1 ESAS 2004 New Research Challenges for the Security of Ad Hoc and Sensor Networks Jean-Pierre...


1

ESAS 2004

New Research Challenges for the Security of Ad Hoc and Sensor Networks

Jean-Pierre Hubaux

EPFL

2

New Research Challenges for the Security of Ad Hoc and Sensor Networks

Some current research themes
- Key establishment
- Secure routing
- Provable encounters
- Cooperation: the network layer perspective

New theme 1: Cooperation: the MAC layer perspective

New theme 2: Secure positioning
- Verifiable multilateration
- Application to vehicle networks
- Application to sensor networks

New theme 3: Denial of Service attacks

3

Key establishment techniques in ad hoc networks

Underlying questions:

• What is the identity of a node?

• What is the relationship between the user and the node?

• What does trust mean in such a framework?

Approaches:

- Presence of an authority, at least in the initialization phase; usually based on threshold cryptography
- No authority: keys are generated by the nodes
- Specialized nodes (servers)
- Centralized secret share dealer
- Secure public key management: similarity with PGP; certificate and trust relationships
- Mobility helps security

4

Establishment of security associations (“Mobility helps security”, Mobihoc 2003)

Infrared link

(Alice, PuKAlice, XYZ)

(Bob, PuKBob, UVW)

Visual recognition, conscious establishment of a two-way security association

Secure side channel
- Typically short distance (a few meters)
- Line of sight required
- Ensures integrity
- Confidentiality not required

[Figure: Alice and Bob, each with a Name and a NodeId]

5

Pace of establishment of the security associations
- Depends on several factors:
  - Area size
  - Number of communication partners: s
  - Number of nodes: n
  - Number of friends
  - Mobility model and its parameters (speed, pause times, …)

Established security associations :

Desired security associations :

Convergence :

6

Simulation results, random waypoint

Various power ranges (automatic establishment of security associations)

[Plot: vertical axis from 0 to 1; horizontal axis: time (s), 10 to 1000000; curves: power range 5m, power range 50m, power range 100m]

- random waypoint
- simulation area: 1000 x 1000 m rect.
- number of nodes: n=100
- pause time: 100s
- confidence intervals: 95%

7

Probabilistic key sharing

Key setup in sensor networks (Eschenauer and Gligor, 2002)

- key pre-distribution
  - generation of a large pool of P keys
  - random drawing of k keys out of P
  - loading of the key ring into each sensor
- shared-key discovery
  - upon initialization every node discovers its neighbors with which it shares keys
- path-key establishment (- - -)
  - assigns a path-key to neighbors w/o shared key
  - multiple disjoint paths exist between two nodes
  - example (A,B)

Consequences

- node-to-node authentication ?
- key revocation scope ?
- Re-keying ?
- resilience: effect of sensor-node capture ?
- network extension

Courtesy: Virgil Gligor
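
The three phases listed on this slide, as an added example that is not part of the original slides or of the Eschenauer and Gligor paper. Function names, the sample pool sizes and the "smallest shared key id is the link key" convention are assumptions made for illustration; the capture function measures how many links between uncaptured nodes an adversary can read after extracting the key rings of captured sensors.

```python
import math
import random

def share_probability(P, k):
    """Probability that two random k-key rings drawn from a pool of P share a key."""
    if 2 * k > P:
        return 1.0  # pigeonhole: the two rings must overlap
    return 1.0 - math.comb(P - k, k) / math.comb(P, k)

def predistribute(n, P, k, rng):
    """Key pre-distribution: each of n sensors is loaded with k key ids out of P."""
    return [frozenset(rng.sample(range(P), k)) for _ in range(n)]

def shared_key_discovery(rings, a, b):
    """Key ids both neighbours hold; an empty set means a path key is needed."""
    return rings[a] & rings[b]

def path_key_relay(rings, a, b, neighbours):
    """Path-key establishment: a neighbour that shares a key with both a and b."""
    for r in neighbours:
        if r not in (a, b) and rings[r] & rings[a] and rings[r] & rings[b]:
            return r
    return None

def capture_exposure(rings, captured):
    """Fraction of links between uncaptured nodes whose key the adversary now holds."""
    known = set().union(*(rings[c] for c in captured))
    others = [i for i in range(len(rings)) if i not in captured]
    links = exposed = 0
    for i, a in enumerate(others):
        for b in others[i + 1:]:
            common = rings[a] & rings[b]
            if common:
                links += 1
                # assumed convention: the smallest shared key id secures the link
                exposed += min(common) in known
    return exposed / links if links else 0.0

if __name__ == "__main__":
    rings = predistribute(200, 1000, 30, random.Random(7))  # constructed sizes
    print("analytic share probability:", round(share_probability(1000, 30), 3))
    print("links exposed by 5 captures:", round(capture_exposure(rings, {0, 1, 2, 3, 4}), 3))
```

Because every key in a captured ring may also protect links between nodes that were never captured, the exposure grows with the number of captured sensors, which is the resilience question the slide raises.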

8

Secure routing in ad hoc networks

[Table: secure routing proposals, by routing protocol and attack]

- Routing protocols: DSR, AODV, FRESH, OLSR
- Attacks: General, Wormhole, Rushing attacks, Blackhole attack
- Entries: Ariadne, SRP, Packet leashes, RAP, SEAD, ARAN, SAODV, SECTOR, I.T.

I.T. : Incentive Techniques (assuming nodes are rational)

9

Provable encounters (“SECTOR”, SASN 2003)

- Initial distribution of keys/hash values

- Encounter certification comprised of the following phases:

- Authentication

- Distance bounding (cf. also Brands and Chaum, 1993)

- Issuance of the proof of encounter

a) Guaranteeing Encounter Freshness (GEF)

b) Guaranteeing the Time of Encounter (GTE)

- Encounter verification comprised of the following phases:

- Authentication

- Verification

[Figure: encounter certification between claimant and certifier; encounter verification between claimant and verifier]

Solution based on hash chains and on Merkle trees

10

Cooperation in self-organized systems

Question: how to enforce cooperation, if each node is its own authority?

Solutions:
• based typically on game theory, on reputation systems, on micropayments
• proposed by NEC, UC Berkeley, Stanford, CMU, Cornell, U. of Washington, Yale, UCSD, Eurécom, EPFL,…
• address different scenarios: pure ad hoc, multi-hop access to the backbone,…
• consider the problem at the network layer (and focus primarily on packet forwarding)

[Figure: sources S1, S2 and destinations D1, D2]

11

Cooperation between nodes (a closer look)

[Figure: five nodes, each with a Routing layer and a MAC layer]

MAC : Medium Access Control : manages the shared transmission medium (the radio link in this case) in a fully distributed way

Question 1: How do we prevent greedy behaviour on the MAC layer of multi-hop wireless networks?

Question 1’: How is this problem solved today in WiFi hotspots?

Answer: It is not solved!

12

Question 1’: How do we prevent greedy behavior at the MAC layer in WiFi hotspots?

[Figure: two well-behaved nodes and an access point]

The access point is trusted

The MAC layer is fair: if users have similar needs, they obtain a similar share of the bandwidth

13

Question 1’: Preventing greedy behavior at the MAC layer in WiFi hotspots

[Figure: a well-behaved node, a cheater and an access point]

The access point is trusted

14

IEEE 802.11 MAC – Brief reminder

• IEEE 802.11 is the MAC protocol used in WiFi
• By default, it is the one used in wireless multi-hop networks

15

Greedy technique 1/4: oversized NAV

16

Greedy technique 2/4: transmit before DIFS

17

Greedy technique 3/4 : scramble others’ frames

18

Greedy technique 4/4: pick a shorter backoff

Implementation of this cheating technique: 3 lines of code!

19

Proposed solution: DOMINO

DOMINO: System for Detection Of greedy behaviour in the MAC layer of WiFi public NetwOrks (Raya, Hubaux, Aad, Mobisys 2004)

Idea: monitor the traffic and detect deviations by comparing average values of observed users

Detection tests: statistical comparison of the observed protocol behaviour

Features:

• Full standard compliance

• Needs to be implemented only at the Access Point

• Simple and efficient

The operator decides the amount of evidence required before taking action (in order e.g. to prevent false positives)

Other solution: Kyasanur + Vaidya, DSN 2003 (but not protocol compliant)

20

Detection Tests of DOMINO

Cheating method: Detection test

- Frame scrambling: Number of retransmissions
- Oversized NAV: Comparison of the declared and actual NAV values
- Transmission before DIFS: Comparison of the idle time after the last ACK with DIFS
- Backoff manipulation:
  - Maximum backoff: the maximum should be close to CWmin - 1
  - Actual backoff
  - Consecutive backoff

21

Simulation of cheating and detection

Cheating technique: Backoff manipulation

Traffic:
- Constant Bit Rate / UDP traffic
- FTP / TCP traffic

misbehavior coefficient (m): cheater chooses its backoff as (1 - m) x CWmin

Simulation environment: ns-2
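
An access-point-side sketch of two of the backoff tests named above (maximum backoff and actual backoff), added here as an example and not taken from the DOMINO implementation. The value CWMIN = 32, the thresholds alpha and beta, the window size, the k-consecutive-windows rule standing in for "amount of evidence required", and the model of a cheater as a uniform draw from a window shrunk to (1 - m) x CWmin are all assumptions; the backoff samples are constructed.

```python
import random

CWMIN = 32  # assumed contention window: honest backoff is uniform in [0, CWMIN - 1]

def observe_backoffs(n, m, rng):
    """Constructed backoff samples for a station with misbehavior coefficient m."""
    window = max(1, round((1 - m) * CWMIN))  # m = 0 is a well-behaved station
    return [rng.randrange(window) for _ in range(n)]

def suspicious(samples, alpha=0.8, beta=0.8):
    """Return the names of the detection tests that one monitoring window fails."""
    failed = []
    # Maximum backoff test: the largest observed value should be close to CWMIN - 1.
    if max(samples) < beta * (CWMIN - 1):
        failed.append("maximum backoff")
    # Actual backoff test: compare the average with the nominal mean (CWMIN - 1) / 2.
    if sum(samples) / len(samples) < alpha * (CWMIN - 1) / 2:
        failed.append("actual backoff")
    return failed

def domino_verdict(samples, window=50, k=3, **thresholds):
    """Flag a station only after k consecutive suspicious monitoring windows."""
    streak = 0
    for i in range(0, len(samples) - window + 1, window):
        if suspicious(samples[i:i + window], **thresholds):
            streak += 1
        else:
            streak = 0  # evidence must be consecutive, which limits false positives
        if streak >= k:
            return True
    return False

if __name__ == "__main__":
    rng = random.Random(2004)
    for m in (0.0, 0.5, 0.9):
        print(f"m={m}: flagged={domino_verdict(observe_backoffs(500, m, rng))}")
```

Raising k or lowering alpha and beta trades detection delay against false positives, which is the operator decision the DOMINO slide mentions.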

22

Simulation results

• Each point corresponds to 100 simulations
• Confidence intervals: 95%

23

Implementation of the demo prototype

Equipment
- Adapters based on the Atheros AR5212 chipset
- MADWIFI driver

Misbehavior: backoff
- Overwrite the values CWmin and CWmax (in driver)

Monitoring
- The driver in MONITOR mode
- prism2 frame header

[Figure: AP, DOMINO, Cheater, Well-behaved]

24

Conclusion on the prevention of greedy behaviour at the MAC layer

- There exist greedy techniques against hotspots
- Some of these techniques are straightforward
- We have proposed, implemented and patented a simple solution, DOMINO, to prevent them (http://domino.epfl.ch)
- The same problem in self-organized wireless systems is still unsolved. Can it be solved?
- Game-theoretic study: M. Cagalj, S. Ganeriwal, I. Aad and J.-P. Hubaux, "On Cheating in CSMA/CA Networks", Technical report No. IC/2004/27, July 2004
- Many problems still need to be solved in this field

25

Question 2: How to securely locate a node

Being able to securely verify the positions of devices can enable:

- Location-based access control (e.g., prevention of the parking lot attack)
- Detection of displacement of valuables
- Detection of stealing
- Location-based charging
- …

In multi-hop networks
- Secure routing
- Secure positioning
- Secure data harvesting (sensor networks)
- …

[Figure: communication tower and nodes v1, v3, v4, v5]

26

Attacks against sensor networks positions

[Figure, four panels: panels a) and b) show the wormhole and node displacement attacks; c) Malicious distance enlargement; d) Dissemination of false location and distance information]

Legend: v - honest node; m - malicious node; c - compromised node

Figure labels: node's actual location, node's actual distance, node's measured distance, node's reported location

27

Positioning systems (and prototypes)

- GPS, Galileo, Glonass (Outdoor, Radio Frequency (RF) – Time of Flight (ToF))

- Active Badge (Indoor, Infrared (IR)), Olivetti

- Active Bat, Cricket (Indoor, Ultrasound (US)-based), AT&T Lab Cambridge, MIT

- RADAR, SpotON, Nibble (Indoor/Outdoor, RF-RSS), Microsoft, Univ of Washington, UCLA+Xerox Palo Alto Lab

- Ultra Wideband Precision Asset Location System (Indoor/Outdoor, RF-(UWB)-ToF), Multispectral solutions, Inc.

Ad Hoc/Sensor Network positioning systems:

- Convex position estimation (Centralized), UC Berkeley

- Angle of Arrival based positioning (Distributed, Angle of Arrival), Rutgers

- Dynamic fine-grained localization (Distributed), UCLA

- GPS-less low cost outdoor localization (Distributed, Landmark-based), UCLA

- GPS-free positioning (Distributed), EPFL

28

Distance measurement techniques

- Based on the speed of light (RF, Ir)
  - A and B are synchronized (ToF): $d_{ABm} = (t_r - t_s)\,c$
  - A and B are NOT synchronized (round-trip ToF): $d_{ABm} = (t_r - t_s - t_{procB})\,c/2$

- Based on the speed of sound (Ultrasound)
  - $d_{ABm} = (t_{r(RF)} - t_{r(US)})\,s$

- Based on Received Signal Strength (RSS)

29

Attacks on RF and US ToF-based techniques

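- Dishonest device: cheat on the time of sending ($t_s$) or time of reception ($t_r$)
  - A and B are assumed to be synchronised: $d_{ABm} = (t_r - t_s)\,c$

- Malicious attacker M: 2 steps:
  1. Overhear and jam
  2. Replay with a delay $\Delta t$
  - $d_{ABm} = (t_r + \Delta t - t_s)\,c \Rightarrow d_{ABm} > d_{AB}$

[Figure: timelines of A, M and B with the labels $t_s$, $t_s + \Delta t$, $t_r$ and $t_r + \Delta t$]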

30

Summary of possible attacks on distance measurement

Technique: dishonest nodes / malicious attackers

- RSS (Received Signal Strength): Distance enlargement and reduction / Distance enlargement and reduction
- Ultrasound Time of Flight: Distance enlargement and reduction / Distance enlargement and reduction
- Radio Time of Flight: Distance enlargement and reduction / Distance enlargement only

31

The challenge of secure positioning

- Goals:

- preventing a dishonest node from cheating about its own position

- preventing a malicious attacker from spoofing the position of an honest node

- Our proposal: Verifiable Multilateration

32

Distance Bounding (RF)

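[Figure: message exchange between BS and A, with the labels $t_s$, $N_{BS}$, $t_r$, $N_A$, $t_{procA}$ and $\varepsilon$]

- Introduced in 1993 by Brands and Chaum (to prevent the Mafia fraud attack)

$d_{real} \le d_b = (t_r - t_s)\,c/2$ ($d_b$ = distance bound)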

33

Distance bounding characteristics

Technique: dishonest nodes / malicious attackers

- RSS: Distance enlargement and reduction / Distance enlargement and reduction
- US ToF: Distance enlargement and reduction / Distance enlargement and reduction
- RF ToF: Distance enlargement and reduction / Distance enlargement only
- RF Distance Bounding: Distance enlargement only / Distance enlargement only
- US Distance Bounding: Distance enlargement only / Distance enlargement and reduction

- RF distance bounding:
  - nanosecond precision required, 1ns ~ 30cm
  - UWB enables clock precision up to 2ns and 1m positioning indoor and outdoor (up to 2km)

- US distance bounding:
  - millisecond precision required, 1ms ~ 35cm

34

Verifiable Multilateration (Trilateration)

[Figure: verifiers BS1, BS2 and BS3 form the verification triangle; node A at (x,y); distance bounding between A and the verifiers]

35

Properties of Verifiable Multilateration

- a malicious attacker cannot spoof the position of a node such that it seems that the node is at a position different from its real position within the triangle

- a node located within the triangle cannot prove to be at another position within the triangle except at its true position.

- a node located outside the triangle formed by the verifiers cannot prove to be at any position within the triangle

- a malicious attacker cannot spoof the position of a node such that it seems that it is located at a position within the triangle, if the node is outside the triangle

The same holds in 3-D, with a triangular pyramid instead of a triangle
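
One way a verifier could check these properties in 2-D, added here as an example and not taken from the slides or the cited technical reports. The verifier coordinates, the tolerance delta and all function names are assumptions; the cheating model follows the RF distance bounding row above, where a distance bound can only be enlarged, never reduced.

```python
import math

def trilaterate(bs, d):
    """Position from three distance bounds, via the two linearised circle equations."""
    (x1, y1), (x2, y2), (x3, y3) = bs
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c, e = 2 * (x3 - x1), 2 * (y3 - y1)
    r1 = d[0]**2 - d[1]**2 + x2**2 + y2**2 - x1**2 - y1**2
    r2 = d[0]**2 - d[2]**2 + x3**2 + y3**2 - x1**2 - y1**2
    det = a * e - b * c  # zero only when the three verifiers are collinear
    return ((r1 * e - b * r2) / det, (a * r2 - r1 * c) / det)

def inside_triangle(p, bs):
    """True if p lies in the verification triangle (same sign for all edge tests)."""
    def cross(o, u, v):
        return (u[0] - o[0]) * (v[1] - o[1]) - (u[1] - o[1]) * (v[0] - o[0])
    s = [cross(bs[i], bs[(i + 1) % 3], p) for i in range(3)]
    return all(v >= 0 for v in s) or all(v <= 0 for v in s)

def verify_position(bs, bounds, delta=0.5):
    """Accept only if the bounds agree with one point and that point is in the triangle."""
    p = trilaterate(bs, bounds)
    consistent = all(abs(math.dist(p, v) - d) <= delta for v, d in zip(bs, bounds))
    return consistent and inside_triangle(p, bs), p

def enlarged(bs, true_pos, extra):
    """Distance bounds when measurement i is enlarged by extra[i] >= 0 (no reduction)."""
    return [math.dist(true_pos, v) + x for v, x in zip(bs, extra)]

if __name__ == "__main__":
    BS = [(0.0, 0.0), (100.0, 0.0), (50.0, 100.0)]  # constructed verifier positions
    cases = {
        "honest node inside": enlarged(BS, (40, 30), [0, 0, 0]),
        "inside, one bound enlarged": enlarged(BS, (40, 30), [20, 0, 0]),
        "outside, bounds enlarged": enlarged(BS, (50, -20), [10, 10, 0]),
    }
    for name, bounds in cases.items():
        print(name, verify_position(BS, bounds))
```

Moving the computed point anywhere else inside the triangle would require reducing the distance to at least one verifier, so enlarging bounds only produces either an inconsistent set of distances or a point outside the triangle.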

36

Conclusion on secure positioning

- New research area
- Time of flight seems to be the most appropriate technique
- Initial solutions for:
  - Hand-held / automotive devices
  - Sensor networks

Srdjan Capkun and Jean-Pierre Hubaux, Securing position and distance verification in wireless networks, Technical report EPFL/IC/2004-43, May 2004

Srdjan Capkun and Jean-Pierre Hubaux, Secure Positioning in Sensor Networks, Technical report EPFL/IC/2004-44, June 2004

(More information available at Srdjan’s home page: SecLoW)

37

Denial of service attacks

TCP can be highly vulnerable to protocol-compliant attacks:
• Packet reordering
• Packet delaying
• Packet dropping

Aad, Hubaux, Knightly, Mobicom 2004

Illustration of the « JellyFish » re-order attack

• Isolated relay chain
• Single JF
• Standard 802.11, 2Mb/s
• TCP-Sack
• Simulator: ns-2

38

Conclusion

The security of ad hoc and sensor networks is a strategic research topic

The kind of considered scenario (nature of the network authority, attacker model, capabilities of the nodes,…) can radically influence the solution to be chosen

The study of security problems in the framework of self-organized wireless systems can help identify problems of, and solutions for, conventional networks

39

Upcoming Events

WiSe 2004 : 3rd ACM Workshop on Wireless Security, Philadelphia, October 1

VANET 2004 : 1st ACM Workshop on Vehicular Ad Hoc Networks, Philadelphia, October 1

SASN 2004 : ACM Workshop on Security of Ad Hoc and Sensor Networks, October 25, Washington DC

escar 2004 : 2nd Workshop on Security in Cars, Bochum, November 10-11
