Secure Localization

Presented byEric Chen, Frank Mokaya, Yu Seung Kim

west.cmu.edu 1

April 19, 2011

Contents

• Introduction• SeRLoc: Robust Localization for

Wireless Sensor Networks - Frank• Distance Bounding in Noisy

Environments – Yu Seung• Secure Positioning in Wireless

Networks - Eric

west.cmu.edu2

Introduction

• Range-based algorithms– Estimating distance to landmarks

based on various physical properties (e.g., RSS, ToA, TDoA)

– Ex) Distance Bounding Protocol• Range-free algorithms

– Using coarser metrics to place bounds on candidate positions

– Ex) SeRLocwest.cmu.edu

3

SeRLoc: Robust Localization for Wireless Sensor Networks

Loukas Lazos and Radha Poovendran ACM Transactions on Sensor Networks 2005

Presented by Frank

west.cmu.edu 4

Secure Localization for WSNs• WSNs monitor important vulnerable

systems: buildings, disaster mgmt.– Sensors need to have accurate location info

• Because of hostile environment, WSNs are vulnerable to many threats– Wrong location info can mean a lost life e.g.

in disaster response scenario• In short: We need Secure Localization

– Ensure robust location estimation even in the presence of adversaries

What threats are you talking about?• External

– Replay Attacks: • worm-hole attack

– Node impersonation attacks:• Sybil attack

• Internal– Other Compromise of network entities

• Sensor and Locator node capture• Not addressed

– Phy layer attacks: Jamming– MAC layer attacks: DoS

Solution? SeRLoc: SEcure Range-Independent LOCalization

• SeRLOC features– Two- tier network architecture– Range-less location estimation– Decentralized implementation– Robustness against security threats

Locators (Li): Randomly deployed

Known Location, Orientation

(X1, Y1)

SeRLOC Overview & AssumptionsSensors (Si): Randomly deployed, unknown location r

RLocator range R

Beamwidth θ

θ

Sensor range r

(X2, Y2)

(X3, Y3)

Locator

Sensor

Li : Directional Antennas

Si : Omnidirectional Antennas

©Radha Poovendran Seattle, Washington

ROILocator Sensor

L1

L4

L3(0, 0)

sL3

What’s the Idea behind SeRLoc?

• Location data gathering:– Each Locator Li transmits

information that defines the sector Seci

• Search Area Identified: – Each Sensor Si defines a

region of interest for its location based on all Locators LHs heard by Si

©Radha Poovendran Seattle, Washington

SeRLoc – ROI computationGRID Score Table (GST)

Sensor Search Area 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 2 3 3 3 3 4 4 4 3 3 3 3 3 3 1 1 2 2 2 3 4 4 4 4 4 4 4 3 3 2 21 1 2 2 4 4 4 4 4 4 4 4 4 4 3 3 22 2 2 2 3 4 4 4 4 4 4 4 4 3 2 2 22 2 3 3 3 3 4 4 4 4 4 4 3 3 2 2 22 2 2 3 3 3 3 4 4 4 4 3 3 2 2 2 21 2 2 2 3 3 3 3 4 4 3 2 2 2 3 4 32 2 2 3 3 3 3 3 2 2 2 2 1 1 1 1 10 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0 0

ROI

©Radha Poovendran Seattle, Washington

• Majority vote: Points with highest score in search area define the ROI

• Location set S: S : (xest, yest ) = (1n

xgii=1

n

∑ , 1n

ygii=1

n

∑ )

Security Mechanisms in SeRLOC1. Encryption: ensures authenticity of locators

– All beacons from locators encrypted with symmetric key K0

– Sensors have symmetric pairwise keys KsLi, with locators Li

– Locators use master Key KLi to derive KsLi using a pseudorandom function h, & unique sensor IDs: KsLi = hKLi(IDs)

– Scalability? Expansion prospects?• Preload sensors with extra keys• Use secret quantity known only to admin. Use this

quantity to load new keys

Security Mechanisms in SeRLOC2. Locator ID authentication: Ensures malicious

sensors cant inject bogus info into network– Based on efficient collision-resistant one-way hash

chains to provide locator ID authentication– Each locator Li has password PWi derived by use of

hash function e.g. SHA1 s.t. • H(PWi) = H(PWj) if and only if PWi = PWj

– Each sensor preloaded with table of locator IDs and corresponding hash values Hn(PWi): n ->large no.

– Each beacon from Li includes hash value Hn-j(Pwi)– Jth rec’d beacon verified if

• H(Hn-j+1(PWi)) = Hn-j(PWi)– After verification hash counter incremented so as

to process only one beacon from Li per time

Threat Analysis• Wormhole attack (WH): messages at one end

of link tunneled and replayed at a target destination point

L1 L3

L2 L4 L6

L5

Wormhole link

• Attacker records beacons at 2 and replays them at 1 through wormhole

• Sensor at 1 misled to believe it can hear L1-L6

1

2

(WH) Detection and Defense• Single Message/sector per locator

property– all sector beacons tx’d simultaneously– Same but fresh hash used for auth.– As a result sensor accepts one msg/ Li– Hearing >1 sector from a locator means

that attack is underway– Multipath, imperfect sectorization

effects treated as attack

(WH) Detection and Defense• Communication Range constraint

property– Sensor cannot hear two locators Li, Lj :

{LHs} more than 2R apart. R is range of transmission of each locator

– Violation means attack is underway

Ai

Aj

Wormhole link

2R

Li LjR

R

RLL ji 2≤−

Threat Analysis• Sybil attack (SA): adversary fabricates legit

node IDs or impersonates multiple network entities. Essentially, globally shared key K0 compromised

• Once K0breached, attacker can:– Insert bogus location info into the network – attach an already published hash value from a

locator not heard by the sensor under attack, and encrypt it with the compromised K0

