presented by Luba Yelovich-Sakharuk

presented by Luba Yelovich-Sakharuk
Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks Yih-Chun HuAdrian Perrig David B. Johnson Carnegie Mellon University Carnegie Mellon University Rice University presented by Luba Yelovich-Sakharuk packet 1of 62

Outline Introduction Problem Statement Assumption and Notation
Detecting Wormhole Attacks Geographical Leashes Temporal Leashes Discussion Temporal Leashes and the TIK Protocol Temporal Leash Construction Details Tree-Authenticated Values TIK Protocol Description MAC Layer Considerations Evaluation TIK Performance Security Analysis Comparison Between Geographic and Temporal Leashes Related Work Conclusions

Introduction Problem Statement Assumption and Notation Detecting Wormhole Attacks Geographical Leashes Temporal Leashes Discussion Temporal Leashes and the TIK Protocol Temporal Leash Construction Details Tree-Authenticated Values TIK Protocol Description MAC Layer Considerations Evaluation TIK Performance Security Analysis Comparison Between Geographic and Temporal Leashes Related Work Conclusions

Introduction What is a wormhole attack? Attacker records a packet at one location in the network, tunnels the packet to another location, and replays it there. What is a leash? Any information added to a packet designed to restrict the packet’s maximum allowed transmission distance What is a packet leash? A general mechanism to detect a wormhole attack. What are geographic and Two types of leashes presented in temporal leashes? this paper. What is TIK ? An efficient authentication protocol designed for use with temporal leashes

Problem Statement The wormhole attack is particularly dangerous against: ad hoc network routing protocols in which the nodes that hear a packet transmission directly from some node consider themselves to be a neighbor of that node DSR, AODV - use Route Request for route discovery DSDV, OLSR, TBRPF - rely on the reception of broadcast packets for neighbor detection OLSR and TBRPF use HELLO packets to detect neighbors any wireless access control system - an attacker could relay the authentication exchanges to gain unauthorized access

Example of Route Discovery Mechanism

O DSR - Dynamic Source Routing AODV - Ad Hoc On-Demand Distance Vector
Route Discovery: 1) flood Route request message through network 2) request answered with route reply by -destination -some other node that knows a path to destination reply: “{A,B,C,D,E}” “{A}” “{A,B}” “{A,B, C}” “{A,B, C,D}” A B C D E Wormhole attack: “{A}” O A B C D E reply: “{A,O}” attacker “{A,O}”

OLSR - Optimized Link State Routing
Each node in the network selects a set of nodes (MPRs) in its neighborhood to retransmit its packets The set of selected neighbor nodes are called multipoint relays (MPRs) The neighbors of any Node N which are not in its MPR set, read and process the packet but do not retransmit the broadcast packet received from node N. Each node periodically broadcasts its HELLO messages, containing the information about its neighbors and their link status. HELLO messages received by all one-hop neighbors, but they are not relayed to further nodes. N

MRP selection in OLSR Node 1 Hop Neighbors 2 Hop Neighbors MPR(s)
B A,C,F,G D,E C Multipoint relays (MPRs) are selected to broadcast messages during the flooding process 10 of 62

TBRPF - Topology Broadcast Based on Reverse-Path Forwarding
TBRPF is a proactive routing protocol like OLSR and DSDV Each node computes a source tree to all reachable nodes Each node reports only part of its source tree to neighbors TBRPF uses “differential” HELLO messages which report only changes in the status of neighbors

O O OLSR and TBRPF use HELLO packets to detect neighbors HELLO A HELLO
attacker A and B will believe they are neighbors, which will cause the routing protocol to fail to find routes. HELLO HELLO HELLO O B attacker HELLO

O O DSDV - Destination-Sequenced Distanced Vector A (for n=2, 6 hops),
If (best existing route >= 2n +2 hops) { Then any node within n hops of A, would be unable to communicate with B and vise versa. } A routing advertisement O attacker routing advertisement (for n=2, 6 hops), 2 Nodes O and 2 are within 2 hops of A routing advertisement routing advertisement 3 Nodes O and 4 are within 2 hops of B A and B believe they are neighbors 4 if A and B were not within wireless transmission range of each other, they would be unable to communicate routing advertisement O B attacker routing advertisement

O O DSDV - Destination-Sequenced Distanced Vector (B, 1) A
Contradicts the premise that the best REAL route from A to B is at least 2n +2 hops long O attacker (B, 2) Hear n+1 to B C 3 3 hops is better than 4, will use A to get to B 4 O B attacker

Assumption and Notation
Beyond the scope of this paper: Security attacks on the wireless network’s physical layer Denial-of-Service attacks against MAC layer protocols Assumptions The wireless network may drop, corrupt, duplicate, or reorder packets MAC layer contains level of redundancy to detect randomly corrupted packets Nodes in the network may be resource constrained Node can obtain an authenticated key for the other node TIK - TESLA with Instant Key Disclosure Uses only efficient symmetric cryptography (block ciphers and hash functions) Like public keys in systems using asymmetric cryptography (digital signatures), these keys in TIK are public values(once disclosed).

