Department of Computer Science and Technology

Security Group

Security of TinySec

We have looked very closely at the TinySec library: we have not only analysed the security of TinySec, but also tried to work out what was behind its relative success. It seems that the main reasons for TinySec being so successful are also its biggest weaknesses – simple key management, and "boundaries" of cryptographic protection that stay within the wireless communication, so that the system beyond the wireless network is not influenced.

These two facts make the whole problem of TinySec deployment and use rather isolated and easy to manage from the overall system's point of view. So what is the real security of TinySec? Obviously, global key schemes are very vulnerable to attacks, but how bad is this for TinySec in particular?

First of all, TinySec does not work with 802.15.4/ZigBee radio chips used in most motes today.

We have successfully ported TinySec to run on the new generation of radio chips, thereby providing authentication and encryption services at the link layer of modern sensor networks. However, this is not the end of the story as a link layer security mechanism doesn't really provide everything we want.

We have, though, found one compatibility problem with TinySec. When a MAC is computed, it takes as input only seven-byte blocks (instead of eight-byte blocks). This would be a problem for the initialisation vector of the CBC mode, as there is only one byte in the IV that effectively changes according to the length of the message (it represents the number of 8-byte blocks). The last byte of the IV, containing the length of the message, would not be used, and the length of the message could be changed (e.g. by concatenating two messages together). Fortunately, the IV is treated separately and the error does not affect it.
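Why the length has to reach the MAC, shown as an added example that is not code from TinySec or from the port described on this page: a CBC-MAC over eight-byte blocks is checked with and without the block count bound into the computation. The 64-bit Feistel cipher is a toy stand-in for the real block cipher, and the layout (block count enciphered first) and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

BLOCK = 8  # bytes per MAC block (the eight-byte blocks discussed above)

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit Feistel permutation. Not TinySec's cipher, not secure."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return left + right

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(key: bytes, msg: bytes, bind_length: bool) -> bytes:
    """CBC-MAC over whole 8-byte blocks, optionally bound to the block count."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    state = bytes(BLOCK)
    if bind_length:
        # Assumed layout: the block count is enciphered first, so every
        # later chaining value depends on the claimed length.
        state = toy_encrypt(key, (len(msg) // BLOCK).to_bytes(BLOCK, "big"))
    for i in range(0, len(msg), BLOCK):
        state = toy_encrypt(key, xor(state, msg[i:i + BLOCK]))
    return state

def verify(key: bytes, msg: bytes, tag: bytes, bind_length: bool) -> bool:
    return hmac.compare_digest(cbc_mac(key, msg, bind_length), tag)

def concatenate(msg_a: bytes, tag_a: bytes, msg_b: bytes) -> bytes:
    """Join two authenticated messages; the tag of A cancels the chaining value."""
    return msg_a + xor(msg_b[:BLOCK], tag_a) + msg_b[BLOCK:]

def demo() -> dict:
    key = b"constructed-demo-key"            # constructed sample key
    a, b = b"TEMP=21C", b"NODE=07;VOLT=3V3"  # constructed sample payloads
    result = {}
    for bind in (False, True):
        tag_a, tag_b = cbc_mac(key, a, bind), cbc_mac(key, b, bind)
        joined = concatenate(a, tag_a, b)    # never authenticated by the sender
        result[bind] = (verify(key, b, tag_b, bind), verify(key, joined, tag_b, bind))
    return result

if __name__ == "__main__":
    print(demo())
```

Each tuple in the result is (genuine message accepted, concatenated message accepted); only the length-bound variant rejects the concatenation.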

Some thoughts about modularity and how a multilayer architecture could eventually cover some of the vulnerabilities are described in Counters, Freshness, and Implementation.

That article describes a severe problem with replay protection, which we see as the main drawback of the TinySec implementation – the authors never claimed to solve the problem, but there is no support allowing the protection to be implemented on higher layers either.

TinySec Download

Our implementation of TinySec for motes with the CC2420 radio chip can be downloaded from HERE.

The archive contains a tos directory with two folders, lib and platform, holding the new code. One way of installing it is to copy it into the main directory of the TinyOS installation, MoteWorks in our case, and run tar -zxvf TinySec.tgz.