– Impersonate a higher number of locators than LHs and compromise majority voting scheme

Detection and Defense• Specify a threshold Lmax as the

maximum allowable number of locators heard by each sensor

• If a sensor hears more than Lmax locators, it assumes attack – Select Lmax so P(|LHs| ≥ Lmax) is low

and P(|LHs| > Lmax /2) is high• Sensor binds to Closest Locator using

Closest Locator Algorithm (CLA) to determine its position

Distance Bounding in Noisy Environments

Dave Singelee and Bart PreneelESAS ’07

Presented by Yu Seung

west.cmu.edu

18

Proximity Based Authentication

west.cmu.edu19

Distance Bounding Protocols

• Determining an upper bound on the distance between V and P

• Distance sources– RSS, AoA, ToF– Attacker can mislead the signal

strength by using directional antenna

west.cmu.edu20

Attacks Against DBP

• Mafia fraud attacks (a.k.a. relay attacks)– An intruder close to V can identify itself to V as P

west.cmu.edu21

• Terrorist fraud attacks– Collaboration between P and intruder

Design Principles of secure DBP

• P has to identify itself (ex. shared secret key)• To prevent mafia fraud attacks, DBP should

have a challenge-response protocol– the challenge should be unpredictable and the

response should depend on the challenge• To prevent terrorist fraud attacks,

– Using private (or symmetric key)– Using trusted hardware

• Communication process should be minimized

west.cmu.edu22

DBP by Brands and Chaum

• Proposed in EUROCRYPT ‘93

west.cmu.edu23

Start of rapid bit exchange

End of rapid bit exchange

verify commit

verify sign(m)

}1,0{ℜ∈im }1,0{ℜ∈iα

P V)||( 1 kmmcommit

iα

iβiii m⊕← αβ

)()_( 1 msigncommitopenkkm βαβα |||| 11 ←

kkm βαβα |||| 11 ←

MAD by Capkun et al.

• Mutual authentication protocol using DBP

• Both parties estimate an upper bound on the distance between themselves

west.cmu.edu24

RFID Protocol by Hancke and Kuhn

• Proposed in SecureComm 2005• Designed to cope with bit errors during

the fast bit exchanges• Useful in noisy environments such as RFID• For given the security parameter x and the

n fast bit exchanges, DBP succeeds if at least (n-x) of the responses are correct

west.cmu.edu25

RFID Protocol (cont.)

west.cmu.edu26

Noise Resilient MAD

• Combining the strengths of MAD and RFID– Mutual entity authentication– Resilient to bit errors during the exchange

• Exchanging all challenges and responses again on a slower channel with error correction with MAD too costly

• Instead, extends k bits to n bits based on ECC in initial phase and exchanges n bits

west.cmu.edu27

Noise Resilient MAD (cont.)

west.cmu.edu28

Performance Analysis

• An attacker has a major advantage when bit errors due to noise can appear

• Resilient MAD shows slightly lower FR ratio than Hancke and Kuhn’s DBP

west.cmu.edu29

Performance Analysis (cont.)

• Resilient MAD shows significantly lower FA ratio than Hancke and Kuhn’s DBP

west.cmu.edu30

Performance Analysis (cont.)

west.cmu.edu31

Secure Positioning in Wireless Networks

Srdjan Capkun and Jean-Pierre HubauxIEEE JSAC 2006

Presented by Eric

west.cmu.edu

32

Attack model

• External attackers and Internal attackers (compromised nodes)

• Node centric – asks public base stations for position

• Infrastructure centric - Infrastructure computes the location based on their mutual communication

Attacks - GPS

• GPS satellite simulators can spoof radio signals

• Civilian GPS receivers will accept the strongest signal

• This type of attack can be prevented, if we can authenticate the satellite (but we can’t)

Attack – Ultrasound positioning

• Ultrasound positioning systems measure the time of flight of ultrasound signals to determine a node’s location

• Vulnerabilities:- Wormhole attack- Replay attack

Attack – Radio Positioning

• Use received signal strength to infer the distance from transmitter

• Vulnerabilities:– Compromised node can reply with

fake signal strength– Replay attack

Verifiable Multilateration

• VM is a secure localization technique that is related to the following techniques

• Distance bounding techniques upper bounds the distance of one device to another (compromised) device

• Authenticated ranging protocols enable two honest and trusted parties to measure their mutual distance in an authenticated manner

Verifiable Multilateration

• Step 1: verifiers v1...vn perform distance bounding to u

• Step 2: computes the estimated distance (x, y) with the results from step 1

• Step 3:– d test: is (x,y) within the measurement error?– Point in triangle test: does (x,y) fall in a

triangle formed by at least one triplet of verifiers?

Cooperative positioning

• Deploying a large number of landmarks is difficult

• SPINE- Sensor nodes can be used to locate each other using a cooperative technique based on VM

Conclusion

• Range-free algorithm (SeRLoc)– Distributed algorithm– Sector antennas are required

• Range-based algorithm (Distance Bounding Protocols)

– Prevention of distance reduction– Hardware to support high precision is required– High synchronization among nodes is required

west.cmu.edu40

Questions?

west.cmu.edu 41

©Radha Poovendran

SeRLoc - Security mechanisms•Message Encryption: Messages encrypted with a symmetric key K0.•Beacon Format:

Locator’s coordinates Slopes of the sector

ID authentication

Shared symmetric key

Li : { (Xi, Yi) || (θi,1, θi,2) || (Hn-j(PWi)), j } K0

• Every sensor stores the values Hn(PWi) for all the locators.

• A sensor can authenticate all locators that are within its range

PWi H0(Pwi)H H1(Pwi) Hn(Pwi)H H H

one-way hash functionHash chain

Synchronization var