Securing Neighbor Discovery

1
Securing Neighbor Discovery

• the wormhole attack
• centralized and decentralized wormhole detection
  mechanisms

2
Introduction

• many wireless networking mechanisms require that
  the nodes be aware of their neighborhood (i.e. to
  know which other nodes they can communicate with
  directly)
• The procedure used to acquire this knowledge is
  called neighbor discovery
• If two nodes are in each others radio range (are
  able to hear each other) they would be considered
  as neighbors
• a simple neighbor discovery protocol
• every node broadcasts a neighbor discovery
  request
• each node that hears the request responds with a
  neighbor discovery reply
• messages carry node identifiers ? neighboring
  nodes discover each others ID
• an adversary may try to thwart the execution of
  the protocol
• prevent two neighbors to discover each other by
  jamming
• create a neighbor relationship between far-away
  nodes
• by spoofing identity of legitimate nodes and to
  establish neighbor relationships with other nodes
  (can be prevented using entity authentication
  mechanisms)
• by installing a wormhole (cannot be prevented by
  cryptographic techniques alone)

3
What is a wormhole?

• a wormhole is an out-of-band connection,
  controlled by the adversary, between two physical
  locations in the network
• the adversary installs radio transceivers at both
  ends of the wormhole
• it transfers packets (possibly selectively)
  received from the network at one end of the
  wormhole to the other end via the out-of-band
  connection, and re-injects the packets there into
  the network
• wormhole attack the two wormhole ends
  (adversarial transceivers) WE1 and WE2 transmit
  (tunnel) the neighbor discovery messages heard in
  their radio rage to each other (possibly
  selectively) ? result A and B which are far away
  from each other will believe to be neighbors
  (because they actually hear each other through
  the wormhole)
• notes
• adversarys transceivers are not regular nodes
  (no node is compromised by the adversary)
• adversary doesnt need to understand what it
  tunnels (e.g., encrypted packets can also be
  tunneled through the wormhole)
• it is easy to mount a wormhole and it may have
  devastating effects on routing

4
Effects of a wormhole

• at the data link layer distorted network
  topology
• at the network layer
• routing protocols may choose routes that contain
  wormhole links
• typically those routes appear to be shorter

Neighbor relationships between the nodes
Shortest possible path from all other nodes to x
A set of nodes are randomly placed in the area
the gray disk radio range of x
As the result of the wormhole attack x and y
become neighbors because the attacker relays
their neighbor discovery messages
The wormhole black rectangles are the attackers
transceivers
Shortest possible path from all other nodes to x
after the attack happens many nodes reach node x
through the wormhole
5
Wormholes are not specific to ad hoc networks
access control system gate equipped with
contactless smart card reader
contactless smart card
wormhole
contactless smart card emulator
fast connection
smart card reader emulator
user may be far away from the building
6
Classification of wormhole detection methods

• centralized mechanisms
• data collected from the local neighborhood of
  every node are sent to a central entity
• based on the received data, a model of the entire
  network is constructed
• the central entity tries to detect
  inconsistencies (potential indicators of
  wormholes) in this model
• can be used in sensor networks, where the base
  station can play the role of the central entity
• decentralized mechanisms
• each node constructs a model of its own
  neighborhood using locally collected data
• each node tries to detect inconsistencies on its
  own
• advantage no need for a central entity (fits
  well some applications)
• disadvantage nodes need to be more complex

7
Statistical wormhole detection in sensor networks

• each node reports its list of believed neighbors
  to the base station
• the base station reconstructs the connectivity
  graph (model)
• a wormhole always increases the number of edges
  in the connectivity graph
• this increase may change the properties of the
  connectivity graph in a detectable way
• detection can be based on statistical hypothesis
  testing methods

8
Examples

•  

• The gray bars show the expected number of nodes
  with different node degrees
• The black bars show the observed node degrees in
  the experiment when there is a wormhole
• The black histogram shows there are some nodes
  with an unexpectedly high node degree.
• (node degree no. of neighbors of a node)

9
Examples

• a wormhole is usually a shortcut that decreases
  the length of the shortest paths in the network
• distribution of the length of the shortest paths
  will be distorted
• This experiment shows that when a wormhole is
  there the shorter paths are more likely than
  longer ones

