INSENS: Intrusion-Tolerant Routing For Wireless Sensor Networks

1
INSENS Intrusion-Tolerant Routing For Wireless
Sensor Networks

• By Jing Deng, Richard Han, Shivakant Mishra
• Presented by Daryl Lonnon

2
INSENS Goals

• Define a secure intrusion-tolerant routing
  scheme.
• A small number of compromised nodes can only
  effect a small/localized area.
• Compromised nodes cannot bring down the entire
  network.

3
INSENS Goals
4
INSENS Challenges

• Wireless communication is broadcast in nature
  adversaries can
• Eavesdrop on packets as they cross the network
• Tamper with transmitted packets
• Inject packets to initiate DOS

5
Challenges (continued)

• Sensor nodes are highly constrained
• Limited power/lifetime
• Low-power micro-sensors and actuators
• Slow embedded processors
• Limited memory
• Low bandwidth communication
• Distributed in the field in-situ, lacking
  physical security.

6
INSENS Underlying Framework

• Large number of resource poor sensor nodes.
• 10-100 nodes for home monitoring
• 1000 nodes for battlefield and building
  monitoring
• Small number of resource rich base stations.

7
High Level Design Principles to Achieve Intrusion
Tolerance

• Securely build redundant routing.
• Only trusted base stations may initiate expensive
  network operations (such as route setup).
• Symmetric key encryption performed between base
  stations and nodes.

8
High Level Principles (Continued)

• Base stations perform expensive operations for
  nodes (i.e. route table computation).
• Secure only common traffic patterns.
• Base station -gt node/aggregator
• Aggregator/node -gt base station
• Nodes are static (motionless) after setup.

9
High Level Principles (Continued)

• Novel mechanisms can be used to overcome specific
  attacks.
• Allow for multiple base stations and multiple
  routes to those base stations.

10
Threat Model

• Adversary can compromise a node, obtaining all
  information (e.g. keys, routing info), as well
  as, reprogram a node.
• An adversary has a jamming range of d, where d is
  gt a nodes transmission range, and d ltlt the
  radius of the complete network.

11
Threat Model (continued)

• An adversary can only hear a node if the node can
  hear the adversary, the adversary may, however,
  transmit much further than a node.
• An adversary cannot tamper with a base station
  (without being detected).

12
INSENS Basic Protocol

• Divided into two separate phases.
• Route Discover determines the topology of the
  network
• Data Forwarding is the normal operation of the
  network

13
INSENS Basic Protocol Assumptions and
Preconditions

• Assumption Communication between nodes is
  symmetric (if a can hear b, b can hear a).
• Preconditions each node possess
• A symmetric key shared with the base station,
  which is used to create to derived keys and
  
• A globally known one way hash function F
• The initial number of a one way hash chain

14
INSENS Basic Protocol Route Discovery Overview

• Base station securely floods a request message.
• Nodes send local topology to base station in a
  feedback message.
• Base station sends each node a specific routing
  update message.

15
Basic INSENS Route Request

• The base station sends a route request message to
  each of its neighbors.
• Each node saves the neighbor that it first
  received a request from and forwards a modified
  route request.

16
Route Request Messages
Base Station
Node x
REQ
REQ

OHC
OHC
17
Basic INSENS Feedback

• Each node waits some amount of time, listening
  for neighbors flooding the request message.
• After some timeout, each node sends a feedback
  message to its parent.

18
INSENS Route Discovery

• The base station waits for feedback messages, and
  uses those neighbor lists to build route tables.
• A shortest path algorithm is used to generate the
  first path between a node and a base station.

19
INSENS Route Discovery (Second Path)

• The second path is generated first by creating
  three sets of nodes
• N1 are nodes along the path (not including the
  base station and target node).
• N2 are nodes that are neighbors to node in N1.
• N3 are nodes that are neighbors to nodes in N2.

20
INSENS Path Formation

• Remove N3 from the network, and compute
  shortest path. If a path exists, you have the
  second path.
• Remove N2 from the network, and compute the
  shortest path. If a path exists, you have the
  second path.
• Remove N1 from the network, and compute the
  shortest path. If a path exists you have the
  second path.
• If all fail, you have no second path.

