1. Security Protocols In Sensor Networks

2. Introduction –Security in sensor networks is important to prevent unauthorized users from eavesdropping, obstructing and tampering with sensor data, and launching denial-of-service (DOS) attacks against entire network –The challenges of designing and implementing of a secure routing in WSN are as follows: 1.The vulnerability of the network to eavesdropping, spoofing, unauthorized access, and DOS attacks increases due to the wireless communication among the sensor nodes 2.The limited resource constraints of the sensor nodes, such as memory, CPU, bandwidth, and battery life, hinders the degree of implementation of encryption, decryption and authentication mechanisms in individual sensor nodes A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks [Deng+ 2003]

3. Introduction 3.Physical security risk of being deployed in the field – individual sensor nodes can be obtained and face attacks from an unauthorized user in order to compromise a single sensor node. If attack is successful, a compromised sensor node can start malicious activities within the network such as false routing information and launching DOS attacks –The secure routing protocol should handle such attacks such that networks continues to function properly –Since this paper assumes that base station has more resources to defend against these kinds of attacks; therefore, it investigates on how to secure the system against attacks on the resource-poor sensor nodes A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks [Deng+ 2003]

4. Introduction –This paper evaluates the performance of INSENS, an INtrusion-tolerant routing protocol for wireless SEnsor NetworkS –More specifically, it evaluates implementations on the motes of the RC5 and AES encryption standards:  RC5-based scheme to generate message authentication codes (MACs) and  RC5-based generation of one-way sequence numbers –The proposed secure routing protocol is resilient to obstruction of the data delivery, develops end-to-end integrity checksums and authentication schemes to detect tampering with sensor data A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks [Deng+ 2003]

5. Introduction –INSENS has the property that a single compromised node can only disrupt a localized section of the network and is not enough to stop the entire network from functioning –The INSENS system adheres to the following design principles: 1.The individual nodes are not allowed broadcast to the entire network in order to prevent DOS flooding attacks – only base station can broadcast and it is considered as a gateway to the wired network. The base station is loosely authenticated via one-way sequence number such that nodes cannot spoof the base station and flood the network. Sensor nodes can unicast a packet only to the base station. Peer-to-peer sensor communication is not directly supported; however, tunneling through the base station allows indirect sensor-to-sensor communication A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks [Deng+ 2003]

6. Introduction 2.Control routing information needs to be authenticated to prevent false routing data advertisements. This way, the base station receives correct knowledge of the topology even if it may not represent the full view due to malicious packet dropping 3.To address resource constraints:  Symmetric key cryptography is chosen for confidentiality and authentication between a base station and a sensor node instead of computation intensive public key cryptography techniques  Base station is in charge for computation and dissemination of the routing tables 4.The redundant multipath routing is built into INSENS to achieve secure routing. The goal is to have disjoint paths such that even if the intruder compromises a node or a path, secondary paths will function correctly A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks [Deng+ 2003]

7. Introduction A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks [Deng+ 2003] Figure 1: Sample asymmetric WSN topology rooted at the base station. Triangle node is a malicious node. Black nodes are its downstream nodes. Intrusion-tolerant routing is assisted by multiple paths; downstream nodes can still communicate with the base station

8. Protocol Description –The INSENS is comprised of a route discovery phase and data forwarding phase –The route discovery phase builds appropriate forwarding tables at some nodes and it is divided into three rounds 1.Route request: The base station floods a request message to all reachable sensor nodes 2.Route feedback: Each sensor node sends its neighborhood topology information back to the base station using a feedback message 3.Computing and propagating multipath routing tables: The base station authenticates the neighborhood information, builds a topological view of the network, computes the forwarding tables for each sensor node, and sends the tables to the appropriate nodes using a routing update message A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks [Deng+ 2003]

9. Protocol Description –The data forwarding phase forwards data from each sensor node to and from the base station –A symmetric communication channel is assumed –Each node has a shared symmetric key with base station and has a globally known one-way function F and initial sequence number K 0 –F and K 0 are used to authenticate messages from the base station –The shared symmetric key, F and K 0 are distributed in advance – preprogrammed into each sensor node prior to deployment A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks [Deng+ 2003]

10. Advantages: –Builds a secure routing protocol, rather than placing security layer on top of existing routing protocols –INSENS prevents DoS-style attacks by not allowing individual nodes to broadcast to the entire network –The resource rich base station is chosen as the central point for computation rather than resource-poor network nodes –Redundant multipath routing is used to achieve secure routing –The one-way cryptographic hash function used to generate the sequence helps hiding attacker from guessing the next sequence number to spoof the network –It is not constrained by time synchronization or delayed release schedule A Transmission Control Scheme for Media Access in Sensor Networks [Woo+, 2003]

