Security in ad hoc networks

Outline
Introduction Security Requirements of Wireless AdHoc Networks Typical attacks on Wireless Ad-Hoc Networks Security protocols and methods for adhoc networks

Motivation
Security is the most often cited concern with wireless networks Wireless networks pose unique security problems Power and computation constraints are often higher in wireless networks, making security requirements different

Requirements for network security

Data confidentiality: keep data secret (usually accomplished by encryption) Data integrity: prevent data from being altered (usually accomplished by encryption) Data freshness: data is recent Weak freshness: provides partial ordering of msgs Strong freshness: provides total ordering and allows for
delay estimation

Data availability: data should be available on request Data authentication: verification that the data or request came from a specific, valid sender

Why security on sensors is hard

Constrains
Peanut CPU (slow computation rate) Battery power: trade-off between security and battery life Limited memory High latency: conserve power, turn on periodically

Nature of wireless ad-hoc network

Every node can be a target No trusted peer Decentralized and cooperative participation of all nodes Encryption and authentication cannot eliminate threats No matter how many intrusion prevention measures are inserted in a network, there are always some weak links that one could exploit to break in

Wireless Ad-Hoc Network Security Methods

Public-key cryptography overview Public-key cryptography for wireless:
Key distribution :Certification Authorities, PGP(Pretty Good Privacy) Imprinting

SPINS
SNEP mTESLA

Intrusion Detection

Public-key cryptography overview

Alice chooses a random large integer a and X g a mod n sends Bob Bob chooses a random large integer b and sends Alice Y g b mod n k Y a mod n Alice computes k ' X b mod n Bob computes ' Both k , k are equal to g ab mod n

Public-key cryptography overview

Alice a X ? Y Bob b

KEY

Key agreement protocol

Imprinting
Policy

New nodes are "imprinted" upon un-packaging (birth) with their 'parent' and given a secure key and identity A node's parent becomes its security admin. and can change its security policy at any time The initial imprinting should not be sent wirelessly, to avoid imprinting multiple nodes with the same key A node cannot change parents until it 'dies' Death can occur at a set time, or can be triggered by the parent (and only by the parent). After death, a node can be imprinted by a new parent.

SPINS: Security Protocols for Sensor Networks

A suite of security building blocks developed at UC Berkley Designed for resource-constrained environments and wireless communications Consists of two building blocks, mTESLA and SNEP SNEP

Data Confidentiality Two-party data authentication Data Integrity Freshness

mTESLA authenticated broadcast

SNEP
(Sensor Network Encryption Protocol)

Communicating parties each keep a counter, and increment it after each block is transmitted. A master secret key, K is initially shared between the

node and base station and is used to derive all other keys Low communication overhead :adds 8 bytes per message Semantic security: prevents an eavesdropper from inferring encrypted data Data authentication: MAC (Message Authentication Code) Weak Freshness: Counter in MAC prevents replaying old messages

SNEP (Contd.)
M=MAC(KMAC,C|E)
represents the Message Authentication Code, where C is the shared counter, E is the encrypted data ({D}<Kencr, C>), and KMAC is the MAC key A complete message from node A to node B consists of encrypted data, and a MAC.

A -> B : {D} <Kencr, C> , MAC(KMAC, C|{D}<Kencr, C>)

The counter in SNEP provides weak freshness, but cannot show that a
message was created by B in response to a request from A To achieve Strong Freshness use a pseudo-random number called a nonce Where NA is a nonce from A, and RA is a request from A, our new messages look like this:

A -> B : NA, RA B -> A : {RB} <Kencr, C> , MAC(KMAC, NA|C|{RB}<Kencr, C>)

mTESLA
(Timed Efficient Streaming Loss-tolerant Authentication Protocol)
Restricts the number of authenticated senders Discloses the key once per epoch Requires loose time synchronization between base station and nodes
mTESLA Description Each MAC key is a key (K) of a key chain, generated by a public one-way function F, where Kj =F(Kj+1) All blocks sent in a specific time period use the same key Received blocks are stored in a buffer until the associated key is released and verified Any valid key can be used to derive earlier keys, or validate later keys, but cannot be used to derive later keys.

mTESLA(Contd.)
Sender Setup
The sender generates a chain of secret keys by choosing the last key (Kn) randomly, and applying a one-way function F, such that: Kj =F(Kj +1)

Broadcasting Authenticated Packets

Time intervals are set, and each key of the key-chain is associated with an interval. During interval t, the sender uses key Kt to compute the MAC of all packets.

