Securing Wireless Sensor Networks CCSP Seminar
advertisement
Securing Wireless Sensor Networks CCSP Seminar 8 December 2003 David Evans CCSP 8 Dec 2003 evans@cs.virginia.edu http://www.cs.virginia.edu/evans/talks/ccsp Department of Computer Science University of Virginia 1 Two Talks for the Price of One! • 5000 years of cryptography – Symmetric Ciphers – Asymmetric Ciphers • Securing Wireless Sensor Networks – Key Distribution – Data Aggregation – Wormhole Attacks and Defenses CCSP 8 Dec 2003 2 Terminology Insecure Channel Plaintext Encrypt Ciphertext Decrypt Plaintext Eve Alice CCSP 8 Dec 2003 C = E(P) P = D(C) E must be invertible: P = D (E (P)) Bob 3 “The enemy knows the system being used.” Claude Shannon Insecure Channel Plaintext Encrypt Ciphertext K Decrypt Plaintext K Eve Alice C = E(P, K) P = D(C, K) CCSP 8 Dec 2003 Bob 4 Jefferson’s Wheel Cipher Key: the order of wheels on the spindle CCSP 8 Dec 2003 5 Applet on Monticello’s web site by CS201J students: Matt Spear, “Boyd” Worawannotai, Edward Mitchell (Note: not for use on nuclear secrets!) http://monticello.org/jefferson/wheelcipher CCSP 8 Dec 2003 6 Jefferson Wheel Cipher • If used carefully, effectively unbreakable in Jefferson’s day – US army used very similar cipher in WWI • “Easy” to break today http://www.cs.virginia.edu/cs588/challenges/wheel-solved.html A billion billion is a large number, but it’s not that large a number. — Whitfield Diffie CCSP 8 Dec 2003 7 Modern Symmetric Ciphers • Same idea but: – Use digital logic instead of mechanical rotors – Larger keys – Encrypt blocks of letters at a time • Good choice for most applications: AES (Rijndael) – Effectively unbreakable, minimal performance cost – 128 (“billion billion billion billion”) or 256 (“billion8”) bit keys – No practical attacks better than brute force known (yet) CCSP 8 Dec 2003 8 Problem with all Symmetric Ciphers Insecure Channel Plaintext Encrypt Ciphertext K Alice Decrypt Plaintext K Eve Bob How do Alice and Bob agree on K (without Eve hearing it)? CCSP 8 Dec 2003 9 Padlocked Boxes Hi! Alice CCSP 8 Dec 2003 10 Padlocked Boxes Alice’s Padlock Alice Alice’s Padlock Key CCSP 8 Dec 2003 11 Padlocked Boxes Alice Shady Sammy’s Slimy Shipping Service Alice’s Padlock Key CCSP 8 Dec 2003 12 Padlocked Boxes Bob’s Padlock Alice Alice’s Padlock Key Bob Bob’s Padlock Key CCSP 8 Dec 2003 13 Padlocked Boxes Alice Alice’s Padlock Key Bob Bob’s Padlock Key CCSP 8 Dec 2003 14 Padlocked Boxes Alice Alice’s Padlock Key Bob Bob’s Padlock Key CCSP 8 Dec 2003 15 Padlocked Boxes Alice Bob Bob’s Padlock Key CCSP 8 Dec 2003 16 Padlocked Boxes Hi! Alice Bob Bob’s Padlock Key CCSP 8 Dec 2003 17 One-Way Functions • Easy to compute, hard to invert • Trap-door one way function: – D (E (M)) = M – E and D are easy to compute. – Revealing E doesn’t reveal an easy way to compute D. – Hence, anyone who knows E can encrypt, but only someone who knows D can decrypt CCSP 8 Dec 2003 18 RSA [Rivest, Shamir, Adelman 78] One-way function: multiplication is easy, factoring is hard Trap-door: number theory (Euler and Fermat) CCSP 8 Dec 2003 19 Public-Key Applications: Privacy Bob Alice Plaintext Encrypt Ciphertext Bob’s Public Key Decrypt Plaintext Bob’s Private Key • Alice encrypts message to Bob using Bob’s Private Key • Only Bob knows Bob’s Private Key only Bob can decrypt message CCSP 8 Dec 2003 20 Signatures Alice Plaintext Encrypt Signed Message Alice’s Private Key Decrypt Bob Plaintext Alice’s Public Key • Bob knows it was from Alice, since only Alice knows Alice’s Private Key • Non-repudiation: Alice can’t deny signing message (except by claiming her key was stolen!) • Integrity: Bob can’t change message (doesn’t know Alice’s Private Key) CCSP 8 Dec 2003 21 Problems with RSA • About 1000 times slower than symmetric algorithms – Just use RSA to transfer key, then use AES to encrypt data • Key size (and size of smallest message) must be large for security – 1024 bits ~ 128 bits for secret key • Public key doesn’t need confidentiality, but does need integrity CCSP 8 Dec 2003 22 Key Management Plaintext Encrypt Ciphertext Bob’s Public Key Decrypt Plaintext Bob’s Private Key Really Eve’s Public Key Really Eve’s Padlock Alice Alice’s Padlock Key CCSP 8 Dec 2003 Everyone can know the public key, but to be useful must know it is the owner’s public key. 23 Securing