Wireless Sensor Networks (WSN) aim at linking the cyber and physical worlds. Their security has gained relevance because of the sensitive data these networks may process in unprotected physical and cyber environments. The operational constraints of the sensor nodes demand security primitives with small implementation size and low power consumption. Authenticated encryption is a mechanism to provide these systems with confidentiality, integrity, and authentication of sensitive data. In this paper we explore hardware implementation alternatives for authenticated encryption through generic compositions, to assess the costs of this security approach in WSN. Two symmetric ciphers, AES and P
Wireless Sensor Network (WSN) is a relatively novel technology that has attracted attention by being one of the cornerstones for the Internet of Things (IoT) [
The batteries of a sensor node cannot be replaced, and so their operational life is limited [
In this work we study the energy and area costs associated with providing security services to WSN motes. The main goals of our research are protecting the sensitive data in a WSN, guaranteeing the user privacy, and ensuring the trustworthiness of a WSN.
In some WSN applications where sensitive data is collected and transmitted (e.g., wireless body area networks), it is compulsory to guarantee information security through protected communications. In particular, the IEEE Standard for local and metropolitan area networks, IEEE 802.15.4 [
AES CCM
In order to study alternatives to the use of AES we shall require alternative schemes which provide the same protections as CCM
An authenticated encryption scheme designed by “generic composition” is an operation mode which makes black-box use of a given symmetric encryption scheme and a given MAC algorithm. Three such constructions have been studied in the literature:
Given that it is possible to select different cryptographic primitives to realize authenticated encryption systems, what would be the benefit for sensor nodes if the implemented AE solutions are based on lightweight algorithms over generic alternatives?
The privacy-preserving CTR mode is CPA-secure. Under this operation mode, only the encryption procedure of the cipher is required to encrypt or decrypt the data, which is advantageous for constrained devices. Adding a MAC function to the scheme makes it possible to provide integrity and authentication. These MACs can be generated using block ciphers (CBCMAC) or hash functions (HMAC), as long as the operation mode is CMA-secure. While hash-based tags provide desirable security features, their efficiency has been questioned [
In the AE constructions evaluated we use generic and lightweight ciphers and hash functions. We study the use of block ciphers for symmetric encryption and MAC generation, as well as the use of hash functions in MAC algorithms. In this sense our goals are (a) to quantify the cost of lightweight algorithms compared against generic algorithms, both in the case of block ciphers and hash functions, and (b) to quantify the cost of hash functions compared against block ciphers. Authenticated encryption through generic composition provides us with the means to reach these goals.
Recently, modern operation modes for authenticated encryption have been proposed in the literature [
The use of a generic composition method is advantageous in that it facilitates the design of an authenticated encryption with associated data (AEAD) construct by making it possible to choose an appropriate symmetric encryption scheme and a message authentication scheme independently [
The flexibility in the selection of the underlying primitives enables the study of a broader range of alternatives in the use of encryption and MAC schemes. The chosen composite schemes are usually already supported by existing security analyses; consequently, a tailored security analysis of the composed scheme is unnecessary [
The selected AE paradigm is well suited for WSN communications, as no decryption is needed to verify the integrity of the message [
Using generic compositions as a case study allows flexibility in the selection of the underlying security primitives. In this sense, AE through generic compositions acts as an enabler for additional purposes, such as the cost analysis of (a) lightweight algorithms and (b) hash-based MAC functions. This assessment can be useful for different AE schemes which can adopt lightweight cryptographic algorithms or hash-based MACs.
We evaluate different configurations of AE over a battery powered sensor node prototyped in FPGA. This mote is enabled to perform basic tasks of sensing, processing, and transmission of messages. Additionally, the prototype incorporates a security core that implements the AE configurations evaluated in this work. The underlying symmetric encryption function can be implemented as a lightweight block cipher in a convenient confidentiality mode, and the underlying MAC function can also make use of lightweight algorithms, with cipher-based or hash-based schemes. In this work we aim at determining experimentally which of these options provide greater advantages for sensor nodes, regarding energy consumption and usage of hardware resources.
Our contributions can be summarized as follows:
(a) We quantify the overhead in the lifetime of WSN motes when implementing authenticated encryption through generic compositions.
(b) We prove empirically the advantage of using lightweight algorithms over generic alternatives in reducing the impact on the lifetime of WSN motes.
(c) We find the costs of using hash functions over block ciphers in hardware and the impact of those constructions on the lifetime of a WSN mote.
In this section we review the relevant works from the literature, provide some preliminary notions, describe our design methodology for the proposed solution, and present our experimental design.
Some classical proposals for AE besides the generic compositions include the operation modes CCM [
Other works have proposed AE schemes from the original generic compositions. The authors in [
The need for real-time cryptographic solutions has also been expressed. In [
Some additional proposals have focused on single-pass AE. Two stream-cipher modes of authenticated encryption, namely, PFC-CTR (counter-based authenticated encryption environment) and PFC-OCB (OCB-based authenticated encryption environment), are proposed in [
In this work, we have selected generic compositions over schemes such as CCM, GCM, and OCB since we are interested in testing different MAC algorithms, such as the ones based on hash functions. The modern operation modes reviewed, although efficient, were not considered on the same basis. Moreover, generic compositions allow us to include associated data, which is an interesting feature for WSN. Nonetheless, our findings can be used in implementations of the aforementioned schemes since we are interested not only in evaluating the AE construction, but also its underlying primitives.
We analyze the suitability of authenticated encryption through generic compositions for WSN. Our goal is to construct such a solution which provides confidentiality, integrity, and authentication with reduced energy consumption and implementation area. Unlike previous proposals, our study provides sufficient experimental data to support our findings.
The notions for authentication of symmetric encryption, as presented in [
These security notions for confidentiality and authentication share well-known relations which are used to demonstrate the security of complex cryptographic schemes; for a detailed description of these relations the reader should refer to [
For MAC algorithms, the security notions involve the concept of
A “generic composition” is a combination of a symmetric encryption scheme with a MAC algorithm in some way [
Table
Security results for different authenticated encryption schemes under the assumption that
Composition method | Confidentiality: IND-CPA | Confidentiality: IND-CCA | Authentication: INT-PTXT | Authentication: INT-CTXT |
---|---|---|---|---|
| Insecure | Insecure | Secure | Insecure |
| Secure | Insecure | Secure | Insecure |
| Secure | Secure | Secure | Secure |
The three AE compositions are evaluated to prove whether they are secure under four different notions of security: IND-CPA, IND-CCA, INT-PTXT, and INT-CTXT. Formal demonstrations for the security of each scheme are provided in [
In this work, the
For constrained environments, as in a WSN, reducing the number of algorithms required is one of many critical tasks. Hence, involutive cryptographic transformations are desired. An involutive symmetric cipher is one such that its encryption function
The CTR operation mode is illustrated in Figure
The CTR operation mode.
A MAC is a tag computed from the message using a private key. As mentioned in [
CBCMAC is an operation mode that allows a symmetric cipher to be used to generate MACs. This scheme is shown in Figure
The CBCMAC operation mode.
HMAC was included in this study to evaluate the cost of hash algorithms in constrained environments. This operation mode generates the MAC of a message using a hash function and a private key as illustrated in Figure
The HMAC operation mode.
The architecture of the sensor node prototype created includes a sensing unit and a communications unit. The
Components in the sensor node architecture.
The sensor node includes a
Upon receiving a new message from the sensing unit, the automaton is in charge of overseeing the processing and transmission of the message. In our study, the scenario where a message is received from a neighboring node was not considered.
In this sensor node architecture, the most critical component is the
The architecture of the security module is composed of two main elements: a submodule to encrypt/decrypt the message and a submodule in charge of generating and verifying the MAC of the message. In the case study proposed it is considered that the node only performs transmission tasks, which require only encryption and tag generation. The block diagram for the security module is illustrated in Figure
Architecture of the security module implementing the
The operation modes selected to provide confidentiality and authentication require underlying block ciphers or hash functions. A general-purpose algorithm and a lightweight alternative were studied for each type of cryptographic primitive.
Rijndael was proposed in 1998 by Joan Daemen and Vincent Rijmen and standardized as AES by NIST in 2001. It is a round-based cipher built as a substitution-permutation network (SPN). P
The hardware architectures for AES and P
Block ciphers used to implement the authenticated encryption scheme. To the left, the architecture of AES; to the right, the architecture of P
The AES architecture has a well-balanced trade-off between implementation size and performance. When the goal is to improve the energy consumption of a circuit, it is not practical to sacrifice performance in order to achieve a minimal area footprint. Reduced latency, and thus improved performance, plays a major role in reducing the energy usage.
The P
In the P
As can be seen from Figure
The key schedule of the architecture works by recording all the keying material in a module and allowing the synthesis tool to generate the combinational design that produces the round keys. This is interesting for this specific design since the width of the round key is reduced from 64 to 16 bits, which reduces the complexity of the combinational logic. Under this approach, the whole key set must be calculated before synthesis and described as a memory block. When the FPGA cannot use memory blocks to implement this module, the synthesizer is forced to use LUTs to create a combinational block capable of generating each of the round keys required by the cipher [
The keyed MAC algorithms selected use a key size of 128 bits. The implementation of CBCMAC requires an XOR layer at the input of the underlying block cipher. In an area-optimized implementation, a single encryption core can process the whole message, which is divided into several blocks. When the last block is processed, the result is the MAC of the message. The implementation of HMAC requires two inner registers and an XOR layer in addition to the hash core. The input message is divided into blocks of a length determined by the underlying hash function. To reduce resource usage and utilize a single hash core, an extra register is needed to store the intermediate results (
K
SHA3-256 provides by default an output of 256 bits. This output is generated as 64-bit blocks, and according to NIST the MAC can be truncated to fit the application. Following the recommendations in [
Hardware architectures for SHA3-256 (left) and
The authors of SHA-3 developed three hardware implementations of the algorithms: a high performance core, a middle-range core, and a minimum area coprocessor [
Reduced area is important to implement generic algorithms in WSN; however the performance cannot be compromised if the goal is to improve the energy consumption of the circuit. The
The architecture developed for
The LFSR counter is generated by a 6-bit register clocked each active round. Its value is XOR-ed with the least significant bits of the state and its reversed value is XOR-ed with the state’s most significant bits. The substitution layer is formed by 22 4-bit substitution boxes which process the state in parallel. The permutation layer is a simple wiring which can be straightforwardly implemented with little cost. The output is taken directly from the output of the register. To reduce the switching activity at the output, we opted to include a mask, thus improving the energy consumption at the cost of a few additional hardware resources.
This section describes the experimental method followed in this work, including the experimental setup, the configurations for the experiments, and the evaluation metrics.
The sensor node prototype presented in Section
A lead acid battery of 6V and 1Ah was used in our experimentation. The FPGA was connected to the power supply through the regulators included in the Nexys 3 development board.
The operation of the sensing unit was emulated using a set of messages retrieved from a publicly available database of Intel (http://db.csail.mit.edu/labdata/labdata.html). This database contains messages from 54 sensor nodes deployed in the Intel Berkeley Research lab between February 28 and April 5, 2004. The motes collected timestamped topology information, along with humidity, temperature, light, and voltage values every 31 seconds. The database includes a log of about 2.3 million readings collected from these sensors.
The communications unit was configured as a driver for a 4215A XBee board, using a serial protocol for the data transmission from the FPGA to the XBee card. This module was set to receive and transmit data as 64-bit words, which were then partitioned into bytes and transmitted via wireless communication.
To transmit messages, a basic scenario was considered where the sensor node sends the data directly to a base station using the XBee card connected to the FPGA. To reproduce identical conditions for all of the experiments, the sensing unit was emulated using messages taken from the public database. From the database, 3600 messages corresponding to the sensor node with id=1 were extracted and converted to fixed-point notation. The encoding produced messages with a constant length of 144 bits, which were stored in the implemented sensor node. The sensing unit was configured to output one of these messages each second. The components of the environment are illustrated in Figure
Experimental environment.
The security module in the sensor node was implemented under different configurations, created from compositions of the cryptographic primitives shown in Table
Underlying cryptographic algorithms utilized in the different security module configurations.
Label | Algorithm | Type | Class | Operation mode | Service provided |
---|---|---|---|---|---|
AES-128 | AES | Symmetric cipher | Generic | CTR | Confidentiality |
AES-128 | AES | Symmetric cipher | Generic | CBCMAC | Authentication |
PRE-128 | P | Symmetric cipher | Lightweight | CTR | Confidentiality |
PRE-128 | P | Symmetric cipher | Lightweight | CBCMAC | Authentication |
SHA-256 | K | Hash function | Generic | HMAC | Authentication |
SPO-88 | | Hash function | Lightweight | HMAC | Authentication |
The configurations derived from the use of these algorithms are described as follows:
No security services (C0). In this case the sensor node operates without providing security services. The results from this configuration can be used as a reference to measure the security-related overhead of the other configurations.
Generic cipher (C1). In this configuration CTR was used to encrypt the data using AES-128, and CBCMAC was constructed using AES-128 as well.
Generic cipher and hash (C2). The message is encrypted with CTR mode using AES-128 and the MAC is generated with HMAC using SHA-256.
Lightweight cipher (C3). This configuration uses CTR with PRE-128 to encrypt the message and CBCMAC with PRE-128 to generate the MAC.
Lightweight cipher and hash (C4). The message is encrypted with PRE-128 in CTR mode and HMAC with SPO-88 is used to obtain the MAC.
Each of the previous configurations resulted in a different construction of the security module in the sensor node under study. The modularity of the FPGA implementation was exploited to allow easy replacement of each building block described in VHDL.
The resource usage was studied using the FPGA units of slices (SLC), Look-Up Tables (LUT), and Flip-Flops (FF). The performance was studied as latency (LAT) and throughput (Thr). The different architectures were implemented using the ISE Design Suite System Edition 14.7 and the power analysis was performed using Xilinx XPower Analyzer. The synthesis processes were configured with
The life span of the sensor node is used to evaluate the energy consumption associated with each authenticated encryption composition under study. Each design was configured in the FPGA and set to operate until the energy of the battery ran out. The voltage level was monitored during the whole process and registered using a digital oscilloscope. The experimental setup is shown in Figure
Experimental setup.
This section presents our experimental results and the analysis derived from the data.
Table
Implementation results for the different sensor node configurations. The XC6LX16-CS324 FPGA was used as implementation target with an operational frequency of 13.56 MHz.
Configuration | FF | LUT | SLC | ENC latency (cycles) | MAC latency (cycles) | COM latency (cycles) | t (ms) | POW (mW) | ENE (mJ) |
---|---|---|---|---|---|---|---|---|---|
C0 | 256 | 398 | 137 | 0 | 0 | 271200 | 20.00 | 23.19 | 0.4638 |
C1 | 2569 | 3944 | 1379 | 84 | 84 | 542400 | 40.01 | 27.27 | 1.0911 |
C2 | 3655 | 5033 | 1728 | 84 | 125 | 542400 | 40.01 | 31.01 | 1.2409 |
C3 | 884 | 1694 | 516 | 396 | 396 | 361600 | 26.72 | 23.63 | 0.6315 |
C4 | 1198 | 1899 | 571 | 396 | 3770 | 361600 | 26.97 | 23.45 | 0.6325 |
Figure
Operation time for the implemented sensor node configurations. It is important to remark that our experiment is a case study; the lifetime of a real-world application is expected to be longer, and thus the time differences would be greater. The sensor node prototypes were configured on the XC6LX16-CS324 FPGA embedded in the Nexys 3 development board. A 6V and 1Ah lead acid battery was used as power source. An XBee transmitter was connected to the FPGA board and also sourced from the 6V battery.
The first important observation is that the energy estimations provided in Table
Our experiments were all conducted under the same conditions to achieve a fair comparison. However, the hour rate of the lead acid battery used was not specified by the manufacturer. This could lead to different results if our experiment is replicated under the conditions described in this work. Nonetheless, we would expect the behavior observed in Figure
Several conclusions can be drawn from our experimentation concerning the life span of the sensor node configurations. As expected, the configuration which did not provide security for the messages (C0) reported the longest active time of the sensor node. This design (C0) achieved an active time of 13 hours and 50 minutes, which will be used as reference in further discussion.
If we group the configurations C1 (generic cipher) and C3 (lightweight cipher) and compare them to the configurations C2 (generic cipher and generic hash) and C4 (lightweight cipher and lightweight hash), it can be seen that the use of HMAC instead of CBCMAC has a negative impact on the life span of the prototype. This comparison can be appreciated in Figure
Now, compare the configurations C1 and C2 (generic algorithms) to the configurations C3 and C4 (lightweight algorithms). In this scenario the advantage of using lightweight algorithms is demonstrated. Compare C1 to C3 as shown in Figure
The impact of each authenticated encryption configuration on the life span of the sensor node utilized as study case is detailed in Table
Reduction on the lifetime of the different configurations of the sensor node prototype.
Configuration | Impact |
---|---|
C0 | 0% |
C1 | 7.1224% |
C2 | 8.4090% |
C3 | 3.9808% |
C4 | 4.9935% |
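The per-message time and energy columns of the implementation table above follow from the cycle counts, the 13.56 MHz clock and the XPower estimate: t is the sum of the ENC, MAC and COM latencies divided by the clock frequency, and ENE is POW times t. The script below, added here as an example and not part of the paper's tooling, recomputes those columns from the page's own numbers, derives the averaged area saving and lifetime impact quoted later in the paper, and converts the lifetime reductions into active time relative to the 13 h 50 min measured for C0. All values are copied from the tables on this page; nothing else is assumed. Note that the energy column is a per-message estimate from the power model, whereas the lifetime table comes from running the battery flat, so the two need not rank the configurations identically.

```python
"""Recompute the time/energy columns of the implementation table and the
averaged figures from the conclusions.  Added example, not the authors' code;
all inputs are the values printed in the paper's tables."""

F_CLK_HZ = 13.56e6   # operating frequency of the XC6LX16-CS324 prototype (from the paper)

# FPGA resources, per-message latencies (cycles) and XPower estimate (mW), from the paper's table.
CONFIGS = {
    "C0": dict(ff=256,  lut=398,  slc=137,  enc=0,   mac=0,    com=271200, pow_mw=23.19),
    "C1": dict(ff=2569, lut=3944, slc=1379, enc=84,  mac=84,   com=542400, pow_mw=27.27),
    "C2": dict(ff=3655, lut=5033, slc=1728, enc=84,  mac=125,  com=542400, pow_mw=31.01),
    "C3": dict(ff=884,  lut=1694, slc=516,  enc=396, mac=396,  com=361600, pow_mw=23.63),
    "C4": dict(ff=1198, lut=1899, slc=571,  enc=396, mac=3770, com=361600, pow_mw=23.45),
}
# Measured lifetime reduction (%) relative to C0, from the paper's lifetime table.
LIFETIME_IMPACT_PCT = {"C0": 0.0, "C1": 7.1224, "C2": 8.4090, "C3": 3.9808, "C4": 4.9935}
C0_LIFETIME_MIN = 13 * 60 + 50   # measured active time of C0: 13 h 50 min


def message_time_ms(cfg: dict, f_hz: float = F_CLK_HZ) -> float:
    """Active time per message: the encryption, MAC and communication phases
    run one after another, so their cycle counts add up."""
    cycles = cfg["enc"] + cfg["mac"] + cfg["com"]
    return cycles / f_hz * 1e3


def message_energy_mj(cfg: dict) -> float:
    """E = P * t: mW times ms gives microjoules, so divide by 1000 for mJ."""
    return cfg["pow_mw"] * message_time_ms(cfg) / 1e3


def area_reduction_pct(generic: str, lightweight: str, resource: str = "slc") -> float:
    """Relative saving of a lightweight design over its generic counterpart."""
    g, l = CONFIGS[generic][resource], CONFIGS[lightweight][resource]
    return (g - l) / g * 100


def mean_lifetime_impact_pct(names=("C1", "C2", "C3", "C4")) -> float:
    """Average lifetime reduction of the authenticated-encryption configurations."""
    return sum(LIFETIME_IMPACT_PCT[n] for n in names) / len(names)


def lifetime_minutes(name: str) -> float:
    """Active time implied by the reported reduction, taking C0 as the reference."""
    return C0_LIFETIME_MIN * (1 - LIFETIME_IMPACT_PCT[name] / 100)


if __name__ == "__main__":
    print("cfg    t(ms)  POW(mW)   ENE(mJ)  lifetime(min)")
    for name, cfg in CONFIGS.items():
        print(f"{name}  {message_time_ms(cfg):7.2f}  {cfg['pow_mw']:7.2f}  "
              f"{message_energy_mj(cfg):8.4f}  {lifetime_minutes(name):8.1f}")
    print(f"SLC saved, C1->C3: {area_reduction_pct('C1', 'C3'):.1f}%  "
          f"C2->C4: {area_reduction_pct('C2', 'C4'):.1f}%")
    print(f"mean lifetime impact of AE over C0: {mean_lifetime_impact_pct():.2f}%")
```

Summing all three latencies reproduces the table's t and ENE columns to the printed precision (20.00 ms and 0.4638 mJ for C0, 1.0911 mJ for C1, 0.6325 mJ for C4); the two SLC savings average to about 65% and the four lifetime reductions to about 6%, the figures the conclusions round to.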
Regarding implementation area and performance, the results reveal that lightweight algorithms offer advantages in area by making performance trade-offs. These design considerations need to be reviewed carefully in the design of lightweight algorithms. While minimizing the resource usage, and hence the production costs of the system, may be a primary goal, this optimization should not greatly compromise the performance of the algorithms. Performance directly affects the runtime of the architecture: if the architecture spends longer periods active, its energy consumption increases. Energy-aware solutions require an adequate compromise between the implementation size (to reduce the number of elements that must be powered) and the performance (to reduce the total time these elements must be powered on).
We were unable to find hardware implementations of authenticated encryption solutions in FPGA. For this reason we cannot provide a quantitative comparison with other works. What we provide, however, is a comparison in terms of qualitative characteristics, as well as quantitative comparisons, to some degree, of the underlying lightweight primitives used.
Table
Qualitative comparison of our proposed solutions with works from the literature.
Scheme | Ref. | Privacy | Integrity/Auth. | Supports AD | Patented | Calls |
---|---|---|---|---|---|---|
CCM | [ | CTR | CBC-MAC | Yes | No | |
GCM | [ | CTR | GHASH | Yes | No | |
OCB | [ | Cipher | Checksum | Yes | Yes | |
SOSEMANUK-MAC | [ | Stream cipher | Dragon-MAC | Yes | No | |
HC 128-MAC | [ | Stream cipher | Dragon-MAC | Yes | No | |
Rabbit-MAC | [ | Stream cipher | Dragon-MAC | Yes | No | |
TinyAEAD | [ | Cipher | MMO | Yes | No | |
PFC-CTR | [ | CTR | PFC | No | No | |
PFC-OCB | [ | OCB | PFC | No | No | |
IAR-CTR | [ | CTR | PFC | No | No | |
IAR-CFB | [ | CFB | PFC | No | No | |
RT-OCFB | [ | OCFB | No | No | No | |
PFX-CTR | [ | CTR | PFC | No | No | |
PFX-INC | [ | CTR | PFC | No | No | |
CTR-CBCMAC | This work. | CTR | CBC-MAC | Yes | No | |
CTR-HMAC | This work. | CTR | HMAC | Yes | No | |
Multiple block ciphers are reported in the literature which could be used instead of P
Our first criteria for selecting P
The second aspect to consider on the selection of a block cipher is its latency. As the works in [
Regarding the hash function selected, to the best of our knowledge, the basic implementation of
In this paper we have studied different alternatives to provide authenticated encryption for WSN applications under the
In our study, we considered general purpose and lightweight cryptographic algorithms to implement the building blocks of the
As underlying cryptographic primitives for the
From our experiments we observed that providing authenticated encryption through generic compositions has an impact of ~-6% on the lifetime of the sensor node, on average. This is in line with our first contribution enumerated.
Our experimentation also demonstrated that the use of lightweight algorithms to enable authenticated encryption has favorable effects on the implementation size (~-65% SLC on average) and lifetime (~+3.4% on average) of our WSN mote. Our second contribution is outlined with these findings. In particular, the use of a lightweight cipher under CTR mode to encrypt data and under CBCMAC mode to generate MACs achieved the best results.
The provided results also show evidence that using hash functions to generate MACs under the HMAC operation mode is less efficient than using block ciphers under the CBCMAC operation mode for the same task. This held true for both the generic and lightweight instances, with impacts of ~-1.3% on the lifetime of the sensor node and ~+15% on the SLC count, on average. Although the increased costs could discourage the use of hash functions, under some circumstances their added security benefits might outweigh the associated costs. With these results we conclude our third contribution.
The experimental data used to support the findings of this study are available from the corresponding author upon request.
The authors declare that there are no conflicts of interest regarding the publication of this paper.
This work was supported by CONACyT [Grants nos. 393070 and 336750] and CINVESTAV. This work was also funded by “Fondo Sectorial de Investigación para la Educación”, CONACyT Mexico, through the Project no. 281565.