Principles of Ad Hoc Networking Michel Barbeau and Evangelos - PowerPoint PPT Presentation

Principles of Ad Hoc Networking Michel Barbeau and Evangelos Kranakis November 12, 2007

Wireless security challenges Network type Challenge Wireless Open medium Mobility Handover implies change of security parameters Ad hoc Infrastructure based security not applicable Sensor In-network processing 2

Signature 1. Unforgeability: proof that the signer signed the document 2. Authenticity: convincing of the document’s authenticity 3. Unreusability: signature cannot be “moved” elsewhere 4. Unalterability: document cannot be changed after signing 5. Unrepudiatability: signer cannot later claim: did not sign the document 3

Digital signature • Set of messages: P ; Set of signatures: A ; Set of keys: K • Signing algorithm: Sig k : P → A , with k ∈ K • Verification algorithm: V er k : P × A → { true, false } � if y = Sig k ( x ) true • V er k ( x, y ) = if y � = Sig k ( x ) . false 4

RSA signature • An integer n = pq , the product of two distinct primes p and q • Two integers e, d such that ed ≡ 1 mod φ ( n ), φ ( n ) is the Euler totient function • n, e are public; p, q, d are private • Signature: Sig ( M ) ≡ M d mod n • Verification: V er ( M, N ) = true ⇔ M ≡ N e mod n 5

ElGamal signature • 6

Constructing one-way hash chains USE/REVEAL H H H H H H H v v v v v v v n−1 n−2 n−3 n−4 2 1 0 later earlier values values GENERATE CHAIN 7

Authentication in one-way hash chains H H H H H H v j v i i−j H (v ) = v j i 8

Forming a Merkle tree v v v v v v v v 0 1 2 3 4 5 6 7 9

Blinding in Merkle authentication trees u u u u u u u u 0 1 2 3 4 5 6 7 H H H H H H H H v v v v v v v v 0 1 2 3 4 5 6 7 10

Recursive hashing in Merkle authentication trees u 07 u u 03 47 u u u u 67 01 23 45 u u u u u u u u 0 1 2 3 4 5 6 7 v v v v v v v v 0 1 2 3 4 5 6 7 11

Example of Merkle authentication trees ✠✁✠ ✡✁✡ u path ✡✁✡ ✠✁✠ 07 ✡✁✡ ✠✁✠ ✞✁✞ ✟✁✟ u path u ✞✁✞ ✟✁✟ 03 47 ✞✁✞ ✟✁✟ sibling ✆✁✆ ✝✁✝ u u path u u 67 ✝✁✝ ✆✁✆ 01 23 45 ✆✁✆ ✝✁✝ sibling ✄✁✄ ☎✁☎ u u u u path u u u u ☎✁☎ ✄✁✄ 0 1 2 3 4 5 6 7 ✄✁✄ ☎✁☎ sibling �✁� ✂✁✂ path �✁� ✂✁✂ �✁� ✂✁✂ v v v v v v v v 0 1 2 3 4 5 6 7 12

The RC4 encryption Message L O G I N Text Message 1001100 1001111 1000111 1001001 1001110 in ACSII Key 1000100 1000001 1010110 1001001 1000100 XOR Stream 0001000 0001110 0010001 0000000 0001010 Ciphertext 13

Cracking RC4 messages Ciphertext 0001000 0001110 0010001 0000000 0001010 1 Ciphertext 0001110 0010100 0011010 0000000 0000101 XOR 2 XOR of un encrypted 0000110 0011010 0001011 0000000 messages 0001111 1st Message ( LOGIN ) 1001100 1001111 1000111 1001001 1001110 XOR in ACSII 2nd Message 1001010 1010101 1001100 1001001 1000001 in ACSII 2nd Message J U L I A Text 14

ZigBee frame with auxiliary header Application Physical MAC Network Auxiliary Encrypted Message ( c) Header Header Header Header Header Payload Integrity Code Physical MAC Network Auxiliary Message (b) Encrypted Payload Header Header Header Header Integrity Code Physical MAC Auxiliary Message (a) Encrypted Payload Header Header Header Integrity Code 15

ZigBee network entry Trust Router Joiner Center (1) Beacon Request (2) Beacon (3) Association Request (4) Update-Device (5) Association Response (6) Transport-Key (7) Transport-Key Joiner-Trust Center Link Key Setup Using SKKE (8) Transport-Key(Network Key) (9) Transport-Key(Network Key) 16

Key establishment using the fuzzy commitment protocol Responder Initiator Generate common symmetric key k Derive feature Derive feature value v value v' Compute e = v xor k [hash( k ), e] Compute k' = v' xor e hash( k)= hash( k' )? 17

ECG with IPI markers IPI 18

Initiator calculation in the fuzzy commitment protocol 6 c =(4,5) 5 4 3 2 v=(8.26,1.37) 1 1 2 3 4 5 6 7 8 19

Responder calculation in the fuzzy commitment protocol 6 f (v' - d) = (4,5) 5 v'-d=(3.50,4.59) 4 3 2 v'=(7.76,0.96) 1 1 2 3 4 5 6 7 8 20

Fuzzy encryption protocol Sender Receiver Get message m Generate symmetric key k [ E [ m ], C(k , v)] Derive value v Derive value v' k Using v', decommit k D [ E [ m ]] k k 21

Authentication using the fuzzy commitment protocol Sender Receiver Get message m Generate symmetric key k Derive value v Derive value v' [ E [ m ], MAC [ m ], C(k , v)] k k Using v', decommit k m' = D [E [m]] k k MAC [ m' ] = MAC [ m ]? k k 22

Example of SEAD implementation (only indices are depicted) 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 23

Example of hash tree chain. One-way chain generation 24

Merkle tree 25

Example of using the hash tree chain H( ) v i || 0 b 0 H H H( ) b 0 ||b 1 = b 01 H H( ) vi || 1 b H H 1 H H v i H( ) b 01 ||b 23 v i−1 H( ) vi || 2 b 2 H H H H H( ) v || 3 H i b H 3 H H( ) b 2 b 3 || = b 23 Hash−Tree 26

The bin-and-balls signature scheme s 1 s 2 s 3 s 4 s t G h 27

A single verifier v (inside region R ) and a prover p (not depicted) v R 28

A single verifier at the center of a circular region R where there is an upper bound of ∆ p on the processing delay v ∆ RoA(v, ) p s ∆ p R = RoA(v,0) 29

Wormhole attack A X Y B 30

Impact on routing protocols: one hop tunneling A X C Y B 31

Partitioning the range of the sensors into six zones numbered 1 , 2 , . . . , 6 clockwise 5 6 4 3 1 2 32

Bidirectional communication link A B 33

Wormhole vulnerability in the first protocol 5 6 5 6 A B Y X 1 4 1 4 C 3 2 3 2 Region I Region II 34

Cooperating with neighbors to prevent protocol vulnerabilities D 6 5 5 6 A B Y 1 4 X 1 4 C 3 2 3 2 Region I Region II 35

Verifier region A B 36

Worawannotai attack V A B X 37

Preventing the Worawannotai attack V a A B X b 38

Verifier region V a b A B X c d 39

Sequence number attacks malicious destination 4 hops a b c e d 3 hops source g s v f 40

Impact of location of base stations on disrupting traffic in a sensor network delimited by a square region 41

Omnidirectional and directional antennas A A B B Omnidirectional Directional 42