Anonymous Path Routing Protocol in Wireless Sensor Networks Jang-Ping Sheu* §, Jehn-Ruey Jiang* and Ching Tu* National Central University* and National

Anonymous Path Routing Protocol in Wireless Sensor Networks

Jang-Ping Sheu*§ , Jehn-Ruey Jiang* and Ching Tu*

National Central University* and National Tsing-Hua University§

Taiwan, R.O.C.

2/35ICC 2008

Outline

Introduction Related Work Anonymous Path Routing (APR) Protocol Security Analysis Implementation and Evaluation Conclusion

3/35ICC 2008

Outline


4/35ICC 2008

Introduction

Security is important for MANETs and WSNs Adversaries can easily overhear messages.

It is more challenging to keep WSNs secure Sensor nodes have limited capability Sensor nodes are easier to be captured and compromised It is harder to prevent the network topology from being

analyzed in a WSN than in a MANET because the former has a more dynamic topology than the latter.

We focus on keeping WSNs secure

5/35ICC 2008

Introduction

General attacks in WSNs Active attacks

• Forging attacks

• Replay attacks

• Denial of service (DoS) attacks

• …

Passive attacks• Data eavesdropping attacks

• Traffic analysis attacks

• …

They are “invisible” and harder to detect.

They may be the prelude of active

attacks.

6/35ICC 2008

Introduction

We rely on anonymous communication for resisting the attacks.

Anonymous communication A new paradigm to resist attacks Since identities of nodes are hidden, the

network topology is difficult to be analyzed. It can also prevent most of active attacks.

7/35ICC 2008

Outline


8/35ICC 2008

Related Work

ANODR ACM MobiHoc, 2003 An ANonymous On-Demand Routing protocol based

on trapdoor one-way function and boomerang onion

SDAR IEEE LCN, 2004 A Secure Distributed Anonymous Routing protocol

based on public key cryptography

9/35ICC 2008

Related Work

AnonDSR ACM SASN, 2005 An Anonymous Dynamic Source Routing protocol

based on shared secret key used in source and destination nodes, and public key cryptography used in the intermediate nodes

MASK IEEE INFOCOM, 2005 An anonymous on-demand routing protocol based on

bilinear pairing

10/35ICC 2008

Drawbacks of Existent Methods

High computing overhead

Each node should try all its shared secret keys for receiving an anonymous packet (ANODR)

Public key cryptography (AnonDSR, SDAR)

Bilinear mapping function (MASK)

Existent methods are not applicable to WSNs.

11/35ICC 2008

Outline


12/35ICC 2008

Three Schemes of APR

Anonymous one-hop communication

Anonymous multi-hop path routing

Anonymous data forwarding

13/35ICC 2008

Anonymous One-hop Communication

In the initial period One-hop pair-wise key establishment Data encryption key establishment MAC (Message Authentication Code) key establishment Bidirectional hidden identity (HI) establishment Link table establishment

• for storing all keys and HIs

Afterwards One-hop communication by HI One-hop acknowledgement

• for avoiding packet loss problem

14/35ICC 2008

One-Hop Key Establishment PIKE is applied to set one-hop pairwise keys and random nonces PIKE assumes that O(n) pre-established pairwise keys have been set when n

sensors are deployed

Node 14 shares different pair-wise keys with each of Nodes 1* and *4.

Node 91 shares different pair-wise keys with each of Nodes 9* and *1.

Nodes 11 and 94 share distinct pairwise keys with 91 and 14: Choose the “closer” node

15/35ICC 2008

One-Hop Key Establishment PIKE is applied to set one-hop pairwise keys and random

nonces

Two more keys are then setData encryption key: K0AB-enc = H(KAB⊕C1), C1 is a constantMAC function key: K0AB-mac = H(KAB⊕C2), C2 is a constant

The two keys will change dynamicallyData encryption key: Ki+1AB-enc = H(KiAB-enc)MAC function key: Ki+1AB-mac = H(KiAB-mac)

PIKE

A

J

B

H

I

KAB, rn

KAB, rnKAB, rn

KAB, rn

Encrypted by KAI

Encrypted by KBI

rn: random nonce

Key reply

16/35ICC 2008

Hidden Identity Establishment His are bidirectional

HISeqAB = H(KAB ⊕ IDB ⊕ Seq * rn)

HISeqBA = H(KBA ⊕ IDA ⊕ Seq * rn)

