10/31/2005

Designing Secure Sensor Networks

Paper Authors: Elaine Shi and Adrian Perrig, Carnegie Mellon University
Presenter: Matt Egyhazy
November 1, 2005

Presentation Overview

► Introduction, Context, and Definitions
► Threat and Trust Model
► Security Requirements
► Attacks and Countermeasures
► Future Research Directions
► Critique and Conclusion

Introduction: Paper

► Paper is a Survey of the State-of-the-Art
  Offers complete overview of Sensor Network security
  Refers to more specific documents for details
  Some concepts already covered by Prof. Chen
    ► Concepts covered will be briefly reviewed
    ► Concepts not covered will be emphasized
► Authentication, Secrecy, Availability, Integrity
► Insider and Outsider Attacks
  Compromised Node
  Non-authorized Participant

Introduction: Sensor Networks

► Collection of sensor devices
► Communicate through RF
► Scarce Resources
  Power
  Memory
  Computation
► Uses
  Monitor Environments and Report Information

Definitions: Security Terms in Context

► Authentication
  Verify identity of originator
► Secrecy
  Data privacy
► Availability
  System is up and running
► Integrity
  Verify that data is not modified
  Reject falsely injected data

Context: Security Issues in Sensor Networks

► Not powerful enough for PKI
  Must use symmetric algorithms
    ► RSA Signature
    ► Diffie-Hellman Key Exchange
    ► AES Encryption
► Physically Insecure
  Deployment in insecure environments
  Must be inexpensive
    ► Tamper-proof hardware is expensive
► Wireless Communication
► Large Scale Node Deployment
  Most security protocols
    ► Designed for two-party use
    ► Do not scale

Threat and Trust: Outsider Attacks

► Listen to wireless communication
► Insert Data
  Alter or spoof packets
    ► Jam network
    ► Introduce false data
► Disable Nodes
  Inject traffic
    ► Drain power resources
  Physically destroy nodes

Threat and Trust: Insider Attacks

► Two basic scenarios
  A valid node is compromised by attacker
  Attacker introduces a more powerful machine into the sensor network
► Compromised Nodes
  Run malicious code
  RF compatible with other nodes
  Authorized participant
    ► In possession of cryptographic primitives (keys)

Threat and Trust: Trust Model

► Base Station is Point-of-Trust
  Serves as interface between external world and sensor network
► Assumptions
  More powerful device
    ► CPU
    ► RF
    ► Memory
  Physically secure

[Figure: Trusted Base Station]

Threat and Trust: Trust Model (2)

► Issues with Central Trusted Base Station
  Scalability
    ► D – N/2 keys to setup
      Where D is the number of neighbors per node and N is the total number of nodes in the network
    ► Need to refresh keys on a regular basis or as needed
  Higher energy usage
    ► The nodes closest to the base station use more power
      Act as relays for the key exchanges
  Single Point of Total Systematic Compromise

Threat and Trust: Trust Model (3)

► Key exchange
  Nodes share keys with base station
  These keys are used to securely exchange the keys used for node->node communication
  We call the secret key node A shares with the base station KA, and similarly KB is the shared key between node B and the base station. If nodes A and B wish to establish a shared secret key KAB, the base station can act as a trusted intermediary to establish that key, for example, by sending a random KAB encrypted with KA to node A and encrypted with KB to node B.
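
The exchange described on this slide, as an added example that is not from the slides or the paper: the base station wraps a random KAB under KA and under KB. Assumptions made here: the cipher is an HMAC-SHA256 keystream with encrypt-then-MAC standing in for a real block cipher, each node supplies a one-time nonce so a replayed reply is rejected, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (assumed stand-in for a cipher such as AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, header: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. The header (which pair the key is for) is authenticated."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    mac_input = b"mac" + nonce + len(header).to_bytes(2, "big") + header + ct
    return ct + hmac.new(key, mac_input, hashlib.sha256).digest()


def unseal(key: bytes, nonce: bytes, header: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    mac_input = b"mac" + nonce + len(header).to_bytes(2, "big") + header + ct
    expected = hmac.new(key, mac_input, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class BaseStation:
    def __init__(self):
        self.node_keys = {}  # node id -> key shared with that node (K_A, K_B, ...)

    def enroll(self, node_id: bytes) -> bytes:
        """Before deployment: create the key the node shares with the base station."""
        self.node_keys[node_id] = secrets.token_bytes(16)
        return self.node_keys[node_id]

    def establish(self, a: bytes, nonce_a: bytes, b: bytes, nonce_b: bytes):
        """Pick a random K_AB and wrap it once under K_A and once under K_B."""
        k_ab = secrets.token_bytes(16)
        header = a + b"|" + b
        return (seal(self.node_keys[a], nonce_a, header, k_ab),
                seal(self.node_keys[b], nonce_b, header, k_ab))


class Node:
    def __init__(self, node_id: bytes, key: bytes):
        self.node_id, self.key, self.pending = node_id, key, None

    def request_nonce(self) -> bytes:
        """Fresh one-time nonce sent along with the key request."""
        self.pending = secrets.token_bytes(16)
        return self.pending

    def receive(self, a: bytes, b: bytes, blob: bytes):
        """Unwrap K_AB. The nonce is consumed, so a replayed reply yields None."""
        if self.pending is None or self.node_id not in (a, b):
            return None
        nonce, self.pending = self.pending, None
        return unseal(self.key, nonce, a + b"|" + b, blob)
```

Every pairwise key passes through the base station in this scheme, which is the scalability and single-point-of-compromise concern raised on the previous slide.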

Security Requirements

► Outside Attacks
  Robustness
    ► Encryption
    ► Release nodes in large quantities
    ► Adjust routing in real time to overcome changing topology
► Inside Attacks
  Graceful Degradation
    ► Not always possible to detect node compromise and revoke keys
    ► Use mechanisms to marginalize effect of small number of node breaches

Security Requirements (2)

► Authentication
  Prevents outsiders from injecting False Data or stealing secrets
  Does not solve compromised node problem
► Secrecy
  Encryption used to protect data
  ACLs at base station to ensure privacy
    ► E.g. Person Locator

Security Requirements (3)

► Availability
  Ensure that sensor network is operational until expected end-of-life
► Service Integrity
  Secure Data Aggregation
    ► Detect and reject invalid or false data entries
  Time synchronization protocol

Attacks and Countermeasures: Secrecy and Authentication

► Attacks
  Eavesdropping
    ► Listening to node conversation
  Packet replay
    ► Resend recorded node conversations
  Modification/Spoofing packets
    ► Intercept and modify data
    ► Create completely false data
► Counters
  Standard Cryptography

Attacks and Countermeasures: Secrecy and Authentication (2)

► Key Management
  Pre-deployed key
    ► Global
      Complete system compromise
  PKI
    ► May be too expensive even for initial key setup
    ► Verification DoS
  Random key pre-distribution
► Broadcast Authentication
  μTESLA
    ► Creates Asymmetry
      Delayed key disclosure
      One-way key chain
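
How delayed key disclosure and a one-way key chain give broadcast authentication from symmetric primitives, as an added example that is not from the slides or the paper. Assumptions made here: time is counted in whole intervals that sender and receiver agree on, the chain key is used directly as the MAC key (a deployment would derive a separate MAC key from it), and all names are hypothetical.

```python
import hashlib
import hmac


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [K_0 .. K_n] with K_i = H(K_{i+1}); K_0 is the public commitment."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


class Sender:
    def __init__(self, seed: bytes, n: int, delay: int):
        self.chain, self.delay = make_chain(seed, n), delay

    def packet(self, interval: int, msg: bytes):
        """Packets sent in interval i carry a MAC under the still-secret K_i."""
        return (interval, msg, mac(self.chain[interval], msg))

    def disclose(self, now: int):
        """Key released during interval `now`: the one used `delay` intervals ago."""
        i = now - self.delay
        return (i, self.chain[i]) if i >= 1 else None


class Receiver:
    def __init__(self, commitment: bytes, n: int, delay: int):
        self.known_i, self.known_key = 0, commitment  # last authenticated key
        self.n, self.delay = n, delay
        self.buffer, self.accepted = [], []

    def on_packet(self, now: int, pkt) -> bool:
        """Buffer a packet only if its key cannot have been disclosed yet."""
        if now >= pkt[0] + self.delay:
            return False  # key may already be public, so anyone could forge this
        self.buffer.append(pkt)
        return True

    def on_key(self, i: int, key: bytes) -> bool:
        """Authenticate K_i by hashing back to the last known key, then check MACs."""
        if i <= self.known_i or i > self.n:
            return False
        keys, k = {}, key
        for j in range(i, self.known_i, -1):  # also recovers keys whose disclosure was lost
            keys[j] = k
            k = H(k)
        if not hmac.compare_digest(k, self.known_key):
            return False
        self.known_i, self.known_key = i, key
        pending, self.buffer = self.buffer, []
        for interval, msg, tag in pending:
            if interval not in keys:
                self.buffer.append((interval, msg, tag))  # key not disclosed yet
            elif hmac.compare_digest(tag, mac(keys[interval], msg)):
                self.accepted.append(msg)
        return True
```

The asymmetry comes from time: while a packet is in flight only the sender knows its MAC key, and once the key is public any packet claiming that interval is refused.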

Attacks and Countermeasures: Secrecy and Authentication (3)

► Random Key Pre-Distribution
  A random pool of keys is selected from the key space. Each sensor node receives a random subset of keys from the key pool before deployment. Any two nodes able to find one common key within their respective subsets can use that key as their shared secret to initiate communication.
  Secure paths may not create a connected graph. Range extension is proposed to increase node range.
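
A small simulation of the scheme above, as an added example that is not from the slides or the paper: it compares the closed-form probability that two key rings intersect with the fraction of radio links that actually end up with a shared key, and counts connected components to show that the secure graph can be more fragmented than the radio graph. The pool size, ring size, radio range and seed are constructed values, and all function names are hypothetical.

```python
import math
import random


def share_probability(pool_size: int, ring_size: int) -> float:
    """P[two random rings share at least one key] = 1 - C(P-k, k) / C(P, k)."""
    return 1 - (math.comb(pool_size - ring_size, ring_size)
                / math.comb(pool_size, ring_size))


def shared_key(ring_a, ring_b):
    """Shared-key discovery: lowest common key id, or None if the rings are disjoint."""
    common = ring_a & ring_b
    return min(common) if common else None


def deploy(n, pool_size, ring_size, rng):
    """Scatter n nodes in the unit square, each holding a random ring of key ids."""
    return [((rng.random(), rng.random()),
             frozenset(rng.sample(range(pool_size), ring_size)))
            for _ in range(n)]


def links(nodes, radio_range):
    """Return (physical, secure): pairs in radio range / in range and sharing a key."""
    physical, secure = set(), set()
    for i, (pos_i, ring_i) in enumerate(nodes):
        for j in range(i + 1, len(nodes)):
            pos_j, ring_j = nodes[j]
            if math.dist(pos_i, pos_j) <= radio_range:
                physical.add((i, j))
                if shared_key(ring_i, ring_j) is not None:
                    secure.add((i, j))
    return physical, secure


def components(n, edges):
    """Number of connected components, by union-find."""
    parent = list(range(n))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in edges:
        parent[find(a)] = find(b)
    return len({find(x) for x in range(n)})


def survey(n=200, pool_size=10000, ring_size=75, radio_range=0.15, seed=2005):
    """Constructed deployment: analytic vs. measured key sharing, and connectivity."""
    rng = random.Random(seed)
    nodes = deploy(n, pool_size, ring_size, rng)
    physical, secure = links(nodes, radio_range)
    return {
        "analytic": share_probability(pool_size, ring_size),
        "measured": len(secure) / len(physical),
        "physical_components": components(n, physical),
        "secure_components": components(n, secure),
    }


if __name__ == "__main__":
    print(survey())
```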

Attacks and Countermeasures: Availability

► Attacks (DoS)
  Physical Layer
    ► RF Interference - drains battery
  Link Layer
    ► Collision Attack - induce collisions
    ► Exhaustion Attack - repeated retransmission
    ► Unfairness Attack - degrade node performance by hogging channel
  Network Layer
    ► Inject malicious packets

Attacks and Countermeasures: Availability (2)

► Physical Layer Counters
  Frequency Hopping/Spread Spectrum
    ► Attacker would have to attack wider band
    ► Might be too sophisticated for low power sensors
  Switch to Low Power
    ► Nodes outlast attacker as he is using more power to DoS the network than they are while sleeping
  Use Alternative Communication
    ► Optical
    ► Infrared

Attacks and Countermeasures: Availability (3)

► Link Layer Counters
  Collision Attack
    ► ECC
      Repair nodes damaged by collision
  Exhaustion Attack
    ► Rate Limitation
      Network can ignore excessive requests without sending expensive radio transmissions
  Unfairness Attack
    ► Small Frames
      Individual node can capture the channel only for a short time.
      Can increase overhead if nodes usually send long transmissions
      Defeated by quick response by attacker if nodes randomly delay before responding

Attacks and Countermeasures: Availability (4)

► Network Layer Counters
  Authentication
    ► Allows receiver to detect malicious packets
  Message Freshness
    ► Detect replayed packets
    ► Nonces
      One time use random numbers in message content

Attacks and Countermeasures: Availability (5)

► Sybil Attack
  Node illegitimately claims multiple identities
  Link Layer - Dominates RF
  Routing Layer - Sinkhole
    ► A sinkhole is created when the Sybil nodes route all their traffic to a sinkhole Sybil node
► Selective Forwarding
  Sinkhole can selectively drop valid messages

Attacks and Countermeasures: Availability (6)

► Counters to Sybil
  Key Association Technique
    ► Associate cryptographic keys to the node identity
    ► Node impersonation can only be accomplished if keys are compromised

Attacks and Countermeasures: Availability (6)

► Routing Attacks
  Spread Bogus Routing Information
  Hello Flooding
    ► More powerful adversary sends Hello message to all nodes in the network
    ► This creates a chain reaction where all the nodes send response back to the adversary.
      Not all of these responses can even reach the originator, causing confusion throughout the network

Attacks and Countermeasures: Availability (7)

► Counters to Routing Attacks
  Multi-path Routing
    ► Use multiple paths for each transmission
    ► This scheme relies on the probability that not all selected paths are controlled by an adversary
    ► Increases use of network resources

Attacks and Countermeasures: Service Integrity

► Attacks
  Focus on forcing the system to accept invalid data
  Corrupted sensor/aggregator
    ► Report invalid results
  Sybil
    ► Impersonated nodes can collude in reporting false data
  DoS
    ► Prohibit valid nodes from reporting data
  False Time Synchronization
    ► Disseminate false synchronization messages

Attacks and Countermeasures: Service Integrity (2)

► Counters
  Data Aggregation/Reporting
    ► Secure Information Aggregation Protocol
    ► aggregate-commit-prove: aggregators help computing aggregation of sensor nodes’ raw data and reply to the home server with the aggregation result together with a commitment to the collection of data; the home server and the aggregators then perform efficient interactive proofs such that the home server will be able to verify the correctness of the results (or detect cheating with high probability).

Attacks and Countermeasures: Service Integrity (3)

► Secure Information Aggregation Protocol
  Keys shared between Aggregator and Data sensors
    ► Provides authenticity
      Assuming that nodes cannot be compromised
    ► Does not protect against corrupt nodes
  Aggregator sends hash of sensor values and computed averages to the home server.
    1. The home server checks that the committed data is a good representation of the true data values in the sensor network.
    2. The home server checks if the aggregator is cheating, in the sense that the aggregation result is not (close to) the correct result aggregated from the committed data values.
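
A simplified sketch of aggregate-commit-prove for an average, as an added example that is not from the slides or the SIA paper. Assumptions made here: the commitment is a Merkle hash tree over (index, value) pairs, the home server audits by opening randomly sampled leaves, only check 2 is covered (authenticating each leaf with the sensor's key for check 1 is left out), the tolerance and sample count are constructed values, and all names are hypothetical.

```python
import hashlib
import random


def leaf_hash(index: int, value: int) -> bytes:
    return hashlib.sha256(b"\x00" + f"{index}:{value}".encode()).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(values):
    """Return the tree as a list of levels; levels[0] are leaves, levels[-1] is [root]."""
    level = [leaf_hash(i, v) for i, v in enumerate(values)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]  # odd level: pair the last node with itself
        level = [node_hash(level[k], level[k + 1]) for k in range(0, len(level), 2)]
        levels.append(level)
    return levels


def prove(levels, idx):
    """Sibling hashes from leaf idx up to the root."""
    path = []
    for level in levels[:-1]:
        sib = idx ^ 1
        path.append(level[sib] if sib < len(level) else level[idx])
        idx //= 2
    return path


def verify(root, idx, value, path):
    """Recompute the root from one opened leaf and its sibling path."""
    node = leaf_hash(idx, value)
    for sib in path:
        node = node_hash(node, sib) if idx % 2 == 0 else node_hash(sib, node)
        idx //= 2
    return node == root


class Aggregator:
    def __init__(self, readings, reported_avg=None):
        self.readings = list(readings)
        self.levels = build_tree(self.readings)
        honest = sum(self.readings) / len(self.readings)
        # A cheating aggregator reports a different average over the same commitment.
        self.claim = honest if reported_avg is None else reported_avg

    def commit(self):
        """Aggregate and commit: (Merkle root, number of readings, claimed average)."""
        return self.levels[-1][0], len(self.readings), self.claim

    def open(self, idx):
        """Prove: reveal one committed reading with its Merkle path."""
        return self.readings[idx], prove(self.levels, idx)


def audit(aggregator, samples, epsilon, rng):
    """Home server: spot-check committed leaves and compare with the claimed average."""
    root, n, claim = aggregator.commit()
    total = 0.0
    for _ in range(samples):
        idx = rng.randrange(n)
        value, path = aggregator.open(idx)
        if not verify(root, idx, value, path):
            return "reject: opened value is not in the commitment"
        total += value
    if abs(total / samples - claim) > epsilon:
        return "reject: claimed average disagrees with sampled commitment"
    return "accept"
```

Sampling only bounds the error: a claimed average within the tolerance of the committed data passes, which matches the slide's "(close to) the correct result".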

Attacks and Countermeasures: Service Integrity (4)

► Time Synchronization Counters
  Extremely weak area of sensor network security
  All current network designs assume trusted environment

Future Research Directions: Code Attestation

► Verify code running on sensors
  Malicious nodes will not have valid code
► Implemented in Hardware
  Trusted Computing Group
  Next-Generation Secure Computing Base
  May add cost to sensor device fabrication
► Implemented in Software
  Memory comparison

Future Research Directions: Misbehavior Detection and Revocation

► Utilize voting
  Node A votes against B if B is found to be misbehaving
  If enough bad votes against B, B’s usage of the network is revoked
  However, malicious nodes can slander good nodes by casting votes against them
  One work-around is to limit number of votes and store them with the key-ring
    ► At startup, each node pair exchanges the activation votes to allow its neighbors to vote against it

Future Research Directions: Secure Routing

► Existing Routing Protocols Assume Trusted Environment
  Directed Diffusion
  Geographic Routing
► Proposed Secure Protocols for Ad-Hoc Wireless are Too Heavy
  Also, traffic patterns of sensor network do not align with Ad-Hoc Wireless network

Future Research Directions: Secure Localization

► Properties
  Sensor can determine its geographic location
  Malicious sensors cannot claim false position
► Solves Several Attacks
  Wormhole can be detected if route goes “out of its way” to wormhole node
  Sybil can be detected by its close geographic location of impersonated nodes

Future Research Directions: Efficient Cryptographic Primitives

► Traditional security solutions are too expensive in sensor networks
► Symmetric algorithms are not flexible enough
► Cure-all would be more efficient asymmetric algorithms for use in key establishment and digital signatures

Conclusion and Critique

► Conclusion
  Sensor networks are not ready for secure deployment
  More research and better implementations are needed
► Critique
  Light overview of entire field of security in sensor networks
  Extra reading of cited documents is required to fully understand mentioned concepts
  Overall, well written and authoritative introduction into the field

References

► A. Wood and J. Stankovic, “Denial of Service in Sensor Networks,” IEEE Comp., Oct. 2002, pp. 54–62.
► L. Eschenauer and V. D. Gligor, “A Key Management Scheme for Distributed Sensor Networks,” Proc. 9th ACM Conference on Computer and Communication Security, Nov. 2002, pp. 41–47.
► H. Chan, A. Perrig, and D. Song, “Random Key Pre-distribution Schemes for Sensor Networks,” IEEE Symp. Security and Privacy, May 2003.
► C. Karlof and D. Wagner, “Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures,” Proc. 1st IEEE Int’l. Wksp. Sensor Network Protocols and Applications, May 2003.
► B. Przydatek, D. Song, and A. Perrig, “SIA: Secure Information Aggregation in Sensor Networks,” Proc. 1st ACM Int’l. Conf. Embedded Networked Sensor Sys., Nov. 2003, pp. 255–65.