1
Internet of Things
Amr El Mougy, Alaa Gohar
2
IoT Security – part 2
3
RPL Security
4
Security Features
- Defines protection for all types of control messages (DIO, DAO, DIS, DAO-ACK)
- Three security levels are identified
- Security field identifies the cryptographic suite used and the security level
- Services include:
  - Integrity and authenticity
  - Confidentiality
  - Key management
  - Protection against replay attacks
5
Implementing Security Services
- Integrity can be provided using MAC-32 or MAC-64 codes
- RSA digital signatures based on SHA-256 are also supported
- Confidentiality is supported based on AES/CCM. The entire RPL packet falls within the scope of protection (except the immutable fields of the header)
- Security level is specified in the LVL field
- Replay attacks are prevented using a counter and timestamp
- Sensors can issue a challenge/response message to check the consistency of the counter value at a different node
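The receiver-side check behind the integrity and replay bullets above, as an added example that is not part of the original slides. It assumes a constructed frame layout (not the RPL wire format), a constructed key, and HMAC-SHA-256 truncated to 64 bits as a standard-library stand-in for RPL's MAC-64; `protect`, `Receiver` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import struct

MAC_LEN = 8  # 64-bit tag, standing in for RPL's MAC-64 (assumption)


def protect(key: bytes, sender: int, counter: int, payload: bytes) -> bytes:
    """Build a frame: sender (2 bytes) | counter (4 bytes) | payload | tag."""
    header = struct.pack("!HI", sender, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
    return header + payload + tag


class Receiver:
    """Verifies the tag first, then enforces a strictly increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # sender id -> highest accepted counter

    def accept(self, frame: bytes) -> str:
        if len(frame) < 6 + MAC_LEN:
            return "malformed"
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"  # counter and payload are both covered by the tag
        sender, counter = struct.unpack("!HI", body[:6])
        if counter <= self.last_counter.get(sender, -1):
            return "replay"  # authentic frame, but already seen
        self.last_counter[sender] = counter
        return "ok"


def demo() -> list:
    key = b"constructed-group-key-0123456789"  # constructed sample key
    rx = Receiver(key)
    dio = protect(key, sender=7, counter=1, payload=b"DIO rank=256")
    fresh = protect(key, sender=7, counter=2, payload=b"DIO rank=512")
    tampered = bytearray(fresh)
    tampered[5] ^= 0xFF  # rewriting the counter field invalidates the tag
    return [rx.accept(dio), rx.accept(dio),
            rx.accept(bytes(tampered)), rx.accept(fresh)]
```

Because the counter sits inside the authenticated region, a captured message cannot be made "fresh" by rewriting its counter: the receiver rejects it on the tag before the counter is ever compared.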
6
Key Identifier Mode
- Three types of keys are defined:
  - Group symmetric key
  - Symmetric key per pair of nodes
  - Public key for digital signatures
- Key index field allows identification of which key to be used
7
Security Modes
- Three modes are defined:
  - Unsecured: default mode. No security is applied to RPL messages
  - Preinstalled: a pre-configured symmetric key is used by a device to join an RPL instance as host or router. The key supports confidentiality, integrity, and data authentication
  - Authenticated: appropriate for routers. The preinstalled key is used to join the RPL instance and then to obtain a different key from a key authority, which is responsible for authenticating the router.
- Authenticated mode can only be supported using public key cryptography. However, the standard does not specify how it can be implemented.
8
CoAP Security
9
Security Services
- CoAP doesn’t have built-in security features but defines bindings to Datagram Transport Layer Security (DTLS)
- DTLS supports similar services to TLS but for UDP packets
- This means security is supported at the transport layer rather than the application layer
- Security services include:
  - Confidentiality, authentication, and integrity: based on AES-CCM
  - Non-repudiation: based on elliptic curve digital signatures (public keys)
  - Protection against replay attacks: using a different nonce for each CoAP packet
10
Security Modes
- CoAP defines four security modes to be enforced by DTLS
  - NoSec: completely unsecured transmissions
  - PreSharedKey: sensing devices are pre-programmed with a symmetric key. Devices may use one key for every destination or use group keys for a set of devices
  - RawPublicKey: mandatory in CoAP. Devices use a pre-programmed public key to avoid needing a certificate authority. The public keys are used for authentication
  - Certificates: public keys are authenticated using certificates based on public key infrastructure
- Device authentication is supported in RawPublicKey and Certificate modes using elliptic curve digital signatures
- Key exchange can also be done using elliptic curve Diffie-Hellman
- A DTLS handshake is required before data exchange
11
ICN Security
12
ICN Challenges
- In ICN, publishers may not send their content directly to receivers
- ICN changes the security model from securing endpoints to securing objects
- Thus, ICN may suffer from all new forms of attacks in addition to legacy ones
- In-network caching is heavily used
- Since content may come from any place in the network, security cannot be bound to endpoints
- Security is applied to the content itself
13
Security Levels
- The severity of ICN attacks can be calculated by looking at the following metrics:
  - Block content retrieval
  - Access user request
  - Cache pollution
  - Misrouting
  - Request timeout
  - Number of affected nodes
  - Geographical distribution of attacked networks
  - Remote exploitation
  - Availability of environment that was attacked
  - How difficult is it to fix the attack
14
Types of ICN Attacks
15
1. Naming Attacks
- The attacker tries to monitor/censor Internet usage by blocking delivery of content or viewing who requests this content
- ICN makes information flow more visible to attackers
- For the attacker to monitor user requests they have to hijack an ICN node because packets do not carry host identifiers
- This is not necessary for content filtration/deletion
- Naming attacks can be classified into watchlist and sniffing attacks
16
Naming Attacks Watchlist
- The attacker tries to delete a specific list of content names
- The attacker monitors network links to perform real-time traffic filtering
- The attacker either deletes (or monitors) the user’s request or deletes the content itself
17
Naming Attacks Sniffing
- The attacker does not have a specific list but monitors packets to check for content that includes particular keywords (Real Madrid, Zamalek, Lady Gaga)
- Any packet containing these keywords is marked and filtered out
- Main difference is that the attacker does not have a predefined list of content names but does real-time analysis of traffic
18
Impact of Naming Attacks
- Naming attacks can cause the following:
  - Censorship: specific content never delivered
  - Privacy: the attacker learns the interests of a large number of users because ICN allows access to user requests
  - Denial of service: the attacker blocks access to particular requests (for example a set of users)
19
2. Routing Related Attacks
- Routing in ICN is asynchronous: publishers and subscribers do not act at the same time
- Thus, the corresponding states at the routers have to be consistent, which is not easy
- Attacks in this category include spoofing attacks to cause the consistency to fail
- It also includes DDOS attacks that consume resources
20
Routing Related Attacks
[Figure: taxonomy of routing related attacks. DDOS: Resource Exhaustion, Infrastructure, Source, Mobile Blockade, Flooding, Timing. Spoofing: Jamming, Hijacking, Interception.]
21
Routing Related Attacks
DDOS
- Infrastructure attacks: the attacker sends a large number of available/unavailable requests
- The network keeps propagating these requests towards the source, consuming resources
- ICN mitigates this attack by propagating requests to multiple resources
22
Routing Related Attacks
DDOS
- Source attacks: the attacker targets a specific publisher and sends a very large number of requests
- Mobile blockade: the attacker sends a large number of requests while traversing the network, thereby contaminating a particular geographical region
- Timing attack: the attacker increases the timeout of requests to violate the router’s consistency. This leads to larger delays in responses
23
Routing Related Attacks
Spoofing
- Jamming attacks: the attacker sends a large number of bogus requests. The network replies but no one is waiting to receive
- Hijacking attack: the attacker masquerades as a trusted publisher and announces invalid routes for any content. Requests sent on these invalid routes will not be answered.
- Interception attacks: man in the middle. The attacker announces invalid routes and the content is sent to the attacker, who then forwards it to the users, violating their privacy
24
3. Caching Related Attacks
- Caching is a very important component in ICN
- It is vulnerable to pollution or corruption
- Caching attacks can be classified into time analysis, bogus announcements, and cache pollution attacks
25
Caching Related Attacks
Time Analysis
- The attacker monitors traffic of a user and measures the response time between cached and uncached content
- When a legitimate user requests content for the first time it will be obtained from the publisher in time T1 + T2
- If an adversary requests the same content later it will be returned in only T1 because it was cached. The attacker uses this information to learn that a user has requested the content before

1- A user requests ICN content named (x).
2- and 3- ICN routers try to find the content (x).
4- and 5- ICN routers forward the content (x) to the requesting user.
6- The user retrieves the content (x) in total time T1+T2.
7- An adversary requests the content (x).
8- The adversary retrieves the content (x) in time T2 only, as routers cache the content.
26
Caching Related Attacks
Bogus Announcements
- The attacker sends many content updates at a rate greater than the convergence time of the routers to violate caching and routing systems
- ICN routers will not be able to respond properly to requests while these bogus announcements are being received
27
Caching Related Attacks
Cache Pollution
- Unpopular requests: the attacker only sends requests for content that is unpopular. Requires a prior knowledge of content popularity
- Random requests: the attacker requests content at random to fill the cache with content that may not necessarily be popular
28
Random requests (normal)
1- User1 requests ICN content named (x).
2- R1 router tries to find the content (x).
3- R1 retrieves the content from ICN network.
4- R1 caches the content (x).
5- User1 retrieves the content (x).
6- User2 requests the same content (x) via R2 router.
7- R2 tries to find the closest copy, which exists in R1 router.
8- R1 sends the content to R2 router.
9- R2 caches the content (x).
10- User2 retrieves the content (x).

Random requests (attacked)
1- User1 requests ICN content named (x).
2- R1 router tries to find the content (x).
3- R1 retrieves the content from ICN network.
4- R1 caches the content (x).
5- User1 retrieves the content (x).
6- An attacker sends a large number of random/unpopular requests to violate the cache.
7- User2 requests the same content (x) via R2 router.
8- R2 tries to find the closest copy and sends request to R1.
9- R1 router tries to find the content (x).
10- R1 retrieves the content from ICN network.
11- R1 caches the content (x).
12- R1 sends the content to R2.
13- R2 caches the content (x).
14- User2 retrieves the content (x).
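A small simulation of the normal and attacked flows above, added here and not taken from the slides, that measures what a router operator would see: the hit ratio of legitimate requests. It generalizes the single content (x) to a small popular set on one router, and assumes an LRU content store; `LruRouter`, `legit_hit_ratio` and the content names are hypothetical.

```python
from collections import OrderedDict


class LruRouter:
    """ICN router with a fixed-size LRU content store (assumed policy)."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.store = OrderedDict()  # content name -> cached marker
        self.upstream_fetches = 0   # retrievals from the ICN network

    def request(self, name: str) -> bool:
        """Return True on a cache hit, False when fetched from upstream."""
        if name in self.store:
            self.store.move_to_end(name)  # mark as most recently used
            return True
        self.upstream_fetches += 1
        self.store[name] = True
        if len(self.store) > self.capacity:
            self.store.popitem(last=False)  # evict least recently used
        return False


def legit_hit_ratio(capacity: int, popular: int, rounds: int,
                    junk_per_request: int) -> float:
    """Users cycle over `popular` names; after each legitimate request,
    `junk_per_request` never-repeated unpopular names are requested."""
    router = LruRouter(capacity)
    hits = total = junk_id = 0
    for i in range(rounds * popular):
        hits += router.request(f"/popular/{i % popular}")
        total += 1
        for _ in range(junk_per_request):
            router.request(f"/unpopular/{junk_id}")
            junk_id += 1
    return hits / total


if __name__ == "__main__":
    for junk in (0, 1, 2):
        ratio = legit_hit_ratio(capacity=8, popular=4, rounds=25,
                                junk_per_request=junk)
        print(f"junk per request = {junk}: legitimate hit ratio = {ratio:.2f}")
```

With these constructed parameters the hit ratio stays at its normal level until the unpopular requests between two uses of the same name exceed what the store can hold, then drops to zero, so a sudden fall in hit ratio together with a rise in upstream fetches is the signal to monitor.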
29
4. Miscellaneous Attacks
- Attacks that aim to degrade ICN services or gain unauthorized access
- Can be classified into packet mistreatment, breaching signer’s key, and unauthorized access
- Packet mistreatment: the attacker gains access to an ICN node or link and modifies or replays packets
  - The requester may receive the reply to a request several times or the attacker may generate content on behalf of the user
  - Can lead to congestion of links or reduced throughput (or DOS)
- Unauthorized access: the attacker gains access to a service he/she is not authorized to use. Here the attacker makes use of any available content copy to gain access
  - Here the attacker may capture all user requests and track all their activities
30
Miscellaneous Attacks Breaching Signer’s key
- The attacker somehow obtains the private key of the publisher used to sign packets
- Using this key, the attacker can generate any content and it will be trusted by the users
- An attacker requests ICN content named (x).
- The attacker retrieves the content (x) that contains signer’s public key and signature, which can be used with the content itself to determine the signer’s key.