Thoughts on the Formal Modeling of Security of Sensor Networks Catherine Meadows Center for High...
-
date post
20-Dec-2015 -
Category
Documents
-
view
214 -
download
0
Transcript of Thoughts on the Formal Modeling of Security of Sensor Networks Catherine Meadows Center for High...
Thoughts on the Formal Modeling of Security of
Sensor NetworksCatherine Meadows
Center for High Assurance Computer Systems
Naval Research LaboratoryWashington, DC
Outline of Talk
• Brief introduction to sensor networks• Brief introduction to standard Dolev-Yao notion
of protocol correctness• In-depth discussion of how assumptions behind
sensor network security differ from Dolev-Yao notions
• Some examples– Chose examples as different from DY-type
protocols as possible in order to illustrate points• Some suggestions for future research
What is a Sensor Network?
• Network of sensors and other devices communicating by wireless technology
• Responsible for gathering and coordinating data, and communicating it to data processing points
Security Needs of Sensor Networks
• Nodes need to be able to authenticate themselves to network
• Receiver of data from network needs to be able to ensure that that data is correct and consistent– Receiver could be another node in the network our
some entity outside of network– Data may be aggregate of data gathered by individual
nodes• Network needs to be able to protect itself from denial of
service attacks• Network may also need to protect secrecy of data,
although not in all applications– Will often be enough to guarantee that no single node
contains information about the entire network
How Can We Adapt Formal Crypto Protocol Analysis to
Sensor Networks • Have generally accepted threat model, Dolev-Yao, that
serves as the basis for most formal analysis systems for crypto protocols
• Well-defined formal methods built using that model– Recently, model has been extended to include
cryptographic notions of security• Purpose of this talk:
– Explore where DY does and does not apply to sensor networks
– Explore feasibility of developing general threat model for security of sensor networks
L3
Locators
L1
L2Adversary destination
Adversary origin
Wormhole link
Some Attacks on Sensor Networks
• Collusion: Illegal collaboration among subset of nodes• Sybil: Single entity impersonates multiple network
nodes– Effective against systems that rely on majority vote
• Sinkhole: Single node redirects all data through it– Good for implementing denial of service attack
• Wormhole: Adversary has faster link for communication between origin and destination point– Can be used to confuse network about physical
location of origin
Dolev-Yao Model
• Assume intruder who can– Read, intercept, alter, or create traffic at any point– Perform any cryptographic operation available to
legitimate member of system• Assume principals divided up into honest and dishonest
– Honest principals follow rules of protocol– Dishonest principals in league with intruder and
share all keys and other information with it• Any message sent by dishonest principal
– Honest principals stay honest, dishonest principals say dishonest
• Some variants of model do allow for compromise of keys
Dolev-Yao Model (cont.)
• Fixed set of operations allowed to principals– Concatenation, deconcatenation– Cryptographic functions (private key, public key,
keyed hash, etc.)– Generation of random nonces– Some versions also include timestamps
• Two general classes of security goals– Secrecy– Authentication: if a certain event occurs, then certain
other events must have or must not have occurred in the past
• Possibly in a prescribed order
What’s Behind Attacker Model in DY
• In wired networks, we generally assume strong layering– Crypto protocols will rely on routing to send data
from one point to another, but can’t make any special demands on it
• For that reason, DY model makes the worst case assumption that the network is completely under control of the intruder
Sensor Network Model Not as Pessimistic
• Severe energy constraints means that you need to have greater cross-layer communication– Secure services can and must be designed in closer
cooperation with other network services• Thus, most security protocols for sensor networks interact
closely with the routing mechanism• The upshot: modeling routing explicitly means that we can
assume that nodes controlled by intruder can only read or alter traffic if they are in close physical proximity to sender of traffic
• More detailed, but weaker, intruder model• Note: most, but not all, solutions rely on broadcast routing,
so can make simplifying assumption that attacker can pick up on or interfere with communication only if within certain distance of broadcasting node
Assumptions About Dishonest Principals
• In DY model, dishonest principals in league with attacker and assumed to be in communication with it
• In sensor networks, ability to communicate limited to physical proximity
• Only nodes that are close together are assumed always to be able to communicate
• Again, attacker model is weaker, but more detailed
Assumptions About Dishonest Principals (2)
• In DY, set of honest and dishonest nodes does not change
• In sensor network, nodes usually assumed to start out honest
• Much computation in sensor networks based on consensus– Thus necessary to identify bad nodes and
remove them
• Life trajectory of bad node: starts out good, becomes bad, is identified and removed
Assumptions About Attacker Computational
Strength• In sensor networks, nodes may have very
limited computational and memory capability in order to conserve energy
• Some models assume that attacker nodes have no more capability than honest nodes– Allows us to use non-cryptographic solutions
• Algorithms that are not cryptographically strong, but cannot be broken by resource-constrained node
Operations Available to Honest Principals
• Besides operations available to honest principals, have two others
• Distance bounding – Node can tell distance from other node by sending it a
message and see how long it takes to return– If response authenticated, dishonest node can lie
about being further away than it is, but not closer• Signal strength measurement
– Sender includes strength of transmitted message in message
– Receiver compares received strength to transmitted strength to compute distance
– Not secure, but can be useful when combined with other mechanisms
Security Goals
• DY Goals involve secrecy and authentication for some set of principals– What happens to rest of network is immaterial
• Sensor network goals usually apply to the entire network– Network should be connected (securely)– Majority of nodes in the network should be able to
compute their location• Goals often probabilistic
– May be too difficult to get perfect of near-perfect assurance of success
Protocol 1: Eschenauer-Gligor Key Distribution
Scheme• Public key cryptography often too expensive to implement in a
sensor network• Shared key crypto requires too many keys• Insight: don’t need every node to be able to communicate directly
with every other node– What you need is a connected graph
• Assign each node a random subset of given pool of keys• Nodes then go through a key discovery phase to determine which
near neighbors they share keys with• Resulting graph:
– Nodes are sensors– Edges are (s,t) where s and t are near one-hop neighbors sharing
key• Probabilistic analysis to determine whether graph is connected
– Given two nodes, what is the probability there is a path between them?
