Ad Hoc Sec
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Ad Hoc Sec as PDF for free.
More details
- Words: 1,774
- Pages: 27
Security in ad hoc networks UCLA EE Chris Kurpinski Sungha Kim
Outline Introduction Security Requirements of Wireless Ad-Hoc Networks Typical attacks on Wireless Ad-Hoc Networks Security protocols and methods for ad-hoc networks
Motivation Security is the most often cited concern with wireless networks Wireless networks pose unique security problems Power and computation constraints are often higher in wireless networks, making security requirements different
Requirements for network security
Data confidentiality: keep data secret (usually accomplished by encryption) Data integrity: prevent data from being altered (usually accomplished by encryption) Data freshness: data is recent Weak freshness: provides partial ordering of msgs Strong freshness: provides total ordering and allows for delay estimation
Data availability: data should be available on request Data authentication: verification that the data or request came from a specific, valid sender
Why security on sensors is hard Constrains Peanut CPU (slow computation rate) Battery power: trade-off between security and battery life Limited memory High latency: conserve power, turn on periodically
Nature of wireless ad-hoc network Every node can be a target No trusted peer Decentralized and cooperative participation of all nodes Encryption and authentication cannot eliminate threats No matter how many intrusion prevention measures are inserted in a network, there are always some weak links that one could exploit to break in
Wireless Ad-Hoc Network Security Methods Public-key cryptography overview Public-key cryptography for wireless: Key distribution :Certification Authorities, PGP(Pretty Good Privacy) Imprinting
SPINS SNEP µ TESLA
Intrusion Detection
Public-key cryptography overview Alice chooses a random large integer a and a X = g mod n sends Bob Bob chooses a random large integer b and Y = g b mod n sends Alice Alice computes k = Y a mod n k ' = X b mod n Bob computes ' Both k , k are equal to g ab modn
Public-key cryptography overview Alice a
Bob X
Y
b
?
K
KEY
Key agreement protocol
K’
Imprinting Policy
New nodes are "imprinted" upon un-packaging (birth) with their 'parent' and given a secure key and identity
A node's parent becomes its security admin. and can change its security policy at any time
The initial imprinting should not be sent wirelessly, to avoid imprinting multiple nodes with the same key
A node cannot change parents until it 'dies'
Death can occur at a set time, or can be triggered by the parent (and only by the parent). After death, a node can be imprinted by a new parent.
SPINS: Security Protocols for Sensor Networks A suite of security building blocks developed at UC Berkley Designed for resource-constrained environments and wireless communications Consists of two building blocks, µ TESLA and SNEP SNEP
µ
Data Confidentiality Two-party data authentication Data Integrity Freshness
TESLA authenticated broadcast
SNEP (Sensor Network Encryption Protocol) parties each keep a counter, and Communicating increment it after each block is transmitted. master secret key, K is initially shared between the node Aand base station and is used to derive all other keys Low communication overhead :adds 8 bytes per message security: prevents an eavesdropper from Semantic inferring encrypted data Data authentication: MAC (Message Authentication Code) Freshness: Counter in MAC prevents replaying old Weak messages
SNEP (Contd.) M=MAC(KMAC ,C|E)
represents the Message Authentication Code, where C is the shared counter, E is the encrypted data ({D} ), and KMAC is the MAC key A complete message from node A to node B consists of encrypted data, and a MAC.
A -> B : {D}
, MAC(KMAC , C|{D}
)
The counter in SNEP provides weak freshness, but cannot show that a message was created by B in response to a request from A To achieve Strong Freshness use a pseudo-random number called a nonce Where NA is a nonce from A, and RA is a request from A, our new messages look like this:
A -> B : NA, RA B -> A : {R }
, MAC(K
, NA|C|{RB}
)
µ TESLA
(Timed Efficient Streaming Loss-tolerant Authentication Protocol)
Restricts the number of authenticated senders Discloses the key once per epoch Requires loose time synchronization between base station and nodes µ TESLA Description Each MAC key is a key (K) of a key chain, generated by a public one-way function F, where Kj =F(Kj+1) All blocks sent in a specific time period use the same key Received blocks are stored in a buffer until the associated key is released and verified Any valid key can be used to derive earlier keys, or validate later keys, but cannot be used to derive later keys.
µ TESLA(Contd.) Sender Setup The sender generates a chain of secret keys by choosing
the last key (Kn) randomly, and applying a one-way function F, such that: Kj =F(Kj +1)
Broadcasting Authenticated Packets Time intervals are set, and each key of the key-chain is
associated with an interval. During interval t, the sender uses key Kt to compute the
MAC of all packets. The sender waits for a delay of δ before revealing Kt,
where δ is greater than any reasonable packet round trip time.