10
Multi-dimensional scaling

• the nodes not only report their lists of
  neighbors, but they also estimate (inaccurately)
  their distances to their neighbors
• connectivity information and estimated distances
  are input to a multi-dimensional scaling (MDS)
  algorithm
• the MDS algorithm tries to determine the possible
  position of each node in such a way that the
  constraints induced by the connectivity and the
  distance estimation data are respected
• the algorithm has a certain level of freedom in
  stretching the nodes within the error bounds of
  the distance estimation
• let us suppose that an adversary installed a
  wormhole in the network
• if the estimated distances between the affected
  nodes are much larger than the nodes
  communication range, then the wormhole is
  detected
• hence, the adversary must also falsify the
  distance estimation ? distances between far-away
  nodes become smaller
• this will result in a distortion in the virtual
  layout constructed by the MDS algorithm

11
Example 1

• in 1D

wormhole
reconstructed virtual layout
Real replacement of the nodes

• A virtual layout of the network is constructed
  based on the neighborhood information obtained by
  the nodes.
• In the real connectivity graph
• the gray disk the radio range of node b
• dashed lines the neighborhood relationships of
  the nodes
• red line a fake neighbor relationship created by
  the wormhole
• In the virtual layout of the network constructed
  using MDS from the inaccurate distance
  measurements of the neighboring nodes.
• B and f must be neighbors, so the distance
  between them should be smaller than the
  communication range
• This makes it impossible to fit the nodes on a
  straight line which helps to detect the attack
  (assuming that we know in advance that the nodes
  are located on a straight line).

12
Example 2

• in 2D

wormhole

• A virtual layout of the network is constructed
  based on the neighborhood information obtained by
  the nodes.
• In the real connectivity graph
• Grid lines the neighborhood relationships of the
  nodes
• red line a fake neighbor relationship created by
  the wormhole
• In the virtual layout of the network constructed
  using MDS from the inaccurate distance
  measurements of the neighboring nodes.
• A and C must be neighbors, so the distance
  between them should be smaller than the
  communication range --- gt MDS brings them
  together
• This makes it impossible to fit the nodes on a
  flat surface which helps to detect the attack.

13
Packet leashes

• packet leashes ensure that packets are not
  accepted too far from their source
• geographical leashes
• each node is equipped with a GPS receiver
• when sending a packet, the node puts its GPS
  position into the header
• the receiving node verifies if the sender is
  really within communication range
• temporal leashes
• nodes clocks are very tightly synchronized
• when sending a packet, the node puts a timestamp
  in the header
• the receiving node estimates the distance of the
  sender based on the elapsed time and the speed of
  light
• dest lt vlight(trcv tsnd Dt)
• Dt clock
  synchronization error
• note vlight Dt must be much smaller than the
  communication range

14
Packet leashes

• Both geographical and temporal leashes require
  packet authentication and integrity otherwise
  the adversary can modify or forge the leash
• There are two solutions
• Digital signatures uses asymmetric key
  cryptography
• MAC (Message authentication Code) uses symmetric
  key cryptography
• Only digital signatures can be used for broadcast
  messages neighbor discovery beacons are
  broadcast messages
• but asymmetric key cryptography is
  computationally expensive
• Solution using TESLA with Instant Key-Disclosure
  (TIK) to authenticate temporal leashes in packets

15
TESLA with Instant Key-Disclosure (TIK)

• A summary of TESLA (A protocol for broadcast
  authentication)
• The sender has a one-way key chain (the elements
  of a hash chain)
• The elements of the key chain are disclosed in a
  reverse order as with normal hash chain
• For each broadcast message the sender calculates
  a MAC value using the next element of the key
  chain (which is not released by the sender yet)
• The receiver can not verify the MAC right after a
  message is received because it does not know the
  key yet it must cash the message and wait until
  that key is released
• When the key is released the receiver verifies
  the MAC and also verifies if the key disclosed by
  the sender belongs to the chain (in a similar way
  with hash chains)
• The authentication of the last element of the key
  chain (which is used and released first) is done
  using digital signature or a MAC value
• Also when receiving a message the receiver needs
  to ensure that the key has not been disclosed by
  the sender yet (otherwise it may have been reused
  by the attacker) it should know the disclosure
  schedule of the sender and they need to have
  synchronized clocks

