Mitigating DoS Attacks against Broadcast Authentication in Wireless Sensor Networks Peng Ning, An Liu North Carolina State University and Wenliang Du Syracuse University

Introduction Broadcast is an important communication primitive in wireless sensor networks. – Large number of sensor nodes – Limited signal range

Two approached for broadcast authentication: – Public key based digital signature [Gura et al. 2004], Signature: 0.81s ---multiplication on a 160-bit EC. Verification: 1.62s – uTESLA-based approaches [Perrig et.al. 2000; 2001], provides broadcast authentication based on symmetric cryptography by delayed disclosure of authentication keys. advantage: much more efficient and less resource consuming; disadvantage: cannot provide authentication immediately after broadcast packets are received.

Problem Both of them are vulnerable to Denial of Service attacks, which is a fatal threat to sensor networks because of the limited and depletable battery power on sensor nodes.

Against signature-based broadcast authentication An attacker may simply forge a large number of broadcast messages with digital signatures, force sensor nodes to verify these signatures, and eventually deplete their battery power. Using MICAz, DoS attacker can consume the receiver’s energy in at least two steps. 1.Receiving the packet; [CC2 2006], 0.25mJ 2.Processing the packet and verifying the signature mJ

Proposed Approach Basic idea : weak authenticator, can be efficiently verified and takes a amount of time to forge. Receiving a packet 1.First, verifies the weak authenticator. if yes, go to next; 2.Second, performs the expensive signature verification.

Cont. When digital signatures are used for broadcast authentication, a sensor node does not have to verify the digital signature if the weak authenticator cannot be verified. This approach is not a replacement of digital signatures but uses as an additional layer of protection to filter out forged broadcast packets so as to reduce the resource consumption due to DoS attacks.

Limitation powerful sender. introduces sender-side delay.

One-Way Key Chains: A Strawman Approach K_i = F(K_{i+1}), F is hash function and 0<i<n-1 Assumption, every nodes know K_0. i-th packet: index i, the message M_i, the broadcast authenticator BA_i, the i-th weak authenticator K_i.

Each receiver keeps the most recently authenticated weak authenticator K_j and the corresponding index j. Initially, j = 0 and K_j = K_0. On receiving a packet with index i, each receiver checks: 1.The i-th packet has not been previously authenticated.2.

Nice properties: – Each weak authenticator Ki can be easily verified by regular sensor nodes. – Before the broadcast of the i-th packet, an attacker does not have access to Ki, and thus cannot forge the weak authenticator (due to the one-way property of hash function F). Weak: A malicious node may exploit an observed weak authenticator to forge broadcast packets and the communication delay to forge broadcast packets. (wormhole)

Message Specific puzzles Idea: to use cryptographic puzzles to reduce the possibility that an attacker may exploit an observed weak authenticator to forge broadcast packets. 1. Sender(or an attacker) has to solve a cryptographic puzzle in order to generate a valid weak authenticator. 2. Puzzle solution is then used as the weak authenticator. 3. A receiver can efficiently verify a weak authenticator. 4. It take an attacker a substantial amount of time to forge a weak authenticator.

Solution Keyed message specific puzzles based on one-way key chains (message specific puzzles) Puzzle: Message, message index and broadcast authenticator Add a previously undisclosed key in the one-way key chain to prevent an attacker pre-compute a puzzle solution until such a key is released by the sender. On receiving a packet, any node can verify the puzzle solution. As result, even if the key known by an attacker, it can not immediately solve the puzzle for a forged packet, and thus cannot immediately launch DoS attacks.

Basic Construction 1. Sender generate a one way chain, K 0,K 1, ….., K n, and distributed K 0 to all potential receivers. 2. K i is i-th key and used for the weak authentication of the i-th broadcast packet. 3. i-th message specific: The index i, the message Mi, the broadcast authenticator BAi, and Ki.

Cont’ Solution must satisfy the following two conditions:

Cont’ Use puzzle key Ki and the puzzle solution P_i together as the weak authenticator for the i-th broadcast packet. Sender: Given the i-th broadcast message Mi, the sender first generates the broadcast authenticator BAi, retrieves the puzzle key Ki, and computes the puzzle solution Pi. The sender then broadcasts the packet with the payload i|Mi|BAi|Ki|Pi. Receiver: using F and K 0 (or a previously verified puzzle key)

Minimizing Reuse of Forged Puzzle Solutions Problem: the attacker may compute only a few forged puzzle solutions, but force receivers to perform signature verifications or packet forwarding many times. Consider: puzzle solution is valid, but broadcast authenticator is NOT right. Receiver can identify a forged puzzle solution after verifying the signature in the packet. Keep a buffer at each node for broadcast packets with potentially forged puzzle solution

Analysis Cost of finding a puzzle solution Given a puzzle strength l, the probability of finding a puzzle solution within x trials is E{x} = 2^l

Choice of parameters l: the network designer should determine the value l through balancing the maximum delay the sender can tolerate before sending the broadcast packet and the risk of DoS attacks against signature verifications. m: The larger packet hash buffer a node has, the better it can minimize the reuse of forged puzzle solutions.

we may set m = 50. Based on the benchmark result for Crypto [Dai 2004], it takes about seconds on average for a 2.1 GHz Pentium 4 processor to solve one puzzle if SHA-1 is used. Thus, this setting can force an attacker with such a machine to spend about 196 seconds on average (after finding 52 solutions) in order to have a chance to reuse a previously forged puzzle solution.

Implementation TinyECC, SHA-1, 64-bit Kn

Experimental Evaluation one laptop sender(connected to a MICAz mote through a programming board) thirty regular sensor node receivers

Computational Cost

Delay

Optimistic mode and pessimistic mode In the optimistic mode: a node rebroadcasts the packet locally once it verifies the weak authenticator. In the pessimistic mode, a node verifies both the weak authenticator and the signature, and rebroadcasts the packet only when both verifications pass. The switch between these two modes is determined by a detection metric N_f, w is a system parameter determined by the security policy. N_f represents the number of forged broadcast packets with valid weak authenticators but invalid signatures.