µ TESLA(Contd.) Bootstrapping a new receiver Each receiver must have one authentic key of the key
chain, and must know the key disclosure schedule. A new receiver M sends a nonce in the request message
to the sender S. The sender replies with its current time Ts, a key Ki from a
past interval i, the starting time Ti of interval i, the duration Tint of the time intervals, and the disclosure delay δ . M -> S : NM S -> M : Ts| Ki |Ti |Tint |δ , MAC(KMS, NM | Ts| Ki |Ti |Tint |δ )
µ TESLA(Contd.) Authenticating broadcast packets When receiving a new packet, the receiver needs to
check that the key for that interval has not been disclosed yet. This implies that no adversary could have spoofed the contents If this condition is met, the packet is stored. Otherwise it
is dropped As soon as the key Kj of a previous time interval is
received, the receiver checks it against the last authentic key it knows, Ki, by applying the function F. After Kj has been authenticated, Ki is replaced by Kj in
memory, and all the packets that were sent between time intervals i and j can be verified.
µ TESLA(Contd.) What if nodes need to broadcast data? Nodes are limited in CPU and battery resources
Nodes broadcast data through the basestation, using SNEP as an authentication method Nodes broadcast the data, but do not compute the keys. The basestation sends the key to the node as needed. The basestation can also broadcast the key disclosure,
and/or perform the bootstrapping procedure for new nodes.
µ TESLA (Contd.) Implementation Block cipher E performs the
encryption Code space is saved by using
the same function for encryption and decryption Random-number generation
performed by the MAC, and counter C. MAC(Kran, C) Key setup Fk(x)=MAC(K,x)
Evaluation of a protocol based on SPINS
Distributed public key infrastructure Certificates are stored and distributed by users Trust graph G(V,E) where V: users, E: public-key certificates If two vertices u and v are in H, and there is a directed path from u to v in H, then v is v) reachable from u in H. ( u → H S(G,u) : subgraph on G by user u S(G,u,v) : S(G,u) S(G,v) Performance #{(u, v) ∈ V × V : u S → v} ( G ,u , v ) p A (G ) = #{(u , v) ∈ V × V : u → v} G
Infrastructure Improvements Shortcut hunter algorithm: finds the path with the most shortcuts for all outgoing and incoming edges of a given node
Intrusion Detection
Assumptions User and program activities are observable Misuse and anomaly detections are possible locally and in a distributed manner
Problems of IDS (intrusion detection system)
Intrusion Detection (contd) Misuse detection
Uses patterns of well-known attacks to match and identify known intrusions
Accurate and effective
Only works against known attacks
Anomaly detection
Uses established normal usage profiles to detect deviation from the norm
Able to detect new types of attacks
Cannot always describe the nature of an attack
May have a high false positive rate
Intrusion Detection (contd.) Anomaly detection in Wireless Ad-Hoc Detection can be performed at each layer (link layer,
MAC, applications, etc.)
During the learning process, normal network conditions are recorded and used to create a 'normal profile'
If a node detects an intrusion that affects the entire
network, it can initiate a re-authentication process throughout the network, to exclude the malicious nodes If a node detects a local intrusion at a higher layer (e.g.,
one of its services), the lower layers are notified. The lower layer detection modules can investigate and possibly block access from the offending nodes.
Secure Aware Protocol Traditional way RREQ/RREP
SAR Embed security metric into the RREQ packet Ensure intermediate nodes can provide required security Authenticated users belonging to same trust level share a secret key
References SPINS: Security Protocols for Sensor Networks. A Perrig, R. Szewczyk, V. Wen, D. Culler, J.D. Tyger The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks. Frank Stajano, Ross Anderson Intrusion Detection in Wireless Ad-Hoc Networks. Yongguang Zhang, Wenke Lee. The Quest for Security in Mobile Ad-Hoc Networks. Jean-Pierre Hubaux, Levente Buttyan, Srdan Capkun. Ad Hoc Networking Critical Features and Performance Metrics. Madhavi W.Subbarao. Lowering Security Overhead in Link State Routing. Ralf Hauser, Tony Przygienda, Gene Tsudik.
