Wireless Sensor Networks Security and Privacy Professor Jack Stankovic Department of Computer Science University of Virginia

Security Complex, many aspects to consider Opportunity to address this properly – from the start! New (severe) constraints (memory, bandwidth, cpu processing speeds, power, …) –Lightweight solutions required Symmetric cryptography (asymmetric crypto is probably too expensive) Digital signature – 300 bytes/packet

Question If, for some reasons, WSNs did not have the significant impact we have been projecting, what might those reasons be? –Poor security – easy to make systems ineffective/unreliable –Privacy policy – laws that state that thou shall not deploy WSNs in public places

Question Is it possible to build secure WSN? VigilNet – 40 services (each can be attacked) –Solutions for each won’t fit Weaker guarantees and evolve

VigilNet Architecture

Outline Basic Problems Routing Problems –Solutions SPINS Denial of Service Privacy Summary

Basic Problems Vulnerability of channels (eavesdrop and inject fake messages) Vulnerability of nodes (capture, modify messages, re-route) (or add new nodes) Absence of infrastructure (e.g., no centralized certification authorities) Dynamically changing topology (difficult to distinguish between dynamics and attacks) Minimum capacity devices –Drain batteries Real-Time – slow packets down

Basic Problems Most existing solutions are too costly –Digital signatures – adds as much as 300 bytes/packet –Asymmetric crypto adds large variables and large memory costs, etc. Don’t handle broadcasting type operations

Communication Scenarios Confidentiality (eavesdrop) Adversary Node1 Base Station Msg Node2 Eavesdropping is Good for Debugging

Communication Scenarios Integrity Adversary Node1 Base Station Msg1 Msg1’

Communication Scenarios Authenticity Base Station Adversary Node 1 Node 2 Node 3 Node 4 I am the Base Station Reprogram system Reset system parameters

Security Assumptions Trust and Key Management –Trust base station and oneself –Symmetric Keys Active area of research – how to disseminate private keys

Security Solutions Very difficult Fn(assumptions made) –E.g., attack model Themes for Security in WSN –Operate in the presence of security attacks –Self-heal –Evolve to new attacks

Routing - Threat Models and Security Goals Threat Model: –Mote-class vs. laptop-class adversaries –Insiders vs. outsiders Security Goals: –Authenticity: verifies the identity of the sender –Integrity: messages are not tampered with –Availability: messages are received by intended receivers –Confidentiality: no eavesdropping Insiders and laptop-class adversaries are difficult challenges

Routing - Network Assumptions –Insecure Radio Links –Eavesdropping, modifying bits, and packet replays –Attacker has similar capabilities (HW, etc.) –Except, Attacker may have high quality (long-range) communications –Nodes can be “turned” –Attacker controls > 1 node; collusion is possible –Tamper resistant nodes are not realistic

Routing - Trust Requirements –Base Stations are trustworthy –Random key pre-distributions are valid Initialization procedure prior to deployment –Global (pair-wise) key, pools of keys, etc. Neighbor to neighbor key establishment after deployment Note: Too expensive to involve base station on all transactions

WSN Routing Attacks Spoofing Selective Forwarding Blackhole/Sinkhole Sybil Wormholes HELLO Floods Many routing protocols have been proposed, but few with security as a goal ! (consider all the ones we studied in this course)

Route Where? Each node to base station Nodes to aggregation points and then from aggregation point to base station Between 2 (n) nodes (peer to peer) Between 2 (n) areas Among all members of a (static / dynamic) group

Routing Attacks adversary base station sensor node high quality wireless link Attacks: try to manipulate user/application data or affect the underlying routing topology (state information)

Attack: Bogus Routing Information Spoofed, altered, or relayed routing information causes problems Example: spoof routing table beacons or claim to be base station –Can attract traffic Attacker becomes part of routing tree

Attacks: Selective Forwarding / Blackholes / Sinkholes Only forward a select few… drop / modify remaining packets Forward none – blackhole Sinkhole – lure all traffic through a compromised node; enables selective forwarding

