Haystack + DASH7 Security: Comparing Wireless Standards
•
1 like•7,172 views
An overview of Haystack's security features for low power IoT networks. Unlike most IoT stacks, when Haystack invented DASH7, security was an a priori principle and led to the most secure networking stack available in the low power, wide area networking (LPWAN) space today.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Haystack + DASH7 Security: Comparing Wireless Standards
Similar to Haystack + DASH7 Security: Comparing Wireless Standards (20)
Recently uploaded
Recently uploaded (20)
Haystack + DASH7 Security: Comparing Wireless Standards
- 1. Haystack + DASH7 Security 1
- 2. Similarities & Differences of PHY/MAC DASH7 DASH7/LoRa 6LoWPAN Primary Spectrum 433 MHz 433/915 MHz 2450 MHz Supported Bitrates 26.5, 53, 106 kbps 1 - 26.5 kbps 250 kbps Modulation/Encoding MSK / FEC+RS CSS / FEC MSK / DSSS Network Model Host – Host Host – Host Multiaccess Models CSMA-CA Time slotting Query Arbitration CSMA-CA Time slotting MAC Data Integrity High Low MAC Cryptography AES128 EAX AES128 CCM Frame MTU 256 bytes 127 bytes 2
- 3. Similarities & Differences of PHY/MAC DASH7 DASH7/LoRa 6LoWPAN Primary Spectrum 433 MHz 433/915 MHz 2450 MHz Supported Bitrates 26.5, 53, 106 kbps 1 - 26.5 kbps 250 kbps Modulation/Encoding MSK / FEC+RS CSS / FEC MSK / DSSS Network Model Host – Host Host – Host Multiaccess Models CSMA-CA Time slotting Query Arbitration CSMA-CA Time slotting MAC Data Integrity High Low MAC Cryptography AES128 EAX AES128 CCM Frame MTU 256 bytes 127 bytes CRC validation of the frame is vulnerable to incorrect length byte in header. Koopman & Chakravarty, CRC Polynomial Selection For Embedded Networks EAX is a newer (2004) cipher for AES. ‣ Standard AES keys & distribution! ‣ Runs twice as fast as CCM! ‣ Can encrypt MAC addresses (CCM can’t)! ‣ Packets don’t need to be 16byte aligned! 2
- 4. Networking Strengths Weaknesses • Fast, low-power network sync • Fast round-trip for request/response • Universal MAC precludes App Profiles • Supports core IPv6 features & UDP • New, so few implementations available • Formal support for only 2 hops • No TCP support at present • Possible to do almost all IPv6 features • Mature implementations available • Lots of PHY/MAC options • App data really should use internal CRC! • No standard way for low-power network sync • Needs a lot of extra work up the stack and in definition of application profiles Greatest Differentiation is in Networking DASH7 6LoWPAN 3
- 5. Networking Strengths Weaknesses • Fast, low-power network sync • Fast round-trip for request/response • Universal MAC precludes App Profiles • Supports core IPv6 features & UDP • New, so few implementations available • Formal support for only 2 hops • No TCP support at present • Possible to do almost all IPv6 features • Mature implementations available • Lots of PHY/MAC options • App data really should use internal CRC! • No standard way for low-power network sync • Needs a lot of extra work up the stack and in definition of application profiles Let’s Investigate a Few Areas 4 DASH7 6LoWPAN
- 6. 802.15.4 CRC is Vulnerable • On vulnerable MAC’s, payloads should have their own integrity check. • Seminal research on the topic published only in 2012. Koopman & Chakravarty, CRC Polynomial Selection for Embedded Networks. 2012. Mirror: http://www.indigresso.com/wiki/doku.php?id=dash7_mode_2:crc_research • Some polynomials we thought were good, are not. • Length byte (header) must be protected independently. If frame length is wrong, the frame-CRC gets marginalized no matter how strong it is. DASH7 LoRa HW Support 6LP CRC Poly CRC16-IBM CRC16-IBM CRC16-CCITT Koopman’s Rating Strong Strong Weak Header CRC Yes Yes No 5
