ZigBee Security Specification Overview

Transcription

1 Wireless Control That Simply Works ZigBee Security Specification Overview Copyright 2005 ZigBee TM Alliance. All Rights Reserved.

2 Agenda ZigBee Security Overview Residential Applications Guidelines Typical configurations Commercial Applications Guidelines Typical configurations 2

3 Describes Key setup and maintenance (Commercial, Residential) ZigBee 1.0 Defines security Key builds Types on security (Master, Link, Network) ZigBee Security CCM* (Unified/Simpler mode of operation) Security AES encryption CCM security modes Uses 128-bit AES algorithm Strong, NIST approved security ZigBee uses the basic security elements in

4 ZigBee Security Architecture Application Framework Application (APL) Layer Application Object 30 Endpoint 30 APSDE-SAP Application Object 1 Endpoint 1 APSDE-SAP ZDO Public Interfaces ZigBee Device Object (ZDO) Endpoint 0 APSDE-SAP Defines security for the MAC, NWK, and APS layers Application Support Sublayer (APS) Security Service Provider ASL APS Security Management NLDE-SAP NWK Security Management APS Message Broker Network (NWK) Layer NWK Message Routing Broker Management Reflector Management Network Management APSME-SAP - NLME-SAP ZDO Management Plane MLDE-SAP Medium Access Control (MAC) Layer MLME-SAP PD-SAP Physical (PHY) Layer PLME-SAP 2.4 GHz Radio 868/915 MHz Radio 4

5 ZigBee Provides Freshness Freshness check prevents replay attacks ( an attacker from replaying messages ) ZigBee devices maintain incoming and outgoing freshness counters Counter is reset when a new key is created Devices that communicate once per second will not overflow their freshness counters for 136 years 5

6 ZigBee Provides Message Integrity Prevents an attacker from modifying the message in transit Option of 0, 32, 64, or 128 bit integrity Default is 64 Integrity options allow tradeoff between message protection and message overhead 6

7 ZigBee provides Authentication Authentication provides assurance about the originator of the message Prevents an attacker from modifying a hacked device to impersonate another device Authentication is possible at network level or device level Network level authentication is achieved by using a common network key This prevents outsider attacks while adding very little in memory cost Device level authentication is achieved by using unique link keys between pairs of devices This prevents insider and outsider attacks but has higher memory cost 7

8 ZigBee Provides Encryption Prevents an eavesdropper from listening to messages ZigBee uses 128-bit AES encryption Encryption protection is possible at network level or device level Network level encryption is achieved by using a common network key This prevents outsider attacks while adding very little in memory cost Device level encryption is achieved by using unique link keys between pairs of devices This prevents insider and outsider attacks but has higher memory cost Encryption can be turned off without impacting freshness, integrity, or authentication Some applications may not need encryption protection Could help to ease export control regulation issues 8

9 ZigBee frames with Security Application of security suite adds auxiliary header and also an integrity code Message Integrity Code SYNC PHY HDR MAC HDR NWK HDR APS HDR Auxiliary HDR Encrypted APS Payload MIC All of the above APS frame is integrity-protected ZigBee Security could add headers to the data frames at the MAC, NWK, and APS layers 9

10 ZigBee introduces the concept of a Trust Center ZigBee Network The trust center allows devices into the network and distributes keys The ZigBee coordinator is assumed to be the trust center Coordinator Router End Device Mesh Link Star Link It is possible for the trust center to be a dedicated device e.g. a portable device 10

11 Trust Center roles Trust Manager Authenticate device that request to join network Network Manager Maintains and distributes network keys Configuration Manager Enabling end-to-end security between devices 11

12 Trust Center modes Residential Mode The trust center allows devices to join the network, but does not establish keys with network devices The trust center cannot update keys periodically because it does not maintain keys with network devices The memory cost in the trust center is minimal and does not scale with the size of the network Commercial Mode The trust center establishes and maintains keys and freshness counters with every device in the network This allows centralized control and update of keys Cost memory in the trust center could scale with the size of the network 12

