Security in ad hoc networks

1
Security in ad hoc networks
UCLA EE Chris Kurpinski Sungha Kim
2
Outline

• Introduction
• Security Requirements of Wireless Ad-Hoc Networks
• Typical attacks on Wireless Ad-Hoc Networks
• Security protocols and methods for ad-hoc
  networks

3
Motivation

• Security is the most often cited concern with
  wireless networks
• Wireless networks pose unique security problems
• Power and computation constraints are often
  higher in wireless networks, making security
  requirements different

4
Requirements for network security

• Data confidentiality keep data secret (usually
  accomplished by encryption)
• Data integrity prevent data from being altered
  (usually accomplished by encryption)
• Data freshness data is recent
• Weak freshness provides partial ordering of msgs
• Strong freshness provides total ordering and
  allows for delay estimation
• Data availability data should be available on
  request
• Data authentication verification that the data
  or request came from a specific, valid sender

5
Why security on sensors is hard

• Constrains
• Peanut CPU (slow computation rate)
• Battery power trade-off between security and
  battery life
• Limited memory
• High latency conserve power, turn on
  periodically
• Nature of wireless ad-hoc network
• Every node can be a target
• No trusted peer
• Decentralized and cooperative participation of
  all nodes
• Encryption and authentication cannot eliminate
  threats
• No matter how many intrusion prevention measures
  are inserted in a network, there are always some
  weak links that one could exploit to break in

6
Wireless Ad-Hoc Network Security Methods

• Public-key cryptography overview
• Public-key cryptography for wireless
• Key distribution Certification Authorities,
  PGP(Pretty Good Privacy)
• Imprinting
• SPINS
• SNEP
• mTESLA
• Intrusion Detection

7
Public-key cryptography overview

• Alice chooses a random large integer a and sends
  Bob
• Bob chooses a random large integer b and sends
  Alice
• Alice computes
• Bob computes
• Both are equal to

8
Public-key cryptography overview
Alice
Bob
b
a
?
KEY

• Key agreement protocol

9
Imprinting

• Policy
• New nodes are "imprinted" upon un-packaging
  (birth) with their 'parent' and given a secure
  key and identity
• A node's parent becomes its security admin. and
  can change its security policy at any time
• The initial imprinting should not be sent
  wirelessly, to avoid imprinting multiple nodes
  with the same key
• A node cannot change parents until it 'dies'
• Death can occur at a set time, or can be
  triggered by the parent (and only by the parent).
  After death, a node can be imprinted by a new
  parent.

10
SPINS Security Protocols for Sensor Networks

• A suite of security building blocks developed at
  UC Berkley
• Designed for resource-constrained environments
  and wireless communications
• Consists of two building blocks, mTESLA and SNEP
• SNEP
• Data Confidentiality
• Two-party data authentication
• Data Integrity
• Freshness
• mTESLA
• authenticated broadcast

11
SNEP (Sensor Network Encryption Protocol)

• Communicating parties each keep a counter, and
  increment it after each block is transmitted.
• A master secret key, K is initially shared
  between the node and base station and is used to
  derive all other keys
• Low communication overhead adds 8 bytes per
  message
• Semantic security prevents an eavesdropper from
  inferring encrypted data
• Data authentication MAC (Message Authentication
  Code)
• Weak Freshness Counter in MAC prevents replaying
  old messages

12
SNEP (Contd.)

• MMAC(KMAC,CE) represents the Message
  Authentication Code, where C is the shared
  counter, E is the encrypted data (D),
  and KMAC is the MAC key
• A complete message from node A to node B consists
  of encrypted data, and a MAC.
• A - B D , MAC(KMAC,
  CD)
• The counter in SNEP provides weak freshness, but
  cannot show that a message was created by B in
  response to a request from A
• To achieve Strong Freshness
• use a pseudo-random number called a nonce
• Where NA is a nonce from A, and RA is a request
  from A, our new messages look like this
• A - B NA, RA
• B - A RB , MAC(KMAC,
  NACRB)

13
mTESLA(Timed Efficient Streaming Loss-tolerant
Authentication Protocol)

• Restricts the number of authenticated senders
• Discloses the key once per epoch
• Requires loose time synchronization between base
  station and nodes
• mTESLA Description
• Each MAC key is a key (K) of a key chain,
  generated by a public one-way function F, where
  Kj F(Kj1)
• All blocks sent in a specific time period use the
  same key
• Received blocks are stored in a buffer until the
  associated key is released and verified
• Any valid key can be used to derive earlier keys,
  or validate later keys, but cannot be used to
  derive later keys.

14
mTESLA(Contd.)

• Sender Setup
• The sender generates a chain of secret keys by
  choosing the last key (Kn) randomly, and applying
  a one-way function F, such that Kj F(Kj 1)
• Broadcasting Authenticated Packets
• Time intervals are set, and each key of the
  key-chain is associated with an interval.
• During interval t, the sender uses key Kt to
  compute the MAC of all packets.
• The sender waits for a delay of ? before
  revealing Kt, where ? is greater than any
  reasonable packet round trip time.

15
mTESLA(Contd.)