- 7. Contrasting Methods of Network Sync To do it in a low-power way, network asymmetries must be exploited DASH7 6LoWPAN Idle Mode BackgroundDetect Duty-cycledRX Asymmetry Exploited Plug-in nodes can transmit streams Plug-in nodes can transmit streams Low-Power Listening Yes Yes Provides Group Sync Yes No Endpoints Stay Quiet Yes Yes Sync Latency (typ) 1 - 2 sec 1 - 2 sec On-time / Period (typ) 1.3 ms / 500 ms 8 ms / 1s 6
- 8. Contrasting Methods of Network Sync To do it in a low-power way, network asymmetries must be exploited DASH7 6LoWPAN Idle Mode BackgroundDetect Duty-cycledRX Asymmetry Exploited Plug-in nodes can transmit streams Plug-in nodes can transmit streams Low-Power Listening Yes Yes Provides Group Sync Yes No Endpoints Stay Quiet Yes Yes Sync Latency (typ) 1 - 2 sec 1 - 2 sec On-time / Period (typ) 1.3 ms / 500 ms 8 ms / 1s Typical figures: all standards can be configured to optimize latency vs. low power. 6
- 9. 6LoWPAN:RepeatthePacket • Idea is to send the request packet many times, so the receiver can “strobe” its listening cycle and still get the data. • Many different — but similar — variants of above: BMAC, XMAC, BoXMAC, WiseMAC, ContikiMAC, … others • Downside: synchronizes one endpoint at a time, not a group all at once. • Downside: if data rate is low, packets are long & receiver listens a lot. DD D A AD D A Acknowledgement packet Data packet Reception window Send data packets until ack received Sender Receiver Transmission detected D Figure 1: ContikiMAC: nodes sleep most of the time and periodically wake up to check for radio activity. If a packet transmission is detected, the receiver stays awake to receive the next packet and sends a link layer acknowl- edgment. To send a packet, the sender repeatedly sends the same packet until a link layer acknowledgment is re- ceived. Data packet t i t c t r Sender Receiver CCA Figure 3: The ContikiMAC tr ing. 2.1 ContikiMAC Timi ContikiMAC has a power-effi that relies on precise timing be Example is of “ContikiMAC” http://www.dunkels.com/adam/ dunkels11contikimac.pdf 7
- 10. DASH7:Advertise&GroupSync ETA 500 Info 0 ETA 1 Info 0 ETA 0 Info 0 Foreground RequestBackground AdvertisingBackground AdvertisingBackground Advertising Host A sends a stream of special “background frames” containing Advertising Protocol Data. The data includes the time when the next request will occur (e.g. 500 ms). Host A sends synchronized request at planned time Any number of other Hosts can listen for advertising. 1. Briefly sample the channel for any activity. 2. Check for signs that it’s a background frame (part of design). 3. Receive the background frame. 1 2 3 All listeners can receive request, all can send responses, all are now synced to each other. DASH7’s advertising & synchronization model follows from the previous concepts. It provides group synchronization, allows for wide tolerances in device specs, and also scales to low data rates. 8
- 11. Low-Pwr Advertising & Group Sync Timeline Engineers have pursued low-power advertising for years. The goals have been mostly consistent: ‣ Minimize RX on-time ‣ Minimize False-positives ‣ Maximize True-positives DASH7’s method is the first to use a bifurcated frame specification and real-time synchronization units (ms). 20 years of collective R&D, but the concept finally works and scales. 1990’s2000-20102010— Transmission of long preamble ahead of request packet. BMAC proposed (early 2000’s): A protocol using countdown packets. ISO 18000-7.1 (early 2000’s) structured long preamble TinyOS group implements BMAC+: struggles, finds impractical (late 2000’s) Final spec of DASH7 MAC and Advertising Protocol (2012) 9
