570 likes | 598 Views
Securing Wireless Sensor Networks. CCSP Seminar 8 December 2003 David Evans evans@cs.virginia.edu http://www.cs.virginia.edu/evans/talks/ccsp Department of Computer Science University of Virginia. Two Talks for the Price of One!. 5000 years of cryptography Symmetric Ciphers
E N D
Securing Wireless Sensor Networks CCSP Seminar 8 December 2003 David Evans evans@cs.virginia.edu http://www.cs.virginia.edu/evans/talks/ccsp Department of Computer Science University of Virginia
Two Talks for the Price of One! • 5000 years of cryptography • Symmetric Ciphers • Asymmetric Ciphers • Securing Wireless Sensor Networks • Key Distribution • Data Aggregation • Wormhole Attacks and Defenses
Eve Terminology Insecure Channel Ciphertext Encrypt Decrypt Plaintext Plaintext Alice Bob C = E(P) P = D(C) E must be invertible: P = D (E (P))
Eve “The enemy knows the system being used.” Claude Shannon Insecure Channel Ciphertext Encrypt Decrypt Plaintext Plaintext K K Alice Bob C = E(P, K) P = D(C, K)
Jefferson’s Wheel Cipher Key: the order of wheels on the spindle
Applet on Monticello’s web site by CS201J students: Matt Spear, “Boyd” Worawannotai, Edward Mitchell (Note: not for use on nuclear secrets!) http://monticello.org/jefferson/wheelcipher
Jefferson Wheel Cipher • If used carefully, effectively unbreakable in Jefferson’s day • US army used very similar cipher in WWI • “Easy” to break today http://www.cs.virginia.edu/cs588/challenges/wheel-solved.html • A billion billion is a large number, • but it’s not that large a number. • — Whitfield Diffie
Modern Symmetric Ciphers • Same idea but: • Use digital logic instead of mechanical rotors • Larger keys • Encrypt blocks of letters at a time • Good choice for most applications: AES (Rijndael) • Effectively unbreakable, minimal performance cost • 128 (“billion billion billion billion”) or 256 (“billion8”) bit keys • No practical attacks better than brute force known (yet)
Eve Problem with all Symmetric Ciphers Insecure Channel Ciphertext Encrypt Decrypt Plaintext Plaintext K K Alice Bob How do Alice and Bob agree on K (without Eve hearing it)?
Padlocked Boxes Hi! Alice
Alice’s Padlock Alice’s Padlock Key Padlocked Boxes Hi! Alice
Shady Sammy’s Slimy Shipping Service Padlocked Boxes Alice Alice’s Padlock Key
Bob’s Padlock Bob’s Padlock Key Padlocked Boxes Alice Hi! Bob Alice’s Padlock Key
Bob’s Padlock Key Padlocked Boxes Hi! Alice Bob Alice’s Padlock Key
Bob’s Padlock Key Padlocked Boxes Hi! Alice Bob Alice’s Padlock Key
Padlocked Boxes Alice Hi! Bob Bob’s Padlock Key
Padlocked Boxes Hi! Alice Hi! Bob Bob’s Padlock Key
One-Way Functions • Easy to compute, hard to invert • Trap-door one way function: • D (E (M)) = M • E and D are easy to compute. • Revealing E doesn’t reveal an easy way to compute D. • Hence, anyone who knows E can encrypt, but only someone who knows D can decrypt
RSA [Rivest, Shamir, Adelman 78] One-way function: multiplication is easy, factoring is hard Trap-door: number theory (Euler and Fermat)
Public-Key Applications: Privacy Bob Alice • Alice encrypts message to Bob using Bob’s Private Key • Only Bob knows Bob’s Private Key only Bob can decrypt message Decrypt Ciphertext Encrypt Plaintext Plaintext Bob’s Public Key Bob’s Private Key
Signatures Bob Alice Signed Message Decrypt Encrypt Plaintext Plaintext • Bob knows it was from Alice, since only Alice knows Alice’s Private Key • Non-repudiation: Alice can’t deny signing message (except by claiming her key was stolen!) • Integrity: Bob can’t change message (doesn’t know Alice’s Private Key) Alice’s Public Key Alice’s Private Key
Problems with RSA • About 1000 times slower than symmetric algorithms • Just use RSA to transfer key, then use AES to encrypt data • Key size (and size of smallest message) must be large for security • 1024 bits ~ 128 bits for secret key • Public key doesn’t need confidentiality, but does need integrity
Decrypt Ciphertext Encrypt Plaintext Plaintext Bob’s Public Key Bob’s Private Key Really Eve’s Public Key Really Eve’s Padlock Key Management Everyone can know the public key, but to be useful must know it is the owner’s public key. Alice Hi! Alice’s Padlock Key
Sensor Networks High-power base station Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly
Why security for sensor networks is hard • Low power devices • Public-key algorithms use too much energy • Limited device communication • Sending messages is extremely expensive • Communication is wireless • All messages are vulnerable to eavesdropping and forgery • Individual devices easily compromised • Cheap hardware in hostile territory
Control Messages High-power base station Operator at base station controls behavior of sensor nodes
High-power base station Rogue operator or compromised node should not be able to control behavior of other sensor nodes
Control Integrity • Needs asymmetry: • Only base station can send out control messages • But, every node needs to understand them • Traditional: Asymmetry of Information • Use public-key encryption: • Send messages with base’s private key • Pre-load all nodes with base’s public key • Too expensive: nodes would need to receive long messages and do public key decryptions • Instead: asymmetry of time
Cryptographic Hash Chains f f f x f (x) f (f (f (x))) f (f (x)) f is a one-way function: easy to calculate f(x), but difficult to invert f. time Initially store: K0 = f4(x) K1 = f3(x) verify f (K1) = K0 K2 = f2(x) verify f (K1) = K0
µTesla [Perrig, et. al., 2002] • Initially: sensor nodes know K0 = fn(x) base station knows x • Base station messages encrypted using K1 = fn-1(x) • Nodes store and time stamp messages, but cannot decrypt them (yet) • At time t1, base station broadcasts K1 • Nodes verify f (K1) = K0 • Nodes use K1 decrypt earlier messages • Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed
Data Integrity High-power base station Only data from legitimate nodes should be accepted by the base station
Node Authentication • Before deployment, establish a shared symmetric secret key between each node and base station: KNS • Send readings with a MAC: RA | MAC (KAS, RA) Assumes confidentiality of transmitted readings is not important. We are only concerned with integrity.
