Wireless Security - University of Illinois - Engineering Wiki


Oct 26, 2013 (3 years and 8 months ago)


463.8 Wireless Security

Computer Security II

CS463/ECE424

University of Illinois



Wireless Communication Technologies

Cellular Networks
Wireless Local Area Networks (WLAN): Wifi
Wireless Personal Area Networks (WPAN): Bluetooth, Zigbee
Wireless Metropolitan Area Networks (WMAN): WiMax
Wireless Regional Area Networks (WRAN): IEEE 802.22
Wireless Sensor Networks
Mobile Ad-hoc Networks
Cognitive Radio Networks

[Heile06]

IEEE Standards

[Figure: Range versus Data Rate (Mbps, axis from 0.01 to 1000) for IEEE wireless standards. Region labels: WPAN, WLAN, WMAN, WRAN. Standards shown: ZigBee 802.15.4, 15.4c, 802.15.3, 802.15.3c, Bluetooth 802.15.1, WiFi 802.11, WiMax IEEE 802.16, IEEE 802.20, IEEE 802.22] [Heile06]


Some Features of Wireless Networks / Security Implications

Medium is air
  Everyone in vicinity can potentially hear or inject data
  Interference can be a major concern
  Communication is inherently less reliable than wired networks
Devices may be power, memory, processing, and bandwidth constrained
  Standard security/cryptography practices may not be viable
Devices may be mobile
  Potentially more difficult to track down an attacker
Devices may be deployed in remote/unattended areas
  Potentially easier to breach/compromise


Topics

Sensor Networks - Bootstrapping
Jamming (in Sensor Networks)
Cognitive Radio Networks

463.8.1 Sensor Networks


Wireless Sensor Network

A Wireless Sensor Network (WSN) is composed of a large number of small, low cost, low power sensor nodes
  E.g. Mica 2: 8-bit CPU (4MHz), 128KB flash, 4KB RAM, OS: TinyOS
  Sense temperature, pressure, sound, light, vibration, etc.
  Communicate on short distances
  Perform limited data processing
Sensor measurements sent to one or more sinks (base stations)
Applications:
  Detecting fire, chemical leakage
  Measuring seismic activity, pollution monitoring
  Monitoring structure integrity (e.g. a bridge)
  Battlefield surveillance, biological attack detection

[Figure: Mica2 mote (berkeley.edu)] [Ngai04]


Security - Bootstrapping Problem

Security goals: confidentiality, integrity, availability
Important first step: Bootstrap the establishment of a secure communications infrastructure from sensors pre-initialized with some secret info, but no prior contact with each other
Allow nodes deployed at a later time to join securely

[Figure labels: Deploy Sensors; Secure Channels] [Ngai04]


Challenges

Limited computation power: inability to use public key cryptography
Capture attacks: inability for any node to put absolute trust in its neighbors
Sensor network may be deployed via random scattering: inability to determine which nodes will be neighbors after deployment
Limited memory resources: the amount of key-storage memory is constrained
Limited bandwidth and transmission power - low reliability: transmission of large blocks of data is expensive


Requirements / Evaluation Metrics

Requirements
  Secure node-to-node communication
  Should be functional without involving the base station
  Nodes that join form secure communications with existing ones
  Disallow unauthorized sensors to establish communications with network
  Scheme should work without prior knowledge about deployment positions
  Low computational and storage requirements
Evaluation Metrics
  Resilience against node capture
  Resistance against node replication
  Revocation
  Scale


Scheme 1: Basic Random Key Pre-distribution

[EschenauerG02]

Initialization:
  A pool of keys S, n nodes, each node randomly gets m keys (key ring)
  Each pair of nodes shares at least one key with probability p
Key-setup: nodes find out neighbors with whom they share keys
A connected graph of secure links is formed

[Figure: nodes A, B, C, D, E and the key pool S; each node randomly gets m keys]

When |S| = 10,000, m = 75: Pr(two nodes have a common key) = 0.50

Analysis

Expected degree of a node: d
To be connected with probability at least c:
For example for c=.99 in prev. example, 20 < d < 50
If n’ is the number of sensors in a node’s range:
Questions:
  What if the network becomes disconnected?
  How would a node detect if the network is connected?
Don’t worry about this equation!

Scheme 2: q-composite Keys

[Figure: expected number of nodes adversary needs to capture before it can eavesdrop on any link with probability 0.1, while keeping key ring size m = 200, probability of connection p = 0.5] [ChanPS03]

q common keys instead of one
If two nodes share q’ > q keys: K = hash(K_1 || K_2 || … || K_q)
Goal: choose a key pool size |S| such that the probability of any two nodes sharing at least q keys is ≥ p
Easy - Assignment: Study the formula from the paper



Evaluation

Node replication: No resistance
Revocation:
  A controller (large communication range, maybe mobile) broadcasts a single revocation message, signed by a key K_s
  Controller encrypts K_s with a key it shares with each sensor and unicasts this to each node
Capture
  Works better if small-scale
  Does not scale (see notes)

[Figure: probability that the link between two random nodes A, B can be decrypted by the adversary who has compromised x nodes. m = 200, p = .33]


Maximum Supportable Network Size

[ChanPS03]

Limited global payoff requirement: “Suppose adversary has captured some nodes, and is only able to break a fraction f < f_m of all communications. As long as f < f_m, we would like that, on average, after capturing some node the adversary not learn more about the rest of the network than they learn about the communications of the node itself”
f_m: the level of compromise past where the adversary gains “too much control”
With a fixed p, f_m, and m, this translates to a maximum supportable network size (msns) for each scheme
For example, for p=.33, f_m=.1, and m=200,
  msns for 2-composite key scheme = 1415
  msns for basic scheme = 1159


Scheme 3: 2-Hop Multi-path Key Reinforcement

[AndersonP01]

Assume the basic random key pre-distribution is in use

[Figure: two key rings, K1 K4 K6 and K2 K4 K8, with K4 in common]

Key = K4 (between A and B)
  Problem: If attacker compromises a node who has K4, A-B channel compromised
Key = E_K4(Rand) (between A and B)
  Problem: If attacker eavesdropped on the network from the beginning, it will know E_K4(Rand) after obtaining K4

[Figure: A and B with two paths between them, labelled r1 and r2]
  Attacker needs to have compromised the keys for both paths to gain access to the key.
  Eavesdropping probabilities can be improved by two orders of magnitude
  Msns significantly improved
  Cost: up to one order of magnitude more network communication

Resistance against Node Capture and Maximum Supported Network Size

[ChanPS03]

Outperforms other schemes


Scheme 4: Random-pairwise key scheme

In previous schemes, no node can authenticate the identity of a neighbor
Why needed?
  Being sure of identity when detecting node misbehavior
  Defense against node replication
Pairwise security: if n sensors, each shares a key with n-1 other sensors
  too expensive
Calculate the smallest p that assures network stays connected
Put the keys shared with m other nodes in a sensor’s ring
If key ring is m, a network of size n=m/p can be supported
Maximum network size results close to the basic scheme
Perfect resilience against node capture and replication


Quick Comparison

q-composite:
  Improves security under small scale attacks
  Cost: Greater vulnerability against large scale attacks
Multipath reinforcement:
  Significantly improves security
  Cost: network communication overhead
Random pairwise:
  Best overall security features (authentication, perfect resilience against node capture and replication)
  Cost: small maximum supported network size


Other Key Distribution Schemes (not required for this course)

Polynomial-based keys
  D. Liu, P. Ning, Establishing Pairwise Keys in Distributed Sensor Networks, CCS 03.
A limited form of public-key for sensor devices
  G. Gaubatz, J.P. Kaps, E. Ozturk, B. Sunar, State of the Art in Ultra-Low Power Public Key Cryptography for Wireless Sensor Networks, Proceedings of the Third IEEE International Conference on Pervasive Computing and Communications Workshops, 2005
Using the location of deployment of sensors for key management
  W. Du, J. Deng, Y. Han, S. Chen, P. Varshney. A Key Management Scheme for Wireless Sensor Networks Using Deployment Knowledge. Infocom 04.
  D. Huang, M. Mehta, D. Medhi, L. Harn. Location-aware Key Management for Wireless Sensor Networks, SASN 04

463.8.2 Jamming

Wireless Jamming-style Denial of Service Attacks

Jamming: behavior that prevents other nodes from using the channel to communicate by occupying the channel that they are communicating on
Jammer: entity that is purposefully trying to interfere with the physical transmission and reception of wireless communication
Simplest / most common way to jam: constantly emit a radio signal

[Figure label: Jammer]


Types of Jammers / Detection

[XuTZW05]

Constant jammer: Continuously emits a radio signal
Deceptive jammer:
  Constantly injects regular packets to the channel without any gap between consecutive packet transmissions
  A normal communicator will be deceived into the receive state
Random jammer: Alternates between sleeping and jamming
Reactive jammer:
  Stays quiet when the channel is idle, starts transmitting a radio signal as soon as it senses activity on the channel.
  Targets the reception of a message
Detection: Xu et al. propose methods for detecting jamming in wireless ad-hoc and sensor networks based on measuring signal strength, carrier sensing time, and packet delivery ratio


Defending Wireless Sensor Networks from Jamming/Interference

Traditional approach to coping with radio jamming is to employ sophisticated physical-layer technologies (e.g. spread spectrum)
Such methods imply more expensive transceivers
Most commodity sensor networks do not employ sufficiently strong spreading to survive jamming
Instead, systems like Mica2 Sensors are based on carrier-sensing and are susceptible to radio interference


Communication Model

[XuTZ07]

A number of adjacent channels available for communication
Sensors able to change the channel in which they operate by changing their frequency
Many to few communication model (sensor to sink)
A tree based routing; a node has a routing parent; data forwarded from children towards parents towards the sink(s)
Neighbor: a node’s parent or child


Interference (Jamming) Model

[XuTZ07] [WoodS02]

A non-intentional (mis-configured) or fairly static constant jammer
  Blocks one (or a few) channels at a time
  If it hops to different channels, stays on each for a minimum amount of time
Do not consider a powerful attacker that can jam all channels at all times
Do not consider a jammer that rapidly changes channels to disrupt communication across all channels
Most likely scenario: one or more compromised or mis-configured sensors that each constantly transmit on a channel and may once in a while change their channels



Channel Surfing Overview

[XuTZ07]

Simple idea: switch to a new channel to avoid interference
Boundary nodes: neighbors of jammed nodes outside the jammed area
If A has a poor connection with parent B, it will first attempt to find another suitable parent B’
Only if there is no suitable B’, it will attempt to probe a new channel for B
If A loses child C: if C connected to a new parent C’, A should have heard the routing announcement
If no routing announcement, then it will probe a new channel for C

[Figure label: Jammer]


Channel Surfing Overview (Cont’d)

Desirable to choose the next channel so that adversary cannot predict what channel the network will go to
Network uses a key K specific to channel assignment shared by all sensors
If the n-th channel assignment is C(n), then C(n+1) = E_k(C(n))
  E is a keyed pseudo-random generator
  If C(n+1) = C(n), it proceeds to C(n+2) and so on…
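
One way to realise the keyed channel sequence above, as an added example that is not code from the slides or from [XuTZ07]. HMAC-SHA256 stands in for the keyed generator E, the channel count of 16 and all names are assumptions, and the generator carries a 32-byte state rather than the bare channel number, because a function of the channel alone would return the same value forever once C(n+1) = C(n).

```python
import hashlib
import hmac

NUM_CHANNELS = 16  # assumed number of usable channels, not a figure from the slides

def step(key, state):
    """One application of the keyed generator E_K (HMAC-SHA256 stands in for E)."""
    return hmac.new(key, state, hashlib.sha256).digest()

def channel_of(state, num_channels):
    """Map generator state to a channel index (slight modulo bias is acceptable here)."""
    return int.from_bytes(state[:4], "big") % num_channels

def next_assignment(key, state, num_channels=NUM_CHANNELS):
    """Advance from C(n) to the next assignment that is a different channel.

    Returns (new_state, new_channel). If the generator yields the current
    channel again, keep stepping, which is the C(n+1) = C(n) rule above.
    """
    if num_channels < 2:
        raise ValueError("need at least two channels to leave a jammed one")
    current = channel_of(state, num_channels)
    while True:
        state = step(key, state)
        candidate = channel_of(state, num_channels)
        if candidate != current:
            return state, candidate

def schedule(key, initial_state, hops, num_channels=NUM_CHANNELS):
    """Channel sequence a node derives locally; every holder of K gets the same list."""
    state, channels = initial_state, []
    for _ in range(hops):
        state, channel = next_assignment(key, state, num_channels)
        channels.append(channel)
    return channels

if __name__ == "__main__":
    shared_key = b"constructed-channel-key"  # constructed demo key, shared by all sensors
    start = bytes(32)                        # constructed initial state, maps to channel 0
    print(schedule(shared_key, start, 8))
```

Every node holding K derives the same hop sequence without exchanging messages, while an observer without K sees only the channels already used.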


Strategy 1: Coordinated Channel Switching

Entire network coordinates its evasion of interference by switching to a new channel
Boundary nodes notice lost neighbors, discover them on the new channel, come back to the old channel and broadcast a “channel switch command” to the entire network
Simple
Nodes may miss channel switch broadcasts
Broadcast messages should be authenticated
Global: significant cost


Strategy 2: Synchronous Spectral Multiplexing

Entire network is governed by one global clock
Consider two channels
Time divided to some time-slots
Each slot assigned to a single channel
Boundary nodes multiplex between two channels
Requires synchronization - overhead
Initiation: Each boundary node sends a list of channels it has to operate on to root; root creates and broadcasts a global schedule
A lot of idle slots for many sensors


Strategy 3: Asynchronous Spectral Multiplexing

A node is only aware of its neighbor’s channel information
Sensors cannot be programmed to send data anytime they desire
Node A locally decides when it will be on each channel
Node A notifies B and C when it goes to channel 1, and notifies D when it goes to channel 2
No overhead for global synchronization
Advantage more pronounced when the jammed region is small

Test Bed for Experiments (1)

[Figure: test bed; label: Sink]

Test Bed for Experiments (2)

[Figure: panels Before Attack and After Attack; labels: Jammed, Disconnected]

Summary

Two problems in wireless sensor networks
1. Bootstrapping (key distribution)
  Basic random pre-distribution
  q-composite random key pre-distribution
  Multi-path reinforcement
  Random pair-wise
2. Avoiding constant jammers
  Coordinated channel switching
  Synchronous spectral multiplexing
  Asynchronous spectral multiplexing


Discussion Questions (1/2)

Which channel surfing strategy would you recommend for each of the following scenarios:
  Jamming in a small region for a short duration
  Jamming in a large area for a long duration
  Jamming in a small region
  Irregular bursty traffic from children towards the sink
  Regular traffic from children towards the sink


Discussion Questions (2/2)

Consider the following applications
  Monitoring vibrations in a small bridge
  Detecting fire in a 100-acre state park
  Battlefield surveillance on a 1 sq mile crossroad
Discuss the trade-offs involved in using each of the discussed key-distributions. Hint: Include the application criticality and threat model in your discussion.


References

[Heile06] B. Heile, Wireless Sensor and Control Networks (PPT)
[Ngai04] Edith Ngai, Security in Wireless Sensor Networks (PPT)
[ChanPS03] H. Chan, A. Perrig, and D. Song. Random key predistribution schemes for sensor networks. IEEE Symposium on Security and Privacy, 2003.
[EschenauerG02] L. Eschenauer and V. D. Gligor. A key-management scheme for distributed sensor networks. ACM conference on Computer and communications security, 2002.
[AndersonP01] Ross Anderson and Adrian Perrig. Key infection: Smart trust for smart dust, November 2001.
[XuTZW05] W. Xu, W. Trappe, Y. Zhang, and T. Wood. The feasibility of launching and detecting jamming attacks in wireless networks. ACM international symposium on Mobile ad hoc networking and computing, 2005.
[XuTZ07] W. Xu, W. Trappe, and Y. Zhang. Channel surfing: defending wireless sensor networks from interference. ACM international conference on Information processing in sensor networks, pages 499-508, New York, NY, USA, 2007.