Security in ad hoc networks UCLA EE Chris Kurpinski Sungha Kim

UCLA EE Chris Kurpinski Sungha Kim · Sungha Kim. Outline Introduction Security Requirements of Wireless Ad-Hoc Networks Typical attacks on Wireless Ad-Hoc Networks Security protocols

Security in ad hoc networks

UCLA EE

Chris Kurpinski

Sungha Kim

Outline

• Introduction
• Security Requirements of Wireless Ad-Hoc Networks
• Typical attacks on Wireless Ad-Hoc Networks
• Security protocols and methods for ad-hoc networks

Motivation

• Security is the most often cited concern with wireless networks
• Wireless networks pose unique security problems
• Power and computation constraints are often higher in wireless networks, making security requirements different

Requirements for network security

• Data confidentiality: keep data secret (usually accomplished by encryption)
• Data integrity: prevent data from being altered (usually accomplished by encryption)
• Data freshness: data is recent
  • Weak freshness: provides partial ordering of messages
  • Strong freshness: provides total ordering and allows for delay estimation
• Data availability: data should be available on request
• Data authentication: verification that the data or request came from a specific, valid sender

Why security on sensors is hard

• Constraints
  • Peanut CPU (slow computation rate)
  • Battery power: trade-off between security and battery life
  • Limited memory
  • High latency: conserve power, turn on periodically
• Nature of wireless ad-hoc network
  • Every node can be a target
  • No trusted peer
    • Decentralized and cooperative participation of all nodes
• Encryption and authentication cannot eliminate threats
  • No matter how many intrusion prevention measures are inserted in a network, there are always some weak links that one could exploit to break in

Wireless Ad-Hoc Network Security Methods

• Public-key cryptography overview
• Public-key cryptography for wireless:
  • Key distribution: Certification Authorities, PGP (Pretty Good Privacy)
• Imprinting
• SPINS
  • SNEP
  • µTESLA
• Intrusion Detection

Public-key cryptography overview

• Alice chooses a random large integer $a$ and sends Bob $X = g^{a} \bmod n$
• Bob chooses a random large integer $b$ and sends Alice $Y = g^{b} \bmod n$
• Alice computes $k = Y^{a} \bmod n$
• Bob computes $k' = X^{b} \bmod n$
• Both $k$ and $k'$ are equal to $g^{ab} \bmod n$

Public-key cryptography overview

• Key agreement protocol

[Figure: Alice (a) and Bob (b) exchange X and Y and obtain the keys K and K'.]

Imprinting

• Policy
  • New nodes are "imprinted" upon un-packaging (birth) with their 'parent' and given a secure key and identity
  • A node's parent becomes its security admin and can change its security policy at any time
  • The initial imprinting should not be sent wirelessly, to avoid imprinting multiple nodes with the same key
  • A node cannot change parents until it 'dies'
  • Death can occur at a set time, or can be triggered by the parent (and only by the parent). After death, a node can be imprinted by a new parent.

SPINS: Security Protocols for Sensor Networks

• A suite of security building blocks developed at UC Berkeley
• Designed for resource-constrained environments and wireless communications
• Consists of two building blocks, µTESLA and SNEP
• SNEP
  • Data Confidentiality
  • Two-party data authentication
  • Data Integrity
  • Freshness
• µTESLA
  • Authenticated broadcast

SNEP (Sensor Network Encryption Protocol)

• Communicating parties each keep a counter, and increment it after each block is transmitted.
• A master secret key, K, is initially shared between the node and base station and is used to derive all other keys
• Low communication overhead: adds 8 bytes per message
• Semantic security: prevents an eavesdropper from inferring encrypted data
• Data authentication: MAC (Message Authentication Code)
• Weak Freshness: Counter in MAC prevents replaying old messages

SNEP (Contd.)

• M = MAC(K_MAC, C|E) represents the Message Authentication Code, where C is the shared counter, E is the encrypted data ({D}<K_encr, C>), and K_MAC is the MAC key
• A complete message from node A to node B consists of encrypted data and a MAC:
    A -> B : {D}<K_encr, C>, MAC(K_MAC, C|{D}<K_encr, C>)
• The counter in SNEP provides weak freshness, but cannot show that a message was created by B in response to a request from A
• To achieve Strong Freshness
  • Use a pseudo-random number called a nonce
  • Where N_A is a nonce from A, and R_A is a request from A, our new messages look like this:
    A -> B : N_A, R_A
    B -> A : {R_B}<K_encr, C>, MAC(K_MAC, N_A|C|{R_B}<K_encr, C>)
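The SNEP message formats above, as an added Python example (not from the slides or the SPINS implementation). HMAC-SHA256 stands in for both the counter-mode keystream and the MAC, and the key-derivation labels and direction tags are assumptions.

```python
import hashlib, hmac, os

def prf(key: bytes, data: bytes) -> bytes:
    # Stand-in for the slides' F_K(x) = MAC(K, x); HMAC-SHA256 is an assumption.
    return hmac.new(key, data, hashlib.sha256).digest()

def ctr_xor(k_encr: bytes, counter: int, data: bytes) -> bytes:
    # Counter-mode keystream: the same call encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = prf(k_encr, counter.to_bytes(8, "big") + off.to_bytes(4, "big"))
        out += bytes(x ^ y for x, y in zip(data[off:off + 32], pad))
    return bytes(out)

class Channel:
    """One direction of a link; sender and receiver each hold a copy."""
    def __init__(self, master: bytes, direction: bytes):
        # All keys derive from the master secret K; the labels are hypothetical.
        self.k_encr = prf(master, b"encr" + direction)
        self.k_mac = prf(master, b"mac" + direction)
        self.counter = 0  # shared counter C, never sent over the air

    def _tag(self, ct: bytes, nonce: bytes) -> bytes:
        # MAC(K_MAC, [N_A |] C | E), truncated to the 8 bytes SNEP adds.
        return prf(self.k_mac, nonce + self.counter.to_bytes(8, "big") + ct)[:8]

    def seal(self, data: bytes, nonce: bytes = b""):
        ct = ctr_xor(self.k_encr, self.counter, data)
        tag = self._tag(ct, nonce)
        self.counter += 1
        return ct, tag

    def open(self, ct: bytes, tag: bytes, nonce: bytes = b""):
        if not hmac.compare_digest(tag, self._tag(ct, nonce)):
            return None  # forged, replayed, or bound to a different nonce
        data = ctr_xor(self.k_encr, self.counter, ct)
        self.counter += 1
        return data

def demo():
    master = b"constructed-master-secret"  # constructed sample key
    a_tx, b_rx = Channel(master, b"A>B"), Channel(master, b"A>B")
    ct, tag = a_tx.seal(b"temp=21")
    first, replay = b_rx.open(ct, tag), b_rx.open(ct, tag)  # weak freshness
    b_tx, a_rx = Channel(master, b"B>A"), Channel(master, b"B>A")
    n_a = os.urandom(8)  # A's nonce N_A, sent with the request R_A
    ct2, tag2 = b_tx.seal(b"reading=7", n_a)
    fresh = a_rx.open(ct2, tag2, n_a)  # strong freshness: reply bound to N_A
    other = bytes(x ^ 0xFF for x in n_a)  # a different outstanding nonce
    stale = Channel(master, b"B>A").open(ct2, tag2, other)
    return first, replay, fresh, stale
```

The replayed message fails because the receiver's counter has already advanced, and the reply fails under any nonce other than the one A sent.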

µTESLA (Timed Efficient Streaming Loss-tolerant Authentication Protocol)

• Restricts the number of authenticated senders
• Discloses the key once per epoch
• Requires loose time synchronization between base station and nodes
• µTESLA Description
  • Each MAC key is a key (K) of a key chain, generated by a public one-way function F, where K_j = F(K_{j+1})
  • All blocks sent in a specific time period use the same key
  • Received blocks are stored in a buffer until the associated key is released and verified
  • Any valid key can be used to derive earlier keys, or validate later keys, but cannot be used to derive later keys.

µTESLA (Contd.)

• Sender Setup
  • The sender generates a chain of secret keys by choosing the last key (K_n) randomly, and applying a one-way function F, such that: K_j = F(K_{j+1})
• Broadcasting Authenticated Packets
  • Time intervals are set, and each key of the key-chain is associated with an interval.
  • During interval t, the sender uses key K_t to compute the MAC of all packets.
  • The sender waits for a delay of δ before revealing K_t, where δ is greater than any reasonable packet round trip time.

µTESLA (Contd.)

• Bootstrapping a new receiver
  • Each receiver must have one authentic key of the key chain, and must know the key disclosure schedule.
  • A new receiver M sends a nonce in the request message to the sender S.
  • The sender replies with its current time T_s, a key K_i from a past interval i, the starting time T_i of interval i, the duration T_int of the time intervals, and the disclosure delay δ.
    M -> S : N_M
    S -> M : T_s | K_i | T_i | T_int | δ, MAC(K_MS, N_M | T_s | K_i | T_i | T_int | δ)

µTESLA (Contd.)

• Authenticating broadcast packets
  • When receiving a new packet, the receiver needs to check that the key for that interval has not been disclosed yet. This implies that no adversary could have spoofed the contents
  • If this condition is met, the packet is stored. Otherwise it is dropped
  • As soon as the key K_j of a previous time interval is received, the receiver checks it against the last authentic key it knows, K_i, by applying the function F.
  • After K_j has been authenticated, K_i is replaced by K_j in memory, and all the packets that were sent between time intervals i and j can be verified.
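The µTESLA sender setup and receiver checks from the preceding slides, as an added Python example (not the authors' or the SPINS project's code). SHA-256 stands in for F, a truncated HMAC for the MAC, and the disclosure schedule (K_j revealed δ after interval j ends) is an assumption.

```python
import hashlib, hmac
def F(key: bytes) -> bytes:
    # Public one-way function; SHA-256 is a stand-in (assumption).
    return hashlib.sha256(key).digest()

def make_chain(k_n: bytes, n: int) -> list:
    # Sender setup: K_j = F(K_{j+1}); returns [K_0, ..., K_n].
    chain = [k_n]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, k_i, i, t_i, t_int, delta):
        # Bootstrapped values from the sender: authentic K_i, T_i, T_int, delta.
        self.key, self.idx = k_i, i
        self.t0, self.t_int, self.delta = t_i - i * t_int, t_int, delta
        self.buffer = []  # (interval, msg, tag) awaiting key disclosure

    def on_packet(self, now, j, msg, tag):
        # Store only if K_j cannot be public yet (assumed schedule); else drop.
        if j <= self.idx or now >= self.t0 + (j + 1) * self.t_int + self.delta:
            return False
        self.buffer.append((j, msg, tag))
        return True

    def on_key(self, j, k_j):
        # Walk K_j back to the last authentic key, keeping each K_m on the way.
        keys, k = {}, k_j
        for m in range(j, self.idx, -1):
            keys[m], k = k, F(k)
        if j <= self.idx or not hmac.compare_digest(k, self.key):
            return []  # stale, or not on the key chain
        self.key, self.idx = k_j, j
        ok = [msg for m, msg, tag in self.buffer
              if m in keys and hmac.compare_digest(tag, mac(keys[m], msg))]
        self.buffer = [p for p in self.buffer if p[0] > j]
        return ok

def demo():
    chain = make_chain(b"constructed-random-K_n", 4)  # constructed sample
    rx = Receiver(chain[0], 0, t_i=0, t_int=10, delta=5)
    stored = rx.on_packet(12, 1, b"m1", mac(chain[1], b"m1"))
    stored &= rx.on_packet(23, 2, b"m2", mac(chain[2], b"m2"))
    late = rx.on_packet(36, 2, b"late", mac(chain[2], b"late"))  # K_2 public at 35
    return stored, late, rx.on_key(2, bytes(32)), rx.on_key(2, chain[2])
```

The disclosure of K_1 is never delivered in `demo()`; authenticating K_2 recovers K_1 through F, so both buffered packets still verify.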

µTESLA (Contd.)

• What if nodes need to broadcast data?
  • Nodes are limited in CPU and battery resources
• Nodes broadcast data through the basestation, using SNEP as an authentication method
• Nodes broadcast the data, but do not compute the keys.
  • The basestation sends the key to the node as needed.
  • The basestation can also broadcast the key disclosure, and/or perform the bootstrapping procedure for new nodes.

µTESLA (Contd.)

• Implementation
  • Block cipher E performs the encryption
  • Code space is saved by using the same function for encryption and decryption
  • Random-number generation performed by the MAC, and counter C.
    • MAC(K_ran, C)
  • Key setup: F_K(x) = MAC(K, x)

Evaluation of a protocol based on SPINS

Distributed public key infrastructure

• Certificates are stored and distributed by users
• Trust graph G(V,E) where V: users, E: public-key certificates
• If two vertices u and v are in H, and there is a directed path from u to v in H, then v is reachable from u in H ($u \to_{H} v$)
• S(G,u): subgraph on G by user u
• S(G,u,v): S(G,u) ∪ S(G,v)
• Performance

$$p(G) = \frac{\#\{(u,v) \in V \times V : u \to_{S(G,u,v)} v\}}{\#\{(u,v) \in V \times V : u \to_{G} v\}}$$

Infrastructure Improvements

Shortcut hunter algorithm: finds the path with the most shortcuts for all outgoing and incoming edges of a given node

Intrusion Detection

• Assumptions
  • User and program activities are observable
  • Misuse and anomaly detections are possible locally and in a distributed manner
• Problems of IDS (intrusion detection system)

Intrusion Detection (contd.)

• Misuse detection
  • Uses patterns of well-known attacks to match and identify known intrusions
  • Accurate and effective
  • Only works against known attacks
• Anomaly detection
  • Uses established normal usage profiles to detect deviation from the norm
  • Able to detect new types of attacks
  • Cannot always describe the nature of an attack
  • May have a high false positive rate

Intrusion Detection (contd.)

• Anomaly detection in Wireless Ad-Hoc
  • Detection can be performed at each layer (link layer, MAC, applications, etc.)
  • During the learning process, normal network conditions are recorded and used to create a 'normal profile'
  • If a node detects an intrusion that affects the entire network, it can initiate a re-authentication process throughout the network, to exclude the malicious nodes
  • If a node detects a local intrusion at a higher layer (e.g., one of its services), the lower layers are notified. The lower layer detection modules can investigate and possibly block access from the offending nodes.

Secure Aware Protocol

• Traditional way
  • RREQ/RREP
• SAR
  • Embed security metric into the RREQ packet
  • Ensure intermediate nodes can provide required security
  • Authenticated users belonging to same trust level share a secret key
