Alexandru Balmus

802.15.4 MAC Security Overview

Discussion created by Alexandru Balmus Employee on Oct 7, 2014

The 802.15.4 MAC is a standard for Low Rate Wireless Personal Area Networks and it is a cornerstone of today's IoT technology. The 802.15.4 MAC is used as a Data Link Layer for various Network Protocols used in a variety of applications: industrial automation, medical, utility metering, building automation, etc. Many of these applications need to use security and a large portion use the security offered by the 802.15.4 MAC, which is described below. This post is mostly about the 2006 and 2011 versions of the 802.15.4 MAC.

For securing frames the 802.15.4 MAC uses the AES CCM* block cipher mode of operation. AES is a block cipher for encrypting data. In 802.15.4 the 128-bit version of AES is used: both the key and the plaintext block have 128 bits. CCM* is a variation of the Counter With CBC-MAC mode which uses AES-128 and allows the authentication and/or encryption of a data stream or parts of it.

The CCM* mode is applied to 802.15.4 frames as described below.

An unencrypted frame is divided into 2 parts. I will call these A and M. The A part contains the Frame Header (Frame Control, Sequence Number, Addressing Fields - Destination and Source) and, for 802.15.4 Command Frames, the first byte of the payload, which is the Command Frame Identifier - I will call this Ap. The M part contains the Data Frame Payload or the Payload of the Command Frame except the first byte.

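| Part | Group | Field |
|------|-------|-------|
| A | Frame Header | Frame Control |
| A | Frame Header | Sequence Number |
| A | Frame Header | Addressing Fields |
| A | Ap | Authenticated only part of payload |
| M | | Payload |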

Applying CCM* (with authentication and encryption) to the frame is done in 2 steps.

The first step is adding the Auxiliary Security Header to the frame between the Addressing Fields and the Frame Payload. The size of the Auxiliary Security Header is determined by the parameters of the MAC Data Request. The frame with ASH is shown below.

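| Part | Group | Field |
|------|-------|-------|
| A | Frame Header | Frame Control |
| A | Frame Header | Sequence Number |
| A | Frame Header | Addressing Fields |
| A | ASH | Auxiliary Security Header |
| A | Ap | Authenticated only part of payload |
| M | | Payload |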

Remember that Ap is only present for Command Frames and is only 1 byte in length.

The A part is the Authenticate Only Data for the CCM* procedure. This part of the message is authenticated and not encrypted.

The second step is actually applying CCM* to the frame. A Message Integrity Code (MIC) is computed for the entire frame (including the M part) and it is added to the end of the frame. The MIC is 4, 8 or 16 bytes in length based on the parameters of the MAC Data Request which generated the frame.

| Part | Group | Field |
|------|-------|-------|
| A | Frame Header | Frame Control |
| A | Frame Header | Sequence Number |
| A | Frame Header | Addressing Fields |
| A | ASH | Auxiliary Security Header |
| A | Ap | Authenticated only part of payload |
| M | | Payload |
| MIC | | Message Integrity Code |

Then the M part of the message and the MIC are encrypted. The authentication and encryption are done using the same 128-bit key. The resulting frame is shown below.

| Part | Group | Field |
|------|-------|-------|
| A | Frame Header | Frame Control |
| A | Frame Header | Sequence Number |
| A | Frame Header | Addressing Fields |
| A | ASH | Auxiliary Security Header |
| A | Ap | Authenticated only part of payload |
| encM | | Payload |
| encMIC | | Message Integrity Code |

The Physical layer CRC is computed over the encrypted frame which is sent over the air.

To decrypt a received 802.15.4 frame the following steps of the CCM* decryption procedure are performed:

  1. The encM and the encMIC are decrypted using the key and they are replaced by M and MIC in the frame.
  2. The authentication procedure is performed on the A and M and the result is compared to the decrypted MIC.
  3. If the calculated MIC matches the decrypted MIC, the frame has been decrypted and authenticated successfully. The ASH and MIC are removed and the frame is forwarded to the upper layers.
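The securing and unsecuring steps above, as an added example (not code from the original post or from any MAC stack), using AESCCM from the Python `cryptography` package. The nonce layout (source extended address, frame counter, security level) and the 6-byte ASH for Key Identifier Mode 1 come from the 802.15.4 standard rather than from this post; the key, addresses and payload are constructed sample values.

```python
import struct
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

MIC_LEN = {5: 4, 6: 8, 7: 16}  # security levels ENC-MIC-32 / -64 / -128
ASH_LEN = 6  # assumption: Key Identifier Mode 1 (control + counter + key index)

def nonce(src_ext, counter, level):
    # 13-byte CCM* nonce: source extended address, frame counter, security level
    return src_ext + struct.pack(">I", counter) + bytes([level])

def secure_frame(key, header, payload, src_ext, counter, level, key_index, command=False):
    # Step 1: insert the ASH after the addressing fields.
    ash = bytes([level | (1 << 3)]) + struct.pack("<I", counter) + bytes([key_index])
    # Command frames keep the Command Frame Identifier (Ap) in the clear.
    ap, m = (payload[:1], payload[1:]) if command else (b"", payload)
    a = header + ash + ap
    # Step 2: MIC over A and M, then M and the MIC are encrypted.
    enc = AESCCM(key, tag_length=MIC_LEN[level]).encrypt(nonce(src_ext, counter, level), m, a)
    return a + enc  # A || encM || encMIC

def unsecure_frame(key, frame, header_len, src_ext, command=False):
    level = frame[header_len] & 0x07  # low 3 bits of the ASH Security Control byte
    if level not in MIC_LEN:
        return None
    counter = struct.unpack_from("<I", frame, header_len + 1)[0]
    a_len = header_len + ASH_LEN + (1 if command else 0)
    a, enc = frame[:a_len], frame[a_len:]
    try:
        ccm = AESCCM(key, tag_length=MIC_LEN[level])
        m = ccm.decrypt(nonce(src_ext, counter, level), enc, a)
    except InvalidTag:
        return None  # MIC mismatch: the frame is dropped
    return frame[:header_len] + a[header_len + ASH_LEN:] + m  # ASH and MIC removed

# Constructed sample values (not from the post).
KEY = bytes(range(0xC0, 0xD0))
SRC_EXT = bytes.fromhex("acde480000000001")
# Frame Control, Sequence Number, destination PAN and short address, source address
HEADER = bytes.fromhex("49d82acdab0100") + SRC_EXT[::-1]
PAYLOAD = b"meter=42"

def demo():
    frame = secure_frame(KEY, HEADER, PAYLOAD, SRC_EXT, 5, 5, 1)
    tampered = frame[:2] + bytes([frame[2] ^ 1]) + frame[3:]  # flip a header bit
    return (frame, unsecure_frame(KEY, frame, len(HEADER), SRC_EXT),
            unsecure_frame(KEY, tampered, len(HEADER), SRC_EXT))
```

Because the header is part of A, changing a single header bit makes the MIC check fail even though the header itself is sent unencrypted.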

To encrypt or decrypt a frame the 802.15.4 MAC only needs an AES-128 key. The MAC offers the application the possibility of setting up multiple keys. In order for the MAC to correctly encrypt and decrypt frames and use the proper key for communication with a certain device, the application must correctly set up a group of security parameters. These parameters are called PIB (PAN Information Base) Attributes and the MAC exposes a set of API functions through which these attributes can be read or written. The most important security-related attributes which must be configured in the MAC are the security tables and subtables:

  • Key Table
    • Key ID Lookup List
    • Key Device List
    • Key Usage List
    • Key
  • Security Level Table
  • Device Table

For the proper identification of the key for encrypting or decrypting a frame some other PIB attributes must have appropriate values (Coordinator Short Address, Frame Counter, Short Address, etc).

Setting up these attributes serves multiple purposes:

  • Determining the key for encrypting/decrypting an outgoing/incoming frame based on the destination/source device
  • Determining if a certain key can be used for encrypting/decrypting a frame
  • Determining if a frame meets the minimum security requirements
  • Determining if a peer device is allowed to send secured frames or secured frames with a certain security level
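A simplified model of how these tables decide whether an incoming frame is accepted, as an added example (not the post's or any MAC stack's code). The dictionary layout, class names, `check_incoming` and `commit_counter` are hypothetical and real PIB attributes carry more fields; the status names follow the 802.15.4 MAC status codes, and the sample configuration is constructed.

```python
from dataclasses import dataclass

@dataclass
class Device:                 # Device Table entry (simplified)
    ext_addr: str
    frame_counter: int = 0    # lowest counter value still accepted from this peer

@dataclass
class KeyEntry:               # Key Table entry with its sub-lists (simplified)
    lookup_ids: set           # Key ID Lookup List (here: key index values)
    devices: set              # Key Device List (extended addresses)
    usage: set                # Key Usage List (frame types)
    key: bytes

def level_ok(level, minimum):
    # Levels are compared per field: encryption bit (b2) and MIC size (b1..b0).
    return (level & 4) >= (minimum & 4) and (level & 3) >= (minimum & 3)

def check_incoming(pib, src, frame_type, level, key_index, counter):
    minimum = pib["security_level_table"].get(frame_type, 0)
    if not level_ok(level, minimum):
        return "IMPROPER_SECURITY_LEVEL", None
    if level == 0:
        return "SUCCESS", None        # unsecured frame allowed for this type
    entry = next((k for k in pib["key_table"] if key_index in k.lookup_ids), None)
    device = pib["device_table"].get(src)
    if entry is None or device is None or src not in entry.devices:
        return "UNAVAILABLE_KEY", None
    if frame_type not in entry.usage:
        return "IMPROPER_KEY_TYPE", None
    if counter < device.frame_counter:
        return "COUNTER_ERROR", None  # replayed or stale frame
    return "SUCCESS", entry.key       # key to use for the CCM* check

def commit_counter(pib, src, counter):
    # Call only after the MIC has verified, so forged frames cannot advance it.
    pib["device_table"][src].frame_counter = counter + 1

PIB = {  # constructed sample configuration
    "security_level_table": {"data": 5, "beacon": 0},
    "device_table": {"acde480000000001": Device("acde480000000001")},
    "key_table": [KeyEntry({1}, {"acde480000000001"}, {"data"},
                           bytes(range(0xC0, 0xD0)))],
}
```

Note that level 4 (encryption without a MIC) does not satisfy a minimum of 5, because the comparison is made per field rather than on the integer value alone.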

The configuration of the security-related attributes is a complex task but allows great flexibility in the use of the MAC security for various application needs.

For a detailed example of MAC Security Attributes setup on a device running a Freescale 802.15.4 Stack in a very common scenario please see AN4973 - "Freescale 802.15.4 MAC Security Setup - MAC 2006 and MAC 2011 Group Key Security Examples".
