Upload
mary-helen
View
223
Download
0
Embed Size (px)
Citation preview
7/28/2019 ad hoc sec
1/27
Security in ad hoc networks
7/28/2019 ad hoc sec
2/27
Outline Introduction
Security Requirements of Wireless Ad-
Hoc Networks
Typical attacks on Wireless Ad-Hoc
Networks
Security protocols and methods for ad-
hoc networks
7/28/2019 ad hoc sec
3/27
Motivation Security is the most often cited concern
with wireless networks
Wireless networks pose unique securityproblems
Power and computation constraints are
often higher in wireless networks, makingsecurity requirements different
7/28/2019 ad hoc sec
4/27
Requirements for network security Data confidentiality: keep data secret (usually
accomplished by encryption)
Data integrity: prevent data from being altered (usually
accomplished by encryption) Data freshness: data is recent
Weak freshness:provides partial ordering of msgs
Strong freshness:provides total ordering and allows for
delay estimation
Data availability: data should be available on request
Data authentication: verification that the data or request
came from a specific, valid sender
7/28/2019 ad hoc sec
5/27
Why security on sensors is hard Constrains
Peanut CPU (slow computation rate)
Battery power: trade-off between security andbattery life
Limited memory High latency: conserve power, turn on
periodically
Nature of wireless ad-hoc network Every node can be a target
No trusted peer
Decentralized and cooperative participation of allnodes
Encryption and authentication cannot eliminatethreats
No matter how many intrusion preventionmeasures are inserted in a network, there arealways some weak links that one could exploit to
break in
7/28/2019 ad hoc sec
6/27
Wireless Ad-Hoc Network
Security Methods
Public-key cryptography overview
Public-key cryptography for wireless:
Key distribution :Certification Authorities,
PGP(Pretty Good Privacy)
Imprinting
SPINS SNEP
mTESLA
Intrusion Detection
7/28/2019 ad hoc sec
7/27
Public-key cryptography overview Alice chooses a random large integer a and
sends Bob
Bob chooses a random large integer b and
sends Alice
Alice computes
Bob computes
Both are equal to
nXk b mod'
nYk a mod
ngY b mod
ngX a mod
',kk ngabmod
7/28/2019 ad hoc sec
8/27
KEY
?
Public-key cryptography overviewAlice Bob
ba YX
K K
Key agreement protocol
7/28/2019 ad hoc sec
9/27
Imprinting
Policy New nodes are "imprinted" upon un-packaging (birth) with
their 'parent' and given a secure key and identity
A node's parent becomes its security admin. and can change
its security policy at any time
The initial imprinting should not be sent wirelessly, to avoid
imprinting multiple nodes with the same key
A node cannot change parents until it 'dies' Death can occur at a set time, or can be triggered by the
parent (and only by the parent). After death, a node can be
imprinted by a new parent.
7/28/2019 ad hoc sec
10/27
SPINS: Security Protocols for
Sensor Networks
A suite of security building blocks developed at UCBerkley
Designed for resource-constrained environments and
wireless communications Consists of two building blocks, mTESLA and SNEP SNEP
Data Confidentiality
Two-party data authentication
Data Integrity Freshness
mTESLA authenticated broadcast
7/28/2019 ad hoc sec
11/27
SNEP
(Sensor Network Encryption Protocol)
Communicating parties each keep a counter, andincrement it after each block is transmitted.
A master secret key, K is initially shared between the
node and base station and is used to derive all otherkeys
Low communication overhead :adds 8 bytes permessage
Semantic security: prevents an eavesdropper from
inferring encrypted data Data authentication: MAC (Message Authentication
Code)
Weak Freshness: Counter in MAC prevents replayingold messages
7/28/2019 ad hoc sec
12/27
SNEP (Contd.)
M=MAC(KMAC,C|E) represents the Message Authentication Code, where
C is the shared counter, E is the encrypted data ({D}), and KMAC is
the MAC key
A complete message from node A to node B consists of encrypted data,
and a MAC.A -> B : {D} , MAC(KMAC, C|{D})
The counter in SNEP provides weak freshness, but cannot show that a
message was created by B in response to a request from A
To achieve Strong Freshness
use a pseudo-random number called a nonce
Where NA is a nonce from A, and RA is a request from A, our new
messages look like this:
A -> B : NA, RAB -> A : {RB} , MAC(KMAC, NA|C|{RB})
7/28/2019 ad hoc sec
13/27
mTESLA(Timed Efficient Streaming Loss-tolerant
Authentication Protocol)
Restricts the number of authenticated senders
Discloses the key once per epoch
Requires loose time synchronization between base station and nodes
mTESLA Description Each MAC key is a key (K) of a key chain, generated by a public
one-way function F, where Kj =F(Kj+1)
All blocks sent in a specific time period use the same key
Received blocks are stored in a buffer until the associated key is
released and verified Any valid key can be used to derive earlier keys, or validate later
keys, but cannot be used to derive later keys.
7/28/2019 ad hoc sec
14/27
mTESLA(Contd.)
Sender Setup The sender generates a chain of secret keys by choosing the last
key (Kn) randomly, and applying a one-way function F, such
that: Kj =F(Kj +1)
Broadcasting Authenticated Packets Time intervals are set, and each key of the key-chain is
associated with an interval.
During interval t, the sender uses key Kt to compute the MAC ofall packets.
The sender waits for a delay of before revealing Kt, where is
greater than any reasonable packet round trip time.
