Anonymous Path Routing Protocol in Wireless Sensor Networks
Jang-Ping Sheu*§ , Jehn-Ruey Jiang* and Ching Tu*
National Central University* and National Tsing-Hua University§
Taiwan, R.O.C.
2/35ICC 2008
Outline
Introduction
Related Work
Anonymous Path Routing (APR) Protocol
Security Analysis
Implementation and Evaluation
Conclusion
Introduction
Security is important for MANETs and WSNs
• Adversaries can easily overhear messages.
It is more challenging to keep WSNs secure
• Sensor nodes have limited capability
• Sensor nodes are easier to capture and compromise
• It is harder to prevent the network topology from being analyzed in a WSN than in a MANET because the former has a more dynamic topology than the latter.
We focus on keeping WSNs secure
Introduction
General attacks in WSNs
Active attacks
• Forging attacks
• Replay attacks
• Denial of service (DoS) attacks
• …
Passive attacks
• Data eavesdropping attacks
• Traffic analysis attacks
• …
They are “invisible” and harder to detect.
They may be the prelude of active attacks.
Introduction
We rely on anonymous communication for resisting the attacks.
Anonymous communication
• A new paradigm to resist attacks
• Since identities of nodes are hidden, the network topology is difficult to analyze.
• It can also prevent most active attacks.
Related Work
ANODR (ACM MobiHoc, 2003)
• An ANonymous On-Demand Routing protocol based on trapdoor one-way function and boomerang onion
SDAR (IEEE LCN, 2004)
• A Secure Distributed Anonymous Routing protocol based on public key cryptography
Related Work
AnonDSR (ACM SASN, 2005)
• An Anonymous Dynamic Source Routing protocol based on shared secret key used in source and destination nodes, and public key cryptography used in the intermediate nodes
MASK (IEEE INFOCOM, 2005)
• An anonymous on-demand routing protocol based on bilinear pairing
Drawbacks of Existing Methods
High computing overhead
• Each node should try all its shared secret keys for receiving an anonymous packet (ANODR)
• Public key cryptography (AnonDSR, SDAR)
• Bilinear mapping function (MASK)
Existing methods are not applicable to WSNs.
Three Schemes of APR
Anonymous one-hop communication
Anonymous multi-hop path routing
Anonymous data forwarding
Anonymous One-hop Communication
In the initial period
• One-hop pair-wise key establishment
• Data encryption key establishment
• MAC (Message Authentication Code) key establishment
• Bidirectional hidden identity (HI) establishment
• Link table establishment
  – for storing all keys and HIs
Afterwards
• One-hop communication by HI
• One-hop acknowledgement
  – for avoiding packet loss problem
One-Hop Key Establishment
PIKE is applied to set one-hop pairwise keys and random nonces
• PIKE assumes that O(n) pre-established pairwise keys have been set when n sensors are deployed
• Node 14 shares different pair-wise keys with each of Nodes 1* and *4.
• Node 91 shares different pair-wise keys with each of Nodes 9* and *1.
• Nodes 11 and 94 share distinct pairwise keys with 91 and 14: choose the “closer” node
One-Hop Key Establishment
PIKE is applied to set one-hop pairwise keys and random nonces
Two more keys are then set
• Data encryption key: $K^{0}_{AB\text{-}enc} = H(K_{AB} \oplus C_1)$, $C_1$ is a constant
• MAC function key: $K^{0}_{AB\text{-}mac} = H(K_{AB} \oplus C_2)$, $C_2$ is a constant
The two keys will change dynamically
• Data encryption key: $K^{i+1}_{AB\text{-}enc} = H(K^{i}_{AB\text{-}enc})$
• MAC function key: $K^{i+1}_{AB\text{-}mac} = H(K^{i}_{AB\text{-}mac})$
rn: random nonce
[Figure: PIKE exchange among nodes A, B, H, I and J; messages labelled ($K_{AB}$, rn), "Encrypted by $K_{AI}$", "Encrypted by $K_{BI}$" and "Key reply"]
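Hidden Identity Establishment
HIs are bidirectional
$HI^{Seq}_{AB} = H(K_{AB} \oplus ID_B \oplus Seq * rn)$
$HI^{Seq}_{BA} = H(K_{BA} \oplus ID_A \oplus Seq * rn)$
[Figure: node A and its neighbours B, E, J and S; each link carries an HI-in / HI-out pair: $HI_{AB}$ / $HI_{BA}$, $HI_{AJ}$ / $HI_{JA}$, $HI_{AS}$ / $HI_{SA}$, $HI_{AE}$ / $HI_{EA}$]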
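One-hop communication by HI
A sends data to B: $HI^{0}_{AB}$, DATA, MAC
Link table of B
ID   Seq   HI-in          HI-out         Kenc                  Kmac
A    0     $HI^{0}_{AB}$  $HI^{0}_{BA}$  $K^{0}_{AB\text{-}enc}$  $K^{0}_{AB\text{-}mac}$
C    0     $HI^{0}_{CB}$  $HI^{0}_{BC}$  $K^{0}_{BC\text{-}enc}$  $K^{0}_{BC\text{-}mac}$
D    0     $HI^{0}_{DB}$  $HI^{0}_{BD}$  $K^{0}_{BD\text{-}enc}$  $K^{0}_{BD\text{-}mac}$
E    0     $HI^{0}_{EB}$  $HI^{0}_{BE}$  $K^{0}_{BE\text{-}enc}$  $K^{0}_{BE\text{-}mac}$
H    0     $HI^{0}_{HB}$  $HI^{0}_{BH}$  $K^{0}_{BH\text{-}enc}$  $K^{0}_{BH\text{-}mac}$
[Figure: nodes A, B, C, D, E, H, J and S; B finds the HI in its link table ("It’s for me!!"), other nodes do not ("Not for me!!")]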
One-Hop Acknowledgement
To solve the packet loss problem
[Figure: message sequence between A and B with messages ($HI_{AB}$, DATA), ($HI_{BA}$, ACK) and ($HI_{AB}$, DATA); both nodes are labelled "Update link table"]
ACK Loss
ACK loss problem
• B updates sequence number and HI but A doesn’t
• Sequence numbers and HIs become different
Solution: storing last HI-in
[Figure: message sequence between A and B with messages ($HI_{AB}$, DATA) and ($HI_{BA}$, ACK); labels: "Update link table", "Timeout!!!!", "It matches with “last HI-in”", "Keep link table intact", "Update link table"]
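The one-hop exchange and the lost-ACK recovery from the slides above, as an added Python sketch; it is not the authors' TinyOS code. Assumptions: 80-bit integer words, HIs truncated to h = 16 bits, HMAC-SHA1 standing in for CBC-MAC over Skipjack, a constructed constant C2, and a re-ACK that reuses the previous HI-out.

```python
import hashlib, hmac

W, H_BYTES, M_BYTES = 10, 2, 4   # assumed 80-bit words; h = 16 and m = 32 bits

def H(b: bytes) -> bytes:        # one-way hash (SHA-1, as named on the Implementation slide)
    return hashlib.sha1(b).digest()

def hidden_id(k: int, dst_id: int, seq: int, rn: int) -> bytes:
    # HI^Seq = H(K xor ID_dst xor Seq*rn); truncating to h bits is an assumption
    x = k ^ dst_id ^ ((seq * rn) % (1 << 8 * W))
    return H(x.to_bytes(W, "big"))[:H_BYTES]

def mac(kmac: bytes, data: bytes) -> bytes:
    # HMAC-SHA1 is a stand-in for the slides' CBC-MAC (no Skipjack in the stdlib)
    return hmac.new(kmac, data, hashlib.sha1).digest()[:M_BYTES]

class Link:
    """One link-table row: what a node stores about one neighbour."""
    def __init__(self, k, my_id, peer_id, rn, c2=0x5C):   # c2: constructed constant C2
        self.k, self.me, self.peer, self.rn, self.seq = k, my_id, peer_id, rn, 0
        self.kmac = H((k ^ c2).to_bytes(W, "big"))        # K^0_mac = H(K xor C2)
        self.last_in = self.last_out = None
        self._set_his()

    def _set_his(self):
        self.hi_in = hidden_id(self.k, self.me, self.seq, self.rn)     # neighbour -> me
        self.hi_out = hidden_id(self.k, self.peer, self.seq, self.rn)  # me -> neighbour

    def advance(self):                                    # "Update link table"
        self.last_in, self.last_out = self.hi_in, self.hi_out
        self.seq, self.kmac = self.seq + 1, H(self.kmac)  # K^{i+1}_mac = H(K^i_mac)
        self._set_his()

    def send(self, data: bytes):
        return (self.hi_out, data, mac(self.kmac, data))

def receive(table, pkt):
    """Receiver side: returns (verdict, HI to put in the ACK)."""
    hi, data, tag = pkt
    for link in table:
        if hi == link.hi_in and hmac.compare_digest(tag, mac(link.kmac, data)):
            ack = link.hi_out
            link.advance()
            return "accept", ack
        if hi == link.last_in:               # retransmission after a lost ACK
            return "re-ack", link.last_out   # "Keep link table intact"
    return "drop", None
```

A retransmission that matches the last HI-in is acknowledged again but not delivered a second time, and once the link has advanced twice the old packet matches nothing in the table.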
Anonymous Multi-hop Path Routing
Two more pseudonyms
• HIPs (Hidden Identity for routing Path) are established for any possible source node and stored in HIP table for each path. (A path is represented by two end nodes of the path: the source node and the destination node.)
• PathIDs are established and used in the routing table
Two messages
• Anonymous Path Routing Request (APR-REQ)
• Anonymous Path Routing Reply (APR-REP)
Two cases for the source and destination nodes
• With a pre-distributed pair-wise key
  – Shown next
• Without pre-distributed pair-wise key
  – Integrate PIKE into APR
Anonymous Multi-hop Path Routing with a Pre-distributed Pair-wise Key Between S and D
$HIP_{SD} = H(K_{SD} \oplus ID_S \oplus ID_D)$
Flooding APR-REQ to the entire network
HIP table of S
HIP          Sour (Dest)   Key
…            …             …
$HIP_{SD}$   D             $K_{SD}$
HIP table of D
HIP          Source        Key
…            …             …
$HIP_{SD}$   S             $K_{SD}$
[Figure: network of nodes A, B, C, D, E, F, G, H, I, J, K, M and S; flooded messages labelled ($HIP_{SD}$, S), ($HIP_{SD}$, A) and ($HIP_{SD}$, B); callout at D: "D is the destination!!"]
Anonymous Multi-hop Path Routing with a Pre-distributed Pair-wise Key Between S and D
D sends APR-REP back to S
Routing tables of D, B, A and S
Node   PathID         Pre-hop   Next-hop   Sour (Dest)
D      $PathID_{SD}$  B         Null       S
B      $PathID_{SD}$  A         D          Null
A      $PathID_{SD}$  S         B          Null
S      $PathID_{SD}$  Null      A          D
[Figure: network of nodes A, B, C, D, E, H, I, J, K, M and S; $PathID_{SD}$ is carried on the links labelled $HI_{DB}$, $HI_{BA}$ and $HI_{AS}$]
Anonymous Data Forwarding
S sends data to D
[Figure: $PathID_{SD}$ is carried on the links labelled $HI_{SA}$, $HI_{AB}$ and $HI_{BD}$; callout at D: "It is from S!!!"]
D sends data to S
[Figure: $PathID_{SD}$ is carried on the links labelled $HI_{DB}$, $HI_{BA}$ and $HI_{AS}$]
Routing tables of D, B, A and S
Node   PathID         Pre-hop   Next-hop   Sour (Dest)
D      $PathID_{SD}$  B         Null       S
B      $PathID_{SD}$  A         D          Null
A      $PathID_{SD}$  S         B          Null
S      $PathID_{SD}$  Null      A          D
Security Analysis
APR can resist the following attacks
Traffic analysis attacks
• No node can identify the sender and receiver except the two communicating nodes
Forging attacks
• If adversaries send a malicious packet with forged HI, the packet will be accepted with probability $1/2^{h+m}$
  – h is the length of HI
  – m is the length of MAC
  – A typical setting: h = 16 and m = 32
Security Analysis
Replay attacks
• If adversaries use the legal packets sent before, every packet will be accepted by the receiving node only once
Denial of service (DoS) attacks
• Without correct HI, DoS attack packets will be ignored directly
• APR can limit the damage caused by DoS attacks in a local area
Implementation
• Symmetric key algorithm: Skipjack
• One-way hash function: SHA-1
• Message authentication code function: CBC-MAC
• Platform: Berkeley MICAz (128 KB program flash and 4 KB SRAM) with TinyOS
• Assumption: Some pre-distributed keys are stored in program flash.
Implementation Results
Memory Footprint
• Required programming memory: 9436 bytes
• Required SRAM size:
  – Depends on network size and node density
  – 50 bytes for an entry of the link table
  – 8 bytes for an entry in routing table
Implementation Results
Computing Time
Implementation                           Time (ms)
Data Encryption (Skipjack, 24 Bytes)     1.51
Link Table Update                        1.27
MAC Computing                            0.81
Transmission Time
Payload Length                           Time (ms)
24 Bytes                                 27.5
Implementation Results (Cont.)
Routing Time
[Figure: routing time (ms, axis 0 to 700) versus number of hops (2 to 7); annotated value: 574.2 ms]
Implementation Results (Cont.)
Environment
• Test field: 5R x 5R (R is the communication range)
• Number of nodes: 25~200
• Multi-hop communications per node: 5~20
Average link table size
[Figure: average size of HI table per node (Bytes, axis 0 to 1200) versus number of nodes (25 to 200); annotated value: 1.1 Kbytes]
Implementation Results (Cont.)
Average routing table size
[Figure: average routing table size per node (Bytes, axis 0 to 1800) versus number of nodes (25 to 200); series: 5, 10, 15 and 20 Multihop Neighbors; annotated value: 1.6 Kbytes]
Implementation Results (Cont.)
Average memory overhead for varying numbers of nodes
[Figure: average memory overhead of APR per node (Bytes, axis 0 to 2000) versus number of nodes (25 to 200); series: 5, 10, 15 and 20 Multihop Neighbors; annotated values: 1.88 Kbytes and 1.72 Kbytes; callouts: "route requests per node"]
Conclusion
In APR, data can be encrypted by pair-wise keys and transmitted with pseudonyms
• between neighboring sensor nodes (link level)
• between the source and destination nodes of a multi-hop communication path (routing level)
APR can resist several types of attacks
• Traffic analysis attacks
• Forging attacks
• Replay attacks
• Denial of service (DoS) attacks
We have implemented APR on the sensor platform of MICAz with TinyOS
• To demonstrate APR’s applicability and communication capability
~ Thank you for your listening ~
Q & A
Anonymous Multi-hop Communication – End-to-end Key Establishment
M wants to communicate with D
[Figure: network of nodes A, B, C, D, E, F, G, H, I, J, K, M and S; messages labelled ($K_{SD}$, rn); "Anonymous path from M to I" and "Anonymous path from I to D"]
Anonymous Path Routing (APR) Request with Key Reply Message
D launches anonymous multi-hop path routing
[Figure: network of nodes A, B, C, D, E, F, G, H, I, J, K, M and S; message labelled ($HIP_{DM}$, D, Key reply)]
PathID Collision Problem
Case 1: Different Pre-hop nodes
• Pre-hop nodes are different
• Forwarding node can choose the proper node for forwarding
• Ex.
  – A packet with PathID 12 that comes from L should be sent to N
  – A packet with PathID 12 that comes from K should be sent to I
Routing table of F
PathID   Pre-hop   Next-hop   Sour (Dest)
12       L         N          Null
12       K         I          Null
[Figure: node F with neighbours I, K, L and N; all four links are labelled with PathID 12]
PathID Collision Problem (Cont.)
Case 2: Same Pre-hop node
Routing table of O
PathID   Pre-hop   Next-hop   Sour (Dest)   Original   Change PathID
13       Q         R          Null          true       Null
13       Q         P          Null          false      14
14       Q         P          Null          false      13
[Figure: node O with neighbours P, Q and R; links labelled with PathIDs 13 and 14]
PathID Collision Problem (Cont.)
Routing table of O
PathID   Pre-hop   Next-hop   Dest (Sour)   Original   Change PathID
13       $ID_Q$    $ID_R$     Null          True       Null
13       $ID_Q$    $ID_P$     Null          False      14
13       $ID_Q$    $ID_X$     Null          False      15
14       $ID_Q$    $ID_P$     Null          False      13
15       $ID_Q$    $ID_X$     Null          False      13
[Figure: node O with neighbours P, Q, R and X; links labelled with PathIDs 13, 14 and 15]