Security in Wireless Sensor Networks - PowerPoint PPT Presentation

Title: Security in Wireless Sensor Networks
Slides: 57
Provided by: csBing

Transcript and Presenter's Notes

1
Security in Wireless Sensor Networks
  • Adrian Perrig, John Stankovic, and David Wagner

2
Overview
  • WSN security: too many problems... a number of
    solutions... enough?
  • Survey Paper outlines security issues,
    discusses some existing solutions, and suggests
    possible research directions
  • Issues include
  • key establishment
  • secrecy
  • authentication
  • privacy
  • denial-of-service attacks (more info in a later
    set of slides)
  • secure routing (more info in a later set of
    slides)
  • node capture
  • Also discusses some sample security services for
    wireless sensor networks

3
Problems Applying Traditional Network Security
Techniques
  • Sensor devices are limited in their energy,
    computation, and communication capabilities
  • Sensor nodes are often deployed in open areas,
    thus allowing physical attack
  • Sensor networks closely interact with their
    physical environments and with people, posing
    new security problems

4
Key Establishment and Trust
  • Sensor devices have limited computational power,
    making public-key cryptographic primitives too
    expensive in terms of system overhead.
  • Simplest solution is a network-wide shared key
  • problem: if even a single node were compromised,
    the secret key would be revealed, and decryption
    of all network traffic would be possible
  • Slightly better solution
  • use a single shared key to establish a set of
    link keys, one per pair of communicating nodes,
    then erase the network-wide key
  • problem: does not allow addition of new nodes
    after initial deployment

5
Key Establishment (continued)
  • Bootstrapping keys using a trusted base station
  • Each node needs to share only a single key with
    the base station and set up keys with other nodes
    through the base station
  • The base station becomes a single point of
    failure
  • Utilize tamper-resistant packaging for the base
    station, reducing the threat of physical attack
  • Most existing work assumes base station is safe
    Good assumption???

6
Random-key pre-distribution protocols
  • Large pool of symmetric keys is chosen
  • Random subset of the pool is distributed to each
    sensor node
  • To communicate, two nodes search their pools for
    a common key
  • If they find one, they use it to establish a
    session key
  • Not every pair of nodes shares a common key, but
    if the key-establishment probability is
    sufficiently high, nodes can securely communicate
    with sufficiently many nodes to obtain a
    connected network
  • No need to include a central trusted base station
  • Disadvantage: attackers who have compromised
    sufficiently many nodes could reconstruct the
    complete key pool and break the scheme
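The scheme on this slide, worked through as an added example (not code from the slides or from the surveyed paper): a pool of keys is generated, each node receives a random key ring, two nodes discover a shared key by comparing key ids, and the same script computes the pair-connection probability the slide alludes to, checks whether the resulting key-sharing graph is connected, and measures how much of the pool is exposed as nodes are captured. Pool size, ring size, node count and the function names are constructed for the illustration.

```python
"""Random-key pre-distribution, simulated.

Added example (not from the slides or the surveyed paper). The pool size,
key-ring size and node count are constructed parameters for illustration.
"""
import os
import random
from itertools import combinations


def make_pool(pool_size: int, key_bytes: int = 16) -> dict:
    """Step 1: the deployer draws a large pool of random symmetric keys, indexed by key id."""
    return {kid: os.urandom(key_bytes) for kid in range(pool_size)}


def predistribute(pool: dict, n_nodes: int, ring_size: int, seed=None) -> list:
    """Step 2: each node is loaded with a random subset of the pool (its key ring)."""
    rng = random.Random(seed)
    ids = list(pool)
    return [{kid: pool[kid] for kid in rng.sample(ids, ring_size)} for _ in range(n_nodes)]


def shared_key(ring_a: dict, ring_b: dict):
    """Step 3: shared-key discovery. Nodes exchange key ids (public), never keys.
    Returns (key_id, key) for the lowest common id, or None if the rings are disjoint."""
    common = sorted(set(ring_a) & set(ring_b))
    if not common:
        return None
    return common[0], ring_a[common[0]]


def connection_probability(pool_size: int, ring_size: int) -> float:
    """Probability that two rings of size k drawn from a pool of size P share at
    least one key: 1 - C(P-k, k) / C(P, k), evaluated as a running product."""
    p_disjoint = 1.0
    for i in range(ring_size):
        p_disjoint *= (pool_size - ring_size - i) / (pool_size - i)
    return 1.0 - p_disjoint


def is_connected(rings: list) -> bool:
    """True if the key-sharing graph (edge = the two rings share a key id) is
    connected, i.e. every node can reach every other over secured links."""
    n = len(rings)
    if n == 0:
        return True
    adj = {i: [] for i in range(n)}
    for a, b in combinations(range(n), 2):
        if set(rings[a]) & set(rings[b]):
            adj[a].append(b)
            adj[b].append(a)
    seen, stack = {0}, [0]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return len(seen) == n


def pool_exposed_by_capture(rings: list, captured: list) -> set:
    """Key ids an adversary learns from the rings of captured nodes (the slide's
    disadvantage: with enough captures the exposed share approaches the whole pool)."""
    exposed = set()
    for idx in captured:
        exposed |= set(rings[idx])
    return exposed


if __name__ == "__main__":
    P, K, N = 1000, 50, 200          # constructed parameters
    pool = make_pool(P)
    rings = predistribute(pool, N, K, seed=7)
    print(f"analytic pair-connection probability: {connection_probability(P, K):.3f}")
    print("key-sharing graph connected:", is_connected(rings))
    for captured in (5, 20, 60):
        exposed = pool_exposed_by_capture(rings, list(range(captured)))
        print(f"{captured} nodes captured -> {len(exposed) / P:.0%} of pool exposed")
```

The last loop is the point of the slide's disadvantage bullet: the key ids are public and every captured ring is a fresh sample of the pool, so the exposed fraction grows with the number of captured nodes regardless of which nodes the adversary picks, which is why ring size is a trade-off between connectivity and resilience to capture.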

7
Secrecy and Authentication
  • We need cryptography as protection against
    eavesdropping, injection, and modification of
    packets
  • Trade-offs when incorporating cryptography into
    sensor networks
  • end-to-end cryptography achieves a high level of
    security but requires that keys be set up among
    all end points and is incompatible with passive
    participation and local broadcast
  • link-layer cryptography with a network-wide
    shared key simplifies key setup and supports
    passive participation and local broadcast, but
    intermediate nodes might eavesdrop or alter
    messages

8
Hardware vs. Software Cryptography
  • Hardware solutions are generally more efficient,
    but also more costly
  • University of California, Berkeley,
    implementation of TinySec incurs only an
    additional 5-10% performance overhead using
    software-only methods
  • Most of the overhead is due to increases in
    packet size
  • Cryptographic calculations have little effect on
    latency or throughput, since they can overlap
    with data transfer
  • Hardware reduces only the computational costs,
    not packet size
  • Thus, software-only techniques are sufficient (or
    reasonable to be more careful)

9
Privacy
  • Issues
  • Employers might spy on their employees
  • Shop owners might spy on customers
  • Neighbours might spy on each other
  • Law enforcement agencies might spy on public
    places
  • Technological improvements will only worsen the
    problem
  • Devices will get smaller and easier to conceal
  • Devices will get cheaper, thus surveillance will
    be more affordable

10
Privacy (continued)
  • Sensor networks raise new threats that are
    qualitatively different from what private
    citizens worldwide faced before
  • Sensor networks allow data collection,
    coordinated analysis, and automated event
    correlation
  • Networked systems of sensors can enable routine
    tracking of people and vehicles over long periods
    of time
  • EZ Pass, OnStar... Big Brother?
  • Suggested ways of approaching solution include a
    mix of
  • Societal norms
  • New laws
  • Technological responses

11
Robustness to Denial of Service
  • Simple form: radio jamming
  • Sophisticated form: transmit while a neighbor is
    also transmitting, or continuously generate a
    request-to-send signal
  • Possible solution (when the jamming affects only
    a portion of the network)
  • Detect the jamming
  • Map the affected region
  • Route around the jammed area

12
Secure Routing
  • Proper routing and forwarding are essential for
    communication in sensor networks
  • Injection attacks
  • Transmit malicious routing information into the
    network resulting in routing inconsistencies
  • Authentication might guard against injection
    attacks, but some routing protocols are
    vulnerable to replay by the attacker of
    legitimate routing messages
  • Sensor network routing protocols are particularly
    susceptible to node-capture attacks
  • Compromise of a single node could be enough to
    take over the entire network or prevent any
    communication within it

13
Resilience to Node Capture
  • In traditional computing, physical security is
    often taken for granted
  • Sensor nodes, by contrast, are likely to be
    placed in open locations
  • Attacker might capture sensor nodes
  • Extract cryptographic secrets
  • Modify programs/Replace them with malicious nodes
  • Tamper-resistant packaging may be one defense,
    but it's expensive

14
Algorithmic Solutions to Node Capture
  • Attempt to build networks that operate correctly
    even in the presence of nodes that might behave
    in an arbitrarily malicious way
  • Replicate state across the network and use
    majority voting to detect inconsistencies
  • Gather redundant views of the environment and
    crosscheck them for consistency
  • Most challenging problems in sensor network
    security
  • We are far from a complete solution

15
Network Security Services
  • So far, we've explored low-level security
    primitives for securing sensor networks.
  • Now, we consider high-level security mechanisms.
  • Secure group management
  • Intrusion detection
  • Secure data aggregation

16
Secure Group Management
  • Protocols for group management are required to
  • securely admit new group members
  • support secure group communication
  • Outcome of group computation must be
    authenticated to ensure it comes from a valid
    group
  • Any solution must also be efficient in terms of
    time and energy

17
Intrusion detection
  • In wired networks, traffic and computation are
    typically monitored and analyzed for anomalies at
    various concentration points
  • expensive in terms of the network's memory and
    energy consumption
  • hurts bandwidth constraints
  • Wireless sensor networks require a solution that
    is fully distributed and inexpensive in terms of
    communication, energy, and memory requirements
  • In order to look for anomalies, applications and
    typical threat models must be understood
  • It is particularly important for researchers and
    practitioners to understand how cooperating
    adversaries might attack the system
  • The use of secure groups may be a promising
    approach for decentralized intrusion detection

18
Secure Data Aggregation
  • One benefit of a wireless sensor network is the
    fine-grain sensing that large and dense sets of
    nodes can provide
  • The sensed values must be aggregated to avoid
    overwhelming amounts of traffic back to the base
    station
  • Depending on the architecture of the network,
    aggregation may take place in many places
  • All aggregation locations must be secured
  • If the application tolerates approximate answers,
    powerful techniques are available
  • Randomly sampling a small fraction of nodes and
    checking that they have behaved properly supports
    detection of many different types of attacks

19
Conclusions
  • Constraints and open environments of wireless
    sensor networks make security for these systems
    challenging.
  • Several properties of sensor networks may provide
    solutions.
  • architect security into these systems from the
    outset (they are still in their early design
    stages)
  • exploit redundancy, scale, and the physical
    characteristics of the environment in the
    solutions
  • build sensor networks so that they can detect and
    work around some fraction of their nodes which
    are compromised

20
Future Research Areas
  • Securing wireless communication links against
  • Eavesdropping
  • Tampering
  • Traffic analysis
  • Denial of service
  • Resource constraints
  • Asymmetric protocols
  • Most of the computation done at base station
  • Public-key cryptographic systems
  • How to make efficient on low-end devices?
  • Working around the lack of physical security
  • redundancy
  • knowledge about the physical environment

21
Denial of Service in Sensor Networks
  • Anthony D. Wood
  • and John A. Stankovic

22
Why Security?
  • Battlefield
  • Disasters
  • Protect the location and status of casualties
    from unauthorized disclosure, particularly if the
    disaster relates to ongoing terrorist activities
  • Public safety
  • False alarms about chemical, biological, or
    environmental threats could cause panic or
    disregard for warning systems. An attack on the
    system's availability could precede a real attack
    on the protected resource
  • Home healthcare
  • Because protecting privacy is paramount, only
    authorized users can query or monitor the
    network. These networks can also form critical
    pieces of an accident-notification chain, thus
    they must be protected from failure

23
DENIAL OF SERVICE THREAT
  • A DoS attack is any event that diminishes or
    eliminates a network's capacity to perform its
    expected function
  • Hardware failures, software bugs, resource
    exhaustion, environmental conditions, or their
    combination
  • Intentional Attack

24
Adversary Capability
  • Physically damaged or manipulated node
  • May be less powerful than a normally functioning
    node
  • Subverted nodes (or added ones)
  • Interact with the network only through software
  • As powerful as other nodes
  • Immensely more powerful adversaries
  • Existing wired network with virtually unlimited
    computational and energy resources possible

25
Attacks on Physical Layer
  • Jamming
  • Defenses
  • Spread-spectrum
  • Region mapping (less expensive)
  • Tampering
  • Defenses: tamper-proofing, hiding

26
Link Layer Attacks
  • Collision
  • Defense: use error-correcting codes
  • Exhaustion
  • Defense: rate limitation
  • Unfairness
  • Defense: small frames

27
Network and Routing Attacks
  • Neglect and greed
  • Redundancy, probing
  • Traffic analysis
  • Encryption enough? Maybe not
  • Misdirection
  • Egress filtering, authorization, monitoring
  • Black holes
  • Authorization, monitoring, probing, redundancy

28
Neglect and Greed
  • Neglect
  • Drops packets arbitrarily
  • Greed
  • Gives undue priority to its own messages
  • Use multiple paths and/or redundant messages to
    mitigate these effects.

29
Traffic Analysis
  • Geographic forwarding allows attacker to figure
    out where important nodes are
  • Encrypting headers as well as content might
    alleviate this issue
  • Cryptographic means may not help when the
    communication pattern is many-to-one
  • Just watch traffic intensity
  • INSENS (ICDCS 03)

30
Misdirection
  • Diverting traffic away from intended destination
  • Targets the sender
  • Misdirecting many flows in one direction
  • Targets an arbitrary victim (receiver)
  • Defense
  • Egress Filtering
  • Verification of source addresses
  • Legitimately generated from below?

31
Black Holes
  • Distance-vector-based protocol weakness
  • Nodes advertise zero-cost routes to every other
    node.
  • Fixes
  • Authorization
  • Monitoring
  • Watchdog: have neighbors watch the next hop's
    retransmission of your packets (Mobicom 00)
  • Probing
  • Send periodic messages across topology to test
    for blackout regions
  • Redundancy

32
Transport Layer DoS
  • Flooding
  • Client puzzles
  • Make the adversary commit resources
  • Only useful if the adversary has limited
    resources
  • Desynchronization
  • Authentication
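The client-puzzle idea from the flooding bullets above, as an added example (not code from the slides or from the Wood and Stankovic paper): the responder issues a cheap, self-authenticating puzzle, the requester must spend about 2^difficulty hash evaluations to answer it, and the responder checks the answer with a single hash. The class and function names, the puzzle layout and the time-to-live are constructed for this illustration.

```python
"""Hash-based client puzzle against flooding.

Added example; not from the slides or the papers they summarize. PuzzleServer,
solve() and the puzzle layout are constructed for this illustration.
"""
import hashlib
import hmac
import os
import time


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest; the puzzle's difficulty measure."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _work(nonce: bytes, client_id: bytes, solution: int) -> bytes:
    """The function both sides evaluate: H(nonce || client_id || solution)."""
    return hashlib.sha256(nonce + client_id + solution.to_bytes(8, "big")).digest()


class PuzzleServer:
    """Issues puzzles cheaply and verifies solutions with one hash, so the cost of
    the exchange lands on the requester rather than on the resource-limited responder."""

    def __init__(self, difficulty_bits: int = 12, ttl_seconds: int = 30):
        self.secret = os.urandom(32)        # lets the server verify without storing puzzles
        self.difficulty = difficulty_bits
        self.ttl = ttl_seconds

    def _tag(self, nonce: bytes, client_id: bytes, issued: int, difficulty: int) -> bytes:
        # The tag binds nonce, client, issue time and difficulty, so none can be altered.
        msg = nonce + client_id + issued.to_bytes(8, "big") + bytes([difficulty])
        return hmac.new(self.secret, msg, "sha256").digest()

    def issue(self, client_id: bytes, now=None) -> dict:
        issued = int(time.time() if now is None else now)
        nonce = os.urandom(16)
        return {"nonce": nonce, "issued": issued, "difficulty": self.difficulty,
                "tag": self._tag(nonce, client_id, issued, self.difficulty)}

    def verify(self, client_id: bytes, puzzle: dict, solution: int, now=None) -> bool:
        now = int(time.time() if now is None else now)
        if now - puzzle["issued"] > self.ttl:                 # stale puzzle
            return False
        expected = self._tag(puzzle["nonce"], client_id, puzzle["issued"], puzzle["difficulty"])
        if not hmac.compare_digest(expected, puzzle["tag"]):  # not ours, or altered
            return False
        return leading_zero_bits(_work(puzzle["nonce"], client_id, solution)) >= puzzle["difficulty"]


def solve(client_id: bytes, puzzle: dict, max_tries: int = 1 << 24) -> int:
    """Requester side: brute-force a solution, about 2**difficulty hash evaluations."""
    for x in range(max_tries):
        if leading_zero_bits(_work(puzzle["nonce"], client_id, x)) >= puzzle["difficulty"]:
            return x
    raise RuntimeError("no solution within max_tries")


if __name__ == "__main__":
    server = PuzzleServer(difficulty_bits=14)
    cid = b"node-17"                                  # constructed client id
    puzzle = server.issue(cid)
    t0 = time.perf_counter()
    answer = solve(cid, puzzle)
    print(f"solved in {time.perf_counter() - t0:.3f}s, answer={answer}")
    print("accepted:", server.verify(cid, puzzle, answer))
```

The asymmetry is the whole mechanism: issuing and verifying cost one HMAC and one hash, solving costs a search whose expected length the responder sets with `difficulty_bits`. That is also the limit the slide states: a laptop-class adversary can pay the search cost many times over, so puzzles only help when the flooder's resources are comparable to a mote's.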

33
PROTOCOL VULNERABILITIES to DoS
  • Analyzing these vulnerabilities helps show why
    developers should consider DoS susceptibility at
    design time.

34
Adaptive Rate Control MAC Protocol by Woo and Culler
  • Give preference to route-through traffic
  • This preserves the network's investment in
    packets that may have already traversed many hops
  • Makes flooding attacks more effective
  • High bandwidth packet streams that an adversary
    generates will receive preference
  • Thus, the network gives preference to malicious
    traffic

35
RAP
  • Real-time communication architecture
  • Geographic forwarding
  • Velocity monotonic scheduling (VMS) policy
  • Originator of message sets deadline and
    destination
  • VMS layer computes velocity based on time to
    deadline and distance remaining

36
RAP Vulnerability
  • Flood with high velocity packets
  • Set destination at long distance
  • Possibly outside the network
  • Intermediate node adversary could lower the
    velocity of route-through traffic
  • Causes deadline misses
  • If relying on a synchronized clock, attacking
    that mechanism could cause another node to always
    drop
  • Protecting clock synchronization is a challenging
    yet important problem by itself

37
Secure Routing in Wireless Sensor Networks
Attacks and Countermeasures
  • Chris Karlof and David Wagner

38
Key Contributions
  • Secure routing issues in WSNs
  • Show how they are different from ad hoc networks
  • Introduce two new classes of attacks
  • Sinkhole attack
  • Hello flood attack
  • Analyze security aspects of major routing
    protocols
  • Discuss countermeasures design considerations
    for secure routing in WSNs

39
WSNs vs. Ad Hoc Networks
  • Multi-hop wireless communications
  • Ad hoc nets communication between two arbitrary
    nodes
  • WSNs
  • Specialized communication patterns
  • Many-to-one
  • One-to-many
  • Local communication
  • More resource constrained
  • More trust needed for in-network processing,
    aggregation, duplicate elimination

40
Assumptions
  • Insecure radio links
  • Malicious nodes can collude to attack the WSN
  • Sensors are not tamper-resistant
  • Adversary can access all key material, data, and
    code
  • Aggregation points may not be trustworthy
  • Base station is trustworthy

41
Threat Models
  • Device capability
  • Mote-class attacker
  • Laptop-class attacker: more energy, more powerful
    CPU, sensitive antenna, more radio power
  • Attacker type
  • Outside attacker: external to the network
  • Inside attacker: an authorized node in the WSN is
    compromised or malicious

42
Security Goals
  • Secure routing
  • Support integrity, authenticity, availability of
    messages in presence of attack
  • Data confidentiality

43
Potential Attacks
  • Attacks on general WSN routing
  • Attacks on specific WSN protocols

44
Attacks on General WSN Routing Protocols
  • Spoof, alter, or replay routing info.
  • Create loops, attract or repel network traffic,
    partition the network, etc.
  • Message authentication can partly handle these
    issues
  • Selective forwarding
  • Malicious node selectively drops incoming packets

45
Sinkhole attack
  • Specific to WSNs
  • All packets are directed to base station
  • A malicious node advertises a high quality link
    to the base station to attract a lot of packets
  • Enable other attacks, e.g., selective forwarding
    or wormhole attack

46
Sybil attack
  • A single node presents multiple IDs to other
    nodes
  • Affect geographic routing, distributed storage,
    multi-path routing, topology maintenance

47
Wormhole attack
  • Two colluding nodes
  • A node at one end of the wormhole advertises high
    quality link to the base station
  • Another node at the other end receives the
    attracted packets

48
Hello flood attack
  • Specific to WSNs
  • In some protocols, nodes have to periodically
    broadcast hello to advertise themselves
  • Not authenticated!
  • Laptop-class attacker can convince distant nodes
    that it is their neighbor by sending high-power
    hello messages

49
Acknowledgement spoofing
  • Adversary spoofs ACKs to convince the sender that
    a weak or dead link has good link quality

50
Attacks on Specific Routing Protocols
  • TinyOS beaconing
  • Construct a BFS rooted at the base station
  • Beacons are not authenticated
  • Adversary can take over the whole WSN by
    broadcasting beacons

51
Directed diffusion
  • Replay interest
  • Selective forwarding, data tampering
  • Inject false data

52
Geographic routing
  • Adversary can provide false, possibly multiple,
    location info.
  • Create routing loop
  • GEAR considers energy in addition to location
  • Laptop-class attacker can exploit it

53
Countermeasures
  • Shared-key link-layer encryption
  • Prevent outsider attacks, e.g., Sybil attacks,
    selective forwarding, ACK spoofing
  • Cannot handle insider attacks
  • Wormhole, Hello flood, TinyOS beaconing
  • Sybil attack
  • Every node shares a unique secret key with the
    base station
  • Create pairwise shared key for msg authentication
  • Limit the number of neighbors for a node
  • Hello flood attack
  • Verify link bidirectionality
  • Doesn't work if adversary has a very sensitive
    radio

54
Countermeasures
  • Wormhole, sinkhole attack
  • Cryptography may not help directly
  • Good routing protocol design
  • Geographic routing
  • Location verification
  • Use fixed topology, e.g., grid structure
  • Selective forwarding
  • Multi-path routing
  • Route messages over disjoint or braided paths
  • Dynamically pick next hop from a set of
    candidates
  • Measure the trustworthiness of neighbors

55
Countermeasures
  • Authenticated broadcast
  • μTESLA
  • Base station floods blacklist
  • Should be authenticated
  • Adversaries must not be able to spoof
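The authenticated-broadcast mechanism named on this slide, μTESLA, as an added example (not code from the slides or from the SPINS paper): the base station builds a one-way key chain, MACs each interval's packets with that interval's key, and discloses the key a fixed number of intervals later; a node verifies a disclosed key by hashing it back to the commitment it already trusts, then checks the buffered MACs. This is also the property the blacklist bullets ask for, a flood from the base station that an adversary cannot spoof. Class names, packet layout and interval arithmetic are constructed for the illustration, and the commitment K0 is assumed to reach each node securely (for instance under its pre-shared key with the base station) before deployment.

```python
"""μTESLA-style authenticated broadcast: one-way key chain plus delayed key disclosure.

Added example (not from the slides or the SPINS/μTESLA paper). BaseStation,
SensorNode, the packet layout and the interval arithmetic are constructed here;
the commitment K0 is assumed to be delivered to every node securely beforehand.
"""
import hashlib
import hmac
import os


def chain_hash(key: bytes) -> bytes:
    """One-way function F used to walk the chain: K_i = F(K_{i+1})."""
    return hashlib.sha256(key).digest()


def mac_key(chain_key: bytes) -> bytes:
    """Derive the MAC key from a chain key with a second, independent function."""
    return hmac.new(chain_key, b"mac", "sha256").digest()


def make_mac(chain_key: bytes, payload: bytes) -> bytes:
    return hmac.new(mac_key(chain_key), payload, "sha256").digest()


class BaseStation:
    def __init__(self, n_intervals: int, disclosure_delay: int):
        self.d = disclosure_delay
        keys = [b""] * (n_intervals + 1)
        keys[n_intervals] = os.urandom(32)            # K_n, the chain seed
        for i in range(n_intervals - 1, -1, -1):
            keys[i] = chain_hash(keys[i + 1])         # K_i = F(K_{i+1})
        self.keys = keys
        self.commitment = keys[0]                     # K_0, handed to every node

    def broadcast(self, interval: int, payload: bytes) -> dict:
        """MAC with the current interval's key; disclose the key from d intervals ago."""
        j = interval - self.d
        return {"interval": interval, "payload": payload,
                "mac": make_mac(self.keys[interval], payload),
                "disclosed_interval": j,
                "disclosed_key": self.keys[j] if j >= 1 else None}


class SensorNode:
    def __init__(self, commitment: bytes, disclosure_delay: int, max_clock_error: int = 1):
        self.d = disclosure_delay
        self.eps = max_clock_error          # loose time sync: bound on interval error
        self.known = {0: commitment}        # verified chain keys by interval
        self.last_verified = 0
        self.pending = []                   # (interval, payload, mac) awaiting a key
        self.authenticated = []             # (interval, payload) accepted

    def receive(self, packet: dict, local_interval: int) -> str:
        i = packet["interval"]
        # Security condition: drop the packet if the sender may already have
        # disclosed K_i, since anyone holding a disclosed key could forge with it.
        if local_interval + self.eps >= i + self.d:
            return "rejected"
        self.pending.append((i, packet["payload"], packet["mac"]))
        if packet["disclosed_key"] is not None:
            self.accept_key(packet["disclosed_interval"], packet["disclosed_key"])
        return "buffered"

    def accept_key(self, j: int, key: bytes) -> bool:
        """Verify a disclosed K_j by hashing it back to the last verified key."""
        if j <= self.last_verified:
            return False
        k = key
        for _ in range(j - self.last_verified):
            k = chain_hash(k)
        if k != self.known[self.last_verified]:
            return False                                # forged or corrupted key
        self.known[j] = key
        k = key
        for idx in range(j - 1, self.last_verified, -1):
            k = chain_hash(k)
            self.known[idx] = k                          # keys of any skipped intervals
        self.last_verified = j
        self._check_pending()
        return True

    def _check_pending(self):
        still_waiting = []
        for i, payload, tag in self.pending:
            if i > self.last_verified:
                still_waiting.append((i, payload, tag))
            elif hmac.compare_digest(make_mac(self.known[i], payload), tag):
                self.authenticated.append((i, payload))
            # else: MAC mismatch, the packet was forged or altered; drop it
        self.pending = still_waiting


if __name__ == "__main__":
    bs = BaseStation(n_intervals=10, disclosure_delay=2)
    node = SensorNode(bs.commitment, disclosure_delay=2)
    for t in range(1, 6):
        node.receive(bs.broadcast(t, b"reading %d" % t), local_interval=t)
    print("authenticated:", node.authenticated)    # intervals 1..3 once K_3 arrives at t=5
```

Two details carry the security argument. The receive-time check is what makes delayed disclosure safe: a packet whose key may already be public is rejected before its MAC is ever consulted, which is why the slides call clock synchronization a problem worth protecting in its own right. And a disclosed key is trusted only because repeated hashing lands on a key the node already holds, so an adversary who cannot invert `chain_hash` cannot produce a key that the node will accept.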

56
Conclusions
  • WSN security is challenging, new area of research
  • Problems >> Solutions
  • Any ideas to address a problem?