7/28/2019 ad hoc sec
15/27
mTESLA(Contd.)
Bootstrapping a new receiver Each receiver must have one authentic key of the key chain, and
must know the key disclosure schedule.
A new receiver M sends a nonce in the request message to the
sender S.
The sender replies with its current time Ts, a key Ki from a past
interval i, the starting time Ti of interval i, the duration Tint of the
time intervals, and the disclosure delay .
M -> S : NM
S -> M : Ts| Ki |Ti |Tint |, MAC(KMS, NM | Ts| Ki |Ti |Tint |)
7/28/2019 ad hoc sec
16/27
mTESLA(Contd.)
Authenticating broadcast packets When receiving a new packet, the receiver needs to check that
the key for that interval has not been disclosed yet. This implies
that no adversary could have spoofed the contents
If this condition is met, the packet is stored. Otherwise it is
dropped
As soon as the key Kj of a previous time interval is received, the
receiver checks it against the last authentic key it knows, Ki
, by
applying the function F.
After Kj has been authenticated, Ki is replaced by Kj in memory,
and all the packets that were sent between time intervals i and j
can be verified.
7/28/2019 ad hoc sec
17/27
mTESLA(Contd.)
What if nodes need to broadcast data? Nodes are limited in CPU and battery resources
Nodes broadcast data through the basestation,using SNEP as an authentication method
Nodes broadcast the data, but do not compute
the keys. The basestation sends the key to the node as needed.
The basestation can also broadcast the key disclosure, and/or
perform the bootstrapping procedure for new nodes.
7/28/2019 ad hoc sec
18/27
mTESLA (Contd.)
Implementation Block cipher E performs the
encryption
Code space is saved by using the
same function for encryption and
decryption
Random-number generation
performed by the MAC, and
counter C.
MAC(Kran, C)
Key setup Fk(x)=MAC(K,x)
7/28/2019 ad hoc sec
19/27
Evaluation of a protocol based
on SPINS
7/28/2019 ad hoc sec
20/27
Distributed public key
infrastructure
Certificates are stored and distributed by
users
Trust graph G(V,E) where V: users, E:
public-key certificates If two vertices u and v are in H, and there is
a directed path from u to v in H, then v is
reachable from u in H. ( )
S(G,u) : subgraph on G by user u
S(G,u,v) : S(G,u) S(G,v)
Performance
vH
u
}:),{(#
}:),{(#)(
),,(
vuVVvu
vuVVvuGp
G
vuGS
A
7/28/2019 ad hoc sec
21/27
Infrastructure
Improvements
Shortcut hunter
algorithm: finds the
path with the mostshortcuts for all out-
going and incoming
edges of a given node
7/28/2019 ad hoc sec
22/27
Intrusion Detection
Assumptions User and program activities are
observable
Misuse and anomaly detections are
possible locally and in a distributed
manner
Problems of IDS (intrusion
detection system)
7/28/2019 ad hoc sec
23/27
Intrusion Detection (contd)
Misuse detection
Uses patterns of well-known attacks to match and identify known
intrusions
Accurate and effective Only works against known attacks
Anomaly detection
Uses established normal usage profiles to detect deviation from
the norm Able to detect new types of attacks
Cannot always describe the nature of an attack
May have a high false positive rate
7/28/2019 ad hoc sec
24/27
Intrusion Detection (contd.)
Anomaly detection in Wireless Ad-Hoc
Detection can be performed at each layer (link layer, MAC,
applications, etc.)
During the learning process, normal network conditions arerecorded and used to create a 'normal profile'
If a node detects an intrusion that affects the entire network, it can
initiate a re-authentication process throughout the network, to
exclude the malicious nodes
If a node detects a local intrusion at a higher layer (e.g., one of its
services), the lower layers are notified. The lower layer detection
modules can investigate and possibly block access from the
offending nodes.
7/28/2019 ad hoc sec
25/27
Secure Aware Protocol
Traditional way
RREQ/RREP
SAR Embed security metric into
the RREQ packet
Ensure intermediate nodes canprovide required security
Authenticated users belonging
to same trust level share a
secret key
7/28/2019 ad hoc sec
26/27
References
SPINS: Security Protocols for Sensor Networks. A Perrig, R.Szewczyk, V. Wen, D. Culler, J.D. Tyger
The Resurrecting Duckling: Security Issues for Ad-hoc WirelessNetworks. Frank Stajano, Ross Anderson
Intrusion Detection in Wireless Ad-Hoc Networks. YongguangZhang, Wenke Lee.
The Quest for Security in Mobile Ad-Hoc Networks. Jean-PierreHubaux, Levente Buttyan, Srdan Capkun.
Ad Hoc Networking Critical Features and Performance Metrics.Madhavi W.Subbarao.
Lowering Security Overhead in Link State Routing. Ralf Hauser,Tony Przygienda, Gene Tsudik.
7/28/2019 ad hoc sec
27/27
References (Contd)
Mitigating Routing Misbehavior in Mobile Ad Hoc Networks.
Sergio Marti, T.J.Giuli, Kevin Lai, and Mary Baker.
Secure Routing for Mobile Ad Hoc Networks. Panagiotis
Papadimitratos and Zygmunt J. Hass. Securing Ad Hoc Networks. Lidong Zhou and Zygmunt J. Haas.
Securing-Aware Ad hoc Routing for Wireless Networks. Seung
Yi, Prasad Naldurg, and Robin Kravets.
RFC2137 Secure Domain Name System Dynamic Update