Haystack security

Haystack powers a new age of low power IoT security

We designed DASH7 to accommodate security requirements for today’s low power IoT users, not users of the 1990’s. Compare us to the competition and we think you’ll rank Haystack’s privacy and security capabilities above any other low power IoT technology available today.

Our approach

Network security is about more than just cryptography. Decades of copying cryptography and security models from past standards into new standards has left massive vulnerabilities in not just IoT wireless, but also in all kinds of wireless, including WiFi and Bluetooth. With DASH7, Haystack has developed a top-to-bottom security architecture to keep information secure. Haystack DASH7 endpoints remain “quiet” until queried or until a business event occurs. Beyond just AES 128 encryption, we offer other features that are unavailable with other LPWAN and low power IoT networking solutions:
  • AES 128 private and public key encryption
  • Public key handshaking through connectionless request-response session
  • Over-the-air key refresh and over-the-air firmware patches and updates
  • Streaming MAC layer encryption
  • Reduced vulnerabilities in traffic pattern detection using adaptive TX power modulation, ad hoc network sync without regular discovery broadcast, and listen-before-talk endpoints
  • Multicasted Group Queries: ask a question to many endpoints, receive a response only from relevant endpoints

Haystack security vs. LoRaWAN

haystack vs lorawan graphic

Why Haystack utilizes EAX ciphers

Haystack has pioneered implementation of the EAX cipher for IoT wireless, one of the two most advanced ciphers available for AES cryptography.  Unlike any other widely known communications protocol in the world, in addition to simply protecting the payload data, Haystack’s EAX encrypted DASH7 protocol is able to encrypt most of the protocol information itself.

Public-Key handshaking: simplifying deployment.

There are two primary ways to do public-key handshaking: the RSA model and the Diffie-Hellman Model. For battery-powered IoT endpoints, both methods are very suitable, as it is impractical to perform extensive attacks on such devices, and succeed, before depleting the battery. However, for battery-powered IoT endpoints, the problem is often doing a public key exchange at all, by any means. Consider the following:

  • Public Key handshaking data payloads tend to be over 100 bytes in size.
  • The public key handshaking process requires multiple request-response dialogs to occur in a relatively short amount of time (seconds) to avoid “man in the middle” vulnerabilities.
  • 802.15.4-based systems are limited to a practical data payload of only 72 bytes, due to the way they are designed.
  • LoRaWAN and SigFox LPWAN data payloads systems are limited in size, due to their slow data rate, of 12-51 bytes.
  • LoRaWAN and SigFox LPWANs, by network design, emphasize high-latency uplinks, and they are not capable of completing a public key handshaking process in a required amount of time.
  • Haystack’s DASH7 can exchange payloads up to 1KB with millisecond latency between request and response, making it uniquely suitable for public key exchange among these technologies.
  • As a result, public key cryptography has not thrived yet in IoT sensor networks, despite the fact that modern ARM Cortex-M CPUs are capable of meeting the computation requirements quite easily. Instead, much emphasis has been on using SIM card providers to supply “secure elements” for provisioning LPWAN devices. This adds cost and complexity that is unnecessary in a system compatible with Haystack’s DASH7. LPWAN builders may want to consider adding the DASH7 stack alongside their LPWAN stack, as DASH7’s public key exchange firmware could improve security and operational flexibility beyond what SIM elements can provide, at reduced cost.

The DASH7 filesystem & security

In the mid 2000’s, the EPC standards committee determined that filesystems were so critical for security, that they should be implemented on such ultra-constrained devices as EPC passive RFID tags.It took them quite a while to arrive at this decision (years), but by 2010 it was generally accepted.

The importance of the filesystem to information security is in the way files can be attributed with different privileges and access levels.In other words, they allow for multiple users, multiple users allow for multiple cryptographic keys for communicating data at different access levels, and that is what protects the important data on the device from hackers who may have cracked a lesser access level.

Haystack’s DASH7 filesystem is compact and offers features more common to a database than a PC filesystem, but importantly it has all the features needed to meet security requirements.Important data that controls the way the device works can be set as read-only and only accessible by network administrators, or even the manufacturer.Other data can be made more or less accessible.

graphic showing security vulnerabilities of different technologies
graphic showing security benefits of DASH7

Get started developing with our network solutions