Secure multi-hop network programming with multiple one ... - CiteSeerX

20 downloads 0 Views 110KB Size Report
[9] Yih-Chun Hu, Adrian Perrig, and David B. Johnson. Rushing attacks and defense in wireless ad hoc network routing protocols. In WiSe '03: Proceedings.
Secure multi-hop network programming with multiple one-way key chains Hailun Tan School of Computer Science The University of New South Wales Sydney, Australia

[email protected] ABSTRACT The current network programming protocols provide an efficient way to update program image running on sensor nodes without physical access to them. However, given the open environment where sensor nodes are deployed, securing network programming is a challenging and important issue. Existing work addressing this issue either lacks the consideration on securing multi-hop version of network programming protocols, or are not cost-efficient.In this paper, we propose a novel scheme to secure multi-hop version of network programming protocols: multiple one-way hash chains. This scheme is resilient to malicious program image injection regardless of number of compromised nodes and it secures multi-hop propagation of program images for sensor nodes. The simulation result shows that our scheme has lower endto-end latency than the existing work.

1.

INTRODUCTION

Network programming is a convenient way to update the program image running on sensor nodes without any physical access to them, particularly after sensor nodes are deployed. The existing network program protocols [1] [2] propagate the new program images to nodes through wireless medium and employ different strategies to minimize the endto-end delay. However, these protocols do not consider the security mechanisms. In addition, sensor nodes are usually deployed in an open, unattended area, which implies that they are much more susceptible to node capture than their counterparts in traditional computer networks. As a result, an adversary could simply compromise a single sensor node and inject the malicious program image through WSN. Motivated by the importance and challenges in securing network programming protocols, our work is to design a new security scheme for network programming in wireless sensor network so that authenticity and integrity of a program image can be guaranteed. Although our scheme employs oneway key chain in a similar way as [3], our scheme supports

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Sensys ’07 , Sydney, Australia Copyright 200X ACM X-XXXXX-XX-X/XX/XX ...$5.00.

multi-hop network programming protocol while the scheme in [3] provides confidentiality in one-hop program image update. Authenticity of program image is referred to as trustworthiness of program image source. In our context, the base station is the only authenticated source to distribute program updates while sensor nodes should relay the program updates to its downstream peers instead of originating new program updates. Integrity of program image is referred to as intactness of content in authenticated program update. i.e. none of the sensor nodes can forward the altered updates without being detected.

2.

ASSUMPTIONS Our scheme is based on the following assumptions: • The base station cannot be compromised and it has unlimited computational power compared with sensor nodes. In Deluge, the base station is the origin of the legitimate program updates. If it were not trusted, nothing else in the WSN could be trusted. • We assume wireless sensor nodes to be physically static in the network and to be evenly distributed. • Our scheme makes no assumption on number of compromised nodes in the WSN. However, we find that if a node has k disjoint paths to the base station then it is protected against k − 1 compromised nodes in our scheme. In other words, given any healthy node (A) which has k one-hop neighbors, the adversary can compromise at most k − 1 neighbors if A is not compromised. • The compromised sensor nodes can eavesdrop on, copy, alter, inject or delay packets. • In our scheme, we do not consider Denial Of Service (DOS) attacks such as jamming attack (i.e., an adversary keeps sending garbage packets to cause collisions in MAC layer) or power depletion attack (i.e., an adversary keeps sending packets which definitely fail authentication but the remaining energy of its neighbors can be depleted due to excessive authentication operations). • We do not consider out-of-order packet delivery since it is guaranteed by Deluge.

3.

DESIGN OF OUR SCHEME

node needs to receive the authenticated update on key. i.e., it needs to decrypt the key update and verify the decrypted result. Then it needs to preprocess the packet with malicious content. i.e. it needs to forge packet authentication (Ti ) for ith packet. After that, it can inject malicious packet to circumvent the verification. However, the time for compromised node to finish all these operations is much longer than the time for the neighbors of compromised node to receive the authenticated packets from other peers. So even though the node is compromised in our scheme, it is hard to inject malicious packet due to the strict timing requirement.

In our scheme, sensor nodes are divided into different groups according to their hop distance to the base station. Each group has a distinct group key shared among members. Each key is one of the elements in a distinct one-way hash chain [4]. The one-way hash chain is constructed by repeatedly applying the one-way hash function (H), which is a public function easy to compute but computationally infeasible to revert, on a random seed number (Kn ) for n times. The last hashed output is called committed value of hash chain (K0 ). So we have K0 = H n (Kn ). Assume the program image is divided into k(k ≤ n) packets for transmission. Take the first packet (P0 ) for nodes in 1st hop group 1 as example, P0 will be concatenated with two segments: key update (U0 ) and packet authentication (T0 ). These two segments are built as follows:

• Low computational overhead: Our scheme employs only the symmetric cryptographic primitive to authenticate broadcast program updates. As a result, the computational overhead is much lower than existing work in secure network programming [5], which employs digital signature.

