Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks

1
Packet Leashes A Defense against Wormhole
Attacks in Wireless Networks

• Authors Yih-Chun Hu, Adrian Perrig, David B.
  Johnson
• Presented by Qiao Xu

2
Outline

• Introduction
• Temporal Leashes
• TIK Protocol
• Performance Security Analysis
• Future Work Conclusion

3
Introduction

• Problem Wormhole Attack
• An attacker records packets at one location of
  the network, tunnel them to another location, and
  retransmits them there into the network
• Wormhole attack allows attackers to
• Gain unauthorized access
• Disrupt routing
• Perform DOS attacks
• Solution Packet Leash
• Add information into the packet to restrict its
  maximum allowed transmission distance

4
Temporal Leashes

• Definition a temporal leash establishes an upper
  bound on a packets lifetime, which restricts the
  maximum travel distance
• Key Requirement all nodes must have tightly
  synchronized clocks
• Maximum clock difference (?) between any two
  nodes must be within a few microseconds

5
Temporal Leashes

• Implementation with a packet expiration time
• Sender calculates a packet expiration time to be
  sent with each packet
• te ts L/c ?
• te packet expiration time
• ts packet sent time
• c propagation speed of wireless signal
• L maximum allowed travel distance L gt Lmin
  ?c
• ? maximum clock difference between 2 nodes

6
Temporal Leashes

• Receiver will accept and process a received
  packet if and only if the time when the packet is
  received (tr) is less than the packet expiration
  time (te)
• Whats missing?
• Need an efficient way for the receiver to
  authenticate te

7
TIK Protocol - Overview

• TIK TELSA with Instant Key disclosure
• TIK implements a temporal leash and provides
  efficient instant authentication for broadcast
  communication in wireless networks
• Based on the observation that a receiver can
  verify the TESLA security condition, that the
  corresponding key hasnt been disclosed, as it
  receives the packet gt allow sender to disclose
  the key in the same packet
• Assume sender can precisely predict ts and
  receiver can record tr as soon as the packet
  arrives
• Requires accurate time synchronization between
  all the nodes

8
TIK Protocol Sender Setup

• Sender generates a series of keys, K0, K1,,
  Kw-1, using a PRF F and a secret master key X
• Ki Fx(i)
• Sender selects a key expiration interval I and
  determines the expiration time (Ti) for its keys
• Ti T0 iI, where T0 is the expiration time
  for K0
• Sender constructs a Merkle hash tree to commit to
  keys K0, K1,, Kw-1

9
TIK Protocol Merkle Hash Tree

• m07

• m03

• m47

• m01

• m23

• m45

• m67

K0

• K1

• K2

• K3

• K4

• K5

• K6

• K7

• K0

• K1

• K2

• K3

• K4

• K5

• K6

• K7

10
TIK Protocol Merkle Hash Tree

• How is it constructed?
• For every leaf node, Ki H(Ki) i.e. K0
  H(K0)
• For every parent node, mp H(ml mr) i.e. m01
  H(K0 K1), m03 H(m01 m23)
• The root value (m07) is signed by the sender and
  sent to the receivers, where it can be
  authenticated with senders public key
• To authenticate K2, for example
• Sender must include K3, m01, m47 in the packet
• Receiver computes m07 and compare to the
  pre-distributed m07
• m07 H H m01 H HK2 K3 m47

11
TIK Protocol Receiver Bootstrapping

• Assume all nodes are synchronized with a maximum
  clock difference of ?
• Assume each receiver knows every senders hash
  tree root value and the associated parameter T0
  and I

12
TIK Protocol Sending and Verifying Packets
HMAC
M
T
Ki
Sender
HMAC
M
T
Ki
Receiver
Time at Sender
ts
Ti

• Time at Receiver

• tr (ts ? - ?)

• (Ti - ?)

13
TIK Protocol Sending and Verifying Packets

• S -gt R (HMACKi(M), M, T, Ki)
• M message payload
• HMACKi(M) message authentication code for M
• Ki key used to generate the HMAC for M
• T tree authentication values used to
  authenticate Ki
• Receiver
• Verifies if the sender has started sending Ki
  after receiving HMAC, based on Ti
• Verifies if Ki is authentic based on the hash
  root value and T
• Verifies the HMAC, using authenticated Ki
• Accept the packet as authentic only if all those
  verifications are successful

14
Security Performance Analysis

• Security Analysis
• Temporal leash with TIK protocol can detect and
  prevent wormhole attacks if all nodes are good
  nodes
• Cant deal with a malicious sender that claims a
  false timestamp
• Cant deal with a malicious receiver that refuses
  to check the leash
• Performance Analysis
• Requires only n public keys in a network with n
  nodes
• Efficient hash tree authentication of keys
• Efficient instant authentication of packet
  because the key is disclosed in the same packet
• Modest storage requirement for the Merkle hash
  tree

15
Future Work Conclusion

• Future Work
• More research on how the sender/receiver can
  accurately determine ts/tr
• Design and deploy accurate time synchronization
  device among the nodes
• Conclusion
• Wormhole attack is a powerful and disruptive
  attack against wireless networks
• With precise timestamps and tight clock
  synchronization, TIK can prevent wormhole attacks