Security and Cooperation in Wireless Networks Georg-August University Göttingen Secure routing in multi-hop wireless networks (II) Secure routing in multi-hop

Security and Cooperation in Wireless NetworksSecurity and Cooperation in Wireless Networks Georg-August University Göttingen

Secure routing in multi-hop wireless Secure routing in multi-hop wireless networks (II)networks (II)

secured ad hoc secured ad hoc network routing network routing protocols;protocols;

routing security in routing security in sensor networks;sensor networks;

Georg-August University GöttingenSecure routing in multi-hop wireless networks

outline

1 Securing ad hoc network routing protocols2 Secure routing in sensor networks

2


Some secure ad hoc network routing protocols

how the countermeasures against security threats can be used in routing protocols to provide security?

Some secure routing protocols:– SRP (on-demand source routing)– Ariadne (on-demand source routing)– S-AODV (on-demand distance vector routing)

3


SRP (Secure Routing Protocol)

SRP: a secure variant of DSR

uses symmetric-key authentication (MACs)

– due to mobility, it is impractical to require that the source and the destination share keys with all intermediate nodes

– there’s only a shared key between the source and the destination

key management simplified an end-to-end authenticated exchange of routing control

information provided between the source and the destination• The integrity of the route request message is protected by a

MAC generated using the key shared between the source and the destination

• The intermediate nodes add their identity to the request message (they do not verify the MAC as they do not know the key with which the MAC was computed; and they do not add their own MACs to the message either)

4


SRP (Secure Routing Protocol)

• the MAC will be verified at the destination, if the verification is successful a reply message will be sent back through the reverse of the path obtained from the route request

• integrity of the reply message is ensured by another MAC generated by the destination using the same shared key.

• If the MAC is verified successfully by the source node, the route will be accepted to be used to transmit data packet.

An efficient secure routing protocol (only one MAC on the request and one MAC on the reply)

but does not prevent the manipulation of mutable information added by intermediate nodes (the list of IDs)– Doors open for some attacks: e.g. route diversion by modifying the

list of intermediate nodes on the reply packet– some of those attacks can be thwarted by secure neighbor

discovery protocols

5


SRP operation illustrated

6

A * : [RREQ, A, H, id, sn, macAH, ()]B * : [RREQ, A, H, id, sn, macAH, (B)]C * : [RREQ, A, H, id, sn, macAH, (C)]D * : [RREQ, A, H, id, sn, macAH, (D)]E * : [RREQ, A, H, id, sn, macAH, (E)]F * : [RREQ, A, H, id, sn, macAH, (E, F)]G * : [RREQ, A, H, id, sn, macAH, (D, G)]

H A : [RREP, A, H, id, sn, (E, F), macHA]

A

B

C

D

E

F

G

H

Message Authentication Code: macAH= K_AH{RREQ, A, H, id, sn}Sn: query sequence number maintained by the source and the sestination


Ariadne

Ariadne is another secured variant of DSR

it uses control message authentication to prevent modification and forgery of routing messages– The control message authentication in Ariadne can be based on

digital signatures, MACs or TESLA

Two differences to SRP: – in Ariadne not only do the source and the destination authenticate the

messages, but the intermediate nodes also authenticate the route requests– Ariadne uses per-hop hash to prevent removal of identifiers from the

accumulated route in the route request.

Ariadne with digital signatures is the simplest case among the mentioned variations.

7


Ariadne with digital signatures

8

A : hA = macAH( RREQ | A | H | id )A * : [ RREQ, A, H, id, hA, (), () ]

E : hE = H( E | hA )E * : [ RREQ, A, H, id, hE, (E), (sigE) ]

F : hF = H(F | hE)F * : [ RREQ, A, H, id, hF, (E, F), (sigE, sigF) ]

H A: [ RREP, H, A, (E, F), (sigE, sigF), sigH ] (sent via F and E)

• Example: A performs the route discovery to destination H.• The source node computes a MAC over the initial route request and

broadcasts the message • Each intermediate node hashes the received hash along with its ID (using a

publicly known one-way hash function); and computes a digital signature and inserts it to the request message (each signature is computed over the message fields preceding it)

• The signature is appended to the list of signatures of the intermediate nodes and the message is re-broadcast.

