monet23 security in adhoc networks
TRANSCRIPT
-
7/29/2019 Monet23 Security in Adhoc Networks
1/46
-
7/29/2019 Monet23 Security in Adhoc Networks
2/46
1
ECSE6962: Wireless Ad Hoc Networks
Security
Alhussein Abouzeid
ECSE, RPINovember 28th, 2005
-
7/29/2019 Monet23 Security in Adhoc Networks
3/46
Outline
2
Security and the protocolstack Security approaches andtradeoffs Security problems at link and networklayers Outline ofsolutions Securityprimitives Secure routing protocolexample Secure packetforwarding Remarks on Link-layersecurity Conclusion
-
7/29/2019 Monet23 Security in Adhoc Networks
4/46
Outline
3
Security and the protocolstack Security approaches andtradeoffs Security problems at the network and linklayers Outline ofsolutions Securityprimitives Secure routing protocolexample Secure packetforwarding Remarks on Link-layersecurity Conclusion
-
7/29/2019 Monet23 Security in Adhoc Networks
5/46
Security and the protocol stack
4
Early research focused on the challenges posed byadhoc networks to MAC androuting Security becomes a primary concern in ahostileenvironmen
t Additional challenges compared towired Shared wireless medium Resource constraints (energy and/or bandwidth)
Dynamic topology (mobility, users join/leave,etc.) The goal is to provide protected multi-
hopcommunication between nodes in a hostileenvironment Security solutions may (should?) span the entireprotocolstack Solutions for wired networks do not directlyapply
-
7/29/2019 Monet23 Security in Adhoc Networks
6/46
Security solutions span the entire stack
5
Layer
Security issue
Application Viruses, worms
Transport Authentication for end-to-endcommunication
Network
Protecting routing and forwarding
protocols
Link Protecting the wireless MAC protocol;provide link layersecurity
Physical Signal jamming DoS attacks
-
7/29/2019 Monet23 Security in Adhoc Networks
7/46
Outline
6
Security and the protocolstack Security approaches andtradeoffs Security problems at the network and linklayers Outline ofsolutions Securityprimitives Secure routing protocolexample Secure packetforwarding Remarks on Link-layersecurity Conclusion
-
7/29/2019 Monet23 Security in Adhoc Networks
8/46
Security Approaches and tradeoffs
7
1. Proactive Prevent an attack from happening
2. Reactive Detect an attack and react quickly
Effective approaches are likely
hybrid The key components: prevention, detection, reaction. Security typically comes at a cost
Computation
Communication
Management overhead
Performance may suffere.g. Scalability
Service availability
Robustness
Solutions should consider not only security strength but alsoperformance metrics
-
7/29/2019 Monet23 Security in Adhoc Networks
9/46
Outline
8
Security and the protocolstack Security approaches andtradeoffs Security problems at the network and linklayers Outline ofSolutions Secure routing protocolexample Secure packetforwarding Remarks on Link-layersecurity Conclusion
-
7/29/2019 Monet23 Security in Adhoc Networks
10/46
Securing connectivity in ad-hoc
networks
9
The protection of the network basic functionalitytodeliver data bits from one node toanother. This entails the protectionof: Link-layer: one hop connectivity Routing layer: extending connectivity to multiple hops
Unlike wired, no clear line ofdefense : the wireless channel is accessible to legitimate as well
asmalicious attackers
each node may function as a router
so there is no clear point to implement access/traffic control
the boundary between network edges and core is blurred
A malicious attacker can easily assume the routerrolebut intentionally deviate from the protocolspecifications
-
7/29/2019 Monet23 Security in Adhoc Networks
11/46
Network Layer Attacks
10
Cooperation is assumed but notenforced The main network layer operationsare routing
packet forwarding
These are notseparate Routing protocols exchange messages and
maintainnetwork routing state at eachnode Packet forwarding follows accordingly (hopefully!)byintermediate nodes along apath thus, we have routing and packet forwardingattacks
-
7/29/2019 Monet23 Security in Adhoc Networks
12/46
Routing attacks
11
Routing attacks: any routing message updates thatdonot follow the specs depends on the protocole.g. e.g. DSR: mess with the RREQ or RREP packets:
add, remove, append a node to the list [1]
advertise that an active link is broken [1]
e.g. AODV: mess with the distance metrics:
advertise a smaller metric than the actual distance to thedestination;
advertise wrong updates with a larger sequence numberhence invalidate other valid updates [2]
e.g. Wormhole effect [4]: Pair of attackers shortcuts the normalflows by altering theroutes Results in: longer routes, non-existent routes, loops, severecongestion on specific nodes/links
-
7/29/2019 Monet23 Security in Adhoc Networks
13/46
Packet Forwarding Attacks
12
Drop, modify or duplicate the packets alreadyforwarded Inject a large amount of (junk) packets (Denial ofServiceDoS attack network layer packetblasting) Cause severe persistent congestion
Increased due to MAC contention
-
7/29/2019 Monet23 Security in Adhoc Networks
14/46
Link Layer Attacks
13
802.11 is vulnerable to attacks targeting itschannelcontention and allocation schemes,e.g.
