Tema 5.- Seguridad Problemas Soluciones
Wireless medium is easy to snoop on Routing security vulnerabilities Due to ad hoc connectivity and mobility, it is hard to guarantee access to any particular node (for instance, to obtain a secret key) Easier for trouble-makers to insert themselves into a mobile ad hoc network (as compared to a wired network) Open medium Dynamic topology Distributed cooperation (absence of central authorities) Constrained capability (energy)
Securing Ad Hoc Networks Definition of Attack from the RFC 2828 Internet Security Glossary : An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of the system. Goals Availability: ensure survivability of the network despite denial of service attacks. The DoS can be targeted at any layer Confidentiality: ensures that certain information is not disclosed to unauthorized entities. Eg Routing information information should not be leaked out because it can help to identify and locate the targets Integrity: guarantee that a message being transferred is never corrupted. Authentication: enables a node to ensure the identity of the nodes communicating. Non-Repudiation: ensures that the origin of the message cannot deny having sent the message
Classification: External attack vs. Internal attack Routing attacks External: Intruder nodes can pose to be a part of the network injecting erroneous routes, replaying old information or introduce excessive traffic to partition the network Internal: The nodes themselves could be compromised. Detection of such nodes is difficult since compromised nodes can generate valid signatures. Passive attack vs. Active attack Passive attack: Attempts to learn or make use of information from the system but does not affect system resources (RFC 2828) Active attack: Attempts to alter system resources or affect their operation (RFC 2828)
Information source Information destination Normal Flow
Passive Attacks Sniffer Passive attacks Interception (confidentiality) Release of message contents Traffic analysis
All machines on a network can hear ongoing traffic Sniffers A machine will respond only to data addressed specifically to it Network interface: promiscuous mode able to capture all frames transmitted on the local area network segment Risks of Sniffers: Serious security threat Capture confidential information Authentication information Private data Capture network traffic information
Interception Information source Information destination Unauthorized party gains access to the asset Confidentiality Example: wiretapping, unauthorized copying of files
Release of message contents Passive attacks Intruder is able to interpret and extract information being transmitted Highest risk: authentication information Can be used to compromise additional system resources Traffic analysis Intruder is not able to interpret and extract the transmitted information Intruder is able to derive (infer) information from the traffic characteristics
Protection against passive attacks Shield confidential data from sniffers: cryptography Disturb traffic pattern: Traffic padding Onion routing Modern switch technology: network traffic is directed to the destination interfaces Detect and eliminate sniffers
Active attacks Active attacks Interruption Modification Fabrication (availability) (integrity) (integrity)
Information source Interruption Information destination Asset is destroyed or becomes unavailable - Availability Example: destruction of hardware, cutting communication line, disabling file management system, etc.
Adversary floods irrelevant data Consume network bandwidth Consume resource of a particular node Denial of service attack E-mail bombing attack: floods victim s mail with large bogus messages Popular Free tools available Smurf attack: Attacker multicast or broadcast an Internet Control Message Protocol (ICMP) with spoofed IP address of the victim system Each receiving system sends a respond to the victim Victim s system is flooded
TCP SYN flooding Server: limited number of allowed half-open connections Backlog queue: Existing half-open connections Full: no new connections can be established Time-out, reset Attack: Attacker: send SYN requests to server with IP source that unable to response to SYN-ACK Server s backlog queue filled No new connections can be established Keep sending SYN requests Does not affect Existing or open incoming connections Outgoing connections
Hard to provide full protection Some of the attacks can be prevented Protection against DoS, DDoS Filter out incoming traffic with local IP address as source Avoid established state until confirmation of client s identity Internet trace back: determine the source of an attack
Modification Information source Information destination Unauthorized party tampers with the asset Integrity Example: changing values of data, altering programs, modify content of a message, etc.
Attacks using modification Idea: Attacks using modification Malicious node announces better routes than the other nodes in order to be inserted in the ad-hoc network How? Redirection by changing the route sequence number Redirection with modified hop count Denial Of Service (DOS) attacks Modify the protocol fields of control messages Compromise the integrity of routing computation Cause network traffic to be dropped, redirected to a different destination or take a longer route
Attacks using modification Redirection with modified hop count: - The node C announces to B a path with a metric value of one - The intruder announces to B a path with a metric value of one too - B decides which path is the best by looking into the hop count value of each route Node C Metric 1 and 3 hops Node A Node B Node D Metric 1 and 1 hop Intruder
Attacks using modification Denial Of Service (DOS) attacks with modified source routes: A malicious node is inserted in the network The malicious node changes packet headers it receives The packets will not reach the destination: The transmission is aborted Node A sends packets with header: (route cache to reach node E) A-B-I-C-D-E Intruder I decapsulates packets, change the header: A-B-I-C-E Node C has no direct route with E, also the packets are dropped Node A Node B Intruder I Node C Node D Node E
Information source Fabrication Information destination Unauthorized party insets counterfeit object into the system Authenticity Example: insertion of offending messages, addition of records to a file, etc.
