Not all wireless networking environments are created equal. An enterprise with mobile workers firing data back and forth, for example, has very different needs than a hospital outfitted with wireless patient-monitoring equipment. The standards governing networks in such distinct environments must reflect their specific requirements.
This is especially true when it comes to security. Due to bandwidth and other constraints, some networks—such as automated process and control networks—require strong, small cryptographic solutions to protect them. Until recently, this type of solution didn't exist. Legacy crypto approaches like RSA and Diffie-Helman couldn't achieve efficient scalability. But that's changing.
The standards are changing too. ZigBee, also known as IEEE 802.15.4, was created specifically for automated process and control networks. Unlike older wireless standards such as IEEE 802.11 and Bluetooth, ZigBee has advanced security built right in.
Process and control networks are used for industrial, commercial, and medical applications, as well as many others. They govern manufacturing operations. They manage indoor heating and cooling systems. And, they monitor the performance of critical equipment. In every case, the risk of having someone interfere with or shut down the network is unacceptable. Strong security is essential.
Yet the characteristics of these environments make security a complicated proposition. The number of devices in process and control networks can be enormous, and those devices are typically interconnected. Architecturally, you're dealing with a mesh, in which many points of access create multiple points of vulnerability. As a result, every element must be authorized and authenticated.
At the same time, the physical layout of process and control environments can often prohibit hardwiring devices to an energy supply. Running off a battery is the only practical option. That automatically imposes limitations on the computational intensity of any security solution.
Finally, process-and-control devices are constrained environments. They must occupy a small footprint and "stay out of the way" of the network's more business-essential equipment.
ZigBee addresses these issues inherently. It's designed to serve as a simple, low data-rate solution operating in an unlicensed international frequency band. An ultra-wideband technology, it boasts the advantages of architectural flexibility, low power consumption, and high reliability. It's mesh-friendly and allows devices to get years of operation from a single battery. Plus, it was created with end-to-end security as a primary objective.
ZigBee provides security based on three main principles. First is simplicity: Every layer originating a frame is responsible for securing it, rather than having multiple layers do so. Second is directness: Keys are exchanged directly between each source and destination device. Third is end-to-end security: Data proceeds without having to be decrypted and re-encrypted at each hop.
Conforming to U.S. Federal Information Processing Standard (FIPS) 197, ZigBee uses the Advanced Encryption Standard (AES) to protect data. AES specifies that any two devices must share a key for encryption and decryption, and ZigBee offers AES for symmetric key-establishment methods. Symmetric encryption, however, does not scale in a system with hundreds of devices. To address this issue, ZigBee must additionally adopt an asymmetric (a.k.a. public-key) method.
Elliptic Curve Cryptography (ECC) should be considered as the public-key scheme for ZigBee. It scales with AES much better than RSA. It has smaller key sizes (see the table) and less intensive computational demands. ECC can deliver stronger security within the constraints of process and control networks, meeting the real-world demands of applications from smart badges and building-systems automation to industrial and medical devices.
Given its low power needs, architectural flexibility, and built-in security, ZigBee is an excellent standard for particular wireless networking environments. ECC as a public-key encryption algorithm reinforces those strengths of ZigBee to achieve truly robust wireless network security.
Reprints