Exploit the binary exponential backoff mechanism to deny
access to the channel by its neighbors [10,11]
Overhear the NAV field carried in the RTS/CTS which indicatesthe duration of the reservation, then intentional interfere during
the data transmission of a neighbor (also considered a DoS
attack)
-
7/29/2019 Monet23 Security in Adhoc Networks
15/46
Outline
14
Security and the protocolstack Security approaches andtradeoffs Security problems at the network and linklayers Outline ofsolutions Securityprimitives Secure routing protocolexample Secure packetforwarding Remarks on Link-layer
security Conclusion
-
7/29/2019 Monet23 Security in Adhoc Networks
16/46
15
Prevention
Mainly achieved by secure routingprotocols
Work in a proactive manner, to prevent the attackerfrominstalling incorrect routing
states
Typical routing protocols + cryptographic primitivestoauthenticate routing messages (will see exampleslater)
From experience, any connected node is not100%secure. If its true for wired, its also true forwireless
-
7/29/2019 Monet23 Security in Adhoc Networks
17/46
Detection & Reaction
16
Identification of malicious nodes by noticingtheirabnormalbehavior
This is intrinsically
reactive
1. End-to-end detection
2. Local detection through collaborative decision-making
Reaction: Adjust routing and forwarding operationtoavoid or exclude the maliciousnode
-
7/29/2019 Monet23 Security in Adhoc Networks
18/46
Network Layer Security
17
Secure ad hoc routingprotocols ensure that the routing message exchanged between nodes is
consistent with the protocol specification
Secure packet forwardingprotocols ensure the packet forwarding behavior of each nodeisconsistent with its routing states
-
7/29/2019 Monet23 Security in Adhoc Networks
19/46
Outline
18
Security and the protocolstack Security approaches andtradeoffs Security problems at the network and linklayers Outline of
solutions Securityprimitives Secure routing protocolexample Secure packetforwarding Remarks on Link-layer
security Conclusion
-
7/29/2019 Monet23 Security in Adhoc Networks
20/46
Message Authentication Primitives
19
The essential component in any security designismessageauthentication Three crypto primitives for message authenticationare:1. HMAC
2. DigitalSignature3. One-wayHMAC
-
7/29/2019 Monet23 Security in Adhoc Networks
21/46
1. HMAC
20
What it is:
Hash function based Message Authentication Code [15]
hash functions are not keyed primitives, ie. do not
accommodate naturally the notion of secret key, but we
neglect that detail here
It was designed to meet the requirements of the IPSEC workinggroup in the IETF, and is now a standard.
How can I make sure that the message is actually sent by mypartner and it is as sent by the partner (unmodified)?
If two nodes share a secret symmetric key K, they can generateand verify a message authenticator h_K(.) using a cryptographic
one way hash function h.
-
7/29/2019 Monet23 Security in Adhoc Networks
22/46
HMAC (Contd)
21
How itworks: when party A transmits a message to party B, it appends to the
message a value called the authentication tag, computed by theMAC algorithm as a function of the transmitted information andthe shared secret key.
At reception, B recomputes the authentication tag on thereceived message using the same mechanism (and key) andchecks that the value he obtains equals the tag attached to thereceived message.
Only if the values match is the information received consideredas not altered on the way from A to B.1
(In cryptography, the goal is to prevent forgery, namely, thecomputation, by the adversary, of a message (not sent by thelegitimate parties) and its corresponding valid authenticationtag.)