Attacks using fabrication Idea: Attacks using fabrication Generates traffic to disturb the good operation of an ad-hoc network How? Falsifying route error messages Corrupting routing state Routing table overflow attack Replay attack Black hole attack
Falsifying route error messages: Attacks using fabrication When a node moves, the closest node sends error message to the others A malicious node can usurp the identity of another node (e.g. By using spoofing) and sends error messages to the others The other nodes update their routing tables with these bad information The victim node is isolated
Corrupting routing state: Attacks using fabrication In DSR, routes can be learned from promiscuously received packets A node should add the routing information contained in each packet s header it overhears A hacker can easily broadcast a message with a spoofed IP address such as the other nodes add this new route to reach a special node S It s the malicious node which will receive the packets intended to S.
Routing table overflow attack: Available in pro-active protocols. Attacks using fabrication These protocols try to find routing information before they are needed A hacker can send in the network a lot of route to non-existent nodes until overwhelm the protocol
Replay attack: A hacker sends old advertisements to a node The node updates its routing table with stale routes Black hole attack: Attacks using fabrication A hacker advertises a zero metric route for all destinations All the nodes around it will route packets towards it
Attacks using impersonation Attacks using impersonation Idea : Usurpates the identity of another node to perform changes How? Spoofing MAC address of other nodes
Forming loops by spoofing MAC address: Attacks using impersonation A malicious node M can listen all the nodes when the others nodes can only listen their closest neighbors Node M first changes its MAC address to the MAC address of the node A Node M moves closer to node B than node A is, and stays out of range of node A Node M announces node B a shorter path to reach X than the node D gives A B M C D E X
Forming loops by spoofing MAC address: Node B changes its path to reach X Packets will be sent first to node A Attacks using impersonation Node M moves closer to node D than node B is, and stays out of range of node B Node M announces node D a shorter path to reach X than the node E gives A M C B D E X
Attacks using impersonation Forming loops by spoofing MAC address: Node D changes its path to reach X Packets will be sent first to node B X is now unreachable because of the loop formed A C B M D E X
Attacks for routing: Wormhole attack (tunneling) Invisible node attack The Sybil attack Rushing attack Non-cooperation Other Routing attacks
Wormhole attack Colluding attackers uses tunnels between them to forward packets Place the attacker in a very powerful position The attackers take control of the route by claiming a shorter path S M tunnel... N C D A B
Invisible node attack Attack on DSR Malicious does not append its IP address M becomes invisible on the path S B M C D
The Sybil attack Represents multiple identities Disrupt geographic and multi-path routing B M 1 M 2 M3 M 4 M 5
Rushing attack Directed against on-demand routing protocols The attacker hurries route request packet to the next node to increase the probability of being included in a route
Non-cooperation Node lack of cooperation, not participate in routing or packet forwarding Node selfishness, save energy for itself
Tema 5.- Seguridad Problemas Soluciones
Ariadne Overview Authenticate routing messages using one of: Shared secrets between each pair of nodes Avoids need for synchronization Shared secrets between communicating nodes combined with broadcast authentication Requires loose time synchronization Allows additional protocol optimizations Digital signatures
TESLA Overview Broadcast authentication protocol used here for authenticating routing messages Efficient and adds only a single message authentication code (MAC) to a message Requires asymmetric primitive to prevent others from forging MAC TESLA achieves asymmetry through clock synchronization and delayed key disclosure
TESLA Overview (cont.) 1. Each sender splits the time into intervals 2. It then chooses random initial key (K N ) 3. Generates one-way key chain through repeated use of a one-way hash function (generating one key per time interval) K N-1 =H[K N ], K N-2 =H[K N-1 ] These keys are used in reverse order of generation 4. The sender discloses the keys based on the time intervals
Sender attaches MAC to each packet Computed over the packet s contents TESLA Overview (cont.) Sender determines time interval and uses corresponding value from oneway key chain With the packet, the sender also sends the most recent disclosable oneway chain value
Receiver knows the key disclosing schedule TESLA Overview (cont.) Checks that the key used to compute the MAC is still secret by determining that the sender could not have disclosed it yet As long as the key is still secret, the receiver buffers the packet When the key is disclosed, receiver checks its correctness (through self-authentication) and authenticates the buffered packets
Network Assumptions Network links are bidirectional The network may drop, corrupt, reorder or duplicate packets Each node must be able to estimate the end-to-end transmission time to any other node in the network Disregard physical attacks and Medium Access Control attacks
Node Assumptions Resources of nodes may vary greatly, so Ariadne assumes constrained nodes All nodes have loosely synchronized clocks
Three authentication mechanism possibilities: Pairwise secret keys (requires n(n+1)/2 keys) TESLA (shared keys between all source-destination pairs) Digital signatures (requires powerful nodes) Security Assumptions