13 ZigBee uses three fundamental key types Can be setup over the air or using out-of-band mechanisms (eavesdropping should be prevented when this is setup) Can also be factory installed option Can also be factory installed option Master Key Basis for long-term security between two devices Link Key Basis of security between two devices Network Key Basis of security across the network ( protects against outsiders ) Can also be factory installed option Link and Network keys can be updated periodically 13

14 Setup of Link and Network keys Master keys are installed first: A) Installed in factory or out of band B) Sent from Trust Center Master Key Basis for long-term security between two devices Link Key Basis of security between two devices Options for installation of Link and Network Keys: A) Installed in factory or out of band B) SKKE handshake between devices ( Link keys ) C) Key transport from trust center ( Link and Network keys ) Network Key Basis of security across the network 14

15 Keys need to be setup with and between new devices that join the network Existing Network A B X Y E (Empty Device) C Coordinator Router End Device Mesh Link Star Link Binding Link 15

16 If keys are setup over-the-air only the last link is vulnerable to a one time eavesdropper attack Existing Network A B Secure X Secure Y Unsecured E (Empty Device) C Coordinator Router End Device Mesh Link Star Link Binding Link 16

17 After a devices joins it needs to store multiple keys A Existing Network B X Y Possible security material MAC Security: MK YE = Master Key LK YE = Link Key Trust Center Security: MK BE = Master Key LK BE = Link Key C E (Secured Device) Infrastructure Security: K NWK = Network Key Coordinator Mesh Link Application Security: MK CE = Master Key LK CE = Link Key Router End Device Star Link Binding Link 17

18 ZigBee allows options to reduce storage cost, but the highest possible security is always used B LK BC = Link Key K NWK = Network Key If two devices have a link key, it is always used instead of the network key C B C K NWK = Network Key Storage cost can be reduced by using the network key. However, this reduces security since the network key is used in many devices and cannot prevent insider attacks. 18

19 Policy decisions not defined in ZigBee Specification Out of band methods for key setup Cost/Security tradeoff for number of link keys needed Choosing Commercial/Residential modes is starting point for this decision Handling security error conditions Handling loss of counter synchronization Handling loss of key synchronization Policy for expiration and update of keys Policy for accepting new devices 19

20 Agenda ZigBee Security Overview Residential Applications Guidelines Typical configurations Commercial Applications Guidelines Typical configurations 20

21 Definition of Residential Application (from a security viewpoint) A secure wireless network that can be installed and maintained by a homeowner with no knowledge of security Security is transparent during setup Must still provide best security possible The homeowners takes no active role in maintaining security of network Homeowner may discard devices without revocation of keys 21

22 Residential Keys Wireless Network Coordinator K N K N Router B A X Y K N End Device K N K N Network Key K N K N D C A minimum number of keys/storage is used for low cost 22

23 Residential Trust Center is Low Cost Residential Trust Center only needs to store network key Minimizes storage Low capability device can act as trust center Trust center can be easily replaced with another device without homeowner intervention When another Coordinator takes over, it becomes the trust center 23

24 Key and Frame Counter Storage Requirements for Residential Devices All Devices require network key and frame counters One outgoing network frame counter Incoming network frame counters FFD: one per child RFD: one for parent Provides only network level authentication, integrity and encryption protection Vulnerable to insider attacks 24

25 Example of Residential-Mode Authentication Trust Center Router Joiner Joined (unauthenticated) Update-Device Command Decision to accept new device Secured Transport-Key Command(NWK key) 1 Unsecured Transport-Key Command(NWK key) 1 Joined (authenticated) Note: 1. The trust center sends a dummy all-zero NWK key if the joiner securely joined using a preconfigured network key. 25

26 Agenda ZigBee Security Overview Residential Applications Guidelines Typical configurations Commercial Applications Guidelines Typical configurations 26