Attack: Sybil attack An adversary may present multiple identities to other nodes FT implications: routes believing to be using disjoint nodes could be using a single adversary –E.G., an attacker node could provide multiple geographic locations to pretend to be in more than 1 place at a time A B I am at A and B

Attack: Wormholes Tunnel packets received in one part of the network and replays them in a different part Two distant malicious nodes collude to understate their distance from each other by relaying packets along a private channel between them Enables other attacks – confuses topology

Attack: HELLO floods Hello packets to announce presence of a node Assumption: the sender of a received packet is within normal radio range False! A powerful transmitter could reach the entire network Disrupts routing paths

Recall - SPEED SPEED: A Semi-Stateless Protocol for Real-Time Communication in Sensor Networks. Uses neighbor tables Strong Back-Pressure (Congestion) Area Anycast Multicast

SPEED Delay 11 SPEED Node 5's NT Delay 0.5s 0.1s 0.4s 0.1s ID Packet Source Destination Attack – change table

RAP RAP: A Real-Time Communication Architecture for Large-Scale Wireless Sensor Networks. 1 Packets with Different Velocities Respecting Deadlines and Priorities Attack – change velocity; Different order of delivery

SPEED and RAP: Routing Security Analysis Convince nodes to change their state tables (delay, source, destination, distance, deadlines, velocities). Flood network with high velocity packets (i.e. short deadlines or large distances). Change the radius of the last mile process. Local forwarding decisions allow some types of attacks to not be noticed. Example: a destination that is “beyond” the edge of the network. Just lower the velocity of a packet which will end up missing its deadline later and will be dropped.

Solution - SPINS Suite of security protocols optimized for sensor networks Practical on minimal hardware –Memory constraints –Energy constraints –CPU constraints Can be used for building higher level protocols, like secure routing

Definition Secure Channel: a communication channel that offers –Confidentiality no eavesdropping –Data authentication you know who sent message –Integrity data not changed –Data freshness Weak – correct order Strong – recent in terms of time

SPINS: 2 Building Blocks SNEP (Sensor-Network Encryption Protocol) –Encryption Protocol Data confidentiality and integrity –Secure point-to-point communication 2-party authentication –Data freshness (adversary can’t replay old messages)  TESLA (Micro Timed Efficient Stream Loss- tolerant Authentication) –Provides streaming broadcast authentication

Typical Cost Authenticated Broadcast –Asymmetric digital signature Up to bytes (of overhead) per packet Need a different solution

System Assumptions Communication patterns –Frequent node-base station exchanges –Frequent network flooding from base –Node-node interactions infrequent (not including multi-hop routing relays) Base station –Sufficient memory, power –Shares secret key with each node Node –Limited resources, limited trust –Each node trusts itself

Design Asymmetric cryptography is too expensive Use symmetric cryptography primitives A simple symmetric encryption function (RC5) provides: –Encryption & Decryption –Message Authentication Code (MAC) –Pseudorandom number generation –Hash Function Overhead is only 8 bytes per packet Use single block cipher (for code reuse)

Block Cipher: RC5 Subset of RC5 with 40% reduction in code size Low memory requirements Cipher text is the same size as the original text They rejected AES and DES as too expensive Plaintext RC5 block cipher Key Ciphertext

Key Generation/Setup Nodes and base station share a master key (pre-deployment) Other keys are bootstrapped from the master key: –Encryption keys (different for each direction between 2 nodes) –Message Authentication code key (different for each direction) –Random number generator key Ctr RC5 Block Cipher Master Key Key MAC Key Encryption Key random F is a pseudo- Random function to generate keys

SNEP Encryption Encrypted-data = {D} Counter is shared state – but not sent in message like usual solutions; maintained at each pair of nodes With the counter, even the same message is encrypted differently each time RC5 generates “random” data to XOR with message Counter RC5 Block Cipher Key Encryption + PjPj CjCj