Shared secret keys Key distribution center Bootstrapping from a Public Key Infrastructure Pre-loading at initialization Initial TESLA keys Embed at initialization Assume PKI and embed Certifications Authority s public key at each node Key Setup
A and B are principals (e.g., communicating nodes) Ariadne Notation K AB and K BA are secret MAC keys shared between A and B MAC KAB (M) is computation of MAC of message M using key K AB
Route Discovery Assume sender and receiver share secret (non-tesla) keys for message authentication Target authenticates ROUTE REQUESTS Initiator includes a MAC computed with end-to-end key Target verifies authenticity and freshness of request using shared key Data authentication using TESLA keys Each hop authenticates new information in the REQUEST Target buffers REPLY until intermediate nodes release TESLA keys TESLA security condition is verified at the target Target includes a MAC in the REPLY to certify the condition was met Attacker can remove a node from node list in a REQUEST One-way hash functions verify that no hop was omitted (per-hop hashing)
Route Discovery (cont.) Assume all nodes know an authentic key of the TESLA one-way key chain of every other node Securing ROUTE REQUEST Target can authenticate the sender (using their additional shared key) Initiator can authenticate each path entry using intermediate TESLA keys No intermediate node can remove any other node in the REQUEST or REPLY
Route Discovery (cont.) ROUTE REQUEST packet contains eight fields: ROUTE REQUEST: label initiator: address of the sender target: address of the recipient id: unique identifier time interval: TESLA time interval of the pessimistic arrival time hash chain: sequence of MAC hashes node list: sequence of nodes on the path MAC list: MACs of the message using TESLA keys
Upon receiving ROUTE REQUEST, a node: 1. Processes the request only if it is new Route Discovery (cont.) 2. Processes the request only if the time interval is valid (not too far in the future, but not for an already disclosed TESLA key) 3. Modifies the request and rebroadcasts it Appends its address to the node list, replaces the hash chain with H[A, hash chain], appends MAC of entire REQUEST to MAC list using K Ai where i is the index for the time interval specified in the REQUEST
When the target receives the route request: Route Discovery (cont.) 1. Checks the validity of the REQUEST (determining that the keys from the time interval have not been disclosed yet and that hash chain is correct) 2. Returns ROUTE REPLY containing eight fields ROUTE REPLY, target, initiator, time interval, node list, MAC list target MAC: MAC computed over above fields with key shared between target and initiator key list: disclosable MAC keys of nodes along the path
Node forwarding ROUTE REPLY Route Discovery (cont.) Waits until it can disclose TESLA key from specified interval Appends that key to the key list This waiting does delay the return of the ROUTE REPLY but does not consume extra computational power
When initiator receives ROUTE REPLY Route Discovery (cont.) 1. Verifies each key in the key list is valid 2. Verifies that the target MAC is valid 3. Verifies that each MAC in the MAC list is valid using the TESLA keys
Based on DSR Route Maintenance Node forwarding a packet to the next hop returns a ROUTE ERROR to the original sender Prevent unauthorized nodes from sending errors, we require errors to be authenticated by the sender
Route Maintenance (cont.) ROUTE ERROR contains six fields ROUTE ERROR: label sending address: node encountering error receiving address: intended next hop time interval: pessimistic arrival time of error at destination error MAC: MAC of the preceding fields of the error (computed using sender s TESLA key) recent TESLA key: most recent disclosable TESLA key
Route Maintenance Errors are propagated just as regular data packets Intermediate nodes remove routes that use the bad link Sending node continues to send data packets along the route until error is validated Generates additional errors, which are all cleaned up when the error is finally validated
Anonymous Communication Sometimes security requirement may include anonymity Availability of an authentic key is not enough to prevent traffic analysis We may want to hide the source or the destination of a packet, or simply the amount of traffic between a given pair of nodes
Traffic Analysis Traditional approaches for anonymous communication, for instance, based on MIX nodes or dummy traffic insertion, can be used in wireless ad hoc networks as well However, it is possible to develop new approaches considering the broadcast nature of the wireless channel
Mix Nodes [Chaum] Mix nodes can reorder packets from different flows, insert dummy packets, or delay packets, to reduce correlation between packets in and packets out D G C M3 M1 B M2 E F A
Mix Nodes Node A wants to send message M to node G. Node A chooses 2 Mix nodes (in general n mix nodes), say, M1 and M2 D G C M3 M1 B M2 E F A
Mix Nodes Node A transmits to M1 message K1(R1, K2(R2, M)) where Ki() denotes encryption using public key Ki of Mix i, and Ri is a random number D G C M3 M1 B M2 E F A
Mix Nodes M1 recovers K2(R2,M) and send to M2 D G C M3 M1 B M2 E F A
Mix Nodes M2 recovers M and sends to G D G C M3 M1 B M2 E F A
Mix Nodes If M is encrypted by a secret key, no one other than G or A can know M Since M1 and M2 mix traffic, observers cannot determine the source-destination pair without compromising M1 and M2 both
Alternative Mix Nodes Suppose A uses M2 and M3 (not M1 and M2) Need to take fewer hops Choice of mix nodes affects overhead D G C M3 M1 B M2 E F A
Mix Node Selection Intelligent selection of mix nodes can reduce overhead [Jiang04] With mobility, the choice of mix nodes may have to be modified to reduce cost However, change of mix selection has the potential for divulging more information