in# CCM# (at# the# hardware# when# available)# or# CBC# modes.# After# authentication,# both# parties#share#a#preBmaster#shared#secret#from#which#they#derive#a#shared#master#secret,#and# from# this# master# secret# they# obtain# the# keying# material# required# for# encryption# and# authentication#[127].# Table*5.1*–*Security*modes*defined*for*CoAP*communications* Security#mode# Security#usage# NoSec# • Encryption: None; • Authentication: None; PreSharedKey • Encryption: Using DTLS; • Authentication: None; • Keys obtained:
Predefined keys (key for a node, key for a group of nodes); • Mandatory cypher suites:
TLS_PSK_WITH_AES_128_CCM_8
RawPublicKey • Encryption:
Using DTLS; • Authentication:
Mutual using public keys; • Keys obtained:
Device has one or various public keys; Device identification(s) derived from public key(s); Device stores identification of authorized nodes; • Mandatory cypher suites:
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
Certificates • Encryption:
Using DTLS; • Authentication:
Mutual using X.509 certificates; • Keys obtained:
Device has one or more certificates binding public keys to authority names of the device;
Public key and device id of other nodes obtained from certificates;
Device has root trust anchors for certificate validation; • Mandatory cypher suites:
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 TLS_RSA_PSK_WITH_AES_128_CBC_SHA
In# the# PreSharedKey# security# mode# a# device# stores# predefined# keys# used# to# communicate# securely#with#another#sensing#device#or#with#a#group#of#sensing#devices.#This#may#be#useful# in# situations# where# publicBkey# cryptography# requires# too# many# resources,# or# when# the# management# of# preBshared# keying# is# convenient,# as# in# closed# environments# where# preBconfiguration# of# devices# is# necessary# due# to# other# reasons.# This# mode# uses# the# TLS_PSK_WITH_AES_128_CCM# suite,# which# uses# the# Authenticated# Encryption# with# Associated#Data#(AEAD)#[206]#operational#mode#AEAD_AES_128_CCM#[134].#AES#is#used#in# the# Counter# and# CBCBMAC# # (CCM)# mode,# providing# confidentiality# and# data# origin#
authentication.# The# usage# of# an# AEAD# mode# is# a# requirement# from# DTLS,# and# it# adds# the# ability#to#verify#the#integrity#and#authenticity#of#data#other#then#that#which#is#encrypted.#A# 128Bbit#authentication#tag#is#used#with#the#CCM#mode,#and#a#unique#12Bbyte#nonce#is#used# for#each#packet#using#the#same#key.#Integrity#is#supported#using#the#Pseudorandom#Function# (PRF)#defined#for#TLS#1.2#[134]#with#HMAC#with#SHAB256.# In#the#RawPublicKey#mode#a#sensing#device#accesses#one#or#more#public#keys,#from#where#it# may# extract# its# identification.# ECC# publicBkey# cryptography# is# employed# to# perform# authentication#of#peer#devices#(DTLS#client#and#server)#and#the#device#must#also#store#the# identity#of#the#nodes#it#communicates#with,#given#that#a#certification#chain#is#not#available.# The# cipher# suite# proposed# for# this# mode# is# TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,# which#employs#Elliptic#Curve#DiffieBHellman#with#Ephemeral#Keying#(ECDHE)#and#ECDSA#ECC# cryptographic# algorithms.# As# with# the# PreSharedKey# mode,# this# cipher# suite# uses# the# AEAD_AES_128_CCM# operational# mode.# Ephemeral# keys# used# with# ECDHE# enable# perfect# forward# secrecy.# During# the# authentication# process# the# server# generates# and# sends# an# ephemeral#ECDH#ECDSABcapable#public#key#to#the#client,#together#with#the#indication#of#the# corresponding#ECC#curve#to#be#used#for#ECC#encryption.#The#client#then#generates#an#ECDH# key# pair,# sends# its# public# component# to# server# in# a# message# signed# with# ECDSA.# The# authentication#process#allows#for#the#client#and#the#server#to#agree#on#a#shared#premaster# secret#for#DTLS.#
Finally,#the#Certificates#security#mode#adds#to#the#operational#modes#of#the#previous#mode# the#usage#of#certificates#for#authentication#purposes.#A#Certification#Authority#(CA)#should# be# available# so# that# a# device# is# able# to# use# root# trust# anchors# for# certificate# validation# purposes.#For#compatibility#with#devices#not#supporting#ECC#encryption,#authentication#with# RSA# is# available# to# perform# authentication# and# preBshared# key# agreement.# The# RSA_PSK# [207]# key# exchange# algorithm# is# used# in# this# fall# back# usage# scenario,# employing# the# TLS_RSA_PSK_WITH_AES_128_CBC_SHA# security# suite.# Confidentiality# if# guaranteed# using# AES#in#CBC#mode#and#SHA#provides#integrity.#
