Secure Sensor Routing A Clean-Slate Approach - PowerPoint PPT Presentation

1 / 38
About This Presentation
Title:

Secure Sensor Routing A Clean-Slate Approach

Description:

Applications: burglar alarms, emergency response, industrial uses. All require ... Legitimate nodes use the Honeybee mechanism to eliminate malicious nodes ... – PowerPoint PPT presentation

Number of Views:111
Avg rating:3.0/5.0
Slides: 39
Provided by: Bryan112
Category:

less

Transcript and Presenter's Notes

Title: Secure Sensor Routing A Clean-Slate Approach


1
Secure Sensor RoutingA Clean-Slate Approach
  • Bryan Parno, Mark Luk, Evan Gaustad, Adrian
    Perrig
  • Carnegie Mellon University

2
Sensor Networks
  • Thousands of nodes, each with
  • A CPU and 10 KB of RAM
  • A radio
  • Sensors (e.g., heat, motion, sound)
  • Limited power
  • Communicate via multi-hop routing
  • Applications burglar alarms, emergency response,
    industrial uses
  • All require secure routing!

3
Attacks on Routing
  • Inject incorrect routing information or alter
    setup/update messages
  • Compromise sensors
  • Provide malicious routing data/messages
  • Suppress (selectively) routing messages
  • Specific attacks
  • Blackhole
  • Wormhole
  • Replication
  • Denial of Service
  • Sybil
  • Rushing
  • Slander
  • Framing

4
Consequences of Routing Attacks
  • Controlling routing allows the attacker to
    control the networks communication
  • Can view, modify, and/or drop messages
  • Create loops to exhaust legitimate nodes
  • Prevent or subvert proper network functionality

5
Techniques for Secure Routing
  • Prevention
  • Harden protocols by restricting participants
    actions
  • Typically employs cryptography
  • Only forestalls known attacks
  • Detection Recovery
  • Monitor behavior for malicious activity
  • Eliminate malicious participants
  • Must be able to distinguish anomalous behavior
    and accurately assign blame
  • Resilience
  • Maintain availability even under unpredicted
    attacks
  • Provide graceful performance degradation

6
Previous Work
  • Sensor routing
  • Most assume trusted environment
  • INSENS only applicable to certain topologies
  • SIGF requires GPS
  • Other secure routing protocols
  • Typically rely on a single technique
  • Prevention S-BGP, Ariadne
  • Detection Recovery Watchdog, Pathrater, Secure
    Traceroute
  • Resilience INSENS
  • Inappropriate for resource-constrained sensor
    nodes
  • Require PKI or excessive amounts of memory,
    computation or communication

7
Goals
  • Start from a clean-slate
  • Incorporate all three security techniques
  • Prevention, detection recovery, and resilience
  • Provide highly secure, highly available
    point-to-point routing
  • Necessary in many applications, e.g., Geographic
    Hash Tables (GHTs), key establishment, etc.
  • Minimize resource utilization

8
Outline
  • Introduction
  • Overview and Assumptions
  • Address and Routing Setup
  • Forwarding
  • Detection and Recovery
  • Simulation and Implementation

9
Our Routing Protocol Architecture
  • Establish routing tables and network addresses
  • Use prevention techniques to thwart active
    attackers
  • Detect and recover from attempts to deviate from
    the protocol or to launch additional attacks
  • Apply resilient routing techniques to forward
    packets
  • Uses the securely established routing tables and
    network addresses

10
Assumptions
  • Network authority (NA) uses a public/private
    keypair KNA , K-1NA
  • Each sensor node preloaded with
  • Network authoritys public key KNA
  • Unique IDx
  • Certificate Sig(K-1NA, IDx)
  • Signature scheme optimizes for verification
  • Intended for networks of primarily stationary
    sensors

11
Outline
  • Introduction
  • Overview and Assumptions
  • Address and Routing Setup
  • Forwarding
  • Detection and Recovery
  • Simulation and Implementation

