monet23 security in adhoc networks

7/29/2019 Monet23 Security in Adhoc Networks

1/46


2/46

1

ECSE6962: Wireless Ad Hoc Networks

Security

Alhussein Abouzeid

ECSE, RPINovember 28th, 2005


3/46

Outline

2

Security and the protocolstack Security approaches andtradeoffs Security problems at link and networklayers Outline ofsolutions Securityprimitives Secure routing protocolexample Secure packetforwarding Remarks on Link-layersecurity Conclusion


4/46

Outline

3

Security and the protocolstack Security approaches andtradeoffs Security problems at the network and linklayers Outline ofsolutions Securityprimitives Secure routing protocolexample Secure packetforwarding Remarks on Link-layersecurity Conclusion


5/46

Security and the protocol stack

4

Early research focused on the challenges posed byadhoc networks to MAC androuting Security becomes a primary concern in ahostileenvironmen

t Additional challenges compared towired Shared wireless medium Resource constraints (energy and/or bandwidth)

Dynamic topology (mobility, users join/leave,etc.) The goal is to provide protected multi-

hopcommunication between nodes in a hostileenvironment Security solutions may (should?) span the entireprotocolstack Solutions for wired networks do not directlyapply


6/46

Security solutions span the entire stack

5

Layer

Security issue

Application Viruses, worms

Transport Authentication for end-to-endcommunication

Network

Protecting routing and forwarding

protocols

Link Protecting the wireless MAC protocol;provide link layersecurity

Physical Signal jamming DoS attacks


7/46

Outline

6

Security and the protocolstack Security approaches andtradeoffs Security problems at the network and linklayers Outline ofsolutions Securityprimitives Secure routing protocolexample Secure packetforwarding Remarks on Link-layersecurity Conclusion


8/46

Security Approaches and tradeoffs

7

1. Proactive Prevent an attack from happening

2. Reactive Detect an attack and react quickly

Effective approaches are likely

hybrid The key components: prevention, detection, reaction. Security typically comes at a cost

Computation

Communication

Management overhead

Performance may suffere.g. Scalability

Service availability

Robustness

Solutions should consider not only security strength but alsoperformance metrics


9/46

Outline

8

Security and the protocolstack Security approaches andtradeoffs Security problems at the network and linklayers Outline ofSolutions Secure routing protocolexample Secure packetforwarding Remarks on Link-layersecurity Conclusion


10/46

Securing connectivity in ad-hoc

networks

9

The protection of the network basic functionalitytodeliver data bits from one node toanother. This entails the protectionof: Link-layer: one hop connectivity Routing layer: extending connectivity to multiple hops

Unlike wired, no clear line ofdefense : the wireless channel is accessible to legitimate as well

asmalicious attackers

each node may function as a router

so there is no clear point to implement access/traffic control

the boundary between network edges and core is blurred

A malicious attacker can easily assume the routerrolebut intentionally deviate from the protocolspecifications


11/46

Network Layer Attacks

10

Cooperation is assumed but notenforced The main network layer operationsare routing

packet forwarding

These are notseparate Routing protocols exchange messages and

maintainnetwork routing state at eachnode Packet forwarding follows accordingly (hopefully!)byintermediate nodes along apath thus, we have routing and packet forwardingattacks


12/46

Routing attacks

11

Routing attacks: any routing message updates thatdonot follow the specs depends on the protocole.g. e.g. DSR: mess with the RREQ or RREP packets:

add, remove, append a node to the list [1]

advertise that an active link is broken [1]

e.g. AODV: mess with the distance metrics:

advertise a smaller metric than the actual distance to thedestination;

advertise wrong updates with a larger sequence numberhence invalidate other valid updates [2]

e.g. Wormhole effect [4]: Pair of attackers shortcuts the normalflows by altering theroutes Results in: longer routes, non-existent routes, loops, severecongestion on specific nodes/links


13/46

Packet Forwarding Attacks

12

Drop, modify or duplicate the packets alreadyforwarded Inject a large amount of (junk) packets (Denial ofServiceDoS attack network layer packetblasting) Cause severe persistent congestion

Increased due to MAC contention


14/46

Link Layer Attacks

13

802.11 is vulnerable to attacks targeting itschannelcontention and allocation schemes,e.g.

