Download Slide 1

Cryptographic Protocols in
Wireless Sensor Networks
Petr Švenda
Faculty of Informatics, MU Brno
Laboratory of Security and Applied Cryptography
joint work with Dan Cvrček, Jiří Kůr, Václav Matyáš, Lukáš Sekanina
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Wireless Sensor Network
 Basic technology
●
●
●
●
●
8 bit CPU, ~1 kB RAM, ~102 kB flash
short range radio, battery powered
condition sensor (temperature, pressure, …)
xBow MicaZ, TMote Sky, Philips smart node, …
currently ~100$ or more (should be around 1$)
 Applications
●
●
●
●
●
●
medical monitoring
scientific (animal monitoring, geologic)
industry monitoring (bridge/tunnel conditions monitoring)
agriculture (field condition monitoring)
emergency response networks (fire detection)
military (enemy movement, snipers, vehicles)
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Large scale Wireless Sensor Networks
 Network of nodes and few powerful base stations
● 102 – 106 sensor nodes
● particular nodes deployed randomly, e.g., from plane
 Network characteristics
●
●
●
●
●
covering large areas - distributed
ad-hoc position/neighbours – not known in advance
flat or hierarchical topology
multi-hop communication
data locally aggregated
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Where do we need security in WSN?
 Sensitive data are often sensed/processed
● military application
● medical information, location data (privacy)
 Commercially viable information
● information for sale – cost for owner of the network
● know-how - agriculture monitoring
 Protection against vandalism
● distant non-existing fires blocks fireman
 Early stage of WSN allows to build security in rather
than as late patch
● as is the case with Internet today
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Differences from classical networks
 Running on battery (limited resource)
● days for personal network
● we don’t like to change battery too often
● years for large scale monitoring network
● we don’t like to visit all nodes in forest every month
● communication and computation is energy-expensive
 Nodes can be captured by an attacker
● and returned back as malicious node
● all secrets can be extracted as nodes are not tamper resistant
● to maintain reasonable cost of network
 Links can be temporal, network often disconnected
● by design, by necessity
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Security threats




Eavesdropping – capture of transmitted data
Message injection/modification/replay
Impersonation – fake identity, clones
Denial of Service (DoS)
● jamming (malicious nodes)
● secure routing (multi-hop communication)
● battery exhaustion
 Traffic analysis – who is communicating with whom
 Side-channel analysis – unexpected leaks of information
... kinds of threats that are hard to prevent even in
 All
classical networks with powerful computers
● but here: limited performance, decentralized, lack of
physical control…
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Why not use “classical” solutions?
 Often cannot be used without modifications
● platform limitations (energy, memory, speed)
 Key establishment is basic building block
● for most security protocols including secure routing
 Some classical solutions do not work
● single network-wide key (single point of failure)
● pairwise keys – each with every (high memory requirements)
● asymmetric crypto, trusted third party (high CPU, battery)
 Tamper resistant hardware is not panacea
● is expensive and skilled attacker can break it anyway [Ko98]
● memory card (SLE4428) - 1$, crypto card (SLE66/88) – 10-30$
 New ideas needed and some already emerged
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Power analysis device
External power supply
Tested smartcard
Measurement board
Ethernet
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
(bytecode)
Reverse engineering
 may reveal sensitive info
 keys, internal branches, …
(source code)
if (key == 0) m_ram1[0] = 1; compiler
else m_ram1[0] = 0;
sload_1;
ifeq_w L2;
L1: getfield_a_this 0;
sconst_0;
sconst_0;
bastore;
goto L3;
L2: getfield_a_this 0;
sconst_0;
sconst_1;
bastore;
goto L3;
L3: …
oscilloscope
(power trace, key != 0)
(power trace, key == 0)
 Better to design protocols tolerant to partial compromise
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Probabilistic key pre-distribution
Key pool
K27 K7
 Randomized key pre-distribution [EG02, CPS03]
● based on birthday paradox
K3
KK2123
K75 K53
K8 K1
K16
K23
11
K11
