An overview of Haystack's security features for low power IoT networks. Unlike most IoT stacks, when Haystack invented DASH7, security was an a priori principle and led to the most secure networking stack available in the low power, wide area networking (LPWAN) space today.
2. Similarities & Differences of PHY/MAC
DASH7 DASH7/LoRa 6LoWPAN
Primary Spectrum 433 MHz 433/915 MHz 2450 MHz
Supported Bitrates 26.5, 53, 106 kbps 1 - 26.5 kbps 250 kbps
Modulation/Encoding MSK / FEC+RS CSS / FEC MSK / DSSS
Network Model Host – Host Host – Host
Multiaccess Models
CSMA-CA
Time slotting
Query Arbitration
CSMA-CA
Time slotting
MAC Data Integrity High Low
MAC Cryptography AES128 EAX AES128 CCM
Frame MTU 256 bytes 127 bytes
2
3. Similarities & Differences of PHY/MAC
DASH7 DASH7/LoRa 6LoWPAN
Primary Spectrum 433 MHz 433/915 MHz 2450 MHz
Supported Bitrates 26.5, 53, 106 kbps 1 - 26.5 kbps 250 kbps
Modulation/Encoding MSK / FEC+RS CSS / FEC MSK / DSSS
Network Model Host – Host Host – Host
Multiaccess Models
CSMA-CA
Time slotting
Query Arbitration
CSMA-CA
Time slotting
MAC Data Integrity High Low
MAC Cryptography AES128 EAX AES128 CCM
Frame MTU 256 bytes 127 bytes
CRC validation of the frame is vulnerable
to incorrect length byte in header.
Koopman & Chakravarty,
CRC Polynomial Selection For Embedded Networks
EAX is a newer (2004) cipher for AES.
‣ Standard AES keys & distribution!
‣ Runs twice as fast as CCM!
‣ Can encrypt MAC addresses (CCM can’t)!
‣ Packets don’t need to be 16byte aligned!
2
4. Networking Strengths Weaknesses
• Fast, low-power network sync
• Fast round-trip for request/response
• Universal MAC precludes App Profiles
• Supports core IPv6 features & UDP
• New, so few implementations available
• Formal support for only 2 hops
• No TCP support at present
• Possible to do almost all IPv6 features
• Mature implementations available
• Lots of PHY/MAC options
• App data really should use internal CRC!
• No standard way for low-power network sync
• Needs a lot of extra work up the stack and in
definition of application profiles
Greatest Differentiation is in Networking
DASH7
6LoWPAN
3
5. Networking Strengths Weaknesses
• Fast, low-power network sync
• Fast round-trip for request/response
• Universal MAC precludes App Profiles
• Supports core IPv6 features & UDP
• New, so few implementations available
• Formal support for only 2 hops
• No TCP support at present
• Possible to do almost all IPv6 features
• Mature implementations available
• Lots of PHY/MAC options
• App data really should use internal CRC!
• No standard way for low-power network sync
• Needs a lot of extra work up the stack and in
definition of application profiles
Let’s Investigate a Few Areas
4
DASH7
6LoWPAN
6. 802.15.4 CRC is Vulnerable
• On vulnerable MAC’s, payloads should have their own integrity check.
• Seminal research on the topic published only in 2012.
Koopman & Chakravarty, CRC Polynomial Selection for Embedded Networks. 2012.
Mirror: http://www.indigresso.com/wiki/doku.php?id=dash7_mode_2:crc_research
• Some polynomials we thought were good, are not.
• Length byte (header) must be protected independently. If frame length is
wrong, the frame-CRC gets marginalized no matter how strong it is.
