Security in ad hoc networks

UCLA EE
Chris Kurpinski
Sungha Kim
 Outline
 Introduction
 Security Requirements of Wireless
Ad-Hoc Networks
 Typical attacks on Wireless Ad-Hoc
Networks
 Security protocols and methods for
ad-hoc networks
 Motivation
 Security is the most often cited
concern with wireless networks
 Wireless networks pose unique
security problems
 Power and computation constraints
are often higher in wireless
networks, making security
requirements different
 Requirements for network
security
 Data confidentiality: keep data secret (usually
accomplished by encryption)
 Data integrity: prevent data from being altered
(usually accomplished by encryption)
 Data freshness: data is recent
 Weak freshness: provides partial ordering of msgs
 Strong freshness: provides total ordering and
allows for delay estimation
 Data availability: data should be available on
request
 Data authentication: verification that the data or
request came from a specific, valid sender
 Why security on sensors is
hard
 Constrains
 Peanut CPU (slow computation rate)
 Battery power: trade-off between security
and battery life
 Limited memory
 High latency: conserve power, turn on
periodically
 Nature of wireless ad-hoc network
 Every node can be a target
 No trusted peer
 Decentralized and cooperative participation
of all nodes
 Encryption and authentication cannot
eliminate threats
 No matter how many intrusion prevention
measures are inserted in a network, there
are always some weak links that one could
exploit to break in
 Wireless Ad-Hoc Network
Security Methods
 Public-key cryptography overview
 Public-key cryptography for wireless:
 Key distribution :Certification Authorities,
PGP(Pretty Good Privacy)
 Imprinting
 SPINS
 SNEP
 µ TESLA
 Intrusion Detection
 Public-key cryptography
overview
 Alice chooses a random large integer a and
sends Bob X = g a
mod n

 Bob chooses a random large integer b and

sends Alice Y = g b mod n

 Alice computes k = Y a mod n

 Bob computes k ' = X b mod n

'
 Both k , k are equal to g ab modn
 Public-key cryptography
overview
Alice Bob

a X Y b
?

K KEY K’

 Key agreement protocol

 Imprinting
 Policy
 New nodes are "imprinted" upon un-packaging (birth)
with their 'parent' and given a secure key and identity
 A node's parent becomes its security admin. and can
change its security policy at any time
 The initial imprinting should not be sent wirelessly, to
avoid imprinting multiple nodes with the same key
 A node cannot change parents until it 'dies'
 Death can occur at a set time, or can be triggered by
the parent (and only by the parent). After death, a
node can be imprinted by a new parent.
 SPINS: Security Protocols
for Sensor Networks
 A suite of security building blocks developed at UC
Berkley
 Designed for resource-constrained environments
and wireless communications
 Consists of two building blocks, µ TESLA and SNEP
 SNEP
 Data Confidentiality
 Two-party data authentication
 Data Integrity
 Freshness
 µ TESLA
 authenticated broadcast
 SNEP
(Sensor Network Encryption
Protocol)
 Communicating parties each keep a counter, and
increment it after each block is transmitted.
 Aand
master secret key, K is initially shared between the node
base station and is used to derive all other keys
 Low communication overhead :adds 8 bytes per message
 Semantic security: prevents an eavesdropper from
inferring encrypted data
 Data authentication: MAC (Message Authentication Code)
 Weak Freshness: Counter in MAC prevents replaying old
messages
 SNEP (Contd.)
M=MAC(KMAC ,C|E) represents the Message Authentication Code,
where C is the shared counter, E is the encrypted data ({D}<Kencr,
C> ), and KMAC is the MAC key
A complete message from node A to node B consists of
encrypted data, and a MAC.
A -> B : {D} <Kencr, C> , MAC(KMAC , C|{D}<Kencr,C> )

The counter in SNEP provides weak freshness, but cannot show

that a message was created by B in response to a request from A
To achieve Strong Freshness
 use a pseudo-random number called a nonce
 Where NA is a nonce from A, and RA is a request from A,
our new messages look like this:
A -> B : NA, RA
B -> A : {R } , MAC(K , NA|C|{RB} )
 µ TESLA
(Timed Efficient Streaming Loss-tolerant
Authentication Protocol)
 Restricts the number of authenticated senders
 Discloses the key once per epoch
 Requires loose time synchronization between base station and
nodes

 µ TESLA Description
 Each MAC key is a key (K) of a key chain, generated by a public
one-way function F, where Kj =F(Kj+1)
 All blocks sent in a specific time period use the same key
 Received blocks are stored in a buffer until the associated key
is released and verified
 Any valid key can be used to derive earlier keys, or validate
later keys, but cannot be used to derive later keys.
 µ TESLA(Contd.)

 Sender Setup
 The sender generates a chain of secret keys by choosing
the last key (Kn) randomly, and applying a one-way
function F, such that: Kj =F(Kj +1)
 Broadcasting Authenticated Packets
 Time intervals are set, and each key of the key-chain is
associated with an interval.
 During interval t, the sender uses key Kt to compute the
MAC of all packets.
 The sender waits for a delay of δ before revealing Kt,
where δ is greater than any reasonable packet round trip
time.
 µ TESLA(Contd.)

