Survey On Security in Internet of Things State of The Art and Challenges
Survey On Security in Internet of Things State of The Art and Challenges
Survey On Security in Internet of Things State of The Art and Challenges
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TC.2017.2672752, IEEE
Transactions on Computers
1
Abstract—With the proliferation of Internet of Things (IoT), the IEEE 802.15.4 physical layer is becoming increasingly popular due to
its low power consumption. However, secure data communication over the network is a challenging issue because vulnerabilities in the
existing security primitives lead to several attacks. The mitigation of these attacks separately adds significant computing burden on the
legitimate node. In this paper, we propose a secure IEEE 802.15.4 transceiver design that mitigates multiple attacks simultaneously by
using a physical layer encryption approach that reduces the computations at the upper layers. In addition to providing confidentiality and
integrity services, the proposed transceiver provides sufficient complexity to various attacks, such as cryptanalysis and traffic analysis
attacks. It also significantly improves the lifetime of the node in the presence of a ghost attacker by preventing the legitimate node from
processing the bogus messages and hence combats against energy depletion attacks. The simulation results show that a high symbol
error rate at the adversary can be achieved using the proposed transceiver without affecting the throughput at the legitimate node. In
this paper, we also analyze the hardware complexity by developing an FPGA and ASIC prototype of the proposed transceiver.
Index Terms—Attacks in wireless networks, energy depletion attack, hardware encryption, IEEE 802.15.4 transceiver, physical layer
security, physical layer encryption, phase encryption, security in Internet of Things, traffic analysis attack
1 I NTRODUCTION
0018-9340 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TC.2017.2672752, IEEE
Transactions on Computers
2
between the message bits and the key bits generated by a among others [26]. However, its implementation along with
key-stream generator [10]. In terms of implementation, it is the key-stream generation has not been well studied and
hardware efficient, but its security strength solely depends implemented for IEEE 802.15.4. Moreover, security analyses
on the underlying algorithm used for key-stream generation against various attacks, such as energy depletion and traffic
and does not provide any additional strength. Conversely, analysis attacks, have not been performed for 802.15.4 with
PLE schemes can provide high decoding error in the ci- PLE schemes. This work focuses on the phase encryption for
phertext itself at the adversary and thus provide additional 802.15.4 with an extensive analysis of the different attacks.
strength to the underlying encryption algorithm [11]. PLE
approaches are also computationally secure, but unlike up- 1.2 Contributions of this Paper
per layer encryption approaches, they provide additional
The contributions of this paper include the following:
strength to the underlying algorithm because they hinder
the adversary in receiving the ciphertext itself. Because PLE 1) We propose a secure IEEE 802.15.4 transceiver with
schemes perform encryption during the modulation process the PLE approach using physical layer phase en-
rather than performing it on the incoming data bits directly, cryption, which reduces the computation at the
these schemes are modulation specific and require special upper layers aiming toward energy savings.
attention for each wireless technology. 2) Analysis of the proposed system in terms of security
In the case of 802.15.4, security services are provided services and capability of combating against attacks
through a medium access control (MAC) layer package that such as brute force search, cryptanalysis, traffic anal-
offers basic services such as confidentiality, integrity and ysis and resource depletion attacks.
so forth [12]. These services are achieved at the cost of 3) Performance comparison of the proposed
computing energy that is far from ignorable [13], [14]. By transceiver with standard transceivers reported
investigating some potential flaws in these services, new at- in the literature by considering security strength,
tacks have been presented [15], [16], [17]. Different methods power consumption and symbol error rate as the
have been proposed to mitigate different attacks at the cost key performance metrics.
of additional computing power, but all the methods have 4) Comparison of the message reception at the legiti-
not been concurrently studied and adopted by 802.15.4. mate and adversary receivers.
However, for secret data transmission, some steganography 5) Implementation of the proposed system in ASIC
methods have also been proposed for 802.15.4 to create using UMC 0.18µm CMOS technology and FPGA
a covert channel along with the main channel [18], but prototyping for hardware complexity analysis.
these methods suffer the drawbacks of a low data rate
over the covert channel and depend on the primary data 1.3 Organization of the Paper
transmission. The remainder of this paper is organized as follows. Section
In this work, we propose a PLE scheme for IEEE 802.15.4. 2 describes the necessary background related to the work,
To the best of our knowledge, we are the first to implement followed by the requirements for the system. The proposed
and analyze PLE for 802.15.4. In the following subsections, system design is described in section 3, followed by the
we discuss the existing PLE approaches with associated implementation of the system in section 4. The performance
problems followed by the contributions of this work. of the system is analyzed through various performance
metrics in section 5. Section 6 concludes the paper with
1.1 Related Works future directions for research.
The motivation for providing security at the physical layer
lies in the fact that it has the lowest impact on the network 2 BACKGROUND AND S YSTEM R EQUIREMENTS
and offers low latency without introducing any overhead In this section, we describe the phase encryption that is
[19]. Various PLE schemes have been proposed in the lit- used in the proposed system for security and the system
erature, although most of these schemes are for securing requirements for implementing phase encryption.