In#terms#of#security#and#also#of#the#availability#of#critical#resources,#a#chain#is#only#as#strong# as# the# weakest# link.# CoAP# encryption# and# authentication# using# DTLS# may# be# efficiently# supported#by#AES/CCM#at#the#hardware#in#any#of#the#previously#described#security#modes,# but# authentication# and# key# agreement# may# provide# the# largest# impact# on# the# limited# resources# of# lowBenergy# devices# and# communications.# Authentication# and# key# agreement# are# performed# in# the# initial# DTLS# handshake,# which# endBtoBend# devices# are# required# to# support# for# DTLS# to# be# a# viable# solution# in# supporting# endBtoBend# communications# at# the# transport#layer#in#WSN#environments.#This#aspect#motivated#our#preliminary#experimental# evaluation#of#the#impact#of#CoAP#security#as#currently#proposed#for#6LoWPAN#environments# [203],#which#we#discuss#next.#
5.3.2 I
DENTIFICATION*OF*CRYPTOGRAPHIC*ALGORITHMS*FOR*C
OAP
*SECURITY*
Our#preliminary#evaluation#study#was#performed#with#the#goal#of#evaluating#experimentally# the#usage#of#security#for#communications#using#CoAP,#as#a#fundamental#requirement#for#the# successful#integration#of#smart#objects#with#the#Internet#at#the#application#layer.#The#main# goal# of# this# evaluation# is# to# investigate# the# impact# of# CoAP# security# as# currently# proposed# [34],# which# depends# on# DTLS# and# ECCBbased# authentication# and# key# agreement,# as# previously# discussed.# For# this# evaluation,# we# again# consider# the# TelosB# [194]# reference# sensing#platform.#
Our# experimental# evaluation# study# employs# 6LoWPAN# and# CoAP# communication# sessions# established# between# different# 6LoWPAN# devices,# in# particular# between# a# TelosB# sensing# device#and#a#Linux#host#supporting#6LoWPAN,#CoAP#and#IPv6.#The#TelosB#mote#supports#the# latest#version#of#the#TinyOS#[56]#operating#system#with#6LoWPAN#and#CoAP,#together#with# different# configurations# in# terms# of# the# security# algorithms# employed# and# mechanisms# supported.# The#Linux#host#is#a#router#between#an#Ethernet#IPv6#network#and#the#IEEE#802.15.4#LoWPAN,# employing#a#second#TelosB#mote#as#a#bridge#supporting#communications#with#the#network# of#smart#objects.#The#TelosB#mote#used#for#measurement#of#the#experimental#parameters#is# a#batteryBpowered#device#supporting#our#TinyOS#testing#application#and#the#6LoWPAN/CoAP# security#enabled#stack.#As#in#our#previous#evaluation#of#6LoWPAN#security,#we#consider#the# TelosB# mote# to# provide# a# good# reference# for# the# validation# of# new# mechanisms# for# constrained#sensing#platforms.# Table*5.2*9*Cryptographic*algorithms*and*suites*for*CoAP*security* # TLS_PSK_# WITH_AES_128_CCM_8# TLS_ECDHE_ECDSA_# WITH_AES_128_CCM_8# TLS_RSA_PSK_# WITH_AES_128_CBC_SHA# Encryption# AES/CCM AES/CCM AES/CBC
Authentication PSK key exchange ECDHE and ECDSA RSA
Integrity TLS 1.2 PRF (SHA-256) TLS 1.2 PRF (SHA-256) TLS 1.2 PRF (SHA-1) Security mode(s) PreSharedKey RawPublicKey or Certificates Certificates
The# adoption# of# ECC# cryptography# in# supporting# security# in# LoWPAN# communication# environments#is#motivated#by#its#ability#of#supporting#similar#security#than#classic#publicBkey# cryptography# with# significantly# smaller# key# sizes.# Smaller# key# sizes# and# more# efficient# computations#result#in#savings#of#critical#resources#on#constrained#sensing#devices.#In#Table# 5.2# we# describe# the# cryptographic# algorithms# required# for# the# previously# discussed# CoAP# security# modes.# Our# implementation# considers# that,# for# the# configurations# described# in# Table#5.2,#AES/CCM#encryption#is#always#performed#at#the#hardware#on#the#TelosB,#which# provides# AES# in# the# CCM*# combined# mode# with# the# cc2420# chip.# This# mode# uses# 128Bbit# keys# to# process# 128Bbit# blocks# of# data# and# supports# integrity,# authentication# and#
confidentiality#as#required#for#cipher#suites#employing#AES.#We#also#observe#that#all#security# modes#use#SHAB256#for#integrity#verification#operations.#AES#is#also#used#in#the#CBC#mode,# which#in#our#implementation#we#support#in#software.# It#is#important#to#note#that#the#individual#evaluation#of#the#usage#of#each#of#the#algorithms# identified#in#Table#5.2#would#in#practice#not#provide#a#clear#picture#of#the#viability#security# for#CoAP.#Our#goal#is#therefore#to#evaluate#each#CoAP#security#mode#globally,#by#considering# all# the# necessary# cryptographic# algorithms# and# related# operations.# For# this# purpose,# we# employ#software#implementations#of#the#various#suites#optimized#for#small#microcontrollers# with#the#characteristics#of#the#MSP#430#available#on#the#TelosB,#sideBbyBside#with#AES/CCM# hardwareBbased# encryption.# The# fact# that# software# and# hardwareBbased# cryptographic# algorithms#are#employed#simultaneously#contributes#to#the#conclusions#of#our#experimental# evaluation#study,#as#it#traduces#the#heterogeneity#of#the#characteristics#typically#available#on# constrained#sensing#platforms.#