● key selection without replacement from large key pool
● 100 keys from 10000 (60% probability at least one key
shared)
● memory efficient, scalable
● relatively low node capture resilience (NCR)
● depends on pool size, ring size and # captured
 Multi-space pairwise polynomial keys [DDHV03, FKZZ05]
● basic idea + Blom’s threshold secure scheme
 Increasing ring size moderately allows to increase pool sizeK7
K23
highly, resulting node capture resilience is better
K75
● idea behind hypercube [LN03], group supported [SM07]
extensions
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
K3
K11
K23
www.buslab.org
Key Infection distribution model
 More realistic attacker model [ACP04, CS05]
● not able to eavesdrop the whole network (for short period)
● key is exchanged in plaintext between neighbours (“contact”)
 Secrecy amplification protocols
● able to secure compromised link eavesdropped by attacker
● transport of fresh link key over secure path
● can be used for probabilistic pre-distribution as well
 Published amplification protocols
● “PUSH” model [ACP04]
● “PULL” secrecy amplification [CS05]
● multi-hop/path versions
PUSH
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
PULL
www.buslab.org
Node-oriented protocol (example)
4-party PULL
RNG N3 R1
SND N3 N1 R1 R1
SND N3 N4 R1 R1
SND N4 N2 R1 R1
N1
N3
N3
N2
N4
N4
Total protocols runs: 11 x combNum(12, 2) = 11 x 66, ~2000 messages
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Communication overhead
 Node-oriented protocols are deployment independent
 Let’s introduce geographic position into protocol
● minimum radio strength to communicate
● approximate distance to node
 Parties identified by distance from central node and
its special partner (lower value, closer the node)
● e.g. N 0.32_0.15 => position in real deployment
 Can we achieve comparable fraction of secure links?
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
min[(Np1 – |NC – Nx|)2 + (Np2 – |NP – Nx|)2]
Group-oriented protocol
NP
RNG NP Rt11
SND NP N0.00 0.00 Rv11 Rt12
SND N0.35 0.67 NC Rv12 Rt2
NC
NP
NP
NC
NC
NP
Total protocols runs: 11, ~100 messages
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Evolution of SA protocols [SSM09]
EA Population
crossing, mutation
SA parent 1
SA offspring 1
SA offspring 2
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
Network
simulator
fitness
% secure links
SA parent 2
SA Protocol
RNG n3 r1
SND n3 n1 r1 r2
SND n3 n2 r1 r2
…
www.buslab.org
Results found by evolution – node-oriented
 4 parties, 200 instructions, small population size, no
crossing, rapid mutation (10%)
 Reinvented all published protocols
● pruning technique used to detect relevant instructions
 Evolved protocol better then all published
● “polymorphic” instruction, when 3rd party is missing
8
N1
1
4
9
N3
N2
3
2
7
54
0
N4
6
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Results found by evolution – group-oriented
(0.070) 00: SND N0.33 0.68 NP Rv6 Rt8
(0.070) 01: SND N0.35 0.67 NC Rv6 Rt2
(0.334) 02: RNG NP Rt11
(0.010) 03: SND N0.59 0.11 NP Rv7 Rt3
(0.007) 04: SND NP N0.75 0.70 Rv6 Rt1
(0.334) 05: SND NP N0.01 0.00 Rv11 Rt12
(0.003) 06: SND N0.01 0.00 NC Rv1 Rt5
(0.334) 07: SND N0.01 0.00 NC Rv12 Rt6
(0.014) 08: RNG N0.03 0.00 Rt1
(0.014) 09: SND N0.48 0.33 NP Rv1 Rt7
(0.077) 10: RNG N0.01 0.00 Rt6
(0.017) 11: SND N0.69 0.68 NC Rv1 Rt7
NC
NC
NP
NP
min[(Np1 – |NC – Nx|)2 + (Np2 – |NP – Nx|)2]
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Success rate of evolved protocols
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Automatic attack strategy - motivation
 Fundamental asymmetry between the attacker
and the defender
● attacker needs to find only one attack path
● defender should secure all of them
 Brute-force search over the space of possible
attack paths
● suitable approach for the defender
 Informed search for possible attacks without
inspecting all possibilities
● suitable for an attacker
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Basic concept
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Malicious routing in WSNs
 Misbehaving attacker nodes
●
●
●
●
search for attacks against standard routing
elementary actions store/load value, send message, time counters
triggers binded on specific action (type of message in air)
goals like increase fraction of non-delivered messages, message
hops, messages routed over malicious node
 Minimum cost forwarding (MCF) [YCLZ01]
● minimum spanning tree based with base station as a root,
● periodic broadcast of beacons, BS has cost 0
