Presentation is loading. Please wait.

Presentation is loading. Please wait.

7/13/2007 AIIT Summer Course - F2 Security 1 Wireless Embedded Systems and Networking Foundations of IP-based Ubiquitous Sensor Networks WSN Security David.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "7/13/2007 AIIT Summer Course - F2 Security 1 Wireless Embedded Systems and Networking Foundations of IP-based Ubiquitous Sensor Networks WSN Security David."— Presentation transcript:

1 7/13/2007 AIIT Summer Course - F2 Security 1 Wireless Embedded Systems and Networking Foundations of IP-based Ubiquitous Sensor Networks WSN Security David E. Culler University of California, Berkeley Arch Rock Corp. July 9-13, 2007 * Much of this material based on work by David Wagner, UC Berkeley

2 7/13/2007AIIT Summer Course - F2 Security2 Learn From History… analog cellphones: AMPS1980 1990 2000 analog cloning, scanners  fraud pervasive & costly digital: TDMA, GSM TDMA eavesdropping [Bar] more TDMA flaws [WSK] GSM cloneable [BGW] GSM eavesdropping [BSW,BGW] Future: 3 rd gen.: 3GPP, … cellphones 802.11, WEP 2001 2002 WEP broken [BGW] WEP badly broken [FMS] WPA 2000 1999 Future: 802.11i 2003  attacks pervasive wireless networks Berkeley motes 2002 TinyOS 1.0 TinyOS 1.1, TinySec 2003 sensor networks Let’s get it right the from the start 802.15.4 AES AR TinyOS 2 AES

3 7/13/2007AIIT Summer Course - F2 Security3 Sensor Network Security What’s different about sensor nets? Stringent resource constraints Insecure wireless networks No physical security Interaction with the physical environment Back to the 90’sNewBack to the 70’s

4 7/13/2007AIIT Summer Course - F2 Security4 Communications Security “It doesn’t matter how good your crypto is if it is never used.”

5 7/13/2007AIIT Summer Course - F2 Security5

6 7/13/2007AIIT Summer Course - F2 Security6

7 7/13/2007AIIT Summer Course - F2 Security7

8 7/13/2007AIIT Summer Course - F2 Security8 TinySec Design Philosophy The lesson from 802.11: Build crypto-security in, and turn it on by default! TinySec Design Goals: 1. Encryption turned on by default 2. Encryption turned on by default 3. Encryption turned on by default  Usage must be transparent and intuitive  Performance must be reasonable 4. As much security as we can get, within these constraints

9 7/13/2007AIIT Summer Course - F2 Security9 TinySEC Challenges Must avoid complex key management –TinySec must be super-easy to deploy Crypto must run on wimpy devices –We’re not talking 2GHz P4’s here! –Dinky CPU (1-4 MHz), little RAM (  256 bytes), lousy battery –Public-key cryptography is right out Need to minimize packet overhead –Radio is very power-intensive: 1 bit transmitted  1000 CPU ops –TinyOS packets are  28 bytes long –Can’t afford to throw around an 128-bit IV here, a 128-bit MAC there Today: AES128 in hardware. 802.15.4 defines the frame – with the crypto. Main issue is key management

10 7/13/2007AIIT Summer Course - F2 Security10 Easy Key Management networ k base station k k k k k k Making key management easy: global shared keys

11 7/13/2007AIIT Summer Course - F2 Security11 Be Easy to Deploy Making deployment easy: plug-n-play crypto + link-layer security SecureGenericComm App Radio GenericComm App Radio

12 7/13/2007AIIT Summer Course - F2 Security12 Perform Well on Tiny Devices Use a block cipher for both encryption & authentication Skipjack is good for 8-bit devices; low RAM overhead Radio Stack [MicaHighSpeedRadioM/ CC1000RadioIntM] TinySecM CBC-ModeM SkipJackM CBC-MACM

13 7/13/2007AIIT Summer Course - F2 Security13 Minimize Packet Overhead Minimize overhead: cannibalize, cheat, steal dest AM IV len dataMAC 2141 4 Encrypted MAC’ed Key Differences No CRC -2 bytes No group ID -1 bytes MAC +4 bytes IV +4 bytes Total: +5 bytes