Authenticated Sensor Net Each node transmits: N |RN | MAC (KNS, RN) Base station verifies MAC before accepting RN.
Data Aggregation If you only care about average, max, etc., aggregate data inside the network instead of sending it to the base station.
Authenticated Data Aggregation A |RA | MAC (KAS, RA) C A B C |Aggr (RA, RB) | MAC (KCS, Aggr (RA, RB)) B |RB | MAC (KBS, RB)
Secure Aggregation • Delayed Aggregation: Only aggregate messages after they have traveled one hop • Delayed Authentication: Use µTesla variation to reveal children’s keys to parents to provide delayed authentication Lingxuan Hu and David Evans. Secure Aggregation for Wireless Networks. Workshop on Security and Assurance in Ad hoc Networks. January, 2003.
Protocol Example IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD) | MAC (KGi, Aggr (RA, RB, RC, RD)) G IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB)) IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD)) F E D IDB | RB | MAC (KBi, RB) IDA | RA | MAC (KAi, RA) C KAi is the ith key in a µTesla key chain starting from KAS A B
IDG | Aggr (Aggr (RA, RB), Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD) | … (same from right side) | MAC (KHi, Aggr (RA, RB, RC, RD, . . . readings from right side)) H IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD) | MAC (KGi, Aggr (RA, RB, RC, RD)) IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD)) G IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB)) F E D IDA | RA | MAC (KAi, RA) IDB | RB | MAC (KBi, RB) C A B
Abridged Attack Analysis • Intruder Node (no key material) • Cannot forge sensor readings: they will be detected when the base station reveals the node MAC keys • Replay attacks ineffective: keys change, can only replay readings within this time period • Compromised Node (all keys on one node) • Can lie about its own reading • But, cannot alter other nodes readings without getting caught: aggregate will not match calculated aggregate at next level
Successful Attacks • Compromised node selectively drops child readings • Nothing to prevent this (but unlikely to change much without base station noticing) • Can use child snooping to catch it earlier • Compromise two consecutive (parent and grandparent) nodes • Can forge readings for entire subtree
Communication Cost • Total Kilobytes Transmitted Sensor reading: 22 bytes MAC of message: 8 bytes Ideal binary network • Sensor Nodes Secure Aggregation requires about 3 times the amount of data transmission as Insecure Aggregation, but provides integrity with < ½ the cost of no aggregation.
Summary • With our protocol, you can get authenticated results without trusting your children at all, and trusting your parents and grandparents not to conspire together against you. • Not trusting your children is reasonable (inexpensive) • Not trusting your parents is expensive: requires over twice the resources of the insecure aggregation protocol
Routing Security (Lingxuan Hu’s slide)
Wormhole Attack • Tunnel packets received in one place of the network and replay them in another place • The attacker needs no key material, just two transceivers!
Impact of Wormhole 1 0.9 0.8 Base Station at Corner 0.7 0.6 0.5 Fraction of Routes to Base Station Disrupted 0.4 0.3 0.2 Base Station at Center 0.1 0 0 50 100 150 200 250 300 350 400 450 500 Position of Endpoint (x, x)
Preventing Wormhole Attacks • Know your neighbors • Physical Space • Exploit knowledge about physical space • Redundancy • Use cooperation to establish trust • Physical properties • Speed of transmission limits time when another node can hear it
Directional Antennas Operation Modes: OmniandDirectional Lingxuan Hu and David Evans. Using Directional Antennas to Prevent Wormhole Attacks. Network and Distributed System Security Symposium (NDSS), Feb 2004.
Antenna Model East Nodes orient themselves using a magnetic compass so zone 1 always faces East.
Directional Neighbor Discovery 3 2 4 1 6 5 zone (N, A) is the antenna zone in which N hears A N A 1. A Region HELLO | IDA Sent by all antenna elements (sweeping) 2. N A IDN | EKNA(IDA | R | zone (N, A)) Sent by zone (N, A) element R is a random nonce 3. A NR