SNEP Encryption Weak freshness guaranteed; counter must increase Decryption is identical Counter+1 RC5 Block Cipher Key Encryption + P j+1 C j+1 Counter+1 RC5 Block Cipher Key decryption + P j+1

SNEP MAC Message Authentication Code = MAC(K MAC, X) MAC uses Cipher Block Chaining (CBC) Every block of input affects output K MAC RC5 X1X1 K MAC RC5 X2X2 K MAC RC5 X3X3 MAC ++

Authentication, Confidentiality Without encryption on MSG, can have authentication only For encrypted messages, the counter is included in the MAC Counter in MAC prevents replays Node A Msg, MAC(K MAC, Msg) {Msg} <Kencryption, Counter), MAC(K MAC, Counter|| {Msg} ) Node B

Spins So Far SNEP –Encryption Protocol (RC5) Data confidentiality and integrity –Secure point-to-point communication 2-party authentication MAC based on RC5 –Data freshness (adversary can’t replay old messages) Counters

Broadcast Authentication Broadcast is basic communication mechanism Sender broadcasts data Each receiver verifies data origin Sender R1 M R4 M R3R2 MM

 TESLA Protocol TESLA : efficient source authentication in multicast for wired networks. µ TESLA: broadcast authentication for WSNs. –TESLA is too expensive for WSN

 TESLA Protocol Compare & Contrast (similarities) –Both require loose time sync. between BS and each node. –Both uses one-way hash function to produce a chain of secret keys in the sender, each key corresponding to a time interval at which the sender sends a packet. –Both maintain a key disclosure schedule known to both sender and receiver. –Receiver holds off the authentication of a packet until the required key is disclosed.

 TESLA Compare & Contrast Differences µ TESLA removes or adapts the expensive features of TESLA:  Asymmetric digital signature is replaced by symmetric key  Frequency of key disclosure is greatly lessened  Only the Base Station stores the key chain  Inter-node communication is made possible by the Base Station

 TESLA Overview Provides authenticated broadcast mechanism Must have an asymmetric mechanism to prevent forgery Why not use asymmetric digital signatures? –Expensive computation, storage, and communication Asymmetry: delayed key disclosure –Requires loosely synchronized clocks

Simple MAC Insecure for Broadcast Sender R1 M, MAC(K,M) R4 M, MAC(K,M) M’, MAC(K,M’) K K K

Key Setup Main idea: One-way key chains –BS chooses K(n) – easy to compute K(n-1) –BS computes entire chain K 0 is initial commitment to chain Base station gives K 0 to all nodes –Nodes can’t compute K(1) KnKn K n-1 K1K1 K0K0 X ……. F(Kn)F(K1)F(K2)

Broadcast Divide time into intervals Associate K i with interval i Messages sent in interval i use K i in MAC K i is revealed at time i +  Nodes authenticate K i and messages using K i K0K0 K1K1 K2K2 K3K3 … time  K 0 Revealed Here

Robustness to Packet Loss K2K3K4K5 t Time 2 Time 3Time 4Time 5 K1 P5 K3 P3 K1 P2 K0 P1 K0 Verify MACs P4 K2 FF Authenticate K3 Time 1 REAVEALING Key K0

 TESLA Issues Important parameters: time interval, disclosure delay Delay must be greater than RTT to ensure integrity Parameters define maximum delay until messages can be processed Nodes must buffer broadcasts until key is disclosed Requires loose time synchronization in network Base station commits to maximum number of broadcasts when forming chain –When current chain is exhausted, all nodes must be bootstrapped with a new one

Evaluation (Memory)

Evaluation (Execution Time) 2.5 ms to encrypt a 16 byte message 18 ms to deal with broadcast authentication

Evaluation (Energy cost) Total cost to send a message Highest overhead is from transmission of 8-byte MAC per packet Extra Bytes

Authenticated Routing Simple “Breadth-first search” routing algorithm Routing scheme assumes bidirectional communication Base station periodically broadcasts beacon BS

