CSC 774 Advanced Network Security. Outline. Related Work

Transcription

1 CC 77 Advanced Network ecurity Topic 6.3 ecure and Resilient Time ynchronization in Wireless ensor Networks 1 Outline Background of Wireless ensor Networks Related Work TinyeRync: ecure and Resilient Time ynchronization Conclusion and Future Work 2 Related Work NTP and GP are not practical for sensor networks. Recent time synchronization techniques. ingle-hop Pair-wise Time ynchronization. Receiver-Receiver based schemes. Elson et al., ACM IGOP 02; ender-receiver based schemes. Ganeriwal et al., enys 03; t1 t2 t t1 ender-receiver based Global Time ynchronization. Clock distribution schemes, Maroti et al., enys 0; Clock agreement schemes. Li and Rus, INFOCOM 0; t1 t2 R t t3 ender-receiver based 3 1

2 Threats ingle-hop Pair-wise Time ynchronization. No message authentication. Manzo et al., AN 05; Ganeriwal et al., Wise 05 Time sensitive. Jam and Replay attacks: Ganeriwal et al., Wise 05 Global Time ynchronization. Insider attacks Malicious Node Victim Nodes Our Contributions TinyeRync: Phase I ecure single-hop pair-wise time synchronization Phase II ecure and resilient global time synchronization 5 Phase I: ecure ingle-hop Pair-wise Time ynchronization 6 2

3 1 2 3 a1 a2 a3 a 0 Vcc1 GND 0 b1 b2 b3 b Overview Goal: Achieve time difference between two neighbor nodes in hostile environment. Existing work ecure TPN (Ganeriwal et al., Wise 05) Problems with secure TPN Our work: Prediction-based MAC layer timestamp. Hardware-assisted, authenticated MAC layer timestamp. 7 ecure TPN Ganeriwal et al., Wise 05 Estimate time difference and transmission delay. A t1 M1={A,B,t1,Req, MIC[KAB](A,B,t1,Req)} B ( t2! t1)! ( t! t3) " = is the time difference. 2 ( t2! t1) + ( t! t3) d = is half of the transmission delay. 2 t M2={B,A,t2,t3,Rep, MIC[KAB](B,A,t2,t3,Rep)} t2 t3 ecurity condition: d < maximum expected delay. time K AB : secret key shared between A and B. MIC: message integrity code 8 Problems in ecure TPN Authenticated MAC layer timestamp. MIC must be available when radio sends the MIC field. oftware solution in ecure TPN Calculate MIC using Tinyec (Karlof et al. enys 0) Works for low data rate radio (e.g., 38. kbps in CC1000 used by MICA2). Does not work for high data rate radio (e.g., 250kbps in CC220 used by MICAz). CPU... MIC CRC 9 3

4 Prediction-based MAC Layer Timestamp ender side: When channel is clear, it add sending time = current time + constant delay. = us. Receiver side: When the FD field is received, it records the time as receiving time. 10 Delay Uncertainty cpu Accessing and adding timestamp, Accessing timestamp ender Radio then send TXON command Interrupt handling Antenna Encoding symbol periods and preamble Encoding FD Decoding of FD Propagation of FD Propagation of FD Antenna Encoding of FD Receiver Radio Decoding of FD Encoding symbol periods and preamble Interrupt handling Accessing and adding timestamp, cpu Accessing timestamp then send TXON command t2 t3 11 Hardware-assisted, Authenticated MAC Layer Timestamp Hardware security support in CC220 Two modes stand-alone mode: 128 bit AE encryption on message in stand-alone buffer. in-line mode: begin encryption when message are being sent out; begin decryption after the whole message is received. Using in-line mode, CC220 can generate a 12-byte MIC on 98-byte message in 99 us 12

5 Distribution of ecure ingle-hop Pair-wise ynchronization Error Experimental result (1 tick = 8.68us) 80% 70% 67.76% 60% Percentage 50% 0% 30% 20% 19.8% 10% 0% 0.00% 0.01% 0.71% 8.3% 3.15% 0.09% 0.01% ynchronization Error (tick) 13 Phase II: ecure and Resilient Global Time ynchronization 1 Overview Goal: a network-wide time synchronization. The algorithm. Local broadcast authentication utela (Perrig et al., IEEE &P 01) Our work: short delayed utela 15 5

6 ecure and Resilient Global Time ynchronization Algorithm Each node i maintains a local clock time C i ecure and Resilient Global Time ynchronization Algorithm Each node i maintains a local clock time C i. For each neighbor node j, node i maintains a single-hop pair-wise time difference δ i,j ecure and Resilient Global Time ynchronization Algorithm Each node i maintains a local clock time C i. For each neighbor node j, node i maintains a single-hop pair-wise time difference δ i,j. A source node broadcasts its local time C periodically

