}w!"#$%&'()+,-./012345<ya

Transcription

1 }w!"#$%&'()+,-./012345<ya MASARYK UNIVERSITY FACULTY OF INFORMATICS Secure Routing Protocols for Wireless Sensor Networks MASTER S THESIS Bc. Jiří Kůr Brno, spring 2008

2 Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Advisor: Mgr. Petr Švenda ii

3 Acknowledgement I express my gratitude to Petr Švenda for introducing me into the problematic of evolutionary algorithms and for our fruitful discussions. I am grateful to my sister Hanka for the language corrections. iii

4 Abstract In this thesis, we examine the security aspects of wireless sensor networks with emphasis on security of routing. Several secure routing protocols are reviewed and their security is evaluated. In the second part of the thesis, concept for automatic attack generation and introduction to evolutionary algorithms are presented. Usability of the concept was verified using evolutionary algorithms. Several attacks on routing protocols were generated. The impact of generated attacks is discussed with respect to countermeasures. iv

5 Keywords Wireless Sensor Network, Routing, Security, Evolutionary Algorithms v

6 Contents 1 Introduction Wireless sensor networks Applications Hardware characteristics Security in WSN Security goals Key management Attacker model Secure Routing in WSNs Attacks on routing Bogus routing information Selective forwarding Sinkhole attack HELLO flood attack Wormhole attack Acknowledgement spoofing Sybil attack Denial of Service Towards secure routing µtesla ARMS Secure routing protocols Scure Implicit Geographic Forwarding IGF SIGF SIGF SIGF Secure Directed Diffusion SeRINS A Clean-Slate Approach Introduction to Evolutionary Algorithms Population of individuals and their representation vi

7 4.2 Genetic operators Fitness function and selection operator Automatic design of attack strategy Related work Basic concept Elementary rules Generation of attack strategy Translation Strategy execution Fitness function evaluation Concept realization via evolutionary algorithms Attacker model revised Evolutionary algorithms and genome structure Triggers Instructions Network simulator Fitness functions Results Minimum Cost Forwarding Forging beacons Selective forwarding Implicit Geographic Forwarding Rushing attack MAC layer jamming Neighborhood congestion Experience and future work Conclusion A Example of generated attack strategy vii

8 Chapter 1 Introduction Sensor nodes are tiny, low-cost devices equipped with environment sensors and radio for wireless communication. These sensor nodes may constitute the network for monitoring physical phenomena. Such network is called Wireless Sensor Network (WSN). Wireless sensor network consists of high number ( ) of sensor nodes and one or few powerful devices acting as gateways. Wireless sensor networks can be utilized in a broad variety of applications ranging from battlefield surveillance in military, through remote patient monitoring in medicine to forest fire detection in environmental applications. Majority of WSN applications require at least some level of security. In order to achieve the needed level, secure and robust routing is necessary. However, routing protocols for WSN were not designed with security requirements in mind. Karlof and Wagner [KW03] triggered a revolution in this field by proposing a comprehensive study on the security of routing in wireless sensor networks. They showed that all the protocols were then prone to simple attacks. Since then, security of routing has become a hot topic and several secure routing protocols were proposed. In this thesis, we aim to review the issue of secure routing in wireless sensor networks. We first introduce the concept of wireless sensor networks and outline their security aspects. In the second chapter, we examine selected secure routing protocols and evaluate their benefits and drawbacks. We also describe common attacks on routing protocols. The second half of the thesis deals with the problem of the attack strategies automatic generation and presents our results. We introduce the concept of Evolutionary Algorithms (EA) in the chapter 4. In the next chapter, we present our concept for automatic design of attack strategies. We use this concept to discover attacks on routing algorithms. We summarize the results and outline the future work in the conclusion. 1

9 Chapter 2 Wireless sensor networks Wireless Sensor Network is a heterogenous network composed of a large number of tiny low-cost devices, denoted as nodes, and few general-purpose computing devices referred to as base stations. The general purpose of wireless sensor network is to monitor some physical phenomena (e.g., temperature, barometric pressure, light) inside the area of deployment. The basic units of WSN are nodes (sometimes called motes). These nodes are equipped with communication unit, mostly the radio transceiver, processing unit, battery and sensors. Due to the size and expected costs of the nodes, they are constrained in processing power and energy. The number of nodes deployed in WSN can vary from tens to tens of thousands depending on the particular application. Nodes can be deployed, for example, by precise placing one by one into predefined positions or by dropping from the plane. Their positions can be static or mobile. Networks with nodes in static positions are more common. Nodes have to be autonomous and the network itself has to be self organizing. They are also prone to failures, thus the topology of the network changes very often. Beside resource limited nodes, the wireless sensor network includes one or more base stations (sometimes called sinks). These base stations have more resources and capabilities than the nodes. Assume base stations might have laptop capabilities. They act as gateways between the sensor network and other networks, e.g. Internet. They can also somehow coordinate the nodes. In most common application scheme, the nodes collect measured data and send them to the base stations, which forward them to the consumer. 2.1 Applications There is a broad variety of applications for wireless sensor networks. These applications can be divided into five categories [ASSC02]: military, environmental, health, home and other commercial applications. In military, the wireless sensor networks can be used for battlefield surveillance, sniper lo- 2

