Cryptographic Protocols in Wireless Sensor Networks

1 / 30

About This Presentation

Title:

Cryptographic Protocols in Wireless Sensor Networks

Description:

Impersonation fake identity, clones. Denial of Service (DoS) jamming ... impersonation of BS, forging beacons. selective message forwarding/dropping ... – PowerPoint PPT presentation

Number of Views:110

Avg rating:3.0/5.0

Slides: 31

Provided by: neo88

more less

Transcript and Presenter's Notes

Title: Cryptographic Protocols in Wireless Sensor Networks

1
Cryptographic Protocols in Wireless Sensor
Networks

Petr venda
Faculty of Informatics, MU Brno
Laboratory of Security and Applied Cryptography
joint work with Dan Cvrcek, Jirí Kur, Václav
Matyá, Luká Sekanina

2
Wireless Sensor Network

Basic technology
8 bit CPU, 1 kB RAM, 102 kB flash
short range radio, battery powered
condition sensor (temperature, pressure, )
xBow MicaZ, TMote Sky, Philips smart node,
currently 100 or more (should be around 1)
Applications
medical monitoring
scientific (animal monitoring, geologic)
industry monitoring (bridge/tunnel conditions
monitoring)
agriculture (field condition monitoring)
emergency response networks (fire detection)
military (enemy movement, snipers, vehicles)

3
Large scale Wireless Sensor Networks

Network of nodes and few powerful base stations
102 106 sensor nodes
particular nodes deployed randomly, e.g., from
plane
Network characteristics
covering large areas - distributed
ad-hoc position/neighbours not known in advance
flat or hierarchical topology
multi-hop communication
data locally aggregated

4
Where do we need security in WSN?

Sensitive data are often sensed/processed
military application
medical information, location data (privacy)
Commercially viable information
information for sale cost for owner of the
network
know-how - agriculture monitoring
Protection against vandalism
distant non-existing fires blocks fireman

Early stage of WSN allows to build security in
rather
than as late patch
as is the case with Internet today

5
Differences from classical networks

Running on battery (limited resource)
days for personal network
we dont like to change battery too often
years for large scale monitoring network
we dont like to visit all nodes in forest every
month
communication and computation is energy-expensive
Nodes can be captured by an attacker
and returned back as malicious node
all secrets can be extracted as nodes are not
tamper resistant
to maintain reasonable cost of network
Links can be temporal, network often disconnected
by design, by necessity

6
Security threats

Eavesdropping capture of transmitted data
Message injection/modification/replay
Impersonation fake identity, clones
Denial of Service (DoS)
jamming (malicious nodes)
secure routing (multi-hop communication)
battery exhaustion
Traffic analysis who is communicating with whom
Side-channel analysis unexpected leaks of
information
...

All kinds of threats that are hard to prevent
even in classical networks with powerful
computers
but here limited performance, decentralized,
lack of physical control

7
Why not use classical solutions?

Often cannot be used without modifications
platform limitations (energy, memory, speed)
Key establishment is basic building block
for most security protocols including secure
routing
Some classical solutions do not work
single network-wide key (single point of failure)
pairwise keys each with every (high memory
requirements)
asymmetric crypto, trusted third party (high CPU,
battery)
Tamper resistant hardware is not panacea
is expensive and skilled attacker can break it
anyway Ko98
memory card (SLE4428) - 1, crypto card
(SLE66/88) 10-30
New ideas needed and some already emerged

8
Power analysis device
9
Reverse engineering
(bytecode) sload_1 ifeq_w L2 L1
getfield_a_this 0 sconst_0
sconst_0 bastore goto L3 L2
getfield_a_this 0 sconst_0
sconst_1 bastore goto L3 L3

may reveal sensitive info
keys, internal branches,

(source code) if (key 0) m_ram10 1 else
m_ram10 0

compiler
(power trace, key ! 0)
(power trace, key 0)