orthogonal frequency division multiplexing (OFDM) sys-
tems. Some techniques are implemented by scrambling the 2.1 Phase Encryption
constellation symbols [20], [21], whereas in [22] and [23],
In phase encryption, the phase of the modulated symbol is
PLE is achieved by adding a small amount of random noise
varied according to a key stream whose size depends on
to each constellation symbol. A few methods [11], [24] have
the underlying modulation scheme. In IEEE 802.15.4, each
proposed the encryption of training symbols along with
modulated symbol contains 2 bits of the message and is of
data symbols to combat traffic analysis attacks, which have
the form (I, Q) where I and Q takes the value from the set
not been mitigated by other methods. The aforementioned
{1, −1}. Therefore, the key stream’s I and Q components
approaches provide security for OFDM systems, but these
take values from the binary set {1, −1}, and the ciphertext
cannot be applied to IEEE 802.15.4 due to their unsuitability
is generated by multiplying the respective components of
with its devices.
the key stream and modulated symbols.
Recently, Huo et al. proposed a method called phase
If ki , di , and ci are the ith sample of the key stream,
encryption for combating against traffic analysis attacks
modulated symbol and ciphertext, respectively, then the
[25]. They compared the phase encryption with XOR en-
ciphertext generation can be explained by equation 1.
cryption and generalized the phase encryption for vari-
ous modulation schemes, such as BPSK, QPSK, and QAM, ci = ai × Re{di } + jbi × Im{di } (1)
0018-9340 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TC.2017.2672752, IEEE
Transactions on Computers
3
where ai + jbi = ki , and ai , bi are the in-phase and In the RC4 algorithm, a secret key sk is used to scramble
quadrature-phase components of the key stream, respec- the permutation of an array S and to generate an arbitrary
tively. number of pseudo-random key-stream bytes. There are
two components in RC4, namely, key scheduling algorithm
2.2 System Requirements (KSA) and pseudo-random generator algorithm (PRGA).
The KSA performs an initial permutation on S on the basis
The specification of the IEEE 802.15.4 PHY layer supports of an array K , where K is the repeated version of sk of
a data rate of up to 250 Kbps. The modulated symbol rate length 256. The PRGA uses this pseudo-random permuta-
for this data rate is 1 Mbps as bit-to-symbol encodes k = 4 tion to generate the key stream. The complete description of
bits into 2k = 16 symbols and each symbol is mapped to a the RC4 algorithm and its loop unrolling architecture can be
32-bit-long chip sequence. To perform encryption after the found in [28].
modulation, there is a need for a key stream at the required
In the loop unrolling architecture, a consecutive pair of
rate of 1 Mbps. The stream cipher is used to generate the key
cycles is combined in a particular fashion such that the
stream, and the reasons for choosing a stream cipher rather
functionality of two consecutive loops is completed in a
than a block cipher are as follows:
single loop. According to the authors in [28], the operations
• Block ciphers have a complex architecture that re- of the two consecutive cycles of the RC4 algorithm are per-
quires a large chip area and high power consump- formed simultaneously, and its functionality can be reduced
tion. These may not be suitable for constrained de- to circuits as mentioned in Table 1. Circuit1 and Circuit2 are
vices at the mentioned data rate. used to increment i1 , i2 and j1 , j2 , respectively; Circuit3 is
• In block ciphers, there is no one-to-one relationship for swapping; and Circuit4 will calculate the output Z1 and
between individual bits in plaintext and ciphertext Z2 . These circuits can be found in [28], except for Circuit2,
as in stream ciphers. Even a single bit error in the which has been modified by us to make it reusable and less
ciphertext introduced in the channel due to noise complex. Because both KSA and PRGA need not run at the
will change the plaintext dramatically [27]. This re- same time, the same circuitry should be utilized for both.
flects the unsuitability of block ciphers when error- The modified circuit 2 is shown in Fig. 2.
correcting codes are applied prior to encryption.
TABLE 1: Loop Unrolling of RC4
We used the RC4 stream cipher for encryption and key-
stream generation purposes due to its simplicity and suit- Task First Loop Second Loop Corres.
