Wireless Sensor Networks Security and Privacy Professor Jack Stankovic Department of Computer Science University of Virginia
Page 1: Wireless Sensor Networks Security and Privacy Professor Jack Stankovic Department of Computer Science University of Virginia.

Wireless Sensor Networks

Security and Privacy

Professor Jack Stankovic, Department of Computer Science

University of Virginia

Page 2: Security

• Complex, many aspects to consider
• Opportunity to address this properly
– from the start!
• New (severe) constraints (memory, bandwidth, CPU processing speeds, power, …)
– Lightweight solutions required
• Symmetric cryptography (asymmetric crypto is probably too expensive)
• Digital signature – 300 bytes/packet

Page 3: Question

• If, for some reason, WSNs did not have the significant impact we have been projecting, what might those reasons be?
– Poor security – easy to make systems ineffective/unreliable
– Privacy policy – laws that state that thou shalt not deploy WSNs in public places

Page 4: Question

• Is it possible to build a secure WSN?
• VigilNet – 40 services (each can be attacked)
– Solutions for each won't fit
• Weaker guarantees, and evolve

Page 5: VigilNet Architecture

(Figure: VigilNet architecture diagram; no text on this slide.)

Page 6: Outline

• Basic Problems
• Routing Problems
– Solutions
• SPINS
• Denial of Service
• Privacy
• Summary

Page 7: Basic Problems

• Vulnerability of channels (eavesdrop and inject fake messages)
• Vulnerability of nodes (capture, modify messages, re-route) (or add new nodes)
• Absence of infrastructure (e.g., no centralized certification authorities)
• Dynamically changing topology (difficult to distinguish between dynamics and attacks)
• Minimum-capacity devices
– Drain batteries
• Real-time – slow packets down

Page 8: Basic Problems

• Most existing solutions are too costly
– Digital signatures – add as much as 300 bytes/packet
– Asymmetric crypto adds large variables and large memory costs, etc.
• Don't handle broadcasting-type operations

Page 9: Communication Scenarios

• Confidentiality (eavesdrop)

(Figure: Node1 sends Msg to the Base Station; an Adversary within radio range overhears it; Node2 is also present.)

Eavesdropping is good for debugging

Page 10: Communication Scenarios

• Integrity

(Figure: Node1 sends Msg1 toward the Base Station; the Adversary intercepts it and passes on a modified Msg1'.)

Page 11: Communication Scenarios

• Authenticity

(Figure: the Adversary announces "I am the Base Station" to Nodes 1–4, then reprograms the system and resets system parameters.)

Page 12: Security Assumptions

• Trust and Key Management
– Trust the base station and oneself
– Symmetric keys
• Active area of research – how to disseminate the (symmetric) secret keys

Page 13: Security Solutions

• Very difficult
• Fn(assumptions made)
– E.g., attack model
• Themes for security in WSN
– Operate in the presence of security attacks
– Self-heal
– Evolve to new attacks

Page 14: Routing – Threat Models and Security Goals

• Threat Model:
– Mote-class vs. laptop-class adversaries
– Insiders vs. outsiders
• Security Goals:
– Authenticity: verifies the identity of the sender
– Integrity: messages are not tampered with
– Availability: messages are received by the intended receivers
– Confidentiality: no eavesdropping
• Insiders and laptop-class adversaries are difficult challenges

Page 15: Routing – Network Assumptions

– Insecure radio links
– Eavesdropping, modifying bits, and packet replays
– Attacker has similar capabilities (HW, etc.)
– Except, attacker may have high-quality (long-range) communications
– Nodes can be "turned"
– Attacker controls > 1 node; collusion is possible
– Tamper-resistant nodes are not realistic

Page 16: Routing – Trust Requirements

– Base stations are trustworthy
– Random key pre-distributions are valid
• Initialization procedure prior to deployment
– Global (pair-wise) key, pools of keys, etc.
• Neighbor-to-neighbor key establishment after deployment
• Note: too expensive to involve the base station in all transactions

Page 17: WSN Routing Attacks

• Spoofing
• Selective Forwarding
• Blackhole/Sinkhole
• Sybil
• Wormholes
• HELLO Floods

Many routing protocols have been proposed, but few with security as a goal! (consider all the ones we studied in this course)

Page 18: Route Where?

• Each node to base station
• Nodes to aggregation points and then from aggregation point to base station
• Between 2 (n) nodes (peer to peer)
• Between 2 (n) areas
• Among all members of a (static / dynamic) group

Page 19: Routing Attacks

(Figure legend: adversary, base station, sensor node, high-quality wireless link.)

Attacks: try to manipulate user/application data or affect the underlying routing topology (state information)

Page 20: Attack: Bogus Routing Information

• Spoofed, altered, or relayed routing information causes problems
• Example: spoof routing-table beacons or claim to be the base station
– Can attract traffic

(Figure: the attacker becomes part of the routing tree.)

Page 21: Attacks: Selective Forwarding / Blackholes / Sinkholes

• Only forward a select few… drop / modify the remaining packets
• Forward none – blackhole
• Sinkhole – lure all traffic through a compromised node; enables selective forwarding

Page 22: Attack: Sybil Attack

• An adversary may present multiple identities to other nodes
• Fault-tolerance (FT) implications: routes believed to be using disjoint nodes could be using a single adversary
– E.g., an attacker node could provide multiple geographic locations to pretend to be in more than 1 place at a time

(Figure: a single node at positions A and B announces "I am at A and B".)

Page 23: Attack: Wormholes

• Tunnel packets received in one part of the network and replay them in a different part
• Two distant malicious nodes collude to understate their distance from each other by relaying packets along a private channel between them
• Enables other attacks – confuses topology

Page 24: Attack: HELLO Floods

• HELLO packets announce the presence of a node
• Assumption: the sender of a received packet is within normal radio range
• False! A powerful transmitter could reach the entire network
• Disrupts routing paths

Page 25: Recall – SPEED

• SPEED: A Semi-Stateless Protocol for Real-Time Communication in Sensor Networks. Uses neighbor tables

(Figure: strong back-pressure (congestion); area anycast / multicast.)

Page 26: SPEED

(Figure: a packet forwarded from Source to Destination through numbered nodes with per-hop delays; node 5's neighbor table (NT) is shown.)

Node 5's NT:
ID    Delay
9     0.5 s
7     0.1 s
10    0.4 s
3     0.1 s

Attack – change table

Page 27: RAP

• RAP: A Real-Time Communication Architecture for Large-Scale Wireless Sensor Networks.

(Figure: packets with different velocities, respecting deadlines and priorities.)

Attack – change velocity; different order of delivery

Page 28: SPEED and RAP: Routing Security Analysis

• Convince nodes to change their state tables (delay, source, destination, distance, deadlines, velocities).
• Flood the network with high-velocity packets (i.e., short deadlines or large distances).
• Change the radius of the last-mile process.
• Local forwarding decisions allow some types of attacks to go unnoticed. Example: a destination that is "beyond" the edge of the network.
• Just lower the velocity of a packet; it will end up missing its deadline later and will be dropped.

Page 29: Solution – SPINS

• Suite of security protocols optimized for sensor networks
• Practical on minimal hardware
– Memory constraints
– Energy constraints
– CPU constraints
• Can be used for building higher-level protocols, like secure routing

Page 30: Definition

• Secure channel: a communication channel that offers
– Confidentiality
• no eavesdropping
– Data authentication
• you know who sent the message
– Integrity
• data not changed
– Data freshness
• Weak – correct order
• Strong – recent in terms of time

Page 31: SPINS: 2 Building Blocks

• SNEP (Sensor-Network Encryption Protocol)
– Encryption protocol
• Data confidentiality and integrity
– Secure point-to-point communication
• 2-party authentication
– Data freshness (adversary can't replay old messages)
• µTESLA (Micro Timed Efficient Stream Loss-tolerant Authentication)
– Provides streaming broadcast authentication

Page 32: Typical Cost

• Authenticated broadcast
– Asymmetric digital signature
• Up to 50–1000 bytes (of overhead) per packet
• Need a different solution

Page 33: System Assumptions

• Communication patterns
– Frequent node–base station exchanges
– Frequent network flooding from the base
– Node–node interactions infrequent (not including multi-hop routing relays)
• Base station
– Sufficient memory, power
– Shares a secret key with each node
• Node
– Limited resources, limited trust
– Each node trusts itself

Page 34: Design

• Asymmetric cryptography is too expensive
• Use symmetric cryptography primitives
• A simple symmetric encryption function (RC5) provides:
– Encryption & decryption
– Message Authentication Code (MAC)
– Pseudorandom number generation
– Hash function
• Overhead is only 8 bytes per packet
• Use a single block cipher (for code reuse)

Page 35: Block Cipher: RC5

• Subset of RC5 with 40% reduction in code size
• Low memory requirements
• Ciphertext is the same size as the original text
• They rejected AES and DES as too expensive

(Figure: Plaintext and Key enter the RC5 block cipher; Ciphertext comes out.)

Page 36: Key Generation/Setup

• Nodes and base station share a master key (pre-deployment)
• Other keys are bootstrapped from the master key:
– Encryption keys (different for each direction between 2 nodes)
– Message Authentication Code key (different for each direction)
– Random number generator key

(Figure: the Master Key and a counter Ctr feed the RC5 block cipher, producing Key_MAC, Key_encryption and Key_random.)

F is a pseudo-random function used to generate the keys

Page 37: SNEP Encryption

• Encrypted-data = {D}<Key_encryption, counter>
• Counter is shared state – but not sent in the message as in the usual solutions; maintained at each pair of nodes
• With the counter, even the same message is encrypted differently each time
• RC5 generates "random" data to XOR with the message

(Figure: the Counter is encrypted under Key_encryption by the RC5 block cipher; the output is XORed with plaintext block P_j to give ciphertext block C_j.)

Page 38: SNEP Encryption

• Weak freshness guaranteed; the counter must increase
• Decryption is identical

(Figure: Counter+1 encrypted under Key_encryption is XORed with P_{j+1} to give C_{j+1}; the receiver encrypts the same Counter+1 under the same key and XORs the result with C_{j+1} to recover P_{j+1}.)

Page 39: SNEP MAC

• Message Authentication Code = MAC(K_MAC, X)
• MAC uses Cipher Block Chaining (CBC)
• Every block of input affects the output

(Figure: CBC-MAC – X1 is encrypted with RC5 under K_MAC; the result is XORed with X2 and encrypted again; that result is XORed with X3 and encrypted; the final output is the MAC.)

Page 40: Authentication, Confidentiality

• Without encryption on Msg, can have authentication only
• For encrypted messages, the counter is included in the MAC
• Counter in the MAC prevents replays

(Figure: Node A sends to Node B either
Msg, MAC(K_MAC, Msg)
or
{Msg}<K_encryption, Counter>, MAC(K_MAC, Counter || {Msg}<K_encryption, Counter>).)

Page 41: SPINS So Far

• SNEP
– Encryption protocol (RC5)
• Data confidentiality and integrity
– Secure point-to-point communication
• 2-party authentication
• MAC based on RC5
– Data freshness (adversary can't replay old messages)
• Counters
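
The SNEP pieces of Pages 34–40 assembled into one runnable Python example (added here; this is not SPINS code and the page carries none): RC5-32/12/16 as the single block cipher, key bootstrapping from the master key, counter-mode encryption with the counter kept as shared state rather than sent, an 8-byte CBC-MAC over counter || ciphertext, and a receiver that rejects replayed or modified packets. The RC5 parameters, the label numbering in derive_key, the counter/block-index layout in ctr_crypt and the length prefix in cbc_mac are assumptions of this example, not details from the slides.

```python
import hmac
import struct

# RC5-32/12/16 parameters (assumption: the slides do not fix w, r or the key size).
W, R = 32, 12
P32, Q32, MASK = 0xB7E15163, 0x9E3779B9, 0xFFFFFFFF


def _rotl(x, n):
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK


def rc5_expand(key: bytes) -> list:
    """RC5 key schedule: mix the key into the 2(R+1) round subkeys."""
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(4 * c, b"\0")))
    t = 2 * (R + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc5_encrypt_block(S: list, block: bytes) -> bytes:
    """Encrypt one 8-byte block (two little-endian 32-bit words)."""
    A, B = struct.unpack("<2I", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for r in range(1, R + 1):
        A = (_rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return struct.pack("<2I", A, B)


def _ctr_block(S: list, counter: int) -> bytes:
    """One keystream block: RC5 applied to the counter value (Page 37)."""
    return rc5_encrypt_block(S, struct.pack("<Q", counter & 0xFFFFFFFFFFFFFFFF))


def derive_key(master: bytes, label: int) -> bytes:
    """Bootstrap a 16-byte key from the master key with the PRF F of Page 36.
    RC5 in counter mode as F, and this label numbering, are assumptions."""
    S = rc5_expand(master)
    return _ctr_block(S, 2 * label) + _ctr_block(S, 2 * label + 1)


def ctr_crypt(S: list, counter: int, data: bytes) -> bytes:
    """SNEP encryption and decryption: XOR with the RC5(counter) keystream.
    Assumption: the packet counter is widened with a block index so that a
    packet longer than 8 bytes gets a fresh keystream block per block."""
    out = bytearray()
    for i in range(0, len(data), 8):
        ks = _ctr_block(S, (counter << 16) | (i // 8))
        out += bytes(a ^ b for a, b in zip(data[i:i + 8], ks))
    return bytes(out)


def cbc_mac(S: list, msg: bytes) -> bytes:
    """8-byte CBC-MAC (Page 39). The message length is prepended as the first
    block (an assumption) so CBC-MAC is safe on variable-length input."""
    data = struct.pack("<Q", len(msg)) + msg
    data += b"\0" * (-len(data) % 8)
    state = bytes(8)
    for i in range(0, len(data), 8):
        state = rc5_encrypt_block(S, bytes(a ^ b for a, b in zip(state, data[i:i + 8])))
    return state


class SnepLink:
    """One direction of a SNEP channel. Sender and receiver build the same object
    from the shared master key; the counter is shared state, never transmitted."""

    def __init__(self, master: bytes, direction: int):
        self.enc = rc5_expand(derive_key(master, 2 * direction))
        self.mac = rc5_expand(derive_key(master, 2 * direction + 1))
        self.counter = 0

    def seal(self, plaintext: bytes) -> tuple:
        """{Msg}<K_enc, Counter>, MAC(K_mac, Counter || {Msg}) as on Page 40."""
        c = ctr_crypt(self.enc, self.counter, plaintext)
        tag = cbc_mac(self.mac, struct.pack("<Q", self.counter) + c)
        self.counter += 1
        return c, tag

    def open(self, ciphertext: bytes, tag: bytes):
        """Plaintext, or None for a forged, modified or replayed packet.
        A rejected packet does not advance the counter."""
        expected = cbc_mac(self.mac, struct.pack("<Q", self.counter) + ciphertext)
        if not hmac.compare_digest(expected, tag):
            return None
        plaintext = ctr_crypt(self.enc, self.counter, ciphertext)
        self.counter += 1
        return plaintext


def demo() -> dict:
    master = bytes(range(16))                    # constructed pre-deployment master key
    node, base = SnepLink(master, 0), SnepLink(master, 0)
    c1, t1 = node.seal(b"temp=21.5C")
    c2, t2 = node.seal(b"temp=21.5C")            # same plaintext, different counter
    return {
        "first": base.open(c1, t1),
        "distinct_ciphertexts": c1 != c2,
        "replay": base.open(c1, t1),             # stale counter: MAC no longer matches
        "tampered": base.open(bytes([c2[0] ^ 1]) + c2[1:], t2),
        "second": base.open(c2, t2),
    }
```

The counter is the weak-freshness state: a replay fails the MAC because the receiver has moved on, and because the receiver only advances after a successful check, one bad packet does not desynchronize it. A lost packet does desynchronize the two ends, which is why SNEP needs a counter resynchronization exchange the slides do not cover. The RC5 routines follow the published algorithm; check them against the RC5 test vectors before reusing them.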

Page 42: Broadcast Authentication

• Broadcast is the basic communication mechanism
• Sender broadcasts data
• Each receiver verifies the data origin

(Figure: Sender broadcasts M to receivers R1–R4.)

Page 43: TESLA Protocol

• TESLA: efficient source authentication in multicast for wired networks.
• µTESLA: broadcast authentication for WSNs.
– TESLA is too expensive for WSN

Page 44: TESLA Protocol

• Compare & contrast (similarities)
– Both require loose time sync between the BS and each node.
– Both use a one-way hash function to produce a chain of secret keys at the sender, each key corresponding to a time interval in which the sender sends packets.
– Both maintain a key disclosure schedule known to both sender and receiver.
– The receiver holds off the authentication of a packet until the required key is disclosed.

Page 45: TESLA

• Compare & contrast (differences)

µTESLA removes or adapts the expensive features of TESLA:
– The asymmetric digital signature is replaced by a symmetric key
– The frequency of key disclosure is greatly lessened
– Only the base station stores the key chain
– Inter-node communication is made possible by the base station

Page 46: TESLA Overview

• Provides an authenticated broadcast mechanism
• Must have an asymmetric mechanism to prevent forgery
• Why not use asymmetric digital signatures?
– Expensive computation, storage, and communication
• Asymmetry: delayed key disclosure
– Requires loosely synchronized clocks

Page 47: Simple MAC Insecure for Broadcast

(Figure: the Sender broadcasts M, MAC(K, M) to receivers R1–R4, all of which hold the same key K; any receiver can therefore produce M', MAC(K, M') and pass it off as the sender's.)

Page 48: Key Setup

• Main idea: one-way key chains
– BS chooses K(n) – easy to compute K(n-1) = F(K(n))
– BS computes the entire chain
• K0 is the initial commitment to the chain
• Base station gives K0 to all nodes
– Nodes can't compute K(1) from K0

(Figure: Kn → F(Kn) = Kn-1 → … → F(K2) = K1 → F(K1) = K0; the reverse direction is marked X, i.e., infeasible.)

Page 49: Broadcast

• Divide time into intervals
• Associate Ki with interval i
• Messages sent in interval i use Ki in the MAC
• Ki is revealed at time i + δ, where δ is the disclosure delay
• Nodes authenticate Ki, then the messages, using Ki

(Figure: timeline 0 1 2 3 4 with keys K0 K1 K2 K3 … assigned to the intervals; K0 revealed in a later interval.)

Page 50: Robustness to Packet Loss

(Figure: timeline Time 1 … Time 5; packets P1–P5 are sent in intervals 1–5, each carrying the key disclosed for an earlier interval. When a packet and the key it discloses are lost, the receiver authenticates the next disclosed key K3 by applying F repeatedly (F(F(K3))) until it reaches its last authenticated key, then verifies the MACs of the buffered packets.)

Page 51: TESLA Issues

• Important parameters: time interval, disclosure delay
• Delay must be greater than the RTT to ensure integrity
• Parameters define the maximum delay until messages can be processed
• Nodes must buffer broadcasts until the key is disclosed
• Requires loose time synchronization in the network
• Base station commits to a maximum number of broadcasts when forming the chain
– When the current chain is exhausted, all nodes must be bootstrapped with a new one
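
Pages 48–51 as a runnable Python model (an added example, not SPINS code): the base station builds the one-way chain K_n → … → K_0, MACs interval-i packets under K_i and discloses K_{i-δ} in each packet; the receiver enforces the security condition (the key for a packet must not be disclosable yet), buffers packets, authenticates a disclosed key by applying F until it reaches its last authenticated key (so a lost disclosure is tolerated), and only then verifies the buffered MACs. SHA-256 and HMAC-SHA256 stand in for the RC5-based F and MAC of the slides; the packet layout, interval numbering and clock-error bound are assumptions of this example.

```python
import hashlib
import hmac


def F(key: bytes) -> bytes:
    """One-way chain function (assumption: truncated SHA-256 stands in for the RC5-based F)."""
    return hashlib.sha256(b"uTESLA-chain|" + key).digest()[:8]


def mac(key: bytes, msg: bytes) -> bytes:
    """8-byte MAC (assumption: truncated HMAC-SHA256 stands in for the RC5 CBC-MAC)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class BaseStation:
    """Holds the whole key chain (Page 45) and discloses keys with a fixed delay."""

    def __init__(self, seed: bytes, n: int, delay: int):
        chain = [seed]                          # K_n, chosen by the base station
        for _ in range(n):
            chain.append(F(chain[-1]))          # K_{i-1} = F(K_i)
        self.keys = chain[::-1]                 # keys[i] is K_i; keys[0] is the commitment
        self.delay = delay

    def commitment(self) -> bytes:
        return self.keys[0]                     # K0, given to every node at setup

    def broadcast(self, i: int, msg: bytes) -> tuple:
        """Packet for interval i: MAC under K_i, plus the key of interval i - delay."""
        disclosed = (i - self.delay, self.keys[i - self.delay]) if i >= self.delay else None
        return (i, msg, mac(self.keys[i], msg), disclosed)


class Node:
    """Receiver: buffers packets until their key is disclosed; tolerates lost packets."""

    def __init__(self, k0: bytes, delay: int, clock_error: int = 0):
        self.last_key, self.last_idx = k0, 0    # most recent authenticated key
        self.delay, self.err = delay, clock_error
        self.pending, self.accepted = [], []

    def receive(self, pkt: tuple, local_time: int) -> str:
        i, msg, tag, disclosed = pkt
        # Security condition: if the sender may already be in interval i + delay,
        # K_i could be public and anyone could have produced this MAC.
        if local_time + self.err >= i + self.delay:
            return "rejected"
        self.pending.append((i, msg, tag))
        if disclosed is not None and disclosed[0] > self.last_idx:
            if self._authenticate_key(*disclosed):
                self._verify_pending()
        return "buffered"

    def _authenticate_key(self, j: int, kj: bytes) -> bool:
        """F^(j - last_idx)(K_j) must equal the last authenticated key; applying F
        more than once is what makes a lost disclosure harmless (Page 50)."""
        k = kj
        for _ in range(j - self.last_idx):
            k = F(k)
        if not hmac.compare_digest(k, self.last_key):
            return False                        # forged or corrupted key: ignore it
        self.last_key, self.last_idx = kj, j
        return True

    def _key(self, i: int) -> bytes:
        k = self.last_key                       # walk the chain down from K_last_idx
        for _ in range(self.last_idx - i):
            k = F(k)
        return k

    def _verify_pending(self):
        still = []
        for i, msg, tag in self.pending:
            if i > self.last_idx:
                still.append((i, msg, tag))     # key not yet disclosed: keep buffering
            elif hmac.compare_digest(mac(self._key(i), msg), tag):
                self.accepted.append(msg)       # forgeries fail here and are dropped
        self.pending = still


def demo() -> dict:
    delay = 2
    bs = BaseStation(seed=b"K_n chosen by the base station (constructed)", n=8, delay=delay)
    node = Node(bs.commitment(), delay)
    late = forged = None
    for i in range(1, 8):
        pkt = bs.broadcast(i, b"cmd-%d" % i)
        if i == 3:
            continue                            # packet 3, which disclosed K_1, is lost
        node.receive(pkt, local_time=i)
        if i == 4:
            # Attacker reuses K_1 (public since interval 3) to forge an interval-1 packet.
            late = node.receive((1, b"evil", mac(bs.keys[1], b"evil"), None), local_time=4)
            # Attacker without the chain forges an interval-5 packet under a guessed key.
            forged = node.receive((5, b"evil2", mac(b"guess", b"evil2"), None), local_time=4)
    return {"accepted": node.accepted, "late": late, "forged": forged,
            "still_buffered": len(node.pending)}
```

In demo() the receiver never sees K_1 directly, yet cmd-1 and cmd-2 are accepted once K_2 arrives, because F(F(K_2)) matches the commitment. The packet forged with an already-disclosed key is refused at arrival by the security condition, and the one forged under a guessed key is buffered like any other packet and silently dropped when K_5 is disclosed; the last two packets are still waiting for their keys when the run ends, which is the processing delay Page 51 warns about.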

Page 52: Evaluation (Memory)

(Figure: memory-usage chart; no text on this slide.)

Page 53: Evaluation (Execution Time)

• 2.5 ms to encrypt a 16-byte message
• 18 ms to deal with broadcast authentication

Page 54: Evaluation (Energy Cost)

• Total cost to send a message
• Highest overhead is from transmission of the 8-byte MAC per packet

(Figure: energy cost broken down by extra bytes per packet.)

Page 55: Authenticated Routing

• Simple "breadth-first search" routing algorithm
• Routing scheme assumes bidirectional communication
• Base station periodically broadcasts a beacon

(Figure: BS surrounded by sensor nodes.)

Page 56: Authenticated Routing

• First reception of an authenticated beacon during the current routing interval defines the "parent"
• On reception of a beacon, if it is fresh then accept the sender as parent in the route and broadcast another beacon with the node's id as sender id

(Figure: the beacon spreading outward from the BS.)

Page 57: Authenticated Routing

• Attacker cannot re-route any link – won't authenticate

(Figure: an attacker's beacon is ignored by the nodes around the BS.)

Page 58: Authenticated Routing

• Final tree

(Figure: the completed routing tree rooted at the BS.)
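
The routing-tree construction of Pages 55–58, simulated against the HELLO-flood and bogus-beacon attacks of Pages 20 and 24 (an added Python example, not the SPINS code). A laptop-class adversary with a long-range transmitter announces itself first as hop 0: without authentication every node adopts it as parent; with an authenticated, round-numbered beacon its announcement is dropped, as is a replayed beacon from the previous round, and the tree forms from the real base station. The deployment, radio ranges, the pre-deployment per-node keys and HMAC-SHA256 as the beacon MAC are all assumptions of the example.

```python
import hashlib
import hmac
import math
from collections import deque

BS, ADV = "BS", "ADV"
RANGE = 1.5                                  # mote-class radio range (constructed)
TX_RANGE = {ADV: 100.0}                      # laptop-class adversary reaches the whole field

# Constructed deployment: node id -> (x, y). The adversary sits far from every node.
POS = {BS: (0, 0), "n1": (1, 0), "n2": (2, 0), "n3": (3, 0),
       "n4": (1, 1), "n5": (2, 1), "n6": (3, 1), ADV: (6, 6)}

# Assumption: the pre-deployment key setup of Page 16 gave every legitimate node a key
# the adversary never obtains, and a receiver can verify a neighbour's beacon with it.
KEYS = {n: hashlib.sha256(b"predeployed|" + n.encode()).digest() for n in POS if n != ADV}


def in_range(tx: str, rx: str) -> bool:
    return math.dist(POS[tx], POS[rx]) <= TX_RANGE.get(tx, RANGE)


def beacon_tag(sender: str, round_no: int, hop: int) -> bytes:
    """MAC over (round, hop, sender); the round number is what makes a beacon fresh."""
    msg = f"{round_no}|{hop}|{sender}".encode()
    return hmac.new(KEYS[sender], msg, hashlib.sha256).digest()[:8]


def build_tree(round_no: int, authenticated: bool, adv_claim=(ADV, b"\0" * 8)) -> dict:
    """Flood beacons breadth-first from the base station (Page 55) and return
    {node: (parent, hop)}. The adversary transmits first and claims hop 0 under the
    sender id and tag in adv_claim (bogus routing information / HELLO flood)."""
    parent = {}
    # queue entries: (physical transmitter, claimed sender id, hop, tag)
    queue = deque([(ADV, adv_claim[0], 0, adv_claim[1]),
                   (BS, BS, 0, beacon_tag(BS, round_no, 0))])
    while queue:
        tx, sender, hop, tag = queue.popleft()
        for node in POS:
            if node in (BS, ADV) or node in parent or not in_range(tx, node):
                continue
            if authenticated and (sender not in KEYS or not hmac.compare_digest(
                    tag, beacon_tag(sender, round_no, hop))):
                continue                       # does not authenticate: link not re-routed
            parent[node] = (sender, hop + 1)   # first accepted beacon defines the parent
            queue.append((node, node, hop + 1, beacon_tag(node, round_no, hop + 1)))
    return parent


def demo() -> dict:
    unauth = build_tree(round_no=2, authenticated=False)
    auth = build_tree(round_no=2, authenticated=True)
    # Adversary replays the base station's genuine beacon captured in the previous round.
    replay = build_tree(round_no=2, authenticated=True, adv_claim=(BS, beacon_tag(BS, 1, 0)))
    return {"unauthenticated": unauth, "authenticated": auth, "replayed_beacon": replay}
```

Authenticating the beacon stops spoofing and replay of old rounds, not relaying: an adversary that rebroadcasts the current round's genuine beacon over a long-range link (a wormhole) would still be accepted by distant nodes, because nothing in the MAC ties the beacon to a position or to a hop count the adversary cannot simply copy. That is the "relayed routing information" case of Page 20, and it needs a different defence.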

Page 59: SPINS Summary

• Focus on WSN communication patterns
• Meet severe energy, time, memory constraints
• Time-synchronized network
• Pre-loaded master keys
• Basic techniques to be used in other protocols

Page 60: Denial of Service

Ref: Denial of Service in Sensor Networks; Wood & Stankovic

Page 61: The Jamming Problem

• Jamming disrupts communication around the source
• Expensive to prevent – but can detect it

(Figure: a jammer J and the disrupted region around it.)

Page 62: Solution Summary

(Figure: jammer J inside the jammed area, with the surrounding node roles labelled.)

• Edge nodes blindly report jamming
• Inner nodes sleep
• Outer nodes map collaboratively

Page 63: Jam Detection

• Highly decentralized algorithm:
– Loose group semantics, eager eavesdropping, supremacy of local information, robustness to packet loss and failure
– Does not consider other security attacks

Page 64: A Mapping Service

• Map the jammed area and export it to other modules
• Possibilities for using this information:
– Report the jammed area to the base station
• Send in a vehicle
– Route around the jammed area
– Lower the duty cycle to save energy
– Redirect any queries to services in the jammed area
– Expose the area as a programmer-accessible entity

Page 65: Summary – Security

• Solutions from the start (too late?)
• Lightweight solutions required
• System must operate in the presence of faults AND attacks
• Framework needed for security updates as attacks evolve over time

Page 66: Summary – Security

• Define new trust models
• Key distribution schemes (static and dynamic)
• Routing, secure groups, denial of service, localization, …
• Can solutions exploit
– Physical properties?
• Directional antennas, time validity intervals of data, velocity, …
– Density?
– Redundancy?
– HW?

Page 67: Medical System Architecture

(Figure: patient sensor networks connected over the Internet to PDAs and nurses' stations.)

Page 68: Smart Living Health Spaces

(Figure only; no text on this slide.)

Page 69: Motivation

• What is privacy?
– "The claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others" – Alan Westin
• WSN in healthcare

Page 70: Many Stakeholders

• Patients
• Patients' family and friends
• Doctors
• Nurses
• Technicians
• Orderlies
• Admin
• Social Workers

Page 71: Privacy

• Very complex, dynamic
• Differs for different countries, people, etc.
• Build into the WSN at the start
• Filters
– Example: only transmit aggregated information about people in an area, not ID-based information
• Showstopper?

Page 72: Authorization Framework

(Figure: the User's Request enters the Request Authorizer, which consults the Privacy Policy (maintained by the Policy Manager) and the Context Manager (current Context), records the Request History, asks the Database for data and returns the Reply; data mining analysis of the Request History feeds an Inconsistency Check that can change the policy.)

Page 73: Request Expressions

• Mandatory:
– <Request Subject>
– <Data Subject>
– <Data>
– <Action>
• Optional:
– [Aggregate Function]
– [Time]
– [Place]
– [Conditions]
– [Set Values]
• Example: Nurse N1 requests to read the pulse of patient P1 for 30 minutes if P1's pulse is lower than 50 bpm:
N1 read (P1, pulse) [t1, t1+30] if (P1, pulse) < 50

Value domains of the fields:
Request Subject:      Roles, UserID, roomID, floorID
Action:               read, write, delete, add, set
Data:                 EKG, pulse, motion, light, temp, activity
Aggregate Function:   max, min, avg
Time:                 single time t, periodic [t1, t2]
Place:                bed, room, floor
Conditions:           =, >, <, >=, <=, <>
Set Values:           single value, range

Page 74: Policy Components

– Request Subject
– Rule: (action, ruling, context)
– Data Subject
– Data
– Examples:
• Doctor (read, allow, critical condition) (patient, activity data) – role policy
• DoctorX (read, deny) (patient, activity data) – individual policy

Page 75: Representation

• Directed Acyclic Graph
– Nodes:
• Individual user
• Role
• Data
– Edges:
• Inheritance
• Data association
• Rule: (action, ruling, context)

Page 76: Privacy Policy Representation – Example

(Figure: DAG with users User1 and User2 under role Doctor, users User3 and User4 under role Patient, data nodes Cardio and PII, and <rule> edges from the roles to the data.)

Page 77: Policy Inconsistency Types

• Syntax inconsistency
• Semantic inconsistency
– Multiple-role
– Role vs. individual policy
– Multiple rule instances

(Figure: a User with is-a edges to Role 1 and Role 2; rule edges <rule 1>, <rule 2> and <rule 3> lead to the same Data.)

Page 78: Inconsistency Detection Example

(Figure: a User under Role t, which is under Role s; rule edges <rule 3> and <rule 4> lead to the same Data.)
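
The policy representation of Pages 74–78 as a runnable Python check (an added example; the page itself shows no code). A PolicyGraph holds users, roles, is-a edges and rules (subject, data, action, ruling, context); syntax_errors() catches rules outside the Page 73 vocabulary, and semantic_conflicts() finds pairs of applicable rules with different rulings, classified as multiple-role, role-vs-individual or multiple-rule-instances. The sample policy reuses the Doctor/individual example of Page 74 and the users of Page 76; the Researcher role, the "activity" and "emergency" values, and the convention that a rule with no context applies in every context are assumptions of the example.

```python
from collections import defaultdict

ACTIONS = {"read", "write", "delete", "add", "set"}     # Page 73 action vocabulary
RULINGS = {"allow", "deny"}


class PolicyGraph:
    """Policy DAG of Page 75: user and role nodes joined by is-a edges, and rule
    edges (action, ruling, context) from a subject to a data node."""

    def __init__(self):
        self.is_a = defaultdict(set)        # subject -> roles it inherits from
        self.users = set()
        self.rules = []                     # (subject, data, action, ruling, context)

    def add_user(self, user: str, *roles: str):
        self.users.add(user)
        self.is_a[user].update(roles)

    def add_is_a(self, child_role: str, parent_role: str):
        self.is_a[child_role].add(parent_role)

    def add_rule(self, subject, data, action, ruling, context=None):
        # Assumption: context None means the rule applies in every context.
        self.rules.append((subject, data, action, ruling, context))

    def ancestors(self, subject: str) -> set:
        """subject plus every role reachable over is-a edges (the graph is a DAG)."""
        seen, stack = set(), [subject]
        while stack:
            s = stack.pop()
            if s not in seen:
                seen.add(s)
                stack.extend(self.is_a[s])
        return seen

    def syntax_errors(self) -> list:
        """Rules whose action or ruling is outside the request language."""
        return [r for r in self.rules if r[2] not in ACTIONS or r[3] not in RULINGS]

    def semantic_conflicts(self) -> list:
        """Pairs of applicable rules that rule differently on the same (data, action)
        in overlapping contexts, classified into the three types of Page 77.
        Each conflicting pair is reported once, at the first subject that exposes it."""
        bad = set(self.syntax_errors())
        subjects = sorted(set(self.is_a) | {r[0] for r in self.rules})
        found, seen = [], set()
        for subj in subjects:
            anc = self.ancestors(subj)
            groups = defaultdict(list)
            for r in self.rules:
                if r[0] in anc and r not in bad:
                    groups[(r[1], r[2])].append(r)
            for (data, action), rs in groups.items():
                for x in range(len(rs)):
                    for y in range(x + 1, len(rs)):
                        ra, rb = rs[x], rs[y]
                        disjoint_ctx = ra[4] is not None and rb[4] is not None and ra[4] != rb[4]
                        if ra[3] == rb[3] or disjoint_ctx or (ra, rb) in seen:
                            continue
                        seen.add((ra, rb))
                        if ra[0] == rb[0]:
                            kind = "multiple-rule-instances"   # same subject, two rulings
                        elif subj in self.users and subj in (ra[0], rb[0]):
                            kind = "role-vs-individual"        # user's own rule vs inherited role
                        else:
                            kind = "multiple-role"             # two inherited roles disagree
                        found.append((kind, subj, data, action, ra, rb))
        return found


def demo() -> dict:
    g = PolicyGraph()
    g.add_user("User1", "Doctor")
    g.add_user("User2", "Doctor", "Researcher")      # Researcher role: added assumption
    g.add_user("User3", "Patient")
    g.add_user("User4", "Patient")
    g.add_rule("Doctor", "activity", "read", "allow", "critical condition")  # role policy (Page 74)
    g.add_rule("User1", "activity", "read", "deny")                          # individual policy
    g.add_rule("Researcher", "activity", "read", "deny", "critical condition")
    g.add_rule("Doctor", "PII", "read", "allow", "emergency")
    g.add_rule("Doctor", "PII", "read", "deny", "emergency")                 # two rule instances
    g.add_rule("Patient", "Cardio", "reed", "allow")                         # typo: syntax error
    conflicts = g.semantic_conflicts()
    return {"syntax": g.syntax_errors(),
            "conflicts": sorted((c[0], c[1], c[2]) for c in conflicts)}
```

The check is the "Inconsistency Check" box of Page 72 run offline over the policy graph; it reports conflicts but does not resolve them, since the slides leave precedence (deny-overrides, individual-overrides-role, most-specific-context) to the policy manager.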

Page 79: Privacy

• Added requirements for WSN
– WSN-specific
• Lightweight and integrated solutions
– Highly dynamic
• Alarms
• Override when necessary
– Highly distributed access and data creation
– Data is transient
– Notion of inanimate objects

Page 80: Possible Approach

• Privacy filters
– Collect what is needed; no more
• Blurring
• Reactive to critical situations
– Real-time privacy
• WSN-Privacy Language
• Consistency checks (at different levels of granularity, at different times)
• Across enterprise trust domains

Page 81: Summary – Research Questions

• How do we compose untrustworthy entities into a trustworthy aggregation
– And how to maintain this trust as the topology changes
• Lightweight key management
• Routing, denial of service, intrusion detection, authentication, localization, etc.
• Adaptive security and privacy service