12
Address and Route Setup Overview
Node Routing ID Address
Table A 0.1 B 0.0 C 1.1
D 1.0
  • Goal
  • Assign a unique network address to each node
  • Populate each nodes routing table
  • Accomplished with a recursive grouping algorithm
  • Initially, each sensor constitutes its own group
  • Groups repeatedly merge until all nodes belong to
    same group
  • Each time a nodes group merges, the node adds
    one bit to its network address and one entry to
    its routing table

Node ID Address Routing Table
A 0.1 RTA
B 0.0 RTB
C 1.1 RTC
D 1.0 RTD
Node ID Address Routing Table
A 0.1
B 0.0
C 1.1
D 1.0
13
Recursive Grouping Algorithm
  • Groups act in an asynchronous, distributed
    fashion
  • Each group
  • Collects information about its neighbors
  • Proposes to merge with smallest neighboring group
  • Based on number of nodes in the group
  • Ties broken based on group ID
  • This metric keeps addresses and routing tables
    small
  • Mutual proposal triggers merge
  • Entire process is deterministic for a given
    topology
  • Limits the damage an attacker can inflict

14
Recursive Grouping Example
15
Calculating Network Addresses
  • Assume G and G decide to merge
  • Each node in G independently extends its network
    address by one bit based on
  • Nodes in G make similar changes

16
Network Addresses Formation
17
Populating Routing Tables
  • Assume G and G decide to merge
  • Each node in G records the neighbor from whom it
    heard about G in its current routing table slot

D
Prefix Next Hop
0. C
1.0 C
G
G
G
18
Sample Routing Table
1.1.0
Prefix Next Hop
0. 0.1.1
1.0. 1.0.1
1.1.1 1.1.1
19
Outline
  • Introduction
  • Overview and Assumptions
  • Address and Routing Setup
  • Forwarding
  • Detection and Recovery
  • Simulation and Implementation

20
Forwarding
  • Basic forwarding similar to area-style forwarding
  • Given a destination network address route towards
    node with longest matching prefix
  • Path length in logical hops bound by log(n)
  • A logical hop may require several physical hops

21
Forwarding Example
Message from 1.1.0 to 0.0.0
1.1.0
0.1.1
0.0.1
1.1.0
Prefix Next Hop
0. 0.1.1
1.0. 1.0.1
1.1.1 1.1.1
Prefix Next Hop
1. 1.1.0
0.0. 0.0.1
0.1.0 0.1.0
Prefix Next Hop
1. 1.0.0
0.1. 0.1.0
0.0.0 0.0.0
Prefix Next Hop
0. 0.1.1
1.0. 1.0.1
1.1.1 1.1.1
22
Outline
  • Introduction
  • Overview and Assumptions
  • Address and Routing Setup
  • Forwarding
  • Detection and Recovery
  • Threats
  • Detecting Grouping Deviations
  • Eliminating Malicious Nodes
  • Simulation and Implementation

23
Threats
  • Compromised nodes may lie about group size or ID
    to subvert route setup
  • Compromised nodes may claim multiple IDs or try
    to simultaneously group with several other nodes

24
Detecting Grouping Deviations
  • Maintain a Grouping Verification Tree (GVT) for
    each group during recursive grouping
  • Prevents attacker from lying about group ID or
    size
  • Based on a hash tree construction
  • Before two groups merge, they verify each others
    GVT
  • Integrity of the GVTs insures integrity of the
    recursive grouping algorithm
  • Final GVT covers all nodes in the network
  • Can be used to authenticate any nodes network
    address

25
Background Hash Trees
  • Employ a one-way hash function H
    0,1?0,1?to create one-way data structures
  • The Merkle Tree is one such data structure
  • Each internal node calculated as
  • Parent H(ChildL ChildR)
  • Authenticates a leaf node given the root value
    and nodes along the path to the root

26
Group ID Computation
  • Assume G and G decide to merge
  • Each node in G independently calculates the new
    group ID as

27
GVT Formation
  • One GVT per group
  • GVT leaves are IDs of nodes in the group
  • Internal nodes represent intermediate group IDs
  • Each node maintains information about its branch
    of the GVT
  • Specifically, the group ID and size of each merge
    partner