Sensor Networks CCSP 8 Dec 2003 24 Sensor Networks High-power base station Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly CCSP 8 Dec 2003 25 Why security for sensor networks is hard • Low power devices – Public-key algorithms use too much energy • Limited device communication – Sending messages is extremely expensive • Communication is wireless – All messages are vulnerable to eavesdropping and forgery • Individual devices easily compromised – Cheap hardware in hostile territory CCSP 8 Dec 2003 26 Control Messages High-power base station Operator at base station controls behavior of sensor nodes CCSP 8 Dec 2003 27 High-power base station Rogue operator or compromised node should not be able to control behavior of other sensor nodes CCSP 8 Dec 2003 28 Control Integrity • Needs asymmetry: – Only base station can send out control messages – But, every node needs to understand them • Traditional: Asymmetry of Information – Use public-key encryption: • Send messages with base’s private key • Pre-load all nodes with base’s public key – Too expensive: nodes would need to receive long messages and do public key decryptions • Instead: asymmetry of time CCSP 8 Dec 2003 29 Cryptographic Hash Chains f f (f (f (x))) f f (f (x)) f f (x) time Initially store: K0 = f4(x) K1 = f3(x) verify f (K1) = K0 K2 = f2(x) verify f (K1) = K0 CCSP 8 Dec 2003 x f is a one-way function: easy to calculate f(x), but difficult to invert f. 30 µTesla [Perrig, et. al., 2002] • Initially: sensor nodes know K0 = fn(x) base station knows x • Base station messages encrypted using K1 = fn-1(x) • Nodes store and time stamp messages, but cannot decrypt them (yet) • At time t1, base station broadcasts K1 • Nodes verify f (K1) = K0 • Nodes use K1 decrypt earlier messages • Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed CCSP 8 Dec 2003 31 Data Integrity High-power base station Only data from legitimate nodes should be accepted by the base station CCSP 8 Dec 2003 32 Node Authentication • Before deployment, establish a shared symmetric secret key between each node and base station: KNS • Send readings with a MAC: RA | MAC (KAS, RA) Assumes confidentiality of transmitted readings is not important. We are only concerned with integrity. CCSP 8 Dec 2003 33 Authenticated Sensor Net Each node transmits: N | RN | MAC (KNS, RN) Base station verifies MAC before accepting RN. CCSP 8 Dec 2003 34 Data Aggregation If you only care about average, max, etc., aggregate data inside the network instead of sending it to the base station. CCSP 8 Dec 2003 35 Authenticated Data Aggregation A | RA | MAC (KAS, RA) C A B C | Aggr (RA, RB) | MAC (KCS, Aggr (RA, RB)) CCSP 8 Dec 2003 B | RB | MAC (KBS, RB) 36 Secure Aggregation • Delayed Aggregation: Only aggregate messages after they have traveled one hop • Delayed Authentication: Use µTesla variation to reveal children’s keys to parents to provide delayed authentication Lingxuan Hu and David Evans. Secure Aggregation for Wireless Networks. Workshop on Security and Assurance in Ad hoc Networks. January, 2003. CCSP 8 Dec 2003 37 Protocol Example IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD) | MAC (KGi, Aggr (RA, RB, RC, RD)) IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB)) G F E IDA | RA | MAC (KAi, RA) IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD)) D IDB | RB | MAC (KBi, RB) C KAi is the ith key in a µTesla key chain A starting from KAS CCSP 8 Dec 2003 B 38 IDG | Aggr (Aggr (RA, RB), Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD) | … (same from right side) | MAC (KHi, Aggr (RA, RB, RC, RD, . . . readings from right side)) H IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD) | MAC (KGi, Aggr (RA, RB, RC, RD)) IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB)) G F E IDA | RA | MAC (KAi, RA) IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD)) D IDB | RB | MAC (KBi, RB) C A CCSP 8 Dec 2003 B 39 Abridged Attack Analysis • Intruder Node (no key material) – Cannot forge sensor readings: they will be detected when the base station reveals the node MAC keys – Replay attacks ineffective: keys change, can only replay readings within this time period • Compromised Node (all keys on one node) – Can lie about its own reading – But, cannot alter other nodes readings without getting caught: aggregate will not match calculated