Secure Routing in Wireless Sensor Networks


SECURE ROUTING IN WIRELESS
SENSOR NETWORKS
Gayathri Venkataraman
Preeti Raghunath
AGENDA
 Sensor Networks
 Wireless Sensor Networks vs. Ad-Hoc Networks
 Sensor Network Security Challenges
 Attacks on Sensor Network routing
 Securing the Wireless Network
 Summary
Sensor Networks
A sensor network is composed of a large number of sensor
nodes that are densely deployed either inside the phenomenon
or close to it. Each of these sensor nodes collects data and transmits
it to the sink using special routing protocols. The sink may
communicate with the task manager over the Internet or by satellite [1].
Figure 1 Sensor nodes communication
Source : http://www.cdt.luth.se/babylon/snc/References/Akyildiz2002_SurveySensorNets_01024422.pdf
Retrieved August 22, 2003
What is a Sensor Network?
 Heterogeneous system that combines tiny
sensors and actuators with general purpose
computing elements.
 Sensor readings from multiple nodes can be
processed by one or more aggregation
points
Base Station
 Sensor Networks have one or more points
of centralized control called Base Stations.
 Base stations are either:
– Gateway to another network
– Data processing or storage center
– Access point for human interface.
Sensor Network Architecture
Base Stations
Aggregation
points
Sensor Nodes
Constraints of Wireless Sensor
Networks
 Sensor Networks are resource-starved when
it comes to:
– Computational power
– Memory
– Bandwidth
– Power
Sensor Networks vs. Ad Hoc
Networks
 An ad-hoc network supports routing between
any pair of nodes.
 Sensor Networks have a specialized
communication pattern:
– Many to One
– One to Many
– Local Communication
Security challenges in Wireless
Sensor networks (1 of 3)
 Network Assumptions:
– Radio links are not secure
– Attackers can deploy malicious nodes into the
network.
 Trust Requirements:
– Base Stations are trusted nodes
– Aggregation points may be trusted for certain
protocols
Security challenges in Wireless
Sensor networks (2 of 3)
 Threat models:
– Mote-class attackers: Sensor nodes are used for
attacks. A sensor can eavesdrop only on nodes in its vicinity.
– Laptop-class attackers: More sophisticated. Can
eavesdrop on or jam the entire network.
– Outsider attacks: Attacker has no special access to the
sensor network.
– Insider attacks: An authorized participant of the
network has gone bad by running malicious code.
Security challenges in Wireless
Sensor networks (3 of 3)
 Security Goals:
– Protection against eavesdropping is the
responsibility of the application layer, not of routing
algorithms.
– However, eavesdropping caused by abuse of
the routing protocol is the responsibility of
the routing protocols.
– Graceful degradation of the network in case of
an insider attack.
Attacks on Sensor Networks
(1 of 3)
 Spoofing: Altering, spoofing or replaying
routing information between nodes.
 Selective Forwarding: A malicious node does
not forward any packets, or forwards
packets selectively.
Attacks on Sensor Networks
(2 of 3)
 Sinkhole attack:
– Here the attacker’s goal is to lure all the traffic through
a compromised node
– Other nodes in the path have opportunities to tamper
with application data
 Sybil attack:
– A single node presents multiple identities.
 Wormholes:
– Attacker tunnels messages received in one part of the
network over a low-latency link and replays them in a
different part.
Attacks on Sensor Networks
(3 of 3)
 HELLO Flood attack: An attacker with
enough transmission power convinces
every node in the network that the attacker
is its neighbor.
 Acknowledgement spoofing:
– Link layer acknowledgements are spoofed to
convince the sender that a weak link is strong, or vice versa.
Attacks on Specific Routing Protocols
Gayathri Venkataraman
Special Routing Protocols! Why???
A typical mote has a 4 MHz processor, 128 KB of instruction
memory, 4 KB of RAM for data, and 512 KB of flash memory.
The whole device is powered by two AA batteries. Hence the
requirement for special routing protocols with:
•Less computation
•Less memory
•Simple
•No global identification like IP address
Challenges For Security
•The resource-starved nature of sensor networks poses a big
challenge for security.
•Public-key cryptography is very expensive.
•With only 4 KB of RAM, memory must be used carefully.
Directed Diffusion
•Is a data-centric routing protocol.
•Base stations flood interests for named data.
•Nodes able to satisfy the interest disseminate information along
the reverse path of interest propagation.
•Interests are initially transmitted at a lower rate.
•Base nodes reinforce the path where there is more data.
•Failed node paths are negatively reinforced.
Directed Diffusion
http://www2.parc.com/spl/members/zhao/stanfordcs428/readings/Networking/Estrin_mobicom00.pdf
Retrieved August 27, 2003
Attacks on Directed Diffusion
•Suppression
An attacker can suppress the flow of data by sending negative reinforcement.
•Cloning
An attacker can replay an interest from a legitimate base station.
•Path Influence
An attacker can influence the path taken by a data flow by spoofing
positive and negative reinforcements and bogus data events.
•Selective forwarding and Tampering
An attacker can insert himself into the path of the event flow and gain
control of the event flow.
Attacks on Directed Diffusion
•A laptop-class adversary can create a worm hole between node
A, located near the base station, and node B, located near likely
events.
•Interests are advertised through the worm hole and rebroadcast by
node B.
•If node A sends negative reinforcements and the worm hole does
not pass those messages, node B continues its positive
reinforcement; no data reaches the sink node and
eventually node B's power is exhausted.
Tiny-OS Beaconing
•In this protocol, base stations periodically broadcast a routing
update.
•Every node receiving the update marks the base station as its
parent.
•The algorithm proceeds recursively, with each node marking
as its parent the first node from which it hears the update.
•All packets received or generated by a node are forwarded to its
parent until they reach the base station.
•The result is a breadth-first spanning tree rooted at the base station.
Attacks on Tiny-OS Beaconing
•Routing updates are not authenticated.
•An attacker can suppress, eavesdrop on, and modify packets through
a worm hole/sink hole attack, as shown in the figure.
Source: http://webs.cs.berkeley.edu/retreat-1-03/slides/sensor-route-security.pdf
Retrieved on November 17, 2003
Attacks on Tiny-OS Beaconing
•A laptop-class adversary can use a HELLO flood attack to
broadcast a routing update, and all nodes will consider the
adversary as their parent.
Nodes that are not actually within range of that parent
may then flood packets to neighbors which also have the
adversary as their parent.
•Routing loops can be created. Suppose the adversary knows
node A and node B are within radio range of each other. The
adversary sends a routing update to B as if it came from A. B
updates its parent to A and sends a routing update. Now A
updates its parent to B.
Geographic Routing
Two Kinds
•Geographic and Energy Aware Routing (GEAR) uses the
energy information and the location of neighboring nodes to
forward packets.
•Greedy Perimeter Stateless Routing (GPSR) uses only the
proximity of neighbors to forward its messages. The energy
consumption is uneven across the nodes.
Attacks on Geographic Routing
•Regardless of the adversary's location, he might advertise himself as
closest and place himself on the path of the data flow.
•For GEAR, the adversary can advertise maximum
energy to divert all packets to himself and can then mount a
selective forwarding attack.
•Routing loops are possible in GPSR routing, as shown in the figure.
Source: http://webs.cs.berkeley.edu/retreat-1-03/slides/sensor-route-security.pdf
Retrieved on November 17, 2003
Counter Measures
Link Layer Security
•Simple link layer encryption and authentication using a
globally shared key.
•If a worm hole is established, encryption makes selective
forwarding difficult, but can do nothing to prevent black hole
selective forwarding. The worm hole remains possible by replaying
messages from one group of nodes to another group.
•Link layer security mechanisms cannot prevent any insider
attack.
Counter Measures
Sybil Attack
•Every node shares a unique symmetric key with the base station.
•Two nodes can use a Needham-Schroeder-like protocol to verify
identity and establish a shared key.
•The base station limits the number of nodes an insider can
communicate with.
•This limits the number of nodes an adversary can communicate with.
Counter Measures
Hello Flood Attacks
•Verify the bidirectionality of the link before taking any action.
•Measures against the Sybil attack, like limiting the number of
verified neighbors of a node, will also prevent the HELLO flood attack.
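The bidirectional-link check applied to TinyOS-style beaconing, as an added example that is not part of the original slides. The 1-D node layout, the radio-range model and the sender name "X" are constructed assumptions; on real motes the reverse-direction test would be a challenge and an authenticated echo rather than a distance comparison.

```python
from collections import deque

# Constructed 1-D layout: name -> (position, transmit range). "X" is a
# hypothetical high-power sender whose beacon reaches every mote.
NODES = {"BS": (0, 10), "n1": (10, 10), "n2": (20, 10), "n3": (30, 10),
         "X": (100, 200)}

def hears(tx, rx, nodes):
    """True if rx lies inside tx's transmit range."""
    return tx != rx and abs(nodes[tx][0] - nodes[rx][0]) <= nodes[tx][1]

def build_tree(nodes, senders, verify_links):
    """Beaconing: each node adopts the first sender it hears as parent.

    With verify_links=True a beacon is ignored unless the receiver can
    also reach the sender, i.e. the link is bidirectional.
    """
    parent = {s: None for s in senders}
    queue = deque(senders)              # beacons are processed in this order
    while queue:
        tx = queue.popleft()
        for rx in nodes:
            if rx in parent or not hears(tx, rx, nodes):
                continue
            if verify_links and not hears(rx, tx, nodes):
                continue                # the echo would never arrive
            parent[rx] = tx
            queue.append(rx)            # rx rebroadcasts the update
    return parent

def stranded(parent, nodes):
    """Nodes whose packets can never reach the parent they selected."""
    return sorted(n for n, p in parent.items()
                  if p is not None and not hears(n, p, nodes))

if __name__ == "__main__":
    for verify in (False, True):
        tree = build_tree(NODES, ["X", "BS"], verify)
        print("verify_links =", verify, tree, "stranded:", stranded(tree, NODES))
```

Without the check every mote selects the distant sender and is stranded; with it the tree is rebuilt hop by hop from the base station.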
Counter Measures
Worm Hole and Sink Hole Attacks
•Sink holes are difficult to defend against in protocols which use
advertised information like energy information and hop count.
Hop count can be verified; however, energy and TinyOS
beaconing are difficult to defend.
•The best solution is to design protocols in which the above attacks are
meaningless.
Counter Measures
•Protocols that construct a topology initiated by the base station
are susceptible to attacks.
•Geographic protocols that construct the topology on demand
using localized interactions, and not from base stations, are
good solutions.
•In geographic routing, since proximity is a factor, an artificial
link to a sink hole is not possible because it may not fall
within the normal radio range.
Counter Measures
•Geographic routing is secure against worm hole, sink hole,
and Sybil attacks, but the remaining problem is that the
location advertisement must be trusted.
•Probabilistic selection of the next hop from several
advertisements can reduce the problem.
•Restricting the structure of the topology can eliminate the
problem by eliminating advertisements. For example, nodes
can arrange themselves in a square, triangular, etc. structure so that every
node can derive its neighbors.
Counter Measures
Selective Forwarding
•Multi-path routing can be used to avoid this attack.
•Routing messages over n paths whose nodes are completely
disjoint is an effective solution.
•Creating this kind of path may be difficult.
•Probabilistic selection of the next hop can add to security.
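Routing over node-disjoint paths, as an added example that is not part of the original slides. The topology and node names are constructed, and the greedy search (take a shortest path, exclude its interior nodes, repeat) is an assumption chosen for brevity: it can find fewer paths than the true maximum.

```python
from collections import deque

# Constructed topology: source S, base station BS, six relay motes.
ADJ = {"S": ["a", "b", "c"], "a": ["S", "d", "e"], "b": ["S", "e"],
       "c": ["S", "f"], "d": ["a", "BS"], "e": ["b", "a", "BS"],
       "f": ["c", "BS"], "BS": ["d", "e", "f"]}

def shortest_path(adj, src, dst, banned):
    """Breadth-first search that never enters a banned node."""
    prev, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            path = []
            while u is not None:
                path.append(u)
                u = prev[u]
            return path[::-1]
        for v in adj[u]:
            if v not in prev and v not in banned:
                prev[v] = u
                queue.append(v)
    return None

def disjoint_paths(adj, src, dst, n):
    """Up to n paths that share no interior node (greedy, not maximal)."""
    banned, paths = set(), []
    while len(paths) < n:
        path = shortest_path(adj, src, dst, banned)
        if path is None:
            break
        paths.append(path)
        if len(path) == 2:          # direct link: no interior node to ban
            break
        banned.update(path[1:-1])
    return paths

def delivered(paths, droppers):
    """Number of copies that arrive when nodes in `droppers` discard packets."""
    return sum(1 for p in paths if not droppers & set(p[1:-1]))

if __name__ == "__main__":
    paths = disjoint_paths(ADJ, "S", "BS", 3)
    print(paths, "copies delivered with e dropping:", delivered(paths, {"e"}))
```

Because no relay appears on two paths, one dropping node removes at most one of the n copies.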
Counter Measures
Authenticated Broadcast & flooding
• digital signatures
• symmetric-key cryptography
• delayed key disclosure and one-way key chains
constructed with a publicly computable, cryptographically
secure hash function
•A replay attack is not possible because a key is used only once.
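Delayed key disclosure over a one-way key chain, as an added example that is not part of the original slides. SHA-256, HMAC, the one-interval disclosure delay and all class and function names are assumptions; the slides name only the technique, and loose time synchronisation between sender and receiver is assumed.

```python
import hashlib
import hmac

def H(x: bytes) -> bytes:
    """Publicly computable one-way function that links the chain."""
    return hashlib.sha256(x).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_chain(seed: bytes, n: int) -> list:
    """Return [K_0 .. K_n] with K_i = H(K_{i+1}); K_0 is the public commitment."""
    chain = [seed]                          # K_n, known only to the base station
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain[::-1]

class Receiver:
    def __init__(self, commitment: bytes):
        self.key, self.idx = commitment, 0  # newest authenticated chain key
        self.pending = {}                   # interval -> [(msg, tag)]

    def on_packet(self, interval: int, msg: bytes, tag: bytes, now: int) -> bool:
        """Buffer a packet only while its interval key is still undisclosed."""
        if now > interval:                  # key may be public: tag is forgeable
            return False
        self.pending.setdefault(interval, []).append((msg, tag))
        return True

    def on_key(self, interval: int, key: bytes) -> list:
        """Authenticate a disclosed key, then release the packets it verifies."""
        if interval <= self.idx:            # key already used: replay
            return []
        k = key
        for _ in range(interval - self.idx):    # hash back to the trusted key
            k = H(k)
        if not hmac.compare_digest(k, self.key):
            return []
        self.key, self.idx = key, interval
        return [m for m, t in self.pending.pop(interval, [])
                if hmac.compare_digest(t, mac(key, m))]

def demo():
    chain = make_chain(b"constructed-seed", 4)      # constructed sample values
    rx = Receiver(chain[0])
    update = b"routing-update seq=1"
    rx.on_packet(1, update, mac(chain[1], update), now=1)
    rx.on_packet(1, b"forged update", b"\x00" * 32, now=1)
    accepted = rx.on_key(1, chain[1])               # key disclosed in interval 2
    late = rx.on_packet(1, b"late", mac(chain[1], b"late"), now=2)
    return accepted, late, rx.on_key(1, chain[1])
```

The receiver needs only the commitment K_0 and a hash function, which is why this fits a mote that cannot afford digital signatures.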
Limitations of Multi-Hop Routing
•If nodes within one or two hops of the base station are
compromised, the network will be completely down.
•Protocols like LEACH, which form clusters and in which cluster
heads communicate directly with the base station, may yield a
secure solution.
Conclusion
•Secure routing is vital to the acceptance and use of sensor
networks.
•Current protocols are insecure
•Careful protocol design is needed as a sensor mote cannot do
complex cryptographic computations
References
[1] Ian F. Akyildiz, Weilian Su, Yogesh Subramaniam, and Erdal Cayirci (2002,
August). A Survey on Sensor Networks.
http://www.cdt.luth.se/babylon/snc/References/Akyildiz2002_SurveySensorNets_01024422.pdf
Retrieved August 26, 2003
[2] Charlermek Intanagonwiwat, Ramesh Govindan, and Deborah Estrin.
Directed Diffusion: A Scalable and Robust Communication Paradigm
for Sensor Networks.
http://www2.parc.com/spl/members/zhao/stanfordcs428/readings/Networking/Estrin_mobicom00.pdf
Retrieved August 20, 2003
[3] Chris Karlof, David Wagner. Secure Routing in Wireless Sensor Networks: Attacks
and Counter Measures.
Thank You!!!!!
Questions???????????