Circuit
ability for low-power devices [28]. However, some biases Increment of i
Increment of j
i1 ← i0 + 1
j1 ← j0 + S0 [i1 ]
i2 ← i0 + 2
j2 ← j0 + S0 [i1 ] + S1 [i2 ]
Circuit1
Circuit2
have been found in RC4 that make it insecure [29], but for Swap S0 [i1 ] ↔ S0 [j1 ] S1 [i2 ] ↔ S1 [j2 ] Circuit3
Output Z1 ← S1 [S0 [i1 ] + S0 [j1 ]] Z1 ← S2 [S1 [i2 ] + S1 [j2 ]] Circuit4
the proposed system, RC4 provides sufficient complexity to
perform the cryptanalysis as the adversary faces additional
The complete architecture of the key-stream generator is
difficulty in frame synchronization and receives the cipher-
depicted in Fig. 3. The clock selector circuit is for selecting
text with a high error rate.
the clock from the two clocks CLKsystem and CLKderived .
Here, CLKsystem is 16 MHz, and CLKderived is the re-
3 S YSTEM D ESIGN quired clock rate such that the output bit rate of the key
The block diagram of the proposed transceiver is presented stream matches the modulated data rate. This is to ensure
in Fig. 1. Based on functionality, it can be categorized that KSA completes in the minimum possible time, while
into three main units: transmitter, receiver and key-stream during PRGA, the output of the key stream is 1 Mbps. Two
generator. First, we discuss the key-stream generator, which control signals KSAen and P RGAen are used for control-
is common for transmitter and receiver operation. Later, we ling the execution timing of the two algorithms because KSA
briefly describe the transmitter and receiver units. has to complete its operations prior to the start of PRGA.
CLKsystem and CLKderived should be given at the trailing
edge of KSAen and P RGAen , respectively, while no clock
3.1 Key-stream Generator
should be given to the KSA and PRGA in the absence of a
To generate the key stream, we use the RC4 stream cipher valid incoming frame to reduce the power consumption.
with hardware implementation using loop unrolling [28]. The task of the clock scheduler block is to generate clocks
We have modified the hardware implementation proposed for all the circuits given in Table 1 because these circuits
by S. Gupta et al. to make it more suitable for phase require different clocks to run at different time intervals.
encryption [28]. The reason for choosing hardware rather Circuit1, Circuit2 and Circuit4 run on the trailing edge of
than software is due to the unsuitability of software imple- odd cycles of φ, whereas Circuit3 runs on the trailing edge
mentation in the transceiver. The hardware implementation of even cycles of φ. Here, φ is the clock to the clock
of RC4 with loop unrolling provides the fastest results with scheduler. Circuit1, Circuit2 and Circuit3 should be ON for
minimum latency. In addition, through the loop unrolling both KSA and PRGA, whereas Circuit4 and the serializer
design, we obtain two bytes of the key stream on every are only needed for PRGA. The behavior model of the clock
alternate clock, where one can be used for the real part of the selector and clock scheduler is described in Algorithm 1.
key stream and the other for the imaginary part. Thus, both The purpose of the serializer is to generate serial bit streams
parts of the key streams can be generated at the same time driven by the outputs Z1 and Z2 of Circuit4 during PRGA
without any lag between the two, which is the requirement execution. In this way, the key stream for the ith modulated
of the system. symbol is [KSi , KSq ].
0018-9340 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TC.2017.2672752, IEEE
Transactions on Computers
4
SECURE
KEYSTREAM
SECRET KEY HEADER
GENERATOR
MAC GENERATOR
DATA RECOVERY
FRAME
62.5Ksps 2Mbps 1Mbps
SYMBOL CHIP TO OQPSK DE- PHASE SYNCHRONI- ANALOG/RF
250Kbps TO BIT SYMBOL MODULATION DECRYPTION SATION AND SECTION 2.4GHz
1Mbps DETECTION
.
Register Bank S Register Bank K Register Bank K Register Bank S which rotates the phase accordingly. When the transceiver
i1 256 × 1 MUX 256 × 1 MUX 256 × 1 MUX 256 × 1 MUX receives the request to send the data from the upper layer,
i2
0
it sends KSAen signal to the key-stream generator block.
PRGAen 2 × 1 MUX 2 × 1 MUX
After completion of the KSA, it will set P RGAen to high
and start the transmission of the data. During KSA, the key-
j0 stream generator operates with a clock frequency of 16 MHz,
and KSA requires 256 clock cycles for completion. So, the
3-input adder 3-input adder 3-input adder
latency caused by encryption during transmission is 16 µs.
Comparator 2 × 1 MUX
3.3 Receiver
j1 j2
In Fig. 1, the receiver unit has two main blocks: one is
frame synchronization and detection, and the other is the
Fig. 2: Circuit 2 to compute j1 and j2 data recovery block. The data recovery block is activated
only if a valid frame is detected by the former block. The
CLKderived Clock Clock functionality of both blocks is explained below:
CLKderived Selector Scheduler
0018-9340 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TC.2017.2672752, IEEE
Transactions on Computers
5
and validated using Xilinx Kintex-7 FPGA KC705 and Xil- with a guaranteed amount of accuracy. The correlator then
inx Chipscope Pro Analyzer. The latency of transmitting a extracts the payload from the frame, and the receiver starts
frame is 16 microseconds, whereas the latency of receiving processing the extracted data.
a frame is 128 microseconds (this latency includes the frame However, we can observe from the figures that the ad-
synchronization and detection latency). The result obtained versary is unable to obtain a subtle peak above the threshold
is summarized in Table 2. and hence fails to detect the valid frames. Moreover, even if
the adversary attempts to decode the message by having a
TABLE 2: FPGA Implementation Results
low threshold, it is difficult to perform the cryptanalysis as
Designs
Static
Power in mw
Dynamic Total
Hardware
Slices
Usage
LUTs
there is no guarantee that it has received the valid ciphertext
RC4 163.43 74.89 238.32 2476 7064 exactly.
