Intrusion Tolerance for NEST - PowerPoint PPT Presentation


Title: Intrusion Tolerance for NEST


1
Intrusion Tolerance for NEST
NEST 2 Kickoff Meeting November 4, 2002
  • Bruno Dutertre, Steven Cheung
  • SRI International

2
Administrative
  • Project Title: Intrusion Tolerance for Networked
    Embedded Sys.
  • PM: Vijay Raghavan
  • PI: Bruno Dutertre and Steven Cheung
  • PI phone: (650) 859-2717, (650) 859-5706
  • PI email: bruno_at_sdl.sri.com, cheung_at_sdl.sri.com
  • Institution: SRI International
  • Contract: F30602-02-C-0212
  • Award start date: 9/20/2002
  • Award end date: 12/20/2004
  • Agent name, organization: Raymond Liuzzi,
    AFRL/Rome

3
Subcontractors and Collaborators
  • Collaborators
  • Hassen Saïdi
  • Ulf Lindqvist
  • Joshua D. Levy

4
Problem Description, Project Overview
  • Objective
  • Low-cost, intrusion-tolerant authentication and
    key management for NEST (resource-limited
    wireless devices)
  • Impact
  • Fundamental building blocks on which higher-level
    security services can be implemented
  • Enable the secure deployment of sensor networks,
    or other NEST applications.
  • Success criteria
  • Demonstrate deployment on a representative
    network of small wireless sensors (Motes)
  • Relevant metrics: network size, fraction of
    compromised sensors, overhead

5
Intrusion Tolerance for NEST
Intrusion-tolerant key-distribution services for
large networks of microsensors
  • Build low-cost key-management services for sensor
    networks
  • Localized authentication protocols for
    bootstrapping
  • Chains of trusted intermediaries for
  • Secret sharing and disjoint paths for tolerating
    compromised nodes
  • Intrusion detection for motes
  • Detect denial-of-service attacks
  • Detect misbehaving nodes

  • Self-organizing protocols
  • Low-cost cryptography
  • Detect/respond to DoS attacks
  • Enable deployment of sensor networks in hostile
    environments
  • Support other security services for wireless
    sensor networks
  • Confidentiality and integrity of communication
  • Robust NEST services

FY03 FY04 FY05
  • 2QFY03: Design Bootstrapping Protocols
  • 3QFY03: Baseline Intrusion Detection
  • 4QFY03: Design Intrusion-tolerant Key-Distribution
    Protocols
  • 1QFY04: Experimental Validation and Demo
  • 1QFY05: Integration and Final Demo

6
Outline
  • Existing approaches to authentication and key
    management
  • PKI, Diffie-Hellman, trusted servers
  • Proposed approach
  • Local authentication and initial key
    establishment
  • Leveraging local trust
  • Intrusion detection and response
  • Plan

7
Objective
  • Low-cost key management for large-scale networks
    of small wireless devices
  • Constraints
  • Limited memory, processing power, and bandwidth
  • Networks too large and not accessible for manual
    administration/configuration

8
Traditional Key Management
  • Decentralized approaches
  • Public-key infrastructure, certificates
  • Diffie-Hellman style key establishment
  • Approaches based on symmetric-key cryptography
  • Trusted authentication and key distribution
    server (e.g., Kerberos)

  • Too expensive
  • Limited scalability
  • High administrative overhead to set up long-term
    keys
  • Vulnerable to server failure
  • Server may be a bottleneck

9
Proposed Approach
  • Goals
  • Intrusion-tolerant architecture for key
    management in NEST
  • Use only inexpensive cryptographic algorithms
  • Decentralized (no server) and self-organizing
  • Approach
  • Build initial secure local links
  • For nonlocal communication, rely on chains of
    intermediaries
  • Use secret sharing when intermediaries are not
    fully trusted
  • Develop complementary intrusion detection methods
    to locate nontrustworthy nodes

10
Bootstrapping
  • Establish secure local links between neighbor
    devices quickly after deployment
  • Weak authentication is enough (need only to
    recognize that your neighbor was deployed at the
    same time as you)
  • Exploit initial trust (it takes time for an
    adversary to capture/compromise devices)
  • Focusing on local links improves efficiency

11
Basic Bootstrapping Scheme
  • For a set S of devices to be deployed
  • Construct a symmetric key K
  • Distribute it to all devices in the set
  • K enables two neighbor devices A and B
  • To recognize that they both belong to S (weak
    authentication)
  • To generate and exchange a key for future
    communication
  • Possible drawback
  • Every device from S in communication range of A
    and B can discover . More robust variants
    are possible.
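
The scheme on this slide, sketched as an added example (not code from the presentation or the project): B proves knowledge of K with an HMAC over both nonces, and the link key is derived from K and the values sent in the clear. The message layout, the use of HMAC-SHA256 and all names are assumptions, as is the reading that the drawback concerns the key A and B agree on.

```python
import hashlib
import hmac
import os

def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class Device:
    def __init__(self, ident: bytes, group_key: bytes):
        self.ident, self.k = ident, group_key   # k is the set-wide key K

    def hello(self):
        self.nonce = os.urandom(16)
        return self.ident, self.nonce

    def respond(self, peer_id, peer_nonce):
        # B proves it holds K by MACing both identities and both nonces.
        self.nonce = os.urandom(16)
        tag = mac(self.k, b"resp", peer_id, self.ident, peer_nonce, self.nonce)
        return self.ident, self.nonce, tag

    def check(self, peer_id, peer_nonce, tag) -> bool:
        # A accepts B only if the tag verifies under its own copy of K.
        want = mac(self.k, b"resp", self.ident, peer_id, self.nonce, peer_nonce)
        return hmac.compare_digest(tag, want)

def pair_key(k, id_a, id_b, n_a, n_b) -> bytes:
    """Link key for A and B, derived from K and the public handshake values."""
    return mac(k, b"pair", id_a, id_b, n_a, n_b)

def run_handshake(a: Device, b: Device):
    """Return (A's key, B's key, overheard transcript), or None on rejection."""
    id_a, n_a = a.hello()
    id_b, n_b, tag = b.respond(id_a, n_a)
    if not a.check(id_b, n_b, tag):
        return None                     # B is not a member of S
    seen = (id_a, id_b, n_a, n_b)       # everything sent in the clear
    return pair_key(a.k, *seen), pair_key(b.k, *seen), seen

if __name__ == "__main__":
    K = os.urandom(16)                  # constructed sample key for the set S
    k_a, k_b, seen = run_handshake(Device(b"A", K), Device(b"B", K))
    print("A and B agree:", k_a == k_b)
    print("third member of S recovers it:", pair_key(K, *seen) == k_a)
```

Because the link key depends only on K and overheard values, any captured device that still holds K can recompute it, which is why erasing K after bootstrapping or using a more robust variant matters.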

12
Leveraging Local Trust
  • To establish keys between distant nodes
  • use chains of trusted intermediaries
  • To tolerate compromised nodes
  • disjoint chains and secret sharing

13
Tradeoffs
  • Security increases with
  • the number of disjoint paths
  • the number of shares
  • but these also increase cost
  • Challenges
  • Implement cheap secret sharing techniques
  • Quantify the security achieved
  • Find the right tradeoff for an assumed fraction
    of compromised nodes
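
An added example (not from the presentation) of the idea on the two slides above: a key is split into n XOR shares, one per disjoint chain, and the exposure probability is estimated for an assumed fraction f of compromised nodes. XOR n-of-n sharing, the independence assumption and all names are choices made for this sketch, not the project's design.

```python
import os
from functools import reduce

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split(secret: bytes, n: int) -> list:
    """n-of-n XOR sharing: n-1 random shares, the last makes the XOR equal the secret."""
    shares = [os.urandom(len(secret)) for _ in range(n - 1)]
    shares.append(reduce(xor, shares, secret))
    return shares

def combine(shares) -> bytes:
    """Recover the secret; needs every share."""
    return reduce(xor, shares)

def leaked(shares, paths, compromised: set) -> list:
    """Share i travels along disjoint chain paths[i]; return the shares that
    passed through at least one compromised intermediary."""
    return [s for s, path in zip(shares, paths) if compromised & set(path)]

def p_key_exposed(f: float, hops: int, n: int) -> float:
    """P(all n disjoint chains contain a compromised node), assuming each of the
    `hops` intermediaries on a chain is compromised independently with prob. f."""
    return (1 - (1 - f) ** hops) ** n

if __name__ == "__main__":
    key = os.urandom(16)                                  # constructed sample key
    paths = [["n1", "n2"], ["n3", "n4"], ["n5", "n6"]]    # constructed topology
    shares = split(key, len(paths))
    seen = leaked(shares, paths, {"n2", "n5"})            # two of three chains hit
    print("receiver recovers key:", combine(shares) == key)
    print("adversary recovers key:", len(seen) == len(shares))
    for n in (1, 2, 3, 4):                                # cost grows with n
        print(n, "paths -> exposure", round(p_key_exposed(0.1, 3, n), 5))
```

With n-of-n sharing a compromised chain cannot read the key but can still block it by dropping its share, so secrecy improves with n while availability and message cost get worse.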

14
Intrusion Detection
  • Goals
  • Detect compromised nodes (to remove them from
    chains)
  • Detect other intrusions: denial-of-service
    attacks, attempts to drain power
  • Cryptography is ineffective against these

15
Intrusion Detection Approach
  • Develop models of attacks and relevant
    signatures
  • What must be monitored?
  • How to collect and distribute the data?
  • Develop diagnosis methods
  • Identify the source of the attack if possible
  • Possible responses
  • Avoid nodes that are considered compromised
  • Hibernation to counter DoS or power-draining
    attacks

16
Experimental Evaluation
  • Platform
  • motes with TinyOS
  • 20-30 nodes with up to 20 compromised nodes
  • Objective: show feasibility, measure overhead
  • Experiment scenario remains to be defined

17
Project Status
  • Participating in the security minitask
  • Identifying security threats for a NEST
    environment
  • Getting familiar with the TinyOS platform and the
    NEST Challenge
  • In the process of setting up a sensor network
    testbed (motes ordered)

18
Schedule