The sender waits for a delay of before revealing Kt, where is greater than any reasonable packet round trip time.

mTESLA(Contd.)
Bootstrapping a new receiver
Each receiver must have one authentic key of the key chain, and must know the key disclosure schedule. A new receiver M sends a nonce in the request message to the sender S. The sender replies with its current time Ts, a key Ki from a past interval i, the starting time Ti of interval i, the duration Tint of the time intervals, and the disclosure delay .

M -> S : NM S -> M : Ts| Ki |Ti |Tint |, MAC(KMS, NM | Ts| Ki |Ti |Tint |)

mTESLA(Contd.)
Authenticating broadcast packets
When receiving a new packet, the receiver needs to check that the key for that interval has not been disclosed yet. This implies that no adversary could have spoofed the contents If this condition is met, the packet is stored. Otherwise it is dropped As soon as the key Kj of a previous time interval is received, the receiver checks it against the last authentic key it knows, Ki, by applying the function F. After Kj has been authenticated, Ki is replaced by Kj in memory, and all the packets that were sent between time intervals i and j can be verified.

mTESLA(Contd.)
What if nodes need to broadcast data?
Nodes are limited in CPU and battery resources

Nodes broadcast data through the basestation, using SNEP as an authentication method Nodes broadcast the data, but do not compute the keys.
The basestation sends the key to the node as needed. The basestation can also broadcast the key disclosure, and/or perform the bootstrapping procedure for new nodes.

mTESLA (Contd.)
Implementation
Block cipher E performs the encryption Code space is saved by using the same function for encryption and decryption Random-number generation performed by the MAC, and counter C. MAC(Kran, C) Key setup Fk(x)=MAC(K,x)

Evaluation of a protocol based on SPINS

Distributed public key infrastructure

Certificates are stored and distributed by users Trust graph G(V,E) where V: users, E: public-key certificates If two vertices u and v are in H, and there is a directed path from u to v in H, then v is v) reachable from u in H. ( u H S(G,u) : subgraph on G by user u S(G,u,v) : S(G,u) S(G,v) Performance #{(u , v) V V : u S v} ( G ,u , v ) p A (G ) #{(u , v) V V : u v} G

Infrastructure Improvements
Shortcut hunter algorithm: finds the
path with the most shortcuts for all outgoing and incoming edges of a given node

Intrusion Detection
Assumptions
User and program activities are observable Misuse and anomaly detections are possible locally and in a distributed manner

Problems of IDS (intrusion

detection system)

Intrusion Detection (contd)

Misuse detection
Uses patterns of well-known attacks to match and identify known intrusions Accurate and effective Only works against known attacks

Anomaly detection
Uses established normal usage profiles to detect deviation from the norm Able to detect new types of attacks Cannot always describe the nature of an attack May have a high false positive rate

Intrusion Detection (contd.)

Anomaly detection in Wireless Ad-Hoc
Detection can be performed at each layer (link layer, MAC, applications, etc.) During the learning process, normal network conditions are recorded and used to create a 'normal profile' If a node detects an intrusion that affects the entire network, it can initiate a re-authentication process throughout the network, to exclude the malicious nodes If a node detects a local intrusion at a higher layer (e.g., one of its services), the lower layers are notified. The lower layer detection modules can investigate and possibly block access from the offending nodes.

Secure Aware Protocol

Traditional way
RREQ/RREP

SAR
Embed security metric into the RREQ packet
Ensure intermediate nodes can provide required security Authenticated users belonging to same trust level share a secret key

References
SPINS: Security Protocols for Sensor Networks. A Perrig, R. Szewczyk, V. Wen, D. Culler, J.D. Tyger The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks. Frank Stajano, Ross Anderson Intrusion Detection in Wireless Ad-Hoc Networks. Yongguang Zhang, Wenke Lee. The Quest for Security in Mobile Ad-Hoc Networks. Jean-Pierre Hubaux, Levente Buttyan, Srdan Capkun. Ad Hoc Networking Critical Features and Performance Metrics. Madhavi W.Subbarao. Lowering Security Overhead in Link State Routing. Ralf Hauser, Tony Przygienda, Gene Tsudik.

References (Contd)
Mitigating Routing Misbehavior in Mobile Ad Hoc Networks. Sergio Marti, T.J.Giuli, Kevin Lai, and Mary Baker.
Secure Routing for Mobile Ad Hoc Networks. Panagiotis Papadimitratos and Zygmunt J. Hass. Securing Ad Hoc Networks. Lidong Zhou and Zygmunt J. Haas. Securing-Aware Ad hoc Routing for Wireless Networks. Seung Yi, Prasad Naldurg, and Robin Kravets. RFC2137 Secure Domain Name System Dynamic Update