Exploit the binary exponential backoff mechanism to deny

access to the channel by its neighbors [10,11]

Overhear the NAV field carried in the RTS/CTS which indicatesthe duration of the reservation, then intentional interfere during

the data transmission of a neighbor (also considered a DoS

attack)


15/46

Outline

14

Security and the protocolstack Security approaches andtradeoffs Security problems at the network and linklayers Outline ofsolutions Securityprimitives Secure routing protocolexample Secure packetforwarding Remarks on Link-layer

security Conclusion


16/46

15

Prevention

Mainly achieved by secure routingprotocols

Work in a proactive manner, to prevent the attackerfrominstalling incorrect routing

states

Typical routing protocols + cryptographic primitivestoauthenticate routing messages (will see exampleslater)

From experience, any connected node is not100%secure. If its true for wired, its also true forwireless


17/46

Detection & Reaction

16

Identification of malicious nodes by noticingtheirabnormalbehavior

This is intrinsically

reactive

1. End-to-end detection

2. Local detection through collaborative decision-making

Reaction: Adjust routing and forwarding operationtoavoid or exclude the maliciousnode


18/46

Network Layer Security

17

Secure ad hoc routingprotocols ensure that the routing message exchanged between nodes is

consistent with the protocol specification

Secure packet forwardingprotocols ensure the packet forwarding behavior of each nodeisconsistent with its routing states


19/46

Outline

18

Security and the protocolstack Security approaches andtradeoffs Security problems at the network and linklayers Outline of

solutions Securityprimitives Secure routing protocolexample Secure packetforwarding Remarks on Link-layer

security Conclusion


20/46

Message Authentication Primitives

19

The essential component in any security designismessageauthentication Three crypto primitives for message authenticationare:1. HMAC

2. DigitalSignature3. One-wayHMAC


21/46

1. HMAC

20

What it is:

Hash function based Message Authentication Code [15]

hash functions are not keyed primitives, ie. do not

accommodate naturally the notion of secret key, but we

neglect that detail here

It was designed to meet the requirements of the IPSEC workinggroup in the IETF, and is now a standard.

How can I make sure that the message is actually sent by mypartner and it is as sent by the partner (unmodified)?

If two nodes share a secret symmetric key K, they can generateand verify a message authenticator h_K(.) using a cryptographic

one way hash function h.


22/46

HMAC (Contd)

21

How itworks: when party A transmits a message to party B, it appends to the

message a value called the authentication tag, computed by theMAC algorithm as a function of the transmitted information andthe shared secret key.

At reception, B recomputes the authentication tag on thereceived message using the same mechanism (and key) andchecks that the value he obtains equals the tag attached to thereceived message.

Only if the values match is the information received consideredas not altered on the way from A to B.1

(In cryptography, the goal is to prevent forgery, namely, thecomputation, by the adversary, of a message (not sent by thelegitimate parties) and its corresponding valid authenticationtag.)


23/46

(HMAC contd)

22

Advantages: The computation is very efficient (good for

handhelds)

Disadvantages

: Establishing a secret key in the first place is not trivial Does not scale well: a network of n nodes requires n(n-1)/2

keysto be established (and maintained).

Does not suit broadcast

e.g. SRP for DSR[13]


24/46

2. Digital Signatures

23

Asymmetric KeyCryptography Digital signatures use asymmetric key crypto, so here is an intro

key material is bound to a single user

a private key, to which only the user has access, and

a public key, which may be published or distributed on request.

Each key generates a corresponding transformation function

The functions are inversely related, i.e., if one function is used toencrypt a message, the other is used to decrypt the message

The advantage of a public-key system is that two users cancommunicate securely without exchanging secret keys.

The originator encrypts the message using the recipient's public key. Only the recipient's private key can be used to decrypt the message.

This is due to the computational infeasibility of inverting the publickey transformation function. In other words, without the recipient's

private key, it is computationally infeasible for the interceptortotransform the ciphertext into its original plaintext.


25/46

2. Digital Signatures

24

What it is: Based on asymmetric key (also called public-key)

cryptographye.g. RSA (see next slide)

A digital signature is a cryptographic checksum computed as afunction of a message and a user's private key.

A digital signature is different from a hand-written signature, inthat hand-written signatures are constant, regardless of thedocument being signed. A user's digital signature varies with thedata. For example, if a user signs five different messages,fivedifferent signatures are generated. Each signature, however, canbe authenticated for the signing user.

Due to the efficiency drawbacks of public-key cryptography,auser often signs a condensed version of a message, called amessage digest, rather than the message itself. Message digestsare generated by (1-way & collision-free) hashfunctions.


26/46

25

So, digital signature goes asfollows:At originator: Apply hash function to message to generate message digest

Encrypt message digest using own private key signature

Append signature to the message

Send message+signature.

