SECURE ROUTING IN WIRELESS SENSOR NETWORKS Gayathri Venkataraman Preeti Raghunath

SECURE ROUTING IN WIRELESS SENSOR NETWORKS

Gayathri VenkataramanPreeti Raghunath

AGENDA Sensor Networks

Wireless Sensor Networks vs. Ad- Hoc Networks

Sensor Network Security Challenges Attacks on Sensor Network routing Securing the Wireless Network Summary

Sensor Networks A sensor network is composed of a large number of sensor nodes

that are densely deployed either inside the phenomenon or close it . Each of these sensor nodes collect data and transmit to the sink using special routing protocols. The sink may communicate to the task manager using Internet or satellite [1].

Figure 1 Sensor nodes communicationSource : http://www.cdt.luth.se/babylon/snc/References/Akyildiz2002_SurveySensorNets_01024422.pdf Retrieved August 22, 2003

What is a Sensor Network? Heterogeneous system that combines tiny

sensors and actuators with general purpose computing elements.

Sensor readings from multiple nodes can be processed by one or more aggregation points

Base Station Sensor Networks have one or more points

of centralized control called Base Stations. Base stations are either:

– Gateway to another network– Data processing or storage center– Access point for human interface.

Sensor Network ArchitectureBase Stations

Sensor Nodes

Aggregation points

Constraints of Wireless Sensor Networks

Sensor Networks are resource-starved when it comes to:– Computational power– Memory– Bandwidth– Power

Sensor Networks VS. Ad Hoc Networks

Ad-Hoc Network supports routing between any pairs of nodes.

Sensor Networks have a specialized communication pattern:– Many to One– One to Many– Local Communication

Security challenges in Wireless Sensor networks (1 of 3)

Network Assumptions:– Radio links are not secure– Attackers can deploy malicious nodes into the

network. Trust Requirements:

– Base Stations are trusted nodes– Aggregation points maybe trusted for certain

protocols

Security challenges in Wireless Sensor networks (2 of 3)

Threat models:– Mote-Class attackers: Sensor nodes are used for

attacks. Sensor can eavesdrop only nodes in its vicinity.– Laptop-Class attackers: More sophisticated. Can

eavesdrop or jam entire network.– Outsider attacks: Attacker has no special access to the

sensor network.– Insider attacks: An authorized participant of the

network has gone bad by running malicious code.

Security challenges in Wireless Sensor networks (3 of 3)

Security Goals:– Protection against eavesdropping is

responsibility of application layer not routing algorithms.

– However, eavesdropping caused by abuse of routing protocol is the responsibility of protocols.

– Graceful degradation of network in case of insider attack.

Attacks on Sensor Networks (1 of 3)

Spoofing: Altering, spoofing or replaying routing information between nodes.

Selective Forwarding: Malicious nodes does not forward any packets or selectively forwards packets.

Attacks on Sensor Networks (2 of 3)

Sinkhole attack: – Here the attacker’s goal is to lure all the traffic through

a compromised node– Other nodes in the path have opportunities to tamper

with application data Sybil attack:

– A single node presents multiple identities. Wormholes:

– Attacker tunnels messages received in one part of the network over a low-latency kink and replays them in a different part.

Attacks on Sensor Networks (3 of 3)

HELLO Flood attack: An attacker with enough transmission power convinces every node in the network that the attacker is the neighbor.

Acknowledgement spoofing:– Link layer acknowledgements are spoofed to

convince a weak link is strong and vice-versa.

Attacks on Specific Routing Protocols

Gayathri Venkataraman

Special Routing Protocols! Why???

A typical mote has 4MHz processor, 128 KB of instruction memory, 4 KB of RAM data, and 512 KB of flash memory. The whole device is powered by two AA batteries. So the requirement of special routing protocols with

Less computationLess memorySimpleNo global identification like IP address

Challenges For Security

Resource starved nature of sensor networks poses a big challenge for security

Public-key Cryptography is so expensive

With only 4KB of RAM memory must be used carefully

Directed Diffusion

•Is a data centric routing

•Base stations flood interests for named data

•Nodes able to satisfy the interest disseminate information along the reverse path of interest propagation.

•Interests are initially transmitted at a lower rate.

•Based nodes reinforce the path where there is more data.

•Failed node paths are negatively reinforced.

http://www2.parc.com/spl/members/zhao/stanfordcs428/readings/Networking/Estrin_mobicom00.pdf  Retrieved August 27, 2003

Directed Diffusion

Attacks on Directed Diffusion

•SuppressionSuppress the flow of data by sending negative reinforcement

•CloningAttacker can replay an interest from legitimate base station

•Path InfluenceAttacker can influence the path taken by a data flow by spoofingpositive and negative reinforcements and bogus data events.

•Selective forwarding and TamperingAttacker can insert himself into the path of events flow and gainControl of the event flow.

Attacks on Directed Diffusion

•A Laptop class adversary can create worm hole between node A located near base station and node B located near likely events.

•Interests are advertised through worm hole and rebroadcast bynode B.

•If node A sends negative reinforcements and worm hole does not pass those messages then node B continues its positive reinforcement then no data reaches the sink node and eventually node B’s power is lost.

Tiny-OS Beaconing

•In this protocol base stations periodically broadcast routing update.

