SECURE ROUTING IN WIRELESS SENSOR NETWORKS Gayathri Venkataraman Preeti Raghunath
AGENDA • Sensor Networks • Wireless Sensor Networks vs. Ad-Hoc Networks • Sensor Network Security Challenges • Attacks on Sensor Network routing • Securing the Wireless Network • Summary
Sensor Networks A sensor network is composed of a large number of sensor nodes that are densely deployed either inside the phenomenon or close to it. Each of these sensor nodes collects data and transmits it to the sink using special routing protocols. The sink may communicate with the task manager using the Internet or satellite [1]. Figure 1 Sensor nodes communication Source: http://www.cdt.luth.se/babylon/snc/References/Akyildiz2002_SurveySensorNets_01024422.pdf Retrieved August 22, 2003
What is a Sensor Network? • Heterogeneous system that combines tiny sensors and actuators with general purpose computing elements. • Sensor readings from multiple nodes can be processed by one or more aggregation points
Base Station • Sensor Networks have one or more points of centralized control called Base Stations. • Base stations are either: • Gateway to another network • Data processing or storage center • Access point for human interface.
Sensor Network Architecture Base Stations Aggregation points Sensor Nodes
Constraints of Wireless Sensor Networks • Sensor Networks are resource-starved when it comes to: • Computational power • Memory • Bandwidth • Power
Sensor Networks vs. Ad-Hoc Networks • An ad-hoc network supports routing between any pair of nodes. • Sensor networks have a specialized communication pattern: • Many to One • One to Many • Local Communication
Security challenges in Wireless Sensor networks (1 of 3) • Network Assumptions: • Radio links are not secure • Attackers can deploy malicious nodes into the network. • Trust Requirements: • Base stations are trusted nodes • Aggregation points may be trusted for certain protocols
Security challenges in Wireless Sensor networks (2 of 3) • Threat models: • Mote-class attackers: Sensor nodes are used for attacks. A sensor can eavesdrop only on nodes in its vicinity. • Laptop-class attackers: More sophisticated. Can eavesdrop on or jam the entire network. • Outsider attacks: The attacker has no special access to the sensor network. • Insider attacks: An authorized participant of the network has gone bad by running malicious code.
Security challenges in Wireless Sensor networks (3 of 3) • Security Goals: • Protection against eavesdropping is the responsibility of the application layer, not of routing algorithms. • However, eavesdropping caused by abuse of the routing protocol is the responsibility of the protocols. • Graceful degradation of the network in case of an insider attack.
Attacks on Sensor Networks (1 of 3) • Spoofing: Altering, spoofing or replaying routing information between nodes. • Selective Forwarding: Malicious nodes do not forward any packets, or selectively forward packets.
Attacks on Sensor Networks (2 of 3) • Sinkhole attack: • Here the attacker’s goal is to lure all the traffic through a compromised node • Other nodes in the path have opportunities to tamper with application data • Sybil attack: • A single node presents multiple identities. • Wormholes: • The attacker tunnels messages received in one part of the network over a low-latency link and replays them in a different part.
Attacks on Sensor Networks (3 of 3) • HELLO Flood attack: An attacker with enough transmission power convinces every node in the network that the attacker is its neighbor. • Acknowledgement spoofing: • Link layer acknowledgements are spoofed to convince nodes that a weak link is strong and vice versa.
Attacks on Specific Routing Protocols Gayathri Venkataraman
Special Routing Protocols! Why??? • A typical mote has a 4 MHz processor, 128 KB of instruction memory, 4 KB of RAM for data, and 512 KB of flash memory. • The whole device is powered by two AA batteries. • Hence the requirement for special routing protocols with: • Less computation • Less memory • Simplicity • No global identification like an IP address
Challenges For Security • The resource-starved nature of sensor networks poses a big challenge for security • Public-key cryptography is too expensive • With only 4 KB of RAM, memory must be used carefully
Directed Diffusion • Is a data-centric routing protocol • Base stations flood interests for named data • Nodes able to satisfy the interest disseminate information along the reverse path of interest propagation. • Interests are initially transmitted at a lower rate. • Base nodes reinforce the path where there is more data. • Failed node paths are negatively reinforced.
Directed Diffusion http://www2.parc.com/spl/members/zhao/stanfordcs428/readings/Networking/Estrin_mobicom00.pdf Retrieved August 27, 2003
Attacks on Directed Diffusion • Suppression • Suppress the flow of data by sending negative reinforcement • Cloning • The attacker can replay an interest from a legitimate base station • Path Influence • The attacker can influence the path taken by a data flow by spoofing positive and negative reinforcements and bogus data events. • Selective forwarding and Tampering • The attacker can insert himself into the path of the event flow and gain control of the event flow.
Attacks on Directed Diffusion • A laptop-class adversary can create a wormhole between node A located near the base station and node B located near likely events. • Interests are advertised through the wormhole and rebroadcast by node B. • If node A sends negative reinforcements and the wormhole does not pass those messages, node B continues its positive reinforcement; no data reaches the sink node and eventually node B’s power is lost.
Tiny-OS Beaconing • In this protocol base stations periodically broadcast a routing update. • Every station receiving the update marks the base station as its parent. • The algorithm proceeds recursively, with each node marking as its parent the first node from which it hears the update. • All packets received or generated by a node are forwarded to its parent until they reach the base station. • The result is a breadth-first spanning tree rooted at the base station
Attacks on Tiny-OS Beaconing • Routing updates are not authenticated • An attacker can suppress, eavesdrop on, and modify packets through a wormhole/sinkhole attack as shown in the figure Source: http://webs.cs.berkeley.edu/retreat-1-03/slides/sensor-route-security.pdf Retrieved on November 17, 2003
Attacks on Tiny-OS Beaconing • A laptop-class adversary can use a HELLO flood attack to broadcast a routing update, and all nodes will consider the adversary as their parent. • So the nodes which are not in the actual range of the parent may flood the packets to neighbors which also have the adversary as their parent • Routing loops can be created. Suppose the adversary knows node A and node B are within radio range of each other. The adversary sends a routing update to B as if it came from A. B updates its parent to A, and sends a routing update. Now A updates its parent to B.
Geographic Routing • Two Kinds • Geographic and Energy Aware Routing (GEAR) uses the energy information and the location of neighboring nodes to forward the packets • Greedy Perimeter Stateless Routing (GPSR) uses only the proximity of neighbors to forward its messages. The energy consumption is uneven across the nodes.
Attacks on Geographic Routing • Regardless of the adversary’s location, he might advertise himself as closest and place himself on the path of the data flow. • For GEAR the adversary can advertise maximum energy to divert all the packets to himself and can then mount a selective forwarding attack • Routing loops are possible in GPSR routing as shown in the figure Source: http://webs.cs.berkeley.edu/retreat-1-03/slides/sensor-route-security.pdf Retrieved on November 17, 2003
Counter Measures • Link Layer Security • Simple link layer encryption and authentication using a globally shared key. • If a wormhole is established, encryption makes selective forwarding difficult, but can do nothing to prevent black hole selective forwarding. Such a wormhole is possible by replaying messages from one group of nodes to another group. • Link layer security mechanisms cannot prevent any insider attack.
Counter Measures • Sybil Attack • Every node shares a unique symmetric key with the base station • Two nodes can use a Needham-Schroeder-like protocol to verify identity and establish a shared key. • The base station limits the number of nodes with which an insider can communicate. • This limits the number of nodes with which an adversary can communicate.
Counter Measures • HELLO Flood Attacks • Verify the bi-directionality of the link before taking any action • Measures against the Sybil attack, like limiting the number of verified neighbors of a node, will also prevent the HELLO flood attack
Counter Measures • Wormhole and Sinkhole Attacks • Sinkholes are difficult to defend against in protocols which use advertised information like energy information and hop count. Hop count can be verified; however, energy information and Tiny-OS beaconing are difficult to defend. • The best solution is to design protocols where the above attacks are meaningless
Counter Measures • Protocols that construct a topology initiated by the base station are susceptible to attacks • Geographic protocols that construct the topology on demand using localized interactions, and not from base stations, are good solutions. • In geographic routing, since proximity is a factor, an artificial link to a sinkhole is not possible because it may not fall within the normal radio range.
Counter Measures • Geographic routing is secure against wormhole, sinkhole, and Sybil attacks, but the remaining problem is that the location advertisement must be trusted. • Probabilistic selection of the next hop from several advertisements can reduce the problem • Restricting the structure of the topology can eliminate the problem by eliminating advertisements. For example, nodes can arrange themselves in a square, triangular, etc. grid, so that every node can derive its neighbors
Counter Measures • Selective Forwarding • Multi-path routing can be used to avoid this attack. • Routing messages over n paths whose nodes are completely disjoint is an effective solution • Creating this kind of path may be difficult. • Probabilistic selection of the next hop can add to security.
Counter Measures • Authenticated Broadcast & flooding • digital signatures • symmetric-key cryptography • delayed key disclosure and one-way key chains constructed with a publicly computable, cryptographically secure hash function • A replay attack is not possible because each key is used only once.
Limitations of Multi-Hop Routing • If nodes within one or two hops of the base station are compromised, then the network will be completely down • Protocols like LEACH, which form clusters and where cluster heads communicate directly with the base station, may yield a secure solution.
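Added example (not from the original slides): a Python simulation of Tiny-OS-style beaconing parent selection, with and without the bidirectional-link check listed above. Node names, coordinates and radio ranges are constructed, and the check is modelled geometrically (a node accepts a beacon only if its own radio could reach the sender), standing in for the exchange a real mote would use to confirm the link.

```python
import math
from collections import deque

def in_range(src, dst, pos, tx_range):
    """True if a transmission from src can be heard at dst."""
    return math.dist(pos[src], pos[dst]) <= tx_range[src]

def build_tree(pos, tx_range, beacon_order, verify_bidirectional):
    """Each node adopts the first beacon sender it accepts as its parent."""
    parent = {root: None for root in beacon_order}
    queue = deque(beacon_order)
    while queue:
        sender = queue.popleft()
        for node in pos:
            if node in parent or not in_range(sender, node, pos, tx_range):
                continue
            # Countermeasure: ignore a beacon whose sender we cannot reach back.
            if verify_bidirectional and not in_range(node, sender, pos, tx_range):
                continue
            parent[node] = sender
            queue.append(node)  # node rebroadcasts the routing update
    return parent

def stranded(parent, pos, tx_range):
    """Nodes whose own radio cannot reach the parent they selected."""
    return sorted(n for n, p in parent.items()
                  if p is not None and not in_range(n, p, pos, tx_range))

# Constructed topology: motes 10 m apart with a 12 m range; "adv" is a
# transmitter about 40 m away whose 100 m range covers every mote.
POS = {"base": (0, 0), "n1": (10, 0), "n2": (20, 0), "n3": (30, 0), "adv": (15, 40)}
TX = {"base": 12, "n1": 12, "n2": 12, "n3": 12, "adv": 100}

def demo():
    order = ["adv", "base"]  # the long-range beacon is heard first
    naive = build_tree(POS, TX, order, verify_bidirectional=False)
    checked = build_tree(POS, TX, order, verify_bidirectional=True)
    return naive, stranded(naive, POS, TX), checked, stranded(checked, POS, TX)
```

Without the check every mote selects a parent it cannot reach; with it the tree is base, n1, n2, n3 in a chain. The check does not help against a sender that really is within radio range of a mote.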
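Added example (not from the original slides): a Python model of authenticated broadcast with a one-way key chain and delayed key disclosure, as listed above. SHA-256 and HMAC stand in for whatever primitives a mote would use, intervals are plain integers instead of synchronized clocks, and all keys and messages are constructed.

```python
import hashlib
import hmac

def H(data):
    return hashlib.sha256(data).digest()
def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_chain(seed, n):  # [K_0..K_n] with K_(i-1) = H(K_i); K_0 = commitment
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain[::-1]

class Receiver:
    def __init__(self, commitment):
        self.last_key, self.last_idx = commitment, 0  # newest verified key
        self.pending, self.accepted = {}, []

    def on_packet(self, interval, msg, tag):
        # Once K_interval is disclosed anyone can forge a MAC: drop late packets.
        if interval > self.last_idx:
            self.pending.setdefault(interval, []).append((msg, tag))
        return interval > self.last_idx

    def on_key(self, interval, key):
        if interval <= self.last_idx:
            return False
        keys, k = {}, key
        for i in range(interval, self.last_idx, -1):  # also recovers skipped keys
            keys[i], k = k, H(k)
        if not hmac.compare_digest(k, self.last_key):
            return False  # does not hash back to the last trusted key
        for i, ki in keys.items():
            self.accepted += [m for m, t in self.pending.pop(i, [])
                              if hmac.compare_digest(mac(ki, m), t)]
        self.last_key, self.last_idx = key, interval
        return True

def demo():
    chain = make_chain(b"constructed-seed", 4)  # constructed sample values
    rx = Receiver(chain[0])
    good, forged = b"update from base", b"update from intruder"
    rx.on_packet(1, good, mac(chain[1], good))
    rx.on_packet(1, forged, mac(b"wrong key", forged))     # buffered, bad MAC
    key_ok = rx.on_key(1, chain[1])                        # K_1 disclosed
    late = rx.on_packet(1, forged, mac(chain[1], forged))  # replay, too late
    bogus = rx.on_key(2, b"\x00" * 32)                     # not on the chain
    return key_ok, late, bogus, rx.accepted
```

The receiver needs only the commitment K_0 and one hash per interval, which is why the approach fits a mote that cannot afford digital signatures on every broadcast.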
Conclusion • Secure routing is vital to the acceptance and use of sensor networks. • Current protocols are insecure • Careful protocol design is needed as a sensor mote cannot do complex cryptographic computations
References [1] Ian F. Akyildiz, Weilian Su, Yogesh Subramaniam, and Erdal Cayirci (2002, August). A Survey on Sensor Networks. http://www.cdt.luth.se/babylon/snc/References/Akyildiz2002_SurveySensorNets_01024422.pdf Retrieved August 26, 2003 [2] Charlermek Intanagonwiwat, Ramesh Govindan, and Deborah Estrin. Directed Diffusion: A Scalable and Robust Communication Paradigm for Sensor Networks. http://www2.parc.com/spl/members/zhao/stanfordcs428/readings/Networking/Estrin_mobicom00.pdf Retrieved August 20, 2003 [3] Chris Karlof, David Wagner. Secure Routing in Wireless Sensor Networks: Attacks and Counter Measures
Thank You!!!!! Questions???????????