
PART TWO: Securing the Connected Home From Outside Threats

June 06, 2016

The Thread Group uses versions of the same types of security technologies that make applications across the “big Internet” safe – the ones that keep your banking transactions, Amazon purchases and social media sessions secure. We’ve simply adapted them to the special situation of consumer devices that are heavily power-managed and must automatically maintain network security with little or no user interaction.

Let’s dive deeper into some of the key security measures being addressed at the Thread Group, as referenced in our Thread Commissioning whitepaper:

Network-wide key

The fundamental mechanism securing all Thread communication is symmetric key cryptography based on a network-wide key. The algorithm used is AES-CCM, a mode of operation of the AES block cipher that provides integrity protection and payload encryption for the messages it is applied to.

Integrity protection works by appending a small amount of data (called an integrity check tag or code) to each message. A recipient in possession of the network-wide key can verify it to confirm that the message did in fact originate from where it said it came from and that it was not tampered with in transit. This is especially important in wireless networks, where the contents of a message could be altered in flight over the air.

Payload encryption scrambles the contents of the payload to ensure it cannot be read by an attacker who does not have knowledge of the network-wide key. This prevents eavesdropping on potentially private or sensitive information.

AES-CCM is used on all packets at the network layer. In practice, this provides a high-strength baseline of protection, which the application layer typically builds upon with additional protection mechanisms that provide end-to-end security.

Key Agreement

Initially, a new device does not know the network-wide key, and therefore, has to be given that key. If the network-wide key is transported to the new device over the air without any protection, it could potentially be overheard and extracted by an attacker, although the attacker would have to be in the vicinity at the exact moment the key is given out to overhear it. Once in possession of the network-wide key, an attacker can passively eavesdrop on the home network or masquerade as a genuine device. In Thread, the network-wide key is distributed securely through the use of a Password-Authenticated Key Exchange (PAKE).

A PAKE makes use of a relatively low entropy secret (a password) in conjunction with high strength asymmetric cryptography to generate a high strength shared secret between two parties. In the case of Thread, these two parties are known as the Joiner (the new device) and the Commissioner (typically a smartphone already connected to the Thread network). The high strength shared secret is then used to encrypt the communication of the network-wide key from a device already on the home network (known as the Joiner Router) to the Joiner. Ideally, a PAKE must be secured against what is called "offline dictionary analysis." This means that it must be almost impossible for an attacker to figure out the password based solely on the message exchange between two parties. The PAKE used by Thread (Elliptic Curve J-PAKE) is secure against offline dictionary analysis.

Authentication

Authentication is additionally achieved by virtue of the user knowing the Joiner's password and inputting it into the Commissioner. This is often printed on the device itself as part of a QR code, which can be scanned by the Commissioner smartphone. The PAKE will only complete successfully if the password put into the Commissioner matches the Joiner's password. Therefore, the user can be certain the device they just commissioned is in fact the device they have just scanned on their smartphone.

Authorization

The Joiner is authorized to join the home network by virtue of being given the network-wide key from the Joiner Router. The Commissioner sends a KEK (key encryption key) to the Joiner Router, which is based on the high strength shared secret established between the Commissioner and the Joiner. The Joiner Router then uses the KEK to encrypt a message containing the network-wide key and other network parameters, which it sends to the Joiner. Encrypting the message ensures that an attacker overhearing the message will not be able to extract the network-wide key from it. The Joiner decrypts the message, installs the network-wide key and network parameters and then attaches to the network and becomes an authorized and secure member of the Thread network.

Maintenance

Thread networks maintain a sequence counter that is used to periodically change the actual key used to secure messages; that key is derived from both the network-wide key and the sequence counter. This ensures that even in the unlikely event that an attacker obtains the key used to secure a message through brute force, only a limited window of messages can actually be processed with it.
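The AES-CCM protection described under "Network-wide key" and the key rotation described here, shown together as an added example (not Thread Group code), using Node.js's built-in crypto module. The HMAC-SHA256 derivation, the frame layout, and every key, nonce and payload are assumptions constructed for illustration.

```javascript
// Added example, not Thread Group code; all keys and frames are constructed.
const crypto = require('crypto');

// ASSUMPTION: the page gives no derivation; modelled as
// HMAC-SHA256(networkKey, counter || "Thread") truncated to an AES-128 key.
function deriveKey(networkKey, sequence) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(sequence);
  return crypto.createHmac('sha256', networkKey)
    .update(ctr).update('Thread').digest().subarray(0, 16);
}

// AES-CCM: encrypts the payload; the tag covers payload and cleartext header.
function protect(key, nonce, header, payload) {
  const c = crypto.createCipheriv('aes-128-ccm', key, nonce, { authTagLength: 16 });
  c.setAAD(header, { plaintextLength: payload.length });
  const body = Buffer.concat([c.update(payload), c.final()]);
  return { header, nonce, body, tag: c.getAuthTag() };
}

// Returns the payload, or null when the integrity check fails.
function unprotect(key, frame) {
  const d = crypto.createDecipheriv('aes-128-ccm', key, frame.nonce, { authTagLength: 16 });
  d.setAuthTag(frame.tag);
  d.setAAD(frame.header, { plaintextLength: frame.body.length });
  try {
    return Buffer.concat([d.update(frame.body), d.final()]);
  } catch (err) {
    return null;
  }
}

function demo() {
  const networkKey = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
  const nonce = Buffer.from('0102030405060708090a0b0c0d', 'hex'); // 13 bytes, never reuse per key
  const key7 = deriveKey(networkKey, 7);
  const frame = protect(key7, nonce, Buffer.from('hdr:seq=7'), Buffer.from('door=locked'));
  const flipped = Buffer.from(frame.body);
  flipped[0] ^= 0x01; // one bit altered in flight
  return {
    roundTrip: unprotect(key7, frame).toString(),
    payloadVisible: frame.body.includes('door'),
    tamperedBody: unprotect(key7, { ...frame, body: flipped }),
    tamperedHeader: unprotect(key7, { ...frame, header: Buffer.from('hdr:seq=8') }),
    nextSequenceKey: unprotect(deriveKey(networkKey, 8), frame),
    otherNetworkKey: unprotect(deriveKey(Buffer.alloc(16, 0xff), 7), frame),
  };
}

console.log(demo());
```

Only the holder of the key for the frame's own sequence recovers the payload; a modified body, a modified header, the key for the next sequence and a different network-wide key are all rejected at the tag check.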

Application layer protection

While Thread provides a high level of security for the network, it is important in many cases to provide additional security at the application layer. As Thread is a mesh networking technology, it does not impose any restrictions on how applications can apply additional security. Many of the building blocks Thread is based on, such as the CoAP transfer protocol and DTLS security, are available to the application layer as well, and as a result, provide the foundation for efficient implementation of secure application layer code.

Protocols

When it comes to security, it is important not to try to "re-invent the wheel". For that reason, Thread uses well-established, standardized protocols. DTLS, on which Thread key agreement is based, is fundamentally the same as the TLS protocol used to secure Internet transactions today. The J-PAKE protocol is also well established and currently being standardized, with a security proof undertaken by respected cryptographers.

As you can tell, we’re making every effort to secure Thread networks and the Internet of Things as a whole. If you have any questions, please feel free to comment here or contact help@threadgroup.org.