References (Contd) Mitigating Routing Misbehavior in Mobile Ad Hoc Networks. Sergio Marti, T.J.Giuli, Kevin Lai, and Mary Baker. Secure Routing for Mobile Ad Hoc Networks. Panagiotis Papadimitratos and Zygmunt J. Hass. Securing Ad Hoc Networks. Lidong Zhou and Zygmunt J. Haas. Securing-Aware Ad hoc Routing for Wireless Networks. Seung Yi, Prasad Naldurg, and Robin Kravets. RFC2137 Secure Domain Name System Dynamic Update
Outline Introduction Security Requirements of Wireless Ad-Hoc Networks Typical attacks on Wireless Ad-Hoc Networks Security protocols and methods for ad-hoc networks
Motivation Security is the most often cited concern with wireless networks Wireless networks pose unique security problems Power and computation constraints are often higher in wireless networks, making security requirements different
Requirements for network security
Data confidentiality: keep data secret (usually accomplished by encryption) Data integrity: prevent data from being altered (usually accomplished by encryption) Data freshness: data is recent Weak freshness: provides partial ordering of msgs Strong freshness: provides total ordering and allows for delay estimation
Data availability: data should be available on request Data authentication: verification that the data or request came from a specific, valid sender
Why security on sensors is hard Constrains Peanut CPU (slow computation rate) Battery power: trade-off between security and battery life Limited memory High latency: conserve power, turn on periodically
Nature of wireless ad-hoc network Every node can be a target No trusted peer Decentralized and cooperative participation of all nodes Encryption and authentication cannot eliminate threats No matter how many intrusion prevention measures are inserted in a network, there are always some weak links that one could exploit to break in
Wireless Ad-Hoc Network Security Methods Public-key cryptography overview Public-key cryptography for wireless: Key distribution :Certification Authorities, PGP(Pretty Good Privacy) Imprinting
SPINS SNEP µ TESLA
Intrusion Detection
Public-key cryptography overview Alice chooses a random large integer a and a X = g mod n sends Bob Bob chooses a random large integer b and Y = g b mod n sends Alice Alice computes k = Y a mod n k ' = X b mod n Bob computes ' Both k , k are equal to g ab modn
Public-key cryptography overview Alice a
Bob X
Y
b
?
K
KEY
Key agreement protocol
K’
Imprinting Policy
New nodes are "imprinted" upon un-packaging (birth) with their 'parent' and given a secure key and identity
A node's parent becomes its security admin. and can change its security policy at any time
The initial imprinting should not be sent wirelessly, to avoid imprinting multiple nodes with the same key
A node cannot change parents until it 'dies'
Death can occur at a set time, or can be triggered by the parent (and only by the parent). After death, a node can be imprinted by a new parent.
SPINS: Security Protocols for Sensor Networks A suite of security building blocks developed at UC Berkley Designed for resource-constrained environments and wireless communications Consists of two building blocks, µ TESLA and SNEP SNEP
µ
Data Confidentiality Two-party data authentication Data Integrity Freshness
TESLA authenticated broadcast
SNEP (Sensor Network Encryption Protocol) parties each keep a counter, and Communicating increment it after each block is transmitted. master secret key, K is initially shared between the node Aand base station and is used to derive all other keys Low communication overhead :adds 8 bytes per message security: prevents an eavesdropper from Semantic inferring encrypted data Data authentication: MAC (Message Authentication Code) Freshness: Counter in MAC prevents replaying old Weak messages
SNEP (Contd.) M=MAC(KMAC ,C|E)
represents the Message Authentication Code, where C is the shared counter, E is the encrypted data ({D}
A -> B : {D}
, MAC(KMAC , C|{D}
)
The counter in SNEP provides weak freshness, but cannot show that a message was created by B in response to a request from A To achieve Strong Freshness use a pseudo-random number called a nonce Where NA is a nonce from A, and RA is a request from A, our new messages look like this:
A -> B : NA, RA B -> A : {R }
, MAC(K
, NA|C|{RB}
)
µ TESLA
(Timed Efficient Streaming Loss-tolerant Authentication Protocol)
Restricts the number of authenticated senders Discloses the key once per epoch Requires loose time synchronization between base station and nodes µ TESLA Description Each MAC key is a key (K) of a key chain, generated by a public one-way function F, where Kj =F(Kj+1) All blocks sent in a specific time period use the same key Received blocks are stored in a buffer until the associated key is released and verified Any valid key can be used to derive earlier keys, or validate later keys, but cannot be used to derive later keys.
µ TESLA(Contd.) Sender Setup The sender generates a chain of secret keys by choosing
the last key (Kn) randomly, and applying a one-way function F, such that: Kj =F(Kj +1)
Broadcasting Authenticated Packets Time intervals are set, and each key of the key-chain is
associated with an interval. During interval t, the sender uses key Kt to compute the
MAC of all packets. The sender waits for a delay of δ before revealing Kt,
where δ is greater than any reasonable packet round trip time.