● cost based on distance and remaining energy of node
 Implicit geographic forwarding (IGF) [BHSS03]
● next hop selected based on geographic positions of the nodes and
base station, remaining energy and random element
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Malicious routing - results
 Usually hard to analyze
● complex behavior and interleaving of elementary actions
● pruning - actions without impact on fitness are discarded
● still, we were unable to fully interpret all details
 Minimum cost forwarding
● impersonation of BS, forging beacons
● selective message forwarding/dropping
 Implicit geographic forwarding
● immediate answer to Open Request To Send
● malicious node is always selected as a next hop
● selective MAC layer collisions
● to maximize number of hops / undelivered messages
● overloading of neighbours message buffers – message drop
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Conclusions
 Novel approaches for WSN are needed
● specific environment & platform limitations
 Security is always tradeoff between resources
spent and value of resources protected
 WSN seems to be an environment where
probabilistic approach to security fits better
 Protocols should be tolerant to partial compromise
 Automated approaches are welcome due to
diversity of usage scenarios
● network topology, hardware characteristics, compromise
pattern, ...
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
References
 [Ko98] P. Kocher, J. Jaffe, D. Jun. Introduction to differential Power
Analysis and Related attacks. 1998
 [EG02] L. Eschenauer, V. D. Gligor. A key-management scheme for
distributed sensor networks. 2002
 [DDHV03] W. Du, J. Deng, Y. S. Han, P. K. Varshney. A pairwise key
pre-distribution for wireless sensor networks. 2003.
 [CS05] D. Cvrček, P. Švenda. Smart dust security - Key Infection
revisited. 2005
 [SM07] P. Švenda, V. Matyáš. Authenticated key exchange with group
support for wireless sensor networks. 2007
 [SSM09] P. Švenda, L. Sekanina, V. Matyáš, Evolutionary Design of
Secrecy Amplification Protocols for Wireless Sensor Networks, 2009
 [YCLZ01] F. Ye, A. Chen, S. Lu, L. Zhang. A scalable solutions to
minimum cost forwarding in large sensor networks. 2001
 [BHSS03] B. Blum, T. He, S. Son, J. Stankovic. IGF: A state-free
robust communication protocol for wireless sensor networks. 2003
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Thank you for your attention.
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Automatic attack strategy concept
 Inspired by ability of EA to find our own bugs
 Knowing attacks allows us to build better defenses
● fruitful even if we cannot prove that no attack against system exits
 Categories of generated attacks
● re-combination of the existing attacks
● put existing attacks together in meaningful order
● e.g., capture packet, forge IP, replay packet
● improvement (optimization) of known attack strategy
● principle is known, “tuning” of parameters
● e.g., which subset of nodes should be captured
● finding novel attack strategies
● attacks composed from very simple actions
● e.g., set/store byte X of message, transmit Y millisec., …
 Attack generator and execution environment
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Attack 2: Malicious routing
 Misbehaving attacker nodes
● search for attacks against standard routing
● fitness options: non-delivered messages, message hops,
messages routed over malicious node, ...
● elementary actions: store/load value, send message, time counters
● triggers of response code on specific action
 Multiple network deployments
● partly avoids optimization of a strategy on a single topology
 Usually hard to analyze
● complex behavior and interleaving of elementary actions
● pruning - actions without impact on fitness are discarded
● still, we were unable to fully interpret all details
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Attack 1: Selective node capture
 Probabilistic pre-distribution with overlapping key
sets
 Attacker goes for maximum advantage with fixed
number of captured nodes
● compromised links, carried keys, impact on data
aggregation, …
● with information about actual deployment
 Example attack settings:
● probabilistic pre-distribution (3 keys at minimum)
● secrecy amplification protocol run atop
 Compared for several deterministic algorithms
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org
Selective node capture - results
Cryptographic protocols in WSNs, SPI’09, 7.5.2009
www.buslab.org