DASH7 LoRa HW Support 6LP
CRC Poly CRC16-IBM CRC16-IBM CRC16-CCITT
Koopman’s Rating Strong Strong Weak
Header CRC Yes Yes No
5
7. Contrasting Methods of Network Sync
To do it in a low-power way, network asymmetries must be exploited
DASH7 6LoWPAN
Idle Mode BackgroundDetect Duty-cycledRX
Asymmetry Exploited
Plug-in nodes can transmit
streams
Plug-in nodes can transmit
streams
Low-Power Listening Yes Yes
Provides Group Sync Yes No
Endpoints Stay Quiet Yes Yes
Sync Latency (typ) 1 - 2 sec 1 - 2 sec
On-time / Period (typ) 1.3 ms / 500 ms 8 ms / 1s
6
8. Contrasting Methods of Network Sync
To do it in a low-power way, network asymmetries must be exploited
DASH7 6LoWPAN
Idle Mode BackgroundDetect Duty-cycledRX
Asymmetry Exploited
Plug-in nodes can transmit
streams
Plug-in nodes can transmit
streams
Low-Power Listening Yes Yes
Provides Group Sync Yes No
Endpoints Stay Quiet Yes Yes
Sync Latency (typ) 1 - 2 sec 1 - 2 sec
On-time / Period (typ) 1.3 ms / 500 ms 8 ms / 1s
Typical figures: all standards can be
configured to optimize latency vs. low power.
6
9. 6LoWPAN:RepeatthePacket
• Idea is to send the request packet many times, so the receiver can
“strobe” its listening cycle and still get the data.
• Many different — but similar — variants of above:
BMAC, XMAC, BoXMAC, WiseMAC, ContikiMAC, … others
• Downside: synchronizes one endpoint at a time, not a group all at once.
• Downside: if data rate is low, packets are long & receiver listens a lot.
DD D A
AD
D
A Acknowledgement packet
Data packet
Reception window
Send data packets until ack received
Sender
Receiver
Transmission detected
D
Figure 1: ContikiMAC: nodes sleep most of the time and
periodically wake up to check for radio activity. If a
packet transmission is detected, the receiver stays awake
to receive the next packet and sends a link layer acknowl-
edgment. To send a packet, the sender repeatedly sends
the same packet until a link layer acknowledgment is re-
ceived.
Data packet
t
i
t
c
t
r
Sender
Receiver
CCA
Figure 3: The ContikiMAC tr
ing.
2.1 ContikiMAC Timi
ContikiMAC has a power-effi
that relies on precise timing be
Example is of “ContikiMAC”
http://www.dunkels.com/adam/
dunkels11contikimac.pdf
7
10. DASH7:Advertise&GroupSync
ETA
500
Info
0
ETA
1
Info
0
ETA
0
Info
0
Foreground RequestBackground AdvertisingBackground AdvertisingBackground Advertising
Host A sends a stream of special “background frames” containing
Advertising Protocol Data. The data includes the time when the
next request will occur (e.g. 500 ms).
Host A sends
synchronized request
at planned time
Any number of other Hosts can listen for advertising.
1. Briefly sample the channel for any activity.
2. Check for signs that it’s a background frame (part of design).
3. Receive the background frame.
1 2 3
All listeners can receive
request, all can send
responses, all are now
synced to each other.
DASH7’s advertising & synchronization model follows from the
previous concepts. It provides group synchronization, allows for wide
tolerances in device specs, and also scales to low data rates.
8
11. Low-Pwr Advertising & Group Sync Timeline
Engineers have pursued low-power
advertising for years. The goals have
been mostly consistent:
‣ Minimize RX on-time
‣ Minimize False-positives
‣ Maximize True-positives
DASH7’s method is the first to use a
bifurcated frame specification and
real-time synchronization units (ms).
20 years of collective R&D, but the
concept finally works and scales.
1990’s2000-20102010—
Transmission of long preamble
ahead of request packet.
BMAC proposed (early 2000’s):
A protocol using countdown packets.
ISO 18000-7.1 (early 2000’s)
structured long preamble
TinyOS group implements BMAC+:
struggles, finds impractical (late 2000’s)
Final spec of DASH7 MAC and
Advertising Protocol (2012)
9
12. Fast Group Sync Enables Fast Round-Trip
Synchronize devices, send request, and get responses before endpoints are GONE
“Chaotic” Conditions assume:
‣ Endpoints as well as internet gateways
(i.e. edge routers) may be mobile.