16
TESLA with Instant Key-disclosure (TIK)

• idea authentication delay of TESLA can be
  removed in an environment where the nodes clocks
  are tightly synchronized
• The MAC of the packet is sent just before the
  packet and the key is sent just after the packet
• by the time the sender reveals the key, the
  receiver has already received the MAC
• The TESLA condition is satisfied if the receiver
  receives the MAC earlier than the time that
  sender starts revealing the TESLA key
• security condition tr tmax lt ts Dt tmax
  tpkt tr lt ts Dt tpkt
• ts is known to the receiver from the temporal
  leash
• The clock synchronization error Dt must be very
  small, otherwise the key can not be accepted

17
Mutual Authentication with Distance-bounding
(MAD)

• Let u and v are two nodes and kuv is the
  symmetric key shared between them let mackuv be
  the message authentication function controlled by
  kuv
• Initialization phase
• u generates two random numbers r and r and v
  generates two random numbers s and s such that r
  and s are l bits long and r and s are l bits
  long
• Using a one-way hash function u computes
  cuH(r,r) and v computes cvH(s,s) and send
  them to each other

18
Mutual Authentication with Distance-bounding
(MAD)

• Distance bounding phase
• Let the bits of r and s are denoted by ri and si
  (i1,2,,l)
• The steps shown in the next figure will be
  repeated l times (for i1,2,,l)
• In each step a node sends the next bit of its
  first random number in combination with the
  previous bit received from the other party
• Each node calculates its distance to the other
  node based on the delay measured between each bit
  it sends and the next bit received from the other
  party
• The purpose of combining the next bit to be sent
  with the last bit received is to prevent a
  malicious party from sending her bits too early
  and thus falsifying the distance estimation. For
  instance, v could send the bits of s before
  receiving the corresponding bits of r. As a
  result, u would measure a shorter distance to v
  than their real distance.

19
Mutual Authentication with Distance-bounding
(MAD)

• Authentication phase
• U computes the bits si ai ßi (i1,2,,l) and
  the MAC
• µu mackuv(xyr1 s1 rl sl)
• v computes the bits ri ai ßi-1 (i1,2,,l)
  and the MAC
• µv mackuv(xys1r1 slrl)
• U sends r µu and v sends s µv to u
• U verifies if the µv and the commitment cv are
  correct and v verifies if the µu and the
  commitment cu are correct
• If the verifications are successful the nodes
  would know that the distance measurements they
  performed are valid

20
Mutual Authentication with Distance-bounding
(MAD)

• MAD allows distance bounding without synchronized
  clocks
• Disadvantage requires rapid bit exchange
  (requires special hardware)

21
Using position information of anchors

• anchors are special nodes that know their own
  positions (GPS)
• there are only a few anchors randomly distributed
  among regular nodes
• two nodes consider each other as neighbors only
  if
• they hear each other and
• they hear more than T common anchors
• anchors put their location data in their messages
• transmission range of anchors (R) is larger than
  that of regular nodes (r)
• wormholes are detected based on the following two
  principles
• a node should not hear two anchors that are 2R
  apart from each other
• a node should not receive the same message twice
  from the same anchor the messages sent by the
  anchors are encrypted and each anchor includes a
  one-time password in every message that it sends

22
Principle 1

•  

23
Principle 1

• Therefore the probability that there is at least
  one anchor in an area of size S is (1-e-lS),
  where l is the density of anchors
• Let P1 be the probability that x hears two
  anchors that have a distance larger than 2R from
  each other
• If there is at least one anchor in each shaded
  area x will hear at least such two anchors
• P1 ³ (1-e-lSx)(1-e-lSO), where Sx is the
  size of Ax and SO is the size of AO
• (1-e-lSx) the probability that there is at
  least one anchor in Sx
• (1-e-lSO) the probability that there is at
  least one anchor in SO

24
Principle 1
Lower bound on the probability of attack
detection, P1, as a function of the distance
between x and O
25
Principle 2

• when x and O are closer than 2R, the discs Ax and
  AO overlap
• if there is an anchor in the intersection AxO,
  then the messages of that anchor is heard twice
  by x
• first directly and then from transceiver D who
  receives it from O through the wormhole
• the probability P2 of detection is equal to the
  probability that there is at least one anchor in
  AxO
• P2 1-e-lSxO