Detecting Wormhole Attacks
Packet leash is general mechanism to detect a wormhole attack. Leash is any information added to a packet designed to restrict the packet’s maximum allowed transmission distance Geographical leash insures that the recipient of the packet is within a certain distance from the sender. Temporal leash ensures that the packet has an upper bound of its lifetime (restricts the maximum travel distance). Not allowed further BUSTED packet

Geographical Leashes tr ts - - - - - - - - - - - - - - -
Sender Receiver tr ts Ps Pr Ps ts Ps ts dsr  ||Ps - Pr|| + 2v*(tr - ts +  ) +  Ps - location of the Sender Pr - location of the Receiver ts - time at which Sender sent the packet tr - time at which Receiver received the packet v - velocity of any node  - maximum relative error in location information -error in the clocks synchronization Note: Any authentication technique can be used to allow a receiver to authenticate the location and timestamp in the received packets 20 of 62

  - must be known by all nodes in the network Temporal Leashes minus
maximum Based on T and the speed of light, I can detect if the packet traveled too far sender’s receiver’s  - must be known by all nodes in the network tr - ts = T Sender Receiver ts ts Note: As with geographical leashes, a regular digital signature or other authentication technique can be used to allow a receiver to authenticate a timestamp or expiration time in the received packets

  - must be known by all nodes in the network Temporal Leashes minus
If te expired, I will not except the packet! minus maximum sender’s receiver’s  - must be known by all nodes in the network Sender Receiver te te te is Expiration time, after which the Receiver should not accept the packet te is set as an offset from the time at which packet is send. te is based on the allowed maximum transmission distance and the speed of light

Discussion An advantage of geographical leashes over temporal leashes:
time synchronization can be much looser attacker can be caught if it pretends to reside at multiple locations A potential problem with leashes using a timestamp in a packet, the sender may not know the precise time at which it will transmit the packet The sender will know the time one slot (20s) prior to transmission Generating a digital signature, could take 10 ms (RSA with 1024-bit key) Two approaches to hide the signature generation latency: increase minimum transmission unit to allow computation to overlap with transmission use more efficient signature scheme such as Schnorr’s signature

Temporal Leashes and the TIK Protocol
Discussion of temporal leashes in more detail Design and operation of TIK protocol that implements temporal leashes te or ts

Temporal Leash Construction Details
tr < te? If so, I will process the packet. If not, I will drop it! Temporal Leash Construction Details Sender te = ts + L/ c -  Receiver te te c - propagation speed of our wireless signal L - temporal leash prevents the packet from travelling further than distance L, L > Lmin =  * c ts - time at which Sender sent the packet tr - time at which Receiver received the packet te - expiration timer -error in the clocks synchronization Receiver needs to authenticate the expiration time: Sender S and Receiver R must share a secret key K To send a message M to a receiver R, S sends: S R:  M, HMACK (M) , where HMACK (M) represents the message authentication code computed over message M with key K

30 of 62 Two major drawbacks in using message authentication codes in the standard: 1 Key setup is an expensive operation n(n-1)/2 keys in network with n nodes 2 This approach can not efficiently authenticate broadcast packets To secure a broadcast packet, add to the packet separate message authentication code - makes packet extremely large Separate HMAC can be avoided by multiple receivers sharing the same key, BUT it might allow colluding receivers to impersonate the sender

SOLUTION to the two major drawbacks:
Attach a digital signature to each packet Each node needs to have only one public-private key pair Each node needs to know only the public key for every other node Only n public keys need to be distributed in a network with n nodes A digital signature provides non-repudiation and authentication for broadcast packet the same way as for unicast packets

Several drawbacks in using digital signatures:
Usually digital signature are based on computationally expensive asymmetric cryptography Computationally expensive for the verifier (receiver) Overwhelmingly expensive for the signer (sender) $ $ $ $ $ $ $ $ $ $ $ $ $ Solution: Designed TIK protocol, based on a new protocol for efficient broadcast authentication that simultaneously provides the functionality of a temporal leash