-
7/29/2019 Monet23 Security in Adhoc Networks
23/46
(HMAC contd)
22
Advantages: The computation is very efficient (good for
handhelds)
Disadvantages
: Establishing a secret key in the first place is not trivial Does not scale well: a network of n nodes requires n(n-1)/2
keysto be established (and maintained).
Does not suit broadcast
e.g. SRP for DSR[13]
-
7/29/2019 Monet23 Security in Adhoc Networks
24/46
2. Digital Signatures
23
Asymmetric KeyCryptography Digital signatures use asymmetric key crypto, so here is an intro
key material is bound to a single user
a private key, to which only the user has access, and
a public key, which may be published or distributed on request.
Each key generates a corresponding transformation function
The functions are inversely related, i.e., if one function is used toencrypt a message, the other is used to decrypt the message
The advantage of a public-key system is that two users cancommunicate securely without exchanging secret keys.
The originator encrypts the message using the recipient's public key. Only the recipient's private key can be used to decrypt the message.
This is due to the computational infeasibility of inverting the publickey transformation function. In other words, without the recipient's
private key, it is computationally infeasible for the interceptortotransform the ciphertext into its original plaintext.
-
7/29/2019 Monet23 Security in Adhoc Networks
25/46
2. Digital Signatures
24
What it is: Based on asymmetric key (also called public-key)
cryptographye.g. RSA (see next slide)
A digital signature is a cryptographic checksum computed as afunction of a message and a user's private key.
A digital signature is different from a hand-written signature, inthat hand-written signatures are constant, regardless of thedocument being signed. A user's digital signature varies with thedata. For example, if a user signs five different messages,fivedifferent signatures are generated. Each signature, however, canbe authenticated for the signing user.
Due to the efficiency drawbacks of public-key cryptography,auser often signs a condensed version of a message, called amessage digest, rather than the message itself. Message digestsare generated by (1-way & collision-free) hashfunctions.
-
7/29/2019 Monet23 Security in Adhoc Networks
26/46
25
So, digital signature goes asfollows:At originator: Apply hash function to message to generate message digest
Encrypt message digest using own private key signature
Append signature to the message
Send message+signature.
At intended receiver:
Apply hash function to message to generate message digest_B
Decrypt signature using originator public key message
digest_A
Note: this does not protect the message from being seen by others.But it proves to receiver that the message is authentic andunaltered.
-
7/29/2019 Monet23 Security in Adhoc Networks
27/46
26
So, (secure) digital signature goes asfollows:At originator: Apply hash function to message to generate message digest
Encrypt message digest using own private keysignature
Append signature to the message
(Encrypt all of this using receivers public key)
Send encrypted(message+signature)
At intended receiver:
(Decrypt using own private
key
originator signature +
message) Apply hash function to message to generate message digest_B
Decrypt signature using originator public key messagedigest_A
-
7/29/2019 Monet23 Security in Adhoc Networks
28/46
Advantages
27
Scalesbetter a digital signature (but not secure message) can be verified by
any node given that it knows the public key of the signing node,
hence is scalable to a large numbers of receivers only atotalnumber of n public/private key pairs
-
7/29/2019 Monet23 Security in Adhoc Networks
29/46
-
7/29/2019 Monet23 Security in Adhoc Networks
30/46
3. One-way HMAC Key Chain
29
How itworks: To generate a key chain of length n+1, the first element of the
chain h is randomly picked and then the chain is generated by0repeatedly applying a one-way functionH A one-way hash function maps an input to an output of a fixed
length, which is the new key
The keys are then used and revealed in the reverseorder,starting from the last generated key hn
Any key hj can be verified from hi ( 0 i < j n ) to be indeed anelement in the chain by repeatedly applying H for j i times
Advantages: Less computation than asymmetric crypto
One authenticator can be verified by a large number ofreceivers
-
7/29/2019 Monet23 Security in Adhoc Networks
31/46
30
Disadvantages: Requires synchronization
Receivers need to buffer messages for verification when thekeyis revealed this delay may reduce routing protocol
responsiveness to topology changes
The release of the key requires a second roundofcommunication
Storage of the hash chain limits scalability
e.g. TESLA, SEAD (for DSDV) and Ariadne (forDSR).
