1 / 57

Securing Wireless Sensor Networks

Securing Wireless Sensor Networks. CCSP Seminar 8 December 2003 David Evans evans@cs.virginia.edu http://www.cs.virginia.edu/evans/talks/ccsp Department of Computer Science University of Virginia. Two Talks for the Price of One!. 5000 years of cryptography Symmetric Ciphers

india-guzman
Télécharger la présentation

Securing Wireless Sensor Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing Wireless Sensor Networks CCSP Seminar 8 December 2003 David Evans evans@cs.virginia.edu http://www.cs.virginia.edu/evans/talks/ccsp Department of Computer Science University of Virginia

  2. Two Talks for the Price of One! • 5000 years of cryptography • Symmetric Ciphers • Asymmetric Ciphers • Securing Wireless Sensor Networks • Key Distribution • Data Aggregation • Wormhole Attacks and Defenses

  3. Eve Terminology Insecure Channel Ciphertext Encrypt Decrypt Plaintext Plaintext Alice Bob C = E(P) P = D(C) E must be invertible: P = D (E (P))

  4. Eve “The enemy knows the system being used.” Claude Shannon Insecure Channel Ciphertext Encrypt Decrypt Plaintext Plaintext K K Alice Bob C = E(P, K) P = D(C, K)

  5. Jefferson’s Wheel Cipher Key: the order of wheels on the spindle

  6. Applet on Monticello’s web site by CS201J students: Matt Spear, “Boyd” Worawannotai, Edward Mitchell (Note: not for use on nuclear secrets!) http://monticello.org/jefferson/wheelcipher

  7. Jefferson Wheel Cipher • If used carefully, effectively unbreakable in Jefferson’s day • US army used very similar cipher in WWI • “Easy” to break today http://www.cs.virginia.edu/cs588/challenges/wheel-solved.html • A billion billion is a large number, • but it’s not that large a number. • — Whitfield Diffie

  8. Modern Symmetric Ciphers • Same idea but: • Use digital logic instead of mechanical rotors • Larger keys • Encrypt blocks of letters at a time • Good choice for most applications: AES (Rijndael) • Effectively unbreakable, minimal performance cost • 128 (“billion billion billion billion”) or 256 (“billion8”) bit keys • No practical attacks better than brute force known (yet)

  9. Eve Problem with all Symmetric Ciphers Insecure Channel Ciphertext Encrypt Decrypt Plaintext Plaintext K K Alice Bob How do Alice and Bob agree on K (without Eve hearing it)?

  10. Padlocked Boxes Hi! Alice

  11. Alice’s Padlock Alice’s Padlock Key Padlocked Boxes Hi! Alice

  12. Shady Sammy’s Slimy Shipping Service Padlocked Boxes Alice Alice’s Padlock Key

  13. Bob’s Padlock Bob’s Padlock Key Padlocked Boxes Alice Hi! Bob Alice’s Padlock Key

  14. Bob’s Padlock Key Padlocked Boxes Hi! Alice Bob Alice’s Padlock Key

  15. Bob’s Padlock Key Padlocked Boxes Hi! Alice Bob Alice’s Padlock Key

  16. Padlocked Boxes Alice Hi! Bob Bob’s Padlock Key

  17. Padlocked Boxes Hi! Alice Hi! Bob Bob’s Padlock Key

  18. One-Way Functions • Easy to compute, hard to invert • Trap-door one way function: • D (E (M)) = M • E and D are easy to compute. • Revealing E doesn’t reveal an easy way to compute D. • Hence, anyone who knows E can encrypt, but only someone who knows D can decrypt

  19. RSA [Rivest, Shamir, Adelman 78] One-way function: multiplication is easy, factoring is hard Trap-door: number theory (Euler and Fermat)

  20. Public-Key Applications: Privacy Bob Alice • Alice encrypts message to Bob using Bob’s Private Key • Only Bob knows Bob’s Private Key only Bob can decrypt message Decrypt Ciphertext Encrypt Plaintext Plaintext Bob’s Public Key Bob’s Private Key

  21. Signatures Bob Alice Signed Message Decrypt Encrypt Plaintext Plaintext • Bob knows it was from Alice, since only Alice knows Alice’s Private Key • Non-repudiation: Alice can’t deny signing message (except by claiming her key was stolen!) • Integrity: Bob can’t change message (doesn’t know Alice’s Private Key) Alice’s Public Key Alice’s Private Key

  22. Problems with RSA • About 1000 times slower than symmetric algorithms • Just use RSA to transfer key, then use AES to encrypt data • Key size (and size of smallest message) must be large for security • 1024 bits ~ 128 bits for secret key • Public key doesn’t need confidentiality, but does need integrity

  23. Decrypt Ciphertext Encrypt Plaintext Plaintext Bob’s Public Key Bob’s Private Key Really Eve’s Public Key Really Eve’s Padlock Key Management Everyone can know the public key, but to be useful must know it is the owner’s public key. Alice Hi! Alice’s Padlock Key

  24. Securing Sensor Networks

  25. Sensor Networks High-power base station Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly

  26. Why security for sensor networks is hard • Low power devices • Public-key algorithms use too much energy • Limited device communication • Sending messages is extremely expensive • Communication is wireless • All messages are vulnerable to eavesdropping and forgery • Individual devices easily compromised • Cheap hardware in hostile territory

  27. Control Messages High-power base station Operator at base station controls behavior of sensor nodes

  28. High-power base station Rogue operator or compromised node should not be able to control behavior of other sensor nodes

