Publications
Note:
Recent work has been unpublished industrial research. Technical reports and white papers will be released as time permits depending on contractual obligations.

Combined secure storage and communication for the Internet of Things

Bagci, I. E. and Raza, S. and Chung, A. and Roedig, U. and Voigt, T.

Proceedings of 10th Annual IEEE Communications Society Conference on Sensing, Communication and Networking (SECON 2013)

The future Internet of Things (IoT) may be based on the existing and established Internet Protocol (IP). Many IoT application scenarios will handle sensitive data. However, as security requirements for storage and communication are addressed separately, work such as key management or cryptographic processing is duplicated. In this paper we present a framework that allows us to combine secure storage and secure communication in the IP-based IoT. We show how data can be stored securely such that it can be delivered securely upon request without further cryptographic processing. Our prototype implementation shows that combined secure storage and communication can reduce the security-related processing on nodes by up to 71% and energy consumption by up to 32.1%.

Download Paper (PDF)


Efficient Authentication in High Security Wireless Sensor Networks

Chung, A.

Lancaster University PhD Thesis

Wireless sensor networks (WSNs) promise to greatly enhance and simplify the collection of sensor data in many applications. Individually, nodes are relatively limited, with minimalist computational power, communication bandwidth and energy. Lots of effort continues to be made to manage these limitations whilst providing a powerful overall system. Unfortunately, these limitations and solutions introduce new security challenges that must be solved. This work enhances authentication in WSNs for high security scenarios.
A review of available security solutions for wireless sensor networks found an over-emphasis on link-layer security. This is insufficient as attackers can easily imitate any node if a single key in the network is compromised. End-to-end security offers an improvement by allowing the sink to authenticate the source of a message as well as its integrity. The impracticality of using public key cryptography for all communication requires that different symmetric keys are shared between the sink and individual nodes. This can cause significant communication overhead in the network, unbalanced energy use and network lifetime reduction.
The first contribution addresses this problem with the concept of Broadcast Key Establishment (BKE). BKE allows the sink to distribute key material using a broadcast that is used to securely generate different keys on each node. The evaluation shows that this method significantly reduces overheads, extends the life of the network and causes less disruption.
The combination of wireless communication and exposed resources on nodes has resulted in new attack threats. For example, attackers can inject arbitrary messages and waste computational resources via cryptographic algorithms. The second contribution, Distance-Based Message Authentication, focuses on physical layer security to reject messages, based on distance measurement, as early as possible. Practical experiments evaluate ranging accuracy and optimisations.
This work therefore improves WSN authentication by efficiently distributing keys, for end-to-end authentication, and protects resources against depletion attack.

Download Paper (PDF)


Securing Communication in 6LoWPAN with Compressed IPsec

Raza, S. and Duquennoy, S. and Chung, A. and Yazar, D. and Voigt, T. and Roedig, U.

Proceedings of the 7th IEEE International Conference on Distributed Computing in Sensor Systems (IEEE DCOSS 2011)

Real-world deployments of wireless sensor networks (WSNs) require secure communication. It is important that a receiver is able to verify that sensor data was generated by trusted nodes. It may also be necessary to encrypt sensor data in transit. Recently, WSNs and traditional IP networks are more tightly integrated using IPv6 and 6LoWPAN. Available IPv6 protocol stacks can use IPsec to secure data exchange. Thus, it is desirable to extend 6LoWPAN such that IPsec communication with IPv6 nodes is possible. It is beneficial to use IPsec because the existing end-points on the Internet do not need to be modified to communicate securely with the WSN. Moreover, using IPsec, true end-to-end security is implemented and the need for a trustworthy gateway is removed. In this paper we provide End-to-End (E2E) secure communication between IP enabled sensor networks and the traditional Internet. This is the first compressed lightweight design, implementation, and evaluation of 6LoWPAN extension for IPsec. Our extension supports both IPsec's Authentication Header (AH) and Encapsulation Security Payload (ESP). Thus, communication endpoints are able to authenticate, encrypt and check the integrity of messages using standardized and established IPv6 mechanisms.

Download Paper (PDF)


Securing Internet of Things with Lightweight IPsec

Raza, S. and Chung, T. and Duquennoy, S. and Yazar, D. and Voigt, T. and Roedig, U.

Swedish Institute of Computer Science

Download Paper (PDF)


Locking Out The Evil Guys - Without Using Keys

Chung, A.

Presented at Lancaster University SciTech Faculty Christmas Conference 2010

Download Poster


Implementation and Evaluation of Distance Based Message Authentication

Chung, A. and Roedig, U.

Proceedings of the 6th IEEE International Workshop on Wireless and Sensor Network Security (WSNS2010) (Part of the 7th IEEE International Conference on Mobile Ad-hoc and Sensor Systems)

A new generation of WSN communication transceivers are now available that support time-of-flight distance measurement. This measurement can be inseparably integrated with message transmission making it possible to authenticate messages based on distance. In this paper we present a practical implementation of Distance Based Message Authentication (DBMA) for WSNs using Nanotron NA5TR1 transceivers. We show that DBMA can be used to reject messages sent from outside a secure (trusted) area. With DBMA, messages can be authenticated without involving costly cryptographic algorithms. The DBMA implementation is evaluated in two different deployment scenarios. Distance measurement errors and their impact on the size of the required secure area are evaluated. Furthermore, we present methods to reduce the size of the required secure area.