µ TESLA(Contd.) Bootstrapping a new receiver Each receiver must have one authentic key of the key
chain, and must know the key disclosure schedule. A new receiver M sends a nonce in the request message
to the sender S. The sender replies with its current time Ts, a key Ki from a
past interval i, the starting time Ti of interval i, the duration Tint of the time intervals, and the disclosure delay δ . M -> S : NM S -> M : Ts| Ki |Ti |Tint |δ , MAC(KMS, NM | Ts| Ki |Ti |Tint |δ )
µ TESLA(Contd.) Authenticating broadcast packets When receiving a new packet, the receiver needs to
check that the key for that interval has not been disclosed yet. This implies that no adversary could have spoofed the contents If this condition is met, the packet is stored. Otherwise it
is dropped As soon as the key Kj of a previous time interval is
received, the receiver checks it against the last authentic key it knows, Ki, by applying the function F. After Kj has been authenticated, Ki is replaced by Kj in
memory, and all the packets that were sent between time intervals i and j can be verified.
µ TESLA(Contd.) What if nodes need to broadcast data? Nodes are limited in CPU and battery resources
Nodes broadcast data through the basestation, using SNEP as an authentication method Nodes broadcast the data, but do not compute the keys. The basestation sends the key to the node as needed. The basestation can also broadcast the key disclosure,
and/or perform the bootstrapping procedure for new nodes.
µ TESLA (Contd.) Implementation Block cipher E performs the
encryption Code space is saved by using
the same function for encryption and decryption Random-number generation
performed by the MAC, and counter C. MAC(Kran, C) Key setup Fk(x)=MAC(K,x)
Evaluation of a protocol based on SPINS
Distributed public key infrastructure Certificates are stored and distributed by users Trust graph G(V,E) where V: users, E: public-key certificates If two vertices u and v are in H, and there is a directed path from u to v in H, then v is v) reachable from u in H. ( u → H S(G,u) : subgraph on G by user u S(G,u,v) : S(G,u) S(G,v) Performance #{(u, v) ∈ V × V : u S → v} ( G ,u , v ) p A (G ) = #{(u , v) ∈ V × V : u → v} G
Infrastructure Improvements Shortcut hunter algorithm: finds the path with the most shortcuts for all outgoing and incoming edges of a given node
Intrusion Detection
Assumptions User and program activities are observable Misuse and anomaly detections are possible locally and in a distributed manner
Problems of IDS (intrusion detection system)
Intrusion Detection (contd) Misuse detection
Uses patterns of well-known attacks to match and identify known intrusions
Accurate and effective
Only works against known attacks
Anomaly detection
Uses established normal usage profiles to detect deviation from the norm
Able to detect new types of attacks
Cannot always describe the nature of an attack
May have a high false positive rate
Intrusion Detection (contd.) Anomaly detection in Wireless Ad-Hoc Detection can be performed at each layer (link layer,
MAC, applications, etc.)
During the learning process, normal network conditions are recorded and used to create a 'normal profile'
If a node detects an intrusion that affects the entire
network, it can initiate a re-authentication process throughout the network, to exclude the malicious nodes If a node detects a local intrusion at a higher layer (e.g.,
one of its services), the lower layers are notified. The lower layer detection modules can investigate and possibly block access from the offending nodes.
Secure Aware Protocol Traditional way RREQ/RREP
SAR Embed security metric into the RREQ packet Ensure intermediate nodes can provide required security Authenticated users belonging to same trust level share a secret key
References SPINS: Security Protocols for Sensor Networks. A Perrig, R. Szewczyk, V. Wen, D. Culler, J.D. Tyger The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks. Frank Stajano, Ross Anderson Intrusion Detection in Wireless Ad-Hoc Networks. Yongguang Zhang, Wenke Lee. The Quest for Security in Mobile Ad-Hoc Networks. Jean-Pierre Hubaux, Levente Buttyan, Srdan Capkun. Ad Hoc Networking Critical Features and Performance Metrics. Madhavi W.Subbarao. Lowering Security Overhead in Link State Routing. Ralf Hauser, Tony Przygienda, Gene Tsudik.
References (Contd) Mitigating Routing Misbehavior in Mobile Ad Hoc Networks. Sergio Marti, T.J.Giuli, Kevin Lai, and Mary Baker. Secure Routing for Mobile Ad Hoc Networks. Panagiotis Papadimitratos and Zygmunt J. Hass. Securing Ad Hoc Networks. Lidong Zhou and Zygmunt J. Haas. Securing-Aware Ad hoc Routing for Wireless Networks. Seung Yi, Prasad Naldurg, and Robin Kravets. RFC2137 Secure Domain Name System Dynamic Update
Related Documents
Ad Hoc Sec
July 2020 3
Ad-hoc
May 2020 14
Ad-hoc
May 2020 7
Ad Hoc Networking
May 2020 5
Securing Ad Hoc Networks
April 2020 20