Introduction to Sensor Networks
Rabie A. Ramadan, PhD
Cairo University
http://rabieramadan.org
rabie@rabieramadan.org

4. Security in WSN
Security Requirements
• Availability
• Data Confidentiality
• Data Integrity
• Non-repudiation
• Authorization and Key Management
Security Solution Constraints
• Lightweight
• Decentralized
• Reactive
• Fault-tolerant
Challenges in WSNs

Constraint                                   Implication
Sensor node hardware, resource constraints   Algorithms must be energy- and storage-efficient
Nodes operate unattended                     Adversary can compromise any node
Nodes not tamper-resistant                   Adversary can compromise any node’s keys
No fixed infrastructure                      Cannot assume any special-function node in vicinity
No pre-configured topology                   Nodes don’t know neighbours in advance
Communicate in an open medium                Communications are world-readable and world-writeable by default
Security design principles
• Favour computation over communication
  • Communication is 1000 times more energy-consuming than computation
• Favour resilience (tolerance) over absolute security
WSN Security Research Fields
• Routing security
• Data forwarding security
• Link layer security
• Key management
• ...
Security issues in WSN
• The discussed applications require communication in WSN to be highly secure
• Main security threats in WSN are:
  • Radio links are insecure – eavesdropping / injecting faulty information is possible
  • Sensor nodes are not tamper-resistant – if a node is compromised, the attacker obtains all of its security information
• Attacker types:
  • Mote-class: attacker has access to some number of nodes with similar characteristics / laptop-class: attacker has access to more powerful devices
  • Outside (discussed above) / inside: attacker has compromised some number of nodes in the network
Attacks on WSN
• Main types of attacks on WSN are:
  • Spoofed, altered, or replayed routing information
  • Selective forwarding
  • Sinkhole attack
  • Sybil attack
  • Wormholes
  • HELLO flood attacks
  • Acknowledgment spoofing
False routing information
[Figure: nodes labelled B, A1, A2, A3, A4; a captured node advertises a false route]
• Injecting fake routing control packets into the network; examples: attract / repel traffic, generate false error messages
• Consequences: routing loops, increased latency, decreased lifetime of the network, low reliability
• Example: a captured node attracts traffic by advertising the shortest path to the sink, high battery power, etc.
Selective forwarding
• The multi-hop paradigm is prevalent in WSN
• It is assumed that nodes faithfully forward received messages
• A compromised node might refuse to forward packets; however, its neighbours might then start using another route
• More dangerous: the compromised node forwards only selected packets
Sinkhole and Sybil attacks
• Sinkhole attack:
  • Idea: the attacker creates a metaphorical sinkhole by advertising, for example, a high-quality route to a base station
  • A laptop-class attacker can actually provide this kind of route, connecting all nodes to the real sink, and then selectively drop packets
  • Almost all traffic is directed to the fake sinkhole
  • WSNs are highly susceptible to this kind of attack because of the communication pattern: most of the traffic is directed towards the sink – a single point of failure
• Sybil attack:
  • Idea: a single node pretends to be present in different parts of the network
  • Mostly affects geographical routing protocols
Wormholes
• Idea: tunnel packets received in one part of the network to another
• A well-placed wormhole can completely disorder routing
• Wormholes may convince distant nodes that they are close to the sink. This may lead to a sinkhole if the node on the other end advertises a high-quality route to the sink
Wormholes (cont.)
• Wormholes can exploit routing race conditions, which happen when a node takes routing decisions based on the first route advertisement it receives
• Even encryption cannot prevent this attack
• Wormholes may be used in conjunction with a Sybil attack
HELLO flood attack
• Many WSN routing protocols require nodes to broadcast HELLO packets after deployment, which is a sort of neighbour discovery based on the radio range of the node
• A laptop-class attacker can broadcast a HELLO message to many nodes and then advertise a high-quality route to the sink
Acknowledgment spoofing
• Some routing protocols use link-layer acknowledgments
• An attacker may spoof acks
• Goals: convince nodes that a weak link is strong or that a dead node is alive
• Consequently a weak link may be selected for routing; packets sent through that link may be lost or corrupted
Overview of Countermeasures
• Link-layer encryption prevents the majority of attacks: bogus routing information, Sybil attacks, acknowledgment spoofing, etc.
• This makes the development of an appropriate key management architecture a task of great importance
• Wormhole attacks, HELLO flood attacks and some others are still possible: the attacker can tunnel legitimate packets to another part of the network or broadcast a large number of HELLO packets
• Multi-path routing and bidirectional link verification can also be used to prevent particular types of attacks such as selective forwarding and HELLO flood
Part One: Secure data aggregation
Phase 1: Query dissemination
Sample query:
  SELECT AVERAGE(temperature)
  FROM sensors
  WHERE floor = 6
  EPOCH DURATION 30s
Phase 2: Data aggregation
[Figure: readings are aggregated at each hop on the way to the sink]
Types of aggregation: (1) basic aggregation, (2) data compression, (3) parameter estimation
Phase 3: Result verification (optional)
[Figure: the sink asks each source “Did you really report this?”]
Security goals of data aggregation
[Figure: four sources report 1, 1000, 3 and 2; the aggregator performs averaging and the sink receives 251.5 (“So the average is 251.5… Oh wait a minute”); intermediate nodes ask “What the hell am I forwarding?” and “What the hell am I aggregating?”]
• Robustness: Byzantine corruption of data should not make the aggregation result totally meaningless
• Confidentiality: other than the sink and the sources, no intermediate node should have knowledge of the raw data or the aggregation result
Voting
[Figure: five sources report 3, 300, 2, 1 and 1, three of them marked malicious; the sink asks “is mean = 61.4 reasonable?”; the votes are No, Yes, No, No, No; conclusion: “Alright, 61.4 is not reasonable!”]
• Resource-intensive, only good for mission-critical, small-scale networks
Interactive proof algorithm
• By [Przydatek et al. 2003]: an algorithm for proving probabilistically that a given figure is indeed the median of the samples
• Example for the sake of intuition (the prover must have the samples sorted first); samples: 1 2 3 4 5 6
  1. Prover tells the verifier the median is 3.5 and the number of samples is 6
  2. Verifier asks for the 3rd sample; prover says the 3rd sample is 3 < 3.5; verifier is happy but still suspicious
  3. Verifier asks for the 4th sample; prover says the 4th sample is 4 > 3.5; verifier is happy but still suspicious
  4. Verifier asks for the 1st and 6th samples; prover says the 1st is 1 < 3.5 and the 6th is 6 > 3.5; verifier says: “Alright, I’ve sampled enough, the median should be 3.5 with high probability”
• Relies on the trustworthiness of the samples, but how do we make sure?
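The probabilistic median check above, worked through as an added example that is not code from the lecture or from Przydatek et al.: the prover commits to its sorted samples with a Merkle hash tree (an assumption added here so that every answer can be checked against the commitment), and the verifier opens the middle position(s) plus a few random ones. An honest prover always passes; a prover that commits to an unsorted sequence is caught whenever a probe lands on an out-of-place value, which is what makes the guarantee probabilistic; a prover that changes an answer after committing is caught by the hash path.

```python
import hashlib
import random
from typing import List, Optional, Sequence, Tuple

# Added example, not the lecture's or Przydatek et al.'s code. The Merkle
# commitment is an assumption made here so probe answers can be checked.


def _h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the given parts."""
    return hashlib.sha256(b"".join(parts)).digest()


def _leaf(value: float) -> bytes:
    return _h(b"leaf:", repr(value).encode())


def _build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """All levels of a Merkle tree, leaves first. An odd-sized level is padded by
    duplicating its last node; the padding is stored so that paths agree with it."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(cur[-1])
        levels.append([_h(b"node:", cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def _path(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Authentication path for leaf `index`: (sibling hash, sibling-is-left) per level."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib], sib < index))
        index //= 2
    return path


def _verify_path(root: bytes, leaf_hash: bytes, path: List[Tuple[bytes, bool]]) -> bool:
    node = leaf_hash
    for sib, sib_is_left in path:
        node = _h(b"node:", sib, node) if sib_is_left else _h(b"node:", node, sib)
    return node == root


class Prover:
    """Commits to `sequence` (an honest prover passes its samples sorted) and answers probes."""

    def __init__(self, sequence: Sequence[float]):
        self.sequence = list(sequence)
        self.levels = _build_levels([_leaf(v) for v in self.sequence])

    def commit(self) -> Tuple[int, float, bytes]:
        """(number of samples, claimed median, Merkle root) sent to the verifier."""
        n, mid = len(self.sequence), len(self.sequence) // 2
        median = self.sequence[mid] if n % 2 else (self.sequence[mid - 1] + self.sequence[mid]) / 2
        return n, median, self.levels[-1][0]

    def open(self, i: int) -> Tuple[float, List[Tuple[bytes, bool]]]:
        """Answer a probe for position i with the value and its authentication path."""
        return self.sequence[i], _path(self.levels, i)


class ForgingProver(Prover):
    """Commits honestly but answers probes with altered values (caught by the Merkle path)."""

    def open(self, i: int):
        value, path = super().open(i)
        return value + 100, path


def verify_median(commitment: Tuple[int, float, bytes], prover: Prover,
                  probe_indices: Optional[Sequence[int]] = None, probes: int = 4,
                  rng: Optional[random.Random] = None) -> bool:
    """Accept the claimed median only if every opened position is consistent with a
    sorted sequence whose middle element(s) yield that median."""
    n, median, root = commitment
    mid = n // 2
    if probe_indices is None:
        probe_indices = (rng or random.Random()).sample(range(n), min(probes, n))
    middle = [mid] if n % 2 else [mid - 1, mid]
    opened = {}
    for i in list(middle) + list(probe_indices):
        value, path = prover.open(i)
        if not _verify_path(root, _leaf(value), path):
            return False                       # answer does not match the commitment
        opened[i] = value
    claimed = opened[mid] if n % 2 else (opened[mid - 1] + opened[mid]) / 2
    if claimed != median:
        return False                           # middle element(s) contradict the claim
    for i, v in opened.items():                # before the middle: <= median; from it on: >= median
        if (i < mid and v > median) or (i >= mid and v < median):
            return False
    values = [opened[i] for i in sorted(opened)]
    return all(a <= b for a, b in zip(values, values[1:]))   # opened positions must be sorted


if __name__ == "__main__":
    samples = [5, 3, 1, 6, 2, 4]               # constructed sample readings
    honest = Prover(sorted(samples))
    print(verify_median(honest.commit(), honest))                       # True
    cheater = Prover([1, 2, 4, 5, 3, 6])       # unsorted commitment claiming median 4.5
    print(verify_median(cheater.commit(), cheater, probe_indices=[4]))  # False
```

The last point of the slide is untouched by this machinery: a source that reports 1000 instead of 3 yields a commitment that is perfectly sorted, so the proof only establishes that the claimed figure is the median of whatever was committed, not that the committed readings are genuine.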
Location verification – SeRLoc (Secure Range-independent Localization)
What is location verification?
• Different assumptions from general localization
• What if some malicious nodes lie about their location?
• Sample attack scenario:
  • Claim to be very close to the sink
  • Attract many packets
  • Drop some or all of them
• A very easy DoS attack, especially against geographic routing protocols
Secure Location Services
• Secure Verification of Location Claims [Sastry et al. WiSe 2002]
• Location Privacy: Privacy-aware Location Sensor Networks [Gruteser et al. USENIX 2003]
• Secure Localization: ensure robust location estimation even in the presence of adversaries
  • SeRLoc: [Lazos and Poovendran, WiSe 2004]
  • S-GPS: [Kuhn 2004]
  • SPINE: [Capkun & Hubaux, Infocom 2005]
SeRLoc
• SeRLoc: SEcure Range-independent LOCalization
• SeRLoc features:
  • No ranging hardware required
  • Decentralized implementation, scalable
  • Robust against attacks – lightweight security
Two-tier network architecture
[Figure: sensors are randomly deployed at unknown locations, with omnidirectional antennas and sensor range r; locators are randomly deployed at known locations (X1, Y1) … (X5, Y5) with known orientation, directional antennas of beamwidth θ, and locator range R]
The Idea of SeRLoc
[Figure: locators L1, L3, L4 and sensor s; the ROI is the intersection of the sectors the sensor hears]
• Each locator Li transmits information that defines the sector Si covered by each transmission
• The sensor defines the region of intersection (ROI) from all locators it hears
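The sector-intersection idea above in working form, as an added example that is not code from the lecture or from the SeRLoc authors: each locator is modelled by its known position, beam orientation, beamwidth and range, the sensor keeps the grid points covered by every locator it hears (the ROI), and takes the ROI centroid as its position estimate. The grid search, the locator layout and the use of the centroid are assumptions made for this illustration.

```python
import math
from typing import List, Optional, Sequence, Tuple

# Added example, not the lecture's or the SeRLoc authors' code. Geometry and
# grid resolution are constructed for the illustration.

Point = Tuple[float, float]


class Locator:
    """A locator at a known position broadcasting one directional beam:
    orientation and beamwidth in degrees, range R in metres."""

    def __init__(self, x: float, y: float, orientation: float, beamwidth: float, R: float):
        self.x, self.y, self.orientation, self.beamwidth, self.R = x, y, orientation, beamwidth, R

    def covers(self, px: float, py: float) -> bool:
        """True if (px, py) lies inside the sector S_i that this locator's beam defines."""
        dx, dy = px - self.x, py - self.y
        if math.hypot(dx, dy) > self.R:
            return False
        bearing = math.degrees(math.atan2(dy, dx))
        diff = (bearing - self.orientation + 180.0) % 360.0 - 180.0   # signed angle in (-180, 180]
        return abs(diff) <= self.beamwidth / 2.0


def region_of_intersection(heard: Sequence[Locator], step: float = 1.0) -> List[Point]:
    """Grid points covered by every heard locator: the ROI, sampled on a grid."""
    x_lo, x_hi = max(loc.x - loc.R for loc in heard), min(loc.x + loc.R for loc in heard)
    y_lo, y_hi = max(loc.y - loc.R for loc in heard), min(loc.y + loc.R for loc in heard)
    nx, ny = int(round((x_hi - x_lo) / step)), int(round((y_hi - y_lo) / step))
    points = []
    for ix in range(nx + 1):
        for iy in range(ny + 1):
            px, py = x_lo + ix * step, y_lo + iy * step
            if all(loc.covers(px, py) for loc in heard):
                points.append((px, py))
    return points


def estimate_location(heard: Sequence[Locator], step: float = 1.0) -> Optional[Point]:
    """Centroid of the ROI, or None if the heard sectors do not overlap at all."""
    roi = region_of_intersection(heard, step)
    if not roi:
        return None
    return (sum(p[0] for p in roi) / len(roi), sum(p[1] for p in roi) / len(roi))


# Constructed deployment: four locators at the corners of a 20 m square, each
# beaming a 90-degree sector towards the centre with range 20 m.
LOCATORS = [Locator(0, 0, 45, 90, 20), Locator(20, 0, 135, 90, 20),
            Locator(0, 20, 315, 90, 20), Locator(20, 20, 225, 90, 20)]


if __name__ == "__main__":
    # A sensor at (10, 10) hears all four locators; the ROI centroid lands near it.
    print(len(region_of_intersection(LOCATORS)), estimate_location(LOCATORS))
    # Hearing only two locators leaves a larger ROI, hence a coarser estimate.
    print(len(region_of_intersection(LOCATORS[:2])), estimate_location(LOCATORS[:2]))
```

The more locators a sensor hears, the smaller the ROI and the tighter the estimate; a sensor whose sectors do not intersect has heard inconsistent beacons, which is the situation the security mechanisms of SeRLoc are designed to detect.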
How SeRLoc works
• Node i claims its location is (x, y)
• Node i sends a location verification request message containing (x, y) to a nearby verifier
• A verifier can be a normal sensor node
• The verifier sends a random nonce to node i and starts the clock
• Node i has to immediately return the challenge through both radio and ultrasonic channels
• The verifier measures the time node i takes to return the challenge and takes the difference between the radio and ultrasonic signal propagation times. Based on this observation, it verifies the claimed location
Weakness of SeRLoc
• Requires extra hardware, i.e., an ultrasonic channel
• Innocent victims may respond late due to backlog
• Not location verification but range verification
[Figure: M’s claimed location and M’s real location lie at the same distance from the verifier; “Oops... Verifier cannot tell the difference! Big trouble...”]
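The radio/ultrasound challenge of the previous slide and the range-only weakness of this one, reduced to their arithmetic as an added example that is not code from the lecture: the verifier turns the gap between the two echo arrival times into a distance and compares it with the distance to the claimed location. Propagation speeds, positions and the tolerance are constructed for the illustration.

```python
import math
from typing import Tuple

# Added example, not the lecture's code. Speeds, positions and tolerance are constructed.

SPEED_RADIO = 3.0e8    # m/s
SPEED_SOUND = 343.0    # m/s, ultrasonic channel in air at about 20 °C

Point = Tuple[float, float]


def _dist(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def delay_difference(distance: float) -> float:
    """Arrival-time gap (seconds) between the radio and ultrasonic echoes of the
    nonce for a node `distance` metres away: both replies travel the same path,
    so the gap is d/v_sound - d/v_radio."""
    return distance * (1.0 / SPEED_SOUND - 1.0 / SPEED_RADIO)


def distance_from_delay(delta_t: float) -> float:
    """Invert delay_difference(): the range the verifier infers from the gap."""
    return delta_t / (1.0 / SPEED_SOUND - 1.0 / SPEED_RADIO)


def verify_claim(verifier: Point, claimed: Point, delta_t: float, tolerance_m: float = 1.0) -> bool:
    """Accept if the inferred range agrees with the distance to the claimed location."""
    inferred = distance_from_delay(delta_t)
    return abs(inferred - _dist(verifier, claimed)) <= tolerance_m


def claims_indistinguishable(verifier: Point, real: Point, claimed: Point,
                             tolerance_m: float = 1.0) -> bool:
    """True when the range check accepts `claimed` for a node that is actually at `real`."""
    return verify_claim(verifier, claimed, delay_difference(_dist(verifier, real)), tolerance_m)


if __name__ == "__main__":
    V = (0.0, 0.0)
    real = (30.0, 40.0)                                        # node M is 50 m from the verifier
    print(claims_indistinguishable(V, real, (10.0, 0.0)))      # False: 10 m claim vs 50 m range
    print(claims_indistinguishable(V, real, (50.0, 0.0)))      # True: same range, different place
```

Every point on the circle of radius 50 m around the verifier produces the same echo gap, which is exactly the figure on the slide: a single verifier can bound the range but cannot pin down the location.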
Possible Research Issues
• Most localization work is mathematical and evaluated via (high-level) simulations
  • More realistic work is needed
• Indoor localization is harder
  • Look at the CodeBlue project at Harvard
• Location verification
  • Can’t trust sensors
• Secure localization
  • Can’t trust anchors