Post on 19-Dec-2015
Efficiently Authenticating Code Images in Dynamically Reprogrammed
Wireless Sensor Networks
PerSec 2006
Speaker: Prof. Rick Han
Coauthors: Jing Deng and Prof. Shiv Mishra
University of Colorado at Boulder, Department of Computer Science
Reprogramming Wireless Sensor Networks (WSNs)
• Reprogramming in situ sensor nodes through wireless medium.
  – Important for sensor network management.
    • Patch buggy code, change run-time parameters.
    • Install new applications and unanticipated features.
• Very important for hostile and/or rugged terrain.
• General properties of WSNs
  – Resource constraints
  – Tree-structured routing
[Figure: FireWxNet (MobiSys 2006); tree-structured topology of WSN with base station]
Secure Reprogramming in WSNs
• Security is critical for reprogramming.
  – Scientific applications – lives may depend on the data (FireWxNet)
  – Military applications
  – Commercial applications – inject false code
• Types of attacks:
  – Prevent an adversary from injecting malicious or bogus code image to sensor nodes.
    • Data authenticity and integrity – a focus of this paper
  – Prevent an adversary from a DoS flooding attack – our approach has resilience to this
  – Prevent an adversary from understanding program code
    • Confidentiality – not a focus of this paper
  – In WSNs, an adversary can compromise a node!
Efficiently protect authenticity and integrity of program code image disseminated from base station
A System Model for Reprogramming Sensor Nodes
[Figure: system model with base station (BS), program code segmented into pages 1 … m, and packets 1 … n]
• Entire code image is segmented into pages; each page contains a certain number of packets.
• Page level: a node has to receive page by page sequentially.
• Packet level: a node broadcasts all packets in a page in “Round-Robin” way. After receiving ACK/NACK messages from neighbor nodes, it broadcasts lost packets, and so on, until all packets are received by neighbors.
• Provides an efficient way to reliably disseminate a large amount of data to the entire network.
• Deluge, others…
Threat Model and Security Goals
• Threat Model
  – Adversary can eavesdrop on all packets nearby.
  – Adversary can inject (any type of) data nearby.
  – Adversary can compromise a sensor node and obtain all information inside it, including code image and keys.
  – Adversary cannot compromise the base station.
• Security Goals
  1. Protect authenticity and integrity of code image.
     • Adversary cannot inject his malicious program code even given compromised sensor nodes.
  2. Prevent adversary from launching Denial of Service attacks by flooding bogus packets.
     • Every node can verify the authenticity of code image as soon as it receives it.
     • Otherwise adversary can inject bogus packets to launch DoS attacks or force a node to drop correct data.
  3. Low cost.
     • The communication/computing overhead is acceptable.
• Does not protect against:
  – Local jamming attacks.
    • Can be countered.
  – Data confidentiality.
Limiting Public Key Operations
• Difficult to construct a pure symmetric key approach.
  – Global key
  – Transitory global key – to deal with node compromise, but still has problems…
  – Pairwise keys – issues raised in earlier talk, etc.
  – Key distribution problem
• Are public key algorithms feasible on standard sensor nodes? Yes, just barely.
  – Computing overhead
    • RSA
      – 2-3 seconds (512 bits of key) on MICA2.
    • Elliptic Curve Cryptographic algorithm
      – D. Malan: 40 seconds to encrypt 16 bytes of data on MICA2
      – P. Ning: TinyECC takes 12 to 16 seconds to verify a signature on MICAz
      – V. Gupta: Sizzle from Sun, hundreds or thousands of milliseconds on Atmel chip (haven’t seen source code yet)
  – Communication overhead: RSA: 512 bits of key, Elliptic curve: 168 bits of key
• Our approach:
  – Combine public key and fast cryptographic hash schemes, but limit public key executions
  – Predistribute the public key of the base station, and a cryptographic hash
Signed Hash Tree Scheme
• Motivation: to make our scheme more efficient when some data packets are lost.
• Solution: send all hashes first, then send data packets.
• Build a hash tree; hashes in high level packets can be used to authenticate hashes/data in low level packets.
  – P2,0 = Hash(P3,0) || Hash(P3,1)
• Send packets from high level to low level.
• After a node received packet P, it can receive disordered children (hash/data) packets of P.
• An attacker can’t modify packets undetected
• Compromise reveals public key and hash
• A node can verify immediately each packet, even if out of order
• Sender can disseminate packets similar to Round-Robin.
[Figure: hash tree, listed from the data level up to the signed root]
P4,0 P4,1 P4,2 P4,3 P4,4 P4,5 P4,6 P4,7
P3,0 P3,1 P3,2 P3,3
P2,0 P2,2
P1,0
signature
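
The verification rule above, as an added Python example (not code from the talk or its authors): a receiver accepts a packet as soon as its parent is authenticated, in any order. The root P1,0 is assumed to have already passed the base-station signature check, which is not modelled; the truncated SHA-256 hash, the `Receiver` class and the sample packets are this example's assumptions.

```python
import hashlib

HASH_LEN = 4  # hash size from the talk's simulation; truncated SHA-256 is an assumption

def h(packet: bytes) -> bytes:
    return hashlib.sha256(packet).digest()[:HASH_LEN]

def build_tree(data_packets):
    """Return {level: [packets]}; level 1 is the root P1,0, the deepest level is data.
    Every non-leaf packet is Hash(left child) || Hash(right child).
    Assumes the number of data packets is a power of two."""
    level = len(data_packets).bit_length()      # 8 data packets -> level 4
    tree = {level: list(data_packets)}
    while level > 1:
        below = tree[level]
        tree[level - 1] = [h(below[i]) + h(below[i + 1])
                           for i in range(0, len(below), 2)]
        level -= 1
    return tree

class Receiver:
    def __init__(self, verified_root: bytes):
        # (level, index) -> authenticated packet. The root is assumed to have
        # passed the base-station signature check (not modelled here).
        self.trusted = {(1, 0): verified_root}

    def receive(self, level: int, index: int, packet: bytes) -> str:
        parent = self.trusted.get((level - 1, index // 2))
        if parent is None:
            return "deferred"                   # parent not authenticated yet
        offset = (index % 2) * HASH_LEN
        if h(packet) != parent[offset:offset + HASH_LEN]:
            return "rejected"                   # forged or corrupted packet
        self.trusted[(level, index)] = packet
        return "accepted"

def demo():
    data = [b"code-chunk-%d" % i for i in range(8)]   # constructed sample image
    tree = build_tree(data)
    rx = Receiver(tree[1][0])
    return [
        rx.receive(3, 2, tree[3][2]),           # parent P2,1 not seen yet
        rx.receive(2, 1, tree[2][1]),           # checked against the root
        rx.receive(2, 0, tree[2][0]),
        rx.receive(3, 2, tree[3][2]),           # verifiable before P3,0 and P3,1
        rx.receive(4, 5, tree[4][5]),           # data packet, out of order
        rx.receive(4, 4, b"malicious code"),    # injected packet
    ]

if __name__ == "__main__":
    print(demo())
```
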
New Results: Compare to a Signed Hash Chain Scheme
[Figure: signed hash chain]
packet 0: sign(H1), H1
packet 1: data1, H2
packet 2: data2, H3
…
packet n: datan
H1=Hash(P1), H2=Hash(P2), …, Hn=Hash(Pn)
• Similar approaches published in operating systems, SenSys 05 poster, etc.
• The base station has a private key, and all sensors have the public key.
• Each packet contains the secure hash value of the next packet.
• The first packet P0 contains the signature of the secure hash value, signed with the private key.
• When a node receives packet P0, it can verify the authenticity of the hash value H1 with the public key.
• When a node receives packet Pk, it can verify its authenticity with Hk it received before.
• Protects data authenticity and integrity.
• Problems:
  – Maliciously breaking the chain => can’t verify subsequent packets
  – Not efficient when packet loss rate is high.
  – To verify packet Hk, B has to receive all packets from H0 to Hk-1. (cannot run Round-robin scheme with NACK)
[Figure: nodes A and B]
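
The chain and its packet-loss problem, as an added Python example (not code from the talk or its authors). H1 is assumed to have been verified against the signature in packet 0, which is not modelled; the truncated SHA-256 hash, the `ChainReceiver` class and the sample chunks are constructed for illustration.

```python
import hashlib

HASH_LEN = 4  # hash size from the talk's simulation; truncated SHA-256 is an assumption

def h(packet: bytes) -> bytes:
    return hashlib.sha256(packet).digest()[:HASH_LEN]

def build_chain(chunks):
    """Build back to front: P_k = data_k || H_{k+1}, with H_k = Hash(P_k).
    Returns (H1, [P1, ..., Pn]); the last packet carries no hash."""
    packets, next_hash = [], b""
    for chunk in reversed(chunks):
        packets.insert(0, chunk + next_hash)
        next_hash = h(packets[0])
    return next_hash, packets

class ChainReceiver:
    def __init__(self, verified_h1: bytes, total: int):
        # H1 travels in packet 0 under the base station's signature; that
        # check is assumed to have succeeded and is not modelled here.
        self.expected, self.next_k, self.total = verified_h1, 1, total

    def receive(self, k: int, packet: bytes) -> str:
        if k < self.next_k:
            return "duplicate"
        if k > self.next_k:
            return "unverifiable"           # H_k only arrives inside P_{k-1}
        if h(packet) != self.expected:
            return "rejected"               # forged or corrupted packet
        self.expected = packet[-HASH_LEN:] if k < self.total else None
        self.next_k += 1
        return "accepted"

def demo():
    chunks = [b"chunk-%d" % i for i in range(1, 6)]   # constructed sample image
    h1, p = build_chain(chunks)                       # p[0] is P1
    rx = ChainReceiver(h1, len(p))
    return [
        rx.receive(1, p[0]),
        rx.receive(3, p[2]),                # P2 was lost: P3 cannot be checked
        rx.receive(4, p[3]),
        rx.receive(2, p[1]),                # retransmitted P2
        rx.receive(3, p[2]),
        rx.receive(4, b"evil" + p[3][-HASH_LEN:]),    # injected packet
        rx.receive(4, p[3]),
    ]

if __name__ == "__main__":
    print(demo())
```
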
New Results: Linked Hash-tree Scheme
[Figure: linked hash trees. Labels: page 1 (C1), page 2 (C2), page 3 (C3), …, page m (Cm); Hash tree of Page 1, Hash tree of Page 2, …, Hash tree of Page m; packets in page 3; tree packets P1,0; P2,0 P2,1; P3,0 … P3,3; P4,0 … P4,7; HL1 … HLm; HC0 … HC3; g0 … gm; E(HC0)]
• Motivation
  – Conform with code dissemination protocol of Deluge – enforces per page ordering, so packets can be out of order within a page, but pages cannot be out of order => per-page public key!
  – Reduce memory cost
• Each page contains a hash tree for code image authentication.
• Use a signed hash chain to link the root nodes of all hash trees.
To appear in IPSN 2006
New Results: Simulations
• Scenario
  – A node disseminates 32KB data to 20 neighbors. Packet size 128B, hash size 4B.
• Hash chain scheme is very expensive since every receiver needs to send an ACK message back to sender.
• Hash tree scheme consumes too much memory.
• Hybrid hash chain/tree scheme has feasible moderate cost.
• (more simulation results are in the IPSN paper)
Memory Consumption
Scheme       Memory
Deluge       4KB
Hash Chain   4 bytes
Hash Tree    32KB
Hybrid       4.1KB
Summary
• Presented a signed hash tree scheme for efficient and secure dissemination of code to WSNs
  – Form a signed hash tree
  – Release hashes a priori
  – Immediate verification
  – Out-of-order verification
• New results show that a hybrid signed chain-tree is the best combination of low overhead, low memory, and low delay
  – Performance is close to insecure Deluge scheme
Fine