21
Data Forwarding Tables

• For each node in a path, add to that nodes
  routing table a 3-tuple ltdestination,source,immedi
  ate sendergt
• After all paths have been calculated, unicast
  each node its table.
• If a node detects a message, it searches its
  table and broadcasts the message if it matches an
  entry.

22
Basic INSENS Protocol
N1
1. BS floods request message
2. Nodes respond with feedback
3. BS determines shortest path
N2
4. BS builds sets N1, N2 N3
N3
5. BS determines 2nd shortest path
6. BS sends out routing tables
23
Limitations of Basic INSENS

• Wireless communication is not always symmetric.
• Feedback messages can get long.
• Base station can get overloaded on large
  networks.
• No maintenance of network routing for failed
  and/or new nodes.

24
Enhanced INSENS adds

• Bidirectional verification.
• Secure multi-path multi-base station routing.
• Maintenance issues message loss, nodes joining
  and leaving.

25
Bidirectional Verification

• Defends against Rushing attacks.
• Echo-back process to verify neighbor nodes.
• Each node uses a temporary global key to setup
  pairwise keys with its neighbors
• During the handshake for pairwise keys, it
  verifies which nodes are neighbors.
• Each node, then, unicasts a random cluster key to
  all its valid neighbors.
• REQ messages are broadcast encrypted and
  authenticated with the cluster key.

26
Secure Multi-Path Multi-Base Station Routing

• Each node uses bi-directional verification to
  determine neighbors and setup cluster keys.
• Each base station floods a request message
• Each node that receives the request, verifies the
  OHC, replaces id with its id and rebroadcasts
  the message using its cluster key.
• This constructs multiple secure trees that span
  the network.

27
Maintenance Local Repair

• Local repair is used to add new nodes and fix
  holes in network.
• If node u has not received a REQ message after
  some time t, it sends an authenticated (with its
  cluster key) message (P REQ).
• Nodes that have received a REQ message send an
  authenticated (with their pair-wise key)
  affirmative response.
• Node u picks a node at random that gave an
  affirmative response.

28
Maintenance Pair-Wise Key Setup with New Nodes

• Before deleting their global key, old nodes save
  off a set of
• These pairs are used to query a new node u, to
  determine if it has the global key.
• The new node then queries an existing node by
  asking for its id and computing a key ( (using
  its polynomial share?)) and initiating a
  challenge response.

29
Enhanced INSENS Protocol

• Nodes use global key to find
• and setup pair-wise and cluster
• keys with neighbors.

2. BS floods request message, which is
forwarded on using cluster keys.
3. Nodes note first neighbor to send request
to build minimum spanning tree.
30
Implementation Basic INSENS

• Motes running TinyOS 1.0 with NesC.
• Base station running Java.
• RC5 used for encryption.
• CBC mode of RC5 used to generate MACs.
• RC5 over known plain text with result being next
  key to generate hash chain.

31
Implementation Basic INSENS

• 36 byte packet fragmentation by dropping packets
  with higher sequence numbers.
• Network setup was dominated by timeout at sensor
  nodes.

32
Performance (Cryptographic) of Enhanced INSENS

• Cryptographic storage 8 x (2n k l 2) where
  key size is 8 bytes, n neighbors, l random
  numbers, and k base stations.
• 4 milliseconds to encrypt a message.
• 4.2 milliseconds to verify hash chain and 136
  bytes overhead.

33
Effectiveness of Multipath Routing

• 2000 nodes, each node averaging 16 neighbors.
• Enhanced INSENS with 4 base stations
• Basic INSENS with 2 paths
• Single path routing.
• Jamming range activity range enhance was 3
  times better, basic was 2 times better.

34
Effectiveness of Multi-Path Routing

• Jamming range 2 x activity range Enhance was 2
  times better, basic was about equal to single
  path.
• Jamming range 3 x activity range Enhance was
  about 1.5 times better, basic was equal to single
  path.
• Versus rushing attacks, echo back almost
  completely eliminated blocked nodes.