Wireless Ad Hoc Sensor Network Security

Michael Baswell, for CS591 S2007, 5/7/2007


Page 1: Wireless Ad Hoc Sensor Network Security

Michael Baswell

WSN Security

For CS591 S2007

5/7/2007

Page 2: Introduction

- Wireless networking is becoming prevalent, and presents unique security concerns
  - Physical access is trivial since the physical layer is a broadcast radio signal
- Ad Hoc network – no centralized control mechanisms (routers, switches, etc.); nodes may serve the routing and relay functions.
- MANET (Mobile Ad Hoc Network) – one emerging example
  - Nodes can be added or removed at any time
  - Nodes may move to different regions
  - Nodes may be constrained (PDA, cell phone)
  - assumption of trust among nodes – dangerous!

Page 3: Project Goal

- Present an overview of existing research in WSN security
- Look for related research (MANET literature in particular)
- Offer some insight into potential security mechanisms and implementation constraints & possibilities

Page 4: Wireless Sensor Networks

- WSN share a number of key features with MANET
  - Ad hoc nature – WSN must self-configure and reconfigure at intervals
  - More or less random deployment
  - Motes are constrained in terms of CPU, battery life, storage, etc.
  - Size of network – potentially 10k or 100k nodes
- A few key differences
  - Motes usually are stationary
  - A trust relationship can be defined prior to deployment

Page 5: WSN Security – Constraints

- Computational Power is minimal, and draws power
- Storage is minimal – no HDD, etc.
- Limited broadcast/reception range, and low bandwidth. Also, the stronger the broadcast signal, the more power it takes
- Power is limited by the battery life – in short, the more active the mote, the quicker it dies.
  - Crossbow Technologies (www.xbow.com) offers a “Mote Battery Life Calculator” spreadsheet for download, for several research motes

Page 6: WSN Security – Key Points

- Security in proportion to sensitivity of data
- Any security mechanism should address limitations of CPU, energy, and network resilience
- Any security mechanism WILL require more computation and power, as well as add to latency
- Two scenarios:
  - WSN with laptops or other high-power computer in direct communication / monitoring range
  - Ad hoc node-to-node only; all work must be done by motes

Page 7: Objectives

- Data Confidentiality – keeping it secret
- Data Authentication – knowing that the broadcaster is legitimate
- Data Integrity – broadcast data is sent and received accurately and completely
- Data Freshness – data is delivered in timely manner (old data may be useless, or a rebroadcast)

Page 8: Example Threats

- Insertion of Malicious Code (on a WSN supporting code mobility)
- Interception of node location broadcasts or other sensitive data
- Sleep Deprivation Torture attack
  - (almost as bad as the dreaded Semester Project Deadline attack)
- Protection of data within a captured / compromised node

Page 9: Security Mechanisms - Encryption

- Network shared symmetric key is the only practical approach
  - Unique key pairs between nodes impractical
  - Could keep a series of keys and change at intervals – longer expected life -> more keys are needed
- Scalable algorithm is preferable due to storage
  - stronger encryption through more iterations (DES/AES as examples), when it is critical
  - Fewer iterations when less essential
  - Burn power only to the extent that it is necessary
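The network-wide shared key, the key series changed at intervals, and the authentication, integrity and freshness objectives listed earlier can be shown together in one receiver check. This is an added example, not part of the original slides; the frame layout, the hourly interval, the truncated HMAC-SHA-256 tag (used here in place of the encryption the slide discusses) and all names are assumptions.

```python
import hashlib
import hmac
import struct

EPOCH_SECONDS = 3600   # assumed key-change interval
TAG_LEN = 8            # assumed truncated tag length, to save radio bytes
HEADER = ">HIH"        # node id, per-node counter, key epoch (8 bytes)

def make_key_series(seed, count):
    # Stand-in for the key list loaded onto every mote before deployment.
    return [hashlib.sha256(seed + struct.pack(">I", i)).digest()[:16]
            for i in range(count)]

def keys_needed(lifetime_seconds):
    return -(-lifetime_seconds // EPOCH_SECONDS)   # longer life, more keys

def _tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

def seal(keys, node_id, counter, now, payload):
    epoch = now // EPOCH_SECONDS          # IndexError once the series runs out
    header = struct.pack(HEADER, node_id, counter, epoch)
    return header + payload + _tag(keys[epoch], header + payload)

class Receiver:
    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}            # node id -> highest counter accepted

    def accept(self, frame, now):
        if len(frame) < 8 + TAG_LEN:
            return "malformed"
        header, body, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        node_id, counter, epoch = struct.unpack(HEADER, header)
        if epoch != now // EPOCH_SECONDS or epoch >= len(self.keys):
            return "stale-epoch"
        if not hmac.compare_digest(tag, _tag(self.keys[epoch], header + body)):
            return "bad-tag"              # integrity / authentication failure
        if counter <= self.last_counter.get(node_id, -1):
            return "replay"               # freshness failure
        self.last_counter[node_id] = counter
        return "ok"

def demo():
    # Constructed traffic: one good frame, its replay, and a tampered copy.
    keys = make_key_series(b"constructed-seed", keys_needed(24 * 3600))
    rx, frame = Receiver(keys), seal(keys, 7, 1, 100, b"temp=21")
    forged = frame[:8] + b"temp=99" + frame[-TAG_LEN:]
    return [rx.accept(frame, 120), rx.accept(frame, 130), rx.accept(forged, 140)]
```

Because every mote holds the same key, a valid tag shows only that the sender is a member of the network, not which node it is. The strict epoch match would need a clock-skew allowance on real motes.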

Page 10: Security Mechanisms - IDS

- “traditional” IDS not an option
  - no centralized control mechanisms
  - Limited monitoring due to reception range
- Critical Node monitor / trigger mechanism
  - MANET literature suggests this approach which might be adaptable to WSN – better results in low-mobility, densely populated networks. That describes WSN!
  - Identify and monitor only critical nodes – they’re worth protecting!
  - Watchdog type IDS uses 60-70% CPU, 450k storage initially
  - Trigger / critical event approach results in less than 1% utilization, 125kb storage initially
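One way to pick the nodes worth monitoring, as an added example that is not part of the original slides: it assumes a "critical" node is one whose loss would partition the network (an articulation point of the link graph), a definition the slides themselves do not give. The topology and node names are constructed.

```python
def critical_nodes(links):
    """Return the nodes whose removal disconnects the network."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    disc, low, critical = {}, {}, set()
    clock = [0]

    def visit(node, parent):
        # Depth-first search; recursion is fine for a sketch, but a 10k-node
        # network would need an iterative version.
        disc[node] = low[node] = clock[0]
        clock[0] += 1
        children = 0
        for nxt in adj[node]:
            if nxt == parent:
                continue
            if nxt in disc:
                low[node] = min(low[node], disc[nxt])   # back edge
            else:
                children += 1
                visit(nxt, node)
                low[node] = min(low[node], low[nxt])
                # The subtree under nxt has no path around node.
                if parent is not None and low[nxt] >= disc[node]:
                    critical.add(node)
        if parent is None and children > 1:
            critical.add(node)

    for node in adj:
        if node not in disc:
            visit(node, None)
    return critical

# Constructed topology: a base station, two relays, two sensor clusters.
LINKS = [("bs", "r1"), ("bs", "r2"), ("r1", "r2"),
         ("r1", "a1"), ("r1", "a2"), ("a1", "a2"),
         ("r2", "b1"), ("r2", "b2"), ("b1", "b2")]

def monitored_set():
    return critical_nodes(LINKS)   # only the relays, not the redundant motes
```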

Page 11: Conclusions

- WSN security is severely limited by WSN constraints of power, CPU, etc.
- These constraints are not going away
  - WSN do better when many nodes are deployed
  - nodes will get cheaper, not more powerful, so that more can be deployed
- MANET research lends some insight into resource-friendly mechanisms
  - Encryption – shared symmetric key; predefined trust relationship set up prior to deployment
  - IDS – critical nodes, triggers / critical events

Page 12: References

- Lindsey McGrath and Christine Weiss, “Wireless Sensor Networks Security.” UCCS Presentation / Semester Project, CS591, 2005.
- Slijepcevic, Potkonjak, Tsiatsis, Zimbeck, and Srivastava, “On Communication Security in Wireless Ad-Hoc Sensor Networks.” UCLA, 2002.
- Karygiannis, Antonakakis, and Apostolopoulos, “Detecting Critical Nodes for MANET Intrusion Detection Systems.” 2006, National Institute of Standards and Technology (NIST). http://csrc.nist.gov/manet/Critical-Nodes-MANET.pdf
- Karygiannis and Antonakakis, “mLab: a Mobile Ad Hoc Network Test Bed.” 2005, National Institute of Standards and Technology. http://csrc.nist.gov/manet/SecPerU2005-Karygiannis-Antonakakis.pdf
- Ioannis G. Askoxylakis, Diomedes D. Kastanis and Apostolos P. Traganitis, “Secure Wireless Ad Hoc Networking.” ERCIM News No. 63, October 2005. http://www.ercim.org/publication/Ercim_News/enw63/askoxylakis.html