• Hash values computed in this way are called per-hop hash values

A

B

C

D

E

F

G

H


Ariadne with digital signatures

• When H receives the RREQ it would verify the MAC of the source and the per-hop hash values ---> if verified it would generate the RREP

• Every intermediate node passes the RREP to the next node without modifications

• Node A will verify the signatures of H and the intermediate nodes to accept the route returned by the reply

9


Ariadne with standard MACs

10

A : hA = macAH( RREQ | A | H | id )A * : [ RREQ, A, H, id, hA, (), () ]

E : hE = H( E | hA )E * : [ RREQ, A, H, id, hE, (E), (macEH) ]

F : hF = H(F | hE)F * : [ RREQ, A, H, id, hF, (E, F), (macEH, macFH) ]

H A : [ RREP, H, A, (E, F), macHA ]

• In Ariadne with standard MACs it is assumed that each intermediate node shares a key with the destination

• Each intermediate node generates a MAC using such a key

• Again per-hop hash mechanism is used to prevent removal of the MACs from the end of the packet by attackers

• The destination would verify the MACs and the hash values; if it is successful it will generate a RREP

A

B

C

D

E

F

G

H


Ariadne with standard MACs

• The RREP message includes the discovered path and a MAC value generated by the destination which will be verified by the source to authenticate the destination

• Note that the source can not authenticate the intermediate nodes and it must trust to the destination to have authenticated them correctly

• intermediate nodes can authenticate neither the RREQ nor the RREP

11


Symmetric-key broadcast authentication with TESLA MAC keys are consecutive elements in a one-way key chain:

– Kn Kn-1 … K0

– Ki = h(Ki+1)

TESLA protocol:– setup: K0 is sent to each node in an authentic way– time is divided into epochs– each message sent in epoch i is authenticated with key Ki

– Ki is disclosed in epoch i+d, where d is a system parameter– When Ki is disclosed it can be verified by checking h(Ki) = Ki-1 and then

the authentication can be verified

example:

12

K1 K2 K3 K4

P1 P2 P3 P4 P5 P6 P7 time

K1 K2 K3key disclosure schedule

K0


Ariadne with TESLA

Ariadne with TESLA is very similar to Ariadne with digital signatures, but instead of the signatures the intermediate nodes compute MACs on the route request with their current TESLA keys

assumptions:– each source-destination pair (S, D) shares a symmetric key KSD

– each node F (intermediate node) has a TESLA key chain KF,i

– each node knows an authentic TESLA key of every other nodes

route request (source S, destination D):– S authenticates the request with a MAC using KSD

– each intermediate node, F, appends a MAC computed with its current TESLA key

– D verifies the MAC of S– D verifies that the TESLA key used by F to generate its MAC has not

been disclosed yet

13


Ariadne with TESLA

route reply:• D generates a MAC using KSD

• each intermediate node delays the reply until it can disclose its TESLA key that was used to generate its MAC and then appends its TESLA key to the reply

• S verifies the MAC of D, and all the MACs of the intermediate nodes using their disclosed TESLA keys

Advantage: MACs can be calculated more efficiently than digital signatures (because of using symmetric cryptography)

Disadvantage: key disclosure delay of TESLA

14


Ariadne with TESLA

15

A *: [ RREQ, A, H, id, hA, (), () ]

E *: [ RREQ, A, H, id, hE, (E), (macKE,i) ]

F *: [ RREQ, A, H, id, hF, (E, F), (macKE,i, macKF,i

) ]

H F: [ RREP, H, A, (E, F), (macKE,i, macKF,i

), macHA, () ]