10 2. WIRELESS SENSOR NETWORKS cation or to detect the chemical or biological attacks. Sensor network can also be greatly beneficial for the environment. For example, it can detect forest fires or help researchers to monitor animal habits. Important application area is medical environment, where nodes can collect patient s physiological data. In commerce, wireless sensor networks can be deployed in car tracking systems or used for securing buildings, temperature regulation in offices, etc. 2.2 Hardware characteristics Sensor nodes are small, low-cost and battery supplied devices. Therefore the concept of WSNs is quite challenging. There are two main constraints, the low processing power of the nodes and the capacity of their batteries. The former constraint directly determines the algorithms we can use. For example, we cannot use asymmetric cryptography or maintain large routing tables. Since the priority in the development is to minimize cost, size and power consumption, there is only a small chance of a significant improvement of computational power and memory in the near future. The later constraint influences the properties of used algorithms indirectly. Capacity of the batteries is essential for the node s lifetime. Often it is impossible or not intended to be possible to change batteries. Therefore the lifetime and usability of the network depends on their capacity and on the consumption of the nodes. Energy consumption is closely related to the algorithms implemented. For example, the biggest energy consumer is radio transceiver, hence the communication between nodes is very expensive in terms of node s energy resources. Efficient algorithms must take this into an account. The batteries are dominating part of the node in terms of size. The size of the node is thus directly proportional to a capacity of its batteries. Here are the parameters of typical today sensor node, TMote Sky [TM006]: size: 65 x 32 x 7 (mm, excluding battery pack) 16-bit RISC processor, 8MHz clock frequency, 48KB flash memory, 10KB RAM 1024KB of external flash memory to store data and code radio: RF frequency 2400 Mhz, bandwidth 250Kbps, with internal antenna outdoor range reaches 125m, indoor range up to 50m tinyos operating systems 3

11 2. WIRELESS SENSOR NETWORKS Figure 2.1: TMote Sky sensor node. Figure taken from [TM006] 2xAA battery lifetime > 1 year using sleep modes senors: temperature, humidity, light Contrary to the nodes, base station is assumed to have laptop capabilities and unlimited energy resources. More on wireless sensor network principals can be found in [ASSC02]. 2.3 Security in WSN Majority of sensor network applications require strong security features. This requirement is obvious in case of military applications or applications working with sensitive personal data, like health or home applications. However security is a very demanded property also in commercial applications, where information means a competitive advantage and all assets have to be protected. Also environmental applications need some level of security, at least in terms of robustness against accidental errors and vandalism. Nodes have two properties, which have critical impact on the security of WSNs, and which both are caused by the small size and low costs of the nodes. First, the nodes are not considered tamper resistant. Attacker with physical access to the node can extract the keys and other sensitive data from the node relatively easily. Attacker can then also turn the node into a malicious one by uploading malicious firmware into it. Second, the node is limited in resources, consequently only some security mechanisms can be applied. Contrary to nodes, base station is considered tamper-resistant and trusted. 4

12 2. WIRELESS SENSOR NETWORKS It also has much greater capabilities, suppose it may have lap-top capabilities and unlimited energy supply Security goals The security goals in sensor networks are similar to those in traditional networks. We require confidentiality, integrity, authenticity, freshness, anonymity and availability of service. Confidentiality, integrity and authentication are traditionally provided by an end-to-end mechanisms on high layers of ISO/OSI model, like SSL/TLS or SSH. But sensor networks often require in-network processing of the messages, like data aggregation, to be efficient and thus end-to-end approach is not in use. Therefore link-layer security architectures such as Tiny- Sec [KSW04] and mechanisms for securing node-to-node communication [PST + 02] are of a great interest in sensor networks. Freshness, anonymity and availability of service should be provided by a secure routing protocol. There are several other security features of the ideal secure routing protocol. For example an attacker should not be able to abuse the routing algorithm to shorten the network s lifetime. Or he should not be able to significantly slow down the traffic or increase latency. However these features are application specific and it is unlikely to design universal secure routing algorithm with all such properties Key management Poor sensor node s capabilities prevent us from massive use of expensive (in terms of computational resources) public key cryptography based on RSA or complexity of discrete logarithm problem. However some new designs [PLGP06] propose to use public key cryptography based on elliptic curves, which is less computationaly complex. They assume that every node contains a public key of a single trusted authority and is able to verify corresponding digital signature. It is questionable whether the public key cryptography will be available in sensor networks in the near future. Primary aim is to miniaturize the node and to decrease its cost, not to increase its processing power. However there are more and more schemes employing asymmetric cryptography and we feel that its use has an increasing tendency. Because of the limited processing power, symmetric cryptography is dominant in sensor networks. There are several schemes of key sharing among the nodes and base stations. We will examine the most common of 5

