Wireless Sensor Networks
Security and Privacy
Professor Jack Stankovic
Department of Computer Science
University of Virginia

Security
• Complex, many aspects to consider
• Opportunity to address this properly – from the start!
• New (severe) constraints (memory, bandwidth, cpu processing speeds, power, …)
  – Lightweight solutions required
    • Symmetric cryptography (asymmetric crypto is probably too expensive)
    • Digital signature – 300 bytes/packet

Question
• If, for some reason, WSNs did not have the significant impact we have been projecting, what might those reasons be?
  – Poor security – easy to make systems ineffective/unreliable
  – Privacy policy – laws that state that thou shall not deploy WSNs in public places

Question
• Is it possible to build a secure WSN?
• VigilNet – 40 services (each can be attacked)
  – Solutions for each won’t fit
• Weaker guarantees and evolve

VigilNet Architecture

Outline
• Basic Problems
• Routing Problems
  – Solutions
    • SPINS
• Denial of Service
• Privacy
• Summary

Basic Problems
• Vulnerability of channels (eavesdrop and inject fake messages)
• Vulnerability of nodes (capture, modify messages, re-route) (or add new nodes)
• Absence of infrastructure (e.g., no centralized certification authorities)
• Dynamically changing topology (difficult to distinguish between dynamics and attacks)
• Minimum capacity devices
  – Drain batteries
• Real-Time – slow packets down

Basic Problems
• Most existing solutions are too costly
  – Digital signatures – add as much as 300 bytes/packet
  – Asymmetric crypto adds large variables and large memory costs, etc.
• Don’t handle broadcasting type operations

Communication Scenarios
• Confidentiality (eavesdrop)
[Figure: Adversary, Node1, Node2, Base Station, Msg]
Eavesdropping is Good for Debugging

Communication Scenarios
• Integrity
[Figure: Adversary, Node1, Base Station, Msg1, Msg1’]

Communication Scenarios
• Authenticity
[Figure: Base Station, Adversary, Node 1 to Node 4; labels: “I am the Base Station”, “Reprogram system”, “Reset system parameters”]

Security Assumptions
• Trust and Key Management
  – Trust base station and oneself
  – Symmetric Keys
    • Active area of research – how to disseminate private keys

Security Solutions
• Very difficult
• Fn(assumptions made)
  – E.g., attack model
• Themes for Security in WSN
  – Operate in the presence of security attacks
  – Self-heal
  – Evolve to new attacks

Routing - Threat Models and Security Goals
• Threat Model:
  – Mote-class vs. laptop-class adversaries
  – Insiders vs. outsiders
• Security Goals:
  – Authenticity: verifies the identity of the sender
  – Integrity: messages are not tampered with
  – Availability: messages are received by intended receivers
  – Confidentiality: no eavesdropping
• Insiders and laptop-class adversaries are difficult challenges

Routing - Network Assumptions
– Insecure Radio Links
– Eavesdropping, modifying bits, and packet replays
– Attacker has similar capabilities (HW, etc.)
– Except, Attacker may have high quality (long-range) communications
– Nodes can be “turned”
– Attacker controls > 1 node; collusion is possible
– Tamper resistant nodes are not realistic

Routing - Trust Requirements
– Base Stations are trustworthy
– Random key pre-distributions are valid
  • Initialization procedure prior to deployment
    – Global (pair-wise) key, pools of keys, etc.
  • Neighbor to neighbor key establishment after deployment
  • Note: Too expensive to involve base station on all transactions

WSN Routing Attacks
• Spoofing
• Selective Forwarding
• Blackhole/Sinkhole
• Sybil
• Wormholes
• HELLO Floods
Many routing protocols have been proposed, but few with security as a goal!
(consider all the ones we studied in this course)

Route Where?
• Each node to base station
• Nodes to aggregation points and then from aggregation point to base station
• Between 2 (n) nodes (peer to peer)
• Between 2 (n) areas
• Among all members of a (static / dynamic) group

Routing Attacks
[Figure legend: adversary, base station, sensor node, high quality wireless link]
Attacks: try to manipulate user/application data or affect the underlying routing topology (state information)

Attack: Bogus Routing Information
• Spoofed, altered, or relayed routing information causes problems
• Example: spoof routing table beacons or claim to be base station
  – Can attract traffic
[Figure: Attacker becomes part of routing tree]

Attacks: Selective Forwarding / Blackholes / Sinkholes
• Only forward a select few… drop / modify remaining packets
• Forward none – blackhole
• Sinkhole – lure all traffic through a compromised node; enables selective forwarding

Attack: Sybil attack
• An adversary may present multiple identities to other nodes
• FT implications: routes believed to be using disjoint nodes could be using a single adversary
  – E.g., an attacker node could provide multiple geographic locations to pretend to be in more than 1 place at a time
[Figure: locations A and B; label: “I am at A and B”]

Attack: Wormholes
• Tunnel packets received in one part of the network and replay them in a different part
• Two distant malicious nodes collude to understate their distance from each other by relaying packets along a private channel between them
• Enables other attacks – confuses topology

Attack: HELLO floods
• Hello packets to announce presence of a node
• Assumption: the sender of a received packet is within normal radio range
• False! A powerful transmitter could reach the entire network
• Disrupts routing paths

Recall - SPEED
• SPEED: A Semi-Stateless Protocol for Real-Time Communication in Sensor Networks. Uses neighbor tables
[Figure labels: Strong Back-Pressure (Congestion); Area Anycast; Multicast]

SPEED
[Figure: example network with a Source, a Destination and a Packet being forwarded; Node 5's NT (neighbor table) with ID and Delay columns]
Attack – change table

RAP
• RAP: A Real-Time Communication Architecture for Large-Scale Wireless Sensor Networks.
[Figure labels: Packets with Different Velocities; Respecting Deadlines and Priorities]
Attack – change velocity; different order of delivery

SPEED and RAP: Routing Security Analysis
• Convince nodes to change their state tables (delay, source, destination, distance, deadlines, velocities).
• Flood network with high velocity packets (i.e. short deadlines or large distances).
• Change the radius of the last mile process.
• Local forwarding decisions allow some types of attacks to not be noticed. Example: a destination that is “beyond” the edge of the network.
• Just lower the velocity of a packet which will end up missing its deadline later and will be dropped.

Solution - SPINS
• Suite of security protocols optimized for sensor networks
• Practical on minimal hardware
  – Memory constraints
  – Energy constraints
  – CPU constraints
• Can be used for building higher level protocols, like secure routing

Definition
• Secure Channel: a communication channel that offers
  – Confidentiality
    • no eavesdropping
  – Data authentication
    • you know who sent message
  – Integrity
    • data not changed
  – Data freshness
    • Weak – correct order
    • Strong – recent in terms of time

SPINS: 2 Building Blocks
• SNEP (Sensor-Network Encryption Protocol)
  – Encryption Protocol
    • Data confidentiality and integrity
  – Secure point-to-point communication
    • 2-party authentication
  – Data freshness (adversary can’t replay old messages)
• µTESLA (Micro Timed Efficient Stream Loss-tolerant Authentication)
  – Provides streaming broadcast authentication

Typical Cost
• Authenticated Broadcast
  – Asymmetric digital signature
    • Up to 50-1000 bytes (of overhead) per packet
• Need a different solution

System Assumptions
• Communication patterns
  – Frequent node-base station exchanges
  – Frequent network flooding from base
  – Node-node interactions infrequent (not including multi-hop routing relays)
• Base station
  – Sufficient memory, power
  – Shares secret key with each node
• Node
  – Limited resources, limited trust
  – Each node trusts itself

Design
• Asymmetric cryptography is too expensive
• Use symmetric cryptography primitives
• A simple symmetric encryption function (RC5) provides:
  – Encryption & Decryption
  – Message Authentication Code (MAC)
  – Pseudorandom number generation
  – Hash Function
• Overhead is only 8 bytes per packet
• Use single block cipher (for code reuse)

Block Cipher: RC5
• Subset of RC5 with 40% reduction in code size
• Low memory requirements
• Cipher text is the same size as the original text
• They rejected AES and DES as too expensive
[Figure: Plaintext and Key enter the RC5 block cipher, which outputs Ciphertext]

Key Generation/Setup
• Nodes and base station share a master key (pre-deployment)
• Other keys are bootstrapped from the master key:
  – Encryption keys (different for each direction between 2 nodes)
  – Message Authentication code key (different for each direction)
  – Random number generator key
[Figure: Ctr and Master Key enter the RC5 Block Cipher, which outputs Key_MAC, Key_Encryption and Key_random]
F is a pseudo-Random function to generate keys

SNEP Encryption
• Encrypted-data = {D}<Key_encryption, counter>
• Counter is shared state – but not sent in message like usual solutions; maintained at each pair of nodes
• With the counter, even the same message is encrypted differently each time
• RC5 generates “random” data to XOR with message
[Figure: Counter and Key_Encryption enter the RC5 Block Cipher; the output is XORed (+) with P_j to give C_j]

SNEP Encryption
• Weak freshness guaranteed; counter must increase
• Decryption is identical
[Figure: encryption and decryption of block j+1, each running the RC5 Block Cipher on Counter+1 and XORing (+) the output with the data: P_j+1 to C_j+1, and back to P_j+1]

SNEP MAC
• Message Authentication Code = MAC(K_MAC, X)
• MAC uses Cipher Block Chaining (CBC)
• Every block of input affects output
[Figure: blocks X1, X2, X3 each pass through RC5 keyed with K_MAC, chained with XOR (+), producing the MAC]

Authentication, Confidentiality
• Without encryption on MSG, can have authentication only
• For encrypted messages, the counter is included in the MAC
• Counter in MAC prevents replays
[Figure: messages between Node A and Node B]
Msg, MAC(K_MAC, Msg)
{Msg}<K_encryption, Counter>, MAC(K_MAC, Counter || {Msg}<K_encryption, Counter>)

SPINS So Far
• SNEP
  – Encryption Protocol (RC5)
    • Data confidentiality and integrity
  – Secure point-to-point communication
    • 2-party authentication
    • MAC based on RC5
  – Data freshness (adversary can’t replay old messages)
    • Counters
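
The SNEP slides above (keys bootstrapped from a master key, counter-mode encryption with an unsent counter, and an 8-byte MAC over the counter and ciphertext) can be exercised end to end. This is an added example, not code from the lecture or from SPINS: HMAC-SHA256 stands in for the RC5-based function F, and the key labels, the `Endpoint` class and the sample message are assumptions.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the RC5-based pseudo-random function F.
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_keys(master: bytes) -> dict:
    # All keys are bootstrapped from the master key (labels are hypothetical).
    labels = ("enc_A_to_B", "mac_A_to_B", "enc_B_to_A", "mac_B_to_A", "random")
    return {label: prf(master, label.encode()) for label in labels}

def keystream(k_enc: bytes, counter: int, length: int) -> bytes:
    # Counter mode: encrypt the counter to get "random" data to XOR with the message.
    out, block = b"", 0
    while len(out) < length:
        out += prf(k_enc, counter.to_bytes(8, "big") + block.to_bytes(4, "big"))
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mac(k_mac: bytes, counter: int, ciphertext: bytes) -> bytes:
    # MAC(K_MAC, Counter || ciphertext), truncated to the 8 bytes sent per packet.
    return prf(k_mac, counter.to_bytes(8, "big") + ciphertext)[:8]

class Endpoint:
    """One end of a one-directional channel; the counter is local state, never sent."""
    def __init__(self, k_enc: bytes, k_mac: bytes):
        self.k_enc, self.k_mac, self.counter = k_enc, k_mac, 0

    def send(self, plaintext: bytes):
        ct = xor(plaintext, keystream(self.k_enc, self.counter, len(plaintext)))
        tag = mac(self.k_mac, self.counter, ct)
        self.counter += 1
        return ct, tag

    def receive(self, ct: bytes, tag: bytes):
        # A replayed or modified packet fails here because the MAC covers the counter.
        if not hmac.compare_digest(mac(self.k_mac, self.counter, ct), tag):
            return None
        plaintext = xor(ct, keystream(self.k_enc, self.counter, len(ct)))
        self.counter += 1
        return plaintext

def demo() -> dict:
    keys = derive_keys(b"constructed master key")   # constructed sample value
    node_a = Endpoint(keys["enc_A_to_B"], keys["mac_A_to_B"])
    node_b = Endpoint(keys["enc_A_to_B"], keys["mac_A_to_B"])
    first, second, third = (node_a.send(b"pulse=48") for _ in range(3))
    tampered = (bytes([third[0][0] ^ 1]) + third[0][1:], third[1])
    return {
        "same_plaintext_differs": first[0] != second[0],
        "first": node_b.receive(*first),
        "replay_of_first": node_b.receive(*first),
        "second": node_b.receive(*second),
        "tampered_third": node_b.receive(*tampered),
    }
```

If a packet is lost, the two counters in this sketch drift apart and every later MAC check fails; counter resynchronization is not covered by these slides.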

Broadcast Authentication
• Broadcast is basic communication mechanism
• Sender broadcasts data
• Each receiver verifies data origin
[Figure: Sender and receivers R1, R2, R3, R4, each receiving M]

TESLA Protocol
• TESLA: efficient source authentication in multicast for wired networks.
• µTESLA: broadcast authentication for WSNs.
  – TESLA is too expensive for WSN

TESLA Protocol
• Compare & Contrast (similarities)
  – Both require loose time sync. between BS and each node.
  – Both use a one-way hash function to produce a chain of secret keys in the sender, each key corresponding to a time interval at which the sender sends a packet.
  – Both maintain a key disclosure schedule known to both sender and receiver.
  – Receiver holds off the authentication of a packet until the required key is disclosed.

TESLA
• Compare & Contrast (differences)
  µTESLA removes or adapts the expensive features of TESLA:
  – Asymmetric digital signature is replaced by symmetric key
  – Frequency of key disclosure is greatly lessened
  – Only the Base Station stores the key chain
  – Inter-node communication is made possible by the Base Station

TESLA Overview
• Provides authenticated broadcast mechanism
• Must have an asymmetric mechanism to prevent forgery
• Why not use asymmetric digital signatures?
  – Expensive computation, storage, and communication
• Asymmetry: delayed key disclosure
  – Requires loosely synchronized clocks

Simple MAC Insecure for Broadcast
[Figure: Sender, R1 and R4, each holding key K; messages M, MAC(K,M) and M’, MAC(K,M’)]

Key Setup
• Main idea: One-way key chains
  – BS chooses K(n) – easy to compute K(n-1)
  – BS computes entire chain
• K0 is initial commitment to chain
• Base station gives K0 to all nodes
  – Nodes can’t compute K(1)
[Figure: key chain Kn, Kn-1, …, K1, K0 linked by F(Kn), …, F(K2), F(K1); the reverse direction is marked X]

Broadcast
• Divide time into intervals
• Associate Ki with interval i
• Messages sent in interval i use Ki in MAC
• Ki is revealed at time i + 
• Nodes authenticate Ki and messages using Ki
[Figure: timeline 0 1 2 3 4 with keys K0 K1 K2 K3 …; label: “K0 Revealed Here”]

Robustness to Packet Loss
[Figure: timeline from Time 1 to Time 5 with keys K0 to K5 and packets P1 to P5; labels: Revealing Key K0, F, F, Authenticate K3, Verify MACs]

TESLA Issues
• Important parameters: time interval, disclosure delay
• Delay must be greater than RTT to ensure integrity
• Parameters define maximum delay until messages can be processed
• Nodes must buffer broadcasts until key is disclosed
• Requires loose time synchronization in network
• Base station commits to maximum number of broadcasts when forming chain
  – When current chain is exhausted, all nodes must be bootstrapped with a new one
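
Added example (not from the lecture or the SPINS code) of the receiver side of the key chain, delayed disclosure, buffering and packet-loss slides above. SHA-256 replaces the one-way function F, a disclosure delay of 2 intervals is assumed, and the `Node` class, packet contents and seed are constructed.

```python
import hashlib
import hmac

DELAY = 2  # constructed parameter: K_i is disclosed DELAY intervals after interval i

def F(key: bytes) -> bytes:
    # One-way function of the key chain (assumption: SHA-256 instead of an RC5-based F).
    return hashlib.sha256(key).digest()

def make_chain(k_n: bytes, n: int) -> list:
    # The base station picks K_n and computes K_{i-1} = F(K_i); chain[i] is K_i.
    chain = [k_n]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Node:
    def __init__(self, k0: bytes):
        self.trusted_i, self.trusted_key = 0, k0   # K0 commitment from the base station
        self.buffer, self.accepted = [], []

    def on_packet(self, now: int, interval: int, msg: bytes, tag: bytes) -> bool:
        # Security condition: once K_interval may be public, its MAC proves nothing.
        if now >= interval + DELAY:
            return False
        self.buffer.append((interval, msg, tag))
        return True

    def on_disclosure(self, i: int, key: bytes) -> bool:
        # Walk K_i back with F until the last authenticated key is reached; the
        # keys passed on the way cover intervals whose disclosure was lost.
        keys, k = {}, key
        for j in range(i, self.trusted_i, -1):
            keys[j] = k
            k = F(k)
        if not keys or k != self.trusted_key:
            return False
        self.trusted_i, self.trusted_key = i, key
        still_waiting = [p for p in self.buffer if p[0] not in keys]
        for interval, msg, tag in self.buffer:
            if interval in keys and hmac.compare_digest(mac(keys[interval], msg), tag):
                self.accepted.append(msg)
        self.buffer = still_waiting
        return True

def demo() -> dict:
    chain = make_chain(b"constructed K_n", 5)   # constructed sample value
    node = Node(chain[0])
    out = {"p1": node.on_packet(1, 1, b"P1", mac(chain[1], b"P1")),
           "p2": node.on_packet(2, 2, b"P2", mac(chain[2], b"P2")),
           "forged": node.on_packet(2, 2, b"forged", bytes(8)),
           "late": node.on_packet(3, 1, b"late", mac(chain[1], b"late")),
           "bogus_key": node.on_disclosure(2, b"not on the chain"),
           "k2": node.on_disclosure(2, chain[2])}  # K1's disclosure was lost
    return {**out, "accepted": node.accepted}
```

The forged packet is buffered like any other and only discarded when K2 arrives, which is why buffer space and the disclosure delay are the parameters the slide singles out.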

Evaluation (Memory)

Evaluation (Execution Time)
• 2.5 ms to encrypt a 16 byte message
• 18 ms to deal with broadcast authentication

Evaluation (Energy cost)
• Total cost to send a message
• Highest overhead is from transmission of 8-byte MAC per packet

Authenticated Routing
• Simple “Breadth-first search” routing algorithm
• Routing scheme assumes bidirectional communication
• Base station periodically broadcasts beacon
[Figure: network with base station (BS)]

Authenticated Routing
• First reception of authenticated beacon during current routing interval defines “parent”
• At reception of a beacon, if it’s fresh then accept sender as its parent in the route and broadcast another beacon with the node’s id as sender id
[Figure: network with base station (BS)]

Authenticated Routing
• Attacker cannot re-route any link – won’t authenticate
[Figure: network with base station (BS)]

Authenticated Routing
• Final tree
[Figure: network with base station (BS)]

SPINS Summary
• Focus on WSN communication patterns
• Meet severe energy, time, memory constraints
• Time synchronized network
• Pre-loaded master keys
• Basic techniques to be used in other protocols

Denial of Service
Ref: Denial of Service in Sensor Networks; Wood & Stankovic

The Jamming Problem
• Jamming disrupts communication around the source
• Expensive to prevent—but can detect it

Solution Summary
[Figure: J and Jammed area; labels: Edge nodes blindly report jamming; Inner nodes sleep; Outer nodes map collaboratively]

Jam Detection
• Highly decentralized algorithm:
  – Loose group semantics, eager eavesdropping, supremacy of local information, robustness to packet loss and failure
  – Does not consider other security attacks

A Mapping Service
• Map jammed-area and export to other modules
• Possibilities for using this information:
  – Report jammed area to base station
    • Send in vehicle
  – Route around jammed area
  – Lower duty-cycle to save energy
  – Redirect any queries to services in jammed area
  – Expose area as programmer-accessible entity

Summary - Security
• Solutions from the start (too late?)
• Lightweight solutions required
• System must operate in presence of faults AND attacks
• Framework needed for security updates as attacks evolve over time

Summary - Security
• Define new trust models
• Key distribution schemes (static and dynamic)
• Routing, secure groups, denial of service, localization, …
• Can solutions exploit
  – Physical properties?
    • Directional antennas, time validity intervals of data, velocity, …
  – Density?
  – Redundancy?
  – HW?

Medical System Architecture
[Figure: Internet, PDAs, Nurses Stations]

Smart Living Health Spaces

Motivation
• What is privacy?
  – “The claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” – Alan Westin
• WSN in healthcare

Many Stakeholders
• Patients
• Patients’ family and friends
• Doctors
• Nurses
• Technicians
• Orderlies
• Admin
• Social Workers

Privacy
• Very complex, dynamic
• Differs for different countries, people, etc.
• Build into WSN at start
• Filters
  – Example: only transmit aggregated information about people in an area not ID based information
• Showstopper?

Authorization Framework
[Figure: components: Request Authorizer, Privacy Policy, Policy Manager, Context Manager, Context, Data mining analysis, Request History, Database, Inconsistency Check; flows: User’s Request, Reply, Ask for data, Change policy]

Request Expressions
• Mandatory:
  – <Request Subject>
  – <Data Subject>
  – <Data>
  – <Action>
• Optional:
  – [Aggregate Function]
  – [Time]
  – [Place]
  – [Conditions]
  – [Set Values]
• Example: Nurse N1 requests to read pulse of patient P1 for 30 minutes if P1’s pulse is lower than 50 bpm
  N1 read (P1,pulse) [t1,t1+30] if (P1,pulse) < 50
[Slide annotations listing possible values:]
Roles, UserID, roomID, floorID
Read, write, delete, add, set
EKG, pulse, motion, light, temp, activity
max, min, avg
single time t, periodic [t1,t2]
Bed, room, floor
=, >, <, >=, <=, <>
single value, range

Policy Components
– Request Subject
– Rule: (action, ruling, context)
– Data Subject
– Data
– Examples:
  • Doctor (read, allow, critical condition) (patient, activity data) – Role policy
  • DoctorX (read, deny) (patient, activity data) – Individual policy

Representation
• Directed Acyclic Graph
  – Nodes:
    • Individual user
    • Role
    • Data
  – Edges:
    • Inheritance
    • Data association
    • Rule: (action, ruling, context)

Privacy Policy Representation - Example
[Figure: policy graph with nodes U: User1, U: User2, U: User3, U: User4, R: Doctor, R: Patient, D: Cardio, D: PII and a <rule> edge]

Policy Inconsistency Types
• Syntax inconsistency
• Semantic inconsistency
  – Multiple-role
  – Role vs. individual policy
  – Multiple rule instances
[Figure: nodes User, Role 1, Role 2, Data; edges Is-a, Is-a, <rule 1>, <rule 2>, <rule 3>]

Inconsistency Detection Example
[Figure: nodes User, Role t, Role s, Data; edges <rule 3>, <rule 4>]
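
One way to run the semantic inconsistency check over the policy graph described above, as an added example that is not part of the lecture. The Doctor and DoctorX rules come from the Policy Components slide; NurseY, its roles and the remaining rules are constructed, and the mapping of conflicts onto the three inconsistency types, as well as flagging opposite rulings regardless of context, are assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed policy graph. IS_A holds the inheritance edges (user or role -> roles).
IS_A = {"DoctorX": ["Doctor"], "NurseY": ["Nurse", "Technician"]}
# Rule edges: (request subject, action, ruling, context, data subject, data)
RULES = [
    ("Doctor", "read", "allow", "critical condition", "patient", "activity data"),
    ("DoctorX", "read", "deny", None, "patient", "activity data"),
    ("Nurse", "read", "allow", None, "patient", "pulse"),
    ("Technician", "read", "deny", None, "patient", "pulse"),
    ("Nurse", "read", "allow", None, "patient", "EKG"),
]

def inherited_roles(subject: str) -> list:
    # Every role reachable over is-a edges; `seen` keeps shared ancestors unique.
    seen, stack = [], list(IS_A.get(subject, []))
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.append(role)
            stack.extend(IS_A.get(role, []))
    return seen

def find_inconsistencies(user: str) -> list:
    # Collect the rules that reach this user directly or through a role,
    # grouped by what they govern, then report pairs with opposite rulings.
    subjects = [user] + inherited_roles(user)
    by_target = defaultdict(list)
    for subject, action, ruling, _context, data_subject, data in RULES:
        if subject in subjects:
            by_target[(action, data_subject, data)].append((subject, ruling))
    found = []
    for target, rules in by_target.items():
        for (s1, r1), (s2, r2) in combinations(rules, 2):
            if r1 == r2:
                continue
            if s1 == s2:
                kind = "multiple rule instances"
            elif user in (s1, s2):
                kind = "role vs. individual policy"
            else:
                kind = "multiple-role"
            found.append((kind, target, s1, s2))
    return found
```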

Privacy
• Added requirements for WSN
  – WSN specific
    • Lightweight and Integrated Solutions
  – Highly dynamic
    • Alarms
    • Override when necessary
  – Highly distributed access and data creation
  – Data is transient
  – Notion of inanimate objects

Possible Approach
• Privacy filters
  – Collect what is needed; no more
    • Blurring
    • Reactive to critical situations
  – Real-Time Privacy
• WSN-Privacy Language
• Consistency checks (at different levels of granularity, at different times)
• Across enterprise trust domains

Summary - Research Q.
• How do we compose untrustworthy entities into a trustworthy aggregation
  – And how to maintain this trust as topology changes
• Lightweight key management
• Routing, denial of service, intrusion detection, authentication, localization, etc.
• Adaptive security and privacy service