Better to design protocols tolerant to partial
compromise

10
Probabilistic key pre-distribution

Randomized key pre-distribution EG02, CPS03
based on birthday paradox
key selection without replacement from large key
pool
100 keys from 10000 (60 probability at least one
key shared)
memory efficient, scalable
relatively low node capture resilience (NCR)
depends on pool size, ring size and captured
Multi-space pairwise polynomial keys DDHV03,
FKZZ05
basic idea Bloms threshold secure scheme
Increasing ring size moderately allows to
increase pool size highly, resulting node capture
resilience is better
idea behind hypercube LN03, group supported
SM07 extensions

11
Key Infection distribution model

More realistic attacker model ACP04, CS05
not able to eavesdrop the whole network (for
short period)
key is exchanged in plaintext between neighbours
(contact)
Secrecy amplification protocols
able to secure compromised link eavesdropped by
attacker
transport of fresh link key over secure path
can be used for probabilistic pre-distribution as
well
Published amplification protocols
PUSH model ACP04
PULL secrecy amplification CS05
multi-hop/path versions

PUSH
PULL
12
Node-oriented protocol (example)
4-party PULL RNG N3 R1 SND N3 N1 R1 R1 SND N3 N4
R1 R1 SND N4 N2 R1 R1
N1
N3
N3
N2
N4
N4
Total protocols runs 11 x combNum(12, 2) 11 x
66, 2000 messages
13
Communication overhead

Node-oriented protocols are deployment
independent
Lets introduce geographic position into protocol
minimum radio strength to communicate
approximate distance to node
Parties identified by distance from central node
and its special partner (lower value, closer the
node)
e.g. N 0.32_0.15 gt position in real deployment
Can we achieve comparable fraction of secure
links?

14
Group-oriented protocol
RNG NP Rt11 SND NP N0.00 0.00 Rv11 Rt12 SND N0.35
0.67 NC Rv12 Rt2
min(Np1 NC Nx)2 (Np2 NP Nx)2
NP
NC
NP
NP
NC
NP
NC
Total protocols runs 11, 100 messages
15
Evolution of SA protocols SSM09
16
Results found by evolution node-oriented

4 parties, 200 instructions, small population
size, no crossing, rapid mutation (10)
Reinvented all published protocols
pruning technique used to detect relevant
instructions
Evolved protocol better then all published
polymorphic instruction, when 3rd party is
missing

17
Results found by evolution group-oriented
(0.070) 00 SND N0.33 0.68 NP Rv6 Rt8 (0.070) 01
SND N0.35 0.67 NC Rv6 Rt2 (0.334) 02 RNG NP
Rt11 (0.010) 03 SND N0.59 0.11 NP Rv7
Rt3 (0.007) 04 SND NP N0.75 0.70 Rv6 Rt1 (0.334)
05 SND NP N0.01 0.00 Rv11 Rt12 (0.003) 06 SND
N0.01 0.00 NC Rv1 Rt5 (0.334) 07 SND N0.01 0.00
NC Rv12 Rt6 (0.014) 08 RNG N0.03 0.00
Rt1 (0.014) 09 SND N0.48 0.33 NP Rv1 Rt7 (0.077)
10 RNG N0.01 0.00 Rt6 (0.017) 11 SND N0.69 0.68
NC Rv1 Rt7
NC
NP
NC
NP
min(Np1 NC Nx)2 (Np2 NP Nx)2
18
Success rate of evolved protocols
19
Automatic attack strategy - motivation

Fundamental asymmetry between the attacker and
the defender
attacker needs to find only one attack path
defender should secure all of them
Brute-force search over the space of possible
attack paths
suitable approach for the defender
Informed search for possible attacks without
inspecting all possibilities
suitable for an attacker

20
Basic concept
21
Malicious routing in WSNs

Misbehaving attacker nodes
search for attacks against standard routing
elementary actions store/load value, send
message, time counters
triggers binded on specific action (type of
message in air)
goals like increase fraction of non-delivered
messages, message hops, messages routed over
malicious node
Minimum cost forwarding (MCF) YCLZ01
minimum spanning tree based with base station as
a root,
periodic broadcast of beacons, BS has cost 0
cost based on distance and remaining energy of
node
Implicit geographic forwarding (IGF) BHSS03
next hop selected based on geographic positions
of the nodes and base station, remaining energy
and random element