Proposed Transceiver 220.06 141.67 361.73 6507 15954
The proposed system has also been implemented in an 5.2 De-spreading Analysis
application-specific integrated circuit (ASIC) using the UMC In the 802.15.4 standard, a set of sixteen pseudo-noise (PN)
0.18 µm CMOS technology. The clock frequency used in the sequences is used to spread a 4-bit symbol into 32-bit chip
implementation is 16 MHZ. The gate-level synthesis is con- sequences. These PN sequences are quasi-orthogonal, and
ducted using the Synopsys Design Compiler. The synthesis the Hamming distance between any two chip sequences
result of the proposed transceiver provides a total number of lies between 12 and 20. In this way, there is a capability
gate counts of 1,32,046, whereas the count for the standard to tolerate six chip errors without a symbol error. With the
transceiver is 1,04,477. This results in a 26% higher number use of the proposed method, this property is destroyed,
of gate counts, which is a reasonable amount considering resulting in more error at the adversary even in the absence
the security benefits. The resource overhead is primarily of noise.
due to the RC4 stream cipher, which consumes 0.681 mW of In the de-spreading block, the incoming 32-bit chips are
power, while the proposed transceiver consumes 3.931 mW correlated with the known chips, and the chip sequence that
of power. The phase encryption/decryption block is quite provides the maximum correlation is selected for symbol
simple in terms of resources because it only consists of two mapping. For the standard receiver, the incoming chip has
multipliers. a very small Hamming distance from one sequence while
having large Hamming distances from the others. However,
5 P ERFORMANCE A NALYSIS using the proposed method, the Hamming distance at the
adversary is almost the same for all the known sequences,
In the first two subsections, the performance of the proposed resulting in more ambiguity in the result. This can be ob-
transceiver is compared with the standard receiver in terms served from Figs. 4c and 4d, where 40 incoming sequences
of frame synchronization and detection analysis and de- are correlated with the known sequences.
spreading analysis, respectively. The following two subsec- To demonstrate the ambiguity in taking a decision dur-
tions discuss the effect of the proposed PLE on the sym- ing the de-spreading at the receiver, we have observed one
bol error rate (SER) and power consumption, respectively. hundred incoming symbols of the frame for both of the
Finally, the security strength of the proposed transceiver transceivers and analyzed the Hamming distance of each
is analyzed in terms of provided services and mitigated symbol from the nearest symbol. As shown in Fig. 4e, the
attacks. effect of noise is visible for the standard receiver as the
minimum Hamming distance from any chip sequence is
5.1 Frame Synchronization and Detection Analysis increased. However, using the proposed method, the ad-
Using the proposed system, the adversary faces difficulty versary has faced almost the same ambiguity in the absence
in the detection and synchronization of the frames. Fig. 4a of noise.
shows the normalized output of the correlator for 5 frames
at an SNR of 3 dB. We can observe that the legitimate 5.3 SER Analysis
receiver has very subtle peaks, whereas the adversarial The performance of the proposed system is compared with
receiver could not obtain such a peak. For better clarity, the standard transceiver in a noisy environment in terms
the normalized calculated peak for the continuous reception of SER. As shown in Fig. 4f, the proposed transceiver does
of frames is plotted in Fig. 4b. After detecting the energy not degrade the SER performance at the legitimate receiver.
in the channel, it starts correlating and computes the peak However, the SER at the adversary receiver is very high for
of the correlation for that frame. This value is the same all densities of noise.