• Bootstrapping a new receiver
• Each receiver must have one authentic key of the
  key chain, and must know the key disclosure
  schedule.
• A new receiver M sends a nonce in the request
  message to the sender S.
• The sender replies with its current time Ts, a
  key Ki from a past interval i, the starting time
  Ti of interval i, the duration Tint of the time
  intervals, and the disclosure delay ?.
• M - S NM
• S - M Ts Ki Ti Tint ?, MAC(KMS, NM Ts
  Ki Ti Tint ?)

16
mTESLA(Contd.)

• Authenticating broadcast packets
• When receiving a new packet, the receiver needs
  to check that the key for that interval has not
  been disclosed yet. This implies that no
  adversary could have spoofed the contents
• If this condition is met, the packet is stored.
  Otherwise it is dropped
• As soon as the key Kj of a previous time interval
  is received, the receiver checks it against the
  last authentic key it knows, Ki, by applying the
  function F.
• After Kj has been authenticated, Ki is replaced
  by Kj in memory, and all the packets that were
  sent between time intervals i and j can be
  verified.

17
mTESLA(Contd.)

• What if nodes need to broadcast data?
• Nodes are limited in CPU and battery resources
• Nodes broadcast data through the basestation,
  using SNEP as an authentication method
• Nodes broadcast the data, but do not compute the
  keys.
• The basestation sends the key to the node as
  needed.
• The basestation can also broadcast the key
  disclosure, and/or perform the bootstrapping
  procedure for new nodes.

18
mTESLA (Contd.)

• Implementation
• Block cipher E performs the encryption
• Code space is saved by using the same function
  for encryption and decryption
• Random-number generation performed by the MAC,
  and counter C.
• MAC(Kran, C)
• Key setup Fk(x)MAC(K,x)

19
Evaluation of a protocol based on SPINS
20
Distributed public key infrastructure

• Certificates are stored and distributed by users
• Trust graph G(V,E) where V users, E public-key
  certificates
• If two vertices u and v are in H, and there is a
  directed path from u to v in H, then v is
  reachable from u in H. ( )
• S(G,u) subgraph on G by user u
• S(G,u,v) S(G,u) S(G,v)
• Performance

21
Infrastructure Improvements

• Shortcut hunter algorithm finds the path with
  the most shortcuts for all out-going and incoming
  edges of a given node

22
Intrusion Detection

• Assumptions
• User and program activities are observable
• Misuse and anomaly detections are possible
  locally and in a distributed manner
• Problems of IDS (intrusion detection system)

23
Intrusion Detection (contd)

• Misuse detection
• Uses patterns of well-known attacks to match and
  identify known intrusions
• Accurate and effective
• Only works against known attacks
• Anomaly detection
• Uses established normal usage profiles to detect
  deviation from the norm
• Able to detect new types of attacks
• Cannot always describe the nature of an attack
• May have a high false positive rate

24
Intrusion Detection (contd.)

• Anomaly detection in Wireless Ad-Hoc
• Detection can be performed at each layer (link
  layer, MAC, applications, etc.)
• During the learning process, normal network
  conditions are recorded and used to create a
  'normal profile'
• If a node detects an intrusion that affects the
  entire network, it can initiate a
  re-authentication process throughout the network,
  to exclude the malicious nodes
• If a node detects a local intrusion at a higher
  layer (e.g., one of its services), the lower
  layers are notified. The lower layer detection
  modules can investigate and possibly block access
  from the offending nodes.

25
Secure Aware Protocol

• Traditional way
• RREQ/RREP
• SAR
• Embed security metric into the RREQ packet
• Ensure intermediate nodes can provide required
  security
• Authenticated users belonging to same trust level
  share a secret key

26
References

• SPINS Security Protocols for Sensor Networks. A
  Perrig, R. Szewczyk, V. Wen, D. Culler, J.D.
  Tyger
• The Resurrecting Duckling Security Issues for
  Ad-hoc Wireless Networks. Frank Stajano, Ross
  Anderson
• Intrusion Detection in Wireless Ad-Hoc Networks.
  Yongguang Zhang, Wenke Lee.
• The Quest for Security in Mobile Ad-Hoc Networks.
  Jean-Pierre Hubaux, Levente Buttyan, Srdan
  Capkun.
• Ad Hoc Networking Critical Features and
  Performance Metrics. Madhavi W.Subbarao.
• Lowering Security Overhead in Link State Routing.
  Ralf Hauser, Tony Przygienda, Gene Tsudik.

27
References (Contd)

• Mitigating Routing Misbehavior in Mobile Ad Hoc
  Networks. Sergio Marti, T.J.Giuli, Kevin Lai, and
  Mary Baker.
• Secure Routing for Mobile Ad Hoc Networks.
  Panagiotis Papadimitratos and Zygmunt J. Hass.
• Securing Ad Hoc Networks. Lidong Zhou and Zygmunt
  J. Haas.
• Securing-Aware Ad hoc Routing for Wireless
  Networks. Seung Yi, Prasad Naldurg, and Robin
  Kravets.
• RFC2137 Secure Domain Name System Dynamic Update