-
7/29/2019 Monet23 Security in Adhoc Networks
32/46
31
TESLA (example of one way HMACkeychain
) Unicast authentication is cheap, using symmetrickeyauthentication, but doesnt scale forbroadcast. Secure broadcast authentication requires anasymmetricprimitiv
e TESLA differs from asymmetric protocols (e.g. RSA)inthat it achieves this asymmetry fromclocksynchronization and delayed key disclosure, ratherthanfrom computationally expensive one-wayfunctions
-
7/29/2019 Monet23 Security in Adhoc Networks
33/46
TESLA (Contd)
32
Timed Efficient Stream Loss-tolerant Authentication[8] Requires time synchronization and causes delay inauthentication Idea: The sender commits to a random key k without revealing it and transmits it to the
receivers. The sender then attaches a message authenticating code to the next packet P and usesthe
ikey k as the MACkey. In a later packetP
i+1, the sender decommits to k (i.e. it discloses the key), which allowsthereceivers to verify the commitment and the MAC of packet
P.
i
If both verifications are correct, and if it is guaranteed that packetP
i+1 was not sentbeforepacket P was received, then a receiver knows that the packet P is
authentic.i i
To start this scheme, the sender uses a regular signature scheme to sign theinitialcommitment. All subsequent packets are authenticated throughchaining. Security condition: A data packet Pi arrived safely, if the receiver canunambiguouslydecide, based on its synchronized time and network delay, that the sender did not yetsendout the corresponding key disclosurepacket.
Packet loss
tolernace Sender precomputes a sequence of n key values, called key chain (all one way i.e. eachoneis notinvertible) If receiver receives packet P, any subsequent packet reception allows it tocompute
i kiandki
and verify the authenticityof
Pi
-
7/29/2019 Monet23 Security in Adhoc Networks
34/46
TESLA example [9]
33
'
1 1 1 1
1 1 2
1
'
1 1
2
'
1 1 1 1
1 1 2
'
'
,(, )
,( ),
pick a fresh key
,(, )
,(
),
pick a fresh key
,(, )
,
(
),
where
() ; an
i i i i
iii
i
i
i i i i
iii
i
i
i i i i
iii
i
i i
PDMAC K D
DMF K K
K
PDMAC K D
DMF K K
K
PDMAC K D
DMF K K
KFK F
+
+
+
+
+
+ +
++++
!!
!!
!!
!!
!!
!
'
d are two hash functionsF
The example shows the transmission ofthree consecutive packets
When the i+1 packets is received, thereceivercan: Verify that Ki is correct by generating F(K)i
and comparing it with the one received in
packet i-1 Compute F(K) and generate MAC of P,i i
then compare it with the one received inpacket i.
The above also authenticate F(Ki+1)
The only way to break this security chain
isfor an attacker to get Pi+1 before thereceiver gets P (hence it would know kiiand take over the sequence without thereceiver being able to detect that.)
-
7/29/2019 Monet23 Security in Adhoc Networks
35/46
34
1
0
3
0
32
13
2
3
3
3
()
()
(
)(
)fo r examp
le:(
)(
)(
)
jj
n
n
n
iin
FxF
x
KF
KKF
K
KF
KKF
KKF
KKK
What happens if a packet in thesequence is lost?: make a key chain
Given K, an attacker cannot generateiany K, j>i.j
If a receiver receives packet Pi,
anysubsequent packet will allow it tocompute Ki and K as well as verify theiauthenticity of P.i
For example, suppose, in a sequence ofpackets, F (K ) is received, F (K ) is lost3 3
23
and F(K ) is received. Then receivercan 3run F(F(K )) to get F (K ) so as to3
23
validate the receivedpacket.
-
7/29/2019 Monet23 Security in Adhoc Networks
36/46
Outline
35
Security and the protocolstack Security approaches andtradeoffs Security problems at the network and linklayers Outline of
Solutions Secure routing protocolexample Secure packetforwarding Remarks on Link-layersecurity Conclusio
n
-
7/29/2019 Monet23 Security in Adhoc Networks
37/46
Secure Source Routing: Ariadne [1]
36
Ariadne is designed for source routingprotocols S performs a Route Discovery for target D, theysharethe secret keysK
SD andK
DS, respectively, ineachdirection
. Target authenticatesRREQ To convince the target of the legitimacy of each field in a
ROUTEREQUEST, the initiator includes a MAC computed with key KSDover unique data, e.g. timestamp. The target can easily verify the
authenticity.