for the time until the frame reception is completed. Then,
it is again calculated and updated. Smaller values at the
repetitive intervals indicate that there is no valid frame in 5.4 Power Analysis
the channel during that period of time. If the proposed transceiver is used, we can avoid the MAC
From both figures 4a and 4b, it can be inferred that layer encryption approaches, which consume considerable
the average normalized amplitude of the peak is found computing power when encrypting a frame and can be
to be 0.8 and the adversary output is averaged at 0.2. For found in [17]. The proposed transceiver reduces this consid-
a successful reception of data, the threshold can be set erable computing burden at the cost of a small amount of
anywhere between 0.4 to 0.6. Such a threshold can help additional communication energy. We discuss an analytical
in the detection of valid frames at the legitimate receiver model for the lifetime of the node for this purpose in two
0018-9340 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TC.2017.2672752, IEEE
Transactions on Computers
6
1 1
Legitimate Receiver 30
Legitimate Receiver
Adversary Receiver Adversary Receiver
25
Normalized correlator output
0.8 0.8
Hamming Distance
20
correlator peaks
0.6 0.6
15
0.4 0.4 10
5
0.2 0.2
0
15
0 0 10
5 25 30 35 40
0 1 2 3 4 5 0 0.02 0.04 0.06 0.08 0.1 5 10 15 20
Refrence Chips 0
simulation time(s) -3 Incoming Chips
×10 simulation time(s)
(a) Output of the correlator for frame (b) Comparison of values of the peak for (c) Hamming distance analysis of chip sequences
synchronization and detection continuous reception of frames using the standard transceiver
20
30 Standard without Noise
10 0
Standard with Noise
proposed without Noise Standard Transceiver
from the nearest chip sequence
25
15 Proposed with Noise Secured Transceiver
Hamming Distance
10 -1 Adversary Receiver
20
Hamming Distance
15
SER
10
10 -2
10
5 5
10 -3
0
15
10 0
5 30 35 40
15 20 25 10 -4
0 5 10
Refrence Chips Incoming Chips 0 20 40 60 80 100 -20 -15 -10 -5 0 5
Incoming symbols Es/N0
(d) Hamming distance analysis of chip sequences (e) Performance of the de-spreading in the presence (f) Comparison of SER
at the adversary using the proposed transceiver of noise .
Fig. 4: Results of the proposed transceiver compared with the standard transceiver
cases. In the first case, we compare its energy consumption bogus message by the proposed and standard transceivers,
with that of the standard transceiver in the presence of an respectively. Let Ta be the total time to receive, process and
attacker in the channel. In the second case, its energy con- decrypt a packet; for the proposed transceiver, Ta = Tsrx as
sumption is analyzed in two different scenarios depending the packet is decrypted in the transceiver only. However, for
upon whether crafted or genuine packets are present in the the standard transceiver, it is Ta = Trx + Tdec , where Tdec is
channel. time taken by the CPU to decrypt the packet.
If we neglect the energy consumption during sleep, i.e.,
5.4.1 Lifetime Comparison with Standard Transceiver when the node is not involved in communication, the total
We consider two nodes for comparison purposes: the first energy consumed per cycle Ec can be considered as the sum
node N P employs the proposed PLE method, whereas of the communication cost Ecomm and computational cost
the second node N U has the standard transceiver with Ecomp , where Ecomm and Ecomp are the energy consumed
advanced encryption standard (AES) as the upper layer per cycle by its transceiver and CPU, respectively. Ecomm
encryption scheme. We consider a counter with the CBC- for nodes N P and N U are given below
MAC mode of operation using AES with a 128-bit key P
Ecomm = τ Psrx (2)
(AES-CCM-128), which is the most secure approach at the (
MAC layer for 802.15.4. We assume that both nodes have U np Ta Prx if np Ta ≥ τ,
the same central processing unit (CPU). We consider that Ecomm = (3)
τ Prx otherwise.
the transceiver works in a duty cycle mode, which is a
valid assumption and also a standard assumption made by U
The Ecomm depends on the number of frames detected in
multiple studies [17]. Let the duty cycle of the node be Tτ , P
the active period, whereas Ecomm depends only on the duty
where τ is the active period and T is the length of the cycle. cycle. This is because the proposed transceiver decrypts
We assume that the attacker is sending a crafted packet at the data during the demodulation itself, and hence, extra
a fixed rate and that np is the number of crafted packets computation and latency due to decryption in the CPU can
a
received by the receiver in the active period. Let Pcpu , be ignored. In this way, the CPU can also be considered idle
i
Pcpu , Prx and Psrx denote the power consumption by the with the proposed transceiver in the active period, i.e., the
active CPU, idle CPU, standard transceiver and proposed CPU in node N p is always idle. The computation costs for
transceiver, respectively. The CPU remains idle during the nodes N P and N U are given below
reception of messages by the transceiver, whereas it is active P i
during the encryption/decryption of upper layer security Ecomp = τ Pcpu (4)
U a i
methods. Let Tsrx and Trx denote the times to receive a Ecomp = np (Tdec Pcpu + Trx Pcpu ) (5)
0018-9340 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TC.2017.2672752, IEEE
Transactions on Computers
7
Because the lifetime of the node is inversely proportional From equations 7 and 8, we can observe that if the number
to the energy consumed by the node per cycle, the ratio of of packets per unit time is the same for both cases, then
lifetime of nodes N P and N U can be expressed as the reduction in lifetime due to legitimate packets is more
U U a i than that due to bogus packets. In other words, the pro-
LP Ecomp + Ecomm np (Tdec Pcpu + Trx Pcpu + Ta Prx )
= P = posed receiver does not waste considerable resources on the
LU Ecomp + Ecomm P i
τ Psrx + τ Pcpu
processing of the bogus messages.