14 7/13/2007AIIT Summer Course - F2 Security14 Tricks for Low Overhead CBC mode encryption, with encrypted IV –Allows flexible IV formatting: 4 byte counter, + cleartext hdr fields (dest, AM type, length); gets the most bang for your birthday buck –IV robustness: Even if IV repeats, plaintext variability may provide an extra layer of defense –Ciphertext stealing avoids overhead on variable-length packets CBC-MAC, modified for variable-length packets –Small 4-byte MAC trades off security for performance; the good news is that low-bandwidth radio limits chosen-ciphertext attacks –Can replace the application CRC checksum; saves overhead On-the-fly crypto: overlap computation with I/O

15 7/13/2007AIIT Summer Course - F2 Security15 More Tricks & Features Early rejection for packets destined elsewhere –Stop listening & decrypting once we see dst addr  us Support for mixed-mode networks –Interoperable packet format with unencrypted packets, so network can carry both encrypted + unencrypted traffic –Crypto only where needed  better performance –Length field hack: steal 2 bits to distinguish between modes Support fine-grained mixed-mode usage of TinySec –Add 3 settings: no crypto, integrity only, integrity+secrecy –These come with performance tradeoffs –Select between settings on per-application or per-packet basis

16 7/13/2007AIIT Summer Course - F2 Security16 More Performance Tricks App-level API for end-to-end encryption –TinySec focuses mainly on link-layer crypto, but end-to-end crypto also has value –End-to-end secrecy enables performance optimizations (don’t decrypt & re-encrypt at every hop), enables more sophisticated per- node keying, but incompatible with in-network transformation and aggregation; thus, not always appropriate –End-to-end integrity less clear-cut, due to DoS attacks

17 7/13/2007AIIT Summer Course - F2 Security17 TinySec: Status Design + implementation stable Released in TinyOS 1.1 –Integration with RFM & Chipcon radio stacks; supports nesC 1.1 –Simple key management; should be transparent Widely used for research. Basis for much of the WSN security research.

18 7/13/2007AIIT Summer Course - F2 Security18 TinySec Evaluation Wins: Performance ok Integration seems truly easy Neutral: Out of scope: per-node keying, re-keying, sophisticated key mgmt; PKI; secure link-layer ACKs No security against insider attacks; What if a node is captured, stolen, or compromised? Losses: Not turned on by default in TinyOS.  Not turned on in TinyOS 2.0…

19 7/13/2007AIIT Summer Course - F2 Security19 AES128 Era Almost all IEEE 802.15.4 radios provide AES-128 in hardware –except Atmel RF230 Encryption and Authentication ON BY DEFAULT in AR TinyOS2.0-based Primer Pack / IP Completely transparent under UDP/TCP over 6LoWPAN Simple network-wide key established through secure physical exchange at commissioning. –Key transferred over wired USB –Physical proximity and security –Stored in config flash

20 7/13/2007AIIT Summer Course - F2 Security20 AES128 Block Cypher KeyExpansion using Rijndael's key scheduleRijndael's key schedule Initial Round –AddRoundKey Rounds –SubBytes — a non-linear substitution step where each byte is replaced with another according to a lookup table.lookup table –ShiftRows — a transposition step where each row of the state is shifted cyclically a certain number of steps. –MixColumns — a mixing operation which operates on the columns of the state, combining the four bytes in each column –AddRoundKey — each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.key schedule Final Round (no MixColumns) –SubBytes –ShiftRows –AddRoundKey

21 7/13/2007AIIT Summer Course - F2 Security21 IEEE 802.15.4 AES128 Four modes –NULL –AES-CTR: Confidentiality –AES-CBC-MAC: Authentication –AES-CCM: Encryption and Authentication Packet Formats ACL entries

22 7/13/2007AIIT Summer Course - F2 Security22 Replay protection NONCE used to prevent replay attacks –Each packet must be “newer” than ones previously received

23 7/13/2007AIIT Summer Course - F2 Security23 Vulnerability Analysis Multiple ACLs a potential problem –If they share Key and Counter, combining packets intended for distinct destinations can reveal content. –Simple ACL management (network wide) Nonce state across power cycling

24 7/13/2007AIIT Summer Course - F2 Security24 II. Communications Security: What Crypto Can’t Do “If it’s provably secure, it’s probably not.” -- Lars Knudsen

25 7/13/2007AIIT Summer Course - F2 Security25 Limitations of Crypto Can’t prevent traffic analysis Can’t prevent re-transmitted packets Can’t prevent replayed packets Can’t prevent delayed packets Can’t prevent packets from being jammed Can’t prevent malicious insiders, captured nodes Crypto is not magic fairy dust; It won’t magically make insecure services secure.