26
Principle 2
Probability of detection P2 as a function of the
distance between x and O
27
Wormhole detection with directional antennas

• Assume that each node is equipped with a
  directional antenna and each antenna has n
  non-overlapping zones
• When a message is received the node determines on
  which zone the signal is stronger it will
  communicate to the sender of that message on the
  detected zone
• when two nodes are within each others
  communication range, they must hear each other
  from opposite directions (all antennas have the
  same orientation)
• if x and y communicate through a wormhole this
  condition may not be always satisfied (i.e. Zyx
  ¹ Zxy )
• Notations
• Zyx means the zone by which node y hears node x
• Zxy means the zone by which node x hears node y
• With 6 zones for instance zone 1 is opposite to
  zone 4 and zone 3 is opposite to zone 6
• Zxy means the zone opposite to the zone in which
  node x hears node y

28
Wormhole detection with directional antennas

• but sometimes it might be satisfied (by chance)
  (i.e. Zyx Zxy )
• And this would prevent the nodes from detecting
  the presence of the wormhole
• To solve this problem the nodes can cooperate and
  help each other to detect wormholes

29
Using verifiers

• Using verifiers
• Idea if x and y are real neighbors, then every
  third node that both x and y can communicate with
  should be able to run the protocol successfully
  with both x and y
• Assume that y wants to verify the neighborhood of
  x
• if y and x are not real neighbors (hear each
  other through wormhole), then there may be a node
  v with which both x and y can communicate
  (possibly via the wormhole) but v can not run the
  neighbor discovery protocol with either x or y
  (i.e. Zvx ¹ Zxv or Zvy ¹ Zyv )
• such a v can be used by y to detect the wormhole

30
Conditions for being a verifier

• Assume that y wants to verify the neighborhood of
  x
• if node y hears v in the same zone in which it
  hears x, then y may hear both x and v through the
  wormhole
• ? Condition 1 for a valid verifier v, y must
  hear v and x from different zones (i.e., Zyv ¹
  Zyx must hold)
• if v hears x in the same zone in which y hears x
  (i.e., Zvx Zyx), then they may both hear x
  through the wormholes transceiver
• if, in addition, x happens to hear the other
  transceiver of the wormhole in zone Zyx, then x
  can establish neighbor relationships with both y
  and v
• ? Condition 2 for a valid verifier v, v must
  hear x from a zone different from the one in
  which y hears x (i.e., Zvx ¹ Zyx must hold too).

31
Using verifiers the mechanism

• y accepts x as a neighbor if
• they hear each other from opposite zones
• theres at least one valid verifier v such that x
  and v hear each other from opposite zones
• how does this detect wormholes ?
• let us assume that y hears x through the wormhole
• ? one end of the wormhole is near to x, the other
  end is in zone Zyx
• let us further assume that v is a valid verifier
• ? first condition (Zyv ¹ Zyx) is satisfied
  (because v is a valid verifier)
• ? y hears v directly (since y hears v from a
  zone different from Zyx)
• ? x hears both y and v through the wormhole
• ? second condition (Zvx ¹ Zyx) is satisfied
  (because v is a valid verifier)
• ? x and v cannot hear each other from opposite
  zones
• lets assume they can, i.e. Zxv Zvx
• we know that x hears both y and v through the
  wormhole ? Zxy Zxv
• in addition, we know that Zxy Zyx (otherwise y
  would not consider x as a potential neighbor)
• Zvx Zxv Zxy Zyx ? Zvx Zyx (contradicts
  the second condition)
• If ty and x hear each other through wormhole no
  valid verifier v exists such that x and v hear
  each other from opposite zones ? y will not
  accept x as a neighbor

32
Summary

• a wormhole is an out-of-band connection,
  controlled by the adversary, between two physical
  locations in the network
• a wormhole distorts the network topology and may
  have a profound effect on routing
• wormhole detection is a complicated problem
• centralized and decentralized approaches
• statistical wormhole detection
• wormhole detection by multi-dimensional scaling
  and visualization
• packet leashes
• distance bounding techniques
• anchor assisted wormhole detection
• using directional antennas
• many approaches are based on strong assumptions
• tight clock synchronization
• rapid bit exchange
• GPS equipped nodes
• directional antennas
• wormhole detection is still an active research
  area