•All station receiving the update marks the base station as its parent.

•This algorithm happens recursively with each node marking its parent as the first node from which it hears the update.

•All packets received or generated by a node is forwarded to its parent until it reaches the base station.

•This is a breadth first spanning tree rooted to the base station

Attacks on Tiny-OS Beaconing

Routing updates are not authenticated

Attacker can suppress, eaves-drop, and modify packets througha worm hole/ sink hole attack as shown in the figure

Source: http://webs.cs.berkeley.edu/retreat-1-03/slides/sensor-route-security.pdfRetrieved on November 17, 2003

Attacks on Tiny-OS Beaconing

•A lap top class adversary can use Hello flood attack to broadcast a routing update and all nodes will consider the adversary as its parent.

So the nodes which are not in the actual range of the parent may flood the packets to neighbors which also has the adversary as its parent

•Routing Loops can be created. Suppose adversary knows node A and node B are within radio range of each other. Adversary sends a routing update to B as if it came from A. B updates its parent as A, and sends routing update. Now A updates its parent as B.

Geographic Routing

Two Kinds •Geographic and Energy aware routing (GEAR) uses the energy information and the location of neighboring nodes to forward the packets

•Greedy Perimeter Stateless Routing (GPSR) used only the proximity of neighbors to forward its messages. The energy consumption is uneven within the nodes.

Attacks on Geographic Routing•Regardless of adversary’s location he might advertise to be closest and place himself on the path of data flow.

•For GEAR the adversary can advertise to have maximum energy to divert all the packets to himself and can now mount a selective forwarding attack

Routing Loops is possible in GPSR routing as shown in figure

Source: http://webs.cs.berkeley.edu/retreat-1-03/slides/sensor-route-security.pdfRetrieved on November 17, 2003

Counter Measures

Link Layer Security•Simple link layer encryption and authentication using a globally shared key.

•If a worm hole is established, encryption makes selective forwarding difficult, but can do nothing to prevent black hole selective forwarding. This worm hole is possible by replaying the message from one group of nodes to other group.

•Link layer security mechanisms cannot prevent any insider attack.

Counter Measures

Sybil Attack

•Every node shares a unique symmetric key with base station

•Two nodes can use Needham-Schroeder like protocol to verifyidentity and establish a shared key.

•Base station limits the number of nodes an insider can have communication.

•This limits the number of nodes an adversary can communicate.

Counter Measures

Hello Flood Attacks

•Verify the bi-directionality of the link before taking any action

•Measures against Sybil Attack like limiting the number ofverified neighbors to a node will also prevent Hello Flood Attack

Counter Measures

Worm Hole and Sink Hole Attacks•Sink holes are difficult to defend in protocols which use advertised information like energy information and hop count. Hop count can be verified, however energy and TinyOs beaconing is difficult to defend.

•Best solution is to design protocols where above attacks are meaningless

•Protocols that construct topology initiated by base station are susceptible to attacks

•Geographic protocols that construct topology on demand using localized interactions and not from base stations are good solutions.

•In geographic routing since proximity is a factor artificial link to sink hole is not possible because they may not fall in the normal radio range.

Counter Measures

•Geographic routing is secure against worm hole, sink hole, and Sybil attacks, but the remaining problem is that the location advertisement must be trusted.

•Probabilistic selection of next hop from several advertisement can reduce the problem

•Restricting the structure of the topology can eliminate the problem by eliminating advertisement. For example nodes can arrange itself in square, triangular, etc., So that every node can derive its neighbors

Counter Measures

Counter Measures

Selective Forwarding

•Multi-path routing can be used to avoid this attacks.

•Messages routed over n paths whose nodes are completely disjoint is an effective solution

•Creating this kind of path may be difficult .

•Probabilistic selection of next hop can add to security.

Counter Measures

Authenticated Broadcast & flooding

• digital signatures

• symmetric-key cryptography

• delayed key disclosure and one –way key chains constructed with publicly computable cryptographically secure hash function •Replay attack is not possible key is used only once.

Limitations of Multi-Hop Routing

•If nodes within one or two hops near the base station arecompromised then the network will be completely down

•Protocols like leach which forms clusters and where cluster heads communicate directly with base station may yield a secure solution.

Conclusion

•Secure routing is vital to the acceptance and use of sensor networks.

•Current protocols are insecure

•Careful protocol design is needed as a sensor mote cannot do complex cryptographic computations

References

[1 ]Ian F. Akyildiz, Weilian Su, Yogesh Subramaniam, and Erdal Cayirci (2002, August). A Survey on Sensor Networks. http://www.cdt.luth.se/babylon/snc/References/Akyildiz2002_SurveySensorNets_01024422.pdf Retrieved August 26, 2003

[2]Charlermek Intanagonwiwat, Ramesh Govindan, and Deborah Estrin. Directed Diffusion:A Scalable and Robust Communication Paradigm

for Sensor Networkshttp://www2.parc.com/spl/members/zhao/stanfordcs428/readings/Networking /Estrin_mobicom00.pdf Retrieved August 20, 2003

[3] Chris Karlof, David Wagner, Secure Routing in Wireless Sensor Networks: Attacks and Counter Measures

Thank You!!!!!

Questions???????????