28
GVT Verification
  • Before merging, group G verifies the GVT for G
    (and vice versa)
  • G announces its group ID (and size)
  • Group G sends a challenge value to G
  • The challenge uniquely selects a node in G
  • Chosen node sends its certificate and GVT
    information to G
  • Nodes in G verify the GVT values

Responder
Challenger
29
Eliminating Malicious Nodes
  • Legitimate nodes use the Honeybee mechanism to
    eliminate malicious nodes
  • To revoke malicious node M, legitimate node L
    broadcasts
  • IDL, IDM, and a signature
  • Legitimate nodes revoke M and L
  • Prevents a compromised node from revoking more
    than one legitimate node

30
Outline
  • Introduction
  • Overview and Assumptions
  • Address and Routing Setup
  • Forwarding
  • Detection and Recovery
  • Simulation and Implementation

31
Simulations
  • Comparison against Beacon Vector Routing (BVR)
    protocol NSDI 2005
  • Optimized for efficiency
  • No security included
  • Experimental Setup
  • 500 nodes, random deployment, DOI radio model
  • Summary of Results
  • Our routing success rate 100
  • Paths longer than shortest path
  • Distributes overhead evenly throughout network
  • Better than BVR, even in topologies with voids

32
Metric Path Stretch
  • Stretch Protocol Path Length / Optimal Path
    Length
  • Optimistic for BVR does not include failed BVR
    routes

33
Metric Load Distribution - Uniform
34
Metric Load Distribution - Irregular
35
Implementation
  • Developed in NesC on TinyOS using Telos sensor
    nodes
  • Source code to be available soon
  • Challenges overcome
  • Reliable Broadcast
  • Asynchronicity
  • Asymmetric Links
  • Ongoing work to expand the current testbed

36
Other Contributions
  • Techniques for resilient forwarding
  • Duplicate detection
  • Proofs of performance and correctness
  • Implementation details

37
Conclusions
  • Secure sensor routing is an important and
    difficult problem
  • Most previous techniques assume a trusted
    environment or use a single security technique
  • We design a protocol incorporating all three
    security techniques that still compares favorably
    to insecure protocols

38
Thank you!
parno_at_cmu.edu
39
Drawbacks of Wired Networks
  • Expensive to deploy
  • Expensive to maintain
  • Upgrade
  • Replace
  • Wires can introduce failures
  • Wires are costly
  • Wireless networks are more cost effective!

40
Merging Two Groups
  • Assume G and G decide to merge
  • Each node in G independently
  • Calculates the new group ID
  • Extends its network address by one bit according
    to
  • Records the neighbor from whom it heard about G
    in the current routing table slot

41
Duplicate Detection
  • After recursive grouping concludes, each node
    announces its ID and network address to its
    neighbors
  • Run a replication detection algorithm
    PaPeGl2005 to identify duplicates
  • Detects nodes that
  • Claim multiple IDs
  • Simultaneously group with several other nodes
  • Duplicates are revoked

42
Resilient Forwarding
  • Extend routing tables to facilitate multi-path
    forwarding
  • During each merge, a node remembers multiple
    neighbors that announced the merge target
  • Leverages natural redundancy in the recursive
    grouping algorithm

B
Prefix Next Hop0 Next Hop1
1. A C
0.1. C D
0.0.0 A --
43
Resilient Forwarding
  • Sender includes a direction string ? in its
    packet
  • ? ?0 ?1 ?k , ?i ? 0,1
  • Forwarding node selects among next hops based on
    current value of ?

44
GVT Verification
  • Before merging, group G verifies the GVT for G
    (and vice versa)
  • G announces its group ID and size
  • Group G chooses a challenger node
  • Challenger creates challenge
  • Challenger broadcasts the challenge to G and G
  • Based on challenge, G chooses responder node
  • Responder sends its certificate and GVT branch
    information to G
  • Nodes in G verify the GVT values
Write a Comment
User Comments (0)
About PowerShow.com