11. Disadvantages: –Base stations are given too much responsibility and thus the prime target for hackers to bring the entire network down –If an alternate path is not available, then the network is susceptible to partitioning under attack –No mentioning about the advantages of building a bottom up secure routing protocol (i.e. no numerical comparison of the proposed approach with other approaches) A Transmission Control Scheme for Media Access in Sensor Networks [Woo+, 2003]

12. Suggestions/Improvements/Future Work: –For multipath routing table dissemination, meshed multipath routing algorithm can be used –Further route failure detection via flow monitoring and overlay routing for route reconfiguration can be added to ensure fault tolerance in WSN –Better algorithm to find disjoint multi paths with minimum number of common nodes between node and base station

13. Introduction –It is very difficult to incorporate security mechanisms into sensor routing protocols after the design has completed –Therefore, sensor network routing protocols must be designed with security considerations and this is the only effective solution for secure routing in sensor networks –The main contributions of this paper are as follows: 1.Proposed threat models and security goals for secure routing in wireless sensor networks 2.Introduced two novel classes of previously undocumented attacks against sensor networks: sinkhole attacks and HELLO floods 3.It is shown how attacks against ad hoc and peer-to-peer networks can be adapted into powerful attacks against sensor networks Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

14. Introduction 4.Presented the first detailed security analysis of all the major routing protocols and energy conserving topology maintenance algorithms for sensor networks – described practical attacks against all of them that would defeat any reasonable security goals 5.Discussed countermeasures and design considerations for secure routing protocols in sensor networks Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

15. Introduction Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003] Figure 2: Sensor network legend All nodes may use low power radio links, but only laptop-class adversaries and base stations can use low latency, high bandwidth links Figure 3: A representative sensor network architecture

16. Problem Statement: A. Network Assumptions –Due to wireless communications, the radio links are insecure –Attackers can eavesdrop on radio transmissions, inject bits in the channel, and replay previously heard messages –It is assumed that the adversary can deploy few malicious nodes with similar hardware capabilities as the legitimate nodes –It is not assumed that sensor nodes are tamper resistant –Even though tamper resistance might be a defense for physical node compromise, this is not considered a general purpose solution since effective temper resistance can add significant per-unit cost, and sensor nodes are generally inexpensive Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

17. Problem Statement: B. Trust Requirements –Base stations are assumed to be trustworthy to behave correctly since they act as gateway nodes to the outside world –Aggregation points which are often regular nodes are trusted in certain protocols to accurately combine other messages to forward to base stations –It is possible that adversaries may deploy malicious aggregation points or turn malicious nodes into aggregation points; therefore, aggregation points may not be trustworthy Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

18. Problem Statement: C. Threat Models –There is a difference between mote-class and laptop-class attackers –In mote-class attackers, the attacker has access to a few sensor nodes with similar capabilities to motes, but nothing more –A laptop-class attacker may have access to more powerful devices in which case, malicious nodes have advantages over legitimate nodes – may jam the entire network using stronger transmitter, eavesdrop on an entire network, may have high bandwidth low-latency channel –Second distinction can be made between outsider and insider attacks –The discussion so far has been related to the outsider attacks, where the attacker has no special access to the network Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

19. Problem Statement: C. Threat Models –Insider attacks may occur either when an authorized participant in the network has been compromised, running malicious code or adversaries who have stolen the key material, code, and data from legitimate nodes D. Security Goals –Ideally, a secure routing protocol should guarantee the integrity, authenticity, and availability of messages in the presence of adversaries –Protection against eavesdropping is not an explicit goal for secure routing –Routing protocol should prevent eavesdropping caused by misuse of abuse of the protocol itself, for instance, eavesdropping achieved by the cloning or rerouting of a data flow should be prevented Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

20. Problem Statement: D. Security Goals –Protection against the replay of data packets is not the responsibility of the secure routing protocol, rather application layer can provide such service since only the application can fully and accurately detect the replay of data packets –In the case of insider laptop-class attacks, all of these goals are not fully attainable –Instead of complete compromise of the network, it is expected to have graceful degradation at best –The degradation should be no faster than a rate approximately proportional to the ratio of compromised nodes to total nodes Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

