Security in Wireless Sensor Networks - PowerPoint PPT Presentation (transcript)
Slides: 57 | Provided by: csBing

Security in Wireless Sensor Networks
  • Adrian Perrig, John Stankovic, and David Wagner

  • WSN security: too many problems... a number of
    solutions... enough?
  • Survey paper outlines security issues,
    discusses some existing solutions, and suggests
    possible research directions
  • Issues include:
  • key establishment
  • secrecy
  • authentication
  • privacy
  • denial-of-service attacks (more in a later set
    of slides)
  • secure routing (more in a later set of slides)
  • node capture
  • Also discusses some sample security services for
    wireless sensor networks

Problems Applying Traditional Network Security
  • Sensor devices are limited in their energy,
    computation, and communication capabilities
  • Sensor nodes are often deployed in open areas,
    thus allowing physical attack
  • Sensor networks closely interact with their
    physical environments and with people,
    posing new security problems

Key Establishment and Trust
  • Sensor devices have limited computational power,
    making public-key cryptographic primitives too
    expensive in terms of system overhead.
  • Simplest solution: a network-wide shared key
  • Problem: if even a single node is compromised,
    the secret key is revealed and all network
    traffic can be decrypted
  • Slightly better solution:
  • use a single shared key to establish a set of
    link keys, one per pair of communicating nodes,
    then erase the network-wide key
  • Problem: does not allow addition of new nodes
    after initial deployment (the network-wide key a
    new node would need is gone)

Key Establishment (continued)
  • Bootstrapping keys using a trusted base station
  • Each node needs to share only a single key with
    the base station and set up keys with other nodes
    through the base station
  • The base station becomes a single point of
    failure (and the most valuable target)
  • Utilize tamper-resistant packaging for the base
    station, reducing the threat of physical attack
  • Most existing work assumes the base station is
    safe. Good assumption???

Random-key pre-distribution protocols
  • Large pool of symmetric keys is chosen
  • Random subset of the pool is distributed to each
    sensor node
  • To communicate, two nodes search their pools for
    a common key
  • If they find one, they use it to establish a
    session key
  • Not every pair of nodes shares a common key, but
    if the key-establishment probability is
    sufficiently high, nodes can securely communicate
    with sufficiently many nodes to obtain a
    connected network
  • No need to include a central trusted base station
  • Disadvantage: attackers who compromise
    sufficiently many nodes could reconstruct the
    complete key pool and break the scheme (every
    captured ring leaks keys that uncaptured pairs
    also rely on)
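The following simulation, added here as an illustration and not code from the slides or from the survey, works through the scheme above: a key pool, random key rings, shared-key discovery, a connectivity check over the keyed links, and the damage done when an attacker captures nodes and reads their rings. Pool size, ring size, node count and the "every node can hear every other node" radio model are constructed assumptions, not figures from the page.

```python
"""Random key pre-distribution: key rings, shared-key discovery,
connectivity, and the cost of node capture (constructed example)."""
import random
from collections import deque
from itertools import combinations
from math import comb


def share_probability(pool_size: int, ring_size: int) -> float:
    """Probability that two nodes, each holding a uniformly random
    ring_size-subset of a pool_size key pool, share at least one key."""
    return 1.0 - comb(pool_size - ring_size, ring_size) / comb(pool_size, ring_size)


def deploy(n_nodes: int, pool_size: int, ring_size: int, seed: int = 1) -> list:
    """Pre-load every node with a random key ring.  Only key identifiers are
    modelled; the key bytes themselves would sit in the node's flash."""
    rng = random.Random(seed)
    return [frozenset(rng.sample(range(pool_size), ring_size))
            for _ in range(n_nodes)]


def common_key(ring_a: frozenset, ring_b: frozenset):
    """Shared-key discovery: the two nodes exchange key identifiers and
    agree on the lowest one they both hold (None if the rings are disjoint)."""
    shared = ring_a & ring_b
    return min(shared) if shared else None


def secure_links(rings: list) -> dict:
    """Every node pair that can derive a link key, mapped to the key id it
    uses.  Assumption: all nodes are within radio range of each other."""
    links = {}
    for i, j in combinations(range(len(rings)), 2):
        k = common_key(rings[i], rings[j])
        if k is not None:
            links[(i, j)] = k
    return links


def is_connected(n_nodes: int, links: dict) -> bool:
    """BFS over the secure-link graph: can every node reach every other one
    over keyed links only?"""
    adj = {n: set() for n in range(n_nodes)}
    for i, j in links:
        adj[i].add(j)
        adj[j].add(i)
    seen, todo = {0}, deque([0])
    while todo:
        u = todo.popleft()
        for v in adj[u] - seen:
            seen.add(v)
            todo.append(v)
    return len(seen) == n_nodes


def compromised_link_fraction(rings: list, links: dict, captured: set) -> float:
    """Node-capture damage: the attacker reads every key on the captured
    nodes and can then decrypt any link between two *uncaptured* nodes that
    happens to use one of those keys.  Returns the fraction of such links."""
    revealed = set()
    for c in captured:
        revealed |= rings[c]
    remaining = [k for (i, j), k in links.items()
                 if i not in captured and j not in captured]
    if not remaining:
        return 0.0
    return sum(1 for k in remaining if k in revealed) / len(remaining)


if __name__ == "__main__":
    # Constructed parameters: pool of 1000 keys, 30 keys per node, 100 nodes.
    pool, ring, n = 1000, 30, 100
    rings = deploy(n, pool, ring)
    links = secure_links(rings)
    print(f"analytic p={share_probability(pool, ring):.3f}  "
          f"simulated p={len(links) / comb(n, 2):.3f}  "
          f"connected={is_connected(n, links)}")
    for captured in (1, 5, 10, 20):
        frac = compromised_link_fraction(rings, links, set(range(captured)))
        print(f"capture {captured:2d} nodes -> "
              f"{frac:.0%} of links between uncaptured nodes readable")
```

The last loop is the slide's disadvantage made measurable: each captured ring reveals a fixed fraction of the pool, so the share of links between nodes the attacker never touched that become readable grows with every capture, which is the trade-off against not needing a trusted base station.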

Secrecy and Authentication
  • We need cryptography as protection against
    eavesdropping, injection, and modification of
    messages
  • Trade-offs when incorporating cryptography into
    sensor networks:
  • end-to-end cryptography achieves a high level of
    security but requires that keys be set up among
    all end points, and it is incompatible with
    passive participation and local broadcast
  • link-layer cryptography with a network-wide
    shared key simplifies key setup and supports
    passive participation and local broadcast, but
    intermediate nodes might eavesdrop on or alter
    messages

Hardware vs. Software Cryptography
  • Hardware solutions are generally more efficient,
    but also more costly ($)
  • The University of California, Berkeley,
    implementation of TinySec incurs only an
    additional 5-10% performance overhead using
    software-only methods
  • Most of the overhead is due to the increase in
    packet size (the added authentication bytes)
  • Cryptographic calculations have little effect on
    latency or throughput, since they can overlap
    with data transfer
  • Hardware reduces only the computational costs,
    not packet size
  • Thus, software-only techniques are sufficient
    (or at least a reasonable choice)

Privacy
  • Issues
  • Employers might spy on their employees
  • Shop owners might spy on customers
  • Neighbours might spy on each other
  • Law enforcement agencies might spy on the public
  • Technological improvements will only worsen the
    problem
  • Devices will get smaller and easier to conceal
  • Devices will get cheaper, thus surveillance will
    be more affordable

Privacy (continued)
  • Sensor networks raise new threats that are
    qualitatively different from what private
    citizens worldwide faced before
  • Sensor networks allow data collection,
    coordinated analysis, and automated event
  • Networked systems of sensors can enable routine
    tracking of people and vehicles over long periods
    of time
  • E-ZPass, OnStar... Big Brother?
  • Suggested ways of approaching a solution include
    a mix of:
  • Societal norms
  • New laws
  • Technological responses

Robustness to Denial of Service
  • Simple form: radio jamming
  • Sophisticated form: transmit while a neighbor is
    also transmitting, or continuously generate a
    request-to-send signal
  • Possible solution (when the jamming affects only
    a portion of the network):
  • Detect the jamming
  • Map the affected region
  • Route around the jammed area

Secure Routing
  • Proper routing and forwarding are essential for
    communication in sensor networks
  • Injection attacks: transmit malicious routing
    information into the network, resulting in
    routing inconsistencies
  • Authentication might guard against injection
    attacks, but some routing protocols are
    vulnerable to replay by the attacker of
    legitimate routing messages
  • Sensor network routing protocols are particularly
    susceptible to node-capture attacks
  • Compromise of a single node could be enough to
    take over the entire network or prevent any
    communication within it

Resilience to Node Capture
  • In traditional computing, physical security is
    often taken for granted
  • Sensor nodes, by contrast, are likely to be
    placed in open locations
  • Attacker might capture sensor nodes
  • Extract cryptographic secrets
  • Modify programs/Replace them with malicious nodes
  • Tamper-resistant packaging may be one defense,
    but it's expensive

Algorithmic Solutions to Node Capture
  • Attempt to build networks that operate correctly
    even in the presence of nodes that might behave
    in an arbitrarily malicious way
  • Replicate state across the network and use
    majority voting to detect inconsistencies
  • Gather redundant views of the environment and
    crosscheck them for consistency
  • One of the most challenging problems in sensor
    network security
  • We are far from a complete solution

Network Security Services
  • So far, we've explored low-level security
    primitives for securing sensor networks.
  • Now, we consider high-level security mechanisms:
  • Secure group management
  • Intrusion detection
  • Secure data aggregation

Secure Group Management
  • Protocols for group management are required to:
  • securely admit new group members
  • support secure group communication
  • The outcome of a group computation must be
    authenticated to ensure it comes from a valid
    group
  • Any solution must also be efficient in terms of
    time and energy

Intrusion detection
  • In wired networks, traffic and computation are
    typically monitored and analyzed for anomalies at
    various concentration points
  • In a sensor network this is expensive in terms
    of the network's memory and energy consumption
  • and it hurts under bandwidth constraints
  • Wireless sensor networks require a solution that
    is fully distributed and inexpensive in terms of
    communication, energy, and memory requirements
  • In order to look for anomalies, applications and
    typical threat models must be understood
  • It is particularly important for researchers and
    practitioners to understand how cooperating
    adversaries might attack the system
  • The use of secure groups may be a promising
    approach for decentralized intrusion detection

Secure Data Aggregation
  • One benefit of a wireless sensor network is the
    fine-grain sensing that large and dense sets of
    nodes can provide
  • The sensed values must be aggregated to avoid
    overwhelming amounts of traffic back to the base
    station
  • Depending on the architecture of the network,
    aggregation may take place in many places
  • All aggregation locations must be secured
  • If the application tolerates approximate answers,
    powerful techniques are available
  • Randomly sampling a small fraction of nodes and
    checking that they have behaved properly supports
    detection of many different types of attacks

Conclusions
  • Constraints and open environments of wireless
    sensor networks make security for these systems
    challenging
  • Several properties of sensor networks may help
    the defender:
  • architect security into these systems from the
    outset (they are still in their early design
    stages)
  • exploit redundancy, scale, and the physical
    characteristics of the environment in the
    defenses
  • build sensor networks so that they can detect and
    work around some fraction of their nodes which
    are compromised

Future Research Areas
  • Securing wireless communication links against:
  • Eavesdropping
  • Tampering
  • Traffic analysis
  • Denial of service
  • Resource constraints
  • Asymmetric protocols: most of the computation
    done at the base station
  • Public-key cryptographic systems: how to make
    them efficient on low-end devices?
  • Working around the lack of physical security:
  • redundancy
  • knowledge about the physical environment

Denial of Service in Sensor Networks
  • Anthony D. Wood
  • and John A. Stankovic

Why Security?
  • Battlefield
  • Disasters
  • Protect the location and status of casualties
    from unauthorized disclosure, particularly if the
    disaster relates to ongoing terrorist activities
  • Public safety
  • False alarms about chemical, biological, or
    environmental threats could cause panic or
    disregard for warning systems. An attack on the
    systems availability could precede a real attack
    on the protected resource
  • Home healthcare
  • Because protecting privacy is paramount, only
    authorized users can query or monitor the
    network. These networks can also form critical
    pieces of an accident-notification chain, thus
    they must be protected from failure

What is a DoS Attack?
  • A DoS attack is any event that diminishes or
    eliminates a network's capacity to perform its
    expected function
  • Causes: hardware failures, software bugs, resource
    exhaustion, environmental conditions, or their
    interaction
  • or an intentional attack

Adversary Capability
  • Physically damaged or manipulated node
  • May be less powerful than a normally functioning
    node
  • Subverted nodes (or added ones)
  • Interact with the network only through software
  • As powerful as other nodes
  • Immensely more powerful adversaries
  • An existing wired network with virtually
    unlimited computational and energy resources is
    possible

Attacks on Physical Layer
  • Jamming
  • Defenses:
  • Spread-spectrum
  • Region mapping (less expensive)
  • Tampering
  • Defenses: tamper-proofing, hiding

Link Layer Attacks
  • Collision
  • Defense: use error-correcting codes
  • Exhaustion
  • Defense: rate limitation
  • Unfairness
  • Defense: small frames

Network and Routing Attacks
  • Neglect and greed
  • Defenses: redundancy, probing
  • Traffic analysis
  • Is encryption enough? Maybe not
  • Misdirection
  • Defenses: egress filtering, authorization,
    monitoring
  • Black holes
  • Defenses: authorization, monitoring, probing,
    redundancy

Neglect and Greed
  • Neglect: drops packets arbitrarily
  • Greed: gives undue priority to its own messages
  • Use multiple paths and/or redundant messages to
    mitigate these effects

Traffic Analysis
  • Geographic forwarding allows attacker to figure
    out where important nodes are
  • Encrypting headers as well as content might
    alleviate this issue
  • Cryptographic means may not help when the
    communication pattern is many-to-one
  • Just watch traffic intensity

Misdirection
  • Diverting traffic away from its intended
    destination
  • Targets the sender
  • Misdirecting many flows in one direction
  • Targets an arbitrary victim (the receiver)
  • Defense: egress filtering
  • Verification of source addresses
  • Was the packet legitimately generated from below
    (the subtree the forwarding node serves)?
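One concrete form of the "legitimately generated from below?" check, added here as an illustration (not code from the slides or the Wood and Stankovic paper): a node on a tree routed towards the base station keeps the set of nodes in each child's subtree and forwards a packet upward only if it arrived from a child and its claimed source lies in that child's subtree. The routing tree, the node identifiers and the traffic are constructed for the example.

```python
"""Upward egress filtering at an intermediate node of a routing tree:
a packet is forwarded towards the base station only if its claimed source
could legitimately have come 'from below' (constructed example)."""
from collections import defaultdict


def build_tree(parent: dict):
    """parent maps node -> parent (None for the base station).  Returns
    (children, subtree) where subtree[n] is the set of all descendants of n."""
    children = defaultdict(set)
    for node, p in parent.items():
        if p is not None:
            children[p].add(node)

    subtree = {}

    def collect(n):
        below = set()
        for c in children[n]:
            below.add(c)
            below |= collect(c)
        subtree[n] = below
        return below

    for root in (n for n, p in parent.items() if p is None):
        collect(root)
    return children, subtree


def egress_ok(children, subtree, me, prev_hop, src) -> bool:
    """Node `me` received a packet from neighbour `prev_hop` claiming to come
    from `src`.  Accept only if prev_hop is one of my children and src is
    prev_hop itself or somewhere in prev_hop's subtree."""
    if prev_hop not in children[me]:
        return False          # arrived from a node that is not below me
    return src == prev_hop or src in subtree[prev_hop]


def filter_packets(parent, me, packets):
    """packets: iterable of (prev_hop, src, payload).  Returns the payloads
    that pass the egress check and the claimed sources that were dropped."""
    children, subtree = build_tree(parent)
    forwarded, dropped = [], []
    for prev_hop, src, payload in packets:
        if egress_ok(children, subtree, me, prev_hop, src):
            forwarded.append(payload)
        else:
            dropped.append(src)
    return forwarded, dropped


# Constructed routing tree (child -> parent):
#        0 (base station)
#       / \
#      1   2
#     / \   \
#    3   4   5
TREE = {0: None, 1: 0, 2: 0, 3: 1, 4: 1, 5: 2}

if __name__ == "__main__":
    # Constructed traffic seen by node 1.  The last two packets are
    # misdirection attempts: node 3 forging node 5 as source, and a packet
    # injected by node 2, which is a sibling, not a child, of node 1.
    traffic = [(3, 3, b"temp=21"), (4, 4, b"temp=19"),
               (3, 5, b"spoofed"), (2, 5, b"not from below")]
    print(filter_packets(TREE, 1, traffic))
```

The check is only as good as the tree the node believes in: a compromised child can still spoof any identifier inside its own subtree, which is why the slide pairs egress filtering with authorization and monitoring rather than relying on it alone.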

Black Holes
  • Distance-vector-based protocol weakness
  • Nodes advertise zero-cost routes to every other
    node
  • Fixes:
  • Authorization
  • Monitoring
  • Watchdog: neighbors overhear the next-hop
    transmission of your packets (MobiCom '00)
  • Probing
  • Send periodic messages across the topology to
    test for blackout regions
  • Redundancy

Transport Layer DoS
  • Flooding
  • Defense: client puzzles
  • Make the adversary commit resources
  • Only useful if the adversary has limited
    resources
  • Desynchronization
  • Defense: authentication
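The client-puzzle idea from the flooding bullet, written out as an added example (not code from the slides or the paper): the server derives a puzzle from a secret and the client's identity without keeping any per-client state, the client must find a counter whose hash has a given number of leading zero bits, and the server verifies with a single HMAC and a single hash. The secret, client identifier and epoch values are constructed.

```python
"""Hash-based client puzzle: the server spends one HMAC to issue and one
hash to verify; the client spends ~2**difficulty hashes to solve
(constructed example)."""
import hashlib
import hmac
import struct


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def puzzle_nonce(server_secret: bytes, client_id: bytes, epoch: int) -> bytes:
    """Server side: derive the puzzle nonce from a secret, the client's
    identity and a coarse time epoch.  Nothing is stored per client, so a
    flood of puzzle requests cannot exhaust server memory."""
    return hmac.new(server_secret, client_id + struct.pack(">Q", epoch),
                    hashlib.sha256).digest()


def solve(nonce: bytes, difficulty: int) -> int:
    """Client side: brute-force a counter x such that SHA-256(nonce || x)
    starts with `difficulty` zero bits.  The returned x also equals the
    number of hashes the client had to compute."""
    x = 0
    while True:
        x += 1
        digest = hashlib.sha256(nonce + struct.pack(">Q", x)).digest()
        if leading_zero_bits(digest) >= difficulty:
            return x


def verify(server_secret: bytes, client_id: bytes, epoch: int,
           difficulty: int, x: int) -> bool:
    """Server side: recompute the nonce (one HMAC) and check the solution
    (one hash).  The cost is constant regardless of difficulty, which is
    the asymmetry that makes the adversary commit resources."""
    nonce = puzzle_nonce(server_secret, client_id, epoch)
    digest = hashlib.sha256(nonce + struct.pack(">Q", x)).digest()
    return leading_zero_bits(digest) >= difficulty


if __name__ == "__main__":
    secret = b"server-secret-constructed-for-demo"   # constructed
    client, epoch = b"node-17", 1234                 # constructed
    for difficulty in (8, 12, 16):
        nonce = puzzle_nonce(secret, client, epoch)
        x = solve(nonce, difficulty)
        print(f"difficulty {difficulty:2d}: solved after {x:6d} hashes, "
              f"verify={verify(secret, client, epoch, difficulty, x)}")
```

The epoch bounds how long a solution stays valid, so a solved puzzle cannot be replayed indefinitely. The caveat from the slide still applies: a laptop-class attacker with far more compute than a mote pays the puzzle cost easily, so puzzles only help when the adversary's resources are comparable to the defenders'.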

  • Analyzing these vulnerabilities helps show why
    developers should consider DoS susceptibility at
    design time.

Adaptive Rate Control MAC Protocol by Woo and Culler
  • Gives preference to route-through traffic
  • This preserves the network's investment in
    packets that may have already traversed many hops
  • Makes flooding attacks more effective
  • High-bandwidth packet streams that an adversary
    generates will receive preference
  • Thus, the network gives preference to malicious
    traffic
RAP
  • Real-time communication architecture
  • Geographic forwarding
  • Velocity monotonic scheduling (VMS) policy
  • Originator of a message sets its deadline and
    destination
  • VMS layer computes the required velocity from
    time to deadline and distance remaining

RAP Vulnerability
  • Flood with high velocity packets
  • Set destination at long distance
  • Possibly outside the network
  • Intermediate node adversary could lower the
    velocity of route through traffic
  • Causes deadline misses
  • If relying on a synchronized clock, attacking
    that mechanism could cause another node to always
  • Protecting clock synchronization is a challenging
    yet important problem by itself

Secure Routing in Wireless Sensor Networks
Attacks and Countermeasures
  • Chris Karlof and David Wagner

Key Contributions
  • Secure routing issues in WSNs
  • Show how they are different from ad hoc networks
  • Introduce two new classes of attacks
  • Sinkhole attack
  • Hello flood attack
  • Analyze security aspects of major WSN routing
    protocols
  • Discuss countermeasures and design
    considerations for secure routing in WSNs

WSNs vs. Ad Hoc Networks
  • Both use multi-hop wireless communication
  • Ad hoc nets: communication between two arbitrary
    nodes
  • WSNs:
  • Specialized communication patterns
  • Many-to-one
  • One-to-many
  • Local communication
  • More resource constrained
  • More trust needed for in-network processing,
    aggregation, duplicate elimination

Assumptions
  • Insecure radio links
  • Malicious nodes can collude to attack the WSN
  • Sensors are not tamper-resistant
  • Adversary can access all key material, data
  • Aggregation points may not be trustworthy
  • Base station is trustworthy

Threat Models
  • Device capability
  • Mote-class attacker
  • Laptop-class attacker: more energy, more powerful
    CPU, sensitive antenna, more radio power
  • Attacker type
  • Outside attacker: external to the network
  • Inside attacker: an authorized node in the WSN is
    compromised or malicious

Security Goals
  • Secure routing
  • Support integrity, authenticity, availability of
    messages in presence of attack
  • Data confidentiality

Potential Attacks
  • Attacks on general WSN routing
  • Attacks on specific WSN protocols

Attacks on General WSN Routing Protocols
  • Spoof, alter, or replay routing information
  • Create routing loops, attract or repel network
    traffic, partition the network, etc.
  • Message authentication can partly handle these
    attacks
  • Selective forwarding
  • Malicious node selectively drops incoming packets
    (forwarding the rest, so it looks like an
    ordinary lossy node)

Sinkhole attack
  • Specific to WSNs
  • All packets are directed to base station
  • A malicious node advertises a high quality link
    to the base station to attract a lot of packets
  • Enables other attacks, e.g., selective forwarding
    or a wormhole attack

Sybil attack
  • A single node presents multiple IDs to other
    nodes
  • Affects geographic routing, distributed storage,
    multi-path routing, topology maintenance

Wormhole attack
  • Two colluding nodes
  • A node at one end of the wormhole advertises high
    quality link to the base station
  • Another node at the other end receives the
    attracted packets

Hello flood attack
  • Specific to WSNs
  • In some protocols, nodes have to periodically
    broadcast HELLO messages to advertise themselves
  • Not authenticated!
  • A laptop-class attacker can convince distant
    nodes that it is their neighbor by sending
    high-power HELLO messages (the victims cannot
    reach it back)

Acknowledgement spoofing
  • Adversary spoofs link-layer ACKs to convince the
    sender that a weak or dead link has good link
    quality

Attacks on Specific Routing Protocols
  • TinyOS beaconing
  • Constructs a breadth-first spanning tree rooted
    at the base station
  • Beacons are not authenticated
  • Adversary can take over the whole WSN by
    broadcasting beacons
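The "zero-cost route" black hole from the DoS slides and the unauthenticated-beacon takeover above are the same mechanism, so one added simulation (not code from the slides or from either paper) covers both: nodes build a routing tree from cost beacons, an attacker advertises cost 0, and the run is repeated with unauthenticated beacons, with authenticated beacons against an outsider who lacks the network key, and with authenticated beacons against an insider who holds it. The grid topology, the network key and the attacker's position are constructed.

```python
"""Sinkhole / black-hole attack on beacon-based tree routing, with and
without beacon authentication (constructed simulation)."""
import hashlib
import hmac

NET_KEY = b"network-wide-key-constructed"   # constructed; shared by honest nodes
INF = float("inf")


def grid(width: int, height: int) -> dict:
    """Adjacency of a width x height grid; node id = y * width + x."""
    adj = {}
    for y in range(height):
        for x in range(width):
            n = y * width + x
            adj[n] = set()
            if x > 0:
                adj[n].add(n - 1)
            if x < width - 1:
                adj[n].add(n + 1)
            if y > 0:
                adj[n].add(n - width)
            if y < height - 1:
                adj[n].add(n + width)
    return adj


def make_beacon(node: int, cost: int, key: bytes):
    """Routing beacon 'node n is cost c hops from the base station',
    tagged with a MAC under `key`."""
    body = f"{node}:{cost}".encode()
    return node, cost, hmac.new(key, body, hashlib.sha256).digest()


def beacon_ok(beacon, key: bytes) -> bool:
    node, cost, mac = beacon
    expected = hmac.new(key, f"{node}:{cost}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def compute_routes(adj: dict, base: int, attackers: set,
                   attacker_has_key: bool, authenticate: bool) -> dict:
    """Distance-vector tree construction.  Honest nodes rebroadcast the best
    cost they know; attackers always advertise cost 0 (a 'zero-cost route to
    the base station').  Returns node -> chosen parent."""
    cost = {n: INF for n in adj}
    parent = {n: None for n in adj}
    cost[base] = 0
    for a in attackers:
        cost[a] = 0                          # the lie the attacker broadcasts
    changed = True
    while changed:
        changed = False
        for u in sorted(adj):
            if cost[u] == INF:
                continue                     # no route yet, nothing to advertise
            key = NET_KEY if (u not in attackers or attacker_has_key) else b"no-key"
            beacon = make_beacon(u, cost[u], key)
            for v in adj[u]:
                if v == base or v in attackers:
                    continue
                if authenticate and not beacon_ok(beacon, NET_KEY):
                    continue                 # forged beacon rejected
                if beacon[1] + 1 < cost[v]:
                    cost[v], parent[v] = beacon[1] + 1, u
                    changed = True
    return parent


def sinkhole_stats(parent: dict, base: int, attackers: set) -> dict:
    """Where does each honest node's upstream path end: at the base station,
    inside an attacker, or nowhere?"""
    stats = {"ok": 0, "sunk": 0, "no_route": 0}
    for n in parent:
        if n == base or n in attackers:
            continue
        hop = n
        while hop is not None and hop != base and hop not in attackers:
            hop = parent[hop]
        if hop is None:
            stats["no_route"] += 1
        elif hop == base:
            stats["ok"] += 1
        else:
            stats["sunk"] += 1
    return stats


if __name__ == "__main__":
    adj = grid(7, 7)                         # 49 nodes, base station in a corner
    base, attackers = 0, {24}                # attacker in the middle (constructed)
    for auth, insider in ((False, False), (True, False), (True, True)):
        p = compute_routes(adj, base, attackers, attacker_has_key=insider,
                           authenticate=auth)
        print(f"authenticate={auth!s:5} insider={insider!s:5} -> "
              f"{sinkhole_stats(p, base, attackers)}")
```

The three runs reproduce the slides' argument in numbers: without authentication most of the network routes into the attacker; authenticating beacons with the shared key shuts out an outsider (at the price of the nodes behind it losing their route); and a captured insider holding the key sinks exactly as much traffic as before, which is why the countermeasure slides say shared-key link-layer security cannot handle insider attacks.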

Directed diffusion
  • Replay interest
  • Selective forwarding and data tampering
  • Inject false data

Geographic routing
  • Adversary can provide false, possibly multiple,
    location info.
  • Create routing loop
  • GEAR considers energy in addition to location
  • Laptop-class attacker can exploit it

Countermeasures
  • Shared-key link-layer encryption
  • Prevents outsider attacks, e.g., Sybil attacks,
    selective forwarding, ACK spoofing
  • Cannot handle insider attacks
  • Does not stop wormhole, Hello flood, or TinyOS
    beaconing attacks
  • Sybil attack
  • Every node shares a unique secret key with the
    base station
  • Create pairwise shared keys for message
    authentication
  • Limit the number of neighbors for a node
  • Hello flood attack
  • Verify link bidirectionality
  • Doesn't work if the adversary has a very
    sensitive receiver

  • Wormhole, sinkhole attacks
  • Cryptography may not help directly
  • Good routing protocol design:
  • Geographic routing
  • Location verification
  • Use a fixed topology, e.g., a grid structure
  • Selective forwarding
  • Multi-path routing
  • Route messages over disjoint or braided paths
  • Dynamically pick the next hop from a set of
    candidates
  • Measure the trustworthiness of neighbors

  • Authenticated broadcast
  • µTESLA
  • Base station floods a blacklist
  • Should be authenticated
  • Adversaries must not be able to spoof it
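Authenticated broadcast in the µTESLA style, as an added example rather than code from the slides or from the original protocol paper: the base station generates a one-way key chain, MACs each broadcast with a key that receivers do not yet know, and discloses that key a fixed number of intervals later; receivers buffer packets only while the key cannot have been disclosed, verify a disclosed key by hashing it back to the commitment, and only then check the buffered MACs. The seed, the disclosure delay and the messages are constructed; intervals are modelled as integer clock ticks.

```python
"""µTESLA-style authenticated broadcast: a one-way key chain, MACs under
not-yet-disclosed keys, and delayed key disclosure (constructed example)."""
import hashlib
import hmac


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_key_chain(seed: bytes, length: int) -> list:
    """K_length = seed, K_i = H(K_{i+1}).  Returns [K_0, ..., K_length];
    K_0 is the commitment every node is loaded with before deployment."""
    chain = [seed]
    for _ in range(length):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


def mac_key(k: bytes) -> bytes:
    """Per-interval MAC key derived from the chain key with a second
    one-way function, so disclosed chain keys never double as MAC keys."""
    return hmac.new(k, b"mac", hashlib.sha256).digest()


def packet_mac(chain_key: bytes, msg: bytes) -> bytes:
    return hmac.new(mac_key(chain_key), msg, hashlib.sha256).digest()


class BaseStation:
    def __init__(self, seed: bytes, intervals: int):
        self.chain = make_key_chain(seed, intervals)     # chain[i] == K_i

    def commitment(self) -> bytes:
        return self.chain[0]

    def broadcast(self, interval: int, msg: bytes):
        """Packet sent during `interval`, authenticated with K_interval,
        which no receiver knows yet."""
        return interval, msg, packet_mac(self.chain[interval], msg)

    def disclose(self, interval: int):
        """Sent `delay` intervals later: reveals K_interval."""
        return interval, self.chain[interval]


class Receiver:
    def __init__(self, commitment: bytes, delay: int):
        self.known_idx, self.known_key = 0, commitment   # latest verified K_i
        self.delay = delay
        self.pending = {}                                # interval -> [(msg, mac)]

    def receive(self, interval: int, msg: bytes, mac: bytes, now: int) -> bool:
        """Security condition: buffer the packet only if K_interval cannot
        have been disclosed yet (clocks are loosely synchronised); otherwise
        anyone who heard the key could have forged the MAC."""
        if interval <= self.known_idx or now >= interval + self.delay:
            return False
        self.pending.setdefault(interval, []).append((msg, mac))
        return True

    def disclose(self, interval: int, key: bytes) -> list:
        """Verify the disclosed key against the last known one by hashing it
        forward, derive any skipped keys (lost disclosures are tolerated),
        then authenticate the buffered packets.  Returns the messages that
        verified, in interval order."""
        if interval <= self.known_idx:
            return []                                    # stale or replayed
        keys = {interval: key}
        for i in range(interval - 1, self.known_idx, -1):
            keys[i] = H(keys[i + 1])
        if not hmac.compare_digest(H(keys[self.known_idx + 1]), self.known_key):
            return []                                    # bogus key, ignore
        authenticated = []
        for i in sorted(keys):
            for msg, mac in self.pending.pop(i, []):
                if hmac.compare_digest(mac, packet_mac(keys[i], msg)):
                    authenticated.append(msg)
        self.known_idx, self.known_key = interval, key
        return authenticated


if __name__ == "__main__":
    bs = BaseStation(seed=b"\x11" * 32, intervals=8)     # constructed seed
    rx = Receiver(bs.commitment(), delay=2)
    rx.receive(*bs.broadcast(1, b"temp=21"), now=1)
    rx.receive(*bs.broadcast(3, b"cmd:report"), now=3)
    rx.receive(3, b"cmd:reboot", b"\x00" * 32, now=3)   # forged, unknowable yet
    print(rx.receive(*bs.broadcast(3, b"late"), now=5))  # False: K_3 may be public
    print(rx.disclose(*bs.disclose(3)))                  # [b'temp=21', b'cmd:report']
```

Two points the slide leaves implicit show up in the code: the receiver must drop packets that arrive at or after their key's disclosure time even when they are genuine, because it can no longer distinguish them from forgeries; and missing a disclosure is harmless, since the next disclosed key hashes down to every key skipped in between. A blacklist flooded by the base station would ride on exactly this mechanism.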

Conclusions
  • WSN security is a challenging, new area of
    research
  • Problems >> Solutions
  • Any ideas to address a problem?