Haystack + DASH7 Security

An overview of Haystack's security features for low power IoT networks. Unlike most IoT stacks, when Haystack invented DASH7, security was an a priori principle and led to the most secure networking stack available in the low power, wide area networking (LPWAN) space today.

Published in: Technology
Haystack + DASH7 Security

  1. Haystack + DASH7 Security
  3. Similarities & Differences of PHY/MAC

     | | DASH7 | DASH7/LoRa | 6LoWPAN |
     |---|---|---|---|
     | Primary Spectrum | 433 MHz | 433/915 MHz | 2450 MHz |
     | Supported Bitrates | 26.5, 53, 106 kbps | 1 - 26.5 kbps | 250 kbps |
     | Modulation/Encoding | MSK / FEC+RS | CSS / FEC | MSK / DSSS |

     | | DASH7 and DASH7/LoRa | 6LoWPAN |
     |---|---|---|
     | Network Model | Host – Host | Host – Host |
     | Multiaccess Models | CSMA-CA, Time slotting, Query Arbitration | CSMA-CA, Time slotting |
     | MAC Data Integrity | High | Low |
     | MAC Cryptography | AES128 EAX | AES128 CCM |
     | Frame MTU | 256 bytes | 127 bytes |

     MAC Data Integrity (6LoWPAN): CRC validation of the frame is vulnerable to an incorrect length byte in the header. Koopman & Chakravarty, CRC Polynomial Selection For Embedded Networks.

     MAC Cryptography: EAX is a newer (2004) cipher mode for AES.
     ‣ Standard AES keys & distribution
     ‣ Runs twice as fast as CCM
     ‣ Can encrypt MAC addresses (CCM can't)
     ‣ Packets don't need to be 16-byte aligned
  4. Networking: Strengths and Weaknesses. Greatest Differentiation is in Networking

     DASH7 strengths:
     • Fast, low-power network sync
     • Fast round-trip for request/response
     • Universal MAC precludes App Profiles
     • Supports core IPv6 features & UDP

     DASH7 weaknesses:
     • New, so few implementations available
     • Formal support for only 2 hops
     • No TCP support at present

     6LoWPAN strengths:
     • Possible to do almost all IPv6 features
     • Mature implementations available
     • Lots of PHY/MAC options

     6LoWPAN weaknesses:
     • App data really should use internal CRC!
     • No standard way for low-power network sync
     • Needs a lot of extra work up the stack and in definition of application profiles
  5. Networking: Strengths and Weaknesses. Let's Investigate a Few Areas (same DASH7 and 6LoWPAN lists as slide 4)
  6. 802.15.4 CRC is Vulnerable
     • On vulnerable MACs, payloads should have their own integrity check.
     • Seminal research on the topic published only in 2012.
       Koopman & Chakravarty, CRC Polynomial Selection for Embedded Networks. 2012.
       Mirror: http://www.indigresso.com/wiki/doku.php?id=dash7_mode_2:crc_research
     • Some polynomials we thought were good, are not.
     • Length byte (header) must be protected independently. If frame length is wrong, the frame-CRC gets marginalized no matter how strong it is.

     | | DASH7 | LoRa HW Support | 6LP |
     |---|---|---|---|
     | CRC Poly | CRC16-IBM | CRC16-IBM | CRC16-CCITT |
     | Koopman's Rating | Strong | Strong | Weak |
     | Header CRC | Yes | Yes | No |
  8. Contrasting Methods of Network Sync
     To do it in a low-power way, network asymmetries must be exploited.

     | | DASH7 | 6LoWPAN |
     |---|---|---|
     | Idle Mode | Background Detect | Duty-cycled RX |
     | Asymmetry Exploited | Plug-in nodes can transmit streams | Plug-in nodes can transmit streams |
     | Low-Power Listening | Yes | Yes |
     | Provides Group Sync | Yes | No |
     | Endpoints Stay Quiet | Yes | Yes |
     | Sync Latency (typ) | 1 - 2 sec | 1 - 2 sec |
     | On-time / Period (typ) | 1.3 ms / 500 ms | 8 ms / 1 s |

     Typical figures: all standards can be configured to optimize latency vs. low power.
  9. 6LoWPAN: Repeat the Packet
     • Idea is to send the request packet many times, so the receiver can “strobe” its listening cycle and still get the data.
     • Many different — but similar — variants of above: BMAC, XMAC, BoXMAC, WiseMAC, ContikiMAC, … others
     • Downside: synchronizes one endpoint at a time, not a group all at once.
     • Downside: if data rate is low, packets are long & receiver listens a lot.

     [Figure 1: ContikiMAC: nodes sleep most of the time and periodically wake up to check for radio activity. If a packet transmission is detected, the receiver stays awake to receive the next packet and sends a link layer acknowledgment. To send a packet, the sender repeatedly sends the same packet until a link layer acknowledgment is received.]

     Example is of “ContikiMAC”: http://www.dunkels.com/adam/dunkels11contikimac.pdf
  10. DASH7: Advertise & Group Sync

      [Diagram: a series of Background Advertising frames, each carrying ETA and Info fields (ETA 500, ETA 1, ETA 0), followed by the Foreground Request]

      Host A sends a stream of special “background frames” containing Advertising Protocol Data. The data includes the time when the next request will occur (e.g. 500 ms). Host A sends synchronized request at planned time.

      Any number of other Hosts can listen for advertising:
      1. Briefly sample the channel for any activity.
      2. Check for signs that it’s a background frame (part of design).
      3. Receive the background frame.

      All listeners can receive request, all can send responses, all are now synced to each other.

      DASH7’s advertising & synchronization model follows from the previous concepts. It provides group synchronization, allows for wide tolerances in device specs, and also scales to low data rates.
  11. Low-Pwr Advertising & Group Sync Timeline
      Engineers have pursued low-power advertising for years. The goals have been mostly consistent:
      ‣ Minimize RX on-time
      ‣ Minimize False-positives
      ‣ Maximize True-positives

      DASH7’s method is the first to use a bifurcated frame specification and real-time synchronization units (ms). 20 years of collective R&D, but the concept finally works and scales.

      Timeline:
      • 1990’s: Transmission of long preamble ahead of request packet.
      • 2000-2010: BMAC proposed (early 2000’s): a protocol using countdown packets.
      • 2000-2010: ISO 18000-7.1 (early 2000’s): structured long preamble.
      • 2000-2010: TinyOS group implements BMAC+: struggles, finds impractical (late 2000’s).
      • 2010—: Final spec of DASH7 MAC and Advertising Protocol (2012).
  12. Fast Group Sync Enables Fast Round-Trip
      Synchronize devices, send request, and get responses before endpoints are GONE.

      “Chaotic” Conditions assume:
      ‣ Endpoints as well as internet gateways (i.e. edge routers) may be mobile.
      ‣ “Potpourri of ownership” of the endpoints & gateways.

      Some examples of chaotic networks:
      ‣ Getting sensor data off of tags in a moving vehicle (see diagram).
      ‣ Smartphones querying smart objects and each other.

      [Diagram labels: 30 m/s; Advertising (1s), Request (<50ms), Responses (1s); Any IP address, WAN/4G, DASH7 Gateway]

      Discovering and getting data from low-power devices inside a vehicle going highway speed is a hard problem, but it is one for which DASH7 is well-suited.
  13. Networking: Strengths and Weaknesses. Let’s Investigate a Few Areas (Update) (same DASH7 and 6LoWPAN lists as slide 4)
  14. Implementing Trivial Apps
      DASH7 stacks have built-in application functionality.

      [Stack diagram: DASH7 PHY/MAC/NET, Sessioning, Transport Layer Applications, Filesystem]

      Transport Layer Apps (TLA’s) include:
      ‣ Beaconing Series (a.k.a. “Announcement”)
      ‣ Inventory & Collection Queries

      User configures TLA’s and provides them with data via Filesystem API.
  16. What Exactly is the DASH7 Filesystem?
      A consistent data model & API to promote multi-app, multi-vendor interoperability.

      [Stack diagram: DASH7 PHY/MAC/NET, Sessioning, Transport Layer Applications, Filesystem]

      • L6, queryable, database-ish API
      • root/admin/guest XRW privileges
      • Up to 256 “BLOB” files (Generic Files)
      • Up to 1024 indexed short files (ISF’s)
        ‣ Low-level (L4) queries happen here
        ‣ Batch or single-file access
        ‣ 0-15 used as configuration registry
        ‣ Rest available to user for arbitrary data storage, application ports, etc.

      Filesystem is key to security and interoperability of binary data formats.
  18. Why DASH7 Filesystem Matters

      [Diagram: Alice’s Network and Bob’s Network]
      1. DASH7 Endpoint with default configuration.
      2. Alice discovers Endpoint & uploads network params.
      3. Endpoint leaves Alice, joins Bob. Bob uploads its network params.

      A DASH7 device can productively carry data across diverse IoT networks. Today’s IoT lacks such a distributed data model, and as a result data gets stuck in cloud “silos.” On the other hand, a distributed data model promotes IoT market growth and market-wide commitment to data security features. Not to mention, the potential to spider & search an open IoT.
  19. Haystack + DASH7 Security
      Patrick Burns, co-founder & CEO, pat@haystacktechnologies.com
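
Slides 3 and 6 say that a frame CRC is marginalized when the length byte is wrong, and that the header must be protected independently. The following is an added example, not code from the slides or from any DASH7 or 6LoWPAN stack, that shows this on a constructed frame layout: one flipped bit in the length byte makes an unprotected receiver accept a truncated payload with a valid CRC-16, while a receiver that first checks a header CRC rejects the frame. The layout, the CRC-8 header check and the sample payload are assumptions made for the illustration.

```python
# Constructed frame layouts for illustration; not the DASH7 or 802.15.4 wire format.
def crc16_ibm(data: bytes) -> int:
    """Bitwise CRC-16/ARC (reflected polynomial 0xA001, init 0)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def crc8(data: bytes) -> int:
    """Bitwise CRC-8 (polynomial 0x07, init 0); assumed header check."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ (0x07 if crc & 0x80 else 0)) & 0xFF
    return crc

def build(payload: bytes, header_crc: bool) -> bytes:
    """[len][crc8(len) if header_crc][payload][crc16 over all preceding bytes]."""
    header = bytes([len(payload)])
    if header_crc:
        header += bytes([crc8(header)])
    body = header + payload
    return body + crc16_ibm(body).to_bytes(2, "little")

def parse(buf: bytes, header_crc: bool):
    """Return the payload, or None if any integrity check fails."""
    hdr_len = 2 if header_crc else 1
    if len(buf) < hdr_len + 2:
        return None
    if header_crc and crc8(buf[:1]) != buf[1]:
        return None                  # length byte cannot be trusted: stop here
    end = hdr_len + buf[0]           # the length byte decides what the CRC-16 covers
    if len(buf) < end + 2:
        return None
    if crc16_ibm(buf[:end]) != int.from_bytes(buf[end:end + 2], "little"):
        return None
    return buf[hdr_len:end]

def flip_length_bit(frame: bytes, bit: int = 3) -> bytes:
    """Model a single-bit channel error in the length byte (0x0C becomes 0x04)."""
    return bytes([frame[0] ^ (1 << bit)]) + frame[1:]

# Constructed 12-byte payload: its first 6 bytes equal a 4-byte payload plus that CRC-16.
INNER = build(b"TEMP", header_crc=False)
PAYLOAD = INNER[1:] + b"\x00\x17\x2a\x01\x00\x00"
if __name__ == "__main__":
    print(parse(flip_length_bit(build(PAYLOAD, False)), False))
```

Without the header check, the corrupted frame parses as the 4-byte payload `b"TEMP"` even though the CRC-16 itself is computed correctly; with it, the same bit flip is rejected before the length is used.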