Tree-Authenticated Values
TIK requires an efficient mechanism for authenticating keys Values from a one-way hash chain are very efficient to verify, but only if values in sequence For the TIK, values used very sparsely One-way hash function is efficient to compute, but computation requires overhead Tree structure is used for more efficient authentication of values

“blind” all the values with a one-way hash function H, v’i = H(vi)
To authenticate v0, v1, …vw-1, place them a leaf nodes of a binary tree “blind” all the values with a one-way hash function H, v’i = H(vi) Use Merkle hash tree construction to commit to the values v’0, ... v’w-1 Each internal node of the binary tree is derived from its two child nodes m_parent = H(m_left || m_right) Example: Sender want to authenticate key v2 It includes values v’3, m01, m47 Receiver with an authentic root value m07 verify that H[ H[m01 || H[H[v2] || v’3]] || m47] == stored m07 If the verification successful, the receiver knows that v2 is authentic m07 m03 m23 v'2 H[ || m47 ] H [m01 || ] H[ || v’3 ] H[v2]

Hash Tree Optimization
In TIK, the depth of the hash tree can be large Storing the entire tree is impractical Store only the upper layers of the tree, recompute lower layer on demand Node keeps two trees of depth d, one fully computed and being used one being filled in

Compute calculation and storage cost for the hash tree used in TIK
D = depth of the tree = 4 ; d = depth of part of the tree recomputed on demand 1 2 3 4 The initial computation of the tree requires 2^(D-1) evaluations of the RPF = 8 2^D -1 evaluations of the hash functions = 15 Total storage is given by 2^(D-d+1) (2^d -1) Value of d that minimizes the total storage is D/2 = 2

TIK Protocol Description
TIK - TESLA with Instant Key Disclosure (extension of the TESLA broadcast authentication protocol) TIK implements a temporal leash and enables the receiver to detect a wormhole attack TIK is based on efficient symmetric cryptographic primitives TIK requires accurate time synchronization between all communicating parties TIK requires each communicating node to know just one public value for each sender FOUR stages in TIK protocol: Sender setup Receiver bootstrapping Sending and Verifying Authenticated packets

To derive a series of keys K0, K1, …, Kw :
Sender Setup To derive a series of keys K0, K1, …, Kw : Ki = Fx (i), where F is a pseudo-random function, x is a secret master key Advantage of this method, sender can efficiently access key in any order Computationally intractable for an attacker to find the master secret key x derive a Ki without x To construct F, can use pseudo-random permutation (block cipher) message authentication code 40 of 62

More on Sender Setup Sender selects a key expiration interval I Determines a schedule for each of it’s keys to expire K0 expires at T0, K1 expires at T1 = T0 + I, Ki expires at Ti = Ti-1 + I= T0 + i*I Sender constructs the Merkle hash tree to commit K0, K1, …, Kw-1 The root of the resulting hash tree is m0,w-1, or simply m The value m commits to all keys and is used to authenticate any leaf key efficiently!

Receiver Bootstrapping
Assume all nodes have synchronized clocks with max synch error  Assume each receiver knows every sender’s hash tree root m associated parameters To and I This info is sufficient for the receiver to authenticate any packets from the sender  minus maximum sender’s receiver’s

Sending and Verifying Authentication Packets
Sender sends a Packet P Estimates upper bound tr on the arrival time of the HMAC at the receiver Based on tr, sender picks a key Ki, Ti > tr +  Sender Receiver - -key expired - - Ki , v’3, m01, m47 HMAC Sender discloses the key only after it expires No attacker can know Ki Once the receiver gets the authentic key Ki, it can authenticate all packets that carry a message authentication code computed with Ki

Message authentication is delayed
Drawback Message authentication is delayed Receiver must wait for the key before it can authenticate the packet If nodes are tightly time synchronized, possible to remove authentication delay Sender can disclose the key in the same packet that carries the corresponding message authentication code

Sending and Receiving of a TIK packet
M - message payload T - tree authentication values Ki - key used to generate the HMAC The TIK packet is transmitted by S as S R: HMACKi (M),M,T,Ki 

MAC Layer Considerations
TDMA MAC protocol may be able to choose the time at which a frame begins transmission The HMAC is sent by Ti -r/c -2 Minimum payload length is r/c + 2 times the bit rate of transmission If MAC protocol uses Request-to-Send/Clear-to-Send (RTS/CTS) handshake, minimum packet size can be reduced by carrying HMAC inside RTC frame. AB: (RTC, HMACKi (M)) BA: (CTS) AB: (DSTS, M, tree values, Ki) Minimum message size is just (2 +I +2tturn) * transmission data rate, instead of r/c + 2 +I (I is the duration of a time interval, tturn is minimum allowed time between receiving a control frame)

Evaluation Is TIK good?

