CCSP 8 Dec 2003 1

Securing Wireless Sensor NetworksCCSP Seminar

8 December 2003

David Evansevans@cs.virginia.edu

http://www.cs.virginia.edu/evans/talks/ccsp

Department of Computer Science

University of Virginia

CCSP 8 Dec 2003 2

Two Talks for the Price of One!

• 5000 years of cryptography – Symmetric Ciphers– Asymmetric Ciphers

• Securing Wireless Sensor Networks– Key Distribution– Data Aggregation– Wormhole Attacks and Defenses

CCSP 8 Dec 2003 3

Terminology

Encrypt DecryptPlaintextCiphertext

Plaintext

Alice Bob

Eve

Insecure Channel

C = E(P)P = D(C)E must be invertible: P = D (E (P))

CCSP 8 Dec 2003 4

Encrypt DecryptPlaintextCiphertext

Plaintext

Alice Bob

Insecure Channel

C = E(P, K)P = D(C, K)

K K

“The enemy knows the system being used.”

Claude Shannon

Eve

CCSP 8 Dec 2003 5

Jefferson’s Wheel Cipher

Key: the order of wheels on the spindle

CCSP 8 Dec 2003 6

http://monticello.org/jefferson/wheelcipher

Applet on Monticello’s web site by CS201J students: Matt Spear, “Boyd” Worawannotai, Edward Mitchell

(Note: not for use on nuclear secrets!)

CCSP 8 Dec 2003 7

Jefferson Wheel Cipher

• If used carefully, effectively unbreakable in Jefferson’s day – US army used very similar cipher in WWI

• “Easy” to break todayhttp://www.cs.virginia.edu/cs588/challenges/wheel-solved.html

A billion billion is a large number, but it’s not that large a number.

— Whitfield Diffie

CCSP 8 Dec 2003 8

Modern Symmetric Ciphers

• Same idea but:– Use digital logic instead of mechanical rotors– Larger keys– Encrypt blocks of letters at a time

• Good choice for most applications: AES (Rijndael)– Effectively unbreakable, minimal performance cost– 128 (“billion billion billion billion”) or 256 (“billion8”) bit

keys– No practical attacks better than brute force known (yet)

CCSP 8 Dec 2003 9

Problem with all Symmetric Ciphers

Encrypt DecryptPlaintextCiphertext

Plaintext

Alice BobEve

Insecure Channel

How do Alice and Bob agree on K (without Eve hearing it)?

K K

CCSP 8 Dec 2003 10

Padlocked Boxes

Alice

Hi!

CCSP 8 Dec 2003 11

Padlocked Boxes

Alice Hi!

Alice’s Padlock

Alice’s Padlock Key

CCSP 8 Dec 2003 12

Padlocked Boxes

Alice

Alice’s Padlock Key

Shady Sammy’s

Slimy Shipping Service

CCSP 8 Dec 2003 13

Padlocked Boxes

Alice

Hi!

Bob

Bob’s Padlock

Bob’s Padlock Key

Alice’s Padlock Key

CCSP 8 Dec 2003 14

Padlocked Boxes

Alice

Hi!

Bob

Bob’s Padlock Key

Alice’s Padlock Key

CCSP 8 Dec 2003 15

Padlocked Boxes

Alice

Hi!

Bob

Bob’s Padlock Key

Alice’s Padlock Key

CCSP 8 Dec 2003 16

Padlocked Boxes

Alice

Hi!

Bob

Bob’s Padlock Key

CCSP 8 Dec 2003 17

Padlocked Boxes

Alice

Hi!

Bob

Bob’s Padlock Key

Hi!

CCSP 8 Dec 2003 18

One-Way Functions• Easy to compute, hard to invert

• Trap-door one way function:– D (E (M)) = M– E and D are easy to compute.– Revealing E doesn’t reveal an easy way to

compute D.– Hence, anyone who knows E can encrypt, but

only someone who knows D can decrypt

CCSP 8 Dec 2003 19

RSA [Rivest, Shamir, Adelman 78]One-way function:

multiplication is easy, factoring is hardTrap-door: number theory (Euler and Fermat)

CCSP 8 Dec 2003 20

Public-Key Applications: Privacy

• Alice encrypts message to Bob using Bob’s Private Key

• Only Bob knows Bob’s Private Key only Bob can decrypt message

Encrypt DecryptPlaintextCiphertext

Plaintext

Alice Bob

Bob’s Public Key Bob’s Private Key

CCSP 8 Dec 2003 21

Signatures

• Bob knows it was from Alice, since only Alice knows Alice’s Private Key

• Non-repudiation: Alice can’t deny signing message (except by claiming her key was stolen!)

• Integrity: Bob can’t change message (doesn’t know Alice’s Private Key)

Encrypt DecryptPlaintext

SignedMessage

Plaintext

AliceBob

Alice’s Private Key Alice’s Public Key

CCSP 8 Dec 2003 22

Problems with RSA

• About 1000 times slower than symmetric algorithms– Just use RSA to transfer key, then use AES to

encrypt data

• Key size (and size of smallest message) must be large for security– 1024 bits ~ 128 bits for secret key

• Public key doesn’t need confidentiality, but does need integrity

CCSP 8 Dec 2003 23

Key Management

Everyone can know the public key, but to be useful must know it is the owner’s public key.