• When newcomer claims position, three nodes forming triangle around that position perform distance bounding protocol
• Newcomer can’t claim to be farther away from one node than it is without also claiming to be closer to another node
• It’s impossible to pretend to be closer than you are!
Protocol 2: Capkun & Hubaux Secure Positioning
Scheme
Features of a Secure Distance Bounding
Protocol• Timed response must be quick to compute
– Computationally intensive response will mess up timing– Authentication is computationally expensive
• But, if protocol not authenticated properly, honest node’s connection could be hijacked by another node
• Need a way of including both crypto and fast responses in the same protocol
• Problem first addressed by Brands and Chaum, 1998– Seeking to defeat “grandmaster attack” on zero
knowledge protocols– Attacker passes off honest node protocol responses as
its own– Dual of problem we are considering here
Capkun and Hubaux Protocol
u : Generate random nonce Nu
: Generate commitment (c, d) = commit(Nu) u -> v : c
v : Generate random nonce Nv
v -> u : Nv
u -> v : Nu XOR Nv
v : Measure time tvu between sending Nv and receiving Nu XOR Nv
u -> v : Nu,Nv,d,MACKuv (u, Nu,Nv,d)
v: Verify MAC and verify if Nu = open(c, d)Security property: If protocol finishes successfully, u should have
sent Nu XOR Nv to v after receiving Nv
Protocol 3: SerLoc (Lazos and Poovendran, 2004)
• Secure location protocol designed to defeat wormhole attack
• Depends on architecture consisting of powerful beacons who have access to location information (e.g. via GPS), and less powerful sensors who locate themselves wrt beacons
• Attacker may try to replay beacon information from one part of network in other parts, confusing sensors
SerLoc Idea
L1
L4
L2
(0, 0)
s
L3
• Each locator Li
transmits information that defines the sector
Si, covered by each
transmission
• Sensor s defines the region of intersection (ROI), from all locators it hears – Majority Vote
IsLH
iiSROI
1=
=Locator Sensor ROI
Locators heard at the sensor
LHs
S2
S3
S4
S1
s
Dealing with Wormholes (1)Accept only single message per locator
Multiple messages from the same locator are heard due to: –Multi-path effects–Imperfect sectorization–Replay attack
sensor Locator
Ac
Wormhole link
Attacker
obstacle
R
R
R: locator-to-sensor communication range.
Multi-path or Imperfect Sectors are not attacks! False Alarms!
Exploit the range bounds to detect anomalies
Ai
RLL ji 2≤−
Aj
Dealing with Wormholes (2)
Wormhole link
2R
Li Lj
•This allows you to identify anomalies, but not to choose correct location
•If you hear from two locators greater than 2R apart, can use distance bounding to detect which is closer
R
R
• Locators heard by a sensor cannot be more than 2R apart, where R = locator-to-sensor communication range
Protocol not Secure Against Jamming
• If attacker can block transmission from close-by locators, sensor can no longer identify anomalies
• Lazos, Poovendran, and Capkun have developed protocol robust against jamming combining ideas of SerLoc and Capkun-Hubaux
• Use metric Maximum Spoofing Impact (MSI): maximum distance between actual location and spoofed location
• Protocol reduces MSI
Ai Aj
Wormhole link
2R
Li Lj
R
R
Where do we go from here?
• Look what’s been done for similar problems• Nature of problem
– Network-wide properties to be guaranteed– Guarantee only statistical – Attacker with limited powers
• Two examples– Denial of service
• Meadows’ denial of service model• Application of probabilistic model checkers to anti-DoS
– Agha et al. Use PMAude and VESTA to model Gunter et al.’s packet dropping protocol
– Anonymizing networks• Stubblebine and Syverson’s group intruder logic models intruder
with limited abilities• Application of probabilistic model checkers to anonymizing networks
– Shmatikov application of PRISM to Crowds
Conclusions
• Number of new problems to consider when analyzing security of sensor network protocols– Consensus-related goals– Probabilistic definitions of correctness– Need to take geometry, timing, and other
physical factors into account
• What are the best ways of dealing with these?
References
L. Eschenauer and V. Gligor, “A Key-Management Scheme for Distributed Sensor Networks” Proc. of the 9th ACM Conference on Computer and Communication Security, Washington D.C., November 2002
S. Capkun and J. Hubaux, “Secure Positioning of Wireless Devices and Applications to Sensor Networks,” Proc. of INFOCOM, Miami FL, March 2005
L. Lazos and R. Poovendran, “SeRloc: Secure Range-Independent Localization for Wireless Sensor Networks,” Proc. Of WISE, Philadelpia, PA, October 2004
L. Lazos, R. Poovendran, and S. Capkun, “ROPE: Robust Position Estimation in Wireless Sensor Networks,” Proc. of ISPN 2005