Computer Science
CSC 774 Advanced Network Security

Packet Leashes: A Defense Against Wormhole Attacks in Wireless Networks
Presented by: Jinsuk Jun
14th Nov 2005

Outline
• The Wormhole Attack
• Packet Leash for Wormhole Detection
• Temporal Leash and the TIK Protocol
• Analysis
• Future Works & Conclusion

The Wormhole Attack
[Figure: Colluding Attackers, S, D, Wormhole]
• Attacker records a packet at one location in the network, tunnels the packet to another location, then replays it there
• Packets may be replayed from the far end of the wormhole.
• Puts attacker in a powerful position.

Applications of the Wormhole Attack
• Denial-of-Service
  – On-demand routing protocols such as DSR, AODV
• Routing Disruptions
  – Periodic routing protocols such as DSDV, OLSR, TBRPF
• Unauthorized Access
  – Any wireless access control system that is based on physical proximity

Packet Leash
• Assumptions
  – Resource-constrained nodes
  – Existing key distribution mechanism
• Packet Leash
  – A general mechanism for detecting wormholes
  – Restricts a packet's maximum transmission distance
  – Geographical Leashes
  – Temporal Leashes

Geographical Leashes
• Location knowledge
• Loosely synchronized clocks
• Bounded node velocity
• Multiple location detection

Temporal Leashes
• Definition: a temporal leash establishes an upper bound on a packet's lifetime, which restricts the maximum travel distance
• Timing and contention-based MAC protocols
• All nodes must have tightly synchronized clocks
  – Maximum clock error ($\Delta$) must be known by all nodes
  – Maximum error must be on the order of microseconds or hundreds of nanoseconds

Temporal Leashes (contd.)
• Implementation with a packet expiration time
• An authentication technique should be used to protect the timestamp inside packets

$t_e = t_s + \frac{L}{c} - \Delta$

  – $t_e$: packet expiration time
  – $t_s$: packet sent time
  – $c$: propagation speed of wireless signal
  – $L$: maximum allowed travel distance; $L > L_{min} = \Delta \cdot c$
  – $\Delta$: maximum clock difference between 2 nodes

Temporal Leash (contd.)
• Node can use message authentication codes for authentication
• The sender S and receiver R must share a secret key K

$S \rightarrow R : M, \mathrm{HMAC}_K(M)$

Temporal Leashes (contd.)
• Problem!
• In a contention-based MAC protocol, the sender may not know the precise time it will transmit
• Generating a digital signature such as RSA takes too much time (on the order of 10 ms)
  – Increase minimum transmission unit
  – Use a more efficient signature scheme

Tree-Authenticated Values
• One-way Hash Chain
  – Chain values by repeatedly applying a hash function
  – Very efficient to compute but still has high overhead
  – [Figure: hash chain $C_0, C_1, C_2, C_3, C_4$]
• Hash Tree
  – Place values at the leaf nodes of a binary tree
  – Each internal node is derived from its 2 child nodes

Merkle Hash Trees
[Figure: Merkle hash tree]

TIK Protocol
• TESLA with Instant Key disclosure
• Provides instant broadcast authentication for temporal leashes
• Requires accurate time synchronization between all nodes
• Requires each node to know one public value for each sender node

TIK Protocol (contd.)
• Sender Setup
  – Derive a series of keys $K_0, K_1, \ldots, K_{w-1}$, where $K_i = F(i)$ and $F$ is a pseudo-random function keyed with the master secret key
  – Select a key expiration interval $I$, and determine a schedule of key expiration

TIK Protocol (contd.)
• Key expiration
  – $K_0$ expires at $T_0$
  – $K_1$ expires at $T_1 = T_0 + I$
  – $K_i$ expires at $T_i = T_{i-1} + I = T_0 + i \cdot I$
• Sender constructs a hash tree using the keys $K_0, K_1, \ldots, K_{w-1}$ as leaf nodes

TIK Protocol (contd.)
• Sending & Verifying Packets
• Sender:
  – Sender picks a key $K_i$ that will not have expired when the receiver receives the packet

$S \rightarrow R : \mathrm{HMAC}_{K_i}(M), M, T, K_i$

  – $M$: message payload
  – $\mathrm{HMAC}_{K_i}(M)$: message authentication code for $M$
  – $K_i$: key used to generate the HMAC for $M$
  – $T$: tree authentication values used to authenticate $K_i$
• Receiver:
  – Verifies if the sender has started sending $K_i$ after receiving the HMAC, based on $T_i$
  – Verifies if $K_i$ is authentic based on the hash root value and $T$
  – Verifies the HMAC, using the authenticated $K_i$
  – Accepts the packet as authentic only if all those verifications are successful

TIK Protocol (contd.)
[Figure]

TIK Protocol (contd.)
• MAC Layer Issues
• TDMA MAC protocol
  – Choose the time at which the frame begins transmission
  – HMAC sent by time $T_i - \frac{r}{c} - 2\Delta$
  – Minimum payload length is $\frac{r}{c} + 2\Delta$
• CSMA MAC protocol
  – If the protocol uses an RTS/CTS handshake, the minimum packet size can be reduced

Security Analysis
• Temporal leash with TIK protocol can detect and prevent wormhole attacks if all nodes are good nodes
• Can't deal with a malicious sender that claims a false timestamp
• Can't deal with a malicious receiver that refuses to check the leash

Geographical VS. Temporal
• Geographical Leash
  – Can be used with radio propagation model
  – Does not require tight time synchronization
  – Location info increases overhead
  – Can be used until max range is $2\nu\Delta$
• Temporal Leash
  – Highly efficient when used with TIK
  – Requires tight time synchronization
  – Cannot be used if max range is less than $c\Delta$

Geographical VS. Temporal
• Compare the effectiveness of geographic leashes and temporal leashes by comparing the distance bounds
  – Geographic: $d_{sr} \le \lVert p_s - p_r \rVert + 2\nu \, (t_r - t_s + \Delta) + \delta$
  – Temporal: $d_{sr} \le c \, (t_r - t_s + \Delta)$
• Geographic leashes should be used when $\delta < c\Delta$ and temporal leashes should be used when $\delta \le c\Delta$

Future Works & Conclusion
• Future Works
  – More research on how the sender/receiver can accurately determine $t_s$/$t_r$
  – Design and deploy an accurate time synchronization device among the nodes
• Conclusion
  – Wormhole attack is a significant danger to routing protocols in ad hoc networks.
  – Packet leashes have the ability to detect such attacks.
  – TIK can provide efficient authentication in networks with tight time synchronization.
  – Not for use in resource-scarce systems.