This guide explains the Encryption library features and functions. There are no great variations in this library for our new product lines Waspmote v15 and Plug & Sense! v15, released on October 2016.

Anyway, if you are using previous versions of our products, please use the corresponding guides, available on our Development website.

You can get more information about the generation change on the document "New generation of Libelium product lines".

The new Encryption Libraries are designed to add to the Waspmote sensor platform the capabilities necessary to protect the information gathered by the sensors. To do so three cryptography layers are defined:

• Link Layer: In the first one all the nodes of the network share a common preshared key which is used to encrypt the information using AES 128. This process is carried out by specific hardware integrated in the same 802.15.4/ZigBee radio, allowing the maximum efficiency of the sensor nodes energy consumption. This first security layer ensures no third party devices will be able to even connect to the network (access control).

• Application Layer: In the second security layer each node uses a point to point encryption scheme with Meshlium -the Gateway of the network-. This way, even the intermediate nodes of the network (the ones which forward the information to the destination) will not be able to see the sensor data transmitted. Messages are sent using AES, (implemented by the software library) ensuring complete confidentiality and privacy while maintaining the minimum resources of the node in term of computing cycles and energy consumption.

• Secure Web Server Connection: The third security technique is carried out in Meshlium -the Gateway- where HTTPS and SSH connections are used to send the information to the Cloud server located on the Internet.

A fourth optional encryption layer allows each node to encrypt the information using the Public key of the Cloud server. Thus, the information will be kept confidentially all the way from the sensor device to the web or data base server on the Internet.

*Note: The Encryption Libraries are part of the Waspmote API and have been designed to work solely on top of the Waspmote and Waspmote Plug & Sense sensor platforms. More info at:*

http://www.libelium.com/waspmote

http://www.libelium.com/plug_&_sense

- Transmission of sensor data:

Information is encrypted in the application layer via software with AES using the key shared exclusively between the origin and the destination. Then the packet is encrypted again in the link layer via hardware with AES 128 so that only trusted packets be forwarded, ensuring access control and improving the usage of resources of the network.

Common security issues which are solved include:

- Access control: by using AES 128 in the link layer we ensure that only nodes with the shared key can access to the routing capabilities of the sensor network. If a strange node sends a message to the network the message will be discharged in the first hop so no extra communication resources will be used. The AES 128 algorithm is implemented in the same radio using specific hardware, for this reason the information will be automatically discarded and not even send to the microcontroller. This provides an extra layer of security as the main control unit of the node will not be interrupted from performing basic tasks or event not awaken from the sleep mode (what ensures optimum energy usage).

- Authentication: the library implements also RSA with asymmetric key scheme. Each node has a pair of Public/Private keys (1024b) which uses to sign the messages in order to ensure the authenticity of origin and destination.

- Data Confidentiality (Privacy): by doubling encryption of the messages we ensure that first that only the nodes which form part of the network can see the general routing packets (AES 128 in the link layer) and after that we establish an encryption tunnel by direct P2P encryption between origin and destination (using AES).

- Data Integrity: the new library uses hash algorithms such as MD5 and SHA to create the checksum of the message and to ensure that the final information received correspond with the original sent.

- Non-repudiation: by signing the messages with RSA keys we have also the legal proof that the information sent really was sent by a specific sensor node and not by other. Important in the future when all the sensitive sensor information has to be legally approved.

Each node may store thousands of different Public Keys of the nodes of the network in its SD card. So we can establish a real P2P encryption among any sensor and the Gateway and even between any sensor and any web or data base server directly.

The new Libraries are specifically designed to be used in the Waspmote hardware sensor platform and are distributed along with the Waspmote IDE which is distributed under an open source license.