Published by Alice Dalton. Modified over 9 years ago.
1
CCSP 8 Dec 2003
Securing Wireless Sensor Networks
CCSP Seminar, 8 December 2003
David Evans
evans@cs.virginia.edu
http://www.cs.virginia.edu/evans/talks/ccsp
Department of Computer Science, University of Virginia
2
Two Talks for the Price of One!
5000 years of cryptography
– Symmetric Ciphers
– Asymmetric Ciphers
Securing Wireless Sensor Networks
– Key Distribution
– Data Aggregation
– Wormhole Attacks and Defenses
3
Terminology
[Diagram labels: Alice; Encrypt; Plaintext; Ciphertext; Plaintext; Decrypt; Bob; Eve; Insecure Channel]
C = E(P)
P = D(C)
E must be invertible: P = D(E(P))
4
[Diagram labels: Alice; Encrypt; Plaintext; Ciphertext; Plaintext; Decrypt; Bob; Eve; Insecure Channel; K at Encrypt and K at Decrypt]
C = E(P, K)
P = D(C, K)
“The enemy knows the system being used.” Claude Shannon
5
Jefferson’s Wheel Cipher
Key: the order of wheels on the spindle
6
http://monticello.org/jefferson/wheelcipher
Applet on Monticello’s web site by CS201J students: Matt Spear, “Boyd” Worawannotai, Edward Mitchell
(Note: not for use on nuclear secrets!)
7
Jefferson Wheel Cipher
If used carefully, effectively unbreakable in Jefferson’s day
– US army used very similar cipher in WWI
“Easy” to break today
http://www.cs.virginia.edu/cs588/challenges/wheel-solved.html
A billion billion is a large number, but it’s not that large a number. — Whitfield Diffie
8
Modern Symmetric Ciphers
Same idea but:
– Use digital logic instead of mechanical rotors
– Larger keys
– Encrypt blocks of letters at a time
Good choice for most applications: AES (Rijndael)
– Effectively unbreakable, minimal performance cost
– 128 (“billion billion billion billion”) or 256 (“billion^8”) bit keys
– No practical attacks better than brute force known (yet)
9
Problem with all Symmetric Ciphers
[Diagram labels: Alice; Encrypt; Plaintext; Ciphertext; Plaintext; Decrypt; Bob; Eve; Insecure Channel; K at Encrypt and K at Decrypt]
How do Alice and Bob agree on K (without Eve hearing it)?
10
Padlocked Boxes
[Diagram labels: Alice; Hi!]
11
Padlocked Boxes
[Diagram labels: Alice; Hi!; Alice’s Padlock; Alice’s Padlock Key]
12
Padlocked Boxes
[Diagram labels: Alice; Alice’s Padlock Key; Shady Sammy’s Slimy Shipping Service]
13
Padlocked Boxes
[Diagram labels: Alice; Hi!; Bob; Bob’s Padlock; Bob’s Padlock Key; Alice’s Padlock Key]
14
Padlocked Boxes
[Diagram labels: Alice; Hi!; Bob; Bob’s Padlock Key; Alice’s Padlock Key]
15
Padlocked Boxes
[Diagram labels: Alice; Hi!; Bob; Bob’s Padlock Key; Alice’s Padlock Key]
16
Padlocked Boxes
[Diagram labels: Alice; Hi!; Bob; Bob’s Padlock Key]
17
Padlocked Boxes
[Diagram labels: Alice; Hi!; Bob; Bob’s Padlock Key; Hi!]
18
One-Way Functions
Easy to compute, hard to invert
Trap-door one way function:
– D(E(M)) = M
– E and D are easy to compute.
– Revealing E doesn’t reveal an easy way to compute D.
– Hence, anyone who knows E can encrypt, but only someone who knows D can decrypt
19
RSA [Rivest, Shamir, Adleman 78]
One-way function: multiplication is easy, factoring is hard
Trap-door: number theory (Euler and Fermat)
20
Public-Key Applications: Privacy
Alice encrypts message to Bob using Bob’s Public Key
Only Bob knows Bob’s Private Key, so only Bob can decrypt message
[Diagram labels: Alice; Encrypt; Plaintext; Ciphertext; Plaintext; Decrypt; Bob; Bob’s Public Key; Bob’s Private Key]
21
Signatures
Bob knows it was from Alice, since only Alice knows Alice’s Private Key
Non-repudiation: Alice can’t deny signing message (except by claiming her key was stolen!)
Integrity: Bob can’t change message (doesn’t know Alice’s Private Key)
[Diagram labels: Alice; Encrypt; Plaintext; Signed Message; Plaintext; Decrypt; Bob; Alice’s Private Key; Alice’s Public Key]
22
Problems with RSA
About 1000 times slower than symmetric algorithms
– Just use RSA to transfer key, then use AES to encrypt data
Key size (and size of smallest message) must be large for security
– 1024 bits ~ 128 bits for secret key
Public key doesn’t need confidentiality, but does need integrity
23
Key Management
Everyone can know the public key, but to be useful must know it is the owner’s public key.
[Diagram labels: Alice; Encrypt; Decrypt; Plaintext; Ciphertext; Plaintext; Bob’s Public Key; Bob’s Private Key; Really Eve’s Public Key; Hi!; Alice’s Padlock Key; Really Eve’s Padlock]
24
Securing Sensor Networks
25
Sensor Networks
Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly
[Diagram label: High-power base station]
26
Why security for sensor networks is hard
Low power devices
– Public-key algorithms use too much energy
Limited device communication
– Sending messages is extremely expensive
Communication is wireless
– All messages are vulnerable to eavesdropping and forgery
Individual devices easily compromised
– Cheap hardware in hostile territory
27
Control Messages
Operator at base station controls behavior of sensor nodes
[Diagram label: High-power base station]
28
Rogue operator or compromised node should not be able to control behavior of other sensor nodes
[Diagram label: High-power base station]
29
Control Integrity
Needs asymmetry:
– Only base station can send out control messages
– But, every node needs to understand them
Traditional: Asymmetry of Information
– Use public-key encryption: send messages with base’s private key; pre-load all nodes with base’s public key
– Too expensive: nodes would need to receive long messages and do public key decryptions
Instead: asymmetry of time
30
Cryptographic Hash Chains
x → f(x) → f(f(x)) → f(f(f(x)))
Initially store: K_0 = f^4(x)
K_1 = f^3(x), verify f(K_1) = K_0
K_2 = f^2(x), verify f(K_2) = K_1
[Diagram label: time]
f is a one-way function: easy to calculate f(x), but difficult to invert f.
31
µTesla [Perrig et al., 2002]
Initially: sensor nodes know K_0 = f^n(x); base station knows x
Base station messages encrypted using K_1 = f^(n-1)(x)
Nodes store and time stamp messages, but cannot decrypt them (yet)
At time t_1, base station broadcasts K_1
Nodes verify f(K_1) = K_0
Nodes use K_1 to decrypt earlier messages
Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K_1 after K_1 was revealed
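The hash chain and delayed key disclosure from the two slides above, as an added example that is not part of the original talk. It assumes SHA-256 for f, authenticates messages with an HMAC under K_i instead of encrypting them, and assumes K_i is disclosed at time i * interval; `Node`, `make_chain`, `max_skew` and the sample values are hypothetical names for this sketch.

```python
import hashlib
import hmac

def f(key: bytes) -> bytes:
    """One-way function f; SHA-256 is this example's choice, not the slides'."""
    return hashlib.sha256(key).digest()

def make_chain(x: bytes, n: int) -> list:
    """Return [K_0 .. K_n] where K_0 = f^n(x) and f(K_i) == K_(i-1)."""
    chain = [x]
    for _ in range(n):
        chain.append(f(chain[-1]))
    return chain[::-1]

def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

class Node:
    """Sensor node pre-loaded with K_0; K_i is disclosed at time i * interval."""
    def __init__(self, k0: bytes, interval: float, max_skew: float):
        self.key, self.index = k0, 0       # newest authenticated chain key
        self.interval, self.max_skew = interval, max_skew
        self.pending = []                  # (i, message, tag) not yet verifiable

    def receive(self, i: int, message: bytes, tag: bytes, now: float) -> bool:
        # Reject if K_i may already be public: anyone holding it could forge.
        if now + self.max_skew >= i * self.interval:
            return False
        self.pending.append((i, message, tag))
        return True

    def disclose(self, i: int, key: bytes) -> list:
        """Check revealed K_i against the chain; return messages it authenticates."""
        if i <= self.index:
            return []
        k = key
        for _ in range(i - self.index):    # f^(i - index)(K_i) must equal stored key
            k = f(k)
        if not hmac.compare_digest(k, self.key):
            return []
        self.key, self.index = key, i
        good = [m for j, m, t in self.pending
                if j == i and hmac.compare_digest(t, mac(key, m))]
        self.pending = [p for p in self.pending if p[0] != i]
        return good

def demo() -> tuple:
    chain = make_chain(b"constructed secret x", 4)       # base station side
    node = Node(chain[0], interval=10.0, max_skew=1.0)
    cmd = b"constructed command: sample every 5 s"
    on_time = node.receive(1, cmd, mac(chain[1], cmd), now=3.0)
    node.receive(1, b"forged early", mac(b"guess", b"forged early"), now=4.0)
    too_late = node.receive(1, b"forged late", mac(chain[1], b"forged late"), now=10.5)
    return on_time, too_late, node.disclose(1, chain[1])
```

The message forged with a guessed key is stored but dropped at disclosure, and the one forged with the real K_1 is refused because it arrives after K_1 could be public.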
32
Data Integrity
Only data from legitimate nodes should be accepted by the base station
[Diagram label: High-power base station]
33
Node Authentication
Before deployment, establish a shared symmetric secret key between each node and base station: K_NS
Send readings with a MAC: R_A | MAC(K_AS, R_A)
Assumes confidentiality of transmitted readings is not important. We are only concerned with integrity.
34
Authenticated Sensor Net
Each node transmits: N | R_N | MAC(K_NS, R_N)
Base station verifies MAC before accepting R_N.
35
Data Aggregation
If you only care about average, max, etc., aggregate data inside the network instead of sending it to the base station.
36
Authenticated Data Aggregation
[Diagram: nodes A, B, C]
A | R_A | MAC(K_AS, R_A)
B | R_B | MAC(K_BS, R_B)
C | Aggr(R_A, R_B) | MAC(K_CS, Aggr(R_A, R_B))
37
Secure Aggregation
Delayed Aggregation: Only aggregate messages after they have traveled one hop
Delayed Authentication: Use µTesla variation to reveal children’s keys to parents to provide delayed authentication
Lingxuan Hu and David Evans. Secure Aggregation for Wireless Networks. Workshop on Security and Assurance in Ad hoc Networks. January, 2003.
38
Protocol Example
[Diagram: aggregation tree with nodes A, B, C, D, E, F, G]
ID_A | R_A | MAC(K_Ai, R_A)
ID_B | R_B | MAC(K_Bi, R_B)
ID_A | R_A | MAC(K_Ai, R_A) | ID_B | R_B | MAC(K_Bi, R_B) | MAC(K_Ei, Aggr(R_A, R_B))
ID_C | R_C | MAC(K_Ci, R_C) | ID_D | R_D | MAC(K_Di, R_D) | MAC(K_Fi, Aggr(R_C, R_D))
ID_E | Aggr(R_A, R_B) | MAC(K_Ei, Aggr(R_A, R_B)) | ID_F | Aggr(R_C, R_D) | MAC(K_Fi, Aggr(R_C, R_D)) | MAC(K_Gi, Aggr(R_A, R_B, R_C, R_D))
K_Ai is the i-th key in a µTesla key chain starting from K_AS
39
[Diagram: the same tree and messages as on the previous slide, with node H added]
ID_G | Aggr(Aggr(R_A, R_B), Aggr(R_C, R_D)) | MAC(K_Gi, Aggr(R_A, R_B, R_C, R_D)) | … (same from right side) | MAC(K_Hi, Aggr(R_A, R_B, R_C, R_D, ... readings from right side))
40
Abridged Attack Analysis
Intruder Node (no key material)
– Cannot forge sensor readings: they will be detected when the base station reveals the node MAC keys
– Replay attacks ineffective: keys change, can only replay readings within this time period
Compromised Node (all keys on one node)
– Can lie about its own reading
– But, cannot alter other nodes’ readings without getting caught: aggregate will not match calculated aggregate at next level
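The A, B → E → G path of the protocol example and the compromised-node case from the attack analysis, as an added example that is not code from the talk or the cited paper. It assumes Aggr is a sum, builds the 8-byte MAC by truncating HMAC-SHA256, and takes the revealed interval keys as a plain dictionary; all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import struct

def mac(key: bytes, value: int) -> bytes:
    """8-byte MAC over one integer; truncated HMAC-SHA256 is this example's choice."""
    return hmac.new(key, struct.pack(">q", value), hashlib.sha256).digest()[:8]

def aggr(readings) -> int:
    return sum(readings)                 # Aggr is assumed to be a sum here

def leaf_send(node_id: str, reading: int, key: bytes) -> tuple:
    """ID_A | R_A | MAC(K_Ai, R_A)"""
    return (node_id, reading, mac(key, reading))

def parent_forward(child_msgs: list, key: bytes) -> tuple:
    """Delayed aggregation: E forwards its children's messages unaggregated
    and appends MAC(K_Ei, Aggr(R_A, R_B))."""
    return (list(child_msgs), mac(key, aggr(r for _, r, _ in child_msgs)))

def grandparent_verify(parent_id: str, forwarded: tuple, revealed: dict) -> int:
    """G's check once the interval keys K_Xi have been revealed.
    Returns the aggregate, or raises ValueError naming what failed."""
    msgs, parent_tag = forwarded
    for node_id, reading, tag in msgs:
        if not hmac.compare_digest(tag, mac(revealed[node_id], reading)):
            raise ValueError(f"reading from {node_id} fails its MAC")
    total = aggr(r for _, r, _ in msgs)  # aggregate recomputed one hop later
    if not hmac.compare_digest(parent_tag, mac(revealed[parent_id], total)):
        raise ValueError(f"aggregate MAC from {parent_id} does not match")
    return total

def demo() -> tuple:
    keys = {n: f"constructed key {n}".encode() for n in "ABE"}   # K_Ai, K_Bi, K_Ei
    msgs = [leaf_send("A", 21, keys["A"]), leaf_send("B", 23, keys["B"])]
    honest = grandparent_verify("E", parent_forward(msgs, keys["E"]), keys)
    # Compromised E rewrites A's reading and re-MACs the aggregate with its own
    # key, but it cannot produce MAC(K_Ai, 90) because K_Ai is not yet revealed.
    forged = [("A", 90, msgs[0][2]), msgs[1]]
    try:
        grandparent_verify("E", parent_forward(forged, keys["E"]), keys)
        caught = None
    except ValueError as err:
        caught = str(err)
    return honest, caught
```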
41
Successful Attacks
Compromised node selectively drops child readings
– Nothing to prevent this (but unlikely to change much without base station noticing)
– Can use child snooping to catch it earlier
Compromise two consecutive (parent and grandparent) nodes
– Can forge readings for entire subtree
42
Communication Cost
[Chart; axes: Sensor Nodes, Total Kilobytes Transmitted]
Sensor reading: 22 bytes
MAC of message: 8 bytes
Ideal binary network
Secure Aggregation requires about 3 times the amount of data transmission as Insecure Aggregation, but provides integrity with < ½ the cost of no aggregation.
43
Summary
With our protocol, you can get authenticated results without trusting your children at all, and trusting your parents and grandparents not to conspire together against you.
Not trusting your children is reasonable (inexpensive)
Not trusting your parents is expensive: requires over twice the resources of the insecure aggregation protocol
44
Routing Security (Lingxuan Hu’s slide)
45
Wormhole Attack
Tunnel packets received in one place of the network and replay them in another place
The attacker needs no key material, just two transceivers!
46
Impact of Wormhole
[Chart; axes: Fraction of Routes to Base Station Disrupted, Position of Endpoint (x, x); series: Base Station at Corner, Base Station at Center]
47
Preventing Wormhole Attacks
Know your neighbors
Physical Space
– Exploit knowledge about physical space
Redundancy
– Use cooperation to establish trust
Physical properties
– Speed of transmission limits time when another node can hear it
48
Directional Antennas
Operation Modes: Omni and Directional
Lingxuan Hu and David Evans. Using Directional Antennas to Prevent Wormhole Attacks. Network and Distributed System Security Symposium (NDSS), Feb 2004.
49
Antenna Model
Nodes orient themselves using a magnetic compass so zone 1 always faces East.
[Diagram label: East]
50
Directional Neighbor Discovery
1. A → Region: HELLO | ID_A
   Sent by all antenna elements (sweeping)
2. N → A: ID_N | E_{K_NA}(ID_A | R | zone(N, A))
   Sent by zone(N, A) element
   R is a random nonce
3. A → N: R
[Diagram: nodes A and N; antenna zones 1 to 6]
zone(N, A) is the antenna zone in which N hears A
51
[Diagram: nodes A and B; antenna zones 1 to 6]
zone(B, A) = 1
zone(A, B) = 1
zone(x, y) should be opposite zone(y, x)
A and B know they are not really neighbors
zone(N, A) is the antenna zone in which N hears A
52
Sophisticated Wormhole
[Diagram: nodes A and B; antenna zones 1 to 6]
zone(A, B) = 1
zone(B, A) = 4
Wormhole can convince ~1/6 of node pairs they are false neighbors
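The opposite-zone check from the three slides above, as an added example that is not code from the talk or the NDSS paper. It assumes six 60-degree zones with zone 1 centred on East and numbered clockwise, models a wormhole by letting each node hear the other from the direction of the nearby tunnel endpoint, and treats the two observed zones as uniform and independent when counting how many combinations slip through; all names and coordinates are constructed.

```python
import math

ZONES = 6

def zone(receiver, sender) -> int:
    """Antenna zone (1..6) in which `receiver` hears `sender`.
    Assumes 60-degree zones, zone 1 centred on East, numbered clockwise."""
    dx, dy = sender[0] - receiver[0], sender[1] - receiver[1]
    bearing = math.degrees(math.atan2(dy, dx))      # 0 = East, counter-clockwise
    return int(((30.0 - bearing) % 360.0) // 60.0) + 1

def opposite(z: int) -> int:
    return (z + 2) % ZONES + 1                      # 1<->4, 2<->5, 3<->6

def accept_neighbor(zone_n_a: int, zone_a_n: int) -> bool:
    """zone(N, A) must be opposite zone(A, N) for A and N to accept each other."""
    return zone_n_a == opposite(zone_a_n)

def via_wormhole(a, b, end_near_a, end_near_b) -> tuple:
    """Zones measured when A and B only hear each other through a wormhole:
    returns (zone(A, B), zone(B, A)) as seen from the endpoint directions."""
    return zone(a, end_near_a), zone(b, end_near_b)

def fooled_fraction() -> float:
    """Share of (zone(A, B), zone(B, A)) combinations that pass the check."""
    pairs = [(x, y) for x in range(1, ZONES + 1) for y in range(1, ZONES + 1)]
    return sum(accept_neighbor(x, y) for x, y in pairs) / len(pairs)
```

With A at (0, 0) and B at (100, 0), endpoints at (5, 0) and (105, 0) give zones (1, 1) and are rejected, while endpoints at (5, 0) and (95, 0) give (1, 4) and pass, which is the sophisticated case; `fooled_fraction()` returns 1/6.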
53
Verified Neighbor Discovery
Wormhole can only trick nodes in particular locations
Verify neighbors using other nodes
Based on the direction from which you hear the verifier node, and it hears the announcer, can distinguish legitimate neighbor
54
Verifier Region
1. zone (B, A) zone (B, V)
2. zone (B, A) zone (V, A)
3. zone (B, V) cannot be both adjacent to zone (B, A) and adjacent to zone (V, A)
55
Lose some legitimate Neighbors
56
…but small effect on connectivity and routing
Omni density = 3, Directional Density = 9.7
[Chart; axes: Average Path Length, Omnidirectional Node Density; series: Trust Everything, Verified Neighbor Discovery Protocol]
57
Summary
www.cs.virginia.edu/evans/talks/ccsp
Morals:
– Secure aggregation: don’t trust your children, trust your parents and grandparents not to conspire against you
– Wormhole Defenses: know your neighbors, but don’t trust them unless your other neighbors do
CRAB Seminar plug: CS851 Cryptography Applications
Funding: NSF CAREER, NSF ITR