1 A Practical Secure Neighbor Verification Protocol for Wireless Sensor Networks Reza Shokri, Marcin Poturalski, Gael Ravot, Panos Papadimitratos, and Jean-Pierre Hubaux Laboratory for Computer Communications and Applications, EPFL, Switzerland Second ACM Conference on Wireless Network Security (WiSec'09) March 2009 Zurich, Switzerland

2 Wormhole Attack

3 Wormhole

4 Wormhole Attack False Links over the Wormhole

5 Neighbor Verification Protocol Protocol Stages i.Ranging ii.Exchanging the Neighbor Tables (include distance) iii.Neighbor Verification (security tests) Our Main Idea Local geometric consistency tests Motivation - The other proposed methods are not implementable on sensor networks (e.g., directional antennas) or are not secure enough considering the sensor networks’ limitations (e.g., tight time synchronization in nanosecond precision is required). - Our goal is to propose a secure and practical protocol for WSN.

6 The Ranging Protocol

7 ? ? ? A B C D

8 AB t REQ/A t REQ/B C REQ Fresh Random Nonce

9 The Ranging Protocol AB REP t REQ/A t REQ/B C t REP/B t REP/A REQ

10 The Ranging Protocol AB REP t REQ/A t REQ/B C t REP/B t REP/A REQ t RNG/B t RNG/A RNG (Ultra)Sound

11 The Ranging Protocol AB REP t REQ/A t REQ/B C t REP/B t REP/A REQ t RNG/B t RNG/A RNG ACK (Ultra)Sound

12 The Ranging Protocol AB REP t REQ/A t REQ/B C t REP/B t REP/A REQ t RNG/B t RNG/A RNG (Ultra)Sound ACK Node B: “Synchronization Test” Speed of sound Empirical Synchronization Error

13 C B The Ranging Protocol (Over Attack) A d wa d wb d wc d bc A C B >= d wb + d wb The adversary can change adjust the distance between nodes only by introducing different delay values while relaying RNG messages

14 Neighbor Table Exchange A B C D F E G Each node broadcasts its neighbor table to its direct neighbors. Neighbor tables include distance between nodes. We assume nodes are deployed on a plane. (it can be extended to 3D)

15 Neighbor Verification (Security Tests)

16 Neighbor Verification (Security Tests) Link Symmetry Test d (B->A) = d (A->B) (1)

17 Neighbor Verification (Security Tests) Maximum Range Test d (B->A) < R R (1) (2) Link Symmetry Test d (B->A) = d (A->B)

18 Neighbor Verification (Security Tests) Quadrilateral Test Each 4 neighbors that form a clique must belong to a quadrilateral. (embedding graph on a plane) Maximum Range Test d (B->A) < R R (1) (3) (2) Link Symmetry Test d (B->A) = d (A->B)

19 Neighbor Verification (Security Tests) Quadrilateral Convexity Test A link will be marked as verified link if it belongs to a convex quadrilateral. Maximum Range Test d (B->A) < R R (1) (3) (2) (4) Quadrilateral Test Each 4 neighbors that form a clique must belong to a quadrilateral. (embedding graph on a plane) Link Symmetry Test d (B->A) = d (A->B)

20 Security Analysis

21 Security Analysis To successfully create a false link: the attacker has to convince 4 nodes that form a convex quadrilateral (2-2) (3-1) A B C D D A B C

22 Security Analysis (2-2) A B C D C D A B C D A B Nodes’ perception (1) Nodes’ perception (2) We have proved that neither of these perceptions are possible. Thus, 2-2 attack is impossible.

23 Security Analysis (3-1) D A B C A B C D Nodes’ perception D A B C We have proved that the attack is possible only if:

24 Experimental Results Settings The ranging protocol has been implemented on Crossbow Cricket motes

25 Experimental Results Settings The ranging protocol has been implemented on Crossbow Cricket motes Results Time Synchronization Error: 99.55% below 5 microsecond Distance Measurement Error: Below 5cm error (Range up to 4m) Link Symmetry Error: 97% below 7cm (74% below 2cm)

26 Performance Evaluation in Benign Setting Links have to satisfy the convex quadrilateral test to be verified by our protocol. Yet, even in a benign setting, some links might not belong to any convex quadrilateral, and therefore remain unverifiable. How percentage of true links can be verified?

27 Performance Evaluation in Benign Setting Coverage Uniform distribution of nodes in a field measuring 400m*400m “R”: Transmission range = 100m “e”: Maximum distance estimation error as percentage of R.

28 Conclusion -Neighbor Verification Protocol for Wireless Sensor Networks -Based on estimation of node distance and simple, local tests -Practical solution, implemented on Cricket motes -Formal analysis and proof of correctness -Highly effective against powerful adversaries -Adding detection of adversary increases security (see tech- report)

29 The Ranging Protocol (Properties) AB REP t REQ/A t REQ/B C t REP/B t REP/A REQ t RNG/B t RNG/A RNG (Ultra)Sound ACK i.REQ and REP cannot be delayed ii.RNG can be delayed: same delay for all pairs WAWA WBWB

30 Security Analysis (b): |AC|+|BD| = |AD|+|BC| = a + b + c + d + 2t(a) |AC|+|BD| < |AD|+|BC| (b) contradiction (c): x + y > a + b + c + d +2t (c) (triangle inequalities for: ∆ACX, ∆CXB, ∆BXD, ∆DXA) x + y < a + b + c + d (a) (triangle inequalities for: ∆ABW 1, ∆CDW 2 ) contradiction “t” is the distance equivalent to the delay over the wormhole: delay×s (2-2) Case

31 Security Analysis |AD|-|AW 1 | = |BD|-|BW 1 | = |CD|-|CW 1 | = t + d => A, B, C lie on a hyperbola with foci D and W 1, on the arm closer to W 1. As this arm is concave, no 3 points A, B, C can form a convex quadrilateral with D  (3-1) Case

32 Performance Evaluation in Benign Setting The number of tested 4-cliques per node. Computational Complexity 95-percentile Median 5-percentile