‣ “Potpourri of ownership” of the
endpoints & gateways.
Some examples of chaotic networks:
‣ Getting sensor data off-of tags in a
moving vehicle (see diagram).
‣ Smartphones querying smart objects
and each other.
30m/s
Advertising (1s)
Request (<50ms)
Responses (1s)
Discovering and getting data from low-power
devices inside a vehicle going highway speed
is a hard problem, but it is one for which
DASH7 is well-suited.
Any IP
address
WAN/4G
DASH7
Gateway
10
13. Networking Strengths Weaknesses
• Fast, low-power network sync
• Fast round-trip for request/response
• Universal MAC precludes App Profiles
• Supports core IPv6 features & UDP
• New, so few implementations available
• Formal support for only 2 hops
• No TCP support at present
• Possible to do almost all IPv6 features
• Mature implementations available
• Lots of PHY/MAC options
• App data really should use internal CRC!
• No standard way for low-power network sync
• Needs a lot of extra work up the stack and in
definition of application profiles
Let’s Investigate a Few Areas (Update)
DASH7
6LoWPAN
11
14. Implementing Trivial Apps
DASH7 stacks have built-in application functionality
DASH7
PHY/MAC/NET
Sessioning
Transport Layer
Applications
Filesystem
Transport Layer Apps (TLA’s) include:
‣ Beaconing Series (a.k.a. “Announcement”)
‣ Inventory & Collection Queries
User configures TLA’s and provides them
with data via Filesystem API.
12
15. What Exactly is the DASH7 Filesystem?
A consistent data model & API to promote multi-app, multi-vendor interoperability
DASH7
PHY/MAC/NET
Sessioning
Transport Layer
Applications
Filesystem
• L6, queryable, database-ish API
• root/admin/guest XRW privileges
• Up to 256 “BLOB” files (Generic Files)
• Up to 1024 indexed short files (ISF’s)
‣ Low-level (L4) queries happen here
‣ Batch or single-file access
‣ 0-15 used as configuration registry
‣ Rest available to user for arbitrary data
storage, application ports, etc.
13
16. What Exactly is the DASH7 Filesystem?
A consistent data model & API to promote multi-app, multi-vendor interoperability
DASH7
PHY/MAC/NET
Sessioning
Transport Layer
Applications
Filesystem
• L6, queryable, database-ish API
• root/admin/guest XRW privileges
• Up to 256 “BLOB” files (Generic Files)
• Up to 1024 indexed short files (ISF’s)
‣ Low-level (L4) queries happen here
‣ Batch or single-file access
‣ 0-15 used as configuration registry
‣ Rest available to user for arbitrary data
storage, application ports, etc.
Filesystem is key to security and
interoperability of binary data formats.
13
17. WhyDASH7FilesystemMatters
Alice’s
Network
Bob’s
Network
DASH7 Endpoint with
default configuration.
Alice discovers Endpoint &
uploads network params
Endpoint leaves Alice, joins Bob.
Bob uploads its network params
A DASH7 device can productively carry data across diverse IoT networks.
Today’s IoT lacks such a distributed data model, and as a result data gets
stuck in cloud “silos.” On the other hand, a distributed data model promotes
IoT market growth and market-wide commitment to data security features.
14
18. WhyDASH7FilesystemMatters
Alice’s
Network
Bob’s
Network
DASH7 Endpoint with
default configuration.
Alice discovers Endpoint &
uploads network params
Endpoint leaves Alice, joins Bob.
Bob uploads its network params
A DASH7 device can productively carry data across diverse IoT networks.
Today’s IoT lacks such a distributed data model, and as a result data gets
stuck in cloud “silos.” On the other hand, a distributed data model promotes
IoT market growth and market-wide commitment to data security features.
Not to mention, the potential to
spider & search an open IoT.
14
19. Haystack + DASH7 Security
15
Patrick Burns
co-founder & CEO
pat@haystacktechnologies.com