At intended receiver:

Apply hash function to message to generate message digest_B

Decrypt signature using originator public key message

digest_A

Note: this does not protect the message from being seen by others.But it proves to receiver that the message is authentic andunaltered.


27/46

26

So, (secure) digital signature goes asfollows:At originator: Apply hash function to message to generate message digest

Encrypt message digest using own private keysignature

Append signature to the message

(Encrypt all of this using receivers public key)

Send encrypted(message+signature)

At intended receiver:

(Decrypt using own private

key

originator signature +

message) Apply hash function to message to generate message digest_B

Decrypt signature using originator public key messagedigest_A


28/46

Advantages

27

Scalesbetter a digital signature (but not secure message) can be verified by

any node given that it knows the public key of the signing node,

hence is scalable to a large numbers of receivers only atotalnumber of n public/private key pairs


29/46


30/46

3. One-way HMAC Key Chain

29

How itworks: To generate a key chain of length n+1, the first element of the

chain h is randomly picked and then the chain is generated by0repeatedly applying a one-way functionH A one-way hash function maps an input to an output of a fixed

length, which is the new key

The keys are then used and revealed in the reverseorder,starting from the last generated key hn

Any key hj can be verified from hi ( 0 i < j n ) to be indeed anelement in the chain by repeatedly applying H for j i times

Advantages: Less computation than asymmetric crypto

One authenticator can be verified by a large number ofreceivers


31/46

30

Disadvantages: Requires synchronization

Receivers need to buffer messages for verification when thekeyis revealed this delay may reduce routing protocol

responsiveness to topology changes

The release of the key requires a second roundofcommunication

Storage of the hash chain limits scalability

e.g. TESLA, SEAD (for DSDV) and Ariadne (forDSR).


32/46

31

TESLA (example of one way HMACkeychain

) Unicast authentication is cheap, using symmetrickeyauthentication, but doesnt scale forbroadcast. Secure broadcast authentication requires anasymmetricprimitiv

e TESLA differs from asymmetric protocols (e.g. RSA)inthat it achieves this asymmetry fromclocksynchronization and delayed key disclosure, ratherthanfrom computationally expensive one-wayfunctions


33/46

TESLA (Contd)

32

Timed Efficient Stream Loss-tolerant Authentication[8] Requires time synchronization and causes delay inauthentication Idea: The sender commits to a random key k without revealing it and transmits it to the

receivers. The sender then attaches a message authenticating code to the next packet P and usesthe

ikey k as the MACkey. In a later packetP

i+1, the sender decommits to k (i.e. it discloses the key), which allowsthereceivers to verify the commitment and the MAC of packet

P.

i

If both verifications are correct, and if it is guaranteed that packetP

i+1 was not sentbeforepacket P was received, then a receiver knows that the packet P is

authentic.i i

To start this scheme, the sender uses a regular signature scheme to sign theinitialcommitment. All subsequent packets are authenticated throughchaining. Security condition: A data packet Pi arrived safely, if the receiver canunambiguouslydecide, based on its synchronized time and network delay, that the sender did not yetsendout the corresponding key disclosurepacket.

Packet loss

tolernace Sender precomputes a sequence of n key values, called key chain (all one way i.e. eachoneis notinvertible) If receiver receives packet P, any subsequent packet reception allows it tocompute

i kiandki

and verify the authenticityof

Pi


34/46

TESLA example [9]

33

'

1 1 1 1

1 1 2

1

'

1 1

2

'

1 1 1 1

1 1 2

'

'

,(, )

,( ),

pick a fresh key

,(, )

,(

),

pick a fresh key

,(, )

,

(

),

where

() ; an

i i i i

iii

i

i

i i i i

iii

i

i

i i i i

iii

i

i i

PDMAC K D

DMF K K

K

PDMAC K D

DMF K K

K

PDMAC K D

DMF K K

KFK F

+

+

+

+

+

+ +

++++

!!

!!

!!

!!

!!

!

'

d are two hash functionsF

The example shows the transmission ofthree consecutive packets

When the i+1 packets is received, thereceivercan: Verify that Ki is correct by generating F(K)i

and comparing it with the one received in

packet i-1 Compute F(K) and generate MAC of P,i i

then compare it with the one received inpacket i.

The above also authenticate F(Ki+1)

The only way to break this security chain

isfor an attacker to get Pi+1 before thereceiver gets P (hence it would know kiiand take over the sequence without thereceiver being able to detect that.)


