Mitigating DoS Attacks against BroadcastAuthentication in Wireless Sensor Networks

Peng Ning, An LiuNorth Carolina State University

andWenliang Du

Syracuse University

Introduction

• Broadcast is an important communication primitive in wireless sensor networks.– Large number of sensor nodes– Limited signal range

• Two approached for broadcast authentication:– Public key based digital signature

[Gura et al. 2004] , Signature: 0.81s ---multiplication on a 160-bit EC.

Verification: 1.62s– uTESLA-based approaches

[Perrig et.al. 2000; 2001], provides broadcast authentication based on symmetric cryptography by delayed disclosure of authentication keys.• advantage: much more efficient and less resource

consuming;• disadvantage: cannot provide authentication immediately

after broadcast packets are received.

Problem

• Both of them are vulnerable to Denial of Service attacks, which is a fatal threat to sensor networks because of the limited and depletable battery power on sensor nodes.

Against signature-based broadcast authentication

• An attacker may simply forge a large number of broadcast messages with digital signatures, force sensor nodes to verify these signatures, and eventually deplete their battery power.

• Using MICAz, DoS attacker can consume the receiver’s energy in at least two steps.1. Receiving the packet; [CC2 2006], 0.25mJ2. Processing the packet and verifying the signature. 38.88mJ

Proposed Approach

• Basic idea : weak authenticator, can be efficiently verified and takes a amount of time to forge.

• Receiving a packet1.First, verifies the weak authenticator. if yes, go

to next;2.Second, performs the expensive signature

verification.

Cont.

• When digital signatures are used for broadcast authentication, a sensor node does not have to verify the digital signature if the weak authenticator cannot be verified.

• This approach is not a replacement of digital signatures but uses as an additional layer of protection to filter out forged broadcast packets so as to reduce the resource consumption due to DoS attacks.

Limitation

• powerful sender.• introduces sender-side delay.

One-Way Key Chains: A Strawman Approach

• K_i = F(K_{i+1}), F is hash function and 0<i<n-1• Assumption, every nodes know K_0.• i-th packet: index i, the message M_i, the broadcast

authenticator BA_i, the i-th weak authenticator K_i.

• Each receiver keeps the most recently authenticated weak authenticator K_j and the corresponding index j.

• Initially, j = 0 and K_j = K_0.• On receiving a packet with index i, each

receiver checks:1. The i-th packet has not been previously

authenticated.2. 2.

• Nice properties:– Each weak authenticator Ki can be easily verified by regular

sensor nodes.– Before the broadcast of the i-th packet, an attacker does not

have access to Ki, and thus cannot forge the weak authenticator (due to the one-way property of hash function F).

• Weak: A malicious node may exploit an observed weak authenticator to forge broadcast packets and the communication delay to forge broadcast packets. (wormhole)

Message Specific puzzles• Idea: to use cryptographic puzzles to reduce the

possibility that an attacker may exploit an observed weak authenticator to forge broadcast packets.

• 1. Sender(or an attacker) has to solve a cryptographic puzzle in order to generate a valid weak authenticator.

• 2. Puzzle solution is then used as the weak authenticator.• 3. A receiver can efficiently verify a weak authenticator.• 4. It take an attacker a substantial amount of time to

forge a weak authenticator.

Solution• Keyed message specific puzzles based on one-way key chains

(message specific puzzles)• Puzzle: Message, message index and broadcast authenticator• Add a previously undisclosed key in the one-way key chain to

prevent an attacker pre-compute a puzzle solution until such a key is released by the sender.

• On receiving a packet, any node can verify the puzzle solution.• As result, even if the key known by an attacker, it can not

immediately solve the puzzle for a forged packet, and thus cannot immediately launch DoS attacks.

Basic Construction

• 1. Sender generate a one way chain, K0,K1,…..,Kn,

and distributed K0 to all potential receivers. • 2. Ki is i-th key and used for the weak

authentication of the i-th broadcast packet.• 3. i-th message specific: The index i, the

message Mi, the broadcast authenticator BAi, and Ki.

Cont’

• Solution must satisfy the following two conditions:

Cont’

• Use puzzle key Ki and the puzzle solution P_i together as the weak authenticator for the i-th broadcast packet.

• Sender: Given the i-th broadcast message Mi, the sender first generates the broadcast authenticator BAi, retrieves the puzzle key Ki, and computes the puzzle solution Pi. The sender then broadcasts the packet with the payload i|Mi|BAi|Ki|Pi.

• Receiver: using F and K0 (or a previously verified puzzle key)

Minimizing Reuse of Forged Puzzle Solutions

• Problem: the attacker may compute only a few forged puzzle solutions, but force receivers to perform signature verifications or packet forwarding many times.

• Consider: puzzle solution is valid, but broadcast authenticator is NOT right.

• Receiver can identify a forged puzzle solution after verifying the signature in the packet.

• Keep a buffer at each node for broadcast packets with potentially forged puzzle solution

Analysis

• Cost of finding a puzzle solution• Given a puzzle strength l, the probability of

finding a puzzle solution within x trials is

• E{x} = 2^l

Choice of parameters

• l: the network designer should determine the value l through balancing the maximum delay the sender can tolerate before sending the broadcast packet and the risk of DoS attacks against signature verifications.

• m: The larger packet hash buffer a node has, the better it can minimize the reuse of forged puzzle solutions.

• we may set m = 50.• Based on the benchmark result for Crypto++

5.2.1 [Dai 2004], it takes about 3.766 seconds on average for a 2.1 GHz Pentium 4 processor to solve one puzzle if SHA-1 is used. Thus, this setting can force an attacker with such a machine to spend about 196 seconds on average (after finding 52 solutions) in order to have a chance to reuse a previously forged puzzle solution.

Implementation

• TinyECC, SHA-1, 64-bit Kn

Experimental Evaluation

• one laptop sender(connected to a MICAz mote through a programming board)

• thirty regular sensor node receivers

Computational Cost

Delay

Optimistic mode and pessimistic mode

• In the optimistic mode: a node rebroadcasts the packet locally once it verifies the weak authenticator.

• In the pessimistic mode, a node verifies both the weak authenticator and the signature, and rebroadcasts the packet only when both verifications pass.

• The switch between these two modes is determined by a detection metric N_f , w is a system parameter determined by the security policy.

• N_f represents the number of forged broadcast packets with valid weak authenticators but invalid signatures.