Using Directional Antennas to Prevent Wormhole Attacks

Lingxuan Hu, David Evans
Department of Computer Science, University of Virginia

Outline
• Problem Statement
• Background
• Protocol
• Experiment

Scenario
• High-power base station
• Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly

Routing Tree
[Figure: routing tree. Adapted from Chris Karlof and David Wagner's WSNPA slides]

Routing
[Figure: routing. Adapted from Chris Karlof and David Wagner's WSNPA slides]

Wormhole Attack
• Tunnel packets received in one place of the network and replay them in another place
• The attacker can have no key material. All it requires is two transceivers and one high-quality out-of-band channel
(Adapted from Chris Karlof and David Wagner's WSNPA slides)

Disrupted Routing
• Most packets will be routed to the wormhole
• The wormhole can drop packets or, more subtly, selectively forward packets to avoid detection
(Adapted from Chris Karlof and David Wagner's WSNPA slides)

Impact of Wormhole — Experiment
[Figures: Base Station at Corner; Base Station at Center]
How many routing paths are disrupted by a single wormhole?

Impact of Wormhole — Result
[Figure: plot against Position of Endpoint (x, x); series: Base Station at Corner, Base Station at Center]

Possible Solutions
• Time
  – Signal is transmitted at speed of light
• Location
  – Location awareness
• Direction
  – Directional Antennas

Directional Antennas
• Operation Modes: Omni and Directional
• In Omni Mode: nodes send signals with gain G_o
• In Directional Mode: capable of sending in a specified direction, with directional gain G_d (G_d > G_o)

Antenna Model
[Figure: antenna zones numbered 1 to 6, each of width π/3, with zone 1 facing East]
• The model comprises N antenna zones. The N zones may collectively cover the entire plane
• The zones are numbered 1 to N, oriented clockwise, starting with zone 1 facing east
• The channel is bidirectional.
  For example, if A hears B from zone 1, then B will hear A in zone 4, which is the opposite zone

Simple Neighbor Discovery
1. A → Region: HELLO | ID_A
   Announcement, done through sequential sweeping
2. N → A: ID_N | E_KNA (ID_A | R | zone (N, A))
   Include nonce and zone information in the message
3. A → N: R
   Check zone information and send back the nonce

Detecting Wormhole
[Figure: Hello from A reaching B; labels: zone (A, B) = 1, zone (A, B) = 4, "Wrong!"]

Sophisticated Wormhole
[Figure: Hello from A reaching B; labels: zone (A, B) = 1, zone (A, B) = 1, "Yes!"]
Simple Neighbor Discovery can reduce the chance of a successful wormhole attack to 1/6, but this is still unacceptable since a single wormhole can disrupt most routing paths.
Possible Solution: Neighborhood coordination

Verified Neighbor Discovery
1. A → Region: HELLO | ID_A
   Announcement, done through sequential sweeping
2. N → A: ID_N | E_KNA (ID_A | R | zone (N, A))
   Include nonce and zone information in the message
3. A → N: R
   Check zone information and send back the nonce
4. N → Region: INQUIRY | ID_N | ID_A | zone (N, A)
   Inquire the validity of neighbor A through verifiers
5. V → N: ID_V | E_KNV (ID_A | zone (V, N))
   Send confirmation to N if all zone information is correct
6. N → A: ID_N | E_KAN (ID_A | ACCEPT)
   Accept A as its neighbor and notify A

Verification Region
[Figure: nodes A, B and verifier V; labels: zone (B, A) = 4, zone (B, V) = 5, zone (V, A) = 3]
1. zone (B, A) ≠ zone (B, V)
2. zone (B, A) ≠ zone (V, A)

Verifier Analysis
[Figure: nodes A, B, X, Y and verifier V in Region I and Region II; labels: zone (B, A) = zone (B, V), zone (B, A) = zone (V, A)]
1. zone (B, A) ≠ zone (B, V)
2. zone (B, A) ≠ zone (V, A)

Worawannotai attack
• A and B are just beyond the transmission range of each other
• There is a valid verifier V in this case
• X simply retransmits messages between A and B; X doesn't need to retransmit the messages of V.

Strict Neighbor Discovery
Theorem: In strict neighbor discovery, if distance (A, B) > r, the verification region is empty
Strict verification region
1. zone (B, A) ≠ zone (B, V)
2. zone (B, A) ≠ zone (V, A)
3. zone (B, V) cannot be both adjacent to zone (B, A) and adjacent to zone (V, A)

Cost Analysis
• Communication Overhead
  – The typical secure link establishment includes announcement, challenge and response
  – This protocol adds inquiry, verification and acceptance
• Connectivity
  – A node is only accepted as a neighbor if it can be verified by at least one verifier, so the protocol may prevent some legitimate links from being established

Impact on Connectivity
[Figures: node maps, x (meters) against y (meters); panels: Verified Protocol, Omni density = 3; Strict Protocol, Omni density = 3]
For a more typical network with omni density = 10:
• In the verified protocol, 0.5% of links are lost and no nodes are disconnected.
• In the strict protocol, 40% of links are lost and 0.03% of nodes are disconnected.

Node Distance vs Connectivity
[Figure: plot against Node Distance (r); series: Verified Protocol (Density=10), Verified Protocol (Density=3), Strict Protocol (Density=10), Strict Protocol (Density=3)]

Impact on Routing
[Figure: plot against Omnidirectional Node Density; series: Directional Transmission, Verified Protocol, Strict Protocol]
• For the verified protocol, the routing path length is nearly the same
• For the strict protocol, the routing path length increases by around 20%

Directional Errors
[Figures: Ratio against Maximum Directional Error Degree; panels: Omni density = 3, Omni density = 10; series: Lost Links, Strict Protocol; Lost Links, Verified Protocol; Disconnected Nodes, Strict Protocol; Disconnected Nodes, Verified Protocol]
• The error is modeled by disorienting nodes by a random angle in [-max, max]
• The number of disconnected nodes is little affected
• The number of lost links increases as the maximum directional error degree increases

Conclusion
• The wormhole attack is a powerful attack that can be conducted without any cryptographic breaks
• Directional antennas offer a promising approach to preventing wormhole attacks through neighborhood coordination

Discussion
• Design protocols to prevent more powerful wormhole attacks
• Or try to prove that some powerful wormhole is unpreventable if no assumption on time synchronization or location awareness is made.
• Mitigate replay attacks in other layers (routing, application)

References
[1] L. Hu and D. Evans. Using Directional Antennas to Prevent Wormhole Attacks. Network and Distributed System Security Symposium, San Diego, 5-6 February 2004.
[2] R. Ramanathan. On the Performance of Beamforming Antennas in Ad Hoc Network. MobiHoc 2001, October 2001.
[3] Y. Hu, A. Perrig, and D. Johnson. Packet Leashes: A Defense against Wormhole Attacks in Wireless Ad Hoc Networks. INFOCOM 2003, April 2003.
[4] C. Karlof and D. Wagner. Secure Routing in Sensor Networks: Attacks and Countermeasures. First IEEE International Workshop on Sensor Network Protocols and Applications, May 2003.
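
Added example (not from the original slides or the authors' code): the zone checks from the Antenna Model, Simple Neighbor Discovery, Verification Region and Strict Neighbor Discovery slides, written out as code. It assumes zone(X, Y) means the zone in which X hears Y, six zones with zone 1 centred on east, and constructed node coordinates; all function names are illustrative.

```python
import math

N_ZONES = 6  # six zones of width pi/3, as in the antenna model slide

def zone(listener, sender):
    """Zone in which `listener` hears `sender` (assumed reading of zone(X, Y)).
    Zones are numbered clockwise; zone 1 is assumed to be centred on east."""
    dx, dy = sender[0] - listener[0], sender[1] - listener[1]
    clockwise = (-math.atan2(dy, dx)) % (2 * math.pi)
    width = 2 * math.pi / N_ZONES
    return int(((clockwise + width / 2) % (2 * math.pi)) // width) + 1

def opposite(z):
    """Bidirectional channel: hearing in zone 1 implies being heard in zone 4."""
    return (z - 1 + N_ZONES // 2) % N_ZONES + 1

def adjacent(z1, z2):
    return (z1 - z2) % N_ZONES in (1, N_ZONES - 1)

def simple_check(reported_zone_n_a, heard_zone_a_n):
    """Step 3 of simple discovery: A accepts only if it heard N in the zone
    opposite to the zone (N, A) that N reported in its encrypted reply."""
    return heard_zone_a_n == opposite(reported_zone_n_a)

def verifier_ok(z_ba, z_bv, z_va, strict=False):
    """Conditions 1 and 2 from the Verification Region slide; strict=True
    adds condition 3 from the Strict Neighbor Discovery slide."""
    ok = z_ba != z_bv and z_ba != z_va
    if strict:
        ok = ok and not (adjacent(z_bv, z_ba) and adjacent(z_bv, z_va))
    return ok

def demo():
    # Constructed coordinates: A and B are genuine neighbours.
    a, b = (0, 0), (30, 5)
    genuine = simple_check(zone(b, a), zone(a, b))
    # Constructed coordinates: a distant node whose frames reach A only
    # through relay endpoints x (near A) and y (near the distant node),
    # so each side measures the direction of its local relay.
    far_b, x, y = (400, 0), (5, 20), (405, 20)
    relayed = simple_check(zone(far_b, y), zone(a, x))
    return genuine, relayed
```

With the zone values shown on the Verification Region slide (4, 5, 3) the verifier is accepted under both rule sets, while (4, 5, 6) is accepted by the verified rules and rejected by the strict ones.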