27 Definition of Commercial Application (from a security viewpoint) A wireless network which is controlling mission critical applications Commercial lighting, HVAC, Alarm Production monitoring and control Critical residential applications might use commercial security A wireless network which is actively monitored and maintained Scheduled key updates Controlled addition of new devices Revocation of discarded devices 27

28 Commercial System Guidelines Trust Center should only admit new devices when manually enabled Prevents unauthorized devices from joining Trust Center should update network key for legitimate devices periodically Encrypt with link key (not network key) Compromised devices will not get updated key Network key should only be used by the network layer Prevents attacker from using network key to control devices 28

29 Commercial Keys Wireless Network K N K ABM K ABL K BCM K BCL B K N, K BCM, K ACM, K XCM, K BCL, K ACL, K XCL K N, K ABM, K ACM K AXM, K AYM, K ADM K ABL, K ACL, K AXL, K AYL, K ADL A C X K N K AXM, K CXM, K XYM, K AXL, K CXL, K XYL Y K N, K ADM, K ADL K N, K XYM, K YAM, K XYL, K YAL D Coordinator Router End Device K N Network Key K ABM Master Key K ABL Link Key Keys with trust center allow periodic update of network keys 29

30 Example commercial-mode authentication procedure Trust Center Router Joiner Joined (unauthenticated) Update-Device Command Decision to accept new device Secured Transport-Key Command (Master key) 1 SKKE-1 Command Unsecured Transport-Key Command (Master key) 1 SKKE-3 Command Secured Transport-Key Command(NWK key) See Note 2 SKKE-2 Command SKKE-4 Command Joined (authenticated) Notes: 1. The trust center does not send a master key if it already shares one with the joiner device (i.e., the pre-configured situation) 2. SKKE commands shall be sent using the router as a liaison when the nwksecureallframe NIB attribute is TRUE (i.e., these commands will be secured between the trust center and router at the NWK layer, but not between the router and joiner). 30

31 Example of Network Key-Update Trust Center Device 1 Device 2 Transport-Key Command(NWK key, N) Transport-Key Command(NWK key, N) Replace alternate network key with network key N. Can only store one Network Key Switch-Key Command(N) Switch-Key Command(N) Make network key N the active network key. Replace active network key with network key N. Ignore command. 31

32 Example Network Key-Recovery Trust Center Request-Key Command(NWK key) Device A Make sure device A is part of the network. Transport-Key Command(NWK key, N) Switch-Key Command(N) Replace alternate network key with network key N. Make network key N the active network key. 32

33 Example End-to-End Application key establishment Initiator Learn address of responder via discovery or other means (e.g., preloaded) Trust Center Responder Request-Key Command(key, responder address) Start a timer and send a link or master key to initiator and responder. The trust center shall discard new request-key commands for this pair of devices, unless they are from the initiator, until after the timer expires. Transport-Key Command(key, Initiator=TRUE, PartnerAddress = Responder s address) Transport-Key Command(key, Initiator=FALSE, PartnerAddress = Initiator s address) Stores key and, if a master key, initiates key establishment Decides whether to the store key SKKE-1 Command SKKE-2 Command Responder decides whether to run key-establishment protocol SKKE-3 Command SKKE-4 Command Status of SKKE reported to ZDO Status of SKKE reported to ZDO 33

34 Example Remove-Device Procedure Trust Center Remove-Device Command 1 Router Device Disassociation Notification Command 2 Note: 1. If a trust center wants a device to leave and if the trust center is not the router for that device, the trust center shall send the router a remove-device command with the address of the device it wishes to leave the network. 2. A router shall send a disassociation command to cause one of its children to leave the network. 34

35 Example Device-Leave procedure Trust Center Update-Device Command 2 Router Disassociation Notification Command 1 Device Note: 1. A device leaving the network shall send a disassociation command to its router. 2. Upon receipt of a valid disassociation command, a router shall send an update-device command to the trust center to inform it that a device has left the network. 35