Authenticated Routing First reception of authenticated beacon during current routing interval defines “parent” At reception of a beacon, if it’s fresh then accept sender as its parent in the route and broadcast another beacon with the node’s id as sender id BS

Authenticated Routing Attacker cannot re-route any link – won’t authenticate BS

Authenticated Routing Final tree BS

SPINS Summary Focus on WSN communication patterns Meet severe energy, time, memory constraints Time synchronized network Pre-loaded master keys Basic techniques to be used in other protocols

Denial of Service Ref: Denial of Service in Sensor Networks; Wood & Stankovic

The Jamming Problem Jamming disrupts communication around the source Expensive to prevent—but can detect it J

Solution Summary J Edge nodes blindly report jamming Inner nodes sleep Outer nodes map collaboratively Jammed area

Jam Detection Highly decentralized algorithm: –Loose group semantics, eager eavesdropping, supremacy of local information, robustness to packet loss and failure –Does not consider other security attacks

A Mapping Service Map jammed-area and export to other modules Possibilities for using this information: –Report jammed area to base station Send in vehicle –Route around jammed area –Lower duty-cycle to save energy –Redirect any queries to services in jammed area –Expose area as programmer-accessible entity

Summary - Security Solutions from the start (too late?) Lightweight solutions required System must operate in presence of faults AND attacks Framework needed for security updates as attacks evolve over time

Summary - Security Define new trust models Key distribution schemes (static and dynamic) Routing, secure groups, denial of service, localization, … Can solutions exploit –Physical properties? Directional antennas, time validity intervals of data, velocity, … –Density? –Redundancy? –HW?

Medical System Architecture InternetInternet Internet PDAs Nurses Stations

Smart Living Health Spaces

Motivation What is privacy? –“ The claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others ” – Alan Westin WSN in healthcare

Many Stakeholders Patients Patients family and friends Doctors Nurses Technicians Orderlies Admin Social Workers

Privacy Very complex, dynamic Differs for different countries, people, etc. Build into WSN at start Filters –Example: only transmit aggregated information about people in an area not ID based information Showstopper?

Authorization Framework Ask for data Change policy

Request Expressions Mandatory: – Optional: –[Aggregate Function] –[Time] –[Place] –[Conditions] –[Set Values] Example: Nurse N1 requests to read pulse of patient P1 for 30 minutes if P1 ’ s pulse is lower than 50 bpm  N1 read (P1,pulse) [t1,t1+30] if (P1,pulse) < 50 Roles, UserID, roomID, floorID Read, write, delete, add, set EKG, pulse, motion, light, temp, activity max, min, avg single time t, periodic [t1,t2] Bed, room, floor, =, >, =, single value, range

Policy Components –Request Subject –Rule: (action, ruling, context) –Data Subject –Data –Examples: Doctor (read,allow,critical condition) (patient, activity data)  Role policy DoctorX (read, deny) (patient, activity data)  Individual policy

Representation Directed Acyclic Graph –Nodes: Individual user Role Data –Edges: Inheritance Data association Rule: (action, ruling, context)

Privacy Policy Representation - Example

Policy Inconsistency Types Syntax inconsistency Semantic inconsistency –Multiple-role –Role vs. individual policy –Multiple rule instances

Inconsistency Detection Example

Privacy Added requirements for WSN –WSN specific Lightweight and Integrated Solutions –Highly dynamic Alarms Override when necessary –Highly distributed access and data creation –Data is transient –Notion of inanimate objects

Possible Approach Privacy filters –Collect what is needed; no more Blurring Reactive to critical situations –Real-Time Privacy WSN-Privacy Language Consistency checks (at different levels of granularity, at different times) Across enterprise trust domains

Summary - Research Q. How do we compose untrustworthy entities into a trustworthy aggregation –And how to maintain this trust as topology changes Lightweight key management Routing, denial of service, intrusion detection, authentication, localization, etc. Adaptive security and privacy service