• key update: It is the encrypted result of K1 with K0 as the key. i.e. U0 = E(K1 )K0 , where E(A)B denotes A is encrypted with B as the key. • packet authentication: It is the hashed result of P0 concatenated with K1 . i.e. T0 = H(P0 ||K1 ), where ”||” denotes concatenation. After the above preprocessing of packet and the respective concatenation (i.e. P00 = P0 ||U0 ||T0 ), P00 is transmitted to nodes in 1st hop group. After retrieving the correct group information from P00 (i.e. parsing the right U0 and T0 ), the sensor nodes will need to perform the verifications on key update (U0 ) and packet authentication (T0 ) as follows: • key update: The sensor node decrypts U0 with K0 . i.e. D(U0 )K0 , where D(A)B denotes A is decrypted with B as the key. The sensor node will need to check if H(D(U0 )K0 ) is the same as K0 . if it is, the authenticity of U0 is ensured and K0 is replaced by K1 for the next packet verification. Otherwise, this packet is discarded. • packet authentication: This verification is processed only after the verification of key update passes. After the sensor node gets the authenticated K1 , it performs H(P0 ||K1 ) to see if it matches T0 . If it does, the integrity of packet is ensured. Otherwise, this packet is discarded. The above packet preprocessing and verification can be further expanded to nodes in the other groups with distinct key chains shared with the base station. Each time when Pi (0 ≤ i ≤ n − 1) passes both verifications in the nodes belonging to j th group, the key will be updated from Ki to Ki+1 . The respective Ui and Ti for j th group will be removed from packet.

4.

SCHEME PROPERTY Our scheme has the following nice properties: • Resistance against node compromise: Our scheme is resilient to node compromise because the compromised node has a difficult timing requirement to circumvent the verification process in our scheme. In order to inject malicious packets successfully, a compromised

1

assume nodes in 1st hop group hold K0 .

• Immediate authentication: Time synchronization between base station and sensor nodes is not required in our scheme, while TELSA [6], which applied the oneway hash chains for broadcast authentication in WSN, needs the loose time synchronization. So immediate authentication can be ensured.

5.

PERFORMANCE EVALUATION

We implement our scheme in TinyOS and evaluate it through the build-in simulator in TinyOS, TOSSIM [7]. In section 5.2, we compare our scheme with the original Deluge [1] and Sluice [5] in terms of end-to-end latency.

5.1

simulation setting

In Deluge, a program image is flooded in the network. Hence, as long as sensor nodes are connected in the network, the performance is affected by the density of nodes and independent to the topology of WSN. The rest of the simulation settings are listed in Table 1. Table 1: Simulation Setting parameters in simulation values in simulation number of nodes(N ) 2 − 30 number of pages for one program update 24 − 30 number of packets per page 48 number of hops program image propagates 1−6 number of nodes per group 5 transmission range 100 m

5.2

end-to-end latency

In Deluge, the program update is divided into fixed-size blocks called pages [1]. Each page is further divided into fixed-size packets, which are the basic transmission units. In Sluice, authors proposed to hash the last page, then attach the hashed value to the second last page. This process is applied recursively until the first page is reached. After that, the first page is signed with the private key of base station [5]. Each sensor node will have to verify the first page with

Deluge Deluge with multiple key chains Sluice

180 160 140 120 100 80 60 40 20 2

5

10 15 20 number of pages in program image

25

30

average energy taken to propogate updates to all nodes(s)

Time taken(in second) to transfer imge between 2 nodes

200

200 Deluge Deluge with multiple key chains

150

100

50

0 2

(a) one-hop program update

5

10 15 20 25 number of nodes in wireless sensor network

30

(b) multi-hop program update

Figure 1: end-to-end latency evaluation on single hop and multi-hop scenario on our scheme the public key of the base station, then authenticate each page by the hashed value from the previous one. Authors in [5] carried out their experiment for one-hop image propagation. Given data from [5], we could compare our scheme with Deluge [1] and Sluice [5] in Fig. 1(a) for one-hop program update. Our scheme and Sluice both have the linear scalability with respect to update size, as is shown in Fig. 1(a). At the beginning of program updates, our scheme has much lower latency than Sluice because in Sluice, the sensor node has to verify the digital signature for the first page of program image. In our scheme, there is no asymmetric cryptographic needed. As number of transmitted pages increases, the latency of Sluice escalates slower than our scheme since it authenticates program image in granularity of pages not packets. The number of symmetric cryptographic operations is significantly reduced in the price that a single modified packet within a page can lead to the failure of authentication for the whole page. Despite decrease in number of cryptographic operations, it cannot completely cover the significant delay from verification of digital signature in Sluice with respect to our scheme for the first 30-page update. Fig. 1(b) shows the end-to-end latency in our scheme for multi-hop program updates with respect to Deluge [1]. As number of nodes increases, the gap between Deluge and our scheme is enlarged due to the cryptographic operations in our scheme.

One-way key chain is used to ensure the confidentiality of the program image [3]. However, the scheme in [3] is confined to one-hop propagation. As a result, how to provide confidentiality in multi-hop broadcast in the WSNs will be a topic worth investigation in the future.