- 12. Fast Group Sync Enables Fast Round-Trip Synchronize devices, send request, and get responses before endpoints are GONE “Chaotic” Conditions assume: ‣ Endpoints as well as internet gateways (i.e. edge routers) may be mobile. ‣ “Potpourri of ownership” of the endpoints & gateways. Some examples of chaotic networks: ‣ Getting sensor data off-of tags in a moving vehicle (see diagram). ‣ Smartphones querying smart objects and each other. 30m/s Advertising (1s) Request (<50ms) Responses (1s) Discovering and getting data from low-power devices inside a vehicle going highway speed is a hard problem, but it is one for which DASH7 is well-suited. Any IP address WAN/4G DASH7 Gateway 10
- 13. Networking Strengths Weaknesses • Fast, low-power network sync • Fast round-trip for request/response • Universal MAC precludes App Profiles • Supports core IPv6 features & UDP • New, so few implementations available • Formal support for only 2 hops • No TCP support at present • Possible to do almost all IPv6 features • Mature implementations available • Lots of PHY/MAC options • App data really should use internal CRC! • No standard way for low-power network sync • Needs a lot of extra work up the stack and in definition of application profiles Let’s Investigate a Few Areas (Update) DASH7 6LoWPAN 11
- 14. Implementing Trivial Apps DASH7 stacks have built-in application functionality DASH7 PHY/MAC/NET Sessioning Transport Layer Applications Filesystem Transport Layer Apps (TLA’s) include: ‣ Beaconing Series (a.k.a. “Announcement”) ‣ Inventory & Collection Queries User configures TLA’s and provides them with data via Filesystem API. 12
- 15. What Exactly is the DASH7 Filesystem? A consistent data model & API to promote multi-app, multi-vendor interoperability DASH7 PHY/MAC/NET Sessioning Transport Layer Applications Filesystem • L6, queryable, database-ish API • root/admin/guest XRW privileges • Up to 256 “BLOB” files (Generic Files) • Up to 1024 indexed short files (ISF’s) ‣ Low-level (L4) queries happen here ‣ Batch or single-file access ‣ 0-15 used as configuration registry ‣ Rest available to user for arbitrary data storage, application ports, etc. 13
- 16. What Exactly is the DASH7 Filesystem? A consistent data model & API to promote multi-app, multi-vendor interoperability DASH7 PHY/MAC/NET Sessioning Transport Layer Applications Filesystem • L6, queryable, database-ish API • root/admin/guest XRW privileges • Up to 256 “BLOB” files (Generic Files) • Up to 1024 indexed short files (ISF’s) ‣ Low-level (L4) queries happen here ‣ Batch or single-file access ‣ 0-15 used as configuration registry ‣ Rest available to user for arbitrary data storage, application ports, etc. Filesystem is key to security and interoperability of binary data formats. 13
- 17. WhyDASH7FilesystemMatters Alice’s Network Bob’s Network DASH7 Endpoint with default configuration. Alice discovers Endpoint & uploads network params Endpoint leaves Alice, joins Bob. Bob uploads its network params A DASH7 device can productively carry data across diverse IoT networks. Today’s IoT lacks such a distributed data model, and as a result data gets stuck in cloud “silos.” On the other hand, a distributed data model promotes IoT market growth and market-wide commitment to data security features. 14
- 18. WhyDASH7FilesystemMatters Alice’s Network Bob’s Network DASH7 Endpoint with default configuration. Alice discovers Endpoint & uploads network params Endpoint leaves Alice, joins Bob. Bob uploads its network params A DASH7 device can productively carry data across diverse IoT networks. Today’s IoT lacks such a distributed data model, and as a result data gets stuck in cloud “silos.” On the other hand, a distributed data model promotes IoT market growth and market-wide commitment to data security features. Not to mention, the potential to spider & search an open IoT. 14
- 19. Haystack + DASH7 Security 15 Patrick Burns co-founder & CEO pat@haystacktechnologies.com