Tdec a Trx i
np Ta Ta (Pcpu + Prx ) + Ta (Pcpu + Prx )
= i 5.5 Security Analysis
τ Psrx + Pcpu
!
np Ta Pcpu i
+ Prx Tdec Pcpua i
− Pcpu 5.5.1 Brute Force Search Attack
= i
+ i
(6) In IEEE 802.15.4, the physical layer preamble consists of 32
τ Pcpu + Psrx Ta Pcpu + Psrx
zeros. It encodes k = 4 bits into 2k = 16 symbols, and each
As the power consumption is primarily dominated by the symbol is 32 bits long. In this way, the preamble consists of
RF section [33], we consider that the power consumption 8 symbols or 256 chips. After modulation, it will convert to
by the proposed secure transceiver is approximately equal 128 complex samples. During phase modulation, the phase
to the standard transceiver since the only change is in of each sample is rotated with one of the four phases of
base-band resources whose power consumption is relatively QPSK according to the key. Thus, there are 4128 possible
minimal. So, Psrx ≈ Prx . We can use Tdec Trx and combinations of the key for one preamble, which can be
a i
Pcpu > Pcpu , which is a valid assumption and can be considered sufficiently secure in today’s standard [34]. With
referenced in [17]. In the case of a ghost attack, when np Ta is such large number of combinations, it is quite difficult for
considerably larger than τ , it can be inferred from equation the adversary to detect the valid frame and perform brute
6 that the lifetime of the node with the proposed transceiver force search attack.
is significantly larger than that of the node with the standard
transceiver. 5.5.2 Confidentiality
5.4.2 Lifetime Comparison with Valid and Bogus Packets Even if the adversary is successful in obtaining the valid
In this case, we considered the dynamic power of the frame, confidentiality is provided by the phase encryption
proposed transceiver for detailed analysis. Let Prf be the as correct data cannot be recovered without a correct key
power consumed by the transceiver when it waits for energy stream. Although we have used the RC4 stream cipher
in the channel. After the successful detection of energy, it to generate the key stream and several biases have been
starts synchronization for duration Tf s and lets it consume found in RC4 making it insecure [29], finding the key by
Pf s energy during that interval. If it detects a valid frame, utilizing these vulnerabilities would require a large number
the data recovery block is activated. Let Tdr and Pdr be the of encrypted texts. In our case, it is difficult to perform the
time duration and power consumed in the reception of the cryptanalysis as there is no guarantee that the adversary
valid frame, respectively. correctly receives the cipher text.
For the analytical model, the power consumed by the
node can be categorized into 3 scenarios: no energy in 5.5.3 Integrity
the channel, only genuine packets in the channel and only Because all the upper layer headers are encrypted, including
bogus packets in the channel. The energy consumed by the their check-sums, the proposed system can identify whether
CPU is the same for all the cases. If the energy consumed the source address or the data have changed in the medium,
o g
by the transceiver in all three cases are Ecomm , Ecomm and thus providing the integrity.
b
Ecomm , respectively, then the following equations describe
these energy consumptions 5.5.4 Authentication, Availability and Data Freshness
o
Ecomm = τ Prf We assumed that these services are provided by the upper
g layers. For availability, the node maintains an access control
Ecomm = np Tf s Pf s + np Tdr Pdr + (τ − np Tf s − np Tdr )Prf
b list (ACL) to prevent unauthorized nodes from participating
Ecomm = np Tf s Pf s + (τ − np Tf s )Prf
in the network. For data freshness, a 32-bit counter is used
at the MAC layer such that the adversary can conduct a
If the lifetimes of the node in the three cases are Lo , Lg
replay attack only after 232 frames, which is considered
and Lb , respectively, then the reduction in lifetime due to
cryptographically secure in practice. In addition, the pro-
the reception of genuine packets is
posed system provides more strength to these services by
i g
Lo τ Pcpu + Ecomm encrypting the security header rather than sending it as a
=
Lg i
τ Pcpu o
+ Ecomm plain text as in the existing security primitives.
np Tf s Pf s − Prf np Tdr Pdr − Prf
=1+ i
+ i
(7) 5.5.5 Traffic Analysis Attack
τ Pcpu + Prf τ Pcpu + Prf
Using the proposed system, the adversary cannot detect the
Similarly, the reduction in lifetime when only bogus packets
timing of the data transmission exactly because it is difficult
are present in the channel is
for the adversary to detect and synchronize the frames.
i g
Lo τ Pcpu + Ecomm np Tf s Pf s − Prf Hence, the proposed system provides sufficient resistivity
= i b
=1+ i
(8)
against traffic analysis attacks.