A

ES

J

B

HIAB

HIBA

HIJA

HIAJ

HISA

HIAS

HIEA

HIAE

HI-inHI-out

17/35ICC 2008

One-hop communication by HI

HI0AB , DATA, MAC

link table of BID Seq HI-in HI-out Kenc Kmac

A 0 HI0AB HI0BA K0AB-enc K0AB-mac

C 0 HI0CB HI0BC K0BC-enc K0BC-mac

D 0 HI0DB HI0BD K0BD-enc K0BD-mac

E 0 HI0EB HI0BE K0BE-enc K0BE-mac

H 0 HI0HB HI0BH K0BH-enc K0BH-mac

It’s for me!!

A sends data to B

A

E

S

J

B

C

HD

Not for me!!

Not for me!!

Not for me!!

18/35ICC 2008

One-Hop Acknowledgement

To solve the packet loss problem

A B

Update link tableUpdate link table

HIAB , DATA

HIBA , ACK

HIAB , DATA

19/35ICC 2008

ACK Loss ACK loss problem

B updates sequence number and HI but A doesn’t Sequence numbers and HIs become different

Solution: storing last HI-in

A B

Update link table

Timeout!!!!It matches with

“last HI-in”

Update link table

Keep link table intact

HIAB , DATA

HIBA , ACK

20/35ICC 2008

Anonymous Multi-hop Path Routing Two more pseudonyms

HIPs (Hidden Identity for routing Path) are established for any possible source node and stored in HIP table for each path. (A path is represented by two end nodes of the path: the source node and the destination node.)

PathIDs are established and used in the routing table Two messages

Anonymous Path Routing Request (APR-REQ) Anonymous Path Routing Reply (APR-REP)

Two cases for the source and destination nodes With a pre-distributed pair-wise key

• Shown next Without pre-distributed pair-wise key

• Integrate PIKE into APR

21/35ICC 2008

Anonymous Multi-hop Path Routing with aPre-distributed Pair-wise Key Between S and D

HIP Source Key

… … …

HIPSD S KSD

HIP table of D

A C

E

S

J

B

H

D

M

K

F

G

I

HIPSD = H(KSD ID⊕ S ID⊕ D)

Flooding APR-REQ to the entire network

D is the destination!!

HIP Sour (Dest)

Key

… … …

HIPSD D KSD

HIP table of S

HIPSD, S

HIPSD, A

HIPSD, B

22/35ICC 2008

D sends APR-REP back to S

A C

ES

J

B

H

D

M

KI

PathIDSD

HIDB

HIBA

HIAS PathIDSD

PathIDSD

PathID Pre-hop Next-hop Sour (Dest)

PathIDSD B Null S


PathIDSD A D Null


PathIDSD Null A D


PathIDSD S B Null

Routing table of D

Routing table of B

Routing table of A

Routing table of S

Anonymous Multi-hop Path Routing with aPre-distributed Pair-wise Key Between S and D

23/35ICC 2008

Anonymous Data Forwarding S sends data to D

A C

ES

J

B

H

D

M

KI

PathIDSD

HIBD

HIAB

HISA PathIDSD

PathIDSD


PathIDSD B Null S


PathIDSD A D Null


PathIDSD Null A D


PathIDSD S B Null

Routing table of D

Routing table of B

Routing table of A

Routing table of S

It is from S!!!

HIDB

HIBA

HIAS

D sends data to S

24/35ICC 2008

Outline


25/35ICC 2008

Security Analysis

APR can resist the following attacks Traffic analysis attacks

• No node can identify the sender and receiver except the two communicating nodes

Forging attacks• If adversaries send a malicious packet with forged HI,

the packet will be accepted with probability 1/ 2h+m

– h is the length of HI

– m is the length of MAC

– A typical setting: h = 16 and m = 32

26/35ICC 2008

Security Analysis

Replay attacks• If adversaries use the legal packets sent before, every

packet will only be accepted by receiving node only once

Denial of service (DoS) attacks• Without correct HI, DoS attack packets will be ignored

directly

• APR can limit the damage caused by DoS attacks in a local area

27/35ICC 2008

Outline


28/35ICC 2008

Implementation

ImplementationSymmetric key algorithm: SkipjackOne-way hash function: SHA-1Message authentication code function: CBC-MACPlatform: Berkeley MICAz (128KB Program Flash and 4 KB SRAM ) with TinyOSAssumption: Some pre-distributed keys are stored in program flash.