-
7/29/2019 Monet23 Security in Adhoc Networks
38/46
Node list authentication in Ariadne
37
Data authentication: initiator wants to authenticate each individual node in the node list of the
RREP
target wants to authenticate each node in the node list of the ROUTEREQUEST
Ariadne proposes three techniques for node list authenticationbased : Standard MACs
is most efficient, but requires pairwise shared keys between allnodes. the MAC list in the REQUEST is computed using a key shared between thetargetand the current
node. Digital signatures the REQUEST includes a signaturelist TESLA
target buffers the REPLY until intermediate nodes can release thecorrespondingTESLA keys
Protection against node removal use one-way hash functions to verify that no hop was omitted -- called
per-hop hashing.
-
7/29/2019 Monet23 Security in Adhoc Networks
39/46
Outline
38
Security and the protocolstack Security approaches andtradeoffs Security problems at the network and linklayers Outline of
Solutions Secure routing protocolexample Secure packetforwarding Remarks on Link-layersecurity Conclusio
n
-
7/29/2019 Monet23 Security in Adhoc Networks
40/46
Secure packet forwarding
39
It is possible for a malicious node to correctlyparticipatein the route discovery phase but fail to correctlyforwarddatapackets. The security solution should ensure that each
nodeindeed forwards packets according to its routingtable. This is typically achieved by the reactiveapproachbecause attacks on packetforwarding cannot be completelyprevented Two key components of this solutionare a detection technique and
a reaction scheme
-
7/29/2019 Monet23 Security in Adhoc Networks
41/46
Detection
40
Each node may perform localized detection by overhearing ongoingtransmission
Limited by channel errors, interference, mobility
Need mechanisms to avoid false accusations (slander)
e.g.
watchdog solution[10] for DSR A sends to B and knows (from header) that Bs next hop isC Assuming symmetric links, A will check to see if it overhears Bs transmissionto C, if not it increases a
counter If the counter passes a threshold it reports Bs behavior to thesource
Solution[11] works for AODV Same concept after adding a next_hop field in
AODV Also considered other kinds ofattacks
Solution [9] utilizes an Ack-based scheme Used on demand when a path loss rate issuspicious Sends encryptedprobes
-
7/29/2019 Monet23 Security in Adhoc Networks
42/46
-
7/29/2019 Monet23 Security in Adhoc Networks
43/46
Outline
42
Security and the protocolstack Security approaches andtradeoffs Security problems at the network and linklayers Outline of
Solutions Secure routing protocolexample Secure packetforwarding Remarks on Link-layersecurity Conclusio
n
-
7/29/2019 Monet23 Security in Adhoc Networks
44/46
802.11 MAC
43
The attacker may exploit its binary exponentialbackoffscheme to launch DoS attacks [5,6]. Reference [5] uses simulations to show thatimplementinga fair MAC protocol is a necessary butinsufficienttechnique to solve the
problem. Need a MAC with fairnessguarantees [6] proposes a MAC protocol that seeks to detectandreact to MAC-layer misbehaviors (i.e. it isreactive) The backoff timer is provided by the receiver (hence receiver
candetect misbehavior)
NAV field in RTS/CTS is vulnerable to DoS attacks[12] Attacker may only need to interfere on a few bits
powerconsumption favors the adversarysideNot clear how to prevent such resource consumption-based DoSattacks
-
7/29/2019 Monet23 Security in Adhoc Networks
45/46
IEEE 802.11 WEP
44
WEP [14] (Wired EquivalentPrivacy) is 802.11s optional encryption standard implemented in the
MAClayer
WEP has several problems regarding the vulnerabilityofthe cryptographic techniques toattacks
802.11i WPA [13] seems to have fixedtheseweaknesses
-
7/29/2019 Monet23 Security in Adhoc Networks
46/46
Conclusion
45
Touched on a few issues regarding securing ad hoc networks
Research on adhoc networks security is still in its earlystage The existing proposals are typically attack-centric: first identify several security threats
and then enhance the existing protocol or propose a new protocol
This may not work well under unanticipated attacks
A more ambitious goal is to embed security measures that can protectagainst unanticipated attacks a broader space e.g. treat malfunction
as an attack?
Need better tools to understand tradeoffs between security strength,
communication overhead, computation complexity, energyconsumption, and scalability (largely unexplored)