13 2. WIRELESS SENSOR NETWORKS them. Single key shared among all nodes: Simple, but weak scheme. Compromission of a single node compromise the whole network. This scheme is sometimes used for establishing the keys between each pair of neighboring nodes. It assumes, that attacker needs some time to compromise the node. During this time the new keys are established and globally shared key is erased. Every node shares a unique key with base station: Keys can be inserted into nodes off-line, prior to their deployment. Compromission of a single node compromise only its own key. Frequent assumption of security protocols. Each pair of neighboring nodes shares a key: Also common assumption. Frequently applied together with previous scheme. Enables hopby-hop encryption and in-network processing, therefore it is convenient for sensor network. However in most applications, keys cannot be preinstalled and must be distributed after deployment. Suppose we deploy the nodes by dropping them from the plane. We do not know, which nodes will be neighbors and which not. The neighborhood is established during the deployment process and keys have to be distributed afterwards. This task is nontrivial and requires additional assumptions and complex key distribution protocol [EG02, PST + 02, ZSJ03] Attacker model Karlof and Wagner have proposed following attacker model [KW03] suitable for sensor networks and routing. There are two types of attacker: moteclass attacker and laptop-class attacker. Mote-class attacker has one or few nodes with capabilities similar to a legitimate node. On the other hand, laptop-class attacker has a powerful device with capabilities comparable to laptop. He is not energy constrained and can have more sensitive antenna and more powerful radio. Another distinction can be made between insider attacks and outsider attacks. Insider attacks deal with a legitimate participants of the network behaving in a malicious way, whereas outsider attacks are mounted by outsider who is not the part of the network. However outsider can eavesdrop the communication easily due to the broadcast nature of a wireless communication. Attacker can be modeled also with respect to the Needham-Schroeder model [NS78]. Needham and Schroeder assume that an intruder can intrpose a computer on all communication paths, and thus can alter or copy parts of messages, replay messages, or emit false material. This model was extended to node-compromise model [EG02], which further assume: 1) keys can be loaded into the nodes in the secure way before the nodes are deployed. 2) the attacker is able to compromise only a fraction of the nodes. 6

14 2. WIRELESS SENSOR NETWORKS 3) attacker can extract all keys from compromitted node and 4) attacker is able to monitor only fraction of links during the short time period after the deployment of the nodes. This means that there is something like period of protection for nodes after deployment. 7

15 Chapter 3 Secure Routing in WSNs Routing techniques in wireless sensor networks are influenced by two factors. First, it has to deal with hardware and resource constraints. The routing algorithm has to be energy aware, thus minimize the control information flows and communication. Routing table maintenance is limited by memory capacity. Second, the nature of sensor network applications defines traffic patterns, which are different from the traditional ones. In sensor networks, it is not necessary to support communication between any pair of nodes, the dominant traffic is one-to-many (base station multicast), many-to-one (data sent to the base station) and local communication between neighbors. As the resources are limited and the number of nodes is large, wireless sensor network usually does not support global addressing, that brings high overhead. It often trade on its data centric character instead and deploys attribute-based addressing. This means the base station sends queries for data with specific properties. However routing technique is strongly dependent on the particular application for which the wireless sensor network is used. Each application has different requirements on routing. Today routing techniques can be divided into three categories [AKK04] based on the network structure: flat-based, hierarchical-based and locationbased routing. In flat-based routed networks, each node plays the same role, due to the large number of nodes the global addressing is not supported, the data-centric approach is used instead. Typical algorithms in this category are Direct Diffusion and Sensor Protocols for Information via Negotiation (SPIN). The hierarchical-based (sometimes called cluster-based) algorithms are used in networks, where the nodes are organized into clusters and route the information via special nodes denoted as cluster heads. The main benefit of such routing algorithms is data aggregation, which saves energy and increases efficiency. The typical representative of this category is Low Energy Adaptive Clustering Hierarchy (LEACH). Locationbased routing uses node s location for addressing. The position of a node can be relative to its neighbors or absolute, detected, for example, by GPS. 8