35/46

34

1

0

3

0

32

13

2

3

3

3

()

()

(

)(

)fo r examp

le:(

)(

)(

)

jj

n

n

n

iin

FxF

x

KF

KKF

K

KF

KKF

KKF

KKK

What happens if a packet in thesequence is lost?: make a key chain

Given K, an attacker cannot generateiany K, j>i.j

If a receiver receives packet Pi,

anysubsequent packet will allow it tocompute Ki and K as well as verify theiauthenticity of P.i

For example, suppose, in a sequence ofpackets, F (K ) is received, F (K ) is lost3 3

23

and F(K ) is received. Then receivercan 3run F(F(K )) to get F (K ) so as to3

23

validate the receivedpacket.


36/46

Outline

35


Solutions Secure routing protocolexample Secure packetforwarding Remarks on Link-layersecurity Conclusio

n


37/46

Secure Source Routing: Ariadne [1]

36

Ariadne is designed for source routingprotocols S performs a Route Discovery for target D, theysharethe secret keysK

SD andK

DS, respectively, ineachdirection

. Target authenticatesRREQ To convince the target of the legitimacy of each field in a

ROUTEREQUEST, the initiator includes a MAC computed with key KSDover unique data, e.g. timestamp. The target can easily verify the

authenticity.


38/46

Node list authentication in Ariadne

37

Data authentication: initiator wants to authenticate each individual node in the node list of the

RREP

target wants to authenticate each node in the node list of the ROUTEREQUEST

Ariadne proposes three techniques for node list authenticationbased : Standard MACs

is most efficient, but requires pairwise shared keys between allnodes. the MAC list in the REQUEST is computed using a key shared between thetargetand the current

node. Digital signatures the REQUEST includes a signaturelist TESLA

target buffers the REPLY until intermediate nodes can release thecorrespondingTESLA keys

Protection against node removal use one-way hash functions to verify that no hop was omitted -- called

per-hop hashing.


39/46

Outline

38



n


40/46

Secure packet forwarding

39

It is possible for a malicious node to correctlyparticipatein the route discovery phase but fail to correctlyforwarddatapackets. The security solution should ensure that each

nodeindeed forwards packets according to its routingtable. This is typically achieved by the reactiveapproachbecause attacks on packetforwarding cannot be completelyprevented Two key components of this solutionare a detection technique and

a reaction scheme


41/46

Detection

40

Each node may perform localized detection by overhearing ongoingtransmission

Limited by channel errors, interference, mobility

Need mechanisms to avoid false accusations (slander)

e.g.

watchdog solution[10] for DSR A sends to B and knows (from header) that Bs next hop isC Assuming symmetric links, A will check to see if it overhears Bs transmissionto C, if not it increases a

counter If the counter passes a threshold it reports Bs behavior to thesource

Solution[11] works for AODV Same concept after adding a next_hop field in

AODV Also considered other kinds ofattacks

Solution [9] utilizes an Ack-based scheme Used on demand when a path loss rate issuspicious Sends encryptedprobes


42/46


43/46

Outline

42



n


44/46

802.11 MAC

43

The attacker may exploit its binary exponentialbackoffscheme to launch DoS attacks [5,6]. Reference [5] uses simulations to show thatimplementinga fair MAC protocol is a necessary butinsufficienttechnique to solve the

problem. Need a MAC with fairnessguarantees [6] proposes a MAC protocol that seeks to detectandreact to MAC-layer misbehaviors (i.e. it isreactive) The backoff timer is provided by the receiver (hence receiver

candetect misbehavior)

NAV field in RTS/CTS is vulnerable to DoS attacks[12] Attacker may only need to interfere on a few bits

powerconsumption favors the adversarysideNot clear how to prevent such resource consumption-based DoSattacks


45/46

IEEE 802.11 WEP

44

WEP [14] (Wired EquivalentPrivacy) is 802.11s optional encryption standard implemented in the

MAClayer

WEP has several problems regarding the vulnerabilityofthe cryptographic techniques toattacks

802.11i WPA [13] seems to have fixedtheseweaknesses


46/46

Conclusion

45

Touched on a few issues regarding securing ad hoc networks

Research on adhoc networks security is still in its earlystage The existing proposals are typically attack-centric: first identify several security threats

and then enhance the existing protocol or propose a new protocol

This may not work well under unanticipated attacks

A more ambitious goal is to embed security measures that can protectagainst unanticipated attacks a broader space e.g. treat malfunction

as an attack?

Need better tools to understand tradeoffs between security strength,

communication overhead, computation complexity, energyconsumption, and scalability (largely unexplored)

monet23 security in adhoc networks

Documents