F E: [ RREP, H, A, (E, F), (macKE,i, macKF,i

), macHA, (KF,i) ]

E A: [ RREP, H, A, (E, F), (macKE,i, macKF,i

), macKHA, (KF,i, KE,i) ]

Example: A is going to discover a route to H A broadcasts the RREQ and each intermediate node (E and F

consequently) computes its MAC and the per-hop hash value appends them to the message

H would verify that the TESLA keys used have not been disclosed yet; then it will verify the per-hop hash values of intermediate nodes

If verifications are successful, a RREP will be sent back by H over the discovered route, A-E-F-H.

A

B

C

D

E

F

G

H


Ariadne with TESLA

F waits until it can disclose KF,I and then appends the key to the RREP before passing it to E (who will do the same).

A will authenticate the intermediate nodes by verifying their MAC values using the keys KF,I and KF,I, and also authenticates the MAC generated by H to accept the route.

16


SAODV (Secure AODV)

SAODV: a secure variant of AODV– Provides authenticity, and integrity of routing messages and prevents the

manipulation of hop-count information

non-mutable information on the routing messages (including the IDs and the sequence numbers of the sender and the receiver) is protected with a digital signature (of the originator of the RREQ or the RREP packets)

uses hash chains for the protection of the HopCount value

new non-mutable fields (added to AODV routing packets):– MaxHopCount (= TTL (Time To Live): max number of hops that the

packet can go)

– TopHash new mutable field:

– Hash (contains the current hash value corresponding to the HopCount value)

17


SAODV (Secure AODV)

operation– When a node initiates a routing message, it would set:

• the Hash field to a random seed value • the HopCount field to zero • the MaxHopCount field to TTL value • The TopHash field to the iterative hash of the random seed for

MaxHopCount times

– each time a node increases HopCount, it also replaces Hash with H(Hash)

– verification of the HopCount is done by hashing the Hash field (MaxHopCount-HopCount) times and checking if the result matches TopHash

– If the attacker decreases the HopCount the above verification would fail and therefore the manipulation will be realized by the intermediate node

• But the attacker still can do the following attack:– Passing the message without increasing the HopCount value and

without updating the hash field18

Georg-August University GöttingenSecure routing in multi-hop wireless networks 19

Provable security for ad hoc network routing protocols the security of the “secure” routing protocols needs

to be analyzed to ensure they are free of flaws

It has been done mainly by informal means

informal reasoning about security protocols is prone to errors– some attacks have been found against Ariadne and S-AODV

To prove the security of protocols one needs more assurances– mathematical models– precise definitions– sound proof techniques

Georg-August University GöttingenSecure routing in multi-hop wireless networks 20

Elements of such a framework

– Network model• multi-hop communication and the broadcast nature of radio

channels are explicitly modeled using a graph (each vertex models a node and each edge models the link between two node who can hear each other)

– Adversary model• The abilities and the power of the adversary (computational power,

ability to capture nods, etc.)

– Configuration• Includes the network graph, the set of adversarial nodes,

labeling of the nodes with identifiers, assignments of costs to the nodes and the links

– Correctness criteria• Secure routing: e.g. only ‘existing’ routes are returned by

the protocol


Elements of such a framework

– Dynamic representation of the system• real-world model

– describes the behavior of the real system

• ideal-world model– How the system should work ideally

– Formal definition of security• Once the models are defined, the goal is to prove that for any

real-world adversary there exists an ideal-world adversary that can achieve essentially the same effects in the ideal-world model as those achieved by the real-world adversary in the real-world model.

– The existence of such a proof means no attack could be possible in real-world model, because otherwise it should be possible in the ideal-world model too (which is by definition impossible).