22
Malicious routing - results

Usually hard to analyze
complex behavior and interleaving of elementary
actions
pruning - actions without impact on fitness are
discarded
still, we were unable to fully interpret all
details
Minimum cost forwarding
impersonation of BS, forging beacons
selective message forwarding/dropping
Implicit geographic forwarding
immediate answer to Open Request To Send
malicious node is always selected as a next hop
selective MAC layer collisions
to maximize number of hops / undelivered messages
overloading of neighbours message buffers
message drop

23
Conclusions

Novel approaches for WSN are needed
specific environment platform limitations
Security is always tradeoff between resources
spent and value of resources protected
WSN seems to be an environment where
probabilistic approach to security fits better
Protocols should be tolerant to partial
compromise
Automated approaches are welcome due to diversity
of usage scenarios
network topology, hardware characteristics,
compromise pattern, ...

24
References

Ko98 P. Kocher, J. Jaffe, D. Jun. Introduction
to differential Power Analysis and Related
attacks. 1998
EG02 L. Eschenauer, V. D. Gligor. A
key-management scheme for distributed sensor
networks. 2002
DDHV03 W. Du, J. Deng, Y. S. Han, P. K.
Varshney. A pairwise key pre-distribution for
wireless sensor networks. 2003.
CS05 D. Cvrcek, P. venda. Smart dust security
- Key Infection revisited. 2005
SM07 P. venda, V. Matyá. Authenticated key
exchange with group support for wireless sensor
networks. 2007
SSM09 P. venda, L. Sekanina, V. Matyá,
Evolutionary Design of Secrecy Amplification
Protocols for Wireless Sensor Networks, 2009
YCLZ01 F. Ye, A. Chen, S. Lu, L. Zhang. A
scalable solutions to minimum cost forwarding in
large sensor networks. 2001
BHSS03 B. Blum, T. He, S. Son, J. Stankovic.
IGF A state-free robust communication protocol
for wireless sensor networks. 2003

25
Thank you for your attention.
26
(No Transcript)
27
How probabilistic pre-distribution fails
28
Overview

Basic introduction to WSNs
and differences from classical networks
Need for novel security solutions
probabilistic pre-distribution
Key Infection
Automated approaches welcome
Automated search for attacks

29
Node capture resilience cohesion
Node capture resilience
ring size (30 - 500)
net. density (7-40)
key sharing probability
compromised fraction of pool
pool size (103 -107)
connectable neighbors (3-40)
captured nodes (100-104)

Increasing ring size moderately allows to
increase pool size highly
resulting node capture resilience is better
Idea behind hypercube LN03, group supported
SM07 extensions
different assumptions about network topology and
compromise knowledge

30
Automatic attack strategy concept

Inspired by ability of EA to find our own bugs
Knowing attacks allows us to build better
defenses
fruitful even if we cannot prove that no attack
against system exits
Categories of generated attacks
re-combination of the existing attacks
put existing attacks together in meaningful order
e.g., capture packet, forge IP, replay packet
improvement (optimization) of known attack
strategy
principle is known, tuning of parameters
e.g., which subset of nodes should be captured
finding novel attack strategies
attacks composed from very simple actions
e.g., set/store byte X of message, transmit Y
millisec.,
Attack generator and execution environment

31
Attack 2 Malicious routing

Misbehaving attacker nodes
search for attacks against standard routing
fitness options non-delivered messages, message
hops, messages routed over malicious node, ...
elementary actions store/load value, send
message, time counters
triggers of response code on specific action
Multiple network deployments
partly avoids optimization of a strategy on a
single topology
Usually hard to analyze
complex behavior and interleaving of elementary
actions
pruning - actions without impact on fitness are
discarded
still, we were unable to fully interpret all
details