7 ecure and Resilient Global Time ynchronization Algorithm Each node i maintains a local clock time C i. For each neighbor node j, node i maintains a single-hop pair-wise time difference δ i,j. A source node broadcasts its local time C periodically. Each direct neighbor node i of node can obtain a source clock difference δ i, from node directly. Then, it broadcasts δ i, ecure and Resilient Global Time ynchronization Algorithm Each node i maintains a local clock time C i. For each neighbor node j, node i maintains a single-hop pair-wise time difference δ i,j. A source node broadcasts its local time C periodically. Each direct neighbor node i of node can obtain a source time difference δ i, from node directly. Then, it broadcasts δ i,. For other nodes, to tolerate up to t malicious neighbor nodes, each node i needs to obtain at least 2t+1 source time differences through different neighbor nodes. Node i chooses the median one as δ i,. Then it broadcasts δ i, ecure and Resilient Global Time ynchronization Algorithm Each node i maintains a local clock time C i. For each neighbor node j, node i maintains a single-hop pair-wise time difference δ i,j. A source node broadcasts its local time C periodically. Each direct neighbor node i of node can obtain a source time difference δ i, from node directly. Then, it broadcasts δ i,. For other nodes, to tolerate up to t malicious neighbor nodes, each node i needs to obtain at least 2t+1 source time differences through different neighbor nodes. Node i chooses the median one as δ i,. Then it broadcasts δ i,. Each node i can estimate the global clock C by C = C i +δ i,

8 How to Distribute Global ynchronization Messages? Unicast Messages authenticated by secure pair-wise key. Conclusion: too heavy communication overhead and substantial message collisions. calability problem Broadcast Can reduce the communication overhead. Require local broadcast authentication. Digital signature is too expensive for sensor nodes. utela 22 Overview of utela Perrig et al., IEEE &P 01 ender: Generate one-way key chain, K i =F(K i+1 ), 0 i n-1 Release the commitment K 0 Use key K i for all messages sent in time interval I i, and disclose K i in I i+d F F F... F F K0 K1 K2 Kn-1 Kn I1 I2... In-1 In Time T0 T1 T2 Tn-2 Tn-1 Tn Receiver: ecurity condition: the key has not been disclosed by the sender when the messages are received. Verify K i =F(K i+1 ) 23 Using utela in Time ynchronization? Problems: 1. utela itself requires loose pair-wise time synchronization. 2. Delayed authentication causes clocks drift away again. 2 8

9 hort Delayed utela Tight single-hop pair-wise time synchronization. Too short time intervals waste a lot of keys in a key chain. Interleaved short and long intervals. hort interval (r) : A sender broadcasts authenticated synchronization message. Long interval (R) : A sender discloses the key used in last short interval. r R r R r R r R ender A Time Receiver B Mi ti Ki Time 25 hort Delayed utela (Cont.) Receiver: ecurity condition: the message is sent in the sender s last short interval. (t i -T 0 + +δ max ) < i*(r+r)+r. : single-hop pair-wise time difference δ max : maximum synchronization error Verify K i =F(K i+1 ) 26 ecurity Property External attacks Message authentication. ecurity condition. Internal attacks Use the median of 2t+1 source clock differences through different neighbors to tolerate up to t insiders. 27 9

10 Experimental Evaluation oftware package TinyeRync MICAz motes running TinyO 35 files Providing 8 interfaces Code size in MICAz Memory RAM Program memory Bytes Parameters # of MICAz nodes pair-wise synchronization interval global synchronization interval Tolerance (t) utela short interval utela long interval key chain length 60 seconds 10 seconds 0, 1, 2, 3, 10 ms 1 second Network Deployment 29 Data Collection ink node Broadcast reference messages to all the nodes. Query each node one by one at different time. All the nodes When receiving a reference message Records the current global time when the message is received at MAC layer. When receiving a query message end the buffered global time information to the sink node

11 ynchronization Error Precision achieved: tens of microseconds 16 ynchronization Error (tick) Avg. Error Max. Error Tolerance (t) 1 tick = 8.68 us 31 ynchronization Rate When t=, 95% in 3 rounds Percentage One Round Two Rounds Three Round Tolerance (t) 32 Communication Overhead Number of messages Global synchronization interval (seconds) Number of message each node sends per hour

12 Incremental Deployment Average synchronization error (left Y-axis) ynchronization rate when t=2 (right Y-axis) microseconds 1.E+10 1.E+09 1.E+08 1.E+07 1.E+06 1.E+05 1.E+0 1.E+03 1.E+02 1.E+01 1.E+00 Avg ync Error ync Rate percentage 0:09:00 0:09:10 0:09:20 0:09:30 0:09:0 0:09:50 0:10:00 0:10:10 0:10:20 0:10:30 0:10:0 0:10:50 0:11:00 0:11:10 0:11:20 0:11:30 0:11:0 0:11:50 0:12:00 time (hh:mm:ss) 3 Conclusion TinyeRync: ecure single-hop pair-wise time synchronization Between two nodes The building block of global time synchronization. ecure and resilient global time synchronization In the whole network Future work Adapting the linear regression technique to compensate the constant clock drifts