 Bootstrapping a new receiver

 Each receiver must have one authentic key of the key
chain, and must know the key disclosure schedule.
 A new receiver M sends a nonce in the request message
to the sender S.
 The sender replies with its current time Ts, a key Ki from a
past interval i, the starting time Ti of interval i, the
duration Tint of the time intervals, and the disclosure delay
δ .

 M -> S : NM
 S -> M : Ts| Ki |Ti |Tint |δ , MAC(KMS, NM | Ts| Ki |Ti |Tint |δ )
 µ TESLA(Contd.)

 Authenticating broadcast packets

 When receiving a new packet, the receiver needs to
check that the key for that interval has not been
disclosed yet. This implies that no adversary could have
spoofed the contents
 If this condition is met, the packet is stored. Otherwise it
is dropped
 As soon as the key Kj of a previous time interval is
received, the receiver checks it against the last authentic
key it knows, Ki, by applying the function F.
 After Kj has been authenticated, Ki is replaced by Kj in
memory, and all the packets that were sent between time
intervals i and j can be verified.
 µ TESLA(Contd.)

 What if nodes need to broadcast data?

 Nodes are limited in CPU and battery resources

 Nodes broadcast data through the

basestation, using SNEP as an
authentication method
 Nodes broadcast the data, but do not
compute the keys.
 The basestation sends the key to the node as needed.
 The basestation can also broadcast the key disclosure,
and/or perform the bootstrapping procedure for new
nodes.
 µ TESLA (Contd.)
 Implementation
 Block cipher E performs the
encryption
 Code space is saved by using
the same function for
encryption and decryption
 Random-number generation
performed by the MAC, and
counter C.
 MAC(Kran, C)
 Key setup Fk(x)=MAC(K,x)
Evaluation of a protocol
based on SPINS
 Distributed public key
infrastructure
 Certificates are stored and distributed by
users
 Trust graph G(V,E) where V: users, E:
public-key certificates
 If two vertices u and v are in H, and there is
a directed path from u to v in H, then v is
reachable from u in H. ( u → H
v)

 S(G,u) : subgraph on G by user u

 S(G,u,v) : S(G,u)  S(G,v)
 Performance
#{(u, v) ∈ V × V : u S → v}
p A (G ) = ( G ,u , v )

#{(u , v) ∈ V × V : u → G
v}
 Infrastructure
Improvements
Shortcut hunter
algorithm: finds the
path with the most
shortcuts for all out-
going and incoming
edges of a given node
 Intrusion Detection
 Assumptions
 User and program activities are
observable
 Misuse and anomaly detections
are possible locally and in a
distributed manner
 Problems of IDS (intrusion
detection system)
 Intrusion Detection (contd)
 Misuse detection
 Uses patterns of well-known attacks to match and identify
known intrusions
 Accurate and effective
 Only works against known attacks
 Anomaly detection
 Uses established normal usage profiles to detect
deviation from the norm
 Able to detect new types of attacks
 Cannot always describe the nature of an attack
 May have a high false positive rate
 Intrusion Detection (contd.)

 Anomaly detection in Wireless Ad-Hoc

 Detection can be performed at each layer (link layer,
MAC, applications, etc.)
 During the learning process, normal network conditions
are recorded and used to create a 'normal profile'
 If a node detects an intrusion that affects the entire
network, it can initiate a re-authentication process
throughout the network, to exclude the malicious nodes
 If a node detects a local intrusion at a higher layer (e.g.,
one of its services), the lower layers are notified. The
lower layer detection modules can investigate and
possibly block access from the offending nodes.
 Secure Aware Protocol
 Traditional way
RREQ/RREP

 SAR
 Embed security metric
into the RREQ packet
 Ensure intermediate nodes
can provide required
security
 Authenticated users
belonging to same trust
level share a secret key
 References
 SPINS: Security Protocols for Sensor Networks. A Perrig, R.
Szewczyk, V. Wen, D. Culler, J.D. Tyger
 The Resurrecting Duckling: Security Issues for Ad-hoc Wireless
Networks. Frank Stajano, Ross Anderson
 Intrusion Detection in Wireless Ad-Hoc Networks. Yongguang
Zhang, Wenke Lee.
 The Quest for Security in Mobile Ad-Hoc Networks. Jean-Pierre
Hubaux, Levente Buttyan, Srdan Capkun.
 Ad Hoc Networking Critical Features and Performance Metrics.
Madhavi W.Subbarao.
 Lowering Security Overhead in Link State Routing. Ralf Hauser,
Tony Przygienda, Gene Tsudik.
 References (Contd)
 Mitigating Routing Misbehavior in Mobile Ad Hoc Networks.
Sergio Marti, T.J.Giuli, Kevin Lai, and Mary Baker.
 Secure Routing for Mobile Ad Hoc Networks. Panagiotis
Papadimitratos and Zygmunt J. Hass.
 Securing Ad Hoc Networks. Lidong Zhou and Zygmunt J. Haas.
 Securing-Aware Ad hoc Routing for Wireless Networks. Seung Yi,
Prasad Naldurg, and Robin Kravets.
 RFC2137 Secure Domain Name System Dynamic Update