Lb τ Pcpu + Ecomm τ Pcpu + Prf
0018-9340 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TC.2017.2672752, IEEE
Transactions on Computers
8
5.5.6 Energy Depletion Attacks [11] J. Zhang; A. Marshall; R. Woods; T. Q. Duong, “Design of an
OFDM Physical Layer Encryption Scheme,” in IEEE Transactions
Ghost-in-ZigBee is a resource depletion attack that leverages on Vehicular Technology , vol.PP, no.99, pp.1-1
the underlying vulnerabilities of existing security suites. [12] N. Sastry and D. Wagner, “Security considerations for IEEE
This attack not only depletes the energy of nodes at a faster 802.15.4 networks”, in Proc. 3rd ACM workshop on Wireless security,
pp. 3242, 2004.
rate but also facilitates a variety of threats, such as denial [13] Y. Xiao, H. Chen, B. Sun, R. Wang, and S. Sethi, “MAC security
of service and replay attacks [17]. In these attacks, bogus and security overhead analysis in the IEEE 802.15.4 wireless sensor
messages are transmitted by the attacker, having intention to networks”, EURASIP J. Wirel. Comm., pp.1-12, May 2006.
deplete the energy of the legitimate nodes. In the proposed [14] M. Doomun, K. Soyjaudah, and D. Bundhoo, “Energy con-
sumption and computational analysis of Rijndael-AES”, in Proc.
method, the bogus message will be dropped as soon as pos- IEEE/IFIP Int. Conf. in Central Asia on Internet, pp. 16, Sept. 2007.
sible because it will not be detected as a valid frame. Hence, [15] L. D. Callimahos, “Introduction to Traffic Analysis”, Declassified by
energy will not be wasted on receiving and processing these NSA, 2008.
[16] E. Y. Vasserman and N. Hopper, “Vampire attacks: draining life
bogus messages. We have determined that the node with the from wireless ad hoc sensor networks”, IEEE Trans. Mobile Comput.,
proposed transceiver does not waste considerable energy vol. 12, no. 2, pp. 318332, Feb. 2013.
on bogus messages and provides higher lifetime to the [17] Shila, Devu Manikantan, et al. “Ghost-in-the-wireless: Energy
network. depletion attack on zigbee” Internet of Things Journal, IEEE, DOI:
10.1109/JIOT.2016.2516102, Jan. 2016.
[18] A. K. Nain, P. Rajalakshmi, “A Reliable Covert Channel over IEEE
802.15.4 using Steganography” accepted for publication in Internet
6 C ONCLUSION AND F UTURE D IRECTIONS of Things (WF-IoT), IEEE World Forum on, Reston, Dec. 2016
[19] Y. S. Shiu, S. Y. Chang, H. C. Wu, S. C. H. Huang and H. H. Chen,
We have proposed a secure IEEE 802.15.4 transceiver ar- “Physical layer security in wireless networks: a tutorial” in IEEE
chitecture along with FPGA and ASIC implementation. We Wireless Communications, vol. 18, no. 2, pp. 66-74, April 2011.
[20] H. Li, X. Wang and W. Hou, “Secure Transmission in OFDM
have analyzed the performance through comparison with Systems by Using Time Domain Scrambling” Vehicular Technology
the standard transceiver. The proposed system provides Conference (VTC Spring), 2013 IEEE 77th, Dresden, 2013, pp. 1-5.
a high error rate at the adversary without affecting SER [21] L. Zhang, X. Xin, B. Liu, and Y. Wang, “Secure OFDM-PON based
on chaos scrambling” in IEEE Photon. Technol. Lett., vol. 23, no. 14,
performance at the legitimate receiver. In addition to con-
pp. 9981000, Jul. 2011.
fidentiality, it also offers protection from cryptanalysis and [22] R. Ma, L. Dai, Z. Wang, and J. Wang, “Secure communication in
traffic analysis attacks by increasing the complexity for TDS OFDM system using constellation rotation and noise inser-
the attacker. It provides a significant improvement in the tion” IEEE Trans. Consum. Electron., vol. 56, no. 3, pp. 13281332,
Aug. 2010.
lifetime of the node in the presence of energy depletion [23] D. Reilly and G. Kanter, “Noise-enhanced encryption for physical
attacks. The proposed physical layer encryption technique layer security in an OFDM radio” in Proc. IEEE Radio and Wireless
introduces a minimal latency of approximately 16 µs and Symp. (RWS), San Diego, CA, USA, Jan. 2009, pp. 344347.
has the lowest impact on the network. Future work can be [24] D. Dzung, “Data encryption on the physical layer of a data
transmission system”, U.S. Patent 7 752 430B2, Jul. 6, 2010.
to extend the proposed approach for a multi-radio secure [25] Huo and G. Gong, “Physical layer phase encryption for combating
transceiver that has ZigBee, WiFi and Bluetooth on board. the traffic analysis attack”, in Proc. IEEE Int. Symp. Electromagn.