26 7/13/2007AIIT Summer Course - F2 Security26 Isn’t Crypto All We Need? Crypto doesn’t automatically make X secure, where: X = network programming –Attacker could replay old programs X = time synchronization –Attacker could delay beacon packets, propagating wrong timing X = routing –Some attacks on next slide X = localization –Attack in three slides X = aggregation –Attacks after a few more slides

27 7/13/2007AIIT Summer Course - F2 Security27 Example: Attacks on Routing Hello flood attack: Broadcast really loudly; then everyone will think you are near them. Wormhole attack: Tunnel packets from one part of the network and replay them in a different part.

28 7/13/2007AIIT Summer Course - F2 Security28 Protocols analyzed in [KW03] ProtocolRelevant attacks TinyOS beaconingBogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods Directed diffusion and multipath variant Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods Geographic routing (GPSR,GEAR) Bogus routing information, selective forwarding, Sybil Minimum cost forwardingBogus routing information, selective forwarding, sinkholes, wormholes, HELLO floods Clustering based protocols (LEACH,TEEN,PEGASIS) Selective forwarding, HELLO floods Rumor routingBogus routing information, selective forwarding, sinkholes, Sybil, wormholes Energy conserving topology maintenance Bogus routing information, Sybil, HELLO floods

29 7/13/2007AIIT Summer Course - F2 Security29 Secure Location Services For more details: see the Echo protocol [SSW03], a secure protocol for location verification Applications: location-based access control

30 7/13/2007AIIT Summer Course - F2 Security30 IV. Tolerating Malicious Data: Resilient Aggregation

31 7/13/2007AIIT Summer Course - F2 Security31 An Example networ k base station Computing the average temperature 67° 64° 69° 71° 68° f ( 67°, …, 68°) where f (x 1, …, x n ) = (x 1 + … + x n ) / n

32 7/13/2007AIIT Summer Course - F2 Security32 An Example + An Attack networ k base station Computing the average temperature 67° 64° 69° 71° 68° f ( 67°, …, 1,000°) where f (x 1, …, x n ) = (x 1 + … + x n ) / n 1,000° result is drastically affected

33 7/13/2007AIIT Summer Course - F2 Security33 Statistical Theory First, some background: –Let D(Θ) be a parametrized distribution on  (Θ = param), X = (X 1, …, X n ) denotes n samples from D(Θ) –f :  n →  is an estimator if Θ’ = f (X) is an estimate of Θ –The root mean square error of an estimator f is rms(0) = E[(Θ’ – Θ) 2 ] 1/2 Next, a novel defense: resilient aggregation –A k-node attacker A is a function A:  n →  n that changes only k of its inputs. Let Θ* = f (A(X)), rms(k) = max A E[(Θ* – Θ) 2 ] 1/2 –Definition: f is (k, α)-resilient if rms(k) ≤ α  rms(0) –E.g.: the “average” is an estimator, but it is not (1, α)-resilient for any constant α

34 7/13/2007AIIT Summer Course - F2 Security34 Relevance of Resilience Intuition –The (k, α)-resilient functions are exactly the ones that can be meaningfully and securely computed in the presence of k malicious insiders. Formalism –(see paper)

35 7/13/2007AIIT Summer Course - F2 Security35 Results (excerpts) f… is (k, α)-resilient, where minimumα = ∞ maximumα = ∞ sumα = ∞ averageα = ∞ average, discarding 5% outliers α ≈ 6.28 k /n for k 0.05 n medianα ≈ 0.32 k for k < 0.5 n maxα = ∞ count α  0.25 k /n (assuming n independent Gaussian/Bernoulli distributions)

36 7/13/2007AIIT Summer Course - F2 Security36 Hard: In-Network Resilient Agg. networ k In-network aggregation introduces new security challenges 2 4 1011 2