16 3. SECURE ROUTING IN WSNS To this category are included geographic routing algorithms like Geographic and Energy Aware Routing (GEAR) or Geographic Forwarding (GF). 3.1 Attacks on routing Since the concept of sensor networks originates from the wireless ad-hoc networks, many attacks on wireless ad-hoc networks can be adapted for sensor networks. Sybil attack is such an example [NSSP04]. Karlof and Wagner [KW03] show another types of attacks and furthermore they propose two novel attacks HELLO floods and sinkholes. Denial of Service attacks on sensor networks are studied by Stankovic and Wood [WS02]. We present a brief summary of major attack classes here. Bogus routing information The basic method how to influence routing is to change the routing information. An adversary spoofs, alters or replays routing information. By these methods he can create loops in routing, increase latency, extend the paths or attract the traffic to the chosen node. Selective forwarding Selective forwarding is a variant of the DoS attack. Malicious node forwards only a chosen packets and drops the rest. Attacker has to be included in the path of the data flow to mount selective forwarding. To do so, he can use can use Sybil attack or sinkhole attack. The ultimate variant of this attack is called a Black hole attack. In such case, all the packets are dropped. However node behaving like a Black hole can be easily detected by the neighboring nodes, considered as dead and excluded from the routing path. Therefore dropping only some messages may be more beneficial for the attacker. Sinkhole attack The goal of the sinkhole attack is to attract as much of the traffic as possible to the malicious node. The principle of this attack is that the malicious node tries to look very attractive for other nodes with respect to the routing algorithm. This goal can be achieved, for example, by spoofing the route advertisement or by providing a high-quality path to the base station using wormhole attack. Sinkhole can be further used for selective forwarding, which is very efficient and easy in that case. 9

17 3. SECURE ROUTING IN WSNS HELLO flood attack In some protocols, nodes announce themselves to the neighbors by broadcasting the HELLO packets. Node receiving such packet concludes, that the broadcasting node is his neighbor and is within the normal radio range. A lap-top class attacker can use a powerful radio to send HELLO packets to nodes, which are far more distant than the normal radio range from him. These nodes will send their messages to oblivion trying to reach the neighbor, which is not in their radio range. Wormhole attack Wormhole is a low-latency out-of-band channel used to connect two distant part of the network. Wormhole attack exploits the routing race conditions. This means that message, which should normally traverse multiple nodes, traverse only single one and hence is delivered in a much less time. Time of the delivery can be important for the routing scheme, especially if the influenced message contains routing information. The attacker can send replayed packets through the wormhole to persuade two distant nodes that they are neighbors. He can, for example, create wormhole between the base station and a node at the opposite side of network, thus instead of multiple hops the node appears to be only single hop from the base station. Therefore it becomes a sinkhole for his neighbors providing low-latency route to the base station. Acknowledgement spoofing Acknowledgement spoofing focus on the algorithms using link layer acknowledgements. An attacker spoofs these acknowledgements to persuade the node, that its dead neighbor is alive or that the weak link is reliable. The impact is similar to selective forwarding, chosen packets are lost with high probability. Sybil attack In the sybil attack, the attacker simulates multiple nodes and advertise multiple identities to the rest of the network. By this, he can cripple even the robust multipath routing algorithms, because the bulk of the paths (even all) may pass through him. In geographic routing, attacker s node can be virtually at more locations simultaneously and thus influence routing algo- 10

18 3. SECURE ROUTING IN WSNS rithm. Sybil attack in general means serious threat not only for routing, but also for other algorithms such as voting algorithm or distributed storage. Denial of Service Denial of Service represents more or less general class of attacks, that can be mounted on several ISO/OSI layers of wireless sensor network, including the network layer. Almost all above attacks, especially selective forwarding and HELLO floods, can result in the denial of service. 3.2 Towards secure routing Insecurity of routing algorithms is usually caused by missing authentication, freshness and integrity check of the routing information. This fact is demonstrated in presented attacks. Spoofing of routing information or acknowledgements is not be possible, if proper mechanisms ensuring integrity and authenticity are implemented. Sybil attack becomes more complicated if authentication of nodes is present. Freshness of messages can stop replay attacks. We present two security concepts proposed for sensor networks in this section. These concepts can be used to secure the existing routing protocols or can be taken as a security primitives when designing new protocol. They address the broadcast authentication problem, because broadcast is frequently used to spread the routing information along the network µtesla In several routing protocols [HSW + 00, YCLZ01, AKK04], the base station periodically broadcasts routing information or advertise itself as a base station. Attacker can forge such broadcasted information in case it is not properly authenticated. To achieve authenticated broadcast, asymmetric cryptography is traditionally used. However this approach is not suitable for resource constrained sensor networks. Therefore, µtesla [PST + 02] was designed. It provides an efficient authenticated broadcast based on symmetric cryptography. µtesla is the building block of the security architecture for sensor networks called SPINS (Security Protocols for Sensor Network) [PST + 02]. Another building block is SNEP, which is used to achieve confidentiality, integrity, authentication and freshness. µtesla exploits the concept of one-way hash chain. Because this concept is frequently used in secure routing protocols, we describe it in detail. Let 11

