An Interleaved Hop-by-Hop Authentication Scheme for Filtering of Injected False Data in Sensor Network - PowerPoint PPT Presentation

1
An Interleaved Hop-by-Hop Authentication Scheme
for Filtering of Injected False Data in Sensor
Network
  • Authors: Sencun Zhu, Sanjeev Setia, Sushil
    Jajodia
  • Center for Secure Information Systems
  • George Mason University
  • In Proc. of the 2004 IEEE Symposium on Security
    and Privacy
  • Presenter: Yi-jui Wu

3
Outline
  • Introduction
  • Assumptions
  • The Interleaved Hop-by-hop Authentication Scheme
  • Security Analysis
  • Performance Evaluation
  • Conclusion
  • Discussion

4
Introduction
  • The unattended nature of sensors lends itself
    to several attacks.
  • Standard authentication mechanisms are not
    sufficient against insider attacks.
  • The authors proposed a scheme to address the
    false data injection attack.
  • This scheme focuses on detecting and filtering
    out false packets.

5
Introduction (cont.)
  • The scheme guarantees that if no more than t
    nodes are compromised, the base station will detect
    any false data packets injected by the
    compromised sensors.
  • The scheme provides an upper bound B for the
    number of hops that a false data packet can be
    forwarded before it is detected and dropped.
  • B = t or B = (t-1)(t-2)

6
Assumptions
  • Network and node assumptions
  • Sensor nodes are organized into clusters, and
    each cluster includes at least t+1 nodes.
  • Cluster head
  • Network links are bidirectional.

7
Assumptions (cont.)
  • Security assumptions
  • LEAP
  • Every node shares a master secret key with the
    base station
  • Every node shares a pairwise key with each of its
    neighbors
  • A node can establish a pairwise key with another
    node that is multi hops away. (The Blundo Scheme)
  • The base station has a mechanism to authenticate
    broadcast messages, and each node can verify the
    broadcast messages. (µTESLA)
  • The base station will not be compromised.

8
The Interleaved Hop-by-hop Authentication Scheme
  • Notations
  • u, v: communicating nodes
  • Ku: the key of node u shared with the base
    station
  • Kuv: the pairwise key shared between nodes u and
    v
  • Ku(auth): authentication key for node u
  • BS: base station
  • CH: cluster head

[Figure: nodes CH, u1, u2, u3, ..., un-1, un and BS; node ids 21, 334, 56789]
9
The Interleaved Hop-by-hop Authentication Scheme
  • associated nodes ui, uj: |i - j| = t + 1
  • upper associated node, lower associated node

[Figure: cluster nodes v1, v2, v3 and CH; nodes u1 through u8 and BS]
10
The Interleaved Hop-by-hop Authentication Scheme
  • Basic Schemes
  • node initialization and deployment phase
  • association discovery phase
  • report endorsement phase
  • en-route filtering phase
  • base station verification phase
  • Association Maintenance

11
Node initialization and deployment scheme
  • The key server loads every node with a unique
    integer id and necessary keying materials.
  • Use LEAP to establish one-hop pairwise key.
  • Establish multi-hop pairwise key (optional).

12
Association discovery phase
  • Base station hello and cluster acknowledgment.
  • Note: during the cluster ACK phase, for security
    reasons, all the node ids in the ACK are distinct.
    (explained later)
  • The association discovery process usually
    overlaps with the route discovery process in a
    routing protocol (e.g. the TinyOS beaconing
    protocol).

13
Report Endorsement
  • This scheme requires that at least t+1 nodes
    agree on the report.
  • When a node v agrees on an event E, it computes a
    MAC for E. In addition, node v computes another
    MAC for E, using the pairwise key shared with its
    upper associated node u.
  • Partial report from node v: E, MAC(Kv(auth), E),
    MAC(Kv,u, E)

14
Report Endorsement (cont.)
  • CH collects partial reports from t+1 different
    nodes, XORing the t+1 individual MACs.
  • XMAC(E) = MAC(Kv1(auth), E) ⊕ MAC(Kv2(auth), E)
    ⊕ ... ⊕ MAC(Kvt+1(auth), E)
  • Pairwise MACs are not compressed.
  • The report R that node CH finally generates and
    forwards to BS is
  • R = {E, Ci, {v1, v2, ..., vt+1}, XMAC(E),
  • {MAC(Kvt+1,ut+1, E), MAC(Kvt,ut, E), ..., MAC(Kv1,u1,
    E)}}

15
En-route filtering
16
Base station verification
  • The base station BS only needs to verify the
    compressed MAC. If the verification fails, BS
    will discard the report.
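
The endorsement, XMAC compression and base station verification steps above, together with the pairwise-MAC check an upper associated node can run, as an added example that is not code from the presentation or the paper. HMAC-SHA256 truncated to 8 bytes, the key tables, the node names and the `demo` scenario are assumptions constructed here.

```python
import hashlib
import hmac
from functools import reduce

T = 3  # up to t compromised nodes tolerated, so t+1 endorsements are required

def mac(key, event):
    # Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the sensor MAC.
    return hmac.new(key, event, hashlib.sha256).digest()[:8]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def endorse(v, u, event, auth, pair):  # partial report of node v
    return {"v": v, "u": u, "auth": mac(auth[v], event), "pair": mac(pair[v, u], event)}

def build_report(event, cluster_id, partials):  # CH compresses t+1 MACs into XMAC(E)
    ids = [p["v"] for p in partials]
    if len(set(ids)) != T + 1:
        raise ValueError("need t+1 distinct endorsing nodes")
    return {"E": event, "Ci": cluster_id, "ids": ids,
            "xmac": reduce(xor, (p["auth"] for p in partials)),
            "pair": {p["u"]: (p["v"], p["pair"]) for p in partials}}

def enroute_ok(u, report, pair):
    # Upper associated node u checks the pairwise MAC made by its lower associate v.
    if u not in report["pair"]:
        return False
    v, tag = report["pair"][u]
    return hmac.compare_digest(tag, mac(pair[v, u], report["E"]))

def bs_verify(report, auth):  # BS recomputes XMAC(E) from the keys it shares
    ids = report["ids"]
    if len(set(ids)) != T + 1 or any(i not in auth for i in ids):
        return False
    want = reduce(xor, (mac(auth[i], report["E"]) for i in ids))
    return hmac.compare_digest(want, report["xmac"])

def demo():
    # Constructed keys: v1..v4 endorse; u1..u4 are their upper associated nodes.
    vs, us = ["v1", "v2", "v3", "v4"], ["u1", "u2", "u3", "u4"]
    auth = {v: hashlib.sha256(b"auth" + v.encode()).digest() for v in vs}
    pair = {(v, u): hashlib.sha256((v + u).encode()).digest() for v, u in zip(vs, us)}
    good = build_report(b"fire", "C1", [endorse(v, u, b"fire", auth, pair) for v, u in zip(vs, us)])
    # Forgery by t = 3 compromised nodes v1..v3: v4's MACs can only be guessed (zeros).
    fake = [endorse(v, u, b"false", auth, pair) for v, u in zip(vs[:3], us[:3])]
    fake.append({"v": "v4", "u": "u4", "auth": bytes(8), "pair": bytes(8)})
    bad = build_report(b"false", "C1", fake)
    return (bs_verify(good, auth), enroute_ok("u4", good, pair),
            bs_verify(bad, auth), enroute_ok("u4", bad, pair))
```

The forged report passes the checks at u1 to u3, whose lower associates are compromised, and is rejected at u4 and at the base station. The step where forwarding nodes replace the pairwise MACs along the path is not modelled.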

17
Association Maintenance
  • The correctness of the scheme relies on correct
    association knowledge.
  • base station initiated repair and local repair.

18
Association Maintenance: Base station initiated
repair
  • Periodically execute the base station hello step.
  • Interact with the underlying routing protocol.
  • For example, in the TinyOS beaconing protocol, the
    base station broadcasts a beaconing message
    periodically, forming a breadth-first tree rooted
    at the base station.
  • Execute the base station hello step for each
    epoch by piggybacking node ids in every beaconing
    message.

19
Association Maintenance: Local repair
  • Based on the right-hand rule in the greedy
    perimeter stateless routing (GPSR) protocol.
  • Assume every node knows the locations or relative
    locations of its neighbors (e.g., because of
    GPS).

20
Security Analysis
  • Base station detection
  • En-route filtering
  • outsider attacks
  • insider attacks

21
Security Analysis: Base station detection
  • The adversary has to compromise at least t+1
    nodes to be able to forge a report to deceive the
    base station.
  • XOR-MAC scheme is proven to be secure.
  • Recall XMAC(E) = MAC(Kv1(auth), E) ⊕
    MAC(Kv2(auth), E) ⊕ ... ⊕ MAC(Kvt+1(auth), E)

22
Security Analysis: En-route filtering
  • Outsider attacks: secure, because reports are
    authenticated hop by hop.
  • Insider attacks
  • If the association knowledge of each node is
    correct and only t nodes are compromised, the
    false report will be found after it is forwarded
    by at most t non-compromised nodes.
  • Recall the report R = {E, Ci, {v1, v2, ..., vt+1}, XMAC(E),
    {MAC(Kvt+1,ut+1, E), MAC(Kvt,ut, E), ...,
    MAC(Kv1,u1, E)}}
  • But the attacker may attack the cluster
    acknowledgment process to create fake association
    knowledge.

23
Security Analysis: En-route filtering (cont.)
  • Attacks on the cluster acknowledgment process
  • Recall the cluster acknowledgment phase.
  • The goal of this attack is to lower-associate
    more than t non-compromised nodes with t
    compromised nodes.
  • Cluster insider attacks and en-route insider
    attacks

24
Security Analysis: Cluster Insider Attacks
  • All the t compromised nodes are from the cluster.

[Figure: cluster nodes v1, v2, v3 and CH; label (v3, CH, v2, v1); t = 3]
25
Security Analysis: Cluster Outsider Attacks
[Figure: network diagram with BS, CH, nodes 1 through 9 and nodes A through F; t = 3]
26
Security Analysis: Cluster Outsider Attacks
  • In the above case, a false report will be dropped
    after it is forwarded by at most t^2
    non-compromised nodes.
  • Enhancement
  • Adding a node feedback mechanism reduces the bound to
    (t-1)(t-2).
  • If all sensor nodes possess GPS devices, the
    upper bound may reduce to t or slightly larger
    than t.

27
Performance Evaluation
  • Computational cost
  • Establishing pairwise keys: about 1/10000 of the
    cost of creating an RSA signature
  • Report authentication: the energy for computing
    a MAC is about the same as that for transmitting
    one byte
  • Communication cost
  • Every authentic report contains one compressed
    MAC and t+1 pairwise MACs.
  • Storage cost?

28
Conclusion
  • The authors presented a simple but effective
    authentication scheme to prevent false data
    injection attacks in sensor networks.
  • The scheme guarantees that if no more than t
    nodes are compromised, the base station will detect
    any false data packets injected by the
    compromised sensors.
  • The scheme provides an upper bound B for the
    number of hops that a false data packet can be
    forwarded before it is detected and dropped.
  • B = t^2

29
Discussion
  • How to choose t?
  • Does this scheme suit any network topology?