Compat., pp. 604608, Aug. 2014.
[26] Fei Huo and Guang Gong, “XOR Encryption Versus Phase Encryp-
tion, an In-Depth Analysis”, IEEE Trans. On Electromagn. Compt.,
R EFERENCES vol. 57, No. 4, Jan. 2015.
[27] Richard E. Smith, “Encrypting Volumes”, in Elementary Information
[1] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari and M. Security, 2nd ed. Johns & barlett Learning, 2016, ch. 9, sec. 2, pp.
Ayyash, “Internet of Things: A Survey on Enabling Technologies, 379-387.
Protocols, and Applications,” in IEEE Communications Surveys & [28] Gupta, Soumya Sen, et al. “High-performance hardware imple-
Tutorials, vol. 17, no. 4, pp. 2347-2376, Fourthquarter 2015. mentation for RC4 stream cipher”, Computers, IEEE Trans. on, vol.
[2] J. A. Stankovic, “Research directions for the internet of things”, 62, no. 4, pp. 730-743, April 2013.
IEEE Internet of Things J., vol. 1, no. 1, pp. 39, 2014. [29] Sepehrdad, Pouyan, Serge Vaudenay, and Martin Vuagnoux. “Dis-
[3] Yulong Zou, Xianbin Wang and Lajos Hanzo, “A survey on wireless covery and exploitation of new biases in RC4”, Selected Areas in
security: technical challenges, recent advances and future trends.” Cryptography, Springer, 18th int. workshop, SAC 2011, Berlin, 2011.
arXiv preprint arXiv:1505.07919, May, 2015. [30] N. Salman, I. Rasool and A. H. Kemp, “Overview of the IEEE
[4] N. Doraswamy and Dan Harkins, “IPSec Architecture,” in IPSec: 802.15.4 standards family for Low Rate Wireless Personal Area
The New Security Standard for The Internet, intranets, and virtual Networks,” Wireless Communication Systems (ISWCS), 2010 7th In-
Private Networks, 2nd ed. Prentice Hall Prof., 2003, ch. 4, pp. 59-80. ternational Symposium on, York, 2010, pp. 701-705
[5] S. Raza, D. Trabalza and T. Voigt, “6LoWPAN Compressed DTLS [31] Lin, Kuang-Hao, Wei-Hao Chiu, and Jan-Dong Tseng. “Low-
for CoAP,” Distributed Computing in Sensor Systems (DCOSS), 2012 Complexity Architecture of Carrier Frequency Offset Estimation
IEEE 8th Int. Conf. on, Hangzhou, 2012, pp. 287-289. and Compensation for Body Area Network Systems,” Computers
[6] Mukherjee A., et al.,“Principles of physical layer security in mul- and Mathematics with Applications, vol. 64. no. 5, Sept. 2012. pp. 1400-
tiuser wireless networks: A survey,” IEEE Comm. Surveys & Tutori- 1408.
als, vol., No. 3, pp. 1550-1573, 2014. [32] Chen, Kai-Hsin, and Hsi-Pin Ma. “A low power ZigBee baseband
[7] Goeckel, D., Vasudevan, S., Towsley, D., Adams, S., Ding, Z., and processor.” SoC Design Conference, 2008. ISOCC’08. International. Vol.
Leung, K., “Artificial Noise Generation from Cooperative Relays 1. IEEE, 2008.
for Everlasting Secrecy in Two-Hop Wireless Networks” ,IEEE J. on [33] W. Kluge et al., “A Fully Integrated 2.4-GHz IEEE 802.15.4-
Selected Areas in Comm., vol. 29, no. 10, pp. 2067-2076, October 2011. Compliant Transceiver for ZigBee Applications,” in IEEE Journal
[8] A. Mukherjee amd A. Swindlehurst, “Robust Beamforming for of Solid-State Circuits, vol. 41, no. 12, pp. 2767-2775, Dec. 2006.
Security in MIMO Wiretap Channels with Imperfect CSI”, IEEE [34] William Stalling, “Classical Encryption Techniques,” in Cryptogra-
Trans. Signal Process., vol. 59, no. 1, pp. 351-361, January 2011. phy and Network security: Principle and practice, 5th ed. Prentice Hall,
[9] W. Trappe, “The challenges facing physical layer security”, IEEE 2011, ch. 2, pp. 35-38.
Commun. Mag., vol. 53, no. 6, pp. 1620, Jun. 2015.
[10] Zquete, Andr, and Joao Barros. “Physical-layer encryption with
stream ciphers” Inf. Theory, IEEE Int. Symp. on, (ISIT 2008), Canada,
July 2008.
0018-9340 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.