19 3. SECURE ROUTING IN WSNS us assume that we have public one-way function F, and random number r. The one-way hash chain of length n is the sequence of n numbers, where the last number is r, and i th number is obtained by application of function F on (i+1)-th one, for 0 < i < n. Generation of one-way hash chain thus starts by application of function F on r. The key property of this chain is, that everyone can compute i-th item, having arbitrary j-th item, where i < j, but not vice versa. One of the first applications of this chain was Lamport s scheme for one-time password generation [Lam81]. To make use of µtesla, each node has to share a secret key with the base station. There also has to be a loose time synchronization between nodes and the base station. Prior to the actual broadcast, the base station generates the one-way hash chain of the length n with the random key K n as the last element, let us denote this chain as a one-way key chain. Then the derived key K 1, first element of the one-way key chain, is delivered to all nodes in an authenticated (not necessarily confidential) manner using their keys shared with the base station. The time is divided into uniform intervals. Note that we have loose time synchronization. Base station associates each key of the key chain with one interval. Hence in the interval i base station authenticates the packets with the Message Authentication Code (MAC) using key K i. The node receiving these packets, stores them for further authentication. In the following time interval, the base station reveals the key K i. Receiving nodes use that key to check authenticity of the packets stored in previous time interval and verify the integrity and authenticity of the key by application of the oneway function F on it. Note that the nodes already posses key K v, where v < i. If the verification of the key succeeds, K v is replaced by K i and the packet is considered as authentic. In time interval i only packets authenticated by key K i are accepted. This prevents an attacker from using already revealed key to spoof the packets. µtesla has two drawbacks. The nodes have to keep the messages buffered, because the authentication is delayed. It can be problem because of the limited memory of nodes. It also delays the propagation of routing information. The second drawback is the need of loose time synchronization. µtesla can be extended to provide authenticated broadcast not only for base stations but also for nodes. Nevertheless, this model is not needed so often. Nodes usually broadcast messages only to their neighbors and these messages can be authenticated in more efficient way as showed in following subsection. 12

20 3. SECURE ROUTING IN WSNS Figure 3.1: ARMS. The relation between packets. i denotes the actual contents of the packet. Message represents sequence F (K n+1 ) K n i. Figure taken from[lc06b] ARMS µtesla aims to authenticate broadcast messages from the base station. Unfortunately this scheme is not suitable for resource constraint nodes, which are not able to maintain long one-way hash chain. Moreover, nodes typically performs only so called local broadcast, which means the packets are broadcasted only to the neighbors. Authentication of a local broadcast can be achieved in an efficient way using ARMS [LC06b] (An Authenticated Routing Message in Sensor Networks). ARMS scheme assumes, that each pair of neighboring nodes share a secret key. This assumption is reasonable and can be achieved by several schemes [EG02, PST + 02, ZSJ03]. As µtesla, ARMS trade on the one-way hash chain principle. In contrast to µtesla, the chain is extremely short and periodically renewed. Prior to the actual broadcast, sender generates random key K 1. Then he derives short one-way key chain F (K 1 ), K 1, and sends the value F (K 1 ) (commitment) to all the neighbors using authenticated unicast. Broadcasted packet has then the form: [F (K 2 ) K 1 i MAC(K 1, message)], where F (K 2 ) is a new commitment, i is the actual authenticated content, message is [F (K 2 ) K 1 i] and MAC(K, m) denotes MAC of m using key K. Since receiver knows previous commitment F (K 1 ), he can immediately verify the authenticity of key K 1 and thus authenticity and integrity of the whole packet. Concurrently, new commitment F (K 2 ) is established. The relation between subsequent packets is shown in the figure 3.1. Note, that if a single message is lost, the phase of authenticated unicast has to be repeated. For this reason, authors have extended the one-way 13