250 likes | 390 Views
Some Security Challenges for Mesh Networks. Jean-Pierre Hubaux EPFL Switzerland Joint work with Imad Aad, Naouel Ben Salem, Levente Buttyan, Srdjan Capkun, Markus Jakobsson, and Maxim Raya Funded by the MICS/Terminodes project, www.mics.org.
E N D
Some Security Challenges for Mesh Networks Jean-Pierre Hubaux EPFL Switzerland Joint work with Imad Aad, Naouel Ben Salem, Levente Buttyan, Srdjan Capkun, Markus Jakobsson, and Maxim Raya Funded by the MICS/Terminodes project, www.mics.org
Some Security Challenges for Mesh NetworksOutline • Preventing greedy behavior at the MAC layer • Secure positioning • Cooperation between nodes
1. Preventing greedy behavior at the MAC layer Cheater Well-behaved node Well-behaved node
Solution 1 • Detection and handling of MAC layer misbehavior in wireless networks (Kyasanur and Vaidya, DSN 2003) • Idea: the receiver assigns backoff values to the sender • Detection: compares expected and observed backoffs • Correction: assigns penalty to the cheater
Solution 2 • DOMINO (Raya, Hubaux, and Aad, MobiSys 2004) • Idea: monitor the traffic and detect deviations by comparing average values of observed users • Detection tests: number of retransmissions, backoff, … • Features: • Full standard compliance • Needs to be implemented only at the Access Point • Applicable to all CSMA/CA-based protocols • Simple and efficient • The operator decides the amount of evidence required before taking action (in order e.g. to prevent false positives) • http://domino.epfl.ch Game-theoretic study:M. Cagalj, S. Ganeriwal, I. Aad and J.-P. Hubaux"On Cheating in CSMA/CA Networks"Technical report No. IC/2004/27, February 2004
Components of DOMINO Cheating method Detection test Oversized NAV Comparison of the declared and actual NAV values Comparison of the idle time after the last ACK with DIFS Transmission before DIFS Number of retransmissions Frame scrambling Backoff manipulation Maximum backoff: the maximum should be close to CWmin - 1 Actual backoff Consecutive backoff
DOMINO performance (ns-2 simulation) Setting: uplink UDP traffic; 7 well-behaved stations + 1 cheating station; each point corresponds to 100 simulations of 10s each; confidence int: 95%
2. Secure positioning • Being able to securely verify positions of devices can enable: • Location-based access control • Detection of displacement of valuables • Detection ofstealing • Monitoring and enforcement of policies (e.g., traffic monitoring) • Location-based charging • … • In multi-hop networks • Secure routing • Secure positioning • Secure data harvesting (sensor networks) • …
Distance measurement by Time of Flight (ToF) - Based on the speed of light (RF, Ir) tr ts ts dABm=(tr-ts)c dABm=(tr-ts-tprocB)c/2 tr B A (A and B are synchronized - ToF) (A and B are NOT synchronized – Round trip ToF) - Based on the speed of sound (Ultrasound) tr(RF) ts ts tr(US) B A ts dABm=(tr(RF)-tr(US))s
Attacks on RF and US ToF-based techniques - Dishonest device:cheat on the time of sending (ts) or time of reception (tr) - Malicious attacker: 2 steps: 1. Overhear and jam tr ts ts dABm=(tr-ts)c B A (A and B are assumed to be synchronised) M 2. Replay with a delay Δt tr+Δt ts ts+Δt B dABm=(tr+Δt-ts)c M => dABm>dAB
Summary of possible attacks on distance measurement Dishonest nodes Malicious attackers
Secure positioning • Goals: • preventing a dishonest node from cheating about its own position • preventing a malicious attacker from spoofing the position of an honest node • Our proposal: Verifiable Multilateration
Distance Bounding (RF) • Introduced in 1993 by Brands and Chaum to prevent the Mafia fraud attack NBS ts tr A BS dreal≤ db = (tr-ts)c/2(db=distance bound)
Distance bounding characteristics Dishonest nodes Malicious attackers • RF distance bounding: • nanosecond precision required, 1ns ~ 30cm • UWB enables clock precision up to 2ns and 1m positioning indoor and outdoor (up to 2km) with RF ToF • US distance bounding: • millisecond precision required,1ms ~ 35cm • distance bounding can be enabled with 802.11 and US
Verifiable Multilateration (Trilateration) BS3 A BS2 (x,y) Verification triangle y x BS1 Distancebounding
Verifiable Multilateration (properties 1/2) - a node located within the triangle cannot prove to be at another position within the triangle except at its true position. - a node located outside the triangle formed by the verifiers cannot prove to be at any position within the triangle - a malicious attacker cannot spoof the position of a node such that it seems that the nodeisat a position different from its real position within the triangle - a malicious attacker cannot spoof the position of a node such that it seems that it is located at a position within the triangle, if the node is outside the triangle
Verifiable Multilateration (properties 2/2) - a node can show (by distance enlargement) that it is positioned outside the triangle - an attacker can always show that the node is positioned outside the triangle The same holds in 3-D, with a triangular pyramid instead of a triangle • Srdjan Capkun and Jean-Pierre HubauxSecuring position and distance verification in wireless networks Technical report EPFL/IC/2004-43, May 2004 • Srdjan Capkun and Jean-Pierre HubauxSecure Positioning in Sensor Networks Technical report EPFL/IC/2004-44, May 2004
3. Cooperation between nodes • Multi-hop mesh networks represent a new and promising paradigm, but … Why would intermediate nodes bother to relay packets forthe benefit of other nodes? • No incentive the network does not work : • V. Srinivasan, P. Nuggehalli, C. Chiasserini, and R. Rao, Infocom 2003 • M. Felegyhazi, L. Buttyan, and J. P. Hubaux, PWC 2003 • Autonomous multi-hop networks R. Mahajan, M. Rodrig, D. Wetherhall, and J. Zahorjan, “Encouraging Cooperation in Multi-Hop Wireless Networks,”Technical Report CSE-04-06-01, Univ. of Washington, June 2004
Incentive techniques: other scenarios Initiator Correspondent BSB BSA j B A 1 i 1 • Multi-hop networks with sporadic access to the backbone S. Zhong, Y. R. Yang, and J. Chen, “Sprite: A Simple, Cheat-Proof, Credit-Based System for Mobile Ad Hoc Networks,” INFOCOM 2003 • Multi-hop networks with permanent access to the backbone Backbone • Systematic payment:N. Ben Salem, L. Buttyán, J.-P. Hubaux and M. Jakobsson,"A Charging and Rewarding Scheme for Packet Forwarding in Multi-hop CellularNetworks", MobiHoc 2003 • Solution based on lottery tickets:M. Jakobsson, J.-P. Hubaux and L. Buttyan, "A Micro-Payment Scheme Encouraging Collaboration in Multi-HopCellular Networks", Financial Crypto 2003
Conclusion • Mesh networks must be secured prior to any commercial deployment • A number of research results from the security of wireless (ad hoc) networks can be used or adapted, notably: • To prevent greedy behavior • To secure positioning • To stimulate cooperation between nodes • There are more challenges, in particular: • Preventing denial of service attacks • Stimulation of the network deployment