  29. Control Integrity • Needs asymmetry: • Only base station can send out control messages • But, every node needs to understand them • Traditional: Asymmetry of Information • Use public-key encryption: • Send messages with base’s private key • Pre-load all nodes with base’s public key • Too expensive: nodes would need to receive long messages and do public key decryptions • Instead: asymmetry of time

  30. Cryptographic Hash Chains f f f x f (x) f (f (f (x))) f (f (x)) f is a one-way function: easy to calculate f(x), but difficult to invert f. time Initially store: K0 = f4(x) K1 = f3(x) verify f (K1) = K0 K2 = f2(x) verify f (K1) = K0

  31. µTesla [Perrig, et. al., 2002] • Initially: sensor nodes know K0 = fn(x) base station knows x • Base station messages encrypted using K1 = fn-1(x) • Nodes store and time stamp messages, but cannot decrypt them (yet) • At time t1, base station broadcasts K1 • Nodes verify f (K1) = K0 • Nodes use K1 decrypt earlier messages • Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed

  32. Data Integrity High-power base station Only data from legitimate nodes should be accepted by the base station

  33. Node Authentication • Before deployment, establish a shared symmetric secret key between each node and base station: KNS • Send readings with a MAC: RA | MAC (KAS, RA) Assumes confidentiality of transmitted readings is not important. We are only concerned with integrity.

  34. Authenticated Sensor Net Each node transmits: N |RN | MAC (KNS, RN) Base station verifies MAC before accepting RN.

  35. Data Aggregation If you only care about average, max, etc., aggregate data inside the network instead of sending it to the base station.

  36. Authenticated Data Aggregation A |RA | MAC (KAS, RA) C A B C |Aggr (RA, RB) | MAC (KCS, Aggr (RA, RB)) B |RB | MAC (KBS, RB)

  37. Secure Aggregation • Delayed Aggregation: Only aggregate messages after they have traveled one hop • Delayed Authentication: Use µTesla variation to reveal children’s keys to parents to provide delayed authentication Lingxuan Hu and David Evans. Secure Aggregation for Wireless Networks. Workshop on Security and Assurance in Ad hoc Networks. January, 2003.

  38. Protocol Example IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD) | MAC (KGi, Aggr (RA, RB, RC, RD)) G IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB)) IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD)) F E D IDB | RB | MAC (KBi, RB) IDA | RA | MAC (KAi, RA) C KAi is the ith key in a µTesla key chain starting from KAS A B

  39. IDG | Aggr (Aggr (RA, RB), Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD) | … (same from right side) | MAC (KHi, Aggr (RA, RB, RC, RD, . . . readings from right side)) H IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD) | MAC (KGi, Aggr (RA, RB, RC, RD)) IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD)) G IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB)) F E D IDA | RA | MAC (KAi, RA) IDB | RB | MAC (KBi, RB) C A B

  40. Abridged Attack Analysis • Intruder Node (no key material) • Cannot forge sensor readings: they will be detected when the base station reveals the node MAC keys • Replay attacks ineffective: keys change, can only replay readings within this time period • Compromised Node (all keys on one node) • Can lie about its own reading • But, cannot alter other nodes readings without getting caught: aggregate will not match calculated aggregate at next level

  41. Successful Attacks • Compromised node selectively drops child readings • Nothing to prevent this (but unlikely to change much without base station noticing) • Can use child snooping to catch it earlier • Compromise two consecutive (parent and grandparent) nodes • Can forge readings for entire subtree

  42. Communication Cost • Total Kilobytes Transmitted Sensor reading: 22 bytes MAC of message: 8 bytes Ideal binary network • Sensor Nodes Secure Aggregation requires about 3 times the amount of data transmission as Insecure Aggregation, but provides integrity with < ½ the cost of no aggregation.

  43. Summary • With our protocol, you can get authenticated results without trusting your children at all, and trusting your parents and grandparents not to conspire together against you. • Not trusting your children is reasonable (inexpensive) • Not trusting your parents is expensive: requires over twice the resources of the insecure aggregation protocol

  44. Routing Security (Lingxuan Hu’s slide)

  45. Wormhole Attack • Tunnel packets received in one place of the network and replay them in another place • The attacker needs no key material, just two transceivers!

  46. Impact of Wormhole 1 0.9 0.8 Base Station at Corner 0.7 0.6 0.5 Fraction of Routes to Base Station Disrupted 0.4 0.3 0.2 Base Station at Center 0.1 0 0 50 100 150 200 250 300 350 400 450 500 Position of Endpoint (x, x)

  47. Preventing Wormhole Attacks • Know your neighbors • Physical Space • Exploit knowledge about physical space • Redundancy • Use cooperation to establish trust • Physical properties • Speed of transmission limits time when another node can hear it

  48. Directional Antennas Operation Modes: OmniandDirectional Lingxuan Hu and David Evans. Using Directional Antennas to Prevent Wormhole Attacks. Network and Distributed System Security Symposium (NDSS), Feb 2004.

  49. Antenna Model East Nodes orient themselves using a magnetic compass so zone 1 always faces East.

  50. Directional Neighbor Discovery 3 2 4 1 6 5 zone (N, A) is the antenna zone in which N hears A N A 1. A Region HELLO | IDA Sent by all antenna elements (sweeping) 2. N  A IDN | EKNA(IDA | R | zone (N, A)) Sent by zone (N, A) element R is a random nonce 3. A  NR

More Related