Alice

Encrypt DecryptPlaintextCiphertext

Plaintext

Bob’s Public Key Bob’s Private Key

Really Eve’s Public Key

Hi!

Alice’s Padlock Key

Really Eve’s Padlock

CCSP 8 Dec 2003 24

Securing Sensor Networks

CCSP 8 Dec 2003 25

Sensor Networks

Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly

High-power base station

CCSP 8 Dec 2003 26

Why security for sensor networks is hard

• Low power devices– Public-key algorithms use too much energy

• Limited device communication– Sending messages is extremely expensive

• Communication is wireless– All messages are vulnerable to

eavesdropping and forgery

• Individual devices easily compromised– Cheap hardware in hostile territory

CCSP 8 Dec 2003 27

Control Messages

Operator at base station controls behavior of sensor nodes

High-power base station

CCSP 8 Dec 2003 28

Rogue operator or compromised node should not be able to control behavior of other sensor nodes

High-power base station

CCSP 8 Dec 2003 29

Control Integrity• Needs asymmetry:

– Only base station can send out control messages– But, every node needs to understand them

• Traditional: Asymmetry of Information– Use public-key encryption:

• Send messages with base’s private key• Pre-load all nodes with base’s public key

– Too expensive: nodes would need to receive long messages and do public key decryptions

• Instead: asymmetry of time

CCSP 8 Dec 2003 30

Cryptographic Hash Chains

f f f x

f (x)f (f (x))f (f (f (x)))

Initially store: K0 = f4(x)K1 = f3(x)

verify f (K1) = K0

K2 = f2(x) verify f (K1) = K0

time

f is a one-wayfunction: easyto calculate f(x),but difficult toinvert f.

CCSP 8 Dec 2003 31

µTesla [Perrig, et. al., 2002]

• Initially: sensor nodes know K0 = fn(x) base station knows x

• Base station messages encrypted using K1 = fn-1(x)

• Nodes store and time stamp messages, but cannot decrypt them (yet)

• At time t1, base station broadcasts K1

• Nodes verify f (K1) = K0

• Nodes use K1 decrypt earlier messages• Nodes and base station must have loosely

synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed

CCSP 8 Dec 2003 32

Data Integrity

Only data from legitimate nodes should be accepted by the base station

High-power base station

CCSP 8 Dec 2003 33

Node Authentication

• Before deployment, establish a shared symmetric secret key between each node and base station: KNS

• Send readings with a MAC:RA | MAC (KAS, RA)

Assumes confidentiality of transmitted readings is not important. We are only concerned with integrity.

CCSP 8 Dec 2003 34

Authenticated Sensor Net

Each node transmits: N | RN | MAC (KNS, RN) Base station verifies MAC before accepting RN.

CCSP 8 Dec 2003 35

Data Aggregation

If you only care about average, max, etc., aggregate data inside the network instead of sending it to the base station.

CCSP 8 Dec 2003 36

Authenticated Data Aggregation

A

B

C

A | RA | MAC (KAS, RA)

B | RB | MAC (KBS, RB)C | Aggr (RA, RB) | MAC (KCS, Aggr (RA, RB))

CCSP 8 Dec 2003 37

Secure Aggregation

• Delayed Aggregation: Only aggregate messages after they have traveled one hop

• Delayed Authentication: Use µTesla variation to reveal children’s keys to parents to provide delayed authentication

Lingxuan Hu and David Evans. Secure Aggregation for Wireless Networks. Workshop on Security and Assurance in Ad hoc Networks. January, 2003.

CCSP 8 Dec 2003 38

Protocol Example

IDA | RA | MAC (KAi, RA)| IDB | RB | MAC (KBi, RB)

| MAC (KEi, Aggr (RA, RB))

IDB | RB | MAC (KBi, RB)

IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD))

IDA | RA | MAC (KAi, RA)

A B

C

D

E F

G

IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB)

| IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD)| MAC (KGi, Aggr (RA, RB, RC, RD))

KAi is the ith key in a µTesla key chain starting from KAS

CCSP 8 Dec 2003 39

IDA | RA | MAC (KAi, RA)| IDB | RB | MAC (KBi, RB)

| MAC (KEi, Aggr (RA, RB))

IDB | RB | MAC (KBi, RB)

IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD))

IDA | RA | MAC (KAi, RA)

AA BB

CC

DD

EE FF

GG

IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB)

| IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD)| MAC (KGi, Aggr (RA, RB, RC, RD))

HH

IDG | Aggr (Aggr (RA, RB), Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD)

| … (same from right side)| MAC (KHi, Aggr (RA, RB, RC, RD, . . . readings from right side))

CCSP 8 Dec 2003 40

Abridged Attack Analysis• Intruder Node (no key material)

– Cannot forge sensor readings: they will be detected when the base station reveals the node MAC keys

– Replay attacks ineffective: keys change, can only replay readings within this time period