37 7/13/2007AIIT Summer Course - F2 Security37 Hard Problems Communication security –Defeating traffic analysis; spread spectrum for real? A library of secure distributed services & protocols Security against node compromise/capture –e.g., routing that can tolerate just one malicious insider? –Byzantine attack tolerance, on the cheap? Privacy

38 7/13/2007AIIT Summer Course - F2 Security38 Summary Crypto helps, but isn’t a total solution –Be aware of the systems tradeoffs Seek robustness against insider attack –Resilience gives a way to think about malicious/captured nodes –The law of large numbers is your friend

Download ppt "7/13/2007 AIIT Summer Course - F2 Security 1 Wireless Embedded Systems and Networking Foundations of IP-based Ubiquitous Sensor Networks WSN Security David."

Similar presentations

TinySec: Security for TinyOS C. Karlof, N. Sastry, D. Wagner November 20, 2002.

TinySec: Security for TinyOS C. Karlof, N. Sastry, D. Wagner November 20, 2002.
Chris Karlof and David Wagner

Chris Karlof and David Wagner
Jason Li Jeremy Fowers. Background Information Wireless sensor network characteristics General sensor network security mechanisms DoS attacks and defenses.

Jason Li Jeremy Fowers. Background Information Wireless sensor network characteristics General sensor network security mechanisms DoS attacks and defenses.
Cellphone Security David Wagner U.C. Berkeley. Cellular Systems Overview  Cellphone standards from around the world: North America AnalogAMPS DigitalCDMA,

Cellphone Security David Wagner U.C. Berkeley. Cellular Systems Overview  Cellphone standards from around the world: North America AnalogAMPS DigitalCDMA,
Trust relationships in sensor networks Ruben Torres October 2004.

Trust relationships in sensor networks Ruben Torres October 2004.
Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures Chris Karlof David Wagner University of Califonia at Berkeley Paper review and.

Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures Chris Karlof David Wagner University of Califonia at Berkeley Paper review and.
Authors : Chris Karlof, David Wagner Presenter : Shan Bai Secure Routing in Wireless Sensor Networks : Attacks and Countermeasures.

Authors : Chris Karlof, David Wagner Presenter : Shan Bai Secure Routing in Wireless Sensor Networks : Attacks and Countermeasures.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Secure Routing in Wireless Sensor Network Soumyajit Manna Kent State University 5/11/2015Kent State University1.

Secure Routing in Wireless Sensor Network Soumyajit Manna Kent State University 5/11/2015Kent State University1.
Introduction to Sensor Networks Rabie A. Ramadan, PhD Cairo University 4.

Introduction to Sensor Networks Rabie A. Ramadan, PhD Cairo University 4.
Wireless Security Why Swiss-Cheese Security Isn’t Enough David Wagner University of California at Berkeley.

Wireless Security Why Swiss-Cheese Security Isn’t Enough David Wagner University of California at Berkeley.
Wireless Security David Wagner University of California at Berkeley.

Wireless Security David Wagner University of California at Berkeley.
TinySec: Security for TinyOS Chris Karlof Naveen Sastry David Wagner January 15, 2003

TinySec: Security for TinyOS Chris Karlof Naveen Sastry David Wagner January 15, 2003
TinySec: A Link Layer Security Architecture for Wireless Sensor Networks C. Karlof, N. Sastry, D. Wagner SPINS: Security Protocol for Sensor Networks A.

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks C. Karlof, N. Sastry, D. Wagner SPINS: Security Protocol for Sensor Networks A.
1-1 CMPE 259 Sensor Networks Katia Obraczka Winter 2005 Security.

1-1 CMPE 259 Sensor Networks Katia Obraczka Winter 2005 Security.
Exploring timing based side channel attacks against 802.11i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction

Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Seetha Manickam.

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Seetha Manickam.
Internetworking Different networks –Different bit rates –Frame lengths –Protocols.

Internetworking Different networks –Different bit rates –Frame lengths –Protocols.
Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.

Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.
Security Issues In Sensor Networks By Priya Palanivelu.

Security Issues In Sensor Networks By Priya Palanivelu.

Similar presentations

Ads by Google