
Designing Secure Sensor Networks

Designing Secure Sensor Networks. Paper by Elaine Shi & Adrian Perrig; presented by HongKi Lee, 2005. 9. 13. Contents: Introduction, Threat and Trust Model, Security Requirements, Attacks and Countermeasures, Promising Research Directions, Conclusion.


Presentation Transcript


  1. Designing Secure Sensor Networks
     - Elaine Shi & Adrian Perrig -
     2005. 9. 13. HongKi Lee

  2. Contents
     • Introduction
     • Threat and Trust Model
     • Security Requirements
     • Attacks and Countermeasures
     • Promising Research Directions
     • Conclusion

  3. Introduction
     • Sensor networks will play an essential role in the upcoming age of pervasive computing => security will be important for most applications
     • Security in sensor networks is complicated by the constrained capabilities of the hardware and by the following properties:
       • severely constrained computation, memory, and energy resources
       • susceptible to physical capture and compromise
       • use wireless communication
     • Security also needs to scale to large-scale deployments

  4. Threat and Trust Model
     • Outsider Attacks
       • Attacks from an unauthorized participant of the sensor network
       • Eavesdrop to steal private or sensitive information
       • Alter or spoof packets to infringe on the authenticity of communication
       • DoS attacks such as jamming and battery depletion attacks
       • Capture and physically destroy nodes
       • Benign node failures result from non-adversarial factors such as catastrophic climate events
     • Insider Attacks / Node Compromise
       • Node compromise is the central problem in sensor network security
       • The compromised node is an authorized participant in the sensor network
       • Captured and reprogrammed by the attacker
       • Running some malicious code
       • Radio compatible with the sensor nodes

  5. Threat and Trust Model
     • The Base Station as a Point of Trust
       • The base station (BS) can act as a central trusted authority in protocol design
       • Much more powerful node with rich computational, memory, and radio resources
       • Assume that the BS is physically protected or has tamper-robust hardware
     • Scalability is a major concern if the BS is used as a central trusted authority
       • BS acts as a trusted intermediary to establish pairwise keys
       • BS becomes a scalability bottleneck
         • has to help set up d × n/2 keys (d: # of neighbors, n: # of nodes)
       • The nodes neighboring the BS suffer from higher communication overhead

  6. Security Requirements
     • Desired Properties
     • Authentication
     • Secrecy
     • Availability
     • Service Integrity

  7. Desired Properties
     • Robustness against Outsider Attacks
       • protect against eavesdropping and packet injection
       • robust to node failures
     • Resilience to Insider Attacks, Graceful Degradation with Respect to Node Compromise
       • mechanisms to deal with compromised nodes are required
       • mechanisms that are resilient to node compromise
       • graceful degradation when a small fraction of nodes is compromised
     • Realistic Levels of Security
       • the security concerns of a sensor network and the level of security desired may differ according to application-specific needs

  8. Authentication
     • To detect maliciously injected or spoofed packets
       • source authentication: verify the origin of a packet
       • data authentication: ensure data integrity
     • Almost all applications require data authentication
       • military and safety-critical applications: an attacker could inject false data reports or malicious routing information
       • other applications are still risk-prone without authentication: people can meddle with the sensor network protocols solely out of mischief
     • Authentication does not solve the problem of compromised nodes
       • intrusion detection techniques are needed to find compromised nodes and revoke their cryptographic keys network-wide

  9. Secrecy
     • Ensuring the secrecy of sensed data to protect it from eavesdroppers
       • use standard encryption functions
     • Encryption is not sufficient for protecting the privacy of data
       • traffic analysis on the overheard ciphertext
       • appropriate access control policies at the BS are needed, e.g. for a person locator application
     • Node compromise complicates the problem of secrecy
       • sensitive data may be released by a compromised node
       • if a group shared key is used, a compromised node can eavesdrop on and decrypt the communication between other nodes within its RF range

  10. Availability
     • The network must remain functional throughout its lifetime
     • DoS attacks often result in a loss of availability
       • in a manufacturing monitoring application: may cause failure to detect a potential accident and result in financial loss
       • in a battlefield surveillance application: may open a back door for enemy invasion
     • Various attacks can compromise availability
       • important to achieve graceful degradation in the presence of node compromise or benign node failures

  11. Service Integrity
     • Above the networking layer, the sensor network usually implements several application-level services
     • Secure data aggregation
       • obtain a relatively accurate estimate of the real-world quantity being measured
       • detect and reject a reported value that is significantly distorted by corrupted nodes
     • Time synchronization service
       • current protocols assume a trusted environment
       • open research problem: how to develop a time synchronization protocol that degrades gracefully in the presence of compromised nodes

  12. Attacks and Countermeasures
     • On Secrecy and Authentication
     • On Availability
     • Stealthy Attacks against Service Integrity

  13. On Secrecy and Authentication
     • Key Establishment and Management
       • Key establishment problem: how to set up secret keys between a pair of nodes in the network
       • Global key stored on each sensor node prior to deployment
         • compromise one node: all communication links are compromised
       • Public key cryptography
         • computational cost may be too high
         • may open up the network to DoS attacks: bogus messages force the receiver to perform signature verification
       => Random key predistribution techniques
       • Further research is necessary to improve scalability, resilience to node compromise, memory requirements, and communication overhead

  14. Broadcast/Multicast Authentication
     • Broadcast and multicast are indispensable for sensor networks
       • source authentication poses a new research challenge
     • Digital signatures
       • public key cryptography is too costly for sensor networks
     => μTESLA protocol
       • provides secure broadcast authentication assuming loose time synchronization between sensor nodes
       • introduces asymmetry into symmetric key cryptography through delayed key disclosure and one-way function key chains
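Added example (not code from the presentation or from the μTESLA authors): a Python model of the one-way key chain and delayed key disclosure described on this slide. Time is modelled as integer interval numbers, the disclosure delay d and the receiver's maximum clock error are assumed parameters, and SHA-256 stands in for the one-way functions.

```python
import hashlib
import hmac
def f(key):        # one-way function that links the chain: K_i = f(K_{i+1})
    return hashlib.sha256(key).digest()

def f_mac(key):    # derive the interval's MAC key from its chain key
    return hashlib.sha256(b"mac" + key).digest()

def make_key_chain(seed, n):
    chain = [seed]                        # seed is K_n, the last key of the chain
    for _ in range(n):
        chain.append(f(chain[-1]))
    return chain[::-1]                    # [K_0, ..., K_n]; K_0 is the commitment

def send(chain, d, i, msg):
    # Packet of interval i: MAC under K_i, plus disclosure of K_{i-d} (None if not yet)
    mac = hmac.new(f_mac(chain[i]), msg, hashlib.sha256).digest()
    j = i - d
    return (i, msg, mac, j, chain[j] if j >= 1 else None)
class Receiver:
    def __init__(self, commitment, d, max_sync_error):
        self.known_key, self.known_idx = commitment, 0   # last authenticated key K_j
        self.d, self.delta = d, max_sync_error
        self.buffer, self.authenticated = {}, []
    def receive(self, pkt, local_interval):
        i, msg, mac, j, key = pkt
        # Security condition: drop if the sender may already have disclosed K_i
        if local_interval + self.delta >= i + self.d:
            return False
        self.buffer.setdefault(i, []).append((msg, mac))
        if key is not None:
            self.process_key(j, key)
        return True
    def process_key(self, j, key):
        # Check K_j hashes down to the last authenticated key, then verify buffered MACs
        if j <= self.known_idx:
            return False
        keys, k = {j: key}, key
        for t in range(j - 1, self.known_idx - 1, -1):
            k = keys[t] = f(k)
        if k != self.known_key:
            return False                  # forged: not on the committed chain
        self.known_key, self.known_idx = key, j
        for t, kt in keys.items():        # also covers intervals whose disclosure was lost
            mk = f_mac(kt)
            for msg, mac in self.buffer.pop(t, []):
                if hmac.compare_digest(hmac.new(mk, msg, hashlib.sha256).digest(), mac):
                    self.authenticated.append(msg)
        return True
```

A packet is only ever authenticated after its key is disclosed, and a packet that arrives once its key could already be public is dropped before any MAC check.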

  15. On Availability
     • Jamming and Packet Injection
       • Physical layer: interfering RF signals to impede communication
         • draining the nodes' batteries
         => frequency hopping and spread spectrum communication
       • Link layer: jamming exploits properties of medium access control
         • malicious collisions or an unfair share of the radio resource
         => design secure medium access control protocols: error correcting codes, rate limitation, small frames
       • Networking layer: inject malicious packets
         => authentication to enable the receiver to detect malicious packets
         => message freshness through nonces to detect replayed packets

  16. The Sybil Attack
     • A malicious node illegitimately claims multiple identities
       • MAC layer: obtain a dominating fraction of the shared radio resource
       • Routing layer: lure network traffic to go through the same physical malicious entity
         • with high probability a Sybil identity will be selected as the next hop
         • a "sinkhole" is created and the attacker performs selective forwarding
     => Leverage the key predistribution process
       • associate each node's identity with the keys assigned to it
       • spoofing an identity can succeed only when the attacker holds the corresponding keys
       • otherwise, it either fails to establish a communication link with the network or fails to survive validation
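Added example (not code from the presentation or from the cited papers) covering both the random key predistribution of slide 13 and the identity-to-key binding of slide 16: each node's key ring indices are a public function of its id, so a neighbour can challenge a claimed identity for the pool keys it should hold. The hash-based index assignment, pool size and ring size are illustrative assumptions.

```python
import hashlib
import hmac
import random
import secrets
def key_indices(node_id, pool_size, ring_size):
    # Identity-bound assignment: which pool keys an id is entitled to is a public
    # function of the id, so any node can recompute the ring for a claimed identity.
    assert ring_size <= pool_size
    idx, ctr = [], 0
    while len(idx) < ring_size:
        h = hashlib.sha256(f"{node_id}:{ctr}".encode()).digest()
        i = int.from_bytes(h[:4], "big") % pool_size
        if i not in idx: idx.append(i)
        ctr += 1
    return idx

class Node:
    def __init__(self, node_id, pool, ring_size):
        self.id, self.pool_size, self.ring_size = node_id, len(pool), ring_size
        # Key ring loaded before deployment; the full pool never leaves the deployer
        self.ring = {i: pool[i] for i in key_indices(node_id, len(pool), ring_size)}
    def shared_with(self, other_id):
        return sorted(set(self.ring) & set(key_indices(other_id, self.pool_size, self.ring_size)))
    def respond(self, index, nonce):
        # Prove possession of pool key `index`; a node that lacks it cannot answer
        k = self.ring.get(index)
        return hmac.new(k, nonce, hashlib.sha256).digest() if k else None
def validate_identity(verifier, claimed_id, prover):
    # True/False when the verifier shares keys with the claimed id; None if it cannot check
    shared = verifier.shared_with(claimed_id)
    if not shared:
        return None
    nonce = secrets.token_bytes(16)
    for i in shared:
        expected = hmac.new(verifier.ring[i], nonce, hashlib.sha256).digest()
        resp = prover.respond(i, nonce)
        if resp is None or not hmac.compare_digest(resp, expected):
            return False              # claims an identity without its keys: Sybil/spoof
    return True

def share_probability(pool_size, ring_size, pairs=200, seed=1):
    # Empirical chance that two random ids share at least one key (link connectivity)
    rng = random.Random(seed)
    hits = 0
    for _ in range(pairs):
        a, b = rng.randrange(1 << 20), rng.randrange(1 << 20)
        if set(key_indices(a, pool_size, ring_size)) & set(key_indices(b, pool_size, ring_size)):
            hits += 1
    return hits / pairs
```

With a small pool and large rings almost every pair shares a key, but a node claiming a second identity fails the challenge because it cannot answer for keys it was never issued.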

  17. Miscellaneous Attacks against Routing
     • Routing availability is sacrificed if an intended recipient is denied the message
     • With compromised nodes, a simple attack is to drop packets or perform selective forwarding
     • Spreading bogus routing information, creating sinkholes or wormholes, and HELLO flooding are more sophisticated attacks
     => Multipath routing is a possible defense
       • use multiple disjoint paths to route a message
       • unlikely that every path is controlled by compromised nodes

  18. Stealthy Attacks against Service Integrity
     • Goal: make the network accept a false data value
       • false data value => false aggregation result
     • Examples of stealthy attacks
       • corrupted sensor/aggregator: reports significantly biased or fictitious values
       • Sybil attack: lets one compromised node have greater impact on the aggregated result
       • DoS attacks: legitimate nodes cannot report their sensor readings to the base station
     • Consider time synchronization
       • disseminate false timing information to desynchronize nodes
     => Secure Information Aggregation (SIA) protocol
       • studies stealthy attacks in the data aggregation context and proposes SIA, which is robust to them

  19. Promising Research Directions
     • Code Attestation
     • Secure Misbehavior Detection and Node Revocation
     • Secure Routing
     • Secure Localization
     • Efficient Cryptographic Primitives

  20. Code Attestation
     • Coping with compromised nodes is the most difficult challenge
     => Use code attestation to validate the code running on each sensor
       • detect compromised nodes by verifying their memory content
     • Hardware: vision of a new trusted computing age
       • equipped with trusted hardware (developed by TCG, NGSCB)
       • build attestation mechanisms exploiting the trusted hardware
       • a remote party can verify the code running on a device
       • reducing cost, enhancing efficiency, and minimizing energy consumption is essential
     • Code attestation through pure software means
       • so far little research has been done in this aspect
       • a promising research direction
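Added example (not code from the presentation): a toy challenge-response attestation in which a verifier that knows the expected firmware image checks a keyed digest over the node's entire program memory. The memory size, filler byte for unused memory and the use of HMAC-SHA256 as the checksum are constructed assumptions, not any real attestation scheme's algorithm.

```python
import hashlib
import hmac
import secrets

MEMORY_SIZE = 256          # assumed: total program memory of the toy node (bytes)
FILLER = b"\xff"           # assumed content of unused memory; attested too, so code cannot hide there

def attest_memory(memory, nonce):
    # Device-side routine: keyed digest over ALL program memory under the verifier's nonce
    assert len(memory) == MEMORY_SIZE
    return hmac.new(nonce, memory, hashlib.sha256).digest()

class Verifier:
    def __init__(self, expected_image):
        self.expected = expected_image.ljust(MEMORY_SIZE, FILLER)   # known-good image
    def challenge(self):
        return secrets.token_bytes(16)     # fresh nonce: a cached old answer will not match
    def check(self, nonce, response):
        return hmac.compare_digest(attest_memory(self.expected, nonce), response)

class HonestNode:
    def __init__(self, image):
        self.memory = image.ljust(MEMORY_SIZE, FILLER)
    def respond(self, nonce):
        return attest_memory(self.memory, nonce)

class ReprogrammedNode:
    # Compromised node: malicious code appended to the image; may try to replay a cached answer
    def __init__(self, image, malicious_code, cached_response=None):
        self.memory = (image + malicious_code).ljust(MEMORY_SIZE, FILLER)
        self.cached = cached_response
    def respond(self, nonce):
        return self.cached if self.cached is not None else attest_memory(self.memory, nonce)

def run_attestation(verifier, node):
    # One round: verifier picks the nonce, the node answers, verifier compares with its image
    nonce = verifier.challenge()
    return verifier.check(nonce, node.respond(nonce))
```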

  21. Secure Misbehavior Detection and Node Revocation
     • Detect and revoke compromised nodes in a timely fashion
     • Use a distributed voting system to tackle the problem
     • Potential problems
       • Malicious nodes can slander legitimate nodes
         • cast votes against legitimate nodes
       • A malicious node can make a legitimate node look bad to other legitimate nodes
         • pretend to be a victim to make a legitimate node look bad
     ☞ Limit each node to m potential votes

  22. Secure Routing
     • Should enable communication despite adversarial activities
     • So far, routing protocols for sensor networks assume a trusted environment
     • Secure routing protocols for ad hoc networks
       • prevent tampering with the routing protocol by compromised nodes
       • prevent a large number of types of DoS attacks
       • utilize efficient symmetric key primitives
       • may still be too heavyweight for sensor networks
     • Sensor networks differ from ad hoc networks
       • usually immobile
       • traffic patterns: data-centric
     => A secure routing protocol well suited to sensor networks is required

  23. Secure Localization
     • Two aspects of the secure localization problem
       • A sensor node can accurately determine its geographic coordinates in an adversarial environment
       • A malicious node cannot claim a false position to the infrastructure
     • Securing location determination
       • prerequisite for secure geographic routing
       • helps to solve the wormhole attack and the Sybil attack
         • wormhole attack: a route in which two consecutive nodes are geographically distant casts suspicion on the integrity of the route
         • Sybil attack: a concentration of nodes in a small geographic area is suspicious
       • an important building block for securing sensor networks

  24. Efficient Cryptographic Primitives
     • Traditional security solutions are often too expensive for sensor networks
     • SPINS protocol suite
       • leverages efficient block ciphers to perform a variety of cryptographic operations
     • TinySec: link layer security for tiny devices
       • trades off efficiency and security
     • More research in this domain is necessary
       • especially in exploring the use of efficient asymmetric cryptographic mechanisms for key establishment and digital signatures

  25. Conclusion
     • Sensor networks will play an important role in critical military applications as well as pervade our daily life
     • However, security concerns constitute a potential stumbling block to the impending wide deployment of sensor networks
     • Several exciting research challenges remain before we can trust sensor networks to take over important missions