50 of 62 Introduction Problem Statement Assumption and Notation
Detecting Wormhole Attacks Geographical Leashes Temporal Leashes Discussion Temporal Leashes and the TIK Protocol Temporal Leash Construction Details Tree-Authenticated Values TIK Protocol Description MAC Layer Considerations Evaluation TIK Performance Security Analysis Comparison Between Geographic and Temporal Leashes Related Work Conclusions

TIK Performance Pentium III 1GHz 1.3 million Compaq iPaq Linux 222,000
Measured computational power and memory currently available in mobile devices Optimized MD5 hash code from ISI to achieve maximum performance for hashing hashes/second Pentium III 1GHz 1.3 million Compaq iPaq Linux 222,000 3870 PocketPC Can also be efficiently implemented in hardware 20k gate ASIC (1/3 complexity 1.9 million of Bluetooth, <1/3 IEEE Xilinx FPGA using 1650 LUTs 1.0 million In terms of memory consumption iPaq MB Flash, 64 MB of RAM Modern notebooks s of Mbytes of RAM

transmission data rate of 108 Mbps range of 250 m
IEEE a card: transmission data rate of 108 Mbps range of 250 m To authenticate a received packet, a node needs to perform 33 hashes To keep up wit link speed, a node needs to verify pack at most 25.9 s Requiring 1,273,000 hashes per second For a total computational requirement of 1,516,000 hashes per second Can be achieved today in hardware by: placing two MD5 units on a singe FPGA board with an ASIC Many laptops today are equipped with at least 1.2 GHz Pentium III CPU’s which should be able to perform 1.5 million hash operation per second

transmission data rate of 11Mbps range of 250 m
IEEE b cards: transmission data rate of 11Mbps range of 250 m Assuming node generates each new tree while using its current tree, it requires just 2.6 Mbytes of storage and needs to perform just 26,500 operations per sec To authenticate a received packet, a node needs to performs 30 hash functions TIK would take at least 232 s to transmit TIK can authenticate packets using 13,000 hashes per second for a total of 39,500 hash function per second. 39,500 hash function per second is well within the capability of an iPaq, with 82% of its CPU time to spare!!!

In a sensor network (Hollar et al’s weC mote), nodes may only be
able to achieve: time synchronization accurate to 1s have a 19.6 kbps link speed 20m range In this case, the smallest packet that can be authenticated is 4900 bytes weC mote does not have sufficient memory to store this packet TIK is unusable in such a resource-scarce system The level of time synchronization in this system is such that TIK could not provide a usable wormhole detection system

Security Analysis A malicious receiver can refuse to check: leash
authentication on a packet This may allow an attacker to tunnel a packet to another attacker without detection Second attacker cannot retransmit the packet without getting caught A malicious sender can claim a false timestamp or location When geographic leashes are used in conjunction with digital signatures, nodes may be able to detect a malicious node and spread that information to other nodes. This attack is equivalent to the malicious sender sharing its keys with the wormhole attacker

Comparison Between Geographic and Temporal Leashes
pros cons highly efficient, especially when used with TIK tight time synchronization can not be used if max range < c  (c is the speed of light,  is max clock sync error) Geographical Leashes pros cons can be used in conjunction with radio require more general broadcast propagation model, allowing them to detect authentication mechanism tunnels through obstacles increasing computation, overhead do not require tight time synchronization location info increases overhead can be used until maximum range is < 2v (v is the max movement speed of any node)

Related Work 60 of 62 Radio Frequency (RF) water marking (difficult to assess its security) No work has been published regarding possibility of using intrusion detection to detect wormhole attacks TIK provides advantage over hop-by-hop authentication with TESLA (latency and packet overhead, but byte overhead suffers) IEEE i Task Group is designing modifications to IEEE to improve security (proposals don’t address wormhole attack) Other Medium Access Control protocols specify privacy and authenticity mechanisms (none protect against wormhole attacks)

Conclusions Wormhole attack Packet leashes
Geographic and Temporal leashes TIK 62

presented by Luba Yelovich-Sakharuk

Similar presentations

Presentation on theme: "presented by Luba Yelovich-Sakharuk"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

presented by Luba Yelovich-Sakharuk

Similar presentations

Presentation on theme: "presented by Luba Yelovich-Sakharuk"— Presentation transcript:

Similar presentations

About project

Feedback