21


outline

1 Securing ad hoc network routing protocols2 Secure routing in sensor networks

22


Secure routing in sensor networks

multi-hop communications:– Increased network lifetime -- > crucial to sensor networks– Problem of secure routing:

• Nodes must rely on each other to send their packets to others

The security issues in wireless sensor networks are similar to the ones of ad hoc networks– There is more emphasis on resource constraints (power,

memory size, CPU speed) in sensor networks– Such differences are likely to persist in future to keep the

price of sensor nodes very low

23


How are sensor networks different from MANETs? communication patterns

– sensors to base station (many-to-one)– base station to sensors (one-to-many)

limited mobility– sensor nodes are mainly static– topology can change due to node and link failures

resource constraints– sensor nodes are much more constrained in terms of

resources

infrastructure support– the base station can act as a trusted entity

24


Sensor routing protocols: TinyOS beaconing

25

base station(sink)

sensor

• A topology-based routing protocol for sensor networks, but insecure.

• A routing tree is established rooted at the base-station.

• The data packets are sent between the base-station and the nodes on the tree.

• The tree is established using route update messages (beacon messages) which are broadcast by the sink.

• A node receiving the route update message for the first time sets the neighbor, who is receiving the message from, as its parent.


Authenticated TinyOS beaconing

since beacon messages are not authenticated, an adversary can initiate the route update process and become the root of the established tree

to prevent this, the base station should authenticate the beacons– needs broadcast authentication– due to resource constraints, symmetric key crypto should be

used– a possible solution is TESLA

this does not entirely solve the problem …

26


Authenticated TinyOS beaconing

A more subtle attack:– intermediate nodes are not authenticated– an adversary can use spoofing to create a routing loop:

• The adversary resides near node u• V is a neighbor of u which is further away from the sink than u itself• The attacker re-broadcasts the beacons in the name of v and therefore u

sets v as its parent.• Later, when u re-broadcasts the beacon v will set u as its parent.• Result: a routing loop is created :

– The resources of the nodes on the loop will be exhausted– Some packets will never arrive at the sink

27

adversary

u

v

in the name of vroute update


IGF (Implicit Geographic Forwarding)

Advantage of position-based routing protocols:– No routing state is required to be maintained by the nodes

• Less overhead than topology-based routing protocols (suitable for sensor networks)

• also more resistance against attacks aiming at creating incorrect routing states

One example is Implicit Geographic Forwarding (IGF) routing protocol

28


IGF (Implicit Geographic Forwarding)

position-based routing integrated with the RTS/CTS handshake of the MAC layer

when u wants to send a packet, it broadcasts an RTS – contains the position of u and that of the destination

neighbors in the 60o sextant set their CTS timer inversely proportional to the weighted sum to their distance from u, remaining energy, and their distance to the line between u and the destination– most desirable next hop will send CTS first

all other nodes hear the first CTS and cancel their timers

29

60 ou

candidate forwarders


Securing IGF

an adversarial node can send CTS immediately and become the next hop– Solution: nodes do not cancel their CTS timers

• u waits until more neighbors send CTS, and selects the next hop randomly

an adversary can spoof node IDs and appear with multiple identifiers to increase her chances to be selected as the next hop (sybil attack)– Solution: neighbors should be authenticated and next hop

should be selected from the set of authenticated neighbors

an insider adversary can still use her compromised identifiers– Solution: monitoring the behavior of neighbors

• those that often fail to forward packets should not be selected as next hop (e.g. assigning trust values)

30


Summary

routing is a fundamental function in networking, hence, an ideal target for attacks

attacks against routing aim at– increasing adversarial control over the communications between

some nodes;– degrading the quality of the service provided by the network;– increasing the resource consumption of some nodes (e.g., CPU,

memory, or energy)

many attacks (but not all!) can be prevented by authenticating routing control messages

it is difficult to protect the mutable parts of control messages

several secured ad hoc and sensor network routing protocols have been proposed which protect the network against security threats to some extent.

31

Documents

Security and Cooperation in Wireless Networks Georg-August University Göttingen Secure routing in multi-hop wireless networks (II) Secure routing in multi-hop