ad hoc sec


  • 7/28/2019 ad hoc sec

    1/27

    Security in ad hoc networks


    Outline
    • Introduction
    • Security Requirements of Wireless Ad-Hoc Networks
    • Typical attacks on Wireless Ad-Hoc Networks
    • Security protocols and methods for ad-hoc networks


    Motivation
    • Security is the most often cited concern with wireless networks
    • Wireless networks pose unique security problems
    • Power and computation constraints are often higher in wireless networks, making security requirements different


    Requirements for network security
    • Data confidentiality: keep data secret (usually accomplished by encryption)
    • Data integrity: prevent data from being altered (usually accomplished by encryption)
    • Data freshness: data is recent
        - Weak freshness: provides partial ordering of messages
        - Strong freshness: provides total ordering and allows for delay estimation
    • Data availability: data should be available on request
    • Data authentication: verification that the data or request came from a specific, valid sender


    Why security on sensors is hard
    • Constraints
        - Peanut CPU (slow computation rate)
        - Battery power: trade-off between security and battery life
        - Limited memory
        - High latency: conserve power, turn on periodically
    • Nature of wireless ad-hoc network
        - Every node can be a target
        - No trusted peer
        - Decentralized and cooperative participation of all nodes
    • Encryption and authentication cannot eliminate threats
        - No matter how many intrusion prevention measures are inserted in a network, there are always some weak links that one could exploit to break in


    Wireless Ad-Hoc Network Security Methods
    • Public-key cryptography overview
    • Public-key cryptography for wireless:
        - Key distribution: Certification Authorities, PGP (Pretty Good Privacy)
    • Imprinting
    • SPINS
        - SNEP
        - μTESLA
    • Intrusion Detection


    Public-key cryptography overview
    • Alice chooses a random large integer a and sends Bob $X = g^a \bmod n$
    • Bob chooses a random large integer b and sends Alice $Y = g^b \bmod n$
    • Alice computes $k = Y^a \bmod n$
    • Bob computes $k' = X^b \bmod n$
    • Both $k$ and $k'$ are equal to $g^{ab} \bmod n$


    Public-key cryptography overview
    [Diagram: key agreement protocol. Alice (a) and Bob (b) exchange X and Y; each side derives the key K.]


    Imprinting
    • Policy
        - New nodes are "imprinted" upon un-packaging (birth) with their 'parent' and given a secure key and identity
        - A node's parent becomes its security admin. and can change its security policy at any time
        - The initial imprinting should not be sent wirelessly, to avoid imprinting multiple nodes with the same key
        - A node cannot change parents until it 'dies'
        - Death can occur at a set time, or can be triggered by the parent (and only by the parent). After death, a node can be imprinted by a new parent.


    SPINS: Security Protocols for Sensor Networks
    • A suite of security building blocks developed at UC Berkeley
    • Designed for resource-constrained environments and wireless communications
    • Consists of two building blocks, μTESLA and SNEP
    • SNEP
        - Data confidentiality
        - Two-party data authentication
        - Data integrity
        - Freshness
    • μTESLA
        - Authenticated broadcast


    SNEP (Sensor Network Encryption Protocol)
    • Communicating parties each keep a counter, and increment it after each block is transmitted.
    • A master secret key, K, is initially shared between the node and base station and is used to derive all other keys
    • Low communication overhead: adds 8 bytes per message
    • Semantic security: prevents an eavesdropper from inferring encrypted data
    • Data authentication: MAC (Message Authentication Code)
    • Weak freshness: counter in MAC prevents replaying old messages


    SNEP (Contd.)
    • M = MAC(K_MAC, C|E) represents the Message Authentication Code, where C is the shared counter, E is the encrypted data ({D}), and K_MAC is the MAC key
    • A complete message from node A to node B consists of encrypted data and a MAC:
        A -> B : {D}, MAC(K_MAC, C|{D})
    • The counter in SNEP provides weak freshness, but cannot show that a message was created by B in response to a request from A
    • To achieve strong freshness, use a pseudo-random number called a nonce
    • Where N_A is a nonce from A, and R_A is a request from A, our new messages look like this:
        A -> B : N_A, R_A
        B -> A : {R_B}, MAC(K_MAC, N_A|C|{R_B})
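    The two SNEP exchanges above, as an added example that is not part of the original slides: a counter-bound MAC rejects a replayed message, and a nonce-bound MAC ties a reply to one request. HMAC-SHA256 stands in for both the block cipher and the MAC as an assumption, and the names SnepPeer, prf and crypt are hypothetical.

```python
import hashlib, hmac, os

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def crypt(k_enc: bytes, counter: int, data: bytes) -> bytes:
    # Counter-mode keystream, so one function both encrypts and decrypts
    stream = b"".join(prf(k_enc, counter.to_bytes(8, "big") + bytes([i]))
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

class SnepPeer:
    def __init__(self, master: bytes):
        # Every working key is derived from the shared master secret K
        self.k_enc, self.k_mac = prf(master, b"enc"), prf(master, b"mac")
        self.counter = 0  # kept in sync on both sides, never transmitted

    def _tag(self, nonce: bytes, enc: bytes) -> bytes:
        # MAC(K_MAC, [N_A |] C | {D}), truncated to an 8-byte tag
        return prf(self.k_mac, nonce + self.counter.to_bytes(8, "big") + enc)[:8]

    def send(self, data: bytes, nonce: bytes = b""):
        enc = crypt(self.k_enc, self.counter, data)
        tag = self._tag(nonce, enc)
        self.counter += 1
        return enc, tag

    def receive(self, enc: bytes, tag: bytes, nonce: bytes = b""):
        if not hmac.compare_digest(tag, self._tag(nonce, enc)):
            return None  # forged, replayed, or not an answer to our nonce
        data = crypt(self.k_enc, self.counter, enc)
        self.counter += 1
        return data

def demo():
    master = os.urandom(16)  # constructed sample key
    a, b = SnepPeer(master), SnepPeer(master)
    msg = a.send(b"temp=21")
    first, replay = b.receive(*msg), b.receive(*msg)  # second copy is a replay
    n_a = os.urandom(8)  # A -> B : N_A, R_A
    reply = b.send(b"temp=22", nonce=n_a)  # B -> A : {R_B}, MAC(K_MAC, N_A|C|{R_B})
    other = bytes(x ^ 0xFF for x in n_a)
    wrong = a.receive(*reply, nonce=other)  # reply was bound to a different request
    fresh = a.receive(*reply, nonce=n_a)
    return first, replay, wrong, fresh

if __name__ == "__main__":
    print(demo())
```

    Because the counter feeds the keystream, sending the same plaintext twice yields different ciphertexts, which is the semantic-security property listed earlier.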


    μTESLA (Timed Efficient Streaming Loss-tolerant Authentication Protocol)
    • Restricts the number of authenticated senders
    • Discloses the key once per epoch
    • Requires loose time synchronization between base station and nodes
    • μTESLA description
        - Each MAC key is a key (K) of a key chain, generated by a public one-way function F, where K_j = F(K_{j+1})
        - All blocks sent in a specific time period use the same key
        - Received blocks are stored in a buffer until the associated key is released and verified
        - Any valid key can be used to derive earlier keys, or validate later keys, but cannot be used to derive later keys.


    μTESLA (Contd.)
    • Sender setup
        - The sender generates a chain of secret keys by choosing the last key (K_n) randomly, and applying a one-way function F, such that: K_j = F(K_{j+1})
    • Broadcasting authenticated packets
        - Time intervals are set, and each key of the key chain is associated with an interval.
        - During interval t, the sender uses key K_t to compute the MAC of all packets.
        - The sender waits for a delay of before revealing K_t, where is greater than any reasonable packet round trip time.


    μTESLA (Contd.)
    • Bootstrapping a new receiver
        - Each receiver must have one authentic key of the key chain, and must know the key disclosure schedule.
        - A new receiver M sends a nonce in the request message to the sender S.
        - The sender replies with its current time T_s, a key K_i from a past interval i, the starting time T_i of interval i, the duration T_int of the time intervals, and the disclosure delay .
            M -> S : N_M
            S -> M : T_s | K_i | T_i | T_int | , MAC(K_MS, N_M | T_s | K_i | T_i | T_int | )


    μTESLA (Contd.)
    • Authenticating broadcast packets
        - When receiving a new packet, the receiver needs to check that the key for that interval has not been disclosed yet. This implies that no adversary could have spoofed the contents.
        - If this condition is met, the packet is stored. Otherwise it is dropped.
        - As soon as the key K_j of a previous time interval is received, the receiver checks it against the last authentic key it knows, K_i, by applying the function F.
        - After K_j has been authenticated, K_i is replaced by K_j in memory, and all the packets that were sent between time intervals i and j can be verified.
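    The key chain and the receiver checks described on the last four slides, as an added example that is not part of the original slides. SHA-256 as F, the 8-byte truncated HMAC, time counted in whole intervals, and the names Receiver, make_chain, on_packet and on_key are all assumptions of this sketch.

```python
import hashlib, hmac, os

def F(key: bytes) -> bytes:
    return hashlib.sha256(key).digest()  # public one-way F; SHA-256 is an assumption

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def make_chain(n: int) -> list:
    # Sender setup: pick K_n at random, then K_j = F(K_{j+1}) down to K_0
    chain = [os.urandom(32)]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]  # chain[j] is K_j

class Receiver:
    def __init__(self, i, k_i, delay):
        self.i, self.k_i, self.delay = i, k_i, delay  # learned at bootstrapping
        self.buffer, self.accepted = [], []

    def on_packet(self, now, interval, data, tag) -> bool:
        if now >= interval + self.delay:  # key for this interval may already be public
            return False
        self.buffer.append((interval, data, tag))
        return True

    def on_key(self, j, k_j) -> bool:
        keys = {j: k_j}
        for m in range(j, self.i, -1):  # K_{m-1} = F(K_m)
            keys[m - 1] = F(keys[m])
        if j <= self.i or not hmac.compare_digest(keys[self.i], self.k_i):
            return False  # stale, or not on the authentic key chain
        for interval, data, tag in self.buffer:
            if self.i < interval <= j and hmac.compare_digest(tag, mac(keys[interval], data)):
                self.accepted.append(data)
        self.buffer = [p for p in self.buffer if p[0] > j]
        self.i, self.k_i = j, k_j  # K_j replaces K_i in memory
        return True

def demo():
    chain = make_chain(5)  # constructed sample chain
    rx = Receiver(0, chain[0], delay=2)  # time is counted in whole intervals
    ok = rx.on_packet(1, 1, b"cmd:report", mac(chain[1], b"cmd:report"))
    late = rx.on_packet(3, 1, b"cmd:reset", mac(chain[1], b"cmd:reset"))  # K_1 already public
    bad = rx.on_key(2, os.urandom(32))  # key that is not on the chain
    good = rx.on_key(2, chain[2])  # K_1 disclosure was lost; K_2 still verifies
    return ok, late, bad, good, rx.accepted

if __name__ == "__main__":
    print(demo())
```

    The last two calls show the loss tolerance: the receiver never saw K_1, yet K_2 authenticates against K_0 after two applications of F and then verifies the buffered interval-1 packet.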


    μTESLA (Contd.)
    • What if nodes need to broadcast data?
        - Nodes are limited in CPU and battery resources
        - Nodes broadcast data through the base station, using SNEP as an authentication method
        - Nodes broadcast the data, but do not compute the keys. The base station sends the key to the node as needed.
        - The base station can also broadcast the key disclosure, and/or perform the bootstrapping procedure for new nodes.


    μTESLA (Contd.)
    • Implementation
        - Block cipher E performs the encryption
        - Code space is saved by using the same function for encryption and decryption
        - Random-number generation is performed by the MAC and counter C: MAC(K_ran, C)
        - Key setup: F_k(x) = MAC(K, x)


    Evaluation of a protocol based on SPINS


    Distributed public key infrastructure
    • Certificates are stored and distributed by users
    • Trust graph G(V,E) where V: users, E: public-key certificates
    • If two vertices u and v are in H, and there is a directed path from u to v in H, then v is reachable from u in H ($u \rightarrow_H v$)
    • S(G,u): subgraph on G by user u
    • S(G,u,v): $S(G,u) \cup S(G,v)$
    • Performance:
        $$p_A(G) = \frac{\#\{(u,v) \in V \times V : u \rightarrow_{S(G,u,v)} v\}}{\#\{(u,v) \in V \times V : u \rightarrow_G v\}}$$


    Infrastructure Improvements
    • Shortcut hunter algorithm: finds the path with the most shortcuts for all outgoing and incoming edges of a given node


    Intrusion Detection
    • Assumptions
        - User and program activities are observable
        - Misuse and anomaly detections are possible locally and in a distributed manner
    • Problems of IDS (intrusion detection system)


    Intrusion Detection (contd.)
    • Misuse detection
        - Uses patterns of well-known attacks to match and identify known intrusions
        - Accurate and effective
        - Only works against known attacks
    • Anomaly detection
        - Uses established normal usage profiles to detect deviation from the norm
        - Able to detect new types of attacks
        - Cannot always describe the nature of an attack
        - May have a high false positive rate


    Intrusion Detection (contd.)
    • Anomaly detection in Wireless Ad-Hoc
        - Detection can be performed at each layer (link layer, MAC, applications, etc.)
        - During the learning process, normal network conditions are recorded and used to create a 'normal profile'
        - If a node detects an intrusion that affects the entire network, it can initiate a re-authentication process throughout the network, to exclude the malicious nodes
        - If a node detects a local intrusion at a higher layer (e.g., one of its services), the lower layers are notified. The lower layer detection modules can investigate and possibly block access from the offending nodes.


    Secure Aware Protocol
    • Traditional way
        - RREQ/RREP
    • SAR
        - Embed security metric into the RREQ packet
        - Ensure intermediate nodes can provide required security
        - Authenticated users belonging to same trust level share a secret key
