Securing Wireless Sensor Networks
CCSP 8 Dec 2003 1
Securing Wireless Sensor Networks
CCSP Seminar
8 December 2003
David Evans
http://www.cs.virginia.edu/evans/talks/ccsp
Department of Computer Science
University of Virginia
CCSP 8 Dec 2003 2
Two Talks for the Price of One!
• 5000 years of cryptography
  – Symmetric Ciphers
  – Asymmetric Ciphers
• Securing Wireless Sensor Networks
  – Key Distribution
  – Data Aggregation
  – Wormhole Attacks and Defenses
CCSP 8 Dec 2003 3
Terminology
[Diagram: Alice, Plaintext → Encrypt → Ciphertext over the Insecure Channel (Eve) → Decrypt → Plaintext, Bob]
C = E(P)
P = D(C)
E must be invertible: P = D (E (P))
CCSP 8 Dec 2003 4
[Diagram: Alice, Plaintext → Encrypt (K) → Ciphertext over the Insecure Channel (Eve) → Decrypt (K) → Plaintext, Bob]
C = E(P, K)
P = D(C, K)
“The enemy knows the system being used.”
Claude Shannon
CCSP 8 Dec 2003 5
Jefferson’s Wheel Cipher
Key: the order of wheels on the spindle
CCSP 8 Dec 2003 6
http://monticello.org/jefferson/wheelcipher
Applet on Monticello’s web site by CS201J students: Matt Spear, “Boyd” Worawannotai, Edward Mitchell
(Note: not for use on nuclear secrets!)
CCSP 8 Dec 2003 7
Jefferson Wheel Cipher
• If used carefully, effectively unbreakable in Jefferson’s day
  – US army used very similar cipher in WWI
• “Easy” to break today
  http://www.cs.virginia.edu/cs588/challenges/wheel-solved.html
A billion billion is a large number, but it’s not that large a number.
— Whitfield Diffie
CCSP 8 Dec 2003 8
Modern Symmetric Ciphers
• Same idea but:
  – Use digital logic instead of mechanical rotors
  – Larger keys
  – Encrypt blocks of letters at a time
• Good choice for most applications: AES (Rijndael)
  – Effectively unbreakable, minimal performance cost
  – 128 (“billion billion billion billion”) or 256 (“billion^8”) bit keys
  – No practical attacks better than brute force known (yet)
CCSP 8 Dec 2003 9
Problem with all Symmetric Ciphers
[Diagram: Alice, Plaintext → Encrypt (K) → Ciphertext over the Insecure Channel (Eve) → Decrypt (K) → Plaintext, Bob]
How do Alice and Bob agree on K (without Eve hearing it)?
CCSP 8 Dec 2003 10
Padlocked Boxes
[Figure labels: Alice; “Hi!”]
CCSP 8 Dec 2003 11
Padlocked Boxes
[Figure labels: Alice; “Hi!”; Alice’s Padlock; Alice’s Padlock Key]
CCSP 8 Dec 2003 12
Padlocked Boxes
[Figure labels: Alice; Alice’s Padlock Key; Shady Sammy’s Slimy Shipping Service]
CCSP 8 Dec 2003 13
Padlocked Boxes
[Figure labels: Alice; “Hi!”; Bob; Bob’s Padlock; Bob’s Padlock Key; Alice’s Padlock Key]
CCSP 8 Dec 2003 14
Padlocked Boxes
[Figure labels: Alice; “Hi!”; Bob; Bob’s Padlock Key; Alice’s Padlock Key]
CCSP 8 Dec 2003 15
Padlocked Boxes
[Figure labels: Alice; “Hi!”; Bob; Bob’s Padlock Key; Alice’s Padlock Key]
CCSP 8 Dec 2003 16
Padlocked Boxes
[Figure labels: Alice; “Hi!”; Bob; Bob’s Padlock Key]
CCSP 8 Dec 2003 17
Padlocked Boxes
[Figure labels: Alice; “Hi!”; Bob; Bob’s Padlock Key; “Hi!”]
CCSP 8 Dec 2003 18
One-Way Functions
• Easy to compute, hard to invert
• Trap-door one way function:
  – D (E (M)) = M
  – E and D are easy to compute.
  – Revealing E doesn’t reveal an easy way to compute D.
  – Hence, anyone who knows E can encrypt, but only someone who knows D can decrypt
CCSP 8 Dec 2003 19
RSA [Rivest, Shamir, Adleman 78]
One-way function: multiplication is easy, factoring is hard
Trap-door: number theory (Euler and Fermat)
CCSP 8 Dec 2003 20
Public-Key Applications: Privacy
• Alice encrypts message to Bob using Bob’s Private Key
• Only Bob knows Bob’s Private Key, so only Bob can decrypt message
[Diagram: Alice, Plaintext → Encrypt (Bob’s Public Key) → Ciphertext → Decrypt (Bob’s Private Key) → Plaintext, Bob]
CCSP 8 Dec 2003 21
Signatures
• Bob knows it was from Alice, since only Alice knows Alice’s Private Key
• Non-repudiation: Alice can’t deny signing message (except by claiming her key was stolen!)
• Integrity: Bob can’t change message (doesn’t know Alice’s Private Key)
[Diagram: Alice, Plaintext → Encrypt (Alice’s Private Key) → Signed Message → Decrypt (Alice’s Public Key) → Plaintext, Bob]
CCSP 8 Dec 2003 22
Problems with RSA
• About 1000 times slower than symmetric algorithms
  – Just use RSA to transfer key, then use AES to encrypt data
• Key size (and size of smallest message) must be large for security
  – 1024 bits ~ 128 bits for secret key
• Public key doesn’t need confidentiality, but does need integrity
CCSP 8 Dec 2003 23
Key Management
Everyone can know the public key, but to be useful must know it is the owner’s public key.
[Diagram: Alice, Plaintext → Encrypt (“Bob’s Public Key”, really Eve’s Public Key) → Ciphertext → Decrypt (Bob’s Private Key) → Plaintext]
[Figure labels: “Hi!”; Alice’s Padlock Key; Really Eve’s Padlock]
CCSP 8 Dec 2003 24
Securing Sensor Networks
CCSP 8 Dec 2003 25
Sensor Networks
Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly
High-power base station
CCSP 8 Dec 2003 26
Why security for sensor networks is hard
• Low power devices
  – Public-key algorithms use too much energy
• Limited device communication
  – Sending messages is extremely expensive
• Communication is wireless
  – All messages are vulnerable to eavesdropping and forgery
• Individual devices easily compromised
  – Cheap hardware in hostile territory
CCSP 8 Dec 2003 27
Control Messages
Operator at base station controls behavior of sensor nodes
High-power base station
CCSP 8 Dec 2003 28
Rogue operator or compromised node should not be able to control behavior of other sensor nodes
High-power base station
CCSP 8 Dec 2003 29
Control Integrity
• Needs asymmetry:
  – Only base station can send out control messages
  – But, every node needs to understand them
• Traditional: Asymmetry of Information
  – Use public-key encryption:
    • Send messages with base’s private key
    • Pre-load all nodes with base’s public key
  – Too expensive: nodes would need to receive long messages and do public key decryptions
• Instead: asymmetry of time
CCSP 8 Dec 2003 30
Cryptographic Hash Chains
[Diagram: f applied repeatedly to x, giving f (x), f (f (x)), f (f (f (x))), drawn against a time axis]
Initially store: K0 = f^4(x)
K1 = f^3(x): verify f (K1) = K0
K2 = f^2(x): verify f (K1) = K0
f is a one-way function: easy to calculate f(x), but difficult to invert f.
CCSP 8 Dec 2003 31
µTesla [Perrig, et al., 2002]
• Initially: sensor nodes know K0 = f^n(x), base station knows x
• Base station messages encrypted using K1 = f^(n-1)(x)
• Nodes store and time stamp messages, but cannot decrypt them (yet)
• At time t1, base station broadcasts K1
• Nodes verify f (K1) = K0
• Nodes use K1 to decrypt earlier messages
• Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed
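The hash chain and delayed key disclosure from the two slides above, as an added sketch that is not code from the talk or from the µTesla authors. It assumes SHA-256 for f, uses an HMAC keyed with Ki to authenticate each message instead of encrypting it, takes constructed disclosure times, and goes slightly beyond the slide by letting a node catch up after a missed disclosure.

```python
import hashlib
import hmac

def f(key):
    """One-way function f (SHA-256 is an assumption; the slides name none)."""
    return hashlib.sha256(key).digest()

def make_chain(x, n):
    """Base station side: return [K0, ..., Kn] with Ki = f^(n-i)(x)."""
    chain = [x]
    for _ in range(n):
        chain.append(f(chain[-1]))
    return chain[::-1]

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class Node:
    """Sensor node pre-loaded with K0 and the key disclosure schedule."""
    def __init__(self, k0, disclosure_times):
        self.key, self.index = k0, 0       # newest authenticated chain key
        self.times = disclosure_times      # {i: time at which Ki is broadcast}
        self.pending = []                  # (i, msg, tag) waiting for Ki

    def receive(self, i, msg, tag, now):
        # Loose time sync: once Ki may be public, anyone can compute a valid tag.
        if now >= self.times[i]:
            return False
        self.pending.append((i, msg, tag))
        return True

    def disclose(self, i, key):
        """Accept Ki only if f^(i - index)(Ki) equals the stored key, then
        return the buffered interval-i messages whose tags verify."""
        if i <= self.index:
            return []
        k = key
        for _ in range(i - self.index):    # more than one step after a missed key
            k = f(k)
        if not hmac.compare_digest(k, self.key):
            return []                      # forged key: state is unchanged
        self.key, self.index = key, i
        ok = [m for j, m, t in self.pending
              if j == i and hmac.compare_digest(t, mac(key, m))]
        self.pending = [p for p in self.pending if p[0] > i]
        return ok
```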
CCSP 8 Dec 2003 32
Data Integrity
Only data from legitimate nodes should be accepted by the base station
High-power base station
CCSP 8 Dec 2003 33
Node Authentication
• Before deployment, establish a shared symmetric secret key between each node and base station: KNS
• Send readings with a MAC: RA | MAC (KAS, RA)
Assumes confidentiality of transmitted readings is not important. We are only concerned with integrity.
CCSP 8 Dec 2003 34
Authenticated Sensor Net
Each node transmits: N | RN | MAC (KNS, RN)
Base station verifies MAC before accepting RN.
CCSP 8 Dec 2003 35
Data Aggregation
If you only care about average, max, etc., aggregate data inside the network instead of sending it to the base station.
CCSP 8 Dec 2003 36
Authenticated Data Aggregation
[Diagram: nodes A, B and C]
A | RA | MAC (KAS, RA)
B | RB | MAC (KBS, RB)
C | Aggr (RA, RB) | MAC (KCS, Aggr (RA, RB))
CCSP 8 Dec 2003 37
Secure Aggregation
• Delayed Aggregation: Only aggregate messages after they have traveled one hop
• Delayed Authentication: Use µTesla variation to reveal children’s keys to parents to provide delayed authentication
Lingxuan Hu and David Evans. Secure Aggregation for Wireless Networks. Workshop on Security and Assurance in Ad hoc Networks. January, 2003.
CCSP 8 Dec 2003 38
Protocol Example
[Diagram: nodes A, B, C, D, E, F and G, labelled with the messages below]
IDA | RA | MAC (KAi, RA)
IDB | RB | MAC (KBi, RB)
IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB))
IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD))
IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB)) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD))
KAi is the ith key in a µTesla key chain starting from KAS
CCSP 8 Dec 2003 39
[Diagram: nodes A, B, C, D, E, F, G and H, labelled with the messages below]
IDA | RA | MAC (KAi, RA)
IDB | RB | MAC (KBi, RB)
IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB))
IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD))
IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB)) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD))
IDG | Aggr (Aggr (RA, RB), Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD)) | … (same from right side) | MAC (KHi, Aggr (RA, RB, RC, RD, . . . readings from right side))
CCSP 8 Dec 2003 40
Abridged Attack Analysis
• Intruder Node (no key material)
  – Cannot forge sensor readings: they will be detected when the base station reveals the node MAC keys
  – Replay attacks ineffective: keys change, can only replay readings within this time period
• Compromised Node (all keys on one node)
  – Can lie about its own reading
  – But, cannot alter other nodes’ readings without getting caught: aggregate will not match calculated aggregate at next level
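The check behind the last bullet, as an added sketch that is not code from the talk or the Hu and Evans paper: a parent forwards its children's messages unaggregated with a MAC over the aggregate, and the next level recomputes the aggregate once the interval keys are revealed. The 8-byte truncated HMAC-SHA256, the use of a sum for Aggr, the function names and the keys and readings are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def mac(key, value):
    """8-byte MAC of a numeric reading (truncated HMAC-SHA256, an assumption)."""
    return hmac.new(key, struct.pack(">d", value), hashlib.sha256).digest()[:8]

def aggr(readings):
    """Aggr(): a sum here; any aggregate function fits the same checks."""
    return sum(readings)

def leaf_message(node_id, key, reading):
    """ID | R | MAC (K, R), as sent by a leaf such as A or B."""
    return (node_id, reading, mac(key, reading))

def parent_message(node_id, key, child_msgs):
    """Delayed aggregation: forward the children's messages unaggregated and
    append MAC (K, Aggr (...)), as E does on the slide."""
    total = aggr(r for _, r, _ in child_msgs)
    return (node_id, list(child_msgs), mac(key, total))

def verify_after_reveal(msg, revealed):
    """Next level up, once the interval keys are revealed: return the IDs
    whose MAC does not verify (an empty list means everything checks out)."""
    parent_id, child_msgs, parent_tag = msg
    failed = [cid for cid, r, tag in child_msgs
              if not hmac.compare_digest(tag, mac(revealed[cid], r))]
    # Recompute the aggregate from the forwarded readings and compare it
    # with the value the parent committed to.
    total = aggr(r for _, r, _ in child_msgs)
    if not hmac.compare_digest(parent_tag, mac(revealed[parent_id], total)):
        failed.append(parent_id)
    return failed

# Constructed interval keys and readings.
KEYS = {"A": b"key-A-i", "B": b"key-B-i", "E": b"key-E-i"}
A_MSG = leaf_message("A", KEYS["A"], 20.5)
B_MSG = leaf_message("B", KEYS["B"], 22.0)

def scenarios():
    """Honest E, E altering A's reading, and E committing to a false aggregate."""
    honest = parent_message("E", KEYS["E"], [A_MSG, B_MSG])
    altered = parent_message("E", KEYS["E"], [("A", 90.0, A_MSG[2]), B_MSG])
    bad_sum = ("E", [A_MSG, B_MSG], mac(KEYS["E"], 500.0))
    return [verify_after_reveal(m, KEYS) for m in (honest, altered, bad_sum)]
```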
CCSP 8 Dec 2003 41
Successful Attacks
• Compromised node selectively drops child readings
  – Nothing to prevent this (but unlikely to change much without base station noticing)
  – Can use child snooping to catch it earlier
• Compromise two consecutive (parent and grandparent) nodes
  – Can forge readings for entire subtree
CCSP 8 Dec 2003 42
Communication Cost
[Chart: Total Kilobytes Transmitted (axis 0 to 800) against Sensor Nodes (340, 1364, 5460) for No Aggregation, Insecure Aggregation and Secure Aggregation]
Sensor reading: 22 bytes
MAC of message: 8 bytes
Ideal binary network
Secure Aggregation requires about 3 times the amount of data transmission as Insecure Aggregation, but provides integrity with < ½ the cost of no aggregation.
CCSP 8 Dec 2003 43
Summary
• With our protocol, you can get authenticated results without trusting your children at all, and trusting your parents and grandparents not to conspire together against you.
• Not trusting your children is reasonable (inexpensive)
• Not trusting your parents is expensive: requires over twice the resources of the insecure aggregation protocol
CCSP 8 Dec 2003 44
Routing Security
(Lingxuan Hu’s slide)
CCSP 8 Dec 2003 45
Wormhole Attack
• Tunnel packets received in one place of the network and replay them in another place
• The attacker needs no key material, just two transceivers!
CCSP 8 Dec 2003 46
Impact of Wormhole
[Chart: Fraction of Routes to Base Station Disrupted (axis 0 to 1) against Position of Endpoint (x, x) (axis 0 to 500), for Base Station at Corner and Base Station at Center]
CCSP 8 Dec 2003 47
Preventing Wormhole Attacks
• Know your neighbors
• Physical Space
  – Exploit knowledge about physical space
• Redundancy
  – Use cooperation to establish trust
• Physical properties
  – Speed of transmission limits time when another node can hear it
CCSP 8 Dec 2003 48
Directional Antennas
Operation Modes: Omni and Directional
Lingxuan Hu and David Evans. Using Directional Antennas to Prevent Wormhole Attacks. Network and Distributed System Security Symposium (NDSS), Feb 2004.
CCSP 8 Dec 2003 49
Antenna Model
[Diagram: antenna divided into zones numbered 1 to 6, with angle label “/3”; East marked]
Nodes orient themselves using a magnetic compass so zone 1 always faces East.
CCSP 8 Dec 2003 50
Directional Neighbor Discovery
[Diagram: nodes A and N; antenna zones numbered 1 to 6]
1. A → Region: HELLO | IDA
   Sent by all antenna elements (sweeping)
2. N → A: IDN | EKNA (IDA | R | zone (N, A))
   Sent by zone (N, A) element
   R is a random nonce
3. A → N: R
zone (N, A) is the antenna zone in which N hears A
CCSP 8 Dec 2003 51
[Diagram: nodes A and B; antenna zones numbered 1 to 6]
zone (B, A) = 1
zone (A, B) = 1
zone (x, y) should be opposite zone (y, x)
A and B know they are not really neighbors
Sophisticated Wormhole
[Diagram: nodes A and B; antenna zones numbered 1 to 6]
zone (A, B) = 1
zone (B, A) = 4
Wormhole can convince ~1/6 of node pairs they are false neighbors
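The opposite-zone check from the two slides above, as an added sketch that is not code from the talk or the NDSS paper. It assumes zone 1 is centred on East with zones numbered clockwise, models a wormhole as each victim hearing the other from the direction of its local endpoint, and places victims uniformly around constructed endpoint coordinates to reproduce the ~1/6 figure.

```python
import math
import random

def zone_of(listener, source):
    """Antenna zone (1..6) in which `listener` hears a signal from `source`."""
    dx, dy = source[0] - listener[0], source[1] - listener[1]
    bearing = math.degrees(math.atan2(dy, dx))   # 0 = East, counter-clockwise
    # Assumed layout: zone 1 centred on East, zones numbered clockwise.
    return int(((30 - bearing) % 360) // 60) % 6 + 1

def opposite(zone):
    """1 <-> 4, 2 <-> 5, 3 <-> 6."""
    return (zone + 2) % 6 + 1

def accept_neighbor(zone_a_hears_b, zone_b_hears_a):
    """zone (x, y) should be opposite zone (y, x)."""
    return zone_a_hears_b == opposite(zone_b_hears_a)

def direct_link(a, b):
    return accept_neighbor(zone_of(a, b), zone_of(b, a))

def wormhole_link(a, b, end_near_a, end_near_b):
    """Each victim hears the other from the direction of its local endpoint."""
    return accept_neighbor(zone_of(a, end_near_a), zone_of(b, end_near_b))

def fooled_fraction(trials=20000, seed=1):
    """Fraction of victim pairs, placed uniformly around the two endpoints,
    that still pass the opposite-zone check through the wormhole."""
    rng = random.Random(seed)
    end_a, end_b = (0.0, 0.0), (1000.0, 0.0)     # constructed coordinates
    fooled = 0
    for _ in range(trials):
        ta = rng.uniform(0, 2 * math.pi)
        tb = rng.uniform(0, 2 * math.pi)
        a = (end_a[0] + 10 * math.cos(ta), end_a[1] + 10 * math.sin(ta))
        b = (end_b[0] + 10 * math.cos(tb), end_b[1] + 10 * math.sin(tb))
        fooled += wormhole_link(a, b, end_a, end_b)
    return fooled / trials
```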
CCSP 8 Dec 2003 53
Verified Neighbor Discovery
• Wormhole can only trick nodes in particular locations
• Verify neighbors using other nodes
• Based on the direction from which you hear the verifier node, and the direction from which it hears the announcer, you can distinguish a legitimate neighbor
CCSP 8 Dec 2003 54
Verifier Region
1. zone (B, A) zone (B, V)
2. zone (B, A) zone (V, A)
3. zone (B, V) cannot be both adjacent to zone (B, A) and adjacent to zone (V, A)
CCSP 8 Dec 2003 55
Lose some legitimate Neighbors
[Chart: Links Connected Ratio (axis 0 to 1) against Node Distance (r) (axis 0 to 1), for Verified Protocol (Density=10), Verified Protocol (Density=3), Strict Protocol (Density=10) and Strict Protocol (Density=3)]
CCSP 8 Dec 2003 56
…but small effect on connectivity and routing
Omni density = 3, Directional Density = 9.7
[Plot: node layout, y (meters) against x (meters), both axes 0 to 500]
[Chart: Average Path Length (axis 0 to 10) against Omnidirectional Node Density (axis 4 to 20), for Trust Everything and Verified Neighbor Discovery Protocol]
CCSP 8 Dec 2003 57
Summary
www.cs.virginia.edu/evans/talks/ccsp
• Morals:
  – Secure aggregation: don’t trust your children, trust your parents and grandparents not to conspire against you
  – Wormhole Defenses: know your neighbors, but don’t trust them unless your other neighbors do
• CRAB Seminar plug: CS851 Cryptography Applications
• Funding: NSF CAREER, NSF ITR