• Compromised Node (all keys on one node)– Can lie about its own reading– But, cannot alter other nodes readings without

getting caught: aggregate will not match calculated aggregate at next level

CCSP 8 Dec 2003 41

Successful Attacks

• Compromised node selectively drops child readings– Nothing to prevent this (but unlikely to

change much without base station noticing)– Can use child snooping to catch it earlier

• Compromise two consecutive (parent and grandparent) nodes– Can forge readings for entire subtree

CCSP 8 Dec 2003 42

Communication Cost

0

100

200

300

400

500

600

700

800

340 1364 5460

No Aggregation

InsecureAggregationSecureAggregation

Sensor Nodes

Tot

al K

iloby

tes

Tra

nsm

itted

Sensor reading: 22 bytesMAC of message: 8 bytesIdeal binary network

Secure Aggregation requires about 3 times the amountof data transmission as Insecure Aggregation, but providesintegrity with < ½ the cost of no aggregation.

CCSP 8 Dec 2003 43

Summary• With our protocol, you can get

authenticated results without trusting your children at all, and trusting your parents and grandparents not to conspire together against you.

• Not trusting your children is reasonable (inexpensive)

• Not trusting your parents is expensive: requires over twice the resources of the insecure aggregation protocol

CCSP 8 Dec 2003 44

Routing Security

(Lingxuan Hu’s slide)

CCSP 8 Dec 2003 45

Wormhole Attack

• Tunnel packets received in one place of the network and replay them in another place

• The attacker needs no key material, just two transceivers!

CCSP 8 Dec 2003 46

Impact of Wormhole

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0 50 100 150 200 250 300 350 400 450 500

Fra

ctio

n of

Rou

tes

to B

ase

Sta

tion

Dis

rupt

ed

Position of Endpoint (x, x)

Base Station at Corner

Base Station at Center

CCSP 8 Dec 2003 47

Preventing Wormhole Attacks

• Know your neighbors• Physical Space

– Exploit knowledge about physical space

• Redundancy– Use cooperation to establish trust

• Physical properties– Speed of transmission limits time when

another node can hear it

CCSP 8 Dec 2003 48

Directional Antennas

Operation Modes: Omni and Directional

Lingxuan Hu and David Evans. Using Directional Antennas to Prevent Wormhole Attacks. Network and Distributed System Security Symposium (NDSS), Feb 2004.

CCSP 8 Dec 2003 49

Antenna Model

/3

1

2 3

4

5 6

Nodes orient themselves using a magnetic compass so zone 1 always faces East.

East

CCSP 8 Dec 2003 50

Directional Neighbor Discovery

A

1. A Region HELLO | IDA

Sent by all antenna elements (sweeping)2. N A IDN | EKNA (IDA | R | zone (N, A))

Sent by zone (N, A) elementR is a random nonce

3. A N R

N

1

2 3

4

5 6

zone (N, A)is the antennazone in whichN hears A

CCSP 8 Dec 2003 51

A B

zone (B, A) = 1zone (A, B) = 1

zone (x, y) should be opposite zone (y,x)A and B know they are not really neighbors

1

2 3

4

5

6

zone (N, A)is the antennazone in whichN hears A

Sophisticated Wormhole

A B

zone (A, B) = 1

zone (B, A) = 4

1

2 3

4

5

6

Wormhole can convince ~1/6 of node pairsthey are false neighbors

CCSP 8 Dec 2003 53

Verified Neighbor Discovery

• Wormhole can only trick nodes in particular locations

• Verify neighbors using other nodes

• Based on the direction from which you hear the verifier node, and it hears the announcer, can distinguish legitimate neighbor

CCSP 8 Dec 2003 54

Verifier Region

1. zone (B, A) zone (B, V) 2. zone (B, A) zone (V, A)3. zone (B, V) cannot be both adjacent to zone (B, A) and

adjacent to zone (V, A)

CCSP 8 Dec 2003 55

Lose some legitimate Neighbors

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

Link

s C

onne

cted

Rat

io

Node Distance (r)

Verified Protocol (Density=10)Verified Protocol (Density=3)Strict Protocol (Density=10)Strict Protocol (Density=3)

CCSP 8 Dec 2003 56

…but small effect on connectivity and routing

Omni density = 3, Directional Density = 9.7

0

50

100

150

200

250

300

350

400

450

500

0 50 100 150 200 250 300 350 400 450 500

y (m

eter

s)

x (meters)

0

1

2

3

4

5

6

7

8

9

10

4 6 8 10 12 14 16 18 20A

vera

ge P

ath

Leng

th

Omnidirectional Node Density

Trust Everythingl

Verified Neighbor Discovery Protocol

CCSP 8 Dec 2003 57

Summarywww.cs.virginia.edu/evans/talks/ccsp

• Morals:– Secure aggregation: don’t trust your

children, trust your parents and grandparents not to conspire against you

– Wormhole Defenses: know your neighbors, but don’t trust them unless your other neighbors do

• CRAB Seminar plug: CS851 Cryptography Applications

• Funding: NSF CAREER, NSF ITR