Light-Weight Implementation Guidance                           M. Sethi
Internet-Draft                                                 J. Arkko
Intended status: Informational                               A. Keranen
Expires: January 1, 2017                                         H. Back
                                                                Ericsson
                                                           June 30, 2016

Practical Considerations and Implementation Experiences in Securing Smart Object Networks
draft-aks-lwig-crypto-sensors-01

Abstract

This memo describes challenges associated with securing smart object devices in constrained implementations and environments. The memo describes a possible deployment model suitable for these environments, discusses the availability of cryptographic libraries for small devices, presents some preliminary experiences in implementing small devices using those libraries, and discusses trade-offs involving different types of approaches.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 1, 2017.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Related Work
3. Challenges
4. Proposed Deployment Model
5. Provisioning
6. Protocol Architecture
7. Code Availability
8. Implementation Experiences
9. Example Application
10. Design Trade-Offs
11. Feasibility
12. Freshness
13. Layering
14. Symmetric vs. Asymmetric Crypto
15. Security Considerations
16. IANA Considerations
17. Informative references
Appendix A. Acknowledgments

1. Introduction

This memo describes challenges associated with securing smart object devices in constrained implementations and environments (see Section 3).

Secondly, Section 4 discusses a deployment model that the authors are considering for constrained environments. The model requires a minimal amount of configuration, and we believe it is a natural fit with the typical communication practices of smart object networking environments.

Thirdly, Section 7 discusses the availability of cryptographic libraries. Section 8 presents some experiences in implementing small devices using those libraries, including information about achievable code sizes and speeds on typical hardware.

Finally, Section 10 discusses trade-offs involving different types of security approaches.

2. Related Work

The Constrained Application Protocol (CoAP) [RFC7252] is a light-weight protocol designed to be used in machine-to-machine applications such as smart energy and building automation. Our discussion uses this protocol as an example, but the conclusions may apply to other similar protocols. The CoAP base specification [RFC7252] outlines how to use DTLS [RFC6347] and IPsec [RFC7296] for securing the protocol. DTLS can be applied with group keys, pairwise shared keys, or with certificates. The security model in all cases is mutual authentication, so while there is some commonality to HTTP in verifying the server identity, in practice the models are quite different. The specification says little about how DTLS keys are managed. The IPsec mode is described with regard to the protocol requirements, noting that small implementations of IKEv2 exist [RFC7815]. However, the specification is silent on policy and other aspects that are normally necessary in order to implement interoperable use of IPsec in any environment [RFC5406].

[RFC6574] gives an overview of the security discussions at the March 2011 IAB workshop on smart objects. The workshop recommended additional work on developing suitable credential management mechanisms (perhaps something similar to the Bluetooth pairing mechanism), on understanding the implementability of standard security mechanisms in small devices, and additional research in the area of lightweight cryptographic primitives.

[I-D.moskowitz-hip-dex] defines a light-weight version of the HIP protocol for low-power nodes. This version uses a fixed set of algorithms, Elliptic Curve Cryptography (ECC), and eliminates hash functions. The protocol still operates based on host identities, and runs end-to-end between hosts, protecting IP layer communications. [RFC6078] describes an extension of HIP that can be used to send upper layer protocol messages without running the usual HIP base exchange at all.

[I-D.daniel-6lowpan-security-analysis] makes a comprehensive analysis of security issues related to 6LoWPAN networks, but its findings also apply more generally to all low-powered networks. Some of the issues this document discusses include the need to minimize the number of transmitted bits and simplify implementations, threats in smart object networking environments, and the suitability of 6LoWPAN security mechanisms, IPsec, and key management protocols for implementation in these environments.

[I-D.garcia-core-security] discusses the overall security problem for Internet of Things devices. It also discusses various solutions, including IKEv2/IPsec [RFC7296], TLS/SSL [RFC5246], DTLS [RFC6347], HIP [RFC7401] [I-D.moskowitz-hip-dex], PANA [RFC5191], and EAP [RFC3748]. The draft also discusses various operational scenarios, bootstrapping mechanisms, and challenges associated with implementing security mechanisms in these environments.

3. Challenges

This section discusses three challenges: implementation difficulties, practical provisioning problems, and layering and communication models.

The most often discussed issues in the security for the Internet of Things relate to implementation difficulties. The desire to build small, battery-operated, and inexpensive devices drives the creation of devices with a limited protocol and application suite. Some of the typical limitations include running CoAP instead of HTTP, limited support for security mechanisms, limited processing power for long key lengths, sleep schedules that do not allow communication at all times, and so on. In addition, the devices typically have very limited support for configuration, making it hard to set up secrets and trust anchors.

The implementation difficulties are important, but they should not be overemphasized. It is important to select the right security mechanisms and avoid duplicated or unnecessary functionality. But at the end of the day, if strong cryptographic security is needed, the implementations have to support that. Also, the use of the most lightweight algorithms and cryptographic primitives is useful, but should not be the only consideration in the design. Interoperability is also important, and often other parts of the system, such as key management protocols or certificate formats, are heavier to implement than the algorithms themselves.

The second challenge relates to practical provisioning problems. This is perhaps the most fundamental and difficult issue, and it is unfortunately often neglected in the design. There are several problems in the provisioning and management of smart object networks:

o  Small devices have no natural user interface for configuration that would be required for the installation of shared secrets and other security-related parameters. Typically, there is no keyboard, no display, and there may not even be buttons to press. Some devices may only have one interface, the interface to the network.

o  Manual configuration is rarely, if at all, possible, as the necessary skills are missing in typical installation environments (such as in family homes).

o  There may be a large number of devices. Configuration tasks that may be acceptable when performed for one device may become unacceptable with dozens or hundreds of devices.

o  Network configurations evolve over the lifetime of the devices, as additional devices are introduced or addresses change. Various central nodes may also receive more frequent updates than individual devices such as sensors embedded in building materials.

Finally, layering and communication models present difficulties for straightforward use of the most obvious security mechanisms. Smart object networks typically pass information through multiple participating nodes [I-D.arkko-core-sleepy-sensors], and end-to-end security for IP or transport layers may not fit such communication models very well. The primary reasons for needing middleboxes are the need to accommodate sleeping nodes and the need to enable the implementation of nodes that store or aggregate information.

4. Proposed Deployment Model

[I-D.arkko-core-security-arch] recognizes the provisioning model as the driver of what kind of security architecture is useful. This section re-introduces this model briefly in order to facilitate the discussion of the various design alternatives later.

The basis of the proposed architecture is self-generated secure identities, similar to Cryptographically Generated Addresses (CGAs) [RFC3972] or Host Identity Tags (HITs) [RFC7401]. That is, we assume the following holds:

   I = h(P|O)

where I is the secure identity of the device, h is a hash function, P is the public key from a key pair generated by the device, and O is optional other information.

5. Provisioning

As provisioning security credentials, shared secrets, and policy information is difficult, the provisioning model is based only on the secure identities.
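The identity derivation I = h(P|O) and the way a server that holds only a list of such identities checks a signed message, as an added example in Go; this is not code from the draft or from any of the libraries it surveys. It assumes Ed25519 for the device key pair, SHA-256 truncated to 128 bits (the 32 hex digit form Section 5 mentions) for h, and a constructed report structure and "purpose" string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device is one smart object. The private key is generated on the device and
// never leaves it; only the public key P and the optional information O are shown.
type Device struct {
	pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	other []byte // O: optional other information (assumed here to be a short label)
}

// NewDevice generates a fresh key pair in a random key generation process.
func NewDevice(other []byte) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{pub: pub, priv: priv, other: other}, nil
}

// Identity computes I = h(P|O). Assumption: h is SHA-256 truncated to 128 bits,
// which yields a 32 hex digit identity suitable for printing on packaging.
func Identity(pub ed25519.PublicKey, other []byte) string {
	buf := append(append([]byte{}, pub...), other...) // P|O
	sum := sha256.Sum256(buf)
	return hex.EncodeToString(sum[:16])
}

// Identity returns the device's own secure identity.
func (d *Device) Identity() string { return Identity(d.pub, d.other) }

// Report is what a device sends. Nothing in it is secret: the server needs P and
// O to recompute I, and the signature proves ownership of the private key.
type Report struct {
	Pub   ed25519.PublicKey
	Other []byte
	Msg   []byte
	Sig   []byte
}

// Sign produces a report that only the holder of the private key can make.
func (d *Device) Sign(msg []byte) Report {
	return Report{Pub: d.pub, Other: d.other, Msg: msg, Sig: ed25519.Sign(d.priv, msg)}
}

// Server holds only the identities noted at installation time, together with
// the application information (location, purpose) collected alongside them.
type Server struct {
	authorized map[string]string // identity -> purpose
}

func NewServer() *Server { return &Server{authorized: map[string]string{}} }

// Authorize records one identity read from the device or its packaging.
func (s *Server) Authorize(identity, purpose string) { s.authorized[identity] = purpose }

var (
	ErrUnknownIdentity = errors.New("identity is not in the authorized list")
	ErrBadSignature    = errors.New("signature does not verify under the presented key")
)

// Verify recomputes I from the presented key, rejects unknown identities before
// doing any signature work, and only then checks the signature.
func (s *Server) Verify(r Report) (string, error) {
	if len(r.Pub) != ed25519.PublicKeySize {
		return "", ErrBadSignature // malformed key; ed25519.Verify would panic on it
	}
	purpose, ok := s.authorized[Identity(r.Pub, r.Other)]
	if !ok {
		return "", ErrUnknownIdentity
	}
	if !ed25519.Verify(r.Pub, r.Msg, r.Sig) {
		return "", ErrBadSignature
	}
	return purpose, nil
}

func main() {
	sensor, _ := NewDevice([]byte("kitchen")) // constructed O value
	server := NewServer()
	server.Authorize(sensor.Identity(), "kitchen temperature sensor") // installation step

	report := sensor.Sign([]byte("temp=21.5")) // constructed reading
	purpose, err := server.Verify(report)
	fmt.Println("genuine device:", purpose, err)

	// A device with its own key pair cannot produce the registered identity.
	impostor, _ := NewDevice([]byte("kitchen"))
	_, err = server.Verify(impostor.Sign([]byte("temp=99")))
	fmt.Println("unregistered key:", err)

	// Replacing the reading breaks the signature even though I still matches.
	report.Msg = []byte("temp=99")
	_, err = server.Verify(report)
	fmt.Println("tampered reading:", err)
}
```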
A typical network installation involves physical placement of a number of devices while noting the identities of these devices. This list of short identifiers can then be fed to a central server as a list of authorized devices. Secure communications can then commence with the devices, at least as far as information from the devices to the server is concerned, which is what is needed for sensor networks.

The above architecture is a perfect fit for sensor networks where information flows from a large number of devices to a small number of servers. But it is not sufficient alone for other types of applications. For instance, in actuator applications a large number of devices need to take commands from somewhere else. In such applications it is necessary to ensure that the commands come from an authorized source. This can be supported, with some additional provisioning effort and optional pairing protocols. The basic provisioning approach is as described earlier, but in addition there must be something that informs the devices of the identity of the trusted server(s). There are multiple ways to provide this information. One simple approach is to feed the identities of the trusted server(s) to devices at installation time. This requires either a separate user interface, a local connection (such as USB), or using the network interface of the device for configuration. In any case, as with sensor networks, the amount of configuration information is minimized: just one short identity value needs to be fed in. Not both an identity and a certificate. Not shared secrets that must be kept confidential. An even simpler provisioning approach is that the devices in the device group trust each other. Then no configuration is needed at installation time. When both peers know the expected cryptographic identity of the other peer off-line, secure communications can commence. Alternatively, various pairing schemes can be employed. Note that these schemes can benefit from the already secure identifiers on the device side. For instance, the server can send a pairing message to each device after their initial power-on and before they have been paired with anyone, encrypted with the public key of the device. As with all pairing schemes that do not employ a shared secret or the secure identity of both parties, there are some remaining vulnerabilities that may or may not be acceptable for the application in question. In any case, the secure identities help again in ensuring that the operations are as simple as possible. Only identities need to be communicated to the devices, not certificates, not shared secrets or IPsec policy rules.

Where necessary, the information collected at installation time may also include other parameters relevant to the application, such as the location or purpose of the devices. This would enable the server to know, for instance, that a particular device is the temperature sensor for the kitchen.

Collecting the identity information at installation time can be arranged in a number of ways. The authors have employed a simple but not completely secure method where the last few digits of the identity are printed on a tiny device just a few millimeters across. Alternatively, the packaging for the device may include the full identity (typically 32 hex digits), retrieved from the device at manufacturing time. This identity can be read, for instance, by a bar code reader carried by the installation personnel. (Note that the identities are not secret; the security of the system does not depend on the identity information being kept from others. The real owner of an identity can always prove its ownership with the private key, which never leaves the device.) Finally, the device may use its wired network interface or proximity-based communications, such as Near-Field Communications (NFC) or Radio-Frequency Identity tags (RFIDs). Such interfaces allow secure communication of the device identity to an information gathering device at installation time.

No matter what the method of information collection is, this provisioning model minimizes the effort required to set up the security. Each device generates its own identity in a random, secure key generation process. The identities are self-securing in the sense that if you know the identity of the peer you want to communicate with, messages from the peer can be signed by the peer's private key and it is trivial to verify that the message came from the expected peer. There is no need to configure an identity and a certificate of that identity separately. There is no need to configure a group secret or a shared secret. There is no need to configure a trust anchor. In addition, the identities are typically collected anyway for application purposes (such as identifying which sensor is in which room). Under most circumstances there is actually no additional configuration effort from provisioning security.

Groups of devices can be managed through single identifiers as well. In these deployment cases it is also possible to configure the identity of an entire group of devices, rather than registering the individual devices. For instance, many installations employ a kit of devices bought from the same manufacturer in one package. It is easy to provide an identity for such a set of devices as follows:

   Idev = h(Pdev|Potherdev1|Potherdev2|...|Potherdevn)

   Igrp = h(Pdev1|Pdev2|...|Pdevm)

where Idev is the identity of an individual device, Pdev is the public key of that device, and Potherdevi are the public keys of the other devices in the group. Now, we can define the secure identity of the group (Igrp) as a hash of all the public keys of the devices in the group (Pdevi).

The installation personnel can scan the identity of the group from the box that the kit came in, and this identity can be stored in a server that is expected to receive information from the nodes. Later, when the individual devices contact this server, they will be able to show that they are part of the group, as they can reveal their own public key and the public keys of the other devices. Devices that do not belong to the kit cannot claim to be in the group, because the group identity would change if any new keys were added to Igrp.

6. Protocol Architecture

As noted above, the starting point of the architecture is that nodes self-generate secure identities which are then communicated out-of-band to the peers that need to know what devices to trust. To support this model in a protocol architecture, we also need to use these secure identities to implement secure messaging between the peers, explain how the system can respond to different types of attacks such as replay attempts, and decide what protocol layer and endpoints the architecture should use.

The deployment itself is suitable for a variety of design choices regarding layering and protocol mechanisms. [I-D.arkko-core-security-arch] was mostly focused on employing end-to-end data object security as opposed to hop-by-hop security. But other approaches are possible. For instance, HIP in its opportunistic mode could be used to implement largely the same functionality at the IP layer. However, it is our belief that the right layer for this solution is the application layer, more specifically the data formats transported in the payload part of CoAP. This approach provides the following benefits:

o  Ability for intermediaries to act as caches to support different sleep schedules, without the security model being impacted.

o  Ability for intermediaries to be built to perform aggregation, filtering, storage and other actions, again without impacting the security of the data being transmitted or stored.

o  Ability to operate in the presence of traditional middleboxes, such as protocol translators or even NATs (not that we recommend their use in these environments).

However, as we will see later, there are also some technical implications, namely that link, network, and transport layer solutions are more likely to be able to benefit from sessions where the cost of expensive operations can be amortized over multiple data transmissions. While this is not impossible in data object security solutions, it is not the typical arrangement there either.

7. Code Availability

For implementing public key cryptography in resource constrained environments, we chose the Arduino Uno board [arduino-uno] as the test platform. The Arduino Uno has an ATmega328 microcontroller, an 8-bit processor with a clock speed of 16 MHz, 2 kB of SRAM, and 32 kB of flash memory.

For selecting potential asymmetric cryptographic libraries, we did an extensive survey and came up with a set of possible code sources, and performed an initial analysis of how well they fit the Arduino environment. Note that the results are preliminary, and could easily be affected in any direction by implementation bugs, configuration errors, and other mistakes. Please verify the numbers before relying on them for building something. No significant effort was made to optimize ROM memory usage beyond what the libraries provided themselves, so those numbers should be taken as upper limits.

Here is the set of libraries we found:

o  AvrCryptolib [avr-cryptolib]: This library provides a variety of different symmetric key algorithms such as DES/Triple DES/AES etc. and RSA as an asymmetric key algorithm. We stripped down the library to use only the required RSA components and used a separate SHA-256 implementation from the original AvrCrypto-Lib library [avr-crypto-lib]. Parts of the SHA-256 and RSA algorithm implementations were written in AVR 8-bit assembly language to reduce the size and optimize the performance. The library also takes advantage of the fact that Arduino boards allow the programmer to directly address the flash memory to access constant data, which can reduce the amount of SRAM used during execution.

o  Relic-Toolkit [relic-toolkit]: This library is written entirely in C and provides a highly flexible and customizable implementation of a large variety of cryptographic algorithms. This not only includes RSA and ECC, but also pairing based asymmetric cryptography, Boneh-Lynn-Schacham, Boneh-Boyen short signatures and many more. The toolkit provides an option to build only the desired components for the required platform. While building the library, it is possible to select a variety of mathematical optimizations that can be combined to obtain the desired performance (as a general rule of thumb, faster implementations require more SRAM and flash). It includes a multi-precision integer math module which can be customized to use different bit-length words.

o  TinyECC [tinyecc]: TinyECC was designed for using Elliptic Curve based public key cryptography on sensor networks. It is written in the nesC programming language and as such is designed for specific use on TinyOS. However, the library can be ported to standard C99 either with hacked tool-chains or by manually rewriting parts of the code. This allows the library to be used on platforms that do not have TinyOS running on them. The library includes a wide variety of mathematical optimizations such as sliding window, Barrett reduction for verification, precomputation, etc. It also has one of the smallest memory footprints among the set of Elliptic Curve libraries surveyed so far. However, an advantage of Relic over TinyECC is that it can do curves over binary fields in addition to prime fields.

o  Wiselib [wiselib]: Wiselib is a generic library written for sensor networks containing a wide variety of algorithms. While the stable version contains algorithms for routing only, the test version includes many more algorithms, including algorithms for cryptography, localization, topology management and many more. The library was designed with the idea of making it easy to interface the library with operating systems like iSense and Contiki. However, since the library is written entirely in C++ with a template based model similar to Boost/CGAL, it can be used on any platform directly without using any of the operating system interfaces provided. This approach was taken by the authors to test the code on the Arduino Uno. The structure of the code is similar to TinyECC and, like TinyECC, it implements elliptic curves over prime fields only. In order to make the code platform independent, no assembly level optimizations were incorporated. Since efficiency was not an important goal for the authors of the library while designing it, many well known theoretical performance enhancement features were also not incorporated. Like the relic-toolkit, Wiselib is also Lesser GPL licensed.

o  MatrixSSL [matrix-ssl]: This library provides a low footprint implementation of several cryptographic algorithms including RSA and ECC (with a commercial license). However, the library in its original form takes about 50 kB of ROM, which is not suitable for our hardware requirements. Moreover, it is intended for 32-bit systems and the API includes functions for SSL communication rather than just signing data with private keys.

This is by no means an exhaustive list, and there exist other cryptographic libraries targeting resource-constrained devices.

8. Implementation Experiences

We have summarized the initial results of RSA private key performance using AvrCryptolib in Table 1. All results are from a single run, since repeating the test did not change (or had only minimal impact on) the results. The keys were generated separately and were hard coded into the program. All keys were generated with the value of the public exponent as 3. Signing with the private key was faster for smaller key lengths, as was expected. However, the increase in the execution time was considerable when the key size was 2048 bits. It is important to note that two different sets of experiments were performed for each key length. In the first case, the keys were loaded into the SRAM from the ROM (flash) before they were used by any of the functions. In the second case, the keys were addressed directly in the ROM. As was expected, the second case used less SRAM but led to longer execution time.

More importantly, any RSA key size less than 2,048 bits should be considered legacy and insecure. The performance measurements for these keys are provided here for reference only.
491 +-----------+-------------+-------------+-------------+-------------+ 492 | Key | Execution | Memory | Execution | Memory | 493 | length | time (ms); | footprint | time (ms); | footprint | 494 | (bits) | key in SRAM | (bytes); | key in ROM | (bytes); | 495 | | | key in SRAM | | key in ROM | 496 +-----------+-------------+-------------+-------------+-------------+ 497 | 64 | 64 | 40 | 69 | 32 | 498 | 128 | 434 | 80 | 460 | 64 | 499 | 512 | 25,076 | 320 | 27,348 | 256 | 500 | 1,024 | 199,688 | 640 | 218,367 | 512 | 501 | 2,048 | 1,587,567 | 1,280 | 1,740,258 | 1,024 | 502 +-----------+-------------+-------------+-------------+-------------+ 504 RSA private key operation performance 506 Table 1 508 The code size was less than 3.6 kB for all the test cases with scope 509 for further reduction. It is also worth noting that the 510 implementation performs basic exponentiation and multiplication 511 operations without using any mathematical optimizations such as 512 Montgomery multiplication, optimized squaring, etc. as described in 513 [rsa-high-speed]. With more SRAM, we believe that 1024/2048-bit 514 operations can be performed in much less time as has been shown in 515 [rsa-8bit]. 2048-bit RSA is nonetheless possible with about 1 kB of 516 SRAM as is seen in Table 1. 518 In Table 2 we present the results obtained by manually porting 519 TinyECC into C99 standard and running ECDSA signature algorithm on 520 the Arduino Uno board. TinyECC supports a variety of SEC 2 521 recommended Elliptic Curve domain parameters. The execution time and 522 memory footprint are shown next to each of the curve parameters. 523 SHA-1 hashing algorithm included in the library was used in each of 524 the cases. The measurements reflect the performance of elliptic 525 curve signing only and not the SHA-1 hashing algorithm. SHA-1 is now 526 known to be insecure and should not be used in real deployments. 
It 527 is clearly observable that for similar security levels, Elliptic 528 Curve public key cryptography outperforms RSA. These results were 529 obtained by turning on all the optimizations. These optimizations 530 include - Curve Specific Optimizations for modular reduction (NIST 531 and SEC 2 field primes were chosen as pseudo-Mersenne primes), 532 Sliding Window for faster scalar multiplication, Hybrid squaring 533 procedure written in assembly and Weighted projective Coordinate 534 system for efficient scalar point addition, doubling and 535 multiplication. We did not use optimizations like Shamir Trick and 536 Sliding Window as they are only useful for signature verification and 537 tend to slow down the signature generation by precomputing values (we 538 were only interested in fast signature generation). There is still 539 some scope for optimization as not all the assembly code provided 540 with the library could be ported to Arduino directly. Re-writing 541 these procedures in compatible assembly would further enhance the 542 performance. 544 +----------------+---------------+----------------+-----------------+ 545 | Curve | Execution | Memory | Comparable RSA | 546 | parameters | time (ms) | Footprint | key length | 547 | | | (bytes) | | 548 +----------------+---------------+----------------+-----------------+ 549 | 128r1 | 1,858 | 776 | 704 | 550 | 128r2 | 2,002 | 776 | 704 | 551 | 160k1 | 2,228 | 892 | 1,024 | 552 | 160r1 | 2,250 | 892 | 1,024 | 553 | 160r2 | 2,467 | 892 | 1,024 | 554 | 192k1 | 3,425 | 1008 | 1,536 | 555 | 192r1 | 3,578 | 1008 | 1,536 | 556 +----------------+---------------+----------------+-----------------+ 558 ECDSA signature performance with TinyECC 560 Table 2 562 We also performed experiments by removing the assembly code for 563 hybrid multiplication and squaring thus using a C only form of the 564 library. 
This gives us an idea of the performance that can be achieved with TinyECC on any platform, regardless of what kind of OS and assembly instruction set is available. The memory footprint remains the same with or without assembly code. The tables contain the maximum RAM that is used when all the possible optimizations are on. If, however, the amount of RAM available is smaller, some of the optimizations can be turned off to reduce the memory consumption accordingly.

+----------------+---------------+----------------+-----------------+
| Curve          | Execution     | Memory         | Comparable RSA  |
| parameters     | time (ms)     | Footprint      | key length      |
|                |               | (bytes)        |                 |
+----------------+---------------+----------------+-----------------+
| 128r1          | 2,741         | 776            | 704             |
| 128r2          | 3,086         | 776            | 704             |
| 160k1          | 3,795         | 892            | 1,024           |
| 160r1          | 3,841         | 892            | 1,024           |
| 160r2          | 4,118         | 892            | 1,024           |
| 192k1          | 6,091         | 1008           | 1,536           |
| 192r1          | 6,217         | 1008           | 1,536           |
+----------------+---------------+----------------+-----------------+

   ECDSA signature performance with TinyECC (no assembly optimizations)

                                Table 3

Table 4 documents the performance of Wiselib. Since there were no optimizations that could be turned on or off, we have only one set of results. By default Wiselib only supports some of the standard SEC 2 elliptic curves, but it is easy to change the domain parameters and obtain results for all the 128, 160 and 192-bit SEC 2 elliptic curves. The SHA-1 algorithm provided in the library was used. The measurements reflect the performance of elliptic curve signing only and not the SHA-1 hashing algorithm. SHA-1 is now known to be insecure and should not be used in real deployments. The ROM size for all the experiments was less than 16 kB.
+----------------+---------------+----------------+-----------------+
| Curve          | Execution     | Memory         | Comparable RSA  |
| parameters     | time (ms)     | Footprint      | key length      |
|                |               | (bytes)        |                 |
+----------------+---------------+----------------+-----------------+
| 128r1          | 5,615         | 732            | 704             |
| 128r2          | 5,615         | 732            | 704             |
| 160k1          | 10,957        | 842            | 1,024           |
| 160r1          | 10,972        | 842            | 1,024           |
| 160r2          | 10,971        | 842            | 1,024           |
| 192k1          | 18,814        | 952            | 1,536           |
| 192r1          | 18,825        | 952            | 1,536           |
+----------------+---------------+----------------+-----------------+

                ECDSA signature performance with Wiselib

                                Table 4

For testing the relic-toolkit we used a different board, because it required more RAM/ROM and we were unable to perform experiments with it on the Arduino Uno. We decided to use the Arduino Mega, which has the same 8-bit architecture as the Arduino Uno but much larger RAM/ROM, for testing relic-toolkit. Again, the SHA-1 hashing algorithm included in the library was used in each of the cases. The measurements reflect the performance of elliptic curve signing only and not the SHA-1 hashing algorithm. SHA-1 is now known to be insecure and should not be used in real deployments. The library does provide several alternatives, such as SHA-256.

The relic-toolkit supports Koblitz curves over prime as well as binary fields. We have experimented with Koblitz curves over binary fields only. We did not run our experiments with all the curves available in the library, since the aim of this work is not to prove which curves perform the fastest, but rather to show that asymmetric crypto is possible on resource-constrained devices.

The results from relic-toolkit are documented in two separate tables, shown in Table 5 and Table 6.
The first set of results was obtained with the library configured for high-speed performance, with no consideration given to the amount of memory used. For the second set, the library was configured for low memory usage irrespective of the execution time required by different curves. By turning on or off the optimizations included in the library, a trade-off between memory and execution time anywhere between these two configurations can be achieved.

+----------------+-----------------+---------------+----------------+
| Curve          | Execution time  | Memory        | Comparable RSA |
| parameters     | (ms)            | Footprint     | key length     |
|                |                 | (bytes)       |                |
+----------------+-----------------+---------------+----------------+
| NIST K163      | 261             | 2,804         | 1024           |
| (assembly      |                 |               |                |
| math)          |                 |               |                |
| NIST K163      | 932             | 2,750         | 1024           |
| NIST B163      | 2,243           | 2,444         | 1024           |
| NIST K233      | 1,736           | 3,675         | 2,048          |
| NIST B233      | 4,471           | 3,261         | 2,048          |
+----------------+-----------------+---------------+----------------+

           ECDSA signature performance with relic-toolkit (Fast)

                                Table 5

+----------------+-----------------+---------------+----------------+
| Curve          | Execution time  | Memory        | Comparable RSA |
| parameters     | (ms)            | Footprint     | key length     |
|                |                 | (bytes)       |                |
+----------------+-----------------+---------------+----------------+
| NIST K163      | 592             | 2,087         | 1024           |
| (assembly      |                 |               |                |
| math)          |                 |               |                |
| NIST K163      | 2,950           | 2,215         | 1024           |
| NIST B163      | 3,213           | 2,071         | 1024           |
| NIST K233      | 6,450           | 2,935         | 2,048          |
| NIST B233      | 6,100           | 2,737         | 2,048          |
+----------------+-----------------+---------------+----------------+

        ECDSA signature performance with relic-toolkit (Low Memory)

                                Table 6

It is important to note the following points about the elliptic curve measurements:

o  As with the RSA measurements, curves giving less than 112-bit security are insecure and considered legacy. The measurements are only provided for reference.

o  The Arduino board only provides pseudo-random numbers, via the random() function call. In order to create private keys with better quality random numbers, we can use a true random number generator like the one provided by the TrueRandom library [truerandom], or create the keys separately on a system with a true random number generator and then use them directly in the code.

o  For measuring the memory footprint of all the ECC libraries, we used the Avrora simulator [avrora]. Only stack memory was used, to easily track the RAM consumption.

At the time of performing these measurements and this study, it was unclear which exact elliptic curve(s) would be selected by the IETF community for use with resource-constrained devices. However, [RFC7748] now defines two elliptic curves over prime fields (Curve25519 and Curve448) that offer a high level of practical security for Diffie-Hellman key exchange. Correspondingly, there is ongoing work to specify elliptic curve signature schemes with the Edwards-curve Digital Signature Algorithm (EdDSA). [I-D.irtf-cfrg-eddsa] specifies the recommended parameters for the edwards25519 and edwards448 curves. From these, curve25519 (for elliptic curve Diffie-Hellman key exchange) and edwards25519 (for elliptic curve digital signatures) are especially suitable for resource-constrained devices.

We found that the NaCl [nacl] and MicroNaCl [micronacl] libraries provide highly efficient implementations of Diffie-Hellman key exchange with curve25519. The results have shown that these libraries with curve25519 outperform other elliptic curves that provide similar levels of security.
Hutter and Schwabe [naclavr] also show that signing data using the curve Ed25519 from the NaCl library needs only 23,216,241 cycles on the same microcontroller that we used for our evaluations (Arduino Mega ATmega2560). This corresponds to about 1,451 milliseconds of execution time. When compared to the results for other curves and libraries that offer a similar level of security (such as NIST B233 and NIST K233), this implementation far outperforms all others. As such, it is recommended that the IETF community use these curves for protocol specifications and implementations.

A summary of library ROM use is shown in Table 7.

+-------------------------+---------------------------+
| Library                 | ROM Footprint (Kilobytes) |
+-------------------------+---------------------------+
| AvrCryptolib            | 3.6                       |
| Wiselib                 | 16                        |
| TinyECC                 | 18                        |
| Relic-toolkit           | 29                        |
| NaCl Ed25519 [naclavr]  | 17-29                     |
+-------------------------+---------------------------+

                   Summary of library ROM needs

                             Table 7

All the measurements here are only provided as an example to show that asymmetric-key cryptography (particularly digital signatures) is possible on resource-constrained devices. These numbers are in no way the final source for measurements, and some curves presented here may not be acceptable for real in-the-wild deployments anymore. For example, Mosdorf et al. [mosdorf] and Liu et al. [tinyecc] also document the performance of ECDSA on similar resource-constrained devices.

9. Example Application

We developed an example application on the Arduino platform to use public key crypto mechanisms, data object security, and an easy provisioning model. Our application was originally developed to test different approaches to supporting communications to "always off" sensor nodes.
These battery-operated or energy-scavenging nodes do not have enough power to stay on at all times. They wake up periodically and transmit their readings.

Such sensor nodes can be supported in various ways. [I-D.arkko-core-sleepy-sensors] was an early multicast-based approach. In the current application we have switched to using resource directories [I-D.ietf-core-resource-directory] and mirror proxies [I-D.vial-core-mirror-proxy] instead. Architecturally, the idea is that sensors can delegate a part of their role to a node in the network. Such a network node could be either a local resource or something in the Internet. In the case of CoAP mirror proxies, the network node agrees to hold the web resources on behalf of the sensor while the sensor is asleep. The only role that the sensor has is to register itself at the mirror proxy and periodically update the readings. All queries from the rest of the world go to the mirror proxy.

We constructed a system with four entities:

Sensor

   This is an Arduino-based device that runs a CoAP mirror proxy client and Relic-toolkit. Relic takes 29 kilobytes of ROM, and the simple CoAP client roughly 3 kilobytes.

Mirror Proxy

   This is a mirror proxy that holds resources on the sensor's behalf. The sensor registers itself to this node.

Resource Directory

   While physically in the same node in our implementation, a resource directory is a logical function that allows sensors and mirror proxies to register resources in the directory. These resources can be queried by applications.

Application

   This is a simple application that runs on a general purpose computer and can retrieve both registrations from the resource directory and the most recent sensor readings from the mirror proxy.

The security of this system relies on an SSH-like approach.
In Step 1, upon first boot, sensors generate keys and register themselves in the mirror proxy. Their public key is submitted along with the registration as an attribute in the CoRE Link Format data [RFC6690].

In Step 2, when the sensor sends a sensor reading update to the mirror proxy, it signs the message contents with a JOSE signature on the JSON/SenML payload used [RFC7515] [I-D.jennings-core-senml].

In Step 3, any other device in the network -- including the mirror proxy, resource directory and the application -- can check that the public key from the registration corresponds to the private key used to make the signature in the data update.

Note that checks can be done at any time, and there is no need for the sensor and the checking node to be awake at the same time. In our implementation, the checking is done in the application node. This demonstrates how it is possible to implement end-to-end security even in the presence of assisting middleboxes.

To verify the feasibility of our architecture we developed a proof-of-concept prototype. In our prototype, the sensor was implemented using the Arduino Ethernet shield over an Arduino Mega board. Our implementation uses the standard C99 programming language on the Arduino Mega board. In this prototype, the Mirror Proxy (MP) and the Resource Directory (RD) reside on the same physical host. A 64-bit x86 Linux machine serves as the MP and the RD, while a similar but physically different 64-bit x86 Linux machine serves as the client that requests data from the sensor. We chose the Relic library version 0.3.1 for our sample prototype as it can be easily compiled for different bit-length processors. Therefore, we were able to use it on the 8-bit processor of the Arduino Mega as well as on the 64-bit processor of the x86 client.
We used ECDSA to sign and verify data updates with the standard NIST-K163 curve parameters (163-bit Koblitz curve over a binary field). While compiling Relic for our prototype, we used the fast configuration without any assembly optimizations.

The gateway implements the CoAP base specification in the Java programming language and extends it to add support for the Mirror Proxy and Resource Directory REST interfaces. We also developed a minimalistic CoAP C library for the Arduino sensor and for the client requesting data updates for a resource. The library has small SRAM requirements and uses stack-based allocation only. It is interoperable with the Java implementation of CoAP running on the gateway. The location of the mirror proxy was pre-configured into the smart object sensor by hardcoding the IP address. We used an IPv4 network with public IP addresses obtained from a DHCP server.

Some important statistics of this prototype are listed in Table 8. Our straw-man analysis of the performance of this prototype is preliminary. Our intention was to demonstrate the feasibility of the entire architecture with public-key cryptography on an 8-bit microcontroller. The stated values can be improved further by a considerable amount. For example, the flash memory and SRAM consumption is relatively high because some of the Arduino libraries were used out-of-the-box and there are several functions which can be removed. Similarly, we used the fast version of the Relic library in the prototype instead of the low memory version.
+--------------------------------------------------------+----------+
| Flash memory consumption (for the entire prototype     | 51 kB    |
| including Relic crypto + CoAP + Arduino UDP, Ethernet  |          |
| and DHCP Libraries)                                    |          |
|                                                        |          |
| SRAM consumption (for the entire prototype including   | 4678     |
| DHCP client + key generation + signing the hash of     | bytes    |
| message + COAP + UDP + Ethernet)                       |          |
|                                                        |          |
| Execution time for creating the key pair + sending     | 2030 ms  |
| registration message + time spent waiting for          |          |
| acknowledgement                                        |          |
|                                                        |          |
| Execution time for signing the hash of message +       | 987 ms   |
| sending update                                         |          |
|                                                        |          |
| Signature overhead                                     | 42 bytes |
+--------------------------------------------------------+----------+

                         Prototype Performance

                                Table 8

To demonstrate the efficacy of this communication model we compare it with a scenario where the smart objects do not transition into the energy saving sleep mode and directly serve temperature data to clients. As an example, we assume that in our architecture the smart objects wake up once every minute to report the signed temperature data to the caching MP. If we calculate the energy consumption using the formula W = U * I * t (where U is the operating voltage, I is the current drawn and t is the execution time), and use the voltage and current values from the datasheets of the ATmega2560 (20mA active mode and 5.4mA sleep mode) and W5100 (183mA) chips used in the architecture, then in a one minute period the Arduino board would consume 60.9 Joules of energy if it directly serves data and does not sleep. On the other hand, in our architecture it would only consume 2.6 Joules if it wakes up once a minute to update the MP with signed data.
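The two energy figures and the battery lifetimes that follow, worked through as an added derivation (not part of the original memo). Since the memo does not spell out the per-minute breakdown, it is assumed here that the active period equals the 987 ms "sign + send update" time from Table 8 and that only the ATmega2560 (5.4 mA) draws current while the board sleeps, with the W5100 powered down:

   W(always-on) = U * I * t
                = 5 V * (20 mA + 183 mA) * 60 s
                = 5 * 0.203 * 60                   = 60.9 J per minute

   W(sleepy)    = 5 V * 0.203 A  * 0.987 s          (ATmega2560 + W5100 active)
                + 5 V * 0.0054 A * 59.013 s         (ATmega2560 asleep, W5100 off)
                = 1.00 J + 1.59 J                   ~  2.6 J per minute

   E(battery)   = 1800 mAh * 5 V = 9 Wh             = 32,400 J

   Lifetime, always-on: 32,400 J / 60.9 J per minute =    532 min ~   9 hours
   Lifetime, sleepy:    32,400 J /  2.6 J per minute = 12,460 min ~ 208 hours ~ 8.7 days

Under these assumptions the active period costs almost as much as a full minute of sleep, so the transmitter's duty cycle, not the signing time, dominates the budget.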
Therefore, a typical Li-ion battery that provides about 1800 milliamp-hours (mAh) at 5V would have a lifetime of 9 hours in the unsecured always-on scenario, whereas it would have a lifetime of about 8.5 days in the secured sleepy architecture presented. These lifetimes appear low because the Arduino board in the prototype uses Ethernet, which is not energy efficient. The values presented only provide an estimate (ignoring the energy required to transition in and out of the sleep mode) and would vary depending on the hardware and MAC protocol used. Nonetheless, it is evident that our architecture can increase the life of smart objects by allowing them to sleep, and can ensure security at the same time.

10. Design Trade-Offs

This section attempts to draw some early conclusions regarding trade-offs in the design space, based on deployment considerations for various mechanisms and the relative ease or difficulty of implementing them. This analysis looks at layering and the choice of symmetric vs. asymmetric cryptography.

11. Feasibility

The first question is whether using cryptographic security, and asymmetric cryptography in particular, is feasible at all on small devices. The numbers above give a mixed message. Clearly, an implementation of a significant cryptographic operation such as public key signing can be done in a surprisingly small amount of code space. It could even be argued that our chosen prototype platform was unnecessarily restrictive in the amount of code space it allows: we chose this platform on purpose to demonstrate something that is as small and difficult as possible.

In reality, ROM memory size is probably easier to grow than other parameters in microcontrollers.
A recent trend in microcontrollers is the introduction of 32-bit CPUs that are becoming cheaper and more easily available than 8-bit CPUs, in addition to being more easily programmable. In short, the authors do not expect the code size to be a significant limiting factor, both because of the small amount of code that is needed and because available memory space is growing rapidly.

The situation is less clear with regard to the amount of CPU power needed to run the algorithms. The demonstrated speeds are sufficient for many applications. For instance, a sensor that wakes up every now and then can likely spend a fraction of a second, or even multiple seconds in some cases, computing a signature for the message that it is about to send. Most applications that use protocols such as DTLS, which use public key cryptography only at the beginning of the session, would also be fine with any of these execution times.

Yet, with reasonably long key sizes the execution times are in the seconds, dozens of seconds, or even longer. For some applications this is too long. Nevertheless, the authors believe that these algorithms can successfully be employed in small devices for the following reasons:

o  With the right selection of algorithms and libraries, the execution times can actually be smaller. Using the Relic-toolkit with the NIST K163 curve (roughly equivalent to RSA at 1024 bits) at 0.3 seconds is a good example of this.

o  As discussed in [wiman], in general the power requirements necessary to send or receive messages are far bigger than those needed to execute cryptographic operations. There is no good reason to choose platforms that do not provide sufficient computing power to run the necessary operations.
o  Commercial libraries and full use of the available optimizations will provide a better result than what we arrived at in this paper.

o  Using public key cryptography only at the beginning of a session will reduce the per-packet processing times significantly.

12. Freshness

In our architecture, if implemented as described thus far, messages along with their signatures sent from the sensors to the mirror proxy can be recorded and replayed by an eavesdropper. The mirror proxy has no mechanism to distinguish previously received packets from those that are retransmitted by the sender or replayed by an eavesdropper. Therefore, it is essential for the smart objects to ensure that data updates include a freshness indicator. However, ensuring freshness on constrained devices can be non-trivial for several reasons, which include:

o  Communication is mostly unidirectional to save energy.

o  Internal clocks might not be accurate and may be reset several times during the operational phase of the smart object.

o  Network time synchronization protocols such as the Network Time Protocol (NTP) [RFC5905] are resource intensive and therefore may be undesirable in many smart object networks.

There are several different methods that can be used in our architecture for replay protection. The selection of the appropriate choice depends on the actual deployment scenario.

Including sequence numbers in signed messages can provide an effective method of replay protection. The mirror proxy should verify the sequence number of each incoming message and accept it only if it is greater than the highest previously seen sequence number.
The mirror proxy drops any packet with a sequence number that has already been received, or whose sequence number exceeds the highest previously seen sequence number by an amount larger than a preset threshold.

Sequence numbers can wrap around at their maximum value and, therefore, it is essential to ensure that sequence numbers are sufficiently long. However, including long sequence numbers in packets can increase the network traffic originating from the sensor and can thus decrease its energy efficiency. To overcome the problem of long sequence numbers, we can use a scheme similar to that of Huang [huang], where the sender and receiver maintain and sign long sequence numbers of equal bit-lengths but transmit only the least significant bits.

It is important for the smart object to write the sequence number into the permanent flash memory after each increment and before it is included in the message to be transmitted. This ensures that the sensor can obtain the last sequence number it had intended to send in case of a reset or a power failure. However, the sensor and the mirror proxy can still end up in a discordant state where the sequence number received by the mirror proxy exceeds the expected sequence number by an amount greater than the preset threshold. This may happen because of a prolonged network outage or if the mirror proxy experiences a power failure for some reason. Therefore, it is essential for sensors that normally send Non-Confirmable data updates to send some Confirmable updates and re-synchronize with the mirror proxy if a reset message is received. The sensors re-synchronize by sending a new registration message with the current sequence number.
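The sequence number handling described above (threshold window, persist-before-send, truncated transmission in the style of Huang, and re-synchronization after a reset) as an added example; this is not code from the memo's prototype. It assumes a 64-bit counter on both sides of which only the low 16 bits are transmitted, and a configurable acceptance threshold at the proxy.

```c
/*
 * Replay protection with truncated sequence numbers. Added example for
 * this memo, not code from the prototype. Assumed parameters: both sides
 * keep a 64-bit counter, the sensor sends only its low 16 bits, and the
 * proxy's forward-jump threshold is configurable.
 */
#include <stdint.h>
#include <stdio.h>

#define SEQ_LSB_BITS 16u
#define SEQ_SPAN     (1ULL << SEQ_LSB_BITS)   /* counter values per LSB window */
#define SEQ_LSB_MASK (SEQ_SPAN - 1)

/* ---- Sensor side ------------------------------------------------------ */

typedef struct {
    uint64_t seq_signed;   /* full counter: included in the signed payload */
    uint16_t seq_on_wire;  /* truncated counter: all that is transmitted   */
} sensor_update_t;

/* Advance the counter and prepare the next update. *flash_seq stands in for
 * the copy kept in permanent flash: it is written before the value is used,
 * so a reset or power failure cannot make the sensor reuse a number. */
sensor_update_t sensor_next_update(uint64_t *flash_seq)
{
    sensor_update_t u;
    *flash_seq += 1;                                      /* persist first */
    u.seq_signed  = *flash_seq;                           /* sign the full value */
    u.seq_on_wire = (uint16_t)(*flash_seq & SEQ_LSB_MASK); /* transmit LSBs only */
    return u;
}

/* ---- Mirror proxy side ------------------------------------------------ */

typedef enum { SEQ_ACCEPT, SEQ_REPLAY, SEQ_TOO_FAR } seq_verdict_t;

typedef struct {
    uint64_t highest;    /* highest counter value accepted so far           */
    uint64_t threshold;  /* largest forward jump accepted without a re-sync */
} proxy_state_t;

static uint64_t absdiff(uint64_t a, uint64_t b) { return a > b ? a - b : b - a; }

/* Expand the received LSBs to the full counter value closest to the one the
 * proxy expects next (highest + 1). The window containing `highest` and its
 * two neighbours are tried, so wrap-around of the 16 transmitted bits is
 * handled as long as the threshold is well below SEQ_SPAN. */
uint64_t proxy_reconstruct(uint64_t highest, uint16_t lsb)
{
    uint64_t expected = highest + 1;
    uint64_t cand = (highest & ~SEQ_LSB_MASK) | lsb;
    uint64_t best = cand;
    if (absdiff(cand + SEQ_SPAN, expected) < absdiff(best, expected))
        best = cand + SEQ_SPAN;
    if (cand >= SEQ_SPAN && absdiff(cand - SEQ_SPAN, expected) < absdiff(best, expected))
        best = cand - SEQ_SPAN;
    return best;
}

/* Acceptance rule from the memo: drop anything already seen and anything
 * further ahead than the threshold. *full receives the reconstructed
 * counter; the proxy must verify the signature over that full value (not
 * over the 16 transmitted bits) before committing it with proxy_commit(). */
seq_verdict_t proxy_check(const proxy_state_t *st, uint16_t lsb, uint64_t *full)
{
    *full = proxy_reconstruct(st->highest, lsb);
    if (*full <= st->highest)                return SEQ_REPLAY;
    if (*full - st->highest > st->threshold) return SEQ_TOO_FAR;
    return SEQ_ACCEPT;
}

void proxy_commit(proxy_state_t *st, uint64_t full) { st->highest = full; }

/* Re-synchronization after SEQ_TOO_FAR: the sensor answers the proxy's reset
 * with a registration carrying its full counter, which becomes the baseline. */
void proxy_resync(proxy_state_t *st, uint64_t full_from_registration)
{
    st->highest = full_from_registration;
}

int main(void)
{
    uint64_t flash = 65535;                 /* constructed: counter at 2^16 - 1 */
    proxy_state_t proxy = { 65535, 100 };   /* in sync, threshold 100           */
    uint64_t full;

    sensor_update_t u = sensor_next_update(&flash);      /* full 65536, wire 0 */
    seq_verdict_t v = proxy_check(&proxy, u.seq_on_wire, &full);
    if (v == SEQ_ACCEPT) proxy_commit(&proxy, full);     /* after sig. check  */
    printf("wire=%u -> full=%llu verdict=%d (0 = accept)\n",
           (unsigned)u.seq_on_wire, (unsigned long long)full, (int)v);

    v = proxy_check(&proxy, u.seq_on_wire, &full);       /* replayed packet   */
    printf("replayed wire=%u -> verdict=%d (1 = replay)\n",
           (unsigned)u.seq_on_wire, (int)v);
    return 0;
}
```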
Although sequence numbers protect the system from replay attacks, a mirror proxy has no mechanism to determine the time at which updates were created by the sensor. Moreover, if sequence numbers are the only freshness indicator used, a malicious eavesdropper can induce inordinate delays in the communication of signed updates by buffering messages. It may be important in certain smart object networks for sensors to send data updates which include timestamps, to allow the mirror proxy to determine the time when the update was created. For example, when the mirror proxy is collecting temperature data, it may be necessary to know exactly when the temperature measurement was made by the sensor. A simple solution to this problem is for the mirror proxy to assume that the data object was created when it receives the update. In a relatively reliable network with low RTT, it can be acceptable to make such an assumption. However, most networks are susceptible to packet loss and hostile attacks, making this assumption unsustainable.

Depending on the hardware used by the smart objects, they may have access to accurate hardware clocks which can be used to include timestamps in the signed updates. These timestamps are included in addition to sequence numbers. The clock time in the smart objects can be set by the manufacturer, or the current time can be communicated by the mirror proxy during the registration phase. However, these approaches require the smart objects to either rely on the long-term accuracy of the clock set by the manufacturer or to trust the mirror proxy, thereby increasing the potential vulnerability of the system. The smart objects could also obtain the current time from NTP, but this may consume additional energy and give rise to the security issues discussed in [RFC5905].
The smart objects could also have access to a GSM network or the Global Positioning System (GPS), and these can be used to obtain the current time. Finally, if the sensors need to co-ordinate their sleep cycles, or if the mirror proxy computes an average or mean of updates collected from multiple smart objects, it is important for the network nodes to synchronize the time among them. This can be done by using existing synchronization schemes.

13. Layering

It would be useful to select just one layer at which security is provided. Otherwise a simple device needs to implement multiple security mechanisms. While some code can probably be shared across such implementations (like algorithms), it is likely that most of the code involving the actual protocol machinery cannot. Looking at the different layers, here are the choices and their implications:

link layer

   This is probably the most common solution today. The biggest benefits of this choice of layer are that security services are commonly available (WLAN secrets, cellular SIM cards, etc.) and that their application protects the entire communications.

   The main drawback is that there is no security beyond the first hop. This can be problematic, e.g., in many devices that communicate to a server in the Internet. A Withings scale [Withings], for instance, can support WLAN security, but without some level of end-to-end security it would be difficult to prevent fraudulent data submissions to the servers.

   Another drawback is that some commonly implemented link layer security designs use group secrets. This allows any device within the local network (e.g., an infected laptop) to attack the communications.

network layer

   There are a number of solutions in this space, and many new ones and variations thereof being proposed: IPsec, PANA, and so on.
   In general, these solutions have similar characteristics to those in the transport layer: they work across forwarding hops but only as far as the next middlebox or application entity. There are plenty of existing solutions and designs.

   Experience has shown that it is difficult to control IP layer entities from an application process. While this is theoretically easy, in practice the necessary APIs do not exist. For instance, most IPsec software has been built for the VPN use case, and is difficult or impossible to tweak to be used on a per-application basis. As a result, the authors are not particularly enthusiastic about recommending these solutions.

transport and application layer

   This is another popular solution, along with link layer designs. TLS with HTTP (HTTPS) and DTLS with CoAP are examples of solutions in this space, and have been proven to work well. These solutions are typically easy to take into use in an application, without assuming anything from the underlying OS, and they are easy to control as needed by the applications. The main drawback is that, generally speaking, these solutions only run as far as the next application level entity. Even for this case, HTTPS can be made to work through proxies, so this limit is not unsolvable. Another drawback is that attacks on the link layer, network layer and, in some cases, transport layer cannot be protected against. However, if the upper layers have been protected, such attacks can at most result in a denial-of-service. Since denial-of-service can often be caused anyway, it is not clear if this is a real drawback.

data object layer

   This solution does not protect any of the protocol layers, but protects individual data elements being sent. It works particularly well when there are multiple application layer entities on the path of the data.
   The authors believe smart object networks are likely to employ such entities for storage, filtering, aggregation and other reasons, and as such, an end-to-end solution is the only one that can protect the actual data.

   The downside is that the lower layers are not protected. But again, as long as the data is protected and checked every time it passes through an application level entity, it is not clear that there are attacks beyond denial-of-service.

   The main question mark is whether this type of solution provides sufficient advantages over the more commonly implemented transport and application layer solutions.

14. Symmetric vs. Asymmetric Crypto

The second trade-off that is worth discussing is the use of plain asymmetric cryptographic mechanisms, plain symmetric cryptographic mechanisms, or some mixture thereof.

Contrary to popular cryptographic community beliefs, a symmetric crypto solution can be deployed at large scale. In fact, one of the largest deployments of cryptographic security, the cellular network authentication system, uses SIM cards that are based on symmetric secrets. In contrast, public key systems have yet to show the ability to scale to hundreds of millions of devices, let alone billions. But the authors do not believe scaling is an important differentiator when comparing the solutions.

As can be seen from Section 8, the time needed to calculate some of the asymmetric crypto operations with reasonable key lengths can be significant. There are two contrary observations that can be made from this. First, recent wisdom indicates that computing power on small devices is far cheaper than transmission power [wiman], and keeps on becoming more efficient very quickly. From this we can conclude that sufficient CPU is, or at least will be, easily available.
   The other observation is that when asymmetric operations are very
   costly, performing a key exchange once and then using the resulting
   symmetric keys makes sense. This model works very well for DTLS and
   other transport layer solutions, but less well for data object
   security, particularly when the number of communicating entities is
   not exactly two: a symmetric key agreed between two parties does not
   extend naturally to a third, and a key shared among several parties
   lets any one of them produce objects that the others will accept as
   genuine.

15. Security Considerations

   This entire memo deals with security issues.

16. IANA Considerations

   This memo has no IANA actions.

17. Informative References

   [I-D.arkko-core-security-arch] Arkko, J. and A. Keranen, "CoAP Security Architecture", draft-arkko-core-security-arch-00 (work in progress), July 2011.

   [I-D.arkko-core-sleepy-sensors] Arkko, J., Rissanen, H., Loreto, S., Turanyi, Z., and O. Novo, "Implementing Tiny COAP Sensors", draft-arkko-core-sleepy-sensors-01 (work in progress), July 2011.

   [I-D.daniel-6lowpan-security-analysis] Park, S., Kim, K., Haddad, W., Chakrabarti, S., and J. Laganier, "IPv6 over Low Power WPAN Security Analysis", draft-daniel-6lowpan-security-analysis-05 (work in progress), March 2011.

   [I-D.garcia-core-security] Garcia-Morchon, O., Kumar, S., Keoh, S., Hummen, R., and R. Struik, "Security Considerations in the IP-based Internet of Things", draft-garcia-core-security-06 (work in progress), September 2013.

   [I-D.ietf-core-resource-directory] Shelby, Z., Koster, M., Bormann, C., and P. van der Stok, "CoRE Resource Directory", draft-ietf-core-resource-directory-07 (work in progress), March 2016.

   [I-D.irtf-cfrg-eddsa] Josefsson, S. and I. Liusvaara, "Edwards-curve Digital Signature Algorithm (EdDSA)", draft-irtf-cfrg-eddsa-05 (work in progress), March 2016.

   [I-D.jennings-core-senml] Jennings, C., Shelby, Z., Arkko, J., and A. Keranen, "Media Types for Sensor Markup Language (SenML)", draft-jennings-core-senml-06 (work in progress), April 2016.

   [I-D.moskowitz-hip-dex] Moskowitz, R. and R. Hummen, "HIP Diet EXchange (DEX)", draft-moskowitz-hip-dex-05 (work in progress), January 2016.

   [I-D.vial-core-mirror-proxy] Vial, M., "CoRE Mirror Server", draft-vial-core-mirror-proxy-01 (work in progress), July 2012.

   [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, Ed., "Extensible Authentication Protocol (EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004.

   [RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", RFC 3972, DOI 10.17487/RFC3972, March 2005.

   [RFC5191] Forsberg, D., Ohba, Y., Ed., Patil, B., Tschofenig, H., and A. Yegin, "Protocol for Carrying Authentication for Network Access (PANA)", RFC 5191, DOI 10.17487/RFC5191, May 2008.

   [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008.

   [RFC5406] Bellovin, S., "Guidelines for Specifying the Use of IPsec Version 2", BCP 146, RFC 5406, DOI 10.17487/RFC5406, February 2009.

   [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, "Network Time Protocol Version 4: Protocol and Algorithms Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010.

   [RFC6078] Camarillo, G. and J. Melen, "Host Identity Protocol (HIP) Immediate Carriage and Conveyance of Upper-Layer Protocol Signaling (HICCUPS)", RFC 6078, DOI 10.17487/RFC6078, January 2011.

   [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012.

   [RFC6574] Tschofenig, H. and J. Arkko, "Report from the Smart Object Workshop", RFC 6574, DOI 10.17487/RFC6574, April 2012.
   [RFC6690] Shelby, Z., "Constrained RESTful Environments (CoRE) Link Format", RFC 6690, DOI 10.17487/RFC6690, August 2012.

   [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, DOI 10.17487/RFC7252, June 2014.

   [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014.

   [RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T. Henderson, "Host Identity Protocol Version 2 (HIPv2)", RFC 7401, DOI 10.17487/RFC7401, April 2015.

   [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015.

   [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016.

   [RFC7815] Kivinen, T., "Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation", RFC 7815, DOI 10.17487/RFC7815, March 2016.

   [Withings] Withings, "The Withings scale", February 2012.

   [arduino-uno] Arduino, "Arduino Uno", September 2015.

   [avr-crypto-lib] AVR-CRYPTO-LIB, "AVR-CRYPTO-LIB", September 2015.

   [avr-cryptolib] Van der Laan, E., "AVR CRYPTOLIB", September 2015.

   [avrora] Titzer, B., "Avrora", September 2015.

   [huang] Huang, C., "Low-overhead freshness transmission in sensor networks", 2008.

   [matrix-ssl] PeerSec Networks, "Matrix SSL", September 2015.

   [micronacl] MicroNaCl, "The Networking and Cryptography library for microcontrollers".

   [mosdorf] Mosdorf, M. and W. Zabolotny, "Implementation of elliptic curve cryptography for 8 bit and 32 bit embedded systems: time efficiency and power consumption analysis", 2010.
   [nacl] NaCl, "Networking and Cryptography library".

   [naclavr] Hutter, M. and P. Schwabe, "NaCl on 8-Bit AVR Microcontrollers", International Conference on Cryptology in Africa (AFRICACRYPT 2013), Springer Berlin Heidelberg, 2013.

   [relic-toolkit] Aranha, D. and C. Gouvêa, "RELIC Toolkit", September 2015.

   [rsa-8bit] Gura, N., Patel, A., Wander, A., Eberle, H., and S. Shantz, "Comparing Elliptic Curve Cryptography and RSA on 8-bit CPUs", Cryptographic Hardware and Embedded Systems (CHES 2004), 2004.

   [rsa-high-speed] Koc, C., "High-Speed RSA Implementation", November 1994.

   [tinyecc] North Carolina State University, "TinyECC", 2008.

   [truerandom] Drow, C., "Truerandom", September 2015.

   [wiman] Margi, C., Oliveira, B., Sousa, G., Simplicio, M., Paulo, S., Carvalho, T., Naslund, M., and R. Gold, "Impact of Operating Systems on Wireless Sensor Networks (Security) Applications and Testbeds", Proceedings of the International Conference on Computer Communication Networks (ICCCN 2010) / IEEE International Workshop on Wireless Mesh and Ad Hoc Networks (WiMAN 2010), Zurich, 2010.

   [wiselib] Baumgartner, T., Chatzigiannakis, I., Fekete, S., Koninis, C., Kroller, A., and A. Pyrgelis, "Wiselib", 2010.

Appendix A. Acknowledgments

   The authors would like to thank Mats Naslund, Salvatore Loreto, Bob
   Moskowitz, Oscar Novo, Vlasios Tsiatsis, Daoyuan Li, Muhammad Waqas,
   Eric Rescorla and Tero Kivinen for interesting discussions in this
   problem space. The authors would also like to thank Diego Aranha for
   helping with the relic-toolkit configurations and Tobias Baumgartner
   for helping with questions regarding wiselib.
Authors' Addresses

   Mohit Sethi
   Ericsson
   Jorvas 02420
   Finland

   EMail: mohit@piuha.net

   Jari Arkko
   Ericsson
   Jorvas 02420
   Finland

   EMail: jari.arkko@piuha.net

   Ari Keranen
   Ericsson
   Jorvas 02420
   Finland

   EMail: ari.keranen@ericsson.com

   Heidi-Maria Back
   Ericsson
   Jorvas 02420
   Finland

   EMail: heidi-maria.back@ericsson.com