7.2

key distribution

To any cryptography scheme in the WSNs, how to distribute the keys to the nodes in the WSNs is the the first important step. In Tinysec [8], the keys are assumed to be distributed securely without any further details. Since the key distribution is also required in this scheme to establish the shared key between the base station and sensor nodes, it will be another direction to look into in terms of security in network programming.

7.3

individual node security

We implement our scheme in one of the most popular sensor network platforms, TinyOS and evaluate the performance in TOSSIM [7]. The simulation result shows that our scheme outperforms Sluice [5] in terms of end-to-end latency.

Since the WSNs communication uses an open medium susceptible to eavesdropping or interference. With limited computational and communication capability, security measure on the nodes in more powerful networks are not feasible to the WSNs. Trust Platform Module (TPM) is a micro-controller, having its own memory,can store secured information from an attacker. On the other hand, the much more powerful components(Stargates) are used for data aggregation. With the tamper-proof TPM installed on Stargates, a symmetric key between the sensor nodes and the Stargates can be established to protect the exchanged information from being eavesdropped and interception. Such mechanism can be further expanded to the communication between the Stargates and the base station.

7.

7.4

6.

CONCLUSIONS

FUTURE WORKS

The scheme in this paper secures multi-hop broadcast of a program image by employing multiple one-way key chains shared between base station and the sensor nodes.There are several other aspects or directions I can get into in the future during my PhD studies.

7.1

Confidentiality

guard against time-dependent attacks

In the WSNs, there are some time-dependent attacks such as rushing attack [9], wormhole attack [10]. Most of the existing mechanisms [9], [10] against these attacks either employ the temporal synchronization or spatial synchronization, which are expensive to the sensor nodes. Given the fact that these attacks usually ”accelerate” parts of the network protocol in the WSNs to create the conditions for the mali-

cious attack in the later stage such as blackhole in the network. Some ”client puzzles” can be designed for the attackers to solve before they can mount the these time-dependent attacks. One such example is that a server will distribute several small cryptographic puzzles to its clients to solve before an attacker, disguised as a legitimate client, sends redundant requests to deplete the server’s resource [11]. Since these client puzzle are time-consuming to the attacker to solve. the effect of ”acceleration” can be minimized.

8.

BIOGRAPHY OF AUTHOR

Hailun Tan is a Ph.D. candidate at the School of Computer Science and Engineering at the University of New South Wales. He holds two M.S. degrees from the Australian National University. He used to be a member in CSIRO, ICT Center and Network Pervasive Computing Program (NPC), NICTA. His research interests include security and reliable communication in sensor networks, mesh network. He is a student member of IEEE Communication Society. His primary supervisor is Prof. Sanjay Jha.

9.

REFERENCES

[1] Jonathan W. Hui and David Culler. The dynamic behavior of a data dissemination protocol for network programming at scale. In SenSys ’04, pages 81–94, New York, NY, USA, 2004. ACM Press. [2] Limin Wang. Mnp: multihop network reprogramming service for sensor networks. In SenSys ’04: Proceedings of the 2nd international conference on Embedded networked sensor systems, pages 285–286, New York, NY, USA, 2004. ACM Press. [3] Jaleel Shaheen, Diethelm Ostry, Vijay Sivaraman, and Sanjay Jha. Confidential and secure broadcast in wireless sensor networks. In Personal, Indoor and Mobile Radio Communications, 2007. PIMRC 2007. IEEE 18th International Symposium on, 2007. [4] Leslie Lamport. Password authentication with insecure communication. Commun. ACM, 24(11):770–772, November 1981. [5] P. E. Lanigan, R. Gandhi, and P. Narasimhan. Sluice: Secure dissemination of code updates in sensor networks. In Distributed Computing Systems, 2006. ICDCS 2006. 26th IEEE International Conference on, pages 53–63, 2006. [6] Adrian Perrig, Robert Szewczyk, Victor Wen, David E. Culler, and J. D. Tygar. Spins: security protocols for sensor netowrks. In Mobile Computing and Networking, pages 189–199, 2001. [7] Philip Levis, Nelson Lee, Matt Welsh, and David Culler. Tossim: accurate and scalable simulation of entire tinyos applications. In SenSys ’03, pages 126–137, New York, NY, USA, 2003. ACM Press. [8] Chris Karlof, Naveen Sastry, and David Wagner. Tinysec: a link layer security architecture for wireless sensor networks. In SenSys ’04, pages 162–175, New York, NY, USA, 2004. ACM Press. [9] Yih-Chun Hu, Adrian Perrig, and David B. Johnson. Rushing attacks and defense in wireless ad hoc network routing protocols. In WiSe ’03: Proceedings of the 2003 ACM workshop on Wireless security, pages 30–40, New York, NY, USA, 2003. ACM Press.

[10] Y. C. Hu, A. Perrig, and D. B. Johnson. Packet leashes: a defense against wormhole attacks in wireless networks. volume 3, pages 1976–1986 vol.3, 2003. [11] Donggook Park, Jungjoon Kim, Colin Boyd, and Ed Dawson. Cryptographic salt: A countermeasure against denial-of-service attacks. pages 334+. 2001.