29/35ICC 2008

Implementation Results

Memory FootprintRequired programming memory: 9436 bytesRequired SRAM size:

•Depended on network size and node density•50 bytes for an entry of the link table•8 bytes for an entry in routing table

30/35ICC 2008

Implementation Results

Computing Time

Transmission Time

Implementation Time (ms)

Data Encryption (Skipjack, 24Bytes) 1.51

Link Table Update 1.27

MAC Computing 0.81

Payload Length Time (ms)

24 Bytes 27.5

31/35ICC 2008

Implementation Results (Cont.)

Routing Time

0

100

200

300

400

500

600

700

2 3 4 5 6 7

Number of Hops

Rou

ting

Tim

e (m

s)

574.2 ms

32/35ICC 2008

0

200

400

600

800

1000

1200

25 50 75 100 125 150 175 200

Number of nodes

Ave

rage

siz

e of

HI ta

ble

per no

de (Byt

es)

EnvironmentTest field: 5R x 5R (R is the communication range)Number of nodes: 25~200Multi-hop communications per node: 5~20

Average link table size

1.1 Kbytes


33/35ICC 2008

Average routing table size

0

200

400

600

800

1000

1200

1400

1600

1800

25 50 75 100 125 150 175 200

Number of nodes

Ave

rage

rout

ing

tabl

e si

ze p

er n

ode

(Byt

es)

5 Multihop Neighbors10 Multihop Neighbors15 Multihop Neighbors20 Multihop Neighbors

1.6 Kbytes


34/35ICC 2008

0

200

400

600

800

1000

1200

1400

1600

1800

2000

25 50 75 100 125 150 175 200

Number of nodes

Ave

rage

mem

ory

over

head

of A

PR p

er n

ode

(Byt

es)

5 Multihop Neighbors




Average memory overhead for varying numbers of nodes

1.88 Kbytes1.72 Kbytes


route requestsper node

route requestsper node

35/35ICC 2008

Outline


36/35ICC 2008

Conclusion

In APR, data can be encrypted by pair-wise keys and transmitted with pseudonyms between neighboring sensor nodes (link level) between the source and destination nodes of a multi-hop

communication path (routing level)

APR can resist several types of attacks Traffic analysis attacks Forging attacks Replay attacks Denial of service (DoS) attacks

We have implemented APR on the sensor platform of MICAz with TinyOS To demonstrate APR’s applicability and communication capability

37/35ICC 2008

~ Thank you for your listening ~Q & A

38/35ICC 2008

Anonymous Multi-hop Communication – End-to-end Key Establishment

A C

ES

J

B

H

D

M

K

F

GI

M wants to communicate with D

KSD, rn

KSD, rn

KSD, rn

KSD, rn

Anonymous path from M to I

Anonymous path from I to D

39/35ICC 2008

Anonymous Path Routing (APR) Request with Key Reply Message

A C

ES

J

B

H

D

M

K

F

GI

D launch anonymous multi-hop path routing

HIPDM, D, Key reply

40/35ICC 2008

PathID Collision Problem

Case 1: Different Pre-hop nodesPre-hop nodes are differentForwarding node can choose proper node for forwardingEx.

•The packet with the PathID is 12 comes from L should be send to N•The packet with the PathID is 12 comes from K should be send to I


12 L N Null

12 K I NullI

F

K

N

L

Routing table of F

12

1212

12

41/35ICC 2008

PathID Collision Problem (Cont.)

P

O

R

Q


Original Change PathID

13 Q R Null true Null

13 Q P Null false 14

14 Q P Null false 13

Routing table of O

13

14

14

13

13

13

Case 2: Same Pre-hop node

42/35ICC 2008

PathID Collision Problem (Cont.)

P

O

R

Q

PathID Pre-hop Next-hop Dest (Sour) Original Change PathID

13 IDQ IDR Null True Null

13 IDQ IDP Null False 14

13 IDQ IDX Null False 15

14 IDQ IDP Null False 13

15 IDQ IDX Null False 13

Routing table of O

13

14

14

13

13

13

X

13

15

15

Back

Documents

Anonymous Path Routing Protocol in Wireless Sensor Networks Jang-Ping Sheu* §, Jehn-Ruey Jiang* and Ching Tu* National Central University* and National