4/26/2007 1

Computer Science

Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks

Authors: Yih-Chun Hu, Adrian Perrig, David B. Johnson

Presented by : Varagur Karthik Iyer

Adapted from the slides by: Qiao Xu, CSC774 Spring04

4/26/2007 2Computer Science

Outline

• Introduction

• Temporal Leashes

• TIK Protocol

• Performance & Security Analysis

• Future Work & Conclusion

4/26/2007 3Computer Science

Introduction

• Problem: Wormhole Attack– An attacker records packets at one location of the

network, tunnel them to another location, and retransmits them there into the network

– Wormhole attack allows attackers to:• Gain unauthorized access• Disrupt routing• Perform DOS attacks

• Solution: Packet Leash– Add information into the packet to restrict its

maximum allowed transmission distance

4/26/2007 4Computer Science

Illustration of a wormhole attack

• A mobile wireless ad hoc network

• Nodes S and D communicate through wireless multi hop routing

Normal Operation

S

D

4/26/2007 5Computer Science

Illustration of a wormhole attack

• A mobile wireless ad hoc network

• Nodes S and D communicate through wireless multi hop routing

Under Attack

S

DWormhole

ColludingAttackers

4/26/2007 6Computer Science

Packet Leashes

• Goal– Limit the distance traveled by

a packet in a network

• Approaches– Two approaches to the

achieve the goal

• Space : geographical leashesLimit the range of the packet using the distance it can travel

• Time : Temporal LeashesLimit the range of the packet using the time it remains valid

S

DWormhole

ColludingAttackers

4/26/2007 7Computer Science

Geographical Leashes (Overview)

• Definition: a geographical leash establishes an upper bound on the distance that a packet can travel

• Requirements– Every node must have knowledge of its location– Loose time synchronization– Nodes can be relatively mobile

• Geographical leashes also enable multiple location detection

4/26/2007 8Computer Science

Temporal Leashes

• Definition: a temporal leash establishes an upper bound on a packet’s lifetime, which restricts the maximum travel distance

• Key Requirement: all nodes must have tightly synchronized clocks– Maximum clock difference (Δ) between any two

nodes must be within a few microseconds

4/26/2007 9Computer Science

Temporal Leashes

• Implementation with a packet expiration time

• Sender calculates a packet expiration time to be sent with each packet:

te = ts + L/c – Δ– te: packet expiration time

– ts: packet sent time

– c: propagation speed of wireless signal

– L: maximum allowed travel distance; L > Lmin = Δ*c– Δ: maximum clock difference between 2 nodes

4/26/2007 10Computer Science

Temporal Leashes

• Receiver will accept and process a received packet if and only if the time when the packet is received (tr) is less than the packet expiration time (te)

• What’s missing?– Need an efficient way for the receiver to

authenticate te

4/26/2007 11Computer Science

TIK Protocol - Overview

• TIK – TESLA with Instant Key disclosure– TIK implements a temporal leash and provides efficient

instant authentication for broadcast communication in wireless networks

– Based on the observation that a receiver can verify the TESLA security condition, that the corresponding key hasn’t been disclosed, as it receives the packet, this allows sender to disclose the key in the same packet

– Assume sender can precisely predict ts and receiver can record tr as soon as the packet arrives

– Requires accurate time synchronization between all the nodes

4/26/2007 12Computer Science

TIK Protocol – Sender Setup

• Sender generates a series of keys, K0, K1,…, Kw-

1, using a PRF F and a secret master key X:

Ki = Fx(i)

• Sender selects a key expiration interval I and determines the expiration time (Ti) for its keys:

Ti = T0 + i*I, where T0 is the expiration time for K0

• Sender constructs a Merkle hash tree to commit to keys: K0, K1,…, Kw-1

4/26/2007 13Computer Science

TIK Protocol – Merkle Hash Tree

m03

m01

K0’

K0

K1’

K1

m23

K2’

K2 K3

K3’

m47

m45

K4’

K4

K5’

K5

m67

K6’

K6 K7

K7’

m07

4/26/2007 14Computer Science

TIK Protocol – Merkle Hash Tree

• How is it constructed?– For every leaf node, Ki’ = H(Ki); i.e. K0’ = H(K0)– For every parent node, mp = H(ml || mr); i.e. m01 = H(K0’ || K1’),

m03 = H(m01 || m23);

• The root value (m07) is signed by the sender and sent to the receivers, where it can be authenticated with sender’s public key

• To authenticate K2, for example:– Sender must include K3’, m01, m47 in the packet– Receiver computes m07’ and compare to the pre-distributed m07

m07’ = H[ H[ m01 || H[ H[K2] || K3’]] || m47 ]

4/26/2007 15Computer Science

TIK Protocol – Receiver Bootstrapping

• Assume all nodes are synchronized with a maximum clock difference of Δ

• Assume each receiver knows every sender’s hash tree root value and the associated parameter T0 and I

4/26/2007 16Computer Science

TIK Protocol – Sending and Verifying Packets

HMAC M T Ki

HMAC M T Ki

Sender

Receiver

Time at Sender

•Time at Receiver

ts Ti

•tr ≤ (ts + т - Δ) •≤ (Ti - Δ)

4/26/2007 17Computer Science

TIK Protocol – Sending and Verifying Packets

• S → R: (HMACKi(M), M, T, Ki)– M: message payload– HMACKi(M): message authentication code for M– Ki: key used to generate the HMAC for M– T: tree authentication values used to authenticate Ki

• Receiver:– Verifies if the sender has started sending Ki after receiving

HMAC, based on Ti

– Verifies if Ki is authentic based on the hash root value and T– Verifies the HMAC, using authenticated Ki

– Accept the packet as authentic only if all those verifications are successful

4/26/2007 18Computer Science

Security & Performance Analysis

• Security Analysis– Temporal leash with TIK protocol can detect and prevent

wormhole attacks if all nodes are good nodes– Can’t deal with a malicious sender that claims a false

timestamp– Can’t deal with a malicious receiver that refuses to check

the leash• Performance Analysis

– Requires only n public keys in a network with n nodes– Efficient hash tree authentication of keys– Efficient instant authentication of packet because the key is

disclosed in the same packet– Modest storage requirement for the Merkle hash tree

4/26/2007 19Computer Science

Related Work

• RF-Watermarking– Modulating the RF waveform in a way known only to

authorized nodes

– Vulnerable to node capture

• Intrusion Detection– Hard to isolate attacker using a software only approach,

since it is hard to distinguish malicious traffic from legitimate traffic

4/26/2007 20Computer Science

Future Work & Conclusion

• Future Work– An efficient implementation of Geographical leashes

– Securing TIK against node misbehavior (sender/receiver)

– Achieving accurate time synchronization among the nodes

• Conclusion– Wormhole attack is a powerful and disruptive attack against

wireless networks

– With precise timestamps and tight clock synchronization, TIK can prevent wormhole attacks

4/26/2007 21Computer Science

Thank You!

• Questions and Comments