Difference between revisions of "LPWAN Security Features"
From Franklin Heath Ltd Wiki
(Based on the features table from our recent LPWAN security white paper) |
m (capitalisation) |
||
Line 19: | Line 19: | ||
|- | |- | ||
! style="text-align:left;color:gray" | Maximum Coupling Loss | ! style="text-align:left;color:gray" | Maximum Coupling Loss | ||
− | | | + | |~160dB <ref name="mcl">These figures are provided as a guide only; precise comparisons may be misleading as link budget assumptions vary in the calculations for each technology</ref> |
|164dB <ref name="mcl" /> | |164dB <ref name="mcl" /> | ||
|164dB <ref name="mcl" /> | |164dB <ref name="mcl" /> | ||
Line 128: | Line 128: | ||
|Optional (GIA4/5) | |Optional (GIA4/5) | ||
|Yes | |Yes | ||
− | | | + | |Unknown <ref>Sigfox does not disclose the algorithm for calculating the Message Authentication Code, thus it is unknown how much of the control information (if any) is covered</ref> |
|- | |- | ||
! style="text-align:left" | Replay Protection | ! style="text-align:left" | Replay Protection |
Revision as of 10:09, 15 May 2017
Table of features for various Low-Power Wide Area Networking technologies, extracted from the LPWA Technology Security Comparison white paper.
The first few rows (with Grey Titles) are not security features as such, but are included as they may be significant factors in choosing one technology over another.
LTE-M | NB-IoT | EC-GSM-IoT | LoRaWAN | Sigfox | |
---|---|---|---|---|---|
Bandwidth | 1.08MHz | 180kHz | 600kHz | 125kHz (500kHz d/l) | 100Hz (1.5kHz d/l) |
Maximum Coupling Loss | ~160dB [1] | 164dB [1] | 164dB [1] | 157dB [1] | 153dB [1] |
Typical Frequency Bands | Below or above 1GHz | Below or above 1GHz | Below or above 1GHz | Below 1GHz | Below 1GHz |
Maximum Downlink Peak Data Rate | 1Mbps | 250kbps | 74kbps | 50kbps | 600bps |
Maximum Uplink Peak Data Rate | 1Mbps | 250kbps | 74kbps | 50kbps | 100bps |
Typical Downlink Daily Throughput | Limited only by battery power | Limited only by battery power | Limited only by battery power | ~200B [2] | 24B |
Typical Uplink Daily Throughput | Limited only by battery power | Limited only by battery power | Limited only by battery power | ~200kB [2] | 1.64kB |
Typical Module Cost | Medium | Low | Low | Low | Very low |
Globally Unique Identifiers | IMSI | IMSI | IMSI | Optional (DevEUI) | Yes (32 bits) |
Device/Subscriber Authentication | UICC or eUICC [3] | UICC or eUICC [3] | UICC or eUICC [3] | Device or Subscriber [4] | Device |
Network Authentication | LTE AKA | LTE AKA | UMTS AKA | Optional | No |
Identity Protection | TMSI | TMSI | TMSI | Partial (DevAddr) | No |
Data Confidentiality | Yes (EEAx) | Yes (EEAx) | Optional (GEA4/5) | Yes (AppSKey) | No |
End-to-Middle Security | No | No [5] | To visited network | Yes (AppSKey) | No |
Forward Secrecy | No | No | No | No | No |
Data Integrity | Limited [6] | Optional (with DoNAS) | Limited [6] | Limited [6] | Variable [7] |
Control Integrity | Yes (EIAx) | Yes (EIAx) | Optional (GIA4/5) | Yes | Unknown [8] |
Replay Protection | Yes | Optional (with DoNAS) | Limited [9] | Yes | Yes |
Reliable Delivery | Yes | Yes | Yes | No | No |
Critical Infrastructure Class | Access Classes 11-15 | Access Classes 11-15 | Access Classes 11-15 | No | No |
Updatability (Device) | Possible | Possible | Possible | Limited [10] | No |
Updatability (Keys/Algorithms) | Optional (SIM OTA) | Optional (SIM OTA) | Optional (SIM OTA) | Limited | No |
Network Monitoring and Filtering | Yes | Yes | Yes | Limited | Monitoring only |
Key Provisioning | Pre-provisioned or RSP | Pre-provisioned or RSP | Pre-provisioned or RSP | Pre-provisioned (ABP) or OTAA | Pre-provisioned |
Algorithm Negotiation | Yes | Yes | Yes | No | No |
Class Break Resistance | Yes [11] | Yes [11] | Yes [11] | Optional [12] | Yes [11] |
Certified Equipment | Required | Required | Required | Optional | Required |
IP Network | Optional | Optional | Yes | No | No |
- ↑ 1.0 1.1 1.2 1.3 1.4 These figures are provided as a guide only; precise comparisons may be misleading as link budget assumptions vary in the calculations for each technology
- ↑ 2.0 2.1 Based on The Things Network Fair Access Policy
- ↑ 3.0 3.1 3.2 UICC and eUICC both authenticate the mobile subscription, for a non-removable eUICC the EID also serves to uniquely identify the device
- ↑ Pre-provisioned NwkSKey authenticates the device, or default AppKey (permitted by The Things Network) authenticates the subscriber, or unique AppKey authenticates both
- ↑ Under discussion for a future 3GPP release (SA3 work item “Battery Efficient Security for Very-Low-Throughput MTC Devices”)
- ↑ 6.0 6.1 6.2 Where data encryption is in use, modifying ciphertext will corrupt the data unpredictably
- ↑ A 16-byte Message Authentication Code is truncated to fit within a fixed size packet: only 2 to 5 bytes are transmitted, depending on the space available in each packet
- ↑ Sigfox does not disclose the algorithm for calculating the Message Authentication Code, thus it is unknown how much of the control information (if any) is covered
- ↑ Where data encryption is in use, replaying ciphertext will not result in the same plaintext
- ↑ Firmware update broadcast capability is under discussion for a future LoRaWAN version
- ↑ 11.0 11.1 11.2 11.3 No private or secret keys are shared between devices
- ↑ Devices may share a default AppKey, which would then be a potential class break