21. Attacks on Sensor Network Routing A. Spoofed, altered, or replayed routing information –This is the most direct attack against a routing protocol –Adversaries may be able to create routing loops, attract or repel network traffic, extend or shorten source routes, generate false error messages, partition the network, increase end-to-end delay latency B. Selective Forwarding –Malicious nodes may refuse to forward certain messages, drop them, ensuring that they are not propagated any further –In order not get noticed by the neighboring nodes by not forwarding the packets, the adversary may selectively forwards the packets Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

22. Attacks on Sensor Network Routing B. Selective Forwarding –It is most effective when the attacker is explicitly included on the path of a data flow –An adversary overhearing a flow passing through neighboring nodes might be able to emulate selective forwarding by jamming or causing a collision on each forwarded packet of interest C. Sinkhole Attacks –Adversary tries to lure all the traffic from a particular area through a compromised node, creating a metaphorical sinkhole with the adversary at the center Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

23. Attacks on Sensor Network Routing C. Sinkhole Attacks –Typically works by making a compromised node look attractive to surrounding nodes with respect to the routing algorithm –The adversary could spoof or replay an advertisement for high quality route to a base station –Due to either real or imagine high quality route through compromised node, each neighboring node of the adversary will forward packets destined for a base station through the adversary –Since all packets share the same destination (the only base station), a compromised node needs only to provide a single high quality route to the base station to influence a large number of nodes Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

24. Attacks on Sensor Network Routing D. The Sybil Attack –A single node presents multiple identities to other nodes in the network –This type of attack can reduce the effectiveness of fault-tolerant schemes and pose a threat to geographic routing protocols –Adversary can be in more than one place at once by using this attack E. Wormholes –An adversary tunnels messages received one part of the network over a low latency link and replays them in a different part –Wormhole attacks generally involve two distant malicious nodes colluding to understand their distance from each other by relaying packets along an out-of-bound channel available only to the attacker Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

25. Attacks on Sensor Network Routing E. Wormholes –An adversary can convince nodes who are multiple hops away from the base station to believe that they are only one or two hops away via the wormhole – this creates a sinkhole –Wormholes can be used to convince two distant nodes that they are neighbors by relaying packets between the two of them –This attacks can be combined with selective forwarding or eavesdropping F. HELLO Flood Attack –A laptop-class attacker broadcasting routing or other information with large enough transmission power could convince every node in the network that the adversary is its neighbor Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

26. Attacks on Sensor Network Routing F. HELLO Flood Attack –An adversary advertising a high quality route to the base station to every node in the network can cause large number of nodes to use this route, leaving the network in the state of confusion –An adversary can re-broadcast overhead packets with enough power to be received by every node –HELLO floods can be considered as one-way broadcast wormholes and uses a single hop broadcast to transmit a message to a large number of nodes unlike the traditional definition of flooding denoting epidemic-like propagation of a message to every node in the network Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

27. Attacks on Sensor Network Routing G. Acknowledgement Spoofing –An adversary can spoof link layer acknowledgements for overhead packets addressed to the neighboring nodes –A sender can be convinced that a weak link is strong or a dead node is alive since packets sent along weak or dead links are lost –An adversary can mount a selective forwarding attack using acknowledgment spoofing by encouraging the target node to transmit packets on those weak links Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

28. Advantages: –The authors outline a number of attacks that are possible on a sensor network. They introduce two new kinds of attacks that are specific to sensor networks –The authors present the drawbacks of the existing protocols to overcome these threats –It is reported that the majority of outsider attacks against sensor network routing protocols can be prevented by simple link layer encryption and authentication using globally shared key –The analysis of various possible attacks on WSN give insight into the sorts of countermeasures required for security in WSN Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

29. Disadvantages: –Energy requirements and overheads of implementing the countermeasures are not presented –The authors have not simulated or provided any platform to show that the countermeasure actually works –The use of geographical information for security carries heavy overhead Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

30. Suggestions/Improvements/Future Work: –Multipath routing to multiple destination base stations can be as a strategy to provide tolerance against individual base station attacks and/or compromise –Relocation of the base station in the network topology can be studied as a means of enhancing resiliency and mitigating the scope of damage –Develop application specific security schemes and counter measures for given attacks Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures [Karlof+ 2003]

31. [Deng+ 2003] J. Deng, R. Han, and S. Mishra, A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks, Proceedings of IPSN 2003. [Karlof+ 2003] C. Karlof and D. Wagner, Secure Routing in Sensor Networks: Attacks and Countermeasures, Proceedings of SNPA 2003. [Perrig+ 2001] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. Tygar, SPINS: Security Suite for Sensor Networks, MobiCom 2001, Rome, Italy, pp. 189-199. References