Download Paper (PDF)


Vehicle-Driver Communication Using Off-the-Shelf Transceivers

Ghamari, M. and Chung, A. and Roedig, U. and Honary, B. and Pickering, C. A.

Proceedings of the 72nd IEEE Vehicular Technology Conference Fall (VTC 2010-Fall)

Almost all modern cars can be controlled remotely using a personal communicator (keyfob). However, the degree of interaction between currently available personal communicators and cars is very limited. The communication link is unidirectional and the communication range is limited to a few dozen meters. However, there are many interesting applications that could be supported if a keyfob would be able to support energy efficient bidirectional longer range communication. In this paper we investigate off-the-shelf transceivers in terms of their usability for bidirectional longer range communication. Our evaluation results show that existing transceivers can generally support the required communication ranges but that links tend to be very unreliable. This high unreliability must be handled in an energy efficient way by the keyfob to car communication protocol in order to make off-the-shelf transceivers a viable solution.

Download Paper (PDF)


Poster Abstract: An Implementation of Distance-Based Message Authentication for WSNs

Chung, A. and Roedig, U.

Adjunct Proceedings of the 7th European Conference on Wireless Sensor Networks (EWSN'10)

Distance-Based Message Authentication provides an additional layer of access control and helps to defend against key compromise and denial-of-service attacks on constrained nodes. The range between sender and receiver is measured securely. Messages sent from outside a defined physical radius can be rejected early, protecting vulnerable higher layers. We show our initial implementation of a modified protocol using the Nanotron NA5TR1. We show how changing MAC addresses can avoid modification to ranging hardware.

Download Paper (PDF)


On The Feasibility of a New Defense Layer for Wireless Sensor Networks using RF Ranging

Chung, A. and Roedig, U.

Proceedings of the IFIP Network and Service Security Conference 2009 (N2S)

Cryptography is commonly used to provide link-layer message authentication in wireless sensor networks. However, keys are susceptible to compromise and introduce management requirements. Avoiding keys can therefore deliver security and management benefits. Our paper introduces and discusses the feasibility of RTTMAP, a protocol that uses radio frequency ranging for message authentication. RTTMAP uses secure round-trip-time with hash functions to determine the minimum distance of a transmitter. Transmissions from outside of a defined radius are rejected without requiring keys. We provide our motivation, an evaluation of our findings and continuing research challenges. We find RTTMAP offers higher security, costs about twice the energy of keyed message authentication but complicates MAC protocol selection.

Download Paper (PDF)


DHB-KEY: An Efficient Key Distribution Scheme for Wireless Sensor Networks

Chung, A. and Roedig, U.

Proceedings of the 4th IEEE International Workshop on Wireless and Sensor Network Security (WSNS'08) (Part of the 5th IEEE International Conference on Mobile Ad-hoc and Sensor Systems)

Real-world deployments of wireless sensor networks require secure communication. In many application cases it is sufficient to provide message authentication at the sink. To implement this requirement using symmetric ciphers, keys shared between each sensor node and the sink have to be established and kept fresh during network operation. This paper presents a key distribution scheme based on the well known Elliptic Curve Diffie-Hellman key exchange mechanism that allows us to fulfil the previously outlined requirements efficiently. The DHB-KEY scheme requires only the distribution of a single sink-initiated broadcast message to set individual keys on all sensor nodes. Thus, DHB-KEY has a low complexity and preserves scarce resources such as bandwidth and energy. In the paper we present a protocol specification based on the DHB-KEY scheme and its implementation for the well known TinyOS platform. A physical intrusion detection system in an office building is used to evaluate the protocol implementation. The evaluation shows that DHB-KEY is practical in real-world deployments.

Download Paper (PDF)


DHB-KEY - A Diffie-Hellman Key Distribution Protocol for Wireless Sensor Networks

Chung, A. and Roedig, U.

Proceedings of the 5th European Conference on Wireless Sensor Networks

Many sensor network applications require secure communication between sensor nodes and the sink. This paper presents a key distribution scheme based on the well known Elliptic Curve Diffie-Hellman key exchange mechanism. The DHB-KEY scheme is performed in two stages. The first stage is carried out in a secure environment before network deployment. The second stage is carried out periodically using a single broadcast message. Each node arrives at a unique key it shares with the sink. This paper presents a first evaluation and a prototype implementation of the protocol. We have found that the presented key distribution approach uses energy and communication resources efficiently and has a low deployment complexity.

Download Paper (PDF)


Securing Wireless Sensor Networks for Intrusion Detection

Chung, A.

Presented at Lancaster University SciTech Faculty Christmas Conference 2007

Download Poster


Efficient Key Establishment for Wireless Sensor Networks Using Elliptic Curve Diffie-Hellman

Chung, A. and Roedig, U.

Proceedings of the 2nd European Conference on Smart Sensing and Context

We propose a broadcast method to establish symmetric keys between wireless sensor nodes and a sink, that achieves a different key for each node. We apply the Elliptic Curve Diffie-Hellman (ECDH) key exchange mechanism in two parts. The first part of the ECDH key exchange is conducted in a secure environment before network deployment to avoid the common man-in-the-middle problem of Diffie-Hellman (DH) schemes. The second part of the key exchange is initiated periodically by the sink using a broadcast message. Thus, the communication overheads in the resource constrained sensor network are reduced.

Download Paper (PDF)

Download Poster


Copyright Tony Chung, unless stated on the credits page.