Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks Authors: Yih-Chun Hu, Adrian Perrig, David B. Johnson Presented by : Varagur Karthik Iyer Adapted from the slides by: Qiao Xu, CSC774 Spring04 4/26/2007
Outline Introduction Temporal Leashes TIK Protocol Performance & Security Analysis Future Work & Conclusion 4/26/2007
Introduction Problem: Wormhole Attack Solution: Packet Leash An attacker records packets at one location of the network, tunnel them to another location, and retransmits them there into the network Wormhole attack allows attackers to: Gain unauthorized access Disrupt routing Perform DOS attacks Solution: Packet Leash Add information into the packet to restrict its maximum allowed transmission distance 4/26/2007
Illustration of a wormhole attack A mobile wireless ad hoc network Nodes S and D communicate through wireless multi hop routing Normal Operation S D 4/26/2007
Illustration of a wormhole attack A mobile wireless ad hoc network Nodes S and D communicate through wireless multi hop routing Under Attack Colluding Attackers S Wormhole D 4/26/2007
Packet Leashes Goal Approaches S Wormhole D Limit the distance traveled by a packet in a network Approaches Two approaches to the achieve the goal Space : geographical leashes Limit the range of the packet using the distance it can travel Time : Temporal Leashes Limit the range of the packet using the time it remains valid Colluding Attackers S Wormhole D 4/26/2007
Geographical Leashes (Overview) Definition: a geographical leash establishes an upper bound on the distance that a packet can travel Requirements Every node must have knowledge of its location Loose time synchronization Nodes can be relatively mobile Geographical leashes also enable multiple location detection 4/26/2007
Temporal Leashes Definition: a temporal leash establishes an upper bound on a packet’s lifetime, which restricts the maximum travel distance Key Requirement: all nodes must have tightly synchronized clocks Maximum clock difference (Δ) between any two nodes must be within a few microseconds 4/26/2007
Temporal Leashes Implementation with a packet expiration time Sender calculates a packet expiration time to be sent with each packet: te = ts + L/c – Δ te: packet expiration time ts: packet sent time c: propagation speed of wireless signal L: maximum allowed travel distance; L > Lmin = Δ*c Δ: maximum clock difference between 2 nodes 4/26/2007
Temporal Leashes Receiver will accept and process a received packet if and only if the time when the packet is received (tr) is less than the packet expiration time (te) What’s missing? Need an efficient way for the receiver to authenticate te 4/26/2007
TIK Protocol - Overview TIK – TESLA with Instant Key disclosure TIK implements a temporal leash and provides efficient instant authentication for broadcast communication in wireless networks Based on the observation that a receiver can verify the TESLA security condition, that the corresponding key hasn’t been disclosed, as it receives the packet, this allows sender to disclose the key in the same packet Assume sender can precisely predict ts and receiver can record tr as soon as the packet arrives Requires accurate time synchronization between all the nodes 4/26/2007
TIK Protocol – Sender Setup Sender generates a series of keys, K0, K1,…, Kw-1, using a PRF F and a secret master key X: Ki = Fx(i) Sender selects a key expiration interval I and determines the expiration time (Ti) for its keys: Ti = T0 + i*I, where T0 is the expiration time for K0 Sender constructs a Merkle hash tree to commit to keys: K0, K1,…, Kw-1 4/26/2007
TIK Protocol – Merkle Hash Tree 4/26/2007
TIK Protocol – Merkle Hash Tree How is it constructed? For every leaf node, Ki’ = H(Ki); i.e. K0’ = H(K0) For every parent node, mp = H(ml || mr); i.e. m01 = H(K0’ || K1’), m03 = H(m01 || m23); The root value (m07) is signed by the sender and sent to the receivers, where it can be authenticated with sender’s public key To authenticate K2, for example: Sender must include K3’, m01, m47 in the packet Receiver computes m07’ and compare to the pre-distributed m07 m07’ = H[ H[ m01 || H[ H[K2] || K3’]] || m47 ] 4/26/2007
TIK Protocol – Receiver Bootstrapping Assume all nodes are synchronized with a maximum clock difference of Δ Assume each receiver knows every sender’s hash tree root value and the associated parameter T0 and I 4/26/2007
TIK Protocol – Sending and Verifying Packets Sender HMAC M T Ki Receiver HMAC M T Ki Time at Sender ts Ti Time at Receiver tr ≤ (ts + т - Δ) ≤ (Ti - Δ) 4/26/2007
TIK Protocol – Sending and Verifying Packets S → R: (HMACKi(M), M, T, Ki) M: message payload HMACKi(M): message authentication code for M Ki: key used to generate the HMAC for M T: tree authentication values used to authenticate Ki Receiver: Verifies if the sender has started sending Ki after receiving HMAC, based on Ti Verifies if Ki is authentic based on the hash root value and T Verifies the HMAC, using authenticated Ki Accept the packet as authentic only if all those verifications are successful 4/26/2007
Security & Performance Analysis Security Analysis Temporal leash with TIK protocol can detect and prevent wormhole attacks if all nodes are good nodes Can’t deal with a malicious sender that claims a false timestamp Can’t deal with a malicious receiver that refuses to check the leash Performance Analysis Requires only n public keys in a network with n nodes Efficient hash tree authentication of keys Efficient instant authentication of packet because the key is disclosed in the same packet Modest storage requirement for the Merkle hash tree 4/26/2007
Related Work RF-Watermarking Intrusion Detection Modulating the RF waveform in a way known only to authorized nodes Vulnerable to node capture Intrusion Detection Hard to isolate attacker using a software only approach, since it is hard to distinguish malicious traffic from legitimate traffic 4/26/2007
Future Work & Conclusion An efficient implementation of Geographical leashes Securing TIK against node misbehavior (sender/receiver) Achieving accurate time synchronization among the nodes Conclusion Wormhole attack is a powerful and disruptive attack against wireless networks With precise timestamps and tight clock synchronization, TIK can prevent wormhole attacks 4/26/2007
Thank You! Questions and Comments 4/26/2007