aggregate at next level CCSP 8 Dec 2003 40 Successful Attacks • Compromised node selectively drops child readings – Nothing to prevent this (but unlikely to change much without base station noticing) – Can use child snooping to catch it earlier • Compromise two consecutive (parent and grandparent) nodes – Can forge readings for entire subtree CCSP 8 Dec 2003 41 Communication Cost No Aggregation Total Kilobytes Transmitted 800 700 Insecure Aggregation Secure Aggregation 600 500 400 300 Sensor reading: 22 bytes MAC of message: 8 bytes Ideal binary network 200 100 0 340 1364 5460 Sensor Nodes Secure Aggregation requires about 3 times the amount of data transmission as Insecure Aggregation, but provides integrity with < ½ the cost of no aggregation. CCSP 8 Dec 2003 42 Summary • With our protocol, you can get authenticated results without trusting your children at all, and trusting your parents and grandparents not to conspire together against you. • Not trusting your children is reasonable (inexpensive) • Not trusting your parents is expensive: requires over twice the resources of the insecure aggregation protocol CCSP 8 Dec 2003 43 Routing Security (Lingxuan Hu’s slide) CCSP 8 Dec 2003 44 Wormhole Attack • Tunnel packets received in one place of the network and replay them in another place • The attacker needs no key material, just two transceivers! CCSP 8 Dec 2003 45 Impact of Wormhole Fraction of Routes to Base Station Disrupted 1 0.9 0.8 Base Station at Corner 0.7 0.6 0.5 0.4 0.3 0.2 Base Station at Center 0.1 0 0 50 100 150 200 250 300 350 400 450 500 Position of Endpoint (x, x) CCSP 8 Dec 2003 46 Preventing Wormhole Attacks • Know your neighbors • Physical Space – Exploit knowledge about physical space • Redundancy – Use cooperation to establish trust • Physical properties – Speed of transmission limits time when another node can hear it CCSP 8 Dec 2003 47 Directional Antennas Operation Modes: Omni and Directional Lingxuan Hu and David Evans. Using Directional Antennas to Prevent Wormhole Attacks. Network and Distributed System Security Symposium (NDSS), Feb 2004. CCSP 8 Dec 2003 48 Antenna Model 3 2 /3 4 East 1 5 6 Nodes orient themselves using a magnetic compass so zone 1 always faces East. CCSP 8 Dec 2003 49 Directional Neighbor Discovery 3 2 4 1 6 5 A N zone (N, A) is the antenna zone in which N hears A 1. A Region HELLO | IDA Sent by all antenna elements (sweeping) 2. N A IDN | EKNA (IDA | R | zone (N, A)) Sent by zone (N, A) element R is a random nonce 3. A N R CCSP 8 Dec 2003 50 3 zone (N, A) is the antenna zone in which N hears A zone (A, B) = 1 2 4 1 6 5 zone (B, A) = 1 B A zone (x, y) should be opposite zone (y,x) A and B know they are not really neighbors CCSP 8 Dec 2003 51 3 Sophisticated Wormhole 1 4 5 zone (A, B) = 1 2 6 zone (B, A) = 4 B A Wormhole can convince ~1/6 of node pairs they are false neighbors Verified Neighbor Discovery • Wormhole can only trick nodes in particular locations • Verify neighbors using other nodes • Based on the direction from which you hear the verifier node, and it hears the announcer, can distinguish legitimate neighbor CCSP 8 Dec 2003 53 Verifier Region 1. zone (B, A) zone (B, V) 2. zone (B, A) zone (V, A) 3. zone (B, V) cannot be both adjacent to zone (B, A) and adjacent to zone (V, A) CCSP 8 Dec 2003 54 Lose some legitimate Neighbors 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 Verified Protocol (Density=10) Verified Protocol (Density=3) Strict Protocol (Density=10) Strict Protocol (Density=3) 0.2 0.1 0 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Node Distance (r) CCSP 8 Dec 2003 55 …but small effect on connectivity and routing 10 500 9 450 8 Average Path Length 400 y (meters) 350 300 250 200 Verified Neighbor Discovery Protocol 7 6 5 4 Trust Everythingl 3 150 2 100 1 50 0 4 0 0 50 100 150 200 250 300 350 400 450 500 6 8 10 12 14 16 18 20 Omnidirectional Node Density x (meters) Omni density = 3, Directional Density = 9.7 CCSP 8 Dec 2003 56 Summary www.cs.virginia.edu/evans/talks/ccsp • Morals: – Secure aggregation: don’t trust your children, trust your parents and grandparents not to conspire against you – Wormhole Defenses: know your neighbors, but don’t trust them unless your other neighbors do • CRAB Seminar plug: CS851 Cryptography Applications • Funding: NSF CAREER, NSF ITR CCSP 8 Dec 2003 57
